Skip to content

Comments

enip: convert to rust#10901

Closed
catenacyber wants to merge 1 commit intoOISF:masterfrom
catenacyber:enip-rust-3958-v17
Closed

enip: convert to rust#10901
catenacyber wants to merge 1 commit intoOISF:masterfrom
catenacyber:enip-rust-3958-v17

Conversation

@catenacyber
Copy link
Contributor

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/3958

Describe changes:

  • convert enip parser to rust

Alon the way, also

  • transactions are now bidirectional
  • there is a enip logger
  • gap support is improved with probing for resync
  • frames
  • events
  • enip_command keyword accepts now string enumeration as values.
  • more keywords, to have parity with logging

#10850 with needed rebase

SV_BRANCH=OISF/suricata-verify#1666

Ticket: 3958

- transactions are now bidirectional
- there is a logger
- gap support is improved with probing for resync
- frames support
- app-layer events
- enip_command keyword accepts now string enumeration as values.
- add enip.status keyword
- add keywords :
    enip.product_name, enip.protocol_version, enip.revision,
    enip.identity_status, enip.state, enip.serial, enip.product_code,
    enip.device_type, enip.vendor_id, enip.capabilities,
    enip.cip_attribute, enip.cip_class, enip.cip_instance,
    enip.cip_status, enip.cip_extendedstatus
@codecov
Copy link

codecov bot commented Apr 18, 2024

Codecov Report

Attention: Patch coverage is 43.60902% with 1950 lines in your changes are missing coverage. Please review.

Project coverage is 82.17%. Comparing base (2b4e102) to head (2321978).

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #10901      +/-   ##
==========================================
+ Coverage   77.64%   82.17%   +4.53%     
==========================================
  Files         922      941      +19     
  Lines      247806   250157    +2351     
==========================================
+ Hits       192400   205570   +13170     
+ Misses      55406    44587   -10819     
Flag Coverage Δ
fuzzcorpus 63.35% <33.76%> (?)
suricata-verify 61.34% <38.80%> (-1.09%) ⬇️
unittests 61.65% <11.22%> (-0.56%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

@suricata-qa
Copy link

Information:

ERROR: QA failed on SURI_TLPW2_autofp_suri_time.

ERROR: QA failed on SURI_TLPW1_files_sha256.

ERROR: QA failed on SURI_TLPR1_suri_time.

field baseline test %
SURI_TLPW2_autofp_stats_chk
.uptime 138 145 105.07%
SURI_TLPR1_stats_chk
.uptime 644 693 107.61%

Pipeline 20220

Copy link
Contributor

@jufajardini jufajardini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Kudos on tackling keyword/log output parity :D

Not sure if possible, but wondering if we could have dedicated commits:
Maybe:

  • one for docs
  • one for logging and parsing (and schema?)
  • one for detection
  • one for new keywords added
  • replacement of C code with rust code into an independent commit
  • maybe one for unittests removal, just to keep the change contained?

Please ignore if this proposal doesn't make sense or would be too much work

@catenacyber
Copy link
Contributor Author

Not sure if possible, but wondering if we could have dedicated commits: Maybe:

  • one for docs

I do not like separating doc commits from the code changes needing the documentation...
I do not think this was settled

  • one for logging and parsing (and schema?)
  • one for detection

Already existing keywords must be done within the same commit as parsing goes from c to rust...

  • one for new keywords added
  • replacement of C code with rust code into an independent commit

This is not independent : I add logging and parsing in rust, while moving away the C code...

  • maybe one for unittests removal, just to keep the change contained?

Interesting. Why so ?

Please ignore if this proposal doesn't make sense or would be too much work

This can be work... not sure if it is relevant...

@jufajardini
Copy link
Contributor

  • maybe one for unittests removal, just to keep the change contained?

Interesting. Why so ?

Looking again, I can't see what made me make this comment, please ignore. >__<'

Please ignore if this proposal doesn't make sense or would be too much work

This can be work... not sure if it is relevant...

In general I see that we try to break changes into smaller commits, so that's where this comes from. But I don't have a super strong opinion about this, yet...

Copy link
Member

@victorjulien victorjulien left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some questions and feedback inline

}

#[no_mangle]
pub unsafe extern "C" fn rs_enip_tx_has_cip_attribute(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you update all [no_mangle] functions to use the new naming style for FFI rust funcs?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will do

Copy link
Contributor Author

@catenacyber catenacyber May 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With python

f = open("diff.txt")
for l in f.readlines():
    base = l[:-1]
    trans1 = base.replace("rs_enip", "SCEnip")
    trans = ""
    state = 0
    for c in trans1:
        if c == '_':
            state = 1
        else:
            if state == 1:
                trans += c.upper()
                state = 0
            else:
                trans += c
    print("git grep %s | cut -d: -f1 | xargs sed -i -e 's/%s/%s/'" % (base, base, trans))

let input = stream_slice.as_slice();
match parser::parse_enip_pdu(input) {
Ok((_, pdu)) => {
process_frames(&pdu, &stream_slice, flow, input);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should create the frame regardless of the parser result

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you mean only for UDP ?

And which frame are you talking about ? There are many...
I think you want a frame pdu which is both the header and payload frame, right ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added the standard Pdu frame...

And will do so for Websocket ;-)

Ok(())
}

fn enip_vendorid_string(p: u16) -> Option<&'static str> {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

where does this list come from?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

}
}

fn enip_devicetype_string(p: u16) -> Option<&'static str> {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what is the source of this info?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I bet on Wireshark

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@catenacyber
Copy link
Contributor Author

Continued in #11174

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

4 participants