Getting Started With Rust in Suricata 4.0
In Suricata 4.0, experimental Rust support has been added. This is a quick guide to getting started with it.
On Ubuntu 16.04 or higher, Rust can be installed through apt.
    apt install rustc
    apt install cargo
For other platforms, or if you want to use the latest and greatest Rust, see https://www.rust-lang.org/en-US/install.html
When building Suricata, the --enable-rust option has to be added to configure:
    ./configure --enable-rust
This should result in:
    ...
    checking for cargo... /usr/bin/cargo
    checking for rustc... /usr/bin/rustc
    checking for ./rust/vendor... no
    checking for cargo-vendor... no
    Warning: cargo-vendor not found, but it is only required for building the distribution
    To install: cargo install cargo-vendor
    ...
Don't worry about the message about cargo-vendor; it is not needed to use the Rust support, only to build a distribution tarball.
When configure is complete the summary should say:
    ...
    Rust support (experimental): yes
    ...
The next step is to build Suricata as normal, with 'make'. Right now this has to be done on a system with access to the internet, as 'cargo' is going to pull in a few dependencies (the crates listed in the output below). We'll address this later using 'cargo-vendor'.
So run 'make':
    ...
    Making all in rust
    make[2]: Entering directory '/home/victor/dev/suricata/rust'
    cd ../rust && CARGO_TARGET_DIR=/home/victor/dev/suricata/rust/target \
        python ./gen-c-headers.py && \
        cargo build --release --features ""
    Writing ./gen/c-headers/rust-core-gen.h
    Writing ./gen/c-headers/rust-log-gen.h
    Writing ./gen/c-headers/rust-dns-lua-gen.h
    Writing ./gen/c-headers/rust-dns-dns-gen.h
    Writing ./gen/c-headers/rust-dns-log-gen.h
    Writing ./gen/c-headers/rust-nfs-log-gen.h
    Writing ./gen/c-headers/rust-nfs-nfs3-gen.h
        Updating registry `https://github.com/rust-lang/crates.io-index`
     Downloading libc v0.2.23
     Downloading nom v3.0.0
       Compiling libc v0.2.23
       Compiling nom v3.0.0
       Compiling suricata v4.0.0-dev (file:///home/victor/dev/suricata/rust)
    note: link against the following native artifacts when linking against this static library
    note: the order and any duplication can be significant on some platforms, and so may need to be preserved
    note: library: util
    note: library: dl
    note: library: pthread
    note: library: gcc_s
    note: library: c
    note: library: m
    note: library: rt
    make[2]: Leaving directory '/home/victor/dev/suricata/rust'
    ...
      CC       app-layer-dns-tcp.o
      CC       app-layer-dns-tcp-rust.o
      CC       app-layer-dns-udp.o
      CC       app-layer-dns-udp-rust.o
    ...
To validate that Rust is indeed fully enabled, check the --build-info output: the Features list should contain RUST and the Rust support line should say yes.
    $ ./src/suricata --build-info|grep -i rust
    Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LIBJANSSON TLS MAGIC RUST
    Rust support (experimental): yes
    CFLAGS -g -O2 -march=native -I../rust/gen/c-headers
Now install as normal using 'make install'.
Enabling the Rust parsers
When Rust support is compiled in, the Rust DNS parser is used automatically: if the configuration enables DNS parsing, the Rust parser handles it.
To enable the NFSv3 parser and logger, make sure to have this config in your suricata.yaml:
    outputs:
      ...
      - eve-log:
          enabled: yes
          ...
          types:
            ...
            - nfs3

    app-layer:
      protocols:
        nfs3:
          enabled: yes
    ...
Then start Suricata as normal. DNS logging and detection should function as before, and new NFSv3 log records should appear in the EVE log.
Experimental Rust Parsers
Additional Rust parsers can be enabled through the --enable-rust-experimental configure option. Rust support as a whole is currently considered experimental, but within it some parsers are more experimental than others, and those are only built when this option is given. The --build-info output then shows an additional "Experimental Rust parsers" line:
    suricata --build-info|grep -i rust
    Features: DEBUG UNITTESTS NFQ PCAP_SET_BUFF AF_PACKET NETMAP HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON PROFILING TLS MAGIC RUST
    Rust support (experimental): yes
    Experimental Rust parsers: yes
    Rust strict mode: no
    CFLAGS -O0 -ggdb -fno-omit-frame-pointer -Wno-unused-parameter -march=native -I${srcdir}/../rust/gen/c-headers
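Both --build-info listings on this page (with and without --enable-rust-experimental) can be checked mechanically, which is useful in a build pipeline that must not silently ship a Suricata binary without the Rust parsers. The script below is an added example, not part of the Suricata documentation or source tree. It assumes only the line formats quoted above ("Features: ... RUST", "Rust support (experimental): yes", "Experimental Rust parsers: yes"); the function names, the sample inputs and the SURICATA_BIN variable are the example's own.

```shell
#!/bin/sh
# Added example (not Suricata project code): classify a Suricata build from
# the text that `suricata --build-info` prints.

# suricata_rust_status FILE
#   FILE holds the output of `suricata --build-info`.
#   Prints rust-disabled, rust-enabled or rust-enabled-experimental.
#   Exit status is 0 when Rust support is compiled in, 1 otherwise.
suricata_rust_status() {
    info_file="$1"
    # RUST must appear as a whole word on the Features line (not as part of
    # another feature name), and the explicit support line must say yes.
    if grep -Eq '^Features:.*[[:space:]]RUST([[:space:]]|$)' "$info_file" &&
       grep -Eq '^Rust support \(experimental\):[[:space:]]*yes' "$info_file"; then
        # This line is only printed by builds configured with
        # --enable-rust-experimental.
        if grep -Eq '^Experimental Rust parsers:[[:space:]]*yes' "$info_file"; then
            echo rust-enabled-experimental
        else
            echo rust-enabled
        fi
        return 0
    fi
    echo rust-disabled
    return 1
}

# write_sample_build_info KIND FILE
#   Writes a constructed --build-info excerpt to FILE. KIND is one of
#   plain, rust or rust-experimental. These samples are modelled on the
#   outputs quoted in the text above; they were not captured from a build.
write_sample_build_info() {
    case "$1" in
        plain)
            printf '%s\n' \
                'Features: PCAP_SET_BUFF AF_PACKET LIBCAP_NG TLS MAGIC' \
                'CFLAGS -g -O2' > "$2" ;;
        rust)
            printf '%s\n' \
                'Features: PCAP_SET_BUFF AF_PACKET LIBCAP_NG TLS MAGIC RUST' \
                'Rust support (experimental): yes' \
                'CFLAGS -g -O2 -I../rust/gen/c-headers' > "$2" ;;
        rust-experimental)
            printf '%s\n' \
                'Features: DEBUG UNITTESTS AF_PACKET TLS MAGIC RUST' \
                'Rust support (experimental): yes' \
                'Experimental Rust parsers: yes' \
                'Rust strict mode: no' > "$2" ;;
        *)
            echo "unknown sample kind: $1" >&2
            return 2 ;;
    esac
}

# Stand-alone run: exercise the check on the three constructed samples and,
# when SURICATA_BIN points at a real binary, on that binary's own output.
main() {
    tmp="${TMPDIR:-/tmp}/suricata-build-info.$$"
    for kind in plain rust rust-experimental; do
        write_sample_build_info "$kind" "$tmp"
        printf '%-18s -> ' "$kind"
        suricata_rust_status "$tmp" || true
    done
    if [ -n "${SURICATA_BIN:-}" ]; then
        "$SURICATA_BIN" --build-info > "$tmp"
        printf '%-18s -> ' "$SURICATA_BIN"
        suricata_rust_status "$tmp" || true
    fi
    rm -f "$tmp"
}

main
```

Run it with `SURICATA_BIN=./src/suricata sh check-rust-build.sh` after `make` to verify the freshly built binary, or without the variable to see the three constructed cases; the non-zero exit status of suricata_rust_status is what a CI step would key on.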
To enable the NTP protocol parser, add this to the app-layer section of suricata.yaml:
    app-layer:
      protocols:
        ntp:
          enabled: yes