Rust add snmp 01

[chifflier]

Make sure these boxes are signed before submitting your Pull Request -- thank you.

• I have read the contributing guide lines at https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing
• I have signed the Open Information Security Foundation contribution agreement at https://suricata-ids.org/about/contribution-agreement/
• I have updated the user guide (in doc/userguide/) to reflect the changes made (if applicable)

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/2738

Describe changes:

• Add a new app-layer to decode SNMP v1, v2c and v3
• note SNMP is using UDP port 161
• note: SNMPv3 is usually encrypted
• Add a JSON logger for SNMP metadata
• Add new keywords: snmp_version, snmp_community, and snmp_pdu_type
• Written in rust, and using external crates der-parser (already used) and snmp-parser (new dependency)

Example of JSON output:

  "snmp": {
    "version": 2,
    "pdu_type": "Response",
    "vars": [
      "1.3.6.1.2.1.1.3.0"
    ],
    "community": "public"
  }

Example of detection rules:

alert snmp any any -> any any (msg:"old SNMP protocol version (<3)"; snmp_version:<3; sid:1; rev:1;)
alert snmp any any -> any any (msg:"SNMP community private"; snmp_community; content:"private"; sid:2; rev:1;)
alert snmp any any -> any any (msg:"SNMP response"; snmp_pdu_type:2; sid:3; rev:1;)

[pevma]

I am getting a lot these on live traffic -

(snmp.rs:142) <Info> (<rust>) -- parse_snmp_v1 failed: Error(Code(Custom(128)))
(snmp.rs:142) <Info> (<rust>) -- parse_snmp_v1 failed: Error(Code(Custom(128)))
(snmp.rs:142) <Info> (<rust>) -- parse_snmp_v1 failed: Error(Code(Custom(128)))

Anything I can do to debug further?

[chifflier]

I am getting a lot these on live traffic -

(snmp.rs:142) <Info> (<rust>) -- parse_snmp_v1 failed: Error(Code(Custom(128)))
(snmp.rs:142) <Info> (<rust>) -- parse_snmp_v1 failed: Error(Code(Custom(128)))
(snmp.rs:142) <Info> (<rust>) -- parse_snmp_v1 failed: Error(Code(Custom(128)))

Anything I can do to debug further?

Thanks for the tests! AFAICT, this was caused by messages types unsupported by snmp-parser. The crate has been updated, and 053613b updates this PR, so it should be fixed.

[pevma]

It seems it there is more to it

root@suricata:~# suricata -V
This is Suricata version 4.1.0-dev (rev 053613b0)

[2691] 21/12/2018 -- 01:56:05 - (tm-threads.c:2172) <Notice> (TmThreadWaitOnThreadInit) -- all 16 packet processing threads, 6 management threads initialized, engine started.
[2804] 21/12/2018 -- 07:15:39 - (snmp.rs:143) <Info> (<rust>) -- parse_snmp_v1 failed: Error(Position(MapRes, [67, 5, 0, 148, 146, 22, 239, 48, 17, 48, 15, 6, 10, 43, 6, 1, 2, 1, 2, 2, 1, 1, 14, 2, 1, 14]))
[2804] 21/12/2018 -- 07:15:53 - (snmp.rs:143) <Info> (<rust>) -- parse_snmp_v1 failed: Error(Position(MapRes, [67, 5, 0, 148, 146, 28, 103, 48, 129, 132, 48, 21, 6, 16, 43, 6, 1, 4, 1, 11, 2, 14, 11, 1, 7, 2, 1, 4, 135, 117, 2, 1, 6, 48, 21, 6, 16, 43, 6, 1, 4, 1, 11, 2, 14, 11, 1, 7, 2, 1, 5, 135, 117, 2, 1, 2, 48, 21, 6, 16, 43, 6, 1, 4, 1, 11, 2, 14, 11, 1, 7, 2, 1, 6, 135, 117, 2, 1, 2, 48, 61, 6, 15, 43, 6, 1, 4, 1, 11, 2, 14, 11, 1, 7, 3, 0, 135, 117, 4, 42, 104, 116, 116, 112, 58, 47, 47, 49, 57, 50, 46, 49, 54, 56, 46, 52, 56, 46, 51, 47, 99, 103, 105, 47, 102, 68, 101, 116, 97, 105, 108, 63, 105, 110, 100, 101, 120, 61, 49, 48, 49, 51]))
[2804] 21/12/2018 -- 07:16:02 - (snmp.rs:143) <Info> (<rust>) -- parse_snmp_v1 failed: Error(Position(MapRes, [67, 5, 0, 148, 146, 32, 34, 48, 17, 48, 15, 6, 10, 43, 6, 1, 2, 1, 2, 2, 1, 1, 14, 2, 1, 14]))
[2804] 21/12/2018 -- 07:16:06 - (snmp.rs:143) <Info> (<rust>) -- parse_snmp_v1 failed: Error(Position(MapRes, [67, 5, 0, 148, 146, 33, 128, 48, 17, 48, 15, 6, 10, 43, 6, 1, 2, 1, 2, 2, 1, 1, 14, 2, 1, 14]))
[2804] 21/12/2018 -- 07:16:24 - (snmp.rs:143) <Info> (<rust>) -- parse_snmp_v1 failed: Error(Position(MapRes, [67, 5, 0, 148, 146, 40, 186, 48, 129, 132, 48, 21, 6, 16, 43, 6, 1, 4, 1, 11, 2, 14, 11, 1, 7, 2, 1, 4, 135, 118, 2, 1, 6, 48, 21, 6, 16, 43, 6, 1, 4, 1, 11, 2, 14, 11, 1, 7, 2, 1, 5, 135, 118, 2, 1, 2, 48, 21, 6, 16, 43, 6, 1, 4, 1, 11, 2, 14, 11, 1, 7, 2, 1, 6, 135, 118, 2, 1, 2, 48, 61, 6, 15, 43, 6, 1, 4, 1, 11, 2, 14, 11, 1, 7, 3, 0, 135, 118, 4, 42, 104, 116, 116, 112, 58, 47, 47, 49, 57, 50, 46, 49, 54, 56, 46, 52, 56, 46, 51, 47, 99, 103, 105, 47, 102, 68, 101, 116, 97, 105, 108, 63, 105, 110, 100, 101, 120, 61, 49, 48, 49, 52]))

I've been trying to carve out a live traffic pcap to reproduce the issue unsuccessfully so far. Have another round of pcaps ready now and will have a look again and feedback.

[norg]

maybe add within

[norg]

documentation looks good

[chifflier]

Cancelling PR until the nom4 transition is done

[jasonish]

"pdu_type": "Response",

The titlecase here stands out. I'd rather see this all in lower case and leave the casing to a presentation layer unless there is good reason not to.