|
|
|
|
/* Copyright (C) 2007-2011 Open Information Security Foundation
|
|
|
|
|
*
|
|
|
|
|
* You can copy, redistribute or modify this Program under the terms of
|
|
|
|
|
* the GNU General Public License version 2 as published by the Free
|
|
|
|
|
* Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* version 2 along with this program; if not, write to the Free Software
|
|
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
|
|
|
|
* 02110-1301, USA.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \file
|
|
|
|
|
*
|
|
|
|
|
* \author Victor Julien <victor@inliniac.net>
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
* \author Anoop Saldanha <anoopsaldanha@gmail.com>
|
|
|
|
|
*
|
|
|
|
|
* Generic App-layer functions
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include "suricata-common.h"
|
|
|
|
|
|
|
|
|
|
#include "app-layer.h"
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
#include "app-layer-parser.h"
|
|
|
|
|
#include "app-layer-protos.h"
|
|
|
|
|
#include "app-layer-detect-proto.h"
|
|
|
|
|
#include "stream-tcp-reassemble.h"
|
|
|
|
|
#include "stream-tcp-private.h"
|
|
|
|
|
#include "stream-tcp-inline.h"
|
|
|
|
|
#include "flow.h"
|
|
|
|
|
#include "flow-util.h"
|
|
|
|
|
|
|
|
|
|
#include "util-debug.h"
|
|
|
|
|
#include "util-print.h"
|
|
|
|
|
#include "util-profiling.h"
|
|
|
|
|
#include "util-validate.h"
|
|
|
|
|
#include "decode-events.h"
|
|
|
|
|
#include "app-layer-htp-mem.h"
|
|
|
|
|
|
|
|
|
|
/**
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
* \brief This is for the app layer in general and it contains per thread
|
|
|
|
|
* context relevant to both the alpd and alp.
|
|
|
|
|
*/
|
|
|
|
|
struct AppLayerThreadCtx_ {
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
/* App layer protocol detection thread context, from AppLayerProtoDetectGetCtxThread(). */
|
|
|
|
|
AppLayerProtoDetectThreadCtx *alpd_tctx;
|
|
|
|
|
/* App layer parser thread context, from AppLayerParserThreadCtxAlloc(). */
|
|
|
|
|
AppLayerParserThreadCtx *alp_tctx;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
|
|
|
|
|
#ifdef PROFILING
|
|
|
|
|
uint64_t ticks_start;
|
|
|
|
|
uint64_t ticks_end;
|
|
|
|
|
uint64_t ticks_spent;
|
|
|
|
|
AppProto alproto;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
uint64_t proto_detect_ticks_start;
|
|
|
|
|
uint64_t proto_detect_ticks_end;
|
|
|
|
|
uint64_t proto_detect_ticks_spent;
|
|
|
|
|
#endif
|
|
|
|
|
};
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
|
|
|
|
|
/***** L7 layer dispatchers *****/
|
|
|
|
|
|
|
|
|
|
int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
Packet *p, Flow *f,
|
|
|
|
|
TcpSession *ssn, TcpStream *stream,
|
|
|
|
|
uint8_t *data, uint32_t data_len,
|
|
|
|
|
uint8_t flags)
|
|
|
|
|
{
|
|
|
|
|
SCEnter();
|
|
|
|
|
|
|
|
|
|
DEBUG_ASSERT_FLOW_LOCKED(f);
|
|
|
|
|
|
|
|
|
|
AppLayerThreadCtx *app_tctx = ra_ctx->app_tctx;
|
|
|
|
|
AppProto *alproto;
|
|
|
|
|
AppProto *alproto_otherdir;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
uint8_t dir;
|
|
|
|
|
uint32_t data_al_so_far;
|
|
|
|
|
int r = 0;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
uint8_t first_data_dir;
|
|
|
|
|
|
|
|
|
|
SCLogDebug("data_len %u flags %02X", data_len, flags);
|
|
|
|
|
if (f->flags & FLOW_NO_APPLAYER_INSPECTION) {
|
|
|
|
|
SCLogDebug("FLOW_AL_NO_APPLAYER_INSPECTION is set");
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (flags & STREAM_TOSERVER) {
|
|
|
|
|
alproto = &f->alproto_ts;
|
|
|
|
|
alproto_otherdir = &f->alproto_tc;
|
|
|
|
|
dir = 0;
|
|
|
|
|
} else {
|
|
|
|
|
alproto = &f->alproto_tc;
|
|
|
|
|
alproto_otherdir = &f->alproto_ts;
|
|
|
|
|
dir = 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* if we don't know the proto yet and we have received a stream
|
|
|
|
|
* initializer message, we run proto detection.
|
|
|
|
|
* We receive 2 stream init msgs (one for each direction) but we
|
|
|
|
|
* only run the proto detection once. */
|
|
|
|
|
if (*alproto == ALPROTO_UNKNOWN && (flags & STREAM_GAP)) {
|
|
|
|
|
StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream);
|
|
|
|
|
StreamTcpSetSessionNoReassemblyFlag(ssn, dir);
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
|
|
|
|
|
} else if (*alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
|
|
|
|
|
if (data_len == 0)
|
|
|
|
|
data_al_so_far = 0;
|
|
|
|
|
else
|
|
|
|
|
data_al_so_far = f->data_al_so_far[dir];
|
|
|
|
|
|
|
|
|
|
SCLogDebug("Stream initializer (len %" PRIu32 ")", data_len);
|
|
|
|
|
#ifdef PRINT
|
|
|
|
|
if (data_len > 0) {
|
|
|
|
|
printf("=> Init Stream Data (app layer) -- start %s%s\n",
|
|
|
|
|
flags & STREAM_TOCLIENT ? "toclient" : "",
|
|
|
|
|
flags & STREAM_TOSERVER ? "toserver" : "");
|
|
|
|
|
PrintRawDataFp(stdout, data, data_len);
|
|
|
|
|
printf("=> Init Stream Data -- end\n");
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
PACKET_PROFILING_APP_PD_START(app_tctx);
|
|
|
|
|
*alproto = AppLayerProtoDetectGetProto(app_tctx->alpd_tctx,
|
|
|
|
|
f,
|
|
|
|
|
data, data_len,
|
|
|
|
|
IPPROTO_TCP, flags);
|
|
|
|
|
PACKET_PROFILING_APP_PD_END(app_tctx);
|
|
|
|
|
|
|
|
|
|
if (*alproto != ALPROTO_UNKNOWN) {
|
|
|
|
|
if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != *alproto) {
|
|
|
|
|
AppLayerDecoderEventsSetEventRaw(p->app_layer_events,
|
|
|
|
|
APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS);
|
|
|
|
|
/* it indicates some data has already been sent to the parser */
|
|
|
|
|
if (ssn->data_first_seen_dir == APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
|
|
|
|
|
f->alproto = *alproto = *alproto_otherdir;
|
|
|
|
|
} else {
|
|
|
|
|
if (flags & STREAM_TOCLIENT)
|
|
|
|
|
f->alproto = *alproto_otherdir = *alproto;
|
|
|
|
|
else
|
|
|
|
|
f->alproto = *alproto = *alproto_otherdir;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
f->alproto = *alproto;
|
|
|
|
|
StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream);
|
|
|
|
|
|
|
|
|
|
/* if we have seen data from the other direction first, send
|
|
|
|
|
* data for that direction first to the parser. This shouldn't
|
|
|
|
|
* be an issue, since each stream processing happens
|
|
|
|
|
* independently of the other stream direction. At this point of
|
|
|
|
|
* call, you need to know that this function's already being
|
|
|
|
|
* called by the very same StreamReassembly() function that we
|
|
|
|
|
* will now call shortly for the opposing direction. */
|
|
|
|
|
if ((ssn->data_first_seen_dir & (STREAM_TOSERVER | STREAM_TOCLIENT)) &&
|
|
|
|
|
!(flags & ssn->data_first_seen_dir)) {
|
|
|
|
|
TcpStream *opposing_stream = NULL;
|
|
|
|
|
if (stream == &ssn->client) {
|
|
|
|
|
opposing_stream = &ssn->server;
|
|
|
|
|
if (StreamTcpInlineMode()) {
|
|
|
|
|
p->flowflags &= ~FLOW_PKT_TOSERVER;
|
|
|
|
|
p->flowflags |= FLOW_PKT_TOCLIENT;
|
|
|
|
|
} else {
|
|
|
|
|
p->flowflags &= ~FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->flowflags |= FLOW_PKT_TOSERVER;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
opposing_stream = &ssn->client;
|
|
|
|
|
if (StreamTcpInlineMode()) {
|
|
|
|
|
p->flowflags &= ~FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->flowflags |= FLOW_PKT_TOSERVER;
|
|
|
|
|
} else {
|
|
|
|
|
p->flowflags &= ~FLOW_PKT_TOSERVER;
|
|
|
|
|
p->flowflags |= FLOW_PKT_TOCLIENT;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
int ret;
|
|
|
|
|
if (StreamTcpInlineMode()) {
|
|
|
|
|
ret = StreamTcpReassembleInlineAppLayer(tv, ra_ctx, ssn,
|
|
|
|
|
opposing_stream, p);
|
|
|
|
|
} else {
|
|
|
|
|
ret = StreamTcpReassembleAppLayer(tv, ra_ctx, ssn,
|
|
|
|
|
opposing_stream, p);
|
|
|
|
|
}
|
|
|
|
|
if (stream == &ssn->client) {
|
|
|
|
|
if (StreamTcpInlineMode()) {
|
|
|
|
|
p->flowflags &= ~FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->flowflags |= FLOW_PKT_TOSERVER;
|
|
|
|
|
} else {
|
|
|
|
|
p->flowflags &= ~FLOW_PKT_TOSERVER;
|
|
|
|
|
p->flowflags |= FLOW_PKT_TOCLIENT;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
if (StreamTcpInlineMode()) {
|
|
|
|
|
p->flowflags &= ~FLOW_PKT_TOSERVER;
|
|
|
|
|
p->flowflags |= FLOW_PKT_TOCLIENT;
|
|
|
|
|
} else {
|
|
|
|
|
p->flowflags &= ~FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->flowflags |= FLOW_PKT_TOSERVER;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (ret < 0) {
|
|
|
|
|
FlowSetSessionNoApplayerInspectionFlag(f);
|
|
|
|
|
StreamTcpSetStreamFlagAppProtoDetectionCompleted(&ssn->client);
|
|
|
|
|
StreamTcpSetStreamFlagAppProtoDetectionCompleted(&ssn->server);
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
goto failure;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* if the parser operates such that it needs to see data from
|
|
|
|
|
* a particular direction first, we check if we have seen
|
|
|
|
|
* data from that direction first for the flow. IF it is not
|
|
|
|
|
* the same, we set an event and exit.
|
|
|
|
|
*
|
|
|
|
|
* \todo We need to figure out a more robust solution for this,
|
|
|
|
|
* as this can lead to easy evasion tactics, where the
|
|
|
|
|
* attackeer can first send some dummy data in the wrong
|
|
|
|
|
* direction first to mislead our proto detection process.
|
|
|
|
|
* While doing this we need to update the parsers as well,
|
|
|
|
|
* since the parsers must be robust to see such wrong
|
|
|
|
|
* direction data.
|
|
|
|
|
* Either ways the moment we see the
|
|
|
|
|
* APPLAYER_WRONG_DIRECTION_FIRST_DATA event set for the
|
|
|
|
|
* flow, it shows something's fishy.
|
|
|
|
|
*/
|
|
|
|
|
if (ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
first_data_dir = AppLayerParserGetFirstDataDir(f->proto, *alproto);
|
|
|
|
|
|
|
|
|
|
if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) {
|
|
|
|
|
AppLayerDecoderEventsSetEventRaw(p->app_layer_events,
|
|
|
|
|
APPLAYER_WRONG_DIRECTION_FIRST_DATA);
|
|
|
|
|
FlowSetSessionNoApplayerInspectionFlag(f);
|
|
|
|
|
StreamTcpSetStreamFlagAppProtoDetectionCompleted(&ssn->server);
|
|
|
|
|
StreamTcpSetStreamFlagAppProtoDetectionCompleted(&ssn->client);
|
|
|
|
|
/* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
|
|
|
|
|
ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
goto failure;
|
|
|
|
|
}
|
|
|
|
|
/* This can happen if the current direction is not the
|
|
|
|
|
* right direction, and the data from the other(also
|
|
|
|
|
* the right direction) direction is available to be sent
|
|
|
|
|
* to the app layer, but it is not ack'ed yet and hence
|
|
|
|
|
* the forced call to STreamTcpAppLayerReassemble still
|
|
|
|
|
* hasn't managed to send data from the other direction
|
|
|
|
|
* to the app layer. */
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
if (first_data_dir && !(first_data_dir & flags)) {
|
|
|
|
|
BUG_ON(*alproto_otherdir != ALPROTO_UNKNOWN);
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
FlowCleanupAppLayer(f);
|
|
|
|
|
f->alproto = *alproto = ALPROTO_UNKNOWN;
|
|
|
|
|
StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream);
|
|
|
|
|
FLOW_RESET_PP_DONE(f, flags);
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
FLOW_RESET_PM_DONE(f, flags);
|
|
|
|
|
goto failure;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
|
|
|
|
|
ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
|
|
|
|
|
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
PACKET_PROFILING_APP_START(app_tctx, *alproto);
|
|
|
|
|
r = AppLayerParserParse(app_tctx->alp_tctx, f, *alproto, flags, data + data_al_so_far, data_len - data_al_so_far);
|
|
|
|
|
PACKET_PROFILING_APP_END(app_tctx, *alproto);
|
|
|
|
|
f->data_al_so_far[dir] = 0;
|
|
|
|
|
} else {
|
|
|
|
|
if (*alproto_otherdir != ALPROTO_UNKNOWN) {
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
first_data_dir = AppLayerParserGetFirstDataDir(f->proto, *alproto_otherdir);
|
|
|
|
|
|
|
|
|
|
/* this would handle this test case -
|
|
|
|
|
* http parser which says it wants to see toserver data first only.
|
|
|
|
|
* tcp handshake
|
|
|
|
|
* toclient data first received. - RUBBISH DATA which
|
|
|
|
|
* we don't detect as http
|
|
|
|
|
* toserver data next sent - we detect this as http.
|
|
|
|
|
* at this stage we see that toclient is the first data seen
|
|
|
|
|
* for this session and we try and redetect the app protocol,
|
|
|
|
|
* but we are unable to detect the app protocol like before.
|
|
|
|
|
* But since we have managed to detect the protocol for the
|
|
|
|
|
* other direction as http, we try to use that. At this
|
|
|
|
|
* stage we check if the direction of this stream matches
|
|
|
|
|
* to that acceptable by the app parser. If it is not the
|
|
|
|
|
* acceptable direction we error out.
|
|
|
|
|
*/
|
|
|
|
|
if ((ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) &&
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
(first_data_dir) && !(first_data_dir & flags))
|
|
|
|
|
{
|
|
|
|
|
FlowSetSessionNoApplayerInspectionFlag(f);
|
|
|
|
|
StreamTcpSetStreamFlagAppProtoDetectionCompleted(&ssn->server);
|
|
|
|
|
StreamTcpSetStreamFlagAppProtoDetectionCompleted(&ssn->client);
|
|
|
|
|
goto failure;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (data_len > 0)
|
|
|
|
|
ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
|
|
|
|
|
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
PACKET_PROFILING_APP_START(app_tctx, *alproto_otherdir);
|
|
|
|
|
r = AppLayerParserParse(app_tctx->alp_tctx, f, *alproto_otherdir, flags,
|
|
|
|
|
data + data_al_so_far, data_len - data_al_so_far);
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
PACKET_PROFILING_APP_END(app_tctx, *alproto_otherdir);
|
|
|
|
|
if (FLOW_IS_PM_DONE(f, flags) && FLOW_IS_PP_DONE(f, flags)) {
|
|
|
|
|
AppLayerDecoderEventsSetEventRaw(p->app_layer_events,
|
|
|
|
|
APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION);
|
|
|
|
|
StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream);
|
|
|
|
|
f->data_al_so_far[dir] = 0;
|
|
|
|
|
} else {
|
|
|
|
|
f->data_al_so_far[dir] = data_len;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
|
|
|
|
|
FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT)) {
|
|
|
|
|
FlowSetSessionNoApplayerInspectionFlag(f);
|
|
|
|
|
StreamTcpSetStreamFlagAppProtoDetectionCompleted(&ssn->server);
|
|
|
|
|
StreamTcpSetStreamFlagAppProtoDetectionCompleted(&ssn->client);
|
|
|
|
|
ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
SCLogDebug("stream data (len %" PRIu32 " alproto "
|
|
|
|
|
"%"PRIu16" (flow %p)", data_len, f->alproto, f);
|
|
|
|
|
#ifdef PRINT
|
|
|
|
|
if (data_len > 0) {
|
|
|
|
|
printf("=> Stream Data (app layer) -- start %s%s\n",
|
|
|
|
|
flags & STREAM_TOCLIENT ? "toclient" : "",
|
|
|
|
|
flags & STREAM_TOSERVER ? "toserver" : "");
|
|
|
|
|
PrintRawDataFp(stdout, data, data_len);
|
|
|
|
|
printf("=> Stream Data -- end\n");
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
/* if we don't have a data object here we are not getting it
|
|
|
|
|
* a start msg should have gotten us one */
|
|
|
|
|
if (f->alproto != ALPROTO_UNKNOWN) {
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
PACKET_PROFILING_APP_START(app_tctx, f->alproto);
|
|
|
|
|
r = AppLayerParserParse(app_tctx->alp_tctx, f, f->alproto, flags, data, data_len);
|
|
|
|
|
PACKET_PROFILING_APP_END(app_tctx, f->alproto);
|
|
|
|
|
} else {
|
|
|
|
|
SCLogDebug(" smsg not start, but no l7 data? Weird");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** \fixme a bit hacky but will be improved in 2.1 */
|
|
|
|
|
HTPMemuseCounter(tv, ra_ctx);
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
goto end;
|
|
|
|
|
failure:
|
|
|
|
|
r = -1;
|
|
|
|
|
end:
|
|
|
|
|
SCReturnInt(r);
|
|
|
|
|
}
|
|
|
|
|
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
int AppLayerHandleTCPMsg(StreamMsg *smsg)
|
|
|
|
|
{
|
|
|
|
|
SCEnter();
|
|
|
|
|
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
TcpSession *ssn;
|
|
|
|
|
StreamMsg *cur;
|
|
|
|
|
|
|
|
|
|
#ifdef PRINT
|
|
|
|
|
printf("=> Stream Data (raw reassembly) -- start %s%s\n",
|
|
|
|
|
smsg->flags & STREAM_TOCLIENT ? "toclient" : "",
|
|
|
|
|
smsg->flags & STREAM_TOSERVER ? "toserver" : "");
|
|
|
|
|
PrintRawDataFp(stdout, smsg->data, smsg->data_len);
|
|
|
|
|
printf("=> Stream Data -- end\n");
|
|
|
|
|
#endif
|
|
|
|
|
SCLogDebug("smsg %p", smsg);
|
|
|
|
|
BUG_ON(smsg->flow == NULL);
|
|
|
|
|
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
ssn = smsg->flow->protoctx;
|
|
|
|
|
if (ssn != NULL) {
|
|
|
|
|
SCLogDebug("storing smsg %p in the tcp session", smsg);
|
|
|
|
|
|
|
|
|
|
/* store the smsg in the tcp stream */
|
|
|
|
|
if (smsg->flags & STREAM_TOSERVER) {
|
|
|
|
|
SCLogDebug("storing smsg in the to_server");
|
|
|
|
|
|
|
|
|
|
/* put the smsg in the stream list */
|
|
|
|
|
if (ssn->toserver_smsg_head == NULL) {
|
|
|
|
|
ssn->toserver_smsg_head = smsg;
|
|
|
|
|
ssn->toserver_smsg_tail = smsg;
|
|
|
|
|
smsg->next = NULL;
|
|
|
|
|
smsg->prev = NULL;
|
|
|
|
|
} else {
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
cur = ssn->toserver_smsg_tail;
|
|
|
|
|
cur->next = smsg;
|
|
|
|
|
smsg->prev = cur;
|
|
|
|
|
smsg->next = NULL;
|
|
|
|
|
ssn->toserver_smsg_tail = smsg;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
SCLogDebug("storing smsg in the to_client");
|
|
|
|
|
|
|
|
|
|
/* put the smsg in the stream list */
|
|
|
|
|
if (ssn->toclient_smsg_head == NULL) {
|
|
|
|
|
ssn->toclient_smsg_head = smsg;
|
|
|
|
|
ssn->toclient_smsg_tail = smsg;
|
|
|
|
|
smsg->next = NULL;
|
|
|
|
|
smsg->prev = NULL;
|
|
|
|
|
} else {
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
cur = ssn->toclient_smsg_tail;
|
|
|
|
|
cur->next = smsg;
|
|
|
|
|
smsg->prev = cur;
|
|
|
|
|
smsg->next = NULL;
|
|
|
|
|
ssn->toclient_smsg_tail = smsg;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
FlowDeReference(&smsg->flow);
|
|
|
|
|
} else { /* no ssn ptr */
|
|
|
|
|
/* if there is no ssn ptr we won't
|
|
|
|
|
* be inspecting this msg in detect
|
|
|
|
|
* so return it to the pool. */
|
|
|
|
|
|
|
|
|
|
FlowDeReference(&smsg->flow);
|
|
|
|
|
|
|
|
|
|
/* return the used message to the queue */
|
|
|
|
|
StreamMsgReturnToPool(smsg);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SCReturnInt(0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int AppLayerHandleUdp(AppLayerThreadCtx *tctx, Packet *p, Flow *f)
|
|
|
|
|
{
|
|
|
|
|
SCEnter();
|
|
|
|
|
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
int r = 0;
|
|
|
|
|
|
|
|
|
|
FLOWLOCK_WRLOCK(f);
|
|
|
|
|
|
|
|
|
|
uint8_t flags = 0;
|
|
|
|
|
if (p->flowflags & FLOW_PKT_TOSERVER) {
|
|
|
|
|
flags |= STREAM_TOSERVER;
|
|
|
|
|
} else {
|
|
|
|
|
flags |= STREAM_TOCLIENT;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* if we don't know the proto yet and we have received a stream
|
|
|
|
|
* initializer message, we run proto detection.
|
|
|
|
|
* We receive 2 stream init msgs (one for each direction) but we
|
|
|
|
|
* only run the proto detection once. */
|
|
|
|
|
if (f->alproto == ALPROTO_UNKNOWN && !(f->flags & FLOW_ALPROTO_DETECT_DONE)) {
|
|
|
|
|
SCLogDebug("Detecting AL proto on udp mesg (len %" PRIu32 ")",
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
p->payload_len);
|
|
|
|
|
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
PACKET_PROFILING_APP_PD_START(tctx);
|
|
|
|
|
f->alproto = AppLayerProtoDetectGetProto(tctx->alpd_tctx,
|
|
|
|
|
f,
|
|
|
|
|
p->payload, p->payload_len,
|
|
|
|
|
IPPROTO_UDP, flags);
|
|
|
|
|
PACKET_PROFILING_APP_PD_END(tctx);
|
|
|
|
|
|
|
|
|
|
if (f->alproto != ALPROTO_UNKNOWN) {
|
|
|
|
|
f->flags |= FLOW_ALPROTO_DETECT_DONE;
|
|
|
|
|
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
PACKET_PROFILING_APP_START(tctx, f->alproto);
|
|
|
|
|
r = AppLayerParserParse(tctx->alp_tctx,
|
|
|
|
|
f, f->alproto, flags,
|
|
|
|
|
p->payload, p->payload_len);
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
PACKET_PROFILING_APP_END(tctx, f->alproto);
|
|
|
|
|
} else {
|
|
|
|
|
f->flags |= FLOW_ALPROTO_DETECT_DONE;
|
|
|
|
|
SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
SCLogDebug("stream data (len %" PRIu32 " ), alproto "
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
"%"PRIu16" (flow %p)", p->payload_len, f->alproto, f);
|
|
|
|
|
|
|
|
|
|
/* if we don't have a data object here we are not getting it
|
|
|
|
|
* a start msg should have gotten us one */
|
|
|
|
|
if (f->alproto != ALPROTO_UNKNOWN) {
|
|
|
|
|
PACKET_PROFILING_APP_START(tctx, f->alproto);
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
r = AppLayerParserParse(tctx->alp_tctx,
|
|
|
|
|
f, f->alproto, flags,
|
|
|
|
|
p->payload, p->payload_len);
|
|
|
|
|
PACKET_PROFILING_APP_END(tctx, f->alproto);
|
|
|
|
|
} else {
|
|
|
|
|
SCLogDebug("udp session has started, but failed to detect alproto "
|
|
|
|
|
"for l7");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
FLOWLOCK_UNLOCK(f);
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
PACKET_PROFILING_APP_STORE(tctx, p);
|
|
|
|
|
SCReturnInt(r);
|
|
|
|
|
}
|
|
|
|
|
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
/***** Utility *****/
|
|
|
|
|
|
|
|
|
|
AppProto AppLayerGetProtoByName(char *alproto_name)
|
|
|
|
|
{
|
|
|
|
|
SCEnter();
|
|
|
|
|
SCReturnCT(AppLayerProtoDetectGetProtoByName(alproto_name), "AppProto");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
char *AppLayerGetProtoName(AppProto alproto)
|
|
|
|
|
{
|
|
|
|
|
SCEnter();
|
|
|
|
|
SCReturnCT(AppLayerProtoDetectGetProtoName(alproto), "char *");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void AppLayerListSupportedProtocols(void)
|
|
|
|
|
{
|
|
|
|
|
SCEnter();
|
|
|
|
|
|
|
|
|
|
AppProto alproto;
|
|
|
|
|
AppProto alprotos[ALPROTO_MAX];
|
|
|
|
|
|
|
|
|
|
AppLayerProtoDetectSupportedAppProtocols(alprotos);
|
|
|
|
|
|
|
|
|
|
printf("=========Supported App Layer Protocols=========\n");
|
|
|
|
|
for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
|
|
|
|
|
if (alprotos[alproto] == 1)
|
|
|
|
|
printf("%s\n", AppLayerGetProtoName(alproto));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SCReturn;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/***** Setup/General Registration *****/
|
|
|
|
|
|
|
|
|
|
int AppLayerSetup(void)
|
|
|
|
|
{
|
|
|
|
|
SCEnter();
|
|
|
|
|
|
|
|
|
|
AppLayerProtoDetectSetup();
|
|
|
|
|
AppLayerParserSetup();
|
|
|
|
|
|
|
|
|
|
AppLayerParserRegisterProtocolParsers();
|
|
|
|
|
AppLayerProtoDetectPrepareState();
|
|
|
|
|
|
|
|
|
|
SCReturnInt(0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int AppLayerDeSetup(void)
|
|
|
|
|
{
|
|
|
|
|
SCEnter();
|
|
|
|
|
|
|
|
|
|
AppLayerProtoDetectDeSetup();
|
|
|
|
|
AppLayerParserDeSetup();
|
|
|
|
|
|
|
|
|
|
SCReturnInt(0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
AppLayerThreadCtx *AppLayerGetCtxThread(void)
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
{
|
|
|
|
|
SCEnter();
|
|
|
|
|
|
|
|
|
|
AppLayerThreadCtx *app_tctx = SCMalloc(sizeof(*app_tctx));
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
if (app_tctx == NULL)
|
|
|
|
|
goto error;
|
|
|
|
|
memset(app_tctx, 0, sizeof(*app_tctx));
|
|
|
|
|
|
|
|
|
|
if ((app_tctx->alpd_tctx = AppLayerProtoDetectGetCtxThread()) == NULL)
|
|
|
|
|
goto error;
|
|
|
|
|
if ((app_tctx->alp_tctx = AppLayerParserThreadCtxAlloc()) == NULL)
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
goto error;
|
|
|
|
|
|
|
|
|
|
goto done;
|
|
|
|
|
error:
|
|
|
|
|
AppLayerDestroyCtxThread(app_tctx);
|
|
|
|
|
app_tctx = NULL;
|
|
|
|
|
done:
|
|
|
|
|
SCReturnPtr(app_tctx, "void *");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
{
|
|
|
|
|
SCEnter();
|
|
|
|
|
|
|
|
|
|
if (app_tctx == NULL)
|
|
|
|
|
SCReturn;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
|
|
|
|
|
if (app_tctx->alpd_tctx != NULL)
|
|
|
|
|
AppLayerProtoDetectDestroyCtxThread(app_tctx->alpd_tctx);
|
|
|
|
|
if (app_tctx->alp_tctx != NULL)
|
|
|
|
|
AppLayerParserThreadCtxFree(app_tctx->alp_tctx);
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
SCFree(app_tctx);
|
|
|
|
|
|
|
|
|
|
SCReturn;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* profiling */
|
|
|
|
|
|
|
|
|
|
void AppLayerProfilingReset(AppLayerThreadCtx *app_tctx) {
|
|
|
|
|
#ifdef PROFILING
|
|
|
|
|
PACKET_PROFILING_APP_RESET(app_tctx);
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void AppLayerProfilingStore(AppLayerThreadCtx *app_tctx, Packet *p) {
|
|
|
|
|
#ifdef PROFILING
|
|
|
|
|
PACKET_PROFILING_APP_STORE(app_tctx, p);
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
/***** Unittests *****/
|
|
|
|
|
|
|
|
|
|
#ifdef UNITTESTS
|
|
|
|
|
|
|
|
|
|
#include "stream-tcp.h"
|
|
|
|
|
#include "stream-tcp-private.h"
|
|
|
|
|
#include "stream-tcp-reassemble.h"
|
|
|
|
|
#include "stream-tcp-inline.h"
|
|
|
|
|
#include "stream-tcp-util.h"
|
|
|
|
|
#include "stream.h"
|
|
|
|
|
#include "util-unittest.h"
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \test GET -> HTTP/1.1
|
|
|
|
|
*/
|
|
|
|
|
static int AppLayerTest01(void)
|
|
|
|
|
{
|
|
|
|
|
Packet *p = SCMalloc(SIZE_OF_PACKET);
|
|
|
|
|
if (unlikely(p == NULL))
|
|
|
|
|
return 0;
|
|
|
|
|
Flow f;
|
|
|
|
|
ThreadVars tv;
|
|
|
|
|
StreamTcpThread *stt = NULL;
|
|
|
|
|
TCPHdr tcph;
|
|
|
|
|
PacketQueue pq;
|
|
|
|
|
memset(&pq,0,sizeof(PacketQueue));
|
|
|
|
|
memset(p, 0, SIZE_OF_PACKET);
|
|
|
|
|
memset (&f, 0, sizeof(Flow));
|
|
|
|
|
memset(&tv, 0, sizeof (ThreadVars));
|
|
|
|
|
StreamTcpThreadInit(&tv, NULL, (void **)&stt);
|
|
|
|
|
memset(&tcph, 0, sizeof (TCPHdr));
|
|
|
|
|
|
|
|
|
|
f.flags = FLOW_IPV4;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.proto = IPPROTO_TCP;
|
|
|
|
|
p->flow = &f;
|
|
|
|
|
p->tcph = &tcph;
|
|
|
|
|
|
|
|
|
|
int ret = 0;
|
|
|
|
|
|
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
|
|
|
|
|
|
tcph.th_win = htons(5480);
|
|
|
|
|
tcph.th_flags = TH_SYN;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
TcpSession *ssn = (TcpSession *)f.protoctx;
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 1\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_SYN | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 2\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 3\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* full request */
|
|
|
|
|
uint8_t request[] = {
|
|
|
|
|
0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
|
|
|
|
|
0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
|
|
|
|
|
0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
|
|
|
|
|
0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
|
|
|
|
|
0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
|
|
|
|
|
0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
|
|
|
|
|
0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
|
|
|
|
|
0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
|
|
|
|
|
0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
|
|
|
|
|
0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
|
|
|
|
|
0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = sizeof(request);
|
|
|
|
|
p->payload = request;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != STREAM_TOSERVER) {
|
|
|
|
|
printf("failure 4\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* full response - request ack */
|
|
|
|
|
uint8_t response[] = {
|
|
|
|
|
0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
|
|
|
|
|
0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
|
|
|
|
|
0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
|
|
|
|
|
0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
|
|
|
|
|
0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
|
|
|
|
|
0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
|
|
|
|
|
0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
|
|
|
|
|
0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
|
|
|
|
|
0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
|
|
|
|
|
0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
|
|
|
|
|
0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
|
|
|
|
|
0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
|
|
|
|
|
0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
|
|
|
|
|
0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
|
|
|
|
|
0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
|
|
|
|
|
0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
|
|
|
|
|
0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
|
|
|
|
|
0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
|
|
|
|
|
0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
|
|
|
|
|
0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
|
|
|
|
|
0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
|
|
|
|
|
0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
|
|
|
|
|
0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
|
|
|
|
|
0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
|
|
|
|
|
0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
|
|
|
|
|
0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
|
|
|
|
|
0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
|
|
|
|
|
0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
|
|
|
|
|
0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
|
|
|
|
|
0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
|
|
|
|
|
0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
|
|
|
|
|
0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
|
|
|
|
|
0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
|
|
|
|
|
0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
|
|
|
|
|
0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
|
|
|
|
|
0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
|
|
|
|
|
0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
|
|
|
|
|
0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
|
|
|
|
|
0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
|
|
|
|
|
0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
|
|
|
|
|
0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
|
|
|
|
|
p->tcph->th_ack = htonl(88);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->payload_len = sizeof(response);
|
|
|
|
|
p->payload = response;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_HTTP ||
|
|
|
|
|
f.alproto_ts != ALPROTO_HTTP ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
|
|
|
|
|
printf("failure 5\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* response ack */
|
|
|
|
|
p->tcph->th_ack = htonl(328);
|
|
|
|
|
p->tcph->th_seq = htonl(88);
|
|
|
|
|
p->tcph->th_flags = TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_HTTP ||
|
|
|
|
|
f.alproto_ts != ALPROTO_HTTP ||
|
|
|
|
|
f.alproto_tc != ALPROTO_HTTP ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
|
|
|
|
|
printf("failure 6\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
StreamTcpSessionClear(p->flow->protoctx);
|
|
|
|
|
|
|
|
|
|
ret = 1;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
end:
|
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
|
|
|
SCFree(p);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \test GE -> T -> HTTP/1.1
|
|
|
|
|
*/
|
|
|
|
|
static int AppLayerTest02(void)
|
|
|
|
|
{
|
|
|
|
|
Packet *p = SCMalloc(SIZE_OF_PACKET);
|
|
|
|
|
if (unlikely(p == NULL))
|
|
|
|
|
return 0;
|
|
|
|
|
Flow f;
|
|
|
|
|
ThreadVars tv;
|
|
|
|
|
StreamTcpThread *stt = NULL;
|
|
|
|
|
TCPHdr tcph;
|
|
|
|
|
PacketQueue pq;
|
|
|
|
|
memset(&pq,0,sizeof(PacketQueue));
|
|
|
|
|
memset(p, 0, SIZE_OF_PACKET);
|
|
|
|
|
memset (&f, 0, sizeof(Flow));
|
|
|
|
|
memset(&tv, 0, sizeof (ThreadVars));
|
|
|
|
|
StreamTcpThreadInit(&tv, NULL, (void **)&stt);
|
|
|
|
|
memset(&tcph, 0, sizeof (TCPHdr));
|
|
|
|
|
|
|
|
|
|
f.flags = FLOW_IPV4;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.proto = IPPROTO_TCP;
|
|
|
|
|
p->flow = &f;
|
|
|
|
|
p->tcph = &tcph;
|
|
|
|
|
|
|
|
|
|
int ret = 0;
|
|
|
|
|
|
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
tcph.th_win = htons(5480);
|
|
|
|
|
tcph.th_flags = TH_SYN;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
TcpSession *ssn = (TcpSession *)f.protoctx;
|
|
|
|
|
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 1\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_SYN | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 2\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 3\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* partial request */
|
|
|
|
|
uint8_t request1[] = { 0x47, 0x45, };
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = sizeof(request1);
|
|
|
|
|
p->payload = request1;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != STREAM_TOSERVER) {
|
|
|
|
|
printf("failure 4\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* response ack against partial request */
|
|
|
|
|
p->tcph->th_ack = htonl(3);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || !FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != STREAM_TOSERVER) {
|
|
|
|
|
printf("failure 5\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* complete partial request */
|
|
|
|
|
uint8_t request2[] = {
|
|
|
|
|
0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
|
|
|
|
|
0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
|
|
|
|
|
0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
|
|
|
|
|
0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
|
|
|
|
|
0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
|
|
|
|
|
0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
|
|
|
|
|
0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
|
|
|
|
|
0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
|
|
|
|
|
0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
|
|
|
|
|
0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
|
|
|
|
|
0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_seq = htonl(3);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = sizeof(request2);
|
|
|
|
|
p->payload = request2;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || !FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != STREAM_TOSERVER) {
|
|
|
|
|
printf("failure 6\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* response - request ack */
|
|
|
|
|
uint8_t response[] = {
|
|
|
|
|
0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
|
|
|
|
|
0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
|
|
|
|
|
0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
|
|
|
|
|
0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
|
|
|
|
|
0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
|
|
|
|
|
0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
|
|
|
|
|
0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
|
|
|
|
|
0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
|
|
|
|
|
0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
|
|
|
|
|
0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
|
|
|
|
|
0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
|
|
|
|
|
0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
|
|
|
|
|
0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
|
|
|
|
|
0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
|
|
|
|
|
0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
|
|
|
|
|
0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
|
|
|
|
|
0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
|
|
|
|
|
0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
|
|
|
|
|
0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
|
|
|
|
|
0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
|
|
|
|
|
0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
|
|
|
|
|
0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
|
|
|
|
|
0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
|
|
|
|
|
0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
|
|
|
|
|
0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
|
|
|
|
|
0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
|
|
|
|
|
0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
|
|
|
|
|
0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
|
|
|
|
|
0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
|
|
|
|
|
0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
|
|
|
|
|
0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
|
|
|
|
|
0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
|
|
|
|
|
0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
|
|
|
|
|
0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
|
|
|
|
|
0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
|
|
|
|
|
0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
|
|
|
|
|
0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
|
|
|
|
|
0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
|
|
|
|
|
0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
|
|
|
|
|
0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
|
|
|
|
|
0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
|
|
|
|
|
p->tcph->th_ack = htonl(88);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->payload_len = sizeof(response);
|
|
|
|
|
p->payload = response;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_HTTP ||
|
|
|
|
|
f.alproto_ts != ALPROTO_HTTP ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || !FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
|
|
|
|
|
printf("failure 7\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* response ack */
|
|
|
|
|
p->tcph->th_ack = htonl(328);
|
|
|
|
|
p->tcph->th_seq = htonl(88);
|
|
|
|
|
p->tcph->th_flags = TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_HTTP ||
|
|
|
|
|
f.alproto_ts != ALPROTO_HTTP ||
|
|
|
|
|
f.alproto_tc != ALPROTO_HTTP ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || !FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
|
|
|
|
|
printf("failure 8\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
StreamTcpSessionClear(p->flow->protoctx);
|
|
|
|
|
|
|
|
|
|
ret = 1;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
end:
|
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
|
|
|
SCFree(p);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \test GET -> RUBBISH(PM AND PP DONE IN ONE GO)
|
|
|
|
|
*/
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
static int AppLayerTest03(void)
|
|
|
|
|
{
|
|
|
|
|
Packet *p = SCMalloc(SIZE_OF_PACKET);
|
|
|
|
|
if (unlikely(p == NULL))
|
|
|
|
|
return 0;
|
|
|
|
|
Flow f;
|
|
|
|
|
ThreadVars tv;
|
|
|
|
|
StreamTcpThread *stt = NULL;
|
|
|
|
|
TCPHdr tcph;
|
|
|
|
|
PacketQueue pq;
|
|
|
|
|
memset(&pq,0,sizeof(PacketQueue));
|
|
|
|
|
memset(p, 0, SIZE_OF_PACKET);
|
|
|
|
|
memset (&f, 0, sizeof(Flow));
|
|
|
|
|
memset(&tv, 0, sizeof (ThreadVars));
|
|
|
|
|
StreamTcpThreadInit(&tv, NULL, (void **)&stt);
|
|
|
|
|
memset(&tcph, 0, sizeof (TCPHdr));
|
|
|
|
|
|
|
|
|
|
f.flags = FLOW_IPV4;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.proto = IPPROTO_TCP;
|
|
|
|
|
p->flow = &f;
|
|
|
|
|
p->tcph = &tcph;
|
|
|
|
|
|
|
|
|
|
int ret = 0;
|
|
|
|
|
|
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
|
|
|
|
|
|
tcph.th_win = htons(5480);
|
|
|
|
|
tcph.th_flags = TH_SYN;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
TcpSession *ssn = (TcpSession *)f.protoctx;
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 1\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_SYN | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 2\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 3\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* request */
|
|
|
|
|
uint8_t request[] = {
|
|
|
|
|
0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
|
|
|
|
|
0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
|
|
|
|
|
0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
|
|
|
|
|
0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
|
|
|
|
|
0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
|
|
|
|
|
0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
|
|
|
|
|
0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
|
|
|
|
|
0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
|
|
|
|
|
0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
|
|
|
|
|
0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
|
|
|
|
|
0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = sizeof(request);
|
|
|
|
|
p->payload = request;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != STREAM_TOSERVER) {
|
|
|
|
|
printf("failure 4\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* rubbish response */
|
|
|
|
|
uint8_t response[] = {
|
|
|
|
|
0x58, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
|
|
|
|
|
0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
|
|
|
|
|
0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
|
|
|
|
|
0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
|
|
|
|
|
0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
|
|
|
|
|
0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
|
|
|
|
|
0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
|
|
|
|
|
0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
|
|
|
|
|
0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
|
|
|
|
|
0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
|
|
|
|
|
0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
|
|
|
|
|
0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
|
|
|
|
|
0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
|
|
|
|
|
0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
|
|
|
|
|
0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
|
|
|
|
|
0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
|
|
|
|
|
0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
|
|
|
|
|
0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
|
|
|
|
|
0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
|
|
|
|
|
0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
|
|
|
|
|
0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
|
|
|
|
|
0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
|
|
|
|
|
0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
|
|
|
|
|
0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
|
|
|
|
|
0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
|
|
|
|
|
0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
|
|
|
|
|
0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
|
|
|
|
|
0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
|
|
|
|
|
0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
|
|
|
|
|
0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
|
|
|
|
|
0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
|
|
|
|
|
0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
|
|
|
|
|
0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
|
|
|
|
|
0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
|
|
|
|
|
0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
|
|
|
|
|
0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
|
|
|
|
|
0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
|
|
|
|
|
0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
|
|
|
|
|
0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
|
|
|
|
|
0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
|
|
|
|
|
0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
|
|
|
|
|
p->tcph->th_ack = htonl(88);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->payload_len = sizeof(response);
|
|
|
|
|
p->payload = response;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_HTTP ||
|
|
|
|
|
f.alproto_ts != ALPROTO_HTTP ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
|
|
|
|
|
printf("failure 5\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* response ack */
|
|
|
|
|
p->tcph->th_ack = htonl(328);
|
|
|
|
|
p->tcph->th_seq = htonl(88);
|
|
|
|
|
p->tcph->th_flags = TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_HTTP ||
|
|
|
|
|
f.alproto_ts != ALPROTO_HTTP ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || !FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
|
|
|
|
|
printf("failure 6\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
StreamTcpSessionClear(p->flow->protoctx);
|
|
|
|
|
|
|
|
|
|
ret = 1;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
end:
|
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
|
|
|
SCFree(p);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \test GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE).
|
|
|
|
|
*/
|
|
|
|
|
static int AppLayerTest04(void)
|
|
|
|
|
{
|
|
|
|
|
Packet *p = SCMalloc(SIZE_OF_PACKET);
|
|
|
|
|
if (unlikely(p == NULL))
|
|
|
|
|
return 0;
|
|
|
|
|
Flow f;
|
|
|
|
|
ThreadVars tv;
|
|
|
|
|
StreamTcpThread *stt = NULL;
|
|
|
|
|
TCPHdr tcph;
|
|
|
|
|
PacketQueue pq;
|
|
|
|
|
memset(&pq,0,sizeof(PacketQueue));
|
|
|
|
|
memset(p, 0, SIZE_OF_PACKET);
|
|
|
|
|
memset (&f, 0, sizeof(Flow));
|
|
|
|
|
memset(&tv, 0, sizeof (ThreadVars));
|
|
|
|
|
StreamTcpThreadInit(&tv, NULL, (void **)&stt);
|
|
|
|
|
memset(&tcph, 0, sizeof (TCPHdr));
|
|
|
|
|
|
|
|
|
|
f.flags = FLOW_IPV4;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.proto = IPPROTO_TCP;
|
|
|
|
|
p->flow = &f;
|
|
|
|
|
p->tcph = &tcph;
|
|
|
|
|
|
|
|
|
|
int ret = 0;
|
|
|
|
|
|
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
tcph.th_win = htons(5480);
|
|
|
|
|
tcph.th_flags = TH_SYN;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
TcpSession *ssn = (TcpSession *)f.protoctx;
|
|
|
|
|
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 1\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_SYN | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 2\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 3\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* request */
|
|
|
|
|
uint8_t request[] = {
|
|
|
|
|
0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
|
|
|
|
|
0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
|
|
|
|
|
0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
|
|
|
|
|
0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
|
|
|
|
|
0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
|
|
|
|
|
0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
|
|
|
|
|
0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
|
|
|
|
|
0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
|
|
|
|
|
0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
|
|
|
|
|
0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
|
|
|
|
|
0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = sizeof(request);
|
|
|
|
|
p->payload = request;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != STREAM_TOSERVER) {
|
|
|
|
|
printf("failure 4\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* partial response */
|
|
|
|
|
uint8_t response1[] = { 0x58, 0x54, 0x54, 0x50, };
|
|
|
|
|
p->tcph->th_ack = htonl(88);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->payload_len = sizeof(response1);
|
|
|
|
|
p->payload = response1;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_HTTP ||
|
|
|
|
|
f.alproto_ts != ALPROTO_HTTP ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
|
|
|
|
|
printf("failure 5\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* partial response ack */
|
|
|
|
|
p->tcph->th_ack = htonl(5);
|
|
|
|
|
p->tcph->th_seq = htonl(88);
|
|
|
|
|
p->tcph->th_flags = TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_HTTP ||
|
|
|
|
|
f.alproto_ts != ALPROTO_HTTP ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 4 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || !FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
|
|
|
|
|
printf("failure 6\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* remaining response */
|
|
|
|
|
uint8_t response2[] = {
|
|
|
|
|
0x2f, 0x31, 0x2e, 0x31,
|
|
|
|
|
0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
|
|
|
|
|
0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
|
|
|
|
|
0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
|
|
|
|
|
0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
|
|
|
|
|
0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
|
|
|
|
|
0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
|
|
|
|
|
0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
|
|
|
|
|
0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
|
|
|
|
|
0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
|
|
|
|
|
0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
|
|
|
|
|
0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
|
|
|
|
|
0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
|
|
|
|
|
0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
|
|
|
|
|
0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
|
|
|
|
|
0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
|
|
|
|
|
0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
|
|
|
|
|
0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
|
|
|
|
|
0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
|
|
|
|
|
0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
|
|
|
|
|
0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
|
|
|
|
|
0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
|
|
|
|
|
0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
|
|
|
|
|
0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
|
|
|
|
|
0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
|
|
|
|
|
0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
|
|
|
|
|
0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
|
|
|
|
|
0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
|
|
|
|
|
0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
|
|
|
|
|
0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
|
|
|
|
|
0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
|
|
|
|
|
0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
|
|
|
|
|
0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
|
|
|
|
|
0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
|
|
|
|
|
0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
|
|
|
|
|
0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
|
|
|
|
|
0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
|
|
|
|
|
0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
|
|
|
|
|
0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
|
|
|
|
|
0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
|
|
|
|
|
0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
|
|
|
|
|
p->tcph->th_ack = htonl(88);
|
|
|
|
|
p->tcph->th_seq = htonl(5);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->payload_len = sizeof(response2);
|
|
|
|
|
p->payload = response2;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_HTTP ||
|
|
|
|
|
f.alproto_ts != ALPROTO_HTTP ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 4 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || !FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
|
|
|
|
|
printf("failure 7\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* response ack */
|
|
|
|
|
p->tcph->th_ack = htonl(328);
|
|
|
|
|
p->tcph->th_seq = htonl(88);
|
|
|
|
|
p->tcph->th_flags = TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_HTTP ||
|
|
|
|
|
f.alproto_ts != ALPROTO_HTTP ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || !FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
|
|
|
|
|
printf("failure 8\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
StreamTcpSessionClear(p->flow->protoctx);
|
|
|
|
|
|
|
|
|
|
ret = 1;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
end:
|
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
|
|
|
SCFree(p);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \test RUBBISH -> HTTP/1.1
|
|
|
|
|
*/
|
|
|
|
|
static int AppLayerTest05(void)
|
|
|
|
|
{
|
|
|
|
|
Packet *p = SCMalloc(SIZE_OF_PACKET);
|
|
|
|
|
if (unlikely(p == NULL))
|
|
|
|
|
return 0;
|
|
|
|
|
Flow f;
|
|
|
|
|
ThreadVars tv;
|
|
|
|
|
StreamTcpThread *stt = NULL;
|
|
|
|
|
TCPHdr tcph;
|
|
|
|
|
PacketQueue pq;
|
|
|
|
|
memset(&pq,0,sizeof(PacketQueue));
|
|
|
|
|
memset(p, 0, SIZE_OF_PACKET);
|
|
|
|
|
memset (&f, 0, sizeof(Flow));
|
|
|
|
|
memset(&tv, 0, sizeof (ThreadVars));
|
|
|
|
|
StreamTcpThreadInit(&tv, NULL, (void **)&stt);
|
|
|
|
|
memset(&tcph, 0, sizeof (TCPHdr));
|
|
|
|
|
|
|
|
|
|
f.flags = FLOW_IPV4;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.proto = IPPROTO_TCP;
|
|
|
|
|
p->flow = &f;
|
|
|
|
|
p->tcph = &tcph;
|
|
|
|
|
|
|
|
|
|
int ret = 0;
|
|
|
|
|
|
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
|
|
|
|
|
|
tcph.th_win = htons(5480);
|
|
|
|
|
tcph.th_flags = TH_SYN;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
TcpSession *ssn = (TcpSession *)f.protoctx;
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 1\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_SYN | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 2\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 3\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* full request */
|
|
|
|
|
uint8_t request[] = {
|
|
|
|
|
0x48, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
|
|
|
|
|
0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
|
|
|
|
|
0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
|
|
|
|
|
0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
|
|
|
|
|
0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
|
|
|
|
|
0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
|
|
|
|
|
0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
|
|
|
|
|
0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
|
|
|
|
|
0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
|
|
|
|
|
0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
|
|
|
|
|
0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = sizeof(request);
|
|
|
|
|
p->payload = request;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != STREAM_TOSERVER) {
|
|
|
|
|
printf("failure 4\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* full response - request ack */
|
|
|
|
|
uint8_t response[] = {
|
|
|
|
|
0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
|
|
|
|
|
0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
|
|
|
|
|
0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
|
|
|
|
|
0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
|
|
|
|
|
0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
|
|
|
|
|
0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
|
|
|
|
|
0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
|
|
|
|
|
0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
|
|
|
|
|
0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
|
|
|
|
|
0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
|
|
|
|
|
0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
|
|
|
|
|
0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
|
|
|
|
|
0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
|
|
|
|
|
0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
|
|
|
|
|
0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
|
|
|
|
|
0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
|
|
|
|
|
0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
|
|
|
|
|
0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
|
|
|
|
|
0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
|
|
|
|
|
0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
|
|
|
|
|
0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
|
|
|
|
|
0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
|
|
|
|
|
0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
|
|
|
|
|
0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
|
|
|
|
|
0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
|
|
|
|
|
0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
|
|
|
|
|
0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
|
|
|
|
|
0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
|
|
|
|
|
0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
|
|
|
|
|
0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
|
|
|
|
|
0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
|
|
|
|
|
0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
|
|
|
|
|
0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
|
|
|
|
|
0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
|
|
|
|
|
0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
|
|
|
|
|
0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
|
|
|
|
|
0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
|
|
|
|
|
0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
|
|
|
|
|
0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
|
|
|
|
|
0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
|
|
|
|
|
0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
|
|
|
|
|
p->tcph->th_ack = htonl(88);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->payload_len = sizeof(response);
|
|
|
|
|
p->payload = response;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || !FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != STREAM_TOSERVER) {
|
|
|
|
|
printf("failure 5\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* response ack */
|
|
|
|
|
p->tcph->th_ack = htonl(328);
|
|
|
|
|
p->tcph->th_seq = htonl(88);
|
|
|
|
|
p->tcph->th_flags = TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_HTTP ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_HTTP ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || !FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
|
|
|
|
|
printf("failure 6\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
StreamTcpSessionClear(p->flow->protoctx);
|
|
|
|
|
|
|
|
|
|
ret = 1;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
end:
|
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
|
|
|
SCFree(p);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \test HTTP/1.1 -> GET
|
|
|
|
|
*/
|
|
|
|
|
static int AppLayerTest06(void)
|
|
|
|
|
{
|
|
|
|
|
Packet *p = SCMalloc(SIZE_OF_PACKET);
|
|
|
|
|
if (unlikely(p == NULL))
|
|
|
|
|
return 0;
|
|
|
|
|
Flow f;
|
|
|
|
|
ThreadVars tv;
|
|
|
|
|
StreamTcpThread *stt = NULL;
|
|
|
|
|
TCPHdr tcph;
|
|
|
|
|
PacketQueue pq;
|
|
|
|
|
memset(&pq,0,sizeof(PacketQueue));
|
|
|
|
|
memset(p, 0, SIZE_OF_PACKET);
|
|
|
|
|
memset (&f, 0, sizeof(Flow));
|
|
|
|
|
memset(&tv, 0, sizeof (ThreadVars));
|
|
|
|
|
StreamTcpThreadInit(&tv, NULL, (void **)&stt);
|
|
|
|
|
memset(&tcph, 0, sizeof (TCPHdr));
|
|
|
|
|
|
|
|
|
|
f.flags = FLOW_IPV4;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.proto = IPPROTO_TCP;
|
|
|
|
|
p->flow = &f;
|
|
|
|
|
p->tcph = &tcph;
|
|
|
|
|
|
|
|
|
|
int ret = 0;
|
|
|
|
|
|
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
|
|
|
|
|
|
tcph.th_win = htons(5480);
|
|
|
|
|
tcph.th_flags = TH_SYN;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
TcpSession *ssn = (TcpSession *)f.protoctx;
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 1\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_SYN | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 2\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 3\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* full response - request ack */
|
|
|
|
|
uint8_t response[] = {
|
|
|
|
|
0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
|
|
|
|
|
0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
|
|
|
|
|
0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
|
|
|
|
|
0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
|
|
|
|
|
0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
|
|
|
|
|
0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
|
|
|
|
|
0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
|
|
|
|
|
0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
|
|
|
|
|
0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
|
|
|
|
|
0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
|
|
|
|
|
0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
|
|
|
|
|
0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
|
|
|
|
|
0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
|
|
|
|
|
0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
|
|
|
|
|
0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
|
|
|
|
|
0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
|
|
|
|
|
0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
|
|
|
|
|
0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
|
|
|
|
|
0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
|
|
|
|
|
0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
|
|
|
|
|
0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
|
|
|
|
|
0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
|
|
|
|
|
0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
|
|
|
|
|
0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
|
|
|
|
|
0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
|
|
|
|
|
0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
|
|
|
|
|
0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
|
|
|
|
|
0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
|
|
|
|
|
0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
|
|
|
|
|
0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
|
|
|
|
|
0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
|
|
|
|
|
0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
|
|
|
|
|
0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
|
|
|
|
|
0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
|
|
|
|
|
0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
|
|
|
|
|
0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
|
|
|
|
|
0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
|
|
|
|
|
0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
|
|
|
|
|
0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
|
|
|
|
|
0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
|
|
|
|
|
0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->payload_len = sizeof(response);
|
|
|
|
|
p->payload = response;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != STREAM_TOCLIENT) {
|
|
|
|
|
printf("failure 4\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* full request - response ack*/
|
|
|
|
|
uint8_t request[] = {
|
|
|
|
|
0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
|
|
|
|
|
0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
|
|
|
|
|
0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
|
|
|
|
|
0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
|
|
|
|
|
0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
|
|
|
|
|
0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
|
|
|
|
|
0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
|
|
|
|
|
0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
|
|
|
|
|
0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
|
|
|
|
|
0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
|
|
|
|
|
0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
|
|
|
|
|
p->tcph->th_ack = htonl(328);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = sizeof(request);
|
|
|
|
|
p->payload = request;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_HTTP ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_HTTP ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
!(f.flags & FLOW_NO_APPLAYER_INSPECTION) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
|
|
|
|
|
printf("failure 5\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
StreamTcpSessionClear(p->flow->protoctx);
|
|
|
|
|
|
|
|
|
|
ret = 1;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
end:
|
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
|
|
|
SCFree(p);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \test GET -> DCERPC
|
|
|
|
|
*/
|
|
|
|
|
static int AppLayerTest07(void)
|
|
|
|
|
{
|
|
|
|
|
Packet *p = SCMalloc(SIZE_OF_PACKET);
|
|
|
|
|
if (unlikely(p == NULL))
|
|
|
|
|
return 0;
|
|
|
|
|
Flow f;
|
|
|
|
|
ThreadVars tv;
|
|
|
|
|
StreamTcpThread *stt = NULL;
|
|
|
|
|
TCPHdr tcph;
|
|
|
|
|
PacketQueue pq;
|
|
|
|
|
memset(&pq,0,sizeof(PacketQueue));
|
|
|
|
|
memset(p, 0, SIZE_OF_PACKET);
|
|
|
|
|
memset (&f, 0, sizeof(Flow));
|
|
|
|
|
memset(&tv, 0, sizeof (ThreadVars));
|
|
|
|
|
StreamTcpThreadInit(&tv, NULL, (void **)&stt);
|
|
|
|
|
memset(&tcph, 0, sizeof (TCPHdr));
|
|
|
|
|
|
|
|
|
|
f.flags = FLOW_IPV4;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.proto = IPPROTO_TCP;
|
|
|
|
|
p->flow = &f;
|
|
|
|
|
p->tcph = &tcph;
|
|
|
|
|
|
|
|
|
|
int ret = 0;
|
|
|
|
|
|
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
|
|
|
|
|
|
tcph.th_win = htons(5480);
|
|
|
|
|
tcph.th_flags = TH_SYN;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
TcpSession *ssn = (TcpSession *)f.protoctx;
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 1\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_SYN | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 2\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 3\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* full request */
|
|
|
|
|
uint8_t request[] = {
|
|
|
|
|
0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
|
|
|
|
|
0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
|
|
|
|
|
0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
|
|
|
|
|
0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
|
|
|
|
|
0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
|
|
|
|
|
0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
|
|
|
|
|
0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
|
|
|
|
|
0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
|
|
|
|
|
0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
|
|
|
|
|
0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
|
|
|
|
|
0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = sizeof(request);
|
|
|
|
|
p->payload = request;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != STREAM_TOSERVER) {
|
|
|
|
|
printf("failure 4\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* full response - request ack */
|
|
|
|
|
uint8_t response[] = {
|
|
|
|
|
0x05, 0x00, 0x4d, 0x42, 0x2f, 0x31, 0x2e, 0x31,
|
|
|
|
|
0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
|
|
|
|
|
0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
|
|
|
|
|
0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
|
|
|
|
|
0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
|
|
|
|
|
0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
|
|
|
|
|
0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
|
|
|
|
|
0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
|
|
|
|
|
0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
|
|
|
|
|
0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
|
|
|
|
|
0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
|
|
|
|
|
0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
|
|
|
|
|
0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
|
|
|
|
|
0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
|
|
|
|
|
0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
|
|
|
|
|
0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
|
|
|
|
|
0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
|
|
|
|
|
0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
|
|
|
|
|
0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
|
|
|
|
|
0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
|
|
|
|
|
0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
|
|
|
|
|
0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
|
|
|
|
|
0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
|
|
|
|
|
0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
|
|
|
|
|
0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
|
|
|
|
|
0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
|
|
|
|
|
0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
|
|
|
|
|
0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
|
|
|
|
|
0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
|
|
|
|
|
0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
|
|
|
|
|
0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
|
|
|
|
|
0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
|
|
|
|
|
0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
|
|
|
|
|
0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
|
|
|
|
|
0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
|
|
|
|
|
0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
|
|
|
|
|
0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
|
|
|
|
|
0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
|
|
|
|
|
0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
|
|
|
|
|
0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
|
|
|
|
|
0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
|
|
|
|
|
p->tcph->th_ack = htonl(88);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->payload_len = sizeof(response);
|
|
|
|
|
p->payload = response;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_HTTP ||
|
|
|
|
|
f.alproto_ts != ALPROTO_HTTP ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
|
|
|
|
|
printf("failure 5\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* response ack */
|
|
|
|
|
p->tcph->th_ack = htonl(328);
|
|
|
|
|
p->tcph->th_seq = htonl(88);
|
|
|
|
|
p->tcph->th_flags = TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_HTTP ||
|
|
|
|
|
f.alproto_ts != ALPROTO_HTTP ||
|
|
|
|
|
f.alproto_tc != ALPROTO_HTTP ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
(f.flags & FLOW_NO_APPLAYER_INSPECTION) ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
|
|
|
|
|
printf("failure 6\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
StreamTcpSessionClear(p->flow->protoctx);
|
|
|
|
|
|
|
|
|
|
ret = 1;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
end:
|
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
|
|
|
SCFree(p);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \test SMB -> HTTP/1.1
|
|
|
|
|
*/
|
|
|
|
|
static int AppLayerTest08(void)
|
|
|
|
|
{
|
|
|
|
|
Packet *p = SCMalloc(SIZE_OF_PACKET);
|
|
|
|
|
if (unlikely(p == NULL))
|
|
|
|
|
return 0;
|
|
|
|
|
Flow f;
|
|
|
|
|
ThreadVars tv;
|
|
|
|
|
StreamTcpThread *stt = NULL;
|
|
|
|
|
TCPHdr tcph;
|
|
|
|
|
PacketQueue pq;
|
|
|
|
|
memset(&pq,0,sizeof(PacketQueue));
|
|
|
|
|
memset(p, 0, SIZE_OF_PACKET);
|
|
|
|
|
memset (&f, 0, sizeof(Flow));
|
|
|
|
|
memset(&tv, 0, sizeof (ThreadVars));
|
|
|
|
|
StreamTcpThreadInit(&tv, NULL, (void **)&stt);
|
|
|
|
|
memset(&tcph, 0, sizeof (TCPHdr));
|
|
|
|
|
|
|
|
|
|
f.flags = FLOW_IPV4;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.proto = IPPROTO_TCP;
|
|
|
|
|
p->flow = &f;
|
|
|
|
|
p->tcph = &tcph;
|
|
|
|
|
|
|
|
|
|
int ret = 0;
|
|
|
|
|
|
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
|
|
|
|
|
|
tcph.th_win = htons(5480);
|
|
|
|
|
tcph.th_flags = TH_SYN;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
TcpSession *ssn = (TcpSession *)f.protoctx;
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 1\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_SYN | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 2\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 3\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* full request */
|
|
|
|
|
uint8_t request[] = {
|
|
|
|
|
0x05, 0x00, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
|
|
|
|
|
0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
|
|
|
|
|
0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
|
|
|
|
|
0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
|
|
|
|
|
0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
|
|
|
|
|
0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
|
|
|
|
|
0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
|
|
|
|
|
0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
|
|
|
|
|
0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
|
|
|
|
|
0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
|
|
|
|
|
0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = sizeof(request);
|
|
|
|
|
p->payload = request;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != STREAM_TOSERVER) {
|
|
|
|
|
printf("failure 4\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* full response - request ack */
|
|
|
|
|
uint8_t response[] = {
|
|
|
|
|
0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
|
|
|
|
|
0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
|
|
|
|
|
0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
|
|
|
|
|
0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
|
|
|
|
|
0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
|
|
|
|
|
0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
|
|
|
|
|
0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
|
|
|
|
|
0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
|
|
|
|
|
0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
|
|
|
|
|
0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
|
|
|
|
|
0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
|
|
|
|
|
0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
|
|
|
|
|
0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
|
|
|
|
|
0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
|
|
|
|
|
0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
|
|
|
|
|
0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
|
|
|
|
|
0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
|
|
|
|
|
0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
|
|
|
|
|
0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
|
|
|
|
|
0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
|
|
|
|
|
0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
|
|
|
|
|
0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
|
|
|
|
|
0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
|
|
|
|
|
0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
|
|
|
|
|
0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
|
|
|
|
|
0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
|
|
|
|
|
0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
|
|
|
|
|
0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
|
|
|
|
|
0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
|
|
|
|
|
0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
|
|
|
|
|
0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
|
|
|
|
|
0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
|
|
|
|
|
0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
|
|
|
|
|
0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
|
|
|
|
|
0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
|
|
|
|
|
0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
|
|
|
|
|
0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
|
|
|
|
|
0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
|
|
|
|
|
0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
|
|
|
|
|
0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
|
|
|
|
|
0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
|
|
|
|
|
p->tcph->th_ack = htonl(88);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->payload_len = sizeof(response);
|
|
|
|
|
p->payload = response;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_DCERPC ||
|
|
|
|
|
f.alproto_ts != ALPROTO_DCERPC ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
|
|
|
|
|
printf("failure 5\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* response ack */
|
|
|
|
|
p->tcph->th_ack = htonl(328);
|
|
|
|
|
p->tcph->th_seq = htonl(88);
|
|
|
|
|
p->tcph->th_flags = TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_DCERPC ||
|
|
|
|
|
f.alproto_ts != ALPROTO_DCERPC ||
|
|
|
|
|
f.alproto_tc != ALPROTO_DCERPC ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
!(f.flags & FLOW_NO_APPLAYER_INSPECTION) ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
|
|
|
|
|
printf("failure 6\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
StreamTcpSessionClear(p->flow->protoctx);
|
|
|
|
|
|
|
|
|
|
ret = 1;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
end:
|
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
|
|
|
SCFree(p);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \test RUBBISH(TC - PM and PP NOT DONE) ->
|
|
|
|
|
* RUBBISH(TC - PM and PP DONE) ->
|
|
|
|
|
* RUBBISH(TS - PM and PP DONE)
|
|
|
|
|
*/
|
|
|
|
|
static int AppLayerTest09(void)
|
|
|
|
|
{
|
|
|
|
|
Packet *p = SCMalloc(SIZE_OF_PACKET);
|
|
|
|
|
if (unlikely(p == NULL))
|
|
|
|
|
return 0;
|
|
|
|
|
Flow f;
|
|
|
|
|
ThreadVars tv;
|
|
|
|
|
StreamTcpThread *stt = NULL;
|
|
|
|
|
TCPHdr tcph;
|
|
|
|
|
PacketQueue pq;
|
|
|
|
|
memset(&pq,0,sizeof(PacketQueue));
|
|
|
|
|
memset(p, 0, SIZE_OF_PACKET);
|
|
|
|
|
memset (&f, 0, sizeof(Flow));
|
|
|
|
|
memset(&tv, 0, sizeof (ThreadVars));
|
|
|
|
|
StreamTcpThreadInit(&tv, NULL, (void **)&stt);
|
|
|
|
|
memset(&tcph, 0, sizeof (TCPHdr));
|
|
|
|
|
|
|
|
|
|
f.flags = FLOW_IPV4;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.proto = IPPROTO_TCP;
|
|
|
|
|
p->flow = &f;
|
|
|
|
|
p->tcph = &tcph;
|
|
|
|
|
|
|
|
|
|
int ret = 0;
|
|
|
|
|
|
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
|
|
|
|
|
|
tcph.th_win = htons(5480);
|
|
|
|
|
tcph.th_flags = TH_SYN;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
TcpSession *ssn = (TcpSession *)f.protoctx;
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 1\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_SYN | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 2\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 3\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* full request */
|
|
|
|
|
uint8_t request1[] = {
|
|
|
|
|
0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64 };
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = sizeof(request1);
|
|
|
|
|
p->payload = request1;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != STREAM_TOSERVER) {
|
|
|
|
|
printf("failure 4\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* response - request ack */
|
|
|
|
|
p->tcph->th_ack = htonl(9);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || !FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != STREAM_TOSERVER) {
|
|
|
|
|
printf("failure 5\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* full request */
|
|
|
|
|
uint8_t request2[] = {
|
|
|
|
|
0x44, 0x44, 0x45, 0x20, 0x2f, 0x69, 0x6e, 0x64 };
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_seq = htonl(9);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = sizeof(request2);
|
|
|
|
|
p->payload = request2;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || !FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != STREAM_TOSERVER) {
|
|
|
|
|
printf("failure 6\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* full response - request ack */
|
|
|
|
|
uint8_t response[] = {
|
|
|
|
|
0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
|
|
|
|
|
0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
|
|
|
|
|
0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
|
|
|
|
|
0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
|
|
|
|
|
0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
|
|
|
|
|
0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
|
|
|
|
|
0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
|
|
|
|
|
0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
|
|
|
|
|
0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
|
|
|
|
|
0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
|
|
|
|
|
0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
|
|
|
|
|
0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
|
|
|
|
|
0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
|
|
|
|
|
0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
|
|
|
|
|
0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
|
|
|
|
|
0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
|
|
|
|
|
0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
|
|
|
|
|
0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
|
|
|
|
|
0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
|
|
|
|
|
0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
|
|
|
|
|
0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
|
|
|
|
|
0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
|
|
|
|
|
0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
|
|
|
|
|
0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
|
|
|
|
|
0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
|
|
|
|
|
0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
|
|
|
|
|
0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
|
|
|
|
|
0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
|
|
|
|
|
0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
|
|
|
|
|
0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
|
|
|
|
|
0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
|
|
|
|
|
0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
|
|
|
|
|
0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
|
|
|
|
|
0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
|
|
|
|
|
0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
|
|
|
|
|
0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
|
|
|
|
|
0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
|
|
|
|
|
0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
|
|
|
|
|
0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
|
|
|
|
|
0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
|
|
|
|
|
0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
|
|
|
|
|
p->tcph->th_ack = htonl(17);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->payload_len = sizeof(response);
|
|
|
|
|
p->payload = response;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || !FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != STREAM_TOSERVER) {
|
|
|
|
|
printf("failure 7\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* response ack */
|
|
|
|
|
p->tcph->th_ack = htonl(328);
|
|
|
|
|
p->tcph->th_seq = htonl(17);
|
|
|
|
|
p->tcph->th_flags = TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
!(f.flags & FLOW_NO_APPLAYER_INSPECTION) ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || !FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || !FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
|
|
|
|
|
printf("failure 8\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
StreamTcpSessionClear(p->flow->protoctx);
|
|
|
|
|
|
|
|
|
|
ret = 1;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
end:
|
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
|
|
|
SCFree(p);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \test RUBBISH(TC - PM and PP DONE) ->
|
|
|
|
|
* RUBBISH(TS - PM and PP DONE)
|
|
|
|
|
*/
|
|
|
|
|
static int AppLayerTest10(void)
|
|
|
|
|
{
|
|
|
|
|
Packet *p = SCMalloc(SIZE_OF_PACKET);
|
|
|
|
|
if (unlikely(p == NULL))
|
|
|
|
|
return 0;
|
|
|
|
|
Flow f;
|
|
|
|
|
ThreadVars tv;
|
|
|
|
|
StreamTcpThread *stt = NULL;
|
|
|
|
|
TCPHdr tcph;
|
|
|
|
|
PacketQueue pq;
|
|
|
|
|
memset(&pq,0,sizeof(PacketQueue));
|
|
|
|
|
memset(p, 0, SIZE_OF_PACKET);
|
|
|
|
|
memset (&f, 0, sizeof(Flow));
|
|
|
|
|
memset(&tv, 0, sizeof (ThreadVars));
|
|
|
|
|
StreamTcpThreadInit(&tv, NULL, (void **)&stt);
|
|
|
|
|
memset(&tcph, 0, sizeof (TCPHdr));
|
|
|
|
|
|
|
|
|
|
f.flags = FLOW_IPV4;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.proto = IPPROTO_TCP;
|
|
|
|
|
p->flow = &f;
|
|
|
|
|
p->tcph = &tcph;
|
|
|
|
|
|
|
|
|
|
int ret = 0;
|
|
|
|
|
|
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
|
|
|
|
|
|
tcph.th_win = htons(5480);
|
|
|
|
|
tcph.th_flags = TH_SYN;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
TcpSession *ssn = (TcpSession *)f.protoctx;
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 1\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_SYN | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 2\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 3\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* full request */
|
|
|
|
|
uint8_t request1[] = {
|
|
|
|
|
0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
|
|
|
|
|
0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64 };
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = sizeof(request1);
|
|
|
|
|
p->payload = request1;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != STREAM_TOSERVER) {
|
|
|
|
|
printf("failure 4\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* response - request ack */
|
|
|
|
|
p->tcph->th_ack = htonl(17);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || !FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != STREAM_TOSERVER) {
|
|
|
|
|
printf("failure 5\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* full response - request ack */
|
|
|
|
|
uint8_t response[] = {
|
|
|
|
|
0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
|
|
|
|
|
0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
|
|
|
|
|
0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
|
|
|
|
|
0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
|
|
|
|
|
0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
|
|
|
|
|
0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
|
|
|
|
|
0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
|
|
|
|
|
0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
|
|
|
|
|
0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
|
|
|
|
|
0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
|
|
|
|
|
0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
|
|
|
|
|
0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
|
|
|
|
|
0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
|
|
|
|
|
0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
|
|
|
|
|
0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
|
|
|
|
|
0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
|
|
|
|
|
0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
|
|
|
|
|
0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
|
|
|
|
|
0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
|
|
|
|
|
0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
|
|
|
|
|
0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
|
|
|
|
|
0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
|
|
|
|
|
0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
|
|
|
|
|
0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
|
|
|
|
|
0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
|
|
|
|
|
0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
|
|
|
|
|
0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
|
|
|
|
|
0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
|
|
|
|
|
0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
|
|
|
|
|
0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
|
|
|
|
|
0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
|
|
|
|
|
0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
|
|
|
|
|
0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
|
|
|
|
|
0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
|
|
|
|
|
0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
|
|
|
|
|
0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
|
|
|
|
|
0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
|
|
|
|
|
0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
|
|
|
|
|
0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
|
|
|
|
|
0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
|
|
|
|
|
0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
|
|
|
|
|
p->tcph->th_ack = htonl(17);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->payload_len = sizeof(response);
|
|
|
|
|
p->payload = response;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || !FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != STREAM_TOSERVER) {
|
|
|
|
|
printf("failure 7\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* response ack */
|
|
|
|
|
p->tcph->th_ack = htonl(328);
|
|
|
|
|
p->tcph->th_seq = htonl(17);
|
|
|
|
|
p->tcph->th_flags = TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
!(f.flags & FLOW_NO_APPLAYER_INSPECTION) ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || !FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || !FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
|
|
|
|
|
printf("failure 8\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
StreamTcpSessionClear(p->flow->protoctx);
|
|
|
|
|
|
|
|
|
|
ret = 1;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
end:
|
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
|
|
|
SCFree(p);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \test RUBBISH(TC - PM and PP DONE) ->
|
|
|
|
|
* RUBBISH(TS - PM and PP NOT DONE) ->
|
|
|
|
|
* RUBBISH(TS - PM and PP DONE)
|
|
|
|
|
*/
|
|
|
|
|
static int AppLayerTest11(void)
|
|
|
|
|
{
|
|
|
|
|
Packet *p = SCMalloc(SIZE_OF_PACKET);
|
|
|
|
|
if (unlikely(p == NULL))
|
|
|
|
|
return 0;
|
|
|
|
|
Flow f;
|
|
|
|
|
ThreadVars tv;
|
|
|
|
|
StreamTcpThread *stt = NULL;
|
|
|
|
|
TCPHdr tcph;
|
|
|
|
|
PacketQueue pq;
|
|
|
|
|
memset(&pq,0,sizeof(PacketQueue));
|
|
|
|
|
memset(p, 0, SIZE_OF_PACKET);
|
|
|
|
|
memset (&f, 0, sizeof(Flow));
|
|
|
|
|
memset(&tv, 0, sizeof (ThreadVars));
|
|
|
|
|
StreamTcpThreadInit(&tv, NULL, (void **)&stt);
|
|
|
|
|
memset(&tcph, 0, sizeof (TCPHdr));
|
|
|
|
|
|
|
|
|
|
f.flags = FLOW_IPV4;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.proto = IPPROTO_TCP;
|
|
|
|
|
p->flow = &f;
|
|
|
|
|
p->tcph = &tcph;
|
|
|
|
|
|
|
|
|
|
int ret = 0;
|
|
|
|
|
|
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
|
|
|
|
|
|
tcph.th_win = htons(5480);
|
|
|
|
|
tcph.th_flags = TH_SYN;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
TcpSession *ssn = (TcpSession *)f.protoctx;
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 1\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_SYN | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 2\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* handshake */
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != 0) {
|
|
|
|
|
printf("failure 3\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* full request */
|
|
|
|
|
uint8_t request1[] = {
|
|
|
|
|
0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
|
|
|
|
|
0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64 };
|
|
|
|
|
p->tcph->th_ack = htonl(1);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = sizeof(request1);
|
|
|
|
|
p->payload = request1;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != STREAM_TOSERVER) {
|
|
|
|
|
printf("failure 4\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* response - request ack */
|
|
|
|
|
p->tcph->th_ack = htonl(17);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || !FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != STREAM_TOSERVER) {
|
|
|
|
|
printf("failure 5\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* full response - request ack */
|
|
|
|
|
uint8_t response1[] = {
|
|
|
|
|
0x55, 0x74, 0x54, 0x50, };
|
|
|
|
|
p->tcph->th_ack = htonl(17);
|
|
|
|
|
p->tcph->th_seq = htonl(1);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->payload_len = sizeof(response1);
|
|
|
|
|
p->payload = response1;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || !FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != STREAM_TOSERVER) {
|
|
|
|
|
printf("failure 6\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* response ack from request */
|
|
|
|
|
p->tcph->th_ack = htonl(5);
|
|
|
|
|
p->tcph->th_seq = htonl(17);
|
|
|
|
|
p->tcph->th_flags = TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || !FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || !FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != STREAM_TOSERVER) {
|
|
|
|
|
printf("failure 7\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
uint8_t response2[] = {
|
|
|
|
|
0x2f, 0x31, 0x2e, 0x31,
|
|
|
|
|
0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
|
|
|
|
|
0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
|
|
|
|
|
0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
|
|
|
|
|
0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
|
|
|
|
|
0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
|
|
|
|
|
0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
|
|
|
|
|
0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
|
|
|
|
|
0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
|
|
|
|
|
0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
|
|
|
|
|
0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
|
|
|
|
|
0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
|
|
|
|
|
0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
|
|
|
|
|
0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
|
|
|
|
|
0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
|
|
|
|
|
0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
|
|
|
|
|
0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
|
|
|
|
|
0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
|
|
|
|
|
0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
|
|
|
|
|
0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
|
|
|
|
|
0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
|
|
|
|
|
0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
|
|
|
|
|
0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
|
|
|
|
|
0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
|
|
|
|
|
0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
|
|
|
|
|
0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
|
|
|
|
|
0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
|
|
|
|
|
0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
|
|
|
|
|
0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
|
|
|
|
|
0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
|
|
|
|
|
0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
|
|
|
|
|
0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
|
|
|
|
|
0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
|
|
|
|
|
0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
|
|
|
|
|
0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
|
|
|
|
|
0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
|
|
|
|
|
0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
|
|
|
|
|
0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
|
|
|
|
|
0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
|
|
|
|
|
0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
|
|
|
|
|
0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
|
|
|
|
|
p->tcph->th_ack = htonl(17);
|
|
|
|
|
p->tcph->th_seq = htonl(5);
|
|
|
|
|
p->tcph->th_flags = TH_PUSH | TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOCLIENT;
|
|
|
|
|
p->payload_len = sizeof(response2);
|
|
|
|
|
p->payload = response2;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
f.flags & FLOW_NO_APPLAYER_INSPECTION ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || !FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || !FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != STREAM_TOSERVER) {
|
|
|
|
|
printf("failure 8\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* response ack from request */
|
|
|
|
|
p->tcph->th_ack = htonl(328);
|
|
|
|
|
p->tcph->th_seq = htonl(17);
|
|
|
|
|
p->tcph->th_flags = TH_ACK;
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
p->payload_len = 0;
|
|
|
|
|
p->payload = NULL;
|
|
|
|
|
if (StreamTcpPacket(&tv, p, stt, &pq) == -1)
|
|
|
|
|
goto end;
|
|
|
|
|
if (!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
|
|
|
|
|
!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.alproto != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_ts != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.alproto_tc != ALPROTO_UNKNOWN ||
|
|
|
|
|
f.data_al_so_far[0] != 0 ||
|
|
|
|
|
f.data_al_so_far[1] != 0 ||
|
|
|
|
|
!(f.flags & FLOW_NO_APPLAYER_INSPECTION) ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER) || !FLOW_IS_PP_DONE(&f, STREAM_TOSERVER) ||
|
|
|
|
|
!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT) || !FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT) ||
|
|
|
|
|
ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
|
|
|
|
|
printf("failure 9\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
StreamTcpSessionClear(p->flow->protoctx);
|
|
|
|
|
|
|
|
|
|
ret = 1;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
end:
|
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
|
|
|
SCFree(p);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
void AppLayerUnittestsRegister(void)
|
|
|
|
|
{
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
SCEnter();
|
|
|
|
|
|
|
|
|
|
UtRegisterTest("AppLayerTest01", AppLayerTest01, 1);
|
|
|
|
|
UtRegisterTest("AppLayerTest02", AppLayerTest02, 1);
|
|
|
|
|
UtRegisterTest("AppLayerTest03", AppLayerTest03, 1);
|
|
|
|
|
UtRegisterTest("AppLayerTest04", AppLayerTest04, 1);
|
|
|
|
|
UtRegisterTest("AppLayerTest05", AppLayerTest05, 1);
|
|
|
|
|
UtRegisterTest("AppLayerTest06", AppLayerTest06, 1);
|
|
|
|
|
UtRegisterTest("AppLayerTest07", AppLayerTest07, 1);
|
|
|
|
|
UtRegisterTest("AppLayerTest08", AppLayerTest08, 1);
|
|
|
|
|
UtRegisterTest("AppLayerTest09", AppLayerTest09, 1);
|
|
|
|
|
UtRegisterTest("AppLayerTest10", AppLayerTest10, 1);
|
|
|
|
|
UtRegisterTest("AppLayerTest11", AppLayerTest11, 1);
|
|
|
|
|
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
SCReturn;
|
|
|
|
|
}
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
|
|
|
|
|
#endif /* UNITTESTS */
|
