aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a559c41295'
${ noResults }
suricata/src/app-layer-ssl.c

4221 lines
149 KiB
C
Raw Normal View History Unescape Escape

Add TLS decode events
14 years ago
/* Copyright (C) 2007-2012 Open Information Security Foundation
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
support for sslv2/sslv3 their unit tests and better stream no reassembly flag handling
15 years ago
Add a few extra safety checks in new SSL code.
15 years ago
/**
* \file
*
Changed my email address to anoopsaldanha at gmail dot com from my current one
14 years ago
* \author Anoop Saldanha <anoopsaldanha@gmail.com>
TLS handshake: decode the SERVER_CERTIFICATE message Add a decoder for the SERVER_CERTIFICATE during a TLS handshake, extracts the certificates and keep the subject name. Add the tls.subject keyword for substring match in rules (TLS layer). Signed-off-by: Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
14 years ago
* \author Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
Add a few extra safety checks in new SSL code.
15 years ago
*
*/
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
#include "suricata-common.h"
#include "debug.h"
#include "decode.h"
#include "threads.h"
#include "util-print.h"
#include "util-pool.h"
#include "stream-tcp-private.h"
#include "stream-tcp-reassemble.h"
#include "stream-tcp.h"
#include "stream.h"
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
#include "app-layer.h"
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
#include "app-layer-protos.h"
#include "app-layer-parser.h"
#include "app-layer-ssl.h"
TLS handshake: decode the SERVER_CERTIFICATE message Add a decoder for the SERVER_CERTIFICATE during a TLS handshake, extracts the certificates and keep the subject name. Add the tls.subject keyword for substring match in rules (TLS layer). Signed-off-by: Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
14 years ago
#include "app-layer-tls-handshake.h"
Add TLS decode events
14 years ago
#include "decode-events.h"
Add and use EventGetInfo for getting info on an event. Also update existing parsers and app-layer-event Setup to use this.
12 years ago
#include "conf.h"
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
#include "util-spm.h"
#include "util-unittest.h"
#include "util-debug.h"
#include "flow-util.h"
#include "flow-private.h"
#include "util-byte.h"
Add TLS decode events
14 years ago
SCEnumCharMap tls_decoder_event_table[ ] = {
/* TLS protocol messages */
TLS: add variable to store the error code in the decoder Use a variable to store the decoding error code if required, and remove the calls to SCLogInfo and SCLogDebug.
14 years ago
{ "INVALID_SSLV2_HEADER", TLS_DECODER_EVENT_INVALID_SSLV2_HEADER },
{ "INVALID_TLS_HEADER", TLS_DECODER_EVENT_INVALID_TLS_HEADER },
tls: check SSL3/TLS version per record Set event if SSL3/TLS record isn't within the acceptable range.
11 years ago
{ "INVALID_RECORD_VERSION", TLS_DECODER_EVENT_INVALID_RECORD_VERSION },
TLS: add variable to store the error code in the decoder Use a variable to store the decoding error code if required, and remove the calls to SCLogInfo and SCLogDebug.
14 years ago
{ "INVALID_RECORD_TYPE", TLS_DECODER_EVENT_INVALID_RECORD_TYPE },
{ "INVALID_HANDSHAKE_MESSAGE", TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE },
TLS: add detection for malicious heartbeats (AKA heartbleed) The OpenSSL implementation of RFC 6520 (Heartbeat extension) does not check the payload length correctly, resulting in a copy of at most 64k of memory from the server (ref: CVE-2014-0160). This patch adds support for decoding heartbeat messages (if not encrypted), and checking several parts (type, length and padding). When an anomaly is detected, a TLS event is raised.
11 years ago
{ "HEARTBEAT_MESSAGE", TLS_DECODER_EVENT_HEARTBEAT },
{ "INVALID_HEARTBEAT_MESSAGE", TLS_DECODER_EVENT_INVALID_HEARTBEAT },
{ "OVERFLOW_HEARTBEAT_MESSAGE", TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT },
Look for Mismatched Encrypted HB request and response sizes, along with multiple in-flight HB requests from the same direction
11 years ago
{ "DATALEAK_HEARTBEAT_MISMATCH", TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH },
Add TLS decode events
14 years ago
/* Certificates decoding messages */
TLS: add variable to store the error code in the decoder Use a variable to store the decoding error code if required, and remove the calls to SCLogInfo and SCLogDebug.
14 years ago
{ "INVALID_CERTIFICATE", TLS_DECODER_EVENT_INVALID_CERTIFICATE },
{ "CERTIFICATE_MISSING_ELEMENT", TLS_DECODER_EVENT_CERTIFICATE_MISSING_ELEMENT },
{ "CERTIFICATE_UNKNOWN_ELEMENT", TLS_DECODER_EVENT_CERTIFICATE_UNKNOWN_ELEMENT },
{ "CERTIFICATE_INVALID_LENGTH", TLS_DECODER_EVENT_CERTIFICATE_INVALID_LENGTH },
{ "CERTIFICATE_INVALID_STRING", TLS_DECODER_EVENT_CERTIFICATE_INVALID_STRING },
tls: debug compilation fixes, new tls decoder rule for tls.error_message_encountered event.
13 years ago
{ "ERROR_MESSAGE_ENCOUNTERED", TLS_DECODER_EVENT_ERROR_MSG_ENCOUNTERED },
bug #955 - Fix SSL parsing issue. The parser wasn't carrying out a bounds check on record length while in the middle of parsing a handshake. As a result we would step onto the next record header and consider it a part of the current handshake. - Contains an unittest to test the issue. - Disable the duplicate parser unittest registration. The issue came to light through an irregular ssl record, which was reported by Sebastian Roschke, via CVE-2013-5919. Thanks to Sebastian Roschke for reporting this issue.
12 years ago
/* used as a generic error event */
{ "INVALID_SSL_RECORD", TLS_DECODER_EVENT_INVALID_SSL_RECORD },
TLS: add variable to store the error code in the decoder Use a variable to store the decoding error code if required, and remove the calls to SCLogInfo and SCLogDebug.
14 years ago
{ NULL, -1 },
Add TLS decode events
14 years ago
};
Move TlsConfig structure out of app-layer-protos.h and rename it to SslConfig.
14 years ago
typedef struct SslConfig_ {
int no_reassemble;
} SslConfig;
SslConfig ssl_config;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
/* SSLv3 record types */
#define SSLV3_CHANGE_CIPHER_SPEC 20
#define SSLV3_ALERT_PROTOCOL 21
#define SSLV3_HANDSHAKE_PROTOCOL 22
#define SSLV3_APPLICATION_PROTOCOL 23
TLS: add detection for malicious heartbeats (AKA heartbleed) The OpenSSL implementation of RFC 6520 (Heartbeat extension) does not check the payload length correctly, resulting in a copy of at most 64k of memory from the server (ref: CVE-2014-0160). This patch adds support for decoding heartbeat messages (if not encrypted), and checking several parts (type, length and padding). When an anomaly is detected, a TLS event is raised.
11 years ago
#define SSLV3_HEARTBEAT_PROTOCOL 24
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
/* SSLv3 handshake protocol types */
#define SSLV3_HS_HELLO_REQUEST 0
#define SSLV3_HS_CLIENT_HELLO 1
#define SSLV3_HS_SERVER_HELLO 2
tls: no event on 'new session ticket' in handshake Don't set an event on encountering a 'new session ticket' (4) record in the TLS handshake.
12 years ago
#define SSLV3_HS_NEW_SESSION_TICKET 4
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
#define SSLV3_HS_CERTIFICATE 11
#define SSLV3_HS_SERVER_KEY_EXCHANGE 12
#define SSLV3_HS_CERTIFICATE_REQUEST 13
#define SSLV3_HS_SERVER_HELLO_DONE 14
#define SSLV3_HS_CERTIFICATE_VERIFY 15
#define SSLV3_HS_CLIENT_KEY_EXCHANGE 16
#define SSLV3_HS_FINISHED 20
#define SSLV3_HS_CERTIFICATE_URL 21
#define SSLV3_HS_CERTIFICATE_STATUS 22
/* SSLv2 protocol message types */
#define SSLV2_MT_ERROR 0
#define SSLV2_MT_CLIENT_HELLO 1
#define SSLV2_MT_CLIENT_MASTER_KEY 2
#define SSLV2_MT_CLIENT_FINISHED 3
#define SSLV2_MT_SERVER_HELLO 4
#define SSLV2_MT_SERVER_VERIFY 5
#define SSLV2_MT_SERVER_FINISHED 6
#define SSLV2_MT_REQUEST_CERTIFICATE 7
#define SSLV2_MT_CLIENT_CERTIFICATE 8
fix wrong record hdr len check in ssl parser
13 years ago
#define SSLV3_RECORD_HDR_LEN 5
TLS app layer: rewrite decoder to handle multiple messages in records Since we now parse the content of the TLS messages, we need to handle the case multiple messages are shipped in a single TLS record, and taking care of the multiple levels of fragmentation (message, record, and TCP). Additionally, fix a bug where the parser state was not reset after an empty record.
14 years ago
#define SSLV3_MESSAGE_HDR_LEN 4
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
TLS: add detection for malicious heartbeats (AKA heartbleed) The OpenSSL implementation of RFC 6520 (Heartbeat extension) does not check the payload length correctly, resulting in a copy of at most 64k of memory from the server (ref: CVE-2014-0160). This patch adds support for decoding heartbeat messages (if not encrypted), and checking several parts (type, length and padding). When an anomaly is detected, a TLS event is raised.
11 years ago
/* TLS heartbeat protocol types */
#define TLS_HB_REQUEST 1
#define TLS_HB_RESPONSE 2
some naming changes in ssl parser and ssl related keywords
15 years ago
static void SSLParserReset(SSLState *ssl_state)
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
{
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->bytes_processed = 0;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
}
some naming changes in ssl parser and ssl related keywords
15 years ago
static int SSLv3ParseHandshakeType(SSLState *ssl_state, uint8_t *input,
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
uint32_t input_len)
{
Fix realloc error handling This patch is fixing realloc error handling. In case of a realloc failure, it free the initial memory and continue existing error handling. The patch has been obtained via the following semantic patch and a bit oh hand editing: @@ expression x, E; identifier f; @@ f(...) { + void *ptmp; <+... - x = SCRealloc(x, E); + ptmp = SCRealloc(x, E); ... when != x - if (x == NULL) + if (ptmp == NULL) { + SCFree(x); + x = NULL; ... - } + } else { + x = ptmp; + } ...+> } @@ expression x, E; identifier f; statement ES; @@ f(...) { + void *ptmp; <+... - x = SCRealloc(x, E); + ptmp = SCRealloc(x, E); ... when != x - if (x == NULL) ES + if (ptmp == NULL) { + SCFree(x); + x = NULL; + ES + } else { + x = ptmp; + } ...+> } @@ expression x, E; identifier f; @@ f(...) { + void *ptmp; <+... - x = SCRealloc(x, E); + ptmp = SCRealloc(x, E); ... when != x - if (unlikely(x == NULL)) + if (unlikely(ptmp == NULL)) { + SCFree(x); + x = NULL; ... - } + } else { + x = ptmp; + } ...+> } @@ expression x, E; identifier f; statement ES; @@ f(...) { + void *ptmp; <+... - x = SCRealloc(x, E); + ptmp = SCRealloc(x, E); ... when != x - if (unlikely(x == NULL)) ES + if (unlikely(ptmp == NULL)) { + SCFree(x); + x = NULL; + ES + } else { + x = ptmp; + } ...+> }
12 years ago
void *ptmp;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
uint8_t *initial_input = input;
uint32_t parsed = 0;
TLS handshake: decode the SERVER_CERTIFICATE message Add a decoder for the SERVER_CERTIFICATE during a TLS handshake, extracts the certificates and keep the subject name. Add the tls.subject keyword for substring match in rules (TLS layer). Signed-off-by: Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
14 years ago
int rc;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
Add a few extra safety checks in new SSL code.
15 years ago
if (input_len == 0) {
return 0;
}
ssl parser fix/updates
13 years ago
switch (ssl_state->curr_connp->handshake_type) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
case SSLV3_HS_CLIENT_HELLO:
some naming changes in ssl parser and ssl related keywords
15 years ago
ssl_state->flags |= SSL_AL_FLAG_STATE_CLIENT_HELLO;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
break;
case SSLV3_HS_SERVER_HELLO:
some naming changes in ssl parser and ssl related keywords
15 years ago
ssl_state->flags |= SSL_AL_FLAG_STATE_SERVER_HELLO;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
break;
case SSLV3_HS_SERVER_KEY_EXCHANGE:
some naming changes in ssl parser and ssl related keywords
15 years ago
ssl_state->flags |= SSL_AL_FLAG_STATE_SERVER_KEYX;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
break;
case SSLV3_HS_CLIENT_KEY_EXCHANGE:
some naming changes in ssl parser and ssl related keywords
15 years ago
ssl_state->flags |= SSL_AL_FLAG_STATE_CLIENT_KEYX;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
break;
case SSLV3_HS_CERTIFICATE:
ssl parser fix/updates
13 years ago
if (ssl_state->curr_connp->trec == NULL) {
fix wrong record hdr len check in ssl parser
13 years ago
ssl_state->curr_connp->trec_len = 2 * ssl_state->curr_connp->record_length + SSLV3_RECORD_HDR_LEN + 1;
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->trec = SCMalloc( ssl_state->curr_connp->trec_len );
TLS handshake: decode the SERVER_CERTIFICATE message Add a decoder for the SERVER_CERTIFICATE during a TLS handshake, extracts the certificates and keep the subject name. Add the tls.subject keyword for substring match in rules (TLS layer). Signed-off-by: Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
14 years ago
}
ssl parser fix/updates
13 years ago
if (ssl_state->curr_connp->trec_pos + input_len >= ssl_state->curr_connp->trec_len) {
ssl_state->curr_connp->trec_len = ssl_state->curr_connp->trec_len + 2 * input_len + 1;
Fix realloc error handling This patch is fixing realloc error handling. In case of a realloc failure, it free the initial memory and continue existing error handling. The patch has been obtained via the following semantic patch and a bit oh hand editing: @@ expression x, E; identifier f; @@ f(...) { + void *ptmp; <+... - x = SCRealloc(x, E); + ptmp = SCRealloc(x, E); ... when != x - if (x == NULL) + if (ptmp == NULL) { + SCFree(x); + x = NULL; ... - } + } else { + x = ptmp; + } ...+> } @@ expression x, E; identifier f; statement ES; @@ f(...) { + void *ptmp; <+... - x = SCRealloc(x, E); + ptmp = SCRealloc(x, E); ... when != x - if (x == NULL) ES + if (ptmp == NULL) { + SCFree(x); + x = NULL; + ES + } else { + x = ptmp; + } ...+> } @@ expression x, E; identifier f; @@ f(...) { + void *ptmp; <+... - x = SCRealloc(x, E); + ptmp = SCRealloc(x, E); ... when != x - if (unlikely(x == NULL)) + if (unlikely(ptmp == NULL)) { + SCFree(x); + x = NULL; ... - } + } else { + x = ptmp; + } ...+> } @@ expression x, E; identifier f; statement ES; @@ f(...) { + void *ptmp; <+... - x = SCRealloc(x, E); + ptmp = SCRealloc(x, E); ... when != x - if (unlikely(x == NULL)) ES + if (unlikely(ptmp == NULL)) { + SCFree(x); + x = NULL; + ES + } else { + x = ptmp; + } ...+> }
12 years ago
ptmp = SCRealloc(ssl_state->curr_connp->trec,
ssl_state->curr_connp->trec_len);
if (unlikely(ptmp == NULL)) {
SCFree(ssl_state->curr_connp->trec);
}
ssl_state->curr_connp->trec = ptmp;
TLS handshake: decode the SERVER_CERTIFICATE message Add a decoder for the SERVER_CERTIFICATE during a TLS handshake, extracts the certificates and keep the subject name. Add the tls.subject keyword for substring match in rules (TLS layer). Signed-off-by: Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
14 years ago
}
error checking: add missing alloc error treatment The return of some malloc like functions was not treated in some places of the code.
12 years ago
if (unlikely(ssl_state->curr_connp->trec == NULL)) {
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->trec_len = 0;
TLS handshake: decode the SERVER_CERTIFICATE message Add a decoder for the SERVER_CERTIFICATE during a TLS handshake, extracts the certificates and keep the subject name. Add the tls.subject keyword for substring match in rules (TLS layer). Signed-off-by: Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
14 years ago
/* error, skip packet */
parsed += input_len;
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->bytes_processed += input_len;
fix for #725. Update trec_len, trec_pos to 32 bits from 16 bits. Handle handshakes that are fragmented across records.
13 years ago
return -1;
}
Fix realloc error handling This patch is fixing realloc error handling. In case of a realloc failure, it free the initial memory and continue existing error handling. The patch has been obtained via the following semantic patch and a bit oh hand editing: @@ expression x, E; identifier f; @@ f(...) { + void *ptmp; <+... - x = SCRealloc(x, E); + ptmp = SCRealloc(x, E); ... when != x - if (x == NULL) + if (ptmp == NULL) { + SCFree(x); + x = NULL; ... - } + } else { + x = ptmp; + } ...+> } @@ expression x, E; identifier f; statement ES; @@ f(...) { + void *ptmp; <+... - x = SCRealloc(x, E); + ptmp = SCRealloc(x, E); ... when != x - if (x == NULL) ES + if (ptmp == NULL) { + SCFree(x); + x = NULL; + ES + } else { + x = ptmp; + } ...+> } @@ expression x, E; identifier f; @@ f(...) { + void *ptmp; <+... - x = SCRealloc(x, E); + ptmp = SCRealloc(x, E); ... when != x - if (unlikely(x == NULL)) + if (unlikely(ptmp == NULL)) { + SCFree(x); + x = NULL; ... - } + } else { + x = ptmp; + } ...+> } @@ expression x, E; identifier f; statement ES; @@ f(...) { + void *ptmp; <+... - x = SCRealloc(x, E); + ptmp = SCRealloc(x, E); ... when != x - if (unlikely(x == NULL)) ES + if (unlikely(ptmp == NULL)) { + SCFree(x); + x = NULL; + ES + } else { + x = ptmp; + } ...+> }
12 years ago
fix for #725. Update trec_len, trec_pos to 32 bits from 16 bits. Handle handshakes that are fragmented across records.
13 years ago
uint32_t write_len = 0;
if ((ssl_state->curr_connp->bytes_processed + input_len) > ssl_state->curr_connp->record_length + (SSLV3_RECORD_HDR_LEN)) {
bug #955 - Fix SSL parsing issue. The parser wasn't carrying out a bounds check on record length while in the middle of parsing a handshake. As a result we would step onto the next record header and consider it a part of the current handshake. - Contains an unittest to test the issue. - Disable the duplicate parser unittest registration. The issue came to light through an irregular ssl record, which was reported by Sebastian Roschke, via CVE-2013-5919. Thanks to Sebastian Roschke for reporting this issue.
12 years ago
if ((ssl_state->curr_connp->record_length + SSLV3_RECORD_HDR_LEN) < ssl_state->curr_connp->bytes_processed) {
AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_SSL_RECORD);
return -1;
}
fix for #725. Update trec_len, trec_pos to 32 bits from 16 bits. Handle handshakes that are fragmented across records.
13 years ago
write_len = (ssl_state->curr_connp->record_length + SSLV3_RECORD_HDR_LEN) - ssl_state->curr_connp->bytes_processed;
} else {
write_len = input_len;
TLS handshake: decode the SERVER_CERTIFICATE message Add a decoder for the SERVER_CERTIFICATE during a TLS handshake, extracts the certificates and keep the subject name. Add the tls.subject keyword for substring match in rules (TLS layer). Signed-off-by: Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
14 years ago
}
fix for #725. Update trec_len, trec_pos to 32 bits from 16 bits. Handle handshakes that are fragmented across records.
13 years ago
memcpy(ssl_state->curr_connp->trec + ssl_state->curr_connp->trec_pos, initial_input, write_len);
ssl_state->curr_connp->trec_pos += write_len;
TLS handshake: decode the SERVER_CERTIFICATE message Add a decoder for the SERVER_CERTIFICATE during a TLS handshake, extracts the certificates and keep the subject name. Add the tls.subject keyword for substring match in rules (TLS layer). Signed-off-by: Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
14 years ago
ssl parser fix/updates
13 years ago
rc = DecodeTLSHandshakeServerCertificate(ssl_state, ssl_state->curr_connp->trec, ssl_state->curr_connp->trec_pos);
TLS handshake: decode the SERVER_CERTIFICATE message Add a decoder for the SERVER_CERTIFICATE during a TLS handshake, extracts the certificates and keep the subject name. Add the tls.subject keyword for substring match in rules (TLS layer). Signed-off-by: Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
14 years ago
if (rc > 0) {
TLS app layer: rewrite decoder to handle multiple messages in records Since we now parse the content of the TLS messages, we need to handle the case multiple messages are shipped in a single TLS record, and taking care of the multiple levels of fragmentation (message, record, and TCP). Additionally, fix a bug where the parser state was not reset after an empty record.
14 years ago
/* do not return normally if the packet was fragmented:
* we would return the size of the *entire* message,
* while we expect only the number of bytes parsed bytes
* from the *current* fragment
*/
bug #955 - Fix SSL parsing issue. The parser wasn't carrying out a bounds check on record length while in the middle of parsing a handshake. As a result we would step onto the next record header and consider it a part of the current handshake. - Contains an unittest to test the issue. - Disable the duplicate parser unittest registration. The issue came to light through an irregular ssl record, which was reported by Sebastian Roschke, via CVE-2013-5919. Thanks to Sebastian Roschke for reporting this issue.
12 years ago
if (write_len < (ssl_state->curr_connp->trec_pos - rc)) {
AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_SSL_RECORD);
return -1;
}
fix for #725. Update trec_len, trec_pos to 32 bits from 16 bits. Handle handshakes that are fragmented across records.
13 years ago
uint32_t diff = write_len - (ssl_state->curr_connp->trec_pos - rc);
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->bytes_processed += diff;
fix for #725. Update trec_len, trec_pos to 32 bits from 16 bits. Handle handshakes that are fragmented across records.
13 years ago
ssl_state->curr_connp->trec_pos = 0;
ssl_state->curr_connp->handshake_type = 0;
ssl_state->curr_connp->hs_bytes_processed = 0;
ssl_state->curr_connp->message_length = 0;
TLS app layer: rewrite decoder to handle multiple messages in records Since we now parse the content of the TLS messages, we need to handle the case multiple messages are shipped in a single TLS record, and taking care of the multiple levels of fragmentation (message, record, and TCP). Additionally, fix a bug where the parser state was not reset after an empty record.
14 years ago
return diff;
fix for #725. Update trec_len, trec_pos to 32 bits from 16 bits. Handle handshakes that are fragmented across records.
13 years ago
} else {
ssl_state->curr_connp->bytes_processed += write_len;
parsed += write_len;
return parsed;
TLS handshake: decode the SERVER_CERTIFICATE message Add a decoder for the SERVER_CERTIFICATE during a TLS handshake, extracts the certificates and keep the subject name. Add the tls.subject keyword for substring match in rules (TLS layer). Signed-off-by: Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
14 years ago
}
fix for #725. Update trec_len, trec_pos to 32 bits from 16 bits. Handle handshakes that are fragmented across records.
13 years ago
TLS handshake: decode the SERVER_CERTIFICATE message Add a decoder for the SERVER_CERTIFICATE during a TLS handshake, extracts the certificates and keep the subject name. Add the tls.subject keyword for substring match in rules (TLS layer). Signed-off-by: Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
14 years ago
break;
case SSLV3_HS_HELLO_REQUEST:
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
case SSLV3_HS_CERTIFICATE_REQUEST:
case SSLV3_HS_CERTIFICATE_VERIFY:
case SSLV3_HS_FINISHED:
case SSLV3_HS_CERTIFICATE_URL:
case SSLV3_HS_CERTIFICATE_STATUS:
break;
tls: no event on 'new session ticket' in handshake Don't set an event on encountering a 'new session ticket' (4) record in the TLS handshake.
12 years ago
case SSLV3_HS_NEW_SESSION_TICKET:
SCLogDebug("new session ticket");
break;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
default:
bug #955 - Fix SSL parsing issue. The parser wasn't carrying out a bounds check on record length while in the middle of parsing a handshake. As a result we would step onto the next record header and consider it a part of the current handshake. - Contains an unittest to test the issue. - Disable the duplicate parser unittest registration. The issue came to light through an irregular ssl record, which was reported by Sebastian Roschke, via CVE-2013-5919. Thanks to Sebastian Roschke for reporting this issue.
12 years ago
AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_SSL_RECORD);
return -1;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
}
fix for #725. Update trec_len, trec_pos to 32 bits from 16 bits. Handle handshakes that are fragmented across records.
13 years ago
uint32_t write_len = 0;
if ((ssl_state->curr_connp->bytes_processed + input_len) >= ssl_state->curr_connp->record_length + (SSLV3_RECORD_HDR_LEN)) {
bug #955 - Fix SSL parsing issue. The parser wasn't carrying out a bounds check on record length while in the middle of parsing a handshake. As a result we would step onto the next record header and consider it a part of the current handshake. - Contains an unittest to test the issue. - Disable the duplicate parser unittest registration. The issue came to light through an irregular ssl record, which was reported by Sebastian Roschke, via CVE-2013-5919. Thanks to Sebastian Roschke for reporting this issue.
12 years ago
if ((ssl_state->curr_connp->record_length + SSLV3_RECORD_HDR_LEN) < ssl_state->curr_connp->bytes_processed) {
AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_SSL_RECORD);
return -1;
}
fix for #725. Update trec_len, trec_pos to 32 bits from 16 bits. Handle handshakes that are fragmented across records.
13 years ago
write_len = (ssl_state->curr_connp->record_length + SSLV3_RECORD_HDR_LEN) - ssl_state->curr_connp->bytes_processed;
} else {
write_len = input_len;
}
if ((ssl_state->curr_connp->trec_pos + write_len) >= ssl_state->curr_connp->message_length) {
bug #955 - Fix SSL parsing issue. The parser wasn't carrying out a bounds check on record length while in the middle of parsing a handshake. As a result we would step onto the next record header and consider it a part of the current handshake. - Contains an unittest to test the issue. - Disable the duplicate parser unittest registration. The issue came to light through an irregular ssl record, which was reported by Sebastian Roschke, via CVE-2013-5919. Thanks to Sebastian Roschke for reporting this issue.
12 years ago
if (ssl_state->curr_connp->message_length < ssl_state->curr_connp->trec_pos) {
AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_SSL_RECORD);
return -1;
}
fix for #725. Update trec_len, trec_pos to 32 bits from 16 bits. Handle handshakes that are fragmented across records.
13 years ago
parsed += ssl_state->curr_connp->message_length - ssl_state->curr_connp->trec_pos;
ssl_state->curr_connp->bytes_processed += ssl_state->curr_connp->message_length - ssl_state->curr_connp->trec_pos;
ssl_state->curr_connp->handshake_type = 0;
ssl_state->curr_connp->hs_bytes_processed = 0;
ssl_state->curr_connp->message_length = 0;
ssl_state->curr_connp->trec_pos = 0;
return parsed;
} else {
ssl_state->curr_connp->trec_pos += write_len;
ssl_state->curr_connp->bytes_processed += write_len;
parsed += write_len;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
return parsed;
}
}
some naming changes in ssl parser and ssl related keywords
15 years ago
static int SSLv3ParseHandshakeProtocol(SSLState *ssl_state, uint8_t *input,
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
uint32_t input_len)
{
uint8_t *initial_input = input;
TLS app layer: rewrite decoder to handle multiple messages in records Since we now parse the content of the TLS messages, we need to handle the case multiple messages are shipped in a single TLS record, and taking care of the multiple levels of fragmentation (message, record, and TCP). Additionally, fix a bug where the parser state was not reset after an empty record.
14 years ago
int retval;
Add a few extra safety checks in new SSL code.
15 years ago
bug #955 - Fix SSL parsing issue. The parser wasn't carrying out a bounds check on record length while in the middle of parsing a handshake. As a result we would step onto the next record header and consider it a part of the current handshake. - Contains an unittest to test the issue. - Disable the duplicate parser unittest registration. The issue came to light through an irregular ssl record, which was reported by Sebastian Roschke, via CVE-2013-5919. Thanks to Sebastian Roschke for reporting this issue.
12 years ago
if (input_len == 0 ||
ssl_state->curr_connp->bytes_processed ==
(ssl_state->curr_connp->record_length + SSLV3_RECORD_HDR_LEN))
{
Add a few extra safety checks in new SSL code.
15 years ago
return 0;
}
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
fix for #725. Update trec_len, trec_pos to 32 bits from 16 bits. Handle handshakes that are fragmented across records.
13 years ago
switch (ssl_state->curr_connp->hs_bytes_processed) {
TLS app layer: rewrite decoder to handle multiple messages in records Since we now parse the content of the TLS messages, we need to handle the case multiple messages are shipped in a single TLS record, and taking care of the multiple levels of fragmentation (message, record, and TCP). Additionally, fix a bug where the parser state was not reset after an empty record.
14 years ago
case 0:
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->handshake_type = *(input++);
ssl_state->curr_connp->bytes_processed++;
fix for #725. Update trec_len, trec_pos to 32 bits from 16 bits. Handle handshakes that are fragmented across records.
13 years ago
ssl_state->curr_connp->hs_bytes_processed++;
bug #955 - Fix SSL parsing issue. The parser wasn't carrying out a bounds check on record length while in the middle of parsing a handshake. As a result we would step onto the next record header and consider it a part of the current handshake. - Contains an unittest to test the issue. - Disable the duplicate parser unittest registration. The issue came to light through an irregular ssl record, which was reported by Sebastian Roschke, via CVE-2013-5919. Thanks to Sebastian Roschke for reporting this issue.
12 years ago
if (--input_len == 0 ||
ssl_state->curr_connp->bytes_processed ==
(ssl_state->curr_connp->record_length + SSLV3_RECORD_HDR_LEN))
{
return (input - initial_input);
}
Add a /* fall through */ comment for all switch case fall throughs. This should server as a message to coverity that the fall through is intentional.
12 years ago
/* fall through */
TLS app layer: rewrite decoder to handle multiple messages in records Since we now parse the content of the TLS messages, we need to handle the case multiple messages are shipped in a single TLS record, and taking care of the multiple levels of fragmentation (message, record, and TCP). Additionally, fix a bug where the parser state was not reset after an empty record.
14 years ago
case 1:
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->message_length = *(input++) << 16;
ssl_state->curr_connp->bytes_processed++;
fix for #725. Update trec_len, trec_pos to 32 bits from 16 bits. Handle handshakes that are fragmented across records.
13 years ago
ssl_state->curr_connp->hs_bytes_processed++;
bug #955 - Fix SSL parsing issue. The parser wasn't carrying out a bounds check on record length while in the middle of parsing a handshake. As a result we would step onto the next record header and consider it a part of the current handshake. - Contains an unittest to test the issue. - Disable the duplicate parser unittest registration. The issue came to light through an irregular ssl record, which was reported by Sebastian Roschke, via CVE-2013-5919. Thanks to Sebastian Roschke for reporting this issue.
12 years ago
if (--input_len == 0 ||
ssl_state->curr_connp->bytes_processed ==
(ssl_state->curr_connp->record_length + SSLV3_RECORD_HDR_LEN))
{
return (input - initial_input);
}
Add a /* fall through */ comment for all switch case fall throughs. This should server as a message to coverity that the fall through is intentional.
12 years ago
/* fall through */
TLS app layer: rewrite decoder to handle multiple messages in records Since we now parse the content of the TLS messages, we need to handle the case multiple messages are shipped in a single TLS record, and taking care of the multiple levels of fragmentation (message, record, and TCP). Additionally, fix a bug where the parser state was not reset after an empty record.
14 years ago
case 2:
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->message_length |= *(input++) << 8;
ssl_state->curr_connp->bytes_processed++;
fix for #725. Update trec_len, trec_pos to 32 bits from 16 bits. Handle handshakes that are fragmented across records.
13 years ago
ssl_state->curr_connp->hs_bytes_processed++;
bug #955 - Fix SSL parsing issue. The parser wasn't carrying out a bounds check on record length while in the middle of parsing a handshake. As a result we would step onto the next record header and consider it a part of the current handshake. - Contains an unittest to test the issue. - Disable the duplicate parser unittest registration. The issue came to light through an irregular ssl record, which was reported by Sebastian Roschke, via CVE-2013-5919. Thanks to Sebastian Roschke for reporting this issue.
12 years ago
if (--input_len == 0 ||
ssl_state->curr_connp->bytes_processed ==
(ssl_state->curr_connp->record_length + SSLV3_RECORD_HDR_LEN))
{
return (input - initial_input);
}
Add a /* fall through */ comment for all switch case fall throughs. This should server as a message to coverity that the fall through is intentional.
12 years ago
/* fall through */
TLS app layer: rewrite decoder to handle multiple messages in records Since we now parse the content of the TLS messages, we need to handle the case multiple messages are shipped in a single TLS record, and taking care of the multiple levels of fragmentation (message, record, and TCP). Additionally, fix a bug where the parser state was not reset after an empty record.
14 years ago
case 3:
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->message_length |= *(input++);
ssl_state->curr_connp->bytes_processed++;
fix for #725. Update trec_len, trec_pos to 32 bits from 16 bits. Handle handshakes that are fragmented across records.
13 years ago
ssl_state->curr_connp->hs_bytes_processed++;
bug #955 - Fix SSL parsing issue. The parser wasn't carrying out a bounds check on record length while in the middle of parsing a handshake. As a result we would step onto the next record header and consider it a part of the current handshake. - Contains an unittest to test the issue. - Disable the duplicate parser unittest registration. The issue came to light through an irregular ssl record, which was reported by Sebastian Roschke, via CVE-2013-5919. Thanks to Sebastian Roschke for reporting this issue.
12 years ago
--input_len;
Add a /* fall through */ comment for all switch case fall throughs. This should server as a message to coverity that the fall through is intentional.
12 years ago
/* fall through */
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
}
TLS app layer: rewrite decoder to handle multiple messages in records Since we now parse the content of the TLS messages, we need to handle the case multiple messages are shipped in a single TLS record, and taking care of the multiple levels of fragmentation (message, record, and TCP). Additionally, fix a bug where the parser state was not reset after an empty record.
14 years ago
retval = SSLv3ParseHandshakeType(ssl_state, input, input_len);
if (retval < 0) {
ssl parser fix/updates
13 years ago
return retval;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
}
TLS app layer: rewrite decoder to handle multiple messages in records Since we now parse the content of the TLS messages, we need to handle the case multiple messages are shipped in a single TLS record, and taking care of the multiple levels of fragmentation (message, record, and TCP). Additionally, fix a bug where the parser state was not reset after an empty record.
14 years ago
input += retval;
ssl parser fix/updates
13 years ago
TLS app layer: rewrite decoder to handle multiple messages in records Since we now parse the content of the TLS messages, we need to handle the case multiple messages are shipped in a single TLS record, and taking care of the multiple levels of fragmentation (message, record, and TCP). Additionally, fix a bug where the parser state was not reset after an empty record.
14 years ago
return (input - initial_input);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
}
TLS: add detection for malicious heartbeats (AKA heartbleed) The OpenSSL implementation of RFC 6520 (Heartbeat extension) does not check the payload length correctly, resulting in a copy of at most 64k of memory from the server (ref: CVE-2014-0160). This patch adds support for decoding heartbeat messages (if not encrypted), and checking several parts (type, length and padding). When an anomaly is detected, a TLS event is raised.
11 years ago
/**
* \internal
* \brief TLS Heartbeat parser (see RFC 6520)
*
* \param sslstate Pointer to the SSL state.
* \param input Pointer the received input data.
* \param input_len Length in bytes of the received data.
tls/heartbleed: formatting fixes
11 years ago
* \param direction 1 toclient, 0 toserver
TLS: add detection for malicious heartbeats (AKA heartbleed) The OpenSSL implementation of RFC 6520 (Heartbeat extension) does not check the payload length correctly, resulting in a copy of at most 64k of memory from the server (ref: CVE-2014-0160). This patch adds support for decoding heartbeat messages (if not encrypted), and checking several parts (type, length and padding). When an anomaly is detected, a TLS event is raised.
11 years ago
*
* \retval The number of bytes parsed on success, 0 if nothing parsed, -1 on failure.
*/
static int SSLv3ParseHeartbeatProtocol(SSLState *ssl_state, uint8_t *input,
Look for Mismatched Encrypted HB request and response sizes, along with multiple in-flight HB requests from the same direction
11 years ago
uint32_t input_len, uint8_t direction)
TLS: add detection for malicious heartbeats (AKA heartbleed) The OpenSSL implementation of RFC 6520 (Heartbeat extension) does not check the payload length correctly, resulting in a copy of at most 64k of memory from the server (ref: CVE-2014-0160). This patch adds support for decoding heartbeat messages (if not encrypted), and checking several parts (type, length and padding). When an anomaly is detected, a TLS event is raised.
11 years ago
{
uint8_t hb_type;
uint16_t payload_len;
uint16_t padding_len;
// expect at least 3 bytes, heartbeat type (1) + length (2)
if (input_len < 3) {
return 0;
}
hb_type = *input++;
tls/heartbleed: improve encrypted logic Don't assume that if the type field isn't 01 or 02 it's an encrypted heartbeat. Instead, use our knowledge of the SSL state.
11 years ago
if (!(ssl_state->flags & SSL_AL_FLAG_CHANGE_CIPHER_SPEC)) {
if (!(hb_type == TLS_HB_REQUEST || hb_type == TLS_HB_RESPONSE)) {
AppLayerDecoderEventsSetEvent(ssl_state->f,
TLS_DECODER_EVENT_INVALID_HEARTBEAT);
return -1;
}
}
if ((ssl_state->flags & SSL_AL_FLAG_HB_INFLIGHT) == 0) {
Look for Mismatched Encrypted HB request and response sizes, along with multiple in-flight HB requests from the same direction
11 years ago
ssl_state->flags |= SSL_AL_FLAG_HB_INFLIGHT;
if (direction) {
ssl_state->flags |= SSL_AL_FLAG_HB_SERVER_INIT;
SCLogDebug("HeartBeat Record type sent in the toclient "
"direction!");
} else {
ssl_state->flags |= SSL_AL_FLAG_HB_CLIENT_INIT;
SCLogDebug("HeartBeat Record type sent in the toserver "
"direction!");
}
tls/heartbleed: formatting fixes
11 years ago
/* if we reach this poin then can we assume that the HB request
* is encrypted if so lets set the heartbeat record len */
tls/heartbleed: improve encrypted logic Don't assume that if the type field isn't 01 or 02 it's an encrypted heartbeat. Instead, use our knowledge of the SSL state.
11 years ago
if (ssl_state->flags & SSL_AL_FLAG_CHANGE_CIPHER_SPEC) {
Look for Mismatched Encrypted HB request and response sizes, along with multiple in-flight HB requests from the same direction
11 years ago
ssl_state->hb_record_len = ssl_state->curr_connp->record_length;
tls/heartbleed: formatting fixes
11 years ago
SCLogDebug("Encrypted HeartBeat Request In-flight. Storing len %u", ssl_state->hb_record_len);
Look for Mismatched Encrypted HB request and response sizes, along with multiple in-flight HB requests from the same direction
11 years ago
return (ssl_state->curr_connp->record_length - 3);
}
TLS: add detection for malicious heartbeats (AKA heartbleed) The OpenSSL implementation of RFC 6520 (Heartbeat extension) does not check the payload length correctly, resulting in a copy of at most 64k of memory from the server (ref: CVE-2014-0160). This patch adds support for decoding heartbeat messages (if not encrypted), and checking several parts (type, length and padding). When an anomaly is detected, a TLS event is raised.
11 years ago
Look for Mismatched Encrypted HB request and response sizes, along with multiple in-flight HB requests from the same direction
11 years ago
payload_len = (*input++) << 8;
payload_len |= (*input++);
TLS: add detection for malicious heartbeats (AKA heartbleed) The OpenSSL implementation of RFC 6520 (Heartbeat extension) does not check the payload length correctly, resulting in a copy of at most 64k of memory from the server (ref: CVE-2014-0160). This patch adds support for decoding heartbeat messages (if not encrypted), and checking several parts (type, length and padding). When an anomaly is detected, a TLS event is raised.
11 years ago
Look for Mismatched Encrypted HB request and response sizes, along with multiple in-flight HB requests from the same direction
11 years ago
// check that the requested payload length is really present in record (CVE-2014-0160)
if ((uint32_t)(payload_len+3) > ssl_state->curr_connp->record_length) {
SCLogDebug("We have a short record in HeartBeat Request");
AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT);
return -1;
}
// check the padding length
// it must be at least 16 bytes (RFC 6520, section 4)
padding_len = ssl_state->curr_connp->record_length - payload_len - 3;
if (padding_len < 16) {
SCLogDebug("We have a short record in HeartBeat Request");
AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_HEARTBEAT);
return -1;
}
TLS: add detection for malicious heartbeats (AKA heartbleed) The OpenSSL implementation of RFC 6520 (Heartbeat extension) does not check the payload length correctly, resulting in a copy of at most 64k of memory from the server (ref: CVE-2014-0160). This patch adds support for decoding heartbeat messages (if not encrypted), and checking several parts (type, length and padding). When an anomaly is detected, a TLS event is raised.
11 years ago
Look for Mismatched Encrypted HB request and response sizes, along with multiple in-flight HB requests from the same direction
11 years ago
if (input_len < payload_len+padding_len) { // we don't have the payload
return 0;
}
tls/heartbleed: formatting fixes
11 years ago
/* OpenSSL still seems to discard multiple in-flight
* heartbeats although some tools send multiple at once */
} else if (direction == 1 && (ssl_state->flags & SSL_AL_FLAG_HB_INFLIGHT) &&
(ssl_state->flags & SSL_AL_FLAG_HB_SERVER_INIT)) {
Look for Mismatched Encrypted HB request and response sizes, along with multiple in-flight HB requests from the same direction
11 years ago
SCLogDebug("Multiple In-Flight Server Intiated HeartBeats");
AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_HEARTBEAT);
return -1;
tls/heartbleed: formatting fixes
11 years ago
} else if (direction == 0 && (ssl_state->flags & SSL_AL_FLAG_HB_INFLIGHT) &&
(ssl_state->flags & SSL_AL_FLAG_HB_CLIENT_INIT)) {
Look for Mismatched Encrypted HB request and response sizes, along with multiple in-flight HB requests from the same direction
11 years ago
SCLogDebug("Multiple In-Flight Client Intiated HeartBeats");
TLS: add detection for malicious heartbeats (AKA heartbleed) The OpenSSL implementation of RFC 6520 (Heartbeat extension) does not check the payload length correctly, resulting in a copy of at most 64k of memory from the server (ref: CVE-2014-0160). This patch adds support for decoding heartbeat messages (if not encrypted), and checking several parts (type, length and padding). When an anomaly is detected, a TLS event is raised.
11 years ago
AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_HEARTBEAT);
return -1;
Look for Mismatched Encrypted HB request and response sizes, along with multiple in-flight HB requests from the same direction
11 years ago
} else {
tls/heartbleed: formatting fixes
11 years ago
/* we have a HB record in the opposite direction of the request
* lets reset our flags */
Look for Mismatched Encrypted HB request and response sizes, along with multiple in-flight HB requests from the same direction
11 years ago
ssl_state->flags &= ~SSL_AL_FLAG_HB_INFLIGHT;
ssl_state->flags &= ~SSL_AL_FLAG_HB_SERVER_INIT;
ssl_state->flags &= ~SSL_AL_FLAG_HB_CLIENT_INIT;
tls/heartbleed: formatting fixes
11 years ago
/* if we reach this poin then can we assume that the HB request is
*encrypted if so lets set the heartbeat record len */
tls/heartbleed: improve encrypted logic Don't assume that if the type field isn't 01 or 02 it's an encrypted heartbeat. Instead, use our knowledge of the SSL state.
11 years ago
if (ssl_state->flags & SSL_AL_FLAG_CHANGE_CIPHER_SPEC) {
tls/heartbleed: formatting fixes
11 years ago
/* check to see if the encrypted response is longer than the
* encrypted request */
if (ssl_state->hb_record_len > 0 &&
ssl_state->hb_record_len < ssl_state->curr_connp->record_length)
{
SCLogDebug("My Heart It's Bleeding.. OpenSSL HeartBleed Response (%u)",
ssl_state->hb_record_len);
AppLayerDecoderEventsSetEvent(ssl_state->f,
TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH);
Look for Mismatched Encrypted HB request and response sizes, along with multiple in-flight HB requests from the same direction
11 years ago
ssl_state->hb_record_len = 0;
return -1;
}
}
tls/heartbleed: formatting fixes
11 years ago
/* reset the hb record len in-case we have legit hb's followed by a bad one */
Look for Mismatched Encrypted HB request and response sizes, along with multiple in-flight HB requests from the same direction
11 years ago
ssl_state->hb_record_len = 0;
TLS: add detection for malicious heartbeats (AKA heartbleed) The OpenSSL implementation of RFC 6520 (Heartbeat extension) does not check the payload length correctly, resulting in a copy of at most 64k of memory from the server (ref: CVE-2014-0160). This patch adds support for decoding heartbeat messages (if not encrypted), and checking several parts (type, length and padding). When an anomaly is detected, a TLS event is raised.
11 years ago
}
tls/heartbleed: formatting fixes
11 years ago
/* skip the heartbeat, 3 bytes were already parsed, e.g |18 03 02| for TLS 1.2 */
TLS: add detection for malicious heartbeats (AKA heartbleed) The OpenSSL implementation of RFC 6520 (Heartbeat extension) does not check the payload length correctly, resulting in a copy of at most 64k of memory from the server (ref: CVE-2014-0160). This patch adds support for decoding heartbeat messages (if not encrypted), and checking several parts (type, length and padding). When an anomaly is detected, a TLS event is raised.
11 years ago
return (ssl_state->curr_connp->record_length - 3);
}
some naming changes in ssl parser and ssl related keywords
15 years ago
static int SSLv3ParseRecord(uint8_t direction, SSLState *ssl_state,
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
uint8_t *input, uint32_t input_len)
{
uint8_t *initial_input = input;
Add a few extra safety checks in new SSL code.
15 years ago
if (input_len == 0) {
return 0;
}
ssl parser fix/updates
13 years ago
switch (ssl_state->curr_connp->bytes_processed) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
case 0:
if (input_len >= 5) {
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->content_type = input[0];
ssl_state->curr_connp->version = input[1] << 8;
ssl_state->curr_connp->version |= input[2];
ssl_state->curr_connp->record_length = input[3] << 8;
ssl_state->curr_connp->record_length |= input[4];
fix wrong record hdr len check in ssl parser
13 years ago
ssl_state->curr_connp->bytes_processed += SSLV3_RECORD_HDR_LEN;
return SSLV3_RECORD_HDR_LEN;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
} else {
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->content_type = *(input++);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (--input_len == 0)
break;
}
Add a /* fall through */ comment for all switch case fall throughs. This should server as a message to coverity that the fall through is intentional.
12 years ago
/* fall through */
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
case 1:
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->version = *(input++) << 8;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (--input_len == 0)
break;
Add a /* fall through */ comment for all switch case fall throughs. This should server as a message to coverity that the fall through is intentional.
12 years ago
/* fall through */
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
case 2:
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->version |= *(input++);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (--input_len == 0)
break;
Add a /* fall through */ comment for all switch case fall throughs. This should server as a message to coverity that the fall through is intentional.
12 years ago
/* fall through */
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
case 3:
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->record_length = *(input++) << 8;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (--input_len == 0)
break;
Add a /* fall through */ comment for all switch case fall throughs. This should server as a message to coverity that the fall through is intentional.
12 years ago
/* fall through */
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
case 4:
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->record_length |= *(input++);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (--input_len == 0)
break;
Add a /* fall through */ comment for all switch case fall throughs. This should server as a message to coverity that the fall through is intentional.
12 years ago
/* fall through */
ssl parser fix/updates
13 years ago
} /* switch (ssl_state->curr_connp->bytes_processed) */
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->bytes_processed += (input - initial_input);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
return (input - initial_input);
}
some naming changes in ssl parser and ssl related keywords
15 years ago
static int SSLv2ParseRecord(uint8_t direction, SSLState *ssl_state,
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
uint8_t *input, uint32_t input_len)
{
uint8_t *initial_input = input;
Add a few extra safety checks in new SSL code.
15 years ago
if (input_len == 0) {
return 0;
}
ssl parser fix/updates
13 years ago
if (ssl_state->curr_connp->record_lengths_length == 2) {
switch (ssl_state->curr_connp->bytes_processed) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
case 0:
ssl parser fix/updates
13 years ago
if (input_len >= ssl_state->curr_connp->record_lengths_length + 1) {
ssl_state->curr_connp->record_length = (0x7f & input[0]) << 8 | input[1];
ssl_state->curr_connp->content_type = input[2];
ssl_state->curr_connp->version = SSL_VERSION_2;
ssl_state->curr_connp->bytes_processed += 3;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
return 3;
} else {
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->record_length = (0x7f & *(input++)) << 8;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (--input_len == 0)
break;
}
Add a /* fall through */ comment for all switch case fall throughs. This should server as a message to coverity that the fall through is intentional.
12 years ago
/* fall through */
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
case 1:
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->record_length |= *(input++);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (--input_len == 0)
break;
Add a /* fall through */ comment for all switch case fall throughs. This should server as a message to coverity that the fall through is intentional.
12 years ago
/* fall through */
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
case 2:
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->content_type = *(input++);
ssl_state->curr_connp->version = SSL_VERSION_2;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (--input_len == 0)
break;
Add a /* fall through */ comment for all switch case fall throughs. This should server as a message to coverity that the fall through is intentional.
12 years ago
/* fall through */
ssl parser fix/updates
13 years ago
} /* switch (ssl_state->curr_connp->bytes_processed) */
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
} else {
ssl parser fix/updates
13 years ago
switch (ssl_state->curr_connp->bytes_processed) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
case 0:
ssl parser fix/updates
13 years ago
if (input_len >= ssl_state->curr_connp->record_lengths_length + 1) {
ssl_state->curr_connp->record_length = (0x3f & input[0]) << 8 | input[1];
ssl_state->curr_connp->content_type = input[3];
ssl_state->curr_connp->version = SSL_VERSION_2;
ssl_state->curr_connp->bytes_processed += 4;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
return 4;
} else {
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->record_length = (0x3f & *(input++)) << 8;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (--input_len == 0)
break;
}
Add a /* fall through */ comment for all switch case fall throughs. This should server as a message to coverity that the fall through is intentional.
12 years ago
/* fall through */
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
case 1:
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->record_length |= *(input++);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (--input_len == 0)
break;
Add a /* fall through */ comment for all switch case fall throughs. This should server as a message to coverity that the fall through is intentional.
12 years ago
/* fall through */
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
case 2:
/* padding */
input++;
if (--input_len == 0)
break;
Add a /* fall through */ comment for all switch case fall throughs. This should server as a message to coverity that the fall through is intentional.
12 years ago
/* fall through */
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
case 3:
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->content_type = *(input++);
ssl_state->curr_connp->version = SSL_VERSION_2;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (--input_len == 0)
break;
Add a /* fall through */ comment for all switch case fall throughs. This should server as a message to coverity that the fall through is intentional.
12 years ago
/* fall through */
ssl parser fix/updates
13 years ago
} /* switch (ssl_state->curr_connp->bytes_processed) */
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
}
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->bytes_processed += (input - initial_input);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
return (input - initial_input);
}
some naming changes in ssl parser and ssl related keywords
15 years ago
static int SSLv2Decode(uint8_t direction, SSLState *ssl_state,
app-layer: Use opaque pointers instead of void For AppLayerThreadCtx, AppLayerParserState, AppLayerParserThreadCtx and AppLayerProtoDetectThreadCtx, use opaque pointers instead of void pointers. AppLayerParserState is declared in flow.h as it's part of the Flow structure. AppLayerThreadCtx is declared in decode.h, as it's part of the DecodeThreadVars structure.
12 years ago
AppLayerParserState *pstate, uint8_t *input,
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
uint32_t input_len)
{
int retval = 0;
uint8_t *initial_input = input;
ssl parser fix/updates
13 years ago
if (ssl_state->curr_connp->bytes_processed == 0) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (input[0] & 0x80) {
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->record_lengths_length = 2;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
} else {
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->record_lengths_length = 3;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
}
}
/* the + 1 because, we also read one extra byte inside SSLv2ParseRecord
* to read the msg_type */
ssl parser fix/updates
13 years ago
if (ssl_state->curr_connp->bytes_processed < (ssl_state->curr_connp->record_lengths_length + 1)) {
some naming changes in ssl parser and ssl related keywords
15 years ago
retval = SSLv2ParseRecord(direction, ssl_state, input, input_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (retval == -1) {
Add TLS decode events
14 years ago
AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_SSLV2_HEADER);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
return -1;
} else {
input += retval;
input_len -= retval;
}
}
if (input_len == 0) {
return (input - initial_input);
}
ssl parser fix/updates
13 years ago
switch (ssl_state->curr_connp->content_type) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
case SSLV2_MT_ERROR:
ssl connection error message event added. Remove warning log for the same error alert
13 years ago
SCLogDebug("SSLV2_MT_ERROR msg_type received. "
"Error encountered in establishing the sslv2 "
"session, may be version");
AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_ERROR_MSG_ENCOUNTERED);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
break;
case SSLV2_MT_CLIENT_HELLO:
some naming changes in ssl parser and ssl related keywords
15 years ago
ssl_state->flags |= SSL_AL_FLAG_STATE_CLIENT_HELLO;
ssl_state->flags |= SSL_AL_FLAG_SSL_CLIENT_HS;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
ssl parser fix/updates
13 years ago
if (ssl_state->curr_connp->record_lengths_length == 3) {
switch (ssl_state->curr_connp->bytes_processed) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
case 4:
if (input_len >= 6) {
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->session_id_length = input[4] << 8;
ssl_state->curr_connp->session_id_length |= input[5];
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
input += 6;
input_len -= 6;
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->bytes_processed += 6;
if (ssl_state->curr_connp->session_id_length == 0) {
some naming changes in ssl parser and ssl related keywords
15 years ago
ssl_state->flags |= SSL_AL_FLAG_SSL_NO_SESSION_ID;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
}
break;
} else {
input++;
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->bytes_processed++;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (--input_len == 0)
break;
}
Add a /* fall through */ comment for all switch case fall throughs. This should server as a message to coverity that the fall through is intentional.
12 years ago
/* fall through */
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
case 5:
input++;
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->bytes_processed++;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (--input_len == 0)
break;
Add a /* fall through */ comment for all switch case fall throughs. This should server as a message to coverity that the fall through is intentional.
12 years ago
/* fall through */
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
case 6:
input++;
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->bytes_processed++;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (--input_len == 0)
break;
Add a /* fall through */ comment for all switch case fall throughs. This should server as a message to coverity that the fall through is intentional.
12 years ago
/* fall through */
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
case 7:
input++;
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->bytes_processed++;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (--input_len == 0)
break;
Add a /* fall through */ comment for all switch case fall throughs. This should server as a message to coverity that the fall through is intentional.
12 years ago
/* fall through */
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
case 8:
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->session_id_length = *(input++) << 8;
ssl_state->curr_connp->bytes_processed++;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (--input_len == 0)
break;
Add a /* fall through */ comment for all switch case fall throughs. This should server as a message to coverity that the fall through is intentional.
12 years ago
/* fall through */
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
case 9:
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->session_id_length |= *(input++);
ssl_state->curr_connp->bytes_processed++;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (--input_len == 0)
break;
Add a /* fall through */ comment for all switch case fall throughs. This should server as a message to coverity that the fall through is intentional.
12 years ago
/* fall through */
ssl parser fix/updates
13 years ago
} /* switch (ssl_state->curr_connp->bytes_processed) */
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
ssl parser fix/updates
13 years ago
/* ssl_state->curr_connp->record_lengths_length is 3 */
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
} else {
ssl parser fix/updates
13 years ago
switch (ssl_state->curr_connp->bytes_processed) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
case 3:
if (input_len >= 6) {
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->session_id_length = input[4] << 8;
ssl_state->curr_connp->session_id_length |= input[5];
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
input += 6;
input_len -= 6;
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->bytes_processed += 6;
if (ssl_state->curr_connp->session_id_length == 0) {
some naming changes in ssl parser and ssl related keywords
15 years ago
ssl_state->flags |= SSL_AL_FLAG_SSL_NO_SESSION_ID;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
}
break;
} else {
input++;
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->bytes_processed++;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (--input_len == 0)
break;
}
case 4:
input++;
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->bytes_processed++;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (--input_len == 0)
break;
case 5:
input++;
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->bytes_processed++;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (--input_len == 0)
break;
case 6:
input++;
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->bytes_processed++;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (--input_len == 0)
break;
case 7:
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->session_id_length = *(input++) << 8;
ssl_state->curr_connp->bytes_processed++;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (--input_len == 0)
break;
case 8:
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->session_id_length |= *(input++);
ssl_state->curr_connp->bytes_processed++;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (--input_len == 0)
break;
ssl parser fix/updates
13 years ago
} /* switch (ssl_state->curr_connp->bytes_processed) */
} /* else - if (ssl_state->curr_connp->record_lengths_length == 3) */
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
break;
case SSLV2_MT_CLIENT_MASTER_KEY:
some naming changes in ssl parser and ssl related keywords
15 years ago
if ( !(ssl_state->flags & SSL_AL_FLAG_SSL_CLIENT_HS)) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
SCLogDebug("Client hello is not seen before master key "
"message!!");
}
some naming changes in ssl parser and ssl related keywords
15 years ago
ssl_state->flags |= SSL_AL_FLAG_SSL_CLIENT_MASTER_KEY;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
break;
case SSLV2_MT_CLIENT_CERTIFICATE:
if (direction == 1) {
SCLogDebug("Incorrect SSL Record type sent in the toclient "
"direction!");
} else {
some naming changes in ssl parser and ssl related keywords
15 years ago
ssl_state->flags |= SSL_AL_FLAG_STATE_CLIENT_KEYX;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
}
Add a /* fall through */ comment for all switch case fall throughs. This should server as a message to coverity that the fall through is intentional.
12 years ago
/* fall through */
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
case SSLV2_MT_SERVER_VERIFY:
case SSLV2_MT_SERVER_FINISHED:
if (direction == 0 &&
ssl parser fix/updates
13 years ago
!(ssl_state->curr_connp->content_type & SSLV2_MT_CLIENT_CERTIFICATE)) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
SCLogDebug("Incorrect SSL Record type sent in the toserver "
"direction!");
}
Add a /* fall through */ comment for all switch case fall throughs. This should server as a message to coverity that the fall through is intentional.
12 years ago
/* fall through */
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
case SSLV2_MT_CLIENT_FINISHED:
case SSLV2_MT_REQUEST_CERTIFICATE:
/* both ways hello seen */
some naming changes in ssl parser and ssl related keywords
15 years ago
if ((ssl_state->flags & SSL_AL_FLAG_SSL_CLIENT_HS) &&
(ssl_state->flags & SSL_AL_FLAG_SSL_SERVER_HS)) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (direction == 0) {
some naming changes in ssl parser and ssl related keywords
15 years ago
if (ssl_state->flags & SSL_AL_FLAG_SSL_NO_SESSION_ID) {
ssl_state->flags |= SSL_AL_FLAG_SSL_CLIENT_SSN_ENCRYPTED;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
SCLogDebug("SSLv2 client side has started the encryption");
some naming changes in ssl parser and ssl related keywords
15 years ago
} else if (ssl_state->flags & SSL_AL_FLAG_SSL_CLIENT_MASTER_KEY) {
ssl_state->flags |= SSL_AL_FLAG_SSL_CLIENT_SSN_ENCRYPTED;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
SCLogDebug("SSLv2 client side has started the encryption");
}
} else {
some naming changes in ssl parser and ssl related keywords
15 years ago
ssl_state->flags |= SSL_AL_FLAG_SSL_SERVER_SSN_ENCRYPTED;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
SCLogDebug("SSLv2 Server side has started the encryption");
}
some naming changes in ssl parser and ssl related keywords
15 years ago
if ((ssl_state->flags & SSL_AL_FLAG_SSL_CLIENT_SSN_ENCRYPTED) &&
(ssl_state->flags & SSL_AL_FLAG_SSL_SERVER_SSN_ENCRYPTED)) {
App Layer: cleanup state func naming Rename functions related to AppLayerState to be more consistent.
12 years ago
AppLayerParserStateSetFlag(pstate,
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
APP_LAYER_PARSER_NO_INSPECTION);
Move TlsConfig structure out of app-layer-protos.h and rename it to SslConfig.
14 years ago
if (ssl_config.no_reassemble == 1)
App Layer: cleanup state func naming Rename functions related to AppLayerState to be more consistent.
12 years ago
AppLayerParserStateSetFlag(pstate, APP_LAYER_PARSER_NO_REASSEMBLY);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
SCLogDebug("SSLv2 No reassembly & inspection has been set");
}
}
break;
case SSLV2_MT_SERVER_HELLO:
some naming changes in ssl parser and ssl related keywords
15 years ago
ssl_state->flags |= SSL_AL_FLAG_STATE_SERVER_HELLO;
ssl_state->flags |= SSL_AL_FLAG_SSL_SERVER_HS;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
break;
}
ssl parser fix/updates
13 years ago
if (input_len + ssl_state->curr_connp->bytes_processed >=
(ssl_state->curr_connp->record_length + ssl_state->curr_connp->record_lengths_length)) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
/* looks like we have another record after this*/
ssl parser fix/updates
13 years ago
uint32_t diff = ssl_state->curr_connp->record_length +
ssl_state->curr_connp->record_lengths_length + - ssl_state->curr_connp->bytes_processed;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
input += diff;
some naming changes in ssl parser and ssl related keywords
15 years ago
SSLParserReset(ssl_state);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
return (input - initial_input);
/* we still don't have the entire record for the one we are
* currently parsing */
} else {
input += input_len;
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->bytes_processed += input_len;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
return (input - initial_input);
}
}
some naming changes in ssl parser and ssl related keywords
15 years ago
static int SSLv3Decode(uint8_t direction, SSLState *ssl_state,
app-layer: Use opaque pointers instead of void For AppLayerThreadCtx, AppLayerParserState, AppLayerParserThreadCtx and AppLayerProtoDetectThreadCtx, use opaque pointers instead of void pointers. AppLayerParserState is declared in flow.h as it's part of the Flow structure. AppLayerThreadCtx is declared in decode.h, as it's part of the DecodeThreadVars structure.
12 years ago
AppLayerParserState *pstate, uint8_t *input,
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
uint32_t input_len)
{
int retval = 0;
uint32_t parsed = 0;
fix wrong record hdr len check in ssl parser
13 years ago
if (ssl_state->curr_connp->bytes_processed < SSLV3_RECORD_HDR_LEN) {
some naming changes in ssl parser and ssl related keywords
15 years ago
retval = SSLv3ParseRecord(direction, ssl_state, input, input_len);
ssl parser fix/updates
13 years ago
if (retval < 0) {
Add TLS decode events
14 years ago
AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_TLS_HEADER);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
return -1;
} else {
parsed += retval;
input_len -= retval;
}
}
if (input_len == 0) {
return parsed;
}
tls: check SSL3/TLS version per record Set event if SSL3/TLS record isn't within the acceptable range.
11 years ago
/* check record version */
if (ssl_state->curr_connp->version < SSL_VERSION_3 ||
ssl_state->curr_connp->version > TLS_VERSION_12) {
AppLayerDecoderEventsSetEvent(ssl_state->f,
TLS_DECODER_EVENT_INVALID_RECORD_VERSION);
return -1;
}
ssl parser fix/updates
13 years ago
switch (ssl_state->curr_connp->content_type) {
Look for Mismatched Encrypted HB request and response sizes, along with multiple in-flight HB requests from the same direction
11 years ago
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
/* we don't need any data from these types */
case SSLV3_CHANGE_CIPHER_SPEC:
some naming changes in ssl parser and ssl related keywords
15 years ago
ssl_state->flags |= SSL_AL_FLAG_CHANGE_CIPHER_SPEC;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (direction)
some naming changes in ssl parser and ssl related keywords
15 years ago
ssl_state->flags |= SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
else
some naming changes in ssl parser and ssl related keywords
15 years ago
ssl_state->flags |= SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
break;
case SSLV3_ALERT_PROTOCOL:
break;
case SSLV3_APPLICATION_PROTOCOL:
some naming changes in ssl parser and ssl related keywords
15 years ago
if ((ssl_state->flags & SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC) &&
(ssl_state->flags & SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC)) {
Look for Mismatched Encrypted HB request and response sizes, along with multiple in-flight HB requests from the same direction
11 years ago
/*
App Layer: cleanup state func naming Rename functions related to AppLayerState to be more consistent.
12 years ago
AppLayerParserStateSetFlag(pstate, APP_LAYER_PARSER_NO_INSPECTION);
Move TlsConfig structure out of app-layer-protos.h and rename it to SslConfig.
14 years ago
if (ssl_config.no_reassemble == 1)
App Layer: cleanup state func naming Rename functions related to AppLayerState to be more consistent.
12 years ago
AppLayerParserStateSetFlag(pstate, APP_LAYER_PARSER_NO_REASSEMBLY);
Look for Mismatched Encrypted HB request and response sizes, along with multiple in-flight HB requests from the same direction
11 years ago
*/
AppLayerParserStateSetFlag(pstate,APP_LAYER_PARSER_NO_INSPECTION_PAYLOAD);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
}
ssl parser fix/updates
13 years ago
break;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
case SSLV3_HANDSHAKE_PROTOCOL:
some naming changes in ssl parser and ssl related keywords
15 years ago
if (ssl_state->flags & SSL_AL_FLAG_CHANGE_CIPHER_SPEC)
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
break;
fix for #725. Update trec_len, trec_pos to 32 bits from 16 bits. Handle handshakes that are fragmented across records.
13 years ago
if (ssl_state->curr_connp->record_length < 4) {
SSLParserReset(ssl_state);
bug #955 - Fix SSL parsing issue. The parser wasn't carrying out a bounds check on record length while in the middle of parsing a handshake. As a result we would step onto the next record header and consider it a part of the current handshake. - Contains an unittest to test the issue. - Disable the duplicate parser unittest registration. The issue came to light through an irregular ssl record, which was reported by Sebastian Roschke, via CVE-2013-5919. Thanks to Sebastian Roschke for reporting this issue.
12 years ago
AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_SSL_RECORD);
fix for #725. Update trec_len, trec_pos to 32 bits from 16 bits. Handle handshakes that are fragmented across records.
13 years ago
return -1;
}
some naming changes in ssl parser and ssl related keywords
15 years ago
retval = SSLv3ParseHandshakeProtocol(ssl_state, input + parsed, input_len);
ssl parser fix/updates
13 years ago
if (retval < 0) {
Add TLS decode events
14 years ago
AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE);
bug #955 - Fix SSL parsing issue. The parser wasn't carrying out a bounds check on record length while in the middle of parsing a handshake. As a result we would step onto the next record header and consider it a part of the current handshake. - Contains an unittest to test the issue. - Disable the duplicate parser unittest registration. The issue came to light through an irregular ssl record, which was reported by Sebastian Roschke, via CVE-2013-5919. Thanks to Sebastian Roschke for reporting this issue.
12 years ago
AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_SSL_RECORD);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
return -1;
} else {
TLS app layer: rewrite decoder to handle multiple messages in records Since we now parse the content of the TLS messages, we need to handle the case multiple messages are shipped in a single TLS record, and taking care of the multiple levels of fragmentation (message, record, and TCP). Additionally, fix a bug where the parser state was not reset after an empty record.
14 years ago
if ((uint32_t)retval > input_len) {
SCLogDebug("Error parsing SSLv3.x. Reseting parser "
"state. Let's get outta here");
SSLParserReset(ssl_state);
bug #955 - Fix SSL parsing issue. The parser wasn't carrying out a bounds check on record length while in the middle of parsing a handshake. As a result we would step onto the next record header and consider it a part of the current handshake. - Contains an unittest to test the issue. - Disable the duplicate parser unittest registration. The issue came to light through an irregular ssl record, which was reported by Sebastian Roschke, via CVE-2013-5919. Thanks to Sebastian Roschke for reporting this issue.
12 years ago
AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_SSL_RECORD);
TLS app layer: rewrite decoder to handle multiple messages in records Since we now parse the content of the TLS messages, we need to handle the case multiple messages are shipped in a single TLS record, and taking care of the multiple levels of fragmentation (message, record, and TCP). Additionally, fix a bug where the parser state was not reset after an empty record.
14 years ago
return -1;
}
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
parsed += retval;
input_len -= retval;
fix wrong record hdr len check in ssl parser
13 years ago
if (ssl_state->curr_connp->bytes_processed == ssl_state->curr_connp->record_length + SSLV3_RECORD_HDR_LEN) {
some naming changes in ssl parser and ssl related keywords
15 years ago
SSLParserReset(ssl_state);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
}
tls: force 'raw' reassembly after each record Trigger raw reassembly after each record and after the handshake.
10 years ago
SCLogDebug("trigger RAW! (post HS)");
AppLayerParserTriggerRawStreamReassembly(ssl_state->f);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
return parsed;
}
break;
TLS: add detection for malicious heartbeats (AKA heartbleed) The OpenSSL implementation of RFC 6520 (Heartbeat extension) does not check the payload length correctly, resulting in a copy of at most 64k of memory from the server (ref: CVE-2014-0160). This patch adds support for decoding heartbeat messages (if not encrypted), and checking several parts (type, length and padding). When an anomaly is detected, a TLS event is raised.
11 years ago
case SSLV3_HEARTBEAT_PROTOCOL:
Look for Mismatched Encrypted HB request and response sizes, along with multiple in-flight HB requests from the same direction
11 years ago
retval = SSLv3ParseHeartbeatProtocol(ssl_state, input + parsed, input_len, direction);
TLS: add detection for malicious heartbeats (AKA heartbleed) The OpenSSL implementation of RFC 6520 (Heartbeat extension) does not check the payload length correctly, resulting in a copy of at most 64k of memory from the server (ref: CVE-2014-0160). This patch adds support for decoding heartbeat messages (if not encrypted), and checking several parts (type, length and padding). When an anomaly is detected, a TLS event is raised.
11 years ago
if (retval < 0)
return -1;
break;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
default:
ssl parser fix/updates
13 years ago
/* \todo fix the event from invalid rule to unknown rule */
Add TLS decode events
14 years ago
AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_RECORD_TYPE);
bug #955 - Fix SSL parsing issue. The parser wasn't carrying out a bounds check on record length while in the middle of parsing a handshake. As a result we would step onto the next record header and consider it a part of the current handshake. - Contains an unittest to test the issue. - Disable the duplicate parser unittest registration. The issue came to light through an irregular ssl record, which was reported by Sebastian Roschke, via CVE-2013-5919. Thanks to Sebastian Roschke for reporting this issue.
12 years ago
AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_SSL_RECORD);
return -1;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
}
fix wrong record hdr len check in ssl parser
13 years ago
if (input_len + ssl_state->curr_connp->bytes_processed >= ssl_state->curr_connp->record_length + SSLV3_RECORD_HDR_LEN) {
bug #955 - Fix SSL parsing issue. The parser wasn't carrying out a bounds check on record length while in the middle of parsing a handshake. As a result we would step onto the next record header and consider it a part of the current handshake. - Contains an unittest to test the issue. - Disable the duplicate parser unittest registration. The issue came to light through an irregular ssl record, which was reported by Sebastian Roschke, via CVE-2013-5919. Thanks to Sebastian Roschke for reporting this issue.
12 years ago
if ((ssl_state->curr_connp->record_length + SSLV3_RECORD_HDR_LEN) < ssl_state->curr_connp->bytes_processed) {
/* defensive checks. Something's wrong. */
AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_SSL_RECORD);
return -1;
}
tls: force 'raw' reassembly after each record Trigger raw reassembly after each record and after the handshake.
10 years ago
SCLogDebug("record complete, trigger RAW");
AppLayerParserTriggerRawStreamReassembly(ssl_state->f);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
/* looks like we have another record */
fix wrong record hdr len check in ssl parser
13 years ago
uint32_t diff = ssl_state->curr_connp->record_length + SSLV3_RECORD_HDR_LEN - ssl_state->curr_connp->bytes_processed;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
parsed += diff;
some naming changes in ssl parser and ssl related keywords
15 years ago
SSLParserReset(ssl_state);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
return parsed;
/* we still don't have the entire record for the one we are
* currently parsing */
} else {
parsed += input_len;
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->bytes_processed += input_len;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
return parsed;
}
}
/**
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
* \internal
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
* \brief SSLv2, SSLv23, SSLv3, TLSv1.1, TLSv1.2, TLSv1.3 parser.
*
* On parsing error, this should be the only function that should reset
* the parser state, to avoid multiple functions in the chain reseting
* the parser state.
*
* \param direction 0 for toserver, 1 for toclient.
* \param alstate Pointer to the state.
* \param pstate Application layer parser state for this session.
* \param input Pointer the received input data.
* \param input_len Length in bytes of the received data.
* \param output Pointer to the list of parsed output elements.
*
* \todo On reaching an inconsistent state, check if the input has
* another new record, instead of just returning after the reset
*
* \retval >=0 On success.
*/
app-layer: Use opaque pointers instead of void For AppLayerThreadCtx, AppLayerParserState, AppLayerParserThreadCtx and AppLayerProtoDetectThreadCtx, use opaque pointers instead of void pointers. AppLayerParserState is declared in flow.h as it's part of the Flow structure. AppLayerThreadCtx is declared in decode.h, as it's part of the DecodeThreadVars structure.
12 years ago
static int SSLDecode(Flow *f, uint8_t direction, void *alstate, AppLayerParserState *pstate,
ssl parser fix/updates
13 years ago
uint8_t *input, uint32_t ilen)
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
{
some naming changes in ssl parser and ssl related keywords
15 years ago
SSLState *ssl_state = (SSLState *)alstate;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
int retval = 0;
uint8_t counter = 0;
ssl parser fix/updates
13 years ago
int32_t input_len = (int32_t)ilen;
Add TLS decode events
14 years ago
ssl_state->f = f;
app-layer: update all protocols to accept NULL+EOF Update all non-HTTP protocol parsers to accept a NULL+EOF input.
10 years ago
if (input == NULL && AppLayerParserStateIssetFlag(pstate, APP_LAYER_PARSER_EOF)) {
SCReturnInt(1);
app-layer: fix coverity warnings
10 years ago
} else if (input == NULL || input_len == 0) {
SCReturnInt(-1);
app-layer: update all protocols to accept NULL+EOF Update all non-HTTP protocol parsers to accept a NULL+EOF input.
10 years ago
}
ssl parser fix/updates
13 years ago
if (direction == 0)
ssl_state->curr_connp = &ssl_state->client_connp;
else
ssl_state->curr_connp = &ssl_state->server_connp;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
/* if we have more than one record */
ssl parser fix/updates
13 years ago
while (input_len > 0) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (counter++ == 30) {
SCLogDebug("Looks like we have looped quite a bit. Reset state "
"and get out of here");
some naming changes in ssl parser and ssl related keywords
15 years ago
SSLParserReset(ssl_state);
bug #955 - Fix SSL parsing issue. The parser wasn't carrying out a bounds check on record length while in the middle of parsing a handshake. As a result we would step onto the next record header and consider it a part of the current handshake. - Contains an unittest to test the issue. - Disable the duplicate parser unittest registration. The issue came to light through an irregular ssl record, which was reported by Sebastian Roschke, via CVE-2013-5919. Thanks to Sebastian Roschke for reporting this issue.
12 years ago
AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_SSL_RECORD);
ssl parser fix/updates
13 years ago
return -1;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
}
ssl parser fix/updates
13 years ago
/* ssl_state->bytes_processed is 0 for a
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
* fresh record or positive to indicate a record currently being
* parsed */
ssl parser fix/updates
13 years ago
switch (ssl_state->curr_connp->bytes_processed) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
/* fresh record */
case 0:
/* only SSLv2, has one of the top 2 bits set */
Added parentheses to fix Eclipse static code analysis Fixed bug in action priority (REJECT_DST had lowest prio)
13 years ago
if ((input[0] & 0x80) || (input[0] & 0x40)) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
SCLogDebug("SSLv2 detected");
ssl parser fix/updates
13 years ago
ssl_state->curr_connp->version = SSL_VERSION_2;
some naming changes in ssl parser and ssl related keywords
15 years ago
retval = SSLv2Decode(direction, ssl_state, pstate, input,
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
input_len);
ssl parser fix/updates
13 years ago
if (retval < 0) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
SCLogDebug("Error parsing SSLv2.x. Reseting parser "
"state. Let's get outta here");
some naming changes in ssl parser and ssl related keywords
15 years ago
SSLParserReset(ssl_state);
bug #955 - Fix SSL parsing issue. The parser wasn't carrying out a bounds check on record length while in the middle of parsing a handshake. As a result we would step onto the next record header and consider it a part of the current handshake. - Contains an unittest to test the issue. - Disable the duplicate parser unittest registration. The issue came to light through an irregular ssl record, which was reported by Sebastian Roschke, via CVE-2013-5919. Thanks to Sebastian Roschke for reporting this issue.
12 years ago
AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_SSL_RECORD);
ssl parser fix/updates
13 years ago
return -1;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
} else {
input_len -= retval;
input += retval;
}
} else {
SCLogDebug("SSLv3.x detected");
ssl parser fix/updates
13 years ago
/* we will keep it this way till our record parser tells
* us what exact version it is */
ssl_state->curr_connp->version = TLS_VERSION_UNKNOWN;
some naming changes in ssl parser and ssl related keywords
15 years ago
retval = SSLv3Decode(direction, ssl_state, pstate, input,
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
input_len);
ssl parser fix/updates
13 years ago
if (retval < 0) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
SCLogDebug("Error parsing SSLv3.x. Reseting parser "
"state. Let's get outta here");
some naming changes in ssl parser and ssl related keywords
15 years ago
SSLParserReset(ssl_state);
bug #955 - Fix SSL parsing issue. The parser wasn't carrying out a bounds check on record length while in the middle of parsing a handshake. As a result we would step onto the next record header and consider it a part of the current handshake. - Contains an unittest to test the issue. - Disable the duplicate parser unittest registration. The issue came to light through an irregular ssl record, which was reported by Sebastian Roschke, via CVE-2013-5919. Thanks to Sebastian Roschke for reporting this issue.
12 years ago
AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_SSL_RECORD);
ssl parser fix/updates
13 years ago
return -1;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
} else {
input_len -= retval;
input += retval;
fix wrong record hdr len check in ssl parser
13 years ago
if (ssl_state->curr_connp->bytes_processed == SSLV3_RECORD_HDR_LEN
ssl parser fix/updates
13 years ago
&& ssl_state->curr_connp->record_length == 0) {
TLS app layer: rewrite decoder to handle multiple messages in records Since we now parse the content of the TLS messages, we need to handle the case multiple messages are shipped in a single TLS record, and taking care of the multiple levels of fragmentation (message, record, and TCP). Additionally, fix a bug where the parser state was not reset after an empty record.
14 years ago
/* empty record */
SSLParserReset(ssl_state);
}
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
}
}
break;
default:
/* we would have established by now if we are dealing with
* SSLv2 or above */
ssl parser fix/updates
13 years ago
if (ssl_state->curr_connp->version == SSL_VERSION_2) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
SCLogDebug("Continuing parsing SSLv2 record from where we "
"previously left off");
some naming changes in ssl parser and ssl related keywords
15 years ago
retval = SSLv2Decode(direction, ssl_state, pstate, input,
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
input_len);
if (retval == -1) {
SCLogDebug("Error parsing SSLv2.x. Reseting parser "
"state. Let's get outta here");
some naming changes in ssl parser and ssl related keywords
15 years ago
SSLParserReset(ssl_state);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
return 0;
} else {
input_len -= retval;
input += retval;
}
} else {
SCLogDebug("Continuing parsing SSLv3.x record from where we "
"previously left off");
some naming changes in ssl parser and ssl related keywords
15 years ago
retval = SSLv3Decode(direction, ssl_state, pstate, input,
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
input_len);
TLS app layer: rewrite decoder to handle multiple messages in records Since we now parse the content of the TLS messages, we need to handle the case multiple messages are shipped in a single TLS record, and taking care of the multiple levels of fragmentation (message, record, and TCP). Additionally, fix a bug where the parser state was not reset after an empty record.
14 years ago
if (retval < 0) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
SCLogDebug("Error parsing SSLv3.x. Reseting parser "
"state. Let's get outta here");
some naming changes in ssl parser and ssl related keywords
15 years ago
SSLParserReset(ssl_state);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
return 0;
} else {
ssl parser fix/updates
13 years ago
if (retval > input_len) {
TLS app layer: rewrite decoder to handle multiple messages in records Since we now parse the content of the TLS messages, we need to handle the case multiple messages are shipped in a single TLS record, and taking care of the multiple levels of fragmentation (message, record, and TCP). Additionally, fix a bug where the parser state was not reset after an empty record.
14 years ago
SCLogDebug("Error parsing SSLv3.x. Reseting parser "
"state. Let's get outta here");
SSLParserReset(ssl_state);
}
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
input_len -= retval;
input += retval;
fix wrong record hdr len check in ssl parser
13 years ago
if (ssl_state->curr_connp->bytes_processed == SSLV3_RECORD_HDR_LEN
ssl parser fix/updates
13 years ago
&& ssl_state->curr_connp->record_length == 0) {
TLS app layer: rewrite decoder to handle multiple messages in records Since we now parse the content of the TLS messages, we need to handle the case multiple messages are shipped in a single TLS record, and taking care of the multiple levels of fragmentation (message, record, and TCP). Additionally, fix a bug where the parser state was not reset after an empty record.
14 years ago
/* empty record */
SSLParserReset(ssl_state);
}
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
}
}
break;
ssl parser fix/updates
13 years ago
} /* switch (ssl_state->curr_connp->bytes_processed) */
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
} /* while (input_len) */
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
return 1;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
}
app-layer: Use opaque pointers instead of void For AppLayerThreadCtx, AppLayerParserState, AppLayerParserThreadCtx and AppLayerProtoDetectThreadCtx, use opaque pointers instead of void pointers. AppLayerParserState is declared in flow.h as it's part of the Flow structure. AppLayerThreadCtx is declared in decode.h, as it's part of the DecodeThreadVars structure.
12 years ago
int SSLParseClientRecord(Flow *f, void *alstate, AppLayerParserState *pstate,
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
uint8_t *input, uint32_t input_len,
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
void *local_data)
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
{
Add TLS decode events
14 years ago
return SSLDecode(f, 0 /* toserver */, alstate, pstate, input, input_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
}
app-layer: Use opaque pointers instead of void For AppLayerThreadCtx, AppLayerParserState, AppLayerParserThreadCtx and AppLayerProtoDetectThreadCtx, use opaque pointers instead of void pointers. AppLayerParserState is declared in flow.h as it's part of the Flow structure. AppLayerThreadCtx is declared in decode.h, as it's part of the DecodeThreadVars structure.
12 years ago
int SSLParseServerRecord(Flow *f, void *alstate, AppLayerParserState *pstate,
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
uint8_t *input, uint32_t input_len,
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
void *local_data)
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
{
Add TLS decode events
14 years ago
return SSLDecode(f, 1 /* toclient */, alstate, pstate, input, input_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
}
/**
* \internal
* \brief Function to allocate the SSL state memory.
*/
some naming changes in ssl parser and ssl related keywords
15 years ago
void *SSLStateAlloc(void)
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
{
app-layer-ssl: code cleanup Don't alloc a void ptr and then cast in every operation. Instead, alloc a SSLState ptr and only case to void on returning the ptr.
12 years ago
SSLState *ssl_state = SCMalloc(sizeof(SSLState));
Use unlikely for error treatment. When handling error case on SCMallog, SCCalloc or SCStrdup we are in an unlikely case. This patch adds the unlikely() expression to indicate this to gcc. This patch has been obtained via coccinelle. The transformation is the following: @istested@ identifier x; statement S1; identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)"; @@ x = func(...) ... when != x - if (x == NULL) S1 + if (unlikely(x == NULL)) S1
13 years ago
if (unlikely(ssl_state == NULL))
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
return NULL;
some naming changes in ssl parser and ssl related keywords
15 years ago
memset(ssl_state, 0, sizeof(SSLState));
app-layer-ssl: code cleanup Don't alloc a void ptr and then cast in every operation. Instead, alloc a SSLState ptr and only case to void on returning the ptr.
12 years ago
ssl_state->client_connp.cert_log_flag = 0;
ssl_state->server_connp.cert_log_flag = 0;
TAILQ_INIT(&ssl_state->server_connp.certs);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
app-layer-ssl: code cleanup Don't alloc a void ptr and then cast in every operation. Instead, alloc a SSLState ptr and only case to void on returning the ptr.
12 years ago
return (void *)ssl_state;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
}
/**
* \internal
* \brief Function to free the SSL state memory.
*/
some naming changes in ssl parser and ssl related keywords
15 years ago
void SSLStateFree(void *p)
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
{
TLS handshake: decode the SERVER_CERTIFICATE message Add a decoder for the SERVER_CERTIFICATE during a TLS handshake, extracts the certificates and keep the subject name. Add the tls.subject keyword for substring match in rules (TLS layer). Signed-off-by: Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
14 years ago
SSLState *ssl_state = (SSLState *)p;
tls: keep pointers to all certificates in chain When multiple certificates forming a chain are sent. A pointer to the start of each certificate is kept. This will allow treatment on certificates chains.
13 years ago
SSLCertsChain *item;
TLS handshake: decode the SERVER_CERTIFICATE message Add a decoder for the SERVER_CERTIFICATE during a TLS handshake, extracts the certificates and keep the subject name. Add the tls.subject keyword for substring match in rules (TLS layer). Signed-off-by: Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
14 years ago
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.trec)
SCFree(ssl_state->client_connp.trec);
if (ssl_state->client_connp.cert0_subject)
SCFree(ssl_state->client_connp.cert0_subject);
if (ssl_state->client_connp.cert0_issuerdn)
SCFree(ssl_state->client_connp.cert0_issuerdn);
tls: adding fingerprint calculation. Adding a pointer in ssl_state struct and compute fingerprint during certificate decoding.
14 years ago
if (ssl_state->client_connp.cert0_fingerprint)
SCFree(ssl_state->client_connp.cert0_fingerprint);
ssl parser fix/updates
13 years ago
if (ssl_state->server_connp.trec)
SCFree(ssl_state->server_connp.trec);
if (ssl_state->server_connp.cert0_subject)
SCFree(ssl_state->server_connp.cert0_subject);
if (ssl_state->server_connp.cert0_issuerdn)
SCFree(ssl_state->server_connp.cert0_issuerdn);
tls: adding fingerprint calculation. Adding a pointer in ssl_state struct and compute fingerprint during certificate decoding.
14 years ago
if (ssl_state->server_connp.cert0_fingerprint)
SCFree(ssl_state->server_connp.cert0_fingerprint);
ssl parser fix/updates
13 years ago
tls: keep pointers to all certificates in chain When multiple certificates forming a chain are sent. A pointer to the start of each certificate is kept. This will allow treatment on certificates chains.
13 years ago
/* Free certificate chain */
while ((item = TAILQ_FIRST(&ssl_state->server_connp.certs))) {
TAILQ_REMOVE(&ssl_state->server_connp.certs, item, next);
SCFree(item);
}
TAILQ_INIT(&ssl_state->server_connp.certs);
TLS handshake: decode the SERVER_CERTIFICATE message Add a decoder for the SERVER_CERTIFICATE during a TLS handshake, extracts the certificates and keep the subject name. Add the tls.subject keyword for substring match in rules (TLS layer). Signed-off-by: Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
14 years ago
SCFree(ssl_state);
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
return;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
}
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
static uint16_t SSLProbingParser(uint8_t *input, uint32_t ilen, uint32_t *offset)
We have a new probing parser to detect sslv2 records. todos to be covered later
13 years ago
{
/* probably a rst/fin sending an eof */
if (ilen == 0)
return ALPROTO_UNKNOWN;
/* for now just the 3 byte header ones */
/* \todo Detect the 2 byte ones */
if ((input[0] & 0x80) && (input[2] == 0x01)) {
return ALPROTO_TLS;
}
return ALPROTO_FAILED;
}
Add and use EventGetInfo for getting info on an event. Also update existing parsers and app-layer-event Setup to use this.
12 years ago
int SSLStateGetEventInfo(const char *event_name,
int *event_id, AppLayerEventType *event_type)
{
*event_id = SCMapEnumNameToValue(event_name, tls_decoder_event_table);
if (*event_id == -1) {
SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%s\" not present in "
"ssl's enum map table.", event_name);
/* yes this is fatal */
return -1;
}
*event_type = APP_LAYER_EVENT_TYPE_GENERAL;
return 0;
}
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
static int SSLRegisterPatternsForProtocolDetection(void)
{
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_TLS,
"|01 00 02|", 5, 2, STREAM_TOSERVER) < 0)
{
return -1;
}
/** SSLv3 */
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_TLS,
"|01 03 00|", 3, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_TLS,
"|16 03 00|", 3, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
/** TLSv1 */
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_TLS,
"|01 03 01|", 3, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_TLS,
"|16 03 01|", 3, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
/** TLSv1.1 */
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_TLS,
"|01 03 02|", 3, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_TLS,
"|16 03 02|", 3, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
/** TLSv1.2 */
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_TLS,
"|01 03 03|", 3, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_TLS,
"|16 03 03|", 3, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
/***** toclient direction *****/
TLS: register patterns for tls-alerts Register patterns for when server has an alert as the first message.
12 years ago
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_TLS,
"|15 03 00|", 3, 0, STREAM_TOCLIENT) < 0)
{
return -1;
}
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_TLS,
"|16 03 00|", 3, 0, STREAM_TOCLIENT) < 0)
{
return -1;
}
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_TLS,
"|17 03 00|", 3, 0, STREAM_TOCLIENT) < 0)
{
return -1;
}
/** TLSv1 */
TLS: register patterns for tls-alerts Register patterns for when server has an alert as the first message.
12 years ago
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_TLS,
"|15 03 01|", 3, 0, STREAM_TOCLIENT) < 0)
{
return -1;
}
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_TLS,
"|16 03 01|", 3, 0, STREAM_TOCLIENT) < 0)
{
return -1;
}
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_TLS,
"|17 03 01|", 3, 0, STREAM_TOCLIENT) < 0)
{
return -1;
}
/** TLSv1.1 */
TLS: register patterns for tls-alerts Register patterns for when server has an alert as the first message.
12 years ago
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_TLS,
"|15 03 02|", 3, 0, STREAM_TOCLIENT) < 0)
{
return -1;
}
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_TLS,
"|16 03 02|", 3, 0, STREAM_TOCLIENT) < 0)
{
return -1;
}
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_TLS,
"|17 03 02|", 3, 0, STREAM_TOCLIENT) < 0)
{
return -1;
}
/** TLSv1.2 */
TLS: register patterns for tls-alerts Register patterns for when server has an alert as the first message.
12 years ago
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_TLS,
"|15 03 03|", 3, 0, STREAM_TOCLIENT) < 0)
{
return -1;
}
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_TLS,
"|16 03 03|", 3, 0, STREAM_TOCLIENT) < 0)
{
return -1;
}
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_TLS,
"|17 03 03|", 3, 0, STREAM_TOCLIENT) < 0)
{
return -1;
}
/* Subsection - SSLv2 style record by client, but informing the server
* the max version it supports.
* Updated by Anoop Saldanha. Disabled it for now. We'll get back to
* it after some tests */
#if 0
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_TLS,
"|01 03 00|", 5, 2, STREAM_TOSERVER) < 0)
{
return -1;
}
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_TLS,
"|00 02|", 7, 5, STREAM_TOCLIENT) < 0)
{
return -1;
}
#endif
return 0;
}
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
/**
* \brief Function to register the SSL protocol parser and other functions
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
*/
some naming changes in ssl parser and ssl related keywords
15 years ago
void RegisterSSLParsers(void)
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
{
Add new command line option --list-app-layer-protocols to list supported app layer protocols in sigs
14 years ago
char *proto_name = "tls";
push all proto detection code into their respective app parser register functions for every alproto
14 years ago
/** SSLv2 and SSLv23*/
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", proto_name)) {
AppLayerProtoDetectRegisterProtocol(ALPROTO_TLS, proto_name);
if (SSLRegisterPatternsForProtocolDetection() < 0)
return;
App layer protocol detection updated and improved. We now use confirmation from both directions and set events if there's a mismatch between the 2 directions. FPs from corrupt flows have disappeared with this.
12 years ago
Allow detection ports for alproto to be specified via the conf file. To understand the option have a look at the option app-layer.protocols.tls.detection-ports
12 years ago
if (RunmodeIsUnittests()) {
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
AppLayerProtoDetectPPRegister(IPPROTO_TCP,
Allow detection ports for alproto to be specified via the conf file. To understand the option have a look at the option app-layer.protocols.tls.detection-ports
12 years ago
"443",
ALPROTO_TLS,
0, 3,
STREAM_TOSERVER,
SSLProbingParser);
} else {
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
AppLayerProtoDetectPPParseConfPorts("tcp", IPPROTO_TCP,
proto_name, ALPROTO_TLS,
0, 3,
SSLProbingParser);
Allow detection ports for alproto to be specified via the conf file. To understand the option have a look at the option app-layer.protocols.tls.detection-ports
12 years ago
}
Introduce new options into the conf file to enable/disable - 1. Proto detection 2. Parsers For app layer protocols. libhtp has now been moved to the section under app-layer.protocols.http, but we still provide backward compatibility with older conf files.
12 years ago
} else {
SCLogInfo("Protocol detection and parser disabled for %s protocol",
proto_name);
return;
}
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (AppLayerParserConfParserEnabled("tcp", proto_name)) {
AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_TLS, STREAM_TOSERVER,
SSLParseClientRecord);
Introduce new options into the conf file to enable/disable - 1. Proto detection 2. Parsers For app layer protocols. libhtp has now been moved to the section under app-layer.protocols.http, but we still provide backward compatibility with older conf files.
12 years ago
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_TLS, STREAM_TOCLIENT,
SSLParseServerRecord);
AppLayerParserRegisterGetEventInfo(IPPROTO_TCP, ALPROTO_TLS, SSLStateGetEventInfo);
Introduce new options into the conf file to enable/disable - 1. Proto detection 2. Parsers For app layer protocols. libhtp has now been moved to the section under app-layer.protocols.http, but we still provide backward compatibility with older conf files.
12 years ago
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
AppLayerParserRegisterStateFuncs(IPPROTO_TCP, ALPROTO_TLS, SSLStateAlloc, SSLStateFree);
AppLayerParserRegisterParserAcceptableDataDirection(IPPROTO_TCP, ALPROTO_TLS, STREAM_TOSERVER);
Introduce new options into the conf file to enable/disable - 1. Proto detection 2. Parsers For app layer protocols. libhtp has now been moved to the section under app-layer.protocols.http, but we still provide backward compatibility with older conf files.
12 years ago
/* Get the value of no reassembly option from the config file */
if (ConfGetNode("app-layer.protocols.tls.no-reassemble") == NULL) {
if (ConfGetBool("tls.no-reassemble", &ssl_config.no_reassemble) != 1)
ssl_config.no_reassemble = 1;
} else {
if (ConfGetBool("app-layer.protocols.tls.no-reassemble", &ssl_config.no_reassemble) != 1)
ssl_config.no_reassemble = 1;
}
} else {
SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
"still on.", proto_name);
}
Add --unittests-coverage option to list how many code modules have tests
12 years ago
#ifdef UNITTESTS
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
AppLayerParserRegisterProtocolUnittests(IPPROTO_TCP, ALPROTO_TLS, SSLParserRegisterTests);
Add --unittests-coverage option to list how many code modules have tests
12 years ago
#endif
We have a new probing parser to detect sslv2 records. todos to be covered later
13 years ago
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
/* Get the value of no reassembly option from the config file */
Do not use underscored config vars internally.
14 years ago
if (ConfGetBool("tls.no-reassemble", &ssl_config.no_reassemble) != 1)
Move TlsConfig structure out of app-layer-protos.h and rename it to SslConfig.
14 years ago
ssl_config.no_reassemble = 1;
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
return;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
}
/***************************************Unittests******************************/
#ifdef UNITTESTS
/**
*\test Send a get request in one chunk.
*/
some naming changes in ssl parser and ssl related keywords
15 years ago
static int SSLParserTest01(void)
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
{
int result = 1;
Flow f;
uint8_t tlsbuf[] = { 0x16, 0x03, 0x01 };
uint32_t tlslen = sizeof(tlsbuf);
TcpSession ssn;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpInitConfig(TRUE);
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER | STREAM_EOF, tlsbuf, tlslen);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
SSLState *ssl_state = f.alstate;
some naming changes in ssl parser and ssl related keywords
15 years ago
if (ssl_state == NULL) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("no tls state: ");
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.content_type != 0x16) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16,
ssl parser fix/updates
13 years ago
ssl_state->client_connp.content_type);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.version != TLS_VERSION_10) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
ssl parser fix/updates
13 years ago
TLS_VERSION_10, ssl_state->client_connp.version);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpFreeConfig(TRUE);
return result;
}
/** \test Send a get request in two chunks. */
update ssl parser test. Some minor indentation changes
15 years ago
static int SSLParserTest02(void)
{
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
int result = 1;
Flow f;
uint8_t tlsbuf1[] = { 0x16 };
uint32_t tlslen1 = sizeof(tlsbuf1);
uint8_t tlsbuf2[] = { 0x03, 0x01 };
uint32_t tlslen2 = sizeof(tlsbuf2);
TcpSession ssn;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpInitConfig(TRUE);
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf1, tlslen1);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf2, tlslen2);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
SSLState *ssl_state = f.alstate;
some naming changes in ssl parser and ssl related keywords
15 years ago
if (ssl_state == NULL) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("no tls state: ");
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.content_type != 0x16) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16,
ssl parser fix/updates
13 years ago
ssl_state->client_connp.content_type);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.version != TLS_VERSION_10) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
ssl parser fix/updates
13 years ago
TLS_VERSION_10, ssl_state->client_connp.version);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpFreeConfig(TRUE);
return result;
}
/** \test Send a get request in three chunks. */
update ssl parser test. Some minor indentation changes
15 years ago
static int SSLParserTest03(void)
{
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
int result = 1;
Flow f;
uint8_t tlsbuf1[] = { 0x16 };
uint32_t tlslen1 = sizeof(tlsbuf1);
uint8_t tlsbuf2[] = { 0x03 };
uint32_t tlslen2 = sizeof(tlsbuf2);
uint8_t tlsbuf3[] = { 0x01 };
uint32_t tlslen3 = sizeof(tlsbuf3);
TcpSession ssn;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpInitConfig(TRUE);
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf1, tlslen1);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf2, tlslen2);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf3, tlslen3);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
SSLState *ssl_state = f.alstate;
some naming changes in ssl parser and ssl related keywords
15 years ago
if (ssl_state == NULL) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("no tls state: ");
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.content_type != 0x16) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16,
ssl parser fix/updates
13 years ago
ssl_state->client_connp.content_type);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.version != TLS_VERSION_10) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
ssl parser fix/updates
13 years ago
TLS_VERSION_10, ssl_state->client_connp.version);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpFreeConfig(TRUE);
return result;
}
/** \test Send a get request in three chunks + more data. */
update ssl parser test. Some minor indentation changes
15 years ago
static int SSLParserTest04(void)
{
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
int result = 1;
Flow f;
uint8_t tlsbuf1[] = { 0x16 };
uint32_t tlslen1 = sizeof(tlsbuf1);
uint8_t tlsbuf2[] = { 0x03 };
uint32_t tlslen2 = sizeof(tlsbuf2);
uint8_t tlsbuf3[] = { 0x01 };
uint32_t tlslen3 = sizeof(tlsbuf3);
uint8_t tlsbuf4[] = { 0x01, 0x00, 0x00, 0xad, 0x03, 0x01 };
uint32_t tlslen4 = sizeof(tlsbuf4);
TcpSession ssn;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpInitConfig(TRUE);
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf1, tlslen1);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf2, tlslen2);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf3, tlslen3);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf4, tlslen4);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
SSLState *ssl_state = f.alstate;
some naming changes in ssl parser and ssl related keywords
15 years ago
if (ssl_state == NULL) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("no tls state: ");
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.content_type != 0x16) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16,
ssl parser fix/updates
13 years ago
ssl_state->client_connp.content_type);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.version != TLS_VERSION_10) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
ssl parser fix/updates
13 years ago
TLS_VERSION_10, ssl_state->client_connp.version);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpFreeConfig(TRUE);
return result;
}
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
#if 0
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
/** \test Test the setting up of no reassembly and no payload inspection flag
* after detection of the TLS handshake completion */
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
static int SSLParserTest05(void)
{
int result = 1;
Flow f;
uint8_t tlsbuf[] = { 0x16, 0x03, 0x01, 0x00, 0x01 };
uint32_t tlslen = sizeof(tlsbuf);
TcpSession ssn;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
StreamTcpInitConfig(TRUE);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen);
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, tlsbuf, tlslen);
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
tlsbuf[0] = 0x14;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen);
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
tlsbuf[0] = 0x14;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, tlsbuf, tlslen);
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
tlsbuf[0] = 0x17;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen);
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
SSLState *ssl_state = f.alstate;
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
if (ssl_state == NULL) {
printf("no tls state: ");
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.content_type != 0x17) {
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x17,
ssl parser fix/updates
13 years ago
ssl_state->client_connp.content_type);
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.version != TLS_VERSION_10) {
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
ssl parser fix/updates
13 years ago
TLS_VERSION_10, ssl_state->client_connp.client_version);
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
result = 0;
goto end;
}
AppLayerParserStateStore *parser_state_store = (AppLayerParserStateStore *)
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
ssn.alparser;
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
AppLayerParserState *parser_state = &parser_state_store->to_server;
if (!(parser_state->flags & APP_LAYER_PARSER_NO_INSPECTION) &&
!(ssn.client.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) &&
!(ssn.server.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY))
{
printf("The flags should be set\n");
result = 0;
goto end;
}
if (!(f.flags & FLOW_NOPAYLOAD_INSPECTION)) {
printf("The flags should be set\n");
result = 0;
goto end;
}
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
StreamTcpFreeConfig(TRUE);
return result;
}
#endif
#if 0
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
/** \test Test the setting up of no reassembly and no payload inspection flag
* after detection of the valid TLS handshake completion, the rouge
* 0x17 packet will not be considered in the detection process */
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
static int SSLParserTest06(void)
{
int result = 1;
Flow f;
uint8_t tlsbuf[] = { 0x16, 0x03, 0x01, 0x00, 0x01 };
uint32_t tlslen = sizeof(tlsbuf);
TcpSession ssn;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
StreamTcpInitConfig(TRUE);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen);
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, tlsbuf, tlslen);
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
tlsbuf[0] = 0x14;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen);
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
tlsbuf[0] = 0x17;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen);
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
SSLState *ssl_state = f.alstate;
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
if (ssl_state == NULL) {
printf("no tls state: ");
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.content_type != 0x17) {
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x17,
ssl parser fix/updates
13 years ago
ssl_state->client_connp._content_type);
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.version != TLS_VERSION_10) {
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
ssl parser fix/updates
13 years ago
TLS_VERSION_10, ssl_state->client_connp.version);
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
result = 0;
goto end;
}
AppLayerParserStateStore *parser_state_store = (AppLayerParserStateStore *)
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
ssn.alparser;
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
AppLayerParserState *parser_state = &parser_state_store->to_server;
if ((parser_state->flags & APP_LAYER_PARSER_NO_INSPECTION) ||
(ssn.client.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) ||
(ssn.server.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY)) {
printf("The flags should not be set\n");
result = 0;
goto end;
}
tlsbuf[0] = 0x14;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, tlsbuf, tlslen);
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
tlsbuf[0] = 0x17;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen);
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
if (!(parser_state->flags & APP_LAYER_PARSER_NO_INSPECTION) &&
!(ssn.client.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) &&
!(ssn.server.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY)) {
printf("The flags should be set\n");
result = 0;
goto end;
}
if (!(f.flags & FLOW_NOPAYLOAD_INSPECTION)) {
printf("The flags should be set\n");
result = 0;
goto end;
}
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
StreamTcpFreeConfig(TRUE);
return result;
}
#endif
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
/** \test multimsg test */
update ssl parser test. Some minor indentation changes
15 years ago
static int SSLParserMultimsgTest01(void)
{
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
int result = 1;
Flow f;
/* 3 msgs */
uint8_t tlsbuf1[] = {
0x16, 0x03, 0x01, 0x00, 0x86, 0x10, 0x00, 0x00,
0x82, 0x00, 0x80, 0xd3, 0x6f, 0x1f, 0x63, 0x82,
0x8d, 0x75, 0x77, 0x8c, 0x91, 0xbc, 0xa1, 0x3d,
0xbb, 0xe1, 0xb5, 0xd3, 0x31, 0x92, 0x59, 0x2b,
0x2c, 0x43, 0x96, 0xa3, 0xaa, 0x23, 0x92, 0xd0,
0x91, 0x2a, 0x5e, 0x10, 0x5b, 0xc8, 0xc1, 0xe2,
0xd3, 0x5c, 0x8b, 0x8c, 0x91, 0x9e, 0xc2, 0xf2,
0x9c, 0x3c, 0x4f, 0x37, 0x1e, 0x20, 0x5e, 0x33,
0xd5, 0xf0, 0xd6, 0xaf, 0x89, 0xf5, 0xcc, 0xb2,
0xcf, 0xc1, 0x60, 0x3a, 0x46, 0xd5, 0x4e, 0x2a,
0xb6, 0x6a, 0xb9, 0xfc, 0x32, 0x8b, 0xe0, 0x6e,
0xa0, 0xed, 0x25, 0xa0, 0xa4, 0x82, 0x81, 0x73,
0x90, 0xbf, 0xb5, 0xde, 0xeb, 0x51, 0x8d, 0xde,
0x5b, 0x6f, 0x94, 0xee, 0xba, 0xe5, 0x69, 0xfa,
0x1a, 0x80, 0x30, 0x54, 0xeb, 0x12, 0x01, 0xb9,
0xfe, 0xbf, 0x82, 0x95, 0x01, 0x7b, 0xb0, 0x97,
0x14, 0xc2, 0x06, 0x3c, 0x69, 0xfb, 0x1c, 0x66,
0x47, 0x17, 0xd9, 0x14, 0x03, 0x01, 0x00, 0x01,
0x01, 0x16, 0x03, 0x01, 0x00, 0x30, 0xf6, 0xbc,
0x0d, 0x6f, 0xe8, 0xbb, 0xaa, 0xbf, 0x14, 0xeb,
0x7b, 0xcc, 0x6c, 0x28, 0xb0, 0xfc, 0xa6, 0x01,
0x2a, 0x97, 0x96, 0x17, 0x5e, 0xe8, 0xb4, 0x4e,
0x78, 0xc9, 0x04, 0x65, 0x53, 0xb6, 0x93, 0x3d,
0xeb, 0x44, 0xee, 0x86, 0xf9, 0x80, 0x49, 0x45,
0x21, 0x34, 0xd1, 0xee, 0xc8, 0x9c
};
uint32_t tlslen1 = sizeof(tlsbuf1);
TcpSession ssn;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpInitConfig(TRUE);
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf1, tlslen1);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
SSLState *ssl_state = f.alstate;
some naming changes in ssl parser and ssl related keywords
15 years ago
if (ssl_state == NULL) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("no tls state: ");
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.content_type != 0x16) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16,
ssl parser fix/updates
13 years ago
ssl_state->client_connp.content_type);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.version != TLS_VERSION_10) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
ssl parser fix/updates
13 years ago
TLS_VERSION_10, ssl_state->client_connp.version);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpFreeConfig(TRUE);
return result;
}
/** \test multimsg test server */
update ssl parser test. Some minor indentation changes
15 years ago
static int SSLParserMultimsgTest02(void)
{
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
int result = 1;
Flow f;
/* 3 msgs */
uint8_t tlsbuf1[] = {
0x16, 0x03, 0x01, 0x00, 0x86, 0x10, 0x00, 0x00,
0x82, 0x00, 0x80, 0xd3, 0x6f, 0x1f, 0x63, 0x82,
0x8d, 0x75, 0x77, 0x8c, 0x91, 0xbc, 0xa1, 0x3d,
0xbb, 0xe1, 0xb5, 0xd3, 0x31, 0x92, 0x59, 0x2b,
0x2c, 0x43, 0x96, 0xa3, 0xaa, 0x23, 0x92, 0xd0,
0x91, 0x2a, 0x5e, 0x10, 0x5b, 0xc8, 0xc1, 0xe2,
0xd3, 0x5c, 0x8b, 0x8c, 0x91, 0x9e, 0xc2, 0xf2,
0x9c, 0x3c, 0x4f, 0x37, 0x1e, 0x20, 0x5e, 0x33,
0xd5, 0xf0, 0xd6, 0xaf, 0x89, 0xf5, 0xcc, 0xb2,
0xcf, 0xc1, 0x60, 0x3a, 0x46, 0xd5, 0x4e, 0x2a,
0xb6, 0x6a, 0xb9, 0xfc, 0x32, 0x8b, 0xe0, 0x6e,
0xa0, 0xed, 0x25, 0xa0, 0xa4, 0x82, 0x81, 0x73,
0x90, 0xbf, 0xb5, 0xde, 0xeb, 0x51, 0x8d, 0xde,
0x5b, 0x6f, 0x94, 0xee, 0xba, 0xe5, 0x69, 0xfa,
0x1a, 0x80, 0x30, 0x54, 0xeb, 0x12, 0x01, 0xb9,
0xfe, 0xbf, 0x82, 0x95, 0x01, 0x7b, 0xb0, 0x97,
0x14, 0xc2, 0x06, 0x3c, 0x69, 0xfb, 0x1c, 0x66,
0x47, 0x17, 0xd9, 0x14, 0x03, 0x01, 0x00, 0x01,
0x01, 0x16, 0x03, 0x01, 0x00, 0x30, 0xf6, 0xbc,
0x0d, 0x6f, 0xe8, 0xbb, 0xaa, 0xbf, 0x14, 0xeb,
0x7b, 0xcc, 0x6c, 0x28, 0xb0, 0xfc, 0xa6, 0x01,
0x2a, 0x97, 0x96, 0x17, 0x5e, 0xe8, 0xb4, 0x4e,
0x78, 0xc9, 0x04, 0x65, 0x53, 0xb6, 0x93, 0x3d,
0xeb, 0x44, 0xee, 0x86, 0xf9, 0x80, 0x49, 0x45,
0x21, 0x34, 0xd1, 0xee, 0xc8, 0x9c
};
uint32_t tlslen1 = sizeof(tlsbuf1);
TcpSession ssn;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpInitConfig(TRUE);
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, tlsbuf1, tlslen1);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
SSLState *ssl_state = f.alstate;
some naming changes in ssl parser and ssl related keywords
15 years ago
if (ssl_state == NULL) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("no tls state: ");
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->server_connp.content_type != 0x16) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16,
ssl parser fix/updates
13 years ago
ssl_state->server_connp.content_type);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->server_connp.version != 0x0301) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", 0x0301,
ssl parser fix/updates
13 years ago
ssl_state->server_connp.version);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpFreeConfig(TRUE);
return result;
}
/**
* \test Test the detection of SSLv3 protocol from the given packet
*/
update ssl parser test. Some minor indentation changes
15 years ago
static int SSLParserTest07(void)
{
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
int result = 1;
Flow f;
uint8_t tlsbuf[] = { 0x16, 0x03, 0x00, 0x00, 0x6f, 0x01,
0x00, 0x00, 0x6b, 0x03, 0x00, 0x4b, 0x2f, 0xdc,
0x4e, 0xe6, 0x95, 0xf1, 0xa0, 0xc7, 0xcf, 0x8e,
0xf6, 0xeb, 0x22, 0x6d, 0xce, 0x9c, 0x44, 0xfb,
0xc8, 0xa0, 0x44, 0x31, 0x15, 0x4c, 0xe9, 0x97,
0xa7, 0xa1, 0xfe, 0xea, 0xcc, 0x20, 0x4b, 0x5d,
0xfb, 0xa5, 0x63, 0x7a, 0x73, 0x95, 0xf7, 0xff,
0x42, 0xac, 0x8f, 0x46, 0xed, 0xe4, 0xb1, 0x35,
0x35, 0x78, 0x1a, 0x9d, 0xaf, 0x10, 0xc5, 0x52,
0xf3, 0x7b, 0xfb, 0xb5, 0xe9, 0xa8, 0x00, 0x24,
0x00, 0x88, 0x00, 0x87, 0x00, 0x39, 0x00, 0x38,
0x00, 0x84, 0x00, 0x35, 0x00, 0x45, 0x00, 0x44,
0x00, 0x33, 0x00, 0x32, 0x00, 0x96, 0x00, 0x41,
0x00, 0x2f, 0x00, 0x16, 0x00, 0x13, 0xfe, 0xff,
0x00, 0x0a, 0x00, 0x02, 0x01, 0x00 };
uint32_t tlslen = sizeof(tlsbuf);
TcpSession ssn;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpInitConfig(TRUE);
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
SSLState *ssl_state = f.alstate;
some naming changes in ssl parser and ssl related keywords
15 years ago
if (ssl_state == NULL) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("no tls state: ");
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.content_type != 0x16) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x17,
ssl parser fix/updates
13 years ago
ssl_state->client_connp.content_type);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.version != SSL_VERSION_3) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
ssl parser fix/updates
13 years ago
SSL_VERSION_3, ssl_state->client_connp.version);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpFreeConfig(TRUE);
return result;
}
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
#if 0
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
/** \test Test the setting up of no reassembly and no payload inspection flag
* after detection of the SSLv3 handshake completion */
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
static int SSLParserTest08(void)
{
int result = 1;
Flow f;
uint8_t tlsbuf[] = { 0x16, 0x03, 0x00, 0x00, 0x01 };
uint32_t tlslen = sizeof(tlsbuf);
TcpSession ssn;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
StreamTcpInitConfig(TRUE);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen);
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, tlsbuf, tlslen);
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
tlsbuf[0] = 0x14;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen);
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
tlsbuf[0] = 0x14;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, tlsbuf, tlslen);
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
tlsbuf[0] = 0x17;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen);
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
SSLState *ssl_state = f.alstate;
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
if (ssl_state == NULL) {
printf("no tls state: ");
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.content_type != 0x17) {
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x17,
ssl parser fix/updates
13 years ago
ssl_state->client_connp.content_type);
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.version != SSL_VERSION_3) {
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
ssl parser fix/updates
13 years ago
SSL_VERSION_3, ssl_state->client_connp.version);
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
result = 0;
goto end;
}
AppLayerParserStateStore *parser_state_store = (AppLayerParserStateStore *)
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
ssn.alparser;
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
AppLayerParserState *parser_state = &parser_state_store->to_server;
if (!(parser_state->flags & APP_LAYER_PARSER_NO_INSPECTION) &&
!(ssn.client.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) &&
!(ssn.server.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY)) {
printf("The flags should be set\n");
result = 0;
goto end;
}
if (!(f.flags & FLOW_NOPAYLOAD_INSPECTION)) {
printf("The flags should be set\n");
result = 0;
goto end;
}
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
add tls.no_reassemble use for sslv2 which we missed previously. Also some cleanup
15 years ago
StreamTcpFreeConfig(TRUE);
return result;
}
#endif
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
/**
* \test Tests the parser for handling fragmented records.
*/
some naming changes in ssl parser and ssl related keywords
15 years ago
static int SSLParserTest09(void)
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
{
int result = 1;
Flow f;
uint8_t buf1[] = {
0x16,
};
uint32_t buf1_len = sizeof(buf1);
uint8_t buf2[] = {
0x03, 0x00, 0x00, 0x6f, 0x01,
0x00, 0x00, 0x6b, 0x03, 0x00, 0x4b, 0x2f, 0xdc,
0x4e, 0xe6, 0x95, 0xf1, 0xa0, 0xc7, 0xcf, 0x8e,
0xf6, 0xeb, 0x22, 0x6d, 0xce, 0x9c, 0x44, 0xfb,
0xc8, 0xa0, 0x44, 0x31, 0x15, 0x4c, 0xe9, 0x97,
0xa7, 0xa1, 0xfe, 0xea, 0xcc, 0x20, 0x4b, 0x5d,
0xfb, 0xa5, 0x63, 0x7a, 0x73, 0x95, 0xf7, 0xff,
0x42, 0xac, 0x8f, 0x46, 0xed, 0xe4, 0xb1, 0x35,
0x35, 0x78, 0x1a, 0x9d, 0xaf, 0x10, 0xc5, 0x52,
0xf3, 0x7b, 0xfb, 0xb5, 0xe9, 0xa8, 0x00, 0x24,
0x00, 0x88, 0x00, 0x87, 0x00, 0x39, 0x00, 0x38,
0x00, 0x84, 0x00, 0x35, 0x00, 0x45, 0x00, 0x44,
0x00, 0x33, 0x00, 0x32, 0x00, 0x96, 0x00, 0x41,
0x00, 0x2f, 0x00, 0x16, 0x00, 0x13, 0xfe, 0xff,
0x00, 0x0a, 0x00, 0x02, 0x01, 0x00
};
uint32_t buf2_len = sizeof(buf2);
TcpSession ssn;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpInitConfig(TRUE);
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, buf1, buf1_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, buf2, buf2_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
SSLState *ssl_state = f.alstate;
some naming changes in ssl parser and ssl related keywords
15 years ago
if (ssl_state == NULL) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("no tls state: ");
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.content_type != 0x16) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x17,
ssl parser fix/updates
13 years ago
ssl_state->client_connp.content_type);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.version != SSL_VERSION_3) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
ssl parser fix/updates
13 years ago
SSL_VERSION_3, ssl_state->client_connp.version);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpFreeConfig(TRUE);
return result;
}
/**
* \test Tests the parser for handling fragmented records.
*/
some naming changes in ssl parser and ssl related keywords
15 years ago
static int SSLParserTest10(void)
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
{
int result = 1;
Flow f;
uint8_t buf1[] = {
0x16, 0x03,
};
uint32_t buf1_len = sizeof(buf1);
uint8_t buf2[] = {
0x00, 0x00, 0x6f, 0x01,
0x00, 0x00, 0x6b, 0x03, 0x00, 0x4b, 0x2f, 0xdc,
0x4e, 0xe6, 0x95, 0xf1, 0xa0, 0xc7, 0xcf, 0x8e,
0xf6, 0xeb, 0x22, 0x6d, 0xce, 0x9c, 0x44, 0xfb,
0xc8, 0xa0, 0x44, 0x31, 0x15, 0x4c, 0xe9, 0x97,
0xa7, 0xa1, 0xfe, 0xea, 0xcc, 0x20, 0x4b, 0x5d,
0xfb, 0xa5, 0x63, 0x7a, 0x73, 0x95, 0xf7, 0xff,
0x42, 0xac, 0x8f, 0x46, 0xed, 0xe4, 0xb1, 0x35,
0x35, 0x78, 0x1a, 0x9d, 0xaf, 0x10, 0xc5, 0x52,
0xf3, 0x7b, 0xfb, 0xb5, 0xe9, 0xa8, 0x00, 0x24,
0x00, 0x88, 0x00, 0x87, 0x00, 0x39, 0x00, 0x38,
0x00, 0x84, 0x00, 0x35, 0x00, 0x45, 0x00, 0x44,
0x00, 0x33, 0x00, 0x32, 0x00, 0x96, 0x00, 0x41,
0x00, 0x2f, 0x00, 0x16, 0x00, 0x13, 0xfe, 0xff,
0x00, 0x0a, 0x00, 0x02, 0x01, 0x00
};
uint32_t buf2_len = sizeof(buf2);
TcpSession ssn;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpInitConfig(TRUE);
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, buf1, buf1_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, buf2, buf2_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
SSLState *ssl_state = f.alstate;
some naming changes in ssl parser and ssl related keywords
15 years ago
if (ssl_state == NULL) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("no tls state: ");
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.content_type != 0x16) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x17,
ssl parser fix/updates
13 years ago
ssl_state->client_connp.content_type);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.version != SSL_VERSION_3) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
ssl parser fix/updates
13 years ago
SSL_VERSION_3, ssl_state->client_connp.version);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpFreeConfig(TRUE);
return result;
}
/**
* \test Tests the parser for handling fragmented records.
*/
some naming changes in ssl parser and ssl related keywords
15 years ago
static int SSLParserTest11(void)
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
{
int result = 1;
Flow f;
uint8_t buf1[] = {
0x16, 0x03, 0x00, 0x00, 0x6f, 0x01,
};
uint32_t buf1_len = sizeof(buf1);
uint8_t buf2[] = {
0x00, 0x00, 0x6b, 0x03, 0x00, 0x4b, 0x2f, 0xdc,
0x4e, 0xe6, 0x95, 0xf1, 0xa0, 0xc7, 0xcf, 0x8e,
0xf6, 0xeb, 0x22, 0x6d, 0xce, 0x9c, 0x44, 0xfb,
0xc8, 0xa0, 0x44, 0x31, 0x15, 0x4c, 0xe9, 0x97,
0xa7, 0xa1, 0xfe, 0xea, 0xcc, 0x20, 0x4b, 0x5d,
0xfb, 0xa5, 0x63, 0x7a, 0x73, 0x95, 0xf7, 0xff,
0x42, 0xac, 0x8f, 0x46, 0xed, 0xe4, 0xb1, 0x35,
0x35, 0x78, 0x1a, 0x9d, 0xaf, 0x10, 0xc5, 0x52,
0xf3, 0x7b, 0xfb, 0xb5, 0xe9, 0xa8, 0x00, 0x24,
0x00, 0x88, 0x00, 0x87, 0x00, 0x39, 0x00, 0x38,
0x00, 0x84, 0x00, 0x35, 0x00, 0x45, 0x00, 0x44,
0x00, 0x33, 0x00, 0x32, 0x00, 0x96, 0x00, 0x41,
0x00, 0x2f, 0x00, 0x16, 0x00, 0x13, 0xfe, 0xff,
0x00, 0x0a, 0x00, 0x02, 0x01, 0x00
};
uint32_t buf2_len = sizeof(buf2);
TcpSession ssn;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpInitConfig(TRUE);
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, buf1, buf1_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, buf2, buf2_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
SSLState *ssl_state = f.alstate;
some naming changes in ssl parser and ssl related keywords
15 years ago
if (ssl_state == NULL) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("no tls state: ");
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.content_type != 0x16) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x17,
ssl parser fix/updates
13 years ago
ssl_state->client_connp.content_type);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.version != SSL_VERSION_3) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
ssl parser fix/updates
13 years ago
SSL_VERSION_3, ssl_state->client_connp.version);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpFreeConfig(TRUE);
return result;
}
/**
* \test Tests the parser for handling fragmented records.
*/
some naming changes in ssl parser and ssl related keywords
15 years ago
static int SSLParserTest12(void)
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
{
int result = 1;
Flow f;
uint8_t buf1[] = {
0x16, 0x03, 0x00, 0x00, 0x6f, 0x01,
};
uint32_t buf1_len = sizeof(buf1);
uint8_t buf2[] = {
0x00, 0x00, 0x6b,
};
uint32_t buf2_len = sizeof(buf2);
uint8_t buf3[] = {
0x03, 0x00, 0x4b, 0x2f, 0xdc,
0x4e, 0xe6, 0x95, 0xf1, 0xa0, 0xc7, 0xcf, 0x8e,
0xf6, 0xeb, 0x22, 0x6d, 0xce, 0x9c, 0x44, 0xfb,
0xc8, 0xa0, 0x44, 0x31, 0x15, 0x4c, 0xe9, 0x97,
0xa7, 0xa1, 0xfe, 0xea, 0xcc, 0x20, 0x4b, 0x5d,
0xfb, 0xa5, 0x63, 0x7a, 0x73, 0x95, 0xf7, 0xff,
0x42, 0xac, 0x8f, 0x46, 0xed, 0xe4, 0xb1, 0x35,
0x35, 0x78, 0x1a, 0x9d, 0xaf, 0x10, 0xc5, 0x52,
0xf3, 0x7b, 0xfb, 0xb5, 0xe9, 0xa8, 0x00, 0x24,
0x00, 0x88, 0x00, 0x87, 0x00, 0x39, 0x00, 0x38,
0x00, 0x84, 0x00, 0x35, 0x00, 0x45, 0x00, 0x44,
0x00, 0x33, 0x00, 0x32, 0x00, 0x96, 0x00, 0x41,
0x00, 0x2f, 0x00, 0x16, 0x00, 0x13, 0xfe, 0xff,
0x00, 0x0a, 0x00, 0x02, 0x01, 0x00
};
uint32_t buf3_len = sizeof(buf2);
TcpSession ssn;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpInitConfig(TRUE);
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, buf1, buf1_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, buf2, buf2_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, buf3, buf3_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
SSLState *ssl_state = f.alstate;
some naming changes in ssl parser and ssl related keywords
15 years ago
if (ssl_state == NULL) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("no tls state: ");
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.content_type != 0x16) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x17,
ssl parser fix/updates
13 years ago
ssl_state->client_connp.content_type);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.version != SSL_VERSION_3) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
ssl parser fix/updates
13 years ago
SSL_VERSION_3, ssl_state->client_connp.version);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpFreeConfig(TRUE);
return result;
}
/**
* \test Tests the parser for handling fragmented records.
*/
some naming changes in ssl parser and ssl related keywords
15 years ago
static int SSLParserTest13(void)
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
{
int result = 1;
Flow f;
uint8_t buf1[] = {
0x16, 0x03, 0x00, 0x00, 0x6f, 0x01,
};
uint32_t buf1_len = sizeof(buf1);
uint8_t buf2[] = {
0x00, 0x00, 0x6b,
};
uint32_t buf2_len = sizeof(buf2);
uint8_t buf3[] = {
0x03, 0x00, 0x4b, 0x2f, 0xdc,
0x4e, 0xe6, 0x95, 0xf1, 0xa0, 0xc7,
};
uint32_t buf3_len = sizeof(buf3);
uint8_t buf4[] = {
0xcf, 0x8e,
0xf6, 0xeb, 0x22, 0x6d, 0xce, 0x9c, 0x44, 0xfb,
0xc8, 0xa0, 0x44, 0x31, 0x15, 0x4c, 0xe9, 0x97,
0xa7, 0xa1, 0xfe, 0xea, 0xcc, 0x20, 0x4b, 0x5d,
0xfb, 0xa5, 0x63, 0x7a, 0x73, 0x95, 0xf7, 0xff,
0x42, 0xac, 0x8f, 0x46, 0xed, 0xe4, 0xb1, 0x35,
0x35, 0x78, 0x1a, 0x9d, 0xaf, 0x10, 0xc5, 0x52,
0xf3, 0x7b, 0xfb, 0xb5, 0xe9, 0xa8, 0x00, 0x24,
0x00, 0x88, 0x00, 0x87, 0x00, 0x39, 0x00, 0x38,
0x00, 0x84, 0x00, 0x35, 0x00, 0x45, 0x00, 0x44,
0x00, 0x33, 0x00, 0x32, 0x00, 0x96, 0x00, 0x41,
0x00, 0x2f, 0x00, 0x16, 0x00, 0x13, 0xfe, 0xff,
0x00, 0x0a, 0x00, 0x02, 0x01, 0x00
};
uint32_t buf4_len = sizeof(buf4);
TcpSession ssn;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpInitConfig(TRUE);
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, buf1, buf1_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, buf2, buf2_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, buf3, buf3_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, buf4, buf4_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
SSLState *ssl_state = f.alstate;
some naming changes in ssl parser and ssl related keywords
15 years ago
if (ssl_state == NULL) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("no tls state: ");
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.content_type != 0x16) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x17,
ssl parser fix/updates
13 years ago
ssl_state->client_connp.content_type);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.version != SSL_VERSION_3) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
ssl parser fix/updates
13 years ago
SSL_VERSION_3, ssl_state->client_connp.version);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpFreeConfig(TRUE);
return result;
}
/**
* \test Tests the parser for handling fragmented records.
*/
some naming changes in ssl parser and ssl related keywords
15 years ago
static int SSLParserTest14(void)
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
{
int result = 1;
Flow f;
uint8_t buf1[] = {
0x16, 0x03, 0x00, 0x00, 0x00,
};
uint32_t buf1_len = sizeof(buf1);
uint8_t buf2[] = {
0x16, 0x03, 0x00, 0x00, 0x00,
};
uint32_t buf2_len = sizeof(buf2);
TcpSession ssn;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpInitConfig(TRUE);
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, buf1, buf1_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, buf2, buf2_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
SSLState *ssl_state = f.alstate;
some naming changes in ssl parser and ssl related keywords
15 years ago
if (ssl_state == NULL) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("no tls state: ");
result = 0;
goto end;
}
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpFreeConfig(TRUE);
return result;
}
/**
* \test Tests the parser for handling fragmented records.
*/
some naming changes in ssl parser and ssl related keywords
15 years ago
static int SSLParserTest15(void)
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
{
int result = 1;
Flow f;
uint8_t buf1[] = {
0x16, 0x03, 0x00, 0x00, 0x01, 0x01,
};
uint32_t buf1_len = sizeof(buf1);
TcpSession ssn;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpInitConfig(TRUE);
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, buf1, buf1_len);
fix for #725. Update trec_len, trec_pos to 32 bits from 16 bits. Handle handshakes that are fragmented across records.
13 years ago
if (r == 0) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpFreeConfig(TRUE);
return result;
}
/**
* \test Tests the parser for handling fragmented records.
*/
some naming changes in ssl parser and ssl related keywords
15 years ago
static int SSLParserTest16(void)
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
{
int result = 1;
Flow f;
uint8_t buf1[] = {
0x16, 0x03, 0x00, 0x00, 0x02, 0x01, 0x00
};
uint32_t buf1_len = sizeof(buf1);
TcpSession ssn;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpInitConfig(TRUE);
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, buf1, buf1_len);
fix for #725. Update trec_len, trec_pos to 32 bits from 16 bits. Handle handshakes that are fragmented across records.
13 years ago
if (r == 0) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpFreeConfig(TRUE);
return result;
}
/**
* \test Tests the parser for handling fragmented records.
*/
some naming changes in ssl parser and ssl related keywords
15 years ago
static int SSLParserTest17(void)
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
{
int result = 1;
Flow f;
uint8_t buf1[] = {
0x16, 0x03, 0x00, 0x00, 0x03, 0x01, 0x00, 0x00
};
uint32_t buf1_len = sizeof(buf1);
TcpSession ssn;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpInitConfig(TRUE);
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, buf1, buf1_len);
fix for #725. Update trec_len, trec_pos to 32 bits from 16 bits. Handle handshakes that are fragmented across records.
13 years ago
if (r == 0) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpFreeConfig(TRUE);
return result;
}
/**
* \test Tests the parser for handling fragmented records.
*/
some naming changes in ssl parser and ssl related keywords
15 years ago
static int SSLParserTest18(void)
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
{
int result = 1;
Flow f;
uint8_t buf1[] = {
0x16, 0x03, 0x00, 0x00, 0x04, 0x01, 0x00, 0x00,
0x6b,
};
uint32_t buf1_len = sizeof(buf1);
uint8_t buf2[] = {
0x16, 0x03, 0x00, 0x00, 0x00,
};
uint32_t buf2_len = sizeof(buf2);
TcpSession ssn;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpInitConfig(TRUE);
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, buf1, buf1_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, buf2, buf2_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
SSLState *ssl_state = f.alstate;
some naming changes in ssl parser and ssl related keywords
15 years ago
if (ssl_state == NULL) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("no tls state: ");
result = 0;
goto end;
}
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpFreeConfig(TRUE);
return result;
}
/**
* \test Tests the parser for handling fragmented records.
*/
some naming changes in ssl parser and ssl related keywords
15 years ago
static int SSLParserTest19(void)
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
{
int result = 1;
Flow f;
uint8_t buf1[] = {
0x16, 0x03, 0x00, 0x00, 0x04, 0x01, 0x00, 0x00,
0x6b, 0x16, 0x03, 0x00, 0x00, 0x00,
};
uint32_t buf1_len = sizeof(buf1);
TcpSession ssn;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpInitConfig(TRUE);
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, buf1, buf1_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
SSLState *ssl_state = f.alstate;
some naming changes in ssl parser and ssl related keywords
15 years ago
if (ssl_state == NULL) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("no tls state: ");
result = 0;
goto end;
}
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpFreeConfig(TRUE);
return result;
}
/**
* \test Tests the parser for handling fragmented records.
*/
some naming changes in ssl parser and ssl related keywords
15 years ago
static int SSLParserTest20(void)
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
{
int result = 1;
Flow f;
uint8_t buf1[] = {
0x16, 0x03, 0x00, 0x00, 0x03, 0x01, 0x00, 0x00,
0x16, 0x03, 0x00, 0x00, 0x00,
};
uint32_t buf1_len = sizeof(buf1);
TcpSession ssn;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpInitConfig(TRUE);
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, buf1, buf1_len);
fix for #725. Update trec_len, trec_pos to 32 bits from 16 bits. Handle handshakes that are fragmented across records.
13 years ago
if (r == 0) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpFreeConfig(TRUE);
return result;
}
/**
* \test SSLv2 Record parsing.
*/
some naming changes in ssl parser and ssl related keywords
15 years ago
static int SSLParserTest21(void)
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
{
int result = 0;
Flow f;
uint8_t buf[] = {
0x80, 0x31, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00,
0x01,
};
uint32_t buf_len = sizeof(buf);
TcpSession ssn;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpInitConfig(TRUE);
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER | STREAM_EOF, buf,
buf_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
SSLState *app_state = f.alstate;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (app_state == NULL) {
printf("no ssl state: ");
goto end;
}
ssl parser fix/updates
13 years ago
if (app_state->client_connp.content_type != SSLV2_MT_CLIENT_HELLO) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ",
ssl parser fix/updates
13 years ago
SSLV2_MT_SERVER_HELLO, app_state->client_connp.content_type);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
ssl parser fix/updates
13 years ago
if (app_state->client_connp.version != SSL_VERSION_2) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
ssl parser fix/updates
13 years ago
SSL_VERSION_2, app_state->client_connp.version);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
result = 1;
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
Improve memory cleanup in some unittests
12 years ago
StreamTcpFreeConfig(TRUE);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
FLOW_DESTROY(&f);
return result;
}
/**
* \test SSLv2 Record parsing.
*/
some naming changes in ssl parser and ssl related keywords
15 years ago
static int SSLParserTest22(void)
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
{
int result = 1;
Flow f;
uint8_t buf[] = {
0x80, 0x31, 0x04, 0x00, 0x01, 0x00,
0x02, 0x00, 0x00, 0x00, 0x10, 0x07, 0x00, 0xc0,
0x05, 0x00, 0x80, 0x03, 0x00, 0x80, 0x01, 0x00,
0x80, 0x08, 0x00, 0x80, 0x06, 0x00, 0x40, 0x04,
0x00, 0x80, 0x02, 0x00, 0x80, 0x76, 0x64, 0x75,
0x2d, 0xa7, 0x98, 0xfe, 0xc9, 0x12, 0x92, 0xc1,
0x2f, 0x34, 0x84, 0x20, 0xc5};
uint32_t buf_len = sizeof(buf);
TcpSession ssn;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
push all proto detection code into their respective app parser register functions for every alproto
14 years ago
//AppLayerDetectProtoThreadInit();
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpInitConfig(TRUE);
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT | STREAM_EOF, buf,
buf_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
SSLState *app_state = f.alstate;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (app_state == NULL) {
printf("no ssl state: ");
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (app_state->server_connp.content_type != SSLV2_MT_SERVER_HELLO) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ",
ssl parser fix/updates
13 years ago
SSLV2_MT_SERVER_HELLO, app_state->server_connp.content_type);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (app_state->server_connp.version != SSL_VERSION_2) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
ssl parser fix/updates
13 years ago
SSL_VERSION_2, app_state->server_connp.version);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
return result;
}
/**
* \test SSLv2 Record parsing.
*/
some naming changes in ssl parser and ssl related keywords
15 years ago
static int SSLParserTest23(void)
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
{
int result = 1;
Flow f;
uint8_t chello_buf[] = {
0x80, 0x67, 0x01, 0x03, 0x00, 0x00, 0x4e, 0x00,
0x00, 0x00, 0x10, 0x01, 0x00, 0x80, 0x03, 0x00,
0x80, 0x07, 0x00, 0xc0, 0x06, 0x00, 0x40, 0x02,
0x00, 0x80, 0x04, 0x00, 0x80, 0x00, 0x00, 0x39,
0x00, 0x00, 0x38, 0x00, 0x00, 0x35, 0x00, 0x00,
0x33, 0x00, 0x00, 0x32, 0x00, 0x00, 0x04, 0x00,
0x00, 0x05, 0x00, 0x00, 0x2f, 0x00, 0x00, 0x16,
0x00, 0x00, 0x13, 0x00, 0xfe, 0xff, 0x00, 0x00,
0x0a, 0x00, 0x00, 0x15, 0x00, 0x00, 0x12, 0x00,
0xfe, 0xfe, 0x00, 0x00, 0x09, 0x00, 0x00, 0x64,
0x00, 0x00, 0x62, 0x00, 0x00, 0x03, 0x00, 0x00,
0x06, 0xa8, 0xb8, 0x93, 0xbb, 0x90, 0xe9, 0x2a,
0xa2, 0x4d, 0x6d, 0xcc, 0x1c, 0xe7, 0x2a, 0x80,
0x21
};
uint32_t chello_buf_len = sizeof(chello_buf);
uint8_t shello_buf[] = {
0x16, 0x03, 0x00, 0x00, 0x4a, 0x02,
0x00, 0x00, 0x46, 0x03, 0x00, 0x44, 0x4c, 0x94,
0x8f, 0xfe, 0x81, 0xed, 0x93, 0x65, 0x02, 0x88,
0xa3, 0xf8, 0xeb, 0x63, 0x86, 0x0e, 0x2c, 0xf6,
0x8d, 0xd0, 0x0f, 0x2c, 0x2a, 0xd6, 0x4f, 0xcd,
0x2d, 0x3c, 0x16, 0xd7, 0xd6, 0x20, 0xa0, 0xfb,
0x60, 0x86, 0x3d, 0x1e, 0x76, 0xf3, 0x30, 0xfe,
0x0b, 0x01, 0xfd, 0x1a, 0x01, 0xed, 0x95, 0xf6,
0x7b, 0x8e, 0xc0, 0xd4, 0x27, 0xbf, 0xf0, 0x6e,
0xc7, 0x56, 0xb1, 0x47, 0xce, 0x98, 0x00, 0x35,
0x00, 0x16, 0x03, 0x00, 0x03, 0x44, 0x0b, 0x00,
0x03, 0x40, 0x00, 0x03, 0x3d, 0x00, 0x03, 0x3a,
0x30, 0x82, 0x03, 0x36, 0x30, 0x82, 0x02, 0x9f,
0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01,
0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
0xf7, 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, 0x30,
0x81, 0xa9, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
0x55, 0x04, 0x06, 0x13, 0x02, 0x58, 0x59, 0x31,
0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x08,
0x13, 0x0c, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20,
0x44, 0x65, 0x73, 0x65, 0x72, 0x74, 0x31, 0x13,
0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13,
0x0a, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20, 0x54,
0x6f, 0x77, 0x6e, 0x31, 0x17, 0x30, 0x15, 0x06,
0x03, 0x55, 0x04, 0x0a, 0x13, 0x0e, 0x53, 0x6e,
0x61, 0x6b, 0x65, 0x20, 0x4f, 0x69, 0x6c, 0x2c,
0x20, 0x4c, 0x74, 0x64, 0x31, 0x1e, 0x30, 0x1c,
0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x15, 0x43,
0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61,
0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f,
0x72, 0x69, 0x74, 0x79, 0x31, 0x15, 0x30, 0x13,
0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0c, 0x53,
0x6e, 0x61, 0x6b, 0x65, 0x20, 0x4f, 0x69, 0x6c,
0x20, 0x43, 0x41, 0x31, 0x1e, 0x30, 0x1c, 0x06,
0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
0x09, 0x01, 0x16, 0x0f, 0x63, 0x61, 0x40, 0x73,
0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69, 0x6c, 0x2e,
0x64, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x30,
0x33, 0x30, 0x33, 0x30, 0x35, 0x31, 0x36, 0x34,
0x37, 0x34, 0x35, 0x5a, 0x17, 0x0d, 0x30, 0x38,
0x30, 0x33, 0x30, 0x33, 0x31, 0x36, 0x34, 0x37,
0x34, 0x35, 0x5a, 0x30, 0x81, 0xa7, 0x31, 0x0b,
0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
0x02, 0x58, 0x59, 0x31, 0x15, 0x30, 0x13, 0x06,
0x03, 0x55, 0x04, 0x08, 0x13, 0x0c, 0x53, 0x6e,
0x61, 0x6b, 0x65, 0x20, 0x44, 0x65, 0x73, 0x65,
0x72, 0x74, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
0x55, 0x04, 0x07, 0x13, 0x0a, 0x53, 0x6e, 0x61,
0x6b, 0x65, 0x20, 0x54, 0x6f, 0x77, 0x6e, 0x31,
0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0a,
0x13, 0x0e, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20,
0x4f, 0x69, 0x6c, 0x2c, 0x20, 0x4c, 0x74, 0x64,
0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04,
0x0b, 0x13, 0x0e, 0x57, 0x65, 0x62, 0x73, 0x65,
0x72, 0x76, 0x65, 0x72, 0x20, 0x54, 0x65, 0x61,
0x6d, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,
0x04, 0x03, 0x13, 0x10, 0x77, 0x77, 0x77, 0x2e,
0x73, 0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69, 0x6c,
0x2e, 0x64, 0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d,
0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
0x01, 0x09, 0x01, 0x16, 0x10, 0x77, 0x77, 0x77,
0x40, 0x73, 0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69,
0x6c, 0x2e, 0x64, 0x6f, 0x6d, 0x30, 0x81, 0x9f,
0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03,
0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81,
0x81, 0x00, 0xa4, 0x6e, 0x53, 0x14, 0x0a, 0xde,
0x2c, 0xe3, 0x60, 0x55, 0x9a, 0xf2, 0x42, 0xa6,
0xaf, 0x47, 0x12, 0x2f, 0x17, 0xce, 0xfa, 0xba,
0xdc, 0x4e, 0x63, 0x56, 0x34, 0xb9, 0xba, 0x73,
0x4b, 0x78, 0x44, 0x3d, 0xc6, 0x6c, 0x69, 0xa4,
0x25, 0xb3, 0x61, 0x02, 0x9d, 0x09, 0x04, 0x3f,
0x72, 0x3d, 0xd8, 0x27, 0xd3, 0xb0, 0x5a, 0x45,
0x77, 0xb7, 0x36, 0xe4, 0x26, 0x23, 0xcc, 0x12,
0xb8, 0xae, 0xde, 0xa7, 0xb6, 0x3a, 0x82, 0x3c,
0x7c, 0x24, 0x59, 0x0a, 0xf8, 0x96, 0x43, 0x8b,
0xa3, 0x29, 0x36, 0x3f, 0x91, 0x7f, 0x5d, 0xc7,
0x23, 0x94, 0x29, 0x7f, 0x0a, 0xce, 0x0a, 0xbd,
0x8d, 0x9b, 0x2f, 0x19, 0x17, 0xaa, 0xd5, 0x8e,
0xec, 0x66, 0xa2, 0x37, 0xeb, 0x3f, 0x57, 0x53,
0x3c, 0xf2, 0xaa, 0xbb, 0x79, 0x19, 0x4b, 0x90,
0x7e, 0xa7, 0xa3, 0x99, 0xfe, 0x84, 0x4c, 0x89,
0xf0, 0x3d, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3,
0x6e, 0x30, 0x6c, 0x30, 0x1b, 0x06, 0x03, 0x55,
0x1d, 0x11, 0x04, 0x14, 0x30, 0x12, 0x81, 0x10,
0x77, 0x77, 0x77, 0x40, 0x73, 0x6e, 0x61, 0x6b,
0x65, 0x6f, 0x69, 0x6c, 0x2e, 0x64, 0x6f, 0x6d,
0x30, 0x3a, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
0x86, 0xf8, 0x42, 0x01, 0x0d, 0x04, 0x2d, 0x16,
0x2b, 0x6d, 0x6f, 0x64, 0x5f, 0x73, 0x73, 0x6c,
0x20, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74,
0x65, 0x64, 0x20, 0x63, 0x75, 0x73, 0x74, 0x6f,
0x6d, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72,
0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
0x63, 0x61, 0x74, 0x65, 0x30, 0x11, 0x06, 0x09,
0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01,
0x01, 0x04, 0x04, 0x03, 0x02, 0x06, 0x40, 0x30,
0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, 0x03, 0x81,
0x81, 0x00, 0xae, 0x79, 0x79, 0x22, 0x90, 0x75,
0xfd, 0xa6, 0xd5, 0xc4, 0xb8, 0xc4, 0x99, 0x4e,
0x1c, 0x05, 0x7c, 0x91, 0x59, 0xbe, 0x89, 0x0d,
0x3d, 0xc6, 0x8c, 0xa3, 0xcf, 0xf6, 0xba, 0x23,
0xdf, 0xb8, 0xae, 0x44, 0x68, 0x8a, 0x8f, 0xb9,
0x8b, 0xcb, 0x12, 0xda, 0xe6, 0xa2, 0xca, 0xa5,
0xa6, 0x55, 0xd9, 0xd2, 0xa1, 0xad, 0xba, 0x9b,
0x2c, 0x44, 0x95, 0x1d, 0x4a, 0x90, 0x59, 0x7f,
0x83, 0xae, 0x81, 0x5e, 0x3f, 0x92, 0xe0, 0x14,
0x41, 0x82, 0x4e, 0x7f, 0x53, 0xfd, 0x10, 0x23,
0xeb, 0x8a, 0xeb, 0xe9, 0x92, 0xea, 0x61, 0xf2,
0x8e, 0x19, 0xa1, 0xd3, 0x49, 0xc0, 0x84, 0x34,
0x1e, 0x2e, 0x6e, 0xf6, 0x98, 0xe2, 0x87, 0x53,
0xd6, 0x55, 0xd9, 0x1a, 0x8a, 0x92, 0x5c, 0xad,
0xdc, 0x1e, 0x1c, 0x30, 0xa7, 0x65, 0x9d, 0xc2,
0x4f, 0x60, 0xd2, 0x6f, 0xdb, 0xe0, 0x9f, 0x9e,
0xbc, 0x41, 0x16, 0x03, 0x00, 0x00, 0x04, 0x0e,
0x00, 0x00, 0x00
};
uint32_t shello_buf_len = sizeof(shello_buf);
uint8_t client_change_cipher_spec_buf[] = {
0x16, 0x03, 0x00, 0x00, 0x84, 0x10, 0x00, 0x00,
0x80, 0x65, 0x51, 0x2d, 0xa6, 0xd4, 0xa7, 0x38,
0xdf, 0xac, 0x79, 0x1f, 0x0b, 0xd9, 0xb2, 0x61,
0x7d, 0x73, 0x88, 0x32, 0xd9, 0xf2, 0x62, 0x3a,
0x8b, 0x11, 0x04, 0x75, 0xca, 0x42, 0xff, 0x4e,
0xd9, 0xcc, 0xb9, 0xfa, 0x86, 0xf3, 0x16, 0x2f,
0x09, 0x73, 0x51, 0x66, 0xaa, 0x29, 0xcd, 0x80,
0x61, 0x0f, 0xe8, 0x13, 0xce, 0x5b, 0x8e, 0x0a,
0x23, 0xf8, 0x91, 0x5e, 0x5f, 0x54, 0x70, 0x80,
0x8e, 0x7b, 0x28, 0xef, 0xb6, 0x69, 0xb2, 0x59,
0x85, 0x74, 0x98, 0xe2, 0x7e, 0xd8, 0xcc, 0x76,
0x80, 0xe1, 0xb6, 0x45, 0x4d, 0xc7, 0xcd, 0x84,
0xce, 0xb4, 0x52, 0x79, 0x74, 0xcd, 0xe6, 0xd7,
0xd1, 0x9c, 0xad, 0xef, 0x63, 0x6c, 0x0f, 0xf7,
0x05, 0xe4, 0x4d, 0x1a, 0xd3, 0xcb, 0x9c, 0xd2,
0x51, 0xb5, 0x61, 0xcb, 0xff, 0x7c, 0xee, 0xc7,
0xbc, 0x5e, 0x15, 0xa3, 0xf2, 0x52, 0x0f, 0xbb,
0x32, 0x14, 0x03, 0x00, 0x00, 0x01, 0x01, 0x16,
0x03, 0x00, 0x00, 0x40, 0xa9, 0xd8, 0xd7, 0x35,
0xbc, 0x39, 0x56, 0x98, 0xad, 0x87, 0x61, 0x2a,
0xc4, 0x8f, 0xcc, 0x03, 0xcb, 0x93, 0x80, 0x81,
0xb0, 0x4a, 0xc4, 0xd2, 0x09, 0x71, 0x3e, 0x90,
0x3c, 0x8d, 0xe0, 0x95, 0x44, 0xfe, 0x56, 0xd1,
0x7e, 0x88, 0xe2, 0x48, 0xfd, 0x76, 0x70, 0x76,
0xe2, 0xcd, 0x06, 0xd0, 0xf3, 0x9d, 0x13, 0x79,
0x67, 0x1e, 0x37, 0xf6, 0x98, 0xbe, 0x59, 0x18,
0x4c, 0xfc, 0x75, 0x56
};
uint32_t client_change_cipher_spec_buf_len =
sizeof(client_change_cipher_spec_buf);
uint8_t server_change_cipher_spec_buf[] = {
0x14, 0x03, 0x00, 0x00, 0x01, 0x01, 0x16, 0x03,
0x00, 0x00, 0x40, 0xce, 0x7c, 0x92, 0x43, 0x59,
0xcc, 0x3d, 0x90, 0x91, 0x9c, 0x58, 0xf0, 0x7a,
0xce, 0xae, 0x0d, 0x08, 0xe0, 0x76, 0xb4, 0x86,
0xb1, 0x15, 0x5b, 0x32, 0xb8, 0x77, 0x53, 0xe7,
0xa6, 0xf9, 0xd0, 0x95, 0x5f, 0xaa, 0x07, 0xc3,
0x96, 0x7c, 0xc9, 0x88, 0xc2, 0x7a, 0x20, 0x89,
0x4f, 0xeb, 0xeb, 0xb6, 0x19, 0xef, 0xaa, 0x27,
0x73, 0x9d, 0xa6, 0xb4, 0x9f, 0xeb, 0x34, 0xe2,
0x4d, 0x9f, 0x6b
};
uint32_t server_change_cipher_spec_buf_len =
sizeof(server_change_cipher_spec_buf);
uint8_t toserver_app_data_buf[] = {
0x17, 0x03, 0x00, 0x01, 0xb0, 0x4a, 0xc3, 0x3e,
0x9d, 0x77, 0x78, 0x01, 0x2c, 0xb4, 0xbc, 0x4c,
0x9a, 0x84, 0xd7, 0xb9, 0x90, 0x0c, 0x21, 0x10,
0xf0, 0xfa, 0x00, 0x7c, 0x16, 0xbb, 0x77, 0xfb,
0x72, 0x42, 0x4f, 0xad, 0x50, 0x4a, 0xd0, 0xaa,
0x6f, 0xaa, 0x44, 0x6c, 0x62, 0x94, 0x1b, 0xc5,
0xfe, 0xe9, 0x1c, 0x5e, 0xde, 0x85, 0x0b, 0x0e,
0x05, 0xe4, 0x18, 0x6e, 0xd2, 0xd3, 0xb5, 0x20,
0xab, 0x81, 0xfd, 0x18, 0x9a, 0x73, 0xb8, 0xd7,
0xef, 0xc3, 0xdd, 0x74, 0xd7, 0x9c, 0x1e, 0x6f,
0x21, 0x6d, 0xf8, 0x24, 0xca, 0x3c, 0x70, 0x78,
0x36, 0x12, 0x7a, 0x8a, 0x9c, 0xac, 0x4e, 0x1c,
0xa8, 0xfb, 0x27, 0x30, 0xba, 0x9a, 0xf4, 0x2f,
0x0a, 0xab, 0x80, 0x6a, 0xa1, 0x60, 0x74, 0xf0,
0xe3, 0x91, 0x84, 0xe7, 0x90, 0x88, 0xcc, 0xf0,
0x95, 0x7b, 0x0a, 0x22, 0xf2, 0xf9, 0x27, 0xe0,
0xdd, 0x38, 0x0c, 0xfd, 0xe9, 0x03, 0x71, 0xdc,
0x70, 0xa4, 0x6e, 0xdf, 0xe3, 0x72, 0x9e, 0xa1,
0xf0, 0xc9, 0x00, 0xd6, 0x03, 0x55, 0x6a, 0x67,
0x5d, 0x9c, 0xb8, 0x75, 0x01, 0xb0, 0x01, 0x9f,
0xe6, 0xd2, 0x44, 0x18, 0xbc, 0xca, 0x7a, 0x10,
0x39, 0xa6, 0xcf, 0x15, 0xc7, 0xf5, 0x35, 0xd4,
0xb3, 0x6d, 0x91, 0x23, 0x84, 0x99, 0xba, 0xb0,
0x7e, 0xd0, 0xc9, 0x4c, 0xbf, 0x3f, 0x33, 0x68,
0x37, 0xb7, 0x7d, 0x44, 0xb0, 0x0b, 0x2c, 0x0f,
0xd0, 0x75, 0xa2, 0x6b, 0x5b, 0xe1, 0x9f, 0xd4,
0x69, 0x9a, 0x14, 0xc8, 0x29, 0xb7, 0xd9, 0x10,
0xbb, 0x99, 0x30, 0x9a, 0xfb, 0xcc, 0x13, 0x1f,
0x76, 0x4e, 0xe6, 0xdf, 0x14, 0xaa, 0xd5, 0x60,
0xbf, 0x91, 0x49, 0x0d, 0x64, 0x42, 0x29, 0xa8,
0x64, 0x27, 0xd4, 0x5e, 0x1b, 0x18, 0x03, 0xa8,
0x73, 0xd6, 0x05, 0x6e, 0xf7, 0x50, 0xb0, 0x09,
0x6b, 0x69, 0x7a, 0x12, 0x28, 0x58, 0xef, 0x5a,
0x86, 0x11, 0xde, 0x71, 0x71, 0x9f, 0xca, 0xbd,
0x79, 0x2a, 0xc2, 0xe5, 0x9b, 0x5e, 0x32, 0xe7,
0xcb, 0x97, 0x6e, 0xa0, 0xea, 0xa4, 0xa4, 0x6a,
0x32, 0xf9, 0x37, 0x39, 0xd8, 0x37, 0x6d, 0x63,
0xf3, 0x08, 0x1c, 0xdd, 0x06, 0xdd, 0x2c, 0x2b,
0x9f, 0x04, 0x88, 0x5f, 0x36, 0x42, 0xc1, 0xb1,
0xc7, 0xe8, 0x2d, 0x5d, 0xa4, 0x6c, 0xe5, 0x60,
0x94, 0xae, 0xd0, 0x90, 0x1e, 0x88, 0xa0, 0x87,
0x52, 0xfb, 0xed, 0x97, 0xa5, 0x25, 0x5a, 0xb7,
0x55, 0xc5, 0x13, 0x07, 0x85, 0x27, 0x40, 0xed,
0xb8, 0xa0, 0x26, 0x13, 0x44, 0x0c, 0xfc, 0xcc,
0x5a, 0x09, 0xe5, 0x44, 0xb5, 0x63, 0xa1, 0x43,
0x51, 0x23, 0x4f, 0x17, 0x21, 0x89, 0x2e, 0x58,
0xfd, 0xf9, 0x63, 0x74, 0x04, 0x70, 0x1e, 0x7d,
0xd0, 0x66, 0xba, 0x40, 0x5e, 0x45, 0xdc, 0x39,
0x7c, 0x53, 0x0f, 0xa8, 0x38, 0xb2, 0x13, 0x99,
0x27, 0xd9, 0x4a, 0x51, 0xe9, 0x9f, 0x2a, 0x92,
0xbb, 0x9c, 0x90, 0xab, 0xfd, 0xf1, 0xb7, 0x40,
0x05, 0xa9, 0x7a, 0x20, 0x63, 0x36, 0xc1, 0xef,
0xb9, 0xad, 0xa2, 0xe0, 0x1d, 0x20, 0x4f, 0xb2,
0x34, 0xbd, 0xea, 0x07, 0xac, 0x21, 0xce, 0xf6,
0x8a, 0xa2, 0x9e, 0xcd, 0xfa
};
uint32_t toserver_app_data_buf_len = sizeof(toserver_app_data_buf);
TcpSession ssn;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
push all proto detection code into their respective app parser register functions for every alproto
14 years ago
//AppLayerDetectProtoThreadInit();
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpInitConfig(TRUE);
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER | STREAM_START, chello_buf,
chello_buf_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
SSLState *app_state = f.alstate;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (app_state == NULL) {
printf("no ssl state: ");
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (app_state->client_connp.content_type != SSLV2_MT_CLIENT_HELLO) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ",
ssl parser fix/updates
13 years ago
SSLV2_MT_CLIENT_HELLO, app_state->client_connp.content_type);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (app_state->client_connp.version != SSL_VERSION_2) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
ssl parser fix/updates
13 years ago
SSL_VERSION_2, app_state->client_connp.version);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
if (app_state->flags !=
(SSL_AL_FLAG_STATE_CLIENT_HELLO | SSL_AL_FLAG_SSL_CLIENT_HS |
SSL_AL_FLAG_SSL_NO_SESSION_ID)) {
printf("flags not set\n");
result = 0;
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, shello_buf,
shello_buf_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toclient chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
ssl parser fix/updates
13 years ago
if (app_state->server_connp.content_type != SSLV3_HANDSHAKE_PROTOCOL) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ",
ssl parser fix/updates
13 years ago
SSLV3_HANDSHAKE_PROTOCOL, app_state->server_connp.content_type);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (app_state->server_connp.version != SSL_VERSION_3) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
ssl parser fix/updates
13 years ago
SSL_VERSION_3, app_state->server_connp.version);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
if (app_state->flags !=
(SSL_AL_FLAG_STATE_CLIENT_HELLO | SSL_AL_FLAG_SSL_CLIENT_HS |
SSL_AL_FLAG_SSL_NO_SESSION_ID | SSL_AL_FLAG_STATE_SERVER_HELLO)) {
printf("flags not set\n");
result = 0;
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, client_change_cipher_spec_buf,
client_change_cipher_spec_buf_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
/* with multiple records the client content type hold the type from the last
* record */
ssl parser fix/updates
13 years ago
if (app_state->client_connp.content_type != SSLV3_HANDSHAKE_PROTOCOL) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ",
ssl parser fix/updates
13 years ago
SSLV3_HANDSHAKE_PROTOCOL, app_state->client_connp.content_type);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (app_state->client_connp.version != SSL_VERSION_3) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
ssl parser fix/updates
13 years ago
SSL_VERSION_3, app_state->client_connp.version);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
if (app_state->flags !=
(SSL_AL_FLAG_STATE_CLIENT_HELLO | SSL_AL_FLAG_SSL_CLIENT_HS |
SSL_AL_FLAG_SSL_NO_SESSION_ID | SSL_AL_FLAG_STATE_SERVER_HELLO |
SSL_AL_FLAG_STATE_CLIENT_KEYX | SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC |
SSL_AL_FLAG_CHANGE_CIPHER_SPEC)) {
printf("flags not set\n");
result = 0;
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, server_change_cipher_spec_buf,
server_change_cipher_spec_buf_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toclient chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
/* with multiple records the serve content type hold the type from the last
* record */
ssl parser fix/updates
13 years ago
if (app_state->server_connp.content_type != SSLV3_HANDSHAKE_PROTOCOL) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ",
ssl parser fix/updates
13 years ago
SSLV3_HANDSHAKE_PROTOCOL, app_state->server_connp.content_type);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (app_state->server_connp.version != SSL_VERSION_3) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
ssl parser fix/updates
13 years ago
SSL_VERSION_3, app_state->server_connp.version);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
if (app_state->flags !=
(SSL_AL_FLAG_STATE_CLIENT_HELLO | SSL_AL_FLAG_SSL_CLIENT_HS |
SSL_AL_FLAG_SSL_NO_SESSION_ID | SSL_AL_FLAG_STATE_SERVER_HELLO |
SSL_AL_FLAG_STATE_CLIENT_KEYX | SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC |
SSL_AL_FLAG_CHANGE_CIPHER_SPEC | SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC |
SSL_AL_FLAG_CHANGE_CIPHER_SPEC)) {
printf("flags not set\n");
result = 0;
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, toserver_app_data_buf,
toserver_app_data_buf_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
ssl parser fix/updates
13 years ago
if (app_state->client_connp.content_type != SSLV3_APPLICATION_PROTOCOL) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ",
ssl parser fix/updates
13 years ago
SSLV3_APPLICATION_PROTOCOL, app_state->client_connp.content_type);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (app_state->client_connp.version != SSL_VERSION_3) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
ssl parser fix/updates
13 years ago
SSL_VERSION_3, app_state->client_connp.version);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
if (app_state->flags !=
(SSL_AL_FLAG_STATE_CLIENT_HELLO | SSL_AL_FLAG_SSL_CLIENT_HS |
SSL_AL_FLAG_SSL_NO_SESSION_ID | SSL_AL_FLAG_STATE_SERVER_HELLO |
SSL_AL_FLAG_STATE_CLIENT_KEYX | SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC |
SSL_AL_FLAG_CHANGE_CIPHER_SPEC | SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC |
SSL_AL_FLAG_CHANGE_CIPHER_SPEC)) {
printf("flags not set\n");
result = 0;
goto end;
}
update ssl parser test. Some minor indentation changes
15 years ago
if (!(f.flags & FLOW_NOPAYLOAD_INSPECTION)) {
printf("The flags should be set\n");
result = 0;
goto end;
}
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
return result;
}
/**
* \test Tests the parser for handling fragmented records.
*/
some naming changes in ssl parser and ssl related keywords
15 years ago
static int SSLParserTest24(void)
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
{
int result = 1;
Flow f;
uint8_t buf1[] = {
0x16, 0x03, 0x00, 0x00, 0x6f, 0x01, 0x00, 0x00,
0x6b, 0x03,
};
uint32_t buf1_len = sizeof(buf1);
uint8_t buf2[] = {
0x00, 0x4b, 0x2f, 0xdc,
0x4e, 0xe6, 0x95, 0xf1, 0xa0, 0xc7, 0xcf, 0x8e,
0xf6, 0xeb, 0x22, 0x6d, 0xce, 0x9c, 0x44, 0xfb,
0xc8, 0xa0, 0x44, 0x31, 0x15, 0x4c, 0xe9, 0x97,
0xa7, 0xa1, 0xfe, 0xea, 0xcc, 0x20, 0x4b, 0x5d,
0xfb, 0xa5, 0x63, 0x7a, 0x73, 0x95, 0xf7, 0xff,
0x42, 0xac, 0x8f, 0x46, 0xed, 0xe4, 0xb1, 0x35,
0x35, 0x78, 0x1a, 0x9d, 0xaf, 0x10, 0xc5, 0x52,
0xf3, 0x7b, 0xfb, 0xb5, 0xe9, 0xa8, 0x00, 0x24,
0x00, 0x88, 0x00, 0x87, 0x00, 0x39, 0x00, 0x38,
0x00, 0x84, 0x00, 0x35, 0x00, 0x45, 0x00, 0x44,
0x00, 0x33, 0x00, 0x32, 0x00, 0x96, 0x00, 0x41,
0x00, 0x2f, 0x00, 0x16, 0x00, 0x13, 0xfe, 0xff,
0x00, 0x0a, 0x00, 0x02, 0x01, 0x00
};
uint32_t buf2_len = sizeof(buf2);
TcpSession ssn;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpInitConfig(TRUE);
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, buf1, buf1_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, buf2, buf2_len);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f.m);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
SSLState *ssl_state = f.alstate;
some naming changes in ssl parser and ssl related keywords
15 years ago
if (ssl_state == NULL) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("no tls state: ");
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.content_type != 0x16) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16,
ssl parser fix/updates
13 years ago
ssl_state->client_connp.content_type);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
ssl parser fix/updates
13 years ago
if (ssl_state->client_connp.version != SSL_VERSION_3) {
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
ssl parser fix/updates
13 years ago
SSL_VERSION_3, ssl_state->client_connp.version);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
result = 0;
goto end;
}
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
StreamTcpFreeConfig(TRUE);
return result;
}
bug #955 - Fix SSL parsing issue. The parser wasn't carrying out a bounds check on record length while in the middle of parsing a handshake. As a result we would step onto the next record header and consider it a part of the current handshake. - Contains an unittest to test the issue. - Disable the duplicate parser unittest registration. The issue came to light through an irregular ssl record, which was reported by Sebastian Roschke, via CVE-2013-5919. Thanks to Sebastian Roschke for reporting this issue.
12 years ago
/**
* \test Test for bug #955 and CVE-2013-5919. The data is from the
* pcap that was used to report this issue.
*/
static int SSLParserTest25(void)
{
int result = 0;
Flow f;
uint8_t client_hello[] = {
0x16, 0x03, 0x01, 0x00, 0xd3, 0x01, 0x00, 0x00,
0xcf, 0x03, 0x01, 0x51, 0x60, 0xc2, 0x15, 0x36,
0x73, 0xf5, 0xb8, 0x58, 0x55, 0x3b, 0x68, 0x12,
0x7d, 0xe3, 0x28, 0xa3, 0xe1, 0x02, 0x79, 0x2d,
0x12, 0xe1, 0xf4, 0x24, 0x12, 0xa2, 0x9e, 0xf1,
0x08, 0x49, 0x68, 0x20, 0x0e, 0x96, 0x46, 0x3d,
0x84, 0x5a, 0xc6, 0x55, 0xeb, 0x3b, 0x53, 0x77,
0xf4, 0x8e, 0xf4, 0xd2, 0x8b, 0xec, 0xd6, 0x99,
0x63, 0x64, 0x62, 0xf8, 0x3f, 0x3b, 0xd5, 0x35,
0x45, 0x1b, 0x16, 0xac, 0x00, 0x46, 0x00, 0x04,
0x00, 0x05, 0x00, 0x2f, 0x00, 0x35, 0xc0, 0x02,
0xc0, 0x04, 0xc0, 0x05, 0xc0, 0x0c, 0xc0, 0x0e,
0xc0, 0x0f, 0xc0, 0x07, 0xc0, 0x09, 0xc0, 0x0a,
0xc0, 0x11, 0xc0, 0x13, 0xc0, 0x14, 0x00, 0x33,
0x00, 0x39, 0x00, 0x32, 0x00, 0x38, 0x00, 0x0a,
0xc0, 0x03, 0xc0, 0x0d, 0xc0, 0x08, 0xc0, 0x12,
0x00, 0x16, 0x00, 0x13, 0x00, 0x09, 0x00, 0x15,
0x00, 0x12, 0x00, 0x03, 0x00, 0x08, 0x00, 0x14,
0x00, 0x11, 0x00, 0xff, 0x01, 0x00, 0x00, 0x40,
0x00, 0x0b, 0x00, 0x04, 0x03, 0x00, 0x01, 0x02,
0x00, 0x0a, 0x00, 0x34, 0x00, 0x32, 0x00, 0x0e,
0x00, 0x0d, 0x00, 0x19, 0x00, 0x0b, 0x00, 0x0c,
0x00, 0x18, 0x00, 0x09, 0x00, 0x0a, 0x00, 0x16,
0x00, 0x17, 0x00, 0x08, 0x00, 0x06, 0x00, 0x07,
0x00, 0x14, 0x00, 0x15, 0x00, 0x04, 0x00, 0x05,
0x00, 0x12, 0x00, 0x13, 0x00, 0x01, 0x00, 0x02,
0x00, 0x03, 0x00, 0x0f, 0x00, 0x10, 0x00, 0x11
};
uint32_t client_hello_len = sizeof(client_hello);
uint8_t server_hello_certificate_done[] = {
0x16, 0x03, 0x01, 0x00, 0x51, 0x02, 0x00, 0x00,
0x4d, 0x03, 0x01, 0x51, 0x60, 0xc2, 0x17, 0xb7,
0x81, 0xaa, 0x27, 0xa1, 0xd5, 0xfa, 0x14, 0xc1,
0xe0, 0x05, 0xab, 0x75, 0xf2, 0x51, 0xe7, 0x6e,
0xe6, 0xf9, 0xc4, 0x8f, 0x16, 0x08, 0x26, 0x6c,
0x1b, 0x86, 0x90, 0x20, 0x0a, 0x38, 0x90, 0x2d,
0x17, 0x7d, 0xb7, 0x6b, 0x6b, 0xe5, 0xeb, 0x61,
0x90, 0x35, 0xf8, 0xcd, 0xb1, 0x2a, 0x69, 0x6e,
0x0e, 0x3e, 0x5f, 0x90, 0xdc, 0x2f, 0x51, 0x45,
0x68, 0x63, 0xe3, 0xb3, 0x00, 0x05, 0x00, 0x00,
0x05, 0xff, 0x01, 0x00, 0x01, 0x00, 0x16, 0x03,
0x01, 0x07, 0x60, 0x0b, 0x00, 0x07, 0x5c, 0x00,
0x07, 0x59, 0x00, 0x03, 0xcc, 0x30, 0x82, 0x03,
0xc8, 0x30, 0x82, 0x03, 0x31, 0xa0, 0x03, 0x02,
0x01, 0x02, 0x02, 0x10, 0x01, 0x7f, 0x77, 0xde,
0xb3, 0xbc, 0xbb, 0x23, 0x5d, 0x44, 0xcc, 0xc7,
0xdb, 0xa6, 0x2e, 0x72, 0x30, 0x0d, 0x06, 0x09,
0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
0x05, 0x05, 0x00, 0x30, 0x81, 0xba, 0x31, 0x1f,
0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13,
0x16, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67,
0x6e, 0x20, 0x54, 0x72, 0x75, 0x73, 0x74, 0x20,
0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x31,
0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0b,
0x13, 0x0e, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69,
0x67, 0x6e, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e,
0x31, 0x33, 0x30, 0x31, 0x06, 0x03, 0x55, 0x04,
0x0b, 0x13, 0x2a, 0x56, 0x65, 0x72, 0x69, 0x53,
0x69, 0x67, 0x6e, 0x20, 0x49, 0x6e, 0x74, 0x65,
0x72, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61,
0x6c, 0x20, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
0x20, 0x43, 0x41, 0x20, 0x2d, 0x20, 0x43, 0x6c,
0x61, 0x73, 0x73, 0x20, 0x33, 0x31, 0x49, 0x30,
0x47, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x40,
0x77, 0x77, 0x77, 0x2e, 0x76, 0x65, 0x72, 0x69,
0x73, 0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f, 0x6d,
0x2f, 0x43, 0x50, 0x53, 0x20, 0x49, 0x6e, 0x63,
0x6f, 0x72, 0x70, 0x2e, 0x62, 0x79, 0x20, 0x52,
0x65, 0x66, 0x2e, 0x20, 0x4c, 0x49, 0x41, 0x42,
0x49, 0x4c, 0x49, 0x54, 0x59, 0x20, 0x4c, 0x54,
0x44, 0x2e, 0x28, 0x63, 0x29, 0x39, 0x37, 0x20,
0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e,
0x30, 0x1e, 0x17, 0x0d, 0x31, 0x32, 0x30, 0x36,
0x32, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
0x5a, 0x17, 0x0d, 0x31, 0x33, 0x31, 0x32, 0x33,
0x31, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a,
0x30, 0x68, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
0x13, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f,
0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, 0x10,
0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x09, 0x50,
0x61, 0x6c, 0x6f, 0x20, 0x41, 0x6c, 0x74, 0x6f,
0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04,
0x0a, 0x13, 0x0e, 0x46, 0x61, 0x63, 0x65, 0x62,
0x6f, 0x6f, 0x6b, 0x2c, 0x20, 0x49, 0x6e, 0x63,
0x2e, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55,
0x04, 0x02, 0x14, 0x0e, 0x2a, 0x2e, 0x66, 0x61,
0x63, 0x65, 0x62, 0x6f, 0x6f, 0x6b, 0x2e, 0x63,
0x6f, 0x6d, 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06,
0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00,
0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xae,
0x94, 0xb1, 0x71, 0xe2, 0xde, 0xcc, 0xc1, 0x69,
0x3e, 0x05, 0x10, 0x63, 0x24, 0x01, 0x02, 0xe0,
0x68, 0x9a, 0xe8, 0x3c, 0x39, 0xb6, 0xb3, 0xe7,
0x4b, 0x97, 0xd4, 0x8d, 0x7b, 0x23, 0x68, 0x91,
0x00, 0xb0, 0xb4, 0x96, 0xee, 0x62, 0xf0, 0xe6,
0xd3, 0x56, 0xbc, 0xf4, 0xaa, 0x0f, 0x50, 0x64,
0x34, 0x02, 0xf5, 0xd1, 0x76, 0x6a, 0xa9, 0x72,
0x83, 0x5a, 0x75, 0x64, 0x72, 0x3f, 0x39, 0xbb,
0xef, 0x52, 0x90, 0xde, 0xd9, 0xbc, 0xdb, 0xf9,
0xd3, 0xd5, 0x5d, 0xfa, 0xd2, 0x3a, 0xa0, 0x3d,
0xc6, 0x04, 0xc5, 0x4d, 0x29, 0xcf, 0x1d, 0x4b,
0x3b, 0xdb, 0xd1, 0xa8, 0x09, 0xcf, 0xae, 0x47,
0xb4, 0x4c, 0x7e, 0xae, 0x17, 0xc5, 0x10, 0x9b,
0xee, 0x24, 0xa9, 0xcf, 0x4a, 0x8d, 0x91, 0x1b,
0xb0, 0xfd, 0x04, 0x15, 0xae, 0x4c, 0x3f, 0x43,
0x0a, 0xa1, 0x2a, 0x55, 0x7e, 0x2a, 0xe1, 0x02,
0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x1e,
0x30, 0x82, 0x01, 0x1a, 0x30, 0x09, 0x06, 0x03,
0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30,
0x44, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x3d,
0x30, 0x3b, 0x30, 0x39, 0x06, 0x0b, 0x60, 0x86,
0x48, 0x01, 0x86, 0xf8, 0x45, 0x01, 0x07, 0x17,
0x03, 0x30, 0x2a, 0x30, 0x28, 0x06, 0x08, 0x2b,
0x06, 0x01, 0x05, 0x05, 0x07, 0x00, 0x01, 0x16,
0x1c, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f,
0x2f, 0x77, 0x77, 0x77, 0x2e, 0x76, 0x65, 0x72,
0x69, 0x73, 0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f,
0x6d, 0x2f, 0x72, 0x70, 0x61, 0x30, 0x3c, 0x06,
0x03, 0x55, 0x1d, 0x1f, 0x04, 0x35, 0x30, 0x33,
0x30, 0x31, 0xa0, 0x2f, 0xa0, 0x2d, 0x86, 0x2b,
0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x53,
0x56, 0x52, 0x49, 0x6e, 0x74, 0x6c, 0x2d, 0x63,
0x72, 0x6c, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x73,
0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x2f,
0x53, 0x56, 0x52, 0x49, 0x6e, 0x74, 0x6c, 0x2e,
0x63, 0x72, 0x6c, 0x30, 0x1d, 0x06, 0x03, 0x55,
0x1d, 0x25, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08,
0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01,
0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
0x03, 0x02, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d,
0x0f, 0x04, 0x04, 0x03, 0x02, 0x05, 0xa0, 0x30,
0x34, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
0x07, 0x01, 0x01, 0x04, 0x28, 0x30, 0x26, 0x30,
0x24, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
0x07, 0x30, 0x01, 0x86, 0x18, 0x68, 0x74, 0x74,
0x70, 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70,
0x2e, 0x76, 0x65, 0x72, 0x69, 0x73, 0x69, 0x67,
0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x27, 0x06,
0x03, 0x55, 0x1d, 0x11, 0x04, 0x20, 0x30, 0x1e,
0x82, 0x0e, 0x2a, 0x2e, 0x66, 0x61, 0x63, 0x65,
0x62, 0x6f, 0x6f, 0x6b, 0x2e, 0x63, 0x6f, 0x6d,
0x82, 0x0c, 0x66, 0x61, 0x63, 0x65, 0x62, 0x6f,
0x6f, 0x6b, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x0d,
0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x81, 0x81,
0x00, 0x5b, 0x6c, 0x2b, 0x75, 0xf8, 0xed, 0x30,
0xaa, 0x51, 0xaa, 0xd3, 0x6a, 0xba, 0x59, 0x5e,
0x55, 0x51, 0x41, 0x95, 0x1f, 0x81, 0xa5, 0x3b,
0x44, 0x79, 0x10, 0xac, 0x1f, 0x76, 0xff, 0x78,
0xfc, 0x27, 0x81, 0x61, 0x6b, 0x58, 0xf3, 0x12,
0x2a, 0xfc, 0x1c, 0x87, 0x01, 0x04, 0x25, 0xe9,
0xed, 0x43, 0xdf, 0x1a, 0x7b, 0xa6, 0x49, 0x80,
0x60, 0x67, 0xe2, 0x68, 0x8a, 0xf0, 0x3d, 0xb5,
0x8c, 0x7d, 0xf4, 0xee, 0x03, 0x30, 0x9a, 0x6a,
0xfc, 0x24, 0x7c, 0xcb, 0x13, 0x4d, 0xc3, 0x3e,
0x54, 0xc6, 0xbc, 0x1d, 0x51, 0x33, 0xa5, 0x32,
0xa7, 0x32, 0x73, 0xb1, 0xd7, 0x9c, 0xad, 0xc0,
0x8e, 0x7e, 0x1a, 0x83, 0x11, 0x6d, 0x34, 0x52,
0x33, 0x40, 0xb0, 0x30, 0x54, 0x27, 0xa2, 0x17,
0x42, 0x82, 0x7c, 0x98, 0x91, 0x66, 0x98, 0xee,
0x7e, 0xaf, 0x8c, 0x3b, 0xdd, 0x71, 0x70, 0x08,
0x17, 0x00, 0x03, 0x87, 0x30, 0x82, 0x03, 0x83,
0x30, 0x82, 0x02, 0xec, 0xa0, 0x03, 0x02, 0x01,
0x02, 0x02, 0x10, 0x46, 0xfc, 0xeb, 0xba, 0xb4,
0xd0, 0x2f, 0x0f, 0x92, 0x60, 0x98, 0x23, 0x3f,
0x93, 0x07, 0x8f, 0x30, 0x0d, 0x06, 0x09, 0x2a,
0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05,
0x05, 0x00, 0x30, 0x5f, 0x31, 0x0b, 0x30, 0x09,
0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
0x53, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55,
0x04, 0x0a, 0x13, 0x0e, 0x56, 0x65, 0x72, 0x69,
0x53, 0x69, 0x67, 0x6e, 0x2c, 0x20, 0x49, 0x6e,
0x63, 0x2e, 0x31, 0x37, 0x30, 0x35, 0x06, 0x03,
0x55, 0x04, 0x0b, 0x13, 0x2e, 0x43, 0x6c, 0x61,
0x73, 0x73, 0x20, 0x33, 0x20, 0x50, 0x75, 0x62,
0x6c, 0x69, 0x63, 0x20, 0x50, 0x72, 0x69, 0x6d,
0x61, 0x72, 0x79, 0x20, 0x43, 0x65, 0x72, 0x74,
0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f,
0x6e, 0x20, 0x41, 0x75, 0x64, 0x68, 0x6f, 0x72,
0x69, 0x74, 0x79, 0x30, 0x1e, 0x17, 0x0d, 0x39,
0x37, 0x30, 0x34, 0x31, 0x37, 0x30, 0x30, 0x30,
0x30, 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x31, 0x36,
0x31, 0x30, 0x32, 0x34, 0x32, 0x33, 0x35, 0x39,
0x35, 0x39, 0x5a, 0x30, 0x81, 0xba, 0x31, 0x1f,
0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13,
0x16, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67,
0x6e, 0x20, 0x54, 0x72, 0x75, 0x73, 0x74, 0x20,
0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x31,
0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0b,
0x13, 0x0e, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69,
0x67, 0x6e, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e,
0x31, 0x33, 0x30, 0x31, 0x06, 0x03, 0x55, 0x04,
0x0b, 0x13, 0x2a, 0x56, 0x65, 0x72, 0x69, 0x53,
0x69, 0x67, 0x6e, 0x20, 0x49, 0x6e, 0x74, 0x65,
0x72, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61,
0x6c, 0x20, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
0x20, 0x43, 0x41, 0x20, 0x2d, 0x20, 0x43, 0x6c,
0x61, 0x73, 0x73, 0x20, 0x33, 0x31, 0x49, 0x30,
0x47, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x40,
0x77, 0x77, 0x77, 0x2e, 0x76, 0x65, 0x72, 0x69,
0x73, 0x69,
0x67, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x43,
0x50, 0x53, 0x20, 0x49, 0x6e, 0x63, 0x6f, 0x72,
0x70, 0x2e, 0x62, 0x79, 0x20, 0x52, 0x65, 0x66,
0x2e, 0x20, 0x4c, 0x49, 0x41, 0x42, 0x49, 0x4c,
0x49, 0x54, 0x59, 0x20, 0x4c, 0x54, 0x44, 0x2e,
0x28, 0x63, 0x29, 0x39, 0x37, 0x20, 0x56, 0x65,
0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x30, 0x81,
0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00,
0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02,
0x81, 0x81, 0x00, 0xd8, 0x82, 0x80, 0xe8, 0xd6,
0x19, 0x02, 0x7d, 0x1f, 0x85, 0x18, 0x39, 0x25,
0xa2, 0x65, 0x2b, 0xe1, 0xbf, 0xd4, 0x05, 0xd3,
0xbc, 0xe6, 0x36, 0x3b, 0xaa, 0xf0, 0x4c, 0x6c,
0x5b, 0xb6, 0xe7, 0xaa, 0x3c, 0x73, 0x45, 0x55,
0xb2, 0xf1, 0xbd, 0xea, 0x97, 0x42, 0xed, 0x9a,
0x34, 0x0a, 0x15, 0xd4, 0xa9, 0x5c, 0xf5, 0x40,
0x25, 0xdd, 0xd9, 0x07, 0xc1, 0x32, 0xb2, 0x75,
0x6c, 0xc4, 0xca, 0xbb, 0xa3, 0xfe, 0x56, 0x27,
0x71, 0x43, 0xaa, 0x63, 0xf5, 0x30, 0x3e, 0x93,
0x28, 0xe5, 0xfa, 0xf1, 0x09, 0x3b, 0xf3, 0xb7,
0x4d, 0x4e, 0x39, 0xf7, 0x5c, 0x49, 0x5a, 0xb8,
0xc1, 0x1d, 0xd3, 0xb2, 0x8a, 0xfe, 0x70, 0x30,
0x95, 0x42, 0xcb, 0xfe, 0x2b, 0x51, 0x8b, 0x5a,
0x3c, 0x3a, 0xf9, 0x22, 0x4f, 0x90, 0xb2, 0x02,
0xa7, 0x53, 0x9c, 0x4f, 0x34, 0xe7, 0xab, 0x04,
0xb2, 0x7b, 0x6f, 0x02, 0x03, 0x01, 0x00, 0x01,
0xa3, 0x81, 0xe3, 0x30, 0x81, 0xe0, 0x30, 0x0f,
0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x08, 0x30,
0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x00, 0x30,
0x44, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x3d,
0x30, 0x3b, 0x30, 0x39, 0x06, 0x0b, 0x60, 0x86,
0x48, 0x01, 0x86, 0xf8, 0x45, 0x01, 0x07, 0x01,
0x01, 0x30, 0x2a, 0x30, 0x28, 0x06, 0x08, 0x2b,
0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01, 0x16,
0x1c, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f,
0x2f, 0x77, 0x77, 0x77, 0x2e, 0x76, 0x65, 0x72,
0x69, 0x73, 0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f,
0x6d, 0x2f, 0x43, 0x50, 0x53, 0x30, 0x34, 0x06,
0x03, 0x55, 0x1d, 0x25, 0x04, 0x2d, 0x30, 0x2b,
0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
0x05, 0x07, 0x03, 0x02, 0x06, 0x09, 0x60, 0x86,
0x48, 0x01, 0x86, 0xf8, 0x42, 0x04, 0x01, 0x06,
0x0a, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x45,
0x01, 0x08, 0x01, 0x30, 0x0b, 0x06, 0x03, 0x55,
0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06,
0x30, 0x11, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
0x86, 0xf8, 0x42, 0x01, 0x01, 0x04, 0x04, 0x03,
0x02, 0x01, 0x06, 0x30, 0x31, 0x06, 0x03, 0x55,
0x1d, 0x1f, 0x04, 0x2a, 0x30, 0x28, 0x30, 0x26,
0xa0, 0x24, 0xa0, 0x22, 0x86, 0x20, 0x68, 0x74,
0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c,
0x2e, 0x76, 0x65, 0x72, 0x69, 0x73, 0x69, 0x67,
0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x63,
0x61, 0x33, 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x0d,
0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x81, 0x81,
0x00, 0x40, 0x8e, 0x49, 0x97, 0x96, 0x8a, 0x73,
0xdd, 0x8e, 0x4d, 0xef, 0x3e, 0x61, 0xb7, 0xca,
0xa0, 0x62, 0xad, 0xf4, 0x0e, 0x0a, 0xbb, 0x75,
0x3d, 0xe2, 0x6e, 0xd8, 0x2c, 0xc7, 0xbf, 0xf4,
0xb9, 0x8c, 0x36, 0x9b, 0xca, 0xa2, 0xd0, 0x9c,
0x72, 0x46, 0x39, 0xf6, 0xa6, 0x82, 0x03, 0x65,
0x11, 0xc4, 0xbc, 0xbf, 0x2d, 0xa6, 0xf5, 0xd9,
0x3b, 0x0a, 0xb5, 0x98, 0xfa, 0xb3, 0x78, 0xb9,
0x1e, 0xf2, 0x2b, 0x4c, 0x62, 0xd5, 0xfd, 0xb2,
0x7a, 0x1d, 0xdf, 0x33, 0xfd, 0x73, 0xf9, 0xa5,
0xd8, 0x2d, 0x8c, 0x2a, 0xea, 0xd1, 0xfc, 0xb0,
0x28, 0xb6, 0xe9, 0x49, 0x48, 0x13, 0x4b, 0x83,
0x8a, 0x1b, 0x48, 0x7b, 0x24, 0xf7, 0x38, 0xde,
0x6f, 0x41, 0x54, 0xb8, 0xab, 0x57, 0x6b, 0x06,
0xdf, 0xc7, 0xa2, 0xd4, 0xa9, 0xf6, 0xf1, 0x36,
0x62, 0x80, 0x88, 0xf2, 0x8b, 0x75, 0xd6, 0x80,
0x75, 0x16, 0x03, 0x01, 0x00, 0x04, 0x0e, 0x00,
0x00, 0x00
};
uint32_t server_hello_certificate_done_len = sizeof(server_hello_certificate_done);
uint8_t client_key_exchange_cipher_enc_hs[] = {
0x16, 0x03, 0x01, 0x00, 0x86, 0x10, 0x00, 0x00,
0x80, 0x00, 0x80, 0x14, 0x2b, 0x2f, 0x9f, 0x02,
0x1d, 0x4e, 0x0d, 0xa7, 0x41, 0x0f, 0x99, 0xc5,
0xe9, 0x49, 0x22, 0x14, 0xa0, 0x42, 0x7b, 0xb4,
0x6d, 0x4f, 0x82, 0x3c, 0x3a, 0x6e, 0xed, 0xd5,
0x6e, 0x72, 0x71, 0xae, 0x00, 0x4a, 0x9a, 0xc9,
0x0e, 0x2d, 0x08, 0xa2, 0xd3, 0x3a, 0xb0, 0xb2,
0x1a, 0x56, 0x01, 0x7c, 0x9a, 0xfa, 0xfb, 0x1a,
0xd7, 0x7e, 0x20, 0x68, 0x51, 0xd0, 0xfe, 0xd9,
0xdc, 0xa7, 0x0b, 0xeb, 0x1a, 0xb6, 0xd3, 0xc7,
0x17, 0x1f, 0xf3, 0x6e, 0x91, 0xdd, 0x06, 0x0d,
0x48, 0xde, 0xcd, 0x0c, 0x36, 0x8c, 0x83, 0x29,
0x9a, 0x40, 0x03, 0xcd, 0xf3, 0x1b, 0xdb, 0xd8,
0x44, 0x6b, 0x75, 0xf3, 0x5a, 0x9f, 0x26, 0x1a,
0xc4, 0x16, 0x35, 0x8f, 0xc1, 0x15, 0x19, 0xa9,
0xdf, 0x07, 0xa9, 0xe5, 0x56, 0x45, 0x6d, 0xca,
0x20, 0x3c, 0xcf, 0x8e, 0xbe, 0x44, 0x68, 0x73,
0xc8, 0x0b, 0xc7, 0x14, 0x03, 0x01, 0x00, 0x01,
0x01, 0x16, 0x03, 0x01, 0x00, 0x24, 0xf9, 0x7e,
0x28, 0x77, 0xa9, 0x9a, 0x08, 0x0c, 0x2e, 0xa9,
0x09, 0x15, 0x27, 0xcd, 0x93, 0x5f, 0xc0, 0x32,
0x0a, 0x8d, 0x62, 0xd3, 0x54, 0x79, 0x6b, 0x51,
0xd7, 0xba, 0x02, 0xd6, 0xdb, 0x66, 0xe8, 0x97,
0x5d, 0x7a
};
uint32_t client_key_exchange_cipher_enc_hs_len = sizeof(client_key_exchange_cipher_enc_hs);
TcpSession ssn;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
bug #955 - Fix SSL parsing issue. The parser wasn't carrying out a bounds check on record length while in the middle of parsing a handshake. As a result we would step onto the next record header and consider it a part of the current handshake. - Contains an unittest to test the issue. - Disable the duplicate parser unittest registration. The issue came to light through an irregular ssl record, which was reported by Sebastian Roschke, via CVE-2013-5919. Thanks to Sebastian Roschke for reporting this issue.
12 years ago
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
bug #955 - Fix SSL parsing issue. The parser wasn't carrying out a bounds check on record length while in the middle of parsing a handshake. As a result we would step onto the next record header and consider it a part of the current handshake. - Contains an unittest to test the issue. - Disable the duplicate parser unittest registration. The issue came to light through an irregular ssl record, which was reported by Sebastian Roschke, via CVE-2013-5919. Thanks to Sebastian Roschke for reporting this issue.
12 years ago
StreamTcpInitConfig(TRUE);
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, client_hello, client_hello_len);
bug #955 - Fix SSL parsing issue. The parser wasn't carrying out a bounds check on record length while in the middle of parsing a handshake. As a result we would step onto the next record header and consider it a part of the current handshake. - Contains an unittest to test the issue. - Disable the duplicate parser unittest registration. The issue came to light through an irregular ssl record, which was reported by Sebastian Roschke, via CVE-2013-5919. Thanks to Sebastian Roschke for reporting this issue.
12 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
SCMutexUnlock(&f.m);
goto end;
}
SCMutexUnlock(&f.m);
SSLState *ssl_state = f.alstate;
if (ssl_state == NULL) {
printf("no tls state: ");
goto end;
}
if (ssl_state->client_connp.bytes_processed != 0 ||
ssl_state->client_connp.hs_bytes_processed != 0)
{
printf("client_hello error\n");
goto end;
}
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
server_hello_certificate_done,
server_hello_certificate_done_len);
bug #955 - Fix SSL parsing issue. The parser wasn't carrying out a bounds check on record length while in the middle of parsing a handshake. As a result we would step onto the next record header and consider it a part of the current handshake. - Contains an unittest to test the issue. - Disable the duplicate parser unittest registration. The issue came to light through an irregular ssl record, which was reported by Sebastian Roschke, via CVE-2013-5919. Thanks to Sebastian Roschke for reporting this issue.
12 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
SCMutexUnlock(&f.m);
goto end;
}
SCMutexUnlock(&f.m);
if (ssl_state->client_connp.bytes_processed != 0 ||
ssl_state->client_connp.hs_bytes_processed != 0)
{
printf("server_hello_certificate_done error\n");
goto end;
}
SCMutexLock(&f.m);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
client_key_exchange_cipher_enc_hs,
client_key_exchange_cipher_enc_hs_len);
bug #955 - Fix SSL parsing issue. The parser wasn't carrying out a bounds check on record length while in the middle of parsing a handshake. As a result we would step onto the next record header and consider it a part of the current handshake. - Contains an unittest to test the issue. - Disable the duplicate parser unittest registration. The issue came to light through an irregular ssl record, which was reported by Sebastian Roschke, via CVE-2013-5919. Thanks to Sebastian Roschke for reporting this issue.
12 years ago
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
SCMutexUnlock(&f.m);
goto end;
}
SCMutexUnlock(&f.m);
/* The reason hs_bytes_processed is 2 is because, the record
* immediately after the client key exchange is 2 bytes long,
* and next time we see a new handshake, it is after we have
* seen a change cipher spec. Hence when we process the
* handshake, we immediately break and don't parse the pdu from
* where we left off, and leave the hs_bytes_processed var
* isn't reset. */
if (ssl_state->client_connp.bytes_processed != 0 ||
ssl_state->client_connp.hs_bytes_processed != 2)
{
printf("client_key_exchange_cipher_enc_hs error\n");
goto end;
}
result = 1;
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
bug #955 - Fix SSL parsing issue. The parser wasn't carrying out a bounds check on record length while in the middle of parsing a handshake. As a result we would step onto the next record header and consider it a part of the current handshake. - Contains an unittest to test the issue. - Disable the duplicate parser unittest registration. The issue came to light through an irregular ssl record, which was reported by Sebastian Roschke, via CVE-2013-5919. Thanks to Sebastian Roschke for reporting this issue.
12 years ago
StreamTcpFreeConfig(TRUE);
return result;
}
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
#endif /* UNITTESTS */
some naming changes in ssl parser and ssl related keywords
15 years ago
void SSLParserRegisterTests(void)
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
{
#ifdef UNITTESTS
some naming changes in ssl parser and ssl related keywords
15 years ago
UtRegisterTest("SSLParserTest01", SSLParserTest01, 1);
UtRegisterTest("SSLParserTest02", SSLParserTest02, 1);
UtRegisterTest("SSLParserTest03", SSLParserTest03, 1);
UtRegisterTest("SSLParserTest04", SSLParserTest04, 1);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
/* Updated by Anoop Saldanha. Faulty tests. Disable it for now */
some naming changes in ssl parser and ssl related keywords
15 years ago
//UtRegisterTest("SSLParserTest05", SSLParserTest05, 1);
//UtRegisterTest("SSLParserTest06", SSLParserTest06, 1);
UtRegisterTest("SSLParserTest07", SSLParserTest07, 1);
//UtRegisterTest("SSLParserTest08", SSLParserTest08, 1);
UtRegisterTest("SSLParserTest09", SSLParserTest09, 1);
UtRegisterTest("SSLParserTest10", SSLParserTest10, 1);
UtRegisterTest("SSLParserTest11", SSLParserTest11, 1);
UtRegisterTest("SSLParserTest12", SSLParserTest12, 1);
UtRegisterTest("SSLParserTest13", SSLParserTest13, 1);
UtRegisterTest("SSLParserTest14", SSLParserTest14, 1);
UtRegisterTest("SSLParserTest15", SSLParserTest15, 1);
UtRegisterTest("SSLParserTest16", SSLParserTest16, 1);
UtRegisterTest("SSLParserTest17", SSLParserTest17, 1);
UtRegisterTest("SSLParserTest18", SSLParserTest18, 1);
UtRegisterTest("SSLParserTest19", SSLParserTest19, 1);
UtRegisterTest("SSLParserTest20", SSLParserTest20, 1);
UtRegisterTest("SSLParserTest21", SSLParserTest21, 1);
UtRegisterTest("SSLParserTest22", SSLParserTest22, 1);
UtRegisterTest("SSLParserTest23", SSLParserTest23, 1);
UtRegisterTest("SSLParserTest24", SSLParserTest24, 1);
bug #955 - Fix SSL parsing issue. The parser wasn't carrying out a bounds check on record length while in the middle of parsing a handshake. As a result we would step onto the next record header and consider it a part of the current handshake. - Contains an unittest to test the issue. - Disable the duplicate parser unittest registration. The issue came to light through an irregular ssl record, which was reported by Sebastian Roschke, via CVE-2013-5919. Thanks to Sebastian Roschke for reporting this issue.
12 years ago
UtRegisterTest("SSLParserTest25", SSLParserTest25, 1);
some naming changes in ssl parser and ssl related keywords
15 years ago
UtRegisterTest("SSLParserMultimsgTest01", SSLParserMultimsgTest01, 1);
UtRegisterTest("SSLParserMultimsgTest02", SSLParserMultimsgTest02, 1);
replace the contents of app-layer-ssl.[ch] with the contents from app-layer-tls.[ch]
15 years ago
#endif /* UNITTESTS */
return;
}