aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'b32abea06b'
${ noResults }
suricata/src/app-layer-parser.c

3048 lines
103 KiB
C
Raw Normal View History Unescape Escape

Create SCMUTEX_INITIALIZER to abstract out PTHREAD_MUTEX_INITIALIZER This allows replacing pthread mutexes with other types of mutex.
12 years ago
/* Copyright (C) 2007-2013 Open Information Security Foundation
Import of GPLv2 Header 050410
15 years ago
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Victor Julien <victor@inliniac.net>
*
* Generic App-layer parsing functions.
*/
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
Rename to Suricata.
16 years ago
#include "suricata-common.h"
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
#include "debug.h"
app layer error handling
16 years ago
#include "util-unittest.h"
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
#include "decode.h"
#include "threads.h"
#include "util-print.h"
#include "util-pool.h"
properly init flows inside of unit-tests caused lock-up when falling back to using mutex locks
15 years ago
#include "flow-util.h"
FLOW_DESTROY added to clean-up UT's that init flow
15 years ago
#include "detect-engine-state.h"
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
#include "detect-engine-port.h"
FLOW_DESTROY added to clean-up UT's that init flow
15 years ago
Stream engine memory handling update The stream engine memory handling needed updating as it didn't scale. Changes: - pools can now be initialized to size 0, meaning unlimited - stream engine uses a memcap setting. Sessions, segments and aldata is part of this, app layer state isn't. - memory is accounted using a global int that is spinlocked. - a counter for sessions that have not been picked up because of memcap was added. - all reassembly errors are converted to debug msgs.
16 years ago
#include "stream-tcp.h"
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
#include "stream-tcp-private.h"
#include "stream.h"
tls no reassembly support
16 years ago
#include "stream-tcp-reassemble.h"
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
file-extraction: Disconnect file handling from flow and move into the app layer state.
14 years ago
#include "app-layer.h"
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
#include "app-layer-protos.h"
#include "app-layer-parser.h"
push all proto detection code into their respective app parser register functions for every alproto
14 years ago
#include "app-layer-smb.h"
Add --unittests-coverage option to list how many code modules have tests
12 years ago
#include "app-layer-smb2.h"
push all proto detection code into their respective app parser register functions for every alproto
14 years ago
#include "app-layer-dcerpc.h"
#include "app-layer-dcerpc-udp.h"
#include "app-layer-htp.h"
#include "app-layer-ftp.h"
#include "app-layer-ssl.h"
#include "app-layer-ssh.h"
smtp parser support
14 years ago
#include "app-layer-smtp.h"
DNS TCP and UDP parser and DNS response logger
13 years ago
#include "app-layer-dns-udp.h"
#include "app-layer-dns-tcp.h"
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
Introduce new options into the conf file to enable/disable - 1. Proto detection 2. Parsers For app layer protocols. libhtp has now been moved to the section under app-layer.protocols.http, but we still provide backward compatibility with older conf files.
12 years ago
#include "conf.h"
Adding single pattern matcher algorithms. If you cannot store a context for the patterns, use SpmSearch() macro. Adding unittests and stats
16 years ago
#include "util-spm.h"
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
More logging API usage changes.
16 years ago
#include "util-debug.h"
Support for app layer decoder events added + app_layer_event keyword added
14 years ago
#include "decode-events.h"
flow: shrink Flow datatype Introduce a separate FlowAddress structure for holding the ipv4 or ipv6 address that doesn't have the family in it like the Address structure. Instead, the family is stored in the flow as a flag: FLOW_IPV4 and FLOW_IPV6. Add macro's to check the family, copy the address, etc. Update many unittests to reflect these changes. Introduce unittest helper functions for creating and initializing a flow and freeing it again. On 64 bit this shrinks the flow with 8 bytes.
14 years ago
#include "util-unittest-helper.h"
Fix locking error in filestore handling. Add debug validate check for asserting a flow is locked.
14 years ago
#include "util-validate.h"
More logging API usage changes.
16 years ago
Add new command line option --list-app-layer-protocols to list supported app layer protocols in sigs
14 years ago
AppLayerProto al_proto_table[ALPROTO_MAX]; /**< Application layer protocol
table mapped to their
corresponding parsers */
Properly lock app layer result pool and add some debugging code for memory tracking.
16 years ago
#define MAX_PARSERS 100
static AppLayerParserTableElement al_parser_table[MAX_PARSERS];
static uint16_t al_max_parsers = 0; /* incremented for every registered parser */
Update to the parsers.
16 years ago
static Pool *al_result_pool = NULL;
Create SCMUTEX_INITIALIZER to abstract out PTHREAD_MUTEX_INITIALIZER This allows replacing pthread mutexes with other types of mutex.
12 years ago
static SCMutex al_result_pool_mutex = SCMUTEX_INITIALIZER;
Properly lock app layer result pool and add some debugging code for memory tracking.
16 years ago
#ifdef DEBUG
static uint32_t al_result_pool_elmts = 0;
#endif /* DEBUG */
file-extraction: Disconnect file handling from flow and move into the app layer state.
14 years ago
/** \brief Get the file container flow
* \param f flow pointer to a LOCKED flow
* \retval files void pointer to the state
file extract: split toserver and toclient tracking Split toserver and toclient file tracking for the http state.
14 years ago
* \retval direction flow direction, either STREAM_TOCLIENT or STREAM_TOSERVER
file-extraction: Disconnect file handling from flow and move into the app layer state.
14 years ago
* \retval NULL in case we have no state */
file extract: split toserver and toclient tracking Split toserver and toclient file tracking for the http state.
14 years ago
FileContainer *AppLayerGetFilesFromFlow(Flow *f, uint8_t direction) {
file handling: improve filestore keyword handling In stateful detection only inspect the file portion of the rule after all other conditions matched. This to prevent "filestore" from tagging files for storage during a partial match. Add a couple of unittests to test the behaviour change.
14 years ago
SCEnter();
Add more flow lock assertions to the debug validation code.
14 years ago
DEBUG_ASSERT_FLOW_LOCKED(f);
file-extraction: Disconnect file handling from flow and move into the app layer state.
14 years ago
uint16_t alproto = f->alproto;
if (alproto == ALPROTO_UNKNOWN)
file handling: improve filestore keyword handling In stateful detection only inspect the file portion of the rule after all other conditions matched. This to prevent "filestore" from tagging files for storage during a partial match. Add a couple of unittests to test the behaviour change.
14 years ago
SCReturnPtr(NULL, "FileContainer");
file-extraction: Disconnect file handling from flow and move into the app layer state.
14 years ago
file handling: improve filestore keyword handling In stateful detection only inspect the file portion of the rule after all other conditions matched. This to prevent "filestore" from tagging files for storage during a partial match. Add a couple of unittests to test the behaviour change.
14 years ago
if (al_proto_table[alproto].StateGetFiles != NULL) {
FileContainer *ptr = al_proto_table[alproto].StateGetFiles(AppLayerGetProtoStateFromFlow(f), direction);
SCReturnPtr(ptr, "FileContainer");
} else {
SCReturnPtr(NULL, "FileContainer");
}
file-extraction: Disconnect file handling from flow and move into the app layer state.
14 years ago
}
Update to the parsers.
16 years ago
app layer: add support for per TX decoder events
12 years ago
/** \brief Get the decoder events from the flow
* \param f flow pointer to a LOCKED flow
* \param tx_id transaction id
* \retval files void pointer to the state
* \retval NULL in case we have no state */
AppLayerDecoderEvents *AppLayerGetEventsFromFlowByTx(Flow *f, uint64_t tx_id) {
SCEnter();
DEBUG_ASSERT_FLOW_LOCKED(f);
uint16_t alproto = f->alproto;
if (alproto == ALPROTO_UNKNOWN)
SCReturnPtr(NULL, "AppLayerDecoderEvents");
if (al_proto_table[alproto].StateGetEvents != NULL) {
AppLayerDecoderEvents *ptr = al_proto_table[alproto].StateGetEvents(AppLayerGetProtoStateFromFlow(f), tx_id);
SCReturnPtr(ptr, "AppLayerDecoderEvents");
} else {
SCReturnPtr(NULL, "AppLayerDecoderEvents");
}
}
App layer: add 'StateHasEvents' API call Per TX decoder events resulted in significant overhead to the detection engine, as it walked all TX' all the time to check if decoder events were available. This commit introduces a new API call StateHasEvents, which speeds up this process, at the expense of keeping a counter in the state. Implement this for DNS as well.
12 years ago
/** \brief check if we have decoder events
* \retval 1 yes
* \retval 0 no */
app layer: add support for per TX decoder events
12 years ago
int AppLayerFlowHasDecoderEvents(Flow *f, uint8_t flags) {
AppLayerDecoderEvents *decoder_events;
DEBUG_ASSERT_FLOW_LOCKED(f);
if (f->alproto <= ALPROTO_UNKNOWN || f->alproto >= ALPROTO_MAX)
return 0;
if (AppLayerProtoIsTxEventAware(f->alproto)) {
App layer: add 'StateHasEvents' API call Per TX decoder events resulted in significant overhead to the detection engine, as it walked all TX' all the time to check if decoder events were available. This commit introduces a new API call StateHasEvents, which speeds up this process, at the expense of keeping a counter in the state. Implement this for DNS as well.
12 years ago
/* fast path if supported by proto */
if (al_proto_table[f->alproto].StateHasEvents != NULL) {
if (al_proto_table[f->alproto].StateHasEvents(f->alstate) == 1)
app layer: add support for per TX decoder events
12 years ago
return 1;
App layer: add 'StateHasEvents' API call Per TX decoder events resulted in significant overhead to the detection engine, as it walked all TX' all the time to check if decoder events were available. This commit introduces a new API call StateHasEvents, which speeds up this process, at the expense of keeping a counter in the state. Implement this for DNS as well.
12 years ago
} else {
/* check each tx */
uint64_t tx_id = AppLayerTransactionGetInspectId(f, flags);
uint64_t max_id = AppLayerGetTxCnt(f->alproto, f->alstate);
for ( ; tx_id < max_id; tx_id++) {
decoder_events = AppLayerGetEventsFromFlowByTx(f, tx_id);
if (decoder_events && decoder_events->cnt)
return 1;
}
app layer: add support for per TX decoder events
12 years ago
}
}
decoder_events = AppLayerGetDecoderEventsForFlow(f);
if (decoder_events && decoder_events->cnt)
return 1;
return 0;
}
/** \brief Return true if alproto uses per TX events
* \param alproto proto to check
*/
int AppLayerProtoIsTxEventAware(uint16_t alproto) {
if (alproto > ALPROTO_UNKNOWN && alproto < ALPROTO_MAX &&
al_proto_table[alproto].StateGetEvents != NULL)
return 1;
return 0;
}
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
/** \brief Alloc a AppLayerParserResultElmt func for the pool */
pool: realize a block allocation for preallocated item. This patch required a evolution of Pool API as it is needed to proceed to alloc or init separetely. The PoolInit has been changed with a new Init function parameter.
13 years ago
static void *AlpResultElmtPoolAlloc()
app layer error handling
16 years ago
{
pool: realize a block allocation for preallocated item. This patch required a evolution of Pool API as it is needed to proceed to alloc or init separetely. The PoolInit has been changed with a new Init function parameter.
13 years ago
AppLayerParserResultElmt *e = NULL;
e = (AppLayerParserResultElmt *)SCMalloc
(sizeof(AppLayerParserResultElmt));
Fix inconsistent use of dynamic memory allocation
15 years ago
if (e == NULL)
Update to the parsers.
16 years ago
return NULL;
Properly lock app layer result pool and add some debugging code for memory tracking.
16 years ago
#ifdef DEBUG
al_result_pool_elmts++;
SCLogDebug("al_result_pool_elmts %"PRIu32"", al_result_pool_elmts);
#endif /* DEBUG */
Update to the parsers.
16 years ago
return e;
}
Transaction engine redesigned. Improved accuracy, improved performance. Performance improvement noticeable with http heavy traffic and ruleset. A lot of other cosmetic changes carried out as well. Wrappers introduced for a lot of app layer functions. Failing dce unittests disabled. Will be reintroduced in the updated dce engine. Cross transaction matching taken care of. FPs emanating from these matches have now disappeared. Double inspection of transactions taken care of as well.
12 years ago
int AppLayerGetAlstateProgress(uint16_t alproto, void *state, uint8_t direction)
{
return al_proto_table[alproto].StateGetAlstateProgress(state, direction);
}
uint64_t AppLayerGetTxCnt(uint16_t alproto, void *alstate)
{
return al_proto_table[alproto].StateGetTxCnt(alstate);
}
void *AppLayerGetTx(uint16_t alproto, void *alstate, uint64_t tx_id)
{
return al_proto_table[alproto].StateGetTx(alstate, tx_id);
}
int AppLayerGetAlstateProgressCompletionStatus(uint16_t alproto, uint8_t direction)
{
return al_proto_table[alproto].StateGetAlstateProgressCompletionStatus(direction);
}
int AppLayerAlprotoSupportsTxs(uint16_t alproto)
{
return (al_proto_table[alproto].StateTransactionFree != NULL);
}
pool: rename Free function to Cleanup This patch renames Free functions to Cleanup as the free is made by the pool system.
13 years ago
static void AlpResultElmtPoolCleanup(void *e)
app layer error handling
16 years ago
{
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
AppLayerParserResultElmt *re = (AppLayerParserResultElmt *)e;
if (re->flags & ALP_RESULT_ELMT_ALLOC) {
if (re->data_ptr != NULL)
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
SCFree(re->data_ptr);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
}
Properly lock app layer result pool and add some debugging code for memory tracking.
16 years ago
#ifdef DEBUG
al_result_pool_elmts--;
SCLogDebug("al_result_pool_elmts %"PRIu32"", al_result_pool_elmts);
#endif /* DEBUG */
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
}
app layer error handling
16 years ago
static AppLayerParserResultElmt *AlpGetResultElmt(void)
{
Properly lock app layer result pool and add some debugging code for memory tracking.
16 years ago
SCMutexLock(&al_result_pool_mutex);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
AppLayerParserResultElmt *e = (AppLayerParserResultElmt *)PoolGet(al_result_pool);
Properly lock app layer result pool and add some debugging code for memory tracking.
16 years ago
SCMutexUnlock(&al_result_pool_mutex);
Small stream fixes.
16 years ago
if (e == NULL) {
Yet more logging api usage changes.
16 years ago
return NULL;
Small stream fixes.
16 years ago
}
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
e->next = NULL;
Update to the parsers.
16 years ago
return e;
}
app layer error handling
16 years ago
static void AlpReturnResultElmt(AppLayerParserResultElmt *e)
{
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
if (e->flags & ALP_RESULT_ELMT_ALLOC) {
if (e->data_ptr != NULL)
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
SCFree(e->data_ptr);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
}
e->flags = 0;
e->data_ptr = NULL;
e->data_len = 0;
e->next = NULL;
Properly lock app layer result pool and add some debugging code for memory tracking.
16 years ago
SCMutexLock(&al_result_pool_mutex);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
PoolReturn(al_result_pool, (void *)e);
Properly lock app layer result pool and add some debugging code for memory tracking.
16 years ago
SCMutexUnlock(&al_result_pool_mutex);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
}
app layer error handling
16 years ago
static void AlpAppendResultElmt(AppLayerParserResult *r, AppLayerParserResultElmt *e)
{
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
if (r->head == NULL) {
r->head = e;
r->tail = e;
r->cnt = 1;
} else {
r->tail->next = e;
r->tail = e;
r->cnt++;
}
}
/**
* \param alloc Is ptr alloc'd (1) or a ptr to static mem (0).
initial version of better error checking/handling in the app layer code
16 years ago
* \retval -1 error
* \retval 0 ok
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
*/
app layer error handling
16 years ago
static int AlpStoreField(AppLayerParserResult *output, uint16_t idx,
uint8_t *ptr, uint32_t len, uint8_t alloc)
{
initial version of better error checking/handling in the app layer code
16 years ago
SCEnter();
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
AppLayerParserResultElmt *e = AlpGetResultElmt();
app layer htp error handling and fixes for memory leaks and segv
16 years ago
if (e == NULL) {
fixed-pool-error-and-tcp-state-transition
16 years ago
SCLogError(SC_ERR_POOL_EMPTY, "App layer \"al_result_pool\" is empty");
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(-1);
app layer htp error handling and fixes for memory leaks and segv
16 years ago
}
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
if (alloc == 1)
e->flags |= ALP_RESULT_ELMT_ALLOC;
e->name_idx = idx;
e->data_ptr = ptr;
e->data_len = len;
AlpAppendResultElmt(output, e);
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(0);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
}
Provide a function to set the app layer tx eof flag. Use this in FFR code instead of diretly setting the flag. This cleans up the API as well
14 years ago
void AppLayerSetEOF(Flow *f)
{
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
if (f == NULL)
stream: improve TCP ssn reuse cleanup.
14 years ago
return;
Provide a function to set the app layer tx eof flag. Use this in FFR code instead of diretly setting the flag. This cleans up the API as well
14 years ago
AppLayerParserStateStore *parser_state_store =
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
(AppLayerParserStateStore *)f->alparser;
Provide a function to set the app layer tx eof flag. Use this in FFR code instead of diretly setting the flag. This cleans up the API as well
14 years ago
if (parser_state_store != NULL) {
parser_state_store->id_flags |= APP_LAYER_TRANSACTION_EOF;
parser_state_store->to_client.flags |= APP_LAYER_PARSER_EOF;
parser_state_store->to_server.flags |= APP_LAYER_PARSER_EOF;
Fix stateful inspection not always inspecting at stream end.
13 years ago
/* increase version so we will inspect it one more time
* with the EOF flags now set */
parser_state_store->version++;
Provide a function to set the app layer tx eof flag. Use this in FFR code instead of diretly setting the flag. This cleans up the API as well
14 years ago
}
}
Add 'BySize' field parser. Add stub tls parser.
16 years ago
/** \brief Parse a field up to we reach the size limit
*
* \retval 1 Field found and stored.
* \retval 0 Field parsing in progress.
* \retval -1 error
*/
app layer error handling
16 years ago
int AlpParseFieldBySize(AppLayerParserResult *output, AppLayerParserState *pstate,
uint16_t field_idx, uint32_t size, uint8_t *input,
uint32_t input_len, uint32_t *offset)
{
initial version of better error checking/handling in the app layer code
16 years ago
SCEnter();
Add 'BySize' field parser. Add stub tls parser.
16 years ago
if ((pstate->store_len + input_len) < size) {
if (pstate->store_len == 0) {
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
pstate->store = SCMalloc(input_len);
Fix inconsistent use of dynamic memory allocation
15 years ago
if (pstate->store == NULL)
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(-1);
Add 'BySize' field parser. Add stub tls parser.
16 years ago
memcpy(pstate->store, input, input_len);
pstate->store_len = input_len;
} else {
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
pstate->store = SCRealloc(pstate->store, (input_len + pstate->store_len));
Fix inconsistent use of dynamic memory allocation
15 years ago
if (pstate->store == NULL)
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(-1);
Add 'BySize' field parser. Add stub tls parser.
16 years ago
memcpy(pstate->store+pstate->store_len, input, input_len);
pstate->store_len += input_len;
}
} else {
if (pstate->store_len == 0) {
initial version of better error checking/handling in the app layer code
16 years ago
int r = AlpStoreField(output, field_idx, input, size, /* static mem */0);
if (r == -1) {
Renaming errors with naming conventions
16 years ago
SCLogError(SC_ERR_ALPARSER, "Failed to store field value");
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(-1);
}
Add 'BySize' field parser. Add stub tls parser.
16 years ago
(*offset) += size;
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(1);
Add 'BySize' field parser. Add stub tls parser.
16 years ago
} else {
uint32_t diff = size - pstate->store_len;
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
pstate->store = SCRealloc(pstate->store, (diff + pstate->store_len));
Fix inconsistent use of dynamic memory allocation
15 years ago
if (pstate->store == NULL)
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(-1);
Add 'BySize' field parser. Add stub tls parser.
16 years ago
memcpy(pstate->store+pstate->store_len, input, diff);
pstate->store_len += diff;
app layer error handling
16 years ago
int r = AlpStoreField(output, field_idx, pstate->store,
pstate->store_len, /* alloc mem */1);
initial version of better error checking/handling in the app layer code
16 years ago
if (r == -1) {
Renaming errors with naming conventions
16 years ago
SCLogError(SC_ERR_ALPARSER, "Failed to store field value");
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(-1);
}
Add 'BySize' field parser. Add stub tls parser.
16 years ago
(*offset) += diff;
pstate->store = NULL;
pstate->store_len = 0;
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(1);
Add 'BySize' field parser. Add stub tls parser.
16 years ago
}
}
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(0);
Add 'BySize' field parser. Add stub tls parser.
16 years ago
}
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
/** \brief Parse a field up to the EOF
*
* \retval 1 Field found and stored.
* \retval 0 Field parsing in progress.
* \retval -1 error
*/
app layer error handling
16 years ago
int AlpParseFieldByEOF(AppLayerParserResult *output, AppLayerParserState *pstate,
uint16_t field_idx, uint8_t *input, uint32_t input_len)
{
initial version of better error checking/handling in the app layer code
16 years ago
SCEnter();
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
if (pstate->store_len == 0) {
if (pstate->flags & APP_LAYER_PARSER_EOF) {
initial version of better error checking/handling in the app layer code
16 years ago
SCLogDebug("store_len 0 and EOF");
int r = AlpStoreField(output, field_idx, input, input_len, 0);
if (r == -1) {
Renaming errors with naming conventions
16 years ago
SCLogError(SC_ERR_ALPARSER, "Failed to store field value");
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(-1);
}
SCReturnInt(1);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
} else {
initial version of better error checking/handling in the app layer code
16 years ago
SCLogDebug("store_len 0 but no EOF");
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
/* delimiter field not found, so store the result for the next run */
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
pstate->store = SCMalloc(input_len);
Fix inconsistent use of dynamic memory allocation
15 years ago
if (pstate->store == NULL)
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(-1);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
memcpy(pstate->store, input, input_len);
pstate->store_len = input_len;
}
} else {
if (pstate->flags & APP_LAYER_PARSER_EOF) {
initial version of better error checking/handling in the app layer code
16 years ago
SCLogDebug("store_len %" PRIu32 " and EOF", pstate->store_len);
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
pstate->store = SCRealloc(pstate->store, (input_len + pstate->store_len));
Fix inconsistent use of dynamic memory allocation
15 years ago
if (pstate->store == NULL)
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(-1);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
memcpy(pstate->store+pstate->store_len, input, input_len);
pstate->store_len += input_len;
initial version of better error checking/handling in the app layer code
16 years ago
int r = AlpStoreField(output, field_idx, pstate->store, pstate->store_len, 1);
if (r == -1) {
Renaming errors with naming conventions
16 years ago
SCLogError(SC_ERR_ALPARSER, "Failed to store field value");
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(-1);
}
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
pstate->store = NULL;
pstate->store_len = 0;
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(1);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
} else {
initial version of better error checking/handling in the app layer code
16 years ago
SCLogDebug("store_len %" PRIu32 " but no EOF", pstate->store_len);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
/* delimiter field not found, so store the result for the next run */
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
pstate->store = SCRealloc(pstate->store, (input_len + pstate->store_len));
Fix inconsistent use of dynamic memory allocation
15 years ago
if (pstate->store == NULL)
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(-1);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
memcpy(pstate->store+pstate->store_len, input, input_len);
pstate->store_len += input_len;
}
}
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(0);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
}
/** \brief Parse a field up to a delimeter.
*
* \retval 1 Field found and stored.
* \retval 0 Field parsing in progress.
* \retval -1 error
*/
app layer error handling
16 years ago
int AlpParseFieldByDelimiter(AppLayerParserResult *output, AppLayerParserState *pstate,
uint16_t field_idx, const uint8_t *delim, uint8_t delim_len,
uint8_t *input, uint32_t input_len, uint32_t *offset)
{
initial version of better error checking/handling in the app layer code
16 years ago
SCEnter();
app layer error handling
16 years ago
SCLogDebug("pstate->store_len %" PRIu32 ", delim_len %" PRIu32 "",
pstate->store_len, delim_len);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
if (pstate->store_len == 0) {
Adding single pattern matcher algorithms. If you cannot store a context for the patterns, use SpmSearch() macro. Adding unittests and stats
16 years ago
uint8_t *ptr = SpmSearch(input, input_len, (uint8_t*)delim, delim_len);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
if (ptr != NULL) {
64 bit cleanup part2
16 years ago
uint32_t len = ptr - input;
app layer error handling
16 years ago
SCLogDebug(" len %" PRIu32 "", len);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
initial version of better error checking/handling in the app layer code
16 years ago
int r = AlpStoreField(output, field_idx, input, len, 0);
if (r == -1) {
Renaming errors with naming conventions
16 years ago
SCLogError(SC_ERR_ALPARSER, "Failed to store field value");
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(-1);
}
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
(*offset) += (len + delim_len);
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(1);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
} else {
if (pstate->flags & APP_LAYER_PARSER_EOF) {
app layer error handling
16 years ago
SCLogDebug("delim not found and EOF");
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(0);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
}
app layer error handling
16 years ago
SCLogDebug("delim not found, continue");
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
/* delimiter field not found, so store the result for the next run */
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
pstate->store = SCMalloc(input_len);
Fix inconsistent use of dynamic memory allocation
15 years ago
if (pstate->store == NULL)
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(-1);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
memcpy(pstate->store, input, input_len);
pstate->store_len = input_len;
}
} else {
Adding single pattern matcher algorithms. If you cannot store a context for the patterns, use SpmSearch() macro. Adding unittests and stats
16 years ago
uint8_t *ptr = SpmSearch(input, input_len, (uint8_t*)delim, delim_len);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
if (ptr != NULL) {
64 bit cleanup part2
16 years ago
uint32_t len = ptr - input;
app layer error handling
16 years ago
SCLogDebug("len %" PRIu32 " + %" PRIu32 " = %" PRIu32 "", len,
pstate->store_len, len + pstate->store_len);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
pstate->store = SCRealloc(pstate->store, (len + pstate->store_len));
Fix inconsistent use of dynamic memory allocation
15 years ago
if (pstate->store == NULL)
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(-1);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
memcpy(pstate->store+pstate->store_len, input, len);
pstate->store_len += len;
app layer error handling
16 years ago
int r = AlpStoreField(output, field_idx, pstate->store,
pstate->store_len, 1);
initial version of better error checking/handling in the app layer code
16 years ago
if (r == -1) {
Renaming errors with naming conventions
16 years ago
SCLogError(SC_ERR_ALPARSER, "Failed to store field value");
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(-1);
}
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
pstate->store = NULL;
pstate->store_len = 0;
(*offset) += (len + delim_len);
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(1);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
} else {
if (pstate->flags & APP_LAYER_PARSER_EOF) {
/* if the input len is smaller than the delim len we search the
* pstate->store since we may match there. */
if (delim_len > input_len) {
app layer error handling
16 years ago
/* delimiter field not found, so store the result for the
* next run */
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
pstate->store = SCRealloc(pstate->store, (input_len +
app layer error handling
16 years ago
pstate->store_len));
Fix inconsistent use of dynamic memory allocation
15 years ago
if (pstate->store == NULL)
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(-1);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
memcpy(pstate->store+pstate->store_len, input, input_len);
pstate->store_len += input_len;
app layer error handling
16 years ago
SCLogDebug("input_len < delim_len, checking pstate->store");
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
if (pstate->store_len >= delim_len) {
Adding single pattern matcher algorithms. If you cannot store a context for the patterns, use SpmSearch() macro. Adding unittests and stats
16 years ago
ptr = SpmSearch(pstate->store, pstate->store_len, (uint8_t*)delim,
app layer error handling
16 years ago
delim_len);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
if (ptr != NULL) {
app layer error handling
16 years ago
SCLogDebug("now we found the delim");
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
64 bit cleanup part2
16 years ago
uint32_t len = ptr - pstate->store;
app layer error handling
16 years ago
int r = AlpStoreField(output, field_idx,
pstate->store, len, 1);
initial version of better error checking/handling in the app layer code
16 years ago
if (r == -1) {
Renaming errors with naming conventions
16 years ago
SCLogError(SC_ERR_ALPARSER, "Failed to store "
app layer htp error handling and fixes for memory leaks and segv
16 years ago
"field value");
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(-1);
}
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
pstate->store = NULL;
pstate->store_len = 0;
(*offset) += (input_len);
app layer error handling
16 years ago
SCLogDebug("offset %" PRIu32 "", (*offset));
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(1);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
}
goto free_and_return;
}
goto free_and_return;
}
free_and_return:
app layer error handling
16 years ago
SCLogDebug("not found and EOF, so free what we have so far.");
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
SCFree(pstate->store);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
pstate->store = NULL;
pstate->store_len = 0;
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(0);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
}
/* delimiter field not found, so store the result for the next run */
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
pstate->store = SCRealloc(pstate->store, (input_len + pstate->store_len));
Fix inconsistent use of dynamic memory allocation
15 years ago
if (pstate->store == NULL)
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(-1);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
memcpy(pstate->store+pstate->store_len, input, input_len);
pstate->store_len += input_len;
/* if the input len is smaller than the delim len we search the
* pstate->store since we may match there. */
if (delim_len > input_len && delim_len <= pstate->store_len) {
app layer error handling
16 years ago
SCLogDebug("input_len < delim_len, checking pstate->store");
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
Adding single pattern matcher algorithms. If you cannot store a context for the patterns, use SpmSearch() macro. Adding unittests and stats
16 years ago
ptr = SpmSearch(pstate->store, pstate->store_len, (uint8_t*)delim, delim_len);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
if (ptr != NULL) {
app layer error handling
16 years ago
SCLogDebug("now we found the delim");
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
64 bit cleanup part2
16 years ago
uint32_t len = ptr - pstate->store;
initial version of better error checking/handling in the app layer code
16 years ago
int r = AlpStoreField(output, field_idx, pstate->store, len, 1);
if (r == -1) {
Renaming errors with naming conventions
16 years ago
SCLogError(SC_ERR_ALPARSER, "Failed to store field value");
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(-1);
}
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
pstate->store = NULL;
pstate->store_len = 0;
(*offset) += (input_len);
app layer error handling
16 years ago
SCLogDebug("ffset %" PRIu32 "", (*offset));
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(1);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
}
}
}
}
initial version of better error checking/handling in the app layer code
16 years ago
SCReturnInt(0);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
}
app layer error handling
16 years ago
uint16_t AppLayerGetProtoByName(const char *name)
{
First iteration of doing app layer detection.
16 years ago
uint8_t u = 1;
SCLogDebug("looking for name %s", name);
for ( ; u < ALPROTO_MAX; u++) {
if (al_proto_table[u].name == NULL)
continue;
SCLogDebug("name %s proto %"PRIu16"",
al_proto_table[u].name, u);
if (strcasecmp(name,al_proto_table[u].name) == 0) {
SCLogDebug("match, returning %"PRIu16"", u);
return u;
}
}
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
AppLayerProbingParser *pp = alp_proto_ctx.probing_parsers;
while (pp != NULL) {
AppLayerProbingParserPort *pp_port = pp->port;
while (pp_port != NULL) {
AppLayerProbingParserElement *pp_pe = pp_port->toserver;
while (pp_pe != NULL) {
if (strcasecmp(pp_pe->al_proto_name, name) == 0) {
return pp_pe->al_proto;
}
pp_pe = pp_pe->next;
}
pp_pe = pp_port->toclient;
while (pp_pe != NULL) {
if (strcasecmp(pp_pe->al_proto_name, name) == 0) {
return pp_pe->al_proto;
}
pp_pe = pp_pe->next;
}
pp_port = pp_port->next;
}
pp = pp->next;
}
First iteration of doing app layer detection.
16 years ago
return ALPROTO_UNKNOWN;
}
Add documentation url in list-keyword output. The output of the list-keyword is modified to include the url to the keyword documentation when this is available. All documented keywords should have their link set. list-keyword can be used with an optional value: no option or short: display list of keywords csv: display a csv output on info an all keywords all: display a human readable output of keywords info $KWD: display the info about one keyword.
13 years ago
const char *AppLayerGetProtoString(int proto)
{
fix logic error in sanity check
13 years ago
if ((proto >= ALPROTO_MAX) || (proto < 0)) {
Add documentation url in list-keyword output. The output of the list-keyword is modified to include the url to the keyword documentation when this is available. All documented keywords should have their link set. list-keyword can be used with an optional value: no option or short: display list of keywords csv: display a csv output on info an all keywords all: display a human readable output of keywords info $KWD: display the info about one keyword.
13 years ago
return "Undefined";
}
if (al_proto_table[proto].name == NULL) {
return "Unset";
} else {
return al_proto_table[proto].name;
}
}
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
/** \brief Description: register a parser.
*
* \param name full parser name, e.g. "http.request_line"
app layer error handling
16 years ago
* \todo do we need recursive, so a "http" and a "request_line" where the engine
* knows it's actually "http.request_line"... same difference maybe.
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
* \param AppLayerParser pointer to the parser function
*
* \retval 0 on success
* \retval -1 on error
*/
app layer error handling
16 years ago
int AppLayerRegisterParser(char *name, uint16_t proto, uint16_t parser_id,
app layer htp error handling and fixes for memory leaks and segv
16 years ago
int (*AppLayerParser)(Flow *f, void *protocol_state,
modify all relevant app layer API calls to accomodate passing parser local storage argument
14 years ago
AppLayerParserState *parser_state,
uint8_t *input, uint32_t input_len,
void *local_data,
AppLayerParserResult *output),
char *dependency)
app layer error handling
16 years ago
{
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
al_max_parsers++;
added check for full al_parser_table
16 years ago
if(al_max_parsers >= MAX_PARSERS){
SCLogInfo("Failed to register %s al_parser_table array full",name);
exit(EXIT_FAILURE);
}
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
al_parser_table[al_max_parsers].name = name;
Update to the parsers.
16 years ago
al_parser_table[al_max_parsers].proto = proto;
al_parser_table[al_max_parsers].parser_local_id = parser_id;
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
al_parser_table[al_max_parsers].AppLayerParser = AppLayerParser;
Update to the parsers.
16 years ago
app layer error handling
16 years ago
SCLogDebug("registered %p at proto %" PRIu32 ", al_proto_table idx "
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
"%" PRIu32 ", parser_local_id %" PRIu32 "",
app layer error handling
16 years ago
AppLayerParser, proto, al_max_parsers,
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
parser_id);
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
return 0;
}
/** \brief Description: register a protocol parser.
*
* \param name full parser name, e.g. "http.request_line"
app layer error handling
16 years ago
* \todo do we need recursive, so a "http" and a "request_line" where the engine
* knows it's actually "http.request_line"... same difference maybe.
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
* \param AppLayerParser pointer to the parser function
*
* \retval 0 on success
* \retval -1 on error
*/
app layer error handling
16 years ago
int AppLayerRegisterProto(char *name, uint8_t proto, uint8_t flags,
modify all relevant app layer API calls to accomodate passing parser local storage argument
14 years ago
int (*AppLayerParser)(Flow *f, void *protocol_state,
AppLayerParserState *parser_state,
uint8_t *input, uint32_t input_len,
void *local_data, AppLayerParserResult *output))
app layer error handling
16 years ago
{
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
al_max_parsers++;
added check for full al_parser_table
16 years ago
if(al_max_parsers >= MAX_PARSERS){
SCLogInfo("Failed to register %s al_parser_table array full",name);
exit(EXIT_FAILURE);
}
Hacks to enable alert dns even though we have dnstcp and dnsudp parsers. Needs proper solution later.
13 years ago
/* register name here as well so pp only protocols will work */
if (al_proto_table[proto].name != NULL) {
BUG_ON(strcmp(al_proto_table[proto].name, name) != 0);
} else {
al_proto_table[proto].name = name;
}
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
al_parser_table[al_max_parsers].name = name;
al_parser_table[al_max_parsers].AppLayerParser = AppLayerParser;
/* create proto, direction -- parser mapping */
if (flags & STREAM_TOSERVER) {
al_proto_table[proto].to_server = al_max_parsers;
} else if (flags & STREAM_TOCLIENT) {
al_proto_table[proto].to_client = al_max_parsers;
}
app layer error handling
16 years ago
SCLogDebug("registered %p at proto %" PRIu32 " flags %02X, al_proto_table "
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
"idx %" PRIu32 ", %s", AppLayerParser, proto,
flags, al_max_parsers, name);
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
return 0;
}
Add --unittests-coverage option to list how many code modules have tests
12 years ago
#ifdef UNITTESTS
App layer protocol detection updated and improved. We now use confirmation from both directions and set events if there's a mismatch between the 2 directions. FPs from corrupt flows have disappeared with this.
12 years ago
void AppLayerParserRegisterUnittests(uint16_t proto, void (*RegisterUnittests)(void)) {
Add --unittests-coverage option to list how many code modules have tests
12 years ago
al_proto_table[proto].RegisterUnittests = RegisterUnittests;
}
#endif
app layer error handling
16 years ago
void AppLayerRegisterStateFuncs(uint16_t proto, void *(*StateAlloc)(void),
void (*StateFree)(void *))
{
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
al_proto_table[proto].StateAlloc = StateAlloc;
al_proto_table[proto].StateFree = StateFree;
}
Applayer: remove obsolete StateUpdateTransactionId Also, update StateTransactionFree to take an u64 tx id, so it's consistant with the rest of the engine. To reflect these changes, AppLayerRegisterTransactionIdFuncs has been renamed to AppLayerRegisterTxFreeFunc. HTP, DNS, SMB, DCERPC parsers updated.
12 years ago
void AppLayerRegisterTxFreeFunc(uint16_t proto,
void (*StateTransactionFree)(void *, uint64_t))
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
{
al_proto_table[proto].StateTransactionFree = StateTransactionFree;
}
modify all relevant app layer API calls to accomodate passing parser local storage argument
14 years ago
void AppLayerRegisterLocalStorageFunc(uint16_t proto,
void *(*LocalStorageAlloc)(void),
void (*LocalStorageFree)(void *))
{
al_proto_table[proto].LocalStorageAlloc = LocalStorageAlloc;
al_proto_table[proto].LocalStorageFree = LocalStorageFree;
return;
}
stream/app layer: add Truncate app layer callback that is called if stream depth is reached. Use it to trunc open files in HTTP.
13 years ago
void AppLayerRegisterTruncateFunc(uint16_t proto, void (*Truncate)(void *, uint8_t))
{
al_proto_table[proto].Truncate = Truncate;
return;
}
void AppLayerStreamTruncated(uint16_t proto, void *state, uint8_t flags) {
if (al_proto_table[proto].Truncate != NULL) {
al_proto_table[proto].Truncate(state, flags);
}
}
introduce app layer local storage api support
14 years ago
void *AppLayerGetProtocolParserLocalStorage(uint16_t proto)
{
if (al_proto_table[proto].LocalStorageAlloc != NULL) {
return al_proto_table[proto].LocalStorageAlloc();
}
return NULL;
}
file-extraction: Disconnect file handling from flow and move into the app layer state.
14 years ago
void AppLayerRegisterGetFilesFunc(uint16_t proto,
file extract: split toserver and toclient tracking Split toserver and toclient file tracking for the http state.
14 years ago
FileContainer *(*StateGetFiles)(void *, uint8_t))
file-extraction: Disconnect file handling from flow and move into the app layer state.
14 years ago
{
al_proto_table[proto].StateGetFiles = StateGetFiles;
}
Transaction engine redesigned. Improved accuracy, improved performance. Performance improvement noticeable with http heavy traffic and ruleset. A lot of other cosmetic changes carried out as well. Wrappers introduced for a lot of app layer functions. Failing dce unittests disabled. Will be reintroduced in the updated dce engine. Cross transaction matching taken care of. FPs emanating from these matches have now disappeared. Double inspection of transactions taken care of as well.
12 years ago
void AppLayerRegisterGetAlstateProgressFunc(uint16_t alproto,
int (*StateGetAlstateProgress)(void *alstate, uint8_t direction))
{
al_proto_table[alproto].StateGetAlstateProgress = StateGetAlstateProgress;
}
void AppLayerRegisterGetTxCnt(uint16_t alproto,
uint64_t (*StateGetTxCnt)(void *alstate))
{
al_proto_table[alproto].StateGetTxCnt = StateGetTxCnt;
}
void AppLayerRegisterGetTx(uint16_t alproto,
void *(StateGetTx)(void *alstate, uint64_t tx_id))
{
al_proto_table[alproto].StateGetTx = StateGetTx;
}
void AppLayerRegisterGetAlstateProgressCompletionStatus(uint16_t alproto,
int (*StateGetAlstateProgressCompletionStatus)(uint8_t direction))
{
al_proto_table[alproto].StateGetAlstateProgressCompletionStatus =
StateGetAlstateProgressCompletionStatus;
}
app layer: add support for per TX decoder events
12 years ago
void AppLayerRegisterGetEventsFunc(uint16_t proto,
AppLayerDecoderEvents *(*StateGetEvents)(void *, uint64_t))
{
al_proto_table[proto].StateGetEvents = StateGetEvents;
App layer: add 'StateHasEvents' API call Per TX decoder events resulted in significant overhead to the detection engine, as it walked all TX' all the time to check if decoder events were available. This commit introduces a new API call StateHasEvents, which speeds up this process, at the expense of keeping a counter in the state. Implement this for DNS as well.
12 years ago
}
void AppLayerRegisterHasEventsFunc(uint16_t proto,
int (*StateHasEvents)(void *)) {
al_proto_table[proto].StateHasEvents = StateHasEvents;
app layer: add support for per TX decoder events
12 years ago
}
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
/** \brief Indicate to the app layer parser that a logger is active
* for this protocol.
*/
void AppLayerRegisterLogger(uint16_t proto) {
al_proto_table[proto].logger = TRUE;
}
Add and use EventGetInfo for getting info on an event. Also update existing parsers and app-layer-event Setup to use this.
12 years ago
void AppLayerRegisterGetEventInfo(uint16_t alproto,
int (*StateGetEventInfo)(const char *event_name,
int *event_id,
AppLayerEventType *event_type))
Move app event module registration as a part of app layer proto table.
12 years ago
{
Add and use EventGetInfo for getting info on an event. Also update existing parsers and app-layer-event Setup to use this.
12 years ago
al_proto_table[alproto].StateGetEventInfo = StateGetEventInfo;
Move app event module registration as a part of app layer proto table.
12 years ago
}
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
app layer error handling
16 years ago
AppLayerParserStateStore *AppLayerParserStateStoreAlloc(void)
{
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
AppLayerParserStateStore *s = (AppLayerParserStateStore *)SCMalloc
app layer error handling
16 years ago
(sizeof(AppLayerParserStateStore));
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
if (s == NULL)
return NULL;
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
memset(s, 0, sizeof(AppLayerParserStateStore));
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
return s;
}
Big update: - Implement "closing" state in flow. - Add protocol specific timeouts. - Lots of stream tracking updates, fixing a lot of out of window issues. - Stream reassembly fixes. - Implement a new IDS runmode with 4 stream and detect threads. - Added a BUG_ON macro that aborts the engine if the expression is true. - Better balance the flow queue handler for traffic that doesn't have flow (like icmp currently). - Simplify application level protocol in the Tcp Session. - Add some debugging memory counters.
16 years ago
/** \brief free a AppLayerParserStateStore structure
* \param s AppLayerParserStateStore structure to free */
app layer error handling
16 years ago
void AppLayerParserStateStoreFree(AppLayerParserStateStore *s)
{
Big update: - Implement "closing" state in flow. - Add protocol specific timeouts. - Lots of stream tracking updates, fixing a lot of out of window issues. - Stream reassembly fixes. - Implement a new IDS runmode with 4 stream and detect threads. - Added a BUG_ON macro that aborts the engine if the expression is true. - Better balance the flow queue handler for traffic that doesn't have flow (like icmp currently). - Simplify application level protocol in the Tcp Session. - Add some debugging memory counters.
16 years ago
if (s->to_server.store != NULL)
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
SCFree(s->to_server.store);
Big update: - Implement "closing" state in flow. - Add protocol specific timeouts. - Lots of stream tracking updates, fixing a lot of out of window issues. - Stream reassembly fixes. - Implement a new IDS runmode with 4 stream and detect threads. - Added a BUG_ON macro that aborts the engine if the expression is true. - Better balance the flow queue handler for traffic that doesn't have flow (like icmp currently). - Simplify application level protocol in the Tcp Session. - Add some debugging memory counters.
16 years ago
if (s->to_client.store != NULL)
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
SCFree(s->to_client.store);
Support for app layer decoder events added + app_layer_event keyword added
14 years ago
if (s->decoder_events != NULL)
AppLayerDecoderEventsFreeEvents(s->decoder_events);
Support for smtp decoder events
14 years ago
s->decoder_events = NULL;
Big update: - Implement "closing" state in flow. - Add protocol specific timeouts. - Lots of stream tracking updates, fixing a lot of out of window issues. - Stream reassembly fixes. - Implement a new IDS runmode with 4 stream and detect threads. - Added a BUG_ON macro that aborts the engine if the expression is true. - Better balance the flow queue handler for traffic that doesn't have flow (like icmp currently). - Simplify application level protocol in the Tcp Session. - Add some debugging memory counters.
16 years ago
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
SCFree(s);
Big update: - Implement "closing" state in flow. - Add protocol specific timeouts. - Lots of stream tracking updates, fixing a lot of out of window issues. - Stream reassembly fixes. - Implement a new IDS runmode with 4 stream and detect threads. - Added a BUG_ON macro that aborts the engine if the expression is true. - Better balance the flow queue handler for traffic that doesn't have flow (like icmp currently). - Simplify application level protocol in the Tcp Session. - Add some debugging memory counters.
16 years ago
}
app layer error handling
16 years ago
static void AppLayerParserResultCleanup(AppLayerParserResult *result)
{
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
AppLayerParserResultElmt *e = result->head;
while (e != NULL) {
AppLayerParserResultElmt *next_e = e->next;
result->head = next_e;
if (next_e == NULL)
result->tail = NULL;
result->cnt--;
AlpReturnResultElmt(e);
e = next_e;
}
}
modify all relevant app layer API calls to accomodate passing parser local storage argument
14 years ago
static int AppLayerDoParse(void *local_data, Flow *f,
void *app_layer_state,
AppLayerParserState *parser_state,
uint8_t *input, uint32_t input_len,
uint16_t parser_idx,
Remove unused conditional locking code from the app layer parsing code.
16 years ago
uint16_t proto)
app layer error handling
16 years ago
{
SCEnter();
Add more flow lock assertions to the debug validation code.
14 years ago
DEBUG_ASSERT_FLOW_LOCKED(f);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
int retval = 0;
AppLayerParserResult result = { NULL, NULL, 0 };
app layer error handling
16 years ago
SCLogDebug("parser_idx %" PRIu32 "", parser_idx);
Split applayer and raw stream reassembly Split stream reassembly in 2 parts: a part that sends ack'd data to the app layer parsers as soon as it's available, and another part that queues up data into larger chunks for raw inspection.
15 years ago
//printf("--- (%u)\n", input_len);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
//PrintRawDataFp(stdout, input,input_len);
Split applayer and raw stream reassembly Split stream reassembly in 2 parts: a part that sends ack'd data to the app layer parsers as soon as it's available, and another part that queues up data into larger chunks for raw inspection.
15 years ago
//printf("---\n");
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
/* invoke the parser */
modify all relevant app layer API calls to accomodate passing parser local storage argument
14 years ago
int r = al_parser_table[parser_idx].
AppLayerParser(f, app_layer_state,
parser_state, input, input_len,
local_data, &result);
app layer error handling
16 years ago
if (r < 0) {
if (r == -1) {
AppLayerParserResultCleanup(&result);
SCReturnInt(-1);
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
#ifdef DEBUG
app layer error handling
16 years ago
} else {
BUG_ON(r); /* this is not supposed to happen!! */
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
#else
SCReturnInt(-1);
#endif
app layer error handling
16 years ago
}
}
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
/* process the result elements */
AppLayerParserResultElmt *e = result.head;
for (; e != NULL; e = e->next) {
app layer error handling
16 years ago
SCLogDebug("e %p e->name_idx %" PRIu32 ", e->data_ptr %p, e->data_len "
"%" PRIu32 ", map_size %" PRIu32 "", e, e->name_idx,
e->data_ptr, e->data_len, al_proto_table[proto].map_size);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
/* no parser defined for this field. */
app layer error handling
16 years ago
if (e->name_idx >= al_proto_table[proto].map_size ||
al_proto_table[proto].map[e->name_idx] == NULL)
{
SCLogDebug("no parser for proto %" PRIu32 ", parser_local_id "
"%" PRIu32 "", proto, e->name_idx);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
continue;
}
64 bit cleanup part2
16 years ago
uint16_t idx = al_proto_table[proto].map[e->name_idx]->parser_id;
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
/* prepare */
64 bit cleanup part2
16 years ago
uint16_t tmp = parser_state->parse_field;
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
parser_state->parse_field = 0;
parser_state->flags |= APP_LAYER_PARSER_EOF;
modify all relevant app layer API calls to accomodate passing parser local storage argument
14 years ago
r = AppLayerDoParse(local_data, f, app_layer_state, parser_state, e->data_ptr,
Remove unused conditional locking code from the app layer parsing code.
16 years ago
e->data_len, idx, proto);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
/* restore */
parser_state->flags &= ~APP_LAYER_PARSER_EOF;
parser_state->parse_field = tmp;
/* bail out on a serious error */
if (r < 0) {
app layer error handling
16 years ago
if (r == -1) {
retval = -1;
break;
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
#ifdef DEBUG
app layer error handling
16 years ago
} else {
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
BUG_ON(r); /* this is not supposed to happen!! */
#else
SCReturnInt(-1);
#endif
app layer error handling
16 years ago
}
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
}
}
AppLayerParserResultCleanup(&result);
app layer error handling
16 years ago
SCReturnInt(retval);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
}
Transaction engine redesigned. Improved accuracy, improved performance. Performance improvement noticeable with http heavy traffic and ruleset. A lot of other cosmetic changes carried out as well. Wrappers introduced for a lot of app layer functions. Failing dce unittests disabled. Will be reintroduced in the updated dce engine. Cross transaction matching taken care of. FPs emanating from these matches have now disappeared. Double inspection of transactions taken care of as well.
12 years ago
/**
* \brief remove obsolete (inspected and logged) transactions
*/
App layer: clean up TX before lowest active one Update DNS to handle cleaning up this way.
12 years ago
static void AppLayerTransactionsCleanup(AppLayerProto *p, AppLayerParserStateStore *parser_state_store, void *app_layer_state)
Transaction engine redesigned. Improved accuracy, improved performance. Performance improvement noticeable with http heavy traffic and ruleset. A lot of other cosmetic changes carried out as well. Wrappers introduced for a lot of app layer functions. Failing dce unittests disabled. Will be reintroduced in the updated dce engine. Cross transaction matching taken care of. FPs emanating from these matches have now disappeared. Double inspection of transactions taken care of as well.
12 years ago
{
if (p->StateTransactionFree == NULL)
App layer: clean up TX before lowest active one Update DNS to handle cleaning up this way.
12 years ago
return;
uint64_t inspect = 0, log = 0;
if (parser_state_store->inspect_id[0] < parser_state_store->inspect_id[1])
inspect = parser_state_store->inspect_id[0];
else
inspect = parser_state_store->inspect_id[1];
log = parser_state_store->log_id;
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
dns: fix transaction handling When logging is disabled, the app layer would still be flagged as logging. This caused transactions not to be freed until the end of the flow as the logged tx id would never increment. This fix postpones the setting of the app layer parser "logger" flag to the point where we know the logger is enabled.
12 years ago
SCLogDebug("inspect %"PRIu64", log %"PRIu64", logger: %s",
inspect, log, p->logger ? "true" : "false");
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
if (p->logger == TRUE) {
App layer: clean up TX before lowest active one Update DNS to handle cleaning up this way.
12 years ago
uint64_t min = log < inspect ? log : inspect;
if (min > 0) {
SCLogDebug("freeing %"PRIu64" (with logger) %p", min - 1, p->StateTransactionFree);
p->StateTransactionFree(app_layer_state, min - 1);
Transaction engine redesigned. Improved accuracy, improved performance. Performance improvement noticeable with http heavy traffic and ruleset. A lot of other cosmetic changes carried out as well. Wrappers introduced for a lot of app layer functions. Failing dce unittests disabled. Will be reintroduced in the updated dce engine. Cross transaction matching taken care of. FPs emanating from these matches have now disappeared. Double inspection of transactions taken care of as well.
12 years ago
}
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
} else {
App layer: clean up TX before lowest active one Update DNS to handle cleaning up this way.
12 years ago
if (inspect > 0) {
SCLogDebug("freeing %"PRIu64" (no logger) %p", inspect - 1, p->StateTransactionFree);
p->StateTransactionFree(app_layer_state, inspect - 1);
}
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
}
}
Split applayer and raw stream reassembly Split stream reassembly in 2 parts: a part that sends ack'd data to the app layer parsers as soon as it's available, and another part that queues up data into larger chunks for raw inspection.
15 years ago
#ifdef DEBUG
Add error counters.
15 years ago
uint32_t applayererrors = 0;
uint32_t applayerhttperrors = 0;
Split applayer and raw stream reassembly Split stream reassembly in 2 parts: a part that sends ack'd data to the app layer parsers as soon as it's available, and another part that queues up data into larger chunks for raw inspection.
15 years ago
#endif
Add error counters.
15 years ago
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
/**
* \brief Layer 7 Parsing main entry point.
*
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
* \param f Properly initialized and locked flow.
* \param proto L7 proto, e.g. ALPROTO_HTTP
* \param flags Stream flags
* \param input Input L7 data
* \param input_len Length of the input data.
*
* \retval -1 error
* \retval 0 ok
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
*/
modify all relevant app layer API calls to accomodate passing parser local storage argument
14 years ago
int AppLayerParse(void *local_data, Flow *f, uint8_t proto,
uint8_t flags, uint8_t *input, uint32_t input_len)
app layer error handling
16 years ago
{
More logging API usage changes.
16 years ago
SCEnter();
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
Fix locking error in filestore handling. Add debug validate check for asserting a flow is locked.
14 years ago
DEBUG_ASSERT_FLOW_LOCKED(f);
64 bit cleanup part2
16 years ago
uint16_t parser_idx = 0;
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
AppLayerProto *p = &al_proto_table[proto];
Fix checking for the stream GAP after the ssn ptr was initialized.
15 years ago
TcpSession *ssn = NULL;
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
UDP support at AppLayer message handling
15 years ago
/* Used only if it's TCP */
Fix checking for the stream GAP after the ssn ptr was initialized.
15 years ago
ssn = f->protoctx;
Kick out streams with gaps in them in the app layer parser until we add proper support.
15 years ago
Stream reassembly / app layer: disable gap errors Gap errors on the app layer are now silently handled. No longer printed to the screen.
14 years ago
/* Do this check before calling AppLayerParse */
Removed FLOW_AL_STREAM_START, EOF and GAP flags. We don't need these. Just use STREAM_* flags
14 years ago
if (flags & STREAM_GAP) {
Fix checking for the stream GAP after the ssn ptr was initialized.
15 years ago
SCLogDebug("stream gap detected (missing packets), this is not yet supported.");
stream/app layer: call new Truncate callback for data gap case as well.
13 years ago
if (f->alstate != NULL)
AppLayerStreamTruncated(proto, f->alstate, flags);
Disable printing dreaded app layer error messages to the screen: app layer events are here to safe us.
14 years ago
goto error;
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
}
/* Get the parser state (if any) */
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
AppLayerParserStateStore *parser_state_store = f->alparser;
if (parser_state_store == NULL) {
parser_state_store = AppLayerParserStateStoreAlloc();
if (parser_state_store == NULL)
goto error;
UDP support at AppLayer message handling
15 years ago
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
f->alparser = (void *)parser_state_store;
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
}
Add a app layer state and stateful detection engine counter that makes sure the stateful inspection is only done when the state changes.
14 years ago
parser_state_store->version++;
SCLogDebug("app layer state version incremented to %"PRIu16,
parser_state_store->version);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
AppLayerParserState *parser_state = NULL;
Removed FLOW_AL_STREAM_START, EOF and GAP flags. We don't need these. Just use STREAM_* flags
14 years ago
if (flags & STREAM_TOSERVER) {
Application layer detection improvements - improve locking of application layer handling, making sure that the flow cannot be freed/cleared when the detection engine is still working with it. - add a check to the app layer detection to make sure that a match function will only inspect an app layer state if it's of the right type.
16 years ago
SCLogDebug("to_server msg (flow %p)", f);
Add some debugging and simplify locking for app layer slightly.
16 years ago
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
parser_state = &parser_state_store->to_server;
if (!(parser_state->flags & APP_LAYER_PARSER_USE)) {
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
parser_idx = p->to_server;
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
parser_state->cur_parser = parser_idx;
parser_state->flags |= APP_LAYER_PARSER_USE;
} else {
app layer error handling
16 years ago
SCLogDebug("using parser %" PRIu32 " we stored before (to_server)",
parser_state->cur_parser);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
parser_idx = parser_state->cur_parser;
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
}
} else {
Application layer detection improvements - improve locking of application layer handling, making sure that the flow cannot be freed/cleared when the detection engine is still working with it. - add a check to the app layer detection to make sure that a match function will only inspect an app layer state if it's of the right type.
16 years ago
SCLogDebug("to_client msg (flow %p)", f);
Add some debugging and simplify locking for app layer slightly.
16 years ago
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
parser_state = &parser_state_store->to_client;
if (!(parser_state->flags & APP_LAYER_PARSER_USE)) {
parser_idx = p->to_client;
parser_state->cur_parser = parser_idx;
parser_state->flags |= APP_LAYER_PARSER_USE;
} else {
app layer error handling
16 years ago
SCLogDebug("using parser %" PRIu32 " we stored before (to_client)",
parser_state->cur_parser);
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
parser_idx = parser_state->cur_parser;
}
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
}
Added parentheses to fix Eclipse static code analysis Fixed bug in action priority (REJECT_DST had lowest prio)
13 years ago
if (parser_idx == 0 || (parser_state->flags & APP_LAYER_PARSER_DONE)) {
app layer error handling
16 years ago
SCLogDebug("no parser for protocol %" PRIu32 "", proto);
More logging API usage changes.
16 years ago
SCReturnInt(0);
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
}
Removed FLOW_AL_STREAM_START, EOF and GAP flags. We don't need these. Just use STREAM_* flags
14 years ago
if (flags & STREAM_EOF)
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
parser_state->flags |= APP_LAYER_PARSER_EOF;
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
/* See if we already have a 'app layer' state */
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
void *app_layer_state = f->alstate;
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
if (app_layer_state == NULL) {
Application layer detection improvements - improve locking of application layer handling, making sure that the flow cannot be freed/cleared when the detection engine is still working with it. - add a check to the app layer detection to make sure that a match function will only inspect an app layer state if it's of the right type.
16 years ago
/* lock the allocation of state as we may
* alloc more than one otherwise */
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
app_layer_state = p->StateAlloc();
Application layer detection improvements - improve locking of application layer handling, making sure that the flow cannot be freed/cleared when the detection engine is still working with it. - add a check to the app layer detection to make sure that a match function will only inspect an app layer state if it's of the right type.
16 years ago
if (app_layer_state == NULL) {
More logging API usage changes.
16 years ago
goto error;
Application layer detection improvements - improve locking of application layer handling, making sure that the flow cannot be freed/cleared when the detection engine is still working with it. - add a check to the app layer detection to make sure that a match function will only inspect an app layer state if it's of the right type.
16 years ago
}
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
f->alstate = app_layer_state;
SCLogDebug("alloced new app layer state %p (name %s)",
app_layer_state, al_proto_table[f->alproto].name);
Application layer detection improvements - improve locking of application layer handling, making sure that the flow cannot be freed/cleared when the detection engine is still working with it. - add a check to the app layer detection to make sure that a match function will only inspect an app layer state if it's of the right type.
16 years ago
} else {
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
SCLogDebug("using existing app layer state %p (name %s))",
app_layer_state, al_proto_table[f->alproto].name);
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
}
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
/* invoke the recursive parser, but only on data. We may get empty msgs on EOF */
if (input_len > 0) {
modify all relevant app layer API calls to accomodate passing parser local storage argument
14 years ago
int r = AppLayerDoParse(local_data, f, app_layer_state, parser_state,
input, input_len, parser_idx, proto);
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
if (r < 0)
goto error;
}
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
Applayer to flow fixes and cleanups.
15 years ago
/* set the packets to no inspection and reassembly if required */
tls no reassembly support
16 years ago
if (parser_state->flags & APP_LAYER_PARSER_NO_INSPECTION) {
if app layer inspection is disabled, immediately set the eof flag
14 years ago
AppLayerSetEOF(f);
tls no reassembly support
16 years ago
FlowSetNoPayloadInspectionFlag(f);
UDP support at AppLayer message handling
15 years ago
FlowSetSessionNoApplayerInspectionFlag(f);
tls no reassembly support
16 years ago
/* Set the no reassembly flag for both the stream in this TcpSession */
if (parser_state->flags & APP_LAYER_PARSER_NO_REASSEMBLY) {
UDP support at AppLayer message handling
15 years ago
if (ssn != NULL) {
StreamTcpSetSessionNoReassemblyFlag(ssn,
Removed FLOW_AL_STREAM_START, EOF and GAP flags. We don't need these. Just use STREAM_* flags
14 years ago
flags & STREAM_TOCLIENT ? 1 : 0);
UDP support at AppLayer message handling
15 years ago
StreamTcpSetSessionNoReassemblyFlag(ssn,
Removed FLOW_AL_STREAM_START, EOF and GAP flags. We don't need these. Just use STREAM_* flags
14 years ago
flags & STREAM_TOSERVER ? 1 : 0);
UDP support at AppLayer message handling
15 years ago
}
tls no reassembly support
16 years ago
}
}
Transaction engine redesigned. Improved accuracy, improved performance. Performance improvement noticeable with http heavy traffic and ruleset. A lot of other cosmetic changes carried out as well. Wrappers introduced for a lot of app layer functions. Failing dce unittests disabled. Will be reintroduced in the updated dce engine. Cross transaction matching taken care of. FPs emanating from these matches have now disappeared. Double inspection of transactions taken care of as well.
12 years ago
/* next, see if we can get rid of transactions now */
AppLayerTransactionsCleanup(p, parser_state_store, app_layer_state);
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
if (parser_state->flags & APP_LAYER_PARSER_EOF) {
SCLogDebug("eof, flag Transaction id's");
parser_state_store->id_flags |= APP_LAYER_TRANSACTION_EOF;
}
stream/app layer: add Truncate app layer callback that is called if stream depth is reached. Use it to trunc open files in HTTP.
13 years ago
/* stream truncated, inform app layer */
if (flags & STREAM_DEPTH) {
AppLayerStreamTruncated(proto, app_layer_state, flags);
}
More logging API usage changes.
16 years ago
SCReturnInt(0);
Stream reassembly / app layer: disable gap errors Gap errors on the app layer are now silently handled. No longer printed to the screen.
14 years ago
More logging API usage changes.
16 years ago
error:
app layer error handling
16 years ago
if (ssn != NULL) {
Disable printing dreaded app layer error messages to the screen: app layer events are here to safe us.
14 years ago
#ifdef DEBUG
flow: shrink Flow datatype Introduce a separate FlowAddress structure for holding the ipv4 or ipv6 address that doesn't have the family in it like the Address structure. Instead, the family is stored in the flow as a flag: FLOW_IPV4 and FLOW_IPV6. Add macro's to check the family, copy the address, etc. Update many unittests to reflect these changes. Introduce unittest helper functions for creating and initializing a flow and freeing it again. On 64 bit this shrinks the flow with 8 bytes.
14 years ago
if (FLOW_IS_IPV4(f)) {
Add some debugging and simplify locking for app layer slightly.
16 years ago
char src[16];
char dst[16];
Transform inet_ntop call into PrintInet one.
14 years ago
PrintInet(AF_INET, (const void*)&f->src.addr_data32[0], src,
app layer error handling
16 years ago
sizeof (src));
Transform inet_ntop call into PrintInet one.
14 years ago
PrintInet(AF_INET, (const void*)&f->dst.addr_data32[0], dst,
app layer error handling
16 years ago
sizeof (dst));
Disable printing dreaded app layer error messages to the screen: app layer events are here to safe us.
14 years ago
SCLogDebug("Error occured in parsing \"%s\" app layer "
app layer probing parser updates
14 years ago
"protocol, using network protocol %"PRIu8", source IP "
"address %s, destination IP address %s, src port %"PRIu16" and "
"dst port %"PRIu16"", al_proto_table[f->alproto].name,
f->proto, src, dst, f->sp, f->dp);
fflush(stdout);
flow: shrink Flow datatype Introduce a separate FlowAddress structure for holding the ipv4 or ipv6 address that doesn't have the family in it like the Address structure. Instead, the family is stored in the flow as a flag: FLOW_IPV4 and FLOW_IPV6. Add macro's to check the family, copy the address, etc. Update many unittests to reflect these changes. Introduce unittest helper functions for creating and initializing a flow and freeing it again. On 64 bit this shrinks the flow with 8 bytes.
14 years ago
} else if (FLOW_IS_IPV6(f)) {
Add some debugging and simplify locking for app layer slightly.
16 years ago
char dst6[46];
char src6[46];
Transform inet_ntop call into PrintInet one.
14 years ago
PrintInet(AF_INET6, (const void*)&f->src.addr_data32, src6,
updated error info ouput
16 years ago
sizeof (src6));
Transform inet_ntop call into PrintInet one.
14 years ago
PrintInet(AF_INET6, (const void*)&f->dst.addr_data32, dst6,
updated error info ouput
16 years ago
sizeof (dst6));
Disable printing dreaded app layer error messages to the screen: app layer events are here to safe us.
14 years ago
SCLogDebug("Error occured in parsing \"%s\" app layer "
app layer probing parser updates
14 years ago
"protocol, using network protocol %"PRIu8", source IPv6 "
"address %s, destination IPv6 address %s, src port %"PRIu16" and "
"dst port %"PRIu16"", al_proto_table[f->alproto].name,
f->proto, src6, dst6, f->sp, f->dp);
fflush(stdout);
updated error info ouput
16 years ago
}
Stream reassembly / app layer: disable gap errors Gap errors on the app layer are now silently handled. No longer printed to the screen.
14 years ago
applayererrors++;
if (f->alproto == ALPROTO_HTTP)
applayerhttperrors++;
#endif
/* Set the no app layer inspection flag for both
* the stream in this Flow */
FlowSetSessionNoApplayerInspectionFlag(f);
AppLayerSetEOF(f);
}
More logging API usage changes.
16 years ago
SCReturnInt(-1);
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
}
Transaction engine redesigned. Improved accuracy, improved performance. Performance improvement noticeable with http heavy traffic and ruleset. A lot of other cosmetic changes carried out as well. Wrappers introduced for a lot of app layer functions. Failing dce unittests disabled. Will be reintroduced in the updated dce engine. Cross transaction matching taken care of. FPs emanating from these matches have now disappeared. Double inspection of transactions taken care of as well.
12 years ago
void AppLayerTransactionUpdateLogId(Flow *f)
{
Fix locking error in filestore handling. Add debug validate check for asserting a flow is locked.
14 years ago
DEBUG_ASSERT_FLOW_LOCKED(f);
Transaction engine redesigned. Improved accuracy, improved performance. Performance improvement noticeable with http heavy traffic and ruleset. A lot of other cosmetic changes carried out as well. Wrappers introduced for a lot of app layer functions. Failing dce unittests disabled. Will be reintroduced in the updated dce engine. Cross transaction matching taken care of. FPs emanating from these matches have now disappeared. Double inspection of transactions taken care of as well.
12 years ago
((AppLayerParserStateStore *)f->alparser)->log_id++;
Fix locking error in filestore handling. Add debug validate check for asserting a flow is locked.
14 years ago
Transaction engine redesigned. Improved accuracy, improved performance. Performance improvement noticeable with http heavy traffic and ruleset. A lot of other cosmetic changes carried out as well. Wrappers introduced for a lot of app layer functions. Failing dce unittests disabled. Will be reintroduced in the updated dce engine. Cross transaction matching taken care of. FPs emanating from these matches have now disappeared. Double inspection of transactions taken care of as well.
12 years ago
return;
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
}
Transaction engine redesigned. Improved accuracy, improved performance. Performance improvement noticeable with http heavy traffic and ruleset. A lot of other cosmetic changes carried out as well. Wrappers introduced for a lot of app layer functions. Failing dce unittests disabled. Will be reintroduced in the updated dce engine. Cross transaction matching taken care of. FPs emanating from these matches have now disappeared. Double inspection of transactions taken care of as well.
12 years ago
uint64_t AppLayerTransactionGetLogId(Flow *f)
{
Fix locking error in filestore handling. Add debug validate check for asserting a flow is locked.
14 years ago
DEBUG_ASSERT_FLOW_LOCKED(f);
Transaction engine redesigned. Improved accuracy, improved performance. Performance improvement noticeable with http heavy traffic and ruleset. A lot of other cosmetic changes carried out as well. Wrappers introduced for a lot of app layer functions. Failing dce unittests disabled. Will be reintroduced in the updated dce engine. Cross transaction matching taken care of. FPs emanating from these matches have now disappeared. Double inspection of transactions taken care of as well.
12 years ago
return ((AppLayerParserStateStore *)f->alparser)->log_id;
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
}
Transaction engine redesigned. Improved accuracy, improved performance. Performance improvement noticeable with http heavy traffic and ruleset. A lot of other cosmetic changes carried out as well. Wrappers introduced for a lot of app layer functions. Failing dce unittests disabled. Will be reintroduced in the updated dce engine. Cross transaction matching taken care of. FPs emanating from these matches have now disappeared. Double inspection of transactions taken care of as well.
12 years ago
uint16_t AppLayerGetStateVersion(Flow *f)
{
Add a app layer state and stateful detection engine counter that makes sure the stateful inspection is only done when the state changes.
14 years ago
SCEnter();
Fix locking error in filestore handling. Add debug validate check for asserting a flow is locked.
14 years ago
DEBUG_ASSERT_FLOW_LOCKED(f);
Add a app layer state and stateful detection engine counter that makes sure the stateful inspection is only done when the state changes.
14 years ago
uint16_t version = 0;
AppLayerParserStateStore *parser_state_store = NULL;
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
parser_state_store = (AppLayerParserStateStore *)f->alparser;
if (parser_state_store != NULL) {
version = parser_state_store->version;
Add a app layer state and stateful detection engine counter that makes sure the stateful inspection is only done when the state changes.
14 years ago
}
SCReturnUInt(version);
}
Transaction engine redesigned. Improved accuracy, improved performance. Performance improvement noticeable with http heavy traffic and ruleset. A lot of other cosmetic changes carried out as well. Wrappers introduced for a lot of app layer functions. Failing dce unittests disabled. Will be reintroduced in the updated dce engine. Cross transaction matching taken care of. FPs emanating from these matches have now disappeared. Double inspection of transactions taken care of as well.
12 years ago
uint64_t AppLayerTransactionGetInspectId(Flow *f, uint8_t flags)
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
{
Fix locking error in filestore handling. Add debug validate check for asserting a flow is locked.
14 years ago
DEBUG_ASSERT_FLOW_LOCKED(f);
Transaction engine redesigned. Improved accuracy, improved performance. Performance improvement noticeable with http heavy traffic and ruleset. A lot of other cosmetic changes carried out as well. Wrappers introduced for a lot of app layer functions. Failing dce unittests disabled. Will be reintroduced in the updated dce engine. Cross transaction matching taken care of. FPs emanating from these matches have now disappeared. Double inspection of transactions taken care of as well.
12 years ago
return ((AppLayerParserStateStore *)f->alparser)->
inspect_id[flags & STREAM_TOSERVER ? 0 : 1];
}
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
Transaction engine redesigned. Improved accuracy, improved performance. Performance improvement noticeable with http heavy traffic and ruleset. A lot of other cosmetic changes carried out as well. Wrappers introduced for a lot of app layer functions. Failing dce unittests disabled. Will be reintroduced in the updated dce engine. Cross transaction matching taken care of. FPs emanating from these matches have now disappeared. Double inspection of transactions taken care of as well.
12 years ago
void AppLayerTransactionUpdateInspectId(Flow *f, uint8_t flags)
{
uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
More lock fixes for the transaction update. Issues reported by Coverity.
12 years ago
FLOWLOCK_WRLOCK(f);
Transaction engine redesigned. Improved accuracy, improved performance. Performance improvement noticeable with http heavy traffic and ruleset. A lot of other cosmetic changes carried out as well. Wrappers introduced for a lot of app layer functions. Failing dce unittests disabled. Will be reintroduced in the updated dce engine. Cross transaction matching taken care of. FPs emanating from these matches have now disappeared. Double inspection of transactions taken care of as well.
12 years ago
uint64_t total_txs = AppLayerGetTxCnt(f->alproto, f->alstate);
uint64_t idx = AppLayerTransactionGetInspectId(f, flags);
int state_done_progress = AppLayerGetAlstateProgressCompletionStatus(f->alproto, direction);
void *tx;
int state_progress;
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
More lock fixes for the transaction update. Issues reported by Coverity.
12 years ago
for (; idx < total_txs; idx++) {
Transaction engine redesigned. Improved accuracy, improved performance. Performance improvement noticeable with http heavy traffic and ruleset. A lot of other cosmetic changes carried out as well. Wrappers introduced for a lot of app layer functions. Failing dce unittests disabled. Will be reintroduced in the updated dce engine. Cross transaction matching taken care of. FPs emanating from these matches have now disappeared. Double inspection of transactions taken care of as well.
12 years ago
tx = AppLayerGetTx(f->alproto, f->alstate, idx);
if (tx == NULL)
continue;
state_progress = AppLayerGetAlstateProgress(f->alproto, tx, direction);
if (state_progress >= state_done_progress)
continue;
else
break;
}
((AppLayerParserStateStore *)f->alparser)->inspect_id[direction] = idx;
More lock fixes for the transaction update. Issues reported by Coverity.
12 years ago
FLOWLOCK_UNLOCK(f);
Convert uricontent scanning to use the detect engine state.
15 years ago
Transaction engine redesigned. Improved accuracy, improved performance. Performance improvement noticeable with http heavy traffic and ruleset. A lot of other cosmetic changes carried out as well. Wrappers introduced for a lot of app layer functions. Failing dce unittests disabled. Will be reintroduced in the updated dce engine. Cross transaction matching taken care of. FPs emanating from these matches have now disappeared. Double inspection of transactions taken care of as well.
12 years ago
return;
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
}
Add new command line option --list-app-layer-protocols to list supported app layer protocols in sigs
14 years ago
void AppLayerListSupportedProtocols(void)
{
uint32_t i;
uint32_t temp_alprotos_buf[ALPROTO_MAX];
coverity fixes
13 years ago
memset(temp_alprotos_buf, 0, sizeof(temp_alprotos_buf));
Add new command line option --list-app-layer-protocols to list supported app layer protocols in sigs
14 years ago
printf("=========Supported App Layer Protocols=========\n");
/* for each proto, alloc the map array */
for (i = 0; i < ALPROTO_MAX; i++) {
if (al_proto_table[i].name == NULL)
continue;
temp_alprotos_buf[i] = 1;
printf("%s\n", al_proto_table[i].name);
}
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
AppLayerProbingParser *pp = alp_proto_ctx.probing_parsers;
while (pp != NULL) {
AppLayerProbingParserPort *pp_port = pp->port;
while (pp_port != NULL) {
AppLayerProbingParserElement *pp_pe = pp_port->toserver;
while (pp_pe != NULL) {
if (temp_alprotos_buf[pp_pe->al_proto] == 1) {
pp_pe = pp_pe->next;
continue;
}
Add new command line option --list-app-layer-protocols to list supported app layer protocols in sigs
14 years ago
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
printf("%s\n", pp_pe->al_proto_name);
pp_pe = pp_pe->next;
}
pp_pe = pp_port->toclient;
while (pp_pe != NULL) {
if (temp_alprotos_buf[pp_pe->al_proto] == 1) {
pp_pe = pp_pe->next;;
continue;
}
Add new command line option --list-app-layer-protocols to list supported app layer protocols in sigs
14 years ago
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
printf("%s\n", pp_pe->al_proto_name);
pp_pe = pp_pe->next;
}
Add new command line option --list-app-layer-protocols to list supported app layer protocols in sigs
14 years ago
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
pp_port = pp_port->next;
}
pp = pp->next;
}
Add new command line option --list-app-layer-protocols to list supported app layer protocols in sigs
14 years ago
return;
}
Support for app layer decoder events added + app_layer_event keyword added
14 years ago
AppLayerDecoderEvents *AppLayerGetDecoderEventsForFlow(Flow *f)
{
Fix locking error in filestore handling. Add debug validate check for asserting a flow is locked.
14 years ago
DEBUG_ASSERT_FLOW_LOCKED(f);
Support for app layer decoder events added + app_layer_event keyword added
14 years ago
/* Get the parser state (if any) */
AppLayerParserStateStore *parser_state_store = NULL;
if (f == NULL || f->alparser == NULL) {
return NULL;
}
parser_state_store = (AppLayerParserStateStore *)f->alparser;
if (parser_state_store != NULL) {
return parser_state_store->decoder_events;
}
return NULL;
}
Trigger raw stream reassembly on receiving a full HTTP request or response.
14 years ago
/**
* \brief Trigger "raw" stream reassembly from the app layer.
*
* This way HTTP for example, can trigger raw stream inspection right
* when the full request body is received. This is often smaller than
* our raw reassembly size limit.
*
* \param f flow, for access the stream state
*/
void AppLayerTriggerRawStreamReassembly(Flow *f) {
SCEnter();
Fix locking error in filestore handling. Add debug validate check for asserting a flow is locked.
14 years ago
DEBUG_ASSERT_FLOW_LOCKED(f);
Trigger raw stream reassembly on receiving a full HTTP request or response.
14 years ago
#ifdef DEBUG
BUG_ON(f == NULL);
#endif
if (f != NULL && f->protoctx != NULL) {
TcpSession *ssn = (TcpSession *)f->protoctx;
StreamTcpReassembleTriggerRawReassembly(ssn);
}
SCReturn;
}
app layer error handling
16 years ago
void RegisterAppLayerParsers(void)
{
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
/** \todo move to general init function */
memset(&al_proto_table, 0, sizeof(al_proto_table));
memset(&al_parser_table, 0, sizeof(al_parser_table));
Update to the parsers.
16 years ago
/** setup result pool
* \todo Per thread pool */
pool: realize a block allocation for preallocated item. This patch required a evolution of Pool API as it is needed to proceed to alloc or init separetely. The PoolInit has been changed with a new Init function parameter.
13 years ago
al_result_pool = PoolInit(1000, 250,
sizeof(AppLayerParserResultElmt),
reintroduce pool free func for cases where block alloc is not used.
13 years ago
AlpResultElmtPoolAlloc, NULL, NULL,
AlpResultElmtPoolCleanup, NULL);
push all proto detection code into their respective app parser register functions for every alproto
14 years ago
RegisterHTPParsers();
RegisterSSLParsers();
RegisterSMBParsers();
Add --unittests-coverage option to list how many code modules have tests
12 years ago
/** \todo bug 719 */
//RegisterSMB2Parsers();
push all proto detection code into their respective app parser register functions for every alproto
14 years ago
RegisterDCERPCParsers();
RegisterDCERPCUDPParsers();
RegisterFTPParsers();
RegisterSSHParsers();
smtp parser support
14 years ago
RegisterSMTPParsers();
DNS TCP and UDP parser and DNS response logger
13 years ago
RegisterDNSUDPParsers();
RegisterDNSTCPParsers();
push all proto detection code into their respective app parser register functions for every alproto
14 years ago
/** IMAP */
Introduce new options into the conf file to enable/disable - 1. Proto detection 2. Parsers For app layer protocols. libhtp has now been moved to the section under app-layer.protocols.http, but we still provide backward compatibility with older conf files.
12 years ago
if (AppLayerProtoDetectionEnabled("imap")) {
//AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_IMAP, "|2A 20|OK|20|", 5, 0, STREAM_TOCLIENT);
AlpProtoAdd(&alp_proto_ctx, "imap", IPPROTO_TCP, ALPROTO_IMAP, "1|20|capability", 12, 0, STREAM_TOSERVER);
} else {
SCLogInfo("Protocol detection and parser disabled for %s protocol.",
"imap");
return;
}
push all proto detection code into their respective app parser register functions for every alproto
14 years ago
/** MSN Messenger */
Introduce new options into the conf file to enable/disable - 1. Proto detection 2. Parsers For app layer protocols. libhtp has now been moved to the section under app-layer.protocols.http, but we still provide backward compatibility with older conf files.
12 years ago
if (AppLayerProtoDetectionEnabled("msn")) {
//AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_MSN, "MSNP", 10, 6, STREAM_TOCLIENT);
AlpProtoAdd(&alp_proto_ctx, "msn", IPPROTO_TCP, ALPROTO_MSN, "MSNP", 10, 6, STREAM_TOSERVER);
} else {
SCLogInfo("Protocol detection and parser disabled for %s protocol.",
"msn");
return;
}
push all proto detection code into their respective app parser register functions for every alproto
14 years ago
fix for bug #987. We don't support jabber protocol detection atm. Disable the code check inside suricata to check if jabber protocol detection is enabled in the yaml file. Also updated an error log message for app layer.
12 years ago
#if 0
push all proto detection code into their respective app parser register functions for every alproto
14 years ago
/** Jabber */
Introduce new options into the conf file to enable/disable - 1. Proto detection 2. Parsers For app layer protocols. libhtp has now been moved to the section under app-layer.protocols.http, but we still provide backward compatibility with older conf files.
12 years ago
if (AppLayerProtoDetectionEnabled("jabber")) {
fix for bug #987. We don't support jabber protocol detection atm. Disable the code check inside suricata to check if jabber protocol detection is enabled in the yaml file. Also updated an error log message for app layer.
12 years ago
AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_JABBER, "xmlns='jabber|3A|client'", 74, 53, STREAM_TOCLIENT);
AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_JABBER, "xmlns='jabber|3A|client'", 74, 53, STREAM_TOSERVER);
Introduce new options into the conf file to enable/disable - 1. Proto detection 2. Parsers For app layer protocols. libhtp has now been moved to the section under app-layer.protocols.http, but we still provide backward compatibility with older conf files.
12 years ago
} else {
SCLogInfo("Protocol detection disabled for %s protocol and as a "
"consequence the conf param \"app-layer.protocols.%s."
"parser-enabled\" will now be ignored.", "jabber", "jabber");
return;
}
fix for bug #987. We don't support jabber protocol detection atm. Disable the code check inside suricata to check if jabber protocol detection is enabled in the yaml file. Also updated an error log message for app layer.
12 years ago
#endif
push all proto detection code into their respective app parser register functions for every alproto
14 years ago
return;
Update to the parsers.
16 years ago
}
UDP support at AppLayer message handling
15 years ago
void AppLayerParserCleanupState(Flow *f)
app layer error handling
16 years ago
{
UDP support at AppLayer message handling
15 years ago
if (f == NULL) {
SCLogDebug("no flow");
Big update: - Implement "closing" state in flow. - Add protocol specific timeouts. - Lots of stream tracking updates, fixing a lot of out of window issues. - Stream reassembly fixes. - Implement a new IDS runmode with 4 stream and detect threads. - Added a BUG_ON macro that aborts the engine if the expression is true. - Better balance the flow queue handler for traffic that doesn't have flow (like icmp currently). - Simplify application level protocol in the Tcp Session. - Add some debugging memory counters.
16 years ago
return;
}
UDP support at AppLayer message handling
15 years ago
if (f->alproto >= ALPROTO_MAX) {
Fixing some code reviews (Thanks to Steve Grubb)
16 years ago
SCLogDebug("app layer proto unknown");
return;
}
Big update: - Implement "closing" state in flow. - Add protocol specific timeouts. - Lots of stream tracking updates, fixing a lot of out of window issues. - Stream reassembly fixes. - Implement a new IDS runmode with 4 stream and detect threads. - Added a BUG_ON macro that aborts the engine if the expression is true. - Better balance the flow queue handler for traffic that doesn't have flow (like icmp currently). - Simplify application level protocol in the Tcp Session. - Add some debugging memory counters.
16 years ago
/* free the parser protocol state */
UDP support at AppLayer message handling
15 years ago
AppLayerProto *p = &al_proto_table[f->alproto];
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
if (p->StateFree != NULL && f->alstate != NULL) {
SCLogDebug("calling StateFree");
p->StateFree(f->alstate);
f->alstate = NULL;
Big update: - Implement "closing" state in flow. - Add protocol specific timeouts. - Lots of stream tracking updates, fixing a lot of out of window issues. - Stream reassembly fixes. - Implement a new IDS runmode with 4 stream and detect threads. - Added a BUG_ON macro that aborts the engine if the expression is true. - Better balance the flow queue handler for traffic that doesn't have flow (like icmp currently). - Simplify application level protocol in the Tcp Session. - Add some debugging memory counters.
16 years ago
}
Make sure all smsgs are handled every time, even in case or error. The fuzzer found an issue where unhandled messages remained in the queue leading to threading issues.
16 years ago
/* free the app layer parser api state */
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
if (f->alparser != NULL) {
SCLogDebug("calling AppLayerParserStateStoreFree");
AppLayerParserStateStoreFree(f->alparser);
f->alparser = NULL;
Big update: - Implement "closing" state in flow. - Add protocol specific timeouts. - Lots of stream tracking updates, fixing a lot of out of window issues. - Stream reassembly fixes. - Implement a new IDS runmode with 4 stream and detect threads. - Added a BUG_ON macro that aborts the engine if the expression is true. - Better balance the flow queue handler for traffic that doesn't have flow (like icmp currently). - Simplify application level protocol in the Tcp Session. - Add some debugging memory counters.
16 years ago
}
}
Further work on the stream L7 parser, it's api and the http stub implementation.
16 years ago
/** \brief Create a mapping between the individual parsers local field id's
* and the global field parser id's.
*
*/
app layer error handling
16 years ago
void AppLayerParsersInitPostProcess(void)
{
64 bit cleanup part2
16 years ago
uint16_t u16 = 0;
Update to the parsers.
16 years ago
/* build local->global mapping */
for (u16 = 1; u16 <= al_max_parsers; u16++) {
/* no local parser */
if (al_parser_table[u16].parser_local_id == 0)
continue;
app layer error handling
16 years ago
if (al_parser_table[u16].parser_local_id >
al_proto_table[al_parser_table[u16].proto].map_size)
{
al_proto_table[al_parser_table[u16].proto].map_size =
al_parser_table[u16].parser_local_id;
}
SCLogDebug("map_size %" PRIu32 "", al_proto_table
[al_parser_table[u16].proto].map_size);
Update to the parsers.
16 years ago
}
/* for each proto, alloc the map array */
for (u16 = 0; u16 < ALPROTO_MAX; u16++) {
if (al_proto_table[u16].map_size == 0)
continue;
al_proto_table[u16].map_size++;
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
al_proto_table[u16].map = (AppLayerLocalMap **)SCMalloc
app layer error handling
16 years ago
(al_proto_table[u16].map_size *
sizeof(AppLayerLocalMap *));
Update to the parsers.
16 years ago
if (al_proto_table[u16].map == NULL) {
Fix inconsistent use of dynamic memory allocation
15 years ago
SCLogError(SC_ERR_FATAL, "Fatal error encountered in AppLayerParsersInitPostProcess. Exiting...");
exit(EXIT_FAILURE);
Update to the parsers.
16 years ago
}
app layer error handling
16 years ago
memset(al_proto_table[u16].map, 0, al_proto_table[u16].map_size *
sizeof(AppLayerLocalMap *));
Update to the parsers.
16 years ago
64 bit cleanup part2
16 years ago
uint16_t u = 0;
Update to the parsers.
16 years ago
for (u = 1; u <= al_max_parsers; u++) {
/* no local parser */
if (al_parser_table[u].parser_local_id == 0)
continue;
if (al_parser_table[u].proto != u16)
continue;
64 bit cleanup part2
16 years ago
uint16_t parser_local_id = al_parser_table[u].parser_local_id;
app layer error handling
16 years ago
SCLogDebug("parser_local_id: %" PRIu32 "", parser_local_id);
Update to the parsers.
16 years ago
if (parser_local_id < al_proto_table[u16].map_size) {
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
al_proto_table[u16].map[parser_local_id] = SCMalloc(sizeof(AppLayerLocalMap));
Update to the parsers.
16 years ago
if (al_proto_table[u16].map[parser_local_id] == NULL) {
Fix inconsistent use of dynamic memory allocation
15 years ago
exit(EXIT_FAILURE);
Update to the parsers.
16 years ago
}
al_proto_table[u16].map[parser_local_id]->parser_id = u;
}
}
}
for (u16 = 0; u16 < ALPROTO_MAX; u16++) {
if (al_proto_table[u16].map_size == 0)
continue;
if (al_proto_table[u16].map == NULL)
continue;
64 bit cleanup part2
16 years ago
uint16_t x = 0;
Update to the parsers.
16 years ago
for (x = 0; x < al_proto_table[u16].map_size; x++) {
if (al_proto_table[u16].map[x] == NULL)
continue;
app layer error handling
16 years ago
SCLogDebug("al_proto_table[%" PRIu32 "].map[%" PRIu32 "]->parser_id:"
Application layer detection improvements - improve locking of application layer handling, making sure that the flow cannot be freed/cleared when the detection engine is still working with it. - add a check to the app layer detection to make sure that a match function will only inspect an app layer state if it's of the right type.
16 years ago
" %" PRIu32 "", u16, x, al_proto_table[u16].map[x]->parser_id);
Update to the parsers.
16 years ago
}
}
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*.
16 years ago
}
Introduce new options into the conf file to enable/disable - 1. Proto detection 2. Parsers For app layer protocols. libhtp has now been moved to the section under app-layer.protocols.http, but we still provide backward compatibility with older conf files.
12 years ago
/*************************App Layer Conf Options Parsing***********************/
/**
* \brief Given a protocol name, checks if the parser is enabled in the
* conf file.
*
* \param al_proto Name of the app layer protocol.
*
* \retval 1 If enabled.
* \retval 0 If disabled.
*/
int AppLayerParserEnabled(const char *al_proto)
{
int enabled = 1;
char param[100];
int r = snprintf(param, sizeof(param), "%s%s%s", "app-layer.protocols.",
al_proto, ".enabled");
if (r < 0) {
SCLogError(SC_ERR_FATAL, "snprintf failure.");
exit(EXIT_FAILURE);
} else if (r > (int)sizeof(param)) {
SCLogError(SC_ERR_FATAL, "buffer not big enough to write param.");
exit(EXIT_FAILURE);
}
ConfNode *node = ConfGetNode(param);
if (node == NULL) {
SCLogInfo("Entry for %s not found.", param);
return enabled;
} else {
if (strcasecmp(node->val, "yes") == 0) {
enabled = 1;
} else if (strcasecmp(node->val, "no") == 0) {
enabled = 0;
} else if (strcasecmp(node->val, "detection-only") == 0) {
enabled = 0;
} else {
SCLogError(SC_ERR_FATAL, "Invalid value found for %s.", param);
exit(EXIT_FAILURE);
}
}
return enabled;
}
/**
* \brief Given a protocol name, checks if proto detection is enabled in the
* conf file.
*
* \param al_proto Name of the app layer protocol.
*
* \retval 1 If enabled.
* \retval 0 If disabled.
*/
int AppLayerProtoDetectionEnabled(const char *al_proto)
{
int enabled = 1;
char param[100];
int r = snprintf(param, sizeof(param), "%s%s%s", "app-layer.protocols.",
al_proto, ".enabled");
if (r < 0) {
SCLogError(SC_ERR_FATAL, "snprintf failure.");
exit(EXIT_FAILURE);
} else if (r > (int)sizeof(param)) {
SCLogError(SC_ERR_FATAL, "buffer not big enough to write param.");
exit(EXIT_FAILURE);
}
ConfNode *node = ConfGetNode(param);
if (node == NULL) {
SCLogInfo("Entry for %s not found.", param);
return enabled;
} else {
if (strcasecmp(node->val, "yes") == 0) {
enabled = 1;
} else if (strcasecmp(node->val, "no") == 0) {
enabled = 0;
} else if (strcasecmp(node->val, "detection-only") == 0) {
enabled = 1;
} else {
SCLogError(SC_ERR_FATAL, "Invalid value found for %s.", param);
exit(EXIT_FAILURE);
}
}
return enabled;
}
Add and use EventGetInfo for getting info on an event. Also update existing parsers and app-layer-event Setup to use this.
12 years ago
/**
* \brief Gets event info for this alproto.
*
* \param alproto The app layer protocol.
* \param event_name The event name.
* \param event_id The event id.
* \param The type of event, as represented by AppLayerEventType.
*
* \retval 0 On succesfully returning back info.
* \retval -1 On failure.
*/
int AppLayerGetEventInfo(uint16_t alproto, const char *event_name,
int *event_id, AppLayerEventType *event_type)
Move app event module registration as a part of app layer proto table.
12 years ago
{
Add and use EventGetInfo for getting info on an event. Also update existing parsers and app-layer-event Setup to use this.
12 years ago
if (al_proto_table[alproto].StateGetEventInfo == NULL)
Move app event module registration as a part of app layer proto table.
12 years ago
return -1;
Add and use EventGetInfo for getting info on an event. Also update existing parsers and app-layer-event Setup to use this.
12 years ago
return al_proto_table[alproto].StateGetEventInfo(event_name,
event_id, event_type);
Move app event module registration as a part of app layer proto table.
12 years ago
}
Allow detection ports for alproto to be specified via the conf file. To understand the option have a look at the option app-layer.protocols.tls.detection-ports
12 years ago
void AppLayerParseProbingParserPorts(const char *al_proto_name, uint16_t al_proto,
uint16_t min_depth, uint16_t max_depth,
Introduce detection parser function pointer.
12 years ago
ProbingParserFPtr ProbingParser)
Allow detection ports for alproto to be specified via the conf file. To understand the option have a look at the option app-layer.protocols.tls.detection-ports
12 years ago
{
char param[100];
Inside PP parser, we were using the return value from DetectPortParse as the ip_proto value, which is wrong. We have fixed this now.
12 years ago
uint8_t ip_proto;
DetectProto dp;
Allow detection ports for alproto to be specified via the conf file. To understand the option have a look at the option app-layer.protocols.tls.detection-ports
12 years ago
int r;
ConfNode *node;
ConfNode *proto_node = NULL;
ConfNode *port_node = NULL;
r = snprintf(param, sizeof(param), "%s%s%s", "app-layer.protocols.",
al_proto_name, ".detection-ports");
if (r < 0) {
SCLogError(SC_ERR_FATAL, "snprintf failure.");
exit(EXIT_FAILURE);
} else if (r > (int)sizeof(param)) {
SCLogError(SC_ERR_FATAL, "buffer not big enough to write param.");
exit(EXIT_FAILURE);
}
node = ConfGetNode(param);
if (node == NULL) {
SCLogDebug("Entry for %s not found.", param);
return;
}
/* for each proto */
TAILQ_FOREACH(proto_node, &node->head, next) {
Inside PP parser, we were using the return value from DetectPortParse as the ip_proto value, which is wrong. We have fixed this now.
12 years ago
memset(&dp, 0, sizeof(dp));
r = DetectProtoParse(&dp, proto_node->name);
if (r < 0) {
SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Invalid entry for "
"%s.%s. Accepted values are tcp, udp and sctp",
param, proto_node->name);
exit(EXIT_FAILURE);
}
if (dp.proto[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8))) {
ip_proto = IPPROTO_TCP;
} else if (dp.proto[IPPROTO_UDP / 8] & (1 << (IPPROTO_UDP % 8))) {
ip_proto = IPPROTO_UDP;
} else if (dp.proto[IPPROTO_SCTP / 8] & (1 << (IPPROTO_SCTP % 8))) {
ip_proto = IPPROTO_SCTP;
} else {
Allow detection ports for alproto to be specified via the conf file. To understand the option have a look at the option app-layer.protocols.tls.detection-ports
12 years ago
SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Invalid entry for "
Inside PP parser, we were using the return value from DetectPortParse as the ip_proto value, which is wrong. We have fixed this now.
12 years ago
"%s.%s. Accepted values are tcp, udp and sctp",
param, proto_node->name);
Allow detection ports for alproto to be specified via the conf file. To understand the option have a look at the option app-layer.protocols.tls.detection-ports
12 years ago
exit(EXIT_FAILURE);
}
/* toserver */
r = snprintf(param, sizeof(param), "%s%s%s%s%s", "app-layer.protocols.",
al_proto_name, ".detection-ports.", proto_node->name, ".toserver");
if (r < 0) {
SCLogError(SC_ERR_FATAL, "snprintf failure.");
exit(EXIT_FAILURE);
} else if (r > (int)sizeof(param)) {
SCLogError(SC_ERR_FATAL, "buffer not big enough to write param.");
exit(EXIT_FAILURE);
}
port_node = ConfGetNode(param);
if (port_node != NULL && port_node->val != NULL) {
AppLayerRegisterProbingParser(&alp_proto_ctx,
ip_proto,
port_node->val,
(char *)al_proto_name,
al_proto,
min_depth, max_depth,
STREAM_TOSERVER,
ProbingParser);
}
/* toclient */
r = snprintf(param, sizeof(param), "%s%s%s%s%s", "app-layer.protocols.",
al_proto_name, ".detection-ports.", proto_node->name, ".toclient");
if (r < 0) {
SCLogError(SC_ERR_FATAL, "snprintf failure.");
exit(EXIT_FAILURE);
} else if (r > (int)sizeof(param)) {
SCLogError(SC_ERR_FATAL, "buffer not big enough to write param.");
exit(EXIT_FAILURE);
}
port_node = ConfGetNode(param);
if (port_node != NULL && port_node->val != NULL) {
AppLayerRegisterProbingParser(&alp_proto_ctx,
ip_proto,
port_node->val,
(char *)al_proto_name,
al_proto,
min_depth, max_depth,
STREAM_TOCLIENT,
ProbingParser);
}
}
return;
}
Add support for port based probing parsers for alproto detection
14 years ago
/********************************Probing Parsers*******************************/
app layer probing parser updates
14 years ago
introduce bitmasks instead of alproto_masks for use by the probing parser. Remove all alproto_masks we had previouslys for PP
14 years ago
static uint32_t AppLayerProbingParserGetMask(uint16_t al_proto)
app layer probing parser updates
14 years ago
{
introduce bitmasks instead of alproto_masks for use by the probing parser. Remove all alproto_masks we had previouslys for PP
14 years ago
if (al_proto > ALPROTO_UNKNOWN &&
al_proto < ALPROTO_FAILED) {
return (1 << al_proto);
app layer probing parser updates
14 years ago
} else {
SCLogError(SC_ERR_ALPARSER, "Unknown protocol detected - %"PRIu16,
al_proto);
exit(EXIT_FAILURE);
}
}
Add support for port based probing parsers for alproto detection
14 years ago
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
static inline AppLayerProbingParserElement *AllocAppLayerProbingParserElement(void)
{
AppLayerProbingParserElement *p = SCMalloc(sizeof(AppLayerProbingParserElement));
Use unlikely in malloc failure test. This patch is a result of applying the following coccinelle transformation to suricata sources: @istested@ identifier x; statement S1; identifier func =~ "(SCMalloc|SCStrdup|SCCalloc|SCMallocAligned|SCRealloc)"; @@ x = func(...) ... when != x - if (x == NULL) S1 + if (unlikely(x == NULL)) S1
12 years ago
if (unlikely(p == NULL)) {
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
exit(EXIT_FAILURE);
}
memset(p, 0, sizeof(AppLayerProbingParserElement));
return p;
}
static inline void DeAllocAppLayerProbingParserElement(AppLayerProbingParserElement *p)
{
SCFree(p->al_proto_name);
SCFree(p);
return;
}
static inline AppLayerProbingParserPort *AllocAppLayerProbingParserPort(void)
{
AppLayerProbingParserPort *p = SCMalloc(sizeof(AppLayerProbingParserPort));
Use unlikely in malloc failure test. This patch is a result of applying the following coccinelle transformation to suricata sources: @istested@ identifier x; statement S1; identifier func =~ "(SCMalloc|SCStrdup|SCCalloc|SCMallocAligned|SCRealloc)"; @@ x = func(...) ... when != x - if (x == NULL) S1 + if (unlikely(x == NULL)) S1
12 years ago
if (unlikely(p == NULL)) {
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
exit(EXIT_FAILURE);
}
memset(p, 0, sizeof(AppLayerProbingParserPort));
return p;
}
static inline void DeAllocAppLayerProbingParserPort(AppLayerProbingParserPort *p)
{
AppLayerProbingParserElement *e;
e = p->toserver;
while (e != NULL) {
AppLayerProbingParserElement *e_next = e->next;
DeAllocAppLayerProbingParserElement(e);
e = e_next;
}
e = p->toclient;
while (e != NULL) {
AppLayerProbingParserElement *e_next = e->next;
DeAllocAppLayerProbingParserElement(e);
e = e_next;
}
SCFree(p);
return;
}
static inline AppLayerProbingParser *AllocAppLayerProbingParser(void)
{
AppLayerProbingParser *p = SCMalloc(sizeof(AppLayerProbingParser));
Use unlikely in malloc failure test. This patch is a result of applying the following coccinelle transformation to suricata sources: @istested@ identifier x; statement S1; identifier func =~ "(SCMalloc|SCStrdup|SCCalloc|SCMallocAligned|SCRealloc)"; @@ x = func(...) ... when != x - if (x == NULL) S1 + if (unlikely(x == NULL)) S1
12 years ago
if (unlikely(p == NULL)) {
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
exit(EXIT_FAILURE);
}
memset(p, 0, sizeof(AppLayerProbingParser));
return p;
}
static inline void DeAllocAppLayerProbingParser(AppLayerProbingParser *p)
{
AppLayerProbingParserPort *pt = p->port;
while (pt != NULL) {
AppLayerProbingParserPort *pt_next = pt->next;
DeAllocAppLayerProbingParserPort(pt);
pt = pt_next;
}
SCFree(p);
return;
}
Add support for port based probing parsers for alproto detection
14 years ago
static AppLayerProbingParserElement *
AppLayerCreateAppLayerProbingParserElement(const char *al_proto_name,
uint16_t al_proto,
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
uint16_t port,
Add support for port based probing parsers for alproto detection
14 years ago
uint16_t min_depth,
uint16_t max_depth,
probing parser updated to always accept u32 buflens. Update all probing parser functions to accomodate this change
14 years ago
uint16_t (*AppLayerProbingParser)
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
(uint8_t *input, uint32_t input_len, uint32_t *offset))
Add support for port based probing parsers for alproto detection
14 years ago
{
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
AppLayerProbingParserElement *pe = AllocAppLayerProbingParserElement();
Add support for port based probing parsers for alproto detection
14 years ago
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
pe->al_proto_name = SCStrdup(al_proto_name);
if (pe->al_proto_name == NULL)
exit(EXIT_FAILURE);
Add support for port based probing parsers for alproto detection
14 years ago
pe->al_proto = al_proto;
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
pe->port = port;
app layer probing parser updates
14 years ago
pe->al_proto_mask = AppLayerProbingParserGetMask(al_proto);
Add support for port based probing parsers for alproto detection
14 years ago
pe->min_depth = min_depth;
pe->max_depth = max_depth;
pe->ProbingParser = AppLayerProbingParser;
pe->next = NULL;
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
if (max_depth != 0 && min_depth >= max_depth) {
fix bounds checking in smb probing parser
14 years ago
SCLogError(SC_ERR_ALPARSER, "Invalid arguments sent to "
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
"register the probing parser. min_depth >= max_depth");
fix valgrind issue for SMB test. Small restructuring. probing_parsers global variable now part of AlpProtoDetectCtx
14 years ago
goto error;
}
if (al_proto <= ALPROTO_UNKNOWN || al_proto >= ALPROTO_MAX) {
SCLogError(SC_ERR_ALPARSER, "Invalid arguments sent to register "
"the probing parser. Invalid alproto - %d", al_proto);
goto error;
}
if (AppLayerProbingParser == NULL) {
SCLogError(SC_ERR_ALPARSER, "Invalid arguments sent to "
"register the probing parser. Probing parser func NULL");
goto error;
fix bounds checking in smb probing parser
14 years ago
}
Add support for port based probing parsers for alproto detection
14 years ago
return pe;
fix valgrind issue for SMB test. Small restructuring. probing_parsers global variable now part of AlpProtoDetectCtx
14 years ago
error:
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
DeAllocAppLayerProbingParserElement(pe);
fix valgrind issue for SMB test. Small restructuring. probing_parsers global variable now part of AlpProtoDetectCtx
14 years ago
return NULL;
Add support for port based probing parsers for alproto detection
14 years ago
}
app layer probing parser updates
14 years ago
static AppLayerProbingParserElement *
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
DuplicateAppLayerProbingParserElement(AppLayerProbingParserElement *pe)
Add support for port based probing parsers for alproto detection
14 years ago
{
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
AppLayerProbingParserElement *new_pe = AllocAppLayerProbingParserElement();
Use unlikely for error treatment. When handling error case on SCMallog, SCCalloc or SCStrdup we are in an unlikely case. This patch adds the unlikely() expression to indicate this to gcc. This patch has been obtained via coccinelle. The transformation is the following: @istested@ identifier x; statement S1; identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)"; @@ x = func(...) ... when != x - if (x == NULL) S1 + if (unlikely(x == NULL)) S1
13 years ago
if (unlikely(new_pe == NULL)) {
app layer probing parser updates
14 years ago
return NULL;
Add support for port based probing parsers for alproto detection
14 years ago
}
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
new_pe->al_proto_name = SCStrdup(pe->al_proto_name);
if (new_pe->al_proto_name == NULL)
exit(EXIT_FAILURE);
app layer probing parser updates
14 years ago
new_pe->al_proto = pe->al_proto;
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
new_pe->port = pe->port;
app layer probing parser updates
14 years ago
new_pe->al_proto_mask = pe->al_proto_mask;
new_pe->min_depth = pe->min_depth;
new_pe->max_depth = pe->max_depth;
new_pe->ProbingParser = pe->ProbingParser;
new_pe->next = NULL;
return new_pe;
}
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
void AppLayerPrintProbingParsers(AppLayerProbingParser *pp)
app layer probing parser updates
14 years ago
{
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
AppLayerProbingParserPort *pp_port = NULL;
AppLayerProbingParserElement *pp_pe = NULL;
app layer probing parser updates
14 years ago
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
printf("\n");
app layer probing parser updates
14 years ago
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
for ( ; pp != NULL; pp = pp->next) {
/* print ip protocol */
if (pp->ip_proto == IPPROTO_TCP)
printf("IPProto: TCP\n");
else if (pp->ip_proto == IPPROTO_UDP)
printf("IPProto: UDP\n");
else
printf("IPProto: %"PRIu16"\n", pp->ip_proto);
pp_port = pp->port;
for ( ; pp_port != NULL; pp_port = pp_port->next) {
if (pp_port->toserver == NULL)
goto AppLayerPrintProbingParsers_jump_toclient;
printf(" Port: %"PRIu16 "\n", pp_port->port);
printf(" To_Server: (max-depth: %"PRIu16 ", "
"mask - %"PRIu32")\n",
pp_port->toserver_max_depth,
pp_port->toserver_al_proto_mask);
pp_pe = pp_port->toserver;
for ( ; pp_pe != NULL; pp_pe = pp_pe->next) {
printf(" name: %s\n", pp_pe->al_proto_name);
if (pp_pe->al_proto == ALPROTO_HTTP)
printf(" alproto: ALPROTO_HTTP\n");
else if (pp_pe->al_proto == ALPROTO_FTP)
printf(" alproto: ALPROTO_FTP\n");
else if (pp_pe->al_proto == ALPROTO_SMTP)
printf(" alproto: ALPROTO_SMTP\n");
else if (pp_pe->al_proto == ALPROTO_TLS)
printf(" alproto: ALPROTO_TLS\n");
else if (pp_pe->al_proto == ALPROTO_SSH)
printf(" alproto: ALPROTO_SSH\n");
else if (pp_pe->al_proto == ALPROTO_IMAP)
printf(" alproto: ALPROTO_IMAP\n");
else if (pp_pe->al_proto == ALPROTO_MSN)
printf(" alproto: ALPROTO_MSN\n");
else if (pp_pe->al_proto == ALPROTO_JABBER)
printf(" alproto: ALPROTO_JABBER\n");
else if (pp_pe->al_proto == ALPROTO_SMB)
printf(" alproto: ALPROTO_SMB\n");
else if (pp_pe->al_proto == ALPROTO_SMB2)
printf(" alproto: ALPROTO_SMB2\n");
else if (pp_pe->al_proto == ALPROTO_DCERPC)
printf(" alproto: ALPROTO_DCERPC\n");
else if (pp_pe->al_proto == ALPROTO_DCERPC_UDP)
printf(" alproto: ALPROTO_DCERPC_UDP\n");
else if (pp_pe->al_proto == ALPROTO_IRC)
printf(" alproto: ALPROTO_IRC\n");
else
printf("impossible\n");
printf(" port: %"PRIu16 "\n", pp_pe->port);
printf(" mask: %"PRIu32 "\n", pp_pe->al_proto_mask);
printf(" min_depth: %"PRIu32 "\n", pp_pe->min_depth);
printf(" max_depth: %"PRIu32 "\n", pp_pe->max_depth);
printf("\n");
}
Add support for port based probing parsers for alproto detection
14 years ago
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
AppLayerPrintProbingParsers_jump_toclient:
if (pp_port->toclient == NULL) {
continue;
}
Add support for port based probing parsers for alproto detection
14 years ago
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
printf(" To_Client: (max-depth: %"PRIu16 ", "
"mask - %"PRIu32")\n",
pp_port->toclient_max_depth,
pp_port->toclient_al_proto_mask);
pp_pe = pp_port->toclient;
for ( ; pp_pe != NULL; pp_pe = pp_pe->next) {
printf(" name: %s\n", pp_pe->al_proto_name);
if (pp_pe->al_proto == ALPROTO_HTTP)
printf(" alproto: ALPROTO_HTTP\n");
else if (pp_pe->al_proto == ALPROTO_FTP)
printf(" alproto: ALPROTO_FTP\n");
else if (pp_pe->al_proto == ALPROTO_SMTP)
printf(" alproto: ALPROTO_SMTP\n");
else if (pp_pe->al_proto == ALPROTO_TLS)
printf(" alproto: ALPROTO_TLS\n");
else if (pp_pe->al_proto == ALPROTO_SSH)
printf(" alproto: ALPROTO_SSH\n");
else if (pp_pe->al_proto == ALPROTO_IMAP)
printf(" alproto: ALPROTO_IMAP\n");
else if (pp_pe->al_proto == ALPROTO_MSN)
printf(" alproto: ALPROTO_MSN\n");
else if (pp_pe->al_proto == ALPROTO_JABBER)
printf(" alproto: ALPROTO_JABBER\n");
else if (pp_pe->al_proto == ALPROTO_SMB)
printf(" alproto: ALPROTO_SMB\n");
else if (pp_pe->al_proto == ALPROTO_SMB2)
printf(" alproto: ALPROTO_SMB2\n");
else if (pp_pe->al_proto == ALPROTO_DCERPC)
printf(" alproto: ALPROTO_DCERPC\n");
else if (pp_pe->al_proto == ALPROTO_DCERPC_UDP)
printf(" alproto: ALPROTO_DCERPC_UDP\n");
else if (pp_pe->al_proto == ALPROTO_IRC)
printf(" alproto: ALPROTO_IRC\n");
else
printf("impossible\n");
printf(" port: %"PRIu16 "\n", pp_pe->port);
printf(" mask: %"PRIu32 "\n", pp_pe->al_proto_mask);
printf(" min_depth: %"PRIu32 "\n", pp_pe->min_depth);
printf(" max_depth: %"PRIu32 "\n", pp_pe->max_depth);
printf("\n");
Add support for port based probing parsers for alproto detection
14 years ago
}
}
}
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
return;
}
static inline void AppendAppLayerProbingParserElement(AppLayerProbingParserElement **head_pe,
AppLayerProbingParserElement *new_pe)
{
if (*head_pe == NULL) {
*head_pe = new_pe;
return;
Add support for port based probing parsers for alproto detection
14 years ago
}
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
if ((*head_pe)->port == 0) {
if (new_pe->port != 0) {
new_pe->next = *head_pe;
*head_pe = new_pe;
Add support for port based probing parsers for alproto detection
14 years ago
} else {
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
AppLayerProbingParserElement *temp_pe = *head_pe;
while (temp_pe->next != NULL)
temp_pe = temp_pe->next;
temp_pe->next = new_pe;
Add support for port based probing parsers for alproto detection
14 years ago
}
} else {
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
AppLayerProbingParserElement *temp_pe = *head_pe;
if (new_pe->port == 0) {
while (temp_pe->next != NULL)
temp_pe = temp_pe->next;
temp_pe->next = new_pe;
Add support for port based probing parsers for alproto detection
14 years ago
} else {
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
while (temp_pe->next != NULL && temp_pe->next->port != 0)
temp_pe = temp_pe->next;
new_pe->next = temp_pe->next;
temp_pe->next = new_pe;
Add support for port based probing parsers for alproto detection
14 years ago
}
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
}
app layer probing parser updates
14 years ago
return;
}
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
static inline void AppendAppLayerProbingParser(AppLayerProbingParser **head_pp,
AppLayerProbingParser *new_pp)
app layer probing parser updates
14 years ago
{
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
if (*head_pp == NULL) {
*head_pp = new_pp;
return;
app layer probing parser updates
14 years ago
}
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
AppLayerProbingParser *temp_pp = *head_pp;
while (temp_pp->next != NULL)
temp_pp = temp_pp->next;
temp_pp->next = new_pp;
Add support for port based probing parsers for alproto detection
14 years ago
return;
}
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
static inline void AppendAppLayerProbingParserPort(AppLayerProbingParserPort **head_port,
AppLayerProbingParserPort *new_port)
Add support for port based probing parsers for alproto detection
14 years ago
{
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
if (*head_port == NULL) {
*head_port = new_port;
return;
}
Add support for port based probing parsers for alproto detection
14 years ago
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
if ((*head_port)->port == 0) {
new_port->next = *head_port;
*head_port = new_port;
} else {
AppLayerProbingParserPort *temp_port = *head_port;
while (temp_port->next != NULL && temp_port->next->port != 0) {
temp_port = temp_port->next;
Add support for port based probing parsers for alproto detection
14 years ago
}
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
new_port->next = temp_port->next;
temp_port->next = new_port;
Add support for port based probing parsers for alproto detection
14 years ago
}
return;
}
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
static inline void AppLayerInsertNewProbingParser(AppLayerProbingParser **pp,
uint16_t ip_proto,
uint16_t port,
char *al_proto_name, uint16_t al_proto,
uint16_t min_depth, uint16_t max_depth,
uint8_t flags,
Introduce detection parser function pointer.
12 years ago
ProbingParserFPtr ProbingParser)
app layer probing parser updates
14 years ago
{
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
/* get the top level ipproto pp */
AppLayerProbingParser *curr_pp = *pp;
while (curr_pp != NULL) {
if (curr_pp->ip_proto == ip_proto)
app layer probing parser updates
14 years ago
break;
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
curr_pp = curr_pp->next;
app layer probing parser updates
14 years ago
}
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
if (curr_pp == NULL) {
AppLayerProbingParser *new_pp = AllocAppLayerProbingParser();
new_pp->ip_proto = ip_proto;
AppendAppLayerProbingParser(pp, new_pp);
curr_pp = new_pp;
app layer probing parser updates
14 years ago
}
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
/* get the top level port pp */
AppLayerProbingParserPort *curr_port = curr_pp->port;
while (curr_port != NULL) {
if (curr_port->port == port)
break;
curr_port = curr_port->next;
app layer probing parser updates
14 years ago
}
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
if (curr_port == NULL) {
AppLayerProbingParserPort *new_port = AllocAppLayerProbingParserPort();
new_port->port = port;
AppendAppLayerProbingParserPort(&curr_pp->port, new_port);
curr_port = new_port;
if (flags & STREAM_TOSERVER) {
curr_port->toserver_max_depth = max_depth;
} else {
curr_port->toclient_max_depth = max_depth;
} /* else - if (flags & STREAM_TOSERVER) */
app layer probing parser updates
14 years ago
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
AppLayerProbingParserPort *zero_port;
app layer probing parser updates
14 years ago
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
zero_port = curr_pp->port;
while (zero_port != NULL && zero_port->port != 0) {
zero_port = zero_port->next;
}
if (zero_port != NULL) {
AppLayerProbingParserElement *zero_pe;
zero_pe = zero_port->toserver;
for ( ; zero_pe != NULL; zero_pe = zero_pe->next) {
if (curr_port->toserver == NULL)
curr_port->toserver_max_depth = zero_pe->max_depth;
if (zero_pe->max_depth == 0)
curr_port->toserver_max_depth = zero_pe->max_depth;
if (curr_port->toserver_max_depth != 0 &&
curr_port->toserver_max_depth < zero_pe->max_depth) {
curr_port->toserver_max_depth = zero_pe->max_depth;
}
AppLayerProbingParserElement *dup_pe =
DuplicateAppLayerProbingParserElement(zero_pe);
AppendAppLayerProbingParserElement(&curr_port->toserver, dup_pe);
curr_port->toserver_al_proto_mask |= dup_pe->al_proto_mask;
}
zero_pe = zero_port->toclient;
for ( ; zero_pe != NULL; zero_pe = zero_pe->next) {
if (curr_port->toclient == NULL)
curr_port->toclient_max_depth = zero_pe->max_depth;
if (zero_pe->max_depth == 0)
curr_port->toclient_max_depth = zero_pe->max_depth;
if (curr_port->toclient_max_depth != 0 &&
curr_port->toclient_max_depth < zero_pe->max_depth) {
curr_port->toclient_max_depth = zero_pe->max_depth;
}
app layer probing parser updates
14 years ago
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
AppLayerProbingParserElement *dup_pe =
DuplicateAppLayerProbingParserElement(zero_pe);
AppendAppLayerProbingParserElement(&curr_port->toclient, dup_pe);
curr_port->toclient_al_proto_mask |= dup_pe->al_proto_mask;
}
} /* if (zero_port != NULL) */
} /* if (curr_port == NULL) */
app layer probing parser updates
14 years ago
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
/* insert the pe_pp */
AppLayerProbingParserElement *curr_pe;
if (flags & STREAM_TOSERVER)
curr_pe = curr_port->toserver;
else
curr_pe = curr_port->toclient;
while (curr_pe != NULL) {
if (curr_pe->al_proto == al_proto) {
fix for bug #987. We don't support jabber protocol detection atm. Disable the code check inside suricata to check if jabber protocol detection is enabled in the yaml file. Also updated an error log message for app layer.
12 years ago
SCLogError(SC_ERR_ALPARSER, "Duplicate pp registered - "
"ip_proto - %"PRIu16" Port - %"PRIu16" "
"App Protocol - %s, App Protocol(ID) - "
"%"PRIu16" min_depth - %"PRIu16" "
"max_dept - %"PRIu16".",
ip_proto, port, al_proto_name, al_proto,
min_depth, max_depth);
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
goto error;
}
curr_pe = curr_pe->next;
}
app layer probing parser updates
14 years ago
/* Get a new parser element */
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
AppLayerProbingParserElement *new_pe =
AppLayerCreateAppLayerProbingParserElement(al_proto_name,
al_proto,
curr_port->port,
min_depth, max_depth,
app layer probing parser updates
14 years ago
ProbingParser);
if (new_pe == NULL)
goto error;
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
curr_pe = new_pe;
AppLayerProbingParserElement **head_pe;
if (flags & STREAM_TOSERVER) {
if (curr_port->toserver == NULL)
curr_port->toserver_max_depth = new_pe->max_depth;
if (new_pe->max_depth == 0)
curr_port->toserver_max_depth = new_pe->max_depth;
if (curr_port->toserver_max_depth != 0 &&
curr_port->toserver_max_depth < new_pe->max_depth) {
curr_port->toserver_max_depth = new_pe->max_depth;
Add support for port based probing parsers for alproto detection
14 years ago
}
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
curr_port->toserver_al_proto_mask |= new_pe->al_proto_mask;
head_pe = &curr_port->toserver;
} else {
if (curr_port->toclient == NULL)
curr_port->toclient_max_depth = new_pe->max_depth;
if (new_pe->max_depth == 0)
curr_port->toclient_max_depth = new_pe->max_depth;
if (curr_port->toclient_max_depth != 0 &&
curr_port->toclient_max_depth < new_pe->max_depth) {
curr_port->toclient_max_depth = new_pe->max_depth;
Add support for port based probing parsers for alproto detection
14 years ago
}
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
curr_port->toclient_al_proto_mask |= new_pe->al_proto_mask;
head_pe = &curr_port->toclient;
Add support for port based probing parsers for alproto detection
14 years ago
}
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
AppendAppLayerProbingParserElement(head_pe, new_pe);
Add support for port based probing parsers for alproto detection
14 years ago
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
if (curr_port->port == 0) {
AppLayerProbingParserPort *temp_port = curr_pp->port;
while (temp_port != NULL && temp_port->port != 0) {
if (flags & STREAM_TOSERVER) {
if (temp_port->toserver == NULL)
temp_port->toserver_max_depth = curr_pe->max_depth;
if (curr_pe->max_depth == 0)
temp_port->toserver_max_depth = curr_pe->max_depth;
if (temp_port->toserver_max_depth != 0 &&
temp_port->toserver_max_depth < curr_pe->max_depth) {
temp_port->toserver_max_depth = curr_pe->max_depth;
}
AppendAppLayerProbingParserElement(&temp_port->toserver,
DuplicateAppLayerProbingParserElement(curr_pe));
temp_port->toserver_al_proto_mask |= curr_pe->al_proto_mask;
} else {
if (temp_port->toclient == NULL)
temp_port->toclient_max_depth = curr_pe->max_depth;
if (curr_pe->max_depth == 0)
temp_port->toclient_max_depth = curr_pe->max_depth;
if (temp_port->toclient_max_depth != 0 &&
temp_port->toclient_max_depth < curr_pe->max_depth) {
temp_port->toclient_max_depth = curr_pe->max_depth;
}
AppendAppLayerProbingParserElement(&temp_port->toclient,
DuplicateAppLayerProbingParserElement(curr_pe));
temp_port->toclient_al_proto_mask |= curr_pe->al_proto_mask;
}
temp_port = temp_port->next;
} /* while */
} /* if */
app layer probing parser updates
14 years ago
error:
return;
}
App layer protocol detection updated and improved. We now use confirmation from both directions and set events if there's a mismatch between the 2 directions. FPs from corrupt flows have disappeared with this.
12 years ago
void AppLayerRegisterParserAcceptableDataDirection(uint16_t al_proto,
uint8_t flags)
{
Cosmetic changes to app parser struct. Removed a flag parameter introuced earlier to indicate the data that is first acceptable by the parser. We now use a differently named parameter to carry out the same activity.
12 years ago
al_proto_table[al_proto].first_data_dir |=
(flags & (STREAM_TOSERVER | STREAM_TOCLIENT));
App layer protocol detection updated and improved. We now use confirmation from both directions and set events if there's a mismatch between the 2 directions. FPs from corrupt flows have disappeared with this.
12 years ago
return;
}
void AppLayerMapProbingParserAgainstAlproto(uint16_t al_proto,
uint8_t flags,
ProbingParserFPtr ProbingParser)
{
Rename function pointer var to use the FuncPtr typing convention. Resupply "dns" as the alproto name for ALPROTO_DNS.
12 years ago
al_proto_table[al_proto].PPAlprotoMap[(flags & STREAM_TOSERVER) ? 0 : 1] = ProbingParser;
App layer protocol detection updated and improved. We now use confirmation from both directions and set events if there's a mismatch between the 2 directions. FPs from corrupt flows have disappeared with this.
12 years ago
return;
}
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
void AppLayerRegisterProbingParser(AlpProtoDetectCtx *ctx,
uint16_t ip_proto,
char *portstr,
char *al_proto_name, uint16_t al_proto,
uint16_t min_depth, uint16_t max_depth,
uint8_t flags,
Introduce detection parser function pointer.
12 years ago
ProbingParserFPtr ProbingParser)
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
{
DetectPort *head = NULL;
DetectPortParse(&head, portstr);
DetectPort *temp_dp = head;
while (temp_dp != NULL) {
uint32_t port = temp_dp->port;
if (port == 0 && temp_dp->port2 != 0)
port++;
for ( ; port <= temp_dp->port2; port++) {
AppLayerInsertNewProbingParser(&ctx->probing_parsers,
ip_proto,
port,
al_proto_name, al_proto,
min_depth, max_depth,
flags,
ProbingParser);
}
temp_dp = temp_dp->next;
app layer probing parser updates
14 years ago
}
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
DetectPortCleanupList(head);
app layer probing parser updates
14 years ago
Add support for port based probing parsers for alproto detection
14 years ago
return;
}
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
void AppLayerFreeProbingParsers(AppLayerProbingParser *pp)
Add support for port based probing parsers for alproto detection
14 years ago
{
Fix a leak in app layer parser proto code. Free the proto signatures allocated internally for PM parser.
12 years ago
AppLayerProbingParser *tmp_pp = NULL;
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
if (pp == NULL)
return;
Add support for port based probing parsers for alproto detection
14 years ago
Fix a leak in app layer parser proto code. Free the proto signatures allocated internally for PM parser.
12 years ago
while (pp != NULL) {
tmp_pp = pp->next;
DeAllocAppLayerProbingParser(pp);
pp = tmp_pp;
}
Add support for port based probing parsers for alproto detection
14 years ago
return;
}
/**************************************Unittests*******************************/
app layer error handling
16 years ago
#ifdef UNITTESTS
typedef struct TestState_ {
uint8_t test;
}TestState;
/**
* \brief Test parser function to test the memory deallocation of app layer
* parser of occurence of an error.
*/
app layer htp error handling and fixes for memory leaks and segv
16 years ago
static int TestProtocolParser(Flow *f, void *test_state, AppLayerParserState *pstate,
modify all relevant app layer API calls to accomodate passing parser local storage argument
14 years ago
uint8_t *input, uint32_t input_len,
void *local_data, AppLayerParserResult *output)
app layer error handling
16 years ago
{
return -1;
}
/** \brief Function to allocates the Test protocol state memory
*/
static void *TestProtocolStateAlloc(void)
{
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
void *s = SCMalloc(sizeof(TestState));
Use unlikely for error treatment. When handling error case on SCMallog, SCCalloc or SCStrdup we are in an unlikely case. This patch adds the unlikely() expression to indicate this to gcc. This patch has been obtained via coccinelle. The transformation is the following: @istested@ identifier x; statement S1; identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)"; @@ x = func(...) ... when != x - if (x == NULL) S1 + if (unlikely(x == NULL)) S1
13 years ago
if (unlikely(s == NULL))
app layer error handling
16 years ago
return NULL;
memset(s, 0, sizeof(TestState));
return s;
}
/** \brief Function to free the Test Protocol state memory
*/
static void TestProtocolStateFree(void *s)
{
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
SCFree(s);
app layer error handling
16 years ago
}
Move app event module registration as a part of app layer proto table.
12 years ago
static AppLayerProto al_proto_table_ut_backup[ALPROTO_MAX];
void AppLayerParserBackupAlprotoTable(void)
{
int i;
for (i = ALPROTO_UNKNOWN; i < ALPROTO_MAX; i++)
Add and use EventGetInfo for getting info on an event. Also update existing parsers and app-layer-event Setup to use this.
12 years ago
al_proto_table_ut_backup[i].StateGetEventInfo = al_proto_table[i].StateGetEventInfo;
Move app event module registration as a part of app layer proto table.
12 years ago
return;
}
void AppLayerParserRestoreAlprotoTable(void)
{
int i;
for (i = ALPROTO_UNKNOWN; i < ALPROTO_MAX; i++)
Add and use EventGetInfo for getting info on an event. Also update existing parsers and app-layer-event Setup to use this.
12 years ago
al_proto_table[i].StateGetEventInfo = al_proto_table_ut_backup[i].StateGetEventInfo;
Move app event module registration as a part of app layer proto table.
12 years ago
return;
}
/**
* \test Test the deallocation of app layer parser memory on occurance of
* error in the parsing process.
app layer error handling
16 years ago
*/
static int AppLayerParserTest01 (void)
{
Make sure a stream that has a failing app layer inspection module no longer stops reassembly, but only app layer inspection. This way we can continue to inspect the reassembled stream.
15 years ago
int result = 0;
flow: shrink Flow datatype Introduce a separate FlowAddress structure for holding the ipv4 or ipv6 address that doesn't have the family in it like the Address structure. Instead, the family is stored in the flow as a flag: FLOW_IPV4 and FLOW_IPV6. Add macro's to check the family, copy the address, etc. Update many unittests to reflect these changes. Introduce unittest helper functions for creating and initializing a flow and freeing it again. On 64 bit this shrinks the flow with 8 bytes.
14 years ago
Flow *f = NULL;
app layer error handling
16 years ago
uint8_t testbuf[] = { 0x11 };
uint32_t testlen = sizeof(testbuf);
TcpSession ssn;
memset(&ssn, 0, sizeof(ssn));
/* Register the Test protocol state and parser functions */
AppLayerRegisterProto("test", ALPROTO_TEST, STREAM_TOSERVER,
TestProtocolParser);
AppLayerRegisterStateFuncs(ALPROTO_TEST, TestProtocolStateAlloc,
TestProtocolStateFree);
flow: shrink Flow datatype Introduce a separate FlowAddress structure for holding the ipv4 or ipv6 address that doesn't have the family in it like the Address structure. Instead, the family is stored in the flow as a flag: FLOW_IPV4 and FLOW_IPV6. Add macro's to check the family, copy the address, etc. Update many unittests to reflect these changes. Introduce unittest helper functions for creating and initializing a flow and freeing it again. On 64 bit this shrinks the flow with 8 bytes.
14 years ago
f = UTHBuildFlow(AF_INET, "1.2.3.4", "4.3.2.1", 20, 40);
if (f == NULL)
goto end;
f->protoctx = &ssn;
f->alproto = ALPROTO_TEST;
f->proto = IPPROTO_TCP;
app layer error handling
16 years ago
Stream engine memory handling update The stream engine memory handling needed updating as it didn't scale. Changes: - pools can now be initialized to size 0, meaning unlimited - stream engine uses a memcap setting. Sessions, segments and aldata is part of this, app layer state isn't. - memory is accounted using a global int that is spinlocked. - a counter for sessions that have not been picked up because of memcap was added. - all reassembly errors are converted to debug msgs.
16 years ago
StreamTcpInitConfig(TRUE);
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f->m);
modify all relevant app layer API calls to accomodate passing parser local storage argument
14 years ago
int r = AppLayerParse(NULL, f, ALPROTO_TEST, STREAM_TOSERVER|STREAM_EOF, testbuf,
Remove unused conditional locking code from the app layer parsing code.
16 years ago
testlen);
app layer error handling
16 years ago
if (r != -1) {
Make sure a stream that has a failing app layer inspection module no longer stops reassembly, but only app layer inspection. This way we can continue to inspect the reassembled stream.
15 years ago
printf("returned %" PRId32 ", expected -1: ", r);
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f->m);
app layer error handling
16 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f->m);
app layer error handling
16 years ago
flow: shrink Flow datatype Introduce a separate FlowAddress structure for holding the ipv4 or ipv6 address that doesn't have the family in it like the Address structure. Instead, the family is stored in the flow as a flag: FLOW_IPV4 and FLOW_IPV6. Add macro's to check the family, copy the address, etc. Update many unittests to reflect these changes. Introduce unittest helper functions for creating and initializing a flow and freeing it again. On 64 bit this shrinks the flow with 8 bytes.
14 years ago
if (!(f->flags & FLOW_NO_APPLAYER_INSPECTION))
app layer error handling
16 years ago
{
Make sure a stream that has a failing app layer inspection module no longer stops reassembly, but only app layer inspection. This way we can continue to inspect the reassembled stream.
15 years ago
printf("flag should have been set, but is not: ");
app layer error handling
16 years ago
goto end;
}
Make sure a stream that has a failing app layer inspection module no longer stops reassembly, but only app layer inspection. This way we can continue to inspect the reassembled stream.
15 years ago
result = 1;
app layer error handling
16 years ago
end:
UDP support at AppLayer message handling
15 years ago
StreamTcpFreeConfig(TRUE);
flow: shrink Flow datatype Introduce a separate FlowAddress structure for holding the ipv4 or ipv6 address that doesn't have the family in it like the Address structure. Instead, the family is stored in the flow as a flag: FLOW_IPV4 and FLOW_IPV6. Add macro's to check the family, copy the address, etc. Update many unittests to reflect these changes. Introduce unittest helper functions for creating and initializing a flow and freeing it again. On 64 bit this shrinks the flow with 8 bytes.
14 years ago
UTHFreeFlow(f);
UDP support at AppLayer message handling
15 years ago
return result;
}
Move app event module registration as a part of app layer proto table.
12 years ago
/**
* \test Test the deallocation of app layer parser memory on occurance of
* error in the parsing process for UDP.
UDP support at AppLayer message handling
15 years ago
*/
static int AppLayerParserTest02 (void)
{
int result = 1;
flow: shrink Flow datatype Introduce a separate FlowAddress structure for holding the ipv4 or ipv6 address that doesn't have the family in it like the Address structure. Instead, the family is stored in the flow as a flag: FLOW_IPV4 and FLOW_IPV6. Add macro's to check the family, copy the address, etc. Update many unittests to reflect these changes. Introduce unittest helper functions for creating and initializing a flow and freeing it again. On 64 bit this shrinks the flow with 8 bytes.
14 years ago
Flow *f = NULL;
UDP support at AppLayer message handling
15 years ago
uint8_t testbuf[] = { 0x11 };
uint32_t testlen = sizeof(testbuf);
/* Register the Test protocol state and parser functions */
AppLayerRegisterProto("test", ALPROTO_TEST, STREAM_TOSERVER,
TestProtocolParser);
AppLayerRegisterStateFuncs(ALPROTO_TEST, TestProtocolStateAlloc,
TestProtocolStateFree);
flow: shrink Flow datatype Introduce a separate FlowAddress structure for holding the ipv4 or ipv6 address that doesn't have the family in it like the Address structure. Instead, the family is stored in the flow as a flag: FLOW_IPV4 and FLOW_IPV6. Add macro's to check the family, copy the address, etc. Update many unittests to reflect these changes. Introduce unittest helper functions for creating and initializing a flow and freeing it again. On 64 bit this shrinks the flow with 8 bytes.
14 years ago
f = UTHBuildFlow(AF_INET, "1.2.3.4", "4.3.2.1", 20, 40);
if (f == NULL)
goto end;
f->alproto = ALPROTO_TEST;
f->proto = IPPROTO_UDP;
UDP support at AppLayer message handling
15 years ago
StreamTcpInitConfig(TRUE);
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexLock(&f->m);
modify all relevant app layer API calls to accomodate passing parser local storage argument
14 years ago
int r = AppLayerParse(NULL, f, ALPROTO_TEST, STREAM_TOSERVER|STREAM_EOF, testbuf,
UDP support at AppLayer message handling
15 years ago
testlen);
if (r != -1) {
printf("returned %" PRId32 ", expected -1: \n", r);
result = 0;
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f->m);
UDP support at AppLayer message handling
15 years ago
goto end;
}
unittests: some functions needs a flow lock. In debug validation mode, it is required to call application layer parsing and other functions with a lock on flow. This patch updates the code to do so.
12 years ago
SCMutexUnlock(&f->m);
UDP support at AppLayer message handling
15 years ago
end:
Stream engine memory handling update The stream engine memory handling needed updating as it didn't scale. Changes: - pools can now be initialized to size 0, meaning unlimited - stream engine uses a memcap setting. Sessions, segments and aldata is part of this, app layer state isn't. - memory is accounted using a global int that is spinlocked. - a counter for sessions that have not been picked up because of memcap was added. - all reassembly errors are converted to debug msgs.
16 years ago
StreamTcpFreeConfig(TRUE);
flow: shrink Flow datatype Introduce a separate FlowAddress structure for holding the ipv4 or ipv6 address that doesn't have the family in it like the Address structure. Instead, the family is stored in the flow as a flag: FLOW_IPV4 and FLOW_IPV6. Add macro's to check the family, copy the address, etc. Update many unittests to reflect these changes. Introduce unittest helper functions for creating and initializing a flow and freeing it again. On 64 bit this shrinks the flow with 8 bytes.
14 years ago
UTHFreeFlow(f);
app layer error handling
16 years ago
return result;
}
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
typedef struct AppLayerPPTestDataElement_ {
char *al_proto_name;
uint16_t al_proto;
uint16_t port;
uint32_t al_proto_mask;
uint32_t min_depth;
uint32_t max_depth;
} AppLayerPPTestDataElement;
typedef struct AppLayerPPTestDataPort_ {
uint16_t port;
uint32_t toserver_al_proto_mask;
uint32_t toclient_al_proto_mask;
uint16_t toserver_max_depth;
uint16_t toclient_max_depth;
AppLayerPPTestDataElement *toserver_element;
AppLayerPPTestDataElement *toclient_element;
int ts_no_of_element;
int tc_no_of_element;
} AppLayerPPTestDataPort;
typedef struct AppLayerPPTestDataIPProto_ {
uint16_t ip_proto;
AppLayerPPTestDataPort *port;
int no_of_port;
} AppLayerPPTestDataIPProto;
int AppLayerPPTestData(AppLayerProbingParser *pp,
AppLayerPPTestDataIPProto *ip_proto, int no_of_ip_proto)
Add support for port based probing parsers for alproto detection
14 years ago
{
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
int result = 0;
int i, j, k;
Fix compiler warning app-layer-parser.c: In function ‘AppLayerPPTestData’: app-layer-parser.c:2525:9: error: variable ‘dir’ set but not used [-Werror=unused-but-set-variable] int dir = 0; ^
12 years ago
#ifdef DEBUG
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
int dir = 0;
Fix compiler warning app-layer-parser.c: In function ‘AppLayerPPTestData’: app-layer-parser.c:2525:9: error: variable ‘dir’ set but not used [-Werror=unused-but-set-variable] int dir = 0; ^
12 years ago
#endif
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
for (i = 0; i < no_of_ip_proto; i++, pp = pp->next) {
if (pp->ip_proto != ip_proto[i].ip_proto)
goto end;
AppLayerProbingParserPort *pp_port = pp->port;
for (k = 0; k < ip_proto[i].no_of_port; k++, pp_port = pp_port->next) {
if (pp_port->port != ip_proto[i].port[k].port)
goto end;
if (pp_port->toserver_al_proto_mask != ip_proto[i].port[k].toserver_al_proto_mask)
goto end;
if (pp_port->toclient_al_proto_mask != ip_proto[i].port[k].toclient_al_proto_mask)
goto end;
if (pp_port->toserver_max_depth != ip_proto[i].port[k].toserver_max_depth)
goto end;
if (pp_port->toclient_max_depth != ip_proto[i].port[k].toclient_max_depth)
goto end;
AppLayerProbingParserElement *pp_element = pp_port->toserver;
Fix compiler warning app-layer-parser.c: In function ‘AppLayerPPTestData’: app-layer-parser.c:2525:9: error: variable ‘dir’ set but not used [-Werror=unused-but-set-variable] int dir = 0; ^
12 years ago
#ifdef DEBUG
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
dir = 0;
Fix compiler warning app-layer-parser.c: In function ‘AppLayerPPTestData’: app-layer-parser.c:2525:9: error: variable ‘dir’ set but not used [-Werror=unused-but-set-variable] int dir = 0; ^
12 years ago
#endif
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
for (j = 0 ; j < ip_proto[i].port[k].ts_no_of_element;
j++, pp_element = pp_element->next) {
if ((strlen(pp_element->al_proto_name) !=
strlen(ip_proto[i].port[k].toserver_element[j].al_proto_name)) ||
strcasecmp(pp_element->al_proto_name,
ip_proto[i].port[k].toserver_element[j].al_proto_name) != 0) {
goto end;
}
if (pp_element->al_proto != ip_proto[i].port[k].toserver_element[j].al_proto) {
goto end;
}
if (pp_element->port != ip_proto[i].port[k].toserver_element[j].port) {
goto end;
}
if (pp_element->al_proto_mask != ip_proto[i].port[k].toserver_element[j].al_proto_mask) {
goto end;
}
if (pp_element->min_depth != ip_proto[i].port[k].toserver_element[j].min_depth) {
goto end;
}
if (pp_element->max_depth != ip_proto[i].port[k].toserver_element[j].max_depth) {
goto end;
}
} /* for */
if (pp_element != NULL)
goto end;
pp_element = pp_port->toclient;
Fix compiler warning app-layer-parser.c: In function ‘AppLayerPPTestData’: app-layer-parser.c:2525:9: error: variable ‘dir’ set but not used [-Werror=unused-but-set-variable] int dir = 0; ^
12 years ago
#ifdef DEBUG
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
dir = 1;
Fix compiler warning app-layer-parser.c: In function ‘AppLayerPPTestData’: app-layer-parser.c:2525:9: error: variable ‘dir’ set but not used [-Werror=unused-but-set-variable] int dir = 0; ^
12 years ago
#endif
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
for (j = 0 ; j < ip_proto[i].port[k].tc_no_of_element; j++, pp_element = pp_element->next) {
if ((strlen(pp_element->al_proto_name) !=
strlen(ip_proto[i].port[k].toclient_element[j].al_proto_name)) ||
strcasecmp(pp_element->al_proto_name,
ip_proto[i].port[k].toclient_element[j].al_proto_name) != 0) {
goto end;
}
if (pp_element->al_proto != ip_proto[i].port[k].toclient_element[j].al_proto) {
goto end;
}
if (pp_element->port != ip_proto[i].port[k].toclient_element[j].port) {
goto end;
}
if (pp_element->al_proto_mask != ip_proto[i].port[k].toclient_element[j].al_proto_mask) {
goto end;
}
if (pp_element->min_depth != ip_proto[i].port[k].toclient_element[j].min_depth) {
goto end;
}
if (pp_element->max_depth != ip_proto[i].port[k].toclient_element[j].max_depth) {
goto end;
}
} /* for */
if (pp_element != NULL)
goto end;
}
if (pp_port != NULL)
goto end;
}
if (pp != NULL)
goto end;
Add support for port based probing parsers for alproto detection
14 years ago
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
result = 1;
end:
Fix compiler warning app-layer-parser.c: In function ‘AppLayerPPTestData’: app-layer-parser.c:2525:9: error: variable ‘dir’ set but not used [-Werror=unused-but-set-variable] int dir = 0; ^
12 years ago
#ifdef DEBUG
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
printf("i = %d, k = %d, j = %d(%s)\n", i, k, j, (dir == 0) ? "ts" : "tc");
#endif
return result;
}
Add support for port based probing parsers for alproto detection
14 years ago
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
uint16_t ProbingParserDummyForTesting(uint8_t *input, uint32_t input_len, uint32_t *offset)
{
return 0;
Add support for port based probing parsers for alproto detection
14 years ago
}
app layer error handling
16 years ago
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
static int AppLayerProbingParserTest01(void)
app layer error handling
16 years ago
{
Add support for port based probing parsers for alproto detection
14 years ago
int result = 0;
fix valgrind issue for SMB test. Small restructuring. probing_parsers global variable now part of AlpProtoDetectCtx
14 years ago
AlpProtoDetectCtx ctx;
AlpProtoInit(&ctx);
AppLayerRegisterProbingParser(&ctx,
Add support for port based probing parsers for alproto detection
14 years ago
IPPROTO_TCP,
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
"80",
Add support for port based probing parsers for alproto detection
14 years ago
"http",
ALPROTO_HTTP,
5, 8,
STREAM_TOSERVER,
fix valgrind issue for SMB test. Small restructuring. probing_parsers global variable now part of AlpProtoDetectCtx
14 years ago
ProbingParserDummyForTesting);
AppLayerRegisterProbingParser(&ctx,
Add support for port based probing parsers for alproto detection
14 years ago
IPPROTO_TCP,
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
"80",
Add support for port based probing parsers for alproto detection
14 years ago
"smb",
ALPROTO_SMB,
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
5, 6,
STREAM_TOSERVER,
ProbingParserDummyForTesting);
AppLayerRegisterProbingParser(&ctx,
IPPROTO_TCP,
"80",
"ftp",
ALPROTO_FTP,
7, 10,
Add support for port based probing parsers for alproto detection
14 years ago
STREAM_TOSERVER,
fix valgrind issue for SMB test. Small restructuring. probing_parsers global variable now part of AlpProtoDetectCtx
14 years ago
ProbingParserDummyForTesting);
Add support for port based probing parsers for alproto detection
14 years ago
fix valgrind issue for SMB test. Small restructuring. probing_parsers global variable now part of AlpProtoDetectCtx
14 years ago
AppLayerRegisterProbingParser(&ctx,
Add support for port based probing parsers for alproto detection
14 years ago
IPPROTO_TCP,
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
"81",
Add support for port based probing parsers for alproto detection
14 years ago
"dcerpc",
ALPROTO_DCERPC,
9, 10,
STREAM_TOSERVER,
fix valgrind issue for SMB test. Small restructuring. probing_parsers global variable now part of AlpProtoDetectCtx
14 years ago
ProbingParserDummyForTesting);
AppLayerRegisterProbingParser(&ctx,
Add support for port based probing parsers for alproto detection
14 years ago
IPPROTO_TCP,
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
"81",
"ftp",
ALPROTO_FTP,
7, 15,
Add support for port based probing parsers for alproto detection
14 years ago
STREAM_TOSERVER,
fix valgrind issue for SMB test. Small restructuring. probing_parsers global variable now part of AlpProtoDetectCtx
14 years ago
ProbingParserDummyForTesting);
AppLayerRegisterProbingParser(&ctx,
Add support for port based probing parsers for alproto detection
14 years ago
IPPROTO_TCP,
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
"0",
"smtp",
ALPROTO_SMTP,
12, 0,
STREAM_TOSERVER,
ProbingParserDummyForTesting);
AppLayerRegisterProbingParser(&ctx,
IPPROTO_TCP,
"0",
"tls",
ALPROTO_TLS,
12, 18,
Add support for port based probing parsers for alproto detection
14 years ago
STREAM_TOSERVER,
fix valgrind issue for SMB test. Small restructuring. probing_parsers global variable now part of AlpProtoDetectCtx
14 years ago
ProbingParserDummyForTesting);
Add support for port based probing parsers for alproto detection
14 years ago
fix valgrind issue for SMB test. Small restructuring. probing_parsers global variable now part of AlpProtoDetectCtx
14 years ago
AppLayerRegisterProbingParser(&ctx,
Add support for port based probing parsers for alproto detection
14 years ago
IPPROTO_TCP,
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
"85",
Add support for port based probing parsers for alproto detection
14 years ago
"dcerpc",
ALPROTO_DCERPC,
9, 10,
STREAM_TOSERVER,
fix valgrind issue for SMB test. Small restructuring. probing_parsers global variable now part of AlpProtoDetectCtx
14 years ago
ProbingParserDummyForTesting);
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
AppLayerRegisterProbingParser(&ctx,
IPPROTO_TCP,
"85",
"ftp",
ALPROTO_FTP,
7, 15,
STREAM_TOSERVER,
ProbingParserDummyForTesting);
Add support for port based probing parsers for alproto detection
14 years ago
result = 1;
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
AppLayerRegisterProbingParser(&ctx,
IPPROTO_UDP,
"85",
"imap",
ALPROTO_IMAP,
12, 23,
STREAM_TOSERVER,
ProbingParserDummyForTesting);
Add support for port based probing parsers for alproto detection
14 years ago
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
/* toclient */
AppLayerRegisterProbingParser(&ctx,
IPPROTO_TCP,
"0",
"jabber",
ALPROTO_JABBER,
12, 23,
STREAM_TOCLIENT,
ProbingParserDummyForTesting);
AppLayerRegisterProbingParser(&ctx,
IPPROTO_TCP,
"0",
"irc",
ALPROTO_IRC,
12, 14,
STREAM_TOCLIENT,
ProbingParserDummyForTesting);
Add support for port based probing parsers for alproto detection
14 years ago
fix valgrind issue for SMB test. Small restructuring. probing_parsers global variable now part of AlpProtoDetectCtx
14 years ago
AppLayerRegisterProbingParser(&ctx,
Add support for port based probing parsers for alproto detection
14 years ago
IPPROTO_TCP,
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
"85",
"dcerpc",
ALPROTO_DCERPC,
9, 10,
STREAM_TOCLIENT,
ProbingParserDummyForTesting);
AppLayerRegisterProbingParser(&ctx,
IPPROTO_TCP,
"81",
"ftp",
ALPROTO_FTP,
7, 15,
STREAM_TOCLIENT,
ProbingParserDummyForTesting);
AppLayerRegisterProbingParser(&ctx,
IPPROTO_TCP,
"0",
"tls",
ALPROTO_TLS,
12, 18,
STREAM_TOCLIENT,
ProbingParserDummyForTesting);
AppLayerRegisterProbingParser(&ctx,
IPPROTO_TCP,
"80",
Add support for port based probing parsers for alproto detection
14 years ago
"http",
ALPROTO_HTTP,
5, 8,
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
STREAM_TOCLIENT,
fix valgrind issue for SMB test. Small restructuring. probing_parsers global variable now part of AlpProtoDetectCtx
14 years ago
ProbingParserDummyForTesting);
AppLayerRegisterProbingParser(&ctx,
Add support for port based probing parsers for alproto detection
14 years ago
IPPROTO_TCP,
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
"81",
Add support for port based probing parsers for alproto detection
14 years ago
"dcerpc",
ALPROTO_DCERPC,
9, 10,
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
STREAM_TOCLIENT,
fix valgrind issue for SMB test. Small restructuring. probing_parsers global variable now part of AlpProtoDetectCtx
14 years ago
ProbingParserDummyForTesting);
AppLayerRegisterProbingParser(&ctx,
Add support for port based probing parsers for alproto detection
14 years ago
IPPROTO_TCP,
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
"90",
"ftp",
ALPROTO_FTP,
7, 15,
STREAM_TOCLIENT,
fix valgrind issue for SMB test. Small restructuring. probing_parsers global variable now part of AlpProtoDetectCtx
14 years ago
ProbingParserDummyForTesting);
AppLayerRegisterProbingParser(&ctx,
Add support for port based probing parsers for alproto detection
14 years ago
IPPROTO_TCP,
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
"80",
Add support for port based probing parsers for alproto detection
14 years ago
"smb",
ALPROTO_SMB,
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
5, 6,
STREAM_TOCLIENT,
fix valgrind issue for SMB test. Small restructuring. probing_parsers global variable now part of AlpProtoDetectCtx
14 years ago
ProbingParserDummyForTesting);
AppLayerRegisterProbingParser(&ctx,
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
IPPROTO_UDP,
"85",
"imap",
ALPROTO_IMAP,
12, 23,
STREAM_TOCLIENT,
fix valgrind issue for SMB test. Small restructuring. probing_parsers global variable now part of AlpProtoDetectCtx
14 years ago
ProbingParserDummyForTesting);
AppLayerRegisterProbingParser(&ctx,
Add support for port based probing parsers for alproto detection
14 years ago
IPPROTO_TCP,
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
"0",
"smtp",
ALPROTO_SMTP,
12, 17,
STREAM_TOCLIENT,
fix valgrind issue for SMB test. Small restructuring. probing_parsers global variable now part of AlpProtoDetectCtx
14 years ago
ProbingParserDummyForTesting);
AppLayerRegisterProbingParser(&ctx,
Add support for port based probing parsers for alproto detection
14 years ago
IPPROTO_TCP,
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
"80",
"ftp",
ALPROTO_FTP,
7, 10,
STREAM_TOCLIENT,
fix valgrind issue for SMB test. Small restructuring. probing_parsers global variable now part of AlpProtoDetectCtx
14 years ago
ProbingParserDummyForTesting);
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
//AppLayerPrintProbingParsers(ctx.probing_parsers);
AppLayerPPTestDataElement element_ts_80[] =
{ { "http", ALPROTO_HTTP, 80, 1 << ALPROTO_HTTP, 5, 8 },
{ "smb", ALPROTO_SMB, 80, 1 << ALPROTO_SMB, 5, 6 },
{ "ftp", ALPROTO_FTP, 80, 1 << ALPROTO_FTP, 7, 10 },
{ "smtp", ALPROTO_SMTP, 0, 1 << ALPROTO_SMTP, 12, 0 },
{ "tls", ALPROTO_TLS, 0, 1 << ALPROTO_TLS, 12, 18 },
{ "irc", ALPROTO_IRC, 0, 1 << ALPROTO_IRC, 12, 25 },
{ "jabber", ALPROTO_JABBER, 0, 1 << ALPROTO_JABBER, 12, 23 },
};
AppLayerPPTestDataElement element_tc_80[] =
{ { "http", ALPROTO_HTTP, 80, 1 << ALPROTO_HTTP, 5, 8 },
{ "smb", ALPROTO_SMB, 80, 1 << ALPROTO_SMB, 5, 6 },
{ "ftp", ALPROTO_FTP, 80, 1 << ALPROTO_FTP, 7, 10 },
{ "jabber", ALPROTO_JABBER, 0, 1 << ALPROTO_JABBER, 12, 23 },
{ "irc", ALPROTO_IRC, 0, 1 << ALPROTO_IRC, 12, 14 },
{ "tls", ALPROTO_TLS, 0, 1 << ALPROTO_TLS, 12, 18 },
{ "smtp", ALPROTO_SMTP, 0, 1 << ALPROTO_SMTP, 12, 17 }
};
AppLayerPPTestDataElement element_ts_81[] =
{ { "dcerpc", ALPROTO_DCERPC, 81, 1 << ALPROTO_DCERPC, 9, 10 },
{ "ftp", ALPROTO_FTP, 81, 1 << ALPROTO_FTP, 7, 15 },
{ "smtp", ALPROTO_SMTP, 0, 1 << ALPROTO_SMTP, 12, 0 },
{ "tls", ALPROTO_TLS, 0, 1 << ALPROTO_TLS, 12, 18 },
{ "irc", ALPROTO_IRC, 0, 1 << ALPROTO_IRC, 12, 25 },
{ "jabber", ALPROTO_JABBER, 0, 1 << ALPROTO_JABBER, 12, 23 },
};
AppLayerPPTestDataElement element_tc_81[] =
{ { "ftp", ALPROTO_FTP, 81, 1 << ALPROTO_FTP, 7, 15 },
{ "dcerpc", ALPROTO_DCERPC, 81, 1 << ALPROTO_DCERPC, 9, 10 },
{ "jabber", ALPROTO_JABBER, 0, 1 << ALPROTO_JABBER, 12, 23 },
{ "irc", ALPROTO_IRC, 0, 1 << ALPROTO_IRC, 12, 14 },
{ "tls", ALPROTO_TLS, 0, 1 << ALPROTO_TLS, 12, 18 },
{ "smtp", ALPROTO_SMTP, 0, 1 << ALPROTO_SMTP, 12, 17 }
};
AppLayerPPTestDataElement element_ts_85[] =
{ { "dcerpc", ALPROTO_DCERPC, 85, 1 << ALPROTO_DCERPC, 9, 10 },
{ "ftp", ALPROTO_FTP, 85, 1 << ALPROTO_FTP, 7, 15 },
{ "smtp", ALPROTO_SMTP, 0, 1 << ALPROTO_SMTP, 12, 0 },
{ "tls", ALPROTO_TLS, 0, 1 << ALPROTO_TLS, 12, 18 },
{ "irc", ALPROTO_IRC, 0, 1 << ALPROTO_IRC, 12, 25 },
{ "jabber", ALPROTO_JABBER, 0, 1 << ALPROTO_JABBER, 12, 23 },
};
AppLayerPPTestDataElement element_tc_85[] =
{ { "dcerpc", ALPROTO_DCERPC, 85, 1 << ALPROTO_DCERPC, 9, 10 },
{ "jabber", ALPROTO_JABBER, 0, 1 << ALPROTO_JABBER, 12, 23 },
{ "irc", ALPROTO_IRC, 0, 1 << ALPROTO_IRC, 12, 14 },
{ "tls", ALPROTO_TLS, 0, 1 << ALPROTO_TLS, 12, 18 },
{ "smtp", ALPROTO_SMTP, 0, 1 << ALPROTO_SMTP, 12, 17 }
};
AppLayerPPTestDataElement element_ts_90[] =
{ { "smtp", ALPROTO_SMTP, 0, 1 << ALPROTO_SMTP, 12, 0 },
{ "tls", ALPROTO_TLS, 0, 1 << ALPROTO_TLS, 12, 18 },
{ "irc", ALPROTO_IRC, 0, 1 << ALPROTO_IRC, 12, 25 },
{ "jabber", ALPROTO_JABBER, 0, 1 << ALPROTO_JABBER, 12, 23 },
};
AppLayerPPTestDataElement element_tc_90[] =
{ { "ftp", ALPROTO_FTP, 90, 1 << ALPROTO_FTP, 7, 15 },
{ "jabber", ALPROTO_JABBER, 0, 1 << ALPROTO_JABBER, 12, 23 },
{ "irc", ALPROTO_IRC, 0, 1 << ALPROTO_IRC, 12, 14 },
{ "tls", ALPROTO_TLS, 0, 1 << ALPROTO_TLS, 12, 18 },
{ "smtp", ALPROTO_SMTP, 0, 1 << ALPROTO_SMTP, 12, 17 }
};
AppLayerPPTestDataElement element_ts_0[] =
{ { "smtp", ALPROTO_SMTP, 0, 1 << ALPROTO_SMTP, 12, 0 },
{ "tls", ALPROTO_TLS, 0, 1 << ALPROTO_TLS, 12, 18 },
{ "irc", ALPROTO_IRC, 0, 1 << ALPROTO_IRC, 12, 25 },
{ "jabber", ALPROTO_JABBER, 0, 1 << ALPROTO_JABBER, 12, 23 },
};
AppLayerPPTestDataElement element_tc_0[] =
{ { "jabber", ALPROTO_JABBER, 0, 1 << ALPROTO_JABBER, 12, 23 },
{ "irc", ALPROTO_IRC, 0, 1 << ALPROTO_IRC, 12, 14 },
{ "tls", ALPROTO_TLS, 0, 1 << ALPROTO_TLS, 12, 18 },
{ "smtp", ALPROTO_SMTP, 0, 1 << ALPROTO_SMTP, 12, 17 }
};
AppLayerPPTestDataElement element_ts_85_udp[] =
{ { "imap", ALPROTO_IMAP, 85, 1 << ALPROTO_IMAP, 12, 23 },
};
AppLayerPPTestDataElement element_tc_85_udp[] =
{ { "imap", ALPROTO_IMAP, 85, 1 << ALPROTO_IMAP, 12, 23 },
};
AppLayerPPTestDataPort ports_tcp[] =
{ { 80,
((1 << ALPROTO_HTTP) | (1 << ALPROTO_SMB) | (1 << ALPROTO_FTP) |
(1 << ALPROTO_SMTP) | (1 << ALPROTO_TLS) | (1 << ALPROTO_IRC) | (1 << ALPROTO_JABBER)),
((1 << ALPROTO_HTTP) | (1 << ALPROTO_SMB) | (1 << ALPROTO_FTP) |
(1 << ALPROTO_JABBER) | (1 << ALPROTO_IRC) | (1 << ALPROTO_TLS) | (1 << ALPROTO_SMTP)),
0, 23,
element_ts_80, element_tc_80,
sizeof(element_ts_80) / sizeof(AppLayerPPTestDataElement),
sizeof(element_tc_80) / sizeof(AppLayerPPTestDataElement),
},
{ 81,
((1 << ALPROTO_DCERPC) | (1 << ALPROTO_FTP) |
(1 << ALPROTO_SMTP) | (1 << ALPROTO_TLS) | (1 << ALPROTO_IRC) | (1 << ALPROTO_JABBER)),
((1 << ALPROTO_FTP) | (1 << ALPROTO_DCERPC) |
(1 << ALPROTO_JABBER) | (1 << ALPROTO_IRC) | (1 << ALPROTO_TLS) | (1 << ALPROTO_SMTP)),
0, 23,
element_ts_81, element_tc_81,
sizeof(element_ts_81) / sizeof(AppLayerPPTestDataElement),
sizeof(element_tc_81) / sizeof(AppLayerPPTestDataElement),
},
{ 85,
((1 << ALPROTO_DCERPC) | (1 << ALPROTO_FTP) |
(1 << ALPROTO_SMTP) | (1 << ALPROTO_TLS) | (1 << ALPROTO_IRC) | (1 << ALPROTO_JABBER)),
((1 << ALPROTO_DCERPC) |
(1 << ALPROTO_JABBER) | (1 << ALPROTO_IRC) | (1 << ALPROTO_TLS) | (1 << ALPROTO_SMTP)),
0, 23,
element_ts_85, element_tc_85,
sizeof(element_ts_85) / sizeof(AppLayerPPTestDataElement),
sizeof(element_tc_85) / sizeof(AppLayerPPTestDataElement)
},
{ 90,
((1 << ALPROTO_SMTP) | (1 << ALPROTO_TLS) | (1 << ALPROTO_IRC) | (1 << ALPROTO_JABBER)),
((1 << ALPROTO_FTP) |
(1 << ALPROTO_JABBER) | (1 << ALPROTO_IRC) | (1 << ALPROTO_TLS) | (1 << ALPROTO_SMTP)),
0, 23,
element_ts_90, element_tc_90,
sizeof(element_ts_90) / sizeof(AppLayerPPTestDataElement),
sizeof(element_tc_90) / sizeof(AppLayerPPTestDataElement)
},
{ 0,
((1 << ALPROTO_SMTP) | (1 << ALPROTO_TLS) | (1 << ALPROTO_IRC) | (1 << ALPROTO_JABBER)),
((1 << ALPROTO_JABBER) | (1 << ALPROTO_IRC) | (1 << ALPROTO_TLS) | (1 << ALPROTO_SMTP)),
0, 23,
element_ts_0, element_tc_0,
sizeof(element_ts_0) / sizeof(AppLayerPPTestDataElement),
sizeof(element_tc_0) / sizeof(AppLayerPPTestDataElement)
}
};
AppLayerPPTestDataPort ports_udp[] =
{ { 85,
(1 << ALPROTO_IMAP),
(1 << ALPROTO_IMAP),
23, 23,
element_ts_85_udp, element_tc_85_udp,
sizeof(element_ts_85_udp) / sizeof(AppLayerPPTestDataElement),
sizeof(element_tc_85_udp) / sizeof(AppLayerPPTestDataElement),
},
};
AppLayerPPTestDataIPProto ip_proto[] =
{ { IPPROTO_TCP,
ports_tcp,
sizeof(ports_tcp) / sizeof(AppLayerPPTestDataPort),
},
{ IPPROTO_UDP,
ports_udp,
sizeof(ports_udp) / sizeof(AppLayerPPTestDataPort),
},
};
if (AppLayerPPTestData(ctx.probing_parsers, ip_proto,
sizeof(ip_proto) / sizeof(AppLayerPPTestDataIPProto)) == 0) {
goto end;
Add support for port based probing parsers for alproto detection
14 years ago
}
app layer probing parser updates
14 years ago
result = 1;
end:
AlpProtoTestDestroy(&ctx);
return result;
}
Add support for port based probing parsers for alproto detection
14 years ago
#endif /* UNITESTS */
void AppLayerParserRegisterTests(void)
{
#ifdef UNITTESTS
Add --unittests-coverage option to list how many code modules have tests
12 years ago
int i;
for (i = 0; i < ALPROTO_MAX; i++) {
AppLayerProto *p = &al_proto_table[i];
if (p->name == NULL)
continue;
g_ut_modules++;
if (p->RegisterUnittests != NULL) {
p->RegisterUnittests();
g_ut_covered++;
} else {
if (coverage_unittests)
SCLogWarning(SC_WARN_NO_UNITTESTS, "app layer module %s has no "
"unittests", p->name);
}
}
Add support for port based probing parsers for alproto detection
14 years ago
UtRegisterTest("AppLayerParserTest01", AppLayerParserTest01, 1);
UtRegisterTest("AppLayerParserTest02", AppLayerParserTest02, 1);
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
UtRegisterTest("AppLayerProbingParserTest01",
AppLayerProbingParserTest01, 1);
Add support for port based probing parsers for alproto detection
14 years ago
#endif /* UNITTESTS */
return;
app layer error handling
16 years ago
}