|
|
|
|
/* Copyright (C) 2007-2013 Open Information Security Foundation
|
|
|
|
|
*
|
|
|
|
|
* You can copy, redistribute or modify this Program under the terms of
|
|
|
|
|
* the GNU General Public License version 2 as published by the Free
|
|
|
|
|
* Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* version 2 along with this program; if not, write to the Free Software
|
|
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
|
|
|
|
* 02110-1301, USA.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \file
|
|
|
|
|
*
|
|
|
|
|
* \author Victor Julien <victor@inliniac.net>
|
|
|
|
|
* \author Anoop Saldanha <anoopsaldanha@gmail.com>
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#ifndef __APP_LAYER_PROTOS_H__
|
|
|
|
|
#define __APP_LAYER_PROTOS_H__
|
|
|
|
|
|
|
|
|
|
enum AppProtoEnum {
|
|
|
|
|
ALPROTO_UNKNOWN = 0,
|
|
|
|
|
ALPROTO_HTTP,
|
|
|
|
|
ALPROTO_FTP,
|
|
|
|
|
ALPROTO_SMTP,
|
|
|
|
|
ALPROTO_TLS, /* SSLv2, SSLv3 & TLSv1 */
|
|
|
|
|
ALPROTO_SSH,
|
|
|
|
|
ALPROTO_IMAP,
|
|
|
|
|
ALPROTO_MSN,
|
|
|
|
|
ALPROTO_JABBER,
|
|
|
|
|
ALPROTO_SMB,
|
|
|
|
|
ALPROTO_DCERPC,
|
|
|
|
|
ALPROTO_IRC,
|
|
|
|
|
|
|
|
|
|
ALPROTO_DNS,
|
|
|
|
|
ALPROTO_MODBUS,
|
|
|
|
|
ALPROTO_ENIP,
|
|
|
|
|
ALPROTO_DNP3,
|
|
|
|
|
ALPROTO_NFS,
|
|
|
|
|
ALPROTO_NTP,
|
|
|
|
|
ALPROTO_FTPDATA,
|
|
|
|
|
ALPROTO_TFTP,
|
|
|
|
|
ALPROTO_IKEV2,
|
|
|
|
|
ALPROTO_KRB5,
|
|
|
|
|
ALPROTO_DHCP,
|
|
|
|
|
ALPROTO_TEMPLATE,
|
|
|
|
|
ALPROTO_TEMPLATE_RUST,
|
|
|
|
|
|
|
|
|
|
/* used by the probing parser when alproto detection fails
|
|
|
|
|
* permanently for that particular stream */
|
|
|
|
|
ALPROTO_FAILED,
|
|
|
|
|
#ifdef UNITTESTS
|
|
|
|
|
ALPROTO_TEST,
|
|
|
|
|
#endif /* UNITESTS */
|
|
|
|
|
/* keep last */
|
|
|
|
|
ALPROTO_MAX,
|
|
|
|
|
};
|
|
|
|
|
// NOTE: if ALPROTO's get >= 256, update SignatureNonPrefilterStore
|
|
|
|
|
|
|
|
|
|
/* not using the enum as that is a unsigned int, so 4 bytes */
|
|
|
|
|
typedef uint16_t AppProto;
|
|
|
|
|
|
proto-detect: improve midstream support
When Suricata picks up a flow it assumes the first packet is
toserver. In a perfect world without packet loss and where all
sessions neatly start after Suricata itself started, this would be
true. However, in reality we have to account for packet loss and
Suricata starting to get packets for flows already active be for
Suricata is (re)started.
The protocol records on the wire would often be able to tell us more
though. For example in SMB1 and SMB2 records there is a flag that
indicates whether the record is a request or a response. This patch
is enabling the procotol detection engine to utilize this information
to 'reverse' the flow.
There are three ways in which this is supported in this patch:
1. patterns for detection are registered per direction. If the proto
was not recognized in the traffic direction, and midstream is
enabled, the pattern set for the opposing direction is also
evaluated. If that matches, the flow is considered to be in the
wrong direction and is reversed.
2. probing parsers now have a way to feed back their understanding
of the flow direction. They are now passed the direction as
Suricata sees the traffic when calling the probing parsers. The
parser can then see if its own observation matches that, and
pass back it's own view to the caller.
3. a new pattern + probing parser set up: probing parsers can now
be registered with a pattern, so that when the pattern matches
the probing parser is called as well. The probing parser can
then provide the protocol detection engine with the direction
of the traffic.
The process of reversing takes a multi step approach as well:
a. reverse the current packets direction
b. reverse most of the flows direction sensitive flags
c. tag the flow as 'reversed'. This is because the 5 tuple is
*not* reversed, since it is immutable after the flows creation.
Most of the currently registered parsers benefit already:
- HTTP/SMTP/FTP/TLS patterns are registered per direction already
so they will benefit from the pattern midstream logic in (1)
above.
- the Rust based SMB parser uses a mix of pattern + probing parser
as described in (3) above.
- the NFS detection is purely done by probing parser and is updated
to consider the direction in that parser.
Other protocols, such as DNS, are still to do.
Ticket: #2572
6 years ago
|
|
|
static inline bool AppProtoIsValid(AppProto a)
|
|
|
|
|
{
|
|
|
|
|
return ((a > ALPROTO_UNKNOWN && a < ALPROTO_FAILED));
|
|
|
|
|
}
|
|
|
|
|
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
/**
|
|
|
|
|
* \brief Maps the ALPROTO_*, to its string equivalent.
|
|
|
|
|
*
|
|
|
|
|
* \param alproto App layer protocol id.
|
|
|
|
|
*
|
|
|
|
|
* \retval String equivalent for the alproto.
|
|
|
|
|
*/
|
|
|
|
|
const char *AppProtoToString(AppProto alproto);
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief Maps a string to its ALPROTO_* equivalent.
|
|
|
|
|
*
|
|
|
|
|
* \param String equivalent for the alproto.
|
|
|
|
|
*
|
|
|
|
|
* \retval alproto App layer protocol id, or ALPROTO_UNKNOWN.
|
|
|
|
|
*/
|
|
|
|
|
AppProto StringToAppProto(const char *proto_name);
|
|
|
|
|
|
|
|
|
|
#endif /* __APP_LAYER_PROTOS_H__ */
|
