app-layer: scripts to setup app-layer templates

setup-app-layer.sh sets up an application layer detector and
parser template.

setup-app-layer-logger.sh sets up a JSON application layer
transaction logger for an application parser that has
already been provisioned.

setup-app-layer-detect.sh sets up a keyword for performing
content inspections on buffers created by the application
layer.

scripts/setup-app-layer-detect.sh

@@ -0,0 +1,233 @@
+#! /bin/sh
+#
+# Script to provision a new application layer detector and parser.
+
+set -e
+
+function usage() {
+    cat <<EOF
+
+usage: $0 <protocol name>
+
+This script will provision content inspection for app-layer decoded
+buffers.
+
+Examples:
+
+    $0 DNP3
+    $0 Gopher
+
+EOF
+}
+
+fail_if_exists() {
+    path="$1"
+    if test -e "${path}"; then
+	echo "error: ${path} already exists."
+	exit 1
+    fi
+}
+
+function copy_template_file() {
+    src="$1"
+    dst="$2"
+
+    echo "Creating ${dst}."
+
+    sed -e "s/TEMPLATE/${protoname_upper}/g" \
+	-e "s/template/${protoname_lower}/g" \
+	-e "s/Template/${protoname}/g" > ${dst} < ${src}
+}
+
+function copy_templates() {
+    detect_h_dst="src/detect-${protoname_lower}-buffer.h"
+    detect_c_dst="src/detect-${protoname_lower}-buffer.c"
+    detect_engine_h_dst="src/detect-engine-${protoname_lower}.h"
+    detect_engine_c_dst="src/detect-engine-${protoname_lower}.c"
+
+    fail_if_exists ${detect_h_dst}
+    fail_if_exists ${detect_c_dst}
+    fail_if_exists ${detect_engine_h_dst}
+    fail_if_exists ${detect_engine_c_dst}
+
+    copy_template_file "src/detect-template-buffer.h" ${detect_h_dst}
+    copy_template_file "src/detect-template-buffer.c" ${detect_c_dst}
+    copy_template_file "src/detect-engine-template.h" ${detect_engine_h_dst}
+    copy_template_file "src/detect-engine-template.c" ${detect_engine_c_dst}
+}
+
+function patch_makefile_am() {
+    filename="src/Makefile.am"
+    echo "Patching ${filename}."
+    ed -s ${filename} > /dev/null <<EOF
+/^detect-engine-template.c
+t-
+s/template/${protoname_lower}/g
+/^detect-template-buffer.c
+t-
+s/template/${protoname_lower}/g
+w
+EOF
+}
+
+function patch_detect_engine_content_inspection_h() {
+    filename="src/detect-engine-content-inspection.h"
+    echo "Patching ${filename}."
+    ed -s ${filename} > /dev/null <<EOF
+/DETECT_ENGINE_CONTENT_INSPECTION_MODE_TEMPLATE_BUFFER
+t-
+s/TEMPLATE/${protoname_upper}/
+w
+EOF
+}
+
+function patch_detect_engine_state_h() {
+    filename="src/detect-engine-state.h"
+    echo "Patching ${filename}."
+    ed -s ${filename} > /dev/null <<EOF
+/#define DE_STATE_FLAG_TEMPLATE_BUFFER_INSPECT
+t-
+s/TEMPLATE/${protoname_upper}/
+w
+EOF
+}
+
+function patch_detect_engine_c() {
+    filename="src/detect-engine.c"
+    echo "Patching ${filename}."
+    ed -s ${filename} > /dev/null <<EOF
+/#include "detect-engine-template.h"
+t-
+s/template/${protoname_lower}/
+w
+/ALPROTO_TEMPLATE
+-2
+.,+6t-
+-6
+.,+6s/Template/${protoname}/g
+-6
+.,+6s/TEMPLATE/${protoname_upper}/g
++6
+/ALPROTO_TEMPLATE
+-2
+.,+6t-
+-6
+.,+6s/Template/${protoname}/g
+-6
+.,+6s/TEMPLATE/${protoname_upper}/g
+w
+EOF
+
+    ed -s ${filename} > /dev/null <<EOF
+/case DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH
+.,+1t-
+-
+s/TEMPLATE/${protoname_upper}/g
++
+s/template/${protoname_lower}/g
+w
+EOF
+}
+
+function patch_detect_parse_c() {
+    filename="src/detect-parse.c"
+    echo "Patching ${filename}."
+    ed -s ${filename} > /dev/null <<EOF
+/\/\* Template\. \*\/
+.,+4t-
+-4s/Template/${protoname}/g
++1s/TEMPLATE/${protoname_upper}/g
+w
+EOF
+}
+
+function patch_detect_c() {
+    filename="src/detect.c"
+    echo "Patching ${filename}."
+    ed -s ${filename} > /dev/null <<EOF
+/#include "detect-template-buffer.h"
+t-
+s/template/${protoname_lower}/
+/case ALPROTO_TEMPLATE
+.,+3t-
+-3
+s/ALPROTO_TEMPLATE/ALPROTO_${protoname_upper}/g
++
+s/template/${protoname_lower}/g
++
+s/TEMPLATE/${protoname_upper}/g
++2
+/ALPROTO_TEMPLATE
+.,+3t-
+-3
+.,+s/TEMPLATE/${protoname_upper}/g
++
+s/template/${protoname_lower}/g
++3
+/SIG_MASK_REQUIRE_TEMPLATE_STATE
+.t-
+s/TEMPLATE/${protoname_upper}/g
+/DetectTemplateBufferRegister
+t-
+s/Template/${protoname}/
+w
+EOF
+}
+
+function patch_detect_h() {
+    filename="src/detect.h"
+    echo "Patching ${filename}."
+    ed -s ${filename} > /dev/null <<EOF
+/DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH
+t-
+s/TEMPLATE/${protoname_upper}/
+/SIG_MASK_REQUIRE_TEMPLATE_STATE
+t-
+s/TEMPLATE/${protoname_upper}/
+/DETECT_AL_TEMPLATE_BUFFER
+t-
+s/TEMPLATE/${protoname_upper}/
+w
+EOF
+}
+
+protoname="$1"
+
+if [ "${protoname}" = "" ]; then
+    usage
+    exit 1
+fi
+
+protoname_lower=$(printf ${protoname} | tr '[:upper:]' '[:lower:]')
+protoname_upper=$(printf ${protoname} | tr '[:lower:]' '[:upper:]')
+
+copy_templates
+patch_makefile_am
+patch_detect_engine_content_inspection_h
+patch_detect_engine_state_h
+patch_detect_engine_c
+patch_detect_parse_c
+patch_detect_c
+patch_detect_h
+
+cat <<EOF
+
+The following files have been created and linked into the build:
+
+    detect-${protoname_lower}-buffer.h detect-${protoname_lower}-buffer.c
+
+        The setup for the content inspection modifier keyword.
+
+    detect-engine-${protoname_lower}.h detect-engine-${protoname_lower}.c
+
+        The content inspection engine.
+
+Please fix in src/detect-engine-state.h the values for:
+    DE_STATE_FLAG_${protoname_upper}_BUFFER_INSPECT
+    DE_STATE_FLAG_TEMPLATE_BUFFER_INSPECT
+
+Please fix in src/detect.h the values for:
+    SIG_MASK_REQUIRE_${protoname_upper}_STATE
+    SIG_MASK_REQUIRE_TEMPLATE_STATE
+
+EOF

scripts/setup-app-layer-logger.sh

@@ -0,0 +1,154 @@
+#! /bin/sh
+
+set -e
+
+function usage() {
+    cat <<EOF
+
+usage: $0 <protocol name>
+
+This script will provision a new JSON application layer transaction
+logger for the protocol name specified on the command line. This is
+done by copying and patching src/output-json-template.h and
+src/output-json-template.c then link the new files into the build
+system.
+
+It is required that the application layer parser has already been
+provisioned by the setup-app-layer.sh script.
+
+Examples:
+
+    $0 DNP3
+    $0 Gopher
+
+EOF
+}
+
+fail_if_exists() {
+    path="$1"
+    if test -e "${path}"; then
+	echo "error: ${path} already exists."
+	exit 1
+    fi
+}
+
+function copy_template_file() {
+    src="$1"
+    dst="$2"
+
+    echo "Creating ${dst}."
+    
+    sed -e "s/TEMPLATE/${protoname_upper}/g" \
+	-e "s/template/${protoname_lower}/g" \
+	-e "s/Template/${protoname}/g" > ${dst} < ${src}
+}
+
+function copy_templates() {
+    src_h="src/output-json-template.h"
+    dst_h="src/output-json-${protoname_lower}.h"
+    src_c="src/output-json-template.c"
+    dst_c="src/output-json-${protoname_lower}.c"
+
+    fail_if_exists ${dst_h}
+    fail_if_exists ${dst_c}
+
+    copy_template_file ${src_h} ${dst_h}
+    copy_template_file ${src_c} ${dst_c}
+}
+
+function patch_makefile_am() {
+    filename="src/Makefile.am"
+    echo "Patching ${filename}."
+    ed -s ${filename} > /dev/null <<EOF
+/output-json-template.c
+t-
+s/template/${protoname_lower}/
+w
+EOF
+}
+
+function patch_suricata_c() {
+    filename="src/suricata.c"
+    echo "Patching ${filename}."
+    ed -s ${filename} > /dev/null <<EOF
+/#include "output-json-template.h"
+t-
+s/template/${protoname_lower}/
+/TmModuleJsonTemplateLogRegister
+-
+.,+t-
+-
+.,+s/Template/${protoname}/
+w
+EOF
+}
+
+patch_tm_modules_c() {
+    filename="src/tm-modules.c"
+    echo "Patching ${filename}."
+    ed -s ${filename} > /dev/null <<EOF
+/TMM_JSONTEMPLATELOG
+t-
+s/TEMPLATE/${protoname_upper}
+w
+EOF
+}
+
+patch_tm_threads_common_h() {
+    filename="src/tm-threads-common.h"
+    echo "Patching ${filename}."
+    ed -s ${filename} > /dev/null <<EOF
+/TMM_JSONTEMPLATELOG
+t-
+s/TEMPLATE/${protoname_upper}
+w
+EOF
+}
+
+patch_suricata_yaml_in() {
+    filename="suricata.yaml.in"
+    echo "Patching ${filename}."
+    ed -s ${filename} > /dev/null <<EOF
+/eve-log:
+/types:
+a
+        - ${protoname_lower}
+.
+w
+EOF
+}
+
+protoname="$1"
+
+if [ "${protoname}" = "" ]; then
+    usage
+    exit 1
+fi
+
+protoname_lower=$(printf ${protoname} | tr '[:upper:]' '[:lower:]')
+protoname_upper=$(printf ${protoname} | tr '[:lower:]' '[:upper:]')
+
+# Requires that the protocol has already been setup.
+if ! grep -q "ALPROTO_${protoname_upper}" src/app-layer-protos.h; then
+    echo "error: no app-layer parser exists for ALPROTO_${protoname_upper}."
+    exit 1
+fi
+
+copy_templates
+patch_makefile_am
+patch_suricata_c
+patch_tm_modules_c
+patch_tm_threads_common_h
+patch_suricata_yaml_in
+
+cat <<EOF
+
+A JSON application layer transaction logger for the protocol
+${protoname} has now been set in the files:
+
+    src/output-json-${protoname_lower}.h
+    src/output-json-${protoname_lower}.c
+
+and should now build cleanly. Try running 'make'.
+
+EOF

scripts/setup-app-layer.sh

@@ -0,0 +1,166 @@
+#! /bin/sh
+#
+# Script to provision a new application layer detector and parser.
+
+set -e
+#set -x
+
+function usage() {
+    cat <<EOF
+
+usage: $0 <protocol name>
+
+This script will provision a new app-layer parser for the protocol
+name specified on the command line. This is done by copying and
+patching src/app-layer-template.[ch] then linking the new files into
+the build system.
+
+Examples:
+
+    $0 DNP3
+    $0 Gopher
+
+EOF
+}
+
+fail_if_exists() {
+    path="$1"
+    if test -e "${path}"; then
+	echo "error: ${path} already exists."
+	exit 1
+    fi
+}
+
+function copy_template_file() {
+    src="$1"
+    dst="$2"
+
+    echo "Creating ${dst}."
+    
+    sed -e "s/TEMPLATE/${protoname_upper}/g" \
+	-e "s/template/${protoname_lower}/g" \
+	-e "s/Template/${protoname}/g" > ${dst} < ${src}
+}
+
+function copy_app_layer_templates {
+    src_h="src/app-layer-template.h"
+    dst_h="src/app-layer-${protoname_lower}.h"
+    src_c="src/app-layer-template.c"
+    dst_c="src/app-layer-${protoname_lower}.c"
+
+    fail_if_exists ${dst_h}
+    fail_if_exists ${dst_c}
+
+    copy_template_file ${src_h} ${dst_h}
+    copy_template_file ${src_c} ${dst_c}
+}
+
+function patch_makefile_am {
+    filename="src/Makefile.am"
+    echo "Patching ${filename}."
+    ed -s ${filename} > /dev/null <<EOF
+/app-layer-template
+t-
+s/template/${protoname_lower}/g
+w
+EOF
+}
+
+function patch_app_layer_protos_h {
+    filename="src/app-layer-protos.h"
+    echo "Patching ${filename}."
+    ed -s ${filename} > /dev/null <<EOF
+/ALPROTO_TEMPLATE
+t-
+s/TEMPLATE/${protoname_upper}/
+w
+EOF
+}
+
+function patch_app_layer_protos_c {
+    filename="src/app-layer-protos.c"
+    echo "Patching ${filename}."
+    ed -s ${filename} > /dev/null <<EOF
+/case ALPROTO_TEMPLATE
+.,+2t-
+-2
+s/TEMPLATE/${protoname_upper}/
++
+s/template/${protoname_lower}/
+w
+EOF
+}
+
+function patch_app_layer_detect_proto_c() {
+    filename="src/app-layer-detect-proto.c"
+    echo "Patching ${filename}."
+    ed -s ${filename} > /dev/null <<EOF
+/== ALPROTO_TEMPLATE
+.,+t-
+-,.s/TEMPLATE/${protoname_upper}/
++3
+/== ALPROTO_TEMPLATE
+.,+t-
+-,.s/TEMPLATE/${protoname_upper}/
++3
+w
+EOF
+}
+
+function patch_app_layer_parser_c() {
+    filename="src/app-layer-parser.c"
+    echo "Patching ${filename}."
+    ed -s ${filename} > /dev/null <<EOF
+/#include "app-layer-template.h"
+t-
+s/template/${protoname_lower}/
+/RegisterTemplateParsers
+t-
+s/Template/${protoname}/
+w
+EOF
+}
+
+function patch_suricata_yaml_in() {
+    filename="suricata.yaml.in"
+    echo "Patching ${filename}."
+    ed -s ${filename} > /dev/null <<EOF
+/^app-layer:
+/protocols:
+a
+    ${protoname_lower}:
+      enabled: yes
+.
+w
+EOF
+}
+
+protoname="$1"
+
+if [ "${protoname}" = "" ]; then
+    usage
+    exit 1
+fi
+
+protoname_lower=$(printf ${protoname} | tr '[:upper:]' '[:lower:]')
+protoname_upper=$(printf ${protoname} | tr '[:lower:]' '[:upper:]')
+
+copy_app_layer_templates
+patch_makefile_am
+patch_app_layer_protos_h
+patch_app_layer_protos_c
+patch_app_layer_detect_proto_c
+patch_app_layer_parser_c
+patch_suricata_yaml_in
+
+cat <<EOF
+
+An application detector and parser for the protocol ${protoname} has
+now been setup in the files:
+
+    src/app-layer-${protoname_lower}.h
+    src/app-layer-${protoname_lower}.c
+
+and should now build cleanly. Try running 'make'.
+
+EOF