diff --git a/src/app-layer-dns-common.c b/src/app-layer-dns-common.c index d291d25b3a..b69618392b 100644 --- a/src/app-layer-dns-common.c +++ b/src/app-layer-dns-common.c @@ -22,6 +22,7 @@ */ #include "suricata-common.h" +#include "app-layer-parser.h" #include "app-layer-dns-common.h" #ifdef DEBUG #include "util-print.h" @@ -37,9 +38,25 @@ SCEnumCharMap dns_decoder_event_table[ ] = { { NULL, -1 }, }; -/** \brief register event map */ -void DNSAppLayerDecoderEventsRegister(int alproto) { - AppLayerRegisterEventsTable(alproto, dns_decoder_event_table); +int DNSStateGetEventInfo(const char *event_name, + int *event_id, AppLayerEventType *event_type) +{ + *event_id = SCMapEnumNameToValue(event_name, dns_decoder_event_table); + if (*event_id == -1) { + SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%s\" not present in " + "dns's enum map table.", event_name); + /* this should be treated as fatal */ + return -1; + } + + *event_type = APP_LAYER_EVENT_TYPE_GENERAL; + + return 0; +} + +void DNSAppLayerRegisterGetEventInfo(uint16_t alproto) +{ + return AppLayerRegisterGetEventInfo(alproto, DNSStateGetEventInfo); } AppLayerDecoderEvents *DNSGetEvents(void *state, uint64_t id) { diff --git a/src/app-layer-dns-common.h b/src/app-layer-dns-common.h index 1782188bb1..acbc2ec010 100644 --- a/src/app-layer-dns-common.h +++ b/src/app-layer-dns-common.h @@ -155,6 +155,9 @@ void RegisterDNSParsers(void); void DNSParserTests(void); void DNSParserRegisterTests(void); void DNSAppLayerDecoderEventsRegister(int alproto); +int DNSStateGetEventInfo(const char *event_name, + int *event_id, AppLayerEventType *event_type); +void DNSAppLayerRegisterGetEventInfo(uint16_t alproto); void *DNSGetTx(void *alstate, uint64_t tx_id); uint64_t DNSGetTxCnt(void *alstate); diff --git a/src/app-layer-dns-tcp.c b/src/app-layer-dns-tcp.c index b8f6072635..da96641f27 100644 --- a/src/app-layer-dns-tcp.c +++ b/src/app-layer-dns-tcp.c 
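Review bot: `DNSAppLayerRegisterGetEventInfo` is declared `void` but its body is `return AppLayerRegisterGetEventInfo(alproto, DNSStateGetEventInfo);`. A `return` with an expression in a void function is a constraint violation in ISO C, which compilers accept only as an extension. Drop the keyword so the line reads `AppLayerRegisterGetEventInfo(alproto, DNSStateGetEventInfo);`. The removed function carried a `\brief` comment and the two replacements have none. A short Doxygen block on `DNSStateGetEventInfo` should say that on failure `*event_id` is set to -1 and `*event_type` is left untouched.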
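Review bot: The prototype `void DNSAppLayerDecoderEventsRegister(int alproto);` survives as a context line in this header hunk, although its definition is removed from app-layer-dns-common.c in the same commit and both DNS callers are switched to the new function. Delete the stale declaration, so that any caller left elsewhere in the tree is caught at compile time instead of surfacing as an unresolved symbol at link time.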
@@ -620,12 +620,13 @@ void RegisterDNSTCPParsers(void) { DNSGetAlstateProgress); AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_DNS_TCP, DNSGetAlstateProgressCompletionStatus); + DNSAppLayerRegisterGetEventInfo(ALPROTO_DNS_TCP); } else { SCLogInfo("Parsed disabled for %s protocol. Protocol detection" "still on.", proto_name); } - DNSAppLayerDecoderEventsRegister(ALPROTO_DNS_TCP); + return; } /* UNITTESTS */ diff --git a/src/app-layer-dns-udp.c b/src/app-layer-dns-udp.c index 91354c10ab..cde5c8aa5f 100644 --- a/src/app-layer-dns-udp.c +++ b/src/app-layer-dns-udp.c @@ -341,7 +341,7 @@ void RegisterDNSUDPParsers(void) { AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_DNS_UDP, DNSGetAlstateProgressCompletionStatus); - DNSAppLayerDecoderEventsRegister(ALPROTO_DNS_UDP); + DNSAppLayerRegisterGetEventInfo(ALPROTO_DNS_UDP); } else { SCLogInfo("Parsed disabled for %s protocol. Protocol detection" "still on.", proto_name); diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c index e875c4c7dc..f3bd657bee 100644 --- a/src/app-layer-htp.c +++ b/src/app-layer-htp.c @@ -28,6 +28,7 @@ * \author Gurvinder Singh * \author Pablo Rincon * \author Brian Rectanus + * \author Anoop Saldanha * * This file provides a HTTP protocol support for the engine using HTP library. */ @@ -69,6 +70,7 @@ #include "detect-engine-state.h" #include "detect-parse.h" +#include "decode-events.h" #include "conf.h" #include "util-memcmp.h" 
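Review bot: For DNS over TCP the event lookup is now registered only inside the parser-enabled branch, whereas the removed `DNSAppLayerDecoderEventsRegister(ALPROTO_DNS_TCP);` ran after the if/else regardless of that setting. With the parser disabled, `AppLayerGetEventInfo` finds a NULL callback and returns -1, so rules that reference DNS app-layer events would presumably be rejected at load time. If that is intended, record it next to the call, for example `/* event lookup is only available when the parser is enabled */`. The added trailing `return;` at the end of a void function is redundant and can be dropped. RegisterDNSTCPParsers begins outside the hunk.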
@@ -2387,6 +2389,22 @@ static int HTPStateGetAlstateProgressCompletionStatus(uint8_t direction) return (direction == 0) ? HTP_REQUEST_COMPLETE : HTP_RESPONSE_COMPLETE; } +int HTPStateGetEventInfo(const char *event_name, + int *event_id, AppLayerEventType *event_type) +{ + *event_id = SCMapEnumNameToValue(event_name, http_decoder_event_table); + if (*event_id == -1) { + SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%s\" not present in " + "http's enum map table.", event_name); + /* this should be treated as fatal */ + return -1; + } + + *event_type = APP_LAYER_EVENT_TYPE_GENERAL; + + return 0; +} + static void HTPStateTruncate(void *state, uint8_t flags) { FileContainer *fc = HTPStateGetFiles(state, flags); if (fc != NULL) { @@ -2442,7 +2460,7 @@ void RegisterHTPParsers(void) AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_HTTP, HTPStateGetAlstateProgressCompletionStatus); - AppLayerRegisterEventsTable(ALPROTO_HTTP, http_decoder_event_table); + AppLayerRegisterGetEventInfo(ALPROTO_HTTP, HTPStateGetEventInfo); AppLayerRegisterTruncateFunc(ALPROTO_HTTP, HTPStateTruncate); diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c index ab60d2966d..b4f5e7d501 100644 --- a/src/app-layer-parser.c +++ b/src/app-layer-parser.c @@ -857,10 +857,12 @@ void AppLayerRegisterLogger(uint16_t proto) { al_proto_table[proto].logger = TRUE; } -void AppLayerRegisterEventsTable(uint16_t alproto, - SCEnumCharMap *events_table) +void AppLayerRegisterGetEventInfo(uint16_t alproto, + int (*StateGetEventInfo)(const char *event_name, + int *event_id, + AppLayerEventType *event_type)) { - al_proto_table[alproto].events_table = events_table; + al_proto_table[alproto].StateGetEventInfo = StateGetEventInfo; } AppLayerParserStateStore *AppLayerParserStateStoreAlloc(void) 
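Review bot: `HTPStateGetEventInfo` is added with external linkage, while the neighbouring callbacks visible in this hunk (`HTPStateGetAlstateProgressCompletionStatus`, `HTPStateTruncate`) are `static`. As far as the diff shows it is only passed to `AppLayerRegisterGetEventInfo` in the same file, so declare it `static int HTPStateGetEventInfo(...)`. The same applies to `SMTPStateGetEventInfo` in app-layer-smtp.c and `SSLStateGetEventInfo` in app-layer-ssl.c, unless a header outside this diff declares them. The body is also repeated almost verbatim for DNS, SMTP, SSL and the unit test, differing only in the table and the protocol word in the log message. One shared helper taking the table and the protocol name would keep the failure handling in a single place.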
@@ -1635,19 +1637,25 @@ int AppLayerProtoDetectionEnabled(const char *al_proto) return enabled; } -int AppLayerGetAlprotoEventInfo(uint16_t alproto, const char *event_name, - int *event_id) +/** + * \brief Gets event info for this alproto. + * + * \param alproto The app layer protocol. + * \param event_name The event name. + * \param event_id The event id. + * \param The type of event, as represented by AppLayerEventType. + * + * \retval 0 On succesfully returning back info. + * \retval -1 On failure. + */ +int AppLayerGetEventInfo(uint16_t alproto, const char *event_name, + int *event_id, AppLayerEventType *event_type) { - *event_id = SCMapEnumNameToValue(event_name, al_proto_table[alproto].events_table); - if (*event_id == -1) { - SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%s\" not present in " - "\"%s\"'s enum map table.", event_name, - al_proto_table[alproto].name); - /* yes this is fatal */ + if (al_proto_table[alproto].StateGetEventInfo == NULL) return -1; - } - return 0; + return al_proto_table[alproto].StateGetEventInfo(event_name, + event_id, event_type); } void AppLayerParseProbingParserPorts(const char *al_proto_name, uint16_t al_proto, @@ -2356,21 +2364,13 @@ static void TestProtocolStateFree(void *s) SCFree(s); } -/****Unittests*****/ - static AppLayerProto al_proto_table_ut_backup[ALPROTO_MAX]; -/** - * \brief Backup al_proto_table. - * - * Currently we backup only the event table. Feel free to backup - * other stuff as and when required. - */ void AppLayerParserBackupAlprotoTable(void) { int i; for (i = ALPROTO_UNKNOWN; i < ALPROTO_MAX; i++) - al_proto_table_ut_backup[i].events_table = al_proto_table[i].events_table; + al_proto_table_ut_backup[i].StateGetEventInfo = al_proto_table[i].StateGetEventInfo; return; } 
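Review bot: The new Doxygen block for `AppLayerGetEventInfo` contains `\param The type of event, as represented by AppLayerEventType.` with the parameter name missing. Write `\param event_type Pointer to an instance to send back the event type.` and correct "succesfully" to "successfully". The header comment in app-layer-parser.h (hunk at -458,8) likewise still documents only `event_id`. On the `StateGetEventInfo == NULL` path the function returns -1 without logging, so the caller's "don't have event ... registered" message also covers the case where the protocol has no lookup registered at all. A distinct log line on that path would make a rejected rule easier to diagnose.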
@@ -2379,7 +2379,7 @@ void AppLayerParserRestoreAlprotoTable(void) { int i; for (i = ALPROTO_UNKNOWN; i < ALPROTO_MAX; i++) - al_proto_table[i].events_table = al_proto_table_ut_backup[i].events_table; + al_proto_table[i].StateGetEventInfo = al_proto_table_ut_backup[i].StateGetEventInfo; return; } diff --git a/src/app-layer-parser.h b/src/app-layer-parser.h index 4155791747..07c42d9097 100644 --- a/src/app-layer-parser.h +++ b/src/app-layer-parser.h @@ -51,8 +51,6 @@ typedef struct AppLayerProto_ { AppLayerLocalMap **map; - SCEnumCharMap *events_table; - void *(*StateAlloc)(void); void (*StateFree)(void *); void (*StateTransactionFree)(void *, uint64_t); @@ -71,6 +69,9 @@ typedef struct AppLayerProto_ { void *(*StateGetTx)(void *alstate, uint64_t tx_id); int (*StateGetAlstateProgressCompletionStatus)(uint8_t direction); + int (*StateGetEventInfo)(const char *event_name, + int *event_id, AppLayerEventType *event_type); + ProbingParserFPtr pp_alproto_map[2]; /* The current values taken are STREAM_TOSERVER, STREAM_TOCLIENT */ uint8_t flags; @@ -290,8 +291,10 @@ void AppLayerRegisterGetTx(uint16_t alproto, void *(*StateGetTx)(void *alstate, uint64_t tx_id)); void AppLayerRegisterGetAlstateProgressCompletionStatus(uint16_t alproto, int (*StateProgressCompletionStatus)(uint8_t direction)); -void AppLayerRegisterEventsTable(uint16_t alproto, - SCEnumCharMap *events_table); +void AppLayerRegisterGetEventInfo(uint16_t alproto, + int (*StateGetEventInfo)(const char *event_name, + int *event_id, + AppLayerEventType *event_type)); int AppLayerParse(void *, Flow *, uint8_t, uint8_t, uint8_t *, uint32_t); 
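Review bot: The `AppLayerProto_` struct now uses `AppLayerEventType` in its `StateGetEventInfo` member, but no hunk visible here adds an include of decode-events.h to app-layer-parser.h. The commit instead adds or moves `#include "decode-events.h"` in app-layer-htp.c, app-layer-smtp.c and app-layer-ssl.c, which suggests the header now depends on include order. If so, add `#include "decode-events.h"` to app-layer-parser.h itself so it is self-contained. A one-line comment on the member, such as `/* maps an event name to its id and AppLayerEventType; returns 0 or -1 */`, would document the contract the callbacks follow. The struct definition starts and ends outside the hunk.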
@@ -458,8 +461,8 @@ int AppLayerProtoDetectionEnabled(const char *alproto); * \param event_name Name of the event. * \param event_id Pointer to an instance to send back event id. */ -int AppLayerGetAlprotoEventInfo(uint16_t alproto, const char *event_name, - int *event_id); +int AppLayerGetEventInfo(uint16_t alproto, const char *event_name, + int *event_id, AppLayerEventType *event_type); /***** Utility *****/ @@ -470,6 +473,12 @@ void AppLayerParseProbingParserPorts(const char *al_proto_name, uint16_t al_prot /***** Unittests *****/ +/** + * \brief Backup al_proto_table. + * + * Currently we backup only the event table. Feel free to backup + * other stuff as and when required. + */ void AppLayerParserBackupAlprotoTable(void); void AppLayerParserRestoreAlprotoTable(void); diff --git a/src/app-layer-smtp.c b/src/app-layer-smtp.c index 4f45b13cf0..ce9c101127 100644 --- a/src/app-layer-smtp.c +++ b/src/app-layer-smtp.c @@ -48,8 +48,8 @@ #include "detect-engine-state.h" #include "detect-parse.h" -#include "conf.h" #include "decode-events.h" +#include "conf.h" #define SMTP_MAX_REQUEST_AND_REPLY_LINE_LENGTH 510 @@ -834,6 +834,22 @@ static void SMTPSetMpmState(void) mpm_table[SMTP_MPM].Prepare(smtp_mpm_ctx); } +int SMTPStateGetEventInfo(const char *event_name, + int *event_id, AppLayerEventType *event_type) +{ + *event_id = SCMapEnumNameToValue(event_name, smtp_decoder_event_table); + if (*event_id == -1) { + SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%s\" not present in " + "smtp's enum map table.", event_name); + /* yes this is fatal */ + return -1; + } + + *event_type = APP_LAYER_EVENT_TYPE_GENERAL; + + return 0; +} + /** * \brief Register the SMPT Protocol parser. */ 
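Review bot: The comment moved onto `AppLayerParserBackupAlprotoTable` still says "Currently we backup only the event table", but after this commit the function copies the `StateGetEventInfo` callback and the `events_table` member no longer exists. Reword it, for example `Currently we back up only the StateGetEventInfo callback.` `AppLayerParserRestoreAlprotoTable` on the following line has no comment at all; a matching `\brief Restore al_proto_table from the unittest backup.` would complete the pair.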
@@ -863,7 +879,7 @@ void RegisterSMTPParsers(void) AppLayerRegisterProto(proto_name, ALPROTO_SMTP, STREAM_TOCLIENT, SMTPParseServerRecord); - AppLayerRegisterEventsTable(ALPROTO_SMTP, smtp_decoder_event_table); + AppLayerRegisterGetEventInfo(ALPROTO_SMTP, SMTPStateGetEventInfo); AppLayerRegisterLocalStorageFunc(ALPROTO_SMTP, SMTPLocalStorageAlloc, SMTPLocalStorageFree); diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c index 04ad8bd6cf..63df5d582b 100644 --- a/src/app-layer-ssl.c +++ b/src/app-layer-ssl.c @@ -42,8 +42,8 @@ #include "app-layer-tls-handshake.h" -#include "conf.h" #include "decode-events.h" +#include "conf.h" #include "util-spm.h" #include "util-unittest.h" @@ -986,6 +986,22 @@ static uint16_t SSLProbingParser(uint8_t *input, uint32_t ilen, uint32_t *offset return ALPROTO_FAILED; } +int SSLStateGetEventInfo(const char *event_name, + int *event_id, AppLayerEventType *event_type) +{ + *event_id = SCMapEnumNameToValue(event_name, tls_decoder_event_table); + if (*event_id == -1) { + SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%s\" not present in " + "ssl's enum map table.", event_name); + /* yes this is fatal */ + return -1; + } + + *event_type = APP_LAYER_EVENT_TYPE_GENERAL; + + return 0; +} + /** * \brief Function to register the SSL protocol parser and other functions */ @@ -1053,7 +1069,7 @@ void RegisterSSLParsers(void) AppLayerRegisterProto(proto_name, ALPROTO_TLS, STREAM_TOCLIENT, SSLParseServerRecord); - AppLayerRegisterEventsTable(ALPROTO_TLS, tls_decoder_event_table); + AppLayerRegisterGetEventInfo(ALPROTO_TLS, SSLStateGetEventInfo); AppLayerRegisterStateFuncs(ALPROTO_TLS, SSLStateAlloc, SSLStateFree); diff --git a/src/decode-events.h b/src/decode-events.h index bd80c8969d..3570a7f0c4 100644 --- a/src/decode-events.h +++ b/src/decode-events.h 
@@ -227,6 +227,12 @@ enum { #define DECODER_EVENTS_BUFFER_STEPS 5 +/* the event types for app events */ +typedef enum AppLayerEventType_ { + APP_LAYER_EVENT_TYPE_GENERAL = 1, + APP_LAYER_EVENT_TYPE_TRANSACTION, +} AppLayerEventType; + /** * \brief Data structure to store app layer decoder events. */ diff --git a/src/detect-app-layer-event.c b/src/detect-app-layer-event.c index 451faa9d0d..a59ca3b7f3 100644 --- a/src/detect-app-layer-event.c +++ b/src/detect-app-layer-event.c @@ -115,6 +115,7 @@ static DetectAppLayerEventData *DetectAppLayerEventParse(const char *arg) const char *p_idx; int r = 0; int event_id = 0; + AppLayerEventType event_type = 0; uint16_t alproto; if (arg == NULL) { @@ -148,7 +149,7 @@ static DetectAppLayerEventData *DetectAppLayerEventParse(const char *arg) "with unknown protocol \"%s\"", buffer); return NULL; } - r = AppLayerGetAlprotoEventInfo(alproto, p_idx + 1, &event_id); + r = AppLayerGetEventInfo(alproto, p_idx + 1, &event_id, &event_type); if (r < 0) { SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword protocol " "\"%s\" don't have event \"%s\" registered", buffer, p_idx + 1); @@ -236,10 +237,29 @@ SCEnumCharMap app_layer_event_test_map[ ] = { { "event6", APP_LAYER_EVENT_TEST_MAP_EVENT6 }, }; +static int DetectAppLayerEventTestGetEventInfo(const char *event_name, + int *event_id, + AppLayerEventType *event_type) +{ + *event_id = SCMapEnumNameToValue(event_name, app_layer_event_test_map); + if (*event_id == -1) { + SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%s\" not present in " + "app-layer-event's test enum map table.", event_name); + /* this should be treated as fatal */ + return -1; + } + + *event_type = APP_LAYER_EVENT_TYPE_GENERAL; + + return 0; +} + + int DetectAppLayerEventTest01(void) { AppLayerParserBackupAlprotoTable(); - AppLayerRegisterEventsTable(ALPROTO_SMTP, app_layer_event_test_map); + AppLayerRegisterGetEventInfo(ALPROTO_SMTP, + DetectAppLayerEventTestGetEventInfo); int result = 0; 
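Review bot: `event_type` is filled in by `AppLayerGetEventInfo(alproto, p_idx + 1, &event_id, &event_type)` but is not used in any line shown, so this hunk cannot confirm that it reaches the returned `DetectAppLayerEventData`. If it is deliberately not stored yet, a comment such as `/* event_type is not used by the keyword yet */` would stop it looking like an oversight. Its declaration in the preceding hunk, `AppLayerEventType event_type = 0;`, uses a value that is not an enumerator, because the enum starts at `APP_LAYER_EVENT_TYPE_GENERAL = 1`. Either give the enum a named zero value meaning "not set" or leave the variable to be assigned only by the callee. DetectAppLayerEventParse continues outside the hunk.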
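Review bot: `DetectAppLayerEventTestGetEventInfo` passes `app_layer_event_test_map` to `SCMapEnumNameToValue`, yet the context lines show the table ending in `{ "event6", APP_LAYER_EVENT_TEST_MAP_EVENT6 }, };`. It has no `{ NULL, -1 }` entry of the kind `dns_decoder_event_table` carries. If `SCMapEnumNameToValue` walks the table until it meets a NULL name, which its definition outside this diff would confirm, a lookup of a name absent from the map reads past the end of the array. Add `{ NULL, -1 },` as the last element of the test map. The beginning of the table lies outside the hunk.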
@@ -265,10 +285,14 @@ int DetectAppLayerEventTest02(void) { AppLayerParserBackupAlprotoTable(); - AppLayerRegisterEventsTable(ALPROTO_SMTP, app_layer_event_test_map); - AppLayerRegisterEventsTable(ALPROTO_HTTP, app_layer_event_test_map); - AppLayerRegisterEventsTable(ALPROTO_SMB, app_layer_event_test_map); - AppLayerRegisterEventsTable(ALPROTO_FTP, app_layer_event_test_map); + AppLayerRegisterGetEventInfo(ALPROTO_SMTP, + DetectAppLayerEventTestGetEventInfo); + AppLayerRegisterGetEventInfo(ALPROTO_HTTP, + DetectAppLayerEventTestGetEventInfo); + AppLayerRegisterGetEventInfo(ALPROTO_SMB, + DetectAppLayerEventTestGetEventInfo); + AppLayerRegisterGetEventInfo(ALPROTO_FTP, + DetectAppLayerEventTestGetEventInfo); int result = 0;