Add and use EventGetInfo for getting info on an event.

Also update existing parsers and app-layer-event Setup to use this.
12 years ago · 5e2d9dbdc3
parent 60a2b157b2
commit 5e2d9dbdc3
11 changed files with 155 additions and 45 deletions
--- a/src/app-layer-dns-common.c
+++ b/src/app-layer-dns-common.c
@ -22,6 +22,7 @@
 */

 #include "suricata-common.h"
+#include "app-layer-parser.h"
 #include "app-layer-dns-common.h"
 #ifdef DEBUG
 #include "util-print.h"
@ -37,9 +38,25 @@ SCEnumCharMap dns_decoder_event_table[ ] = {
    { NULL,                         -1 },
 };

-/** \brief register event map */
-void DNSAppLayerDecoderEventsRegister(int alproto) {
-    AppLayerRegisterEventsTable(alproto, dns_decoder_event_table);
+int DNSStateGetEventInfo(const char *event_name,
+                         int *event_id, AppLayerEventType *event_type)
+{
+    *event_id = SCMapEnumNameToValue(event_name, dns_decoder_event_table);
+    if (*event_id == -1) {
+        SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%s\" not present in "
+                   "dns's enum map table.",  event_name);
+        /* this should be treated as fatal */
+        return -1;
+    }
+
+    *event_type = APP_LAYER_EVENT_TYPE_GENERAL;
+
+    return 0;
+}
+
+void DNSAppLayerRegisterGetEventInfo(uint16_t alproto)
+{
+    return AppLayerRegisterGetEventInfo(alproto, DNSStateGetEventInfo);
 }

 AppLayerDecoderEvents *DNSGetEvents(void *state, uint64_t id) {
--- a/src/app-layer-dns-common.h
+++ b/src/app-layer-dns-common.h
@ -155,6 +155,9 @@ void RegisterDNSParsers(void);
 void DNSParserTests(void);
 void DNSParserRegisterTests(void);
 void DNSAppLayerDecoderEventsRegister(int alproto);
+int DNSStateGetEventInfo(const char *event_name,
+                         int *event_id, AppLayerEventType *event_type);
+void DNSAppLayerRegisterGetEventInfo(uint16_t alproto);

 void *DNSGetTx(void *alstate, uint64_t tx_id);
 uint64_t DNSGetTxCnt(void *alstate);
--- a/src/app-layer-dns-tcp.c
+++ b/src/app-layer-dns-tcp.c
@ -620,12 +620,13 @@ void RegisterDNSTCPParsers(void) {
                                               DNSGetAlstateProgress);
        AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_DNS_TCP,
                                                           DNSGetAlstateProgressCompletionStatus);
+        DNSAppLayerRegisterGetEventInfo(ALPROTO_DNS_TCP);
    } else {
        SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
                  "still on.", proto_name);
    }

-    DNSAppLayerDecoderEventsRegister(ALPROTO_DNS_TCP);
+    return;
 }

 /* UNITTESTS */
--- a/src/app-layer-dns-udp.c
+++ b/src/app-layer-dns-udp.c
@ -341,7 +341,7 @@ void RegisterDNSUDPParsers(void) {
        AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_DNS_UDP,
                                                           DNSGetAlstateProgressCompletionStatus);

-        DNSAppLayerDecoderEventsRegister(ALPROTO_DNS_UDP);
+        DNSAppLayerRegisterGetEventInfo(ALPROTO_DNS_UDP);
    } else {
        SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
                  "still on.", proto_name);
--- a/src/app-layer-htp.c
+++ b/src/app-layer-htp.c
@ -28,6 +28,7 @@
 * \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
 * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
 * \author Brian Rectanus <brectanu@gmail.com>
+ * \author Anoop Saldanha <anoopsaldanha@gmail.com>
 *
 * This file provides a HTTP protocol support for the engine using HTP library.
 */
@ -69,6 +70,7 @@
 #include "detect-engine-state.h"
 #include "detect-parse.h"

+#include "decode-events.h"
 #include "conf.h"

 #include "util-memcmp.h"
@ -2387,6 +2389,22 @@ static int HTPStateGetAlstateProgressCompletionStatus(uint8_t direction)
    return (direction == 0) ? HTP_REQUEST_COMPLETE : HTP_RESPONSE_COMPLETE;
 }

+int HTPStateGetEventInfo(const char *event_name,
+                         int *event_id, AppLayerEventType *event_type)
+{
+    *event_id = SCMapEnumNameToValue(event_name, http_decoder_event_table);
+    if (*event_id == -1) {
+        SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%s\" not present in "
+                   "http's enum map table.",  event_name);
+        /* this should be treated as fatal */
+        return -1;
+    }
+
+    *event_type = APP_LAYER_EVENT_TYPE_GENERAL;
+
+    return 0;
+}
+
 static void HTPStateTruncate(void *state, uint8_t flags) {
    FileContainer *fc = HTPStateGetFiles(state, flags);
    if (fc != NULL) {
@ -2442,7 +2460,7 @@ void RegisterHTPParsers(void)
        AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_HTTP,
                                                           HTPStateGetAlstateProgressCompletionStatus);

-        AppLayerRegisterEventsTable(ALPROTO_HTTP, http_decoder_event_table);
+        AppLayerRegisterGetEventInfo(ALPROTO_HTTP, HTPStateGetEventInfo);

        AppLayerRegisterTruncateFunc(ALPROTO_HTTP, HTPStateTruncate);

--- a/src/app-layer-parser.c
+++ b/src/app-layer-parser.c
@ -857,10 +857,12 @@ void AppLayerRegisterLogger(uint16_t proto) {
    al_proto_table[proto].logger = TRUE;
 }

-void AppLayerRegisterEventsTable(uint16_t alproto,
-                                 SCEnumCharMap *events_table)
+void AppLayerRegisterGetEventInfo(uint16_t alproto,
+                                  int (*StateGetEventInfo)(const char *event_name,
+                                                           int *event_id,
+                                                           AppLayerEventType *event_type))
 {
-    al_proto_table[alproto].events_table = events_table;
+    al_proto_table[alproto].StateGetEventInfo = StateGetEventInfo;
 }

 AppLayerParserStateStore *AppLayerParserStateStoreAlloc(void)
@ -1635,19 +1637,25 @@ int AppLayerProtoDetectionEnabled(const char *al_proto)
    return enabled;
 }

-int AppLayerGetAlprotoEventInfo(uint16_t alproto, const char *event_name,
-                                int *event_id)
+/**
+ * \brief Gets event info for this alproto.
+ *
+ * \param alproto The app layer protocol.
+ * \param event_name The event name.
+ * \param event_id The event id.
+ * \param The type of event, as represented by AppLayerEventType.
+ *
+ * \retval 0 On succesfully returning back info.
+ * \retval -1 On failure.
+ */
+int AppLayerGetEventInfo(uint16_t alproto, const char *event_name,
+                         int *event_id, AppLayerEventType *event_type)
 {
-    *event_id = SCMapEnumNameToValue(event_name, al_proto_table[alproto].events_table);
-    if (*event_id == -1) {
-        SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%s\" not present in "
-                   "\"%s\"'s enum map table.",  event_name,
-                   al_proto_table[alproto].name);
-        /* yes this is fatal */
+    if (al_proto_table[alproto].StateGetEventInfo == NULL)
        return -1;
-    }

-    return 0;
+    return al_proto_table[alproto].StateGetEventInfo(event_name,
+                                                     event_id, event_type);
 }

 void AppLayerParseProbingParserPorts(const char *al_proto_name, uint16_t al_proto,
@ -2356,21 +2364,13 @@ static void TestProtocolStateFree(void *s)
    SCFree(s);
 }

-/****Unittests*****/
-
 static AppLayerProto al_proto_table_ut_backup[ALPROTO_MAX];

-/**
- * \brief Backup al_proto_table.
- *
- *        Currently we backup only the event table.  Feel free to backup
- *        other stuff as and when required.
- */
 void AppLayerParserBackupAlprotoTable(void)
 {
    int i;
    for (i = ALPROTO_UNKNOWN; i < ALPROTO_MAX; i++)
-        al_proto_table_ut_backup[i].events_table = al_proto_table[i].events_table;
+        al_proto_table_ut_backup[i].StateGetEventInfo = al_proto_table[i].StateGetEventInfo;

    return;
 }
@ -2379,7 +2379,7 @@ void AppLayerParserRestoreAlprotoTable(void)
 {
    int i;
    for (i = ALPROTO_UNKNOWN; i < ALPROTO_MAX; i++)
-        al_proto_table[i].events_table = al_proto_table_ut_backup[i].events_table;
+        al_proto_table[i].StateGetEventInfo = al_proto_table_ut_backup[i].StateGetEventInfo;

    return;
 }
--- a/src/app-layer-parser.h
+++ b/src/app-layer-parser.h
@ -51,8 +51,6 @@ typedef struct AppLayerProto_ {

    AppLayerLocalMap **map;

-    SCEnumCharMap *events_table;
-
    void *(*StateAlloc)(void);
    void (*StateFree)(void *);
    void (*StateTransactionFree)(void *, uint64_t);
@ -71,6 +69,9 @@ typedef struct AppLayerProto_ {
    void *(*StateGetTx)(void *alstate, uint64_t tx_id);
    int (*StateGetAlstateProgressCompletionStatus)(uint8_t direction);

+    int (*StateGetEventInfo)(const char *event_name,
+                             int *event_id, AppLayerEventType *event_type);
+
    ProbingParserFPtr pp_alproto_map[2];
    /* The current values taken are STREAM_TOSERVER, STREAM_TOCLIENT */
    uint8_t flags;
@ -290,8 +291,10 @@ void AppLayerRegisterGetTx(uint16_t alproto,
                           void *(*StateGetTx)(void *alstate, uint64_t tx_id));
 void AppLayerRegisterGetAlstateProgressCompletionStatus(uint16_t alproto,
    int (*StateProgressCompletionStatus)(uint8_t direction));
-void AppLayerRegisterEventsTable(uint16_t alproto,
-                                 SCEnumCharMap *events_table);
+void AppLayerRegisterGetEventInfo(uint16_t alproto,
+                                  int (*StateGetEventInfo)(const char *event_name,
+                                                           int *event_id,
+                                                           AppLayerEventType *event_type));

 int AppLayerParse(void *, Flow *, uint8_t,
                  uint8_t, uint8_t *, uint32_t);
@ -458,8 +461,8 @@ int AppLayerProtoDetectionEnabled(const char *alproto);
 * \param event_name Name of the event.
 * \param event_id   Pointer to an instance to send back event id.
 */
-int AppLayerGetAlprotoEventInfo(uint16_t alproto, const char *event_name,
-                                int *event_id);
+int AppLayerGetEventInfo(uint16_t alproto, const char *event_name,
+                         int *event_id, AppLayerEventType *event_type);

 /***** Utility *****/

@ -470,6 +473,12 @@ void AppLayerParseProbingParserPorts(const char *al_proto_name, uint16_t al_prot

 /***** Unittests *****/

+/**
+ * \brief Backup al_proto_table.
+ *
+ *        Currently we backup only the event table.  Feel free to backup
+ *        other stuff as and when required.
+ */
 void AppLayerParserBackupAlprotoTable(void);
 void AppLayerParserRestoreAlprotoTable(void);

--- a/src/app-layer-smtp.c
+++ b/src/app-layer-smtp.c
@ -48,8 +48,8 @@
 #include "detect-engine-state.h"
 #include "detect-parse.h"

-#include "conf.h"
 #include "decode-events.h"
+#include "conf.h"

 #define SMTP_MAX_REQUEST_AND_REPLY_LINE_LENGTH 510

@ -834,6 +834,22 @@ static void SMTPSetMpmState(void)
    mpm_table[SMTP_MPM].Prepare(smtp_mpm_ctx);
 }

+int SMTPStateGetEventInfo(const char *event_name,
+                          int *event_id, AppLayerEventType *event_type)
+{
+    *event_id = SCMapEnumNameToValue(event_name, smtp_decoder_event_table);
+    if (*event_id == -1) {
+        SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%s\" not present in "
+                   "smtp's enum map table.",  event_name);
+        /* yes this is fatal */
+        return -1;
+    }
+
+    *event_type = APP_LAYER_EVENT_TYPE_GENERAL;
+
+    return 0;
+}
+
 /**
 * \brief Register the SMPT Protocol parser.
 */
@ -863,7 +879,7 @@ void RegisterSMTPParsers(void)
        AppLayerRegisterProto(proto_name, ALPROTO_SMTP, STREAM_TOCLIENT,
                              SMTPParseServerRecord);

-        AppLayerRegisterEventsTable(ALPROTO_SMTP, smtp_decoder_event_table);
+        AppLayerRegisterGetEventInfo(ALPROTO_SMTP, SMTPStateGetEventInfo);

        AppLayerRegisterLocalStorageFunc(ALPROTO_SMTP, SMTPLocalStorageAlloc,
                                         SMTPLocalStorageFree);
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@ -42,8 +42,8 @@

 #include "app-layer-tls-handshake.h"

-#include "conf.h"
 #include "decode-events.h"
+#include "conf.h"

 #include "util-spm.h"
 #include "util-unittest.h"
@ -986,6 +986,22 @@ static uint16_t SSLProbingParser(uint8_t *input, uint32_t ilen, uint32_t *offset
    return ALPROTO_FAILED;
 }

+int SSLStateGetEventInfo(const char *event_name,
+                         int *event_id, AppLayerEventType *event_type)
+{
+    *event_id = SCMapEnumNameToValue(event_name, tls_decoder_event_table);
+    if (*event_id == -1) {
+        SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%s\" not present in "
+                   "ssl's enum map table.",  event_name);
+        /* yes this is fatal */
+        return -1;
+    }
+
+    *event_type = APP_LAYER_EVENT_TYPE_GENERAL;
+
+    return 0;
+}
+
 /**
 * \brief Function to register the SSL protocol parser and other functions
 */
@ -1053,7 +1069,7 @@ void RegisterSSLParsers(void)

        AppLayerRegisterProto(proto_name, ALPROTO_TLS, STREAM_TOCLIENT,
                              SSLParseServerRecord);
-        AppLayerRegisterEventsTable(ALPROTO_TLS, tls_decoder_event_table);
+        AppLayerRegisterGetEventInfo(ALPROTO_TLS, SSLStateGetEventInfo);

        AppLayerRegisterStateFuncs(ALPROTO_TLS, SSLStateAlloc, SSLStateFree);

--- a/src/decode-events.h
+++ b/src/decode-events.h
@ -227,6 +227,12 @@ enum {

 #define DECODER_EVENTS_BUFFER_STEPS 5

+/* the event types for app events */
+typedef enum AppLayerEventType_ {
+    APP_LAYER_EVENT_TYPE_GENERAL = 1,
+    APP_LAYER_EVENT_TYPE_TRANSACTION,
+} AppLayerEventType;
+
 /**
 * \brief Data structure to store app layer decoder events.
 */
--- a/src/detect-app-layer-event.c
+++ b/src/detect-app-layer-event.c
@ -115,6 +115,7 @@ static DetectAppLayerEventData *DetectAppLayerEventParse(const char *arg)
    const char *p_idx;
    int r = 0;
    int event_id = 0;
+    AppLayerEventType event_type = 0;
    uint16_t alproto;

    if (arg == NULL) {
@ -148,7 +149,7 @@ static DetectAppLayerEventData *DetectAppLayerEventParse(const char *arg)
                   "with unknown protocol \"%s\"", buffer);
        return NULL;
    }
-    r = AppLayerGetAlprotoEventInfo(alproto, p_idx + 1, &event_id);
+    r = AppLayerGetEventInfo(alproto, p_idx + 1, &event_id, &event_type);
    if (r < 0) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword protocol "
                   "\"%s\" don't have event \"%s\" registered", buffer, p_idx + 1);
@ -236,10 +237,29 @@ SCEnumCharMap app_layer_event_test_map[ ] = {
    { "event6", APP_LAYER_EVENT_TEST_MAP_EVENT6 },
 };

+static int DetectAppLayerEventTestGetEventInfo(const char *event_name,
+                                               int *event_id,
+                                               AppLayerEventType *event_type)
+{
+    *event_id = SCMapEnumNameToValue(event_name, app_layer_event_test_map);
+    if (*event_id == -1) {
+        SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%s\" not present in "
+                   "app-layer-event's test enum map table.",  event_name);
+        /* this should be treated as fatal */
+        return -1;
+    }
+
+    *event_type = APP_LAYER_EVENT_TYPE_GENERAL;
+
+    return 0;
+}
+
+
 int DetectAppLayerEventTest01(void)
 {
    AppLayerParserBackupAlprotoTable();
-    AppLayerRegisterEventsTable(ALPROTO_SMTP, app_layer_event_test_map);
+    AppLayerRegisterGetEventInfo(ALPROTO_SMTP,
+                                 DetectAppLayerEventTestGetEventInfo);

    int result = 0;

@ -265,10 +285,14 @@ int DetectAppLayerEventTest02(void)
 {
    AppLayerParserBackupAlprotoTable();

-    AppLayerRegisterEventsTable(ALPROTO_SMTP, app_layer_event_test_map);
-    AppLayerRegisterEventsTable(ALPROTO_HTTP, app_layer_event_test_map);
-    AppLayerRegisterEventsTable(ALPROTO_SMB, app_layer_event_test_map);
-    AppLayerRegisterEventsTable(ALPROTO_FTP, app_layer_event_test_map);
+    AppLayerRegisterGetEventInfo(ALPROTO_SMTP,
+                                 DetectAppLayerEventTestGetEventInfo);
+    AppLayerRegisterGetEventInfo(ALPROTO_HTTP,
+                                 DetectAppLayerEventTestGetEventInfo);
+    AppLayerRegisterGetEventInfo(ALPROTO_SMB,
+                                 DetectAppLayerEventTestGetEventInfo);
+    AppLayerRegisterGetEventInfo(ALPROTO_FTP,
+                                 DetectAppLayerEventTestGetEventInfo);

    int result = 0;