Introduce new options into the conf file to enable/disable -

1. Proto detection
2. Parsers

For app layer protocols.

libhtp has now been moved to the section under app-layer.protocols.http,
but we still provide backward compatibility with older conf files.
pull/567/head
Anoop Saldanha 12 years ago
parent d9686fae57
commit ddde572fba

@ -720,18 +720,30 @@ static void DCERPCUDPStateFree(void *s) {
void RegisterDCERPCUDPParsers(void) {
char *proto_name = "dcerpcudp";
/** DCERPC */
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_UDP, ALPROTO_DCERPC_UDP, "|04 00|", 2, 0, STREAM_TOSERVER);
AppLayerRegisterProto(proto_name, ALPROTO_DCERPC_UDP, STREAM_TOSERVER,
DCERPCUDPParse);
AppLayerRegisterProto(proto_name, ALPROTO_DCERPC_UDP, STREAM_TOCLIENT,
DCERPCUDPParse);
AppLayerRegisterStateFuncs(ALPROTO_DCERPC_UDP, DCERPCUDPStateAlloc,
DCERPCUDPStateFree);
if (AppLayerProtoDetectionEnabled("dcerpc")) {
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_UDP, ALPROTO_DCERPC_UDP, "|04 00|", 2, 0, STREAM_TOSERVER);
} else {
SCLogInfo("Protocol detection and parser disabled for %s protocol.",
"dcerpc");
return;
}
if (AppLayerParserEnabled("dcerpc")) {
AppLayerRegisterProto(proto_name, ALPROTO_DCERPC_UDP, STREAM_TOSERVER,
DCERPCUDPParse);
AppLayerRegisterProto(proto_name, ALPROTO_DCERPC_UDP, STREAM_TOCLIENT,
DCERPCUDPParse);
AppLayerRegisterStateFuncs(ALPROTO_DCERPC_UDP, DCERPCUDPStateAlloc,
DCERPCUDPStateFree);
} else {
SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
"still on.", "dcerpc");
}
#ifdef UNITTESTS
AppLayerRegisterUnittests(ALPROTO_DCERPC_UDP, DCERPCUDPParserRegisterTests);
#endif
return;
}
/* UNITTESTS */
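Review bot: Both conf lookups at the top of RegisterDCERPCUDPParsers pass the literal "dcerpc" while proto_name is "dcerpcudp", so an `app-layer.protocols.dcerpcudp.enabled` key would be silently ignored and both DCERPC transports are switched by the single `dcerpc` key. If that sharing is intended, say so next to the lookup, e.g. `/* UDP DCERPC is switched by the same app-layer.protocols.dcerpc.enabled key as TCP */`, and use one `const char *conf_name = "dcerpc";` instead of repeating the literal three times. Separately, the format string in the parser-disabled branch is built from two adjacent literals with no space between them, so it prints "Protocol detectionstill on."; it should read `"Parser disabled for %s protocol. Protocol detection "` followed by `"still on."`, and the same "Parsed"/missing-space typo is repeated in every other registration function in this commit.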

@ -1869,18 +1869,30 @@ static void DCERPCStateFree(void *s) {
void RegisterDCERPCParsers(void) {
char *proto_name = "dcerpc";
/** DCERPC */
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_DCERPC, "|05 00|", 2, 0, STREAM_TOSERVER);
AppLayerRegisterProto(proto_name, ALPROTO_DCERPC, STREAM_TOSERVER,
DCERPCParseRequest);
AppLayerRegisterProto(proto_name, ALPROTO_DCERPC, STREAM_TOCLIENT,
DCERPCParseResponse);
AppLayerRegisterStateFuncs(ALPROTO_DCERPC, DCERPCStateAlloc,
DCERPCStateFree);
if (AppLayerProtoDetectionEnabled(proto_name)) {
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_DCERPC, "|05 00|", 2, 0, STREAM_TOSERVER);
} else {
SCLogInfo("Protocol detection and parser disabled for %s protocol.",
proto_name);
return;
}
if (AppLayerParserEnabled(proto_name)) {
AppLayerRegisterProto(proto_name, ALPROTO_DCERPC, STREAM_TOSERVER,
DCERPCParseRequest);
AppLayerRegisterProto(proto_name, ALPROTO_DCERPC, STREAM_TOCLIENT,
DCERPCParseResponse);
AppLayerRegisterStateFuncs(ALPROTO_DCERPC, DCERPCStateAlloc,
DCERPCStateFree);
} else {
SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
"still on.", proto_name);
}
#ifdef UNITTESTS
AppLayerRegisterUnittests(ALPROTO_DCERPC, DCERPCParserRegisterTests);
#endif
return;
}
/* UNITTESTS */

@ -578,35 +578,46 @@ void RegisterDNSTCPParsers(void) {
char *proto_name = "dnstcp";
/** DNS */
AppLayerRegisterProto(proto_name, ALPROTO_DNS_TCP, STREAM_TOSERVER,
DNSTCPRequestParse);
AppLayerRegisterProto(proto_name, ALPROTO_DNS_TCP, STREAM_TOCLIENT,
DNSTCPResponseParse);
AppLayerRegisterStateFuncs(ALPROTO_DNS_TCP, DNSStateAlloc,
DNSStateFree);
AppLayerRegisterTxFreeFunc(ALPROTO_DNS_TCP,
DNSStateTransactionFree);
AppLayerRegisterGetEventsFunc(ALPROTO_DNS_TCP, DNSGetEvents);
AppLayerRegisterHasEventsFunc(ALPROTO_DNS_TCP, DNSHasEvents);
AppLayerRegisterGetTx(ALPROTO_DNS_TCP,
DNSGetTx);
AppLayerRegisterGetTxCnt(ALPROTO_DNS_TCP,
DNSGetTxCnt);
AppLayerRegisterGetAlstateProgressFunc(ALPROTO_DNS_TCP,
DNSGetAlstateProgress);
AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_DNS_TCP,
DNSGetAlstateProgressCompletionStatus);
AppLayerRegisterProbingParser(&alp_proto_ctx,
IPPROTO_TCP,
"53",
proto_name,
ALPROTO_DNS_TCP,
0, sizeof(DNSTcpHeader),
STREAM_TOSERVER,
DNSTcpProbingParser);
if (AppLayerProtoDetectionEnabled(proto_name)) {
AppLayerRegisterProbingParser(&alp_proto_ctx,
IPPROTO_TCP,
"53",
proto_name,
ALPROTO_DNS_TCP,
0, sizeof(DNSTcpHeader),
STREAM_TOSERVER,
DNSTcpProbingParser);
} else {
SCLogInfo("Protocol detection and parser disabled for %s protocol.",
proto_name);
return;
}
if (AppLayerParserEnabled(proto_name)) {
AppLayerRegisterProto(proto_name, ALPROTO_DNS_TCP, STREAM_TOSERVER,
DNSTCPRequestParse);
AppLayerRegisterProto(proto_name, ALPROTO_DNS_TCP, STREAM_TOCLIENT,
DNSTCPResponseParse);
AppLayerRegisterStateFuncs(ALPROTO_DNS_TCP, DNSStateAlloc,
DNSStateFree);
AppLayerRegisterTxFreeFunc(ALPROTO_DNS_TCP,
DNSStateTransactionFree);
AppLayerRegisterGetEventsFunc(ALPROTO_DNS_TCP, DNSGetEvents);
AppLayerRegisterHasEventsFunc(ALPROTO_DNS_TCP, DNSHasEvents);
AppLayerRegisterGetTx(ALPROTO_DNS_TCP,
DNSGetTx);
AppLayerRegisterGetTxCnt(ALPROTO_DNS_TCP,
DNSGetTxCnt);
AppLayerRegisterGetAlstateProgressFunc(ALPROTO_DNS_TCP,
DNSGetAlstateProgress);
AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_DNS_TCP,
DNSGetAlstateProgressCompletionStatus);
} else {
SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
"still on.", proto_name);
}
DNSAppLayerDecoderEventsRegister(ALPROTO_DNS_TCP);
}
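Review bot: `DNSAppLayerDecoderEventsRegister(ALPROTO_DNS_TCP)` on the last line runs even when `AppLayerParserEnabled("dnstcp")` returned 0, whereas the UDP counterpart in this same commit registers the DNS decoder events only inside the parser-enabled branch. Decoder events are presumably raised by the parser, so with `dnstcp.enabled: detection-only` the TCP side registers an event table for a parser that was never installed; moving the call inside the `if (AppLayerParserEnabled(proto_name))` block, after `AppLayerRegisterGetAlstateProgressCompletionStatus`, makes the two DNS registrations behave the same way. Whether a registered-but-unused event table is harmful is not visible from this hunk, but the asymmetry at least deserves a comment.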

@ -298,37 +298,48 @@ void RegisterDNSUDPParsers(void) {
char *proto_name = "dnsudp";
/** DNS */
AppLayerRegisterProto(proto_name, ALPROTO_DNS_UDP, STREAM_TOSERVER,
DNSUDPRequestParse);
AppLayerRegisterProto(proto_name, ALPROTO_DNS_UDP, STREAM_TOCLIENT,
DNSUDPResponseParse);
AppLayerRegisterStateFuncs(ALPROTO_DNS_UDP, DNSStateAlloc,
DNSStateFree);
AppLayerRegisterTxFreeFunc(ALPROTO_DNS_UDP,
DNSStateTransactionFree);
AppLayerRegisterGetEventsFunc(ALPROTO_DNS_UDP, DNSGetEvents);
AppLayerRegisterHasEventsFunc(ALPROTO_DNS_UDP, DNSHasEvents);
AppLayerRegisterGetTx(ALPROTO_DNS_UDP,
DNSGetTx);
AppLayerRegisterGetTxCnt(ALPROTO_DNS_UDP,
DNSGetTxCnt);
AppLayerRegisterGetAlstateProgressFunc(ALPROTO_DNS_UDP,
DNSGetAlstateProgress);
AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_DNS_UDP,
DNSGetAlstateProgressCompletionStatus);
AppLayerRegisterProbingParser(&alp_proto_ctx,
IPPROTO_UDP,
"53",
proto_name,
ALPROTO_DNS_UDP,
0, sizeof(DNSHeader),
STREAM_TOSERVER,
DNSUdpProbingParser);
DNSAppLayerDecoderEventsRegister(ALPROTO_DNS_UDP);
if (AppLayerProtoDetectionEnabled(proto_name)) {
AppLayerRegisterProbingParser(&alp_proto_ctx,
IPPROTO_UDP,
"53",
proto_name,
ALPROTO_DNS_UDP,
0, sizeof(DNSHeader),
STREAM_TOSERVER,
DNSUdpProbingParser);
} else {
SCLogInfo("Protocol detection and parser disabled for %s protocol.",
proto_name);
return;
}
if (AppLayerParserEnabled(proto_name)) {
AppLayerRegisterProto(proto_name, ALPROTO_DNS_UDP, STREAM_TOSERVER,
DNSUDPRequestParse);
AppLayerRegisterProto(proto_name, ALPROTO_DNS_UDP, STREAM_TOCLIENT,
DNSUDPResponseParse);
AppLayerRegisterStateFuncs(ALPROTO_DNS_UDP, DNSStateAlloc,
DNSStateFree);
AppLayerRegisterTxFreeFunc(ALPROTO_DNS_UDP,
DNSStateTransactionFree);
AppLayerRegisterGetEventsFunc(ALPROTO_DNS_UDP, DNSGetEvents);
AppLayerRegisterHasEventsFunc(ALPROTO_DNS_UDP, DNSHasEvents);
AppLayerRegisterGetTx(ALPROTO_DNS_UDP,
DNSGetTx);
AppLayerRegisterGetTxCnt(ALPROTO_DNS_UDP,
DNSGetTxCnt);
AppLayerRegisterGetAlstateProgressFunc(ALPROTO_DNS_UDP,
DNSGetAlstateProgress);
AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_DNS_UDP,
DNSGetAlstateProgressCompletionStatus);
DNSAppLayerDecoderEventsRegister(ALPROTO_DNS_UDP);
} else {
SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
"still on.", proto_name);
}
}
/* UNITTESTS */

@ -262,23 +262,29 @@ static void FTPStateFree(void *s) {
#endif
}
void RegisterFTPParsers(void) {
char *proto_name = "ftp";
/** FTP */
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_FTP, "USER ", 5, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_FTP, "PASS ", 5, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_FTP, "PORT ", 5, 0, STREAM_TOSERVER);
AppLayerRegisterProto(proto_name, ALPROTO_FTP, STREAM_TOSERVER,
FTPParseRequest);
AppLayerRegisterProto(proto_name, ALPROTO_FTP, STREAM_TOCLIENT,
FTPParseResponse);
AppLayerRegisterParser("ftp.request_command_line", ALPROTO_FTP,
FTP_FIELD_REQUEST_LINE, FTPParseRequestCommandLine,
"ftp");
AppLayerRegisterStateFuncs(ALPROTO_FTP, FTPStateAlloc, FTPStateFree);
if (AppLayerProtoDetectionEnabled(proto_name)) {
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_FTP, "USER ", 5, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_FTP, "PASS ", 5, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_FTP, "PORT ", 5, 0, STREAM_TOSERVER);
}
if (AppLayerParserEnabled(proto_name)) {
AppLayerRegisterProto(proto_name, ALPROTO_FTP, STREAM_TOSERVER,
FTPParseRequest);
AppLayerRegisterProto(proto_name, ALPROTO_FTP, STREAM_TOCLIENT,
FTPParseResponse);
AppLayerRegisterParser("ftp.request_command_line", ALPROTO_FTP,
FTP_FIELD_REQUEST_LINE, FTPParseRequestCommandLine,
"ftp");
AppLayerRegisterStateFuncs(ALPROTO_FTP, FTPStateAlloc, FTPStateFree);
} else {
SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
"still on.", proto_name);
}
#ifdef UNITTESTS
AppLayerRegisterUnittests(ALPROTO_FTP, FTPParserRegisterTests);
#endif
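Review bot: RegisterFTPParsers is the only registration in this commit whose detection-disabled path has no else branch: when `AppLayerProtoDetectionEnabled("ftp")` returns 0 the patterns are skipped but the function falls through and still registers the FTP parser and state functions, with no log line saying detection is off. Every sibling (SMTP, SSH, TLS, DCERPC, SMB) logs and returns in that case. For consistency add `} else { SCLogInfo("Protocol detection and parser disabled for %s protocol.", proto_name); return; }` after the pattern block, unless registering a parser for a protocol that can never be detected is deliberate, in which case a comment should say why.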

@ -1853,6 +1853,9 @@ void HTPFreeConfig(void)
{
SCEnter();
if (!AppLayerProtoDetectionEnabled("http") || !AppLayerParserEnabled("http"))
SCReturn;
HTPCfgRec *nextrec = cfglist.next;
SCRadixReleaseRadixTree(cfgtree);
cfgtree = NULL;
@ -2284,15 +2287,24 @@ void HTPConfigure(void)
}
SCLogDebug("LIBHTP default config: %p", cfglist.cfg);
HTPConfigSetDefaultsPhase1(&cfglist);
HTPConfigParseParameters(&cfglist, ConfGetNode("libhtp.default-config"),
cfgtree);
if (ConfGetNode("app-layer.protocols.http.libhtp") == NULL) {
HTPConfigParseParameters(&cfglist, ConfGetNode("libhtp.default-config"),
cfgtree);
} else {
HTPConfigParseParameters(&cfglist, ConfGetNode("app-layer.protocols.http.libhtp.default-config"), cfgtree);
}
HTPConfigSetDefaultsPhase2(&cfglist);
/* Read server config and create a parser for each IP in radix tree */
ConfNode *server_config = ConfGetNode("libhtp.server-config");
ConfNode *server_config = ConfGetNode("app-layer.protocols.http.libhtp.server-config");
if (server_config == NULL) {
server_config = ConfGetNode("libhtp.server-config");
if (server_config == NULL) {
SCLogDebug("LIBHTP Configuring %p", server_config);
SCReturn;
}
}
SCLogDebug("LIBHTP Configuring %p", server_config);
if (server_config == NULL)
SCReturn;
ConfNode *si;
/* Server Nodes */
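Review bot: The two libhtp lookups in HTPConfigure choose between the old and the new conf location by different rules: `default-config` is taken from the new path whenever the `app-layer.protocols.http.libhtp` node exists at all, while `server-config` tries the new path and falls back to `libhtp.server-config` when it is absent. A conf file that introduces the new `libhtp` node with only a `server-config` child therefore passes `ConfGetNode("app-layer.protocols.http.libhtp.default-config")` == NULL to HTPConfigParseParameters and never consults the old `libhtp.default-config`; whether HTPConfigParseParameters tolerates a NULL node is not visible here. Using the same try-new-then-old pattern for both, e.g. `ConfNode *def = ConfGetNode("app-layer.protocols.http.libhtp.default-config"); if (def == NULL) def = ConfGetNode("libhtp.default-config");`, removes the discrepancy. The `SCLogDebug("LIBHTP Configuring %p", server_config)` inside the NULL branch only logs a null pointer and duplicates the line that follows, so it can be dropped. HTPConfigure starts and ends outside the hunk.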
@ -2393,44 +2405,55 @@ void RegisterHTPParsers(void)
char *proto_name = "http";
/** HTTP */
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "GET|20|", 4, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "GET|09|", 4, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "PUT|20|", 4, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "PUT|09|", 4, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "POST|20|", 5, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "POST|09|", 5, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "HEAD|20|", 5, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "HEAD|09|", 5, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "TRACE|20|", 6, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "TRACE|09|", 6, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "OPTIONS|20|", 8, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "OPTIONS|09|", 8, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "CONNECT|20|", 8, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "CONNECT|09|", 8, 0, STREAM_TOSERVER);
AppLayerRegisterStateFuncs(ALPROTO_HTTP, HTPStateAlloc, HTPStateFree);
AppLayerRegisterTxFreeFunc(ALPROTO_HTTP, HTPStateTransactionFree);
AppLayerRegisterGetFilesFunc(ALPROTO_HTTP, HTPStateGetFiles);
AppLayerRegisterGetAlstateProgressFunc(ALPROTO_HTTP, HTPStateGetAlstateProgress);
AppLayerRegisterGetTxCnt(ALPROTO_HTTP, HTPStateGetTxCnt);
AppLayerRegisterGetTx(ALPROTO_HTTP, HTPStateGetTx);
AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_HTTP,
HTPStateGetAlstateProgressCompletionStatus);
AppLayerDecoderEventsModuleRegister(ALPROTO_HTTP, http_decoder_event_table);
AppLayerRegisterTruncateFunc(ALPROTO_HTTP, HTPStateTruncate);
AppLayerRegisterProto(proto_name, ALPROTO_HTTP, STREAM_TOSERVER,
HTPHandleRequestData);
AppLayerRegisterProto(proto_name, ALPROTO_HTTP, STREAM_TOCLIENT,
HTPHandleResponseData);
if (AppLayerProtoDetectionEnabled(proto_name)) {
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "GET|20|", 4, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "GET|09|", 4, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "PUT|20|", 4, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "PUT|09|", 4, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "POST|20|", 5, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "POST|09|", 5, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "HEAD|20|", 5, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "HEAD|09|", 5, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "TRACE|20|", 6, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "TRACE|09|", 6, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "OPTIONS|20|", 8, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "OPTIONS|09|", 8, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "CONNECT|20|", 8, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "CONNECT|09|", 8, 0, STREAM_TOSERVER);
} else {
SCLogInfo("Protocol detection and parser disabled for %s protocol",
proto_name);
return;
}
if (AppLayerParserEnabled(proto_name)) {
AppLayerRegisterStateFuncs(ALPROTO_HTTP, HTPStateAlloc, HTPStateFree);
AppLayerRegisterTxFreeFunc(ALPROTO_HTTP, HTPStateTransactionFree);
AppLayerRegisterGetFilesFunc(ALPROTO_HTTP, HTPStateGetFiles);
AppLayerRegisterGetAlstateProgressFunc(ALPROTO_HTTP, HTPStateGetAlstateProgress);
AppLayerRegisterGetTxCnt(ALPROTO_HTTP, HTPStateGetTxCnt);
AppLayerRegisterGetTx(ALPROTO_HTTP, HTPStateGetTx);
AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_HTTP,
HTPStateGetAlstateProgressCompletionStatus);
AppLayerDecoderEventsModuleRegister(ALPROTO_HTTP, http_decoder_event_table);
AppLayerRegisterTruncateFunc(ALPROTO_HTTP, HTPStateTruncate);
AppLayerRegisterProto(proto_name, ALPROTO_HTTP, STREAM_TOSERVER,
HTPHandleRequestData);
AppLayerRegisterProto(proto_name, ALPROTO_HTTP, STREAM_TOCLIENT,
HTPHandleResponseData);
SC_ATOMIC_INIT(htp_config_flags);
HTPConfigure();
} else {
SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
"still on.", proto_name);
}
#ifdef UNITTESTS
AppLayerRegisterUnittests(ALPROTO_HTTP, HTPParserRegisterTests);
#endif
SC_ATOMIC_INIT(htp_config_flags);
HTPConfigure();
SCReturn;
}

@ -57,6 +57,7 @@
#include "app-layer-dns-udp.h"
#include "app-layer-dns-tcp.h"
#include "conf.h"
#include "util-spm.h"
#include "util-debug.h"
@ -1399,16 +1400,35 @@ void RegisterAppLayerParsers(void)
RegisterDNSTCPParsers();
/** IMAP */
//AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_IMAP, "|2A 20|OK|20|", 5, 0, STREAM_TOCLIENT);
AlpProtoAdd(&alp_proto_ctx, "imap", IPPROTO_TCP, ALPROTO_IMAP, "1|20|capability", 12, 0, STREAM_TOSERVER);
if (AppLayerProtoDetectionEnabled("imap")) {
//AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_IMAP, "|2A 20|OK|20|", 5, 0, STREAM_TOCLIENT);
AlpProtoAdd(&alp_proto_ctx, "imap", IPPROTO_TCP, ALPROTO_IMAP, "1|20|capability", 12, 0, STREAM_TOSERVER);
} else {
SCLogInfo("Protocol detection and parser disabled for %s protocol.",
"imap");
return;
}
/** MSN Messenger */
//AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_MSN, "MSNP", 10, 6, STREAM_TOCLIENT);
AlpProtoAdd(&alp_proto_ctx, "msn", IPPROTO_TCP, ALPROTO_MSN, "MSNP", 10, 6, STREAM_TOSERVER);
if (AppLayerProtoDetectionEnabled("msn")) {
//AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_MSN, "MSNP", 10, 6, STREAM_TOCLIENT);
AlpProtoAdd(&alp_proto_ctx, "msn", IPPROTO_TCP, ALPROTO_MSN, "MSNP", 10, 6, STREAM_TOSERVER);
} else {
SCLogInfo("Protocol detection and parser disabled for %s protocol.",
"msn");
return;
}
/** Jabber */
//AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_JABBER, "xmlns='jabber|3A|client'", 74, 53, STREAM_TOCLIENT);
//AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_JABBER, "xmlns='jabber|3A|client'", 74, 53, STREAM_TOSERVER);
if (AppLayerProtoDetectionEnabled("jabber")) {
//AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_JABBER, "xmlns='jabber|3A|client'", 74, 53, STREAM_TOCLIENT);
//AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_JABBER, "xmlns='jabber|3A|client'", 74, 53, STREAM_TOSERVER);
} else {
SCLogInfo("Protocol detection disabled for %s protocol and as a "
"consequence the conf param \"app-layer.protocols.%s."
"parser-enabled\" will now be ignored.", "jabber", "jabber");
return;
}
return;
}
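Review bot: The `return;` in the else branches for imap and msn aborts RegisterAppLayerParsers as a whole, so `app-layer.protocols.imap.enabled: no` also silently skips MSN and Jabber detection, and disabling msn skips Jabber, which is not what a per-protocol switch promises and quietly widens the inspection blind spot. Unlike the per-protocol Register*Parsers functions, this is a sequence of independent protocols, so each else branch should only log and fall through: drop the three `return;` statements inside the else blocks and keep the trailing one. The jabber block also registers nothing on either path (both AlpProtoAdd calls are commented out), so its else message claiming detection is now off is misleading; either omit the block or add a comment that jabber detection is currently disabled in code regardless of the conf value.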
@ -1521,6 +1541,95 @@ void AppLayerParsersInitPostProcess(void)
}
}
/*************************App Layer Conf Options Parsing***********************/
/**
* \brief Given a protocol name, checks if the parser is enabled in the
* conf file.
*
* \param al_proto Name of the app layer protocol.
*
* \retval 1 If enabled.
* \retval 0 If disabled.
*/
int AppLayerParserEnabled(const char *al_proto)
{
int enabled = 1;
char param[100];
int r = snprintf(param, sizeof(param), "%s%s%s", "app-layer.protocols.",
al_proto, ".enabled");
if (r < 0) {
SCLogError(SC_ERR_FATAL, "snprintf failure.");
exit(EXIT_FAILURE);
} else if (r > (int)sizeof(param)) {
SCLogError(SC_ERR_FATAL, "buffer not big enough to write param.");
exit(EXIT_FAILURE);
}
ConfNode *node = ConfGetNode(param);
if (node == NULL) {
SCLogInfo("Entry for %s not found.", param);
return enabled;
} else {
if (strcasecmp(node->val, "yes") == 0) {
enabled = 1;
} else if (strcasecmp(node->val, "no") == 0) {
enabled = 0;
} else if (strcasecmp(node->val, "detection-only") == 0) {
enabled = 0;
} else {
SCLogError(SC_ERR_FATAL, "Invalid value found for %s.", param);
exit(EXIT_FAILURE);
}
}
return enabled;
}
/**
* \brief Given a protocol name, checks if proto detection is enabled in the
* conf file.
*
* \param al_proto Name of the app layer protocol.
*
* \retval 1 If enabled.
* \retval 0 If disabled.
*/
int AppLayerProtoDetectionEnabled(const char *al_proto)
{
int enabled = 1;
char param[100];
int r = snprintf(param, sizeof(param), "%s%s%s", "app-layer.protocols.",
al_proto, ".enabled");
if (r < 0) {
SCLogError(SC_ERR_FATAL, "snprintf failure.");
exit(EXIT_FAILURE);
} else if (r > (int)sizeof(param)) {
SCLogError(SC_ERR_FATAL, "buffer not big enough to write param.");
exit(EXIT_FAILURE);
}
ConfNode *node = ConfGetNode(param);
if (node == NULL) {
SCLogInfo("Entry for %s not found.", param);
return enabled;
} else {
if (strcasecmp(node->val, "yes") == 0) {
enabled = 1;
} else if (strcasecmp(node->val, "no") == 0) {
enabled = 0;
} else if (strcasecmp(node->val, "detection-only") == 0) {
enabled = 1;
} else {
SCLogError(SC_ERR_FATAL, "Invalid value found for %s.", param);
exit(EXIT_FAILURE);
}
}
return enabled;
}
/********************************Probing Parsers*******************************/

@ -416,4 +416,7 @@ int AppLayerAlprotoSupportsTxs(uint16_t alproto);
void AppLayerTriggerRawStreamReassembly(Flow *);
int AppLayerParserEnabled(const char *alproto);
int AppLayerProtoDetectionEnabled(const char *alproto);
#endif /* __APP_LAYER_PARSER_H__ */

@ -1400,24 +1400,35 @@ static uint16_t SMBProbingParser(uint8_t *input, uint32_t ilen, uint32_t *offset
void RegisterSMBParsers(void) {
char *proto_name = "smb";
/** SMB */
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOSERVER);
/** SMB2 */
AlpProtoAdd(&alp_proto_ctx, "smb2", IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOSERVER);
AppLayerRegisterProto(proto_name, ALPROTO_SMB, STREAM_TOSERVER, SMBParseRequest);
AppLayerRegisterProto(proto_name, ALPROTO_SMB, STREAM_TOCLIENT, SMBParseResponse);
AppLayerRegisterStateFuncs(ALPROTO_SMB, SMBStateAlloc, SMBStateFree);
if (AppLayerProtoDetectionEnabled(proto_name)) {
/** SMB */
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOSERVER);
/** SMB2 */
AlpProtoAdd(&alp_proto_ctx, "smb2", IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOSERVER);
AppLayerRegisterProbingParser(&alp_proto_ctx,
IPPROTO_TCP,
"139",
"smb",
ALPROTO_SMB,
SMB_PROBING_PARSER_MIN_DEPTH, 0,
STREAM_TOSERVER,
SMBProbingParser);
} else {
SCLogInfo("Protocol detection and parser disabled for %s protocol.",
proto_name);
return;
}
if (AppLayerParserEnabled(proto_name)) {
AppLayerRegisterProto(proto_name, ALPROTO_SMB, STREAM_TOSERVER, SMBParseRequest);
AppLayerRegisterProto(proto_name, ALPROTO_SMB, STREAM_TOCLIENT, SMBParseResponse);
AppLayerRegisterStateFuncs(ALPROTO_SMB, SMBStateAlloc, SMBStateFree);
} else {
SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
"still on.", proto_name);
}
AppLayerRegisterProbingParser(&alp_proto_ctx,
IPPROTO_TCP,
"139",
"smb",
ALPROTO_SMB,
SMB_PROBING_PARSER_MIN_DEPTH, 0,
STREAM_TOSERVER,
SMBProbingParser);
#ifdef UNITTESTS
AppLayerRegisterUnittests(ALPROTO_SMB, SMBParserRegisterTests);
#endif
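Review bot: The SMB2 signature `|fe|SMB` is registered here under the `smb` switch (`AppLayerProtoDetectionEnabled(proto_name)` with proto_name "smb"), while RegisterSMB2Parsers in this same commit consults `app-layer.protocols.smb2.enabled`. As a result `smb2.enabled: no` leaves SMB2 detection on and `smb.enabled: no` turns SMB2 detection off, so the SMB2 pattern and the SMB2 parser are gated by different keys. Either move the `AlpProtoAdd(&alp_proto_ctx, "smb2", IPPROTO_TCP, ALPROTO_SMB2, ...)` line into RegisterSMB2Parsers under its own check, or add a comment on that line saying SMB2 detection is deliberately tied to the `smb` key. The literal "smb" passed to AppLayerRegisterProbingParser can also simply be `proto_name`.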

@ -518,12 +518,22 @@ static void SMB2StateFree(void *s) {
}
void RegisterSMB2Parsers(void) {
AppLayerRegisterProto("smb", ALPROTO_SMB2, STREAM_TOSERVER, SMB2Parse);
AppLayerRegisterProto("smb", ALPROTO_SMB2, STREAM_TOCLIENT, SMB2Parse);
AppLayerRegisterStateFuncs(ALPROTO_SMB2, SMB2StateAlloc, SMB2StateFree);
/** SMB2 */
char *proto_name = "smb2";
if (AppLayerProtoDetectionEnabled(proto_name)) {
AppLayerRegisterProto(proto_name, ALPROTO_SMB2, STREAM_TOSERVER, SMB2Parse);
AppLayerRegisterProto(proto_name, ALPROTO_SMB2, STREAM_TOCLIENT, SMB2Parse);
AppLayerRegisterStateFuncs(ALPROTO_SMB2, SMB2StateAlloc, SMB2StateFree);
} else {
SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
"still on.", proto_name);
}
#ifdef UNITTESTS
AppLayerRegisterUnittests(ALPROTO_SMB2, SMB2ParserRegisterTests);
#endif
return;
}
/* UNITTESTS */
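Review bot: RegisterSMB2Parsers gates the parser and state-function registration on `AppLayerProtoDetectionEnabled(proto_name)` rather than `AppLayerParserEnabled(proto_name)`, so `smb2.enabled: detection-only` still installs the SMB2 parser, and the else message "Parser disabled ... Protocol detection still on" is printed precisely when detection was turned off. The other registrations in this commit check detection first (log and return) and then the parser; the same two-step shape belongs here: `if (!AppLayerProtoDetectionEnabled(proto_name)) { SCLogInfo("Protocol detection and parser disabled for %s protocol.", proto_name); return; } if (AppLayerParserEnabled(proto_name)) { ... }`. Note that this function registers no pattern or probing parser of its own, so a detection check here is only meaningful if the SMB2 pattern currently registered alongside the SMB pattern in RegisterSMBParsers is moved here as well.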

@ -847,21 +847,32 @@ void RegisterSMTPParsers(void)
{
char *proto_name = "smtp";
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SMTP, "EHLO", 4, 0,
STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SMTP, "HELO", 4, 0,
STREAM_TOSERVER);
if (AppLayerProtoDetectionEnabled(proto_name)) {
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SMTP, "EHLO", 4, 0,
STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SMTP, "HELO", 4, 0,
STREAM_TOSERVER);
} else {
SCLogInfo("Protocol detection and parser disabled for %s protocol.",
proto_name);
return;
}
AppLayerRegisterStateFuncs(ALPROTO_SMTP, SMTPStateAlloc, SMTPStateFree);
if (AppLayerParserEnabled(proto_name)) {
AppLayerRegisterStateFuncs(ALPROTO_SMTP, SMTPStateAlloc, SMTPStateFree);
AppLayerRegisterProto(proto_name, ALPROTO_SMTP, STREAM_TOSERVER,
SMTPParseClientRecord);
AppLayerRegisterProto(proto_name, ALPROTO_SMTP, STREAM_TOCLIENT,
SMTPParseServerRecord);
AppLayerDecoderEventsModuleRegister(ALPROTO_SMTP, smtp_decoder_event_table);
AppLayerRegisterProto(proto_name, ALPROTO_SMTP, STREAM_TOSERVER,
SMTPParseClientRecord);
AppLayerRegisterProto(proto_name, ALPROTO_SMTP, STREAM_TOCLIENT,
SMTPParseServerRecord);
AppLayerDecoderEventsModuleRegister(ALPROTO_SMTP, smtp_decoder_event_table);
AppLayerRegisterLocalStorageFunc(ALPROTO_SMTP, SMTPLocalStorageAlloc,
SMTPLocalStorageFree);
AppLayerRegisterLocalStorageFunc(ALPROTO_SMTP, SMTPLocalStorageAlloc,
SMTPLocalStorageFree);
} else {
SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
"still on.", proto_name);
}
SMTPSetMpmState();

@ -739,14 +739,25 @@ void RegisterSSHParsers(void)
char *proto_name = "ssh";
/** SSH */
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SSH, "SSH-", 4, 0, STREAM_TOSERVER);
if (AppLayerProtoDetectionEnabled(proto_name)) {
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SSH, "SSH-", 4, 0, STREAM_TOSERVER);
} else {
SCLogInfo("Protocol detection and parser disabled for %s protocol.",
proto_name);
return;
}
AppLayerRegisterProto(proto_name, ALPROTO_SSH, STREAM_TOCLIENT,
SSHParseServerRecord);
AppLayerRegisterProto(proto_name, ALPROTO_SSH, STREAM_TOSERVER,
SSHParseClientRecord);
if (AppLayerParserEnabled(proto_name)) {
AppLayerRegisterProto(proto_name, ALPROTO_SSH, STREAM_TOCLIENT,
SSHParseServerRecord);
AppLayerRegisterProto(proto_name, ALPROTO_SSH, STREAM_TOSERVER,
SSHParseClientRecord);
AppLayerRegisterStateFuncs(ALPROTO_SSH, SSHStateAlloc, SSHStateFree);
} else {
SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
"still on.", proto_name);
}
AppLayerRegisterStateFuncs(ALPROTO_SSH, SSHStateAlloc, SSHStateFree);
#ifdef UNITTESTS
AppLayerRegisterUnittests(ALPROTO_SSH, SSHParserRegisterTests);
#endif

@ -994,44 +994,65 @@ void RegisterSSLParsers(void)
char *proto_name = "tls";
/** SSLv2 and SSLv23*/
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 00 02|", 5, 2, STREAM_TOSERVER);
/* subsection - SSLv2 style record by client, but informing the server the max
* version it supports */
/* Updated by Anoop Saldanha. Disabled it for now. We'll get back to it
* after some tests */
//AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|01 03 00|", 5, 2, STREAM_TOSERVER);
//AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|00 02|", 7, 5, STREAM_TOCLIENT);
/** SSLv3 */
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 00|", 3, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 00|", 3, 0, STREAM_TOSERVER); /* client hello */
if (AppLayerProtoDetectionEnabled(proto_name)) {
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 00 02|", 5, 2, STREAM_TOSERVER);
/* subsection - SSLv2 style record by client, but informing the server the max
* version it supports */
/* Updated by Anoop Saldanha. Disabled it for now. We'll get back to it
* after some tests */
//AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|01 03 00|", 5, 2, STREAM_TOSERVER);
//AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|00 02|", 7, 5, STREAM_TOCLIENT);
/** SSLv3 */
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 00|", 3, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 00|", 3, 0, STREAM_TOSERVER); /* client hello */
/** TLSv1 */
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 01|", 3, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 01|", 3, 0, STREAM_TOSERVER); /* client hello */
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 01|", 3, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 01|", 3, 0, STREAM_TOSERVER); /* client hello */
/** TLSv1.1 */
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 02|", 3, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 02|", 3, 0, STREAM_TOSERVER); /* client hello */
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 02|", 3, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 02|", 3, 0, STREAM_TOSERVER); /* client hello */
/** TLSv1.2 */
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 03|", 3, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 03|", 3, 0, STREAM_TOSERVER); /* client hello */
AppLayerRegisterProto(proto_name, ALPROTO_TLS, STREAM_TOSERVER,
SSLParseClientRecord);
AppLayerRegisterProto(proto_name, ALPROTO_TLS, STREAM_TOCLIENT,
SSLParseServerRecord);
AppLayerDecoderEventsModuleRegister(ALPROTO_TLS, tls_decoder_event_table);
AppLayerRegisterStateFuncs(ALPROTO_TLS, SSLStateAlloc, SSLStateFree);
AppLayerRegisterProbingParser(&alp_proto_ctx,
IPPROTO_TCP,
"443",
proto_name,
ALPROTO_TLS,
0, 3,
STREAM_TOSERVER,
SSLProbingParser);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 03|", 3, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 03|", 3, 0, STREAM_TOSERVER); /* client hello */
AppLayerRegisterProbingParser(&alp_proto_ctx,
IPPROTO_TCP,
"443",
proto_name,
ALPROTO_TLS,
0, 3,
STREAM_TOSERVER,
SSLProbingParser);
} else {
SCLogInfo("Protocol detection and parser disabled for %s protocol",
proto_name);
return;
}
if (AppLayerParserEnabled(proto_name)) {
AppLayerRegisterProto(proto_name, ALPROTO_TLS, STREAM_TOSERVER,
SSLParseClientRecord);
AppLayerRegisterProto(proto_name, ALPROTO_TLS, STREAM_TOCLIENT,
SSLParseServerRecord);
AppLayerDecoderEventsModuleRegister(ALPROTO_TLS, tls_decoder_event_table);
AppLayerRegisterStateFuncs(ALPROTO_TLS, SSLStateAlloc, SSLStateFree);
/* Get the value of no reassembly option from the config file */
if (ConfGetNode("app-layer.protocols.tls.no-reassemble") == NULL) {
if (ConfGetBool("tls.no-reassemble", &ssl_config.no_reassemble) != 1)
ssl_config.no_reassemble = 1;
} else {
if (ConfGetBool("app-layer.protocols.tls.no-reassemble", &ssl_config.no_reassemble) != 1)
ssl_config.no_reassemble = 1;
}
} else {
SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
"still on.", proto_name);
}
#ifdef UNITTESTS
AppLayerRegisterUnittests(ALPROTO_TLS, SSLParserRegisterTests);
#endif

@ -166,9 +166,9 @@ static int DetectDnsQueryTest01(void) {
de_ctx->mpm_matcher = DEFAULT_MPM;
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google\"; nocase; sid:1;)");
s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google\"; nocase; sid:1;)");
if (s == NULL) {
goto end;
}
@ -287,13 +287,13 @@ static int DetectDnsQueryTest02(void) {
de_ctx->mpm_matcher = DEFAULT_MPM;
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.com\"; nocase; sid:1;)");
if (s == NULL) {
goto end;
}
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.net\"; nocase; sid:2;)");
if (s == NULL) {
@ -432,7 +432,7 @@ static int DetectDnsQueryTest03(void) {
de_ctx->mpm_matcher = DEFAULT_MPM;
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
s = DetectEngineAppendSig(de_ctx, "alert dnstcp any any -> any any "
"(msg:\"Test dns_query option\"; "
"content:\"google\"; nocase; dns_query; sid:1;)");
if (s == NULL) {
@ -529,7 +529,7 @@ static int DetectDnsQueryTest04(void) {
de_ctx->mpm_matcher = DEFAULT_MPM;
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
s = DetectEngineAppendSig(de_ctx, "alert dnstcp any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google\"; nocase; sid:1;)");
if (s == NULL) {
@ -680,13 +680,13 @@ static int DetectDnsQueryTest05(void) {
de_ctx->mpm_matcher = DEFAULT_MPM;
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
s = DetectEngineAppendSig(de_ctx, "alert dnstcp any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.com\"; nocase; sid:1;)");
if (s == NULL) {
goto end;
}
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
s = DetectEngineAppendSig(de_ctx, "alert dnstcp any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.net\"; nocase; sid:2;)");
if (s == NULL) {
@ -842,14 +842,14 @@ static int DetectDnsQueryTest06(void) {
de_ctx->mpm_matcher = DEFAULT_MPM;
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google\"; nocase; "
"pcre:\"/google\\.com$/i\"; sid:1;)");
if (s == NULL) {
goto end;
}
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google\"; nocase; "
"pcre:\"/^\\.[a-z]{2,3}$/iR\"; sid:2;)");
@ -977,19 +977,19 @@ static int DetectDnsQueryTest07(void) {
de_ctx->mpm_matcher = DEFAULT_MPM;
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.com\"; nocase; sid:1;)");
if (s == NULL) {
goto end;
}
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.net\"; nocase; sid:2;)");
if (s == NULL) {
goto end;
}
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
"(msg:\"Test Z flag event\"; "
"app-layer-event:dns.z_flag_set; sid:3;)");
if (s == NULL) {

@ -636,7 +636,11 @@ int SigParseProto(Signature *s, const char *protostr) {
if (s->alproto == ALPROTO_UNKNOWN) {
SCLogError(SC_ERR_UNKNOWN_PROTOCOL, "protocol \"%s\" cannot be used "
"in a signature", protostr);
"in a signature. Either detection for this protocol "
"supported yet OR detection has been disabled for "
"protocol through the yaml option "
"app-layer.protocols.%s.detection-enabled", protostr,
protostr);
SCReturnInt(-1);
}
}
@ -1224,6 +1228,28 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s) {
}
}
}
}
if (s->alproto != ALPROTO_UNKNOWN) {
if (s->flags & SIG_FLAG_STATE_MATCH) {
if (al_proto_table[s->alproto].to_server == 0 ||
al_proto_table[s->alproto].to_client == 0) {
const char *proto_name = TmModuleAlprotoToString(s->alproto);
SCLogInfo("Signature uses options that need the app layer "
"parser for \"%s\", but the parser's disabled "
"for the protocol. Please check if you have "
"disabled it through the option "
"\"app-layer.protocols.%s.enabled\" or internally "
"there the parser has been disabled in the code. "
"Invalidating signature.", proto_name, proto_name);
SCReturnInt(0);
}
}
}
if (s->flags & SIG_FLAG_REQUIRE_PACKET) {
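Review bot: The error text added in SigParseProto directs operators to a yaml key `app-layer.protocols.%s.detection-enabled`, but the configuration introduced by this same commit only defines `enabled` with the values yes/no/detection-only, so the hint names a key that does not exist; the sentence is also missing its verb ("Either detection for this protocol supported yet"). Suggested wording: `"in a signature. Either detection for this protocol isn't supported yet OR detection has been disabled for the protocol through the yaml option app-layer.protocols.%s.enabled", protostr, protostr`. In the second hunk, SigValidate invalidates a signature whose state-match options need a disabled parser but reports it only via SCLogInfo; a rule silently failing to load reduces detection coverage and is easy to miss at that level, so SCLogWarning (or SCLogError, matching the unknown-protocol case above) seems more appropriate, and "or internally there the parser has been disabled in the code" reads better as "or whether the parser has been disabled internally in the code". SigValidate begins and ends outside the hunk.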

@ -976,84 +976,119 @@ pcre:
match-limit: 3500
match-limit-recursion: 1500
###########################################################################
# Configure libhtp.
#
#
# default-config: Used when no server-config matches
# personality: List of personalities used by default
# request-body-limit: Limit reassembly of request body for inspection
# by http_client_body & pcre /P option.
# response-body-limit: Limit reassembly of response body for inspection
# by file_data, http_server_body & pcre /Q option.
# double-decode-path: Double decode path section of the URI
# double-decode-query: Double decode query section of the URI
#
# server-config: List of server configurations to use if address matches
# address: List of ip addresses or networks for this block
# personalitiy: List of personalities used by this block
# request-body-limit: Limit reassembly of request body for inspection
# by http_client_body & pcre /P option.
# response-body-limit: Limit reassembly of response body for inspection
# by file_data, http_server_body & pcre /Q option.
# double-decode-path: Double decode path section of the URI
# double-decode-query: Double decode query section of the URI
#
# Currently Available Personalities:
# Minimal
# Generic
# IDS (default)
# IIS_4_0
# IIS_5_0
# IIS_5_1
# IIS_6_0
# IIS_7_0
# IIS_7_5
# Apache_2
###########################################################################
libhtp:
default-config:
personality: IDS
# Can be specified in kb, mb, gb. Just a number indicates
# it's in bytes.
request-body-limit: 3072
response-body-limit: 3072
# inspection limits
request-body-minimal-inspect-size: 32kb
request-body-inspect-window: 4kb
response-body-minimal-inspect-size: 32kb
response-body-inspect-window: 4kb
# decoding
double-decode-path: no
double-decode-query: no
server-config:
- apache:
address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
personality: Apache_2
# Can be specified in kb, mb, gb. Just a number indicates
# it's in bytes.
request-body-limit: 4096
response-body-limit: 4096
double-decode-path: no
double-decode-query: no
- iis7:
address:
- 192.168.0.0/24
- 192.168.10.0/24
personality: IIS_7_0
# Can be specified in kb, mb, gb. Just a number indicates
# it's in bytes.
request-body-limit: 4096
response-body-limit: 4096
double-decode-path: no
double-decode-query: no
# Holds details on the app-layer. The protocols section details each protocol.
# Under each protocol, the default value for detection-enabled and "
# parsed-enabled is yes, unless specified otherwise.
# Each protocol covers enabling/disabling parsers for all ipprotos
# the app-layer protocol runs on. For example "dcerpc" refers to the tcp
# version of the protocol as well as the udp version of the protocol.
# The option "enabled" takes 3 values - "yes", "no", "detection-only".
# "yes" enables both detection and the parser, "no" disables both, and
# "detection-only" enables detection only(parser disabled).
app-layer:
protocols:
tls:
enabled: yes
#no-reassemble: yes
dcerpc:
enabled: yes
ftp:
enabled: yes
ssh:
enabled: yes
smtp:
enabled: yes
imap:
enabled: detection-only
msn:
enabled: detection-only
smb:
enabled: yes
# smb2 detection is disabled internally inside the engine.
#smb2:
# enabled: yes
http:
enabled: yes
###########################################################################
# Configure libhtp.
#
#
# default-config: Used when no server-config matches
# personality: List of personalities used by default
# request-body-limit: Limit reassembly of request body for inspection
# by http_client_body & pcre /P option.
# response-body-limit: Limit reassembly of response body for inspection
# by file_data, http_server_body & pcre /Q option.
# double-decode-path: Double decode path section of the URI
# double-decode-query: Double decode query section of the URI
#
# server-config: List of server configurations to use if address matches
# address: List of ip addresses or networks for this block
# personalitiy: List of personalities used by this block
# request-body-limit: Limit reassembly of request body for inspection
# by http_client_body & pcre /P option.
# response-body-limit: Limit reassembly of response body for inspection
# by file_data, http_server_body & pcre /Q option.
# double-decode-path: Double decode path section of the URI
# double-decode-query: Double decode query section of the URI
#
# Currently Available Personalities:
# Minimal
# Generic
# IDS (default)
# IIS_4_0
# IIS_5_0
# IIS_5_1
# IIS_6_0
# IIS_7_0
# IIS_7_5
# Apache_2
###########################################################################
libhtp:
default-config:
personality: IDS
# Can be specified in kb, mb, gb. Just a number indicates
# it's in bytes.
request-body-limit: 3072
response-body-limit: 3072
# inspection limits
request-body-minimal-inspect-size: 32kb
request-body-inspect-window: 4kb
response-body-minimal-inspect-size: 32kb
response-body-inspect-window: 4kb
# decoding
double-decode-path: no
double-decode-query: no
server-config:
- apache:
address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
personality: Apache_2
# Can be specified in kb, mb, gb. Just a number indicates
# it's in bytes.
request-body-limit: 4096
response-body-limit: 4096
double-decode-path: no
double-decode-query: no
- iis7:
address:
- 192.168.0.0/24
- 192.168.10.0/24
personality: IIS_7_0
# Can be specified in kb, mb, gb. Just a number indicates
# it's in bytes.
request-body-limit: 4096
response-body-limit: 4096
double-decode-path: no
double-decode-query: no
# Profiling settings. Only effective if Suricata has been built with the
# the --enable-profiling configure flag.
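Review bot: The comment block above `app-layer:` describes per-protocol options named `detection-enabled` and `parsed-enabled` (with a stray `"` after "and"), but the only key defined for each protocol below is `enabled` with the values yes/no/detection-only, so the comment contradicts the settings it documents. Suggest replacing those two lines with `# Under each protocol, the default value for "enabled" is yes,` / `# unless specified otherwise.`. The commit description says libhtp now lives under app-layer.protocols.http with backward compatibility for older files; since indentation is not preserved in this rendering, it is worth confirming in the actual file that the moved `libhtp:` key is nested under `http:`, otherwise the new location is never read. The pre-existing `personalitiy` typo in the server-config comment is carried over into the moved block and could be fixed at the same time.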
