suricata
app-layer-dcerpc-udp.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2009, 2010 Open Information Security Foundation
3  *
4  * You can copy, redistribute or modify this Program under the terms of
5  * the GNU General Public License version 2 as published by the Free
6  * Software Foundation.
7  *
8  * This program is distributed in the hope that it will be useful,
9  * but WITHOUT ANY WARRANTY; without even the implied warranty of
10  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11  * GNU General Public License for more details.
12  *
13  * You should have received a copy of the GNU General Public License
14  * version 2 along with this program; if not, write to the Free Software
15  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
16  * 02110-1301, USA.
17  */
18 /*
19  * \todo Updated by AS: Inspect the possibilities of sending junk start at the
20  * start of udp session to avoid alproto detection.
21  */
22 
23 #include "suricata-common.h"
24 #include "suricata.h"
25 
26 #include "debug.h"
27 #include "decode.h"
28 
29 #include "flow-util.h"
30 
31 #include "threads.h"
32 
33 #include "util-print.h"
34 #include "util-pool.h"
35 #include "util-debug.h"
36 
37 #include "stream-tcp-private.h"
38 #include "stream-tcp-reassemble.h"
39 #include "stream-tcp.h"
40 #include "stream.h"
41 
42 #include "app-layer-protos.h"
43 #include "app-layer-parser.h"
44 #include "app-layer.h"
45 
46 #include "util-spm.h"
47 #include "util-unittest.h"
48 
50 #include "app-layer-dcerpc-udp.h"
51 
52 static AppLayerResult RustDCERPCUDPParse(Flow *f, void *dcerpc_state,
53  AppLayerParserState *pstate, const uint8_t *input, uint32_t input_len,
54  void *local_data, const uint8_t flags)
55 {
56  return rs_dcerpc_udp_parse(f, dcerpc_state, pstate, input, input_len,
57  local_data, flags);
58 }
59 
60 static void *RustDCERPCUDPStateNew(void)
61 {
62  return rs_dcerpc_udp_state_new();
63 }
64 
65 static void RustDCERPCUDPStateFree(void *s)
66 {
67  return rs_dcerpc_udp_state_free(s);
68 }
69 
70 static int RustDCERPCUDPSetTxDetectState(void *vtx, DetectEngineState *de_state)
71 {
72  return rs_dcerpc_udp_set_tx_detect_state(vtx, de_state);
73 }
74 
75 static DetectEngineState *RustDCERPCUDPGetTxDetectState(void *vtx)
76 {
77  return rs_dcerpc_udp_get_tx_detect_state(vtx);
78 }
79 
80 static void RustDCERPCUDPStateTransactionFree(void *state, uint64_t tx_id)
81 {
82  return rs_dcerpc_udp_state_transaction_free(state, tx_id);
83 }
84 
85 static void *RustDCERPCUDPGetTx(void *state, uint64_t tx_id)
86 {
87  return rs_dcerpc_udp_get_tx(state, tx_id);
88 }
89 
90 static uint64_t RustDCERPCUDPGetTxCnt(void *state)
91 {
92  return rs_dcerpc_udp_get_tx_cnt(state);
93 }
94 
95 static int RustDCERPCUDPGetAlstateProgressCompletionStatus(uint8_t direction)
96 {
97  return rs_dcerpc_udp_get_alstate_progress_completion_status(direction);
98 }
99 
100 static int RustDCERPCUDPGetAlstateProgress(void *tx, uint8_t direction)
101 {
102  return rs_dcerpc_udp_get_alstate_progress(tx, direction);
103 }
104 
105 static int DCERPCUDPRegisterPatternsForProtocolDetection(void)
106 {
108  "|04 00|", 2, 0, STREAM_TOSERVER) < 0)
109  {
110  return -1;
111  }
112 
113  return 0;
114 }
115 
117 {
118  const char *proto_name = "dcerpc";
119 
120  if (AppLayerProtoDetectConfProtoDetectionEnabled("udp", proto_name)) {
122  if (DCERPCUDPRegisterPatternsForProtocolDetection() < 0)
123  return;
124  } else {
125  SCLogInfo("Protocol detection and parser disabled for %s protocol.",
126  "dcerpc");
127  return;
128  }
129 
130  if (AppLayerParserConfParserEnabled("udp", "dcerpc")) {
132  RustDCERPCUDPParse);
134  RustDCERPCUDPParse);
135  AppLayerParserRegisterStateFuncs(IPPROTO_UDP, ALPROTO_DCERPC, RustDCERPCUDPStateNew,
136  RustDCERPCUDPStateFree);
138 
139  AppLayerParserRegisterTxFreeFunc(IPPROTO_UDP, ALPROTO_DCERPC, RustDCERPCUDPStateTransactionFree);
140 
142  RustDCERPCUDPGetTxDetectState, RustDCERPCUDPSetTxDetectState);
143 
144  AppLayerParserRegisterGetTx(IPPROTO_UDP, ALPROTO_DCERPC, RustDCERPCUDPGetTx);
145 
146  AppLayerParserRegisterGetTxCnt(IPPROTO_UDP, ALPROTO_DCERPC, RustDCERPCUDPGetTxCnt);
147 
148  AppLayerParserRegisterGetStateProgressFunc(IPPROTO_UDP, ALPROTO_DCERPC, RustDCERPCUDPGetAlstateProgress);
149 
151  RustDCERPCUDPGetAlstateProgressCompletionStatus);
152  } else {
153  SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
154  "still on.", "dcerpc");
155  }
156 
157  return;
158 }
AppLayerParserRegisterGetStateProgressFunc
void AppLayerParserRegisterGetStateProgressFunc(uint8_t ipproto, AppProto alproto, int(*StateGetProgress)(void *alstate, uint8_t direction))
Definition: app-layer-parser.c:490
app-layer-dcerpc-udp.h
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
flow-util.h
AppLayerParserRegisterStateFuncs
void AppLayerParserRegisterStateFuncs(uint8_t ipproto, AppProto alproto, void *(*StateAlloc)(void), void(*StateFree)(void *))
Definition: app-layer-parser.c:397
DetectEngineState_
Definition: detect-engine-state.h:92
stream-tcp.h
AppLayerParserConfParserEnabled
int AppLayerParserConfParserEnabled(const char *ipproto, const char *alproto_name)
check if a parser is enabled in the config Returns enabled always if: were running unittests
Definition: app-layer-parser.c:302
threads.h
Flow_
Flow data structure.
Definition: flow.h:343
AppLayerParserRegisterParserAcceptableDataDirection
void AppLayerParserRegisterParserAcceptableDataDirection(uint8_t ipproto, AppProto alproto, uint8_t direction)
Definition: app-layer-parser.c:376
AppLayerParserRegisterTxFreeFunc
void AppLayerParserRegisterTxFreeFunc(uint8_t ipproto, AppProto alproto, void(*StateTransactionFree)(void *, uint64_t))
Definition: app-layer-parser.c:501
stream-tcp-reassemble.h
AppLayerParserRegisterDetectStateFuncs
void AppLayerParserRegisterDetectStateFuncs(uint8_t ipproto, AppProto alproto, DetectEngineState *(*GetTxDetectState)(void *tx), int(*SetTxDetectState)(void *tx, DetectEngineState *))
Definition: app-layer-parser.c:577
util-unittest.h
decode.h
util-debug.h
AppLayerParserState_
Definition: app-layer-parser.c:155
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
util-print.h
app-layer-parser.h
stream.h
app-layer-dcerpc-common.h
stream-tcp-private.h
RegisterDCERPCUDPParsers
void RegisterDCERPCUDPParsers(void)
Definition: app-layer-dcerpc-udp.c:116
AppLayerProtoDetectRegisterProtocol
void AppLayerProtoDetectRegisterProtocol(AppProto alproto, const char *alproto_name)
Registers a protocol for protocol detection phase.
Definition: app-layer-detect-proto.c:1826
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:217
AppLayerParserRegisterParser
int AppLayerParserRegisterParser(uint8_t ipproto, AppProto alproto, uint8_t direction, AppLayerParserFPtr Parser)
Register app layer parser for the protocol.
Definition: app-layer-parser.c:364
AppLayerParserRegisterGetStateProgressCompletionStatus
void AppLayerParserRegisterGetStateProgressCompletionStatus(AppProto alproto, int(*StateGetProgressCompletionStatus)(uint8_t direction))
Definition: app-layer-parser.c:542
AppLayerParserRegisterGetTx
void AppLayerParserRegisterGetTx(uint8_t ipproto, AppProto alproto, void *(StateGetTx)(void *alstate, uint64_t tx_id))
Definition: app-layer-parser.c:523
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
util-spm.h
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
app-layer-protos.h
suricata.h
AppLayerParserRegisterGetTxCnt
void AppLayerParserRegisterGetTxCnt(uint8_t ipproto, AppProto alproto, uint64_t(*StateGetTxCnt)(void *alstate))
Definition: app-layer-parser.c:512
AppLayerProtoDetectPMRegisterPatternCS
int AppLayerProtoDetectPMRegisterPatternCS(uint8_t ipproto, AppProto alproto, const char *pattern, uint16_t depth, uint16_t offset, uint8_t direction)
Registers a case-sensitive pattern for protocol detection.
Definition: app-layer-detect-proto.c:1723
util-pool.h
AppLayerProtoDetectConfProtoDetectionEnabled
int AppLayerProtoDetectConfProtoDetectionEnabled(const char *ipproto, const char *alproto)
Given a protocol name, checks if proto detection is enabled in the conf file.
Definition: app-layer-detect-proto.c:1890
debug.h
app-layer.h