#include "suricata-common.h"#include "decode.h"#include "threads.h"#include "threadvars.h"#include "tm-threads.h"#include "detect.h"#include "detect-engine-port.h"#include "detect-engine-build.h"#include "detect-parse.h"#include "detect-engine.h"#include "detect-content.h"#include "detect-engine-mpm.h"#include "detect-engine-state.h"#include "util-print.h"#include "util-pool.h"#include "util-unittest.h"#include "util-unittest-helper.h"#include "util-validate.h"#include "flow.h"#include "flow-util.h"#include "flow-private.h"#include "stream-tcp-private.h"#include "stream-tcp-reassemble.h"#include "stream-tcp.h"#include "stream.h"#include "app-layer.h"#include "app-layer-protos.h"#include "app-layer-parser.h"#include "app-layer-detect-proto.h"#include "app-layer-expectation.h"#include "conf.h"#include "util-memcmp.h"#include "util-spm.h"#include "util-debug.h"#include "runmodes.h"#include "app-layer-htp.h"#include "detect-engine-alert.h"
Go to the source code of this file.
Data Structures | |
| struct | AppLayerProtoDetectProbingParserElement_ |
| struct | AppLayerProtoDetectProbingParserPort_ |
| struct | AppLayerProtoDetectProbingParser_ |
| struct | AppLayerProtoDetectPMSignature_ |
| struct | AppLayerProtoDetectPMCtx_ |
| struct | AppLayerProtoDetectCtxIpproto_ |
| struct | AppLayerProtoDetectCtx_ |
| The app layer protocol detection context. More... | |
| struct | AppLayerProtoDetectAliases_ |
| struct | AppLayerProtoDetectThreadCtx_ |
| The app layer protocol detection thread context. More... | |
| struct | AppLayerProtoDetectPPTestDataElement_ |
| struct | AppLayerProtoDetectPPTestDataPort_ |
| struct | AppLayerProtoDetectPPTestDataIPProto_ |
Typedefs | |
| typedef struct AppLayerProtoDetectProbingParserElement_ | AppLayerProtoDetectProbingParserElement |
| typedef struct AppLayerProtoDetectProbingParserPort_ | AppLayerProtoDetectProbingParserPort |
| typedef struct AppLayerProtoDetectProbingParser_ | AppLayerProtoDetectProbingParser |
| typedef struct AppLayerProtoDetectPMSignature_ | AppLayerProtoDetectPMSignature |
| typedef struct AppLayerProtoDetectPMCtx_ | AppLayerProtoDetectPMCtx |
| typedef struct AppLayerProtoDetectCtxIpproto_ | AppLayerProtoDetectCtxIpproto |
| typedef struct AppLayerProtoDetectCtx_ | AppLayerProtoDetectCtx |
| The app layer protocol detection context. More... | |
| typedef struct AppLayerProtoDetectAliases_ | AppLayerProtoDetectAliases |
| typedef struct AppLayerProtoDetectPPTestDataElement_ | AppLayerProtoDetectPPTestDataElement |
| typedef struct AppLayerProtoDetectPPTestDataPort_ | AppLayerProtoDetectPPTestDataPort |
| typedef struct AppLayerProtoDetectPPTestDataIPProto_ | AppLayerProtoDetectPPTestDataIPProto |
Functions | |
| AppProto | AppLayerProtoDetectGetProto (AppLayerProtoDetectThreadCtx *tctx, Flow *f, const uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t flags, bool *reverse_flow) |
| Returns the app layer protocol given a buffer. More... | |
| int | AppLayerProtoDetectPrepareState (void) |
| Prepares the internal state for protocol detection. This needs to be called once all the patterns and probing parser ports have been registered. More... | |
| void | AppLayerProtoDetectPPRegister (uint8_t ipproto, const char *portstr, AppProto alproto, uint16_t min_depth, uint16_t max_depth, uint8_t direction, ProbingParserFPtr ProbingParser1, ProbingParserFPtr ProbingParser2) |
| register parser at a port More... | |
| int | AppLayerProtoDetectPPParseConfPorts (const char *ipproto_name, uint8_t ipproto, const char *alproto_name, AppProto alproto, uint16_t min_depth, uint16_t max_depth, ProbingParserFPtr ProbingParserTs, ProbingParserFPtr ProbingParserTc) |
| int | AppLayerProtoDetectPMRegisterPatternCS (uint8_t ipproto, AppProto alproto, const char *pattern, uint16_t depth, uint16_t offset, uint8_t direction) |
| Registers a case-sensitive pattern for protocol detection. More... | |
| int | AppLayerProtoDetectPMRegisterPatternCSwPP (uint8_t ipproto, AppProto alproto, const char *pattern, uint16_t depth, uint16_t offset, uint8_t direction, ProbingParserFPtr PPFunc, uint16_t pp_min_depth, uint16_t pp_max_depth) |
| int | AppLayerProtoDetectPMRegisterPatternCI (uint8_t ipproto, AppProto alproto, const char *pattern, uint16_t depth, uint16_t offset, uint8_t direction) |
| Registers a case-insensitive pattern for protocol detection. More... | |
| int | AppLayerProtoDetectSetup (void) |
| The first function to be called. This initializes a global protocol detection context. More... | |
| int | AppLayerProtoDetectDeSetup (void) |
| Cleans up the app layer protocol detection phase. More... | |
| void | AppLayerProtoDetectRegisterProtocol (AppProto alproto, const char *alproto_name) |
| Registers a protocol for protocol detection phase. More... | |
| void | AppLayerProtoDetectRegisterAlias (const char *proto_name, const char *proto_alias) |
| bool | AppLayerRequestProtocolChange (Flow *f, uint16_t dp, AppProto expect_proto) |
| request applayer to wrap up this protocol and rerun protocol detection. More... | |
| bool | AppLayerRequestProtocolTLSUpgrade (Flow *f) |
| request applayer to wrap up this protocol and rerun protocol detection with expectation of TLS. Used by STARTTLS. More... | |
| void | AppLayerForceProtocolChange (Flow *f, AppProto new_proto) |
| Forces a flow app-layer protocol change. Happens for instance when a HTTP2 flow is seen as DOH2. More... | |
| void | AppLayerProtoDetectReset (Flow *f) |
| Reset proto detect for flow. More... | |
| int | AppLayerProtoDetectConfProtoDetectionEnabledDefault (const char *ipproto, const char *alproto, bool default_enabled) |
| Given a protocol name, checks if proto detection is enabled in the conf file. More... | |
| int | AppLayerProtoDetectConfProtoDetectionEnabled (const char *ipproto, const char *alproto) |
| Given a protocol name, checks if proto detection is enabled in the conf file. More... | |
| AppLayerProtoDetectThreadCtx * | AppLayerProtoDetectGetCtxThread (void) |
| Inits and returns an app layer protocol detection thread context. More... | |
| void | AppLayerProtoDetectDestroyCtxThread (AppLayerProtoDetectThreadCtx *alpd_tctx) |
| Destroys the app layer protocol detection thread context. More... | |
| void | AppLayerProtoDetectSupportedIpprotos (AppProto alproto, uint8_t *ipprotos) |
| AppProto | AppLayerProtoDetectGetProtoByName (const char *alproto_name) |
| const char * | AppLayerProtoDetectGetProtoName (AppProto alproto) |
| void | AppLayerProtoDetectSupportedAppProtocols (AppProto *alprotos) |
| void | AppLayerRegisterExpectationProto (uint8_t proto, AppProto alproto) |
| void | AppLayerProtoDetectUnittestCtxBackup (void) |
| Backs up the internal context used by the app layer proto detection module. More... | |
| void | AppLayerProtoDetectUnittestCtxRestore (void) |
| Restores back the internal context used by the app layer proto detection module, that was previously backed up by calling AppLayerProtoDetectUnittestCtxBackup(). More... | |
| void | AppLayerProtoDetectUnittestsRegister (void) |
| Register unittests for app layer proto detection module. More... | |
Detailed Description
Definition in file app-layer-detect-proto.c.
Typedef Documentation
◆ AppLayerProtoDetectAliases
| typedef struct AppLayerProtoDetectAliases_ AppLayerProtoDetectAliases |
◆ AppLayerProtoDetectCtx
| typedef struct AppLayerProtoDetectCtx_ AppLayerProtoDetectCtx |
The app layer protocol detection context.
◆ AppLayerProtoDetectCtxIpproto
| typedef struct AppLayerProtoDetectCtxIpproto_ AppLayerProtoDetectCtxIpproto |
◆ AppLayerProtoDetectPMCtx
| typedef struct AppLayerProtoDetectPMCtx_ AppLayerProtoDetectPMCtx |
◆ AppLayerProtoDetectPMSignature
| typedef struct AppLayerProtoDetectPMSignature_ AppLayerProtoDetectPMSignature |
◆ AppLayerProtoDetectPPTestDataElement
◆ AppLayerProtoDetectPPTestDataIPProto
◆ AppLayerProtoDetectPPTestDataPort
◆ AppLayerProtoDetectProbingParser
◆ AppLayerProtoDetectProbingParserElement
◆ AppLayerProtoDetectProbingParserPort
Function Documentation
◆ AppLayerForceProtocolChange()
Forces a flow app-layer protocol change. Happens for instance when a HTTP2 flow is seen as DOH2.
- Parameters
-
f flow to act on new_proto new app-layer protocol
Definition at line 1865 of file app-layer-detect-proto.c.
References Flow_::alproto, Flow_::alproto_orig, Flow_::alproto_tc, and Flow_::alproto_ts.
◆ AppLayerProtoDetectConfProtoDetectionEnabled()
| int AppLayerProtoDetectConfProtoDetectionEnabled | ( | const char * | ipproto, |
| const char * | alproto | ||
| ) |
Given a protocol name, checks if proto detection is enabled in the conf file.
- Parameters
-
alproto Name of the app layer protocol.
- Return values
-
1 If enabled. 0 If disabled.
Definition at line 1964 of file app-layer-detect-proto.c.
References AppLayerProtoDetectConfProtoDetectionEnabledDefault().
Referenced by HTPFreeConfig(), RegisterFTPParsers(), RegisterHTPParsers(), RegisterIMAPParsers(), RegisterNFSTCPParsers(), RegisterSMTPParsers(), RegisterSSHParsers(), RegisterSSLParsers(), and RegisterTFTPParsers().
◆ AppLayerProtoDetectConfProtoDetectionEnabledDefault()
| int AppLayerProtoDetectConfProtoDetectionEnabledDefault | ( | const char * | ipproto, |
| const char * | alproto, | ||
| bool | default_enabled | ||
| ) |
Given a protocol name, checks if proto detection is enabled in the conf file.
- Parameters
-
alproto Name of the app layer protocol. default_enabled enable by default if not in the configuration file
- Return values
-
1 If enabled. 0 If disabled.
Definition at line 1894 of file app-layer-detect-proto.c.
References BUG_ON, FatalError, RunmodeIsUnittests(), SCConfGetNode(), SCConfValIsFalse(), SCConfValIsTrue(), SCEnter, SCLogDebug, SCLogError, SCReturnInt, and SCConfNode_::val.
Referenced by AppLayerProtoDetectConfProtoDetectionEnabled(), RegisterDNP3Parsers(), and RegisterHTTP2Parsers().
◆ AppLayerProtoDetectDeSetup()
| int AppLayerProtoDetectDeSetup | ( | void | ) |
Cleans up the app layer protocol detection phase.
- Todo:
- incomplete. Need more work.
Definition at line 1724 of file app-layer-detect-proto.c.
References FLOW_PROTO_DEFAULT, PatIntId, and SCEnter.
Referenced by AppLayerDeSetup().
◆ AppLayerProtoDetectDestroyCtxThread()
| void AppLayerProtoDetectDestroyCtxThread | ( | AppLayerProtoDetectThreadCtx * | tctx | ) |
Destroys the app layer protocol detection thread context.
- Parameters
-
tctx Pointer to the app layer protocol detection thread context.
Definition at line 2022 of file app-layer-detect-proto.c.
References FLOW_PROTO_DEFAULT, and SCEnter.
Referenced by AppLayerDestroyCtxThread().
◆ AppLayerProtoDetectGetCtxThread()
| AppLayerProtoDetectThreadCtx* AppLayerProtoDetectGetCtxThread | ( | void | ) |
Inits and returns an app layer protocol detection thread context.
- Parameters
-
ctx Pointer to the app layer protocol detection context.
- Return values
-
Pointer to the thread context, on success; NULL, on failure.
Definition at line 1969 of file app-layer-detect-proto.c.
References alpd_tctx, FLOW_PROTO_DEFAULT, PatIntId, and SCEnter.
Referenced by AppLayerGetCtxThread(), and LLVMFuzzerTestOneInput().
◆ AppLayerProtoDetectGetProto()
| AppProto AppLayerProtoDetectGetProto | ( | AppLayerProtoDetectThreadCtx * | tctx, |
| Flow * | f, | ||
| const uint8_t * | buf, | ||
| uint32_t | buflen, | ||
| uint8_t | ipproto, | ||
| uint8_t | flags, | ||
| bool * | reverse_flow | ||
| ) |
Returns the app layer protocol given a buffer.
- Parameters
-
tctx Pointer to the app layer protocol detection thread context. f Pointer to the flow. buf The buffer to be inspected. buflen The length of the above buffer. ipproto The ip protocol. flags The direction bitfield - STREAM_TOSERVER/STREAM_TOCLIENT. [out] reverse_flow true if flow is detected to be reversed
- Return values
-
The app layer protocol.
Definition at line 1395 of file app-layer-detect-proto.c.
References ALPROTO_UNKNOWN, flags, FLOW_IS_PM_DONE, g_alproto_max, SCEnter, and SCLogDebug.
Referenced by AppLayerHandleUdp(), and LLVMFuzzerTestOneInput().
◆ AppLayerProtoDetectGetProtoByName()
| AppProto AppLayerProtoDetectGetProtoByName | ( | const char * | alproto_name | ) |
Definition at line 2068 of file app-layer-detect-proto.c.
References SCEnter.
Referenced by AppLayerGetProtoByName().
◆ AppLayerProtoDetectGetProtoName()
| const char* AppLayerProtoDetectGetProtoName | ( | AppProto | alproto | ) |
Definition at line 2093 of file app-layer-detect-proto.c.
References ALPROTO_HTTP.
Referenced by AppLayerGetProtoName().
◆ AppLayerProtoDetectPMRegisterPatternCI()
| int AppLayerProtoDetectPMRegisterPatternCI | ( | uint8_t | ipproto, |
| AppProto | alproto, | ||
| const char * | pattern, | ||
| uint16_t | depth, | ||
| uint16_t | offset, | ||
| uint8_t | direction | ||
| ) |
Registers a case-insensitive pattern for protocol detection.
Definition at line 1668 of file app-layer-detect-proto.c.
References SCEnter.
◆ AppLayerProtoDetectPMRegisterPatternCS()
| int AppLayerProtoDetectPMRegisterPatternCS | ( | uint8_t | ipproto, |
| AppProto | alproto, | ||
| const char * | pattern, | ||
| uint16_t | depth, | ||
| uint16_t | offset, | ||
| uint8_t | direction | ||
| ) |
Registers a case-sensitive pattern for protocol detection.
Definition at line 1641 of file app-layer-detect-proto.c.
References SCEnter.
◆ AppLayerProtoDetectPMRegisterPatternCSwPP()
| int AppLayerProtoDetectPMRegisterPatternCSwPP | ( | uint8_t | ipproto, |
| AppProto | alproto, | ||
| const char * | pattern, | ||
| uint16_t | depth, | ||
| uint16_t | offset, | ||
| uint8_t | direction, | ||
| ProbingParserFPtr | PPFunc, | ||
| uint16_t | pp_min_depth, | ||
| uint16_t | pp_max_depth | ||
| ) |
Definition at line 1654 of file app-layer-detect-proto.c.
References SCEnter.
◆ AppLayerProtoDetectPPParseConfPorts()
| int AppLayerProtoDetectPPParseConfPorts | ( | const char * | ipproto_name, |
| uint8_t | ipproto, | ||
| const char * | alproto_name, | ||
| AppProto | alproto, | ||
| uint16_t | min_depth, | ||
| uint16_t | max_depth, | ||
| ProbingParserFPtr | ProbingParserTs, | ||
| ProbingParserFPtr | ProbingParserTc | ||
| ) |
- Return values
-
bool 0 if no config was found, 1 if config was found
Definition at line 1567 of file app-layer-detect-proto.c.
References AppLayerProtoDetectPPRegister(), FatalError, SCConfGetNode(), SCConfNodeLookupChild(), SCEnter, SCLogDebug, SCReturnInt, and SCConfNode_::val.
◆ AppLayerProtoDetectPPRegister()
| void AppLayerProtoDetectPPRegister | ( | uint8_t | ipproto, |
| const char * | portstr, | ||
| AppProto | alproto, | ||
| uint16_t | min_depth, | ||
| uint16_t | max_depth, | ||
| uint8_t | direction, | ||
| ProbingParserFPtr | ProbingParser1, | ||
| ProbingParserFPtr | ProbingParser2 | ||
| ) |
register parser at a port
- Parameters
-
direction STREAM_TOSERVER or STREAM_TOCLIENT for dp or sp
Definition at line 1527 of file app-layer-detect-proto.c.
Referenced by AppLayerProtoDetectPPParseConfPorts(), RegisterDNP3Parsers(), and RegisterTFTPParsers().
◆ AppLayerProtoDetectPrepareState()
| int AppLayerProtoDetectPrepareState | ( | void | ) |
Prepares the internal state for protocol detection. This needs to be called once all the patterns and probing parser ports have been registered.
Definition at line 1483 of file app-layer-detect-proto.c.
References FLOW_PROTO_DEFAULT, and SCEnter.
◆ AppLayerProtoDetectRegisterAlias()
| void AppLayerProtoDetectRegisterAlias | ( | const char * | proto_name, |
| const char * | proto_alias | ||
| ) |
Definition at line 1783 of file app-layer-detect-proto.c.
References AppLayerProtoDetectAliases_::next, AppLayerProtoDetectAliases_::proto_alias, AppLayerProtoDetectAliases_::proto_name, SCEnter, SCMalloc, and unlikely.
Referenced by AppLayerRegisterParserAlias().
◆ AppLayerProtoDetectRegisterProtocol()
| void AppLayerProtoDetectRegisterProtocol | ( | AppProto | alproto, |
| const char * | alproto_name | ||
| ) |
Registers a protocol for protocol detection phase.
This is the first function to be called after calling the setup function, AppLayerProtoDetectSetup(), before calling any other app layer functions, AppLayerParser or AppLayerProtoDetect, alike. With this function you are associating/registering a string that can be used by users to write rules, i.e. you register the http protocol for protocol detection using AppLayerProtoDetectRegisterProtocol(ctx, ALPROTO_HTTP1, "http"), following which you can write rules like - alert http any any -> any any (sid:1;) which basically matches on the HTTP protocol.
- Parameters
-
alproto The protocol. alproto_str The string to associate with the above "alproto". Please send a static string that won't be destroyed post making this call, since this function won't create a copy of the received argument.
- Return values
-
0 On success; -1 On failure.
Definition at line 1763 of file app-layer-detect-proto.c.
References SCEnter.
Referenced by RegisterDNP3Parsers(), RegisterFTPParsers(), RegisterHTPParsers(), RegisterHTTP2Parsers(), RegisterIMAPParsers(), RegisterSMTPParsers(), RegisterSSHParsers(), RegisterSSLParsers(), and RegisterTFTPParsers().
◆ AppLayerProtoDetectReset()
| void AppLayerProtoDetectReset | ( | Flow * | f | ) |
Reset proto detect for flow.
Definition at line 1875 of file app-layer-detect-proto.c.
References Flow_::alparser, Flow_::alproto, Flow_::alproto_tc, Flow_::alproto_ts, ALPROTO_UNKNOWN, FLOW_RESET_PE_DONE, FLOW_RESET_PM_DONE, FLOW_RESET_PP_DONE, Flow_::probing_parser_toclient_alproto_masks, and Flow_::probing_parser_toserver_alproto_masks.
◆ AppLayerProtoDetectSetup()
| int AppLayerProtoDetectSetup | ( | void | ) |
The first function to be called. This initializes a global protocol detection context.
- Return values
-
0 On success; -1 On failure.
Definition at line 1683 of file app-layer-detect-proto.c.
References SCEnter.
◆ AppLayerProtoDetectSupportedAppProtocols()
| void AppLayerProtoDetectSupportedAppProtocols | ( | AppProto * | alprotos | ) |
Definition at line 2110 of file app-layer-detect-proto.c.
References g_alproto_max, and SCEnter.
Referenced by AppLayerListSupportedProtocols(), AppLayerRegisterThreadCounters(), and ListAppLayerHooks().
◆ AppLayerProtoDetectSupportedIpprotos()
| void AppLayerProtoDetectSupportedIpprotos | ( | AppProto | alproto, |
| uint8_t * | ipprotos | ||
| ) |
Definition at line 2048 of file app-layer-detect-proto.c.
References ALPROTO_DOH2, ALPROTO_HTTP, ALPROTO_HTTP1, ALPROTO_HTTP2, AppLayerProtoDetectSupportedIpprotos(), and SCEnter.
Referenced by AppLayerProtoDetectSupportedIpprotos().
◆ AppLayerProtoDetectUnittestCtxBackup()
| void AppLayerProtoDetectUnittestCtxBackup | ( | void | ) |
Backs up the internal context used by the app layer proto detection module.
Definition at line 2159 of file app-layer-detect-proto.c.
References SCEnter.
◆ AppLayerProtoDetectUnittestCtxRestore()
| void AppLayerProtoDetectUnittestCtxRestore | ( | void | ) |
Restores back the internal context used by the app layer proto detection module, that was previously backed up by calling AppLayerProtoDetectUnittestCtxBackup().
Definition at line 2167 of file app-layer-detect-proto.c.
References SCEnter.
◆ AppLayerProtoDetectUnittestsRegister()
| void AppLayerProtoDetectUnittestsRegister | ( | void | ) |
Register unittests for app layer proto detection module.
Definition at line 3609 of file app-layer-detect-proto.c.
References SCEnter, and UtRegisterTest().
◆ AppLayerRegisterExpectationProto()
| void AppLayerRegisterExpectationProto | ( | uint8_t | proto, |
| AppProto | alproto | ||
| ) |
Definition at line 2140 of file app-layer-detect-proto.c.
◆ AppLayerRequestProtocolChange()
request applayer to wrap up this protocol and rerun protocol detection.
When this is called, the old session is reset unconditionally. A 'detect/log' flush packet is generated for both direction before the reset, so allow for final detection and logging.
- Parameters
-
f flow to act on dp destination port to use in protocol detection. Set to 443 for start tls, set to the HTTP uri port for CONNECT and set to 0 to not use it. expect_proto expected protocol. AppLayer event will be set if detected protocol differs from this.
Definition at line 1823 of file app-layer-detect-proto.c.
References Flow_::alproto, Flow_::alproto_expect, Flow_::alproto_orig, Flow_::alproto_tc, Flow_::alproto_ts, ALPROTO_UNKNOWN, DEBUG_VALIDATE_BUG_ON, FlowChangeProto(), FlowSetChangeProtoFlag(), and Flow_::protodetect_dp.
Referenced by AppLayerRequestProtocolTLSUpgrade().
◆ AppLayerRequestProtocolTLSUpgrade()
| bool AppLayerRequestProtocolTLSUpgrade | ( | Flow * | f | ) |
request applayer to wrap up this protocol and rerun protocol detection with expectation of TLS. Used by STARTTLS.
Sets detection port to 443 to make port based TLS detection work for SMTP, FTP etc as well.
- Parameters
-
f flow to act on
Definition at line 1854 of file app-layer-detect-proto.c.
References ALPROTO_TLS, and AppLayerRequestProtocolChange().
