185 static void AppLayerProtoDetectPEGetIpprotos(
AppProto alproto,
196 uint32_t buflen, uint16_t searchlen,
bool *rflow)
201 SCLogDebug(
"s->co->offset (%"PRIu16
") > searchlen (%"PRIu16
")",
205 if (s->
cd->
depth > searchlen) {
206 SCLogDebug(
"s->co->depth (%"PRIu16
") > searchlen (%"PRIu16
")",
211 const uint8_t *sbuf = buf + s->
cd->
offset;
213 SCLogDebug(
"s->co->offset (%"PRIu16
") s->cd->depth (%"PRIu16
")",
222 uint8_t direction = (
flags & (STREAM_TOSERVER | STREAM_TOCLIENT));
223 SCLogDebug(
"matching, s->direction %s, our dir %s",
224 (s->
direction & STREAM_TOSERVER) ?
"toserver" :
"toclient",
225 (
flags & STREAM_TOSERVER) ?
"toserver" :
"toclient");
230 SCLogDebug(
"direction is wrong, rflow = true");
236 SCLogDebug(
"PP can't be run yet as pp_min_depth %u > buflen %u",
244 SCLogDebug(
"found %s/%u, rdir %02x reverse_flow? %s",
246 (rdir && direction != rdir) ?
"true" :
"false");
247 *rflow = (rdir && direction != rdir);
254 SCLogDebug(
"depth reached and answer inconclusive: fail");
269 uint32_t buflen, uint8_t
flags,
AppProto *pm_results,
bool *rflow)
275 SCLogDebug(
"searchlen %u buflen %u", searchlen, buflen);
281 if (search_cnt == 0) {
289 memset(pm_results_bf, 0,
sizeof(pm_results_bf));
298 s, tctx, f,
flags, buf, buflen, searchlen, rflow);
301 if (AppProtoIsValid(
proto) &&
302 !(pm_results_bf[
proto / 8] & (1 << (
proto % 8))) )
304 pm_results[pm_matches++] =
proto;
310 if (pm_matches == 0 && buflen >= pm_ctx->
pp_max_len) {
322 const uint8_t *buf, uint32_t buflen, uint8_t
flags,
AppProto *pm_results,
bool *rflow)
337 if (
flags & STREAM_TOSERVER) {
345 m = PMGetProtoInspect(tctx, pm_ctx, mpm_tctx, f, buf, buflen,
flags, pm_results, rflow);
366 if (
flags & STREAM_TOSERVER) {
373 SCLogDebug(
"no matches and in midstream mode, lets try the "
374 "*patterns for the other side");
378 om = PMGetProtoInspect(
379 tctx, pm_ctx, mpm_tctx, f, buf, buflen,
flags, pm_results, rflow);
387 }
else if (om < 0 &&
m &&
m < 0) {
392 }
else if (om == 0 ||
m == 0) {
414 while (pp_port != NULL) {
415 if (pp_port->
dp != NULL && pp_port->
dp->
alproto == alproto) {
416 pp_elem = pp_port->
dp;
419 if (pp_port->
sp != NULL && pp_port->
sp->
alproto == alproto) {
420 pp_elem = pp_port->
sp;
423 pp_port = pp_port->
next;
426 SCReturnPtr(pp_elem,
"AppLayerProtoDetectProbingParserElement *");
446 while (pp_port != NULL) {
451 pp_port = pp_port->
next;
455 SCReturnPtr(pp_port,
"AppLayerProtoDetectProbingParserPort *");
463 static AppProto AppLayerProtoDetectPEGetProto(
Flow *f, uint8_t ipproto, uint8_t
flags)
476 uint8_t
flags,
const uint8_t *buf, uint32_t buflen, uint32_t *alproto_masks, uint8_t *rdir)
479 if ((buflen < pe->min_depth) ||
491 if (AppProtoIsValid(alproto)) {
511 static AppProto AppLayerProtoDetectPPGetProto(
Flow *f,
const uint8_t *buf, uint32_t buflen,
512 uint8_t ipproto,
const uint8_t
flags,
bool *reverse_flow)
520 uint32_t *alproto_masks = NULL;
522 uint8_t idir = (
flags & (STREAM_TOSERVER | STREAM_TOCLIENT));
526 bool probe_is_found =
false;
533 (dir == STREAM_TOSERVER) ?
"toserver" :
"toclient");
535 if (dir == STREAM_TOSERVER) {
537 pp_port_dp = AppLayerProtoDetectGetProbingParsers(alpd_ctx.
ctx_pp, ipproto, dp);
539 if (pp_port_dp != NULL) {
540 SCLogDebug(
"toserver - Probing parser found for destination port %"PRIu16, dp);
543 pe1 = pp_port_dp->
dp;
545 SCLogDebug(
"toserver - No probing parser registered for dest port %"PRIu16, dp);
548 pp_port_sp = AppLayerProtoDetectGetProbingParsers(alpd_ctx.
ctx_pp, ipproto, sp);
549 if (pp_port_sp != NULL) {
550 SCLogDebug(
"toserver - Probing parser found for source port %"PRIu16, sp);
553 pe2 = pp_port_sp->
sp;
555 SCLogDebug(
"toserver - No probing parser registered for source port %"PRIu16, sp);
559 pp_port_dp = AppLayerProtoDetectGetProbingParsers(alpd_ctx.
ctx_pp, ipproto, dp);
565 if (pp_port_dp != NULL) {
566 SCLogDebug(
"toclient - Probing parser found for destination port %"PRIu16, dp);
569 pe1 = pp_port_dp->
dp;
571 SCLogDebug(
"toclient - No probing parser registered for dest port %"PRIu16, dp);
574 pp_port_sp = AppLayerProtoDetectGetProbingParsers(alpd_ctx.
ctx_pp, ipproto, sp);
575 if (pp_port_sp != NULL) {
576 SCLogDebug(
"toclient - Probing parser found for source port %"PRIu16, sp);
578 pe2 = pp_port_sp->
sp;
580 SCLogDebug(
"toclient - No probing parser registered for source port %"PRIu16, sp);
588 pe0 = AppLayerProtoDetectGetProbingParser(alpd_ctx.
ctx_pp, ipproto, f->
alproto_tc);
590 pe0 = AppLayerProtoDetectGetProbingParser(alpd_ctx.
ctx_pp, ipproto, f->
alproto_ts);
593 if (pe1 == NULL && pe2 == NULL && pe0 == NULL) {
594 SCLogDebug(
"%s - No probing parsers found for either port",
595 (dir == STREAM_TOSERVER) ?
"toserver":
"toclient");
598 probe_is_found =
true;
603 alproto = PPGetProto(pe0, f,
flags, buf, buflen, alproto_masks, &rdir);
604 if (AppProtoIsValid(alproto))
606 alproto = PPGetProto(pe1, f,
flags, buf, buflen, alproto_masks, &rdir);
607 if (AppProtoIsValid(alproto))
609 alproto = PPGetProto(pe2, f,
flags, buf, buflen, alproto_masks, &rdir);
610 if (AppProtoIsValid(alproto))
615 if (pp_port_dp && pp_port_sp)
622 if (alproto_masks[0] == mask) {
624 SCLogDebug(
"%s, mask is now %08x, needed %08x, so done",
625 (dir == STREAM_TOSERVER) ?
"toserver":
"toclient",
626 alproto_masks[0], mask);
629 (dir == STREAM_TOSERVER) ?
"toserver":
"toclient",
630 alproto_masks[0], mask);
636 if (idir == STREAM_TOSERVER) {
637 dir = STREAM_TOCLIENT;
639 dir = STREAM_TOSERVER;
641 SCLogDebug(
"no match + midstream, retry the other direction %s",
642 (dir == STREAM_TOSERVER) ?
"toserver" :
"toclient");
643 goto again_midstream;
644 }
else if (!probe_is_found) {
649 if (AppProtoIsValid(alproto) && rdir != 0 && rdir != idir) {
650 SCLogDebug(
"PP found %u, is reverse flow", alproto);
651 *reverse_flow =
true;
655 (idir == STREAM_TOSERVER) ?
"toserver":
"toclient", alproto_masks[0]);
661 static void AppLayerProtoDetectPPGetIpprotos(
AppProto alproto,
670 for (pp = alpd_ctx.
ctx_pp; pp != NULL; pp = pp->
next) {
671 for (pp_port = pp->
port; pp_port != NULL; pp_port = pp_port->
next) {
672 for (pp_pe = pp_port->
dp; pp_pe != NULL; pp_pe = pp_pe->
next) {
676 for (pp_pe = pp_port->
sp; pp_pe != NULL; pp_pe = pp_pe->
next) {
686 static uint32_t AppLayerProtoDetectProbingParserGetMask(
AppProto alproto)
691 FatalError(
"Unknown protocol detected - %u", alproto);
707 SCReturnPtr(p,
"AppLayerProtoDetectProbingParserElement");
728 SCReturnPtr(p,
"AppLayerProtoDetectProbingParserPort");
740 AppLayerProtoDetectProbingParserElementFree(e);
747 AppLayerProtoDetectProbingParserElementFree(e);
765 SCReturnPtr(p,
"AppLayerProtoDetectProbingParser");
775 AppLayerProtoDetectProbingParserPortFree(pt);
785 AppProto alproto, uint16_t min_depth, uint16_t max_depth)
790 pe->
alproto_mask = AppLayerProtoDetectProbingParserGetMask(alproto);
795 if (max_depth != 0 && min_depth >= max_depth) {
797 "register the probing parser. min_depth >= max_depth");
800 if (alproto <= ALPROTO_UNKNOWN || alproto >=
ALPROTO_MAX) {
801 SCLogError(
"Invalid arguments sent to register "
802 "the probing parser. Invalid alproto - %d",
807 SCReturnPtr(pe,
"AppLayerProtoDetectProbingParserElement");
809 AppLayerProtoDetectProbingParserElementFree(pe);
810 SCReturnPtr(NULL,
"AppLayerProtoDetectProbingParserElement");
828 SCReturnPtr(new_pe,
"AppLayerProtoDetectProbingParserElement");
839 printf(
"\nProtocol Detection Configuration\n");
841 for ( ; pp != NULL; pp = pp->
next) {
843 if (pp->
ipproto == IPPROTO_TCP)
844 printf(
"IPProto: TCP\n");
845 else if (pp->
ipproto == IPPROTO_UDP)
846 printf(
"IPProto: UDP\n");
848 printf(
"IPProto: %"PRIu8
"\n", pp->
ipproto);
851 for ( ; pp_port != NULL; pp_port = pp_port->
next) {
852 if (pp_port->
dp != NULL) {
853 printf(
" Port: %"PRIu16
"\n", pp_port->
port);
855 printf(
" Destination port: (max-depth: %"PRIu16
", "
856 "mask - %"PRIu32
")\n",
860 for ( ; pp_pe != NULL; pp_pe = pp_pe->
next) {
864 printf(
" min_depth: %"PRIu32
"\n", pp_pe->
min_depth);
865 printf(
" max_depth: %"PRIu32
"\n", pp_pe->
max_depth);
871 if (pp_port->
sp == NULL) {
875 printf(
" Source port: (max-depth: %"PRIu16
", "
876 "mask - %"PRIu32
")\n",
880 for ( ; pp_pe != NULL; pp_pe = pp_pe->
next) {
884 printf(
" min_depth: %"PRIu32
"\n", pp_pe->
min_depth);
885 printf(
" max_depth: %"PRIu32
"\n", pp_pe->
max_depth);
901 if (*head_pe == NULL) {
907 while (temp_pe->
next != NULL)
908 temp_pe = temp_pe->
next;
909 temp_pe->
next = new_pe;
919 if (*head_pp == NULL) {
925 while (temp_pp->
next != NULL)
926 temp_pp = temp_pp->
next;
927 temp_pp->
next = new_pp;
938 if (*head_port == NULL) {
939 *head_port = new_port;
944 if ((*head_port)->port == 0 && (*head_port)->use_ports) {
945 new_port->
next = *head_port;
946 *head_port = new_port;
949 while (temp_port->
next != NULL &&
951 temp_port = temp_port->
next;
954 temp_port->
next = new_port;
962 uint8_t ipproto,
bool use_ports, uint16_t port,
AppProto alproto, uint16_t min_depth,
970 while (curr_pp != NULL) {
971 if (curr_pp->
ipproto == ipproto)
973 curr_pp = curr_pp->
next;
975 if (curr_pp == NULL) {
978 AppLayerProtoDetectProbingParserAppend(pp, new_pp);
984 while (curr_port != NULL) {
986 if (curr_port->
port == port && use_ports)
988 curr_port = curr_port->
next;
990 if (curr_port == NULL) {
992 new_port->
port = port;
994 AppLayerProtoDetectProbingParserPortAppend(&curr_pp->
port, new_port);
995 curr_port = new_port;
996 if (direction & STREAM_TOSERVER) {
1004 zero_port = curr_pp->
port;
1006 while (zero_port != NULL && !(zero_port->
port == 0 && zero_port->
use_ports)) {
1007 zero_port = zero_port->
next;
1009 if (zero_port != NULL) {
1012 zero_pe = zero_port->
dp;
1013 for ( ; zero_pe != NULL; zero_pe = zero_pe->
next) {
1014 if (curr_port->
dp == NULL)
1024 AppLayerProtoDetectProbingParserElementDuplicate(zero_pe);
1025 AppLayerProtoDetectProbingParserElementAppend(&curr_port->
dp, dup_pe);
1029 zero_pe = zero_port->
sp;
1030 for ( ; zero_pe != NULL; zero_pe = zero_pe->
next) {
1031 if (curr_port->
sp == NULL)
1041 AppLayerProtoDetectProbingParserElementDuplicate(zero_pe);
1042 AppLayerProtoDetectProbingParserElementAppend(&curr_port->
sp, dup_pe);
1050 if (direction & STREAM_TOSERVER)
1051 curr_pe = curr_port->
dp;
1053 curr_pe = curr_port->
sp;
1054 while (curr_pe != NULL) {
1055 if (curr_pe->
alproto == alproto) {
1057 "ipproto - %" PRIu8
" Port - %" PRIu16
" "
1058 "App Protocol - NULL, App Protocol(ID) - "
1059 "%" PRIu16
" min_depth - %" PRIu16
" "
1060 "max_dept - %" PRIu16
".",
1061 ipproto, port, alproto, min_depth, max_depth);
1064 curr_pe = curr_pe->
next;
1068 AppLayerProtoDetectProbingParserElementCreate(alproto, min_depth, max_depth);
1073 if (direction & STREAM_TOSERVER) {
1076 if (curr_port->
dp == NULL)
1085 head_pe = &curr_port->
dp;
1089 if (curr_port->
sp == NULL)
1098 head_pe = &curr_port->
sp;
1100 AppLayerProtoDetectProbingParserElementAppend(head_pe, new_pe);
1105 while (temp_port != NULL && !(temp_port->
port == 0 && temp_port->
use_ports)) {
1106 if (direction & STREAM_TOSERVER) {
1107 if (temp_port->
dp == NULL)
1115 AppLayerProtoDetectProbingParserElementAppend(&temp_port->
dp,
1116 AppLayerProtoDetectProbingParserElementDuplicate(curr_pe));
1119 if (temp_port->
sp == NULL)
1127 AppLayerProtoDetectProbingParserElementAppend(&temp_port->
sp,
1128 AppLayerProtoDetectProbingParserElementDuplicate(curr_pe));
1131 temp_port = temp_port->
next;
1141 static void AppLayerProtoDetectPMGetIpprotos(
AppProto alproto,
1148 for (
int j = 0; j < 2; j++) {
1154 ipprotos[ipproto / 8] |= 1 << (ipproto % 8);
1166 typedef struct TempContainer_ {
1168 uint16_t content_len;
1173 uint32_t struct_total_size = 0;
1174 uint32_t content_total_size = 0;
1176 uint8_t *ahb = NULL;
1177 uint8_t *content = NULL;
1178 uint16_t content_len = 0;
1180 TempContainer *struct_offset = NULL;
1181 uint8_t *content_offset = NULL;
1184 if (ctx->
head == NULL)
1187 for (s = ctx->
head; s != NULL; s = s->
next) {
1188 struct_total_size +=
sizeof(TempContainer);
1193 ahb =
SCMalloc(
sizeof(uint8_t) * (struct_total_size + content_total_size));
1197 struct_offset = (TempContainer *)ahb;
1198 content_offset = ahb + struct_total_size;
1199 for (s = ctx->
head; s != NULL; s = s->
next) {
1200 TempContainer *tcdup = (TempContainer *)ahb;
1204 for (; tcdup != struct_offset; tcdup++) {
1205 if (tcdup->content_len != content_len ||
1206 SCMemcmp(tcdup->content, content, tcdup->content_len) != 0)
1213 if (tcdup != struct_offset) {
1214 s->
cd->
id = tcdup->id;
1218 struct_offset->content_len = content_len;
1219 struct_offset->content = content_offset;
1220 content_offset += content_len;
1221 memcpy(struct_offset->content, content, content_len);
1222 struct_offset->id = max_id++;
1223 s->
cd->
id = struct_offset->id;
1249 if (ctx->
map == NULL)
1253 for (s = ctx->
head; s != NULL; ) {
1273 ctx->
map[s->
id] = s;
1315 AppProto alproto, uint8_t direction,
1317 uint16_t pp_min_depth, uint16_t pp_max_depth)
1339 static int AppLayerProtoDetectPMRegisterPattern(uint8_t ipproto,
AppProto alproto,
1340 const char *pattern,
1341 uint16_t depth, uint16_t
offset,
1345 uint16_t pp_min_depth, uint16_t pp_max_depth)
1369 if (depth < cd->content_len)
1372 if (direction & STREAM_TOSERVER)
1379 if (depth < ctx_pm->min_len)
1383 AppLayerProtoDetectPMAddSignature(ctx_pm, cd, alproto, direction,
1384 PPFunc, pp_min_depth, pp_max_depth);
1397 const uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t
flags,
bool *reverse_flow)
1400 SCLogDebug(
"buflen %u for %s direction", buflen,
1401 (
flags & STREAM_TOSERVER) ?
"toserver" :
"toclient");
1408 uint16_t pm_matches = AppLayerProtoDetectPMGetProto(
1409 tctx, f, buf, buflen,
flags, pm_results, reverse_flow);
1410 if (pm_matches > 0) {
1412 alproto = pm_results[0];
1415 uint8_t reverse_dir = (
flags & STREAM_TOSERVER) ? STREAM_TOCLIENT : STREAM_TOSERVER;
1428 pm_alproto = alproto;
1436 alproto = AppLayerProtoDetectPPGetProto(f, buf, buflen, ipproto,
flags, &rflow);
1437 if (AppProtoIsValid(alproto)) {
1439 *reverse_flow =
true;
1447 alproto = AppLayerProtoDetectPEGetProto(f, ipproto,
flags);
1451 if (!AppProtoIsValid(alproto))
1452 alproto = pm_alproto;
1466 while (pp != NULL) {
1468 AppLayerProtoDetectProbingParserFree(pp);
1476 static void AppLayerProtoDetectFreeAliases(
void)
1481 if (cur_alias == NULL)
1485 while (cur_alias != NULL) {
1486 next_alias = cur_alias->
next;
1488 cur_alias = next_alias;
1508 for (j = 0; j < 2; j++) {
1511 if (AppLayerProtoDetectPMSetContentIDs(ctx_pm) < 0)
1517 if (AppLayerProtoDetectPMMapSignatures(ctx_pm) < 0)
1519 if (AppLayerProtoDetectPMPrepareMpm(ctx_pm) < 0)
1526 AppLayerProtoDetectPrintProbingParsers(alpd_ctx.
ctx_pp);
1544 const char *portstr,
1546 uint16_t min_depth, uint16_t max_depth,
1554 if (portstr == NULL) {
1557 AppLayerProtoDetectInsertNewProbingParser(&alpd_ctx.
ctx_pp, ipproto,
false, 0, alproto,
1558 min_depth, max_depth, direction, ProbingParser1, ProbingParser2);
1563 while (temp_dp != NULL) {
1564 uint16_t port = temp_dp->
port;
1565 if (port == 0 && temp_dp->
port2 != 0)
1568 AppLayerProtoDetectInsertNewProbingParser(&alpd_ctx.
ctx_pp, ipproto,
true, port,
1569 alproto, min_depth, max_depth, direction, ProbingParser1, ProbingParser2);
1570 if (port == temp_dp->
port2) {
1576 temp_dp = temp_dp->
next;
1585 const char *alproto_name,
1587 uint16_t min_depth, uint16_t max_depth,
1599 r = snprintf(param,
sizeof(param),
"%s%s%s",
"app-layer.protocols.",
1600 alproto_name,
".detection-ports");
1603 }
else if (r > (
int)
sizeof(param)) {
1604 FatalError(
"buffer not big enough to write param.");
1608 SCLogDebug(
"Entry for %s not found.", param);
1609 r = snprintf(param,
sizeof(param),
"%s%s%s%s%s",
"app-layer.protocols.",
1610 alproto_name,
".", ipproto_name,
".detection-ports");
1613 }
else if (r > (
int)
sizeof(param)) {
1614 FatalError(
"buffer not big enough to write param.");
1623 if (port_node == NULL)
1626 if (port_node != NULL && port_node->
val != NULL) {
1630 min_depth, max_depth,
1632 ProbingParserTs, ProbingParserTc);
1637 if (port_node == NULL)
1640 if (port_node != NULL && port_node->
val != NULL) {
1644 min_depth, max_depth,
1646 ProbingParserTc, ProbingParserTs);
1658 const char *pattern,
1659 uint16_t depth, uint16_t
offset,
1663 int r = AppLayerProtoDetectPMRegisterPattern(ipproto, alproto,
1671 const char *pattern, uint16_t depth, uint16_t
offset,
1674 uint16_t pp_min_depth, uint16_t pp_max_depth)
1677 int r = AppLayerProtoDetectPMRegisterPattern(ipproto, alproto,
1680 PPFunc, pp_min_depth, pp_max_depth);
1685 const char *pattern,
1686 uint16_t depth, uint16_t
offset,
1690 int r = AppLayerProtoDetectPMRegisterPattern(ipproto, alproto,
1705 memset(&alpd_ctx, 0,
sizeof(alpd_ctx));
1712 FatalError(
"Unable to alloc SpmGlobalThreadCtx.");
1716 for (j = 0; j < 2; j++) {
1733 int ipproto_map = 0;
1740 for (dir = 0; dir < 2; dir++) {
1743 for (
id = 0;
id < pm_ctx->
max_sig_id;
id++) {
1744 sig = pm_ctx->
map[id];
1745 AppLayerProtoDetectPMFreeSignature(sig);
1754 AppLayerProtoDetectFreeAliases();
1756 AppLayerProtoDetectFreeProbingParsers(alpd_ctx.
ctx_pp);
1782 new_alias->
next = NULL;
1784 if (alpda_ctx == NULL) {
1785 alpda_ctx = new_alias;
1788 while (cur_alias->
next != NULL) {
1789 cur_alias = cur_alias->
next;
1791 cur_alias->
next = new_alias;
1867 const char *ipproto,
const char *alproto,
bool default_enabled)
1871 BUG_ON(ipproto == NULL || alproto == NULL);
1881 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
1883 default_enabled =
true;
1886 r = snprintf(param,
sizeof(param),
"%s%s%s",
"app-layer.protocols.",
1887 alproto,
".enabled");
1890 }
else if (r > (
int)
sizeof(param)) {
1891 FatalError(
"buffer not big enough to write param.");
1896 SCLogDebug(
"Entry for %s not found.", param);
1897 r = snprintf(param,
sizeof(param),
"%s%s%s%s%s",
"app-layer.protocols.",
1898 alproto,
".", ipproto,
".enabled");
1901 }
else if (r > (
int)
sizeof(param)) {
1902 FatalError(
"buffer not big enough to write param.");
1907 SCLogDebug(
"Entry for %s not found.", param);
1908 if (default_enabled) {
1921 }
else if (strcasecmp(node->
val,
"detection-only") == 0) {
1927 SCLogError(
"Invalid value found for %s.", param);
1952 for (j = 0; j < 2; j++) {
1953 if (max_pat_id == 0) {
1973 for (j = 0; j < 2; j++) {
2000 int ipproto_map, dir;
2003 for (dir = 0; dir < 2; dir++) {
2029 AppLayerProtoDetectPMGetIpprotos(alproto, ipprotos);
2030 AppLayerProtoDetectPPGetIpprotos(alproto, ipprotos);
2031 AppLayerProtoDetectPEGetIpprotos(alproto, ipprotos);
2042 while (cur_alias != NULL) {
2043 if (strcasecmp(alproto_name, cur_alias->
proto_alias) == 0) {
2047 cur_alias = cur_alias->
next;
2053 if (alpd_ctx.
alproto_names[a] != NULL && AppProtoEquals(b, a)) {
2087 for (alproto = 0; alproto !=
ALPROTO_MAX; alproto++) {
2089 alprotos[alproto] = 1;
2097 static void AppLayerProtoDetectPEGetIpprotos(
AppProto alproto,
2101 ipprotos[IPPROTO_TCP / 8] |= 1 << (IPPROTO_TCP % 8);
2104 ipprotos[IPPROTO_UDP / 8] |= 1 << (IPPROTO_UDP % 8);
2112 SCLogError(
"Expectation on 2 IP protocols are not supported");
2130 alpd_ctx_ut = alpd_ctx;
2131 memset(&alpd_ctx, 0,
sizeof(alpd_ctx));
2138 alpd_ctx = alpd_ctx_ut;
2139 memset(&alpd_ctx_ut, 0,
sizeof(alpd_ctx_ut));
2143 static int AppLayerProtoDetectTest01(
void)
2148 const char *buf =
"HTTP";
2162 static int AppLayerProtoDetectTest02(
void)
2167 const char *buf =
"HTTP";
2187 static int AppLayerProtoDetectTest03(
void)
2192 uint8_t l7data[] =
"HTTP/1.1 200 OK\r\nServer: Apache/1.0\r\n\r\n";
2194 memset(pm_results, 0,
sizeof(pm_results));
2196 memset(&f, 0x00,
sizeof(f));
2200 const char *buf =
"HTTP";
2219 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2220 &f, l7data,
sizeof(l7data),
2222 pm_results, &rflow);
2232 static int AppLayerProtoDetectTest04(
void)
2237 uint8_t l7data[] =
"HTTP/1.1 200 OK\r\nServer: Apache/1.0\r\n\r\n";
2239 memset(&f, 0x00,
sizeof(f));
2241 memset(pm_results, 0,
sizeof(pm_results));
2244 const char *buf =
"200 ";
2260 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2261 &f, l7data,
sizeof(l7data), STREAM_TOCLIENT,
2272 static int AppLayerProtoDetectTest05(
void)
2277 uint8_t l7data[] =
"HTTP/1.1 200 OK\r\nServer: Apache/1.0\r\n\r\n<HTML><BODY>Blahblah</BODY></HTML>";
2279 memset(pm_results, 0,
sizeof(pm_results));
2281 memset(&f, 0x00,
sizeof(f));
2284 const char *buf =
"HTTP";
2303 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2304 &f, l7data,
sizeof(l7data),
2316 static int AppLayerProtoDetectTest06(
void)
2321 uint8_t l7data[] =
"220 Welcome to the OISF FTP server\r\n";
2323 memset(pm_results, 0,
sizeof(pm_results));
2325 memset(&f, 0x00,
sizeof(f));
2328 const char *buf =
"HTTP";
2347 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2348 &f, l7data,
sizeof(l7data), STREAM_TOCLIENT,
2359 static int AppLayerProtoDetectTest07(
void)
2364 uint8_t l7data[] =
"220 Welcome to the OISF HTTP/FTP server\r\n";
2366 memset(&f, 0x00,
sizeof(f));
2369 memset(pm_results, 0,
sizeof(pm_results));
2371 const char *buf =
"HTTP";
2386 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2387 &f, l7data,
sizeof(l7data), STREAM_TOCLIENT,
2397 static int AppLayerProtoDetectTest08(
void)
2402 uint8_t l7data[] = {
2403 0x00, 0x00, 0x00, 0x85, 0xff, 0x53, 0x4d, 0x42,
2404 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x53, 0xc8,
2405 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2406 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xfe,
2407 0x00, 0x00, 0x00, 0x00, 0x00, 0x62, 0x00, 0x02,
2408 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,
2409 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52,
2410 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02,
2411 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e,
2412 0x30, 0x00, 0x02, 0x57, 0x69, 0x6e, 0x64, 0x6f,
2413 0x77, 0x73, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x57,
2414 0x6f, 0x72, 0x6b, 0x67, 0x72, 0x6f, 0x75, 0x70,
2415 0x73, 0x20, 0x33, 0x2e, 0x31, 0x61, 0x00, 0x02,
2416 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30,
2417 0x32, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41,
2418 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4e, 0x54,
2419 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32,
2423 memset(pm_results, 0,
sizeof(pm_results));
2425 memset(&f, 0x00,
sizeof(f));
2428 const char *buf =
"|ff|SMB";
2444 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2445 &f, l7data,
sizeof(l7data), STREAM_TOCLIENT,
2456 static int AppLayerProtoDetectTest09(
void)
2461 uint8_t l7data[] = {
2462 0x00, 0x00, 0x00, 0x66, 0xfe, 0x53, 0x4d, 0x42,
2463 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2464 0x00, 0x00, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00,
2465 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2466 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2467 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2468 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2469 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2470 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x01, 0x00,
2471 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2472 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2473 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2474 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2478 memset(pm_results, 0,
sizeof(pm_results));
2480 memset(&f, 0x00,
sizeof(f));
2483 const char *buf =
"|fe|SMB";
2499 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2500 &f, l7data,
sizeof(l7data), STREAM_TOCLIENT,
2511 static int AppLayerProtoDetectTest10(
void)
2516 uint8_t l7data[] = {
2517 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
2518 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2519 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
2520 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
2521 0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11,
2522 0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57,
2523 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
2524 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
2525 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
2528 memset(pm_results, 0,
sizeof(pm_results));
2530 memset(&f, 0x00,
sizeof(f));
2533 const char *buf =
"|05 00|";
2549 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2550 &f, l7data,
sizeof(l7data), STREAM_TOCLIENT,
2565 static int AppLayerProtoDetectTest11(
void)
2570 uint8_t l7data[] =
"CONNECT www.ssllabs.com:443 HTTP/1.0\r\n";
2571 uint8_t l7data_resp[] =
"HTTP/1.1 405 Method Not Allowed\r\n";
2573 memset(pm_results, 0,
sizeof(pm_results));
2575 memset(&f, 0x00,
sizeof(f));
2587 IPPROTO_TCP,
ALPROTO_HTTP1,
"TRACE", 5, 0, STREAM_TOSERVER);
2589 IPPROTO_TCP,
ALPROTO_HTTP1,
"OPTIONS", 7, 0, STREAM_TOSERVER);
2591 IPPROTO_TCP,
ALPROTO_HTTP1,
"CONNECT", 7, 0, STREAM_TOSERVER);
2616 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2617 &f, l7data,
sizeof(l7data), STREAM_TOSERVER,
2622 memset(pm_results, 0,
sizeof(pm_results));
2624 &f, l7data_resp,
sizeof(l7data_resp), STREAM_TOCLIENT,
2638 static int AppLayerProtoDetectTest12(
void)
2650 printf(
"failure 1\n");
2656 printf(
"failure 2\n");
2662 printf(
"failure 3\n");
2666 printf(
"failure 4\n");
2670 printf(
"failure 5\n");
2674 printf(
"failure 6\n");
2690 static int AppLayerProtoDetectTest13(
void)
2695 uint8_t l7data[] =
"CONNECT www.ssllabs.com:443 HTTP/1.0\r\n";
2696 uint8_t l7data_resp[] =
"HTTP/1.1 405 Method Not Allowed\r\n";
2700 memset(&f, 0x00,
sizeof(f));
2712 IPPROTO_UDP,
ALPROTO_HTTP1,
"TRACE", 5, 0, STREAM_TOSERVER);
2714 IPPROTO_UDP,
ALPROTO_HTTP1,
"OPTIONS", 7, 0, STREAM_TOSERVER);
2716 IPPROTO_UDP,
ALPROTO_HTTP1,
"CONNECT", 7, 0, STREAM_TOSERVER);
2737 memset(pm_results, 0,
sizeof(pm_results));
2739 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2740 &f, l7data,
sizeof(l7data), STREAM_TOSERVER,
2744 memset(pm_results, 0,
sizeof(pm_results));
2746 &f, l7data_resp,
sizeof(l7data_resp), STREAM_TOCLIENT,
2761 static int AppLayerProtoDetectTest14(
void)
2766 uint8_t l7data[] =
"CONNECT www.ssllabs.com:443 HTTP/1.0\r\n";
2767 uint8_t l7data_resp[] =
"HTTP/1.1 405 Method Not Allowed\r\n";
2771 memset(&f, 0x00,
sizeof(f));
2783 IPPROTO_UDP,
ALPROTO_HTTP1,
"TRACE", 5, 0, STREAM_TOSERVER);
2785 IPPROTO_UDP,
ALPROTO_HTTP1,
"OPTIONS", 7, 0, STREAM_TOSERVER);
2787 IPPROTO_UDP,
ALPROTO_HTTP1,
"CONNECT", 7, 0, STREAM_TOSERVER);
2809 memset(pm_results, 0,
sizeof(pm_results));
2812 &f, l7data,
sizeof(l7data), STREAM_TOSERVER,
2817 memset(pm_results, 0,
sizeof(pm_results));
2819 &f, l7data_resp,
sizeof(l7data_resp), STREAM_TOCLIENT,
2864 int i = -1, j = -1 , k = -1;
2868 for (i = 0; i < no_of_ip_proto; i++, pp = pp->
next) {
2869 if (pp->ipproto != ip_proto[i].
ipproto)
2873 for (k = 0; k < ip_proto[i].
no_of_port; k++, pp_port = pp_port->
next) {
2874 if (pp_port->port != ip_proto[i].
port[k].
port)
2890 j++, pp_element = pp_element->
next) {
2905 if (pp_element != NULL)
2908 pp_element = pp_port->sp;
2926 if (pp_element != NULL)
2929 if (pp_port != NULL)
2938 printf(
"i = %d, k = %d, j = %d(%s)\n", i, k, j, (dir == 0) ?
"ts" :
"tc");
2943 static uint16_t ProbingParserDummyForTesting(
Flow *f, uint8_t direction,
2944 const uint8_t *input,
2945 uint32_t input_len, uint8_t *rdir)
2950 static int AppLayerProtoDetectTest15(
void)
2958 ProbingParserDummyForTesting, NULL);
2964 ProbingParserDummyForTesting, NULL);
2970 ProbingParserDummyForTesting, NULL);
2977 ProbingParserDummyForTesting, NULL);
2983 ProbingParserDummyForTesting, NULL);
2989 ProbingParserDummyForTesting, NULL);
2995 ProbingParserDummyForTesting, NULL);
3002 ProbingParserDummyForTesting, NULL);
3008 ProbingParserDummyForTesting, NULL);
3016 ProbingParserDummyForTesting, NULL);
3024 ProbingParserDummyForTesting, NULL);
3030 ProbingParserDummyForTesting, NULL);
3037 ProbingParserDummyForTesting, NULL);
3043 ProbingParserDummyForTesting, NULL);
3049 ProbingParserDummyForTesting, NULL);
3051 ProbingParserDummyForTesting, NULL);
3057 ProbingParserDummyForTesting, NULL);
3063 ProbingParserDummyForTesting, NULL);
3069 ProbingParserDummyForTesting, NULL);
3075 ProbingParserDummyForTesting, NULL);
3081 ProbingParserDummyForTesting, NULL);
3087 ProbingParserDummyForTesting, NULL);
3207 23, element_ts_85, element_tc_85,
3215 23, element_ts_90, element_tc_90,
3223 23, element_ts_0, element_tc_0,
3233 element_ts_85_udp, element_tc_85_udp,
3251 if (AppLayerProtoDetectPPTestData(alpd_ctx.
ctx_pp, ip_proto,
3265 static int AppLayerProtoDetectTest16(
void)
3270 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
3271 "User-Agent: Mozilla/1.0\r\n"
3272 "Cookie: hellocatch\r\n\r\n";
3273 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
3287 printf(
"packet setup failed: ");
3291 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1024, 80);
3293 printf(
"flow setup failed: ");
3297 f->
proto = IPPROTO_TCP;
3315 "(msg:\"Test content option\"; "
3327 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3332 if (http_state == NULL) {
3333 printf(
"no http state: ");
3341 printf(
"sig 1 didn't alert, but it should: ");
3348 if (det_ctx != NULL)
3364 static int AppLayerProtoDetectTest17(
void)
3369 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
3370 "User-Agent: Mozilla/1.0\r\n"
3371 "Cookie: hellocatch\r\n\r\n";
3372 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
3386 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1024, 80);
3390 f->
proto = IPPROTO_TCP;
3406 "(msg:\"http over non standar port\"; "
3418 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3423 if (http_state == NULL) {
3424 printf(
"no http state: ");
3432 printf(
"sig 1 didn't alert, but it should: ");
3441 if (det_ctx != NULL)
3457 static int AppLayerProtoDetectTest18(
void)
3462 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
3463 "User-Agent: Mozilla/1.0\r\n"
3464 "Cookie: hellocatch\r\n\r\n";
3465 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
3479 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1024, 80);
3483 f->
proto = IPPROTO_TCP;
3499 "(msg:\"Test content option\"; "
3511 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3516 if (http_state == NULL) {
3517 printf(
"no http state: ");
3525 printf(
"sig 1 alerted, but it should not (it's not ftp): ");
3533 if (det_ctx != NULL)
3549 static int AppLayerProtoDetectTest19(
void)
3553 uint8_t http_buf1[] =
"MPUT one\r\n";
3554 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
3568 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1024, 80);
3572 f->
proto = IPPROTO_TCP;
3588 "(msg:\"http over non standar port\"; "
3598 STREAM_TOSERVER, http_buf1, http_buf1_len);
3600 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3608 printf(
"sig 1 alerted, but it should not (it's ftp): ");
3617 if (det_ctx != NULL)
3634 UtRegisterTest(
"AppLayerProtoDetectTest01", AppLayerProtoDetectTest01);
3635 UtRegisterTest(
"AppLayerProtoDetectTest02", AppLayerProtoDetectTest02);
3636 UtRegisterTest(
"AppLayerProtoDetectTest03", AppLayerProtoDetectTest03);
3637 UtRegisterTest(
"AppLayerProtoDetectTest04", AppLayerProtoDetectTest04);
3638 UtRegisterTest(
"AppLayerProtoDetectTest05", AppLayerProtoDetectTest05);
3639 UtRegisterTest(
"AppLayerProtoDetectTest06", AppLayerProtoDetectTest06);
3640 UtRegisterTest(
"AppLayerProtoDetectTest07", AppLayerProtoDetectTest07);
3641 UtRegisterTest(
"AppLayerProtoDetectTest08", AppLayerProtoDetectTest08);
3642 UtRegisterTest(
"AppLayerProtoDetectTest09", AppLayerProtoDetectTest09);
3643 UtRegisterTest(
"AppLayerProtoDetectTest10", AppLayerProtoDetectTest10);
3644 UtRegisterTest(
"AppLayerProtoDetectTest11", AppLayerProtoDetectTest11);
3645 UtRegisterTest(
"AppLayerProtoDetectTest12", AppLayerProtoDetectTest12);
3646 UtRegisterTest(
"AppLayerProtoDetectTest13", AppLayerProtoDetectTest13);
3647 UtRegisterTest(
"AppLayerProtoDetectTest14", AppLayerProtoDetectTest14);
3648 UtRegisterTest(
"AppLayerProtoDetectTest15", AppLayerProtoDetectTest15);
3649 UtRegisterTest(
"AppLayerProtoDetectTest16", AppLayerProtoDetectTest16);
3650 UtRegisterTest(
"AppLayerProtoDetectTest17", AppLayerProtoDetectTest17);
3651 UtRegisterTest(
"AppLayerProtoDetectTest18", AppLayerProtoDetectTest18);
3652 UtRegisterTest(
"AppLayerProtoDetectTest19", AppLayerProtoDetectTest19);