184 static void AppLayerProtoDetectPEGetIpprotos(
AppProto alproto,
195 uint32_t buflen, uint16_t searchlen,
bool *rflow)
200 SCLogDebug(
"s->co->offset (%"PRIu16
") > searchlen (%"PRIu16
")",
204 if (s->
cd->
depth > searchlen) {
205 SCLogDebug(
"s->co->depth (%"PRIu16
") > searchlen (%"PRIu16
")",
210 const uint8_t *sbuf = buf + s->
cd->
offset;
212 SCLogDebug(
"s->co->offset (%"PRIu16
") s->cd->depth (%"PRIu16
")",
221 uint8_t direction = (
flags & (STREAM_TOSERVER | STREAM_TOCLIENT));
222 SCLogDebug(
"matching, s->direction %s, our dir %s",
223 (s->
direction & STREAM_TOSERVER) ?
"toserver" :
"toclient",
224 (
flags & STREAM_TOSERVER) ?
"toserver" :
"toclient");
229 SCLogDebug(
"direction is wrong, rflow = true");
235 SCLogDebug(
"PP can't be run yet as pp_min_depth %u > buflen %u",
243 SCLogDebug(
"found %s/%u, rdir %02x reverse_flow? %s",
245 (rdir && direction != rdir) ?
"true" :
"false");
246 *rflow = (rdir && direction != rdir);
253 SCLogDebug(
"depth reached and answer inconclusive: fail");
268 uint32_t buflen, uint8_t
flags,
AppProto *pm_results,
bool *rflow)
274 SCLogDebug(
"searchlen %u buflen %u", searchlen, buflen);
280 if (search_cnt == 0) {
288 memset(pm_results_bf, 0,
sizeof(pm_results_bf));
297 s, tctx, f,
flags, buf, buflen, searchlen, rflow);
300 if (AppProtoIsValid(
proto) &&
301 !(pm_results_bf[
proto / 8] & (1 << (
proto % 8))) )
303 pm_results[pm_matches++] =
proto;
309 if (pm_matches == 0 && buflen >= pm_ctx->
pp_max_len) {
321 const uint8_t *buf, uint32_t buflen, uint8_t
flags,
AppProto *pm_results,
bool *rflow)
336 if (
flags & STREAM_TOSERVER) {
344 m = PMGetProtoInspect(tctx, pm_ctx, mpm_tctx, f, buf, buflen,
flags, pm_results, rflow);
365 if (
flags & STREAM_TOSERVER) {
372 SCLogDebug(
"no matches and in midstream mode, lets try the "
373 "*patterns for the other side");
377 om = PMGetProtoInspect(
378 tctx, pm_ctx, mpm_tctx, f, buf, buflen,
flags, pm_results, rflow);
386 }
else if (om < 0 &&
m &&
m < 0) {
391 }
else if (om == 0 ||
m == 0) {
413 while (pp_port != NULL) {
414 if (pp_port->
dp != NULL && pp_port->
dp->
alproto == alproto) {
415 pp_elem = pp_port->
dp;
418 if (pp_port->
sp != NULL && pp_port->
sp->
alproto == alproto) {
419 pp_elem = pp_port->
sp;
422 pp_port = pp_port->
next;
425 SCReturnPtr(pp_elem,
"AppLayerProtoDetectProbingParserElement *");
445 while (pp_port != NULL) {
446 if (pp_port->
port == port || pp_port->
port == 0) {
449 pp_port = pp_port->
next;
453 SCReturnPtr(pp_port,
"AppLayerProtoDetectProbingParserPort *");
461 static AppProto AppLayerProtoDetectPEGetProto(
Flow *f, uint8_t ipproto, uint8_t
flags)
474 uint8_t
flags,
const uint8_t *buf, uint32_t buflen, uint32_t *alproto_masks, uint8_t *rdir)
477 if ((buflen < pe->min_depth) ||
489 if (AppProtoIsValid(alproto)) {
509 static AppProto AppLayerProtoDetectPPGetProto(
Flow *f,
const uint8_t *buf, uint32_t buflen,
510 uint8_t ipproto,
const uint8_t
flags,
bool *reverse_flow)
518 uint32_t *alproto_masks = NULL;
520 uint8_t idir = (
flags & (STREAM_TOSERVER | STREAM_TOCLIENT));
524 bool probe_is_found =
false;
531 (dir == STREAM_TOSERVER) ?
"toserver" :
"toclient");
533 if (dir == STREAM_TOSERVER) {
535 pp_port_dp = AppLayerProtoDetectGetProbingParsers(alpd_ctx.
ctx_pp, ipproto, dp);
537 if (pp_port_dp != NULL) {
538 SCLogDebug(
"toserver - Probing parser found for destination port %"PRIu16, dp);
541 pe1 = pp_port_dp->
dp;
543 SCLogDebug(
"toserver - No probing parser registered for dest port %"PRIu16, dp);
546 pp_port_sp = AppLayerProtoDetectGetProbingParsers(alpd_ctx.
ctx_pp, ipproto, sp);
547 if (pp_port_sp != NULL) {
548 SCLogDebug(
"toserver - Probing parser found for source port %"PRIu16, sp);
551 pe2 = pp_port_sp->
sp;
553 SCLogDebug(
"toserver - No probing parser registered for source port %"PRIu16, sp);
557 pp_port_dp = AppLayerProtoDetectGetProbingParsers(alpd_ctx.
ctx_pp, ipproto, dp);
563 if (pp_port_dp != NULL) {
564 SCLogDebug(
"toclient - Probing parser found for destination port %"PRIu16, dp);
567 pe1 = pp_port_dp->
dp;
569 SCLogDebug(
"toclient - No probing parser registered for dest port %"PRIu16, dp);
572 pp_port_sp = AppLayerProtoDetectGetProbingParsers(alpd_ctx.
ctx_pp, ipproto, sp);
573 if (pp_port_sp != NULL) {
574 SCLogDebug(
"toclient - Probing parser found for source port %"PRIu16, sp);
576 pe2 = pp_port_sp->
sp;
578 SCLogDebug(
"toclient - No probing parser registered for source port %"PRIu16, sp);
583 pe0 = AppLayerProtoDetectGetProbingParser(alpd_ctx.
ctx_pp, ipproto, f->
alproto_tc);
585 pe0 = AppLayerProtoDetectGetProbingParser(alpd_ctx.
ctx_pp, ipproto, f->
alproto_ts);
588 if (pe1 == NULL && pe2 == NULL && pe0 == NULL) {
589 SCLogDebug(
"%s - No probing parsers found for either port",
590 (dir == STREAM_TOSERVER) ?
"toserver":
"toclient");
593 probe_is_found =
true;
598 alproto = PPGetProto(pe0, f,
flags, buf, buflen, alproto_masks, &rdir);
599 if (AppProtoIsValid(alproto))
601 alproto = PPGetProto(pe1, f,
flags, buf, buflen, alproto_masks, &rdir);
602 if (AppProtoIsValid(alproto))
604 alproto = PPGetProto(pe2, f,
flags, buf, buflen, alproto_masks, &rdir);
605 if (AppProtoIsValid(alproto))
610 if (pp_port_dp && pp_port_sp)
617 if (alproto_masks[0] == mask) {
619 SCLogDebug(
"%s, mask is now %08x, needed %08x, so done",
620 (dir == STREAM_TOSERVER) ?
"toserver":
"toclient",
621 alproto_masks[0], mask);
624 (dir == STREAM_TOSERVER) ?
"toserver":
"toclient",
625 alproto_masks[0], mask);
631 if (idir == STREAM_TOSERVER) {
632 dir = STREAM_TOCLIENT;
634 dir = STREAM_TOSERVER;
636 SCLogDebug(
"no match + midstream, retry the other direction %s",
637 (dir == STREAM_TOSERVER) ?
"toserver" :
"toclient");
638 goto again_midstream;
639 }
else if (!probe_is_found) {
644 if (AppProtoIsValid(alproto) && rdir != 0 && rdir != idir) {
645 SCLogDebug(
"PP found %u, is reverse flow", alproto);
646 *reverse_flow =
true;
650 (idir == STREAM_TOSERVER) ?
"toserver":
"toclient", alproto_masks[0]);
656 static void AppLayerProtoDetectPPGetIpprotos(
AppProto alproto,
665 for (pp = alpd_ctx.
ctx_pp; pp != NULL; pp = pp->
next) {
666 for (pp_port = pp->
port; pp_port != NULL; pp_port = pp_port->
next) {
667 for (pp_pe = pp_port->
dp; pp_pe != NULL; pp_pe = pp_pe->
next) {
671 for (pp_pe = pp_port->
sp; pp_pe != NULL; pp_pe = pp_pe->
next) {
681 static uint32_t AppLayerProtoDetectProbingParserGetMask(
AppProto alproto)
686 FatalError(
"Unknown protocol detected - %u", alproto);
702 SCReturnPtr(p,
"AppLayerProtoDetectProbingParserElement");
723 SCReturnPtr(p,
"AppLayerProtoDetectProbingParserPort");
735 AppLayerProtoDetectProbingParserElementFree(e);
742 AppLayerProtoDetectProbingParserElementFree(e);
760 SCReturnPtr(p,
"AppLayerProtoDetectProbingParser");
770 AppLayerProtoDetectProbingParserPortFree(pt);
780 AppLayerProtoDetectProbingParserElementCreate(
AppProto alproto,
789 pe->
alproto_mask = AppLayerProtoDetectProbingParserGetMask(alproto);
794 if (max_depth != 0 && min_depth >= max_depth) {
796 "register the probing parser. min_depth >= max_depth");
799 if (alproto <= ALPROTO_UNKNOWN || alproto >=
ALPROTO_MAX) {
800 SCLogError(
"Invalid arguments sent to register "
801 "the probing parser. Invalid alproto - %d",
806 SCReturnPtr(pe,
"AppLayerProtoDetectProbingParserElement");
808 AppLayerProtoDetectProbingParserElementFree(pe);
809 SCReturnPtr(NULL,
"AppLayerProtoDetectProbingParserElement");
828 SCReturnPtr(new_pe,
"AppLayerProtoDetectProbingParserElement");
839 printf(
"\nProtocol Detection Configuration\n");
841 for ( ; pp != NULL; pp = pp->
next) {
843 if (pp->
ipproto == IPPROTO_TCP)
844 printf(
"IPProto: TCP\n");
845 else if (pp->
ipproto == IPPROTO_UDP)
846 printf(
"IPProto: UDP\n");
848 printf(
"IPProto: %"PRIu8
"\n", pp->
ipproto);
851 for ( ; pp_port != NULL; pp_port = pp_port->
next) {
852 if (pp_port->
dp != NULL) {
853 printf(
" Port: %"PRIu16
"\n", pp_port->
port);
855 printf(
" Destination port: (max-depth: %"PRIu16
", "
856 "mask - %"PRIu32
")\n",
860 for ( ; pp_pe != NULL; pp_pe = pp_pe->
next) {
863 printf(
" port: %"PRIu16
"\n", pp_pe->
port);
865 printf(
" min_depth: %"PRIu32
"\n", pp_pe->
min_depth);
866 printf(
" max_depth: %"PRIu32
"\n", pp_pe->
max_depth);
872 if (pp_port->
sp == NULL) {
876 printf(
" Source port: (max-depth: %"PRIu16
", "
877 "mask - %"PRIu32
")\n",
881 for ( ; pp_pe != NULL; pp_pe = pp_pe->
next) {
884 printf(
" port: %"PRIu16
"\n", pp_pe->
port);
886 printf(
" min_depth: %"PRIu32
"\n", pp_pe->
min_depth);
887 printf(
" max_depth: %"PRIu32
"\n", pp_pe->
max_depth);
903 if (*head_pe == NULL) {
908 if ((*head_pe)->port == 0) {
909 if (new_pe->
port != 0) {
910 new_pe->
next = *head_pe;
914 while (temp_pe->
next != NULL)
915 temp_pe = temp_pe->
next;
916 temp_pe->
next = new_pe;
920 if (new_pe->
port == 0) {
921 while (temp_pe->
next != NULL)
922 temp_pe = temp_pe->
next;
923 temp_pe->
next = new_pe;
925 while (temp_pe->
next != NULL && temp_pe->
next->
port != 0)
926 temp_pe = temp_pe->
next;
928 temp_pe->
next = new_pe;
942 if (*head_pp == NULL) {
948 while (temp_pp->
next != NULL)
949 temp_pp = temp_pp->
next;
950 temp_pp->
next = new_pp;
961 if (*head_port == NULL) {
962 *head_port = new_port;
966 if ((*head_port)->port == 0) {
967 new_port->
next = *head_port;
968 *head_port = new_port;
971 while (temp_port->
next != NULL && temp_port->
next->
port != 0) {
972 temp_port = temp_port->
next;
975 temp_port->
next = new_port;
986 uint16_t min_depth, uint16_t max_depth,
995 while (curr_pp != NULL) {
996 if (curr_pp->
ipproto == ipproto)
998 curr_pp = curr_pp->
next;
1000 if (curr_pp == NULL) {
1003 AppLayerProtoDetectProbingParserAppend(pp, new_pp);
1009 while (curr_port != NULL) {
1010 if (curr_port->
port == port)
1012 curr_port = curr_port->
next;
1014 if (curr_port == NULL) {
1016 new_port->
port = port;
1017 AppLayerProtoDetectProbingParserPortAppend(&curr_pp->
port, new_port);
1018 curr_port = new_port;
1019 if (direction & STREAM_TOSERVER) {
1027 zero_port = curr_pp->
port;
1028 while (zero_port != NULL && zero_port->
port != 0) {
1029 zero_port = zero_port->
next;
1031 if (zero_port != NULL) {
1034 zero_pe = zero_port->
dp;
1035 for ( ; zero_pe != NULL; zero_pe = zero_pe->
next) {
1036 if (curr_port->
dp == NULL)
1046 AppLayerProtoDetectProbingParserElementDuplicate(zero_pe);
1047 AppLayerProtoDetectProbingParserElementAppend(&curr_port->
dp, dup_pe);
1051 zero_pe = zero_port->
sp;
1052 for ( ; zero_pe != NULL; zero_pe = zero_pe->
next) {
1053 if (curr_port->
sp == NULL)
1063 AppLayerProtoDetectProbingParserElementDuplicate(zero_pe);
1064 AppLayerProtoDetectProbingParserElementAppend(&curr_port->
sp, dup_pe);
1072 if (direction & STREAM_TOSERVER)
1073 curr_pe = curr_port->
dp;
1075 curr_pe = curr_port->
sp;
1076 while (curr_pe != NULL) {
1077 if (curr_pe->
alproto == alproto) {
1079 "ipproto - %" PRIu8
" Port - %" PRIu16
" "
1080 "App Protocol - NULL, App Protocol(ID) - "
1081 "%" PRIu16
" min_depth - %" PRIu16
" "
1082 "max_dept - %" PRIu16
".",
1083 ipproto, port, alproto, min_depth, max_depth);
1086 curr_pe = curr_pe->
next;
1090 AppLayerProtoDetectProbingParserElementCreate(alproto,
1092 min_depth, max_depth);
1097 if (direction & STREAM_TOSERVER) {
1100 if (curr_port->
dp == NULL)
1109 head_pe = &curr_port->
dp;
1113 if (curr_port->
sp == NULL)
1122 head_pe = &curr_port->
sp;
1124 AppLayerProtoDetectProbingParserElementAppend(head_pe, new_pe);
1126 if (curr_port->
port == 0) {
1128 while (temp_port != NULL && temp_port->
port != 0) {
1129 if (direction & STREAM_TOSERVER) {
1130 if (temp_port->
dp == NULL)
1138 AppLayerProtoDetectProbingParserElementAppend(&temp_port->
dp,
1139 AppLayerProtoDetectProbingParserElementDuplicate(curr_pe));
1142 if (temp_port->
sp == NULL)
1150 AppLayerProtoDetectProbingParserElementAppend(&temp_port->
sp,
1151 AppLayerProtoDetectProbingParserElementDuplicate(curr_pe));
1154 temp_port = temp_port->
next;
1164 static void AppLayerProtoDetectPMGetIpprotos(
AppProto alproto,
1171 for (
int j = 0; j < 2; j++) {
1177 ipprotos[ipproto / 8] |= 1 << (ipproto % 8);
1189 typedef struct TempContainer_ {
1191 uint16_t content_len;
1196 uint32_t struct_total_size = 0;
1197 uint32_t content_total_size = 0;
1199 uint8_t *ahb = NULL;
1200 uint8_t *content = NULL;
1201 uint16_t content_len = 0;
1203 TempContainer *struct_offset = NULL;
1204 uint8_t *content_offset = NULL;
1207 if (ctx->
head == NULL)
1210 for (s = ctx->
head; s != NULL; s = s->
next) {
1211 struct_total_size +=
sizeof(TempContainer);
1216 ahb =
SCMalloc(
sizeof(uint8_t) * (struct_total_size + content_total_size));
1220 struct_offset = (TempContainer *)ahb;
1221 content_offset = ahb + struct_total_size;
1222 for (s = ctx->
head; s != NULL; s = s->
next) {
1223 TempContainer *tcdup = (TempContainer *)ahb;
1227 for (; tcdup != struct_offset; tcdup++) {
1228 if (tcdup->content_len != content_len ||
1229 SCMemcmp(tcdup->content, content, tcdup->content_len) != 0)
1236 if (tcdup != struct_offset) {
1237 s->
cd->
id = tcdup->id;
1241 struct_offset->content_len = content_len;
1242 struct_offset->content = content_offset;
1243 content_offset += content_len;
1244 memcpy(struct_offset->content, content, content_len);
1245 struct_offset->id = max_id++;
1246 s->
cd->
id = struct_offset->id;
1272 if (ctx->
map == NULL)
1276 for (s = ctx->
head; s != NULL; ) {
1296 ctx->
map[s->
id] = s;
1338 AppProto alproto, uint8_t direction,
1340 uint16_t pp_min_depth, uint16_t pp_max_depth)
1362 static int AppLayerProtoDetectPMRegisterPattern(uint8_t ipproto,
AppProto alproto,
1363 const char *pattern,
1364 uint16_t depth, uint16_t
offset,
1368 uint16_t pp_min_depth, uint16_t pp_max_depth)
1392 if (depth < cd->content_len)
1395 if (direction & STREAM_TOSERVER)
1402 if (depth < ctx_pm->min_len)
1406 AppLayerProtoDetectPMAddSignature(ctx_pm, cd, alproto, direction,
1407 PPFunc, pp_min_depth, pp_max_depth);
1420 const uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t
flags,
bool *reverse_flow)
1423 SCLogDebug(
"buflen %u for %s direction", buflen,
1424 (
flags & STREAM_TOSERVER) ?
"toserver" :
"toclient");
1431 uint16_t pm_matches = AppLayerProtoDetectPMGetProto(
1432 tctx, f, buf, buflen,
flags, pm_results, reverse_flow);
1433 if (pm_matches > 0) {
1435 alproto = pm_results[0];
1438 uint8_t reverse_dir = (
flags & STREAM_TOSERVER) ? STREAM_TOCLIENT : STREAM_TOSERVER;
1451 pm_alproto = alproto;
1459 alproto = AppLayerProtoDetectPPGetProto(f, buf, buflen, ipproto,
flags, &rflow);
1460 if (AppProtoIsValid(alproto)) {
1462 *reverse_flow =
true;
1470 alproto = AppLayerProtoDetectPEGetProto(f, ipproto,
flags);
1474 if (!AppProtoIsValid(alproto))
1475 alproto = pm_alproto;
1489 while (pp != NULL) {
1491 AppLayerProtoDetectProbingParserFree(pp);
1499 static void AppLayerProtoDetectFreeAliases(
void)
1504 if (cur_alias == NULL)
1508 while (cur_alias != NULL) {
1509 next_alias = cur_alias->
next;
1511 cur_alias = next_alias;
1531 for (j = 0; j < 2; j++) {
1534 if (AppLayerProtoDetectPMSetContentIDs(ctx_pm) < 0)
1540 if (AppLayerProtoDetectPMMapSignatures(ctx_pm) < 0)
1542 if (AppLayerProtoDetectPMPrepareMpm(ctx_pm) < 0)
1549 AppLayerProtoDetectPrintProbingParsers(alpd_ctx.
ctx_pp);
1567 const char *portstr,
1569 uint16_t min_depth, uint16_t max_depth,
1579 while (temp_dp != NULL) {
1580 uint16_t port = temp_dp->
port;
1581 if (port == 0 && temp_dp->
port2 != 0)
1584 AppLayerProtoDetectInsertNewProbingParser(&alpd_ctx.
ctx_pp,
1588 min_depth, max_depth,
1592 if (port == temp_dp->
port2) {
1598 temp_dp = temp_dp->
next;
1607 const char *alproto_name,
1609 uint16_t min_depth, uint16_t max_depth,
1621 r = snprintf(param,
sizeof(param),
"%s%s%s",
"app-layer.protocols.",
1622 alproto_name,
".detection-ports");
1625 }
else if (r > (
int)
sizeof(param)) {
1626 FatalError(
"buffer not big enough to write param.");
1630 SCLogDebug(
"Entry for %s not found.", param);
1631 r = snprintf(param,
sizeof(param),
"%s%s%s%s%s",
"app-layer.protocols.",
1632 alproto_name,
".", ipproto_name,
".detection-ports");
1635 }
else if (r > (
int)
sizeof(param)) {
1636 FatalError(
"buffer not big enough to write param.");
1645 if (port_node == NULL)
1648 if (port_node != NULL && port_node->
val != NULL) {
1652 min_depth, max_depth,
1654 ProbingParserTs, ProbingParserTc);
1659 if (port_node == NULL)
1662 if (port_node != NULL && port_node->
val != NULL) {
1666 min_depth, max_depth,
1668 ProbingParserTc, ProbingParserTs);
1680 const char *pattern,
1681 uint16_t depth, uint16_t
offset,
1685 int r = AppLayerProtoDetectPMRegisterPattern(ipproto, alproto,
1693 const char *pattern, uint16_t depth, uint16_t
offset,
1696 uint16_t pp_min_depth, uint16_t pp_max_depth)
1699 int r = AppLayerProtoDetectPMRegisterPattern(ipproto, alproto,
1702 PPFunc, pp_min_depth, pp_max_depth);
1707 const char *pattern,
1708 uint16_t depth, uint16_t
offset,
1712 int r = AppLayerProtoDetectPMRegisterPattern(ipproto, alproto,
1727 memset(&alpd_ctx, 0,
sizeof(alpd_ctx));
1734 FatalError(
"Unable to alloc SpmGlobalThreadCtx.");
1738 for (j = 0; j < 2; j++) {
1755 int ipproto_map = 0;
1762 for (dir = 0; dir < 2; dir++) {
1765 for (
id = 0;
id < pm_ctx->
max_sig_id;
id++) {
1766 sig = pm_ctx->
map[id];
1767 AppLayerProtoDetectPMFreeSignature(sig);
1776 AppLayerProtoDetectFreeAliases();
1778 AppLayerProtoDetectFreeProbingParsers(alpd_ctx.
ctx_pp);
1804 new_alias->
next = NULL;
1806 if (alpda_ctx == NULL) {
1807 alpda_ctx = new_alias;
1810 while (cur_alias->
next != NULL) {
1811 cur_alias = cur_alias->
next;
1813 cur_alias->
next = new_alias;
1889 const char *ipproto,
const char *alproto,
bool default_enabled)
1893 BUG_ON(ipproto == NULL || alproto == NULL);
1903 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
1905 default_enabled =
true;
1908 r = snprintf(param,
sizeof(param),
"%s%s%s",
"app-layer.protocols.",
1909 alproto,
".enabled");
1912 }
else if (r > (
int)
sizeof(param)) {
1913 FatalError(
"buffer not big enough to write param.");
1918 SCLogDebug(
"Entry for %s not found.", param);
1919 r = snprintf(param,
sizeof(param),
"%s%s%s%s%s",
"app-layer.protocols.",
1920 alproto,
".", ipproto,
".enabled");
1923 }
else if (r > (
int)
sizeof(param)) {
1924 FatalError(
"buffer not big enough to write param.");
1929 SCLogDebug(
"Entry for %s not found.", param);
1930 if (default_enabled) {
1943 }
else if (strcasecmp(node->
val,
"detection-only") == 0) {
1949 SCLogError(
"Invalid value found for %s.", param);
1974 for (j = 0; j < 2; j++) {
1975 if (max_pat_id == 0) {
1995 for (j = 0; j < 2; j++) {
2022 int ipproto_map, dir;
2025 for (dir = 0; dir < 2; dir++) {
2051 AppLayerProtoDetectPMGetIpprotos(alproto, ipprotos);
2052 AppLayerProtoDetectPPGetIpprotos(alproto, ipprotos);
2053 AppLayerProtoDetectPEGetIpprotos(alproto, ipprotos);
2064 while (cur_alias != NULL) {
2065 if (strcasecmp(alproto_name, cur_alias->
proto_alias) == 0) {
2069 cur_alias = cur_alias->
next;
2075 if (alpd_ctx.
alproto_names[a] != NULL && AppProtoEquals(b, a)) {
2109 for (alproto = 0; alproto !=
ALPROTO_MAX; alproto++) {
2111 alprotos[alproto] = 1;
2119 static void AppLayerProtoDetectPEGetIpprotos(
AppProto alproto,
2123 ipprotos[IPPROTO_TCP / 8] |= 1 << (IPPROTO_TCP % 8);
2126 ipprotos[IPPROTO_UDP / 8] |= 1 << (IPPROTO_UDP % 8);
2134 SCLogError(
"Expectation on 2 IP protocols are not supported");
2152 alpd_ctx_ut = alpd_ctx;
2153 memset(&alpd_ctx, 0,
sizeof(alpd_ctx));
2160 alpd_ctx = alpd_ctx_ut;
2161 memset(&alpd_ctx_ut, 0,
sizeof(alpd_ctx_ut));
2165 static int AppLayerProtoDetectTest01(
void)
2170 const char *buf =
"HTTP";
2184 static int AppLayerProtoDetectTest02(
void)
2189 const char *buf =
"HTTP";
2209 static int AppLayerProtoDetectTest03(
void)
2214 uint8_t l7data[] =
"HTTP/1.1 200 OK\r\nServer: Apache/1.0\r\n\r\n";
2216 memset(pm_results, 0,
sizeof(pm_results));
2218 memset(&f, 0x00,
sizeof(f));
2222 const char *buf =
"HTTP";
2241 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2242 &f, l7data,
sizeof(l7data),
2244 pm_results, &rflow);
2254 static int AppLayerProtoDetectTest04(
void)
2259 uint8_t l7data[] =
"HTTP/1.1 200 OK\r\nServer: Apache/1.0\r\n\r\n";
2261 memset(&f, 0x00,
sizeof(f));
2263 memset(pm_results, 0,
sizeof(pm_results));
2266 const char *buf =
"200 ";
2282 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2283 &f, l7data,
sizeof(l7data), STREAM_TOCLIENT,
2294 static int AppLayerProtoDetectTest05(
void)
2299 uint8_t l7data[] =
"HTTP/1.1 200 OK\r\nServer: Apache/1.0\r\n\r\n<HTML><BODY>Blahblah</BODY></HTML>";
2301 memset(pm_results, 0,
sizeof(pm_results));
2303 memset(&f, 0x00,
sizeof(f));
2306 const char *buf =
"HTTP";
2325 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2326 &f, l7data,
sizeof(l7data),
2338 static int AppLayerProtoDetectTest06(
void)
2343 uint8_t l7data[] =
"220 Welcome to the OISF FTP server\r\n";
2345 memset(pm_results, 0,
sizeof(pm_results));
2347 memset(&f, 0x00,
sizeof(f));
2350 const char *buf =
"HTTP";
2369 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2370 &f, l7data,
sizeof(l7data), STREAM_TOCLIENT,
2381 static int AppLayerProtoDetectTest07(
void)
2386 uint8_t l7data[] =
"220 Welcome to the OISF HTTP/FTP server\r\n";
2388 memset(&f, 0x00,
sizeof(f));
2391 memset(pm_results, 0,
sizeof(pm_results));
2393 const char *buf =
"HTTP";
2408 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2409 &f, l7data,
sizeof(l7data), STREAM_TOCLIENT,
2419 static int AppLayerProtoDetectTest08(
void)
2424 uint8_t l7data[] = {
2425 0x00, 0x00, 0x00, 0x85, 0xff, 0x53, 0x4d, 0x42,
2426 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x53, 0xc8,
2427 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2428 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xfe,
2429 0x00, 0x00, 0x00, 0x00, 0x00, 0x62, 0x00, 0x02,
2430 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,
2431 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52,
2432 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02,
2433 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e,
2434 0x30, 0x00, 0x02, 0x57, 0x69, 0x6e, 0x64, 0x6f,
2435 0x77, 0x73, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x57,
2436 0x6f, 0x72, 0x6b, 0x67, 0x72, 0x6f, 0x75, 0x70,
2437 0x73, 0x20, 0x33, 0x2e, 0x31, 0x61, 0x00, 0x02,
2438 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30,
2439 0x32, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41,
2440 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4e, 0x54,
2441 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32,
2445 memset(pm_results, 0,
sizeof(pm_results));
2447 memset(&f, 0x00,
sizeof(f));
2450 const char *buf =
"|ff|SMB";
2466 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2467 &f, l7data,
sizeof(l7data), STREAM_TOCLIENT,
2478 static int AppLayerProtoDetectTest09(
void)
2483 uint8_t l7data[] = {
2484 0x00, 0x00, 0x00, 0x66, 0xfe, 0x53, 0x4d, 0x42,
2485 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2486 0x00, 0x00, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00,
2487 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2488 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2489 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2490 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2491 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2492 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x01, 0x00,
2493 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2494 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2495 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2496 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2500 memset(pm_results, 0,
sizeof(pm_results));
2502 memset(&f, 0x00,
sizeof(f));
2505 const char *buf =
"|fe|SMB";
2521 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2522 &f, l7data,
sizeof(l7data), STREAM_TOCLIENT,
2533 static int AppLayerProtoDetectTest10(
void)
2538 uint8_t l7data[] = {
2539 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
2540 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2541 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
2542 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
2543 0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11,
2544 0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57,
2545 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
2546 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
2547 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
2550 memset(pm_results, 0,
sizeof(pm_results));
2552 memset(&f, 0x00,
sizeof(f));
2555 const char *buf =
"|05 00|";
2571 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2572 &f, l7data,
sizeof(l7data), STREAM_TOCLIENT,
2587 static int AppLayerProtoDetectTest11(
void)
2592 uint8_t l7data[] =
"CONNECT www.ssllabs.com:443 HTTP/1.0\r\n";
2593 uint8_t l7data_resp[] =
"HTTP/1.1 405 Method Not Allowed\r\n";
2595 memset(pm_results, 0,
sizeof(pm_results));
2597 memset(&f, 0x00,
sizeof(f));
2609 IPPROTO_TCP,
ALPROTO_HTTP1,
"TRACE", 5, 0, STREAM_TOSERVER);
2611 IPPROTO_TCP,
ALPROTO_HTTP1,
"OPTIONS", 7, 0, STREAM_TOSERVER);
2613 IPPROTO_TCP,
ALPROTO_HTTP1,
"CONNECT", 7, 0, STREAM_TOSERVER);
2638 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2639 &f, l7data,
sizeof(l7data), STREAM_TOSERVER,
2644 memset(pm_results, 0,
sizeof(pm_results));
2646 &f, l7data_resp,
sizeof(l7data_resp), STREAM_TOCLIENT,
2660 static int AppLayerProtoDetectTest12(
void)
2672 printf(
"failure 1\n");
2678 printf(
"failure 2\n");
2684 printf(
"failure 3\n");
2688 printf(
"failure 4\n");
2692 printf(
"failure 5\n");
2696 printf(
"failure 6\n");
2712 static int AppLayerProtoDetectTest13(
void)
2717 uint8_t l7data[] =
"CONNECT www.ssllabs.com:443 HTTP/1.0\r\n";
2718 uint8_t l7data_resp[] =
"HTTP/1.1 405 Method Not Allowed\r\n";
2722 memset(&f, 0x00,
sizeof(f));
2734 IPPROTO_UDP,
ALPROTO_HTTP1,
"TRACE", 5, 0, STREAM_TOSERVER);
2736 IPPROTO_UDP,
ALPROTO_HTTP1,
"OPTIONS", 7, 0, STREAM_TOSERVER);
2738 IPPROTO_UDP,
ALPROTO_HTTP1,
"CONNECT", 7, 0, STREAM_TOSERVER);
2759 memset(pm_results, 0,
sizeof(pm_results));
2761 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2762 &f, l7data,
sizeof(l7data), STREAM_TOSERVER,
2766 memset(pm_results, 0,
sizeof(pm_results));
2768 &f, l7data_resp,
sizeof(l7data_resp), STREAM_TOCLIENT,
2783 static int AppLayerProtoDetectTest14(
void)
2788 uint8_t l7data[] =
"CONNECT www.ssllabs.com:443 HTTP/1.0\r\n";
2789 uint8_t l7data_resp[] =
"HTTP/1.1 405 Method Not Allowed\r\n";
2793 memset(&f, 0x00,
sizeof(f));
2805 IPPROTO_UDP,
ALPROTO_HTTP1,
"TRACE", 5, 0, STREAM_TOSERVER);
2807 IPPROTO_UDP,
ALPROTO_HTTP1,
"OPTIONS", 7, 0, STREAM_TOSERVER);
2809 IPPROTO_UDP,
ALPROTO_HTTP1,
"CONNECT", 7, 0, STREAM_TOSERVER);
2831 memset(pm_results, 0,
sizeof(pm_results));
2834 &f, l7data,
sizeof(l7data), STREAM_TOSERVER,
2839 memset(pm_results, 0,
sizeof(pm_results));
2841 &f, l7data_resp,
sizeof(l7data_resp), STREAM_TOCLIENT,
2886 int i = -1, j = -1 , k = -1;
2890 for (i = 0; i < no_of_ip_proto; i++, pp = pp->
next) {
2891 if (pp->ipproto != ip_proto[i].
ipproto)
2895 for (k = 0; k < ip_proto[i].
no_of_port; k++, pp_port = pp_port->
next) {
2896 if (pp_port->port != ip_proto[i].
port[k].
port)
2912 j++, pp_element = pp_element->
next) {
2930 if (pp_element != NULL)
2933 pp_element = pp_port->sp;
2954 if (pp_element != NULL)
2957 if (pp_port != NULL)
2966 printf(
"i = %d, k = %d, j = %d(%s)\n", i, k, j, (dir == 0) ?
"ts" :
"tc");
2971 static uint16_t ProbingParserDummyForTesting(
Flow *f, uint8_t direction,
2972 const uint8_t *input,
2973 uint32_t input_len, uint8_t *rdir)
2978 static int AppLayerProtoDetectTest15(
void)
2986 ProbingParserDummyForTesting, NULL);
2992 ProbingParserDummyForTesting, NULL);
2998 ProbingParserDummyForTesting, NULL);
3005 ProbingParserDummyForTesting, NULL);
3011 ProbingParserDummyForTesting, NULL);
3017 ProbingParserDummyForTesting, NULL);
3023 ProbingParserDummyForTesting, NULL);
3030 ProbingParserDummyForTesting, NULL);
3036 ProbingParserDummyForTesting, NULL);
3044 ProbingParserDummyForTesting, NULL);
3052 ProbingParserDummyForTesting, NULL);
3058 ProbingParserDummyForTesting, NULL);
3065 ProbingParserDummyForTesting, NULL);
3071 ProbingParserDummyForTesting, NULL);
3077 ProbingParserDummyForTesting, NULL);
3079 ProbingParserDummyForTesting, NULL);
3085 ProbingParserDummyForTesting, NULL);
3091 ProbingParserDummyForTesting, NULL);
3097 ProbingParserDummyForTesting, NULL);
3103 ProbingParserDummyForTesting, NULL);
3109 ProbingParserDummyForTesting, NULL);
3115 ProbingParserDummyForTesting, NULL);
3235 23, element_ts_85, element_tc_85,
3243 23, element_ts_90, element_tc_90,
3251 23, element_ts_0, element_tc_0,
3261 element_ts_85_udp, element_tc_85_udp,
3279 if (AppLayerProtoDetectPPTestData(alpd_ctx.
ctx_pp, ip_proto,
3293 static int AppLayerProtoDetectTest16(
void)
3298 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
3299 "User-Agent: Mozilla/1.0\r\n"
3300 "Cookie: hellocatch\r\n\r\n";
3301 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
3315 printf(
"packet setup failed: ");
3319 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1024, 80);
3321 printf(
"flow setup failed: ");
3325 f->
proto = IPPROTO_TCP;
3343 "(msg:\"Test content option\"; "
3355 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3360 if (http_state == NULL) {
3361 printf(
"no http state: ");
3369 printf(
"sig 1 didn't alert, but it should: ");
3376 if (det_ctx != NULL)
3392 static int AppLayerProtoDetectTest17(
void)
3397 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
3398 "User-Agent: Mozilla/1.0\r\n"
3399 "Cookie: hellocatch\r\n\r\n";
3400 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
3414 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1024, 80);
3418 f->
proto = IPPROTO_TCP;
3434 "(msg:\"http over non standar port\"; "
3446 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3451 if (http_state == NULL) {
3452 printf(
"no http state: ");
3460 printf(
"sig 1 didn't alert, but it should: ");
3469 if (det_ctx != NULL)
3485 static int AppLayerProtoDetectTest18(
void)
3490 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
3491 "User-Agent: Mozilla/1.0\r\n"
3492 "Cookie: hellocatch\r\n\r\n";
3493 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
3507 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1024, 80);
3511 f->
proto = IPPROTO_TCP;
3527 "(msg:\"Test content option\"; "
3539 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3544 if (http_state == NULL) {
3545 printf(
"no http state: ");
3553 printf(
"sig 1 alerted, but it should not (it's not ftp): ");
3561 if (det_ctx != NULL)
3577 static int AppLayerProtoDetectTest19(
void)
3581 uint8_t http_buf1[] =
"MPUT one\r\n";
3582 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
3596 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1024, 80);
3600 f->
proto = IPPROTO_TCP;
3616 "(msg:\"http over non standar port\"; "
3626 STREAM_TOSERVER, http_buf1, http_buf1_len);
3628 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3636 printf(
"sig 1 alerted, but it should not (it's ftp): ");
3645 if (det_ctx != NULL)
3662 UtRegisterTest(
"AppLayerProtoDetectTest01", AppLayerProtoDetectTest01);
3663 UtRegisterTest(
"AppLayerProtoDetectTest02", AppLayerProtoDetectTest02);
3664 UtRegisterTest(
"AppLayerProtoDetectTest03", AppLayerProtoDetectTest03);
3665 UtRegisterTest(
"AppLayerProtoDetectTest04", AppLayerProtoDetectTest04);
3666 UtRegisterTest(
"AppLayerProtoDetectTest05", AppLayerProtoDetectTest05);
3667 UtRegisterTest(
"AppLayerProtoDetectTest06", AppLayerProtoDetectTest06);
3668 UtRegisterTest(
"AppLayerProtoDetectTest07", AppLayerProtoDetectTest07);
3669 UtRegisterTest(
"AppLayerProtoDetectTest08", AppLayerProtoDetectTest08);
3670 UtRegisterTest(
"AppLayerProtoDetectTest09", AppLayerProtoDetectTest09);
3671 UtRegisterTest(
"AppLayerProtoDetectTest10", AppLayerProtoDetectTest10);
3672 UtRegisterTest(
"AppLayerProtoDetectTest11", AppLayerProtoDetectTest11);
3673 UtRegisterTest(
"AppLayerProtoDetectTest12", AppLayerProtoDetectTest12);
3674 UtRegisterTest(
"AppLayerProtoDetectTest13", AppLayerProtoDetectTest13);
3675 UtRegisterTest(
"AppLayerProtoDetectTest14", AppLayerProtoDetectTest14);
3676 UtRegisterTest(
"AppLayerProtoDetectTest15", AppLayerProtoDetectTest15);
3677 UtRegisterTest(
"AppLayerProtoDetectTest16", AppLayerProtoDetectTest16);
3678 UtRegisterTest(
"AppLayerProtoDetectTest17", AppLayerProtoDetectTest17);
3679 UtRegisterTest(
"AppLayerProtoDetectTest18", AppLayerProtoDetectTest18);
3680 UtRegisterTest(
"AppLayerProtoDetectTest19", AppLayerProtoDetectTest19);