190 static void AppLayerProtoDetectPEGetIpprotos(
AppProto alproto,
201 uint32_t buflen, uint16_t searchlen,
bool *rflow)
206 SCLogDebug(
"s->co->offset (%"PRIu16
") > searchlen (%"PRIu16
")",
210 if (s->
cd->
depth > searchlen) {
211 SCLogDebug(
"s->co->depth (%"PRIu16
") > searchlen (%"PRIu16
")",
216 const uint8_t *sbuf = buf + s->
cd->
offset;
218 SCLogDebug(
"s->co->offset (%"PRIu16
") s->cd->depth (%"PRIu16
")",
227 uint8_t direction = (
flags & (STREAM_TOSERVER | STREAM_TOCLIENT));
228 SCLogDebug(
"matching, s->direction %s, our dir %s",
229 (s->
direction & STREAM_TOSERVER) ?
"toserver" :
"toclient",
230 (
flags & STREAM_TOSERVER) ?
"toserver" :
"toclient");
235 SCLogDebug(
"direction is wrong, rflow = true");
241 SCLogDebug(
"PP can't be run yet as pp_min_depth %u > buflen %u",
249 SCLogDebug(
"found %s/%u, rdir %02x reverse_flow? %s",
251 (rdir && direction != rdir) ?
"true" :
"false");
252 *rflow = (rdir && direction != rdir);
259 SCLogDebug(
"depth reached and answer inconclusive: fail");
274 uint32_t buflen, uint8_t
flags,
AppProto *pm_results,
bool *rflow)
280 SCLogDebug(
"searchlen %u buflen %u", searchlen, buflen);
286 if (search_cnt == 0) {
294 memset(pm_results_bf, 0,
sizeof(pm_results_bf));
303 s, tctx, f,
flags, buf, buflen, searchlen, rflow);
306 if (AppProtoIsValid(
proto) &&
307 !(pm_results_bf[
proto / 8] & (1 << (
proto % 8))) )
309 pm_results[pm_matches++] =
proto;
315 if (pm_matches == 0 && buflen >= pm_ctx->
pp_max_len) {
327 const uint8_t *buf, uint32_t buflen, uint8_t
flags,
AppProto *pm_results,
bool *rflow)
342 if (
flags & STREAM_TOSERVER) {
350 m = PMGetProtoInspect(tctx, pm_ctx, mpm_tctx, f, buf, buflen,
flags, pm_results, rflow);
371 if (
flags & STREAM_TOSERVER) {
378 SCLogDebug(
"no matches and in midstream mode, lets try the "
379 "*patterns for the other side");
383 om = PMGetProtoInspect(
384 tctx, pm_ctx, mpm_tctx, f, buf, buflen,
flags, pm_results, rflow);
392 }
else if (om < 0 &&
m &&
m < 0) {
397 }
else if (om == 0 ||
m == 0) {
419 while (pp_port != NULL) {
420 if (pp_port->
dp != NULL && pp_port->
dp->
alproto == alproto) {
421 pp_elem = pp_port->
dp;
424 if (pp_port->
sp != NULL && pp_port->
sp->
alproto == alproto) {
425 pp_elem = pp_port->
sp;
428 pp_port = pp_port->
next;
431 SCReturnPtr(pp_elem,
"AppLayerProtoDetectProbingParserElement *");
451 while (pp_port != NULL) {
456 pp_port = pp_port->
next;
460 SCReturnPtr(pp_port,
"AppLayerProtoDetectProbingParserPort *");
481 uint8_t
flags,
const uint8_t *buf, uint32_t buflen, uint32_t *alproto_masks, uint8_t *rdir,
486 if (alproto_masks != NULL) {
488 if (buflen < pe->min_depth || (alproto_masks[0] &
BIT_U32(*nb_tried))) {
491 *nb_tried = *nb_tried + 1;
494 }
else if (buflen < pe->min_depth) {
505 if (AppProtoIsValid(alproto)) {
508 if (alproto_masks != NULL) {
511 alproto_masks[0] |=
BIT_U32(*nb_tried);
513 *nb_tried = *nb_tried + 1;
528 static AppProto AppLayerProtoDetectPPGetProto(
Flow *f,
const uint8_t *buf, uint32_t buflen,
529 uint8_t ipproto,
const uint8_t
flags,
bool *reverse_flow)
549 uint8_t nb_tried = 0;
550 uint32_t *alproto_masks = NULL;
551 uint8_t idir = (
flags & (STREAM_TOSERVER | STREAM_TOCLIENT));
555 bool probe_is_found =
false;
562 (dir == STREAM_TOSERVER) ?
"toserver" :
"toclient");
564 if (dir == STREAM_TOSERVER) {
566 pp_port_dp = AppLayerProtoDetectGetProbingParsers(alpd_ctx.
ctx_pp, ipproto, dp);
568 if (pp_port_dp != NULL) {
569 SCLogDebug(
"toserver - Probing parser found for destination port %"PRIu16, dp);
572 pe1 = pp_port_dp->
dp;
574 SCLogDebug(
"toserver - No probing parser registered for dest port %"PRIu16, dp);
577 pp_port_sp = AppLayerProtoDetectGetProbingParsers(alpd_ctx.
ctx_pp, ipproto, sp);
578 if (pp_port_sp != NULL) {
579 SCLogDebug(
"toserver - Probing parser found for source port %"PRIu16, sp);
582 pe2 = pp_port_sp->
sp;
584 SCLogDebug(
"toserver - No probing parser registered for source port %"PRIu16, sp);
588 pp_port_dp = AppLayerProtoDetectGetProbingParsers(alpd_ctx.
ctx_pp, ipproto, dp);
594 if (pp_port_dp != NULL) {
595 SCLogDebug(
"toclient - Probing parser found for destination port %"PRIu16, dp);
598 pe1 = pp_port_dp->
dp;
600 SCLogDebug(
"toclient - No probing parser registered for dest port %"PRIu16, dp);
603 pp_port_sp = AppLayerProtoDetectGetProbingParsers(alpd_ctx.
ctx_pp, ipproto, sp);
604 if (pp_port_sp != NULL) {
605 SCLogDebug(
"toclient - Probing parser found for source port %"PRIu16, sp);
607 pe2 = pp_port_sp->
sp;
609 SCLogDebug(
"toclient - No probing parser registered for source port %"PRIu16, sp);
617 pe0 = AppLayerProtoDetectGetProbingParser(alpd_ctx.
ctx_pp, ipproto, f->
alproto_tc);
619 pe0 = AppLayerProtoDetectGetProbingParser(alpd_ctx.
ctx_pp, ipproto, f->
alproto_ts);
622 if (pe1 == NULL && pe2 == NULL && pe0 == NULL) {
623 SCLogDebug(
"%s - No probing parsers found for either port",
624 (dir == STREAM_TOSERVER) ?
"toserver":
"toclient");
627 probe_is_found =
true;
633 alproto = PPGetProto(pe0, f,
flags, buf, buflen, NULL, &rdir, NULL);
634 if (AppProtoIsValid(alproto))
636 alproto = PPGetProto(pe1, f,
flags, buf, buflen, alproto_masks, &rdir, &nb_tried);
637 if (AppProtoIsValid(alproto))
639 alproto = PPGetProto(pe2, f,
flags, buf, buflen, alproto_masks, &rdir, &nb_tried);
640 if (AppProtoIsValid(alproto))
647 if (alproto_masks[0] ==
BIT_U32(nb_tried) - 1) {
649 SCLogDebug(
"%s, mask is now %08x, needed %08x, so done",
650 (dir == STREAM_TOSERVER) ?
"toserver" :
"toclient", alproto_masks[0],
654 (dir == STREAM_TOSERVER) ?
"toserver" :
"toclient", alproto_masks[0],
661 if (idir == STREAM_TOSERVER) {
662 dir = STREAM_TOCLIENT;
664 dir = STREAM_TOSERVER;
666 SCLogDebug(
"no match + midstream, retry the other direction %s",
667 (dir == STREAM_TOSERVER) ?
"toserver" :
"toclient");
668 goto again_midstream;
669 }
else if (!probe_is_found) {
674 if (AppProtoIsValid(alproto) && rdir != 0 && rdir != idir) {
675 SCLogDebug(
"PP found %u, is reverse flow", alproto);
676 *reverse_flow =
true;
680 (idir == STREAM_TOSERVER) ?
"toserver":
"toclient", alproto_masks[0]);
686 static void AppLayerProtoDetectPPGetIpprotos(
AppProto alproto,
695 for (pp = alpd_ctx.
ctx_pp; pp != NULL; pp = pp->
next) {
696 for (pp_port = pp->
port; pp_port != NULL; pp_port = pp_port->
next) {
697 for (pp_pe = pp_port->
dp; pp_pe != NULL; pp_pe = pp_pe->
next) {
701 for (pp_pe = pp_port->
sp; pp_pe != NULL; pp_pe = pp_pe->
next) {
721 SCReturnPtr(p,
"AppLayerProtoDetectProbingParserElement");
742 SCReturnPtr(p,
"AppLayerProtoDetectProbingParserPort");
754 AppLayerProtoDetectProbingParserElementFree(e);
761 AppLayerProtoDetectProbingParserElementFree(e);
779 SCReturnPtr(p,
"AppLayerProtoDetectProbingParser");
789 AppLayerProtoDetectProbingParserPortFree(pt);
799 AppProto alproto, uint16_t min_depth, uint16_t max_depth)
808 if (max_depth != 0 && min_depth >= max_depth) {
810 "register the probing parser. min_depth >= max_depth");
813 if (alproto <= ALPROTO_UNKNOWN || alproto >=
g_alproto_max) {
814 SCLogError(
"Invalid arguments sent to register "
815 "the probing parser. Invalid alproto - %d",
820 SCReturnPtr(pe,
"AppLayerProtoDetectProbingParserElement");
822 AppLayerProtoDetectProbingParserElementFree(pe);
823 SCReturnPtr(NULL,
"AppLayerProtoDetectProbingParserElement");
840 SCReturnPtr(new_pe,
"AppLayerProtoDetectProbingParserElement");
851 printf(
"\nProtocol Detection Configuration\n");
853 for ( ; pp != NULL; pp = pp->
next) {
855 if (pp->
ipproto == IPPROTO_TCP)
856 printf(
"IPProto: TCP\n");
857 else if (pp->
ipproto == IPPROTO_UDP)
858 printf(
"IPProto: UDP\n");
860 printf(
"IPProto: %"PRIu8
"\n", pp->
ipproto);
863 for ( ; pp_port != NULL; pp_port = pp_port->
next) {
864 if (pp_port->
dp != NULL) {
865 printf(
" Port: %"PRIu16
"\n", pp_port->
port);
867 printf(
" Destination port: (max-depth: %" PRIu16
")\n",
870 for ( ; pp_pe != NULL; pp_pe = pp_pe->
next) {
873 printf(
" min_depth: %"PRIu32
"\n", pp_pe->
min_depth);
874 printf(
" max_depth: %"PRIu32
"\n", pp_pe->
max_depth);
880 if (pp_port->
sp == NULL) {
884 printf(
" Source port: (max-depth: %" PRIu16
")\n", pp_port->
sp_max_depth);
886 for ( ; pp_pe != NULL; pp_pe = pp_pe->
next) {
889 printf(
" min_depth: %"PRIu32
"\n", pp_pe->
min_depth);
890 printf(
" max_depth: %"PRIu32
"\n", pp_pe->
max_depth);
906 if (*head_pe == NULL) {
912 while (temp_pe->
next != NULL)
913 temp_pe = temp_pe->
next;
914 temp_pe->
next = new_pe;
924 if (*head_pp == NULL) {
930 while (temp_pp->
next != NULL)
931 temp_pp = temp_pp->
next;
932 temp_pp->
next = new_pp;
943 if (*head_port == NULL) {
944 *head_port = new_port;
949 if ((*head_port)->port == 0 && (*head_port)->use_ports) {
950 new_port->
next = *head_port;
951 *head_port = new_port;
954 while (temp_port->
next != NULL &&
956 temp_port = temp_port->
next;
959 temp_port->
next = new_port;
967 uint8_t ipproto,
bool use_ports, uint16_t port,
AppProto alproto, uint16_t min_depth,
975 while (curr_pp != NULL) {
976 if (curr_pp->
ipproto == ipproto)
978 curr_pp = curr_pp->
next;
980 if (curr_pp == NULL) {
983 AppLayerProtoDetectProbingParserAppend(pp, new_pp);
989 while (curr_port != NULL) {
991 if (curr_port->
port == port && use_ports)
993 curr_port = curr_port->
next;
995 if (curr_port == NULL) {
997 new_port->
port = port;
999 AppLayerProtoDetectProbingParserPortAppend(&curr_pp->
port, new_port);
1000 curr_port = new_port;
1001 if (direction & STREAM_TOSERVER) {
1009 zero_port = curr_pp->
port;
1011 while (zero_port != NULL && !(zero_port->
port == 0 && zero_port->
use_ports)) {
1012 zero_port = zero_port->
next;
1014 if (zero_port != NULL) {
1017 zero_pe = zero_port->
dp;
1018 for ( ; zero_pe != NULL; zero_pe = zero_pe->
next) {
1019 if (curr_port->
dp == NULL)
1029 AppLayerProtoDetectProbingParserElementDuplicate(zero_pe);
1030 AppLayerProtoDetectProbingParserElementAppend(&curr_port->
dp, dup_pe);
1033 zero_pe = zero_port->
sp;
1034 for ( ; zero_pe != NULL; zero_pe = zero_pe->
next) {
1035 if (curr_port->
sp == NULL)
1045 AppLayerProtoDetectProbingParserElementDuplicate(zero_pe);
1046 AppLayerProtoDetectProbingParserElementAppend(&curr_port->
sp, dup_pe);
1053 if (direction & STREAM_TOSERVER)
1054 curr_pe = curr_port->
dp;
1056 curr_pe = curr_port->
sp;
1057 while (curr_pe != NULL) {
1058 if (curr_pe->
alproto == alproto) {
1060 "ipproto - %" PRIu8
" Port - %" PRIu16
" "
1061 "App Protocol - NULL, App Protocol(ID) - "
1062 "%" PRIu16
" min_depth - %" PRIu16
" "
1063 "max_dept - %" PRIu16
".",
1064 ipproto, port, alproto, min_depth, max_depth);
1067 curr_pe = curr_pe->
next;
1071 AppLayerProtoDetectProbingParserElementCreate(alproto, min_depth, max_depth);
1076 if (direction & STREAM_TOSERVER) {
1079 if (curr_port->
dp == NULL)
1087 head_pe = &curr_port->
dp;
1091 if (curr_port->
sp == NULL)
1099 head_pe = &curr_port->
sp;
1101 AppLayerProtoDetectProbingParserElementAppend(head_pe, new_pe);
1106 while (temp_port != NULL && !(temp_port->
port == 0 && temp_port->
use_ports)) {
1107 if (direction & STREAM_TOSERVER) {
1108 if (temp_port->
dp == NULL)
1116 AppLayerProtoDetectProbingParserElementAppend(
1117 &temp_port->
dp, AppLayerProtoDetectProbingParserElementDuplicate(curr_pe));
1119 if (temp_port->
sp == NULL)
1127 AppLayerProtoDetectProbingParserElementAppend(
1128 &temp_port->
sp, AppLayerProtoDetectProbingParserElementDuplicate(curr_pe));
1130 temp_port = temp_port->
next;
1140 static void AppLayerProtoDetectPMGetIpprotos(
AppProto alproto,
1147 for (
int j = 0; j < 2; j++) {
1153 ipprotos[ipproto / 8] |= 1 << (ipproto % 8);
1165 typedef struct TempContainer_ {
1167 uint16_t content_len;
1172 uint32_t struct_total_size = 0;
1173 uint32_t content_total_size = 0;
1175 uint8_t *ahb = NULL;
1176 uint8_t *content = NULL;
1177 uint16_t content_len = 0;
1179 TempContainer *struct_offset = NULL;
1180 uint8_t *content_offset = NULL;
1183 if (
ctx->head == NULL)
1186 for (s =
ctx->head; s != NULL; s = s->
next) {
1187 struct_total_size +=
sizeof(TempContainer);
1192 ahb =
SCMalloc(
sizeof(uint8_t) * (struct_total_size + content_total_size));
1196 struct_offset = (TempContainer *)ahb;
1197 content_offset = ahb + struct_total_size;
1198 for (s =
ctx->head; s != NULL; s = s->
next) {
1199 TempContainer *tcdup = (TempContainer *)ahb;
1203 for (; tcdup != struct_offset; tcdup++) {
1204 if (tcdup->content_len != content_len ||
1205 SCMemcmp(tcdup->content, content, tcdup->content_len) != 0)
1212 if (tcdup != struct_offset) {
1213 s->
cd->
id = tcdup->id;
1217 struct_offset->content_len = content_len;
1218 struct_offset->content = content_offset;
1219 content_offset += content_len;
1220 memcpy(struct_offset->content, content, content_len);
1221 struct_offset->id = max_id++;
1222 s->
cd->
id = struct_offset->id;
1227 ctx->max_pat_id = max_id;
1248 if (
ctx->map == NULL)
1252 for (s =
ctx->head; s != NULL; ) {
1272 ctx->map[s->
id] = s;
1314 AppProto alproto, uint8_t direction,
1316 uint16_t pp_min_depth, uint16_t pp_max_depth)
1338 static int AppLayerProtoDetectPMRegisterPattern(uint8_t ipproto,
AppProto alproto,
1339 const char *pattern,
1340 uint16_t depth, uint16_t
offset,
1344 uint16_t pp_min_depth, uint16_t pp_max_depth)
1368 if (depth < cd->content_len)
1371 if (direction & STREAM_TOSERVER)
1378 if (depth < ctx_pm->min_len)
1382 AppLayerProtoDetectPMAddSignature(ctx_pm, cd, alproto, direction,
1383 PPFunc, pp_min_depth, pp_max_depth);
1396 const uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t
flags,
bool *reverse_flow)
1399 SCLogDebug(
"buflen %u for %s direction", buflen,
1400 (
flags & STREAM_TOSERVER) ?
"toserver" :
"toclient");
1406 uint16_t pm_matches = AppLayerProtoDetectPMGetProto(
1407 tctx, f, buf, buflen,
flags, pm_results, reverse_flow);
1408 if (pm_matches > 0) {
1410 alproto = pm_results[0];
1413 uint8_t reverse_dir = (
flags & STREAM_TOSERVER) ? STREAM_TOCLIENT : STREAM_TOSERVER;
1426 alproto = AppLayerProtoDetectPPGetProto(f, buf, buflen, ipproto,
flags, reverse_flow);
1427 if (AppProtoIsValid(alproto)) {
1435 alproto = AppLayerProtoDetectPEGetProto(f,
flags);
1450 while (pp != NULL) {
1452 AppLayerProtoDetectProbingParserFree(pp);
1460 static void AppLayerProtoDetectFreeAliases(
void)
1465 if (cur_alias == NULL)
1469 while (cur_alias != NULL) {
1470 next_alias = cur_alias->
next;
1472 cur_alias = next_alias;
1492 for (j = 0; j < 2; j++) {
1495 if (AppLayerProtoDetectPMSetContentIDs(ctx_pm) < 0)
1501 if (AppLayerProtoDetectPMMapSignatures(ctx_pm) < 0)
1503 if (AppLayerProtoDetectPMPrepareMpm(ctx_pm) < 0)
1510 AppLayerProtoDetectPrintProbingParsers(alpd_ctx.
ctx_pp);
1528 const char *portstr,
1530 uint16_t min_depth, uint16_t max_depth,
1538 if (portstr == NULL) {
1541 AppLayerProtoDetectInsertNewProbingParser(&alpd_ctx.
ctx_pp, ipproto,
false, 0, alproto,
1542 min_depth, max_depth, direction, ProbingParser1, ProbingParser2);
1547 while (temp_dp != NULL) {
1548 uint16_t port = temp_dp->
port;
1549 if (port == 0 && temp_dp->
port2 != 0)
1552 AppLayerProtoDetectInsertNewProbingParser(&alpd_ctx.
ctx_pp, ipproto,
true, port,
1553 alproto, min_depth, max_depth, direction, ProbingParser1, ProbingParser2);
1554 if (port == temp_dp->
port2) {
1560 temp_dp = temp_dp->
next;
1569 const char *alproto_name,
1571 uint16_t min_depth, uint16_t max_depth,
1583 r = snprintf(param,
sizeof(param),
"%s%s%s",
"app-layer.protocols.",
1584 alproto_name,
".detection-ports");
1587 }
else if (r > (
int)
sizeof(param)) {
1588 FatalError(
"buffer not big enough to write param.");
1592 SCLogDebug(
"Entry for %s not found.", param);
1593 r = snprintf(param,
sizeof(param),
"%s%s%s%s%s",
"app-layer.protocols.",
1594 alproto_name,
".", ipproto_name,
".detection-ports");
1597 }
else if (r > (
int)
sizeof(param)) {
1598 FatalError(
"buffer not big enough to write param.");
1607 if (port_node == NULL)
1610 if (port_node != NULL && port_node->
val != NULL) {
1614 min_depth, max_depth,
1616 ProbingParserTs, ProbingParserTc);
1621 if (port_node == NULL)
1624 if (port_node != NULL && port_node->
val != NULL) {
1628 min_depth, max_depth,
1630 ProbingParserTc, ProbingParserTs);
1642 const char *pattern,
1643 uint16_t depth, uint16_t
offset,
1647 int r = AppLayerProtoDetectPMRegisterPattern(ipproto, alproto,
1655 const char *pattern, uint16_t depth, uint16_t
offset,
1658 uint16_t pp_min_depth, uint16_t pp_max_depth)
1661 int r = AppLayerProtoDetectPMRegisterPattern(ipproto, alproto,
1664 PPFunc, pp_min_depth, pp_max_depth);
1669 const char *pattern,
1670 uint16_t depth, uint16_t
offset,
1674 int r = AppLayerProtoDetectPMRegisterPattern(ipproto, alproto,
1689 memset(&alpd_ctx, 0,
sizeof(alpd_ctx));
1696 FatalError(
"Unable to alloc SpmGlobalThreadCtx.");
1700 for (j = 0; j < 2; j++) {
1707 FatalError(
"Unable to alloc alproto_names.");
1713 FatalError(
"Unable to alloc expectation_proto.");
1728 int ipproto_map = 0;
1735 for (dir = 0; dir < 2; dir++) {
1738 for (
id = 0;
id < pm_ctx->
max_sig_id;
id++) {
1739 sig = pm_ctx->
map[
id];
1740 AppLayerProtoDetectPMFreeSignature(sig);
1756 AppLayerProtoDetectFreeAliases();
1758 AppLayerProtoDetectFreeProbingParsers(alpd_ctx.
ctx_pp);
1770 FatalError(
"Unable to realloc alproto_names.");
1794 new_alias->
next = NULL;
1796 if (alpda_ctx == NULL) {
1797 alpda_ctx = new_alias;
1800 while (cur_alias->
next != NULL) {
1801 cur_alias = cur_alias->
next;
1803 cur_alias->
next = new_alias;
1867 if (new_proto != f->
alproto) {
1895 const char *ipproto,
const char *alproto,
bool default_enabled)
1899 BUG_ON(ipproto == NULL || alproto == NULL);
1909 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
1911 default_enabled =
true;
1914 r = snprintf(param,
sizeof(param),
"%s%s%s",
"app-layer.protocols.",
1915 alproto,
".enabled");
1918 }
else if (r > (
int)
sizeof(param)) {
1919 FatalError(
"buffer not big enough to write param.");
1924 SCLogDebug(
"Entry for %s not found.", param);
1925 r = snprintf(param,
sizeof(param),
"%s%s%s%s%s",
"app-layer.protocols.",
1926 alproto,
".", ipproto,
".enabled");
1929 }
else if (r > (
int)
sizeof(param)) {
1930 FatalError(
"buffer not big enough to write param.");
1935 SCLogDebug(
"Entry for %s not found.", param);
1936 if (default_enabled) {
1949 }
else if (strcasecmp(node->
val,
"detection-only") == 0) {
1955 SCLogError(
"Invalid value found for %s.", param);
1980 for (j = 0; j < 2; j++) {
1981 if (max_pat_id == 0) {
2001 for (j = 0; j < 2; j++) {
2028 int ipproto_map, dir;
2031 for (dir = 0; dir < 2; dir++) {
2060 AppLayerProtoDetectPMGetIpprotos(alproto, ipprotos);
2061 AppLayerProtoDetectPPGetIpprotos(alproto, ipprotos);
2062 AppLayerProtoDetectPEGetIpprotos(alproto, ipprotos);
2073 while (cur_alias != NULL) {
2074 if (strcasecmp(alproto_name, cur_alias->
proto_alias) == 0) {
2078 cur_alias = cur_alias->
next;
2084 if (alpd_ctx.
alproto_names[a] != NULL && AppProtoEquals(b, a)) {
2120 alprotos[alproto] = 1;
2126 static void AppLayerProtoDetectPEGetIpprotos(
AppProto alproto,
2133 ipprotos[IPPROTO_TCP / 8] |= 1 << (IPPROTO_TCP % 8);
2136 ipprotos[IPPROTO_UDP / 8] |= 1 << (IPPROTO_UDP % 8);
2144 SCLogError(
"Expectation on 2 IP protocols are not supported");
2162 alpd_ctx_ut = alpd_ctx;
2163 memset(&alpd_ctx, 0,
sizeof(alpd_ctx));
2170 alpd_ctx = alpd_ctx_ut;
2171 memset(&alpd_ctx_ut, 0,
sizeof(alpd_ctx_ut));
2175 static int AppLayerProtoDetectTest01(
void)
2180 const char *buf =
"HTTP";
2194 static int AppLayerProtoDetectTest02(
void)
2199 const char *buf =
"HTTP";
2219 static int AppLayerProtoDetectTest03(
void)
2224 uint8_t l7data[] =
"HTTP/1.1 200 OK\r\nServer: Apache/1.0\r\n\r\n";
2226 memset(pm_results, 0,
sizeof(pm_results));
2228 memset(&f, 0x00,
sizeof(f));
2232 const char *buf =
"HTTP";
2251 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2252 &f, l7data,
sizeof(l7data),
2254 pm_results, &rflow);
2264 static int AppLayerProtoDetectTest04(
void)
2269 uint8_t l7data[] =
"HTTP/1.1 200 OK\r\nServer: Apache/1.0\r\n\r\n";
2271 memset(&f, 0x00,
sizeof(f));
2273 memset(pm_results, 0,
sizeof(pm_results));
2276 const char *buf =
"200 ";
2292 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2293 &f, l7data,
sizeof(l7data), STREAM_TOCLIENT,
2304 static int AppLayerProtoDetectTest05(
void)
2309 uint8_t l7data[] =
"HTTP/1.1 200 OK\r\nServer: Apache/1.0\r\n\r\n<HTML><BODY>Blahblah</BODY></HTML>";
2311 memset(pm_results, 0,
sizeof(pm_results));
2313 memset(&f, 0x00,
sizeof(f));
2316 const char *buf =
"HTTP";
2335 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2336 &f, l7data,
sizeof(l7data),
2348 static int AppLayerProtoDetectTest06(
void)
2353 uint8_t l7data[] =
"220 Welcome to the OISF FTP server\r\n";
2355 memset(pm_results, 0,
sizeof(pm_results));
2357 memset(&f, 0x00,
sizeof(f));
2360 const char *buf =
"HTTP";
2379 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2380 &f, l7data,
sizeof(l7data), STREAM_TOCLIENT,
2391 static int AppLayerProtoDetectTest07(
void)
2396 uint8_t l7data[] =
"220 Welcome to the OISF HTTP/FTP server\r\n";
2398 memset(&f, 0x00,
sizeof(f));
2401 memset(pm_results, 0,
sizeof(pm_results));
2403 const char *buf =
"HTTP";
2418 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2419 &f, l7data,
sizeof(l7data), STREAM_TOCLIENT,
2429 static int AppLayerProtoDetectTest08(
void)
2434 uint8_t l7data[] = {
2435 0x00, 0x00, 0x00, 0x85, 0xff, 0x53, 0x4d, 0x42,
2436 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x53, 0xc8,
2437 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2438 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xfe,
2439 0x00, 0x00, 0x00, 0x00, 0x00, 0x62, 0x00, 0x02,
2440 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,
2441 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52,
2442 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02,
2443 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e,
2444 0x30, 0x00, 0x02, 0x57, 0x69, 0x6e, 0x64, 0x6f,
2445 0x77, 0x73, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x57,
2446 0x6f, 0x72, 0x6b, 0x67, 0x72, 0x6f, 0x75, 0x70,
2447 0x73, 0x20, 0x33, 0x2e, 0x31, 0x61, 0x00, 0x02,
2448 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30,
2449 0x32, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41,
2450 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4e, 0x54,
2451 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32,
2455 memset(pm_results, 0,
sizeof(pm_results));
2457 memset(&f, 0x00,
sizeof(f));
2460 const char *buf =
"|ff|SMB";
2476 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2477 &f, l7data,
sizeof(l7data), STREAM_TOCLIENT,
2488 static int AppLayerProtoDetectTest09(
void)
2493 uint8_t l7data[] = {
2494 0x00, 0x00, 0x00, 0x66, 0xfe, 0x53, 0x4d, 0x42,
2495 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2496 0x00, 0x00, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00,
2497 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2498 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2499 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2500 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2501 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2502 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x01, 0x00,
2503 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2504 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2505 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2506 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2510 memset(pm_results, 0,
sizeof(pm_results));
2512 memset(&f, 0x00,
sizeof(f));
2515 const char *buf =
"|fe|SMB";
2531 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2532 &f, l7data,
sizeof(l7data), STREAM_TOCLIENT,
2543 static int AppLayerProtoDetectTest10(
void)
2548 uint8_t l7data[] = {
2549 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
2550 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2551 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
2552 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
2553 0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11,
2554 0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57,
2555 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
2556 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
2557 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
2560 memset(pm_results, 0,
sizeof(pm_results));
2562 memset(&f, 0x00,
sizeof(f));
2565 const char *buf =
"|05 00|";
2581 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2582 &f, l7data,
sizeof(l7data), STREAM_TOCLIENT,
2597 static int AppLayerProtoDetectTest11(
void)
2602 uint8_t l7data[] =
"CONNECT www.ssllabs.com:443 HTTP/1.0\r\n";
2603 uint8_t l7data_resp[] =
"HTTP/1.1 405 Method Not Allowed\r\n";
2605 memset(pm_results, 0,
sizeof(pm_results));
2607 memset(&f, 0x00,
sizeof(f));
2619 IPPROTO_TCP,
ALPROTO_HTTP1,
"TRACE", 5, 0, STREAM_TOSERVER);
2621 IPPROTO_TCP,
ALPROTO_HTTP1,
"OPTIONS", 7, 0, STREAM_TOSERVER);
2623 IPPROTO_TCP,
ALPROTO_HTTP1,
"CONNECT", 7, 0, STREAM_TOSERVER);
2648 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2649 &f, l7data,
sizeof(l7data), STREAM_TOSERVER,
2654 memset(pm_results, 0,
sizeof(pm_results));
2656 &f, l7data_resp,
sizeof(l7data_resp), STREAM_TOCLIENT,
2670 static int AppLayerProtoDetectTest12(
void)
2682 printf(
"failure 1\n");
2688 printf(
"failure 2\n");
2694 printf(
"failure 3\n");
2698 printf(
"failure 4\n");
2702 printf(
"failure 5\n");
2706 printf(
"failure 6\n");
2722 static int AppLayerProtoDetectTest13(
void)
2727 uint8_t l7data[] =
"CONNECT www.ssllabs.com:443 HTTP/1.0\r\n";
2728 uint8_t l7data_resp[] =
"HTTP/1.1 405 Method Not Allowed\r\n";
2732 memset(&f, 0x00,
sizeof(f));
2744 IPPROTO_UDP,
ALPROTO_HTTP1,
"TRACE", 5, 0, STREAM_TOSERVER);
2746 IPPROTO_UDP,
ALPROTO_HTTP1,
"OPTIONS", 7, 0, STREAM_TOSERVER);
2748 IPPROTO_UDP,
ALPROTO_HTTP1,
"CONNECT", 7, 0, STREAM_TOSERVER);
2769 memset(pm_results, 0,
sizeof(pm_results));
2771 uint32_t
cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2772 &f, l7data,
sizeof(l7data), STREAM_TOSERVER,
2776 memset(pm_results, 0,
sizeof(pm_results));
2778 &f, l7data_resp,
sizeof(l7data_resp), STREAM_TOCLIENT,
2793 static int AppLayerProtoDetectTest14(
void)
2798 uint8_t l7data[] =
"CONNECT www.ssllabs.com:443 HTTP/1.0\r\n";
2799 uint8_t l7data_resp[] =
"HTTP/1.1 405 Method Not Allowed\r\n";
2803 memset(&f, 0x00,
sizeof(f));
2815 IPPROTO_UDP,
ALPROTO_HTTP1,
"TRACE", 5, 0, STREAM_TOSERVER);
2817 IPPROTO_UDP,
ALPROTO_HTTP1,
"OPTIONS", 7, 0, STREAM_TOSERVER);
2819 IPPROTO_UDP,
ALPROTO_HTTP1,
"CONNECT", 7, 0, STREAM_TOSERVER);
2841 memset(pm_results, 0,
sizeof(pm_results));
2844 &f, l7data,
sizeof(l7data), STREAM_TOSERVER,
2849 memset(pm_results, 0,
sizeof(pm_results));
2851 &f, l7data_resp,
sizeof(l7data_resp), STREAM_TOCLIENT,
2894 int i = -1, j = -1 , k = -1;
2898 for (i = 0; i < no_of_ip_proto; i++, pp = pp->
next) {
2899 if (pp->ipproto != ip_proto[i].
ipproto)
2903 for (k = 0; k < ip_proto[i].
no_of_port; k++, pp_port = pp_port->
next) {
2904 if (pp_port->port != ip_proto[i].
port[k].
port)
2916 j++, pp_element = pp_element->
next) {
2928 if (pp_element != NULL)
2931 pp_element = pp_port->sp;
2946 if (pp_element != NULL)
2949 if (pp_port != NULL)
2958 printf(
"i = %d, k = %d, j = %d(%s)\n", i, k, j, (dir == 0) ?
"ts" :
"tc");
2963 static uint16_t ProbingParserDummyForTesting(
Flow *f, uint8_t direction,
2964 const uint8_t *input,
2965 uint32_t input_len, uint8_t *rdir)
2970 static int AppLayerProtoDetectTest15(
void)
2978 ProbingParserDummyForTesting, NULL);
2984 ProbingParserDummyForTesting, NULL);
2990 ProbingParserDummyForTesting, NULL);
2997 ProbingParserDummyForTesting, NULL);
3003 ProbingParserDummyForTesting, NULL);
3009 ProbingParserDummyForTesting, NULL);
3015 ProbingParserDummyForTesting, NULL);
3022 ProbingParserDummyForTesting, NULL);
3028 ProbingParserDummyForTesting, NULL);
3036 ProbingParserDummyForTesting, NULL);
3044 ProbingParserDummyForTesting, NULL);
3050 ProbingParserDummyForTesting, NULL);
3057 ProbingParserDummyForTesting, NULL);
3063 ProbingParserDummyForTesting, NULL);
3069 ProbingParserDummyForTesting, NULL);
3071 ProbingParserDummyForTesting, NULL);
3077 ProbingParserDummyForTesting, NULL);
3083 ProbingParserDummyForTesting, NULL);
3089 ProbingParserDummyForTesting, NULL);
3095 ProbingParserDummyForTesting, NULL);
3101 ProbingParserDummyForTesting, NULL);
3107 ProbingParserDummyForTesting, NULL);
3119 {
"smb",
ALPROTO_SMB, 80, 5, 6 }, {
"ftp",
ALPROTO_FTP, 80, 7, 10 },
3120 {
"jabber",
ALPROTO_JABBER, 0, 12, 23 }, {
"irc",
ALPROTO_IRC, 0, 12, 14 },
3132 {
"dcerpc",
ALPROTO_DCERPC, 81, 9, 10 }, {
"jabber",
ALPROTO_JABBER, 0, 12, 23 },
3133 {
"irc",
ALPROTO_IRC, 0, 12, 14 }, {
"tls",
ALPROTO_TLS, 0, 12, 18 },
3146 {
"jabber",
ALPROTO_JABBER, 0, 12, 23 }, {
"irc",
ALPROTO_IRC, 0, 12, 14 },
3156 {
"jabber",
ALPROTO_JABBER, 0, 12, 23 }, {
"irc",
ALPROTO_IRC, 0, 12, 14 },
3166 {
"irc",
ALPROTO_IRC, 0, 12, 14 }, {
"tls",
ALPROTO_TLS, 0, 12, 18 },
3195 { 85, 23, 23, element_ts_85, element_tc_85,
3198 { 90, 23, 23, element_ts_90, element_tc_90,
3201 { 0, 23, 23, element_ts_0, element_tc_0,
3230 if (AppLayerProtoDetectPPTestData(alpd_ctx.
ctx_pp, ip_proto,
3244 static int AppLayerProtoDetectTest16(
void)
3249 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
3250 "User-Agent: Mozilla/1.0\r\n"
3251 "Cookie: hellocatch\r\n\r\n";
3252 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
3266 printf(
"packet setup failed: ");
3270 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1024, 80);
3272 printf(
"flow setup failed: ");
3276 f->
proto = IPPROTO_TCP;
3294 "(msg:\"Test content option\"; "
3306 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3311 if (http_state == NULL) {
3312 printf(
"no http state: ");
3320 printf(
"sig 1 didn't alert, but it should: ");
3327 if (det_ctx != NULL)
3343 static int AppLayerProtoDetectTest17(
void)
3348 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
3349 "User-Agent: Mozilla/1.0\r\n"
3350 "Cookie: hellocatch\r\n\r\n";
3351 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
3365 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1024, 80);
3369 f->
proto = IPPROTO_TCP;
3385 "(msg:\"http over non standar port\"; "
3397 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3402 if (http_state == NULL) {
3403 printf(
"no http state: ");
3411 printf(
"sig 1 didn't alert, but it should: ");
3420 if (det_ctx != NULL)
3436 static int AppLayerProtoDetectTest18(
void)
3441 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
3442 "User-Agent: Mozilla/1.0\r\n"
3443 "Cookie: hellocatch\r\n\r\n";
3444 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
3458 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1024, 80);
3462 f->
proto = IPPROTO_TCP;
3478 "(msg:\"Test content option\"; "
3490 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3495 if (http_state == NULL) {
3496 printf(
"no http state: ");
3504 printf(
"sig 1 alerted, but it should not (it's not ftp): ");
3512 if (det_ctx != NULL)
3528 static int AppLayerProtoDetectTest19(
void)
3532 uint8_t http_buf1[] =
"MPUT one\r\n";
3533 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
3547 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1024, 80);
3551 f->
proto = IPPROTO_TCP;
3567 "(msg:\"http over non standar port\"; "
3577 STREAM_TOSERVER, http_buf1, http_buf1_len);
3579 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3587 printf(
"sig 1 alerted, but it should not (it's ftp): ");
3596 if (det_ctx != NULL)
3613 UtRegisterTest(
"AppLayerProtoDetectTest01", AppLayerProtoDetectTest01);
3614 UtRegisterTest(
"AppLayerProtoDetectTest02", AppLayerProtoDetectTest02);
3615 UtRegisterTest(
"AppLayerProtoDetectTest03", AppLayerProtoDetectTest03);
3616 UtRegisterTest(
"AppLayerProtoDetectTest04", AppLayerProtoDetectTest04);
3617 UtRegisterTest(
"AppLayerProtoDetectTest05", AppLayerProtoDetectTest05);
3618 UtRegisterTest(
"AppLayerProtoDetectTest06", AppLayerProtoDetectTest06);
3619 UtRegisterTest(
"AppLayerProtoDetectTest07", AppLayerProtoDetectTest07);
3620 UtRegisterTest(
"AppLayerProtoDetectTest08", AppLayerProtoDetectTest08);
3621 UtRegisterTest(
"AppLayerProtoDetectTest09", AppLayerProtoDetectTest09);
3622 UtRegisterTest(
"AppLayerProtoDetectTest10", AppLayerProtoDetectTest10);
3623 UtRegisterTest(
"AppLayerProtoDetectTest11", AppLayerProtoDetectTest11);
3624 UtRegisterTest(
"AppLayerProtoDetectTest12", AppLayerProtoDetectTest12);
3625 UtRegisterTest(
"AppLayerProtoDetectTest13", AppLayerProtoDetectTest13);
3626 UtRegisterTest(
"AppLayerProtoDetectTest14", AppLayerProtoDetectTest14);
3627 UtRegisterTest(
"AppLayerProtoDetectTest15", AppLayerProtoDetectTest15);
3628 UtRegisterTest(
"AppLayerProtoDetectTest16", AppLayerProtoDetectTest16);
3629 UtRegisterTest(
"AppLayerProtoDetectTest17", AppLayerProtoDetectTest17);
3630 UtRegisterTest(
"AppLayerProtoDetectTest18", AppLayerProtoDetectTest18);
3631 UtRegisterTest(
"AppLayerProtoDetectTest19", AppLayerProtoDetectTest19);