185 static void AppLayerProtoDetectPEGetIpprotos(
AppProto alproto,
196 uint32_t buflen, uint16_t searchlen,
bool *rflow)
201 SCLogDebug(
"s->co->offset (%"PRIu16
") > searchlen (%"PRIu16
")",
205 if (s->
cd->
depth > searchlen) {
206 SCLogDebug(
"s->co->depth (%"PRIu16
") > searchlen (%"PRIu16
")",
211 const uint8_t *sbuf = buf + s->
cd->
offset;
213 SCLogDebug(
"s->co->offset (%"PRIu16
") s->cd->depth (%"PRIu16
")",
222 uint8_t direction = (
flags & (STREAM_TOSERVER | STREAM_TOCLIENT));
223 SCLogDebug(
"matching, s->direction %s, our dir %s",
224 (s->
direction & STREAM_TOSERVER) ?
"toserver" :
"toclient",
225 (
flags & STREAM_TOSERVER) ?
"toserver" :
"toclient");
230 SCLogDebug(
"direction is wrong, rflow = true");
236 SCLogDebug(
"PP can't be run yet as pp_min_depth %u > buflen %u",
244 SCLogDebug(
"found %s/%u, rdir %02x reverse_flow? %s",
246 (rdir && direction != rdir) ?
"true" :
"false");
247 *rflow = (rdir && direction != rdir);
254 SCLogDebug(
"depth reached and answer inconclusive: fail");
269 uint32_t buflen, uint8_t
flags,
AppProto *pm_results,
bool *rflow)
275 SCLogDebug(
"searchlen %u buflen %u", searchlen, buflen);
281 if (search_cnt == 0) {
289 memset(pm_results_bf, 0,
sizeof(pm_results_bf));
298 s, tctx, f,
flags, buf, buflen, searchlen, rflow);
301 if (AppProtoIsValid(
proto) &&
302 !(pm_results_bf[
proto / 8] & (1 << (
proto % 8))) )
304 pm_results[pm_matches++] =
proto;
310 if (pm_matches == 0 && buflen >= pm_ctx->
pp_max_len) {
322 const uint8_t *buf, uint32_t buflen, uint8_t
flags,
AppProto *pm_results,
bool *rflow)
337 if (
flags & STREAM_TOSERVER) {
345 m = PMGetProtoInspect(tctx, pm_ctx, mpm_tctx, f, buf, buflen,
flags, pm_results, rflow);
366 if (
flags & STREAM_TOSERVER) {
373 SCLogDebug(
"no matches and in midstream mode, lets try the "
374 "*patterns for the other side");
378 om = PMGetProtoInspect(
379 tctx, pm_ctx, mpm_tctx, f, buf, buflen,
flags, pm_results, rflow);
387 }
else if (om < 0 &&
m &&
m < 0) {
392 }
else if (om == 0 ||
m == 0) {
414 while (pp_port != NULL) {
415 if (pp_port->
dp != NULL && pp_port->
dp->
alproto == alproto) {
416 pp_elem = pp_port->
dp;
419 if (pp_port->
sp != NULL && pp_port->
sp->
alproto == alproto) {
420 pp_elem = pp_port->
sp;
423 pp_port = pp_port->
next;
426 SCReturnPtr(pp_elem,
"AppLayerProtoDetectProbingParserElement *");
446 while (pp_port != NULL) {
447 if (pp_port->
port == port || pp_port->
port == 0) {
450 pp_port = pp_port->
next;
454 SCReturnPtr(pp_port,
"AppLayerProtoDetectProbingParserPort *");
462 static AppProto AppLayerProtoDetectPEGetProto(
Flow *f, uint8_t ipproto, uint8_t
flags)
475 uint8_t
flags,
const uint8_t *buf, uint32_t buflen, uint32_t *alproto_masks, uint8_t *rdir)
478 if ((buflen < pe->min_depth) ||
490 if (AppProtoIsValid(alproto)) {
510 static AppProto AppLayerProtoDetectPPGetProto(
Flow *f,
const uint8_t *buf, uint32_t buflen,
511 uint8_t ipproto,
const uint8_t
flags,
bool *reverse_flow)
519 uint32_t *alproto_masks;
521 uint8_t idir = (
flags & (STREAM_TOSERVER | STREAM_TOCLIENT));
525 bool probe_is_found =
false;
532 (dir == STREAM_TOSERVER) ?
"toserver" :
"toclient");
534 if (dir == STREAM_TOSERVER) {
536 pp_port_dp = AppLayerProtoDetectGetProbingParsers(alpd_ctx.
ctx_pp, ipproto, dp);
538 if (pp_port_dp != NULL) {
539 SCLogDebug(
"toserver - Probing parser found for destination port %"PRIu16, dp);
542 pe1 = pp_port_dp->
dp;
544 SCLogDebug(
"toserver - No probing parser registered for dest port %"PRIu16, dp);
547 pp_port_sp = AppLayerProtoDetectGetProbingParsers(alpd_ctx.
ctx_pp, ipproto, sp);
548 if (pp_port_sp != NULL) {
549 SCLogDebug(
"toserver - Probing parser found for source port %"PRIu16, sp);
552 pe2 = pp_port_sp->
sp;
554 SCLogDebug(
"toserver - No probing parser registered for source port %"PRIu16, sp);
558 pp_port_dp = AppLayerProtoDetectGetProbingParsers(alpd_ctx.
ctx_pp, ipproto, dp);
564 if (pp_port_dp != NULL) {
565 SCLogDebug(
"toclient - Probing parser found for destination port %"PRIu16, dp);
568 pe1 = pp_port_dp->
dp;
570 SCLogDebug(
"toclient - No probing parser registered for dest port %"PRIu16, dp);
573 pp_port_sp = AppLayerProtoDetectGetProbingParsers(alpd_ctx.
ctx_pp, ipproto, sp);
574 if (pp_port_sp != NULL) {
575 SCLogDebug(
"toclient - Probing parser found for source port %"PRIu16, sp);
577 pe2 = pp_port_sp->
sp;
579 SCLogDebug(
"toclient - No probing parser registered for source port %"PRIu16, sp);
584 pe0 = AppLayerProtoDetectGetProbingParser(alpd_ctx.
ctx_pp, ipproto, f->
alproto_tc);
586 pe0 = AppLayerProtoDetectGetProbingParser(alpd_ctx.
ctx_pp, ipproto, f->
alproto_ts);
589 if (pe1 == NULL && pe2 == NULL && pe0 == NULL) {
590 SCLogDebug(
"%s - No probing parsers found for either port",
591 (dir == STREAM_TOSERVER) ?
"toserver":
"toclient");
594 probe_is_found =
true;
599 alproto = PPGetProto(pe0, f,
flags, buf, buflen, alproto_masks, &rdir);
600 if (AppProtoIsValid(alproto))
602 alproto = PPGetProto(pe1, f,
flags, buf, buflen, alproto_masks, &rdir);
603 if (AppProtoIsValid(alproto))
605 alproto = PPGetProto(pe2, f,
flags, buf, buflen, alproto_masks, &rdir);
606 if (AppProtoIsValid(alproto))
611 if (pp_port_dp && pp_port_sp)
618 if (alproto_masks[0] == mask) {
620 SCLogDebug(
"%s, mask is now %08x, needed %08x, so done",
621 (dir == STREAM_TOSERVER) ?
"toserver":
"toclient",
622 alproto_masks[0], mask);
625 (dir == STREAM_TOSERVER) ?
"toserver":
"toclient",
626 alproto_masks[0], mask);
632 if (idir == STREAM_TOSERVER) {
633 dir = STREAM_TOCLIENT;
635 dir = STREAM_TOSERVER;
637 SCLogDebug(
"no match + midstream, retry the other direction %s",
638 (dir == STREAM_TOSERVER) ?
"toserver" :
"toclient");
639 goto again_midstream;
640 }
else if (!probe_is_found) {
645 if (AppProtoIsValid(alproto) && rdir != 0 && rdir != idir) {
646 SCLogDebug(
"PP found %u, is reverse flow", alproto);
647 *reverse_flow =
true;
651 (idir == STREAM_TOSERVER) ?
"toserver":
"toclient", alproto_masks[0]);
657 static void AppLayerProtoDetectPPGetIpprotos(
AppProto alproto,
666 for (pp = alpd_ctx.
ctx_pp; pp != NULL; pp = pp->
next) {
667 for (pp_port = pp->
port; pp_port != NULL; pp_port = pp_port->
next) {
668 for (pp_pe = pp_port->
dp; pp_pe != NULL; pp_pe = pp_pe->
next) {
672 for (pp_pe = pp_port->
sp; pp_pe != NULL; pp_pe = pp_pe->
next) {
682 static uint32_t AppLayerProtoDetectProbingParserGetMask(
AppProto alproto)
703 SCReturnPtr(p,
"AppLayerProtoDetectProbingParserElement");
724 SCReturnPtr(p,
"AppLayerProtoDetectProbingParserPort");
736 AppLayerProtoDetectProbingParserElementFree(e);
743 AppLayerProtoDetectProbingParserElementFree(e);
762 SCReturnPtr(p,
"AppLayerProtoDetectProbingParser");
772 AppLayerProtoDetectProbingParserPortFree(pt);
782 AppLayerProtoDetectProbingParserElementCreate(
AppProto alproto,
791 pe->
alproto_mask = AppLayerProtoDetectProbingParserGetMask(alproto);
796 if (max_depth != 0 && min_depth >= max_depth) {
798 "register the probing parser. min_depth >= max_depth");
801 if (alproto <= ALPROTO_UNKNOWN || alproto >=
ALPROTO_MAX) {
803 "the probing parser. Invalid alproto - %d", alproto);
807 SCReturnPtr(pe,
"AppLayerProtoDetectProbingParserElement");
809 AppLayerProtoDetectProbingParserElementFree(pe);
810 SCReturnPtr(NULL,
"AppLayerProtoDetectProbingParserElement");
829 SCReturnPtr(new_pe,
"AppLayerProtoDetectProbingParserElement");
840 printf(
"\nProtocol Detection Configuration\n");
842 for ( ; pp != NULL; pp = pp->
next) {
844 if (pp->
ipproto == IPPROTO_TCP)
845 printf(
"IPProto: TCP\n");
846 else if (pp->
ipproto == IPPROTO_UDP)
847 printf(
"IPProto: UDP\n");
849 printf(
"IPProto: %"PRIu8
"\n", pp->
ipproto);
852 for ( ; pp_port != NULL; pp_port = pp_port->
next) {
853 if (pp_port->
dp != NULL) {
854 printf(
" Port: %"PRIu16
"\n", pp_port->
port);
856 printf(
" Destination port: (max-depth: %"PRIu16
", "
857 "mask - %"PRIu32
")\n",
861 for ( ; pp_pe != NULL; pp_pe = pp_pe->
next) {
864 printf(
" alproto: ALPROTO_HTTP1\n");
866 printf(
" alproto: ALPROTO_FTP\n");
868 printf(
" alproto: ALPROTO_FTPDATA\n");
870 printf(
" alproto: ALPROTO_SMTP\n");
872 printf(
" alproto: ALPROTO_TLS\n");
874 printf(
" alproto: ALPROTO_SSH\n");
876 printf(
" alproto: ALPROTO_IMAP\n");
878 printf(
" alproto: ALPROTO_JABBER\n");
880 printf(
" alproto: ALPROTO_SMB\n");
882 printf(
" alproto: ALPROTO_DCERPC\n");
884 printf(
" alproto: ALPROTO_IRC\n");
886 printf(
" alproto: ALPROTO_DNS\n");
888 printf(
" alproto: ALPROTO_MODBUS\n");
890 printf(
" alproto: ALPROTO_ENIP\n");
892 printf(
" alproto: ALPROTO_NFS\n");
894 printf(
" alproto: ALPROTO_NTP\n");
896 printf(
" alproto: ALPROTO_TFTP\n");
898 printf(
" alproto: ALPROTO_IKE\n");
900 printf(
" alproto: ALPROTO_KRB5\n");
902 printf(
" alproto: ALPROTO_DHCP\n");
904 printf(
" alproto: ALPROTO_QUIC\n");
906 printf(
" alproto: ALPROTO_SNMP\n");
908 printf(
" alproto: ALPROTO_SIP\n");
910 printf(
" alproto: ALPROTO_TEMPLATE_RUST\n");
912 printf(
" alproto: ALPROTO_RFB\n");
914 printf(
" alproto: ALPROTO_MQTT\n");
916 printf(
" alproto: ALPROTO_PGSQL\n");
918 printf(
" alproto: ALPROTO_TELNET\n");
920 printf(
" alproto: ALPROTO_TEMPLATE\n");
922 printf(
" alproto: ALPROTO_DNP3\n");
924 printf(
"impossible\n");
926 printf(
" port: %"PRIu16
"\n", pp_pe->
port);
928 printf(
" min_depth: %"PRIu32
"\n", pp_pe->
min_depth);
929 printf(
" max_depth: %"PRIu32
"\n", pp_pe->
max_depth);
935 if (pp_port->
sp == NULL) {
939 printf(
" Source port: (max-depth: %"PRIu16
", "
940 "mask - %"PRIu32
")\n",
944 for ( ; pp_pe != NULL; pp_pe = pp_pe->
next) {
947 printf(
" alproto: ALPROTO_HTTP1\n");
949 printf(
" alproto: ALPROTO_FTP\n");
951 printf(
" alproto: ALPROTO_FTPDATA\n");
953 printf(
" alproto: ALPROTO_SMTP\n");
955 printf(
" alproto: ALPROTO_TLS\n");
957 printf(
" alproto: ALPROTO_SSH\n");
959 printf(
" alproto: ALPROTO_IMAP\n");
961 printf(
" alproto: ALPROTO_JABBER\n");
963 printf(
" alproto: ALPROTO_SMB\n");
965 printf(
" alproto: ALPROTO_DCERPC\n");
967 printf(
" alproto: ALPROTO_IRC\n");
969 printf(
" alproto: ALPROTO_DNS\n");
971 printf(
" alproto: ALPROTO_MODBUS\n");
973 printf(
" alproto: ALPROTO_ENIP\n");
975 printf(
" alproto: ALPROTO_NFS\n");
977 printf(
" alproto: ALPROTO_NTP\n");
979 printf(
" alproto: ALPROTO_TFTP\n");
981 printf(
" alproto: ALPROTO_IKE\n");
983 printf(
" alproto: ALPROTO_KRB5\n");
985 printf(
" alproto: ALPROTO_QUIC\n");
987 printf(
" alproto: ALPROTO_DHCP\n");
989 printf(
" alproto: ALPROTO_SNMP\n");
991 printf(
" alproto: ALPROTO_SIP\n");
993 printf(
" alproto: ALPROTO_TEMPLATE_RUST\n");
995 printf(
" alproto: ALPROTO_RFB\n");
997 printf(
" alproto: ALPROTO_MQTT\n");
999 printf(
" alproto: ALPROTO_PGSQL\n");
1001 printf(
" alproto: ALPROTO_TELNET\n");
1003 printf(
" alproto: ALPROTO_TEMPLATE\n");
1005 printf(
" alproto: ALPROTO_DNP3\n");
1007 printf(
"impossible\n");
1009 printf(
" port: %"PRIu16
"\n", pp_pe->
port);
1011 printf(
" min_depth: %"PRIu32
"\n", pp_pe->
min_depth);
1012 printf(
" max_depth: %"PRIu32
"\n", pp_pe->
max_depth);
1028 if (*head_pe == NULL) {
1033 if ((*head_pe)->port == 0) {
1034 if (new_pe->
port != 0) {
1035 new_pe->
next = *head_pe;
1039 while (temp_pe->
next != NULL)
1040 temp_pe = temp_pe->
next;
1041 temp_pe->
next = new_pe;
1045 if (new_pe->
port == 0) {
1046 while (temp_pe->
next != NULL)
1047 temp_pe = temp_pe->
next;
1048 temp_pe->
next = new_pe;
1050 while (temp_pe->
next != NULL && temp_pe->
next->
port != 0)
1051 temp_pe = temp_pe->
next;
1053 temp_pe->
next = new_pe;
1067 if (*head_pp == NULL) {
1073 while (temp_pp->
next != NULL)
1074 temp_pp = temp_pp->
next;
1075 temp_pp->
next = new_pp;
1086 if (*head_port == NULL) {
1087 *head_port = new_port;
1091 if ((*head_port)->port == 0) {
1092 new_port->
next = *head_port;
1093 *head_port = new_port;
1096 while (temp_port->
next != NULL && temp_port->
next->
port != 0) {
1097 temp_port = temp_port->
next;
1100 temp_port->
next = new_port;
1111 uint16_t min_depth, uint16_t max_depth,
1120 while (curr_pp != NULL) {
1121 if (curr_pp->
ipproto == ipproto)
1123 curr_pp = curr_pp->
next;
1125 if (curr_pp == NULL) {
1128 AppLayerProtoDetectProbingParserAppend(pp, new_pp);
1134 while (curr_port != NULL) {
1135 if (curr_port->
port == port)
1137 curr_port = curr_port->
next;
1139 if (curr_port == NULL) {
1141 new_port->
port = port;
1142 AppLayerProtoDetectProbingParserPortAppend(&curr_pp->
port, new_port);
1143 curr_port = new_port;
1144 if (direction & STREAM_TOSERVER) {
1152 zero_port = curr_pp->
port;
1153 while (zero_port != NULL && zero_port->
port != 0) {
1154 zero_port = zero_port->
next;
1156 if (zero_port != NULL) {
1159 zero_pe = zero_port->
dp;
1160 for ( ; zero_pe != NULL; zero_pe = zero_pe->
next) {
1161 if (curr_port->
dp == NULL)
1171 AppLayerProtoDetectProbingParserElementDuplicate(zero_pe);
1172 AppLayerProtoDetectProbingParserElementAppend(&curr_port->
dp, dup_pe);
1176 zero_pe = zero_port->
sp;
1177 for ( ; zero_pe != NULL; zero_pe = zero_pe->
next) {
1178 if (curr_port->
sp == NULL)
1188 AppLayerProtoDetectProbingParserElementDuplicate(zero_pe);
1189 AppLayerProtoDetectProbingParserElementAppend(&curr_port->
sp, dup_pe);
1197 if (direction & STREAM_TOSERVER)
1198 curr_pe = curr_port->
dp;
1200 curr_pe = curr_port->
sp;
1201 while (curr_pe != NULL) {
1202 if (curr_pe->
alproto == alproto) {
1204 "ipproto - %"PRIu8
" Port - %"PRIu16
" "
1205 "App Protocol - NULL, App Protocol(ID) - "
1206 "%"PRIu16
" min_depth - %"PRIu16
" "
1207 "max_dept - %"PRIu16
".",
1208 ipproto, port, alproto,
1209 min_depth, max_depth);
1212 curr_pe = curr_pe->
next;
1216 AppLayerProtoDetectProbingParserElementCreate(alproto,
1218 min_depth, max_depth);
1223 if (direction & STREAM_TOSERVER) {
1226 if (curr_port->
dp == NULL)
1235 head_pe = &curr_port->
dp;
1239 if (curr_port->
sp == NULL)
1248 head_pe = &curr_port->
sp;
1250 AppLayerProtoDetectProbingParserElementAppend(head_pe, new_pe);
1252 if (curr_port->
port == 0) {
1254 while (temp_port != NULL && temp_port->
port != 0) {
1255 if (direction & STREAM_TOSERVER) {
1256 if (temp_port->
dp == NULL)
1264 AppLayerProtoDetectProbingParserElementAppend(&temp_port->
dp,
1265 AppLayerProtoDetectProbingParserElementDuplicate(curr_pe));
1268 if (temp_port->
sp == NULL)
1276 AppLayerProtoDetectProbingParserElementAppend(&temp_port->
sp,
1277 AppLayerProtoDetectProbingParserElementDuplicate(curr_pe));
1280 temp_port = temp_port->
next;
1290 static void AppLayerProtoDetectPMGetIpprotos(
AppProto alproto,
1297 for (
int j = 0; j < 2; j++) {
1303 ipprotos[ipproto / 8] |= 1 << (ipproto % 8);
1315 typedef struct TempContainer_ {
1317 uint16_t content_len;
1322 uint32_t struct_total_size = 0;
1323 uint32_t content_total_size = 0;
1325 uint8_t *ahb = NULL;
1326 uint8_t *content = NULL;
1327 uint16_t content_len = 0;
1329 TempContainer *struct_offset = NULL;
1330 uint8_t *content_offset = NULL;
1333 if (ctx->
head == NULL)
1336 for (s = ctx->
head; s != NULL; s = s->
next) {
1337 struct_total_size +=
sizeof(TempContainer);
1342 ahb =
SCMalloc(
sizeof(uint8_t) * (struct_total_size + content_total_size));
1346 struct_offset = (TempContainer *)ahb;
1347 content_offset = ahb + struct_total_size;
1348 for (s = ctx->
head; s != NULL; s = s->
next) {
1349 TempContainer *tcdup = (TempContainer *)ahb;
1353 for (; tcdup != struct_offset; tcdup++) {
1354 if (tcdup->content_len != content_len ||
1355 SCMemcmp(tcdup->content, content, tcdup->content_len) != 0)
1362 if (tcdup != struct_offset) {
1363 s->
cd->
id = tcdup->id;
1367 struct_offset->content_len = content_len;
1368 struct_offset->content = content_offset;
1369 content_offset += content_len;
1370 memcpy(struct_offset->content, content, content_len);
1371 struct_offset->id = max_id++;
1372 s->
cd->
id = struct_offset->id;
1398 if (ctx->
map == NULL)
1403 for (s = ctx->
head; s != NULL; ) {
1423 ctx->
map[s->
id] = s;
1465 AppProto alproto, uint8_t direction,
1467 uint16_t pp_min_depth, uint16_t pp_max_depth)
1489 static int AppLayerProtoDetectPMRegisterPattern(uint8_t ipproto,
AppProto alproto,
1490 const char *pattern,
1491 uint16_t depth, uint16_t
offset,
1495 uint16_t pp_min_depth, uint16_t pp_max_depth)
1519 if (depth < cd->content_len)
1522 if (direction & STREAM_TOSERVER)
1529 if (depth < ctx_pm->min_len)
1533 AppLayerProtoDetectPMAddSignature(ctx_pm, cd, alproto, direction,
1534 PPFunc, pp_min_depth, pp_max_depth);
1547 const uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t
flags,
bool *reverse_flow)
1550 SCLogDebug(
"buflen %u for %s direction", buflen,
1551 (
flags & STREAM_TOSERVER) ?
"toserver" :
"toclient");
1558 uint16_t pm_matches = AppLayerProtoDetectPMGetProto(
1559 tctx, f, buf, buflen,
flags, pm_results, reverse_flow);
1560 if (pm_matches > 0) {
1562 alproto = pm_results[0];
1565 uint8_t reverse_dir = (
flags & STREAM_TOSERVER) ? STREAM_TOCLIENT : STREAM_TOSERVER;
1578 pm_alproto = alproto;
1586 alproto = AppLayerProtoDetectPPGetProto(f, buf, buflen, ipproto,
flags, &rflow);
1587 if (AppProtoIsValid(alproto)) {
1589 *reverse_flow =
true;
1597 alproto = AppLayerProtoDetectPEGetProto(f, ipproto,
flags);
1601 if (!AppProtoIsValid(alproto))
1602 alproto = pm_alproto;
1616 while (pp != NULL) {
1618 AppLayerProtoDetectProbingParserFree(pp);
1626 static void AppLayerProtoDetectFreeAliases(
void)
1631 if (cur_alias == NULL)
1635 while (cur_alias != NULL) {
1636 next_alias = cur_alias->
next;
1638 cur_alias = next_alias;
1658 for (j = 0; j < 2; j++) {
1661 if (AppLayerProtoDetectPMSetContentIDs(ctx_pm) < 0)
1667 if (AppLayerProtoDetectPMMapSignatures(ctx_pm) < 0)
1669 if (AppLayerProtoDetectPMPrepareMpm(ctx_pm) < 0)
1676 AppLayerProtoDetectPrintProbingParsers(alpd_ctx.
ctx_pp);
1694 const char *portstr,
1696 uint16_t min_depth, uint16_t max_depth,
1706 while (temp_dp != NULL) {
1707 uint16_t port = temp_dp->
port;
1708 if (port == 0 && temp_dp->
port2 != 0)
1710 for ( ; port <= temp_dp->
port2; port++) {
1711 AppLayerProtoDetectInsertNewProbingParser(&alpd_ctx.
ctx_pp,
1715 min_depth, max_depth,
1720 temp_dp = temp_dp->
next;
1729 const char *alproto_name,
1731 uint16_t min_depth, uint16_t max_depth,
1743 r = snprintf(param,
sizeof(param),
"%s%s%s",
"app-layer.protocols.",
1744 alproto_name,
".detection-ports");
1747 }
else if (r > (
int)
sizeof(param)) {
1752 SCLogDebug(
"Entry for %s not found.", param);
1753 r = snprintf(param,
sizeof(param),
"%s%s%s%s%s",
"app-layer.protocols.",
1754 alproto_name,
".", ipproto_name,
".detection-ports");
1757 }
else if (r > (
int)
sizeof(param)) {
1767 if (port_node == NULL)
1770 if (port_node != NULL && port_node->
val != NULL) {
1774 min_depth, max_depth,
1776 ProbingParserTs, ProbingParserTc);
1781 if (port_node == NULL)
1784 if (port_node != NULL && port_node->
val != NULL) {
1788 min_depth, max_depth,
1790 ProbingParserTc, ProbingParserTs);
1802 const char *pattern,
1803 uint16_t depth, uint16_t
offset,
1807 int r = AppLayerProtoDetectPMRegisterPattern(ipproto, alproto,
1815 const char *pattern, uint16_t depth, uint16_t
offset,
1818 uint16_t pp_min_depth, uint16_t pp_max_depth)
1821 int r = AppLayerProtoDetectPMRegisterPattern(ipproto, alproto,
1824 PPFunc, pp_min_depth, pp_max_depth);
1829 const char *pattern,
1830 uint16_t depth, uint16_t
offset,
1834 int r = AppLayerProtoDetectPMRegisterPattern(ipproto, alproto,
1849 memset(&alpd_ctx, 0,
sizeof(alpd_ctx));
1860 for (j = 0; j < 2; j++) {
1877 int ipproto_map = 0;
1884 for (dir = 0; dir < 2; dir++) {
1887 for (
id = 0;
id < pm_ctx->
max_sig_id;
id++) {
1888 sig = pm_ctx->
map[id];
1889 AppLayerProtoDetectPMFreeSignature(sig);
1898 AppLayerProtoDetectFreeAliases();
1900 AppLayerProtoDetectFreeProbingParsers(alpd_ctx.
ctx_pp);
1926 new_alias->
next = NULL;
1928 if (alpda_ctx == NULL) {
1929 alpda_ctx = new_alias;
1932 while (cur_alias->
next != NULL) {
1933 cur_alias = cur_alias->
next;
1935 cur_alias->
next = new_alias;
2010 const char *ipproto,
const char *alproto,
bool default_enabled)
2014 BUG_ON(ipproto == NULL || alproto == NULL);
2024 r = snprintf(param,
sizeof(param),
"%s%s%s",
"app-layer.protocols.",
2025 alproto,
".enabled");
2028 }
else if (r > (
int)
sizeof(param)) {
2034 SCLogDebug(
"Entry for %s not found.", param);
2035 r = snprintf(param,
sizeof(param),
"%s%s%s%s%s",
"app-layer.protocols.",
2036 alproto,
".", ipproto,
".enabled");
2039 }
else if (r > (
int)
sizeof(param)) {
2045 SCLogDebug(
"Entry for %s not found.", param);
2046 if (default_enabled) {
2059 }
else if (strcasecmp(node->
val,
"detection-only") == 0) {
2090 for (j = 0; j < 2; j++) {
2091 if (max_pat_id == 0) {
2112 for (j = 0; j < 2; j++) {
2139 int ipproto_map, dir;
2142 for (dir = 0; dir < 2; dir++) {
2168 AppLayerProtoDetectPMGetIpprotos(alproto, ipprotos);
2169 AppLayerProtoDetectPPGetIpprotos(alproto, ipprotos);
2170 AppLayerProtoDetectPEGetIpprotos(alproto, ipprotos);
2181 while (cur_alias != NULL) {
2182 if (strcasecmp(alproto_name, cur_alias->
proto_alias) == 0) {
2186 cur_alias = cur_alias->
next;
2192 if (alpd_ctx.
alproto_names[a] != NULL && AppProtoEquals(b, a)) {
2226 for (alproto = 0; alproto !=
ALPROTO_MAX; alproto++) {
2228 alprotos[alproto] = 1;
2236 static void AppLayerProtoDetectPEGetIpprotos(
AppProto alproto,
2240 ipprotos[IPPROTO_TCP / 8] |= 1 << (IPPROTO_TCP % 8);
2243 ipprotos[IPPROTO_UDP / 8] |= 1 << (IPPROTO_UDP % 8);
2252 "Expectation on 2 IP protocols are not supported");
2269 alpd_ctx_ut = alpd_ctx;
2270 memset(&alpd_ctx, 0,
sizeof(alpd_ctx));
2277 alpd_ctx = alpd_ctx_ut;
2278 memset(&alpd_ctx_ut, 0,
sizeof(alpd_ctx_ut));
2282 static int AppLayerProtoDetectTest01(
void)
2287 const char *buf =
"HTTP";
2301 static int AppLayerProtoDetectTest02(
void)
2306 const char *buf =
"HTTP";
2326 static int AppLayerProtoDetectTest03(
void)
2331 uint8_t l7data[] =
"HTTP/1.1 200 OK\r\nServer: Apache/1.0\r\n\r\n";
2333 memset(pm_results, 0,
sizeof(pm_results));
2335 memset(&f, 0x00,
sizeof(f));
2339 const char *buf =
"HTTP";
2358 uint32_t cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2359 &f, l7data,
sizeof(l7data),
2361 pm_results, &rflow);
2371 static int AppLayerProtoDetectTest04(
void)
2376 uint8_t l7data[] =
"HTTP/1.1 200 OK\r\nServer: Apache/1.0\r\n\r\n";
2378 memset(&f, 0x00,
sizeof(f));
2380 memset(pm_results, 0,
sizeof(pm_results));
2383 const char *buf =
"200 ";
2399 uint32_t cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2400 &f, l7data,
sizeof(l7data), STREAM_TOCLIENT,
2411 static int AppLayerProtoDetectTest05(
void)
2416 uint8_t l7data[] =
"HTTP/1.1 200 OK\r\nServer: Apache/1.0\r\n\r\n<HTML><BODY>Blahblah</BODY></HTML>";
2418 memset(pm_results, 0,
sizeof(pm_results));
2420 memset(&f, 0x00,
sizeof(f));
2423 const char *buf =
"HTTP";
2442 uint32_t cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2443 &f, l7data,
sizeof(l7data),
2455 static int AppLayerProtoDetectTest06(
void)
2460 uint8_t l7data[] =
"220 Welcome to the OISF FTP server\r\n";
2462 memset(pm_results, 0,
sizeof(pm_results));
2464 memset(&f, 0x00,
sizeof(f));
2467 const char *buf =
"HTTP";
2486 uint32_t cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2487 &f, l7data,
sizeof(l7data), STREAM_TOCLIENT,
2498 static int AppLayerProtoDetectTest07(
void)
2503 uint8_t l7data[] =
"220 Welcome to the OISF HTTP/FTP server\r\n";
2505 memset(&f, 0x00,
sizeof(f));
2508 memset(pm_results, 0,
sizeof(pm_results));
2510 const char *buf =
"HTTP";
2525 uint32_t cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2526 &f, l7data,
sizeof(l7data), STREAM_TOCLIENT,
2536 static int AppLayerProtoDetectTest08(
void)
2541 uint8_t l7data[] = {
2542 0x00, 0x00, 0x00, 0x85, 0xff, 0x53, 0x4d, 0x42,
2543 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x53, 0xc8,
2544 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2545 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xfe,
2546 0x00, 0x00, 0x00, 0x00, 0x00, 0x62, 0x00, 0x02,
2547 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,
2548 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52,
2549 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02,
2550 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e,
2551 0x30, 0x00, 0x02, 0x57, 0x69, 0x6e, 0x64, 0x6f,
2552 0x77, 0x73, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x57,
2553 0x6f, 0x72, 0x6b, 0x67, 0x72, 0x6f, 0x75, 0x70,
2554 0x73, 0x20, 0x33, 0x2e, 0x31, 0x61, 0x00, 0x02,
2555 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30,
2556 0x32, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41,
2557 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4e, 0x54,
2558 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32,
2562 memset(pm_results, 0,
sizeof(pm_results));
2564 memset(&f, 0x00,
sizeof(f));
2567 const char *buf =
"|ff|SMB";
2583 uint32_t cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2584 &f, l7data,
sizeof(l7data), STREAM_TOCLIENT,
2595 static int AppLayerProtoDetectTest09(
void)
2600 uint8_t l7data[] = {
2601 0x00, 0x00, 0x00, 0x66, 0xfe, 0x53, 0x4d, 0x42,
2602 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2603 0x00, 0x00, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00,
2604 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2605 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2606 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2607 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2608 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2609 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x01, 0x00,
2610 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2611 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2612 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2613 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2617 memset(pm_results, 0,
sizeof(pm_results));
2619 memset(&f, 0x00,
sizeof(f));
2622 const char *buf =
"|fe|SMB";
2638 uint32_t cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2639 &f, l7data,
sizeof(l7data), STREAM_TOCLIENT,
2650 static int AppLayerProtoDetectTest10(
void)
2655 uint8_t l7data[] = {
2656 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
2657 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2658 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
2659 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
2660 0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11,
2661 0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57,
2662 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
2663 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
2664 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
2667 memset(pm_results, 0,
sizeof(pm_results));
2669 memset(&f, 0x00,
sizeof(f));
2672 const char *buf =
"|05 00|";
2688 uint32_t cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2689 &f, l7data,
sizeof(l7data), STREAM_TOCLIENT,
2704 static int AppLayerProtoDetectTest11(
void)
2709 uint8_t l7data[] =
"CONNECT www.ssllabs.com:443 HTTP/1.0\r\n";
2710 uint8_t l7data_resp[] =
"HTTP/1.1 405 Method Not Allowed\r\n";
2712 memset(pm_results, 0,
sizeof(pm_results));
2714 memset(&f, 0x00,
sizeof(f));
2726 IPPROTO_TCP,
ALPROTO_HTTP1,
"TRACE", 5, 0, STREAM_TOSERVER);
2728 IPPROTO_TCP,
ALPROTO_HTTP1,
"OPTIONS", 7, 0, STREAM_TOSERVER);
2730 IPPROTO_TCP,
ALPROTO_HTTP1,
"CONNECT", 7, 0, STREAM_TOSERVER);
2755 uint32_t cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2756 &f, l7data,
sizeof(l7data), STREAM_TOSERVER,
2761 memset(pm_results, 0,
sizeof(pm_results));
2762 cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2763 &f, l7data_resp,
sizeof(l7data_resp), STREAM_TOCLIENT,
2777 static int AppLayerProtoDetectTest12(
void)
2789 printf(
"failure 1\n");
2795 printf(
"failure 2\n");
2801 printf(
"failure 3\n");
2805 printf(
"failure 4\n");
2809 printf(
"failure 5\n");
2813 printf(
"failure 6\n");
2829 static int AppLayerProtoDetectTest13(
void)
2834 uint8_t l7data[] =
"CONNECT www.ssllabs.com:443 HTTP/1.0\r\n";
2835 uint8_t l7data_resp[] =
"HTTP/1.1 405 Method Not Allowed\r\n";
2839 memset(&f, 0x00,
sizeof(f));
2851 IPPROTO_UDP,
ALPROTO_HTTP1,
"TRACE", 5, 0, STREAM_TOSERVER);
2853 IPPROTO_UDP,
ALPROTO_HTTP1,
"OPTIONS", 7, 0, STREAM_TOSERVER);
2855 IPPROTO_UDP,
ALPROTO_HTTP1,
"CONNECT", 7, 0, STREAM_TOSERVER);
2876 memset(pm_results, 0,
sizeof(pm_results));
2878 uint32_t cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2879 &f, l7data,
sizeof(l7data), STREAM_TOSERVER,
2883 memset(pm_results, 0,
sizeof(pm_results));
2884 cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2885 &f, l7data_resp,
sizeof(l7data_resp), STREAM_TOCLIENT,
2900 static int AppLayerProtoDetectTest14(
void)
2905 uint8_t l7data[] =
"CONNECT www.ssllabs.com:443 HTTP/1.0\r\n";
2906 uint8_t l7data_resp[] =
"HTTP/1.1 405 Method Not Allowed\r\n";
2910 memset(&f, 0x00,
sizeof(f));
2922 IPPROTO_UDP,
ALPROTO_HTTP1,
"TRACE", 5, 0, STREAM_TOSERVER);
2924 IPPROTO_UDP,
ALPROTO_HTTP1,
"OPTIONS", 7, 0, STREAM_TOSERVER);
2926 IPPROTO_UDP,
ALPROTO_HTTP1,
"CONNECT", 7, 0, STREAM_TOSERVER);
2948 memset(pm_results, 0,
sizeof(pm_results));
2950 cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2951 &f, l7data,
sizeof(l7data), STREAM_TOSERVER,
2956 memset(pm_results, 0,
sizeof(pm_results));
2957 cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2958 &f, l7data_resp,
sizeof(l7data_resp), STREAM_TOCLIENT,
3003 int i = -1, j = -1 , k = -1;
3007 for (i = 0; i < no_of_ip_proto; i++, pp = pp->
next) {
3008 if (pp->ipproto != ip_proto[i].
ipproto)
3012 for (k = 0; k < ip_proto[i].
no_of_port; k++, pp_port = pp_port->
next) {
3013 if (pp_port->port != ip_proto[i].
port[k].
port)
3029 j++, pp_element = pp_element->
next) {
3047 if (pp_element != NULL)
3050 pp_element = pp_port->sp;
3071 if (pp_element != NULL)
3074 if (pp_port != NULL)
3083 printf(
"i = %d, k = %d, j = %d(%s)\n", i, k, j, (dir == 0) ?
"ts" :
"tc");
3088 static uint16_t ProbingParserDummyForTesting(
Flow *f, uint8_t direction,
3089 const uint8_t *input,
3090 uint32_t input_len, uint8_t *rdir)
3095 static int AppLayerProtoDetectTest15(
void)
3103 ProbingParserDummyForTesting, NULL);
3109 ProbingParserDummyForTesting, NULL);
3115 ProbingParserDummyForTesting, NULL);
3122 ProbingParserDummyForTesting, NULL);
3128 ProbingParserDummyForTesting, NULL);
3134 ProbingParserDummyForTesting, NULL);
3140 ProbingParserDummyForTesting, NULL);
3147 ProbingParserDummyForTesting, NULL);
3153 ProbingParserDummyForTesting, NULL);
3161 ProbingParserDummyForTesting, NULL);
3169 ProbingParserDummyForTesting, NULL);
3175 ProbingParserDummyForTesting, NULL);
3182 ProbingParserDummyForTesting, NULL);
3188 ProbingParserDummyForTesting, NULL);
3194 ProbingParserDummyForTesting, NULL);
3196 ProbingParserDummyForTesting, NULL);
3202 ProbingParserDummyForTesting, NULL);
3208 ProbingParserDummyForTesting, NULL);
3214 ProbingParserDummyForTesting, NULL);
3220 ProbingParserDummyForTesting, NULL);
3226 ProbingParserDummyForTesting, NULL);
3232 ProbingParserDummyForTesting, NULL);
3352 23, element_ts_85, element_tc_85,
3360 23, element_ts_90, element_tc_90,
3368 23, element_ts_0, element_tc_0,
3378 element_ts_85_udp, element_tc_85_udp,
3396 if (AppLayerProtoDetectPPTestData(alpd_ctx.
ctx_pp, ip_proto,
3410 static int AppLayerProtoDetectTest16(
void)
3415 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
3416 "User-Agent: Mozilla/1.0\r\n"
3417 "Cookie: hellocatch\r\n\r\n";
3418 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
3432 printf(
"packet setup failed: ");
3436 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1024, 80);
3438 printf(
"flow setup failed: ");
3442 f->
proto = IPPROTO_TCP;
3460 "(msg:\"Test content option\"; "
3473 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3480 if (http_state == NULL) {
3481 printf(
"no http state: ");
3489 printf(
"sig 1 didn't alert, but it should: ");
3496 if (det_ctx != NULL)
3512 static int AppLayerProtoDetectTest17(
void)
3517 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
3518 "User-Agent: Mozilla/1.0\r\n"
3519 "Cookie: hellocatch\r\n\r\n";
3520 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
3534 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1024, 80);
3538 f->
proto = IPPROTO_TCP;
3554 "(msg:\"http over non standar port\"; "
3567 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3574 if (http_state == NULL) {
3575 printf(
"no http state: ");
3583 printf(
"sig 1 didn't alert, but it should: ");
3592 if (det_ctx != NULL)
3608 static int AppLayerProtoDetectTest18(
void)
3613 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
3614 "User-Agent: Mozilla/1.0\r\n"
3615 "Cookie: hellocatch\r\n\r\n";
3616 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
3630 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1024, 80);
3634 f->
proto = IPPROTO_TCP;
3650 "(msg:\"Test content option\"; "
3663 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3670 if (http_state == NULL) {
3671 printf(
"no http state: ");
3679 printf(
"sig 1 alerted, but it should not (it's not ftp): ");
3687 if (det_ctx != NULL)
3703 static int AppLayerProtoDetectTest19(
void)
3707 uint8_t http_buf1[] =
"MPUT one\r\n";
3708 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
3722 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1024, 80);
3726 f->
proto = IPPROTO_TCP;
3742 "(msg:\"http over non standar port\"; "
3753 STREAM_TOSERVER, http_buf1, http_buf1_len);
3755 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3765 printf(
"sig 1 alerted, but it should not (it's ftp): ");
3774 if (det_ctx != NULL)
3791 UtRegisterTest(
"AppLayerProtoDetectTest01", AppLayerProtoDetectTest01);
3792 UtRegisterTest(
"AppLayerProtoDetectTest02", AppLayerProtoDetectTest02);
3793 UtRegisterTest(
"AppLayerProtoDetectTest03", AppLayerProtoDetectTest03);
3794 UtRegisterTest(
"AppLayerProtoDetectTest04", AppLayerProtoDetectTest04);
3795 UtRegisterTest(
"AppLayerProtoDetectTest05", AppLayerProtoDetectTest05);
3796 UtRegisterTest(
"AppLayerProtoDetectTest06", AppLayerProtoDetectTest06);
3797 UtRegisterTest(
"AppLayerProtoDetectTest07", AppLayerProtoDetectTest07);
3798 UtRegisterTest(
"AppLayerProtoDetectTest08", AppLayerProtoDetectTest08);
3799 UtRegisterTest(
"AppLayerProtoDetectTest09", AppLayerProtoDetectTest09);
3800 UtRegisterTest(
"AppLayerProtoDetectTest10", AppLayerProtoDetectTest10);
3801 UtRegisterTest(
"AppLayerProtoDetectTest11", AppLayerProtoDetectTest11);
3802 UtRegisterTest(
"AppLayerProtoDetectTest12", AppLayerProtoDetectTest12);
3803 UtRegisterTest(
"AppLayerProtoDetectTest13", AppLayerProtoDetectTest13);
3804 UtRegisterTest(
"AppLayerProtoDetectTest14", AppLayerProtoDetectTest14);
3805 UtRegisterTest(
"AppLayerProtoDetectTest15", AppLayerProtoDetectTest15);
3806 UtRegisterTest(
"AppLayerProtoDetectTest16", AppLayerProtoDetectTest16);
3807 UtRegisterTest(
"AppLayerProtoDetectTest17", AppLayerProtoDetectTest17);
3808 UtRegisterTest(
"AppLayerProtoDetectTest18", AppLayerProtoDetectTest18);
3809 UtRegisterTest(
"AppLayerProtoDetectTest19", AppLayerProtoDetectTest19);