179 static void AppLayerProtoDetectPEGetIpprotos(
AppProto alproto,
190 uint16_t buflen, uint16_t searchlen,
bool *rflow)
195 SCLogDebug(
"s->co->offset (%"PRIu16
") > searchlen (%"PRIu16
")",
199 if (s->
cd->
depth > searchlen) {
200 SCLogDebug(
"s->co->depth (%"PRIu16
") > searchlen (%"PRIu16
")",
205 const uint8_t *sbuf = buf + s->
cd->
offset;
207 SCLogDebug(
"s->co->offset (%"PRIu16
") s->cd->depth (%"PRIu16
")",
217 SCLogDebug(
"matching, s->direction %s, our dir %s",
224 SCLogDebug(
"direction is wrong, rflow = true");
230 SCLogDebug(
"PP can't be run yet as pp_min_depth %u > buflen %u",
238 SCLogDebug(
"found %s/%u, rdir %02x reverse_flow? %s",
240 (rdir && direction != rdir) ?
"true" :
"false");
241 *rflow = (rdir && direction != rdir);
248 SCLogDebug(
"depth reached and answer inconclusive: fail");
263 uint16_t buflen, uint8_t
flags,
AppProto *pm_results,
bool *rflow)
268 SCLogDebug(
"searchlen %u buflen %u", searchlen, buflen);
274 if (search_cnt == 0) {
282 memset(pm_results_bf, 0,
sizeof(pm_results_bf));
291 s, tctx, f,
flags, buf, buflen, searchlen, rflow);
294 if (AppProtoIsValid(
proto) &&
295 !(pm_results_bf[
proto / 8] & (1 << (
proto % 8))) )
297 pm_results[pm_matches++] =
proto;
303 if (pm_matches == 0 && buflen >= pm_ctx->
pp_max_len) {
315 const uint8_t *buf, uint16_t buflen, uint8_t
flags,
AppProto *pm_results,
bool *rflow)
338 m = PMGetProtoInspect(tctx, pm_ctx, mpm_tctx, f, buf, buflen,
flags, pm_results, rflow);
366 SCLogDebug(
"no matches and in midstream mode, lets try the "
367 "*patterns for the other side");
371 om = PMGetProtoInspect(
372 tctx, pm_ctx, mpm_tctx, f, buf, buflen,
flags, pm_results, rflow);
380 }
else if (om < 0 &&
m &&
m < 0) {
385 }
else if (om == 0 ||
m == 0) {
407 while (pp_port != NULL) {
408 if (pp_port->
dp != NULL && pp_port->
dp->
alproto == alproto) {
409 pp_elem = pp_port->
dp;
412 if (pp_port->
sp != NULL && pp_port->
sp->
alproto == alproto) {
413 pp_elem = pp_port->
sp;
416 pp_port = pp_port->
next;
419 SCReturnPtr(pp_elem,
"AppLayerProtoDetectProbingParserElement *");
439 while (pp_port != NULL) {
440 if (pp_port->
port == port || pp_port->
port == 0) {
443 pp_port = pp_port->
next;
447 SCReturnPtr(pp_port,
"AppLayerProtoDetectProbingParserPort *");
455 static AppProto AppLayerProtoDetectPEGetProto(
Flow *f, uint8_t ipproto, uint8_t
flags)
468 uint8_t
flags,
const uint8_t *buf, uint32_t buflen, uint32_t *alproto_masks, uint8_t *rdir)
471 if ((buflen < pe->min_depth) ||
483 if (AppProtoIsValid(alproto)) {
503 static AppProto AppLayerProtoDetectPPGetProto(
Flow *f,
const uint8_t *buf, uint32_t buflen,
504 uint8_t ipproto,
const uint8_t
flags,
bool *reverse_flow)
512 uint32_t *alproto_masks;
518 bool probe_is_found =
false;
529 pp_port_dp = AppLayerProtoDetectGetProbingParsers(alpd_ctx.
ctx_pp, ipproto, dp);
531 if (pp_port_dp != NULL) {
532 SCLogDebug(
"toserver - Probing parser found for destination port %"PRIu16, dp);
535 pe1 = pp_port_dp->
dp;
537 SCLogDebug(
"toserver - No probing parser registered for dest port %"PRIu16, dp);
540 pp_port_sp = AppLayerProtoDetectGetProbingParsers(alpd_ctx.
ctx_pp, ipproto, sp);
541 if (pp_port_sp != NULL) {
542 SCLogDebug(
"toserver - Probing parser found for source port %"PRIu16, sp);
545 pe2 = pp_port_sp->
sp;
547 SCLogDebug(
"toserver - No probing parser registered for source port %"PRIu16, sp);
551 pp_port_dp = AppLayerProtoDetectGetProbingParsers(alpd_ctx.
ctx_pp, ipproto, dp);
553 if (pp_port_dp != NULL) {
554 SCLogDebug(
"toclient - Probing parser found for destination port %"PRIu16, dp);
557 pe1 = pp_port_dp->
dp;
559 SCLogDebug(
"toclient - No probing parser registered for dest port %"PRIu16, dp);
562 pp_port_sp = AppLayerProtoDetectGetProbingParsers(alpd_ctx.
ctx_pp, ipproto, sp);
563 if (pp_port_sp != NULL) {
564 SCLogDebug(
"toclient - Probing parser found for source port %"PRIu16, sp);
566 pe2 = pp_port_sp->
sp;
568 SCLogDebug(
"toclient - No probing parser registered for source port %"PRIu16, sp);
573 pe0 = AppLayerProtoDetectGetProbingParser(alpd_ctx.
ctx_pp, ipproto, f->
alproto_tc);
575 pe0 = AppLayerProtoDetectGetProbingParser(alpd_ctx.
ctx_pp, ipproto, f->
alproto_ts);
578 if (pe1 == NULL && pe2 == NULL && pe0 == NULL) {
579 SCLogDebug(
"%s - No probing parsers found for either port",
583 probe_is_found =
true;
588 alproto = PPGetProto(pe0, f,
flags, buf, buflen, alproto_masks, &rdir);
589 if (AppProtoIsValid(alproto))
591 alproto = PPGetProto(pe1, f,
flags, buf, buflen, alproto_masks, &rdir);
592 if (AppProtoIsValid(alproto))
594 alproto = PPGetProto(pe2, f,
flags, buf, buflen, alproto_masks, &rdir);
595 if (AppProtoIsValid(alproto))
600 if (pp_port_dp && pp_port_sp)
607 if (alproto_masks[0] == mask) {
609 SCLogDebug(
"%s, mask is now %08x, needed %08x, so done",
611 alproto_masks[0], mask);
615 alproto_masks[0], mask);
626 SCLogDebug(
"no match + midstream, retry the other direction %s",
628 goto again_midstream;
629 }
else if (!probe_is_found) {
634 if (AppProtoIsValid(alproto) && rdir != 0 && rdir != idir) {
635 SCLogDebug(
"PP found %u, is reverse flow", alproto);
636 *reverse_flow =
true;
646 static void AppLayerProtoDetectPPGetIpprotos(
AppProto alproto,
655 for (pp = alpd_ctx.
ctx_pp; pp != NULL; pp = pp->
next) {
656 for (pp_port = pp->
port; pp_port != NULL; pp_port = pp_port->
next) {
657 for (pp_pe = pp_port->
dp; pp_pe != NULL; pp_pe = pp_pe->
next) {
661 for (pp_pe = pp_port->
sp; pp_pe != NULL; pp_pe = pp_pe->
next) {
671 static uint32_t AppLayerProtoDetectProbingParserGetMask(
AppProto alproto)
692 SCReturnPtr(p,
"AppLayerProtoDetectProbingParserElement");
713 SCReturnPtr(p,
"AppLayerProtoDetectProbingParserPort");
725 AppLayerProtoDetectProbingParserElementFree(e);
732 AppLayerProtoDetectProbingParserElementFree(e);
751 SCReturnPtr(p,
"AppLayerProtoDetectProbingParser");
761 AppLayerProtoDetectProbingParserPortFree(pt);
771 AppLayerProtoDetectProbingParserElementCreate(
AppProto alproto,
780 pe->
alproto_mask = AppLayerProtoDetectProbingParserGetMask(alproto);
785 if (max_depth != 0 && min_depth >= max_depth) {
787 "register the probing parser. min_depth >= max_depth");
790 if (alproto <= ALPROTO_UNKNOWN || alproto >=
ALPROTO_MAX) {
792 "the probing parser. Invalid alproto - %d", alproto);
796 SCReturnPtr(pe,
"AppLayerProtoDetectProbingParserElement");
798 AppLayerProtoDetectProbingParserElementFree(pe);
799 SCReturnPtr(NULL,
"AppLayerProtoDetectProbingParserElement");
818 SCReturnPtr(new_pe,
"AppLayerProtoDetectProbingParserElement");
829 printf(
"\nProtocol Detection Configuration\n");
831 for ( ; pp != NULL; pp = pp->
next) {
833 if (pp->
ipproto == IPPROTO_TCP)
834 printf(
"IPProto: TCP\n");
835 else if (pp->
ipproto == IPPROTO_UDP)
836 printf(
"IPProto: UDP\n");
838 printf(
"IPProto: %"PRIu8
"\n", pp->
ipproto);
841 for ( ; pp_port != NULL; pp_port = pp_port->
next) {
842 if (pp_port->
dp != NULL) {
843 printf(
" Port: %"PRIu16
"\n", pp_port->
port);
845 printf(
" Destination port: (max-depth: %"PRIu16
", "
846 "mask - %"PRIu32
")\n",
850 for ( ; pp_pe != NULL; pp_pe = pp_pe->
next) {
853 printf(
" alproto: ALPROTO_HTTP1\n");
855 printf(
" alproto: ALPROTO_FTP\n");
857 printf(
" alproto: ALPROTO_FTPDATA\n");
859 printf(
" alproto: ALPROTO_SMTP\n");
861 printf(
" alproto: ALPROTO_TLS\n");
863 printf(
" alproto: ALPROTO_SSH\n");
865 printf(
" alproto: ALPROTO_IMAP\n");
867 printf(
" alproto: ALPROTO_JABBER\n");
869 printf(
" alproto: ALPROTO_SMB\n");
871 printf(
" alproto: ALPROTO_DCERPC\n");
873 printf(
" alproto: ALPROTO_IRC\n");
875 printf(
" alproto: ALPROTO_DNS\n");
877 printf(
" alproto: ALPROTO_MODBUS\n");
879 printf(
" alproto: ALPROTO_ENIP\n");
881 printf(
" alproto: ALPROTO_NFS\n");
883 printf(
" alproto: ALPROTO_NTP\n");
885 printf(
" alproto: ALPROTO_TFTP\n");
887 printf(
" alproto: ALPROTO_IKEV2\n");
889 printf(
" alproto: ALPROTO_KRB5\n");
891 printf(
" alproto: ALPROTO_DHCP\n");
893 printf(
" alproto: ALPROTO_SNMP\n");
895 printf(
" alproto: ALPROTO_SIP\n");
897 printf(
" alproto: ALPROTO_TEMPLATE_RUST\n");
899 printf(
" alproto: ALPROTO_RFB\n");
901 printf(
" alproto: ALPROTO_MQTT\n");
903 printf(
" alproto: ALPROTO_TEMPLATE\n");
905 printf(
" alproto: ALPROTO_DNP3\n");
907 printf(
"impossible\n");
909 printf(
" port: %"PRIu16
"\n", pp_pe->
port);
911 printf(
" min_depth: %"PRIu32
"\n", pp_pe->
min_depth);
912 printf(
" max_depth: %"PRIu32
"\n", pp_pe->
max_depth);
918 if (pp_port->
sp == NULL) {
922 printf(
" Source port: (max-depth: %"PRIu16
", "
923 "mask - %"PRIu32
")\n",
927 for ( ; pp_pe != NULL; pp_pe = pp_pe->
next) {
930 printf(
" alproto: ALPROTO_HTTP1\n");
932 printf(
" alproto: ALPROTO_FTP\n");
934 printf(
" alproto: ALPROTO_FTPDATA\n");
936 printf(
" alproto: ALPROTO_SMTP\n");
938 printf(
" alproto: ALPROTO_TLS\n");
940 printf(
" alproto: ALPROTO_SSH\n");
942 printf(
" alproto: ALPROTO_IMAP\n");
944 printf(
" alproto: ALPROTO_JABBER\n");
946 printf(
" alproto: ALPROTO_SMB\n");
948 printf(
" alproto: ALPROTO_DCERPC\n");
950 printf(
" alproto: ALPROTO_IRC\n");
952 printf(
" alproto: ALPROTO_DNS\n");
954 printf(
" alproto: ALPROTO_MODBUS\n");
956 printf(
" alproto: ALPROTO_ENIP\n");
958 printf(
" alproto: ALPROTO_NFS\n");
960 printf(
" alproto: ALPROTO_NTP\n");
962 printf(
" alproto: ALPROTO_TFTP\n");
964 printf(
" alproto: ALPROTO_IKEV2\n");
966 printf(
" alproto: ALPROTO_KRB5\n");
968 printf(
" alproto: ALPROTO_DHCP\n");
970 printf(
" alproto: ALPROTO_SNMP\n");
972 printf(
" alproto: ALPROTO_SIP\n");
974 printf(
" alproto: ALPROTO_TEMPLATE_RUST\n");
976 printf(
" alproto: ALPROTO_RFB\n");
978 printf(
" alproto: ALPROTO_MQTT\n");
980 printf(
" alproto: ALPROTO_TEMPLATE\n");
982 printf(
" alproto: ALPROTO_DNP3\n");
984 printf(
"impossible\n");
986 printf(
" port: %"PRIu16
"\n", pp_pe->
port);
988 printf(
" min_depth: %"PRIu32
"\n", pp_pe->
min_depth);
989 printf(
" max_depth: %"PRIu32
"\n", pp_pe->
max_depth);
1005 if (*head_pe == NULL) {
1010 if ((*head_pe)->port == 0) {
1011 if (new_pe->
port != 0) {
1012 new_pe->
next = *head_pe;
1016 while (temp_pe->
next != NULL)
1017 temp_pe = temp_pe->
next;
1018 temp_pe->
next = new_pe;
1022 if (new_pe->
port == 0) {
1023 while (temp_pe->
next != NULL)
1024 temp_pe = temp_pe->
next;
1025 temp_pe->
next = new_pe;
1027 while (temp_pe->
next != NULL && temp_pe->
next->
port != 0)
1028 temp_pe = temp_pe->
next;
1030 temp_pe->
next = new_pe;
1044 if (*head_pp == NULL) {
1050 while (temp_pp->
next != NULL)
1051 temp_pp = temp_pp->
next;
1052 temp_pp->
next = new_pp;
1063 if (*head_port == NULL) {
1064 *head_port = new_port;
1068 if ((*head_port)->port == 0) {
1069 new_port->
next = *head_port;
1070 *head_port = new_port;
1073 while (temp_port->
next != NULL && temp_port->
next->
port != 0) {
1074 temp_port = temp_port->
next;
1077 temp_port->
next = new_port;
1088 uint16_t min_depth, uint16_t max_depth,
1097 while (curr_pp != NULL) {
1098 if (curr_pp->
ipproto == ipproto)
1100 curr_pp = curr_pp->
next;
1102 if (curr_pp == NULL) {
1105 AppLayerProtoDetectProbingParserAppend(pp, new_pp);
1111 while (curr_port != NULL) {
1112 if (curr_port->
port == port)
1114 curr_port = curr_port->
next;
1116 if (curr_port == NULL) {
1118 new_port->
port = port;
1119 AppLayerProtoDetectProbingParserPortAppend(&curr_pp->
port, new_port);
1120 curr_port = new_port;
1129 zero_port = curr_pp->
port;
1130 while (zero_port != NULL && zero_port->
port != 0) {
1131 zero_port = zero_port->
next;
1133 if (zero_port != NULL) {
1136 zero_pe = zero_port->
dp;
1137 for ( ; zero_pe != NULL; zero_pe = zero_pe->
next) {
1138 if (curr_port->
dp == NULL)
1148 AppLayerProtoDetectProbingParserElementDuplicate(zero_pe);
1149 AppLayerProtoDetectProbingParserElementAppend(&curr_port->
dp, dup_pe);
1153 zero_pe = zero_port->
sp;
1154 for ( ; zero_pe != NULL; zero_pe = zero_pe->
next) {
1155 if (curr_port->
sp == NULL)
1165 AppLayerProtoDetectProbingParserElementDuplicate(zero_pe);
1166 AppLayerProtoDetectProbingParserElementAppend(&curr_port->
sp, dup_pe);
1175 curr_pe = curr_port->
dp;
1177 curr_pe = curr_port->
sp;
1178 while (curr_pe != NULL) {
1179 if (curr_pe->
alproto == alproto) {
1181 "ipproto - %"PRIu8
" Port - %"PRIu16
" "
1182 "App Protocol - NULL, App Protocol(ID) - "
1183 "%"PRIu16
" min_depth - %"PRIu16
" "
1184 "max_dept - %"PRIu16
".",
1185 ipproto, port, alproto,
1186 min_depth, max_depth);
1189 curr_pe = curr_pe->
next;
1193 AppLayerProtoDetectProbingParserElementCreate(alproto,
1195 min_depth, max_depth);
1203 if (curr_port->
dp == NULL)
1212 head_pe = &curr_port->
dp;
1216 if (curr_port->
sp == NULL)
1225 head_pe = &curr_port->
sp;
1227 AppLayerProtoDetectProbingParserElementAppend(head_pe, new_pe);
1229 if (curr_port->
port == 0) {
1231 while (temp_port != NULL && temp_port->
port != 0) {
1233 if (temp_port->
dp == NULL)
1241 AppLayerProtoDetectProbingParserElementAppend(&temp_port->
dp,
1242 AppLayerProtoDetectProbingParserElementDuplicate(curr_pe));
1245 if (temp_port->
sp == NULL)
1253 AppLayerProtoDetectProbingParserElementAppend(&temp_port->
sp,
1254 AppLayerProtoDetectProbingParserElementDuplicate(curr_pe));
1257 temp_port = temp_port->
next;
1267 static void AppLayerProtoDetectPMGetIpprotos(
AppProto alproto,
1274 for (
int j = 0; j < 2; j++) {
1280 ipprotos[ipproto / 8] |= 1 << (ipproto % 8);
1292 typedef struct TempContainer_ {
1294 uint16_t content_len;
1299 uint32_t struct_total_size = 0;
1300 uint32_t content_total_size = 0;
1302 uint8_t *ahb = NULL;
1303 uint8_t *content = NULL;
1304 uint8_t content_len = 0;
1306 TempContainer *struct_offset = NULL;
1307 uint8_t *content_offset = NULL;
1310 if (ctx->
head == NULL)
1313 for (s = ctx->
head; s != NULL; s = s->
next) {
1314 struct_total_size +=
sizeof(TempContainer);
1319 ahb =
SCMalloc(
sizeof(uint8_t) * (struct_total_size + content_total_size));
1323 struct_offset = (TempContainer *)ahb;
1324 content_offset = ahb + struct_total_size;
1325 for (s = ctx->
head; s != NULL; s = s->
next) {
1326 TempContainer *tcdup = (TempContainer *)ahb;
1330 for (; tcdup != struct_offset; tcdup++) {
1331 if (tcdup->content_len != content_len ||
1332 SCMemcmp(tcdup->content, content, tcdup->content_len) != 0)
1339 if (tcdup != struct_offset) {
1340 s->
cd->
id = tcdup->id;
1344 struct_offset->content_len = content_len;
1345 struct_offset->content = content_offset;
1346 content_offset += content_len;
1347 memcpy(struct_offset->content, content, content_len);
1348 struct_offset->id = max_id++;
1349 s->
cd->
id = struct_offset->id;
1375 if (ctx->
map == NULL)
1380 for (s = ctx->
head; s != NULL; ) {
1400 ctx->
map[s->
id] = s;
1442 AppProto alproto, uint8_t direction,
1444 uint16_t pp_min_depth, uint16_t pp_max_depth)
1466 static int AppLayerProtoDetectPMRegisterPattern(uint8_t ipproto,
AppProto alproto,
1467 const char *pattern,
1468 uint16_t depth, uint16_t
offset,
1472 uint16_t pp_min_depth, uint16_t pp_max_depth)
1496 if (depth < cd->content_len)
1506 if (depth < ctx_pm->min_len)
1510 AppLayerProtoDetectPMAddSignature(ctx_pm, cd, alproto, direction,
1511 PPFunc, pp_min_depth, pp_max_depth);
1524 const uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t
flags,
bool *reverse_flow)
1527 SCLogDebug(
"buflen %u for %s direction", buflen,
1535 uint16_t pm_matches = AppLayerProtoDetectPMGetProto(
1536 tctx, f, buf, buflen,
flags, pm_results, reverse_flow);
1537 if (pm_matches > 0) {
1539 alproto = pm_results[0];
1555 pm_alproto = alproto;
1563 alproto = AppLayerProtoDetectPPGetProto(f, buf, buflen, ipproto,
flags, &rflow);
1564 if (AppProtoIsValid(alproto)) {
1566 *reverse_flow =
true;
1574 alproto = AppLayerProtoDetectPEGetProto(f, ipproto,
flags);
1578 if (!AppProtoIsValid(alproto))
1579 alproto = pm_alproto;
1593 while (pp != NULL) {
1595 AppLayerProtoDetectProbingParserFree(pp);
1614 for (j = 0; j < 2; j++) {
1617 if (AppLayerProtoDetectPMSetContentIDs(ctx_pm) < 0)
1623 if (AppLayerProtoDetectPMMapSignatures(ctx_pm) < 0)
1625 if (AppLayerProtoDetectPMPrepareMpm(ctx_pm) < 0)
1632 AppLayerProtoDetectPrintProbingParsers(alpd_ctx.
ctx_pp);
1650 const char *portstr,
1652 uint16_t min_depth, uint16_t max_depth,
1662 while (temp_dp != NULL) {
1663 uint32_t port = temp_dp->
port;
1664 if (port == 0 && temp_dp->
port2 != 0)
1666 for ( ; port <= temp_dp->
port2; port++) {
1667 AppLayerProtoDetectInsertNewProbingParser(&alpd_ctx.
ctx_pp,
1671 min_depth, max_depth,
1676 temp_dp = temp_dp->
next;
1685 const char *alproto_name,
1687 uint16_t min_depth, uint16_t max_depth,
1699 r = snprintf(param,
sizeof(param),
"%s%s%s",
"app-layer.protocols.",
1700 alproto_name,
".detection-ports");
1703 }
else if (r > (
int)
sizeof(param)) {
1708 SCLogDebug(
"Entry for %s not found.", param);
1709 r = snprintf(param,
sizeof(param),
"%s%s%s%s%s",
"app-layer.protocols.",
1710 alproto_name,
".", ipproto_name,
".detection-ports");
1713 }
else if (r > (
int)
sizeof(param)) {
1723 if (port_node == NULL)
1726 if (port_node != NULL && port_node->
val != NULL) {
1730 min_depth, max_depth,
1732 ProbingParserTs, ProbingParserTc);
1737 if (port_node == NULL)
1740 if (port_node != NULL && port_node->
val != NULL) {
1744 min_depth, max_depth,
1746 ProbingParserTc, ProbingParserTs);
1758 const char *pattern,
1759 uint16_t depth, uint16_t
offset,
1763 int r = AppLayerProtoDetectPMRegisterPattern(ipproto, alproto,
1771 const char *pattern, uint16_t depth, uint16_t
offset,
1774 uint16_t pp_min_depth, uint16_t pp_max_depth)
1777 int r = AppLayerProtoDetectPMRegisterPattern(ipproto, alproto,
1780 PPFunc, pp_min_depth, pp_max_depth);
1785 const char *pattern,
1786 uint16_t depth, uint16_t
offset,
1790 int r = AppLayerProtoDetectPMRegisterPattern(ipproto, alproto,
1805 memset(&alpd_ctx, 0,
sizeof(alpd_ctx));
1816 for (j = 0; j < 2; j++) {
1833 int ipproto_map = 0;
1840 for (dir = 0; dir < 2; dir++) {
1843 for (
id = 0;
id < pm_ctx->
max_sig_id;
id++) {
1844 sig = pm_ctx->
map[id];
1845 AppLayerProtoDetectPMFreeSignature(sig);
1854 AppLayerProtoDetectFreeProbingParsers(alpd_ctx.
ctx_pp);
1932 const char *alproto)
1936 BUG_ON(ipproto == NULL || alproto == NULL);
1946 r = snprintf(param,
sizeof(param),
"%s%s%s",
"app-layer.protocols.",
1947 alproto,
".enabled");
1950 }
else if (r > (
int)
sizeof(param)) {
1956 SCLogDebug(
"Entry for %s not found.", param);
1957 r = snprintf(param,
sizeof(param),
"%s%s%s%s%s",
"app-layer.protocols.",
1958 alproto,
".", ipproto,
".enabled");
1961 }
else if (r > (
int)
sizeof(param)) {
1967 SCLogDebug(
"Entry for %s not found.", param);
1977 }
else if (strcasecmp(node->
val,
"detection-only") == 0) {
2003 for (j = 0; j < 2; j++) {
2004 if (max_pat_id == 0) {
2025 for (j = 0; j < 2; j++) {
2052 int ipproto_map, dir;
2055 for (dir = 0; dir < 2; dir++) {
2081 AppLayerProtoDetectPMGetIpprotos(alproto, ipprotos);
2082 AppLayerProtoDetectPPGetIpprotos(alproto, ipprotos);
2083 AppLayerProtoDetectPEGetIpprotos(alproto, ipprotos);
2096 if (alpd_ctx.
alproto_names[a] != NULL && AppProtoEquals(b, a)) {
2118 for (alproto = 0; alproto !=
ALPROTO_MAX; alproto++) {
2120 alprotos[alproto] = 1;
2128 static void AppLayerProtoDetectPEGetIpprotos(
AppProto alproto,
2132 ipprotos[IPPROTO_TCP / 8] |= 1 << (IPPROTO_TCP % 8);
2135 ipprotos[IPPROTO_UDP / 8] |= 1 << (IPPROTO_UDP % 8);
2144 "Expectation on 2 IP protocols are not supported");
2161 alpd_ctx_ut = alpd_ctx;
2162 memset(&alpd_ctx, 0,
sizeof(alpd_ctx));
2169 alpd_ctx = alpd_ctx_ut;
2170 memset(&alpd_ctx_ut, 0,
sizeof(alpd_ctx_ut));
2174 static int AppLayerProtoDetectTest01(
void)
2179 const char *buf =
"HTTP";
2193 static int AppLayerProtoDetectTest02(
void)
2198 const char *buf =
"HTTP";
2218 static int AppLayerProtoDetectTest03(
void)
2223 uint8_t l7data[] =
"HTTP/1.1 200 OK\r\nServer: Apache/1.0\r\n\r\n";
2225 memset(pm_results, 0,
sizeof(pm_results));
2227 memset(&f, 0x00,
sizeof(f));
2231 const char *buf =
"HTTP";
2250 uint32_t cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2251 &f, l7data,
sizeof(l7data),
2253 pm_results, &rflow);
2263 static int AppLayerProtoDetectTest04(
void)
2268 uint8_t l7data[] =
"HTTP/1.1 200 OK\r\nServer: Apache/1.0\r\n\r\n";
2270 memset(&f, 0x00,
sizeof(f));
2272 memset(pm_results, 0,
sizeof(pm_results));
2275 const char *buf =
"200 ";
2291 uint32_t cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2303 static int AppLayerProtoDetectTest05(
void)
2308 uint8_t l7data[] =
"HTTP/1.1 200 OK\r\nServer: Apache/1.0\r\n\r\n<HTML><BODY>Blahblah</BODY></HTML>";
2310 memset(pm_results, 0,
sizeof(pm_results));
2312 memset(&f, 0x00,
sizeof(f));
2315 const char *buf =
"HTTP";
2334 uint32_t cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2335 &f, l7data,
sizeof(l7data),
2347 static int AppLayerProtoDetectTest06(
void)
2352 uint8_t l7data[] =
"220 Welcome to the OISF FTP server\r\n";
2354 memset(pm_results, 0,
sizeof(pm_results));
2356 memset(&f, 0x00,
sizeof(f));
2359 const char *buf =
"HTTP";
2378 uint32_t cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2390 static int AppLayerProtoDetectTest07(
void)
2395 uint8_t l7data[] =
"220 Welcome to the OISF HTTP/FTP server\r\n";
2397 memset(&f, 0x00,
sizeof(f));
2400 memset(pm_results, 0,
sizeof(pm_results));
2402 const char *buf =
"HTTP";
2417 uint32_t cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2428 static int AppLayerProtoDetectTest08(
void)
2433 uint8_t l7data[] = {
2434 0x00, 0x00, 0x00, 0x85, 0xff, 0x53, 0x4d, 0x42,
2435 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x53, 0xc8,
2436 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2437 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xfe,
2438 0x00, 0x00, 0x00, 0x00, 0x00, 0x62, 0x00, 0x02,
2439 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,
2440 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52,
2441 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02,
2442 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e,
2443 0x30, 0x00, 0x02, 0x57, 0x69, 0x6e, 0x64, 0x6f,
2444 0x77, 0x73, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x57,
2445 0x6f, 0x72, 0x6b, 0x67, 0x72, 0x6f, 0x75, 0x70,
2446 0x73, 0x20, 0x33, 0x2e, 0x31, 0x61, 0x00, 0x02,
2447 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30,
2448 0x32, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41,
2449 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4e, 0x54,
2450 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32,
2454 memset(pm_results, 0,
sizeof(pm_results));
2456 memset(&f, 0x00,
sizeof(f));
2459 const char *buf =
"|ff|SMB";
2475 uint32_t cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2487 static int AppLayerProtoDetectTest09(
void)
2492 uint8_t l7data[] = {
2493 0x00, 0x00, 0x00, 0x66, 0xfe, 0x53, 0x4d, 0x42,
2494 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2495 0x00, 0x00, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00,
2496 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2497 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2498 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2499 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2500 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2501 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x01, 0x00,
2502 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2503 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2504 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2505 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2509 memset(pm_results, 0,
sizeof(pm_results));
2511 memset(&f, 0x00,
sizeof(f));
2514 const char *buf =
"|fe|SMB";
2530 uint32_t cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2542 static int AppLayerProtoDetectTest10(
void)
2547 uint8_t l7data[] = {
2548 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
2549 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2550 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
2551 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
2552 0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11,
2553 0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57,
2554 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
2555 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
2556 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
2559 memset(pm_results, 0,
sizeof(pm_results));
2561 memset(&f, 0x00,
sizeof(f));
2564 const char *buf =
"|05 00|";
2580 uint32_t cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2596 static int AppLayerProtoDetectTest11(
void)
2601 uint8_t l7data[] =
"CONNECT www.ssllabs.com:443 HTTP/1.0\r\n";
2602 uint8_t l7data_resp[] =
"HTTP/1.1 405 Method Not Allowed\r\n";
2604 memset(pm_results, 0,
sizeof(pm_results));
2606 memset(&f, 0x00,
sizeof(f));
2647 uint32_t cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2653 memset(pm_results, 0,
sizeof(pm_results));
2654 cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2669 static int AppLayerProtoDetectTest12(
void)
2681 printf(
"failure 1\n");
2687 printf(
"failure 2\n");
2693 printf(
"failure 3\n");
2697 printf(
"failure 4\n");
2701 printf(
"failure 5\n");
2705 printf(
"failure 6\n");
2721 static int AppLayerProtoDetectTest13(
void)
2726 uint8_t l7data[] =
"CONNECT www.ssllabs.com:443 HTTP/1.0\r\n";
2727 uint8_t l7data_resp[] =
"HTTP/1.1 405 Method Not Allowed\r\n";
2731 memset(&f, 0x00,
sizeof(f));
2768 memset(pm_results, 0,
sizeof(pm_results));
2770 uint32_t cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2775 memset(pm_results, 0,
sizeof(pm_results));
2776 cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2792 static int AppLayerProtoDetectTest14(
void)
2797 uint8_t l7data[] =
"CONNECT www.ssllabs.com:443 HTTP/1.0\r\n";
2798 uint8_t l7data_resp[] =
"HTTP/1.1 405 Method Not Allowed\r\n";
2802 memset(&f, 0x00,
sizeof(f));
2840 memset(pm_results, 0,
sizeof(pm_results));
2842 cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2848 memset(pm_results, 0,
sizeof(pm_results));
2849 cnt = AppLayerProtoDetectPMGetProto(
alpd_tctx,
2895 int i = -1, j = -1 , k = -1;
2899 for (i = 0; i < no_of_ip_proto; i++, pp = pp->
next) {
2900 if (pp->ipproto != ip_proto[i].
ipproto)
2904 for (k = 0; k < ip_proto[i].
no_of_port; k++, pp_port = pp_port->
next) {
2905 if (pp_port->port != ip_proto[i].
port[k].
port)
2921 j++, pp_element = pp_element->
next) {
2939 if (pp_element != NULL)
2942 pp_element = pp_port->sp;
2963 if (pp_element != NULL)
2966 if (pp_port != NULL)
2975 printf(
"i = %d, k = %d, j = %d(%s)\n", i, k, j, (dir == 0) ?
"ts" :
"tc");
2980 static uint16_t ProbingParserDummyForTesting(
Flow *f, uint8_t direction,
2981 const uint8_t *input,
2982 uint32_t input_len, uint8_t *rdir)
2987 static int AppLayerProtoDetectTest15(
void)
2995 ProbingParserDummyForTesting, NULL);
3001 ProbingParserDummyForTesting, NULL);
3007 ProbingParserDummyForTesting, NULL);
3014 ProbingParserDummyForTesting, NULL);
3020 ProbingParserDummyForTesting, NULL);
3026 ProbingParserDummyForTesting, NULL);
3032 ProbingParserDummyForTesting, NULL);
3039 ProbingParserDummyForTesting, NULL);
3045 ProbingParserDummyForTesting, NULL);
3053 ProbingParserDummyForTesting, NULL);
3061 ProbingParserDummyForTesting, NULL);
3067 ProbingParserDummyForTesting, NULL);
3074 ProbingParserDummyForTesting, NULL);
3080 ProbingParserDummyForTesting, NULL);
3086 ProbingParserDummyForTesting, NULL);
3088 ProbingParserDummyForTesting, NULL);
3094 ProbingParserDummyForTesting, NULL);
3100 ProbingParserDummyForTesting, NULL);
3106 ProbingParserDummyForTesting, NULL);
3112 ProbingParserDummyForTesting, NULL);
3118 ProbingParserDummyForTesting, NULL);
3124 ProbingParserDummyForTesting, NULL);
3244 23, element_ts_85, element_tc_85,
3252 23, element_ts_90, element_tc_90,
3260 23, element_ts_0, element_tc_0,
3270 element_ts_85_udp, element_tc_85_udp,
3288 if (AppLayerProtoDetectPPTestData(alpd_ctx.
ctx_pp, ip_proto,
3302 static int AppLayerProtoDetectTest16(
void)
3307 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
3308 "User-Agent: Mozilla/1.0\r\n"
3309 "Cookie: hellocatch\r\n\r\n";
3310 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
3324 printf(
"packet setup failed: ");
3328 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1024, 80);
3330 printf(
"flow setup failed: ");
3334 f->
proto = IPPROTO_TCP;
3352 "(msg:\"Test content option\"; "
3365 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3372 if (http_state == NULL) {
3373 printf(
"no http state: ");
3381 printf(
"sig 1 didn't alert, but it should: ");
3388 if (det_ctx != NULL)
3404 static int AppLayerProtoDetectTest17(
void)
3409 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
3410 "User-Agent: Mozilla/1.0\r\n"
3411 "Cookie: hellocatch\r\n\r\n";
3412 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
3426 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1024, 80);
3430 f->
proto = IPPROTO_TCP;
3446 "(msg:\"http over non standar port\"; "
3459 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3466 if (http_state == NULL) {
3467 printf(
"no http state: ");
3475 printf(
"sig 1 didn't alert, but it should: ");
3484 if (det_ctx != NULL)
3500 static int AppLayerProtoDetectTest18(
void)
3505 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
3506 "User-Agent: Mozilla/1.0\r\n"
3507 "Cookie: hellocatch\r\n\r\n";
3508 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
3522 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1024, 80);
3526 f->
proto = IPPROTO_TCP;
3542 "(msg:\"Test content option\"; "
3555 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3562 if (http_state == NULL) {
3563 printf(
"no http state: ");
3571 printf(
"sig 1 alerted, but it should not (it's not ftp): ");
3579 if (det_ctx != NULL)
3595 static int AppLayerProtoDetectTest19(
void)
3599 uint8_t http_buf1[] =
"MPUT one\r\n";
3600 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
3614 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1024, 80);
3618 f->
proto = IPPROTO_TCP;
3634 "(msg:\"http over non standar port\"; "
3647 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
3657 printf(
"sig 1 alerted, but it should not (it's ftp): ");
3666 if (det_ctx != NULL)
3683 UtRegisterTest(
"AppLayerProtoDetectTest01", AppLayerProtoDetectTest01);
3684 UtRegisterTest(
"AppLayerProtoDetectTest02", AppLayerProtoDetectTest02);
3685 UtRegisterTest(
"AppLayerProtoDetectTest03", AppLayerProtoDetectTest03);
3686 UtRegisterTest(
"AppLayerProtoDetectTest04", AppLayerProtoDetectTest04);
3687 UtRegisterTest(
"AppLayerProtoDetectTest05", AppLayerProtoDetectTest05);
3688 UtRegisterTest(
"AppLayerProtoDetectTest06", AppLayerProtoDetectTest06);
3689 UtRegisterTest(
"AppLayerProtoDetectTest07", AppLayerProtoDetectTest07);
3690 UtRegisterTest(
"AppLayerProtoDetectTest08", AppLayerProtoDetectTest08);
3691 UtRegisterTest(
"AppLayerProtoDetectTest09", AppLayerProtoDetectTest09);
3692 UtRegisterTest(
"AppLayerProtoDetectTest10", AppLayerProtoDetectTest10);
3693 UtRegisterTest(
"AppLayerProtoDetectTest11", AppLayerProtoDetectTest11);
3694 UtRegisterTest(
"AppLayerProtoDetectTest12", AppLayerProtoDetectTest12);
3695 UtRegisterTest(
"AppLayerProtoDetectTest13", AppLayerProtoDetectTest13);
3696 UtRegisterTest(
"AppLayerProtoDetectTest14", AppLayerProtoDetectTest14);
3697 UtRegisterTest(
"AppLayerProtoDetectTest15", AppLayerProtoDetectTest15);
3698 UtRegisterTest(
"AppLayerProtoDetectTest16", AppLayerProtoDetectTest16);
3699 UtRegisterTest(
"AppLayerProtoDetectTest17", AppLayerProtoDetectTest17);
3700 UtRegisterTest(
"AppLayerProtoDetectTest18", AppLayerProtoDetectTest18);
3701 UtRegisterTest(
"AppLayerProtoDetectTest19", AppLayerProtoDetectTest19);