1 /* Copyright (C) 2007-2014 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  */
24 
/* NOTE(review): identifiers containing "__" are reserved for the C
 * implementation; a guard such as SURICATA_APP_LAYER_DETECT_PROTO_H would
 * stay out of that namespace. Left unchanged here because the matching
 * #endif at the end of the file must be renamed together with it. */
#ifndef __APP_LAYER_DETECT_PROTO__H__
#define __APP_LAYER_DETECT_PROTO__H__
27 
29 
31  uint8_t *input, uint32_t input_len);
32 
33 /***** Protocol Retrieval *****/
34 
35 /**
36  * \brief Returns the app layer protocol given a buffer.
37  *
38  * \param tctx Pointer to the app layer protocol detection thread context.
39  * \param f Pointer to the flow.
 * \param buf The buffer to be inspected (raw stream payload, i.e. untrusted
 * data; nothing in detection may read beyond buflen).
 * \param buflen The length of the above buffer, in bytes.
42  * \param ipproto The ip protocol.
43  * \param direction The direction bitfield - STREAM_TOSERVER/STREAM_TOCLIENT.
44  *
45  * \retval The app layer protocol.
46  */
48  Flow *f,
49  uint8_t *buf, uint32_t buflen,
50  uint8_t ipproto, uint8_t direction);
51 
52 /***** State Preparation *****/
53 
54 /**
55  * \brief Prepares the internal state for protocol detection.
56  * This needs to be called once all the patterns and probing parser
57  * ports have been registered.
58  */
60 
61 /***** PP registration *****/
62 
/**
 * \brief Registers probing parsers for an app layer protocol on a set of
 * ports ("register parser at a port").
 *
 * The callbacks have the ProbingParserFPtr shape
 * (AppProto (*)(Flow *f, uint8_t *input, uint32_t input_len)), so they are
 * invoked on raw, untrusted stream data and must bound every read by the
 * input_len they are handed.
 *
 * \param ipproto The ip protocol.
 * \param portstr Port specification string (its syntax is not shown in this
 * header -- presumably the usual Suricata port-list syntax; confirm against
 * the definition).
 * \param alproto The app layer protocol the parsers detect.
 * \param min_depth Presumably the minimum amount of data required before a
 * probe runs -- confirm against the definition.
 * \param max_depth Presumably the maximum amount of data a probe inspects --
 * confirm against the definition.
 * \param direction The direction bitfield - STREAM_TOSERVER/STREAM_TOCLIENT.
 * \param ProbingParser1 First probing parser callback.
 * \param ProbingParser2 Second probing parser callback. NOTE(review): the
 * config-driven variant names its two callbacks Ts/Tc; whether the same
 * per-direction split applies here is not shown -- confirm.
 */
void AppLayerProtoDetectPPRegister(uint8_t ipproto,
 const char *portstr,
 AppProto alproto,
 uint16_t min_depth, uint16_t max_depth,
 uint8_t direction,
 ProbingParserFPtr ProbingParser1,
 ProbingParserFPtr ProbingParser2);
/**
 * \brief Registers probing parsers for a protocol, taking the port list
 * from the configuration file rather than from a port string.
 *
 * Companion to AppLayerProtoDetectPPRegister(); the config entry is looked
 * up by ipproto_name and alproto_name (the exact config key is not shown
 * here -- confirm against the definition).
 *
 * \param ipproto_name Name of the ip protocol, used for the config lookup.
 * \param ipproto The ip protocol.
 * \param alproto_name Name of the app layer protocol, used for the config
 * lookup.
 * \param alproto The app layer protocol.
 * \param min_depth Presumably the same meaning as in
 * AppLayerProtoDetectPPRegister() -- confirm.
 * \param max_depth Presumably the same meaning as in
 * AppLayerProtoDetectPPRegister() -- confirm.
 * \param ProbingParserTs Probing parser callback, presumably for the
 * to-server direction (STREAM_TOSERVER) -- confirm.
 * \param ProbingParserTc Probing parser callback, presumably for the
 * to-client direction (STREAM_TOCLIENT) -- confirm.
 *
 * \retval 0 If no config was found (the return type is int, not bool).
 * \retval 1 If config was found.
 */
int AppLayerProtoDetectPPParseConfPorts(const char *ipproto_name,
 uint8_t ipproto,
 const char *alproto_name,
 AppProto alproto,
 uint16_t min_depth, uint16_t max_depth,
 ProbingParserFPtr ProbingParserTs,
 ProbingParserFPtr ProbingParserTc);
80 
81 /***** PM registration *****/
82 
/**
 * \brief Registers a case-sensitive pattern for protocol detection.
 *
 * Patterns are evaluated against untrusted stream data; keep them specific
 * enough that an attacker cannot cheaply steer a flow into the wrong
 * protocol parser by placing the pattern in the payload.
 *
 * \param ipproto The ip protocol.
 * \param alproto The app layer protocol assigned on a match.
 * \param pattern The pattern as a NUL-terminated string (whether embedded
 * NULs are supported is not shown here).
 * \param depth Presumably the number of leading bytes within which the
 * pattern must be found -- confirm against the definition.
 * \param offset Presumably the byte offset at which matching starts --
 * confirm against the definition.
 * \param direction The direction bitfield - STREAM_TOSERVER/STREAM_TOCLIENT.
 *
 * \retval int Meaning not documented in this header; check the definition
 * before treating it as an error code.
 */
int AppLayerProtoDetectPMRegisterPatternCS(uint8_t ipproto, AppProto alproto,
 const char *pattern,
 uint16_t depth, uint16_t offset,
 uint8_t direction);
/**
 * \brief Registers a case-insensitive pattern for protocol detection.
 *
 * Same contract as AppLayerProtoDetectPMRegisterPatternCS(), but the match
 * ignores case. A case-insensitive pattern matches a larger set of inputs,
 * so short patterns registered this way are more exposed to accidental or
 * attacker-induced protocol misclassification.
 *
 * \param ipproto The ip protocol.
 * \param alproto The app layer protocol assigned on a match.
 * \param pattern The pattern as a NUL-terminated string (whether embedded
 * NULs are supported is not shown here).
 * \param depth Presumably the number of leading bytes within which the
 * pattern must be found -- confirm against the definition.
 * \param offset Presumably the byte offset at which matching starts --
 * confirm against the definition.
 * \param direction The direction bitfield - STREAM_TOSERVER/STREAM_TOCLIENT.
 *
 * \retval int Meaning not documented in this header; check the definition
 * before treating it as an error code.
 */
int AppLayerProtoDetectPMRegisterPatternCI(uint8_t ipproto, AppProto alproto,
 const char *pattern,
 uint16_t depth, uint16_t offset,
 uint8_t direction);
97 
98 /***** Setup/General Registration *****/
99 
/**
 * \brief The first function to be called. This initializes a global
 * protocol detection context.
 *
 * AppLayerProtoDetectRegisterProtocol() and the other registration calls in
 * this header expect this to have run; check the return value rather than
 * proceeding on failure.
 *
 * \retval 0 On success;
 * \retval -1 On failure.
 */
int AppLayerProtoDetectSetup(void);
108 
109 /**
110  * \brief Reset proto detect for flow
111  */
113 
/**
 * \brief Requests that the app layer wrap up the current protocol on the
 * flow and rerun protocol detection.
 *
 * \param f Pointer to the flow.
 * \param dp Port used for the rerun (presumably the destination port; the
 * meaning of "dp" is not shown here -- confirm against the definition).
 * \param expect_proto The app layer protocol the rerun is expected to find.
 */
void AppLayerRequestProtocolChange(Flow *f, uint16_t dp, AppProto expect_proto);
116 
117 /**
118  * \brief Cleans up the app layer protocol detection phase.
119  */
121 
/**
 * \brief Registers a protocol for protocol detection phase.
 *
 * This is the first function to be called after calling the
 * setup function, AppLayerProtoDetectSetup(), before calling any other
 * app layer functions, AppLayerParser or AppLayerProtoDetect, alike.
 * With this function you are associating/registering a string
 * that can be used by users to write rules, i.e.
 * you register the http protocol for protocol detection using
 * AppLayerProtoDetectRegisterProtocol(ALPROTO_HTTP, "http"),
 * following which you can write rules like -
 * alert http any any -> any any (sid:1;)
 * which basically matches on the HTTP protocol.
 *
 * \param alproto The protocol.
 * \param alproto_name The string to associate with the above "alproto".
 * Please send a static string that won't be destroyed
 * post making this call, since this function won't
 * create a copy of the received argument.
 *
 * Returns void: failure is not reported to the caller (an earlier version
 * of this comment documented 0/-1 return values, which no longer apply).
 */
void AppLayerProtoDetectRegisterProtocol(AppProto alproto, const char *alproto_name);
146 
/**
 * \brief Given a protocol name, checks if proto detection is enabled in
 * the conf file.
 *
 * \param ipproto Name of the ip protocol (the exact strings accepted are
 * not shown here -- confirm against the definition).
 * \param alproto Name of the app layer protocol.
 *
 * \retval 1 If enabled.
 * \retval 0 If disabled.
 */
int AppLayerProtoDetectConfProtoDetectionEnabled(const char *ipproto,
 const char *alproto);
158 
159 /**
160  * \brief Inits and returns an app layer protocol detection thread context.
161 
 * Takes no arguments: the thread context is presumably derived from the
 * global detection context that AppLayerProtoDetectSetup() initializes.
163  *
164  * \retval Pointer to the thread context, on success;
165  * NULL, on failure.
166  */
168 
169 /**
170  * \brief Destroys the app layer protocol detection thread context.
171  *
172  * \param tctx Pointer to the app layer protocol detection thread context.
173  */
175 
176 /***** Utility *****/
177 
/**
 * \brief Reports which ip protocols the given app layer protocol is
 * registered on.
 *
 * \param alproto The app layer protocol.
 * \param ipprotos Presumably an output array written by the function; the
 * caller owns it and must size it correctly, but the expected length is not
 * shown here -- confirm against the definition.
 */
void AppLayerProtoDetectSupportedIpprotos(AppProto alproto, uint8_t *ipprotos);
/**
 * \brief Looks up an app layer protocol by its registered name.
 *
 * \param alproto_name Name as registered with
 * AppLayerProtoDetectRegisterProtocol().
 *
 * \retval The app layer protocol. The value returned for an unknown name is
 * not shown here -- confirm before relying on it.
 */
AppProto AppLayerProtoDetectGetProtoByName(const char *alproto_name);
/**
 * \brief Returns the name registered for an app layer protocol.
 *
 * \param alproto The app layer protocol.
 *
 * \retval Pointer to the registered name string; per the lifetime note on
 * AppLayerProtoDetectRegisterProtocol() this is the caller-supplied static
 * string, not a copy, so it must not be freed.
 */
const char *AppLayerProtoDetectGetProtoName(AppProto alproto);
182 
/**
 * \brief Registers the app layer protocol to use for an expectation on the
 * given ip protocol.
 *
 * What an "expectation" is and how it is consumed is not shown in this
 * header -- confirm against the definition before relying on it.
 *
 * \param proto The ip protocol.
 * \param alproto The app layer protocol to associate with the expectation.
 */
void AppLayerRegisterExpectationProto(uint8_t proto, AppProto alproto);
184 
185 /***** Unittests *****/
186 
187 #ifdef UNITTESTS
188 
189 /**
190  * \brief Backs up the internal context used by the app layer proto detection
191  * module.
192  */
194 
195 /**
196  * \brief Restores back the internal context used by the app layer proto
197  * detection module, that was previously backed up by calling
198  * AppLayerProtoDetectUnittestCtxBackup().
199  */
201 
202 /**
203  * \brief Register unittests for app layer proto detection module.
204  */
206 
207 #endif /* UNITTESTS */
208 
209 #endif /* __APP_LAYER_DETECT_PROTO__H__ */