suricata
app-layer-events.c
Go to the documentation of this file.
1 /* Copyright (C) 2014-2024 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  */
24 
25 #include "suricata-common.h"
26 #include "rust.h"
27 #include "app-layer-events.h"
28 #include "util-enum.h"
29 
30 int SCAppLayerGetEventIdByName(const char *event_name, SCEnumCharMap *table, uint8_t *event_id)
31 {
32  int value = SCMapEnumNameToValue(event_name, table);
33  if (value == -1) {
34  SCLogError("event \"%s\" not present in enum table.", event_name);
35  /* this should be treated as fatal */
36  return -1;
37  } else if (value < -1 || value > UINT8_MAX) {
38  SCLogError("event \"%s\" has out of range value", event_name);
39  /* this should be treated as fatal */
40  return -1;
41  }
42  *event_id = (uint8_t)value;
43  return 0;
44 }
45 
46 /* events raised during protocol detection are stored in the
47  * packets storage, not in the flow. */
49  { "APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS",
51  { "APPLAYER_WRONG_DIRECTION_FIRST_DATA",
53  { "APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION",
55  { "APPLAYER_PROTO_DETECTION_SKIPPED",
57  { "APPLAYER_NO_TLS_AFTER_STARTTLS",
59  { "APPLAYER_UNEXPECTED_PROTOCOL",
61  { NULL,
62  -1 },
63 };
64 
66  uint8_t event_id, const char **event_name, AppLayerEventType *event_type)
67 {
68  *event_name = SCMapEnumValueToName(event_id, app_layer_event_pkt_table);
69  if (*event_name == NULL) {
70  SCLogError("event \"%d\" not present in "
71  "app-layer-event's enum map table.",
72  event_id);
73  /* yes this is fatal */
74  return -1;
75  }
76 
77  *event_type = APP_LAYER_EVENT_TYPE_PACKET;
78 
79  return 0;
80 }
81 
82 int AppLayerGetPktEventInfo(const char *event_name, uint8_t *event_id)
83 {
84  return SCAppLayerGetEventIdByName(event_name, app_layer_event_pkt_table, event_id);
85 }
86 
87 #define DECODER_EVENTS_BUFFER_STEPS 8
88 
89 /**
90  * \brief Set an app layer decoder event.
91  *
92  * \param sevents Pointer to a AppLayerDecoderEvents pointer. If *sevents is NULL
93  * memory will be allocated.
94  * \param event The event to be stored.
95  */
97 {
98  if (*sevents == NULL) {
99  AppLayerDecoderEvents *new_devents = SCCalloc(1, sizeof(AppLayerDecoderEvents));
100  if (new_devents == NULL)
101  return;
102 
103  *sevents = new_devents;
104 
105  }
106  if ((*sevents)->cnt == UCHAR_MAX) {
107  /* we're full */
108  return;
109  }
110  if ((*sevents)->cnt == (*sevents)->events_buffer_size) {
111  int steps = DECODER_EVENTS_BUFFER_STEPS;
112  if (UCHAR_MAX - (*sevents)->cnt < steps)
113  steps = UCHAR_MAX - (*sevents)->cnt < steps;
114 
115  void *ptr = SCRealloc((*sevents)->events,
116  ((*sevents)->cnt + steps) * sizeof(uint8_t));
117  if (ptr == NULL) {
118  /* couldn't grow buffer, but no reason to free old
119  * so we keep the events that may already be here */
120  return;
121  }
122  (*sevents)->events = ptr;
123  (*sevents)->events_buffer_size += steps;
124  }
125 
126  (*sevents)->events[(*sevents)->cnt++] = event;
127 }
128 
130 {
131  if (events != NULL) {
132  events->cnt = 0;
133  events->event_last_logged = 0;
134  }
135 }
136 
138 {
139  if (events && *events != NULL) {
140  if ((*events)->events != NULL)
141  SCFree((*events)->events);
142  SCFree(*events);
143  *events = NULL;
144  }
145 }
146 
148  { "NO_MEMORY", FILE_DECODER_EVENT_NO_MEM },
149  { "INVALID_SWF_LENGTH", FILE_DECODER_EVENT_INVALID_SWF_LENGTH },
150  { "INVALID_SWF_VERSION", FILE_DECODER_EVENT_INVALID_SWF_VERSION },
151  { "Z_DATA_ERROR", FILE_DECODER_EVENT_Z_DATA_ERROR },
152  { "Z_STREAM_ERROR", FILE_DECODER_EVENT_Z_STREAM_ERROR },
153  { "Z_BUF_ERROR", FILE_DECODER_EVENT_Z_BUF_ERROR },
154  { "Z_UNKNOWN_ERROR", FILE_DECODER_EVENT_Z_UNKNOWN_ERROR },
155  { "LZMA_IO_ERROR", FILE_DECODER_EVENT_LZMA_IO_ERROR },
156  { "LZMA_HEADER_TOO_SHORT_ERROR", FILE_DECODER_EVENT_LZMA_HEADER_TOO_SHORT_ERROR },
157  { "LZMA_DECODER_ERROR", FILE_DECODER_EVENT_LZMA_DECODER_ERROR },
158  { "LZMA_MEMLIMIT_ERROR", FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR },
159  { "LZMA_XZ_ERROR", FILE_DECODER_EVENT_LZMA_XZ_ERROR },
160  { "LZMA_UNKNOWN_ERROR", FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR },
161  {
162  "TOO_MANY_BUFFERS",
164  },
165  {
166  "POST_MATCH_QUEUE_FAILED",
168  },
169  { NULL, -1 },
170 };
171 
173  const char *event_name, uint8_t *event_id, AppLayerEventType *event_type)
174 {
175  if (SCAppLayerGetEventIdByName(event_name, det_ctx_event_table, event_id) == 0) {
176  *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION;
177  return 0;
178  }
179  return -1;
180 }
APPLAYER_UNEXPECTED_PROTOCOL
@ APPLAYER_UNEXPECTED_PROTOCOL
Definition: app-layer-events.h:51
FILE_DECODER_EVENT_LZMA_HEADER_TOO_SHORT_ERROR
@ FILE_DECODER_EVENT_LZMA_HEADER_TOO_SHORT_ERROR
Definition: detect.h:1476
FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR
@ FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR
Definition: detect.h:1480
FILE_DECODER_EVENT_LZMA_XZ_ERROR
@ FILE_DECODER_EVENT_LZMA_XZ_ERROR
Definition: detect.h:1479
FILE_DECODER_EVENT_INVALID_SWF_LENGTH
@ FILE_DECODER_EVENT_INVALID_SWF_LENGTH
Definition: detect.h:1469
FILE_DECODER_EVENT_LZMA_DECODER_ERROR
@ FILE_DECODER_EVENT_LZMA_DECODER_ERROR
Definition: detect.h:1477
det_ctx_event_table
SCEnumCharMap det_ctx_event_table[]
Definition: app-layer-events.c:147
AppLayerDecoderEvents_::event_last_logged
uint8_t event_last_logged
Definition: app-layer-events.h:41
rust.h
AppLayerEventType
enum AppLayerEventType AppLayerEventType
Definition: app-layer-parser.h:43
DetectEngineGetEventInfo
int DetectEngineGetEventInfo(const char *event_name, uint8_t *event_id, AppLayerEventType *event_type)
Definition: app-layer-events.c:172
APPLAYER_PROTO_DETECTION_SKIPPED
@ APPLAYER_PROTO_DETECTION_SKIPPED
Definition: app-layer-events.h:49
AppLayerDecoderEventsResetEvents
void AppLayerDecoderEventsResetEvents(AppLayerDecoderEvents *events)
Definition: app-layer-events.c:129
FILE_DECODER_EVENT_Z_BUF_ERROR
@ FILE_DECODER_EVENT_Z_BUF_ERROR
Definition: detect.h:1473
AppLayerDecoderEvents_
Data structure to store app layer decoder events.
Definition: app-layer-events.h:33
FILE_DECODER_EVENT_Z_STREAM_ERROR
@ FILE_DECODER_EVENT_Z_STREAM_ERROR
Definition: detect.h:1472
SCAppLayerDecoderEventsSetEventRaw
void SCAppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
Definition: app-layer-events.c:96
APPLAYER_NO_TLS_AFTER_STARTTLS
@ APPLAYER_NO_TLS_AFTER_STARTTLS
Definition: app-layer-events.h:50
FILE_DECODER_EVENT_LZMA_IO_ERROR
@ FILE_DECODER_EVENT_LZMA_IO_ERROR
Definition: detect.h:1475
APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
@ APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
Definition: app-layer-events.h:46
AppLayerGetPktEventInfo
int AppLayerGetPktEventInfo(const char *event_name, uint8_t *event_id)
Definition: app-layer-events.c:82
FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR
@ FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR
Definition: detect.h:1478
AppLayerDecoderEvents_::cnt
uint8_t cnt
Definition: app-layer-events.h:37
DETECT_EVENT_TOO_MANY_BUFFERS
@ DETECT_EVENT_TOO_MANY_BUFFERS
Definition: detect.h:1482
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
DETECT_EVENT_POST_MATCH_QUEUE_FAILED
@ DETECT_EVENT_POST_MATCH_QUEUE_FAILED
Definition: detect.h:1483
SCMapEnumValueToName
const char * SCMapEnumValueToName(int enum_value, SCEnumCharMap *table)
Maps an enum value to a string name, from the supplied table.
Definition: util-enum.c:68
app_layer_event_pkt_table
SCEnumCharMap app_layer_event_pkt_table[]
Definition: app-layer-events.c:48
SCMapEnumNameToValue
int SCMapEnumNameToValue(const char *enum_name, SCEnumCharMap *table)
Maps a string name to an enum value from the supplied table. Please specify the last element of any m...
Definition: util-enum.c:40
suricata-common.h
SCEnumCharMap_
Definition: util-enum.h:27
DECODER_EVENTS_BUFFER_STEPS
#define DECODER_EVENTS_BUFFER_STEPS
Definition: app-layer-events.c:87
APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
@ APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
Definition: app-layer-events.h:48
SCAppLayerDecoderEventsFreeEvents
void SCAppLayerDecoderEventsFreeEvents(AppLayerDecoderEvents **events)
Definition: app-layer-events.c:137
app-layer-events.h
FILE_DECODER_EVENT_Z_DATA_ERROR
@ FILE_DECODER_EVENT_Z_DATA_ERROR
Definition: detect.h:1471
FILE_DECODER_EVENT_Z_UNKNOWN_ERROR
@ FILE_DECODER_EVENT_Z_UNKNOWN_ERROR
Definition: detect.h:1474
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:271
SCFree
#define SCFree(p)
Definition: util-mem.h:61
FILE_DECODER_EVENT_INVALID_SWF_VERSION
@ FILE_DECODER_EVENT_INVALID_SWF_VERSION
Definition: detect.h:1470
AppLayerGetEventInfoById
int AppLayerGetEventInfoById(uint8_t event_id, const char **event_name, AppLayerEventType *event_type)
Definition: app-layer-events.c:65
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
util-enum.h
APPLAYER_WRONG_DIRECTION_FIRST_DATA
@ APPLAYER_WRONG_DIRECTION_FIRST_DATA
Definition: app-layer-events.h:47
FILE_DECODER_EVENT_NO_MEM
@ FILE_DECODER_EVENT_NO_MEM
Definition: detect.h:1468
SCAppLayerGetEventIdByName
int SCAppLayerGetEventIdByName(const char *event_name, SCEnumCharMap *table, uint8_t *event_id)
Definition: app-layer-events.c:30