suricata
app-layer-events.c
Go to the documentation of this file.
1 /* Copyright (C) 2014-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  */
24 
25 #include "suricata-common.h"
26 #include "decode.h"
27 #include "flow.h"
28 #include "app-layer-events.h"
29 #include "app-layer-parser.h"
30 #include "util-enum.h"
31 
32 /* events raised during protocol detection are stored in the
33  * packets storage, not in the flow. */
34 SCEnumCharMap app_layer_event_pkt_table[ ] = {
35  { "APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS",
36  APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS },
37  { "APPLAYER_WRONG_DIRECTION_FIRST_DATA",
38  APPLAYER_WRONG_DIRECTION_FIRST_DATA },
39  { "APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION",
40  APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION },
41  { "APPLAYER_PROTO_DETECTION_SKIPPED",
42  APPLAYER_PROTO_DETECTION_SKIPPED },
43  { "APPLAYER_NO_TLS_AFTER_STARTTLS",
44  APPLAYER_NO_TLS_AFTER_STARTTLS },
45  { "APPLAYER_UNEXPECTED_PROTOCOL",
46  APPLAYER_UNEXPECTED_PROTOCOL },
47  { NULL,
48  -1 },
49 };
50 
51 int AppLayerGetEventInfoById(int event_id, const char **event_name,
52  AppLayerEventType *event_type)
53 {
54  *event_name = SCMapEnumValueToName(event_id, app_layer_event_pkt_table);
55  if (*event_name == NULL) {
56  SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%d\" not present in "
57  "app-layer-event's enum map table.", event_id);
58  /* yes this is fatal */
59  return -1;
60  }
61 
62  *event_type = APP_LAYER_EVENT_TYPE_PACKET;
63 
64  return 0;
65 }
66 
67 int AppLayerGetPktEventInfo(const char *event_name, int *event_id)
68 {
69  *event_id = SCMapEnumNameToValue(event_name, app_layer_event_pkt_table);
70  if (*event_id == -1) {
71  SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%s\" not present in "
72  "app-layer-event's packet event table.", event_name);
73  /* this should be treated as fatal */
74  return -1;
75  }
76 
77  return 0;
78 }
79 
80 #define DECODER_EVENTS_BUFFER_STEPS 8
81 
82 /**
83  * \brief Set an app layer decoder event.
84  *
85  * \param sevents Pointer to a AppLayerDecoderEvents pointer. If *sevents is NULL
86  * memory will be allocated.
87  * \param event The event to be stored.
88  */
89 void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
90 {
91  if (*sevents == NULL) {
92  AppLayerDecoderEvents *new_devents = SCMalloc(sizeof(AppLayerDecoderEvents));
93  if (new_devents == NULL)
94  return;
95 
96  memset(new_devents, 0, sizeof(AppLayerDecoderEvents));
97  *sevents = new_devents;
98 
99  }
100  if ((*sevents)->cnt == UCHAR_MAX) {
101  /* we're full */
102  return;
103  }
104  if ((*sevents)->cnt == (*sevents)->events_buffer_size) {
105  int steps = DECODER_EVENTS_BUFFER_STEPS;
106  if (UCHAR_MAX - (*sevents)->cnt < steps)
107  steps = UCHAR_MAX - (*sevents)->cnt < steps;
108 
109  void *ptr = SCRealloc((*sevents)->events,
110  ((*sevents)->cnt + steps) * sizeof(uint8_t));
111  if (ptr == NULL) {
112  /* couldn't grow buffer, but no reason to free old
113  * so we keep the events that may already be here */
114  return;
115  }
116  (*sevents)->events = ptr;
117  (*sevents)->events_buffer_size += steps;
118  }
119 
120  (*sevents)->events[(*sevents)->cnt++] = event;
121 }
122 
123 void AppLayerDecoderEventsResetEvents(AppLayerDecoderEvents *events)
124 {
125  if (events != NULL)
126  events->cnt = 0;
127 }
128 
129 
130 void AppLayerDecoderEventsFreeEvents(AppLayerDecoderEvents **events)
131 {
132  if (events && *events != NULL) {
133  if ((*events)->events != NULL)
134  SCFree((*events)->events);
135  SCFree(*events);
136  *events = NULL;
137  }
138 }
139 
APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
@ APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
Definition: app-layer-events.h:47
APPLAYER_WRONG_DIRECTION_FIRST_DATA
@ APPLAYER_WRONG_DIRECTION_FIRST_DATA
Definition: app-layer-events.h:48
AppLayerEventType
enum AppLayerEventType_ AppLayerEventType
AppLayerDecoderEventsFreeEvents
void AppLayerDecoderEventsFreeEvents(AppLayerDecoderEvents **events)
Definition: app-layer-events.c:130
AppLayerDecoderEventsResetEvents
void AppLayerDecoderEventsResetEvents(AppLayerDecoderEvents *events)
Definition: app-layer-events.c:123
AppLayerDecoderEvents_
Data structure to store app layer decoder events.
Definition: app-layer-events.h:34
APP_LAYER_EVENT_TYPE_PACKET
@ APP_LAYER_EVENT_TYPE_PACKET
Definition: app-layer-events.h:58
APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
@ APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
Definition: app-layer-events.h:49
decode.h
APPLAYER_PROTO_DETECTION_SKIPPED
@ APPLAYER_PROTO_DETECTION_SKIPPED
Definition: app-layer-events.h:50
APPLAYER_NO_TLS_AFTER_STARTTLS
@ APPLAYER_NO_TLS_AFTER_STARTTLS
Definition: app-layer-events.h:51
AppLayerGetEventInfoById
int AppLayerGetEventInfoById(int event_id, const char **event_name, AppLayerEventType *event_type)
Definition: app-layer-events.c:51
app-layer-parser.h
AppLayerDecoderEvents_::cnt
uint8_t cnt
Definition: app-layer-events.h:38
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
SCMapEnumValueToName
const char * SCMapEnumValueToName(int enum_value, SCEnumCharMap *table)
Maps an enum value to a string name, from the supplied table.
Definition: util-enum.c:68
app_layer_event_pkt_table
SCEnumCharMap app_layer_event_pkt_table[]
Definition: app-layer-events.c:34
SCMapEnumNameToValue
int SCMapEnumNameToValue(const char *enum_name, SCEnumCharMap *table)
Maps a string name to an enum value from the supplied table. Please specify the last element of any m...
Definition: util-enum.c:40
suricata-common.h
SCEnumCharMap_
Definition: util-enum.h:27
AppLayerDecoderEventsSetEventRaw
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
Definition: app-layer-events.c:89
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
DECODER_EVENTS_BUFFER_STEPS
#define DECODER_EVENTS_BUFFER_STEPS
Definition: app-layer-events.c:80
app-layer-events.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCFree
#define SCFree(p)
Definition: util-mem.h:61
AppLayerGetPktEventInfo
int AppLayerGetPktEventInfo(const char *event_name, int *event_id)
Definition: app-layer-events.c:67
SC_ERR_INVALID_ENUM_MAP
@ SC_ERR_INVALID_ENUM_MAP
Definition: util-error.h:45
flow.h
APPLAYER_UNEXPECTED_PROTOCOL
@ APPLAYER_UNEXPECTED_PROTOCOL
Definition: app-layer-events.h:52
util-enum.h