suricata
app-layer-ftp.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2025 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Pablo Rincon Crespo <pablo.rincon.crespo@gmail.com>
22  * \author Eric Leblond <eric@regit.org>
23  * \author Jeff Lucovsky <jlucovsky@oisf.net>
24  *
25  * App Layer Parser for FTP
26  */
27 
28 #include "suricata-common.h"
29 
30 #include "app-layer-ftp.h"
31 #include "app-layer.h"
32 #include "app-layer-parser.h"
33 #include "app-layer-expectation.h"
34 #include "app-layer-detect-proto.h"
35 #include "app-layer-events.h"
36 
37 #include "rust.h"
38 
39 #include "util-misc.h"
40 #include "util-mpm.h"
41 #include "util-validate.h"
42 
43 typedef struct FTPThreadCtx_ {
47 
48 #define FTP_MPM mpm_default_matcher
49 
50 static MpmCtx *ftp_mpm_ctx = NULL;
51 
52 uint64_t ftp_config_memcap = 0;
53 uint32_t ftp_config_maxtx = 1024;
54 uint32_t ftp_max_line_len = 4096;
55 
56 SC_ATOMIC_DECLARE(uint64_t, ftp_memuse);
57 SC_ATOMIC_DECLARE(uint64_t, ftp_memcap);
58 
59 static FTPTransaction *FTPGetOldestTx(const FtpState *, FTPTransaction *);
60 
61 static void FTPParseMemcap(void)
62 {
63  SCFTPGetConfigValues(&ftp_config_memcap, &ftp_config_maxtx, &ftp_max_line_len);
64 
65  SC_ATOMIC_INIT(ftp_memuse);
66  SC_ATOMIC_INIT(ftp_memcap);
67 }
68 
69 static void FTPIncrMemuse(uint64_t size)
70 {
71  (void)SC_ATOMIC_ADD(ftp_memuse, size);
72 }
73 
74 static void FTPDecrMemuse(uint64_t size)
75 {
76  (void)SC_ATOMIC_SUB(ftp_memuse, size);
77 }
78 
79 uint64_t FTPMemuseGlobalCounter(void)
80 {
81  uint64_t tmpval = SC_ATOMIC_GET(ftp_memuse);
82  return tmpval;
83 }
84 
85 uint64_t FTPMemcapGlobalCounter(void)
86 {
87  uint64_t tmpval = SC_ATOMIC_GET(ftp_memcap);
88  return tmpval;
89 }
90 
91 int FTPSetMemcap(uint64_t size)
92 {
93  if ((uint64_t)SC_ATOMIC_GET(ftp_memcap) < size) {
94  SC_ATOMIC_SET(ftp_memcap, size);
95  return 1;
96  }
97 
98  return 0;
99 }
100 
101 /**
102  * \brief Check if alloc'ing "size" would mean we're over memcap
103  *
104  * \retval 1 if in bounds
105  * \retval 0 if not in bounds
106  */
107 static int FTPCheckMemcap(uint64_t size)
108 {
109  if (ftp_config_memcap == 0 || size + SC_ATOMIC_GET(ftp_memuse) <= ftp_config_memcap)
110  return 1;
111  (void) SC_ATOMIC_ADD(ftp_memcap, 1);
112  return 0;
113 }
114 
115 static void *FTPCalloc(size_t n, size_t size)
116 {
117  if (FTPCheckMemcap((uint32_t)(n * size)) == 0) {
119  return NULL;
120  }
121 
122  void *ptr = SCCalloc(n, size);
123 
124  if (unlikely(ptr == NULL)) {
126  return NULL;
127  }
128 
129  FTPIncrMemuse((uint64_t)(n * size));
130  return ptr;
131 }
132 
133 static void *FTPRealloc(void *ptr, size_t orig_size, size_t size)
134 {
135  if (FTPCheckMemcap((uint32_t)(size - orig_size)) == 0) {
137  return NULL;
138  }
139 
140  void *rptr = SCRealloc(ptr, size);
141  if (rptr == NULL) {
143  return NULL;
144  }
145 
146  if (size > orig_size) {
147  FTPIncrMemuse(size - orig_size);
148  } else {
149  FTPDecrMemuse(orig_size - size);
150  }
151 
152  return rptr;
153 }
154 
155 static void FTPFree(void *ptr, size_t size)
156 {
157  SCFree(ptr);
158 
159  FTPDecrMemuse((uint64_t)size);
160 }
161 
162 static FTPResponseWrapper *FTPResponseWrapperAlloc(FTPResponseLine *response)
163 {
164  FTPResponseWrapper *wrapper = FTPCalloc(1, sizeof(FTPResponseWrapper));
165  if (likely(wrapper)) {
166  FTPIncrMemuse(response->total_size);
167  wrapper->response = response;
168  }
169  return wrapper;
170 }
171 
172 static void FTPResponseWrapperFree(FTPResponseWrapper *wrapper)
173 {
174  if (wrapper->response) {
175  FTPDecrMemuse(wrapper->response->total_size);
176  SCFTPFreeResponseLine(wrapper->response);
177  }
178 
179  FTPFree(wrapper, sizeof(FTPResponseWrapper));
180 }
181 
182 static void *FTPLocalStorageAlloc(void)
183 {
184  /* needed by the mpm */
185  FTPThreadCtx *td = SCCalloc(1, sizeof(*td));
186  if (td == NULL) {
187  exit(EXIT_FAILURE);
188  }
189 
190  td->pmq = SCCalloc(1, sizeof(*td->pmq));
191  if (td->pmq == NULL) {
192  exit(EXIT_FAILURE);
193  }
194  PmqSetup(td->pmq);
195 
196  td->ftp_mpm_thread_ctx = SCCalloc(1, sizeof(MpmThreadCtx));
197  if (unlikely(td->ftp_mpm_thread_ctx == NULL)) {
198  exit(EXIT_FAILURE);
199  }
201  return td;
202 }
203 
204 static void FTPLocalStorageFree(void *ptr)
205 {
206  FTPThreadCtx *td = ptr;
207  if (td != NULL) {
208  if (td->pmq != NULL) {
209  PmqFree(td->pmq);
210  SCFree(td->pmq);
211  }
212 
213  if (td->ftp_mpm_thread_ctx != NULL) {
216  }
217 
218  SCFree(td);
219  }
220 }
221 static FTPTransaction *FTPTransactionCreate(FtpState *state)
222 {
223  SCEnter();
224  FTPTransaction *firsttx = TAILQ_FIRST(&state->tx_list);
225  if (firsttx && state->tx_cnt - firsttx->tx_id > ftp_config_maxtx) {
226  // FTP does not set events yet...
227  return NULL;
228  }
229  FTPTransaction *tx = FTPCalloc(1, sizeof(*tx));
230  if (tx == NULL) {
231  return NULL;
232  }
233 
234  TAILQ_INSERT_TAIL(&state->tx_list, tx, next);
235  tx->tx_id = state->tx_cnt++;
236 
237  TAILQ_INIT(&tx->response_list);
238 
239  SCLogDebug("new transaction %p (state tx cnt %"PRIu64")", tx, state->tx_cnt);
240  return tx;
241 }
242 
243 static void FTPTransactionFree(FTPTransaction *tx)
244 {
245  SCEnter();
246 
247  SCAppLayerTxDataCleanup(&tx->tx_data);
248 
249  if (tx->request) {
250  FTPFree(tx->request, tx->request_length);
251  }
252 
253  FTPResponseWrapper *wrapper;
254  while ((wrapper = TAILQ_FIRST(&tx->response_list))) {
255  TAILQ_REMOVE(&tx->response_list, wrapper, next);
256  FTPResponseWrapperFree(wrapper);
257  }
258 
259  FTPFree(tx, sizeof(*tx));
260 }
261 
262 typedef struct FtpInput_ {
263  const uint8_t *buf;
264  int32_t consumed;
265  int32_t len;
266  int32_t orig_len;
268 
269 static AppLayerResult FTPGetLineForDirection(
270  FtpLineState *line, FtpInput *input, bool *current_line_truncated)
271 {
272  SCEnter();
273 
274  /* we have run out of input */
275  if (input->len <= 0)
276  return APP_LAYER_ERROR;
277 
278  uint8_t *lf_idx = memchr(input->buf + input->consumed, 0x0a, input->len);
279 
280  if (lf_idx == NULL) {
281  if (!(*current_line_truncated) && (uint32_t)input->len >= ftp_max_line_len) {
282  *current_line_truncated = true;
283  line->buf = input->buf;
284  line->len = ftp_max_line_len;
285  line->delim_len = 0;
286  input->len = 0;
288  }
289  SCReturnStruct(APP_LAYER_INCOMPLETE(input->consumed, input->len + 1));
290  } else if (*current_line_truncated) {
291  // Whatever came in with first LF should also get discarded
292  *current_line_truncated = false;
293  line->len = 0;
294  line->delim_len = 0;
295  input->len = 0;
297  } else {
298  // There could be one chunk of command data that has LF but post the line limit
299  // e.g. input_len = 5077
300  // lf_idx = 5010
301  // max_line_len = 4096
302  uint32_t o_consumed = input->consumed;
303  input->consumed = (uint32_t)(lf_idx - input->buf + 1);
304  line->len = input->consumed - o_consumed;
305  input->len -= line->len;
306  line->lf_found = true;
307  DEBUG_VALIDATE_BUG_ON((input->consumed + input->len) != input->orig_len);
308  line->buf = input->buf + o_consumed;
309  if (line->len >= ftp_max_line_len) {
310  *current_line_truncated = true;
311  line->len = ftp_max_line_len;
313  }
314  if (input->consumed >= 2 && input->buf[input->consumed - 2] == 0x0D) {
315  line->delim_len = 2;
316  line->len -= 2;
317  } else {
318  line->delim_len = 1;
319  line->len -= 1;
320  }
322  }
323 }
324 
325 /**
326  * \brief This function is called to determine and set which command is being
327  * transferred to the ftp server
328  * \param thread context
329  * \param input input line of the command
330  * \param len of the command
331  * \param cmd_descriptor when the command has been parsed
332  *
333  * \retval 1 when the command is parsed, 0 otherwise
334  */
335 static int FTPParseRequestCommand(
336  FTPThreadCtx *td, FtpLineState *line, FtpCommandInfo *cmd_descriptor)
337 {
338  SCEnter();
339 
340  /* I don't like this pmq reset here. We'll devise a method later, that
341  * should make the use of the mpm very efficient */
342  PmqReset(td->pmq);
343  int mpm_cnt = mpm_table[FTP_MPM].Search(
344  ftp_mpm_ctx, td->ftp_mpm_thread_ctx, td->pmq, line->buf, line->len);
345  if (mpm_cnt) {
346  uint8_t command_code;
347  if (SCGetFtpCommandInfo(td->pmq->rule_id_array[0], NULL, &command_code, NULL)) {
348  cmd_descriptor->command_code = command_code;
349  /* FTP command indices are expressed in Rust as a u8 */
350  cmd_descriptor->command_index = (uint8_t)td->pmq->rule_id_array[0];
351  SCReturnInt(1);
352  } else {
353  /* Where is out command? */
355  }
356 #ifdef DEBUG
357  if (SCLogDebugEnabled()) {
358  const char *command_name = NULL;
359  (void)SCGetFtpCommandInfo(td->pmq->rule_id_array[0], &command_name, NULL, NULL);
360  SCLogDebug("matching FTP command is %s [code: %d, index %d]", command_name,
361  command_code, td->pmq->rule_id_array[0]);
362  }
363 #endif
364  }
365 
366  cmd_descriptor->command_code = FTP_COMMAND_UNKNOWN;
367  SCReturnInt(0);
368 }
369 
370 static void FtpTransferCmdFree(void *data)
371 {
372  FtpTransferCmd *cmd = (FtpTransferCmd *)data;
373  if (cmd == NULL)
374  return;
375  if (cmd->file_name) {
376  FTPFree((void *)cmd->file_name, cmd->file_len + 1);
377  }
378  SCFTPTransferCmdFree(cmd);
379  FTPDecrMemuse((uint64_t)sizeof(FtpTransferCmd));
380 }
381 
382 static uint32_t CopyCommandLine(uint8_t **dest, FtpLineState *line)
383 {
384  if (likely(line->len)) {
385  uint8_t *where = FTPCalloc(line->len + 1, sizeof(char));
386  if (unlikely(where == NULL)) {
387  return 0;
388  }
389  memcpy(where, line->buf, line->len);
390 
391  /* Remove trailing newlines/carriage returns */
392  while (line->len && isspace((unsigned char)where[line->len - 1])) {
393  line->len--;
394  }
395 
396  where[line->len] = '\0';
397  *dest = where;
398  }
399  /* either 0 or actual */
400  return line->len ? line->len + 1 : 0;
401 }
402 
403 #include "util-print.h"
404 
405 /**
406  * \brief This function is called to retrieve a ftp request
407  * \param ftp_state the ftp state structure for the parser
408  *
409  * \retval APP_LAYER_OK when input was process successfully
410  * \retval APP_LAYER_ERROR when a unrecoverable error was encountered
411  */
412 static AppLayerResult FTPParseRequest(Flow *f, void *ftp_state, AppLayerParserState *pstate,
413  StreamSlice stream_slice, void *local_data)
414 {
415  FTPThreadCtx *thread_data = local_data;
416 
417  SCEnter();
418  /* PrintRawDataFp(stdout, input,input_len); */
419 
420  FtpState *state = (FtpState *)ftp_state;
421  void *ptmp;
422 
423  const uint8_t *input = StreamSliceGetData(&stream_slice);
424  uint32_t input_len = StreamSliceGetDataLen(&stream_slice);
425 
426  if (input == NULL && SCAppLayerParserStateIssetFlag(pstate, APP_LAYER_PARSER_EOF_TS)) {
428  } else if (input == NULL || input_len == 0) {
430  }
431 
432  FtpInput ftpi = { .buf = input, .len = input_len, .orig_len = input_len, .consumed = 0 };
433  FtpLineState line = { .buf = NULL, .len = 0, .delim_len = 0, .lf_found = false };
434 
435  uint8_t direction = STREAM_TOSERVER;
436  AppLayerResult res;
437  while (1) {
438  res = FTPGetLineForDirection(&line, &ftpi, &state->current_line_truncated_ts);
439  if (res.status == 1) {
440  return res;
441  } else if (res.status == -1) {
442  break;
443  }
444 
445  FtpCommandInfo cmd_descriptor;
446  if (!FTPParseRequestCommand(thread_data, &line, &cmd_descriptor)) {
447  state->command = FTP_COMMAND_UNKNOWN;
448  continue;
449  }
450 
451  state->command = cmd_descriptor.command_code;
452  FTPTransaction *tx = FTPTransactionCreate(state);
453  if (unlikely(tx == NULL))
455  tx->tx_data.updated_ts = true;
456  state->curr_tx = tx;
457 
458  tx->command_descriptor = cmd_descriptor;
459  tx->request_length = CopyCommandLine(&tx->request, &line);
461 
462  if (line.lf_found) {
463  state->current_line_truncated_ts = false;
464  }
465  if (tx->request_truncated) {
466  SCAppLayerDecoderEventsSetEventRaw(&tx->tx_data.events, FtpEventRequestCommandTooLong);
467  }
468 
469  /* change direction (default to server) so expectation will handle
470  * the correct message when expectation will match.
471  * For ftp active mode, data connection direction is opposite to
472  * control direction.
473  */
474  if ((state->active && state->command == FTP_COMMAND_STOR) ||
475  (!state->active && state->command == FTP_COMMAND_RETR)) {
476  direction = STREAM_TOCLIENT;
477  }
478 
479  switch (state->command) {
480  case FTP_COMMAND_EPRT:
481  // fallthrough
482  case FTP_COMMAND_PORT:
483  if (line.len + 1 > state->port_line_size) {
484  /* Allocate an extra byte for a NULL terminator */
485  ptmp = FTPRealloc(state->port_line, state->port_line_size, line.len + 1);
486  if (ptmp == NULL) {
487  if (state->port_line) {
488  FTPFree(state->port_line, state->port_line_size);
489  state->port_line = NULL;
490  state->port_line_size = 0;
491  state->port_line_len = 0;
492  }
494  }
495  state->port_line = ptmp;
496  state->port_line_size = line.len + 1;
497  }
498  memcpy(state->port_line, line.buf, line.len);
499  state->port_line_len = line.len;
500  break;
501  case FTP_COMMAND_RETR:
502  // fallthrough
503  case FTP_COMMAND_STOR: {
504  /* Ensure that there is a negotiated dyn port and a file
505  * name -- need more than 5 chars: cmd [4], space, <filename>
506  */
507  if (state->dyn_port == 0 || line.len < 6) {
509  }
510  FtpTransferCmd *data = SCFTPTransferCmdNew();
511  if (data == NULL)
513  FTPIncrMemuse((uint64_t)(sizeof *data));
514  data->data_free = FtpTransferCmdFree;
515 
516  /*
517  * Min size has been checked in FTPParseRequestCommand
518  * SC_FILENAME_MAX includes the null
519  */
520  uint32_t file_name_len = MIN(SC_FILENAME_MAX - 1, line.len - 5);
521 #if SC_FILENAME_MAX > UINT16_MAX
522 #error SC_FILENAME_MAX is greater than UINT16_MAX
523 #endif
524  data->file_name = FTPCalloc(file_name_len + 1, sizeof(char));
525  if (data->file_name == NULL) {
526  FtpTransferCmdFree(data);
528  }
529  data->file_name[file_name_len] = 0;
530  data->file_len = (uint16_t)file_name_len;
531  memcpy(data->file_name, line.buf + 5, file_name_len);
532  data->cmd = state->command;
533  data->flow_id = FlowGetId(f);
534  data->direction = direction;
535  int ret = AppLayerExpectationCreate(f, direction,
536  0, state->dyn_port, ALPROTO_FTPDATA, data);
537  if (ret == -1) {
538  FtpTransferCmdFree(data);
539  SCLogDebug("No expectation created.");
541  } else {
542  SCLogDebug("Expectation created [direction: %s, dynamic port %"PRIu16"].",
543  state->active ? "to server" : "to client",
544  state->dyn_port);
545  }
546 
547  /* reset the dyn port to avoid duplicate */
548  state->dyn_port = 0;
549  /* reset active/passive indicator */
550  state->active = false;
551  } break;
552  default:
553  break;
554  }
555  if (line.len >= ftp_max_line_len) {
556  ftpi.consumed = ftpi.len + 1;
557  break;
558  }
559  }
560 
562 }
563 
564 static int FTPParsePassiveResponse(FtpState *state, const uint8_t *input, uint32_t input_len)
565 {
566  uint16_t dyn_port = SCFTPParsePortPasv(input, input_len);
567  if (dyn_port == 0) {
568  return -1;
569  }
570  SCLogDebug("FTP passive mode (v4): dynamic port %"PRIu16"", dyn_port);
571  state->active = false;
572  state->dyn_port = dyn_port;
573  state->curr_tx->dyn_port = dyn_port;
574  state->curr_tx->active = false;
575 
576  return 0;
577 }
578 
579 static int FTPParsePassiveResponseV6(FtpState *state, const uint8_t *input, uint32_t input_len)
580 {
581  uint16_t dyn_port = SCFTPParsePortEpsv(input, input_len);
582  if (dyn_port == 0) {
583  return -1;
584  }
585  SCLogDebug("FTP passive mode (v6): dynamic port %"PRIu16"", dyn_port);
586  state->active = false;
587  state->dyn_port = dyn_port;
588  state->curr_tx->dyn_port = dyn_port;
589  state->curr_tx->active = false;
590  return 0;
591 }
592 
593 /**
594  * \brief Handle preliminary replies -- keep tx open
595  * \retval bool True for a positive preliminary reply; false otherwise
596  *
597  * 1yz Positive Preliminary reply
598  *
599  * The requested action is being initiated; expect another
600  * reply before proceeding with a new command
601  */
602 static inline bool FTPIsPPR(const uint8_t *input, uint32_t input_len)
603 {
604  return input_len >= 4 && isdigit(input[0]) && input[0] == '1' &&
605  isdigit(input[1]) && isdigit(input[2]) && isspace(input[3]);
606 }
607 
608 /**
609  * \brief This function is called to retrieve a ftp response
610  * \param ftp_state the ftp state structure for the parser
611  * \param input input line of the command
612  * \param input_len length of the request
613  * \param output the resulting output
614  *
615  * \retval 1 when the command is parsed, 0 otherwise
616  */
617 static AppLayerResult FTPParseResponse(Flow *f, void *ftp_state, AppLayerParserState *pstate,
618  StreamSlice stream_slice, void *local_data)
619 {
620  FtpState *state = (FtpState *)ftp_state;
621 
622  const uint8_t *input = StreamSliceGetData(&stream_slice);
623  uint32_t input_len = StreamSliceGetDataLen(&stream_slice);
624 
625  if (unlikely(input_len == 0)) {
627  }
628  FtpInput ftpi = { .buf = input, .len = input_len, .orig_len = input_len, .consumed = 0 };
629  FtpLineState line = { .buf = NULL, .len = 0, .delim_len = 0, .lf_found = false };
630 
631  FTPTransaction *lasttx = TAILQ_FIRST(&state->tx_list);
632  AppLayerResult res;
633  while (1) {
634  res = FTPGetLineForDirection(&line, &ftpi, &state->current_line_truncated_tc);
635  if (res.status == 1) {
636  return res;
637  } else if (res.status == -1) {
638  break;
639  }
640  FTPTransaction *tx = FTPGetOldestTx(state, lasttx);
641  if (tx == NULL) {
642  tx = FTPTransactionCreate(state);
643  }
644  if (unlikely(tx == NULL)) {
646  }
647  lasttx = tx;
648  tx->tx_data.updated_tc = true;
649  if (state->command == FTP_COMMAND_UNKNOWN) {
650  /* unknown */
651  tx->command_descriptor.command_code = FTP_COMMAND_UNKNOWN;
652  }
653 
654  state->curr_tx = tx;
655  uint16_t dyn_port;
656  switch (state->command) {
657  case FTP_COMMAND_AUTH_TLS:
658  if (line.len >= 4 && SCMemcmp("234 ", line.buf, 4) == 0) {
660  }
661  break;
662 
663  case FTP_COMMAND_EPRT:
664  dyn_port = SCFTPParsePortEprt(state->port_line, state->port_line_len);
665  if (dyn_port == 0) {
666  goto tx_complete;
667  }
668  state->dyn_port = dyn_port;
669  state->active = true;
670  tx->dyn_port = dyn_port;
671  tx->active = true;
672  SCLogDebug("FTP active mode (v6): dynamic port %" PRIu16 "", dyn_port);
673  break;
674 
675  case FTP_COMMAND_PORT:
676  dyn_port = SCFTPParsePort(state->port_line, state->port_line_len);
677  if (dyn_port == 0) {
678  goto tx_complete;
679  }
680  state->dyn_port = dyn_port;
681  state->active = true;
682  tx->dyn_port = state->dyn_port;
683  tx->active = true;
684  SCLogDebug("FTP active mode (v4): dynamic port %" PRIu16 "", dyn_port);
685  break;
686 
687  case FTP_COMMAND_PASV:
688  if (line.len >= 4 && SCMemcmp("227 ", line.buf, 4) == 0) {
689  FTPParsePassiveResponse(ftp_state, line.buf, line.len);
690  }
691  break;
692 
693  case FTP_COMMAND_EPSV:
694  if (line.len >= 4 && SCMemcmp("229 ", line.buf, 4) == 0) {
695  FTPParsePassiveResponseV6(ftp_state, line.buf, line.len);
696  }
697  break;
698  default:
699  break;
700  }
701 
702  if (likely(line.len)) {
703  FTPResponseLine *response = SCFTPParseResponseLine((const char *)line.buf, line.len);
704  if (likely(response)) {
705  FTPResponseWrapper *wrapper = FTPResponseWrapperAlloc(response);
706  if (likely(wrapper)) {
707  response->truncated = state->current_line_truncated_tc;
708  if (response->truncated) {
710  &tx->tx_data.events, FtpEventResponseCommandTooLong);
711  }
712  if (line.lf_found) {
713  state->current_line_truncated_tc = false;
714  }
715  TAILQ_INSERT_TAIL(&tx->response_list, wrapper, next);
716  } else {
717  SCFTPFreeResponseLine(response);
718  }
719  } else {
720  SCLogDebug("unable to parse FTP response line \"%s\"", line.buf);
721  }
722  }
723 
724  /* Handle preliminary replies -- keep tx open */
725  if (FTPIsPPR(line.buf, line.len)) {
726  continue;
727  }
728  tx_complete:
729  tx->done = true;
730 
731  if (line.len >= ftp_max_line_len) {
732  ftpi.consumed = ftpi.len + 1;
733  break;
734  }
735  }
736 
738 }
739 
740 
741 #ifdef DEBUG
742 static SCMutex ftp_state_mem_lock = SCMUTEX_INITIALIZER;
743 static uint64_t ftp_state_memuse = 0;
744 static uint64_t ftp_state_memcnt = 0;
745 #endif
746 
747 static void *FTPStateAlloc(void *orig_state, AppProto proto_orig)
748 {
749  void *s = FTPCalloc(1, sizeof(FtpState));
750  if (unlikely(s == NULL))
751  return NULL;
752 
753  FtpState *ftp_state = (FtpState *) s;
754  TAILQ_INIT(&ftp_state->tx_list);
755 
756 #ifdef DEBUG
757  SCMutexLock(&ftp_state_mem_lock);
758  ftp_state_memcnt++;
759  ftp_state_memuse+=sizeof(FtpState);
760  SCMutexUnlock(&ftp_state_mem_lock);
761 #endif
762  return s;
763 }
764 
765 static void FTPStateFree(void *s)
766 {
767  FtpState *fstate = (FtpState *) s;
768  if (fstate->port_line != NULL)
769  FTPFree(fstate->port_line, fstate->port_line_size);
770 
771  FTPTransaction *tx = NULL;
772  while ((tx = TAILQ_FIRST(&fstate->tx_list))) {
773  TAILQ_REMOVE(&fstate->tx_list, tx, next);
774 #ifdef DEBUG
775  if (SCLogDebugEnabled()) {
776  const char *command_name = NULL;
777  (void)SCGetFtpCommandInfo(
778  tx->command_descriptor.command_index, &command_name, NULL, NULL);
779  SCLogDebug("[%s] state %p id %" PRIu64 ", Freeing %d bytes at %p",
780  command_name != NULL ? command_name : "n/a", s, tx->tx_id, tx->request_length,
781  tx->request);
782  }
783 #endif
784 
785  FTPTransactionFree(tx);
786  }
787 
788  FTPFree(s, sizeof(FtpState));
789 #ifdef DEBUG
790  SCMutexLock(&ftp_state_mem_lock);
791  ftp_state_memcnt--;
792  ftp_state_memuse-=sizeof(FtpState);
793  SCMutexUnlock(&ftp_state_mem_lock);
794 #endif
795 }
796 
797 /**
798  * \brief This function returns the oldest open transaction; if none
799  * are open, then the oldest transaction is returned
800  * \param ftp_state the ftp state structure for the parser
801  * \param starttx the ftp transaction where to start looking
802  *
803  * \retval transaction pointer when a transaction was found; NULL otherwise.
804  */
805 static FTPTransaction *FTPGetOldestTx(const FtpState *ftp_state, FTPTransaction *starttx)
806 {
807  if (unlikely(!ftp_state)) {
808  SCLogDebug("NULL state object; no transactions available");
809  return NULL;
810  }
811  FTPTransaction *tx = starttx;
812  FTPTransaction *lasttx = NULL;
813  while(tx != NULL) {
814  /* Return oldest open tx */
815  if (!tx->done) {
816  SCLogDebug("Returning tx %p id %"PRIu64, tx, tx->tx_id);
817  return tx;
818  }
819  /* save for the end */
820  lasttx = tx;
821  tx = TAILQ_NEXT(tx, next);
822  }
823  /* All tx are closed; return last element */
824  if (lasttx)
825  SCLogDebug("Returning OLDEST tx %p id %"PRIu64, lasttx, lasttx->tx_id);
826  return lasttx;
827 }
828 
829 static void *FTPGetTx(void *state, uint64_t tx_id)
830 {
831  FtpState *ftp_state = (FtpState *)state;
832  if (ftp_state) {
833  FTPTransaction *tx = NULL;
834 
835  if (ftp_state->curr_tx == NULL)
836  return NULL;
837  if (ftp_state->curr_tx->tx_id == tx_id)
838  return ftp_state->curr_tx;
839 
840  TAILQ_FOREACH(tx, &ftp_state->tx_list, next) {
841  if (tx->tx_id == tx_id)
842  return tx;
843  }
844  }
845  return NULL;
846 }
847 
848 static AppLayerTxData *FTPGetTxData(void *vtx)
849 {
850  FTPTransaction *tx = (FTPTransaction *)vtx;
851  return &tx->tx_data;
852 }
853 
854 static AppLayerStateData *FTPGetStateData(void *vstate)
855 {
856  FtpState *s = (FtpState *)vstate;
857  return &s->state_data;
858 }
859 
860 static void FTPStateTransactionFree(void *state, uint64_t tx_id)
861 {
862  FtpState *ftp_state = state;
863  FTPTransaction *tx = NULL;
864  TAILQ_FOREACH(tx, &ftp_state->tx_list, next) {
865  if (tx_id < tx->tx_id)
866  break;
867  else if (tx_id > tx->tx_id)
868  continue;
869 
870  if (tx == ftp_state->curr_tx)
871  ftp_state->curr_tx = NULL;
872  TAILQ_REMOVE(&ftp_state->tx_list, tx, next);
873  FTPTransactionFree(tx);
874  break;
875  }
876 }
877 
878 static uint64_t FTPGetTxCnt(void *state)
879 {
880  uint64_t cnt = 0;
881  FtpState *ftp_state = state;
882  if (ftp_state) {
883  cnt = ftp_state->tx_cnt;
884  }
885  SCLogDebug("returning state %p %"PRIu64, state, cnt);
886  return cnt;
887 }
888 
889 static int FTPGetAlstateProgress(void *vtx, uint8_t direction)
890 {
891  SCLogDebug("tx %p", vtx);
892  FTPTransaction *tx = vtx;
893 
894  /* having a tx implies request side is done */
895  if (direction == STREAM_TOSERVER) {
896  return FTP_STATE_FINISHED;
897  }
898  if (!tx->done) {
899  return FTP_STATE_IN_PROGRESS;
900  }
901 
902  return FTP_STATE_FINISHED;
903 }
904 
905 static AppProto FTPUserProbingParser(
906  const Flow *f, uint8_t direction, const uint8_t *input, uint32_t len, uint8_t *rdir)
907 {
908  if (f->alproto_tc == ALPROTO_POP3) {
909  // POP traffic begins by same "USER" pattern as FTP
910  return ALPROTO_FAILED;
911  }
912  return ALPROTO_FTP;
913 }
914 
915 static AppProto FTPServerProbingParser(
916  const Flow *f, uint8_t direction, const uint8_t *input, uint32_t len, uint8_t *rdir)
917 {
918  // another check for minimum length
919  if (len < 5) {
920  return ALPROTO_UNKNOWN;
921  }
922  // begins by 220
923  if (input[0] != '2' || input[1] != '2' || input[2] != '0') {
924  return ALPROTO_FAILED;
925  }
926  // followed by space or hypen
927  if (input[3] != ' ' && input[3] != '-') {
928  return ALPROTO_FAILED;
929  }
930  if (f->alproto_ts == ALPROTO_FTP || (f->todstbytecnt > 4 && f->alproto_ts == ALPROTO_UNKNOWN)) {
931  // only validates FTP if client side was FTP
932  // or if client side is unknown despite having received bytes
933  if (memchr(input + 4, '\n', len - 4) != NULL) {
934  return ALPROTO_FTP;
935  }
936  }
937  return ALPROTO_UNKNOWN;
938 }
939 
940 static int FTPRegisterPatternsForProtocolDetection(void)
941 {
943  IPPROTO_TCP, ALPROTO_FTP, "220 (", 5, 0, STREAM_TOCLIENT) < 0) {
944  return -1;
945  }
947  IPPROTO_TCP, ALPROTO_FTP, "FEAT", 4, 0, STREAM_TOSERVER) < 0) {
948  return -1;
949  }
950  if (SCAppLayerProtoDetectPMRegisterPatternCSwPP(IPPROTO_TCP, ALPROTO_FTP, "USER ", 5, 0,
951  STREAM_TOSERVER, FTPUserProbingParser, 5, 5) < 0) {
952  return -1;
953  }
955  IPPROTO_TCP, ALPROTO_FTP, "PASS ", 5, 0, STREAM_TOSERVER) < 0) {
956  return -1;
957  }
959  IPPROTO_TCP, ALPROTO_FTP, "PORT ", 5, 0, STREAM_TOSERVER) < 0) {
960  return -1;
961  }
962  // Only check FTP on known ports as the banner has nothing special beyond
963  // the response code shared with SMTP.
965  "tcp", IPPROTO_TCP, "ftp", ALPROTO_FTP, 0, 5, NULL, FTPServerProbingParser)) {
966  // STREAM_TOSERVER here means use 21 as flow destination port
967  // and NULL, FTPServerProbingParser means use probing parser to client
968  SCAppLayerProtoDetectPPRegister(IPPROTO_TCP, "21", ALPROTO_FTP, 0, 5, STREAM_TOSERVER, NULL,
969  FTPServerProbingParser);
970  }
971  return 0;
972 }
973 
974 
976 
977 /**
978  * \brief This function is called to retrieve a ftp request
979  * \param ftp_state the ftp state structure for the parser
980  * \param output the resulting output
981  *
982  * \retval 1 when the command is parsed, 0 otherwise
983  */
984 static AppLayerResult FTPDataParse(Flow *f, FtpDataState *ftpdata_state,
985  AppLayerParserState *pstate, StreamSlice stream_slice, void *local_data, uint8_t direction)
986 {
987  const uint8_t *input = StreamSliceGetData(&stream_slice);
988  uint32_t input_len = StreamSliceGetDataLen(&stream_slice);
989  const bool eof = (direction & STREAM_TOSERVER)
992 
993  SCTxDataUpdateFileFlags(&ftpdata_state->tx_data, ftpdata_state->state_data.file_flags);
994  if (ftpdata_state->tx_data.file_tx == 0)
995  ftpdata_state->tx_data.file_tx = direction & (STREAM_TOSERVER | STREAM_TOCLIENT);
996  if (direction & STREAM_TOSERVER) {
997  ftpdata_state->tx_data.updated_ts = true;
998  } else {
999  ftpdata_state->tx_data.updated_tc = true;
1000  }
1001  /* we depend on detection engine for file pruning */
1002  const uint16_t flags = SCFileFlowFlagsToFlags(ftpdata_state->tx_data.file_flags, direction);
1003  int ret = 0;
1004 
1005  SCLogDebug("FTP-DATA input_len %u flags %04x dir %d/%s EOF %s", input_len, flags, direction,
1006  (direction & STREAM_TOSERVER) ? "toserver" : "toclient", eof ? "true" : "false");
1007 
1008  SCLogDebug("FTP-DATA flags %04x dir %d", flags, direction);
1009  if (input_len && ftpdata_state->files == NULL) {
1010  FtpTransferCmd *data =
1011  (FtpTransferCmd *)FlowGetStorageById(f, AppLayerExpectationGetFlowId());
1012  if (data == NULL) {
1014  }
1015 
1016  /* we shouldn't get data in the wrong dir. Don't set things up for this dir */
1017  if ((direction & data->direction) == 0) {
1018  // TODO set event for data in wrong direction
1019  SCLogDebug("input %u not for our direction (%s): %s/%s", input_len,
1020  (direction & STREAM_TOSERVER) ? "toserver" : "toclient",
1021  data->cmd == FTP_COMMAND_STOR ? "STOR" : "RETR",
1022  (data->direction & STREAM_TOSERVER) ? "toserver" : "toclient");
1024  }
1025 
1026  ftpdata_state->files = FileContainerAlloc();
1027  if (ftpdata_state->files == NULL) {
1030  }
1031 
1032  ftpdata_state->file_name = data->file_name;
1033  ftpdata_state->file_len = data->file_len;
1034  data->file_name = NULL;
1035  data->file_len = 0;
1036  f->parent_id = data->flow_id;
1037  ftpdata_state->command = data->cmd;
1038  switch (data->cmd) {
1039  case FTP_COMMAND_STOR:
1040  ftpdata_state->direction = data->direction;
1041  SCLogDebug("STOR data to %s",
1042  (ftpdata_state->direction & STREAM_TOSERVER) ? "toserver" : "toclient");
1043  break;
1044  case FTP_COMMAND_RETR:
1045  ftpdata_state->direction = data->direction;
1046  SCLogDebug("RETR data to %s",
1047  (ftpdata_state->direction & STREAM_TOSERVER) ? "toserver" : "toclient");
1048  break;
1049  default:
1050  break;
1051  }
1052 
1053  /* open with fixed track_id 0 as we can have just one
1054  * file per ftp-data flow. */
1055  if (FileOpenFileWithId(ftpdata_state->files, &sbcfg,
1056  0ULL, (uint8_t *) ftpdata_state->file_name,
1057  ftpdata_state->file_len,
1058  input, input_len, flags) != 0) {
1059  SCLogDebug("Can't open file");
1060  ret = -1;
1061  }
1063  ftpdata_state->tx_data.files_opened = 1;
1064  } else {
1065  if (ftpdata_state->state == FTPDATA_STATE_FINISHED) {
1066  SCLogDebug("state is already finished");
1067  DEBUG_VALIDATE_BUG_ON(input_len); // data after state finished is a bug.
1069  }
1070  if ((direction & ftpdata_state->direction) == 0) {
1071  if (input_len) {
1072  // TODO set event for data in wrong direction
1073  }
1074  SCLogDebug("input %u not for us (%s): %s/%s", input_len,
1075  (direction & STREAM_TOSERVER) ? "toserver" : "toclient",
1076  ftpdata_state->command == FTP_COMMAND_STOR ? "STOR" : "RETR",
1077  (ftpdata_state->direction & STREAM_TOSERVER) ? "toserver" : "toclient");
1079  }
1080  if (input_len != 0) {
1081  ret = FileAppendData(ftpdata_state->files, &sbcfg, input, input_len);
1082  if (ret == -2) {
1083  ret = 0;
1084  SCLogDebug("FileAppendData() - file no longer being extracted");
1085  goto out;
1086  } else if (ret < 0) {
1087  SCLogDebug("FileAppendData() failed: %d", ret);
1088  ret = -2;
1089  goto out;
1090  }
1091  }
1092  }
1093 
1094  DEBUG_VALIDATE_BUG_ON((direction & ftpdata_state->direction) == 0); // should be unreachable
1095  if (eof) {
1096  ret = FileCloseFile(ftpdata_state->files, &sbcfg, NULL, 0, flags);
1097  ftpdata_state->state = FTPDATA_STATE_FINISHED;
1098  SCLogDebug("closed because of eof: state now FTPDATA_STATE_FINISHED");
1099  }
1100 out:
1101  if (ret < 0) {
1103  }
1105 }
1106 
1107 static AppLayerResult FTPDataParseRequest(Flow *f, void *ftp_state, AppLayerParserState *pstate,
1108  StreamSlice stream_slice, void *local_data)
1109 {
1110  return FTPDataParse(f, ftp_state, pstate, stream_slice, local_data, STREAM_TOSERVER);
1111 }
1112 
1113 static AppLayerResult FTPDataParseResponse(Flow *f, void *ftp_state, AppLayerParserState *pstate,
1114  StreamSlice stream_slice, void *local_data)
1115 {
1116  return FTPDataParse(f, ftp_state, pstate, stream_slice, local_data, STREAM_TOCLIENT);
1117 }
1118 
1119 #ifdef DEBUG
1120 static SCMutex ftpdata_state_mem_lock = SCMUTEX_INITIALIZER;
1121 static uint64_t ftpdata_state_memuse = 0;
1122 static uint64_t ftpdata_state_memcnt = 0;
1123 #endif
1124 
1125 static void *FTPDataStateAlloc(void *orig_state, AppProto proto_orig)
1126 {
1127  void *s = FTPCalloc(1, sizeof(FtpDataState));
1128  if (unlikely(s == NULL))
1129  return NULL;
1130 
1131  FtpDataState *state = (FtpDataState *) s;
1132  state->state = FTPDATA_STATE_IN_PROGRESS;
1133 
1134 #ifdef DEBUG
1135  SCMutexLock(&ftpdata_state_mem_lock);
1136  ftpdata_state_memcnt++;
1137  ftpdata_state_memuse+=sizeof(FtpDataState);
1138  SCMutexUnlock(&ftpdata_state_mem_lock);
1139 #endif
1140  return s;
1141 }
1142 
1143 static void FTPDataStateFree(void *s)
1144 {
1145  FtpDataState *fstate = (FtpDataState *) s;
1146 
1147  SCAppLayerTxDataCleanup(&fstate->tx_data);
1148 
1149  if (fstate->file_name != NULL) {
1150  FTPFree(fstate->file_name, fstate->file_len + 1);
1151  }
1152 
1153  FileContainerFree(fstate->files, &sbcfg);
1154 
1155  FTPFree(s, sizeof(FtpDataState));
1156 #ifdef DEBUG
1157  SCMutexLock(&ftpdata_state_mem_lock);
1158  ftpdata_state_memcnt--;
1159  ftpdata_state_memuse-=sizeof(FtpDataState);
1160  SCMutexUnlock(&ftpdata_state_mem_lock);
1161 #endif
1162 }
1163 
1164 static AppLayerTxData *FTPDataGetTxData(void *vtx)
1165 {
1166  FtpDataState *ftp_state = (FtpDataState *)vtx;
1167  return &ftp_state->tx_data;
1168 }
1169 
1170 static AppLayerStateData *FTPDataGetStateData(void *vstate)
1171 {
1172  FtpDataState *ftp_state = (FtpDataState *)vstate;
1173  return &ftp_state->state_data;
1174 }
1175 
1176 static void FTPDataStateTransactionFree(void *state, uint64_t tx_id)
1177 {
1178  /* do nothing */
1179 }
1180 
1181 static void *FTPDataGetTx(void *state, uint64_t tx_id)
1182 {
1183  FtpDataState *ftp_state = (FtpDataState *)state;
1184  return ftp_state;
1185 }
1186 
1187 static uint64_t FTPDataGetTxCnt(void *state)
1188 {
1189  /* ftp-data is single tx */
1190  return 1;
1191 }
1192 
1193 static int FTPDataGetAlstateProgress(void *tx, uint8_t direction)
1194 {
1195  FtpDataState *ftpdata_state = (FtpDataState *)tx;
1196  if (direction == ftpdata_state->direction)
1197  return ftpdata_state->state;
1198  else
1199  return FTPDATA_STATE_FINISHED;
1200 }
1201 
1202 static AppLayerGetFileState FTPDataStateGetTxFiles(void *tx, uint8_t direction)
1203 {
1204  FtpDataState *ftpdata_state = (FtpDataState *)tx;
1205  AppLayerGetFileState files = { .fc = NULL, .cfg = &sbcfg };
1206 
1207  if (direction == ftpdata_state->direction)
1208  files.fc = ftpdata_state->files;
1209 
1210  return files;
1211 }
1212 
1213 static void FTPSetMpmState(void)
1214 {
1215  ftp_mpm_ctx = SCCalloc(1, sizeof(MpmCtx));
1216  if (unlikely(ftp_mpm_ctx == NULL)) {
1217  exit(EXIT_FAILURE);
1218  }
1219  MpmInitCtx(ftp_mpm_ctx, FTP_MPM);
1220 
1221  SCFTPSetMpmState(ftp_mpm_ctx);
1222  mpm_table[FTP_MPM].Prepare(NULL, ftp_mpm_ctx);
1223 }
1224 
1225 static void FTPFreeMpmState(void)
1226 {
1227  if (ftp_mpm_ctx != NULL) {
1228  mpm_table[FTP_MPM].DestroyCtx(ftp_mpm_ctx);
1229  SCFree(ftp_mpm_ctx);
1230  ftp_mpm_ctx = NULL;
1231  }
1232 }
1233 
1234 /** \brief FTP tx iterator, specialized for its linked list
1235  *
1236  * \retval txptr or NULL if no more txs in list
1237  */
1238 static AppLayerGetTxIterTuple FTPGetTxIterator(const uint8_t ipproto, const AppProto alproto,
1239  void *alstate, uint64_t min_tx_id, uint64_t max_tx_id, AppLayerGetTxIterState *state)
1240 {
1241  FtpState *ftp_state = (FtpState *)alstate;
1242  AppLayerGetTxIterTuple no_tuple = { NULL, 0, false };
1243  if (ftp_state) {
1244  FTPTransaction *tx_ptr;
1245  if (state->un.ptr == NULL) {
1246  tx_ptr = TAILQ_FIRST(&ftp_state->tx_list);
1247  } else {
1248  tx_ptr = (FTPTransaction *)state->un.ptr;
1249  }
1250  if (tx_ptr) {
1251  while (tx_ptr->tx_id < min_tx_id) {
1252  tx_ptr = TAILQ_NEXT(tx_ptr, next);
1253  if (!tx_ptr) {
1254  return no_tuple;
1255  }
1256  }
1257  if (tx_ptr->tx_id >= max_tx_id) {
1258  return no_tuple;
1259  }
1260  state->un.ptr = TAILQ_NEXT(tx_ptr, next);
1261  AppLayerGetTxIterTuple tuple = {
1262  .tx_ptr = tx_ptr,
1263  .tx_id = tx_ptr->tx_id,
1264  .has_next = (state->un.ptr != NULL),
1265  };
1266  return tuple;
1267  }
1268  }
1269  return no_tuple;
1270 }
1271 
1273 {
1274  const char *proto_name = "ftp";
1275  const char *proto_data_name = "ftp-data";
1276 
1277  /** FTP */
1278  if (SCAppLayerProtoDetectConfProtoDetectionEnabled("tcp", proto_name)) {
1280  if (FTPRegisterPatternsForProtocolDetection() < 0 )
1281  return;
1283  }
1284 
1285  if (SCAppLayerParserConfParserEnabled("tcp", proto_name)) {
1286  AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_FTP, STREAM_TOSERVER,
1287  FTPParseRequest);
1288  AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_FTP, STREAM_TOCLIENT,
1289  FTPParseResponse);
1290  AppLayerParserRegisterStateFuncs(IPPROTO_TCP, ALPROTO_FTP, FTPStateAlloc, FTPStateFree);
1292  IPPROTO_TCP, ALPROTO_FTP, STREAM_TOSERVER | STREAM_TOCLIENT);
1293 
1294  AppLayerParserRegisterTxFreeFunc(IPPROTO_TCP, ALPROTO_FTP, FTPStateTransactionFree);
1295 
1296  AppLayerParserRegisterGetTx(IPPROTO_TCP, ALPROTO_FTP, FTPGetTx);
1297  AppLayerParserRegisterTxDataFunc(IPPROTO_TCP, ALPROTO_FTP, FTPGetTxData);
1298  AppLayerParserRegisterGetTxIterator(IPPROTO_TCP, ALPROTO_FTP, FTPGetTxIterator);
1299  AppLayerParserRegisterStateDataFunc(IPPROTO_TCP, ALPROTO_FTP, FTPGetStateData);
1300 
1301  AppLayerParserRegisterLocalStorageFunc(IPPROTO_TCP, ALPROTO_FTP, FTPLocalStorageAlloc,
1302  FTPLocalStorageFree);
1303  AppLayerParserRegisterGetTxCnt(IPPROTO_TCP, ALPROTO_FTP, FTPGetTxCnt);
1304 
1305  AppLayerParserRegisterGetStateProgressFunc(IPPROTO_TCP, ALPROTO_FTP, FTPGetAlstateProgress);
1306 
1308  ALPROTO_FTP, FTP_STATE_FINISHED, FTP_STATE_FINISHED);
1309 
1311  AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_FTPDATA, STREAM_TOSERVER,
1312  FTPDataParseRequest);
1313  AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_FTPDATA, STREAM_TOCLIENT,
1314  FTPDataParseResponse);
1315  AppLayerParserRegisterStateFuncs(IPPROTO_TCP, ALPROTO_FTPDATA, FTPDataStateAlloc, FTPDataStateFree);
1317  IPPROTO_TCP, ALPROTO_FTPDATA, STREAM_TOSERVER | STREAM_TOCLIENT);
1318  AppLayerParserRegisterTxFreeFunc(IPPROTO_TCP, ALPROTO_FTPDATA, FTPDataStateTransactionFree);
1319 
1320  AppLayerParserRegisterGetTxFilesFunc(IPPROTO_TCP, ALPROTO_FTPDATA, FTPDataStateGetTxFiles);
1321 
1322  AppLayerParserRegisterGetTx(IPPROTO_TCP, ALPROTO_FTPDATA, FTPDataGetTx);
1323  AppLayerParserRegisterTxDataFunc(IPPROTO_TCP, ALPROTO_FTPDATA, FTPDataGetTxData);
1324  AppLayerParserRegisterStateDataFunc(IPPROTO_TCP, ALPROTO_FTPDATA, FTPDataGetStateData);
1325 
1326  AppLayerParserRegisterGetTxCnt(IPPROTO_TCP, ALPROTO_FTPDATA, FTPDataGetTxCnt);
1327 
1328  AppLayerParserRegisterGetStateProgressFunc(IPPROTO_TCP, ALPROTO_FTPDATA, FTPDataGetAlstateProgress);
1329 
1331  ALPROTO_FTPDATA, FTPDATA_STATE_FINISHED, FTPDATA_STATE_FINISHED);
1332 
1333  AppLayerParserRegisterGetEventInfo(IPPROTO_TCP, ALPROTO_FTP, ftp_get_event_info);
1334  AppLayerParserRegisterGetEventInfoById(IPPROTO_TCP, ALPROTO_FTP, ftp_get_event_info_by_id);
1335 
1338 
1339  sbcfg.buf_size = 4096;
1340  sbcfg.Calloc = FTPCalloc;
1341  sbcfg.Realloc = FTPRealloc;
1342  sbcfg.Free = FTPFree;
1343 
1344  FTPParseMemcap();
1345  } else {
1346  SCLogInfo("Parser disabled for %s protocol. Protocol detection still on.", proto_name);
1347  }
1348 
1349  FTPSetMpmState();
1350 
1351 #ifdef UNITTESTS
1353 #endif
1354 }
1355 
1356 /*
1357  * \brief Returns the ending offset of the next line from a multi-line buffer.
1358  *
1359  * "Buffer" refers to a FTP response in a single buffer containing multiple lines.
1360  * Here, "next line" is defined as terminating on
1361  * - Newline character
1362  * - Null character
1363  *
1364  * \param buffer Contains zero or more characters.
1365  * \param len Size, in bytes, of buffer.
1366  *
1367  * \retval Offset from the start of buffer indicating the where the
1368  * next "line ends". The characters between the input buffer and this
1369  * value comprise the line.
1370  *
1371  * NULL is found first or a newline isn't found, then UINT16_MAX is returned.
1372  */
1373 uint16_t JsonGetNextLineFromBuffer(const char *buffer, const uint16_t len)
1374 {
1375  if (!buffer || *buffer == '\0') {
1376  return UINT16_MAX;
1377  }
1378 
1379  char *c = strchr(buffer, '\n');
1380  return c == NULL ? len : (uint16_t)(c - buffer + 1);
1381 }
1382 
1383 bool EveFTPDataAddMetadata(void *vtx, SCJsonBuilder *jb)
1384 {
1385  const FtpDataState *ftp_state = (FtpDataState *)vtx;
1386  SCJbOpenObject(jb, "ftp_data");
1387 
1388  if (ftp_state->file_name) {
1389  SCJbSetStringFromBytes(jb, "filename", ftp_state->file_name, ftp_state->file_len);
1390  }
1391  switch (ftp_state->command) {
1392  case FTP_COMMAND_STOR:
1393  JB_SET_STRING(jb, "command", "STOR");
1394  break;
1395  case FTP_COMMAND_RETR:
1396  JB_SET_STRING(jb, "command", "RETR");
1397  break;
1398  default:
1399  break;
1400  }
1401  SCJbClose(jb);
1402  return true;
1403 }
1404 
1405 /**
1406  * \brief Free memory allocated for global FTP parser state.
1407  */
1409 {
1410  FTPFreeMpmState();
1411 }
1412 
1413 /* UNITTESTS */
1414 #ifdef UNITTESTS
1415 #include "flow-util.h"
1416 #include "stream-tcp.h"
1417 
1418 /** \test Send a get request in one chunk. */
1419 static int FTPParserTest01(void)
1420 {
1421  Flow f;
1422  uint8_t ftpbuf[] = "PORT 192,168,1,1,0,80\r\n";
1423  uint32_t ftplen = sizeof(ftpbuf) - 1; /* minus the \0 */
1424  TcpSession ssn;
1426 
1427  memset(&f, 0, sizeof(f));
1428  memset(&ssn, 0, sizeof(ssn));
1429 
1430  f.protoctx = (void *)&ssn;
1431  f.proto = IPPROTO_TCP;
1432  f.alproto = ALPROTO_FTP;
1433 
1434  StreamTcpInitConfig(true);
1435 
1436  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP,
1437  STREAM_TOSERVER | STREAM_EOF, ftpbuf, ftplen);
1438  FAIL_IF(r != 0);
1439 
1440  FtpState *ftp_state = f.alstate;
1441  FAIL_IF_NULL(ftp_state);
1442  FAIL_IF(ftp_state->command != FTP_COMMAND_PORT);
1443 
1444  FLOW_DESTROY(&f);
1446  StreamTcpFreeConfig(true);
1447  PASS;
1448 }
1449 
1450 /** \test Supply RETR without a filename */
1451 static int FTPParserTest11(void)
1452 {
1453  Flow f;
1454  uint8_t ftpbuf1[] = "PORT 192,168,1,1,0,80\r\n";
1455  uint8_t ftpbuf2[] = "RETR\r\n";
1456  uint8_t ftpbuf3[] = "227 OK\r\n";
1457  TcpSession ssn;
1458 
1460 
1461  memset(&f, 0, sizeof(f));
1462  memset(&ssn, 0, sizeof(ssn));
1463 
1464  f.protoctx = (void *)&ssn;
1465  f.proto = IPPROTO_TCP;
1466  f.alproto = ALPROTO_FTP;
1467 
1468  StreamTcpInitConfig(true);
1469 
1470  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP,
1471  STREAM_TOSERVER | STREAM_START, ftpbuf1,
1472  sizeof(ftpbuf1) - 1);
1473  FAIL_IF(r != 0);
1474 
1475  /* Response */
1476  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP,
1477  STREAM_TOCLIENT,
1478  ftpbuf3,
1479  sizeof(ftpbuf3) - 1);
1480  FAIL_IF(r != 0);
1481 
1482  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP,
1483  STREAM_TOSERVER, ftpbuf2,
1484  sizeof(ftpbuf2) - 1);
1485  FAIL_IF(r == 0);
1486 
1487  FtpState *ftp_state = f.alstate;
1488  FAIL_IF_NULL(ftp_state);
1489 
1490  FAIL_IF(ftp_state->command != FTP_COMMAND_RETR);
1491 
1492  FLOW_DESTROY(&f);
1494  StreamTcpFreeConfig(true);
1495  PASS;
1496 }
1497 
1498 /** \test Supply STOR without a filename */
1499 static int FTPParserTest12(void)
1500 {
1501  Flow f;
1502  uint8_t ftpbuf1[] = "PORT 192,168,1,1,0,80\r\n";
1503  uint8_t ftpbuf2[] = "STOR\r\n";
1504  uint8_t ftpbuf3[] = "227 OK\r\n";
1505  TcpSession ssn;
1506 
1508 
1509  memset(&f, 0, sizeof(f));
1510  memset(&ssn, 0, sizeof(ssn));
1511 
1512  f.protoctx = (void *)&ssn;
1513  f.proto = IPPROTO_TCP;
1514  f.alproto = ALPROTO_FTP;
1515 
1516  StreamTcpInitConfig(true);
1517 
1518  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP,
1519  STREAM_TOSERVER | STREAM_START, ftpbuf1,
1520  sizeof(ftpbuf1) - 1);
1521  FAIL_IF(r != 0);
1522 
1523  /* Response */
1524  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP,
1525  STREAM_TOCLIENT,
1526  ftpbuf3,
1527  sizeof(ftpbuf3) - 1);
1528  FAIL_IF(r != 0);
1529 
1530  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP,
1531  STREAM_TOSERVER, ftpbuf2,
1532  sizeof(ftpbuf2) - 1);
1533  FAIL_IF(r == 0);
1534 
1535  FtpState *ftp_state = f.alstate;
1536  FAIL_IF_NULL(ftp_state);
1537 
1538  FAIL_IF(ftp_state->command != FTP_COMMAND_STOR);
1539 
1540  FLOW_DESTROY(&f);
1542  StreamTcpFreeConfig(true);
1543  PASS;
1544 }
1545 #endif /* UNITTESTS */
1546 
1548 {
1549 #ifdef UNITTESTS
1550  UtRegisterTest("FTPParserTest01", FTPParserTest01);
1551  UtRegisterTest("FTPParserTest11", FTPParserTest11);
1552  UtRegisterTest("FTPParserTest12", FTPParserTest12);
1553 #endif /* UNITTESTS */
1554 }
1555 
MpmInitThreadCtx
void MpmInitThreadCtx(MpmThreadCtx *mpm_thread_ctx, uint16_t matcher)
Definition: util-mpm.c:195
FTPTransaction_::request_truncated
bool request_truncated
Definition: app-layer-ftp.h:69
PmqReset
void PmqReset(PrefilterRuleStore *pmq)
Reset a Pmq for reusage. Meant to be called after a single search.
Definition: util-prefilter.c:102
AppLayerParserRegisterGetStateProgressFunc
void AppLayerParserRegisterGetStateProgressFunc(uint8_t ipproto, AppProto alproto, int(*StateGetProgress)(void *alstate, uint8_t direction))
Definition: app-layer-parser.c:500
len
uint8_t len
Definition: app-layer-dnp3.h:2
SCAppLayerParserStateIssetFlag
uint16_t SCAppLayerParserStateIssetFlag(AppLayerParserState *pstate, uint16_t flag)
Definition: app-layer-parser.c:1829
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
FTPTransaction_::request
uint8_t * request
Definition: app-layer-ftp.h:68
AppLayerGetTxIterState::ptr
void * ptr
Definition: app-layer-parser.h:136
FTPThreadCtx_
Definition: app-layer-ftp.c:43
StreamingBufferConfig_::buf_size
uint32_t buf_size
Definition: util-streaming-buffer.h:66
AppLayerParserRegisterLocalStorageFunc
void AppLayerParserRegisterLocalStorageFunc(uint8_t ipproto, AppProto alproto, void *(*LocalStorageAlloc)(void), void(*LocalStorageFree)(void *))
Definition: app-layer-parser.c:460
SCFileFlowFlagsToFlags
uint16_t SCFileFlowFlagsToFlags(const uint16_t flow_file_flags, uint8_t direction)
Definition: util-file.c:215
TAILQ_INIT
#define TAILQ_INIT(head)
Definition: queue.h:262
FtpState_::active
bool active
Definition: app-layer-ftp.h:88
flow-util.h
SC_ATOMIC_INIT
#define SC_ATOMIC_INIT(name)
wrapper for initializing an atomic variable.
Definition: util-atomic.h:314
FileContainerAlloc
FileContainer * FileContainerAlloc(void)
allocate a FileContainer
Definition: util-file.c:479
FtpDataState_::state
uint8_t state
Definition: app-layer-ftp.h:116
StreamingBufferConfig_::Calloc
void *(* Calloc)(size_t n, size_t size)
Definition: util-streaming-buffer.h:69
MpmThreadCtx_
Definition: util-mpm.h:48
stream-tcp.h
StreamSlice
struct StreamSlice StreamSlice
Definition: app-layer-parser.h:38
FtpState
struct FtpState_ FtpState
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SC_ATOMIC_SET
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
Definition: util-atomic.h:386
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
EveFTPDataAddMetadata
bool EveFTPDataAddMetadata(void *vtx, SCJsonBuilder *jb)
Definition: app-layer-ftp.c:1383
AppLayerExpectationGetFlowId
FlowStorageId AppLayerExpectationGetFlowId(void)
Definition: app-layer-expectation.c:288
PrefilterRuleStore_
structure for storing potential rule matches
Definition: util-prefilter.h:34
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:279
FtpCommandInfo_
Definition: app-layer-ftp.h:55
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
Flow_::proto
uint8_t proto
Definition: flow.h:370
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:86
FtpState_::command
FtpRequestCommand command
Definition: app-layer-ftp.h:97
ALPROTO_POP3
@ ALPROTO_POP3
Definition: app-layer-protos.h:71
SCAppLayerProtoDetectPMRegisterPatternCI
int SCAppLayerProtoDetectPMRegisterPatternCI(uint8_t ipproto, AppProto alproto, const char *pattern, uint16_t depth, uint16_t offset, uint8_t direction)
Registers a case-insensitive pattern for protocol detection.
Definition: app-layer-detect-proto.c:1648
STREAMING_BUFFER_CONFIG_INITIALIZER
#define STREAMING_BUFFER_CONFIG_INITIALIZER
Definition: util-streaming-buffer.h:74
FileContainerFree
void FileContainerFree(FileContainer *ffc, const StreamingBufferConfig *cfg)
Free a FileContainer.
Definition: util-file.c:515
Flow_
Flow data structure.
Definition: flow.h:348
FTPTransaction_::done
bool done
Definition: app-layer-ftp.h:75
SC_ATOMIC_ADD
#define SC_ATOMIC_ADD(name, val)
add a value to our atomic variable
Definition: util-atomic.h:332
AppLayerParserRegisterStateProgressCompletionStatus
void AppLayerParserRegisterStateProgressCompletionStatus(AppProto alproto, const int ts, const int tc)
Definition: app-layer-parser.c:548
FtpState_::current_line_truncated_tc
bool current_line_truncated_tc
Definition: app-layer-ftp.h:95
AppLayerParserRegisterTxFreeFunc
void AppLayerParserRegisterTxFreeFunc(uint8_t ipproto, AppProto alproto, void(*StateTransactionFree)(void *, uint64_t))
Definition: app-layer-parser.c:510
FTPTransaction_::tx_data
AppLayerTxData tx_data
Definition: app-layer-ftp.h:64
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:252
FtpDataState_::command
FtpRequestCommand command
Definition: app-layer-ftp.h:115
FTPMemuseGlobalCounter
uint64_t FTPMemuseGlobalCounter(void)
Definition: app-layer-ftp.c:79
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
rust.h
MIN
#define MIN(x, y)
Definition: suricata-common.h:408
FtpLineState_::buf
const uint8_t * buf
Definition: app-layer-ftp.h:38
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: app-layer-parser.h:42
ALPROTO_FTP
@ ALPROTO_FTP
Definition: app-layer-protos.h:37
SCMUTEX_INITIALIZER
#define SCMUTEX_INITIALIZER
Definition: threads-debug.h:121
FtpDataState_::file_len
int16_t file_len
Definition: app-layer-ftp.h:114
TAILQ_INSERT_TAIL
#define TAILQ_INSERT_TAIL(head, elm, field)
Definition: queue.h:294
FTPResponseWrapper_
Definition: app-layer-ftp.h:44
app-layer-ftp.h
APP_LAYER_PARSER_EOF_TS
#define APP_LAYER_PARSER_EOF_TS
Definition: app-layer-parser.h:53
Flow_::protoctx
void * protoctx
Definition: flow.h:433
FtpDataState_::direction
uint8_t direction
Definition: app-layer-ftp.h:117
FtpInput_::len
int32_t len
Definition: app-layer-ftp.c:265
SC_ELIMIT
@ SC_ELIMIT
Definition: util-error.h:31
SC_ATOMIC_DECLARE
SC_ATOMIC_DECLARE(uint64_t, ftp_memuse)
SCAppLayerProtoDetectPMRegisterPatternCSwPP
int SCAppLayerProtoDetectPMRegisterPatternCSwPP(uint8_t ipproto, AppProto alproto, const char *pattern, uint16_t depth, uint16_t offset, uint8_t direction, ProbingParserFPtr PPFunc, uint16_t pp_min_depth, uint16_t pp_max_depth)
Definition: app-layer-detect-proto.c:1636
SC_ENOMEM
@ SC_ENOMEM
Definition: util-error.h:29
FTPParserCleanup
void FTPParserCleanup(void)
Free memory allocated for global FTP parser state.
Definition: app-layer-ftp.c:1408
SCAppLayerDecoderEventsSetEventRaw
void SCAppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
Definition: app-layer-events.c:96
SCAppLayerProtoDetectConfProtoDetectionEnabled
int SCAppLayerProtoDetectConfProtoDetectionEnabled(const char *ipproto, const char *alproto)
Given a protocol name, checks if proto detection is enabled in the conf file.
Definition: app-layer-detect-proto.c:1941
MpmInitCtx
void MpmInitCtx(MpmCtx *mpm_ctx, uint8_t matcher)
Definition: util-mpm.c:209
ftp_max_line_len
uint32_t ftp_max_line_len
Definition: app-layer-ftp.c:54
FtpState_
Definition: app-layer-ftp.h:87
app-layer-expectation.h
app-layer-detect-proto.h
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:488
AppLayerResult
struct AppLayerResult AppLayerResult
Definition: app-layer-parser.h:39
APP_LAYER_INCOMPLETE
#define APP_LAYER_INCOMPLETE(c, n)
Definition: app-layer-parser.h:89
TAILQ_REMOVE
#define TAILQ_REMOVE(head, elm, field)
Definition: queue.h:312
MpmDestroyThreadCtx
void MpmDestroyThreadCtx(MpmThreadCtx *mpm_thread_ctx, const uint16_t matcher)
Definition: util-mpm.c:202
JB_SET_STRING
#define JB_SET_STRING(jb, key, val)
Definition: rust.h:31
TAILQ_FIRST
#define TAILQ_FIRST(head)
Definition: queue.h:250
FtpState_::port_line
uint8_t * port_line
Definition: app-layer-ftp.h:101
AppLayerParserState_
Definition: app-layer-parser.c:135
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
FTPThreadCtx_::pmq
PrefilterRuleStore * pmq
Definition: app-layer-ftp.c:45
SCAppLayerParserConfParserEnabled
int SCAppLayerParserConfParserEnabled(const char *ipproto, const char *alproto_name)
check if a parser is enabled in the config Returns enabled always if: were running unittests
Definition: app-layer-parser.c:345
SC_FILENAME_MAX
#define SC_FILENAME_MAX
Definition: util-file.h:90
SCAppLayerParserRegisterLogger
void SCAppLayerParserRegisterLogger(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:491
AppLayerGetTxIterTuple
struct AppLayerGetTxIterTuple AppLayerGetTxIterTuple
Definition: app-layer-parser.h:40
FtpState_::curr_tx
FTPTransaction * curr_tx
Definition: app-layer-ftp.h:90
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119
FtpDataState_::state_data
AppLayerStateData state_data
Definition: app-layer-ftp.h:119
AppLayerGetFileState
struct AppLayerGetFileState AppLayerGetFileState
Definition: app-layer-parser.h:41
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:23
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:281
AppLayerParserRegisterStateFuncs
void AppLayerParserRegisterStateFuncs(uint8_t ipproto, AppProto alproto, void *(*StateAlloc)(void *, AppProto), void(*StateFree)(void *))
Definition: app-layer-parser.c:435
FtpLineState_::lf_found
bool lf_found
Definition: app-layer-ftp.h:41
app-layer-parser.h
Flow_::todstbytecnt
uint64_t todstbytecnt
Definition: flow.h:489
AppLayerParserRegisterGetEventInfo
void AppLayerParserRegisterGetEventInfo(uint8_t ipproto, AppProto alproto, int(*StateGetEventInfo)(const char *event_name, uint8_t *event_id, AppLayerEventType *event_type))
Definition: app-layer-parser.c:595
FtpState_::state_data
AppLayerStateData state_data
Definition: app-layer-ftp.h:105
SC_ATOMIC_SUB
#define SC_ATOMIC_SUB(name, val)
sub a value from our atomic variable
Definition: util-atomic.h:341
FTPParserRegisterTests
void FTPParserRegisterTests(void)
Definition: app-layer-ftp.c:1547
RegisterFTPParsers
void RegisterFTPParsers(void)
Definition: app-layer-ftp.c:1272
FTPTransaction_::command_descriptor
FtpCommandInfo command_descriptor
Definition: app-layer-ftp.h:72
AppLayerParserRegisterProtocolUnittests
void AppLayerParserRegisterProtocolUnittests(uint8_t ipproto, AppProto alproto, void(*RegisterUnittests)(void))
Definition: app-layer-parser.c:1840
AppLayerExpectationCreate
int AppLayerExpectationCreate(Flow *f, int direction, Port src, Port dst, AppProto alproto, void *data)
Definition: app-layer-expectation.c:219
AppLayerGetTxIterState
Definition: app-layer-parser.h:134
FtpCommandInfo_::command_code
FtpRequestCommand command_code
Definition: app-layer-ftp.h:57
APP_LAYER_PARSER_EOF_TC
#define APP_LAYER_PARSER_EOF_TC
Definition: app-layer-parser.h:54
ftp_config_memcap
uint64_t ftp_config_memcap
Definition: app-layer-ftp.c:52
AppLayerRegisterExpectationProto
void AppLayerRegisterExpectationProto(uint8_t proto, AppProto alproto)
Definition: app-layer-detect-proto.c:2117
FTPResponseWrapper_::response
FTPResponseLine * response
Definition: app-layer-ftp.h:45
FileOpenFileWithId
int FileOpenFileWithId(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id, const uint8_t *name, uint16_t name_len, const uint8_t *data, uint32_t data_len, uint16_t flags)
Open a new File.
Definition: util-file.c:966
AppLayerParserRegisterGetTxFilesFunc
void AppLayerParserRegisterGetTxFilesFunc(uint8_t ipproto, AppProto alproto, AppLayerGetFileState(*GetTxFiles)(void *, uint8_t))
Definition: app-layer-parser.c:472
AppLayerProtoDetectRegisterProtocol
void AppLayerProtoDetectRegisterProtocol(AppProto alproto, const char *alproto_name)
Registers a protocol for protocol detection phase.
Definition: app-layer-detect-proto.c:1741
FtpDataState
struct FtpDataState_ FtpDataState
FileAppendData
int FileAppendData(FileContainer *ffc, const StreamingBufferConfig *sbcfg, const uint8_t *data, uint32_t data_len)
Store/handle a chunk of file data in the File structure The last file in the FileContainer will be us...
Definition: util-file.c:765
FTPMemcapGlobalCounter
uint64_t FTPMemcapGlobalCounter(void)
Definition: app-layer-ftp.c:85
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:180
FtpInput
struct FtpInput_ FtpInput
FtpDataState_::tx_data
AppLayerTxData tx_data
Definition: app-layer-ftp.h:118
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:229
FlowGetStorageById
void * FlowGetStorageById(const Flow *f, FlowStorageId id)
Definition: flow-storage.c:40
AppLayerParserRegisterParser
int AppLayerParserRegisterParser(uint8_t ipproto, AppProto alproto, uint8_t direction, AppLayerParserFPtr Parser)
Register app layer parser for the protocol.
Definition: app-layer-parser.c:402
FtpInput_::orig_len
int32_t orig_len
Definition: app-layer-ftp.c:266
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
SCAppLayerProtoDetectPPRegister
void SCAppLayerProtoDetectPPRegister(uint8_t ipproto, const char *portstr, AppProto alproto, uint16_t min_depth, uint16_t max_depth, uint8_t direction, ProbingParserFPtr ProbingParser1, ProbingParserFPtr ProbingParser2)
register parser at a port
Definition: app-layer-detect-proto.c:1526
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
AppLayerParserRegisterGetTx
void AppLayerParserRegisterGetTx(uint8_t ipproto, AppProto alproto, void *(StateGetTx)(void *alstate, uint64_t tx_id))
Definition: app-layer-parser.c:530
APP_LAYER_OK
#define APP_LAYER_OK
Definition: app-layer-parser.h:77
cnt
uint32_t cnt
Definition: tmqh-packetpool.h:7
SCReturnStruct
#define SCReturnStruct(x)
Definition: util-debug.h:301
FTPTransaction_::request_length
uint32_t request_length
Definition: app-layer-ftp.h:67
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
util-mpm.h
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:859
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1291
FtpLineState_
Definition: app-layer-ftp.h:35
suricata-common.h
ftp_config_maxtx
uint32_t ftp_config_maxtx
Definition: app-layer-ftp.c:53
SCAppLayerParserRegisterParserAcceptableDataDirection
void SCAppLayerParserRegisterParserAcceptableDataDirection(uint8_t ipproto, AppProto alproto, uint8_t direction)
Definition: app-layer-parser.c:414
FtpState_::port_line_len
uint32_t port_line_len
Definition: app-layer-ftp.h:99
FtpState_::dyn_port
uint16_t dyn_port
Definition: app-layer-ftp.h:103
TAILQ_NEXT
#define TAILQ_NEXT(elm, field)
Definition: queue.h:307
ALPROTO_FTPDATA
@ ALPROTO_FTPDATA
Definition: app-layer-protos.h:53
AppLayerParserRegisterStateDataFunc
void AppLayerParserRegisterStateDataFunc(uint8_t ipproto, AppProto alproto, AppLayerStateData *(*GetStateData)(void *state))
Definition: app-layer-parser.c:616
AppLayerParserRegisterTxDataFunc
void AppLayerParserRegisterTxDataFunc(uint8_t ipproto, AppProto alproto, AppLayerTxData *(*GetTxData)(void *tx))
Definition: app-layer-parser.c:606
Flow_::parent_id
int64_t parent_id
Definition: flow.h:422
SCAppLayerRequestProtocolTLSUpgrade
bool SCAppLayerRequestProtocolTLSUpgrade(Flow *f)
request applayer to wrap up this protocol and rerun protocol detection with expectation of TLS....
Definition: app-layer-detect-proto.c:1832
FtpDataState_
Definition: app-layer-ftp.h:109
AppLayerStateData
struct AppLayerStateData AppLayerStateData
Definition: app-layer-parser.h:44
app-layer-events.h
util-validate.h
StreamingBufferConfig_
Definition: util-streaming-buffer.h:65
FTPSetMemcap
int FTPSetMemcap(uint64_t size)
Definition: app-layer-ftp.c:91
FtpLineState_::delim_len
uint8_t delim_len
Definition: app-layer-ftp.h:40
AppLayerParserRegisterGetTxIterator
void AppLayerParserRegisterGetTxIterator(uint8_t ipproto, AppProto alproto, AppLayerGetTxIteratorFunc Func)
Definition: app-layer-parser.c:540
MpmTableElmt_::Prepare
int(* Prepare)(MpmConfig *, struct MpmCtx_ *)
Definition: util-mpm.h:177
MpmTableElmt_::DestroyCtx
void(* DestroyCtx)(struct MpmCtx_ *)
Definition: util-mpm.h:156
FlowFreeStorageById
void FlowFreeStorageById(Flow *f, FlowStorageId id)
Definition: flow-storage.c:55
FileCloseFile
int FileCloseFile(FileContainer *ffc, const StreamingBufferConfig *sbcfg, const uint8_t *data, uint32_t data_len, uint16_t flags)
Close a File.
Definition: util-file.c:1061
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:443
Flow_::alstate
void * alstate
Definition: flow.h:471
SCAppLayerProtoDetectPPParseConfPorts
int SCAppLayerProtoDetectPPParseConfPorts(const char *ipproto_name, uint8_t ipproto, const char *alproto_name, AppProto alproto, uint16_t min_depth, uint16_t max_depth, ProbingParserFPtr ProbingParserTs, ProbingParserFPtr ProbingParserTc)
Definition: app-layer-detect-proto.c:1562
StreamingBufferConfig_::Free
void(* Free)(void *ptr, size_t size)
Definition: util-streaming-buffer.h:71
FtpCommandInfo_::command_index
uint8_t command_index
Definition: app-layer-ftp.h:56
FtpState_::tx_cnt
uint64_t tx_cnt
Definition: app-layer-ftp.h:92
FtpState_::current_line_truncated_ts
bool current_line_truncated_ts
Definition: app-layer-ftp.h:94
sc_errno
thread_local SCError sc_errno
Definition: util-error.c:31
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_FAILED
@ ALPROTO_FAILED
Definition: app-layer-protos.h:33
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:47
FtpLineState_::len
uint32_t len
Definition: app-layer-ftp.h:39
AppLayerParserRegisterGetTxCnt
void AppLayerParserRegisterGetTxCnt(uint8_t ipproto, AppProto alproto, uint64_t(*StateGetTxCnt)(void *alstate))
Definition: app-layer-parser.c:520
APP_LAYER_ERROR
#define APP_LAYER_ERROR
Definition: app-layer-parser.h:81
FtpState_::port_line_size
uint32_t port_line_size
Definition: app-layer-ftp.h:100
PmqFree
void PmqFree(PrefilterRuleStore *pmq)
Cleanup and free a Pmq.
Definition: util-prefilter.c:126
FTP_MPM
#define FTP_MPM
Definition: app-layer-ftp.c:48
FTPTransaction_::tx_id
uint64_t tx_id
Definition: app-layer-ftp.h:62
FTPTransaction_::dyn_port
uint16_t dyn_port
Definition: app-layer-ftp.h:74
FTPTransaction_::active
bool active
Definition: app-layer-ftp.h:76
AppLayerParserRegisterGetEventInfoById
void AppLayerParserRegisterGetEventInfoById(uint8_t ipproto, AppProto alproto, int(*StateGetEventInfoById)(uint8_t event_id, const char **event_name, AppLayerEventType *event_type))
Definition: app-layer-parser.c:563
FtpDataState_::files
FileContainer * files
Definition: app-layer-ftp.h:112
likely
#define likely(expr)
Definition: util-optimize.h:32
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
SC_ATOMIC_GET
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
Definition: util-atomic.h:375
MpmCtx_
Definition: util-mpm.h:95
TcpSession_
Definition: stream-tcp-private.h:283
JsonGetNextLineFromBuffer
uint16_t JsonGetNextLineFromBuffer(const char *buffer, const uint16_t len)
Definition: app-layer-ftp.c:1373
util-misc.h
FTPTransaction_
Definition: app-layer-ftp.h:60
FTPThreadCtx
struct FTPThreadCtx_ FTPThreadCtx
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:444
FtpInput_::buf
const uint8_t * buf
Definition: app-layer-ftp.c:263
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:442
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:285
SCMemcmp
#define SCMemcmp(a, b, c)
Definition: util-memcmp.h:290
SCMutex
#define SCMutex
Definition: threads-debug.h:114
FTPThreadCtx_::ftp_mpm_thread_ctx
MpmThreadCtx * ftp_mpm_thread_ctx
Definition: app-layer-ftp.c:44
SCLogDebugEnabled
int SCLogDebugEnabled(void)
Returns whether debug messages are enabled to be logged or not.
Definition: util-debug.c:767
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
FtpInput_::consumed
int32_t consumed
Definition: app-layer-ftp.c:264
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
PmqSetup
int PmqSetup(PrefilterRuleStore *pmq)
Setup a pmq.
Definition: util-prefilter.c:37
StreamingBufferConfig_::Realloc
void *(* Realloc)(void *ptr, size_t orig_size, size_t size)
Definition: util-streaming-buffer.h:70
FtpDataState_::file_name
uint8_t * file_name
Definition: app-layer-ftp.h:111
FtpInput_
Definition: app-layer-ftp.c:262
AppLayerGetTxIterState::un
union AppLayerGetTxIterState::@7 un
app-layer.h
PrefilterRuleStore_::rule_id_array
SigIntId * rule_id_array
Definition: util-prefilter.h:38