48 #define FTP_MPM mpm_default_matcher
50 static MpmCtx *ftp_mpm_ctx = NULL;
61 static void FTPParseMemcap(
void)
69 static void FTPIncrMemuse(uint64_t size)
74 static void FTPDecrMemuse(uint64_t size)
107 static int FTPCheckMemcap(uint64_t size)
115 static void *FTPCalloc(
size_t n,
size_t size)
117 if (FTPCheckMemcap((uint32_t)(n * size)) == 0) {
129 FTPIncrMemuse((uint64_t)(n * size));
133 static void *FTPRealloc(
void *ptr,
size_t orig_size,
size_t size)
135 if (FTPCheckMemcap((uint32_t)(size - orig_size)) == 0) {
146 if (size > orig_size) {
147 FTPIncrMemuse(size - orig_size);
149 FTPDecrMemuse(orig_size - size);
155 static void FTPFree(
void *ptr,
size_t size)
159 FTPDecrMemuse((uint64_t)size);
166 FTPIncrMemuse(response->total_size);
175 FTPDecrMemuse(wrapper->
response->total_size);
176 SCFTPFreeResponseLine(wrapper->
response);
182 static void *FTPLocalStorageAlloc(
void)
191 if (td->
pmq == NULL) {
204 static void FTPLocalStorageFree(
void *ptr)
208 if (td->
pmq != NULL) {
239 SCLogDebug(
"new transaction %p (state tx cnt %"PRIu64
")", tx, state->
tx_cnt);
247 SCAppLayerTxDataCleanup(&tx->
tx_data);
254 while ((wrapper =
TAILQ_FIRST(&tx->response_list))) {
256 FTPResponseWrapperFree(wrapper);
259 FTPFree(tx,
sizeof(*tx));
278 uint8_t *lf_idx = memchr(input->
buf + input->
consumed, 0x0a, input->
len);
280 if (lf_idx == NULL) {
282 *current_line_truncated =
true;
290 }
else if (*current_line_truncated) {
292 *current_line_truncated =
false;
302 uint32_t o_consumed = input->
consumed;
303 input->
consumed = (uint32_t)(lf_idx - input->
buf + 1);
308 line->
buf = input->
buf + o_consumed;
310 *current_line_truncated =
true;
335 static int FTPParseRequestCommand(
346 uint8_t command_code;
347 if (SCGetFtpCommandInfo(td->
pmq->
rule_id_array[0], NULL, &command_code, NULL)) {
358 const char *command_name = NULL;
359 (void)SCGetFtpCommandInfo(td->
pmq->
rule_id_array[0], &command_name, NULL, NULL);
360 SCLogDebug(
"matching FTP command is %s [code: %d, index %d]", command_name,
370 static void FtpTransferCmdFree(
void *data)
372 FtpTransferCmd *cmd = (FtpTransferCmd *)data;
375 if (cmd->file_name) {
376 FTPFree((
void *)cmd->file_name, cmd->file_len + 1);
378 SCFTPTransferCmdFree(cmd);
379 FTPDecrMemuse((uint64_t)
sizeof(FtpTransferCmd));
382 static uint32_t CopyCommandLine(uint8_t **dest,
FtpLineState *line)
385 uint8_t *where = FTPCalloc(line->
len + 1,
sizeof(
char));
389 memcpy(where, line->
buf, line->
len);
392 while (line->
len && isspace((
unsigned char)where[line->
len - 1])) {
396 where[line->
len] =
'\0';
400 return line->
len ? line->
len + 1 : 0;
423 const uint8_t *input = StreamSliceGetData(&stream_slice);
424 uint32_t input_len = StreamSliceGetDataLen(&stream_slice);
428 }
else if (input == NULL || input_len == 0) {
432 FtpInput ftpi = { .
buf = input, .len = input_len, .orig_len = input_len, .consumed = 0 };
433 FtpLineState line = { .
buf = NULL, .len = 0, .delim_len = 0, .lf_found =
false };
435 uint8_t direction = STREAM_TOSERVER;
439 if (res.status == 1) {
441 }
else if (res.status == -1) {
446 if (!FTPParseRequestCommand(thread_data, &line, &cmd_descriptor)) {
447 state->
command = FTP_COMMAND_UNKNOWN;
476 direction = STREAM_TOCLIENT;
480 case FTP_COMMAND_EPRT:
482 case FTP_COMMAND_PORT:
501 case FTP_COMMAND_RETR:
503 case FTP_COMMAND_STOR: {
510 FtpTransferCmd *data = SCFTPTransferCmdNew();
513 FTPIncrMemuse((uint64_t)(
sizeof *data));
514 data->data_free = FtpTransferCmdFree;
521 #if SC_FILENAME_MAX > UINT16_MAX
522 #error SC_FILENAME_MAX is greater than UINT16_MAX
524 data->file_name = FTPCalloc(file_name_len + 1,
sizeof(
char));
525 if (data->file_name == NULL) {
526 FtpTransferCmdFree(data);
529 data->file_name[file_name_len] = 0;
530 data->file_len = (uint16_t)file_name_len;
531 memcpy(data->file_name, line.
buf + 5, file_name_len);
533 data->flow_id = FlowGetId(f);
534 data->direction = direction;
538 FtpTransferCmdFree(data);
542 SCLogDebug(
"Expectation created [direction: %s, dynamic port %"PRIu16
"].",
543 state->
active ?
"to server" :
"to client",
564 static int FTPParsePassiveResponse(
FtpState *state,
const uint8_t *input, uint32_t input_len)
566 uint16_t dyn_port = SCFTPParsePortPasv(input, input_len);
570 SCLogDebug(
"FTP passive mode (v4): dynamic port %"PRIu16
"", dyn_port);
579 static int FTPParsePassiveResponseV6(
FtpState *state,
const uint8_t *input, uint32_t input_len)
581 uint16_t dyn_port = SCFTPParsePortEpsv(input, input_len);
585 SCLogDebug(
"FTP passive mode (v6): dynamic port %"PRIu16
"", dyn_port);
602 static inline bool FTPIsPPR(
const uint8_t *input, uint32_t input_len)
604 return input_len >= 4 && isdigit(input[0]) && input[0] ==
'1' &&
605 isdigit(input[1]) && isdigit(input[2]) && isspace(input[3]);
622 const uint8_t *input = StreamSliceGetData(&stream_slice);
623 uint32_t input_len = StreamSliceGetDataLen(&stream_slice);
628 FtpInput ftpi = { .
buf = input, .len = input_len, .orig_len = input_len, .consumed = 0 };
629 FtpLineState line = { .
buf = NULL, .len = 0, .delim_len = 0, .lf_found =
false };
635 if (res.status == 1) {
637 }
else if (res.status == -1) {
642 tx = FTPTransactionCreate(state);
649 if (state->
command == FTP_COMMAND_UNKNOWN) {
657 case FTP_COMMAND_AUTH_TLS:
663 case FTP_COMMAND_EPRT:
672 SCLogDebug(
"FTP active mode (v6): dynamic port %" PRIu16
"", dyn_port);
675 case FTP_COMMAND_PORT:
684 SCLogDebug(
"FTP active mode (v4): dynamic port %" PRIu16
"", dyn_port);
687 case FTP_COMMAND_PASV:
689 FTPParsePassiveResponse(ftp_state, line.
buf, line.
len);
693 case FTP_COMMAND_EPSV:
695 FTPParsePassiveResponseV6(ftp_state, line.
buf, line.
len);
703 FTPResponseLine *response = SCFTPParseResponseLine((
const char *)line.
buf, line.
len);
708 if (response->truncated) {
710 &tx->
tx_data.events, FtpEventResponseCommandTooLong);
717 SCFTPFreeResponseLine(response);
720 SCLogDebug(
"unable to parse FTP response line \"%s\"", line.
buf);
725 if (FTPIsPPR(line.
buf, line.
len)) {
743 static uint64_t ftp_state_memuse = 0;
744 static uint64_t ftp_state_memcnt = 0;
747 static void *FTPStateAlloc(
void *orig_state,
AppProto proto_orig)
749 void *s = FTPCalloc(1,
sizeof(
FtpState));
765 static void FTPStateFree(
void *s)
776 const char *command_name = NULL;
777 (void)SCGetFtpCommandInfo(
779 SCLogDebug(
"[%s] state %p id %" PRIu64
", Freeing %d bytes at %p",
785 FTPTransactionFree(tx);
808 SCLogDebug(
"NULL state object; no transactions available");
825 SCLogDebug(
"Returning OLDEST tx %p id %"PRIu64, lasttx, lasttx->
tx_id);
829 static void *FTPGetTx(
void *state, uint64_t tx_id)
835 if (ftp_state->
curr_tx == NULL)
841 if (tx->
tx_id == tx_id)
860 static void FTPStateTransactionFree(
void *state, uint64_t tx_id)
865 if (tx_id < tx->tx_id)
867 else if (tx_id > tx->
tx_id)
873 FTPTransactionFree(tx);
878 static uint64_t FTPGetTxCnt(
void *state)
889 static int FTPGetAlstateProgress(
void *vtx, uint8_t direction)
895 if (direction == STREAM_TOSERVER) {
896 return FTP_STATE_FINISHED;
899 return FTP_STATE_IN_PROGRESS;
902 return FTP_STATE_FINISHED;
905 static AppProto FTPUserProbingParser(
906 const Flow *f, uint8_t direction,
const uint8_t *input, uint32_t
len, uint8_t *rdir)
915 static AppProto FTPServerProbingParser(
916 const Flow *f, uint8_t direction,
const uint8_t *input, uint32_t
len, uint8_t *rdir)
923 if (input[0] !=
'2' || input[1] !=
'2' || input[2] !=
'0') {
927 if (input[3] !=
' ' && input[3] !=
'-') {
933 if (memchr(input + 4,
'\n',
len - 4) != NULL) {
940 static int FTPRegisterPatternsForProtocolDetection(
void)
943 IPPROTO_TCP,
ALPROTO_FTP,
"220 (", 5, 0, STREAM_TOCLIENT) < 0) {
947 IPPROTO_TCP,
ALPROTO_FTP,
"FEAT", 4, 0, STREAM_TOSERVER) < 0) {
951 STREAM_TOSERVER, FTPUserProbingParser, 5, 5) < 0) {
955 IPPROTO_TCP,
ALPROTO_FTP,
"PASS ", 5, 0, STREAM_TOSERVER) < 0) {
959 IPPROTO_TCP,
ALPROTO_FTP,
"PORT ", 5, 0, STREAM_TOSERVER) < 0) {
965 "tcp", IPPROTO_TCP,
"ftp",
ALPROTO_FTP, 0, 5, NULL, FTPServerProbingParser)) {
969 FTPServerProbingParser);
987 const uint8_t *input = StreamSliceGetData(&stream_slice);
988 uint32_t input_len = StreamSliceGetDataLen(&stream_slice);
989 const bool eof = (direction & STREAM_TOSERVER)
993 SCTxDataUpdateFileFlags(&ftpdata_state->
tx_data, ftpdata_state->
state_data.file_flags);
994 if (ftpdata_state->
tx_data.file_tx == 0)
995 ftpdata_state->
tx_data.file_tx = direction & (STREAM_TOSERVER | STREAM_TOCLIENT);
996 if (direction & STREAM_TOSERVER) {
997 ftpdata_state->
tx_data.updated_ts =
true;
999 ftpdata_state->
tx_data.updated_tc =
true;
1005 SCLogDebug(
"FTP-DATA input_len %u flags %04x dir %d/%s EOF %s", input_len,
flags, direction,
1006 (direction & STREAM_TOSERVER) ?
"toserver" :
"toclient", eof ?
"true" :
"false");
1009 if (input_len && ftpdata_state->
files == NULL) {
1010 FtpTransferCmd *data =
1017 if ((direction & data->direction) == 0) {
1019 SCLogDebug(
"input %u not for our direction (%s): %s/%s", input_len,
1020 (direction & STREAM_TOSERVER) ?
"toserver" :
"toclient",
1021 data->cmd == FTP_COMMAND_STOR ?
"STOR" :
"RETR",
1022 (data->direction & STREAM_TOSERVER) ?
"toserver" :
"toclient");
1027 if (ftpdata_state->
files == NULL) {
1032 ftpdata_state->
file_name = data->file_name;
1033 ftpdata_state->
file_len = data->file_len;
1034 data->file_name = NULL;
1037 ftpdata_state->
command = data->cmd;
1038 switch (data->cmd) {
1039 case FTP_COMMAND_STOR:
1040 ftpdata_state->
direction = data->direction;
1042 (ftpdata_state->
direction & STREAM_TOSERVER) ?
"toserver" :
"toclient");
1044 case FTP_COMMAND_RETR:
1045 ftpdata_state->
direction = data->direction;
1047 (ftpdata_state->
direction & STREAM_TOSERVER) ?
"toserver" :
"toclient");
1056 0ULL, (uint8_t *) ftpdata_state->
file_name,
1058 input, input_len,
flags) != 0) {
1063 ftpdata_state->
tx_data.files_opened = 1;
1065 if (ftpdata_state->
state == FTPDATA_STATE_FINISHED) {
1070 if ((direction & ftpdata_state->
direction) == 0) {
1074 SCLogDebug(
"input %u not for us (%s): %s/%s", input_len,
1075 (direction & STREAM_TOSERVER) ?
"toserver" :
"toclient",
1076 ftpdata_state->
command == FTP_COMMAND_STOR ?
"STOR" :
"RETR",
1077 (ftpdata_state->
direction & STREAM_TOSERVER) ?
"toserver" :
"toclient");
1080 if (input_len != 0) {
1084 SCLogDebug(
"FileAppendData() - file no longer being extracted");
1086 }
else if (ret < 0) {
1087 SCLogDebug(
"FileAppendData() failed: %d", ret);
1097 ftpdata_state->
state = FTPDATA_STATE_FINISHED;
1098 SCLogDebug(
"closed because of eof: state now FTPDATA_STATE_FINISHED");
1110 return FTPDataParse(f, ftp_state, pstate, stream_slice, local_data, STREAM_TOSERVER);
1116 return FTPDataParse(f, ftp_state, pstate, stream_slice, local_data, STREAM_TOCLIENT);
1121 static uint64_t ftpdata_state_memuse = 0;
1122 static uint64_t ftpdata_state_memcnt = 0;
1125 static void *FTPDataStateAlloc(
void *orig_state,
AppProto proto_orig)
1132 state->
state = FTPDATA_STATE_IN_PROGRESS;
1136 ftpdata_state_memcnt++;
1143 static void FTPDataStateFree(
void *s)
1147 SCAppLayerTxDataCleanup(&fstate->
tx_data);
1158 ftpdata_state_memcnt--;
1176 static void FTPDataStateTransactionFree(
void *state, uint64_t tx_id)
1181 static void *FTPDataGetTx(
void *state, uint64_t tx_id)
1187 static uint64_t FTPDataGetTxCnt(
void *state)
1193 static int FTPDataGetAlstateProgress(
void *tx, uint8_t direction)
1196 if (direction == ftpdata_state->
direction)
1197 return ftpdata_state->
state;
1199 return FTPDATA_STATE_FINISHED;
1207 if (direction == ftpdata_state->
direction)
1208 files.fc = ftpdata_state->
files;
1213 static void FTPSetMpmState(
void)
1216 if (
unlikely(ftp_mpm_ctx == NULL)) {
1221 SCFTPSetMpmState(ftp_mpm_ctx);
1225 static void FTPFreeMpmState(
void)
1227 if (ftp_mpm_ctx != NULL) {
1245 if (state->
un.
ptr == NULL) {
1251 while (tx_ptr->
tx_id < min_tx_id) {
1257 if (tx_ptr->
tx_id >= max_tx_id) {
1264 .has_next = (state->
un.
ptr != NULL),
1274 const char *proto_name =
"ftp";
1275 const char *proto_data_name =
"ftp-data";
1280 if (FTPRegisterPatternsForProtocolDetection() < 0 )
1292 IPPROTO_TCP,
ALPROTO_FTP, STREAM_TOSERVER | STREAM_TOCLIENT);
1302 FTPLocalStorageFree);
1308 ALPROTO_FTP, FTP_STATE_FINISHED, FTP_STATE_FINISHED);
1312 FTPDataParseRequest);
1314 FTPDataParseResponse);
1340 sbcfg.
Calloc = FTPCalloc;
1342 sbcfg.
Free = FTPFree;
1346 SCLogInfo(
"Parser disabled for %s protocol. Protocol detection still on.", proto_name);
1375 if (!buffer || *buffer ==
'\0') {
1379 char *c = strchr(buffer,
'\n');
1380 return c == NULL ?
len : (uint16_t)(c - buffer + 1);
1386 SCJbOpenObject(jb,
"ftp_data");
1389 SCJbSetStringFromBytes(jb,
"filename", ftp_state->
file_name, ftp_state->
file_len);
1392 case FTP_COMMAND_STOR:
1395 case FTP_COMMAND_RETR:
1419 static int FTPParserTest01(
void)
1422 uint8_t ftpbuf[] =
"PORT 192,168,1,1,0,80\r\n";
1423 uint32_t ftplen =
sizeof(ftpbuf) - 1;
1427 memset(&f, 0,
sizeof(f));
1428 memset(&ssn, 0,
sizeof(ssn));
1431 f.
proto = IPPROTO_TCP;
1437 STREAM_TOSERVER | STREAM_EOF, ftpbuf, ftplen);
1451 static int FTPParserTest11(
void)
1454 uint8_t ftpbuf1[] =
"PORT 192,168,1,1,0,80\r\n";
1455 uint8_t ftpbuf2[] =
"RETR\r\n";
1456 uint8_t ftpbuf3[] =
"227 OK\r\n";
1461 memset(&f, 0,
sizeof(f));
1462 memset(&ssn, 0,
sizeof(ssn));
1465 f.
proto = IPPROTO_TCP;
1471 STREAM_TOSERVER | STREAM_START, ftpbuf1,
1472 sizeof(ftpbuf1) - 1);
1479 sizeof(ftpbuf3) - 1);
1483 STREAM_TOSERVER, ftpbuf2,
1484 sizeof(ftpbuf2) - 1);
1499 static int FTPParserTest12(
void)
1502 uint8_t ftpbuf1[] =
"PORT 192,168,1,1,0,80\r\n";
1503 uint8_t ftpbuf2[] =
"STOR\r\n";
1504 uint8_t ftpbuf3[] =
"227 OK\r\n";
1509 memset(&f, 0,
sizeof(f));
1510 memset(&ssn, 0,
sizeof(ssn));
1513 f.
proto = IPPROTO_TCP;
1519 STREAM_TOSERVER | STREAM_START, ftpbuf1,
1520 sizeof(ftpbuf1) - 1);
1527 sizeof(ftpbuf3) - 1);
1531 STREAM_TOSERVER, ftpbuf2,
1532 sizeof(ftpbuf2) - 1);