suricata
app-layer-ftp.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2025 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Pablo Rincon Crespo <pablo.rincon.crespo@gmail.com>
22  * \author Eric Leblond <eric@regit.org>
23  * \author Jeff Lucovsky <jlucovsky@oisf.net>
24  *
25  * App Layer Parser for FTP
26  */
27 
28 #include "suricata-common.h"
29 
30 #include "app-layer-ftp.h"
31 #include "app-layer.h"
32 #include "app-layer-parser.h"
33 #include "app-layer-expectation.h"
34 #include "app-layer-detect-proto.h"
35 #include "app-layer-events.h"
36 
37 #include "rust.h"
38 
39 #include "util-misc.h"
40 #include "util-mpm.h"
41 #include "util-validate.h"
42 
43 typedef struct FTPThreadCtx_ {
47 
48 #define FTP_MPM mpm_default_matcher
49 
50 static MpmCtx *ftp_mpm_ctx = NULL;
51 
52 uint64_t ftp_config_memcap = 0;
53 uint32_t ftp_config_maxtx = 1024;
54 uint32_t ftp_max_line_len = 4096;
55 
56 SC_ATOMIC_DECLARE(uint64_t, ftp_memuse);
57 SC_ATOMIC_DECLARE(uint64_t, ftp_memcap);
58 
59 static FTPTransaction *FTPGetOldestTx(const FtpState *, FTPTransaction *);
60 
61 static void FTPParseMemcap(void)
62 {
63  SCFTPGetConfigValues(&ftp_config_memcap, &ftp_config_maxtx, &ftp_max_line_len);
64 
65  SC_ATOMIC_INIT(ftp_memuse);
66  SC_ATOMIC_INIT(ftp_memcap);
67 }
68 
69 static void FTPIncrMemuse(uint64_t size)
70 {
71  (void)SC_ATOMIC_ADD(ftp_memuse, size);
72 }
73 
74 static void FTPDecrMemuse(uint64_t size)
75 {
76  (void)SC_ATOMIC_SUB(ftp_memuse, size);
77 }
78 
79 uint64_t FTPMemuseGlobalCounter(void)
80 {
81  uint64_t tmpval = SC_ATOMIC_GET(ftp_memuse);
82  return tmpval;
83 }
84 
85 uint64_t FTPMemcapGlobalCounter(void)
86 {
87  uint64_t tmpval = SC_ATOMIC_GET(ftp_memcap);
88  return tmpval;
89 }
90 
91 int FTPSetMemcap(uint64_t size)
92 {
93  if ((uint64_t)SC_ATOMIC_GET(ftp_memcap) < size) {
94  SC_ATOMIC_SET(ftp_memcap, size);
95  return 1;
96  }
97 
98  return 0;
99 }
100 
101 /**
102  * \brief Check if alloc'ing "size" would mean we're over memcap
103  *
104  * \retval 1 if in bounds
105  * \retval 0 if not in bounds
106  */
107 static int FTPCheckMemcap(uint64_t size)
108 {
109  if (ftp_config_memcap == 0 || size + SC_ATOMIC_GET(ftp_memuse) <= ftp_config_memcap)
110  return 1;
111  (void) SC_ATOMIC_ADD(ftp_memcap, 1);
112  return 0;
113 }
114 
115 static void *FTPCalloc(size_t n, size_t size)
116 {
117  if (FTPCheckMemcap((uint32_t)(n * size)) == 0) {
119  return NULL;
120  }
121 
122  void *ptr = SCCalloc(n, size);
123 
124  if (unlikely(ptr == NULL)) {
126  return NULL;
127  }
128 
129  FTPIncrMemuse((uint64_t)(n * size));
130  return ptr;
131 }
132 
133 static void *FTPRealloc(void *ptr, size_t orig_size, size_t size)
134 {
135  if (FTPCheckMemcap((uint32_t)(size - orig_size)) == 0) {
137  return NULL;
138  }
139 
140  void *rptr = SCRealloc(ptr, size);
141  if (rptr == NULL) {
143  return NULL;
144  }
145 
146  if (size > orig_size) {
147  FTPIncrMemuse(size - orig_size);
148  } else {
149  FTPDecrMemuse(orig_size - size);
150  }
151 
152  return rptr;
153 }
154 
155 static void FTPFree(void *ptr, size_t size)
156 {
157  SCFree(ptr);
158 
159  FTPDecrMemuse((uint64_t)size);
160 }
161 
162 static FTPResponseWrapper *FTPResponseWrapperAlloc(FTPResponseLine *response)
163 {
164  FTPResponseWrapper *wrapper = FTPCalloc(1, sizeof(FTPResponseWrapper));
165  if (likely(wrapper)) {
166  FTPIncrMemuse(response->total_size);
167  wrapper->response = response;
168  }
169  return wrapper;
170 }
171 
172 static void FTPResponseWrapperFree(FTPResponseWrapper *wrapper)
173 {
174  if (wrapper->response) {
175  FTPDecrMemuse(wrapper->response->total_size);
176  SCFTPFreeResponseLine(wrapper->response);
177  }
178 
179  FTPFree(wrapper, sizeof(FTPResponseWrapper));
180 }
181 
182 static void *FTPLocalStorageAlloc(void)
183 {
184  /* needed by the mpm */
185  FTPThreadCtx *td = SCCalloc(1, sizeof(*td));
186  if (td == NULL) {
187  exit(EXIT_FAILURE);
188  }
189 
190  td->pmq = SCCalloc(1, sizeof(*td->pmq));
191  if (td->pmq == NULL) {
192  exit(EXIT_FAILURE);
193  }
194  PmqSetup(td->pmq);
195 
196  td->ftp_mpm_thread_ctx = SCCalloc(1, sizeof(MpmThreadCtx));
197  if (unlikely(td->ftp_mpm_thread_ctx == NULL)) {
198  exit(EXIT_FAILURE);
199  }
200  MpmInitThreadCtx(td->ftp_mpm_thread_ctx, ftp_mpm_ctx, FTP_MPM);
201  return td;
202 }
203 
204 static void FTPLocalStorageFree(void *ptr)
205 {
206  FTPThreadCtx *td = ptr;
207  if (td != NULL) {
208  if (td->pmq != NULL) {
209  PmqFree(td->pmq);
210  SCFree(td->pmq);
211  }
212 
213  if (td->ftp_mpm_thread_ctx != NULL) {
216  }
217 
218  SCFree(td);
219  }
220 }
221 static FTPTransaction *FTPTransactionCreate(FtpState *state)
222 {
223  SCEnter();
224  FTPTransaction *firsttx = TAILQ_FIRST(&state->tx_list);
225  if (firsttx && state->tx_cnt - firsttx->tx_id > ftp_config_maxtx) {
226  FTPTransaction *tx_old;
227  TAILQ_FOREACH (tx_old, &state->tx_list, next) {
228  if (!tx_old->done) {
229  tx_old->done = true;
230  tx_old->tx_data.updated_ts = true;
231  tx_old->tx_data.updated_tc = true;
233  &tx_old->tx_data.events, FtpEventTooManyTransactions);
234  break;
235  }
236  }
237  }
238  FTPTransaction *tx = FTPCalloc(1, sizeof(*tx));
239  if (tx == NULL) {
240  return NULL;
241  }
242 
243  TAILQ_INSERT_TAIL(&state->tx_list, tx, next);
244  tx->tx_id = state->tx_cnt++;
245 
246  TAILQ_INIT(&tx->response_list);
247 
248  SCLogDebug("new transaction %p (state tx cnt %"PRIu64")", tx, state->tx_cnt);
249  return tx;
250 }
251 
252 static void FTPTransactionFree(FTPTransaction *tx)
253 {
254  SCEnter();
255 
257 
258  if (tx->request) {
259  FTPFree(tx->request, tx->request_length);
260  }
261 
262  FTPResponseWrapper *wrapper;
263  while ((wrapper = TAILQ_FIRST(&tx->response_list))) {
264  TAILQ_REMOVE(&tx->response_list, wrapper, next);
265  FTPResponseWrapperFree(wrapper);
266  }
267 
268  FTPFree(tx, sizeof(*tx));
269 }
270 
271 typedef struct FtpInput_ {
272  const uint8_t *buf;
273  int32_t consumed;
274  int32_t len;
275  int32_t orig_len;
277 
278 static AppLayerResult FTPGetLineForDirection(
279  FtpLineState *line, FtpInput *input, bool *current_line_truncated)
280 {
281  SCEnter();
282 
283  /* we have run out of input */
284  if (input->len <= 0)
285  return APP_LAYER_ERROR;
286 
287  const uint8_t *lf_idx = memchr(input->buf + input->consumed, 0x0a, input->len);
288 
289  if (lf_idx == NULL) {
290  if (!(*current_line_truncated) && (uint32_t)input->len >= ftp_max_line_len) {
291  *current_line_truncated = true;
292  line->buf = input->buf;
293  line->len = ftp_max_line_len;
294  line->delim_len = 0;
295  input->len = 0;
297  }
298  SCReturnStruct(APP_LAYER_INCOMPLETE(input->consumed, input->len + 1));
299  } else if (*current_line_truncated) {
300  // Whatever came in with first LF should also get discarded
301  *current_line_truncated = false;
302  line->len = 0;
303  line->delim_len = 0;
304  input->len = 0;
306  } else {
307  // There could be one chunk of command data that has LF but post the line limit
308  // e.g. input_len = 5077
309  // lf_idx = 5010
310  // max_line_len = 4096
311  uint32_t o_consumed = input->consumed;
312  input->consumed = (uint32_t)(lf_idx - input->buf + 1);
313  line->len = input->consumed - o_consumed;
314  input->len -= line->len;
315  line->lf_found = true;
316  DEBUG_VALIDATE_BUG_ON((input->consumed + input->len) != input->orig_len);
317  line->buf = input->buf + o_consumed;
318  if (line->len >= ftp_max_line_len) {
319  *current_line_truncated = true;
320  line->len = ftp_max_line_len;
322  }
323  if (input->consumed >= 2 && input->buf[input->consumed - 2] == 0x0D) {
324  line->delim_len = 2;
325  line->len -= 2;
326  } else {
327  line->delim_len = 1;
328  line->len -= 1;
329  }
331  }
332 }
333 
334 /**
335  * \brief This function is called to determine and set which command is being
336  * transferred to the ftp server
337  * \param thread context
338  * \param input input line of the command
339  * \param len of the command
340  * \param cmd_descriptor when the command has been parsed
341  *
342  * \retval 1 when the command is parsed, 0 otherwise
343  */
344 static int FTPParseRequestCommand(
345  FTPThreadCtx *td, FtpLineState *line, FtpCommandInfo *cmd_descriptor)
346 {
347  SCEnter();
348 
349  /* I don't like this pmq reset here. We'll devise a method later, that
350  * should make the use of the mpm very efficient */
351  PmqReset(td->pmq);
352  int mpm_cnt = mpm_table[FTP_MPM].Search(
353  ftp_mpm_ctx, td->ftp_mpm_thread_ctx, td->pmq, line->buf, line->len);
354  if (mpm_cnt) {
355  uint8_t command_code;
356  if (SCGetFtpCommandInfo(td->pmq->rule_id_array[0], NULL, &command_code, NULL)) {
357  cmd_descriptor->command_code = command_code;
358  /* FTP command indices are expressed in Rust as a u8 */
359  cmd_descriptor->command_index = (uint8_t)td->pmq->rule_id_array[0];
360  SCReturnInt(1);
361  } else {
362  /* Where is out command? */
364  }
365 #ifdef DEBUG
366  if (SCLogDebugEnabled()) {
367  const char *command_name = NULL;
368  (void)SCGetFtpCommandInfo(td->pmq->rule_id_array[0], &command_name, NULL, NULL);
369  SCLogDebug("matching FTP command is %s [code: %d, index %d]", command_name,
370  command_code, td->pmq->rule_id_array[0]);
371  }
372 #endif
373  }
374 
375  cmd_descriptor->command_code = FTP_COMMAND_UNKNOWN;
376  SCReturnInt(0);
377 }
378 
379 static void FtpTransferCmdFree(void *data)
380 {
381  FtpTransferCmd *cmd = (FtpTransferCmd *)data;
382  if (cmd == NULL)
383  return;
384  if (cmd->file_name) {
385  FTPFree((void *)cmd->file_name, cmd->file_len + 1);
386  }
387  SCFTPTransferCmdFree(cmd);
388  FTPDecrMemuse((uint64_t)sizeof(FtpTransferCmd));
389 }
390 
391 static uint32_t CopyCommandLine(uint8_t **dest, FtpLineState *line)
392 {
393  if (likely(line->len)) {
394  uint8_t *where = FTPCalloc(line->len + 1, sizeof(char));
395  if (unlikely(where == NULL)) {
396  return 0;
397  }
398  memcpy(where, line->buf, line->len);
399 
400  /* Remove trailing newlines/carriage returns */
401  while (line->len && isspace((unsigned char)where[line->len - 1])) {
402  line->len--;
403  }
404 
405  where[line->len] = '\0';
406  *dest = where;
407  }
408  /* either 0 or actual */
409  return line->len ? line->len + 1 : 0;
410 }
411 
412 #include "util-print.h"
413 
414 /**
415  * \brief This function is called to retrieve a ftp request
416  * \param ftp_state the ftp state structure for the parser
417  *
418  * \retval APP_LAYER_OK when input was process successfully
419  * \retval APP_LAYER_ERROR when a unrecoverable error was encountered
420  */
421 static AppLayerResult FTPParseRequest(Flow *f, void *ftp_state, AppLayerParserState *pstate,
422  StreamSlice stream_slice, void *local_data)
423 {
424  FTPThreadCtx *thread_data = local_data;
425 
426  SCEnter();
427  /* PrintRawDataFp(stdout, input,input_len); */
428 
429  FtpState *state = (FtpState *)ftp_state;
430  void *ptmp;
431 
432  const uint8_t *input = StreamSliceGetData(&stream_slice);
433  uint32_t input_len = StreamSliceGetDataLen(&stream_slice);
434 
435  if (input == NULL && SCAppLayerParserStateIssetFlag(pstate, APP_LAYER_PARSER_EOF_TS)) {
437  } else if (input == NULL || input_len == 0) {
439  }
440 
441  FtpInput ftpi = { .buf = input, .len = input_len, .orig_len = input_len, .consumed = 0 };
442  FtpLineState line = { .buf = NULL, .len = 0, .delim_len = 0, .lf_found = false };
443 
444  uint8_t direction = STREAM_TOSERVER;
445  AppLayerResult res;
446  while (1) {
447  res = FTPGetLineForDirection(&line, &ftpi, &state->current_line_truncated_ts);
448  if (res.status == 1) {
449  return res;
450  } else if (res.status == -1) {
451  break;
452  }
453 
454  FtpCommandInfo cmd_descriptor;
455  if (!FTPParseRequestCommand(thread_data, &line, &cmd_descriptor)) {
456  state->command = FTP_COMMAND_UNKNOWN;
457  continue;
458  }
459 
460  state->command = cmd_descriptor.command_code;
461  FTPTransaction *tx = FTPTransactionCreate(state);
462  if (unlikely(tx == NULL))
464  tx->tx_data.updated_ts = true;
465  state->curr_tx = tx;
466 
467  tx->command_descriptor = cmd_descriptor;
468  tx->request_length = CopyCommandLine(&tx->request, &line);
470 
471  if (line.lf_found) {
472  state->current_line_truncated_ts = false;
473  }
474  if (tx->request_truncated) {
475  SCAppLayerDecoderEventsSetEventRaw(&tx->tx_data.events, FtpEventRequestCommandTooLong);
476  }
477 
478  /* change direction (default to server) so expectation will handle
479  * the correct message when expectation will match.
480  * For ftp active mode, data connection direction is opposite to
481  * control direction.
482  */
483  if ((state->active &&
484  (state->command == FTP_COMMAND_STOR || state->command == FTP_COMMAND_APPE ||
485  state->command == FTP_COMMAND_STOU)) ||
486  (!state->active &&
487  (state->command == FTP_COMMAND_RETR || state->command == FTP_COMMAND_NLST ||
488  state->command == FTP_COMMAND_LIST ||
489  state->command == FTP_COMMAND_MLSD))) {
490  direction = STREAM_TOCLIENT;
491  }
492 
493  bool has_file = false;
494 
495  switch (state->command) {
496  case FTP_COMMAND_EPRT:
497  // fallthrough
498  case FTP_COMMAND_PORT:
499  if (line.len + 1 > state->port_line_size) {
500  /* Allocate an extra byte for a NULL terminator */
501  ptmp = FTPRealloc(state->port_line, state->port_line_size, line.len + 1);
502  if (ptmp == NULL) {
503  if (state->port_line) {
504  FTPFree(state->port_line, state->port_line_size);
505  state->port_line = NULL;
506  state->port_line_size = 0;
507  state->port_line_len = 0;
508  }
510  }
511  state->port_line = ptmp;
512  state->port_line_size = line.len + 1;
513  }
514  memcpy(state->port_line, line.buf, line.len);
515  state->port_line_len = line.len;
516  break;
517  case FTP_COMMAND_RETR:
518  // fallthrough
519  case FTP_COMMAND_STOR:
520  // fallthrough
521  case FTP_COMMAND_APPE:
522  /* Ensure that there is a file name
523  * -- need more than 5 chars: cmd [4], space, <filename>
524  */
525  if (line.len < 6) {
527  &tx->tx_data.events, FtpEventFileWithoutName);
528  break;
529  }
530  has_file = true;
531  /* fallthrough */
532  case FTP_COMMAND_STOU:
533  if (line.len >= 6) {
534  has_file = true;
535  }
536  /* fallthrough */
537  case FTP_COMMAND_NLST:
538  case FTP_COMMAND_LIST:
539  case FTP_COMMAND_MLSD: {
540  /* Ensure a port has been negotiated. */
541  if (state->dyn_port == 0) {
542  SCAppLayerDecoderEventsSetEventRaw(&tx->tx_data.events, FtpEventFileBeforePort);
543  break;
544  }
545 
546  FtpTransferCmd *data = SCFTPTransferCmdNew();
547  if (data == NULL)
549  FTPIncrMemuse((uint64_t)(sizeof *data));
550  data->cmd = state->command;
551  data->flow_id = FlowGetId(f);
552  data->direction = direction;
553  data->data_free = FtpTransferCmdFree;
554 
555  /*
556  * Min size has been checked in FTPParseRequestCommand
557  * SC_FILENAME_MAX includes the null
558  */
559  if (has_file) {
560  uint32_t file_name_len = MIN(SC_FILENAME_MAX - 1, line.len - 5);
561 #if SC_FILENAME_MAX > UINT16_MAX
562 #error SC_FILENAME_MAX is greater than UINT16_MAX
563 #endif
564  data->file_name = FTPCalloc(file_name_len + 1, sizeof(char));
565  if (data->file_name == NULL) {
566  FtpTransferCmdFree(data);
568  }
569  data->file_name[file_name_len] = 0;
570  data->file_len = (uint16_t)file_name_len;
571  memcpy(data->file_name, line.buf + 5, file_name_len);
572  } else if (state->command == FTP_COMMAND_STOU) {
573  const char default_file_name[] = "<stou>";
574  uint32_t file_name_len = sizeof(default_file_name);
575  data->file_name = FTPCalloc(file_name_len, sizeof(char));
576  if (data->file_name == NULL) {
577  FtpTransferCmdFree(data);
579  }
580  data->file_name[file_name_len - 1] = 0;
581  data->file_len = (uint16_t)file_name_len - 1;
582  memcpy(data->file_name, default_file_name, file_name_len);
583  }
584  int ret = AppLayerExpectationCreate(
585  f, direction, 0, state->dyn_port, ALPROTO_FTPDATA, data);
586  if (ret == -1) {
587  FtpTransferCmdFree(data);
588  SCLogDebug("No expectation created.");
590  } else {
591  SCLogDebug("Expectation created [direction: %s, dynamic port %" PRIu16 "].",
592  state->active ? "to server" : "to client", state->dyn_port);
593  }
594 
595  /* reset the dyn port to avoid duplicate */
596  state->dyn_port = 0;
597  /* reset active/passive indicator */
598  state->active = false;
599 
600  break;
601  }
602  default:
603  break;
604  }
605  if (line.len >= ftp_max_line_len) {
606  ftpi.consumed = ftpi.len + 1;
607  break;
608  }
609  SCAppLayerParserTriggerRawStreamInspection(f, STREAM_TOSERVER);
610  }
611 
613 }
614 
615 static int FTPParsePassiveResponse(FtpState *state, const uint8_t *input, uint32_t input_len)
616 {
617  uint16_t dyn_port = SCFTPParsePortPasv(input, input_len);
618  if (dyn_port == 0) {
619  return -1;
620  }
621  SCLogDebug("FTP passive mode (v4): dynamic port %"PRIu16"", dyn_port);
622  state->active = false;
623  state->dyn_port = dyn_port;
624  state->curr_tx->dyn_port = dyn_port;
625  state->curr_tx->active = false;
626 
627  return 0;
628 }
629 
630 static int FTPParsePassiveResponseV6(FtpState *state, const uint8_t *input, uint32_t input_len)
631 {
632  uint16_t dyn_port = SCFTPParsePortEpsv(input, input_len);
633  if (dyn_port == 0) {
634  return -1;
635  }
636  SCLogDebug("FTP passive mode (v6): dynamic port %"PRIu16"", dyn_port);
637  state->active = false;
638  state->dyn_port = dyn_port;
639  state->curr_tx->dyn_port = dyn_port;
640  state->curr_tx->active = false;
641  return 0;
642 }
643 
644 /**
645  * \brief Handle preliminary replies -- keep tx open
646  * \retval bool True for a positive preliminary reply; false otherwise
647  *
648  * 1yz Positive Preliminary reply
649  *
650  * The requested action is being initiated; expect another
651  * reply before proceeding with a new command
652  */
653 static inline bool FTPIsPPR(const uint8_t *input, uint32_t input_len)
654 {
655  return input_len >= 4 && isdigit(input[0]) && input[0] == '1' &&
656  isdigit(input[1]) && isdigit(input[2]) && isspace(input[3]);
657 }
658 
659 /**
660  * \brief This function is called to retrieve a ftp response
661  * \param ftp_state the ftp state structure for the parser
662  * \param input input line of the command
663  * \param input_len length of the request
664  * \param output the resulting output
665  *
666  * \retval 1 when the command is parsed, 0 otherwise
667  */
668 static AppLayerResult FTPParseResponse(Flow *f, void *ftp_state, AppLayerParserState *pstate,
669  StreamSlice stream_slice, void *local_data)
670 {
671  FtpState *state = (FtpState *)ftp_state;
672 
673  const uint8_t *input = StreamSliceGetData(&stream_slice);
674  uint32_t input_len = StreamSliceGetDataLen(&stream_slice);
675 
676  if (unlikely(input_len == 0)) {
678  }
679  FtpInput ftpi = { .buf = input, .len = input_len, .orig_len = input_len, .consumed = 0 };
680  FtpLineState line = { .buf = NULL, .len = 0, .delim_len = 0, .lf_found = false };
681 
682  FTPTransaction *lasttx = TAILQ_FIRST(&state->tx_list);
683  AppLayerResult res;
684  while (1) {
685  res = FTPGetLineForDirection(&line, &ftpi, &state->current_line_truncated_tc);
686  if (res.status == 1) {
687  return res;
688  } else if (res.status == -1) {
689  break;
690  }
691  FTPTransaction *tx = FTPGetOldestTx(state, lasttx);
692  if (tx == NULL) {
693  tx = FTPTransactionCreate(state);
694  if (tx != NULL) {
695  /* This is a TC only transaction, skip TS inspection. */
696  tx->tx_data.flags |= APP_LAYER_TX_SKIP_INSPECT_TS;
697  }
698  }
699  if (unlikely(tx == NULL)) {
701  }
702  lasttx = tx;
703  tx->tx_data.updated_tc = true;
704  if (state->command == FTP_COMMAND_UNKNOWN) {
705  /* unknown */
706  tx->command_descriptor.command_code = FTP_COMMAND_UNKNOWN;
707  }
708 
709  state->curr_tx = tx;
710  uint16_t dyn_port;
711  switch (state->command) {
712  case FTP_COMMAND_AUTH_TLS:
713  if (line.len >= 4 && SCMemcmp("234 ", line.buf, 4) == 0) {
715  }
716  break;
717 
718  case FTP_COMMAND_EPRT:
719  dyn_port = SCFTPParsePortEprt(state->port_line, state->port_line_len);
720  if (dyn_port == 0) {
721  goto tx_complete;
722  }
723  state->dyn_port = dyn_port;
724  state->active = true;
725  tx->dyn_port = dyn_port;
726  tx->active = true;
727  SCLogDebug("FTP active mode (v6): dynamic port %" PRIu16 "", dyn_port);
728  break;
729 
730  case FTP_COMMAND_PORT:
731  dyn_port = SCFTPParsePort(state->port_line, state->port_line_len);
732  if (dyn_port == 0) {
733  goto tx_complete;
734  }
735  state->dyn_port = dyn_port;
736  state->active = true;
737  tx->dyn_port = state->dyn_port;
738  tx->active = true;
739  SCLogDebug("FTP active mode (v4): dynamic port %" PRIu16 "", dyn_port);
740  break;
741 
742  case FTP_COMMAND_PASV:
743  if (line.len >= 4 && SCMemcmp("227 ", line.buf, 4) == 0) {
744  FTPParsePassiveResponse(ftp_state, line.buf, line.len);
745  }
746  break;
747 
748  case FTP_COMMAND_EPSV:
749  if (line.len >= 4 && SCMemcmp("229 ", line.buf, 4) == 0) {
750  FTPParsePassiveResponseV6(ftp_state, line.buf, line.len);
751  }
752  break;
753  default:
754  break;
755  }
756 
757  if (likely(line.len)) {
758  FTPResponseLine *response = SCFTPParseResponseLine((const char *)line.buf, line.len);
759  if (likely(response)) {
760  FTPResponseWrapper *wrapper = FTPResponseWrapperAlloc(response);
761  if (likely(wrapper)) {
762  response->truncated = state->current_line_truncated_tc;
763  if (response->truncated) {
765  &tx->tx_data.events, FtpEventResponseCommandTooLong);
766  }
767  if (line.lf_found) {
768  state->current_line_truncated_tc = false;
769  }
770  TAILQ_INSERT_TAIL(&tx->response_list, wrapper, next);
771  } else {
772  SCFTPFreeResponseLine(response);
773  }
774  } else {
775  SCLogDebug("unable to parse FTP response line \"%s\"", line.buf);
776  }
777  }
778 
779  /* Handle preliminary replies -- keep tx open */
780  if (FTPIsPPR(line.buf, line.len)) {
781  continue;
782  }
783  tx_complete:
784  tx->done = true;
785  SCAppLayerParserTriggerRawStreamInspection(f, STREAM_TOCLIENT);
786 
787  if (line.len >= ftp_max_line_len) {
788  ftpi.consumed = ftpi.len + 1;
789  break;
790  }
791  }
792 
794 }
795 
796 
797 #ifdef DEBUG
798 static SCMutex ftp_state_mem_lock = SCMUTEX_INITIALIZER;
799 static uint64_t ftp_state_memuse = 0;
800 static uint64_t ftp_state_memcnt = 0;
801 #endif
802 
803 static void *FTPStateAlloc(void *orig_state, AppProto proto_orig)
804 {
805  void *s = FTPCalloc(1, sizeof(FtpState));
806  if (unlikely(s == NULL))
807  return NULL;
808 
809  FtpState *ftp_state = (FtpState *) s;
810  TAILQ_INIT(&ftp_state->tx_list);
811 
812 #ifdef DEBUG
813  SCMutexLock(&ftp_state_mem_lock);
814  ftp_state_memcnt++;
815  ftp_state_memuse+=sizeof(FtpState);
816  SCMutexUnlock(&ftp_state_mem_lock);
817 #endif
818  return s;
819 }
820 
821 static void FTPStateFree(void *s)
822 {
823  FtpState *fstate = (FtpState *) s;
824  if (fstate->port_line != NULL)
825  FTPFree(fstate->port_line, fstate->port_line_size);
826 
827  FTPTransaction *tx = NULL;
828  while ((tx = TAILQ_FIRST(&fstate->tx_list))) {
829  TAILQ_REMOVE(&fstate->tx_list, tx, next);
830 #ifdef DEBUG
831  if (SCLogDebugEnabled()) {
832  const char *command_name = NULL;
833  (void)SCGetFtpCommandInfo(
834  tx->command_descriptor.command_index, &command_name, NULL, NULL);
835  SCLogDebug("[%s] state %p id %" PRIu64 ", Freeing %d bytes at %p",
836  command_name != NULL ? command_name : "n/a", s, tx->tx_id, tx->request_length,
837  tx->request);
838  }
839 #endif
840 
841  FTPTransactionFree(tx);
842  }
843 
844  FTPFree(s, sizeof(FtpState));
845 #ifdef DEBUG
846  SCMutexLock(&ftp_state_mem_lock);
847  ftp_state_memcnt--;
848  ftp_state_memuse-=sizeof(FtpState);
849  SCMutexUnlock(&ftp_state_mem_lock);
850 #endif
851 }
852 
853 /**
854  * \brief This function returns the oldest open transaction; if none
855  * are open, then the oldest transaction is returned
856  * \param ftp_state the ftp state structure for the parser
857  * \param starttx the ftp transaction where to start looking
858  *
859  * \retval transaction pointer when a transaction was found; NULL otherwise.
860  */
861 static FTPTransaction *FTPGetOldestTx(const FtpState *ftp_state, FTPTransaction *starttx)
862 {
863  if (unlikely(!ftp_state)) {
864  SCLogDebug("NULL state object; no transactions available");
865  return NULL;
866  }
867  FTPTransaction *tx = starttx;
868  FTPTransaction *lasttx = NULL;
869  while(tx != NULL) {
870  /* Return oldest open tx */
871  if (!tx->done) {
872  SCLogDebug("Returning tx %p id %"PRIu64, tx, tx->tx_id);
873  return tx;
874  }
875  /* save for the end */
876  lasttx = tx;
877  tx = TAILQ_NEXT(tx, next);
878  }
879  /* All tx are closed; return last element */
880  if (lasttx)
881  SCLogDebug("Returning OLDEST tx %p id %"PRIu64, lasttx, lasttx->tx_id);
882  return lasttx;
883 }
884 
885 static void *FTPGetTx(void *state, uint64_t tx_id)
886 {
887  FtpState *ftp_state = (FtpState *)state;
888  if (ftp_state) {
889  FTPTransaction *tx = NULL;
890 
891  if (ftp_state->curr_tx == NULL)
892  return NULL;
893  if (ftp_state->curr_tx->tx_id == tx_id)
894  return ftp_state->curr_tx;
895 
896  TAILQ_FOREACH(tx, &ftp_state->tx_list, next) {
897  if (tx->tx_id == tx_id)
898  return tx;
899  }
900  }
901  return NULL;
902 }
903 
904 static AppLayerTxData *FTPGetTxData(void *vtx)
905 {
906  FTPTransaction *tx = (FTPTransaction *)vtx;
907  return &tx->tx_data;
908 }
909 
910 static AppLayerStateData *FTPGetStateData(void *vstate)
911 {
912  FtpState *s = (FtpState *)vstate;
913  return &s->state_data;
914 }
915 
916 static void FTPStateTransactionFree(void *state, uint64_t tx_id)
917 {
918  FtpState *ftp_state = state;
919  FTPTransaction *tx = NULL;
920  TAILQ_FOREACH(tx, &ftp_state->tx_list, next) {
921  if (tx_id < tx->tx_id)
922  break;
923  else if (tx_id > tx->tx_id)
924  continue;
925 
926  if (tx == ftp_state->curr_tx)
927  ftp_state->curr_tx = NULL;
928  TAILQ_REMOVE(&ftp_state->tx_list, tx, next);
929  FTPTransactionFree(tx);
930  break;
931  }
932 }
933 
934 static uint64_t FTPGetTxCnt(void *state)
935 {
936  uint64_t cnt = 0;
937  FtpState *ftp_state = state;
938  if (ftp_state) {
939  cnt = ftp_state->tx_cnt;
940  }
941  SCLogDebug("returning state %p %"PRIu64, state, cnt);
942  return cnt;
943 }
944 
945 static int FTPGetAlstateProgress(void *vtx, uint8_t direction)
946 {
947  SCLogDebug("tx %p", vtx);
948  FTPTransaction *tx = vtx;
949 
950  /* having a tx implies request side is done */
951  if (direction == STREAM_TOSERVER) {
952  return FTP_STATE_FINISHED;
953  }
954  if (!tx->done) {
955  return FTP_STATE_IN_PROGRESS;
956  }
957 
958  return FTP_STATE_FINISHED;
959 }
960 
961 static AppProto FTPUserProbingParser(
962  const Flow *f, uint8_t direction, const uint8_t *input, uint32_t len, uint8_t *rdir)
963 {
964  if (f->alproto_tc == ALPROTO_POP3) {
965  // POP traffic begins by same "USER" pattern as FTP
966  return ALPROTO_FAILED;
967  }
968  return ALPROTO_FTP;
969 }
970 
971 static AppProto FTPQuitProbingParser(
972  const Flow *f, uint8_t direction, const uint8_t *input, uint32_t len, uint8_t *rdir)
973 {
974  // another check for minimum length
975  if (len < 5) {
976  return ALPROTO_UNKNOWN;
977  }
978  // begins by QUIT
979  if (SCMemcmp(input, "QUIT", 4) != 0) {
980  return ALPROTO_FAILED;
981  }
982  return ALPROTO_FTP;
983 }
984 
985 static AppProto FTPServerProbingParser(
986  const Flow *f, uint8_t direction, const uint8_t *input, uint32_t len, uint8_t *rdir)
987 {
988  // another check for minimum length
989  if (len < 5) {
990  return ALPROTO_UNKNOWN;
991  }
992  // begins by 220
993  if (input[0] != '2' || input[1] != '2' || input[2] != '0') {
994  return ALPROTO_FAILED;
995  }
996  // followed by space or hypen
997  if (input[3] != ' ' && input[3] != '-') {
998  return ALPROTO_FAILED;
999  }
1000  if (f->alproto_ts == ALPROTO_FTP || (f->todstbytecnt > 4 && f->alproto_ts == ALPROTO_UNKNOWN)) {
1001  // only validates FTP if client side was FTP
1002  // or if client side is unknown despite having received bytes
1003  if (memchr(input + 4, '\n', len - 4) != NULL) {
1004  return ALPROTO_FTP;
1005  }
1006  }
1007  return ALPROTO_UNKNOWN;
1008 }
1009 
1010 static int FTPRegisterPatternsForProtocolDetection(void)
1011 {
1013  IPPROTO_TCP, ALPROTO_FTP, "220 (", 5, 0, STREAM_TOCLIENT) < 0) {
1014  return -1;
1015  }
1017  IPPROTO_TCP, ALPROTO_FTP, "FEAT", 4, 0, STREAM_TOSERVER) < 0) {
1018  return -1;
1019  }
1020  if (SCAppLayerProtoDetectPMRegisterPatternCSwPP(IPPROTO_TCP, ALPROTO_FTP, "USER ", 5, 0,
1021  STREAM_TOSERVER, FTPUserProbingParser, 5, 5) < 0) {
1022  return -1;
1023  }
1024 
1026  IPPROTO_TCP, ALPROTO_FTP, "PORT ", 5, 0, STREAM_TOSERVER) < 0) {
1027  return -1;
1028  }
1029  // Only check FTP on known ports as the banner has nothing special beyond
1030  // the response code shared with SMTP.
1032  "tcp", IPPROTO_TCP, "ftp", ALPROTO_FTP, 0, 5, NULL, FTPServerProbingParser)) {
1033  // STREAM_TOSERVER here means use 21 as flow destination port
1034  // and FTPServerProbingParser is probing parser to client
1035  SCAppLayerProtoDetectPPRegister(IPPROTO_TCP, "21", ALPROTO_FTP, 0, 5, STREAM_TOSERVER,
1036  FTPQuitProbingParser, FTPServerProbingParser);
1037  }
1038  return 0;
1039 }
1040 
1041 
1043 
1044 /**
1045  * \brief This function is called to retrieve a ftp request
1046  * \param ftp_state the ftp state structure for the parser
1047  * \param output the resulting output
1048  *
1049  * \retval 1 when the command is parsed, 0 otherwise
1050  */
1051 static AppLayerResult FTPDataParse(Flow *f, FtpDataState *ftpdata_state,
1052  AppLayerParserState *pstate, StreamSlice stream_slice, void *local_data, uint8_t direction)
1053 {
1054  const uint8_t *input = StreamSliceGetData(&stream_slice);
1055  uint32_t input_len = StreamSliceGetDataLen(&stream_slice);
1056  const bool eof = (direction & STREAM_TOSERVER)
1057  ? SCAppLayerParserStateIssetFlag(pstate, APP_LAYER_PARSER_EOF_TS) != 0
1058  : SCAppLayerParserStateIssetFlag(pstate, APP_LAYER_PARSER_EOF_TC) != 0;
1059 
1060  SCTxDataUpdateFileFlags(&ftpdata_state->tx_data, ftpdata_state->state_data.file_flags);
1061  if (ftpdata_state->tx_data.file_tx == 0)
1062  ftpdata_state->tx_data.file_tx = direction & (STREAM_TOSERVER | STREAM_TOCLIENT);
1063  if (direction & STREAM_TOSERVER) {
1064  ftpdata_state->tx_data.updated_ts = true;
1065  } else {
1066  ftpdata_state->tx_data.updated_tc = true;
1067  }
1068  /* we depend on detection engine for file pruning */
1069  const uint16_t flags = SCFileFlowFlagsToFlags(ftpdata_state->tx_data.file_flags, direction);
1070  int ret = 0;
1071 
1072  SCLogDebug("FTP-DATA input_len %u flags %04x dir %d/%s EOF %s", input_len, flags, direction,
1073  (direction & STREAM_TOSERVER) ? "toserver" : "toclient", eof ? "true" : "false");
1074 
1075  SCLogDebug("FTP-DATA flags %04x dir %d", flags, direction);
1076  if (!ftpdata_state->initialized && input_len) {
1077  FtpTransferCmd *data =
1078  (FtpTransferCmd *)SCFlowGetStorageById(f, AppLayerExpectationGetFlowId());
1079  if (data == NULL) {
1081  }
1082 
1083  /* we shouldn't get data in the wrong dir. Don't set things up for this dir */
1084  if ((direction & data->direction) == 0) {
1085  // TODO set event for data in wrong direction
1086  SCLogDebug("input %u not for our direction (%s): %s/%s", input_len,
1087  (direction & STREAM_TOSERVER) ? "toserver" : "toclient",
1088  data->cmd == FTP_COMMAND_STOR ? "STOR" : "RETR",
1089  (data->direction & STREAM_TOSERVER) ? "toserver" : "toclient");
1091  }
1092 
1093  if (data->file_name) {
1094  ftpdata_state->files = FileContainerAlloc();
1095  if (ftpdata_state->files == NULL) {
1098  }
1099 
1100  ftpdata_state->file_name = data->file_name;
1101  ftpdata_state->file_len = data->file_len;
1102  data->file_name = NULL;
1103  data->file_len = 0;
1104  }
1105  f->parent_id = data->flow_id;
1106  ftpdata_state->command = data->cmd;
1107  switch (data->cmd) {
1108  case FTP_COMMAND_STOR:
1109  ftpdata_state->direction = data->direction;
1110  SCLogDebug("STOR data to %s",
1111  (ftpdata_state->direction & STREAM_TOSERVER) ? "toserver" : "toclient");
1112  break;
1113  case FTP_COMMAND_APPE:
1114  ftpdata_state->direction = data->direction;
1115  SCLogDebug("APPE data to %s",
1116  (ftpdata_state->direction & STREAM_TOSERVER) ? "toserver" : "toclient");
1117  break;
1118  case FTP_COMMAND_STOU:
1119  ftpdata_state->direction = data->direction;
1120  SCLogDebug("STOU data to %s",
1121  (ftpdata_state->direction & STREAM_TOSERVER) ? "toserver" : "toclient");
1122  break;
1123  case FTP_COMMAND_RETR:
1124  ftpdata_state->direction = data->direction;
1125  SCLogDebug("RETR data to %s",
1126  (ftpdata_state->direction & STREAM_TOSERVER) ? "toserver" : "toclient");
1127  break;
1128  case FTP_COMMAND_NLST:
1129  ftpdata_state->direction = data->direction;
1130  SCLogDebug("NLST data to %s",
1131  (ftpdata_state->direction & STREAM_TOSERVER) ? "toserver" : "toclient");
1132  break;
1133  case FTP_COMMAND_LIST:
1134  ftpdata_state->direction = data->direction;
1135  SCLogDebug("LIST data to %s",
1136  (ftpdata_state->direction & STREAM_TOSERVER) ? "toserver" : "toclient");
1137  break;
1138  case FTP_COMMAND_MLSD:
1139  ftpdata_state->direction = data->direction;
1140  SCLogDebug("MLSD data to %s",
1141  (ftpdata_state->direction & STREAM_TOSERVER) ? "toserver" : "toclient");
1142  break;
1143  default:
1144  break;
1145  }
1146 
1147  if (ftpdata_state->file_name) {
1148  /* open with fixed track_id 0 as we can have just one
1149  * file per ftp-data flow. */
1150  if (FileOpenFileWithId(ftpdata_state->files, &sbcfg, 0ULL,
1151  (uint8_t *)ftpdata_state->file_name, ftpdata_state->file_len, input,
1152  input_len, flags) != 0) {
1153  SCLogDebug("Can't open file");
1154  ret = -1;
1155  }
1156  ftpdata_state->tx_data.files_opened = 1;
1157  }
1159 
1160  ftpdata_state->initialized = true;
1161  } else {
1162  if ((direction & ftpdata_state->direction) == 0) {
1163  if (input_len) {
1164  // TODO set event for data in wrong direction
1165  }
1166  SCLogDebug("input %u not for us (%s): %s/%s", input_len,
1167  (direction & STREAM_TOSERVER) ? "toserver" : "toclient",
1168  ftpdata_state->command == FTP_COMMAND_STOR ? "STOR" : "RETR",
1169  (ftpdata_state->direction & STREAM_TOSERVER) ? "toserver" : "toclient");
1171  }
1172  if (ftpdata_state->state == FTPDATA_STATE_FINISHED) {
1173  SCLogDebug("state is already finished");
1174  DEBUG_VALIDATE_BUG_ON(input_len); // data after state finished is a bug.
1176  }
1177  if (ftpdata_state->file_name && input_len != 0) {
1178  ret = FileAppendData(ftpdata_state->files, &sbcfg, input, input_len);
1179  if (ret == -2) {
1180  ret = 0;
1181  SCLogDebug("FileAppendData() - file no longer being extracted");
1182  goto out;
1183  } else if (ret < 0) {
1184  SCLogDebug("FileAppendData() failed: %d", ret);
1185  ret = -2;
1186  goto out;
1187  }
1188  }
1189  }
1190 
1191  DEBUG_VALIDATE_BUG_ON((direction & ftpdata_state->direction) == 0); // should be unreachable
1192  if (eof) {
1193  if (ftpdata_state->file_name) {
1194  ret = FileCloseFile(ftpdata_state->files, &sbcfg, NULL, 0, flags);
1195  }
1196  ftpdata_state->state = FTPDATA_STATE_FINISHED;
1197  SCLogDebug("closed because of eof: state now FTPDATA_STATE_FINISHED");
1198  }
1199 out:
1200  if (ret < 0) {
1202  }
1204 }
1205 
1206 static AppLayerResult FTPDataParseRequest(Flow *f, void *ftp_state, AppLayerParserState *pstate,
1207  StreamSlice stream_slice, void *local_data)
1208 {
1209  return FTPDataParse(f, ftp_state, pstate, stream_slice, local_data, STREAM_TOSERVER);
1210 }
1211 
1212 static AppLayerResult FTPDataParseResponse(Flow *f, void *ftp_state, AppLayerParserState *pstate,
1213  StreamSlice stream_slice, void *local_data)
1214 {
1215  return FTPDataParse(f, ftp_state, pstate, stream_slice, local_data, STREAM_TOCLIENT);
1216 }
1217 
1218 #ifdef DEBUG
1219 static SCMutex ftpdata_state_mem_lock = SCMUTEX_INITIALIZER;
1220 static uint64_t ftpdata_state_memuse = 0;
1221 static uint64_t ftpdata_state_memcnt = 0;
1222 #endif
1223 
1224 static void *FTPDataStateAlloc(void *orig_state, AppProto proto_orig)
1225 {
1226  void *s = FTPCalloc(1, sizeof(FtpDataState));
1227  if (unlikely(s == NULL))
1228  return NULL;
1229 
1230  FtpDataState *state = (FtpDataState *) s;
1231  state->state = FTPDATA_STATE_IN_PROGRESS;
1232 
1233 #ifdef DEBUG
1234  SCMutexLock(&ftpdata_state_mem_lock);
1235  ftpdata_state_memcnt++;
1236  ftpdata_state_memuse+=sizeof(FtpDataState);
1237  SCMutexUnlock(&ftpdata_state_mem_lock);
1238 #endif
1239  return s;
1240 }
1241 
1242 static void FTPDataStateFree(void *s)
1243 {
1244  FtpDataState *fstate = (FtpDataState *) s;
1245 
1246  SCAppLayerTxDataCleanup(&fstate->tx_data);
1247 
1248  if (fstate->file_name != NULL) {
1249  FTPFree(fstate->file_name, fstate->file_len + 1);
1250  }
1251 
1252  FileContainerFree(fstate->files, &sbcfg);
1253 
1254  FTPFree(s, sizeof(FtpDataState));
1255 #ifdef DEBUG
1256  SCMutexLock(&ftpdata_state_mem_lock);
1257  ftpdata_state_memcnt--;
1258  ftpdata_state_memuse-=sizeof(FtpDataState);
1259  SCMutexUnlock(&ftpdata_state_mem_lock);
1260 #endif
1261 }
1262 
1263 static AppLayerTxData *FTPDataGetTxData(void *vtx)
1264 {
1265  FtpDataState *ftp_state = (FtpDataState *)vtx;
1266  return &ftp_state->tx_data;
1267 }
1268 
1269 static AppLayerStateData *FTPDataGetStateData(void *vstate)
1270 {
1271  FtpDataState *ftp_state = (FtpDataState *)vstate;
1272  return &ftp_state->state_data;
1273 }
1274 
1275 static void FTPDataStateTransactionFree(void *state, uint64_t tx_id)
1276 {
1277  /* do nothing */
1278 }
1279 
1280 static void *FTPDataGetTx(void *state, uint64_t tx_id)
1281 {
1282  FtpDataState *ftp_state = (FtpDataState *)state;
1283  return ftp_state;
1284 }
1285 
1286 static uint64_t FTPDataGetTxCnt(void *state)
1287 {
1288  /* ftp-data is single tx */
1289  return 1;
1290 }
1291 
1292 static int FTPDataGetAlstateProgress(void *tx, uint8_t direction)
1293 {
1294  FtpDataState *ftpdata_state = (FtpDataState *)tx;
1295  if (direction == ftpdata_state->direction)
1296  return ftpdata_state->state;
1297  else
1298  return FTPDATA_STATE_FINISHED;
1299 }
1300 
1301 static AppLayerGetFileState FTPDataStateGetTxFiles(void *tx, uint8_t direction)
1302 {
1303  FtpDataState *ftpdata_state = (FtpDataState *)tx;
1304  AppLayerGetFileState files = { .fc = NULL, .cfg = &sbcfg };
1305 
1306  if (direction == ftpdata_state->direction)
1307  files.fc = ftpdata_state->files;
1308 
1309  return files;
1310 }
1311 
1312 static void FTPSetMpmState(void)
1313 {
1314  ftp_mpm_ctx = SCCalloc(1, sizeof(MpmCtx));
1315  if (unlikely(ftp_mpm_ctx == NULL)) {
1316  exit(EXIT_FAILURE);
1317  }
1318  MpmInitCtx(ftp_mpm_ctx, FTP_MPM);
1319 
1320  SCFTPSetMpmState(ftp_mpm_ctx);
1321  mpm_table[FTP_MPM].Prepare(NULL, ftp_mpm_ctx);
1322 }
1323 
1324 static void FTPFreeMpmState(void)
1325 {
1326  if (ftp_mpm_ctx != NULL) {
1327  mpm_table[FTP_MPM].DestroyCtx(ftp_mpm_ctx);
1328  SCFree(ftp_mpm_ctx);
1329  ftp_mpm_ctx = NULL;
1330  }
1331 }
1332 
1333 /** \brief FTP tx iterator, specialized for its linked list
1334  *
1335  * \retval txptr or NULL if no more txs in list
1336  */
1337 static AppLayerGetTxIterTuple FTPGetTxIterator(const uint8_t ipproto, const AppProto alproto,
1338  void *alstate, uint64_t min_tx_id, uint64_t max_tx_id, AppLayerGetTxIterState *state)
1339 {
1340  FtpState *ftp_state = (FtpState *)alstate;
1341  AppLayerGetTxIterTuple no_tuple = { NULL, 0, false };
1342  if (ftp_state) {
1343  FTPTransaction *tx_ptr;
1344  if (state->un.ptr == NULL) {
1345  tx_ptr = TAILQ_FIRST(&ftp_state->tx_list);
1346  } else {
1347  tx_ptr = (FTPTransaction *)state->un.ptr;
1348  }
1349  if (tx_ptr) {
1350  while (tx_ptr->tx_id < min_tx_id) {
1351  tx_ptr = TAILQ_NEXT(tx_ptr, next);
1352  if (!tx_ptr) {
1353  return no_tuple;
1354  }
1355  }
1356  if (tx_ptr->tx_id >= max_tx_id) {
1357  return no_tuple;
1358  }
1359  state->un.ptr = TAILQ_NEXT(tx_ptr, next);
1360  AppLayerGetTxIterTuple tuple = {
1361  .tx_ptr = tx_ptr,
1362  .tx_id = tx_ptr->tx_id,
1363  .has_next = (state->un.ptr != NULL),
1364  };
1365  return tuple;
1366  }
1367  }
1368  return no_tuple;
1369 }
1370 
1372 {
1373  const char *proto_name = "ftp";
1374  const char *proto_data_name = "ftp-data";
1375 
1376  /** FTP */
1377  if (SCAppLayerProtoDetectConfProtoDetectionEnabled("tcp", proto_name)) {
1379  if (FTPRegisterPatternsForProtocolDetection() < 0 )
1380  return;
1382  }
1383 
1384  if (SCAppLayerParserConfParserEnabled("tcp", proto_name)) {
1385  AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_FTP, STREAM_TOSERVER,
1386  FTPParseRequest);
1387  AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_FTP, STREAM_TOCLIENT,
1388  FTPParseResponse);
1389  AppLayerParserRegisterStateFuncs(IPPROTO_TCP, ALPROTO_FTP, FTPStateAlloc, FTPStateFree);
1391  IPPROTO_TCP, ALPROTO_FTP, STREAM_TOSERVER | STREAM_TOCLIENT);
1392 
1393  AppLayerParserRegisterTxFreeFunc(IPPROTO_TCP, ALPROTO_FTP, FTPStateTransactionFree);
1394 
1395  AppLayerParserRegisterGetTx(IPPROTO_TCP, ALPROTO_FTP, FTPGetTx);
1396  AppLayerParserRegisterTxDataFunc(IPPROTO_TCP, ALPROTO_FTP, FTPGetTxData);
1397  AppLayerParserRegisterGetTxIterator(IPPROTO_TCP, ALPROTO_FTP, FTPGetTxIterator);
1398  AppLayerParserRegisterStateDataFunc(IPPROTO_TCP, ALPROTO_FTP, FTPGetStateData);
1399 
1400  AppLayerParserRegisterLocalStorageFunc(IPPROTO_TCP, ALPROTO_FTP, FTPLocalStorageAlloc,
1401  FTPLocalStorageFree);
1402  AppLayerParserRegisterGetTxCnt(IPPROTO_TCP, ALPROTO_FTP, FTPGetTxCnt);
1403 
1404  AppLayerParserRegisterGetStateProgressFunc(IPPROTO_TCP, ALPROTO_FTP, FTPGetAlstateProgress);
1405 
1407  ALPROTO_FTP, FTP_STATE_FINISHED, FTP_STATE_FINISHED);
1408 
1410  AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_FTPDATA, STREAM_TOSERVER,
1411  FTPDataParseRequest);
1412  AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_FTPDATA, STREAM_TOCLIENT,
1413  FTPDataParseResponse);
1414  AppLayerParserRegisterStateFuncs(IPPROTO_TCP, ALPROTO_FTPDATA, FTPDataStateAlloc, FTPDataStateFree);
1416  IPPROTO_TCP, ALPROTO_FTPDATA, STREAM_TOSERVER | STREAM_TOCLIENT);
1417  AppLayerParserRegisterTxFreeFunc(IPPROTO_TCP, ALPROTO_FTPDATA, FTPDataStateTransactionFree);
1418 
1419  AppLayerParserRegisterGetTxFilesFunc(IPPROTO_TCP, ALPROTO_FTPDATA, FTPDataStateGetTxFiles);
1420 
1421  AppLayerParserRegisterGetTx(IPPROTO_TCP, ALPROTO_FTPDATA, FTPDataGetTx);
1422  AppLayerParserRegisterTxDataFunc(IPPROTO_TCP, ALPROTO_FTPDATA, FTPDataGetTxData);
1423  AppLayerParserRegisterStateDataFunc(IPPROTO_TCP, ALPROTO_FTPDATA, FTPDataGetStateData);
1424 
1425  AppLayerParserRegisterGetTxCnt(IPPROTO_TCP, ALPROTO_FTPDATA, FTPDataGetTxCnt);
1426 
1427  AppLayerParserRegisterGetStateProgressFunc(IPPROTO_TCP, ALPROTO_FTPDATA, FTPDataGetAlstateProgress);
1428 
1430  ALPROTO_FTPDATA, FTPDATA_STATE_FINISHED, FTPDATA_STATE_FINISHED);
1431 
1432  AppLayerParserRegisterGetEventInfo(IPPROTO_TCP, ALPROTO_FTP, ftp_get_event_info);
1433  AppLayerParserRegisterGetEventInfoById(IPPROTO_TCP, ALPROTO_FTP, ftp_get_event_info_by_id);
1434 
1437 
1438  sbcfg.buf_size = 4096;
1439  sbcfg.Calloc = FTPCalloc;
1440  sbcfg.Realloc = FTPRealloc;
1441  sbcfg.Free = FTPFree;
1442 
1443  FTPParseMemcap();
1444  } else {
1445  SCLogInfo("Parser disabled for %s protocol. Protocol detection still on.", proto_name);
1446  }
1447 
1448  FTPSetMpmState();
1449 
1450 #ifdef UNITTESTS
1452 #endif
1453 }
1454 
1455 /*
1456  * \brief Returns the ending offset of the next line from a multi-line buffer.
1457  *
1458  * "Buffer" refers to a FTP response in a single buffer containing multiple lines.
1459  * Here, "next line" is defined as terminating on
1460  * - Newline character
1461  * - Null character
1462  *
1463  * \param buffer Contains zero or more characters.
1464  * \param len Size, in bytes, of buffer.
1465  *
1466  * \retval Offset from the start of buffer indicating the where the
1467  * next "line ends". The characters between the input buffer and this
1468  * value comprise the line.
1469  *
1470  * NULL is found first or a newline isn't found, then UINT16_MAX is returned.
1471  */
1472 uint16_t JsonGetNextLineFromBuffer(const char *buffer, const uint16_t len)
1473 {
1474  if (!buffer || *buffer == '\0') {
1475  return UINT16_MAX;
1476  }
1477 
1478  const char *c = strchr(buffer, '\n');
1479  return c == NULL ? len : (uint16_t)(c - buffer + 1);
1480 }
1481 
1482 bool EveFTPDataAddMetadata(void *vtx, SCJsonBuilder *jb)
1483 {
1484  const FtpDataState *ftp_state = (FtpDataState *)vtx;
1485  SCJbOpenObject(jb, "ftp_data");
1486 
1487  if (ftp_state->file_name) {
1488  SCJbSetStringFromBytes(jb, "filename", ftp_state->file_name, ftp_state->file_len);
1489  }
1490  switch (ftp_state->command) {
1491  case FTP_COMMAND_STOR:
1492  JB_SET_STRING(jb, "command", "STOR");
1493  break;
1494  case FTP_COMMAND_APPE:
1495  JB_SET_STRING(jb, "command", "APPE");
1496  break;
1497  case FTP_COMMAND_STOU:
1498  JB_SET_STRING(jb, "command", "STOU");
1499  break;
1500  case FTP_COMMAND_RETR:
1501  JB_SET_STRING(jb, "command", "RETR");
1502  break;
1503  case FTP_COMMAND_NLST:
1504  JB_SET_STRING(jb, "command", "NLST");
1505  break;
1506  case FTP_COMMAND_LIST:
1507  JB_SET_STRING(jb, "command", "LIST");
1508  break;
1509  case FTP_COMMAND_MLSD:
1510  JB_SET_STRING(jb, "command", "MLSD");
1511  break;
1512  default:
1513  break;
1514  }
1515  SCJbClose(jb);
1516  return true;
1517 }
1518 
1519 /**
1520  * \brief Free memory allocated for global FTP parser state.
1521  */
1523 {
1524  FTPFreeMpmState();
1525 }
1526 
1527 /* UNITTESTS */
1528 #ifdef UNITTESTS
1529 #include "flow-util.h"
1530 #include "stream-tcp.h"
1531 
1532 /** \test Send a get request in one chunk. */
1533 static int FTPParserTest01(void)
1534 {
1535  Flow f;
1536  uint8_t ftpbuf[] = "PORT 192,168,1,1,0,80\r\n";
1537  uint32_t ftplen = sizeof(ftpbuf) - 1; /* minus the \0 */
1538  TcpSession ssn;
1540 
1541  memset(&f, 0, sizeof(f));
1542  memset(&ssn, 0, sizeof(ssn));
1543 
1544  f.protoctx = (void *)&ssn;
1545  f.proto = IPPROTO_TCP;
1546  f.alproto = ALPROTO_FTP;
1547 
1548  StreamTcpInitConfig(true);
1549 
1550  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP,
1551  STREAM_TOSERVER | STREAM_EOF, ftpbuf, ftplen);
1552  FAIL_IF(r != 0);
1553 
1554  FtpState *ftp_state = f.alstate;
1555  FAIL_IF_NULL(ftp_state);
1556  FAIL_IF(ftp_state->command != FTP_COMMAND_PORT);
1557 
1558  FLOW_DESTROY(&f);
1560  StreamTcpFreeConfig(true);
1561  PASS;
1562 }
1563 
1564 /** \test Supply RETR without a filename */
1565 static int FTPParserTest11(void)
1566 {
1567  Flow f;
1568  uint8_t ftpbuf1[] = "PORT 192,168,1,1,0,80\r\n";
1569  uint8_t ftpbuf2[] = "RETR\r\n";
1570  uint8_t ftpbuf3[] = "227 OK\r\n";
1571  TcpSession ssn;
1572 
1574 
1575  memset(&f, 0, sizeof(f));
1576  memset(&ssn, 0, sizeof(ssn));
1577 
1578  f.protoctx = (void *)&ssn;
1579  f.proto = IPPROTO_TCP;
1580  f.alproto = ALPROTO_FTP;
1581 
1582  StreamTcpInitConfig(true);
1583 
1584  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP,
1585  STREAM_TOSERVER | STREAM_START, ftpbuf1,
1586  sizeof(ftpbuf1) - 1);
1587  FAIL_IF(r != 0);
1588 
1589  /* Response */
1590  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP,
1591  STREAM_TOCLIENT,
1592  ftpbuf3,
1593  sizeof(ftpbuf3) - 1);
1594  FAIL_IF(r != 0);
1595 
1596  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP,
1597  STREAM_TOSERVER, ftpbuf2,
1598  sizeof(ftpbuf2) - 1);
1599  FAIL_IF(r != 0);
1600 
1601  FtpState *ftp_state = f.alstate;
1602  FAIL_IF_NULL(ftp_state);
1603 
1604  FAIL_IF(ftp_state->command != FTP_COMMAND_RETR);
1605 
1606  FLOW_DESTROY(&f);
1608  StreamTcpFreeConfig(true);
1609  PASS;
1610 }
1611 
1612 /** \test Supply STOR without a filename */
1613 static int FTPParserTest12(void)
1614 {
1615  Flow f;
1616  uint8_t ftpbuf1[] = "PORT 192,168,1,1,0,80\r\n";
1617  uint8_t ftpbuf2[] = "STOR\r\n";
1618  uint8_t ftpbuf3[] = "227 OK\r\n";
1619  TcpSession ssn;
1620 
1622 
1623  memset(&f, 0, sizeof(f));
1624  memset(&ssn, 0, sizeof(ssn));
1625 
1626  f.protoctx = (void *)&ssn;
1627  f.proto = IPPROTO_TCP;
1628  f.alproto = ALPROTO_FTP;
1629 
1630  StreamTcpInitConfig(true);
1631 
1632  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP,
1633  STREAM_TOSERVER | STREAM_START, ftpbuf1,
1634  sizeof(ftpbuf1) - 1);
1635  FAIL_IF(r != 0);
1636 
1637  /* Response */
1638  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP,
1639  STREAM_TOCLIENT,
1640  ftpbuf3,
1641  sizeof(ftpbuf3) - 1);
1642  FAIL_IF(r != 0);
1643 
1644  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP,
1645  STREAM_TOSERVER, ftpbuf2,
1646  sizeof(ftpbuf2) - 1);
1647  FAIL_IF(r != 0);
1648 
1649  FtpState *ftp_state = f.alstate;
1650  FAIL_IF_NULL(ftp_state);
1651 
1652  FAIL_IF(ftp_state->command != FTP_COMMAND_STOR);
1653 
1654  FLOW_DESTROY(&f);
1656  StreamTcpFreeConfig(true);
1657  PASS;
1658 }
1659 #endif /* UNITTESTS */
1660 
1662 {
1663 #ifdef UNITTESTS
1664  UtRegisterTest("FTPParserTest01", FTPParserTest01);
1665  UtRegisterTest("FTPParserTest11", FTPParserTest11);
1666  UtRegisterTest("FTPParserTest12", FTPParserTest12);
1667 #endif /* UNITTESTS */
1668 }
FTPTransaction_::request_truncated
bool request_truncated
Definition: app-layer-ftp.h:70
PmqReset
void PmqReset(PrefilterRuleStore *pmq)
Reset a Pmq for reusage. Meant to be called after a single search.
Definition: util-prefilter.c:102
StreamSlice
Definition: app-layer-parser.h:117
AppLayerParserRegisterGetStateProgressFunc
void AppLayerParserRegisterGetStateProgressFunc(uint8_t ipproto, AppProto alproto, int(*StateGetProgress)(void *alstate, uint8_t direction))
Definition: app-layer-parser.c:504
len
uint8_t len
Definition: app-layer-dnp3.h:2
AppLayerTxData::flags
uint8_t flags
Definition: app-layer-parser.h:173
SCAppLayerParserStateIssetFlag
uint16_t SCAppLayerParserStateIssetFlag(AppLayerParserState *pstate, uint16_t flag)
Definition: app-layer-parser.c:1857
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
FTPTransaction_::request
uint8_t * request
Definition: app-layer-ftp.h:69
AppLayerGetTxIterState::ptr
void * ptr
Definition: app-layer-parser.h:141
FTPThreadCtx_
Definition: app-layer-ftp.c:43
StreamingBufferConfig_::buf_size
uint32_t buf_size
Definition: util-streaming-buffer.h:66
AppLayerParserRegisterLocalStorageFunc
void AppLayerParserRegisterLocalStorageFunc(uint8_t ipproto, AppProto alproto, void *(*LocalStorageAlloc)(void), void(*LocalStorageFree)(void *))
Definition: app-layer-parser.c:464
SCFileFlowFlagsToFlags
uint16_t SCFileFlowFlagsToFlags(const uint16_t flow_file_flags, uint8_t direction)
Definition: util-file.c:215
TAILQ_INIT
#define TAILQ_INIT(head)
Definition: queue.h:262
FtpState_::active
bool active
Definition: app-layer-ftp.h:89
flow-util.h
SC_ATOMIC_INIT
#define SC_ATOMIC_INIT(name)
wrapper for initializing an atomic variable.
Definition: util-atomic.h:314
FileContainerAlloc
FileContainer * FileContainerAlloc(void)
allocate a FileContainer
Definition: util-file.c:479
FtpDataState_::state
uint8_t state
Definition: app-layer-ftp.h:117
StreamingBufferConfig_::Calloc
void *(* Calloc)(size_t n, size_t size)
Definition: util-streaming-buffer.h:69
MpmThreadCtx_
Definition: util-mpm.h:48
stream-tcp.h
FtpState
struct FtpState_ FtpState
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SC_ATOMIC_SET
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
Definition: util-atomic.h:386
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
EveFTPDataAddMetadata
bool EveFTPDataAddMetadata(void *vtx, SCJsonBuilder *jb)
Definition: app-layer-ftp.c:1482
SCFlowGetStorageById
void * SCFlowGetStorageById(const Flow *f, SCFlowStorageId id)
Definition: flow-storage.c:40
PrefilterRuleStore_
structure for storing potential rule matches
Definition: util-prefilter.h:34
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:282
SCAppLayerTxDataCleanup
void SCAppLayerTxDataCleanup(AppLayerTxData *txd)
Definition: app-layer-parser.c:759
FtpCommandInfo_
Definition: app-layer-ftp.h:56
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
Flow_::proto
uint8_t proto
Definition: flow.h:376
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:87
FtpState_::command
FtpRequestCommand command
Definition: app-layer-ftp.h:98
ALPROTO_POP3
@ ALPROTO_POP3
Definition: app-layer-protos.h:71
SCAppLayerProtoDetectPMRegisterPatternCI
int SCAppLayerProtoDetectPMRegisterPatternCI(uint8_t ipproto, AppProto alproto, const char *pattern, uint16_t depth, uint16_t offset, uint8_t direction)
Registers a case-insensitive pattern for protocol detection.
Definition: app-layer-detect-proto.c:1673
STREAMING_BUFFER_CONFIG_INITIALIZER
#define STREAMING_BUFFER_CONFIG_INITIALIZER
Definition: util-streaming-buffer.h:74
AppLayerStateData
Definition: app-layer-parser.h:146
FileContainerFree
void FileContainerFree(FileContainer *ffc, const StreamingBufferConfig *cfg)
Free a FileContainer.
Definition: util-file.c:515
Flow_
Flow data structure.
Definition: flow.h:354
FTPTransaction_::done
bool done
Definition: app-layer-ftp.h:76
SC_ATOMIC_ADD
#define SC_ATOMIC_ADD(name, val)
add a value to our atomic variable
Definition: util-atomic.h:332
AppLayerParserRegisterStateProgressCompletionStatus
void AppLayerParserRegisterStateProgressCompletionStatus(AppProto alproto, const int ts, const int tc)
Definition: app-layer-parser.c:552
FtpState_::current_line_truncated_tc
bool current_line_truncated_tc
Definition: app-layer-ftp.h:96
AppLayerParserRegisterTxFreeFunc
void AppLayerParserRegisterTxFreeFunc(uint8_t ipproto, AppProto alproto, void(*StateTransactionFree)(void *, uint64_t))
Definition: app-layer-parser.c:514
FTPTransaction_::tx_data
AppLayerTxData tx_data
Definition: app-layer-ftp.h:65
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:252
FtpDataState_::command
FtpRequestCommand command
Definition: app-layer-ftp.h:116
FTPMemuseGlobalCounter
uint64_t FTPMemuseGlobalCounter(void)
Definition: app-layer-ftp.c:79
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
rust.h
MIN
#define MIN(x, y)
Definition: suricata-common.h:416
FtpLineState_::buf
const uint8_t * buf
Definition: app-layer-ftp.h:39
ALPROTO_FTP
@ ALPROTO_FTP
Definition: app-layer-protos.h:37
SCMUTEX_INITIALIZER
#define SCMUTEX_INITIALIZER
Definition: threads-debug.h:122
FtpDataState_::file_len
int16_t file_len
Definition: app-layer-ftp.h:115
TAILQ_INSERT_TAIL
#define TAILQ_INSERT_TAIL(head, elm, field)
Definition: queue.h:294
FTPResponseWrapper_
Definition: app-layer-ftp.h:45
app-layer-ftp.h
Flow_::protoctx
void * protoctx
Definition: flow.h:433
AppLayerGetTxIterTuple::tx_ptr
void * tx_ptr
Definition: app-layer-parser.h:151
FtpDataState_::direction
uint8_t direction
Definition: app-layer-ftp.h:118
FtpInput_::len
int32_t len
Definition: app-layer-ftp.c:274
SC_ELIMIT
@ SC_ELIMIT
Definition: util-error.h:31
SC_ATOMIC_DECLARE
SC_ATOMIC_DECLARE(uint64_t, ftp_memuse)
SCAppLayerProtoDetectPMRegisterPatternCSwPP
int SCAppLayerProtoDetectPMRegisterPatternCSwPP(uint8_t ipproto, AppProto alproto, const char *pattern, uint16_t depth, uint16_t offset, uint8_t direction, ProbingParserFPtr PPFunc, uint16_t pp_min_depth, uint16_t pp_max_depth)
Definition: app-layer-detect-proto.c:1651
SC_ENOMEM
@ SC_ENOMEM
Definition: util-error.h:29
FTPParserCleanup
void FTPParserCleanup(void)
Free memory allocated for global FTP parser state.
Definition: app-layer-ftp.c:1522
SCAppLayerDecoderEventsSetEventRaw
void SCAppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
Definition: app-layer-events.c:96
SCAppLayerProtoDetectConfProtoDetectionEnabled
int SCAppLayerProtoDetectConfProtoDetectionEnabled(const char *ipproto, const char *alproto)
Given a protocol name, checks if proto detection is enabled in the conf file.
Definition: app-layer-detect-proto.c:1995
MpmInitCtx
void MpmInitCtx(MpmCtx *mpm_ctx, uint8_t matcher)
Definition: util-mpm.c:209
ftp_max_line_len
uint32_t ftp_max_line_len
Definition: app-layer-ftp.c:54
AppLayerResult
Definition: app-layer-parser.h:111
SCAppLayerParserTriggerRawStreamInspection
void SCAppLayerParserTriggerRawStreamInspection(Flow *f, int direction)
Definition: app-layer-parser.c:1565
FtpState_
Definition: app-layer-ftp.h:88
app-layer-expectation.h
app-layer-detect-proto.h
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:498
APP_LAYER_INCOMPLETE
#define APP_LAYER_INCOMPLETE(c, n)
Definition: app-layer-parser.h:70
TAILQ_REMOVE
#define TAILQ_REMOVE(head, elm, field)
Definition: queue.h:312
MpmDestroyThreadCtx
void MpmDestroyThreadCtx(MpmThreadCtx *mpm_thread_ctx, const uint16_t matcher)
Definition: util-mpm.c:202
JB_SET_STRING
#define JB_SET_STRING(jb, key, val)
Definition: rust.h:36
TAILQ_FIRST
#define TAILQ_FIRST(head)
Definition: queue.h:250
FtpState_::port_line
uint8_t * port_line
Definition: app-layer-ftp.h:102
AppLayerParserState_
Definition: app-layer-parser.c:135
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
AppLayerTxData
Definition: app-layer-parser.h:163
FTPThreadCtx_::pmq
PrefilterRuleStore * pmq
Definition: app-layer-ftp.c:45
SCAppLayerParserConfParserEnabled
int SCAppLayerParserConfParserEnabled(const char *ipproto, const char *alproto_name)
check if a parser is enabled in the config Returns enabled always if: were running unittests
Definition: app-layer-parser.c:345
SC_FILENAME_MAX
#define SC_FILENAME_MAX
Definition: util-file.h:129
SCAppLayerParserRegisterLogger
void SCAppLayerParserRegisterLogger(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:495
FtpDataState_::initialized
bool initialized
Definition: app-layer-ftp.h:121
FtpState_::curr_tx
FTPTransaction * curr_tx
Definition: app-layer-ftp.h:91
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:120
FtpDataState_::state_data
AppLayerStateData state_data
Definition: app-layer-ftp.h:120
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:24
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:284
AppLayerParserRegisterStateFuncs
void AppLayerParserRegisterStateFuncs(uint8_t ipproto, AppProto alproto, void *(*StateAlloc)(void *, AppProto), void(*StateFree)(void *))
Definition: app-layer-parser.c:453
FtpLineState_::lf_found
bool lf_found
Definition: app-layer-ftp.h:42
app-layer-parser.h
Flow_::todstbytecnt
uint64_t todstbytecnt
Definition: flow.h:497
SCFlowFreeStorageById
void SCFlowFreeStorageById(Flow *f, SCFlowStorageId id)
Definition: flow-storage.c:50
AppLayerParserRegisterGetEventInfo
void AppLayerParserRegisterGetEventInfo(uint8_t ipproto, AppProto alproto, int(*StateGetEventInfo)(const char *event_name, uint8_t *event_id, AppLayerEventType *event_type))
Definition: app-layer-parser.c:599
FtpState_::state_data
AppLayerStateData state_data
Definition: app-layer-ftp.h:106
SC_ATOMIC_SUB
#define SC_ATOMIC_SUB(name, val)
sub a value from our atomic variable
Definition: util-atomic.h:341
FTPParserRegisterTests
void FTPParserRegisterTests(void)
Definition: app-layer-ftp.c:1661
RegisterFTPParsers
void RegisterFTPParsers(void)
Definition: app-layer-ftp.c:1371
FTPTransaction_::command_descriptor
FtpCommandInfo command_descriptor
Definition: app-layer-ftp.h:73
AppLayerParserRegisterProtocolUnittests
void AppLayerParserRegisterProtocolUnittests(uint8_t ipproto, AppProto alproto, void(*RegisterUnittests)(void))
Definition: app-layer-parser.c:1868
AppLayerExpectationCreate
int AppLayerExpectationCreate(Flow *f, int direction, Port src, Port dst, AppProto alproto, void *data)
Definition: app-layer-expectation.c:217
AppLayerGetTxIterState
Definition: app-layer-parser.h:139
FtpCommandInfo_::command_code
FtpRequestCommand command_code
Definition: app-layer-ftp.h:58
ftp_config_memcap
uint64_t ftp_config_memcap
Definition: app-layer-ftp.c:52
AppLayerRegisterExpectationProto
void AppLayerRegisterExpectationProto(uint8_t proto, AppProto alproto)
Definition: app-layer-detect-proto.c:2171
FTPResponseWrapper_::response
FTPResponseLine * response
Definition: app-layer-ftp.h:46
FileOpenFileWithId
int FileOpenFileWithId(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id, const uint8_t *name, uint16_t name_len, const uint8_t *data, uint32_t data_len, uint16_t flags)
Open a new File.
Definition: util-file.c:966
AppLayerParserRegisterGetTxFilesFunc
void AppLayerParserRegisterGetTxFilesFunc(uint8_t ipproto, AppProto alproto, AppLayerGetFileState(*GetTxFiles)(void *, uint8_t))
Definition: app-layer-parser.c:476
AppLayerProtoDetectRegisterProtocol
void AppLayerProtoDetectRegisterProtocol(AppProto alproto, const char *alproto_name)
Registers a protocol for protocol detection phase.
Definition: app-layer-detect-proto.c:1782
AppLayerGetTxIterTuple
Definition: app-layer-parser.h:150
FtpDataState
struct FtpDataState_ FtpDataState
FileAppendData
int FileAppendData(FileContainer *ffc, const StreamingBufferConfig *sbcfg, const uint8_t *data, uint32_t data_len)
Store/handle a chunk of file data in the File structure The last file in the FileContainer will be us...
Definition: util-file.c:765
FTPMemcapGlobalCounter
uint64_t FTPMemcapGlobalCounter(void)
Definition: app-layer-ftp.c:85
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:186
FtpInput
struct FtpInput_ FtpInput
FtpDataState_::tx_data
AppLayerTxData tx_data
Definition: app-layer-ftp.h:119
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:232
AppLayerParserRegisterParser
int AppLayerParserRegisterParser(uint8_t ipproto, AppProto alproto, uint8_t direction, AppLayerParserFPtr Parser)
Register app layer parser for the protocol.
Definition: app-layer-parser.c:420
FtpInput_::orig_len
int32_t orig_len
Definition: app-layer-ftp.c:275
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
SCAppLayerProtoDetectPPRegister
void SCAppLayerProtoDetectPPRegister(uint8_t ipproto, const char *portstr, AppProto alproto, uint16_t min_depth, uint16_t max_depth, uint8_t direction, ProbingParserFPtr ProbingParser1, ProbingParserFPtr ProbingParser2)
register parser at a port
Definition: app-layer-detect-proto.c:1541
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
AppLayerParserRegisterGetTx
void AppLayerParserRegisterGetTx(uint8_t ipproto, AppProto alproto, void *(StateGetTx)(void *alstate, uint64_t tx_id))
Definition: app-layer-parser.c:534
APP_LAYER_OK
#define APP_LAYER_OK
Definition: app-layer-parser.h:58
cnt
uint32_t cnt
Definition: tmqh-packetpool.h:7
SCReturnStruct
#define SCReturnStruct(x)
Definition: util-debug.h:304
FTPTransaction_::request_length
uint32_t request_length
Definition: app-layer-ftp.h:68
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
util-mpm.h
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:866
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1306
AppLayerGetFileState
Definition: util-file.h:44
FtpLineState_
Definition: app-layer-ftp.h:36
suricata-common.h
AppLayerGetFileState::fc
FileContainer * fc
Definition: util-file.h:45
ftp_config_maxtx
uint32_t ftp_config_maxtx
Definition: app-layer-ftp.c:53
AppLayerTxData::updated_tc
bool updated_tc
Definition: app-layer-parser.h:170
SCAppLayerParserRegisterParserAcceptableDataDirection
void SCAppLayerParserRegisterParserAcceptableDataDirection(uint8_t ipproto, AppProto alproto, uint8_t direction)
Definition: app-layer-parser.c:432
FtpState_::port_line_len
uint32_t port_line_len
Definition: app-layer-ftp.h:100
FtpState_::dyn_port
uint16_t dyn_port
Definition: app-layer-ftp.h:104
AppLayerTxData::files_opened
uint32_t files_opened
track file open/logs so we can know how long to keep the tx
Definition: app-layer-parser.h:179
TAILQ_NEXT
#define TAILQ_NEXT(elm, field)
Definition: queue.h:307
ALPROTO_FTPDATA
@ ALPROTO_FTPDATA
Definition: app-layer-protos.h:53
AppLayerParserRegisterStateDataFunc
void AppLayerParserRegisterStateDataFunc(uint8_t ipproto, AppProto alproto, AppLayerStateData *(*GetStateData)(void *state))
Definition: app-layer-parser.c:620
AppLayerParserRegisterTxDataFunc
void AppLayerParserRegisterTxDataFunc(uint8_t ipproto, AppProto alproto, AppLayerTxData *(*GetTxData)(void *tx))
Definition: app-layer-parser.c:610
Flow_::parent_id
int64_t parent_id
Definition: flow.h:430
SCAppLayerRequestProtocolTLSUpgrade
bool SCAppLayerRequestProtocolTLSUpgrade(Flow *f)
request applayer to wrap up this protocol and rerun protocol detection with expectation of TLS....
Definition: app-layer-detect-proto.c:1873
FtpDataState_
Definition: app-layer-ftp.h:110
app-layer-events.h
util-validate.h
StreamingBufferConfig_
Definition: util-streaming-buffer.h:65
FTPSetMemcap
int FTPSetMemcap(uint64_t size)
Definition: app-layer-ftp.c:91
FtpLineState_::delim_len
uint8_t delim_len
Definition: app-layer-ftp.h:41
AppLayerParserRegisterGetTxIterator
void AppLayerParserRegisterGetTxIterator(uint8_t ipproto, AppProto alproto, AppLayerGetTxIteratorFunc Func)
Definition: app-layer-parser.c:544
MpmTableElmt_::Prepare
int(* Prepare)(MpmConfig *, struct MpmCtx_ *)
Definition: util-mpm.h:179
MpmTableElmt_::DestroyCtx
void(* DestroyCtx)(struct MpmCtx_ *)
Definition: util-mpm.h:158
AppLayerResult::status
int32_t status
Definition: app-layer-parser.h:112
FileCloseFile
int FileCloseFile(FileContainer *ffc, const StreamingBufferConfig *sbcfg, const uint8_t *data, uint32_t data_len, uint16_t flags)
Close a File.
Definition: util-file.c:1050
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:451
Flow_::alstate
void * alstate
Definition: flow.h:479
SCAppLayerProtoDetectPPParseConfPorts
int SCAppLayerProtoDetectPPParseConfPorts(const char *ipproto_name, uint8_t ipproto, const char *alproto_name, AppProto alproto, uint16_t min_depth, uint16_t max_depth, ProbingParserFPtr ProbingParserTs, ProbingParserFPtr ProbingParserTc)
Definition: app-layer-detect-proto.c:1577
StreamingBufferConfig_::Free
void(* Free)(void *ptr, size_t size)
Definition: util-streaming-buffer.h:71
FtpCommandInfo_::command_index
uint8_t command_index
Definition: app-layer-ftp.h:57
FtpState_::tx_cnt
uint64_t tx_cnt
Definition: app-layer-ftp.h:93
FtpState_::current_line_truncated_ts
bool current_line_truncated_ts
Definition: app-layer-ftp.h:95
sc_errno
thread_local SCError sc_errno
Definition: util-error.c:31
MpmInitThreadCtx
void MpmInitThreadCtx(MpmThreadCtx *mpm_thread_ctx, MpmCtx *mpm_ctx, uint16_t matcher)
Definition: util-mpm.c:195
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_FAILED
@ ALPROTO_FAILED
Definition: app-layer-protos.h:33
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:47
AppLayerExpectationGetFlowId
SCFlowStorageId AppLayerExpectationGetFlowId(void)
Definition: app-layer-expectation.c:286
FtpLineState_::len
uint32_t len
Definition: app-layer-ftp.h:40
AppLayerParserRegisterGetTxCnt
void AppLayerParserRegisterGetTxCnt(uint8_t ipproto, AppProto alproto, uint64_t(*StateGetTxCnt)(void *alstate))
Definition: app-layer-parser.c:524
APP_LAYER_ERROR
#define APP_LAYER_ERROR
Definition: app-layer-parser.h:62
FtpState_::port_line_size
uint32_t port_line_size
Definition: app-layer-ftp.h:101
PmqFree
void PmqFree(PrefilterRuleStore *pmq)
Cleanup and free a Pmq.
Definition: util-prefilter.c:126
FTP_MPM
#define FTP_MPM
Definition: app-layer-ftp.c:48
FTPTransaction_::tx_id
uint64_t tx_id
Definition: app-layer-ftp.h:63
FTPTransaction_::dyn_port
uint16_t dyn_port
Definition: app-layer-ftp.h:75
FTPTransaction_::active
bool active
Definition: app-layer-ftp.h:77
AppLayerTxData::events
AppLayerDecoderEvents * events
Definition: app-layer-parser.h:205
AppLayerParserRegisterGetEventInfoById
void AppLayerParserRegisterGetEventInfoById(uint8_t ipproto, AppProto alproto, int(*StateGetEventInfoById)(uint8_t event_id, const char **event_name, AppLayerEventType *event_type))
Definition: app-layer-parser.c:567
FtpDataState_::files
FileContainer * files
Definition: app-layer-ftp.h:113
likely
#define likely(expr)
Definition: util-optimize.h:32
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
SC_ATOMIC_GET
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
Definition: util-atomic.h:375
MpmCtx_
Definition: util-mpm.h:97
TcpSession_
Definition: stream-tcp-private.h:283
JsonGetNextLineFromBuffer
uint16_t JsonGetNextLineFromBuffer(const char *buffer, const uint16_t len)
Definition: app-layer-ftp.c:1472
util-misc.h
AppLayerTxData::file_flags
uint16_t file_flags
Definition: app-layer-parser.h:183
FTPTransaction_
Definition: app-layer-ftp.h:61
FTPThreadCtx
struct FTPThreadCtx_ FTPThreadCtx
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:452
FtpInput_::buf
const uint8_t * buf
Definition: app-layer-ftp.c:272
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:288
SCMemcmp
#define SCMemcmp(a, b, c)
Definition: util-memcmp.h:290
SCMutex
#define SCMutex
Definition: threads-debug.h:114
FTPThreadCtx_::ftp_mpm_thread_ctx
MpmThreadCtx * ftp_mpm_thread_ctx
Definition: app-layer-ftp.c:44
SCLogDebugEnabled
int SCLogDebugEnabled(void)
Returns whether debug messages are enabled to be logged or not.
Definition: util-debug.c:768
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:109
FtpInput_::consumed
int32_t consumed
Definition: app-layer-ftp.c:273
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
PmqSetup
int PmqSetup(PrefilterRuleStore *pmq)
Setup a pmq.
Definition: util-prefilter.c:37
AppLayerStateData::file_flags
uint16_t file_flags
Definition: app-layer-parser.h:147
StreamingBufferConfig_::Realloc
void *(* Realloc)(void *ptr, size_t orig_size, size_t size)
Definition: util-streaming-buffer.h:70
FtpDataState_::file_name
uint8_t * file_name
Definition: app-layer-ftp.h:112
FtpInput_
Definition: app-layer-ftp.c:271
AppLayerGetTxIterState::un
union AppLayerGetTxIterState::@7 un
AppLayerTxData::file_tx
uint8_t file_tx
Definition: app-layer-parser.h:190
AppLayerTxData::updated_ts
bool updated_ts
Definition: app-layer-parser.h:171
app-layer.h
PrefilterRuleStore_::rule_id_array
SigIntId * rule_id_array
Definition: util-prefilter.h:38