46 #define FTP_MPM mpm_default_matcher
48 static MpmCtx *ftp_mpm_ctx = NULL;
59 static void FTPParseMemcap(
void)
67 static void FTPIncrMemuse(uint64_t size)
72 static void FTPDecrMemuse(uint64_t size)
105 static int FTPCheckMemcap(uint64_t size)
113 static void *FTPCalloc(
size_t n,
size_t size)
115 if (FTPCheckMemcap((uint32_t)(n * size)) == 0) {
127 FTPIncrMemuse((uint64_t)(n * size));
131 static void *FTPRealloc(
void *ptr,
size_t orig_size,
size_t size)
133 if (FTPCheckMemcap((uint32_t)(size - orig_size)) == 0) {
144 if (size > orig_size) {
145 FTPIncrMemuse(size - orig_size);
147 FTPDecrMemuse(orig_size - size);
153 static void FTPFree(
void *ptr,
size_t size)
157 FTPDecrMemuse((uint64_t)size);
164 FTPIncrMemuse(response->total_size);
173 FTPDecrMemuse(wrapper->
response->total_size);
174 SCFTPFreeResponseLine(wrapper->
response);
180 static void *FTPLocalStorageAlloc(
void)
189 if (td->
pmq == NULL) {
202 static void FTPLocalStorageFree(
void *ptr)
206 if (td->
pmq != NULL) {
237 SCLogDebug(
"new transaction %p (state tx cnt %"PRIu64
")", tx, state->
tx_cnt);
245 SCAppLayerTxDataCleanup(&tx->
tx_data);
252 while ((wrapper =
TAILQ_FIRST(&tx->response_list))) {
254 FTPResponseWrapperFree(wrapper);
257 FTPFree(tx,
sizeof(*tx));
267 static AppLayerResult FTPGetLineForDirection(
276 uint8_t *lf_idx = memchr(input->
buf + input->
consumed, 0x0a, input->
len);
278 if (lf_idx == NULL) {
280 *current_line_truncated =
true;
288 }
else if (*current_line_truncated) {
290 *current_line_truncated =
false;
300 uint32_t o_consumed = input->
consumed;
301 input->
consumed = (uint32_t)(lf_idx - input->
buf + 1);
306 line->
buf = input->
buf + o_consumed;
308 *current_line_truncated =
true;
333 static int FTPParseRequestCommand(
344 uint8_t command_code;
345 if (SCGetFtpCommandInfo(td->
pmq->
rule_id_array[0], NULL, &command_code, NULL)) {
356 const char *command_name = NULL;
357 (void)SCGetFtpCommandInfo(td->
pmq->
rule_id_array[0], &command_name, NULL, NULL);
358 SCLogDebug(
"matching FTP command is %s [code: %d, index %d]", command_name,
368 static void FtpTransferCmdFree(
void *data)
370 FtpTransferCmd *cmd = (FtpTransferCmd *)data;
373 if (cmd->file_name) {
374 FTPFree((
void *)cmd->file_name, cmd->file_len + 1);
376 SCFTPTransferCmdFree(cmd);
377 FTPDecrMemuse((uint64_t)
sizeof(FtpTransferCmd));
380 static uint32_t CopyCommandLine(uint8_t **dest,
FtpLineState *line)
383 uint8_t *where = FTPCalloc(line->
len + 1,
sizeof(
char));
387 memcpy(where, line->
buf, line->
len);
390 while (line->
len && isspace((
unsigned char)where[line->
len - 1])) {
394 where[line->
len] =
'\0';
398 return line->
len ? line->
len + 1 : 0;
411 StreamSlice stream_slice,
void *local_data)
421 const uint8_t *input = StreamSliceGetData(&stream_slice);
422 uint32_t input_len = StreamSliceGetDataLen(&stream_slice);
426 }
else if (input == NULL || input_len == 0) {
430 FtpInput ftpi = { .
buf = input, .len = input_len, .orig_len = input_len, .consumed = 0 };
431 FtpLineState line = { .
buf = NULL, .len = 0, .delim_len = 0, .lf_found =
false };
433 uint8_t direction = STREAM_TOSERVER;
437 if (res.status == 1) {
439 }
else if (res.status == -1) {
444 if (!FTPParseRequestCommand(thread_data, &line, &cmd_descriptor)) {
445 state->
command = FTP_COMMAND_UNKNOWN;
474 direction = STREAM_TOCLIENT;
478 case FTP_COMMAND_EPRT:
480 case FTP_COMMAND_PORT:
499 case FTP_COMMAND_RETR:
501 case FTP_COMMAND_STOR: {
508 FtpTransferCmd *data = SCFTPTransferCmdNew();
511 FTPIncrMemuse((uint64_t)(
sizeof *data));
512 data->data_free = FtpTransferCmdFree;
519 #if SC_FILENAME_MAX > UINT16_MAX
520 #error SC_FILENAME_MAX is greater than UINT16_MAX
522 data->file_name = FTPCalloc(file_name_len + 1,
sizeof(
char));
523 if (data->file_name == NULL) {
524 FtpTransferCmdFree(data);
527 data->file_name[file_name_len] = 0;
528 data->file_len = (uint16_t)file_name_len;
529 memcpy(data->file_name, line.
buf + 5, file_name_len);
531 data->flow_id = FlowGetId(f);
532 data->direction = direction;
536 FtpTransferCmdFree(data);
540 SCLogDebug(
"Expectation created [direction: %s, dynamic port %"PRIu16
"].",
541 state->
active ?
"to server" :
"to client",
562 static int FTPParsePassiveResponse(
FtpState *state,
const uint8_t *input, uint32_t input_len)
564 uint16_t dyn_port = SCFTPParsePortPasv(input, input_len);
568 SCLogDebug(
"FTP passive mode (v4): dynamic port %"PRIu16
"", dyn_port);
577 static int FTPParsePassiveResponseV6(
FtpState *state,
const uint8_t *input, uint32_t input_len)
579 uint16_t dyn_port = SCFTPParsePortEpsv(input, input_len);
583 SCLogDebug(
"FTP passive mode (v6): dynamic port %"PRIu16
"", dyn_port);
600 static inline bool FTPIsPPR(
const uint8_t *input, uint32_t input_len)
602 return input_len >= 4 && isdigit(input[0]) && input[0] ==
'1' &&
603 isdigit(input[1]) && isdigit(input[2]) && isspace(input[3]);
616 StreamSlice stream_slice,
void *local_data)
620 const uint8_t *input = StreamSliceGetData(&stream_slice);
621 uint32_t input_len = StreamSliceGetDataLen(&stream_slice);
626 FtpInput ftpi = { .
buf = input, .len = input_len, .orig_len = input_len, .consumed = 0 };
627 FtpLineState line = { .
buf = NULL, .len = 0, .delim_len = 0, .lf_found =
false };
633 if (res.status == 1) {
635 }
else if (res.status == -1) {
640 tx = FTPTransactionCreate(state);
647 if (state->
command == FTP_COMMAND_UNKNOWN) {
655 case FTP_COMMAND_AUTH_TLS:
661 case FTP_COMMAND_EPRT:
670 SCLogDebug(
"FTP active mode (v6): dynamic port %" PRIu16
"", dyn_port);
673 case FTP_COMMAND_PORT:
682 SCLogDebug(
"FTP active mode (v4): dynamic port %" PRIu16
"", dyn_port);
685 case FTP_COMMAND_PASV:
687 FTPParsePassiveResponse(ftp_state, line.
buf, line.
len);
691 case FTP_COMMAND_EPSV:
693 FTPParsePassiveResponseV6(ftp_state, line.
buf, line.
len);
701 FTPResponseLine *response = SCFTPParseResponseLine((
const char *)line.
buf, line.
len);
706 if (response->truncated) {
708 &tx->
tx_data.events, FtpEventResponseCommandTooLong);
715 SCFTPFreeResponseLine(response);
718 SCLogDebug(
"unable to parse FTP response line \"%s\"", line.
buf);
723 if (FTPIsPPR(line.
buf, line.
len)) {
741 static uint64_t ftp_state_memuse = 0;
742 static uint64_t ftp_state_memcnt = 0;
745 static void *FTPStateAlloc(
void *orig_state,
AppProto proto_orig)
747 void *s = FTPCalloc(1,
sizeof(
FtpState));
763 static void FTPStateFree(
void *s)
774 const char *command_name = NULL;
775 (void)SCGetFtpCommandInfo(
777 SCLogDebug(
"[%s] state %p id %" PRIu64
", Freeing %d bytes at %p",
783 FTPTransactionFree(tx);
806 SCLogDebug(
"NULL state object; no transactions available");
823 SCLogDebug(
"Returning OLDEST tx %p id %"PRIu64, lasttx, lasttx->
tx_id);
827 static void *FTPGetTx(
void *state, uint64_t tx_id)
833 if (ftp_state->
curr_tx == NULL)
839 if (tx->
tx_id == tx_id)
852 static AppLayerStateData *FTPGetStateData(
void *vstate)
858 static void FTPStateTransactionFree(
void *state, uint64_t tx_id)
863 if (tx_id < tx->tx_id)
865 else if (tx_id > tx->
tx_id)
871 FTPTransactionFree(tx);
876 static uint64_t FTPGetTxCnt(
void *state)
887 static int FTPGetAlstateProgress(
void *vtx, uint8_t direction)
893 if (direction == STREAM_TOSERVER) {
894 return FTP_STATE_FINISHED;
897 return FTP_STATE_IN_PROGRESS;
900 return FTP_STATE_FINISHED;
903 static AppProto FTPUserProbingParser(
904 Flow *f, uint8_t direction,
const uint8_t *input, uint32_t
len, uint8_t *rdir)
913 static AppProto FTPServerProbingParser(
914 Flow *f, uint8_t direction,
const uint8_t *input, uint32_t
len, uint8_t *rdir)
921 if (input[0] !=
'2' || input[1] !=
'2' || input[2] !=
'0') {
925 if (input[3] !=
' ' && input[3] !=
'-') {
931 if (memchr(input + 4,
'\n',
len - 4) != NULL) {
938 static int FTPRegisterPatternsForProtocolDetection(
void)
941 IPPROTO_TCP,
ALPROTO_FTP,
"220 (", 5, 0, STREAM_TOCLIENT) < 0) {
945 IPPROTO_TCP,
ALPROTO_FTP,
"FEAT", 4, 0, STREAM_TOSERVER) < 0) {
949 STREAM_TOSERVER, FTPUserProbingParser, 5, 5) < 0) {
953 IPPROTO_TCP,
ALPROTO_FTP,
"PASS ", 5, 0, STREAM_TOSERVER) < 0) {
957 IPPROTO_TCP,
ALPROTO_FTP,
"PORT ", 5, 0, STREAM_TOSERVER) < 0) {
963 "tcp", IPPROTO_TCP,
"ftp",
ALPROTO_FTP, 0, 5, NULL, FTPServerProbingParser)) {
967 FTPServerProbingParser);
983 AppLayerParserState *pstate, StreamSlice stream_slice,
void *local_data, uint8_t direction)
985 const uint8_t *input = StreamSliceGetData(&stream_slice);
986 uint32_t input_len = StreamSliceGetDataLen(&stream_slice);
987 const bool eof = (direction & STREAM_TOSERVER)
991 SCTxDataUpdateFileFlags(&ftpdata_state->
tx_data, ftpdata_state->
state_data.file_flags);
992 if (ftpdata_state->
tx_data.file_tx == 0)
993 ftpdata_state->
tx_data.file_tx = direction & (STREAM_TOSERVER | STREAM_TOCLIENT);
994 if (direction & STREAM_TOSERVER) {
995 ftpdata_state->
tx_data.updated_ts =
true;
997 ftpdata_state->
tx_data.updated_tc =
true;
1003 SCLogDebug(
"FTP-DATA input_len %u flags %04x dir %d/%s EOF %s", input_len,
flags, direction,
1004 (direction & STREAM_TOSERVER) ?
"toserver" :
"toclient", eof ?
"true" :
"false");
1007 if (input_len && ftpdata_state->
files == NULL) {
1008 FtpTransferCmd *data =
1015 if ((direction & data->direction) == 0) {
1017 SCLogDebug(
"input %u not for our direction (%s): %s/%s", input_len,
1018 (direction & STREAM_TOSERVER) ?
"toserver" :
"toclient",
1019 data->cmd == FTP_COMMAND_STOR ?
"STOR" :
"RETR",
1020 (data->direction & STREAM_TOSERVER) ?
"toserver" :
"toclient");
1025 if (ftpdata_state->
files == NULL) {
1030 ftpdata_state->
file_name = data->file_name;
1031 ftpdata_state->
file_len = data->file_len;
1032 data->file_name = NULL;
1035 ftpdata_state->
command = data->cmd;
1036 switch (data->cmd) {
1037 case FTP_COMMAND_STOR:
1038 ftpdata_state->
direction = data->direction;
1040 (ftpdata_state->
direction & STREAM_TOSERVER) ?
"toserver" :
"toclient");
1042 case FTP_COMMAND_RETR:
1043 ftpdata_state->
direction = data->direction;
1045 (ftpdata_state->
direction & STREAM_TOSERVER) ?
"toserver" :
"toclient");
1054 0ULL, (uint8_t *) ftpdata_state->
file_name,
1056 input, input_len,
flags) != 0) {
1061 ftpdata_state->
tx_data.files_opened = 1;
1063 if (ftpdata_state->
state == FTPDATA_STATE_FINISHED) {
1068 if ((direction & ftpdata_state->
direction) == 0) {
1072 SCLogDebug(
"input %u not for us (%s): %s/%s", input_len,
1073 (direction & STREAM_TOSERVER) ?
"toserver" :
"toclient",
1074 ftpdata_state->
command == FTP_COMMAND_STOR ?
"STOR" :
"RETR",
1075 (ftpdata_state->
direction & STREAM_TOSERVER) ?
"toserver" :
"toclient");
1078 if (input_len != 0) {
1082 SCLogDebug(
"FileAppendData() - file no longer being extracted");
1084 }
else if (ret < 0) {
1085 SCLogDebug(
"FileAppendData() failed: %d", ret);
1095 ftpdata_state->
state = FTPDATA_STATE_FINISHED;
1096 SCLogDebug(
"closed because of eof: state now FTPDATA_STATE_FINISHED");
1106 StreamSlice stream_slice,
void *local_data)
1108 return FTPDataParse(f, ftp_state, pstate, stream_slice, local_data, STREAM_TOSERVER);
1112 StreamSlice stream_slice,
void *local_data)
1114 return FTPDataParse(f, ftp_state, pstate, stream_slice, local_data, STREAM_TOCLIENT);
1119 static uint64_t ftpdata_state_memuse = 0;
1120 static uint64_t ftpdata_state_memcnt = 0;
1123 static void *FTPDataStateAlloc(
void *orig_state,
AppProto proto_orig)
1130 state->
state = FTPDATA_STATE_IN_PROGRESS;
1134 ftpdata_state_memcnt++;
1141 static void FTPDataStateFree(
void *s)
1145 SCAppLayerTxDataCleanup(&fstate->
tx_data);
1156 ftpdata_state_memcnt--;
1168 static AppLayerStateData *FTPDataGetStateData(
void *vstate)
1174 static void FTPDataStateTransactionFree(
void *state, uint64_t tx_id)
1179 static void *FTPDataGetTx(
void *state, uint64_t tx_id)
1185 static uint64_t FTPDataGetTxCnt(
void *state)
1191 static int FTPDataGetAlstateProgress(
void *tx, uint8_t direction)
1194 if (direction == ftpdata_state->
direction)
1195 return ftpdata_state->
state;
1197 return FTPDATA_STATE_FINISHED;
1200 static AppLayerGetFileState FTPDataStateGetTxFiles(
void *tx, uint8_t direction)
1203 AppLayerGetFileState files = { .fc = NULL, .cfg = &sbcfg };
1205 if (direction == ftpdata_state->
direction)
1206 files.fc = ftpdata_state->
files;
1211 static void FTPSetMpmState(
void)
1214 if (
unlikely(ftp_mpm_ctx == NULL)) {
1219 SCFTPSetMpmState(ftp_mpm_ctx);
1223 static void FTPFreeMpmState(
void)
1225 if (ftp_mpm_ctx != NULL) {
1236 static AppLayerGetTxIterTuple FTPGetTxIterator(
const uint8_t ipproto,
const AppProto alproto,
1240 AppLayerGetTxIterTuple no_tuple = { NULL, 0,
false };
1243 if (state->
un.
ptr == NULL) {
1249 while (tx_ptr->
tx_id < min_tx_id) {
1255 if (tx_ptr->
tx_id >= max_tx_id) {
1259 AppLayerGetTxIterTuple tuple = {
1262 .has_next = (state->
un.
ptr != NULL),
1272 const char *proto_name =
"ftp";
1273 const char *proto_data_name =
"ftp-data";
1278 if (FTPRegisterPatternsForProtocolDetection() < 0 )
1299 FTPLocalStorageFree);
1305 ALPROTO_FTP, FTP_STATE_FINISHED, FTP_STATE_FINISHED);
1309 FTPDataParseRequest);
1311 FTPDataParseResponse);
1336 sbcfg.
Calloc = FTPCalloc;
1338 sbcfg.
Free = FTPFree;
1342 SCLogInfo(
"Parser disabled for %s protocol. Protocol detection still on.", proto_name);
1371 if (!buffer || *buffer ==
'\0') {
1375 char *c = strchr(buffer,
'\n');
1376 return c == NULL ?
len : (uint16_t)(c - buffer + 1);
1382 SCJbOpenObject(jb,
"ftp_data");
1385 SCJbSetStringFromBytes(jb,
"filename", ftp_state->
file_name, ftp_state->
file_len);
1388 case FTP_COMMAND_STOR:
1391 case FTP_COMMAND_RETR:
1414 static int FTPParserTest01(
void)
1417 uint8_t ftpbuf[] =
"PORT 192,168,1,1,0,80\r\n";
1418 uint32_t ftplen =
sizeof(ftpbuf) - 1;
1422 memset(&f, 0,
sizeof(f));
1423 memset(&ssn, 0,
sizeof(ssn));
1426 f.
proto = IPPROTO_TCP;
1432 STREAM_TOSERVER | STREAM_EOF, ftpbuf, ftplen);
1445 static int FTPParserTest11(
void)
1448 uint8_t ftpbuf1[] =
"PORT 192,168,1,1,0,80\r\n";
1449 uint8_t ftpbuf2[] =
"RETR\r\n";
1450 uint8_t ftpbuf3[] =
"227 OK\r\n";
1455 memset(&f, 0,
sizeof(f));
1456 memset(&ssn, 0,
sizeof(ssn));
1459 f.
proto = IPPROTO_TCP;
1465 STREAM_TOSERVER | STREAM_START, ftpbuf1,
1466 sizeof(ftpbuf1) - 1);
1473 sizeof(ftpbuf3) - 1);
1477 STREAM_TOSERVER, ftpbuf2,
1478 sizeof(ftpbuf2) - 1);
1492 static int FTPParserTest12(
void)
1495 uint8_t ftpbuf1[] =
"PORT 192,168,1,1,0,80\r\n";
1496 uint8_t ftpbuf2[] =
"STOR\r\n";
1497 uint8_t ftpbuf3[] =
"227 OK\r\n";
1502 memset(&f, 0,
sizeof(f));
1503 memset(&ssn, 0,
sizeof(ssn));
1506 f.
proto = IPPROTO_TCP;
1512 STREAM_TOSERVER | STREAM_START, ftpbuf1,
1513 sizeof(ftpbuf1) - 1);
1520 sizeof(ftpbuf3) - 1);
1524 STREAM_TOSERVER, ftpbuf2,
1525 sizeof(ftpbuf2) - 1);