suricata
app-layer-nfs-udp.c
Go to the documentation of this file.
1 /* Copyright (C) 2015 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * NFS application layer detector and parser
24  */
25 
26 #include "suricata-common.h"
27 #include "stream.h"
28 #include "conf.h"
29 
30 #include "util-unittest.h"
31 
32 #include "app-layer-detect-proto.h"
33 #include "app-layer-parser.h"
34 
35 #include "app-layer-nfs-udp.h"
36 
37 #include "rust.h"
38 #include "rust-nfs-nfs-gen.h"
39 
40 /* The default port to probe for echo traffic if not provided in the
41  * configuration file. */
42 #define NFS_DEFAULT_PORT "2049"
43 
44 /* The minimum size for a RFC message. For some protocols this might
45  * be the size of a header. TODO actual min size is likely larger */
46 #define NFS_MIN_FRAME_LEN 32
47 
48 /* Enum of app-layer events for an echo protocol. Normally you might
49  * have events for errors in parsing data, like unexpected data being
50  * received. For echo we'll make something up, and log an app-layer
51  * level alert if an empty message is received.
52  *
53  * Example rule:
54  *
55  * alert nfs any any -> any any (msg:"SURICATA NFS empty message"; \
56  * app-layer-event:nfs.empty_message; sid:X; rev:Y;)
57  */
58 enum {
60 };
61 
63  {"EMPTY_MESSAGE", NFS_DECODER_EVENT_EMPTY_MESSAGE},
64  { NULL, 0 }
65 };
66 
67 static void *NFSStateAlloc(void)
68 {
69  return rs_nfs_state_new();
70 }
71 
72 static void NFSStateFree(void *state)
73 {
74  rs_nfs_state_free(state);
75 }
76 
77 /**
78  * \brief Callback from the application layer to have a transaction freed.
79  *
80  * \param state a void pointer to the NFSState object.
81  * \param tx_id the transaction ID to free.
82  */
83 static void NFSStateTxFree(void *state, uint64_t tx_id)
84 {
85  rs_nfs_state_tx_free(state, tx_id);
86 }
87 
88 static int NFSStateGetEventInfo(const char *event_name, int *event_id,
90 {
91  return rs_nfs_state_get_event_info(event_name, event_id, event_type);
92 }
93 
94 static int NFSStateGetEventInfoById(int event_id, const char **event_name,
96 {
97  *event_name = "NFS UDP event name (generic)";
99  return 0;
100 }
101 
102 static AppLayerDecoderEvents *NFSGetEvents(void *tx)
103 {
104  return rs_nfs_state_get_events(tx);
105 }
106 
107 /**
108  * \brief Probe the input to see if it looks like echo.
109  *
110  * \retval ALPROTO_NFS if it looks like echo, otherwise
111  * ALPROTO_UNKNOWN.
112  */
113 static AppProto NFSProbingParser(Flow *f, uint8_t direction,
114  const uint8_t *input, uint32_t input_len, uint8_t *rdir)
115 {
116  SCLogDebug("probing");
117  if (input_len < NFS_MIN_FRAME_LEN) {
118  SCLogDebug("unknown");
119  return ALPROTO_UNKNOWN;
120  }
121 
122  int8_t r = 0;
123  if (direction & STREAM_TOSERVER)
124  r = rs_nfs_probe_udp_ts(input, input_len);
125  else
126  r = rs_nfs_probe_udp_tc(input, input_len);
127 
128  if (r == 1) {
129  SCLogDebug("nfs");
130  return ALPROTO_NFS;
131  } else if (r == -1) {
132  SCLogDebug("failed");
133  return ALPROTO_FAILED;
134  }
135 
136  SCLogDebug("Protocol not detected as ALPROTO_NFS.");
137  return ALPROTO_UNKNOWN;
138 }
139 
140 static int NFSParseRequest(Flow *f, void *state,
141  AppLayerParserState *pstate, const uint8_t *input, uint32_t input_len,
142  void *local_data, const uint8_t flags)
143 {
144  uint16_t file_flags = FileFlowToFlags(f, STREAM_TOSERVER);
145  rs_nfs_setfileflags(0, state, file_flags);
146 
147  return rs_nfs_parse_request_udp(f, state, pstate, input, input_len, local_data);
148 }
149 
150 static int NFSParseResponse(Flow *f, void *state, AppLayerParserState *pstate,
151  const uint8_t *input, uint32_t input_len, void *local_data,
152  const uint8_t flags)
153 {
154  uint16_t file_flags = FileFlowToFlags(f, STREAM_TOCLIENT);
155  rs_nfs_setfileflags(1, state, file_flags);
156 
157  return rs_nfs_parse_response_udp(f, state, pstate, input, input_len, local_data);
158 }
159 
160 static uint64_t NFSGetTxCnt(void *state)
161 {
162  return rs_nfs_state_get_tx_count(state);
163 }
164 
165 static void *NFSGetTx(void *state, uint64_t tx_id)
166 {
167  return rs_nfs_state_get_tx(state, tx_id);
168 }
169 
170 static AppLayerGetTxIterTuple RustNFSGetTxIterator(
171  const uint8_t ipproto, const AppProto alproto,
172  void *alstate, uint64_t min_tx_id, uint64_t max_tx_id,
173  AppLayerGetTxIterState *istate)
174 {
175  return rs_nfs_state_get_tx_iterator(alstate, min_tx_id, (uint64_t *)istate);
176 }
177 
178 static void NFSSetTxLogged(void *state, void *vtx, LoggerId logged)
179 {
180  rs_nfs_tx_set_logged(state, vtx, logged);
181 }
182 
183 static LoggerId NFSGetTxLogged(void *state, void *vtx)
184 {
185  return rs_nfs_tx_get_logged(state, vtx);
186 }
187 
188 /**
189  * \brief Called by the application layer.
190  *
191  * In most cases 1 can be returned here.
192  */
193 static int NFSGetAlstateProgressCompletionStatus(uint8_t direction) {
194  return rs_nfs_state_progress_completion_status(direction);
195 }
196 
197 /**
198  * \brief Return the state of a transaction in a given direction.
199  *
200  * In the case of the echo protocol, the existence of a transaction
201  * means that the request is done. However, some protocols that may
202  * need multiple chunks of data to complete the request may need more
203  * than just the existence of a transaction for the request to be
204  * considered complete.
205  *
206  * For the response to be considered done, the response for a request
207  * needs to be seen. The response_done flag is set on response for
208  * checking here.
209  */
210 static int NFSGetStateProgress(void *tx, uint8_t direction)
211 {
212  return rs_nfs_tx_get_alstate_progress(tx, direction);
213 }
214 
215 /**
216  * \brief get stored tx detect state
217  */
218 static DetectEngineState *NFSGetTxDetectState(void *vtx)
219 {
220  return rs_nfs_state_get_tx_detect_state(vtx);
221 }
222 
223 /**
224  * \brief set store tx detect state
225  */
226 static int NFSSetTxDetectState(void *vtx, DetectEngineState *s)
227 {
228  rs_nfs_state_set_tx_detect_state(vtx, s);
229  return 0;
230 }
231 
232 static FileContainer *NFSGetFiles(void *state, uint8_t direction)
233 {
234  return rs_nfs_getfiles(direction, state);
235 }
236 
237 static void NFSSetDetectFlags(void *tx, uint8_t dir, uint64_t flags)
238 {
239  rs_nfs_tx_set_detect_flags(tx, dir, flags);
240 }
241 
242 static uint64_t NFSGetDetectFlags(void *tx, uint8_t dir)
243 {
244  return rs_nfs_tx_get_detect_flags(tx, dir);
245 }
246 
248 static SuricataFileContext sfc = { &sbcfg };
249 
251 {
252  const char *proto_name = "nfs";
253 
254  /* Check if NFS TCP detection is enabled. If it does not exist in
255  * the configuration file then it will be enabled by default. */
256  if (AppLayerProtoDetectConfProtoDetectionEnabled("udp", proto_name)) {
257 
258  rs_nfs_init(&sfc);
259 
260  SCLogDebug("NFS UDP protocol detection enabled.");
261 
263 
264  if (RunmodeIsUnittests()) {
265 
266  SCLogDebug("Unittest mode, registering default configuration.");
269  NFSProbingParser, NFSProbingParser);
270 
271  }
272  else {
273 
274  if (!AppLayerProtoDetectPPParseConfPorts("udp", IPPROTO_UDP,
275  proto_name, ALPROTO_NFS, 0, NFS_MIN_FRAME_LEN,
276  NFSProbingParser, NFSProbingParser)) {
277  SCLogDebug("No NFS app-layer configuration, enabling NFS"
278  " detection TCP detection on port %s.",
280  AppLayerProtoDetectPPRegister(IPPROTO_UDP,
283  NFSProbingParser, NFSProbingParser);
284  }
285 
286  }
287 
288  }
289 
290  else {
291  SCLogDebug("Protocol detecter and parser disabled for NFS.");
292  return;
293  }
294 
295  if (AppLayerParserConfParserEnabled("udp", proto_name))
296  {
297  SCLogDebug("Registering NFS protocol parser.");
298 
299  /* Register functions for state allocation and freeing. A
300  * state is allocated for every new NFS flow. */
302  NFSStateAlloc, NFSStateFree);
303 
304  /* Register request parser for parsing frame from server to client. */
306  STREAM_TOSERVER, NFSParseRequest);
307 
308  /* Register response parser for parsing frames from server to client. */
310  STREAM_TOCLIENT, NFSParseResponse);
311 
312  /* Register a function to be called by the application layer
313  * when a transaction is to be freed. */
315  NFSStateTxFree);
316 
318  NFSGetTxLogged, NFSSetTxLogged);
319 
320  /* Register a function to return the current transaction count. */
322  NFSGetTxCnt);
323 
324  /* Transaction handling. */
326  NFSGetAlstateProgressCompletionStatus);
328  ALPROTO_NFS, NFSGetStateProgress);
330  NFSGetTx);
332  RustNFSGetTxIterator);
333 
334  AppLayerParserRegisterGetFilesFunc(IPPROTO_UDP, ALPROTO_NFS, NFSGetFiles);
335 
336  /* What is this being registered for? */
338  NFSGetTxDetectState, NFSSetTxDetectState);
339 
341  NFSStateGetEventInfo);
342 
344  NFSStateGetEventInfoById);
345 
347  NFSGetEvents);
348 
350  NFSGetDetectFlags, NFSSetDetectFlags);
351 
352  }
353  else {
354  SCLogNotice("NFS protocol parsing disabled.");
355  }
356 
357 #ifdef UNITTESTS
360 #endif
361 }
362 
363 #ifdef UNITTESTS
364 #endif
365 
367 {
368 #ifdef UNITTESTS
369 #endif
370 }
#define STREAMING_BUFFER_CONFIG_INITIALIZER
enum AppLayerEventType_ AppLayerEventType
uint16_t flags
#define SCLogDebug(...)
Definition: util-debug.h:335
void AppLayerProtoDetectPPRegister(uint8_t ipproto, const char *portstr, AppProto alproto, uint16_t min_depth, uint16_t max_depth, uint8_t direction, ProbingParserFPtr ProbingParser1, ProbingParserFPtr ProbingParser2)
register parser at a port
void AppLayerParserRegisterGetStateProgressFunc(uint8_t ipproto, AppProto alproto, int(*StateGetProgress)(void *alstate, uint8_t direction))
uint32_t event_type
LoggerId
int logged
int AppLayerProtoDetectConfProtoDetectionEnabled(const char *ipproto, const char *alproto)
Given a protocol name, checks if proto detection is enabled in the conf file.
void AppLayerParserRegisterDetectFlagsFuncs(uint8_t ipproto, AppProto alproto, uint64_t(*GetTxDetectFlags)(void *tx, uint8_t dir), void(*SetTxDetectFlags)(void *tx, uint8_t dir, uint64_t))
void AppLayerParserRegisterDetectStateFuncs(uint8_t ipproto, AppProto alproto, DetectEngineState *(*GetTxDetectState)(void *tx), int(*SetTxDetectState)(void *tx, DetectEngineState *))
void RegisterNFSUDPParsers(void)
void AppLayerParserRegisterGetEventsFunc(uint8_t ipproto, AppProto alproto, AppLayerDecoderEvents *(*StateGetEvents)(void *))
void AppLayerParserRegisterLoggerFuncs(uint8_t ipproto, AppProto alproto, LoggerId(*StateGetTxLogged)(void *, void *), void(*StateSetTxLogged)(void *, void *, LoggerId))
uint16_t AppProto
void NFSUDPParserRegisterTests(void)
int AppLayerParserConfParserEnabled(const char *ipproto, const char *alproto_name)
check if a parser is enabled in the config Returns enabled always if: were running unittests and when...
Data structure to store app layer decoder events.
int AppLayerParserRegisterParser(uint8_t ipproto, AppProto alproto, uint8_t direction, AppLayerParserFPtr Parser)
Register app layer parser for the protocol.
void AppLayerParserRegisterGetTx(uint8_t ipproto, AppProto alproto, void *(StateGetTx)(void *alstate, uint64_t tx_id))
void AppLayerParserRegisterGetFilesFunc(uint8_t ipproto, AppProto alproto, FileContainer *(*StateGetFiles)(void *, uint8_t))
int AppLayerProtoDetectPPParseConfPorts(const char *ipproto_name, uint8_t ipproto, const char *alproto_name, AppProto alproto, uint16_t min_depth, uint16_t max_depth, ProbingParserFPtr ProbingParserTs, ProbingParserFPtr ProbingParserTc)
void AppLayerParserRegisterGetEventInfo(uint8_t ipproto, AppProto alproto, int(*StateGetEventInfo)(const char *event_name, int *event_id, AppLayerEventType *event_type))
#define NFS_MIN_FRAME_LEN
#define STREAM_TOCLIENT
Definition: stream.h:32
void AppLayerParserRegisterGetStateProgressCompletionStatus(AppProto alproto, int(*StateGetProgressCompletionStatus)(uint8_t direction))
int RunmodeIsUnittests(void)
Definition: suricata.c:267
SCEnumCharMap nfs_udp_decoder_event_table[]
void AppLayerParserRegisterGetEventInfoById(uint8_t ipproto, AppProto alproto, int(*StateGetEventInfoById)(int event_id, const char **event_name, AppLayerEventType *event_type))
void AppLayerProtoDetectRegisterProtocol(AppProto alproto, const char *alproto_name)
Registers a protocol for protocol detection phase.
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:269
uint16_t tx_id
void AppLayerParserRegisterProtocolUnittests(uint8_t ipproto, AppProto alproto, void(*RegisterUnittests)(void))
#define STREAM_TOSERVER
Definition: stream.h:31
void AppLayerParserRegisterGetTxIterator(uint8_t ipproto, AppProto alproto, AppLayerGetTxIteratorFunc Func)
uint16_t FileFlowToFlags(const Flow *flow, uint8_t direction)
Definition: util-file.c:217
void AppLayerParserRegisterGetTxCnt(uint8_t ipproto, AppProto alproto, uint64_t(*StateGetTxCnt)(void *alstate))
void AppLayerParserRegisterStateFuncs(uint8_t ipproto, AppProto alproto, void *(*StateAlloc)(void), void(*StateFree)(void *))
#define NFS_DEFAULT_PORT
Flow data structure.
Definition: flow.h:325
void AppLayerParserRegisterTxFreeFunc(uint8_t ipproto, AppProto alproto, void(*StateTransactionFree)(void *, uint64_t))