suricata
app-layer-parser.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2025 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Generic App-layer parsing functions.
24  */
25 
26 #include "suricata-common.h"
27 #include "app-layer-parser.h"
28 
29 #include "flow.h"
30 #include "flow-private.h"
31 #include "flow-util.h"
32 
33 #include "app-layer-frames.h"
34 
35 #include "stream-tcp.h"
36 
37 #include "util-validate.h"
38 
39 #include "app-layer.h"
40 #include "app-layer-detect-proto.h"
41 
42 #include "app-layer-ftp.h"
43 #include "app-layer-smtp.h"
44 
45 #include "app-layer-smb.h"
46 #include "app-layer-htp.h"
47 #include "app-layer-ssl.h"
48 #include "app-layer-ssh.h"
49 #include "app-layer-modbus.h"
50 #include "app-layer-dnp3.h"
51 #include "app-layer-nfs-tcp.h"
52 #include "app-layer-nfs-udp.h"
53 #include "app-layer-tftp.h"
54 #include "app-layer-ike.h"
55 #include "app-layer-http2.h"
56 #include "app-layer-imap.h"
57 
58 struct AppLayerParserThreadCtx_ {
59  void *(*alproto_local_storage)[FLOW_PROTO_MAX];
60 };
61 
62 
63 /**
64  * \brief App layer protocol parser context.
65  */
66 typedef struct AppLayerParserProtoCtx_
67 {
68  /* 0 - to_server, 1 - to_client. */
69  AppLayerParserFPtr Parser[2];
70 
71  bool logger;
72 
73  /* Indicates the direction the parser is ready to see the data
74  * the first time for a flow. Values accepted -
75  * STREAM_TOSERVER, STREAM_TOCLIENT */
76  uint8_t first_data_dir;
77 
78  uint32_t logger_bits; /**< registered loggers for this proto */
79 
80  void *(*StateAlloc)(void *, AppProto);
81  void (*StateFree)(void *);
82  void (*StateTransactionFree)(void *, uint64_t);
83  void *(*LocalStorageAlloc)(void);
84  void (*LocalStorageFree)(void *);
85 
86  /** get FileContainer reference from the TX. MUST return a non-NULL reference if the TX
87  * has or may have files in the requested direction at some point. */
88  AppLayerGetFileState (*GetTxFiles)(void *, uint8_t);
89 
90  int (*StateGetProgress)(void *alstate, uint8_t direction);
91  uint64_t (*StateGetTxCnt)(void *alstate);
92  void *(*StateGetTx)(void *alstate, uint64_t tx_id);
93  AppLayerGetTxIteratorFunc StateGetTxIterator;
94  int complete_ts;
95  int complete_tc;
96  int (*StateGetEventInfoById)(
97  uint8_t event_id, const char **event_name, AppLayerEventType *event_type);
98  int (*StateGetEventInfo)(
99  const char *event_name, uint8_t *event_id, AppLayerEventType *event_type);
100 
101  AppLayerStateData *(*GetStateData)(void *state);
102  AppLayerTxData *(*GetTxData)(void *tx);
103  bool (*ApplyTxConfig)(void *state, void *tx, int mode, AppLayerTxConfig);
104 
105  void (*SetStreamDepthFlag)(void *tx, uint8_t flags);
106 
107  AppLayerParserGetFrameIdByNameFn GetFrameIdByName;
108  AppLayerParserGetFrameNameByIdFn GetFrameNameById;
109 
110  /* each app-layer has its own value */
111  uint32_t stream_depth;
112 
113  /* Option flags such as supporting gaps or not. */
114  uint32_t option_flags;
115  /* coccinelle: AppLayerParserProtoCtx:option_flags:APP_LAYER_PARSER_OPT_ */
116 
117  uint32_t internal_flags;
118  /* coccinelle: AppLayerParserProtoCtx:internal_flags:APP_LAYER_PARSER_INT_ */
119 
120 #ifdef UNITTESTS
121  void (*RegisterUnittests)(void);
122 #endif
123 } AppLayerParserProtoCtx;
124 
125 typedef struct AppLayerParserCtx_ {
126  AppLayerParserProtoCtx (*ctxs)[FLOW_PROTO_MAX];
127 } AppLayerParserCtx;
128 
129 struct AppLayerParserState_ {
130  /* coccinelle: AppLayerParserState:flags:APP_LAYER_PARSER_ */
131  uint16_t flags;
132 
133  /* Indicates the current transaction that is being inspected.
134  * We have a var per direction. */
135  uint64_t inspect_id[2];
136  /* Indicates the current transaction being logged. Unlike inspect_id,
137  * we don't need a var per direction since we don't log a transaction
138  * unless we have the entire transaction. */
139  uint64_t log_id;
140 
141  uint64_t min_id;
142 
143  /* Used to store decoder events. */
144  AppLayerDecoderEvents *decoder_events;
145 
146  FramesContainer *frames;
147 };
148 
149 enum ExceptionPolicy g_applayerparser_error_policy = EXCEPTION_POLICY_NOT_SET;
150 
151 static void AppLayerConfig(void)
152 {
153  g_applayerparser_error_policy = ExceptionPolicyParse("app-layer.error-policy", true);
154 }
155 
156 enum ExceptionPolicy AppLayerErrorGetExceptionPolicy(void)
157 {
158  return g_applayerparser_error_policy;
159 }
160 
161 static void AppLayerParserFramesFreeContainer(FramesContainer *frames)
162 {
163  if (frames != NULL) {
164  FramesFree(&frames->toserver);
165  FramesFree(&frames->toclient);
166  SCFree(frames);
167  }
168 }
169 
170 void AppLayerFramesFreeContainer(Flow *f)
171 {
172  if (f == NULL || f->alparser == NULL || f->alparser->frames == NULL)
173  return;
174  AppLayerParserFramesFreeContainer(f->alparser->frames);
175  f->alparser->frames = NULL;
176 }
177 
178 FramesContainer *AppLayerFramesGetContainer(Flow *f)
179 {
180  if (f == NULL || f->alparser == NULL)
181  return NULL;
182  return f->alparser->frames;
183 }
184 
185 FramesContainer *AppLayerFramesSetupContainer(Flow *f)
186 {
187 #ifdef UNITTESTS
188  if (f == NULL || f->alparser == NULL || (f->proto == IPPROTO_TCP && f->protoctx == NULL))
189  return NULL;
190 #endif
191  DEBUG_VALIDATE_BUG_ON(f == NULL || f->alparser == NULL);
192  if (f->alparser->frames == NULL) {
193  f->alparser->frames = SCCalloc(1, sizeof(FramesContainer));
194  if (f->alparser->frames == NULL) {
195  return NULL;
196  }
197 #ifdef DEBUG
198  f->alparser->frames->toserver.ipproto = f->proto;
199  f->alparser->frames->toserver.alproto = f->alproto;
200  f->alparser->frames->toclient.ipproto = f->proto;
201  f->alparser->frames->toclient.alproto = f->alproto;
202 #endif
203  }
204  return f->alparser->frames;
205 }
206 
207 #ifdef UNITTESTS
208 void UTHAppLayerParserStateGetIds(void *ptr, uint64_t *i1, uint64_t *i2, uint64_t *log, uint64_t *min)
209 {
210  struct AppLayerParserState_ *s = ptr;
211  *i1 = s->inspect_id[0];
212  *i2 = s->inspect_id[1];
213  *log = s->log_id;
214  *min = s->min_id;
215 }
216 #endif
217 
218 /* Static global version of the parser context.
219  * Post 2.0 let's look at changing this to move it out to app-layer.c. */
220 static AppLayerParserCtx alp_ctx;
221 
222 int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto)
223 {
224  uint8_t ipproto_map = FlowGetProtoMapping(ipproto);
225 
226  return (alp_ctx.ctxs[alproto][ipproto_map].StateAlloc != NULL) ? 1 : 0;
227 }
228 
229 AppLayerParserState *AppLayerParserStateAlloc(void)
230 {
231  SCEnter();
232 
233  AppLayerParserState *pstate = (AppLayerParserState *)SCCalloc(1, sizeof(*pstate));
234  if (pstate == NULL)
235  goto end;
236 
237  end:
238  SCReturnPtr(pstate, "AppLayerParserState");
239 }
240 
241 void AppLayerParserStateFree(AppLayerParserState *pstate)
242 {
243  SCEnter();
244 
245  if (pstate->decoder_events != NULL)
246  AppLayerDecoderEventsFreeEvents(&pstate->decoder_events);
247  AppLayerParserFramesFreeContainer(pstate->frames);
248  SCFree(pstate);
249 
250  SCReturn;
251 }
252 
253 int AppLayerParserSetup(void)
254 {
255  SCEnter();
256  // initial allocation that will later be grown using realloc,
257  // when new protocols register themselves and make g_alproto_max grow
258  alp_ctx.ctxs = SCCalloc(g_alproto_max, sizeof(AppLayerParserProtoCtx[FLOW_PROTO_MAX]));
259  if (unlikely(alp_ctx.ctxs == NULL)) {
260  FatalError("Unable to alloc alp_ctx.ctxs.");
261  }
262  SCReturnInt(0);
263 }
264 
265 void AppLayerParserPostStreamSetup(void)
266 {
267  /* lets set a default value for stream_depth */
268  for (int flow_proto = 0; flow_proto < FLOW_PROTO_DEFAULT; flow_proto++) {
269  for (AppProto alproto = 0; alproto < g_alproto_max; alproto++) {
270  if (!(alp_ctx.ctxs[alproto][flow_proto].internal_flags &
271  APP_LAYER_PARSER_INT_STREAM_DEPTH_SET)) {
272  alp_ctx.ctxs[alproto][flow_proto].stream_depth = stream_config.reassembly_depth;
273  }
274  }
275  }
276 }
277 
278 int AppLayerParserDeSetup(void)
279 {
280  SCEnter();
281 
282  SCFree(alp_ctx.ctxs);
283 
284  FTPParserCleanup();
285  SMTPParserCleanup();
286 
287  SCReturnInt(0);
288 }
289 
290 AppLayerParserThreadCtx *AppLayerParserThreadCtxAlloc(void)
291 {
292  SCEnter();
293 
294  AppLayerParserThreadCtx *tctx = SCCalloc(1, sizeof(*tctx));
295  if (tctx == NULL)
296  goto end;
297 
298  tctx->alproto_local_storage = SCCalloc(g_alproto_max, sizeof(void *[FLOW_PROTO_MAX]));
299  if (unlikely(tctx->alproto_local_storage == NULL)) {
300  SCFree(tctx);
301  tctx = NULL;
302  goto end;
303  }
304  for (uint8_t flow_proto = 0; flow_proto < FLOW_PROTO_DEFAULT; flow_proto++) {
305  for (AppProto alproto = 0; alproto < g_alproto_max; alproto++) {
306  uint8_t ipproto = FlowGetReverseProtoMapping(flow_proto);
307 
308  tctx->alproto_local_storage[alproto][flow_proto] =
309  AppLayerParserGetProtocolParserLocalStorage(ipproto, alproto);
310  }
311  }
312 
313  end:
314  SCReturnPtr(tctx, "void *");
315 }
316 
317 void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
318 {
319  SCEnter();
320 
321  for (uint8_t flow_proto = 0; flow_proto < FLOW_PROTO_DEFAULT; flow_proto++) {
322  for (AppProto alproto = 0; alproto < g_alproto_max; alproto++) {
323  uint8_t ipproto = FlowGetReverseProtoMapping(flow_proto);
324 
325  AppLayerParserDestroyProtocolParserLocalStorage(
326  ipproto, alproto, tctx->alproto_local_storage[alproto][flow_proto]);
327  }
328  }
329 
330  SCFree(tctx->alproto_local_storage);
331  SCFree(tctx);
332  SCReturn;
333 }
334 
335 /** \brief check if a parser is enabled in the config
336  * Returns enabled always if: were running unittests
337  */
338 int AppLayerParserConfParserEnabled(const char *ipproto,
339  const char *alproto_name)
340 {
341  SCEnter();
342 
343  int enabled = 1;
344  char param[100];
345  ConfNode *node;
346  int r;
347 
348  if (RunmodeIsUnittests())
349  goto enabled;
350 
351  r = snprintf(param, sizeof(param), "%s%s%s", "app-layer.protocols.",
352  alproto_name, ".enabled");
353  if (r < 0) {
354  FatalError("snprintf failure.");
355  } else if (r > (int)sizeof(param)) {
356  FatalError("buffer not big enough to write param.");
357  }
358 
359  node = ConfGetNode(param);
360  if (node == NULL) {
361  SCLogDebug("Entry for %s not found.", param);
362  r = snprintf(param, sizeof(param), "%s%s%s%s%s", "app-layer.protocols.",
363  alproto_name, ".", ipproto, ".enabled");
364  if (r < 0) {
365  FatalError("snprintf failure.");
366  } else if (r > (int)sizeof(param)) {
367  FatalError("buffer not big enough to write param.");
368  }
369 
370  node = ConfGetNode(param);
371  if (node == NULL) {
372  SCLogDebug("Entry for %s not found.", param);
373  goto enabled;
374  }
375  }
376 
377  if (ConfValIsTrue(node->val)) {
378  goto enabled;
379  } else if (ConfValIsFalse(node->val)) {
380  goto disabled;
381  } else if (strcasecmp(node->val, "detection-only") == 0) {
382  goto disabled;
383  } else {
384  SCLogError("Invalid value found for %s.", param);
385  exit(EXIT_FAILURE);
386  }
387 
388  disabled:
389  enabled = 0;
390  enabled:
391  SCReturnInt(enabled);
392 }
393 
394 /***** Parser related registration *****/
395 
396 int AppLayerParserRegisterParser(uint8_t ipproto, AppProto alproto,
397  uint8_t direction,
398  AppLayerParserFPtr Parser)
399 {
400  SCEnter();
401 
402  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)]
403  .Parser[(direction & STREAM_TOSERVER) ? 0 : 1] = Parser;
404 
405  SCReturnInt(0);
406 }
407 
408 void AppLayerParserRegisterParserAcceptableDataDirection(uint8_t ipproto, AppProto alproto,
409  uint8_t direction)
410 {
411  SCEnter();
412 
413  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].first_data_dir |=
414  (direction & (STREAM_TOSERVER | STREAM_TOCLIENT));
415 
416  SCReturn;
417 }
418 
419 void AppLayerParserRegisterOptionFlags(uint8_t ipproto, AppProto alproto,
420  uint32_t flags)
421 {
422  SCEnter();
423 
424  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].option_flags |= flags;
425 
426  SCReturn;
427 }
428 
429 void AppLayerParserRegisterStateFuncs(uint8_t ipproto, AppProto alproto,
430  void *(*StateAlloc)(void *, AppProto), void (*StateFree)(void *))
431 {
432  SCEnter();
433 
434  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateAlloc = StateAlloc;
435  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateFree = StateFree;
436 
437  SCReturn;
438 }
439 
440 void AppLayerParserRegisterLocalStorageFunc(uint8_t ipproto, AppProto alproto,
441  void *(*LocalStorageAlloc)(void),
442  void (*LocalStorageFree)(void *))
443 {
444  SCEnter();
445 
446  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].LocalStorageAlloc = LocalStorageAlloc;
447  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].LocalStorageFree = LocalStorageFree;
448 
449  SCReturn;
450 }
451 
452 void AppLayerParserRegisterGetTxFilesFunc(
453  uint8_t ipproto, AppProto alproto, AppLayerGetFileState (*GetTxFiles)(void *, uint8_t))
454 {
455  SCEnter();
456 
457  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetTxFiles = GetTxFiles;
458 
459  SCReturn;
460 }
461 
462 void AppLayerParserRegisterLoggerBits(uint8_t ipproto, AppProto alproto, LoggerId bits)
463 {
464  SCEnter();
465 
466  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].logger_bits = bits;
467 
468  SCReturn;
469 }
470 
471 void AppLayerParserRegisterLogger(uint8_t ipproto, AppProto alproto)
472 {
473  SCEnter();
474 
475  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].logger = true;
476 
477  SCReturn;
478 }
479 
480 void AppLayerParserRegisterGetStateProgressFunc(uint8_t ipproto, AppProto alproto,
481  int (*StateGetProgress)(void *alstate, uint8_t direction))
482 {
483  SCEnter();
484 
485  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateGetProgress = StateGetProgress;
486 
487  SCReturn;
488 }
489 
490 void AppLayerParserRegisterTxFreeFunc(uint8_t ipproto, AppProto alproto,
491  void (*StateTransactionFree)(void *, uint64_t))
492 {
493  SCEnter();
494 
495  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateTransactionFree = StateTransactionFree;
496 
497  SCReturn;
498 }
499 
500 void AppLayerParserRegisterGetTxCnt(uint8_t ipproto, AppProto alproto,
501  uint64_t (*StateGetTxCnt)(void *alstate))
502 {
503  SCEnter();
504 
505  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateGetTxCnt = StateGetTxCnt;
506 
507  SCReturn;
508 }
509 
510 void AppLayerParserRegisterGetTx(uint8_t ipproto, AppProto alproto,
511  void *(StateGetTx)(void *alstate, uint64_t tx_id))
512 {
513  SCEnter();
514 
515  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateGetTx = StateGetTx;
516 
517  SCReturn;
518 }
519 
520 void AppLayerParserRegisterGetTxIterator(uint8_t ipproto, AppProto alproto,
521  AppLayerGetTxIteratorFunc Func)
522 {
523  SCEnter();
524  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateGetTxIterator = Func;
525  SCReturn;
526 }
527 
528 void AppLayerParserRegisterStateProgressCompletionStatus(
529  AppProto alproto, const int ts, const int tc)
530 {
531  BUG_ON(ts == 0);
532  BUG_ON(tc == 0);
533  BUG_ON(!AppProtoIsValid(alproto));
534  BUG_ON(alp_ctx.ctxs[alproto][FLOW_PROTO_DEFAULT].complete_ts != 0 &&
535  alp_ctx.ctxs[alproto][FLOW_PROTO_DEFAULT].complete_ts != ts);
536  BUG_ON(alp_ctx.ctxs[alproto][FLOW_PROTO_DEFAULT].complete_tc != 0 &&
537  alp_ctx.ctxs[alproto][FLOW_PROTO_DEFAULT].complete_tc != tc);
538 
539  alp_ctx.ctxs[alproto][FLOW_PROTO_DEFAULT].complete_ts = ts;
540  alp_ctx.ctxs[alproto][FLOW_PROTO_DEFAULT].complete_tc = tc;
541 }
542 
543 void AppLayerParserRegisterGetEventInfoById(uint8_t ipproto, AppProto alproto,
544  int (*StateGetEventInfoById)(
545  uint8_t event_id, const char **event_name, AppLayerEventType *event_type))
546 {
547  SCEnter();
548 
549  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateGetEventInfoById =
550  StateGetEventInfoById;
551 
552  SCReturn;
553 }
554 
555 void AppLayerParserRegisterGetFrameFuncs(uint8_t ipproto, AppProto alproto,
556  AppLayerParserGetFrameIdByNameFn GetIdByNameFunc,
557  AppLayerParserGetFrameNameByIdFn GetNameByIdFunc)
558 {
559  SCEnter();
560  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetFrameIdByName = GetIdByNameFunc;
561  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetFrameNameById = GetNameByIdFunc;
562  SCReturn;
563 }
564 
565 void AppLayerParserRegisterGetEventInfo(uint8_t ipproto, AppProto alproto,
566  int (*StateGetEventInfo)(
567  const char *event_name, uint8_t *event_id, AppLayerEventType *event_type))
568 {
569  SCEnter();
570 
571  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateGetEventInfo = StateGetEventInfo;
572 
573  SCReturn;
574 }
575 
576 void AppLayerParserRegisterTxDataFunc(uint8_t ipproto, AppProto alproto,
577  AppLayerTxData *(*GetTxData)(void *tx))
578 {
579  SCEnter();
580 
581  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetTxData = GetTxData;
582 
583  SCReturn;
584 }
585 
586 void AppLayerParserRegisterStateDataFunc(
587  uint8_t ipproto, AppProto alproto, AppLayerStateData *(*GetStateData)(void *state))
588 {
589  SCEnter();
590 
591  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetStateData = GetStateData;
592 
593  SCReturn;
594 }
595 
596 void AppLayerParserRegisterApplyTxConfigFunc(uint8_t ipproto, AppProto alproto,
597  bool (*ApplyTxConfig)(void *state, void *tx, int mode, AppLayerTxConfig))
598 {
599  SCEnter();
600 
601  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].ApplyTxConfig = ApplyTxConfig;
602 
603  SCReturn;
604 }
605 
606 void AppLayerParserRegisterSetStreamDepthFlag(uint8_t ipproto, AppProto alproto,
607  void (*SetStreamDepthFlag)(void *tx, uint8_t flags))
608 {
609  SCEnter();
610 
611  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].SetStreamDepthFlag = SetStreamDepthFlag;
612 
613  SCReturn;
614 }
615 
616 /***** Get and transaction functions *****/
617 
618 void *AppLayerParserGetProtocolParserLocalStorage(uint8_t ipproto, AppProto alproto)
619 {
620  SCEnter();
621  void * r = NULL;
622 
623  if (alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].LocalStorageAlloc != NULL) {
624  r = alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].LocalStorageAlloc();
625  }
626 
627  SCReturnPtr(r, "void *");
628 }
629 
630 void AppLayerParserDestroyProtocolParserLocalStorage(uint8_t ipproto, AppProto alproto,
631  void *local_data)
632 {
633  SCEnter();
634 
635  if (alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].LocalStorageFree != NULL) {
636  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].LocalStorageFree(local_data);
637  }
638 
639  SCReturn;
640 }
641 
642 /** \brief default tx iterator
643  *
644  * Used if the app layer parser doesn't register its own iterator.
645  * Simply walks the tx_id space until it finds a tx. Uses 'state' to
646  * keep track of where it left off.
647  *
648  * \retval txptr or NULL if no more txs in list
649  */
650 static AppLayerGetTxIterTuple AppLayerDefaultGetTxIterator(
651  const uint8_t ipproto, const AppProto alproto,
652  void *alstate, uint64_t min_tx_id, uint64_t max_tx_id,
653  AppLayerGetTxIterState *state)
654 {
655  uint64_t ustate = *(uint64_t *)state;
656  uint64_t tx_id = MAX(min_tx_id, ustate);
657  for ( ; tx_id < max_tx_id; tx_id++) {
658  void *tx_ptr = AppLayerParserGetTx(ipproto, alproto, alstate, tx_id);
659  if (tx_ptr != NULL) {
660  ustate = tx_id + 1;
661  *state = *(AppLayerGetTxIterState *)&ustate;
662  AppLayerGetTxIterTuple tuple = {
663  .tx_ptr = tx_ptr,
664  .tx_id = tx_id,
665  .has_next = (tx_id + 1 < max_tx_id),
666  };
667  SCLogDebug("tuple: %p/%"PRIu64"/%s", tuple.tx_ptr, tuple.tx_id,
668  tuple.has_next ? "true" : "false");
669  return tuple;
670  }
671  }
672 
673  AppLayerGetTxIterTuple no_tuple = { NULL, 0, false };
674  return no_tuple;
675 }
676 
677 AppLayerGetTxIteratorFunc AppLayerGetTxIterator(const uint8_t ipproto,
678  const AppProto alproto)
679 {
680  AppLayerGetTxIteratorFunc Func =
681  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateGetTxIterator;
682  return Func ? Func : AppLayerDefaultGetTxIterator;
683 }
684 
685 uint64_t AppLayerParserGetTransactionLogId(AppLayerParserState *pstate)
686 {
687  SCEnter();
688 
689  SCReturnCT((pstate == NULL) ? 0 : pstate->log_id, "uint64_t");
690 }
691 
692 void AppLayerParserSetTransactionLogId(AppLayerParserState *pstate, uint64_t tx_id)
693 {
694  SCEnter();
695 
696  if (pstate != NULL)
697  pstate->log_id = tx_id;
698 
699  SCReturn;
700 }
701 
702 uint64_t AppLayerParserGetTransactionInspectId(AppLayerParserState *pstate, uint8_t direction)
703 {
704  SCEnter();
705 
706  if (pstate != NULL)
707  SCReturnCT(pstate->inspect_id[(direction & STREAM_TOSERVER) ? 0 : 1], "uint64_t");
708 
709  DEBUG_VALIDATE_BUG_ON(1);
710  SCReturnCT(0ULL, "uint64_t");
711 }
712 
713 inline uint8_t AppLayerParserGetTxDetectProgress(AppLayerTxData *txd, const uint8_t dir)
714 {
715  uint8_t p = (dir & STREAM_TOSERVER) ? txd->detect_progress_ts : txd->detect_progress_tc;
716  return p;
717 }
718 
719 static inline uint32_t GetTxLogged(AppLayerTxData *txd)
720 {
721  return txd->logged.flags;
722 }
723 
724 void AppLayerParserSetTransactionInspectId(const Flow *f, AppLayerParserState *pstate,
725  void *alstate, const uint8_t flags,
726  bool tag_txs_as_inspected)
727 {
728  SCEnter();
729 
730  const int direction = (flags & STREAM_TOSERVER) ? 0 : 1;
731  const uint64_t total_txs = AppLayerParserGetTxCnt(f, alstate);
732  uint64_t idx = AppLayerParserGetTransactionInspectId(pstate, flags);
733  const int state_done_progress = AppLayerParserGetStateProgressCompletionStatus(f->alproto, flags);
734  const uint8_t ipproto = f->proto;
735  const AppProto alproto = f->alproto;
736 
737  AppLayerGetTxIteratorFunc IterFunc = AppLayerGetTxIterator(ipproto, alproto);
738  AppLayerGetTxIterState state = { 0 };
739 
740  SCLogDebug("called: %s, tag_txs_as_inspected %s",direction==0?"toserver":"toclient",
741  tag_txs_as_inspected?"true":"false");
742 
743  /* mark all txs as inspected if the applayer progress is
744  * at the 'end state'. */
745  while (1) {
746  AppLayerGetTxIterTuple ires = IterFunc(ipproto, alproto, alstate, idx, total_txs, &state);
747  if (ires.tx_ptr == NULL)
748  break;
749 
750  void *tx = ires.tx_ptr;
751  idx = ires.tx_id;
752 
753  int state_progress = AppLayerParserGetStateProgress(ipproto, alproto, tx, flags);
754  if (state_progress < state_done_progress)
755  break;
756 
757  AppLayerTxData *txd = AppLayerParserGetTxData(ipproto, alproto, tx);
758  if (txd && tag_txs_as_inspected) {
759  const uint8_t inspected_flag = (flags & STREAM_TOSERVER) ? APP_LAYER_TX_INSPECTED_TS
760  : APP_LAYER_TX_INSPECTED_TC;
761  if (txd->flags & inspected_flag) {
762  txd->flags |= inspected_flag;
763  SCLogDebug("%p/%" PRIu64 " in-order tx is done for direction %s. Flags %02x", tx,
764  idx, flags & STREAM_TOSERVER ? "toserver" : "toclient", txd->flags);
765  }
766  }
767  idx++;
768  if (!ires.has_next)
769  break;
770  }
771  pstate->inspect_id[direction] = idx;
772  SCLogDebug("inspect_id now %"PRIu64, pstate->inspect_id[direction]);
773 
774  /* if necessary we flag all txs that are complete as 'inspected'
775  * also move inspect_id forward. */
776  if (tag_txs_as_inspected) {
777  /* continue at idx */
778  while (1) {
779  AppLayerGetTxIterTuple ires = IterFunc(ipproto, alproto, alstate, idx, total_txs, &state);
780  if (ires.tx_ptr == NULL)
781  break;
782 
783  void *tx = ires.tx_ptr;
784  /* if we got a higher id than the minimum we requested, we
785  * skipped a bunch of 'null-txs'. Lets see if we can up the
786  * inspect tracker */
787  if (ires.tx_id > idx && pstate->inspect_id[direction] == idx) {
788  pstate->inspect_id[direction] = ires.tx_id;
789  }
790  idx = ires.tx_id;
791 
792  const int state_progress = AppLayerParserGetStateProgress(ipproto, alproto, tx, flags);
793  if (state_progress < state_done_progress)
794  break;
795 
796  /* txd can be NULL for HTTP sessions where the user data alloc failed */
797  AppLayerTxData *txd = AppLayerParserGetTxData(ipproto, alproto, tx);
798  if (likely(txd)) {
799  const uint8_t inspected_flag = (flags & STREAM_TOSERVER)
800  ? APP_LAYER_TX_INSPECTED_TS
801  : APP_LAYER_TX_INSPECTED_TC;
802  if (txd->flags & inspected_flag) {
803  txd->flags |= inspected_flag;
804  SCLogDebug("%p/%" PRIu64 " out of order tx is done for direction %s. Flag %02x",
805  tx, idx, flags & STREAM_TOSERVER ? "toserver" : "toclient", txd->flags);
806 
807  SCLogDebug("%p/%"PRIu64" out of order tx. Update inspect_id? %"PRIu64,
808  tx, idx, pstate->inspect_id[direction]);
809  if (pstate->inspect_id[direction]+1 == idx)
810  pstate->inspect_id[direction] = idx;
811  }
812  } else {
813  if (pstate->inspect_id[direction]+1 == idx)
814  pstate->inspect_id[direction] = idx;
815  }
816  if (!ires.has_next)
817  break;
818  idx++;
819  }
820  }
821 
822  SCReturn;
823 }
824 
825 AppLayerDecoderEvents *AppLayerParserGetDecoderEvents(AppLayerParserState *pstate)
826 {
827  SCEnter();
828 
829  SCReturnPtr(pstate->decoder_events,
830  "AppLayerDecoderEvents *");
831 }
832 
833 AppLayerDecoderEvents *AppLayerParserGetEventsByTx(uint8_t ipproto, AppProto alproto,
834  void *tx)
835 {
836  SCEnter();
837 
838  AppLayerDecoderEvents *ptr = NULL;
839 
840  /* Access events via the tx_data. */
841  AppLayerTxData *txd = AppLayerParserGetTxData(ipproto, alproto, tx);
842  if (txd != NULL && txd->events != NULL) {
843  ptr = txd->events;
844  }
845 
846  SCReturnPtr(ptr, "AppLayerDecoderEvents *");
847 }
848 
849 AppLayerGetFileState AppLayerParserGetTxFiles(const Flow *f, void *tx, const uint8_t direction)
850 {
851  SCEnter();
852 
853  if (alp_ctx.ctxs[f->alproto][f->protomap].GetTxFiles != NULL) {
854  return alp_ctx.ctxs[f->alproto][f->protomap].GetTxFiles(tx, direction);
855  }
856 
857  AppLayerGetFileState files = { .fc = NULL, .cfg = NULL };
858  return files;
859 }
860 
861 static void AppLayerParserFileTxHousekeeping(
862  const Flow *f, void *tx, const uint8_t pkt_dir, const bool trunc)
863 {
864  AppLayerGetFileState files = AppLayerParserGetTxFiles(f, tx, pkt_dir);
865  if (files.fc) {
866  FilesPrune(files.fc, files.cfg, trunc);
867  }
868 }
869 
870 #define IS_DISRUPTED(flags) ((flags) & (STREAM_DEPTH | STREAM_GAP))
871 
872 extern int g_detect_disabled;
873 extern bool g_file_logger_enabled;
874 extern bool g_filedata_logger_enabled;
875 
876 /**
877  * \brief remove obsolete (inspected and logged) transactions
878  */
879 void AppLayerParserTransactionsCleanup(Flow *f, const uint8_t pkt_dir)
880 {
881  SCEnter();
882  DEBUG_ASSERT_FLOW_LOCKED(f);
883 
884  AppLayerParserProtoCtx *p = &alp_ctx.ctxs[f->alproto][f->protomap];
885  if (unlikely(p->StateTransactionFree == NULL))
886  SCReturn;
887 
888  const bool has_tx_detect_flags = !g_detect_disabled;
889  const uint8_t ipproto = f->proto;
890  const AppProto alproto = f->alproto;
891  void * const alstate = f->alstate;
892  AppLayerParserState * const alparser = f->alparser;
893 
894  if (alstate == NULL || alparser == NULL)
895  SCReturn;
896 
897  const uint64_t min = alparser->min_id;
898  const uint64_t total_txs = AppLayerParserGetTxCnt(f, alstate);
899  const LoggerId logger_expectation = AppLayerParserProtocolGetLoggerBits(ipproto, alproto);
900  const int tx_end_state_ts = AppLayerParserGetStateProgressCompletionStatus(alproto, STREAM_TOSERVER);
901  const int tx_end_state_tc = AppLayerParserGetStateProgressCompletionStatus(alproto, STREAM_TOCLIENT);
902  const uint8_t ts_disrupt_flags = FlowGetDisruptionFlags(f, STREAM_TOSERVER);
903  const uint8_t tc_disrupt_flags = FlowGetDisruptionFlags(f, STREAM_TOCLIENT);
904 
905  int pkt_dir_trunc = -1;
906 
907  AppLayerGetTxIteratorFunc IterFunc = AppLayerGetTxIterator(ipproto, alproto);
908  AppLayerGetTxIterState state;
909  memset(&state, 0, sizeof(state));
910  uint64_t i = min;
911  uint64_t new_min = min;
912  SCLogDebug("start min %"PRIu64, min);
913  bool skipped = false;
914  // const bool support_files = AppLayerParserSupportsFiles(f->proto, f->alproto);
915 
916  while (1) {
917  AppLayerGetTxIterTuple ires = IterFunc(ipproto, alproto, alstate, i, total_txs, &state);
918  if (ires.tx_ptr == NULL)
919  break;
920 
921  bool tx_skipped = false;
922  void *tx = ires.tx_ptr;
923  i = ires.tx_id; // actual tx id for the tx the IterFunc returned
924 
925  SCLogDebug("%p/%"PRIu64" checking", tx, i);
926  AppLayerTxData *txd = AppLayerParserGetTxData(ipproto, alproto, tx);
927  if (txd != NULL && AppLayerParserHasFilesInDir(txd, pkt_dir)) {
928  if (pkt_dir_trunc == -1)
929  pkt_dir_trunc = IS_DISRUPTED(
930  (pkt_dir == STREAM_TOSERVER) ? ts_disrupt_flags : tc_disrupt_flags);
931  AppLayerParserFileTxHousekeeping(f, tx, pkt_dir, (bool)pkt_dir_trunc);
932  }
933  if (txd) {
934  // should be reset by parser next time it updates the tx
935  if (pkt_dir & STREAM_TOSERVER) {
936  txd->updated_ts = false;
937  } else {
938  txd->updated_tc = false;
939  }
940  }
941  const int tx_progress_tc =
942  AppLayerParserGetStateProgress(ipproto, alproto, tx, tc_disrupt_flags);
943  if (tx_progress_tc < tx_end_state_tc) {
944  SCLogDebug("%p/%"PRIu64" skipping: tc parser not done", tx, i);
945  skipped = true;
946  goto next;
947  }
948  const int tx_progress_ts =
949  AppLayerParserGetStateProgress(ipproto, alproto, tx, ts_disrupt_flags);
950  if (tx_progress_ts < tx_end_state_ts) {
951  SCLogDebug("%p/%"PRIu64" skipping: ts parser not done", tx, i);
952  skipped = true;
953  goto next;
954  }
955 
956  if (txd && has_tx_detect_flags) {
957  if (!IS_DISRUPTED(ts_disrupt_flags) &&
958  (f->sgh_toserver != NULL || (f->flags & FLOW_SGH_TOSERVER) == 0)) {
959  if ((txd->flags & (APP_LAYER_TX_INSPECTED_TS | APP_LAYER_TX_SKIP_INSPECT_TS)) ==
960  0) {
961  SCLogDebug("%p/%" PRIu64 " skipping: TS inspect not done: ts:%02x", tx, i,
962  txd->flags);
963  tx_skipped = true;
964  }
965  }
966  if (!IS_DISRUPTED(tc_disrupt_flags) &&
967  (f->sgh_toclient != NULL || (f->flags & FLOW_SGH_TOCLIENT) == 0)) {
968  if ((txd->flags & (APP_LAYER_TX_INSPECTED_TC | APP_LAYER_TX_SKIP_INSPECT_TC)) ==
969  0) {
970  SCLogDebug("%p/%" PRIu64 " skipping: TC inspect not done: ts:%02x", tx, i,
971  txd->flags);
972  tx_skipped = true;
973  }
974  }
975  }
976 
977  if (tx_skipped) {
978  SCLogDebug("%p/%" PRIu64 " tx_skipped", tx, i);
979  skipped = true;
980  goto next;
981  }
982 
983  if (txd && logger_expectation != 0) {
984  LoggerId tx_logged = GetTxLogged(txd);
985  if (tx_logged != logger_expectation) {
986  SCLogDebug("%p/%"PRIu64" skipping: logging not done: want:%"PRIx32", have:%"PRIx32,
987  tx, i, logger_expectation, tx_logged);
988  skipped = true;
989  goto next;
990  }
991  }
992 
993  /* if file logging is enabled, we keep a tx active while some of the files aren't
994  * logged yet. */
995  if (txd) {
996  SCLogDebug("files_opened %u files_logged %u files_stored %u", txd->files_opened,
997  txd->files_logged, txd->files_stored);
998 
999  if (txd->files_opened) {
1000  if (g_file_logger_enabled && txd->files_opened != txd->files_logged) {
1001  skipped = true;
1002  goto next;
1003  }
1004  if (g_filedata_logger_enabled && txd->files_opened != txd->files_stored) {
1005  skipped = true;
1006  goto next;
1007  }
1008  }
1009  }
1010 
1011  /* if we are here, the tx can be freed. */
1012  p->StateTransactionFree(alstate, i);
1013  SCLogDebug("%p/%"PRIu64" freed", tx, i);
1014 
1015  /* if we didn't skip any tx so far, up the minimum */
1016  SCLogDebug("skipped? %s i %"PRIu64", new_min %"PRIu64, skipped ? "true" : "false", i, new_min);
1017  if (!skipped)
1018  new_min = i + 1;
1019  SCLogDebug("final i %"PRIu64", new_min %"PRIu64, i, new_min);
1020 
1021 next:
1022  if (!ires.has_next) {
1023  /* this was the last tx. See if we skipped any. If not
1024  * we removed all and can update the minimum to the max
1025  * id. */
1026  SCLogDebug("no next: cur tx i %"PRIu64", total %"PRIu64, i, total_txs);
1027  if (!skipped) {
1028  new_min = total_txs;
1029  SCLogDebug("no next: cur tx i %"PRIu64", total %"PRIu64": "
1030  "new_min updated to %"PRIu64, i, total_txs, new_min);
1031  }
1032  break;
1033  }
1034  i++;
1035  }
1036 
1037  /* see if we need to bring all trackers up to date. */
1038  SCLogDebug("update f->alparser->min_id? %"PRIu64" vs %"PRIu64, new_min, alparser->min_id);
1039  if (new_min > alparser->min_id) {
1040  const uint64_t next_id = new_min;
1041  alparser->min_id = next_id;
1042  alparser->inspect_id[0] = MAX(alparser->inspect_id[0], next_id);
1043  alparser->inspect_id[1] = MAX(alparser->inspect_id[1], next_id);
1044  alparser->log_id = MAX(alparser->log_id, next_id);
1045  SCLogDebug("updated f->alparser->min_id %"PRIu64, alparser->min_id);
1046  }
1047  SCReturn;
1048 }
1049 
1050 static inline int StateGetProgressCompletionStatus(const AppProto alproto, const uint8_t flags)
1051 {
1052  if (flags & STREAM_TOSERVER) {
1053  return alp_ctx.ctxs[alproto][FLOW_PROTO_DEFAULT].complete_ts;
1054  } else if (flags & STREAM_TOCLIENT) {
1055  return alp_ctx.ctxs[alproto][FLOW_PROTO_DEFAULT].complete_tc;
1056  } else {
1057  DEBUG_VALIDATE_BUG_ON(1);
1058  return 0;
1059  }
1060 }
1061 
1062 /**
1063  * \brief get the progress value for a tx/protocol
1064  *
1065  * If the stream is disrupted, we return the 'completion' value.
1066  */
1067 int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto,
1068  void *alstate, uint8_t flags)
1069 {
1070  SCEnter();
1071  int r;
1072  if (unlikely(IS_DISRUPTED(flags))) {
1073  r = StateGetProgressCompletionStatus(alproto, flags);
1074  } else {
1075  uint8_t direction = flags & (STREAM_TOCLIENT | STREAM_TOSERVER);
1076  r = alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateGetProgress(
1077  alstate, direction);
1078  }
1079  SCReturnInt(r);
1080 }
1081 
1082 uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
1083 {
1084  SCEnter();
1085  uint64_t r = alp_ctx.ctxs[f->alproto][f->protomap].StateGetTxCnt(alstate);
1086  SCReturnCT(r, "uint64_t");
1087 }
1088 
1089 void *AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
1090 {
1091  SCEnter();
1092  void *r = alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateGetTx(alstate, tx_id);
1093  SCReturnPtr(r, "void *");
1094 }
1095 
1096 int AppLayerParserGetStateProgressCompletionStatus(AppProto alproto,
1097  uint8_t direction)
1098 {
1099  SCEnter();
1100  int r = StateGetProgressCompletionStatus(alproto, direction);
1101  SCReturnInt(r);
1102 }
1103 
1104 int AppLayerParserGetEventInfo(uint8_t ipproto, AppProto alproto, const char *event_name,
1105  uint8_t *event_id, AppLayerEventType *event_type)
1106 {
1107  SCEnter();
1108  const int ipproto_map = FlowGetProtoMapping(ipproto);
1109  int r = (alp_ctx.ctxs[alproto][ipproto_map].StateGetEventInfo == NULL)
1110  ? -1
1111  : alp_ctx.ctxs[alproto][ipproto_map].StateGetEventInfo(
1112  event_name, event_id, event_type);
1113  SCReturnInt(r);
1114 }
1115 
1116 int AppLayerParserGetEventInfoById(uint8_t ipproto, AppProto alproto, uint8_t event_id,
1117  const char **event_name, AppLayerEventType *event_type)
1118 {
1119  SCEnter();
1120  const int ipproto_map = FlowGetProtoMapping(ipproto);
1121  *event_name = (const char *)NULL;
1122  int r = (alp_ctx.ctxs[alproto][ipproto_map].StateGetEventInfoById == NULL)
1123  ? -1
1124  : alp_ctx.ctxs[alproto][ipproto_map].StateGetEventInfoById(
1125  event_id, event_name, event_type);
1126  SCReturnInt(r);
1127 }
1128 
1129 uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
1130 {
1131  SCEnter();
1132  uint8_t r = alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].first_data_dir;
1133  SCReturnCT(r, "uint8_t");
1134 }
1135 
1136 uint64_t AppLayerParserGetTransactionActive(const Flow *f,
1137  AppLayerParserState *pstate, uint8_t direction)
1138 {
1139  SCEnter();
1140 
1141  uint64_t active_id;
1142  uint64_t log_id = pstate->log_id;
1143  uint64_t inspect_id = pstate->inspect_id[(direction & STREAM_TOSERVER) ? 0 : 1];
1144  if (alp_ctx.ctxs[f->alproto][f->protomap].logger) {
1145  active_id = MIN(log_id, inspect_id);
1146  } else {
1147  active_id = inspect_id;
1148  }
1149 
1150  SCReturnCT(active_id, "uint64_t");
1151 }
1152 
1153 bool AppLayerParserSupportsFiles(uint8_t ipproto, AppProto alproto)
1154 {
1155  // Custom case for only signature-only protocol so far
1156  if (alproto == ALPROTO_HTTP) {
1157  return AppLayerParserSupportsFiles(ipproto, ALPROTO_HTTP1) ||
1158  AppLayerParserSupportsFiles(ipproto, ALPROTO_HTTP2);
1159  }
1160  return alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetTxFiles != NULL;
1161 }
1162 
1163 AppLayerTxData *AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx)
1164 {
1165  SCEnter();
1166  AppLayerTxData *d = alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetTxData(tx);
1167  SCReturnPtr(d, "AppLayerTxData");
1168 }
1169 
1170 AppLayerStateData *AppLayerParserGetStateData(uint8_t ipproto, AppProto alproto, void *state)
1171 {
1172  SCEnter();
1173  if (alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetStateData) {
1174  AppLayerStateData *d =
1175  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetStateData(state);
1176  SCReturnPtr(d, "AppLayerStateData");
1177  }
1178  SCReturnPtr(NULL, "AppLayerStateData");
1179 }
1180 
1181 void AppLayerParserApplyTxConfig(uint8_t ipproto, AppProto alproto,
1182  void *state, void *tx, enum ConfigAction mode, AppLayerTxConfig config)
1183 {
1184  SCEnter();
1185  const int ipproto_map = FlowGetProtoMapping(ipproto);
1186  if (alp_ctx.ctxs[alproto][ipproto_map].ApplyTxConfig) {
1187  alp_ctx.ctxs[alproto][ipproto_map].ApplyTxConfig(state, tx, mode, config);
1188  }
1189  SCReturn;
1190 }
1191 
1192 /***** General *****/
1193 
1194 static inline void SetEOFFlags(AppLayerParserState *pstate, const uint8_t flags)
1195 {
1196  if ((flags & (STREAM_EOF|STREAM_TOSERVER)) == (STREAM_EOF|STREAM_TOSERVER)) {
1197  SCLogDebug("setting APP_LAYER_PARSER_EOF_TS");
1198  AppLayerParserStateSetFlag(pstate, APP_LAYER_PARSER_EOF_TS);
1199  } else if ((flags & (STREAM_EOF|STREAM_TOCLIENT)) == (STREAM_EOF|STREAM_TOCLIENT)) {
1200  SCLogDebug("setting APP_LAYER_PARSER_EOF_TC");
1201  AppLayerParserStateSetFlag(pstate, APP_LAYER_PARSER_EOF_TC);
1202  }
1203 }
1204 
1205 /** \internal
1206  * \brief create/close stream frames
1207  * On first invocation of TCP parser in a direction, create a <alproto>.stream frame.
1208  * On STREAM_EOF, set the final length. */
1209 static void HandleStreamFrames(Flow *f, StreamSlice stream_slice, const uint8_t *input,
1210  const uint32_t input_len, const uint8_t flags)
1211 {
1212  const uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
1213  AppLayerParserState *pstate = f->alparser;
1214 
1215  /* setup the generic stream frame */
1216  if (((direction == 0 && (pstate->flags & APP_LAYER_PARSER_SFRAME_TS) == 0) ||
1217  (direction == 1 && (pstate->flags & APP_LAYER_PARSER_SFRAME_TC) == 0)) &&
1218  input != NULL && f->proto == IPPROTO_TCP) {
1219  Frame *frame = AppLayerFrameGetLastOpenByType(f, direction, FRAME_STREAM_TYPE);
1220  if (frame == NULL) {
1221  int64_t frame_len = -1;
1222  if (flags & STREAM_EOF)
1223  frame_len = input_len;
1224 
1225  frame = AppLayerFrameNewByAbsoluteOffset(
1226  f, &stream_slice, stream_slice.offset, frame_len, direction, FRAME_STREAM_TYPE);
1227  if (frame) {
1228  SCLogDebug("opened: frame %p id %" PRIi64, frame, frame->id);
1229  frame->flags = FRAME_FLAG_ENDS_AT_EOF; // TODO logic is not yet implemented
1230  DEBUG_VALIDATE_BUG_ON(
1231  frame->id != 1); // should always be the first frame that is created
1232  }
1233  if (direction == 0) {
1234  pstate->flags |= APP_LAYER_PARSER_SFRAME_TS;
1235  } else {
1236  pstate->flags |= APP_LAYER_PARSER_SFRAME_TC;
1237  }
1238  }
1239  } else if (flags & STREAM_EOF) {
1240  Frame *frame = AppLayerFrameGetLastOpenByType(f, direction, FRAME_STREAM_TYPE);
1241  SCLogDebug("EOF closing: frame %p", frame);
1242  if (frame) {
1243  /* calculate final frame length */
1244  int64_t slice_o = (int64_t)stream_slice.offset - (int64_t)frame->offset;
1245  int64_t frame_len = slice_o + (int64_t)input_len;
1246  SCLogDebug("%s: EOF frame->offset %" PRIu64 " -> %" PRIi64 ": o %" PRIi64,
1247  AppProtoToString(f->alproto), frame->offset, frame_len, slice_o);
1248  frame->len = frame_len;
1249  }
1250  }
1251 }
1252 
1253 static void Setup(Flow *f, const uint8_t direction, const uint8_t *input, uint32_t input_len,
1254  const uint8_t flags, StreamSlice *as)
1255 {
1256  memset(as, 0, sizeof(*as));
1257  as->input = input;
1258  as->input_len = input_len;
1259  as->flags = flags;
1260 
1261  if (f->proto == IPPROTO_TCP && f->protoctx != NULL) {
1262  TcpSession *ssn = f->protoctx;
1263  TcpStream *stream = (direction & STREAM_TOSERVER) ? &ssn->client : &ssn->server;
1264  as->offset = STREAM_APP_PROGRESS(stream);
1265  }
1266 }
1267 
1268 /** \retval int -1 in case of unrecoverable error. App-layer tracking stops for this flow.
1269  * \retval int 0 ok: we did not update app_progress
1270  * \retval int 1 ok: we updated app_progress */
1271 int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto,
1272  uint8_t flags, const uint8_t *input, uint32_t input_len)
1273 {
1274  SCEnter();
1275 #ifdef DEBUG_VALIDATION
1276  BUG_ON(f->protomap != FlowGetProtoMapping(f->proto));
1277 #endif
1278  AppLayerParserState *pstate = f->alparser;
1279  AppLayerParserProtoCtx *p = &alp_ctx.ctxs[alproto][f->protomap];
1280  StreamSlice stream_slice;
1281  void *alstate = NULL;
1282  uint64_t p_tx_cnt = 0;
1283  uint32_t consumed = input_len;
1284  const uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
1285 
1286  /* we don't have the parser registered for this protocol */
1287  if (p->StateAlloc == NULL) {
1288  if (f->proto == IPPROTO_TCP) {
1289  StreamTcpDisableAppLayer(f);
1290  }
1291  goto end;
1292  }
1293 
1294  if (flags & STREAM_GAP) {
1295  if (!(p->option_flags & APP_LAYER_PARSER_OPT_ACCEPT_GAPS)) {
1296  SCLogDebug("app-layer parser does not accept gaps");
1297  if (f->alstate != NULL && !FlowChangeProto(f)) {
1298  AppLayerParserTriggerRawStreamReassembly(f, direction);
1299  }
1300  AppLayerIncGapErrorCounter(tv, f);
1301  goto error;
1302  }
1303  }
1304 
1305  /* Get the parser state (if any) */
1306  if (pstate == NULL) {
1307  f->alparser = pstate = AppLayerParserStateAlloc();
1308  if (pstate == NULL) {
1309  AppLayerIncAllocErrorCounter(tv, f);
1310  goto error;
1311  }
1312  }
1313 
1314  SetEOFFlags(pstate, flags);
1315 
1316  alstate = f->alstate;
1317  if (alstate == NULL || FlowChangeProto(f)) {
1318  f->alstate = alstate = p->StateAlloc(alstate, f->alproto_orig);
1319  if (alstate == NULL) {
1320  AppLayerIncAllocErrorCounter(tv, f);
1321  goto error;
1322  }
1323  SCLogDebug("alloced new app layer state %p (name %s)",
1324  alstate, AppLayerGetProtoName(f->alproto));
1325 
1326  /* set flow flags to state */
1327  if (f->file_flags != 0) {
1328  AppLayerStateData *sd = AppLayerParserGetStateData(f->proto, f->alproto, f->alstate);
1329  if (sd != NULL) {
1330  if ((sd->file_flags & f->file_flags) != f->file_flags) {
1331  SCLogDebug("state data: updating file_flags %04x with flow file_flags %04x",
1332  sd->file_flags, f->file_flags);
1333  sd->file_flags |= f->file_flags;
1334  }
1335  }
1336  }
1337  } else {
1338  SCLogDebug("using existing app layer state %p (name %s))",
1339  alstate, AppLayerGetProtoName(f->alproto));
1340  }
1341 
1342  p_tx_cnt = AppLayerParserGetTxCnt(f, f->alstate);
1343 
1344  /* invoke the recursive parser, but only on data. We may get empty msgs on EOF */
1345  if (input_len > 0 || (flags & STREAM_EOF)) {
1346  Setup(f, flags & (STREAM_TOSERVER | STREAM_TOCLIENT), input, input_len, flags,
1347  &stream_slice);
1348  HandleStreamFrames(f, stream_slice, input, input_len, flags);
1349 
1350 #ifdef DEBUG
1351  if (((stream_slice.flags & STREAM_TOSERVER) &&
1352  stream_slice.offset >= g_eps_applayer_error_offset_ts)) {
1353  SCLogNotice("putting parser %s into an error state from toserver offset %" PRIu64,
1354  AppProtoToString(alproto), g_eps_applayer_error_offset_ts);
1355  AppLayerIncParserErrorCounter(tv, f);
1356  goto error;
1357  }
1358  if (((stream_slice.flags & STREAM_TOCLIENT) &&
1359  stream_slice.offset >= g_eps_applayer_error_offset_tc)) {
1360  SCLogNotice("putting parser %s into an error state from toclient offset %" PRIu64,
1361  AppProtoToString(alproto), g_eps_applayer_error_offset_tc);
1362  AppLayerIncParserErrorCounter(tv, f);
1363  goto error;
1364  }
1365 #endif
1366  /* invoke the parser */
1367  AppLayerResult res = p->Parser[direction](f, alstate, pstate, stream_slice,
1368  alp_tctx->alproto_local_storage[alproto][f->protomap]);
1369  if (res.status < 0) {
1370  AppLayerIncParserErrorCounter(tv, f);
1371  goto error;
1372  } else if (res.status > 0) {
1373  DEBUG_VALIDATE_BUG_ON(res.consumed > input_len);
1374  DEBUG_VALIDATE_BUG_ON(res.needed + res.consumed < input_len);
1375  DEBUG_VALIDATE_BUG_ON(res.needed == 0);
1376  /* incomplete is only supported for TCP */
1377  DEBUG_VALIDATE_BUG_ON(f->proto != IPPROTO_TCP);
1378 
1379  /* put protocol in error state on improper use of the
1380  * return codes. */
1381  if (res.consumed > input_len || res.needed + res.consumed < input_len) {
1382  AppLayerIncInternalErrorCounter(tv, f);
1383  goto error;
1384  }
1385 
1386  if (f->proto == IPPROTO_TCP && f->protoctx != NULL) {
1387  TcpSession *ssn = f->protoctx;
1388  SCLogDebug("direction %d/%s", direction,
1389  (flags & STREAM_TOSERVER) ? "toserver" : "toclient");
1390  if (direction == 0) {
1391  /* parser told us how much data it needs on top of what it
1392  * consumed. So we need tell stream engine how much we need
1393  * before the next call */
1394  ssn->client.data_required = res.needed;
1395  SCLogDebug("setting data_required %u", ssn->client.data_required);
1396  } else {
1397  /* parser told us how much data it needs on top of what it
1398  * consumed. So we need tell stream engine how much we need
1399  * before the next call */
1400  ssn->server.data_required = res.needed;
1401  SCLogDebug("setting data_required %u", ssn->server.data_required);
1402  }
1403  }
1404  consumed = res.consumed;
1405  }
1406  }
1407 
1408  /* set the packets to no inspection and reassembly if required */
1409  if (pstate->flags & APP_LAYER_PARSER_NO_INSPECTION) {
1410  AppLayerParserSetEOF(pstate);
1411 
1412  if (f->proto == IPPROTO_TCP) {
1413  StreamTcpDisableAppLayer(f);
1414 
1415  /* Set the no reassembly flag for both the stream in this TcpSession */
1416  if (pstate->flags & APP_LAYER_PARSER_NO_REASSEMBLY) {
1417  /* Used only if it's TCP */
1418  TcpSession *ssn = f->protoctx;
1419  if (ssn != NULL) {
1420  StreamTcpSetSessionNoReassemblyFlag(ssn, 0);
1421  StreamTcpSetSessionNoReassemblyFlag(ssn, 1);
1422  }
1423  }
1424  /* Set the bypass flag for both the stream in this TcpSession */
1425  if (pstate->flags & APP_LAYER_PARSER_BYPASS_READY) {
1426  /* Used only if it's TCP */
1427  TcpSession *ssn = f->protoctx;
1428  if (ssn != NULL) {
1429  StreamTcpSetSessionBypassFlag(ssn);
1430  }
1431  }
1432  } else {
1433  // for TCP, this is set after flushing
1434  FlowSetNoPayloadInspectionFlag(f);
1435  }
1436  }
1437 
1438  /* In cases like HeartBleed for TLS we need to inspect AppLayer but not Payload */
1439  if (!(f->flags & FLOW_NOPAYLOAD_INSPECTION) && pstate->flags & APP_LAYER_PARSER_NO_INSPECTION_PAYLOAD) {
1440  FlowSetNoPayloadInspectionFlag(f);
1441  /* Set the no reassembly flag for both the stream in this TcpSession */
1442  if (f->proto == IPPROTO_TCP) {
1443  /* Used only if it's TCP */
1444  TcpSession *ssn = f->protoctx;
1445  if (ssn != NULL) {
1446  StreamTcpSetDisableRawReassemblyFlag(ssn, 0);
1447  StreamTcpSetDisableRawReassemblyFlag(ssn, 1);
1448  }
1449  }
1450  }
1451 
1452  /* get the diff in tx cnt for stats keeping */
1453  uint64_t cur_tx_cnt = AppLayerParserGetTxCnt(f, f->alstate);
1454  if (cur_tx_cnt > p_tx_cnt && tv) {
1455  AppLayerIncTxCounter(tv, f, cur_tx_cnt - p_tx_cnt);
1456  }
1457 
1458  end:
1459  /* update app progress */
1460  if (consumed != input_len && f->proto == IPPROTO_TCP && f->protoctx != NULL) {
1461  TcpSession *ssn = f->protoctx;
1462  StreamTcpUpdateAppLayerProgress(ssn, direction, consumed);
1463  SCReturnInt(1);
1464  }
1465 
1466  SCReturnInt(0);
1467  error:
1468  /* Set the no app layer inspection flag for both
1469  * the stream in this Flow */
1470  if (f->proto == IPPROTO_TCP) {
1471  StreamTcpDisableAppLayer(f);
1472  }
1473  AppLayerParserSetEOF(pstate);
1474  SCReturnInt(-1);
1475 }
1476 
1477 void AppLayerParserSetEOF(AppLayerParserState *pstate)
1478 {
1479  SCEnter();
1480 
1481  if (pstate == NULL)
1482  goto end;
1483 
1484  SCLogDebug("setting APP_LAYER_PARSER_EOF_TC and APP_LAYER_PARSER_EOF_TS");
1485  AppLayerParserStateSetFlag(pstate, (APP_LAYER_PARSER_EOF_TS|APP_LAYER_PARSER_EOF_TC));
1486 
1487  end:
1488  SCReturn;
1489 }
1490 
1491 /* return true if there are app parser decoder events. These are
1492  * only the ones that are set during protocol detection. */
1493 bool AppLayerParserHasDecoderEvents(AppLayerParserState *pstate)
1494 {
1495  SCEnter();
1496 
1497  if (pstate == NULL)
1498  return false;
1499 
1500  const AppLayerDecoderEvents *decoder_events = AppLayerParserGetDecoderEvents(pstate);
1501  if (decoder_events && decoder_events->cnt)
1502  return true;
1503 
1504  /* if we have reached here, we don't have events */
1505  return false;
1506 }
1507 
1508 /** \brief simple way to globally test if a alproto is registered
1509  * and fully enabled in the configuration.
1510  */
1511 int AppLayerParserIsEnabled(AppProto alproto)
1512 {
1513  for (int i = 0; i < FLOW_PROTO_APPLAYER_MAX; i++) {
1514  if (alp_ctx.ctxs[alproto][i].StateGetProgress != NULL) {
1515  return 1;
1516  }
1517  }
1518  return 0;
1519 }
1520 
1521 int AppLayerParserProtocolHasLogger(uint8_t ipproto, AppProto alproto)
1522 {
1523  SCEnter();
1524  int ipproto_map = FlowGetProtoMapping(ipproto);
1525  int r = (!alp_ctx.ctxs[alproto][ipproto_map].logger) ? 0 : 1;
1526  SCReturnInt(r);
1527 }
1528 
1529 LoggerId AppLayerParserProtocolGetLoggerBits(uint8_t ipproto, AppProto alproto)
1530 {
1531  SCEnter();
1532  const int ipproto_map = FlowGetProtoMapping(ipproto);
1533  LoggerId r = alp_ctx.ctxs[alproto][ipproto_map].logger_bits;
1534  SCReturnUInt(r);
1535 }
1536 
1537 void AppLayerParserTriggerRawStreamReassembly(Flow *f, int direction)
1538 {
1539  SCEnter();
1540 
1541  SCLogDebug("f %p tcp %p direction %d", f, f ? f->protoctx : NULL, direction);
1542  if (f != NULL && f->protoctx != NULL)
1543  StreamTcpReassembleTriggerRawReassembly(f->protoctx, direction);
1544 
1545  SCReturn;
1546 }
1547 
1548 void AppLayerParserSetStreamDepth(uint8_t ipproto, AppProto alproto, uint32_t stream_depth)
1549 {
1550  SCEnter();
1551 
1552  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].stream_depth = stream_depth;
1553  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].internal_flags |=
1554  APP_LAYER_PARSER_INT_STREAM_DEPTH_SET;
1555 
1556  SCReturn;
1557 }
1558 
1559 uint32_t AppLayerParserGetStreamDepth(const Flow *f)
1560 {
1561  SCReturnInt(alp_ctx.ctxs[f->alproto][f->protomap].stream_depth);
1562 }
1563 
1564 void AppLayerParserSetStreamDepthFlag(uint8_t ipproto, AppProto alproto, void *state, uint64_t tx_id, uint8_t flags)
1565 {
1566  SCEnter();
1567  void *tx = NULL;
1568  if (state != NULL) {
1569  if ((tx = AppLayerParserGetTx(ipproto, alproto, state, tx_id)) != NULL) {
1570  if (alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].SetStreamDepthFlag != NULL) {
1571  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].SetStreamDepthFlag(tx, flags);
1572  }
1573  }
1574  }
1575  SCReturn;
1576 }
1577 
1578 int AppLayerParserGetFrameIdByName(uint8_t ipproto, AppProto alproto, const char *name)
1579 {
1580  if (alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetFrameIdByName != NULL) {
1581  return alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetFrameIdByName(name);
1582  } else {
1583  return -1;
1584  }
1585 }
1586 
1587 const char *AppLayerParserGetFrameNameById(uint8_t ipproto, AppProto alproto, const uint8_t id)
1588 {
1589  if (alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetFrameNameById != NULL) {
1590  return alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetFrameNameById(id);
1591  } else {
1592  return NULL;
1593  }
1594 }
1595 
1596 /***** Cleanup *****/
1597 
1598 void AppLayerParserStateProtoCleanup(
1599  uint8_t protomap, AppProto alproto, void *alstate, AppLayerParserState *pstate)
1600 {
1601  SCEnter();
1602 
1603  AppLayerParserProtoCtx *ctx = &alp_ctx.ctxs[alproto][protomap];
1604 
1605  if (ctx->StateFree != NULL && alstate != NULL)
1606  ctx->StateFree(alstate);
1607 
1608  /* free the app layer parser api state */
1609  if (pstate != NULL)
1610  AppLayerParserStateFree(pstate);
1611 
1612  SCReturn;
1613 }
1614 
1615 void AppLayerParserStateCleanup(const Flow *f, void *alstate, AppLayerParserState *pstate)
1616 {
1617  AppLayerParserStateProtoCleanup(f->protomap, f->alproto, alstate, pstate);
1618 }
1619 
1620 static void ValidateParserProtoDump(AppProto alproto, uint8_t ipproto)
1621 {
1622  uint8_t map = FlowGetProtoMapping(ipproto);
1623  const AppLayerParserProtoCtx *ctx = &alp_ctx.ctxs[alproto][map];
1624  printf("ERROR: incomplete app-layer registration\n");
1625  printf("AppLayer protocol %s ipproto %u\n", AppProtoToString(alproto), ipproto);
1626  printf("- option flags %"PRIx32"\n", ctx->option_flags);
1627  printf("- first_data_dir %"PRIx8"\n", ctx->first_data_dir);
1628  printf("Mandatory:\n");
1629  printf("- Parser[0] %p Parser[1] %p\n", ctx->Parser[0], ctx->Parser[1]);
1630  printf("- StateAlloc %p StateFree %p\n", ctx->StateAlloc, ctx->StateFree);
1631  printf("- StateGetTx %p StateGetTxCnt %p StateTransactionFree %p\n",
1632  ctx->StateGetTx, ctx->StateGetTxCnt, ctx->StateTransactionFree);
1633  printf("- GetTxData %p\n", ctx->GetTxData);
1634  printf("- GetStateData %p\n", ctx->GetStateData);
1635  printf("- StateGetProgress %p\n", ctx->StateGetProgress);
1636  printf("Optional:\n");
1637  printf("- LocalStorageAlloc %p LocalStorageFree %p\n", ctx->LocalStorageAlloc, ctx->LocalStorageFree);
1638  printf("- StateGetEventInfo %p StateGetEventInfoById %p\n", ctx->StateGetEventInfo,
1639  ctx->StateGetEventInfoById);
1640 }
1641 
1642 #define BOTH_SET(a, b) ((a) != NULL && (b) != NULL)
1643 #define BOTH_SET_OR_BOTH_UNSET(a, b) (((a) == NULL && (b) == NULL) || ((a) != NULL && (b) != NULL))
1644 #define THREE_SET(a, b, c) ((a) != NULL && (b) != NULL && (c) != NULL)
1645 
1646 static void ValidateParserProto(AppProto alproto, uint8_t ipproto)
1647 {
1648  uint8_t map = FlowGetProtoMapping(ipproto);
1649  const AppLayerParserProtoCtx *ctx = &alp_ctx.ctxs[alproto][map];
1650 
1651  if (ctx->Parser[0] == NULL && ctx->Parser[1] == NULL)
1652  return;
1653 
1654  if (!(BOTH_SET(ctx->Parser[0], ctx->Parser[1]))) {
1655  goto bad;
1656  }
1657  if (!(BOTH_SET(ctx->StateFree, ctx->StateAlloc))) {
1658  goto bad;
1659  }
1660  if (!(THREE_SET(ctx->StateGetTx, ctx->StateGetTxCnt, ctx->StateTransactionFree))) {
1661  goto bad;
1662  }
1663  if (ctx->StateGetProgress == NULL) {
1664  goto bad;
1665  }
1666  /* local storage is optional, but needs both set if used */
1667  if (!(BOTH_SET_OR_BOTH_UNSET(ctx->LocalStorageAlloc, ctx->LocalStorageFree))) {
1668  goto bad;
1669  }
1670  if (ctx->GetTxData == NULL) {
1671  goto bad;
1672  }
1673  if (ctx->GetStateData == NULL) {
1674  goto bad;
1675  }
1676  return;
1677 bad:
1678  ValidateParserProtoDump(alproto, ipproto);
1679  exit(EXIT_FAILURE);
1680 }
1681 #undef BOTH_SET
1682 #undef BOTH_SET_OR_BOTH_UNSET
1683 #undef THREE_SET_OR_THREE_UNSET
1684 #undef THREE_SET
1685 
1686 static void ValidateParser(AppProto alproto)
1687 {
1688  ValidateParserProto(alproto, IPPROTO_TCP);
1689  ValidateParserProto(alproto, IPPROTO_UDP);
1690 }
1691 
1692 static void ValidateParsers(void)
1693 {
1694  AppProto p = 0;
1695  for (; p < g_alproto_max; p++) {
1696  ValidateParser(p);
1697  }
1698 }
1699 
1700 #define ARRAY_CAP_STEP 16
1701 static void (**PreRegisteredCallbacks)(void) = NULL;
1702 static size_t preregistered_callbacks_nb = 0;
1703 static size_t preregistered_callbacks_cap = 0;
1704 
1705 int AppLayerParserPreRegister(void (*Register)(void))
1706 {
1707  if (preregistered_callbacks_nb == preregistered_callbacks_cap) {
1708  void *tmp = SCRealloc(PreRegisteredCallbacks,
1709  sizeof(void *) * (preregistered_callbacks_cap + ARRAY_CAP_STEP));
1710  if (tmp == NULL) {
1711  return 1;
1712  }
1713  preregistered_callbacks_cap += ARRAY_CAP_STEP;
1714  PreRegisteredCallbacks = tmp;
1715  }
1716  PreRegisteredCallbacks[preregistered_callbacks_nb] = Register;
1717  preregistered_callbacks_nb++;
1718  return 0;
1719 }
1720 
1721 void AppLayerParserRegisterProtocolParsers(void)
1722 {
1723  SCEnter();
1724 
1725  AppLayerConfig();
1726 
1727  RegisterHTPParsers();
1728  RegisterSSLParsers();
1729  SCRegisterDcerpcParser();
1730  SCRegisterDcerpcUdpParser();
1731  RegisterSMBParsers();
1732  RegisterFTPParsers();
1733  RegisterSSHParsers();
1734  RegisterSMTPParsers();
1735  SCRegisterDnsUdpParser();
1736  SCRegisterDnsTcpParser();
1737  SCRegisterBittorrentDhtUdpParser();
1738  RegisterModbusParsers();
1739  SCEnipRegisterParsers();
1740  RegisterDNP3Parsers();
1741  RegisterNFSTCPParsers();
1742  RegisterNFSUDPParsers();
1743  rs_register_ntp_parser();
1744  RegisterTFTPParsers();
1745  RegisterIKEParsers();
1746  rs_register_krb5_parser();
1747  SCRegisterDhcpParser();
1748  rs_register_snmp_parser();
1749  rs_sip_register_parser();
1750  rs_quic_register_parser();
1751  rs_websocket_register_parser();
1752  SCRegisterLdapTcpParser();
1753  SCRegisterLdapUdpParser();
1754  rs_template_register_parser();
1755  SCRfbRegisterParser();
1756  SCMqttRegisterParser();
1757  SCRegisterPgsqlParser();
1758  rs_rdp_register_parser();
1759  RegisterHTTP2Parsers();
1760  rs_telnet_register_parser();
1761  RegisterIMAPParsers();
1762 
1763  /** POP3 */
1764  AppLayerProtoDetectRegisterProtocol(ALPROTO_POP3, "pop3");
1765  if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", "pop3")) {
1766  if (AppLayerProtoDetectPMRegisterPatternCS(
1767  IPPROTO_TCP, ALPROTO_POP3, "+OK ", 4, 0, STREAM_TOCLIENT) < 0) {
1768  FatalError("pop3 proto registration failure");
1769  }
1770  } else {
1771  SCLogInfo("Protocol detection and parser disabled for pop3 protocol.");
1772  }
1773  for (size_t i = 0; i < preregistered_callbacks_nb; i++) {
1774  PreRegisteredCallbacks[i]();
1775  }
1776 
1777  ValidateParsers();
1778 }
1779 
1780 
1781 /* coccinelle: AppLayerParserStateSetFlag():2,2:APP_LAYER_PARSER_ */
1782 void AppLayerParserStateSetFlag(AppLayerParserState *pstate, uint16_t flag)
1783 {
1784  SCEnter();
1785  pstate->flags |= flag;
1786  SCReturn;
1787 }
1788 
1789 /* coccinelle: AppLayerParserStateIssetFlag():2,2:APP_LAYER_PARSER_ */
1790 uint16_t AppLayerParserStateIssetFlag(AppLayerParserState *pstate, uint16_t flag)
1791 {
1792  SCEnter();
1793  SCReturnUInt(pstate->flags & flag);
1794 }
1795 
1796 /***** Unittests *****/
1797 
1798 #ifdef UNITTESTS
1799 #include "util-unittest-helper.h"
1800 
1801 void AppLayerParserRegisterProtocolUnittests(uint8_t ipproto, AppProto alproto,
1802  void (*RegisterUnittests)(void))
1803 {
1804  SCEnter();
1805  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].RegisterUnittests = RegisterUnittests;
1806  SCReturn;
1807 }
1808 
1809 void AppLayerParserRegisterUnittests(void)
1810 {
1811  SCEnter();
1812 
1813  int ip;
1814  AppProto alproto;
1815  AppLayerParserProtoCtx *ctx;
1816 
1817  for (ip = 0; ip < FLOW_PROTO_DEFAULT; ip++) {
1818  for (alproto = 0; alproto < g_alproto_max; alproto++) {
1819  ctx = &alp_ctx.ctxs[alproto][ip];
1820  if (ctx->RegisterUnittests == NULL)
1821  continue;
1822  ctx->RegisterUnittests();
1823  }
1824  }
1825 
1826  SCReturn;
1827 }
1828 
1829 #endif
app-layer-nfs-udp.h
AppLayerParserRegisterGetStateProgressFunc
void AppLayerParserRegisterGetStateProgressFunc(uint8_t ipproto, AppProto alproto, int(*StateGetProgress)(void *alstate, uint8_t direction))
Definition: app-layer-parser.c:480
AppLayerParserDeSetup
int AppLayerParserDeSetup(void)
Definition: app-layer-parser.c:278
TcpStream_
Definition: stream-tcp-private.h:106
AppLayerParserProtoCtx_::GetStateData
AppLayerStateData *(* GetStateData)(void *state)
Definition: app-layer-parser.c:101
ts
uint64_t ts
Definition: source-erf-file.c:55
AppLayerParserProtoCtx_::StateGetTxCnt
uint64_t(* StateGetTxCnt)(void *alstate)
Definition: app-layer-parser.c:91
g_applayerparser_error_policy
enum ExceptionPolicy g_applayerparser_error_policy
Definition: app-layer-parser.c:149
AppLayerParserProtoCtx_::logger_bits
uint32_t logger_bits
Definition: app-layer-parser.c:78
AppLayerParserProtoCtx_::complete_tc
int complete_tc
Definition: app-layer-parser.c:95
AppLayerParserProtoCtx_::GetTxData
AppLayerTxData *(* GetTxData)(void *tx)
Definition: app-layer-parser.c:102
app-layer-tftp.h
AppLayerParserState_::log_id
uint64_t log_id
Definition: app-layer-parser.c:139
RegisterSMBParsers
void RegisterSMBParsers(void)
Definition: app-layer-smb.c:45
app-layer-ssh.h
RegisterIKEParsers
void RegisterIKEParsers(void)
Definition: app-layer-ike.c:40
AppLayerParserIsEnabled
int AppLayerParserIsEnabled(AppProto alproto)
simple way to globally test if a alproto is registered and fully enabled in the configuration.
Definition: app-layer-parser.c:1511
AppLayerParserRegisterLocalStorageFunc
void AppLayerParserRegisterLocalStorageFunc(uint8_t ipproto, AppProto alproto, void *(*LocalStorageAlloc)(void), void(*LocalStorageFree)(void *))
Definition: app-layer-parser.c:440
BOTH_SET
#define BOTH_SET(a, b)
Definition: app-layer-parser.c:1642
AppLayerParserProtocolHasLogger
int AppLayerParserProtocolHasLogger(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1521
AppLayerParserRegisterOptionFlags
void AppLayerParserRegisterOptionFlags(uint8_t ipproto, AppProto alproto, uint32_t flags)
Definition: app-layer-parser.c:419
flow-util.h
FramesFree
void FramesFree(Frames *frames)
Definition: app-layer-frames.c:447
AppLayerParserSetStreamDepthFlag
void AppLayerParserSetStreamDepthFlag(uint8_t ipproto, AppProto alproto, void *state, uint64_t tx_id, uint8_t flags)
Definition: app-layer-parser.c:1564
APP_LAYER_TX_SKIP_INSPECT_TC
#define APP_LAYER_TX_SKIP_INSPECT_TC
Definition: app-layer-parser.h:54
AppLayerParserSetTransactionLogId
void AppLayerParserSetTransactionLogId(AppLayerParserState *pstate, uint64_t tx_id)
Definition: app-layer-parser.c:692
g_filedata_logger_enabled
bool g_filedata_logger_enabled
Definition: output-filedata.c:37
AppLayerParserSetStreamDepth
void AppLayerParserSetStreamDepth(uint8_t ipproto, AppProto alproto, uint32_t stream_depth)
Definition: app-layer-parser.c:1548
ConfNode_::val
char * val
Definition: conf.h:34
stream-tcp.h
AppLayerParserApplyTxConfig
void AppLayerParserApplyTxConfig(uint8_t ipproto, AppProto alproto, void *state, void *tx, enum ConfigAction mode, AppLayerTxConfig config)
Definition: app-layer-parser.c:1181
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
AppLayerParserTransactionsCleanup
void AppLayerParserTransactionsCleanup(Flow *f, const uint8_t pkt_dir)
remove obsolete (inspected and logged) transactions
Definition: app-layer-parser.c:879
AppLayerParserGetProtocolParserLocalStorage
void * AppLayerParserGetProtocolParserLocalStorage(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:618
AppLayerParserProtoCtx_::LocalStorageFree
void(* LocalStorageFree)(void *)
Definition: app-layer-parser.c:84
AppLayerParserProtoCtx_
App layer protocol parser context.
Definition: app-layer-parser.c:67
RegisterSSHParsers
void RegisterSSHParsers(void)
Function to register the SSH protocol parsers and other functions.
Definition: app-layer-ssh.c:81
AppLayerParserProtoCtx_::StateGetTx
void *(* StateGetTx)(void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:92
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
FLOW_SGH_TOCLIENT
#define FLOW_SGH_TOCLIENT
Definition: flow.h:73
AppLayerParserSetTransactionInspectId
void AppLayerParserSetTransactionInspectId(const Flow *f, AppLayerParserState *pstate, void *alstate, const uint8_t flags, bool tag_txs_as_inspected)
Definition: app-layer-parser.c:724
APP_LAYER_PARSER_BYPASS_READY
#define APP_LAYER_PARSER_BYPASS_READY
Definition: app-layer-parser.h:38
AppLayerParserGetEventsByTx
AppLayerDecoderEvents * AppLayerParserGetEventsByTx(uint8_t ipproto, AppProto alproto, void *tx)
Definition: app-layer-parser.c:833
AppLayerGetTxIterator
AppLayerGetTxIteratorFunc AppLayerGetTxIterator(const uint8_t ipproto, const AppProto alproto)
Definition: app-layer-parser.c:677
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
RegisterModbusParsers
void RegisterModbusParsers(void)
Function to register the Modbus protocol parser.
Definition: app-layer-modbus.c:49
AppLayerParserGetTxDetectProgress
uint8_t AppLayerParserGetTxDetectProgress(AppLayerTxData *txd, const uint8_t dir)
Definition: app-layer-parser.c:713
Flow_::proto
uint8_t proto
Definition: flow.h:376
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:85
StreamTcpSetDisableRawReassemblyFlag
void StreamTcpSetDisableRawReassemblyFlag(TcpSession *, char)
Set the No reassembly flag for the given direction in given TCP session.
Definition: stream-tcp.c:6710
AppLayerFramesSetupContainer
FramesContainer * AppLayerFramesSetupContainer(Flow *f)
Definition: app-layer-parser.c:185
AppLayerParserConfParserEnabled
int AppLayerParserConfParserEnabled(const char *ipproto, const char *alproto_name)
check if a parser is enabled in the config Returns enabled always if: were running unittests
Definition: app-layer-parser.c:338
AppLayerParserGetStateProgress
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
Definition: app-layer-parser.c:1067
AppLayerParserTriggerRawStreamReassembly
void AppLayerParserTriggerRawStreamReassembly(Flow *f, int direction)
Definition: app-layer-parser.c:1537
ALPROTO_POP3
@ ALPROTO_POP3
Definition: app-layer-protos.h:72
FramesContainer::toserver
Frames toserver
Definition: app-layer-frames.h:72
ConfGetNode
ConfNode * ConfGetNode(const char *name)
Get a ConfNode by name.
Definition: conf.c:181
Frame::offset
uint64_t offset
Definition: app-layer-frames.h:49
TcpStreamCnf_::reassembly_depth
uint32_t reassembly_depth
Definition: stream-tcp.h:75
Frame
Definition: app-layer-frames.h:43
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:354
AppLayerIncGapErrorCounter
void AppLayerIncGapErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:162
APP_LAYER_PARSER_INT_STREAM_DEPTH_SET
#define APP_LAYER_PARSER_INT_STREAM_DEPTH_SET
Definition: app-layer-parser.h:48
StreamTcpReassembleTriggerRawReassembly
void StreamTcpReassembleTriggerRawReassembly(TcpSession *ssn, int direction)
Trigger RAW stream reassembly.
Definition: stream-tcp-reassemble.c:2161
LoggerId
LoggerId
Definition: suricata-common.h:469
Flow_::protomap
uint8_t protomap
Definition: flow.h:443
AppLayerParserGetTransactionLogId
uint64_t AppLayerParserGetTransactionLogId(AppLayerParserState *pstate)
Definition: app-layer-parser.c:685
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:40
ctx
struct Thresholds ctx
AppLayerParserSupportsFiles
bool AppLayerParserSupportsFiles(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1153
AppLayerParserRegisterStateProgressCompletionStatus
void AppLayerParserRegisterStateProgressCompletionStatus(AppProto alproto, const int ts, const int tc)
Definition: app-layer-parser.c:528
AppLayerParserRegisterParserAcceptableDataDirection
void AppLayerParserRegisterParserAcceptableDataDirection(uint8_t ipproto, AppProto alproto, uint8_t direction)
Definition: app-layer-parser.c:408
AppLayerParserGetStateProgressCompletionStatus
int AppLayerParserGetStateProgressCompletionStatus(AppProto alproto, uint8_t direction)
Definition: app-layer-parser.c:1096
AppLayerParserGetFirstDataDir
uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1129
AppLayerParserProtoIsRegistered
int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:222
AppLayerParserRegisterTxFreeFunc
void AppLayerParserRegisterTxFreeFunc(uint8_t ipproto, AppProto alproto, void(*StateTransactionFree)(void *, uint64_t))
Definition: app-layer-parser.c:490
FLOW_NOPAYLOAD_INSPECTION
#define FLOW_NOPAYLOAD_INSPECTION
Definition: flow.h:65
Frame::id
int64_t id
Definition: app-layer-frames.h:51
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:454
AppLayerParserStateProtoCleanup
void AppLayerParserStateProtoCleanup(uint8_t protomap, AppProto alproto, void *alstate, AppLayerParserState *pstate)
Definition: app-layer-parser.c:1598
AppLayerParserProtoCtx_::StateGetTxIterator
AppLayerGetTxIteratorFunc StateGetTxIterator
Definition: app-layer-parser.c:93
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:317
MIN
#define MIN(x, y)
Definition: suricata-common.h:400
AppLayerDecoderEventsFreeEvents
void AppLayerDecoderEventsFreeEvents(AppLayerDecoderEvents **events)
Definition: app-layer-events.c:136
StreamTcpUpdateAppLayerProgress
void StreamTcpUpdateAppLayerProgress(TcpSession *ssn, char direction, const uint32_t progress)
update reassembly progress
Definition: stream-tcp.c:6678
FramesContainer
Definition: app-layer-frames.h:71
AppLayerParserGetStateData
AppLayerStateData * AppLayerParserGetStateData(uint8_t ipproto, AppProto alproto, void *state)
Definition: app-layer-parser.c:1170
app-layer-http2.h
app-layer-ftp.h
AppLayerFrameNewByAbsoluteOffset
Frame * AppLayerFrameNewByAbsoluteOffset(Flow *f, const StreamSlice *stream_slice, const uint64_t frame_start, const int64_t len, int dir, uint8_t frame_type)
create new frame using the absolute offset from the start of the stream
Definition: app-layer-frames.c:598
AppLayerFrameGetLastOpenByType
Frame * AppLayerFrameGetLastOpenByType(Flow *f, const int dir, const uint8_t frame_type)
Definition: app-layer-frames.c:712
stream_config
TcpStreamCnf stream_config
Definition: stream-tcp.c:219
MAX
#define MAX(x, y)
Definition: suricata-common.h:404
APP_LAYER_PARSER_EOF_TS
#define APP_LAYER_PARSER_EOF_TS
Definition: app-layer-parser.h:39
Flow_::protoctx
void * protoctx
Definition: flow.h:439
TcpStream_::data_required
uint32_t data_required
Definition: stream-tcp-private.h:133
AppLayerIncAllocErrorCounter
void AppLayerIncAllocErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:170
EXCEPTION_POLICY_NOT_SET
@ EXCEPTION_POLICY_NOT_SET
Definition: util-exception-policy-types.h:26
ExceptionPolicyParse
enum ExceptionPolicy ExceptionPolicyParse(const char *option, bool support_flow)
Definition: util-exception-policy.c:302
AppLayerParserRegisterUnittests
void AppLayerParserRegisterUnittests(void)
Definition: app-layer-parser.c:1809
AppLayerParserGetTransactionInspectId
uint64_t AppLayerParserGetTransactionInspectId(AppLayerParserState *pstate, uint8_t direction)
Definition: app-layer-parser.c:702
AppLayerDecoderEvents_
Data structure to store app layer decoder events.
Definition: app-layer-events.h:36
AppLayerParserProtoCtx_::ApplyTxConfig
bool(* ApplyTxConfig)(void *state, void *tx, int mode, AppLayerTxConfig)
Definition: app-layer-parser.c:103
FlowGetReverseProtoMapping
uint8_t FlowGetReverseProtoMapping(uint8_t rproto)
Definition: flow-util.c:112
RegisterDNP3Parsers
void RegisterDNP3Parsers(void)
Register the DNP3 application protocol parser.
Definition: app-layer-dnp3.c:1528
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:536
util-unittest-helper.h
AppLayerParserProtoCtx_::StateGetEventInfoById
int(* StateGetEventInfoById)(uint8_t event_id, const char **event_name, AppLayerEventType *event_type)
Definition: app-layer-parser.c:96
FTPParserCleanup
void FTPParserCleanup(void)
Free memory allocated for global FTP parser state.
Definition: app-layer-ftp.c:1393
AppLayerParserGetTxFiles
AppLayerGetFileState AppLayerParserGetTxFiles(const Flow *f, void *tx, const uint8_t direction)
Definition: app-layer-parser.c:849
AppLayerParserState_::flags
uint16_t flags
Definition: app-layer-parser.c:131
Flow_::sgh_toserver
const struct SigGroupHead_ * sgh_toserver
Definition: flow.h:484
AppLayerParserState_::inspect_id
uint64_t inspect_id[2]
Definition: app-layer-parser.c:135
AppLayerParserFPtr
AppLayerResult(* AppLayerParserFPtr)(Flow *f, void *protocol_state, AppLayerParserState *pstate, StreamSlice stream_slice, void *local_storage)
Prototype for parsing functions.
Definition: app-layer-parser.h:116
AppLayerParserCtx
struct AppLayerParserCtx_ AppLayerParserCtx
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:476
AppLayerParserRegisterProtocolParsers
void AppLayerParserRegisterProtocolParsers(void)
Definition: app-layer-parser.c:1721
app-layer-detect-proto.h
APP_LAYER_PARSER_SFRAME_TS
#define APP_LAYER_PARSER_SFRAME_TS
Definition: app-layer-parser.h:42
app-layer-htp.h
FramesContainer::toclient
Frames toclient
Definition: app-layer-frames.h:73
AppLayerParserProtoCtx_::stream_depth
uint32_t stream_depth
Definition: app-layer-parser.c:111
AppLayerParserState_
Definition: app-layer-parser.c:129
AppLayerParserGetEventInfoById
int AppLayerParserGetEventInfoById(uint8_t ipproto, AppProto alproto, uint8_t event_id, const char **event_name, AppLayerEventType *event_type)
Definition: app-layer-parser.c:1116
AppLayerParserProtoCtx_::GetFrameIdByName
AppLayerParserGetFrameIdByNameFn GetFrameIdByName
Definition: app-layer-parser.c:107
AppLayerParserGetFrameNameById
const char * AppLayerParserGetFrameNameById(uint8_t ipproto, AppProto alproto, const uint8_t id)
Definition: app-layer-parser.c:1587
g_alproto_max
AppProto g_alproto_max
Definition: app-layer-protos.c:29
AppLayerParserGetTransactionActive
uint64_t AppLayerParserGetTransactionActive(const Flow *f, AppLayerParserState *pstate, uint8_t direction)
Definition: app-layer-parser.c:1136
AppLayerParserProtoCtx_::logger
bool logger
Definition: app-layer-parser.c:71
app-layer-ike.h
AppLayerFramesFreeContainer
void AppLayerFramesFreeContainer(Flow *f)
Definition: app-layer-parser.c:170
app-layer-dnp3.h
AppLayerParserThreadCtx_::alproto_local_storage
void *(* alproto_local_storage)[FLOW_PROTO_MAX]
Definition: app-layer-parser.c:59
AppLayerParserProtoCtx_::StateGetEventInfo
int(* StateGetEventInfo)(const char *event_name, uint8_t *event_id, AppLayerEventType *event_type)
Definition: app-layer-parser.c:98
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
AppLayerParserRegisterLogger
void AppLayerParserRegisterLogger(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:471
AppLayerParserRegisterGetFrameFuncs
void AppLayerParserRegisterGetFrameFuncs(uint8_t ipproto, AppProto alproto, AppLayerParserGetFrameIdByNameFn GetIdByNameFunc, AppLayerParserGetFrameNameByIdFn GetNameByIdFunc)
Definition: app-layer-parser.c:555
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
AppLayerParserProtoCtx_::SetStreamDepthFlag
void(* SetStreamDepthFlag)(void *tx, uint8_t flags)
Definition: app-layer-parser.c:105
AppLayerParserState_::min_id
uint64_t min_id
Definition: app-layer-parser.c:141
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
AppLayerParserRegisterLoggerBits
void AppLayerParserRegisterLoggerBits(uint8_t ipproto, AppProto alproto, LoggerId bits)
Definition: app-layer-parser.c:462
AppLayerParserRegisterStateFuncs
void AppLayerParserRegisterStateFuncs(uint8_t ipproto, AppProto alproto, void *(*StateAlloc)(void *, AppProto), void(*StateFree)(void *))
Definition: app-layer-parser.c:429
APP_LAYER_PARSER_NO_REASSEMBLY
#define APP_LAYER_PARSER_NO_REASSEMBLY
Definition: app-layer-parser.h:36
IS_DISRUPTED
#define IS_DISRUPTED(flags)
Definition: app-layer-parser.c:870
AppLayerParserSetEOF
void AppLayerParserSetEOF(AppLayerParserState *pstate)
Definition: app-layer-parser.c:1477
AppLayerParserProtoCtx_::RegisterUnittests
void(* RegisterUnittests)(void)
Definition: app-layer-parser.c:121
AppLayerParserStateFree
void AppLayerParserStateFree(AppLayerParserState *pstate)
Definition: app-layer-parser.c:241
FLOW_PROTO_MAX
@ FLOW_PROTO_MAX
Definition: flow-private.h:74
app-layer-parser.h
AppLayerParserStateCleanup
void AppLayerParserStateCleanup(const Flow *f, void *alstate, AppLayerParserState *pstate)
Definition: app-layer-parser.c:1615
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:309
AppLayerDecoderEvents_::cnt
uint8_t cnt
Definition: app-layer-events.h:40
Flow_::sgh_toclient
const struct SigGroupHead_ * sgh_toclient
Definition: flow.h:481
RegisterNFSTCPParsers
void RegisterNFSTCPParsers(void)
Definition: app-layer-nfs-tcp.c:46
AppLayerParserRegisterGetEventInfo
void AppLayerParserRegisterGetEventInfo(uint8_t ipproto, AppProto alproto, int(*StateGetEventInfo)(const char *event_name, uint8_t *event_id, AppLayerEventType *event_type))
Definition: app-layer-parser.c:565
AppLayerParserProtoCtx_::GetFrameNameById
AppLayerParserGetFrameNameByIdFn GetFrameNameById
Definition: app-layer-parser.c:108
AppLayerParserProtoCtx
struct AppLayerParserProtoCtx_ AppLayerParserProtoCtx
App layer protocol parser context.
AppLayerParserSetup
int AppLayerParserSetup(void)
Definition: app-layer-parser.c:253
SCReturn
#define SCReturn
Definition: util-debug.h:273
RegisterFTPParsers
void RegisterFTPParsers(void)
Definition: app-layer-ftp.c:1259
AppLayerParserRegisterProtocolUnittests
void AppLayerParserRegisterProtocolUnittests(uint8_t ipproto, AppProto alproto, void(*RegisterUnittests)(void))
Definition: app-layer-parser.c:1801
AppLayerGetTxIterState
Definition: app-layer-parser.h:119
AppLayerParserProtoCtx_::StateAlloc
void *(* StateAlloc)(void *, AppProto)
Definition: app-layer-parser.c:80
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:98
RegisterTFTPParsers
void RegisterTFTPParsers(void)
Definition: app-layer-tftp.c:155
FLOW_PROTO_APPLAYER_MAX
#define FLOW_PROTO_APPLAYER_MAX
Definition: flow-private.h:77
APP_LAYER_PARSER_EOF_TC
#define APP_LAYER_PARSER_EOF_TC
Definition: app-layer-parser.h:40
SCReturnUInt
#define SCReturnUInt(x)
Definition: util-debug.h:277
DEBUG_ASSERT_FLOW_LOCKED
#define DEBUG_ASSERT_FLOW_LOCKED(f)
Definition: util-validate.h:99
BOTH_SET_OR_BOTH_UNSET
#define BOTH_SET_OR_BOTH_UNSET(a, b)
Definition: app-layer-parser.c:1643
Frame::len
int64_t len
Definition: app-layer-frames.h:50
name
const char * name
Definition: tm-threads.c:2081
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
AppLayerParserProtoCtx_::StateFree
void(* StateFree)(void *)
Definition: app-layer-parser.c:81
AppLayerParserRegisterGetTxFilesFunc
void AppLayerParserRegisterGetTxFilesFunc(uint8_t ipproto, AppProto alproto, AppLayerGetFileState(*GetTxFiles)(void *, uint8_t))
Definition: app-layer-parser.c:452
AppLayerProtoDetectRegisterProtocol
void AppLayerProtoDetectRegisterProtocol(AppProto alproto, const char *alproto_name)
Registers a protocol for protocol detection phase.
Definition: app-layer-detect-proto.c:1757
AppLayerParserRegisterSetStreamDepthFlag
void AppLayerParserRegisterSetStreamDepthFlag(uint8_t ipproto, AppProto alproto, void(*SetStreamDepthFlag)(void *tx, uint8_t flags))
Definition: app-layer-parser.c:606
APP_LAYER_PARSER_SFRAME_TC
#define APP_LAYER_PARSER_SFRAME_TC
Definition: app-layer-parser.h:43
AppLayerIncParserErrorCounter
void AppLayerIncParserErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:178
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:70
RunmodeIsUnittests
int RunmodeIsUnittests(void)
Definition: suricata.c:255
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:224
APP_LAYER_PARSER_NO_INSPECTION
#define APP_LAYER_PARSER_NO_INSPECTION
Definition: app-layer-parser.h:35
AppLayerParserGetTx
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:1089
g_detect_disabled
int g_detect_disabled
Definition: suricata.c:183
AppLayerParserRegisterParser
int AppLayerParserRegisterParser(uint8_t ipproto, AppProto alproto, uint8_t direction, AppLayerParserFPtr Parser)
Register app layer parser for the protocol.
Definition: app-layer-parser.c:396
app-layer-imap.h
Frame::flags
uint8_t flags
Definition: app-layer-frames.h:45
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:290
AppLayerParserRegisterGetTx
void AppLayerParserRegisterGetTx(uint8_t ipproto, AppProto alproto, void *(StateGetTx)(void *alstate, uint64_t tx_id))
Definition: app-layer-parser.c:510
ConfigAction
ConfigAction
Definition: util-config.h:27
AppLayerErrorGetExceptionPolicy
enum ExceptionPolicy AppLayerErrorGetExceptionPolicy(void)
Definition: app-layer-parser.c:156
AppLayerParserStateSetFlag
void AppLayerParserStateSetFlag(AppLayerParserState *pstate, uint16_t flag)
Definition: app-layer-parser.c:1782
AppLayerParserProtoCtx_::Parser
AppLayerParserFPtr Parser[2]
Definition: app-layer-parser.c:69
app-layer-modbus.h
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: detect.h:1389
AppLayerParserProtoCtx_::StateTransactionFree
void(* StateTransactionFree)(void *, uint64_t)
Definition: app-layer-parser.c:82
app-layer-frames.h
AppLayerParserPreRegister
int AppLayerParserPreRegister(void(*Register)(void))
Definition: app-layer-parser.c:1705
RegisterSSLParsers
void RegisterSSLParsers(void)
Function to register the SSL protocol parser and other functions.
Definition: app-layer-ssl.c:3242
AppLayerParserProtoCtx_::option_flags
uint32_t option_flags
Definition: app-layer-parser.c:114
StreamTcpSetSessionNoReassemblyFlag
void StreamTcpSetSessionNoReassemblyFlag(TcpSession *, char)
disable reassembly
Definition: stream-tcp.c:6698
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1271
AppLayerParserGetFrameNameByIdFn
const char *(* AppLayerParserGetFrameNameByIdFn)(const uint8_t id)
Definition: app-layer-parser.h:135
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:447
suricata-common.h
AppLayerParserCtx_::ctxs
AppLayerParserProtoCtx(* ctxs)[FLOW_PROTO_MAX]
Definition: app-layer-parser.c:126
AppLayerParserGetFrameIdByName
int AppLayerParserGetFrameIdByName(uint8_t ipproto, AppProto alproto, const char *name)
Definition: app-layer-parser.c:1578
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
AppLayerParserProtoCtx_::internal_flags
uint32_t internal_flags
Definition: app-layer-parser.c:117
AppLayerParserRegisterApplyTxConfigFunc
void AppLayerParserRegisterApplyTxConfigFunc(uint8_t ipproto, AppProto alproto, bool(*ApplyTxConfig)(void *state, void *tx, int mode, AppLayerTxConfig))
Definition: app-layer-parser.c:596
AppLayerParserRegisterStateDataFunc
void AppLayerParserRegisterStateDataFunc(uint8_t ipproto, AppProto alproto, AppLayerStateData *(*GetStateData)(void *state))
Definition: app-layer-parser.c:586
FilesPrune
void FilesPrune(FileContainer *fc, const StreamingBufferConfig *sbcfg, const bool trunc)
Definition: util-file.c:1206
AppLayerIncInternalErrorCounter
void AppLayerIncInternalErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:186
AppLayerParserGetTxData
AppLayerTxData * AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx)
Definition: app-layer-parser.c:1163
FatalError
#define FatalError(...)
Definition: util-debug.h:502
AppLayerParserRegisterTxDataFunc
void AppLayerParserRegisterTxDataFunc(uint8_t ipproto, AppProto alproto, AppLayerTxData *(*GetTxData)(void *tx))
Definition: app-layer-parser.c:576
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:297
AppLayerParserGetStreamDepth
uint32_t AppLayerParserGetStreamDepth(const Flow *f)
Definition: app-layer-parser.c:1559
RegisterIMAPParsers
void RegisterIMAPParsers(void)
Definition: app-layer-imap.c:84
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
AppLayerParserProtoCtx_::GetTxFiles
AppLayerGetFileState(* GetTxFiles)(void *, uint8_t)
Definition: app-layer-parser.c:88
util-validate.h
FRAME_STREAM_TYPE
#define FRAME_STREAM_TYPE
Definition: app-layer-frames.h:30
APP_LAYER_PARSER_OPT_ACCEPT_GAPS
#define APP_LAYER_PARSER_OPT_ACCEPT_GAPS
Definition: app-layer-parser.h:46
APP_LAYER_TX_INSPECTED_TS
#define APP_LAYER_TX_INSPECTED_TS
Definition: app-layer-parser.h:56
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:296
AppLayerParserRegisterGetTxIterator
void AppLayerParserRegisterGetTxIterator(uint8_t ipproto, AppProto alproto, AppLayerGetTxIteratorFunc Func)
Definition: app-layer-parser.c:520
AppLayerFramesGetContainer
FramesContainer * AppLayerFramesGetContainer(Flow *f)
Definition: app-layer-parser.c:178
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
AppLayerParserProtoCtx_::complete_ts
int complete_ts
Definition: app-layer-parser.c:94
FLOW_SGH_TOSERVER
#define FLOW_SGH_TOSERVER
Definition: flow.h:71
SCFree
#define SCFree(p)
Definition: util-mem.h:61
ConfNode_
Definition: conf.h:32
Flow_::alstate
void * alstate
Definition: flow.h:477
AppLayerParserPostStreamSetup
void AppLayerParserPostStreamSetup(void)
Definition: app-layer-parser.c:265
Flow_::flags
uint32_t flags
Definition: flow.h:419
AppLayerParserGetDecoderEvents
AppLayerDecoderEvents * AppLayerParserGetDecoderEvents(AppLayerParserState *pstate)
Definition: app-layer-parser.c:825
THREE_SET
#define THREE_SET(a, b, c)
Definition: app-layer-parser.c:1644
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:1008
UTHAppLayerParserStateGetIds
void UTHAppLayerParserStateGetIds(void *ptr, uint64_t *i1, uint64_t *i2, uint64_t *log, uint64_t *min)
Definition: app-layer-parser.c:208
ConfValIsFalse
int ConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:561
RegisterHTPParsers
void RegisterHTPParsers(void)
Register the HTTP protocol and state handling functions to APP layer of the engine.
Definition: app-layer-htp.c:2809
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:76
AppLayerIncTxCounter
void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
Definition: app-layer.c:154
FRAME_FLAG_ENDS_AT_EOF
#define FRAME_FLAG_ENDS_AT_EOF
Definition: app-layer-frames.h:38
RegisterSMTPParsers
void RegisterSMTPParsers(void)
Register the SMTP Protocol parser.
Definition: app-layer-smtp.c:1860
AppLayerParserStateAlloc
AppLayerParserState * AppLayerParserStateAlloc(void)
Definition: app-layer-parser.c:229
SCReturnCT
#define SCReturnCT(x, type)
Definition: util-debug.h:285
AppLayerParserState_::decoder_events
AppLayerDecoderEvents * decoder_events
Definition: app-layer-parser.c:144
AppLayerParserRegisterGetTxCnt
void AppLayerParserRegisterGetTxCnt(uint8_t ipproto, AppProto alproto, uint64_t(*StateGetTxCnt)(void *alstate))
Definition: app-layer-parser.c:500
app-layer-smb.h
AppLayerParserProtoCtx_::StateGetProgress
int(* StateGetProgress)(void *alstate, uint8_t direction)
Definition: app-layer-parser.c:90
AppLayerParserProtocolGetLoggerBits
LoggerId AppLayerParserProtocolGetLoggerBits(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1529
AppLayerParserCtx_
Definition: app-layer-parser.c:125
AppLayerParserRegisterGetEventInfoById
void AppLayerParserRegisterGetEventInfoById(uint8_t ipproto, AppProto alproto, int(*StateGetEventInfoById)(uint8_t event_id, const char **event_name, AppLayerEventType *event_type))
Definition: app-layer-parser.c:543
AppLayerGetTxIteratorFunc
AppLayerGetTxIterTuple(* AppLayerGetTxIteratorFunc)(const uint8_t ipproto, const AppProto alproto, void *alstate, uint64_t min_tx_id, uint64_t max_tx_id, AppLayerGetTxIterState *state)
tx iterator prototype
Definition: app-layer-parser.h:128
g_file_logger_enabled
bool g_file_logger_enabled
Definition: output-file.c:39
likely
#define likely(expr)
Definition: util-optimize.h:32
RegisterHTTP2Parsers
void RegisterHTTP2Parsers(void)
Definition: app-layer-http2.c:56
STREAM_APP_PROGRESS
#define STREAM_APP_PROGRESS(stream)
Definition: stream-tcp-private.h:145
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:58
AppLayerProtoDetectPMRegisterPatternCS
int AppLayerProtoDetectPMRegisterPatternCS(uint8_t ipproto, AppProto alproto, const char *pattern, uint16_t depth, uint16_t offset, uint8_t direction)
Registers a case-sensitive pattern for protocol detection.
Definition: app-layer-detect-proto.c:1639
app-layer-smtp.h
APP_LAYER_PARSER_NO_INSPECTION_PAYLOAD
#define APP_LAYER_PARSER_NO_INSPECTION_PAYLOAD
Definition: app-layer-parser.h:37
FlowChangeProto
int FlowChangeProto(Flow *f)
Check if change proto flag is set for flow.
Definition: flow.c:194
FlowGetDisruptionFlags
uint8_t FlowGetDisruptionFlags(const Flow *f, uint8_t flags)
get 'disruption' flags: GAP/DEPTH/PASS
Definition: flow.c:1125
TcpSession_
Definition: stream-tcp-private.h:283
flow.h
AppLayerParserStateIssetFlag
uint16_t AppLayerParserStateIssetFlag(AppLayerParserState *pstate, uint16_t flag)
Definition: app-layer-parser.c:1790
SCLogNotice
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:237
RegisterNFSUDPParsers
void RegisterNFSUDPParsers(void)
Definition: app-layer-nfs-udp.c:63
FLOW_PROTO_DEFAULT
@ FLOW_PROTO_DEFAULT
Definition: flow-private.h:71
Flow_::file_flags
uint16_t file_flags
Definition: flow.h:421
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:448
ExceptionPolicy
ExceptionPolicy
Definition: util-exception-policy-types.h:25
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
AppLayerParserDestroyProtocolParserLocalStorage
void AppLayerParserDestroyProtocolParserLocalStorage(uint8_t ipproto, AppProto alproto, void *local_data)
Definition: app-layer-parser.c:630
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
AppLayerParserGetTxCnt
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
Definition: app-layer-parser.c:1082
AppLayerProtoDetectConfProtoDetectionEnabled
int AppLayerProtoDetectConfProtoDetectionEnabled(const char *ipproto, const char *alproto)
Given a protocol name, checks if proto detection is enabled in the conf file.
Definition: app-layer-detect-proto.c:1949
SMTPParserCleanup
void SMTPParserCleanup(void)
Free memory allocated for global SMTP parser state.
Definition: app-layer-smtp.c:1915
AppLayerParserHasDecoderEvents
bool AppLayerParserHasDecoderEvents(AppLayerParserState *pstate)
Definition: app-layer-parser.c:1493
AppLayerParserGetFrameIdByNameFn
int(* AppLayerParserGetFrameIdByNameFn)(const char *frame_name)
Definition: app-layer-parser.h:134
AppLayerDecoderEvents_::events
uint8_t * events
Definition: app-layer-events.h:38
AppLayerParserState_::frames
FramesContainer * frames
Definition: app-layer-parser.c:146
StreamTcpSetSessionBypassFlag
void StreamTcpSetSessionBypassFlag(TcpSession *)
enable bypass
Definition: stream-tcp.c:6721
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
app-layer-ssl.h
ARRAY_CAP_STEP
#define ARRAY_CAP_STEP
Definition: app-layer-parser.c:1700
APP_LAYER_TX_INSPECTED_TC
#define APP_LAYER_TX_INSPECTED_TC
Definition: app-layer-parser.h:57
AppLayerParserProtoCtx_::LocalStorageAlloc
void *(* LocalStorageAlloc)(void)
Definition: app-layer-parser.c:83
AppLayerParserGetEventInfo
int AppLayerParserGetEventInfo(uint8_t ipproto, AppProto alproto, const char *event_name, uint8_t *event_id, AppLayerEventType *event_type)
Definition: app-layer-parser.c:1104
app-layer-nfs-tcp.h
APP_LAYER_TX_SKIP_INSPECT_TS
#define APP_LAYER_TX_SKIP_INSPECT_TS
Definition: app-layer-parser.h:53
app-layer.h
AppLayerParserProtoCtx_::first_data_dir
uint8_t first_data_dir
Definition: app-layer-parser.c:76