suricata
app-layer-parser.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Generic App-layer parsing functions.
24  */
25 
26 #include "suricata-common.h"
27 #include "app-layer-parser.h"
28 
29 #include "flow.h"
30 #include "flow-private.h"
31 #include "flow-util.h"
32 
33 #include "app-layer-frames.h"
34 
35 #include "stream-tcp.h"
36 
37 #include "util-validate.h"
38 
39 #include "app-layer.h"
40 #include "app-layer-detect-proto.h"
41 
42 #include "app-layer-ftp.h"
43 #include "app-layer-smtp.h"
44 
45 #include "app-layer-smb.h"
46 #include "app-layer-htp.h"
47 #include "app-layer-ssl.h"
48 #include "app-layer-ssh.h"
49 #include "app-layer-modbus.h"
50 #include "app-layer-dnp3.h"
51 #include "app-layer-nfs-tcp.h"
52 #include "app-layer-nfs-udp.h"
53 #include "app-layer-tftp.h"
54 #include "app-layer-ike.h"
55 #include "app-layer-http2.h"
56 #include "app-layer-imap.h"
57 
58 struct AppLayerParserThreadCtx_ {
59  void *alproto_local_storage[FLOW_PROTO_MAX][ALPROTO_MAX];
60 };
61 
62 
63 /**
64  * \brief App layer protocol parser context.
65  */
66 typedef struct AppLayerParserProtoCtx_
67 {
68  /* 0 - to_server, 1 - to_client. */
69  AppLayerParserFPtr Parser[2];
70 
71  bool logger;
72 
73  /* Indicates the direction the parser is ready to see the data
74  * the first time for a flow. Values accepted -
75  * STREAM_TOSERVER, STREAM_TOCLIENT */
76  uint8_t first_data_dir;
77 
78  uint32_t logger_bits; /**< registered loggers for this proto */
79 
80  void *(*StateAlloc)(void *, AppProto);
81  void (*StateFree)(void *);
82  void (*StateTransactionFree)(void *, uint64_t);
83  void *(*LocalStorageAlloc)(void);
84  void (*LocalStorageFree)(void *);
85 
86  /** get FileContainer reference from the TX. MUST return a non-NULL reference if the TX
87  * has or may have files in the requested direction at some point. */
88  AppLayerGetFileState (*GetTxFiles)(void *, uint8_t);
89 
90  int (*StateGetProgress)(void *alstate, uint8_t direction);
91  uint64_t (*StateGetTxCnt)(void *alstate);
92  void *(*StateGetTx)(void *alstate, uint64_t tx_id);
93  AppLayerGetTxIteratorFunc StateGetTxIterator;
94  int complete_ts;
95  int complete_tc;
96  int (*StateGetEventInfoById)(
97  uint8_t event_id, const char **event_name, AppLayerEventType *event_type);
98  int (*StateGetEventInfo)(
99  const char *event_name, uint8_t *event_id, AppLayerEventType *event_type);
100 
101  AppLayerStateData *(*GetStateData)(void *state);
102  AppLayerTxData *(*GetTxData)(void *tx);
103  bool (*ApplyTxConfig)(void *state, void *tx, int mode, AppLayerTxConfig);
104 
105  void (*SetStreamDepthFlag)(void *tx, uint8_t flags);
106 
107  AppLayerParserGetFrameIdByNameFn GetFrameIdByName;
108  AppLayerParserGetFrameNameByIdFn GetFrameNameById;
109 
110  /* each app-layer has its own value */
111  uint32_t stream_depth;
112 
113  /* Option flags such as supporting gaps or not. */
114  uint32_t option_flags;
115  /* coccinelle: AppLayerParserProtoCtx:option_flags:APP_LAYER_PARSER_OPT_ */
116 
117  uint32_t internal_flags;
118  /* coccinelle: AppLayerParserProtoCtx:internal_flags:APP_LAYER_PARSER_INT_ */
119 
120 #ifdef UNITTESTS
121  void (*RegisterUnittests)(void);
122 #endif
123 } AppLayerParserProtoCtx;
124 
125 typedef struct AppLayerParserCtx_ {
126  AppLayerParserProtoCtx ctxs[FLOW_PROTO_MAX][ALPROTO_MAX];
127 } AppLayerParserCtx;
128 
129 struct AppLayerParserState_ {
130  /* coccinelle: AppLayerParserState:flags:APP_LAYER_PARSER_ */
131  uint16_t flags;
132 
133  /* Indicates the current transaction that is being inspected.
134  * We have a var per direction. */
135  uint64_t inspect_id[2];
136  /* Indicates the current transaction being logged. Unlike inspect_id,
137  * we don't need a var per direction since we don't log a transaction
138  * unless we have the entire transaction. */
139  uint64_t log_id;
140 
141  uint64_t min_id;
142 
143  /* Used to store decoder events. */
144  AppLayerDecoderEvents *decoder_events;
145 
146  FramesContainer *frames;
147 };
148 
149 enum ExceptionPolicy g_applayerparser_error_policy = EXCEPTION_POLICY_NOT_SET;
150 
151 static void AppLayerConfig(void)
152 {
153  g_applayerparser_error_policy = ExceptionPolicyParse("app-layer.error-policy", true);
154 }
155 
156 static void AppLayerParserFramesFreeContainer(FramesContainer *frames)
157 {
158  if (frames != NULL) {
159  FramesFree(&frames->toserver);
160  FramesFree(&frames->toclient);
161  SCFree(frames);
162  }
163 }
164 
165 void AppLayerFramesFreeContainer(Flow *f)
166 {
167  if (f == NULL || f->alparser == NULL || f->alparser->frames == NULL)
168  return;
169  AppLayerParserFramesFreeContainer(f->alparser->frames);
170  f->alparser->frames = NULL;
171 }
172 
173 FramesContainer *AppLayerFramesGetContainer(Flow *f)
174 {
175  if (f == NULL || f->alparser == NULL)
176  return NULL;
177  return f->alparser->frames;
178 }
179 
180 FramesContainer *AppLayerFramesSetupContainer(Flow *f)
181 {
182 #ifdef UNITTESTS
183  if (f == NULL || f->alparser == NULL || (f->proto == IPPROTO_TCP && f->protoctx == NULL))
184  return NULL;
185 #endif
186  DEBUG_VALIDATE_BUG_ON(f == NULL || f->alparser == NULL);
187  if (f->alparser->frames == NULL) {
188  f->alparser->frames = SCCalloc(1, sizeof(FramesContainer));
189  if (f->alparser->frames == NULL) {
190  return NULL;
191  }
192 #ifdef DEBUG
193  f->alparser->frames->toserver.ipproto = f->proto;
194  f->alparser->frames->toserver.alproto = f->alproto;
195  f->alparser->frames->toclient.ipproto = f->proto;
196  f->alparser->frames->toclient.alproto = f->alproto;
197 #endif
198  }
199  return f->alparser->frames;
200 }
201 
202 #ifdef UNITTESTS
203 void UTHAppLayerParserStateGetIds(void *ptr, uint64_t *i1, uint64_t *i2, uint64_t *log, uint64_t *min)
204 {
205  struct AppLayerParserState_ *s = ptr;
206  *i1 = s->inspect_id[0];
207  *i2 = s->inspect_id[1];
208  *log = s->log_id;
209  *min = s->min_id;
210 }
211 #endif
212 
213 /* Static global version of the parser context.
214  * Post 2.0 let's look at changing this to move it out to app-layer.c. */
215 static AppLayerParserCtx alp_ctx;
216 
217 int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto)
218 {
219  uint8_t ipproto_map = FlowGetProtoMapping(ipproto);
220 
221  return (alp_ctx.ctxs[ipproto_map][alproto].StateAlloc != NULL) ? 1 : 0;
222 }
223 
224 AppLayerParserState *AppLayerParserStateAlloc(void)
225 {
226  SCEnter();
227 
228  AppLayerParserState *pstate = (AppLayerParserState *)SCCalloc(1, sizeof(*pstate));
229  if (pstate == NULL)
230  goto end;
231 
232  end:
233  SCReturnPtr(pstate, "AppLayerParserState");
234 }
235 
236 void AppLayerParserStateFree(AppLayerParserState *pstate)
237 {
238  SCEnter();
239 
240  if (pstate->decoder_events != NULL)
241  AppLayerDecoderEventsFreeEvents(&pstate->decoder_events);
242  AppLayerParserFramesFreeContainer(pstate->frames);
243  SCFree(pstate);
244 
245  SCReturn;
246 }
247 
248 int AppLayerParserSetup(void)
249 {
250  SCEnter();
251  memset(&alp_ctx, 0, sizeof(alp_ctx));
252  SCReturnInt(0);
253 }
254 
255 void AppLayerParserPostStreamSetup(void)
256 {
257  /* lets set a default value for stream_depth */
258  for (int flow_proto = 0; flow_proto < FLOW_PROTO_DEFAULT; flow_proto++) {
259  for (AppProto alproto = 0; alproto < ALPROTO_MAX; alproto++) {
260  if (!(alp_ctx.ctxs[flow_proto][alproto].internal_flags &
261  APP_LAYER_PARSER_INT_STREAM_DEPTH_SET)) {
262  alp_ctx.ctxs[flow_proto][alproto].stream_depth =
263  stream_config.reassembly_depth;
264  }
265  }
266  }
267 }
268 
269 int AppLayerParserDeSetup(void)
270 {
271  SCEnter();
272 
273  FTPParserCleanup();
274  SMTPParserCleanup();
275 
276  SCReturnInt(0);
277 }
278 
279 AppLayerParserThreadCtx *AppLayerParserThreadCtxAlloc(void)
280 {
281  SCEnter();
282 
283  AppLayerParserThreadCtx *tctx = SCCalloc(1, sizeof(*tctx));
284  if (tctx == NULL)
285  goto end;
286 
287  for (uint8_t flow_proto = 0; flow_proto < FLOW_PROTO_DEFAULT; flow_proto++) {
288  for (AppProto alproto = 0; alproto < ALPROTO_MAX; alproto++) {
289  uint8_t ipproto = FlowGetReverseProtoMapping(flow_proto);
290 
291  tctx->alproto_local_storage[flow_proto][alproto] =
292  AppLayerParserGetProtocolParserLocalStorage(ipproto, alproto);
293  }
294  }
295 
296  end:
297  SCReturnPtr(tctx, "void *");
298 }
299 
300 void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
301 {
302  SCEnter();
303 
304  for (uint8_t flow_proto = 0; flow_proto < FLOW_PROTO_DEFAULT; flow_proto++) {
305  for (AppProto alproto = 0; alproto < ALPROTO_MAX; alproto++) {
306  uint8_t ipproto = FlowGetReverseProtoMapping(flow_proto);
307 
308  AppLayerParserDestroyProtocolParserLocalStorage(ipproto, alproto,
309  tctx->alproto_local_storage[flow_proto][alproto]);
310  }
311  }
312 
313  SCFree(tctx);
314  SCReturn;
315 }
316 
317 /** \brief check if a parser is enabled in the config
318  * Returns enabled always if: were running unittests
319  */
320 int AppLayerParserConfParserEnabled(const char *ipproto,
321  const char *alproto_name)
322 {
323  SCEnter();
324 
325  int enabled = 1;
326  char param[100];
327  ConfNode *node;
328  int r;
329 
330  if (RunmodeIsUnittests())
331  goto enabled;
332 
333  r = snprintf(param, sizeof(param), "%s%s%s", "app-layer.protocols.",
334  alproto_name, ".enabled");
335  if (r < 0) {
336  FatalError("snprintf failure.");
337  } else if (r > (int)sizeof(param)) {
338  FatalError("buffer not big enough to write param.");
339  }
340 
341  node = ConfGetNode(param);
342  if (node == NULL) {
343  SCLogDebug("Entry for %s not found.", param);
344  r = snprintf(param, sizeof(param), "%s%s%s%s%s", "app-layer.protocols.",
345  alproto_name, ".", ipproto, ".enabled");
346  if (r < 0) {
347  FatalError("snprintf failure.");
348  } else if (r > (int)sizeof(param)) {
349  FatalError("buffer not big enough to write param.");
350  }
351 
352  node = ConfGetNode(param);
353  if (node == NULL) {
354  SCLogDebug("Entry for %s not found.", param);
355  goto enabled;
356  }
357  }
358 
359  if (ConfValIsTrue(node->val)) {
360  goto enabled;
361  } else if (ConfValIsFalse(node->val)) {
362  goto disabled;
363  } else if (strcasecmp(node->val, "detection-only") == 0) {
364  goto disabled;
365  } else {
366  SCLogError("Invalid value found for %s.", param);
367  exit(EXIT_FAILURE);
368  }
369 
370  disabled:
371  enabled = 0;
372  enabled:
373  SCReturnInt(enabled);
374 }
375 
376 /***** Parser related registration *****/
377 
378 int AppLayerParserRegisterParser(uint8_t ipproto, AppProto alproto,
379  uint8_t direction,
380  AppLayerParserFPtr Parser)
381 {
382  SCEnter();
383 
384  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
385  Parser[(direction & STREAM_TOSERVER) ? 0 : 1] = Parser;
386 
387  SCReturnInt(0);
388 }
389 
390 void AppLayerParserRegisterParserAcceptableDataDirection(uint8_t ipproto, AppProto alproto,
391  uint8_t direction)
392 {
393  SCEnter();
394 
395  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].first_data_dir |=
396  (direction & (STREAM_TOSERVER | STREAM_TOCLIENT));
397 
398  SCReturn;
399 }
400 
401 void AppLayerParserRegisterOptionFlags(uint8_t ipproto, AppProto alproto,
402  uint32_t flags)
403 {
404  SCEnter();
405 
406  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].option_flags |= flags;
407 
408  SCReturn;
409 }
410 
411 void AppLayerParserRegisterStateFuncs(uint8_t ipproto, AppProto alproto,
412  void *(*StateAlloc)(void *, AppProto), void (*StateFree)(void *))
413 {
414  SCEnter();
415 
416  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].StateAlloc =
417  StateAlloc;
418  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].StateFree =
419  StateFree;
420 
421  SCReturn;
422 }
423 
424 void AppLayerParserRegisterLocalStorageFunc(uint8_t ipproto, AppProto alproto,
425  void *(*LocalStorageAlloc)(void),
426  void (*LocalStorageFree)(void *))
427 {
428  SCEnter();
429 
430  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].LocalStorageAlloc =
431  LocalStorageAlloc;
432  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].LocalStorageFree =
433  LocalStorageFree;
434 
435  SCReturn;
436 }
437 
438 void AppLayerParserRegisterGetTxFilesFunc(
439  uint8_t ipproto, AppProto alproto, AppLayerGetFileState (*GetTxFiles)(void *, uint8_t))
440 {
441  SCEnter();
442 
443  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetTxFiles = GetTxFiles;
444 
445  SCReturn;
446 }
447 
448 void AppLayerParserRegisterLoggerBits(uint8_t ipproto, AppProto alproto, LoggerId bits)
449 {
450  SCEnter();
451 
452  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].logger_bits = bits;
453 
454  SCReturn;
455 }
456 
457 void AppLayerParserRegisterLogger(uint8_t ipproto, AppProto alproto)
458 {
459  SCEnter();
460 
461  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].logger = true;
462 
463  SCReturn;
464 }
465 
466 void AppLayerParserRegisterGetStateProgressFunc(uint8_t ipproto, AppProto alproto,
467  int (*StateGetProgress)(void *alstate, uint8_t direction))
468 {
469  SCEnter();
470 
471  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
472  StateGetProgress = StateGetProgress;
473 
474  SCReturn;
475 }
476 
477 void AppLayerParserRegisterTxFreeFunc(uint8_t ipproto, AppProto alproto,
478  void (*StateTransactionFree)(void *, uint64_t))
479 {
480  SCEnter();
481 
482  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
483  StateTransactionFree = StateTransactionFree;
484 
485  SCReturn;
486 }
487 
488 void AppLayerParserRegisterGetTxCnt(uint8_t ipproto, AppProto alproto,
489  uint64_t (*StateGetTxCnt)(void *alstate))
490 {
491  SCEnter();
492 
493  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
494  StateGetTxCnt = StateGetTxCnt;
495 
496  SCReturn;
497 }
498 
499 void AppLayerParserRegisterGetTx(uint8_t ipproto, AppProto alproto,
500  void *(StateGetTx)(void *alstate, uint64_t tx_id))
501 {
502  SCEnter();
503 
504  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
505  StateGetTx = StateGetTx;
506 
507  SCReturn;
508 }
509 
510 void AppLayerParserRegisterGetTxIterator(uint8_t ipproto, AppProto alproto,
511  AppLayerGetTxIteratorFunc Func)
512 {
513  SCEnter();
514  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].StateGetTxIterator = Func;
515  SCReturn;
516 }
517 
518 void AppLayerParserRegisterStateProgressCompletionStatus(
519  AppProto alproto, const int ts, const int tc)
520 {
521  BUG_ON(ts == 0);
522  BUG_ON(tc == 0);
523  BUG_ON(!AppProtoIsValid(alproto));
524  BUG_ON(alp_ctx.ctxs[FLOW_PROTO_DEFAULT][alproto].complete_ts != 0 &&
525  alp_ctx.ctxs[FLOW_PROTO_DEFAULT][alproto].complete_ts != ts);
526  BUG_ON(alp_ctx.ctxs[FLOW_PROTO_DEFAULT][alproto].complete_tc != 0 &&
527  alp_ctx.ctxs[FLOW_PROTO_DEFAULT][alproto].complete_tc != tc);
528 
529  alp_ctx.ctxs[FLOW_PROTO_DEFAULT][alproto].complete_ts = ts;
530  alp_ctx.ctxs[FLOW_PROTO_DEFAULT][alproto].complete_tc = tc;
531 }
532 
533 void AppLayerParserRegisterGetEventInfoById(uint8_t ipproto, AppProto alproto,
534  int (*StateGetEventInfoById)(
535  uint8_t event_id, const char **event_name, AppLayerEventType *event_type))
536 {
537  SCEnter();
538 
539  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
540  StateGetEventInfoById = StateGetEventInfoById;
541 
542  SCReturn;
543 }
544 
545 void AppLayerParserRegisterGetFrameFuncs(uint8_t ipproto, AppProto alproto,
546  AppLayerParserGetFrameIdByNameFn GetIdByNameFunc,
547  AppLayerParserGetFrameNameByIdFn GetNameByIdFunc)
548 {
549  SCEnter();
550  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetFrameIdByName = GetIdByNameFunc;
551  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetFrameNameById = GetNameByIdFunc;
552  SCReturn;
553 }
554 
555 void AppLayerParserRegisterGetEventInfo(uint8_t ipproto, AppProto alproto,
556  int (*StateGetEventInfo)(
557  const char *event_name, uint8_t *event_id, AppLayerEventType *event_type))
558 {
559  SCEnter();
560 
561  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
562  StateGetEventInfo = StateGetEventInfo;
563 
564  SCReturn;
565 }
566 
567 void AppLayerParserRegisterTxDataFunc(uint8_t ipproto, AppProto alproto,
568  AppLayerTxData *(*GetTxData)(void *tx))
569 {
570  SCEnter();
571 
572  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetTxData = GetTxData;
573 
574  SCReturn;
575 }
576 
577 void AppLayerParserRegisterStateDataFunc(
578  uint8_t ipproto, AppProto alproto, AppLayerStateData *(*GetStateData)(void *state))
579 {
580  SCEnter();
581 
582  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetStateData = GetStateData;
583 
584  SCReturn;
585 }
586 
587 void AppLayerParserRegisterApplyTxConfigFunc(uint8_t ipproto, AppProto alproto,
588  bool (*ApplyTxConfig)(void *state, void *tx, int mode, AppLayerTxConfig))
589 {
590  SCEnter();
591 
592  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].ApplyTxConfig = ApplyTxConfig;
593 
594  SCReturn;
595 }
596 
597 void AppLayerParserRegisterSetStreamDepthFlag(uint8_t ipproto, AppProto alproto,
598  void (*SetStreamDepthFlag)(void *tx, uint8_t flags))
599 {
600  SCEnter();
601 
602  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].SetStreamDepthFlag = SetStreamDepthFlag;
603 
604  SCReturn;
605 }
606 
607 /***** Get and transaction functions *****/
608 
609 void *AppLayerParserGetProtocolParserLocalStorage(uint8_t ipproto, AppProto alproto)
610 {
611  SCEnter();
612  void * r = NULL;
613 
614  if (alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
615  LocalStorageAlloc != NULL)
616  {
617  r = alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
618  LocalStorageAlloc();
619  }
620 
621  SCReturnPtr(r, "void *");
622 }
623 
624 void AppLayerParserDestroyProtocolParserLocalStorage(uint8_t ipproto, AppProto alproto,
625  void *local_data)
626 {
627  SCEnter();
628 
629  if (alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
630  LocalStorageFree != NULL)
631  {
632  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
633  LocalStorageFree(local_data);
634  }
635 
636  SCReturn;
637 }
638 
639 /** \brief default tx iterator
640  *
641  * Used if the app layer parser doesn't register its own iterator.
642  * Simply walks the tx_id space until it finds a tx. Uses 'state' to
643  * keep track of where it left off.
644  *
645  * \retval txptr or NULL if no more txs in list
646  */
647 static AppLayerGetTxIterTuple AppLayerDefaultGetTxIterator(
648  const uint8_t ipproto, const AppProto alproto,
649  void *alstate, uint64_t min_tx_id, uint64_t max_tx_id,
650  AppLayerGetTxIterState *state)
651 {
652  uint64_t ustate = *(uint64_t *)state;
653  uint64_t tx_id = MAX(min_tx_id, ustate);
654  for ( ; tx_id < max_tx_id; tx_id++) {
655  void *tx_ptr = AppLayerParserGetTx(ipproto, alproto, alstate, tx_id);
656  if (tx_ptr != NULL) {
657  ustate = tx_id + 1;
658  *state = *(AppLayerGetTxIterState *)&ustate;
659  AppLayerGetTxIterTuple tuple = {
660  .tx_ptr = tx_ptr,
661  .tx_id = tx_id,
662  .has_next = (tx_id + 1 < max_tx_id),
663  };
664  SCLogDebug("tuple: %p/%"PRIu64"/%s", tuple.tx_ptr, tuple.tx_id,
665  tuple.has_next ? "true" : "false");
666  return tuple;
667  }
668  }
669 
670  AppLayerGetTxIterTuple no_tuple = { NULL, 0, false };
671  return no_tuple;
672 }
673 
674 AppLayerGetTxIteratorFunc AppLayerGetTxIterator(const uint8_t ipproto,
675  const AppProto alproto)
676 {
677  AppLayerGetTxIteratorFunc Func =
678  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].StateGetTxIterator;
679  return Func ? Func : AppLayerDefaultGetTxIterator;
680 }
681 
682 uint64_t AppLayerParserGetTransactionLogId(AppLayerParserState *pstate)
683 {
684  SCEnter();
685 
686  SCReturnCT((pstate == NULL) ? 0 : pstate->log_id, "uint64_t");
687 }
688 
689 void AppLayerParserSetTransactionLogId(AppLayerParserState *pstate, uint64_t tx_id)
690 {
691  SCEnter();
692 
693  if (pstate != NULL)
694  pstate->log_id = tx_id;
695 
696  SCReturn;
697 }
698 
699 uint64_t AppLayerParserGetTransactionInspectId(AppLayerParserState *pstate, uint8_t direction)
700 {
701  SCEnter();
702 
703  if (pstate == NULL)
704  SCReturnCT(0ULL, "uint64_t");
705 
706  SCReturnCT(pstate->inspect_id[(direction & STREAM_TOSERVER) ? 0 : 1], "uint64_t");
707 }
708 
709 inline uint64_t AppLayerParserGetTxDetectFlags(AppLayerTxData *txd, const uint8_t dir)
710 {
711  uint64_t detect_flags =
712  (dir & STREAM_TOSERVER) ? txd->detect_flags_ts : txd->detect_flags_tc;
713  return detect_flags;
714 }
715 
716 static inline void SetTxDetectFlags(AppLayerTxData *txd, const uint8_t dir, const uint64_t detect_flags)
717 {
718  if (dir & STREAM_TOSERVER) {
719  txd->detect_flags_ts = detect_flags;
720  } else {
721  txd->detect_flags_tc = detect_flags;
722  }
723 }
724 
725 static inline uint32_t GetTxLogged(AppLayerTxData *txd)
726 {
727  return txd->logged.flags;
728 }
729 
730 void AppLayerParserSetTransactionInspectId(const Flow *f, AppLayerParserState *pstate,
731  void *alstate, const uint8_t flags,
732  bool tag_txs_as_inspected)
733 {
734  SCEnter();
735 
736  const int direction = (flags & STREAM_TOSERVER) ? 0 : 1;
737  const uint64_t total_txs = AppLayerParserGetTxCnt(f, alstate);
738  uint64_t idx = AppLayerParserGetTransactionInspectId(pstate, flags);
739  const int state_done_progress = AppLayerParserGetStateProgressCompletionStatus(f->alproto, flags);
740  const uint8_t ipproto = f->proto;
741  const AppProto alproto = f->alproto;
742 
743  AppLayerGetTxIteratorFunc IterFunc = AppLayerGetTxIterator(ipproto, alproto);
744  AppLayerGetTxIterState state = { 0 };
745 
746  SCLogDebug("called: %s, tag_txs_as_inspected %s",direction==0?"toserver":"toclient",
747  tag_txs_as_inspected?"true":"false");
748 
749  /* mark all txs as inspected if the applayer progress is
750  * at the 'end state'. */
751  while (1) {
752  AppLayerGetTxIterTuple ires = IterFunc(ipproto, alproto, alstate, idx, total_txs, &state);
753  if (ires.tx_ptr == NULL)
754  break;
755 
756  void *tx = ires.tx_ptr;
757  idx = ires.tx_id;
758 
759  int state_progress = AppLayerParserGetStateProgress(ipproto, alproto, tx, flags);
760  if (state_progress < state_done_progress)
761  break;
762 
763  AppLayerTxData *txd = AppLayerParserGetTxData(ipproto, alproto, tx);
764  if (txd && tag_txs_as_inspected) {
765  uint64_t detect_flags = AppLayerParserGetTxDetectFlags(txd, flags);
766  if ((detect_flags & APP_LAYER_TX_INSPECTED_FLAG) == 0) {
767  detect_flags |= APP_LAYER_TX_INSPECTED_FLAG;
768  SetTxDetectFlags(txd, flags, detect_flags);
769  SCLogDebug("%p/%"PRIu64" in-order tx is done for direction %s. Flag %016"PRIx64,
770  tx, idx, flags & STREAM_TOSERVER ? "toserver" : "toclient", detect_flags);
771  }
772  }
773  idx++;
774  if (!ires.has_next)
775  break;
776  }
777  pstate->inspect_id[direction] = idx;
778  SCLogDebug("inspect_id now %"PRIu64, pstate->inspect_id[direction]);
779 
780  /* if necessary we flag all txs that are complete as 'inspected'
781  * also move inspect_id forward. */
782  if (tag_txs_as_inspected) {
783  /* continue at idx */
784  while (1) {
785  AppLayerGetTxIterTuple ires = IterFunc(ipproto, alproto, alstate, idx, total_txs, &state);
786  if (ires.tx_ptr == NULL)
787  break;
788 
789  void *tx = ires.tx_ptr;
790  /* if we got a higher id than the minimum we requested, we
791  * skipped a bunch of 'null-txs'. Lets see if we can up the
792  * inspect tracker */
793  if (ires.tx_id > idx && pstate->inspect_id[direction] == idx) {
794  pstate->inspect_id[direction] = ires.tx_id;
795  }
796  idx = ires.tx_id;
797 
798  const int state_progress = AppLayerParserGetStateProgress(ipproto, alproto, tx, flags);
799  if (state_progress < state_done_progress)
800  break;
801 
802  /* txd can be NULL for HTTP sessions where the user data alloc failed */
803  AppLayerTxData *txd = AppLayerParserGetTxData(ipproto, alproto, tx);
804  if (likely(txd)) {
805  uint64_t detect_flags = AppLayerParserGetTxDetectFlags(txd, flags);
806  if ((detect_flags & APP_LAYER_TX_INSPECTED_FLAG) == 0) {
807  detect_flags |= APP_LAYER_TX_INSPECTED_FLAG;
808  SetTxDetectFlags(txd, flags, detect_flags);
809  SCLogDebug("%p/%"PRIu64" out of order tx is done for direction %s. Flag %016"PRIx64,
810  tx, idx, flags & STREAM_TOSERVER ? "toserver" : "toclient", detect_flags);
811 
812  SCLogDebug("%p/%"PRIu64" out of order tx. Update inspect_id? %"PRIu64,
813  tx, idx, pstate->inspect_id[direction]);
814  if (pstate->inspect_id[direction]+1 == idx)
815  pstate->inspect_id[direction] = idx;
816  }
817  } else {
818  if (pstate->inspect_id[direction]+1 == idx)
819  pstate->inspect_id[direction] = idx;
820  }
821  if (!ires.has_next)
822  break;
823  idx++;
824  }
825  }
826 
827  SCReturn;
828 }
829 
830 AppLayerDecoderEvents *AppLayerParserGetDecoderEvents(AppLayerParserState *pstate)
831 {
832  SCEnter();
833 
834  SCReturnPtr(pstate->decoder_events,
835  "AppLayerDecoderEvents *");
836 }
837 
838 AppLayerDecoderEvents *AppLayerParserGetEventsByTx(uint8_t ipproto, AppProto alproto,
839  void *tx)
840 {
841  SCEnter();
842 
843  AppLayerDecoderEvents *ptr = NULL;
844 
845  /* Access events via the tx_data. */
846  AppLayerTxData *txd = AppLayerParserGetTxData(ipproto, alproto, tx);
847  if (txd != NULL && txd->events != NULL) {
848  ptr = txd->events;
849  }
850 
851  SCReturnPtr(ptr, "AppLayerDecoderEvents *");
852 }
853 
854 AppLayerGetFileState AppLayerParserGetTxFiles(const Flow *f, void *tx, const uint8_t direction)
855 {
856  SCEnter();
857 
858  if (alp_ctx.ctxs[f->protomap][f->alproto].GetTxFiles != NULL) {
859  return alp_ctx.ctxs[f->protomap][f->alproto].GetTxFiles(tx, direction);
860  }
861 
862  AppLayerGetFileState files = { .fc = NULL, .cfg = NULL };
863  return files;
864 }
865 
866 static void AppLayerParserFileTxHousekeeping(
867  const Flow *f, void *tx, const uint8_t pkt_dir, const bool trunc)
868 {
869  AppLayerGetFileState files = AppLayerParserGetTxFiles(f, tx, pkt_dir);
870  if (files.fc) {
871  FilesPrune(files.fc, files.cfg, trunc);
872  }
873 }
874 
875 #define IS_DISRUPTED(flags) ((flags) & (STREAM_DEPTH | STREAM_GAP))
876 
877 extern int g_detect_disabled;
878 extern bool g_file_logger_enabled;
879 extern bool g_filedata_logger_enabled;
880 
881 /**
882  * \brief remove obsolete (inspected and logged) transactions
883  */
884 void AppLayerParserTransactionsCleanup(Flow *f, const uint8_t pkt_dir)
885 {
886  SCEnter();
887  DEBUG_ASSERT_FLOW_LOCKED(f);
888 
889  AppLayerParserProtoCtx *p = &alp_ctx.ctxs[f->protomap][f->alproto];
890  if (unlikely(p->StateTransactionFree == NULL))
891  SCReturn;
892 
893  const bool has_tx_detect_flags = !g_detect_disabled;
894  const uint8_t ipproto = f->proto;
895  const AppProto alproto = f->alproto;
896  void * const alstate = f->alstate;
897  AppLayerParserState * const alparser = f->alparser;
898 
899  if (alstate == NULL || alparser == NULL)
900  SCReturn;
901 
902  const uint64_t min = alparser->min_id;
903  const uint64_t total_txs = AppLayerParserGetTxCnt(f, alstate);
904  const LoggerId logger_expectation = AppLayerParserProtocolGetLoggerBits(ipproto, alproto);
905  const int tx_end_state_ts = AppLayerParserGetStateProgressCompletionStatus(alproto, STREAM_TOSERVER);
906  const int tx_end_state_tc = AppLayerParserGetStateProgressCompletionStatus(alproto, STREAM_TOCLIENT);
907  const uint8_t ts_disrupt_flags = FlowGetDisruptionFlags(f, STREAM_TOSERVER);
908  const uint8_t tc_disrupt_flags = FlowGetDisruptionFlags(f, STREAM_TOCLIENT);
909 
910  int pkt_dir_trunc = -1;
911 
912  AppLayerGetTxIteratorFunc IterFunc = AppLayerGetTxIterator(ipproto, alproto);
913  AppLayerGetTxIterState state;
914  memset(&state, 0, sizeof(state));
915  uint64_t i = min;
916  uint64_t new_min = min;
917  SCLogDebug("start min %"PRIu64, min);
918  bool skipped = false;
919  // const bool support_files = AppLayerParserSupportsFiles(f->proto, f->alproto);
920 
921  while (1) {
922  AppLayerGetTxIterTuple ires = IterFunc(ipproto, alproto, alstate, i, total_txs, &state);
923  if (ires.tx_ptr == NULL)
924  break;
925 
926  bool tx_skipped = false;
927  void *tx = ires.tx_ptr;
928  i = ires.tx_id; // actual tx id for the tx the IterFunc returned
929 
930  SCLogDebug("%p/%"PRIu64" checking", tx, i);
931  AppLayerTxData *txd = AppLayerParserGetTxData(ipproto, alproto, tx);
932  if (txd != NULL && AppLayerParserHasFilesInDir(txd, pkt_dir)) {
933  if (pkt_dir_trunc == -1)
934  pkt_dir_trunc = IS_DISRUPTED(
935  (pkt_dir == STREAM_TOSERVER) ? ts_disrupt_flags : tc_disrupt_flags);
936  AppLayerParserFileTxHousekeeping(f, tx, pkt_dir, (bool)pkt_dir_trunc);
937  }
938 
939  const int tx_progress_tc =
940  AppLayerParserGetStateProgress(ipproto, alproto, tx, tc_disrupt_flags);
941  if (tx_progress_tc < tx_end_state_tc) {
942  SCLogDebug("%p/%"PRIu64" skipping: tc parser not done", tx, i);
943  skipped = true;
944  goto next;
945  }
946  const int tx_progress_ts =
947  AppLayerParserGetStateProgress(ipproto, alproto, tx, ts_disrupt_flags);
948  if (tx_progress_ts < tx_end_state_ts) {
949  SCLogDebug("%p/%"PRIu64" skipping: ts parser not done", tx, i);
950  skipped = true;
951  goto next;
952  }
953 
954  if (txd && has_tx_detect_flags) {
955  if (!IS_DISRUPTED(ts_disrupt_flags) && f->sgh_toserver != NULL) {
956  uint64_t detect_flags_ts = AppLayerParserGetTxDetectFlags(txd, STREAM_TOSERVER);
957  if (!(detect_flags_ts &
958  (APP_LAYER_TX_INSPECTED_FLAG | APP_LAYER_TX_SKIP_INSPECT_FLAG))) {
959  SCLogDebug("%p/%" PRIu64 " skipping: TS inspect not done: ts:%" PRIx64, tx, i,
960  detect_flags_ts);
961  tx_skipped = true;
962  }
963  }
964  if (!IS_DISRUPTED(tc_disrupt_flags) && f->sgh_toclient != NULL) {
965  uint64_t detect_flags_tc = AppLayerParserGetTxDetectFlags(txd, STREAM_TOCLIENT);
966  if (!(detect_flags_tc &
967  (APP_LAYER_TX_INSPECTED_FLAG | APP_LAYER_TX_SKIP_INSPECT_FLAG))) {
968  SCLogDebug("%p/%" PRIu64 " skipping: TC inspect not done: ts:%" PRIx64, tx, i,
969  detect_flags_tc);
970  tx_skipped = true;
971  }
972  }
973  }
974 
975  if (tx_skipped) {
976  SCLogDebug("%p/%" PRIu64 " tx_skipped", tx, i);
977  skipped = true;
978  goto next;
979  }
980 
981  if (txd && logger_expectation != 0) {
982  LoggerId tx_logged = GetTxLogged(txd);
983  if (tx_logged != logger_expectation) {
984  SCLogDebug("%p/%"PRIu64" skipping: logging not done: want:%"PRIx32", have:%"PRIx32,
985  tx, i, logger_expectation, tx_logged);
986  skipped = true;
987  goto next;
988  }
989  }
990 
991  /* if file logging is enabled, we keep a tx active while some of the files aren't
992  * logged yet. */
993  if (txd) {
994  SCLogDebug("files_opened %u files_logged %u files_stored %u", txd->files_opened,
995  txd->files_logged, txd->files_stored);
996 
997  if (txd->files_opened) {
998  if (g_file_logger_enabled && txd->files_opened != txd->files_logged) {
999  skipped = true;
1000  goto next;
1001  }
1002  if (g_filedata_logger_enabled && txd->files_opened != txd->files_stored) {
1003  skipped = true;
1004  goto next;
1005  }
1006  }
1007  }
1008 
1009  /* if we are here, the tx can be freed. */
1010  p->StateTransactionFree(alstate, i);
1011  SCLogDebug("%p/%"PRIu64" freed", tx, i);
1012 
1013  /* if we didn't skip any tx so far, up the minimum */
1014  SCLogDebug("skipped? %s i %"PRIu64", new_min %"PRIu64, skipped ? "true" : "false", i, new_min);
1015  if (!skipped)
1016  new_min = i + 1;
1017  SCLogDebug("final i %"PRIu64", new_min %"PRIu64, i, new_min);
1018 
1019 next:
1020  if (!ires.has_next) {
1021  /* this was the last tx. See if we skipped any. If not
1022  * we removed all and can update the minimum to the max
1023  * id. */
1024  SCLogDebug("no next: cur tx i %"PRIu64", total %"PRIu64, i, total_txs);
1025  if (!skipped) {
1026  new_min = total_txs;
1027  SCLogDebug("no next: cur tx i %"PRIu64", total %"PRIu64": "
1028  "new_min updated to %"PRIu64, i, total_txs, new_min);
1029  }
1030  break;
1031  }
1032  i++;
1033  }
1034 
1035  /* see if we need to bring all trackers up to date. */
1036  SCLogDebug("update f->alparser->min_id? %"PRIu64" vs %"PRIu64, new_min, alparser->min_id);
1037  if (new_min > alparser->min_id) {
1038  const uint64_t next_id = new_min;
1039  alparser->min_id = next_id;
1040  alparser->inspect_id[0] = MAX(alparser->inspect_id[0], next_id);
1041  alparser->inspect_id[1] = MAX(alparser->inspect_id[1], next_id);
1042  alparser->log_id = MAX(alparser->log_id, next_id);
1043  SCLogDebug("updated f->alparser->min_id %"PRIu64, alparser->min_id);
1044  }
1045  SCReturn;
1046 }
1047 
1048 static inline int StateGetProgressCompletionStatus(const AppProto alproto, const uint8_t flags)
1049 {
1050  if (flags & STREAM_TOSERVER) {
1051  return alp_ctx.ctxs[FLOW_PROTO_DEFAULT][alproto].complete_ts;
1052  } else if (flags & STREAM_TOCLIENT) {
1053  return alp_ctx.ctxs[FLOW_PROTO_DEFAULT][alproto].complete_tc;
1054  } else {
1055  DEBUG_VALIDATE_BUG_ON(1);
1056  return 0;
1057  }
1058 }
1059 
1060 /**
1061  * \brief get the progress value for a tx/protocol
1062  *
1063  * If the stream is disrupted, we return the 'completion' value.
1064  */
1065 int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto,
1066  void *alstate, uint8_t flags)
1067 {
1068  SCEnter();
1069  int r;
1070  if (unlikely(IS_DISRUPTED(flags))) {
1071  r = StateGetProgressCompletionStatus(alproto, flags);
1072  } else {
1073  uint8_t direction = flags & (STREAM_TOCLIENT | STREAM_TOSERVER);
1074  r = alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].StateGetProgress(
1075  alstate, direction);
1076  }
1077  SCReturnInt(r);
1078 }
1079 
1080 uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
1081 {
1082  SCEnter();
1083  uint64_t r = alp_ctx.ctxs[f->protomap][f->alproto].StateGetTxCnt(alstate);
1084  SCReturnCT(r, "uint64_t");
1085 }
1086 
1087 void *AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
1088 {
1089  SCEnter();
1090  void *r = alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].StateGetTx(alstate, tx_id);
1091  SCReturnPtr(r, "void *");
1092 }
1093 
1094 int AppLayerParserGetStateProgressCompletionStatus(AppProto alproto,
1095  uint8_t direction)
1096 {
1097  SCEnter();
1098  int r = StateGetProgressCompletionStatus(alproto, direction);
1099  SCReturnInt(r);
1100 }
1101 
1102 int AppLayerParserGetEventInfo(uint8_t ipproto, AppProto alproto, const char *event_name,
1103  uint8_t *event_id, AppLayerEventType *event_type)
1104 {
1105  SCEnter();
1106  const int ipproto_map = FlowGetProtoMapping(ipproto);
1107  int r = (alp_ctx.ctxs[ipproto_map][alproto].StateGetEventInfo == NULL) ?
1108  -1 : alp_ctx.ctxs[ipproto_map][alproto].StateGetEventInfo(event_name, event_id, event_type);
1109  SCReturnInt(r);
1110 }
1111 
1112 int AppLayerParserGetEventInfoById(uint8_t ipproto, AppProto alproto, uint8_t event_id,
1113  const char **event_name, AppLayerEventType *event_type)
1114 {
1115  SCEnter();
1116  const int ipproto_map = FlowGetProtoMapping(ipproto);
1117  *event_name = (const char *)NULL;
1118  int r = (alp_ctx.ctxs[ipproto_map][alproto].StateGetEventInfoById == NULL) ?
1119  -1 : alp_ctx.ctxs[ipproto_map][alproto].StateGetEventInfoById(event_id, event_name, event_type);
1120  SCReturnInt(r);
1121 }
1122 
1123 uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
1124 {
1125  SCEnter();
1126  uint8_t r = alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].first_data_dir;
1127  SCReturnCT(r, "uint8_t");
1128 }
1129 
1130 uint64_t AppLayerParserGetTransactionActive(const Flow *f,
1131  AppLayerParserState *pstate, uint8_t direction)
1132 {
1133  SCEnter();
1134 
1135  uint64_t active_id;
1136  uint64_t log_id = pstate->log_id;
1137  uint64_t inspect_id = pstate->inspect_id[(direction & STREAM_TOSERVER) ? 0 : 1];
1138  if (alp_ctx.ctxs[f->protomap][f->alproto].logger == true) {
1139  active_id = MIN(log_id, inspect_id);
1140  } else {
1141  active_id = inspect_id;
1142  }
1143 
1144  SCReturnCT(active_id, "uint64_t");
1145 }
1146 
1147 bool AppLayerParserSupportsFiles(uint8_t ipproto, AppProto alproto)
1148 {
1149  // Custom case for only signature-only protocol so far
1150  if (alproto == ALPROTO_HTTP) {
1151  return AppLayerParserSupportsFiles(ipproto, ALPROTO_HTTP1) ||
1152  AppLayerParserSupportsFiles(ipproto, ALPROTO_HTTP2);
1153  }
1154  return alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetTxFiles != NULL;
1155 }
1156 
1157 AppLayerTxData *AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx)
1158 {
1159  SCEnter();
1160  AppLayerTxData *d = alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetTxData(tx);
1161  SCReturnPtr(d, "AppLayerTxData");
1162 }
1163 
1164 AppLayerStateData *AppLayerParserGetStateData(uint8_t ipproto, AppProto alproto, void *state)
1165 {
1166  SCEnter();
1167  if (alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetStateData) {
1168  AppLayerStateData *d =
1169  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetStateData(state);
1170  SCReturnPtr(d, "AppLayerStateData");
1171  }
1172  SCReturnPtr(NULL, "AppLayerStateData");
1173 }
1174 
1175 void AppLayerParserApplyTxConfig(uint8_t ipproto, AppProto alproto,
1176  void *state, void *tx, enum ConfigAction mode, AppLayerTxConfig config)
1177 {
1178  SCEnter();
1179  const int ipproto_map = FlowGetProtoMapping(ipproto);
1180  if (alp_ctx.ctxs[ipproto_map][alproto].ApplyTxConfig) {
1181  alp_ctx.ctxs[ipproto_map][alproto].ApplyTxConfig(state, tx, mode, config);
1182  }
1183  SCReturn;
1184 }
1185 
1186 /***** General *****/
1187 
1188 static inline void SetEOFFlags(AppLayerParserState *pstate, const uint8_t flags)
1189 {
1190  if ((flags & (STREAM_EOF|STREAM_TOSERVER)) == (STREAM_EOF|STREAM_TOSERVER)) {
1191  SCLogDebug("setting APP_LAYER_PARSER_EOF_TS");
1192  AppLayerParserStateSetFlag(pstate, APP_LAYER_PARSER_EOF_TS);
1193  } else if ((flags & (STREAM_EOF|STREAM_TOCLIENT)) == (STREAM_EOF|STREAM_TOCLIENT)) {
1194  SCLogDebug("setting APP_LAYER_PARSER_EOF_TC");
1195  AppLayerParserStateSetFlag(pstate, APP_LAYER_PARSER_EOF_TC);
1196  }
1197 }
1198 
1199 /** \internal
1200  * \brief create/close stream frames
1201  * On first invocation of TCP parser in a direction, create a <alproto>.stream frame.
1202  * On STREAM_EOF, set the final length. */
1203 static void HandleStreamFrames(Flow *f, StreamSlice stream_slice, const uint8_t *input,
1204  const uint32_t input_len, const uint8_t flags)
1205 {
1206  const uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
1207  AppLayerParserState *pstate = f->alparser;
1208 
1209  /* setup the generic stream frame */
1210  if (((direction == 0 && (pstate->flags & APP_LAYER_PARSER_SFRAME_TS) == 0) ||
1211  (direction == 1 && (pstate->flags & APP_LAYER_PARSER_SFRAME_TC) == 0)) &&
1212  input != NULL && f->proto == IPPROTO_TCP) {
1213  Frame *frame = AppLayerFrameGetLastOpenByType(f, direction, FRAME_STREAM_TYPE);
1214  if (frame == NULL) {
1215  int64_t frame_len = -1;
1216  if (flags & STREAM_EOF)
1217  frame_len = input_len;
1218 
1219  frame = AppLayerFrameNewByAbsoluteOffset(
1220  f, &stream_slice, stream_slice.offset, frame_len, direction, FRAME_STREAM_TYPE);
1221  if (frame) {
1222  SCLogDebug("opened: frame %p id %" PRIi64, frame, frame->id);
1223  frame->flags = FRAME_FLAG_ENDS_AT_EOF; // TODO logic is not yet implemented
1224  DEBUG_VALIDATE_BUG_ON(
1225  frame->id != 1); // should always be the first frame that is created
1226  }
1227  if (direction == 0) {
1228  pstate->flags |= APP_LAYER_PARSER_SFRAME_TS;
1229  } else {
1230  pstate->flags |= APP_LAYER_PARSER_SFRAME_TC;
1231  }
1232  }
1233  } else if (flags & STREAM_EOF) {
1234  Frame *frame = AppLayerFrameGetLastOpenByType(f, direction, FRAME_STREAM_TYPE);
1235  SCLogDebug("EOF closing: frame %p", frame);
1236  if (frame) {
1237  /* calculate final frame length */
1238  int64_t slice_o = (int64_t)stream_slice.offset - (int64_t)frame->offset;
1239  int64_t frame_len = slice_o + (int64_t)input_len;
1240  SCLogDebug("%s: EOF frame->offset %" PRIu64 " -> %" PRIi64 ": o %" PRIi64,
1241  AppProtoToString(f->alproto), frame->offset, frame_len, slice_o);
1242  frame->len = frame_len;
1243  }
1244  }
1245 }
1246 
1247 static void Setup(Flow *f, const uint8_t direction, const uint8_t *input, uint32_t input_len,
1248  const uint8_t flags, StreamSlice *as)
1249 {
1250  memset(as, 0, sizeof(*as));
1251  as->input = input;
1252  as->input_len = input_len;
1253  as->flags = flags;
1254 
1255  if (f->proto == IPPROTO_TCP && f->protoctx != NULL) {
1256  TcpSession *ssn = f->protoctx;
1257  TcpStream *stream = (direction & STREAM_TOSERVER) ? &ssn->client : &ssn->server;
1258  as->offset = STREAM_APP_PROGRESS(stream);
1259  }
1260 }
1261 
1262 /** \retval int -1 in case of unrecoverable error. App-layer tracking stops for this flow.
1263  * \retval int 0 ok: we did not update app_progress
1264  * \retval int 1 ok: we updated app_progress */
1265 int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto,
1266  uint8_t flags, const uint8_t *input, uint32_t input_len)
1267 {
1268  SCEnter();
1269 #ifdef DEBUG_VALIDATION
1270  BUG_ON(f->protomap != FlowGetProtoMapping(f->proto));
1271 #endif
1272  AppLayerParserState *pstate = f->alparser;
1273  AppLayerParserProtoCtx *p = &alp_ctx.ctxs[f->protomap][alproto];
1274  StreamSlice stream_slice;
1275  void *alstate = NULL;
1276  uint64_t p_tx_cnt = 0;
1277  uint32_t consumed = input_len;
1278  const uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
1279 
1280  /* we don't have the parser registered for this protocol */
1281  if (p->StateAlloc == NULL) {
1282  if (f->proto == IPPROTO_TCP) {
1283  StreamTcpDisableAppLayer(f);
1284  }
1285  goto end;
1286  }
1287 
1288  if (flags & STREAM_GAP) {
1289  if (!(p->option_flags & APP_LAYER_PARSER_OPT_ACCEPT_GAPS)) {
1290  SCLogDebug("app-layer parser does not accept gaps");
1291  if (f->alstate != NULL && !FlowChangeProto(f)) {
1292  AppLayerParserTriggerRawStreamReassembly(f, direction);
1293  }
1294  AppLayerIncGapErrorCounter(tv, f);
1295  goto error;
1296  }
1297  }
1298 
1299  /* Get the parser state (if any) */
1300  if (pstate == NULL) {
1301  f->alparser = pstate = AppLayerParserStateAlloc();
1302  if (pstate == NULL) {
1303  AppLayerIncAllocErrorCounter(tv, f);
1304  goto error;
1305  }
1306  }
1307 
1308  SetEOFFlags(pstate, flags);
1309 
1310  alstate = f->alstate;
1311  if (alstate == NULL || FlowChangeProto(f)) {
1312  f->alstate = alstate = p->StateAlloc(alstate, f->alproto_orig);
1313  if (alstate == NULL) {
1314  AppLayerIncAllocErrorCounter(tv, f);
1315  goto error;
1316  }
1317  SCLogDebug("alloced new app layer state %p (name %s)",
1318  alstate, AppLayerGetProtoName(f->alproto));
1319 
1320  /* set flow flags to state */
1321  if (f->file_flags != 0) {
1322  AppLayerStateData *sd = AppLayerParserGetStateData(f->proto, f->alproto, f->alstate);
1323  if (sd != NULL) {
1324  if ((sd->file_flags & f->file_flags) != f->file_flags) {
1325  SCLogDebug("state data: updating file_flags %04x with flow file_flags %04x",
1326  sd->file_flags, f->file_flags);
1327  sd->file_flags |= f->file_flags;
1328  }
1329  }
1330  }
1331  } else {
1332  SCLogDebug("using existing app layer state %p (name %s))",
1333  alstate, AppLayerGetProtoName(f->alproto));
1334  }
1335 
1336  p_tx_cnt = AppLayerParserGetTxCnt(f, f->alstate);
1337 
1338  /* invoke the recursive parser, but only on data. We may get empty msgs on EOF */
1339  if (input_len > 0 || (flags & STREAM_EOF)) {
1340  Setup(f, flags & (STREAM_TOSERVER | STREAM_TOCLIENT), input, input_len, flags,
1341  &stream_slice);
1342  HandleStreamFrames(f, stream_slice, input, input_len, flags);
1343 
1344 #ifdef DEBUG
1345  if (((stream_slice.flags & STREAM_TOSERVER) &&
1346  stream_slice.offset >= g_eps_applayer_error_offset_ts)) {
1347  SCLogNotice("putting parser %s into an error state from toserver offset %" PRIu64,
1348  AppProtoToString(alproto), g_eps_applayer_error_offset_ts);
1349  AppLayerIncParserErrorCounter(tv, f);
1350  goto error;
1351  }
1352  if (((stream_slice.flags & STREAM_TOCLIENT) &&
1353  stream_slice.offset >= g_eps_applayer_error_offset_tc)) {
1354  SCLogNotice("putting parser %s into an error state from toclient offset %" PRIu64,
1355  AppProtoToString(alproto), g_eps_applayer_error_offset_tc);
1356  AppLayerIncParserErrorCounter(tv, f);
1357  goto error;
1358  }
1359 #endif
1360  /* invoke the parser */
1361  AppLayerResult res = p->Parser[direction](f, alstate, pstate, stream_slice,
1362  alp_tctx->alproto_local_storage[f->protomap][alproto]);
1363  if (res.status < 0) {
1364  AppLayerIncParserErrorCounter(tv, f);
1365  goto error;
1366  } else if (res.status > 0) {
1367  DEBUG_VALIDATE_BUG_ON(res.consumed > input_len);
1368  DEBUG_VALIDATE_BUG_ON(res.needed + res.consumed < input_len);
1369  DEBUG_VALIDATE_BUG_ON(res.needed == 0);
1370  /* incomplete is only supported for TCP */
1371  DEBUG_VALIDATE_BUG_ON(f->proto != IPPROTO_TCP);
1372 
1373  /* put protocol in error state on improper use of the
1374  * return codes. */
1375  if (res.consumed > input_len || res.needed + res.consumed < input_len) {
1376  AppLayerIncInternalErrorCounter(tv, f);
1377  goto error;
1378  }
1379 
1380  if (f->proto == IPPROTO_TCP && f->protoctx != NULL) {
1381  TcpSession *ssn = f->protoctx;
1382  SCLogDebug("direction %d/%s", direction,
1383  (flags & STREAM_TOSERVER) ? "toserver" : "toclient");
1384  if (direction == 0) {
1385  /* parser told us how much data it needs on top of what it
1386  * consumed. So we need tell stream engine how much we need
1387  * before the next call */
1388  ssn->client.data_required = res.needed;
1389  SCLogDebug("setting data_required %u", ssn->client.data_required);
1390  } else {
1391  /* parser told us how much data it needs on top of what it
1392  * consumed. So we need tell stream engine how much we need
1393  * before the next call */
1394  ssn->server.data_required = res.needed;
1395  SCLogDebug("setting data_required %u", ssn->server.data_required);
1396  }
1397  }
1398  consumed = res.consumed;
1399  }
1400  }
1401 
1402  /* set the packets to no inspection and reassembly if required */
1403  if (pstate->flags & APP_LAYER_PARSER_NO_INSPECTION) {
1404  AppLayerParserSetEOF(pstate);
1405 
1406  if (f->proto == IPPROTO_TCP) {
1407  StreamTcpDisableAppLayer(f);
1408 
1409  /* Set the no reassembly flag for both the stream in this TcpSession */
1410  if (pstate->flags & APP_LAYER_PARSER_NO_REASSEMBLY) {
1411  /* Used only if it's TCP */
1412  TcpSession *ssn = f->protoctx;
1413  if (ssn != NULL) {
1414  StreamTcpSetSessionNoReassemblyFlag(ssn, 0);
1415  StreamTcpSetSessionNoReassemblyFlag(ssn, 1);
1416  }
1417  }
1418  /* Set the bypass flag for both the stream in this TcpSession */
1419  if (pstate->flags & APP_LAYER_PARSER_BYPASS_READY) {
1420  /* Used only if it's TCP */
1421  TcpSession *ssn = f->protoctx;
1422  if (ssn != NULL) {
1423  StreamTcpSetSessionBypassFlag(ssn);
1424  }
1425  }
1426  } else {
1427  // for TCP, this is set after flushing
1428  FlowSetNoPayloadInspectionFlag(f);
1429  }
1430  }
1431 
1432  /* In cases like HeartBleed for TLS we need to inspect AppLayer but not Payload */
1433  if (!(f->flags & FLOW_NOPAYLOAD_INSPECTION) && pstate->flags & APP_LAYER_PARSER_NO_INSPECTION_PAYLOAD) {
1434  FlowSetNoPayloadInspectionFlag(f);
1435  /* Set the no reassembly flag for both the stream in this TcpSession */
1436  if (f->proto == IPPROTO_TCP) {
1437  /* Used only if it's TCP */
1438  TcpSession *ssn = f->protoctx;
1439  if (ssn != NULL) {
1440  StreamTcpSetDisableRawReassemblyFlag(ssn, 0);
1441  StreamTcpSetDisableRawReassemblyFlag(ssn, 1);
1442  }
1443  }
1444  }
1445 
1446  /* get the diff in tx cnt for stats keeping */
1447  uint64_t cur_tx_cnt = AppLayerParserGetTxCnt(f, f->alstate);
1448  if (cur_tx_cnt > p_tx_cnt && tv) {
1449  AppLayerIncTxCounter(tv, f, cur_tx_cnt - p_tx_cnt);
1450  }
1451 
1452  end:
1453  /* update app progress */
1454  if (consumed != input_len && f->proto == IPPROTO_TCP && f->protoctx != NULL) {
1455  TcpSession *ssn = f->protoctx;
1456  StreamTcpUpdateAppLayerProgress(ssn, direction, consumed);
1457  SCReturnInt(1);
1458  }
1459 
1460  SCReturnInt(0);
1461  error:
1462  /* Set the no app layer inspection flag for both
1463  * the stream in this Flow */
1464  if (f->proto == IPPROTO_TCP) {
1465  StreamTcpDisableAppLayer(f);
1466  }
1467  AppLayerParserSetEOF(pstate);
1468  SCReturnInt(-1);
1469 }
1470 
1471 void AppLayerParserSetEOF(AppLayerParserState *pstate)
1472 {
1473  SCEnter();
1474 
1475  if (pstate == NULL)
1476  goto end;
1477 
1478  SCLogDebug("setting APP_LAYER_PARSER_EOF_TC and APP_LAYER_PARSER_EOF_TS");
1479  AppLayerParserStateSetFlag(pstate, (APP_LAYER_PARSER_EOF_TS|APP_LAYER_PARSER_EOF_TC));
1480 
1481  end:
1482  SCReturn;
1483 }
1484 
1485 /* return true if there are app parser decoder events. These are
1486  * only the ones that are set during protocol detection. */
1487 bool AppLayerParserHasDecoderEvents(AppLayerParserState *pstate)
1488 {
1489  SCEnter();
1490 
1491  if (pstate == NULL)
1492  return false;
1493 
1494  const AppLayerDecoderEvents *decoder_events = AppLayerParserGetDecoderEvents(pstate);
1495  if (decoder_events && decoder_events->cnt)
1496  return true;
1497 
1498  /* if we have reached here, we don't have events */
1499  return false;
1500 }
1501 
1502 /** \brief simple way to globally test if a alproto is registered
1503  * and fully enabled in the configuration.
1504  */
1505 int AppLayerParserIsEnabled(AppProto alproto)
1506 {
1507  for (int i = 0; i < FLOW_PROTO_APPLAYER_MAX; i++) {
1508  if (alp_ctx.ctxs[i][alproto].StateGetProgress != NULL) {
1509  return 1;
1510  }
1511  }
1512  return 0;
1513 }
1514 
1515 int AppLayerParserProtocolHasLogger(uint8_t ipproto, AppProto alproto)
1516 {
1517  SCEnter();
1518  int ipproto_map = FlowGetProtoMapping(ipproto);
1519  int r = (alp_ctx.ctxs[ipproto_map][alproto].logger == false) ? 0 : 1;
1520  SCReturnInt(r);
1521 }
1522 
1523 LoggerId AppLayerParserProtocolGetLoggerBits(uint8_t ipproto, AppProto alproto)
1524 {
1525  SCEnter();
1526  const int ipproto_map = FlowGetProtoMapping(ipproto);
1527  LoggerId r = alp_ctx.ctxs[ipproto_map][alproto].logger_bits;
1528  SCReturnUInt(r);
1529 }
1530 
1531 void AppLayerParserTriggerRawStreamReassembly(Flow *f, int direction)
1532 {
1533  SCEnter();
1534 
1535  SCLogDebug("f %p tcp %p direction %d", f, f ? f->protoctx : NULL, direction);
1536  if (f != NULL && f->protoctx != NULL)
1537  StreamTcpReassembleTriggerRawReassembly(f->protoctx, direction);
1538 
1539  SCReturn;
1540 }
1541 
1542 void AppLayerParserSetStreamDepth(uint8_t ipproto, AppProto alproto, uint32_t stream_depth)
1543 {
1544  SCEnter();
1545 
1546  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].stream_depth = stream_depth;
1547  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].internal_flags |=
1548  APP_LAYER_PARSER_INT_STREAM_DEPTH_SET;
1549 
1550  SCReturn;
1551 }
1552 
1553 uint32_t AppLayerParserGetStreamDepth(const Flow *f)
1554 {
1555  SCReturnInt(alp_ctx.ctxs[f->protomap][f->alproto].stream_depth);
1556 }
1557 
1558 void AppLayerParserSetStreamDepthFlag(uint8_t ipproto, AppProto alproto, void *state, uint64_t tx_id, uint8_t flags)
1559 {
1560  SCEnter();
1561  void *tx = NULL;
1562  if (state != NULL) {
1563  if ((tx = AppLayerParserGetTx(ipproto, alproto, state, tx_id)) != NULL) {
1564  if (alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].SetStreamDepthFlag != NULL) {
1565  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].SetStreamDepthFlag(tx, flags);
1566  }
1567  }
1568  }
1569  SCReturn;
1570 }
1571 
1572 int AppLayerParserGetFrameIdByName(uint8_t ipproto, AppProto alproto, const char *name)
1573 {
1574  if (alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetFrameIdByName != NULL) {
1575  return alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetFrameIdByName(name);
1576  } else {
1577  return -1;
1578  }
1579 }
1580 
1581 const char *AppLayerParserGetFrameNameById(uint8_t ipproto, AppProto alproto, const uint8_t id)
1582 {
1583  if (alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetFrameNameById != NULL) {
1584  return alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetFrameNameById(id);
1585  } else {
1586  return NULL;
1587  }
1588 }
1589 
1590 /***** Cleanup *****/
1591 
1592 void AppLayerParserStateProtoCleanup(
1593  uint8_t protomap, AppProto alproto, void *alstate, AppLayerParserState *pstate)
1594 {
1595  SCEnter();
1596 
1597  AppLayerParserProtoCtx *ctx = &alp_ctx.ctxs[protomap][alproto];
1598 
1599  if (ctx->StateFree != NULL && alstate != NULL)
1600  ctx->StateFree(alstate);
1601 
1602  /* free the app layer parser api state */
1603  if (pstate != NULL)
1604  AppLayerParserStateFree(pstate);
1605 
1606  SCReturn;
1607 }
1608 
1609 void AppLayerParserStateCleanup(const Flow *f, void *alstate, AppLayerParserState *pstate)
1610 {
1611  AppLayerParserStateProtoCleanup(f->protomap, f->alproto, alstate, pstate);
1612 }
1613 
1614 static void ValidateParserProtoDump(AppProto alproto, uint8_t ipproto)
1615 {
1616  uint8_t map = FlowGetProtoMapping(ipproto);
1617  const AppLayerParserProtoCtx *ctx = &alp_ctx.ctxs[map][alproto];
1618  printf("ERROR: incomplete app-layer registration\n");
1619  printf("AppLayer protocol %s ipproto %u\n", AppProtoToString(alproto), ipproto);
1620  printf("- option flags %"PRIx32"\n", ctx->option_flags);
1621  printf("- first_data_dir %"PRIx8"\n", ctx->first_data_dir);
1622  printf("Mandatory:\n");
1623  printf("- Parser[0] %p Parser[1] %p\n", ctx->Parser[0], ctx->Parser[1]);
1624  printf("- StateAlloc %p StateFree %p\n", ctx->StateAlloc, ctx->StateFree);
1625  printf("- StateGetTx %p StateGetTxCnt %p StateTransactionFree %p\n",
1626  ctx->StateGetTx, ctx->StateGetTxCnt, ctx->StateTransactionFree);
1627  printf("- GetTxData %p\n", ctx->GetTxData);
1628  printf("- GetStateData %p\n", ctx->GetStateData);
1629  printf("- StateGetProgress %p\n", ctx->StateGetProgress);
1630  printf("Optional:\n");
1631  printf("- LocalStorageAlloc %p LocalStorageFree %p\n", ctx->LocalStorageAlloc, ctx->LocalStorageFree);
1632  printf("- StateGetEventInfo %p StateGetEventInfoById %p\n", ctx->StateGetEventInfo,
1633  ctx->StateGetEventInfoById);
1634 }
1635 
1636 #define BOTH_SET(a, b) ((a) != NULL && (b) != NULL)
1637 #define BOTH_SET_OR_BOTH_UNSET(a, b) (((a) == NULL && (b) == NULL) || ((a) != NULL && (b) != NULL))
1638 #define THREE_SET(a, b, c) ((a) != NULL && (b) != NULL && (c) != NULL)
1639 
1640 static void ValidateParserProto(AppProto alproto, uint8_t ipproto)
1641 {
1642  uint8_t map = FlowGetProtoMapping(ipproto);
1643  const AppLayerParserProtoCtx *ctx = &alp_ctx.ctxs[map][alproto];
1644 
1645  if (ctx->Parser[0] == NULL && ctx->Parser[1] == NULL)
1646  return;
1647 
1648  if (!(BOTH_SET(ctx->Parser[0], ctx->Parser[1]))) {
1649  goto bad;
1650  }
1651  if (!(BOTH_SET(ctx->StateFree, ctx->StateAlloc))) {
1652  goto bad;
1653  }
1654  if (!(THREE_SET(ctx->StateGetTx, ctx->StateGetTxCnt, ctx->StateTransactionFree))) {
1655  goto bad;
1656  }
1657  if (ctx->StateGetProgress == NULL) {
1658  goto bad;
1659  }
1660  /* local storage is optional, but needs both set if used */
1661  if (!(BOTH_SET_OR_BOTH_UNSET(ctx->LocalStorageAlloc, ctx->LocalStorageFree))) {
1662  goto bad;
1663  }
1664  if (ctx->GetTxData == NULL) {
1665  goto bad;
1666  }
1667  if (ctx->GetStateData == NULL) {
1668  goto bad;
1669  }
1670  return;
1671 bad:
1672  ValidateParserProtoDump(alproto, ipproto);
1673  exit(EXIT_FAILURE);
1674 }
1675 #undef BOTH_SET
1676 #undef BOTH_SET_OR_BOTH_UNSET
1677 #undef THREE_SET_OR_THREE_UNSET
1678 #undef THREE_SET
1679 
1680 static void ValidateParser(AppProto alproto)
1681 {
1682  ValidateParserProto(alproto, IPPROTO_TCP);
1683  ValidateParserProto(alproto, IPPROTO_UDP);
1684 }
1685 
1686 static void ValidateParsers(void)
1687 {
1688  AppProto p = 0;
1689  for ( ; p < ALPROTO_MAX; p++) {
1690  ValidateParser(p);
1691  }
1692 }
1693 
1694 void AppLayerParserRegisterProtocolParsers(void)
1695 {
1696  SCEnter();
1697 
1698  AppLayerConfig();
1699 
1700  RegisterHTPParsers();
1701  RegisterSSLParsers();
1702  rs_dcerpc_register_parser();
1703  rs_dcerpc_udp_register_parser();
1704  RegisterSMBParsers();
1705  RegisterFTPParsers();
1706  RegisterSSHParsers();
1707  RegisterSMTPParsers();
1708  SCRegisterDnsUdpParser();
1709  SCRegisterDnsTcpParser();
1710  rs_bittorrent_dht_udp_register_parser();
1711  RegisterModbusParsers();
1712  SCEnipRegisterParsers();
1713  RegisterDNP3Parsers();
1714  RegisterNFSTCPParsers();
1715  RegisterNFSUDPParsers();
1716  rs_register_ntp_parser();
1717  RegisterTFTPParsers();
1718  RegisterIKEParsers();
1719  rs_register_krb5_parser();
1720  rs_dhcp_register_parser();
1721  rs_register_snmp_parser();
1722  rs_sip_register_parser();
1723  rs_quic_register_parser();
1724  rs_websocket_register_parser();
1725  SCRegisterLdapTcpParser();
1726  SCRegisterLdapUdpParser();
1727  rs_template_register_parser();
1728  SCRfbRegisterParser();
1729  SCMqttRegisterParser();
1730  SCRegisterPgsqlParser();
1731  rs_rdp_register_parser();
1732  RegisterHTTP2Parsers();
1733  rs_telnet_register_parser();
1734  RegisterIMAPParsers();
1735 
1736  /** POP3 */
1737  AppLayerProtoDetectRegisterProtocol(ALPROTO_POP3, "pop3");
1738  if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", "pop3")) {
1739  if (AppLayerProtoDetectPMRegisterPatternCS(
1740  IPPROTO_TCP, ALPROTO_POP3, "+OK ", 4, 0, STREAM_TOCLIENT) < 0) {
1741  FatalError("pop3 proto registration failure");
1742  }
1743  } else {
1744  SCLogInfo("Protocol detection and parser disabled for pop3 protocol.");
1745  }
1746 
1747  ValidateParsers();
1748 }
1749 
1750 
1751 /* coccinelle: AppLayerParserStateSetFlag():2,2:APP_LAYER_PARSER_ */
1752 void AppLayerParserStateSetFlag(AppLayerParserState *pstate, uint16_t flag)
1753 {
1754  SCEnter();
1755  pstate->flags |= flag;
1756  SCReturn;
1757 }
1758 
1759 /* coccinelle: AppLayerParserStateIssetFlag():2,2:APP_LAYER_PARSER_ */
1760 uint16_t AppLayerParserStateIssetFlag(AppLayerParserState *pstate, uint16_t flag)
1761 {
1762  SCEnter();
1763  SCReturnUInt(pstate->flags & flag);
1764 }
1765 
1766 /***** Unittests *****/
1767 
1768 #ifdef UNITTESTS
1769 #include "util-unittest-helper.h"
1770 
1771 void AppLayerParserRegisterProtocolUnittests(uint8_t ipproto, AppProto alproto,
1772  void (*RegisterUnittests)(void))
1773 {
1774  SCEnter();
1775  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
1776  RegisterUnittests = RegisterUnittests;
1777  SCReturn;
1778 }
1779 
1780 void AppLayerParserRegisterUnittests(void)
1781 {
1782  SCEnter();
1783 
1784  int ip;
1785  AppProto alproto;
1786  AppLayerParserProtoCtx *ctx;
1787 
1788  for (ip = 0; ip < FLOW_PROTO_DEFAULT; ip++) {
1789  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
1790  ctx = &alp_ctx.ctxs[ip][alproto];
1791  if (ctx->RegisterUnittests == NULL)
1792  continue;
1793  ctx->RegisterUnittests();
1794  }
1795  }
1796 
1797  SCReturn;
1798 }
1799 
1800 #endif
app-layer-nfs-udp.h
AppLayerParserRegisterGetStateProgressFunc
void AppLayerParserRegisterGetStateProgressFunc(uint8_t ipproto, AppProto alproto, int(*StateGetProgress)(void *alstate, uint8_t direction))
Definition: app-layer-parser.c:466
AppLayerParserDeSetup
int AppLayerParserDeSetup(void)
Definition: app-layer-parser.c:269
TcpStream_
Definition: stream-tcp-private.h:106
AppLayerParserProtoCtx_::GetStateData
AppLayerStateData *(* GetStateData)(void *state)
Definition: app-layer-parser.c:101
ts
uint64_t ts
Definition: source-erf-file.c:55
AppLayerParserProtoCtx_::StateGetTxCnt
uint64_t(* StateGetTxCnt)(void *alstate)
Definition: app-layer-parser.c:91
g_applayerparser_error_policy
enum ExceptionPolicy g_applayerparser_error_policy
Definition: app-layer-parser.c:149
AppLayerParserProtoCtx_::logger_bits
uint32_t logger_bits
Definition: app-layer-parser.c:78
AppLayerParserProtoCtx_::complete_tc
int complete_tc
Definition: app-layer-parser.c:95
AppLayerParserProtoCtx_::GetTxData
AppLayerTxData *(* GetTxData)(void *tx)
Definition: app-layer-parser.c:102
app-layer-tftp.h
AppLayerParserCtx_::ctxs
AppLayerParserProtoCtx ctxs[FLOW_PROTO_MAX][ALPROTO_MAX]
Definition: app-layer-parser.c:126
AppLayerParserState_::log_id
uint64_t log_id
Definition: app-layer-parser.c:139
RegisterSMBParsers
void RegisterSMBParsers(void)
Definition: app-layer-smb.c:45
app-layer-ssh.h
RegisterIKEParsers
void RegisterIKEParsers(void)
Definition: app-layer-ike.c:40
AppLayerParserIsEnabled
int AppLayerParserIsEnabled(AppProto alproto)
simple way to globally test if a alproto is registered and fully enabled in the configuration.
Definition: app-layer-parser.c:1505
AppLayerParserRegisterLocalStorageFunc
void AppLayerParserRegisterLocalStorageFunc(uint8_t ipproto, AppProto alproto, void *(*LocalStorageAlloc)(void), void(*LocalStorageFree)(void *))
Definition: app-layer-parser.c:424
BOTH_SET
#define BOTH_SET(a, b)
Definition: app-layer-parser.c:1636
AppLayerParserProtocolHasLogger
int AppLayerParserProtocolHasLogger(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1515
AppLayerParserRegisterOptionFlags
void AppLayerParserRegisterOptionFlags(uint8_t ipproto, AppProto alproto, uint32_t flags)
Definition: app-layer-parser.c:401
flow-util.h
FramesFree
void FramesFree(Frames *frames)
Definition: app-layer-frames.c:437
AppLayerParserSetStreamDepthFlag
void AppLayerParserSetStreamDepthFlag(uint8_t ipproto, AppProto alproto, void *state, uint64_t tx_id, uint8_t flags)
Definition: app-layer-parser.c:1558
AppLayerParserSetTransactionLogId
void AppLayerParserSetTransactionLogId(AppLayerParserState *pstate, uint64_t tx_id)
Definition: app-layer-parser.c:689
g_filedata_logger_enabled
bool g_filedata_logger_enabled
Definition: output-filedata.c:37
AppLayerParserSetStreamDepth
void AppLayerParserSetStreamDepth(uint8_t ipproto, AppProto alproto, uint32_t stream_depth)
Definition: app-layer-parser.c:1542
ConfNode_::val
char * val
Definition: conf.h:34
stream-tcp.h
AppLayerParserApplyTxConfig
void AppLayerParserApplyTxConfig(uint8_t ipproto, AppProto alproto, void *state, void *tx, enum ConfigAction mode, AppLayerTxConfig config)
Definition: app-layer-parser.c:1175
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
AppLayerParserTransactionsCleanup
void AppLayerParserTransactionsCleanup(Flow *f, const uint8_t pkt_dir)
remove obsolete (inspected and logged) transactions
Definition: app-layer-parser.c:884
AppLayerParserGetProtocolParserLocalStorage
void * AppLayerParserGetProtocolParserLocalStorage(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:609
AppLayerParserProtoCtx_::LocalStorageFree
void(* LocalStorageFree)(void *)
Definition: app-layer-parser.c:84
AppLayerParserProtoCtx_
App layer protocol parser context.
Definition: app-layer-parser.c:67
RegisterSSHParsers
void RegisterSSHParsers(void)
Function to register the SSH protocol parsers and other functions.
Definition: app-layer-ssh.c:81
AppLayerParserProtoCtx_::StateGetTx
void *(* StateGetTx)(void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:92
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
AppLayerParserSetTransactionInspectId
void AppLayerParserSetTransactionInspectId(const Flow *f, AppLayerParserState *pstate, void *alstate, const uint8_t flags, bool tag_txs_as_inspected)
Definition: app-layer-parser.c:730
APP_LAYER_PARSER_BYPASS_READY
#define APP_LAYER_PARSER_BYPASS_READY
Definition: app-layer-parser.h:38
AppLayerParserGetEventsByTx
AppLayerDecoderEvents * AppLayerParserGetEventsByTx(uint8_t ipproto, AppProto alproto, void *tx)
Definition: app-layer-parser.c:838
AppLayerGetTxIterator
AppLayerGetTxIteratorFunc AppLayerGetTxIterator(const uint8_t ipproto, const AppProto alproto)
Definition: app-layer-parser.c:674
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
RegisterModbusParsers
void RegisterModbusParsers(void)
Function to register the Modbus protocol parser.
Definition: app-layer-modbus.c:49
Flow_::proto
uint8_t proto
Definition: flow.h:378
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:81
StreamTcpSetDisableRawReassemblyFlag
void StreamTcpSetDisableRawReassemblyFlag(TcpSession *, char)
Set the No reassembly flag for the given direction in given TCP session.
Definition: stream-tcp.c:6670
AppLayerFramesSetupContainer
FramesContainer * AppLayerFramesSetupContainer(Flow *f)
Definition: app-layer-parser.c:180
AppLayerParserConfParserEnabled
int AppLayerParserConfParserEnabled(const char *ipproto, const char *alproto_name)
check if a parser is enabled in the config Returns enabled always if: were running unittests
Definition: app-layer-parser.c:320
AppLayerParserGetStateProgress
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
Definition: app-layer-parser.c:1065
AppLayerParserTriggerRawStreamReassembly
void AppLayerParserTriggerRawStreamReassembly(Flow *f, int direction)
Definition: app-layer-parser.c:1531
ALPROTO_POP3
@ ALPROTO_POP3
Definition: app-layer-protos.h:66
FramesContainer::toserver
Frames toserver
Definition: app-layer-frames.h:72
ConfGetNode
ConfNode * ConfGetNode(const char *name)
Get a ConfNode by name.
Definition: conf.c:181
Frame::offset
uint64_t offset
Definition: app-layer-frames.h:49
TcpStreamCnf_::reassembly_depth
uint32_t reassembly_depth
Definition: stream-tcp.h:65
Frame
Definition: app-layer-frames.h:43
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:356
AppLayerIncGapErrorCounter
void AppLayerIncGapErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:162
APP_LAYER_PARSER_INT_STREAM_DEPTH_SET
#define APP_LAYER_PARSER_INT_STREAM_DEPTH_SET
Definition: app-layer-parser.h:48
StreamTcpReassembleTriggerRawReassembly
void StreamTcpReassembleTriggerRawReassembly(TcpSession *ssn, int direction)
Trigger RAW stream reassembly.
Definition: stream-tcp-reassemble.c:2101
LoggerId
LoggerId
Definition: suricata-common.h:460
Flow_::protomap
uint8_t protomap
Definition: flow.h:450
AppLayerParserGetTransactionLogId
uint64_t AppLayerParserGetTransactionLogId(AppLayerParserState *pstate)
Definition: app-layer-parser.c:682
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:75
ctx
struct Thresholds ctx
AppLayerParserSupportsFiles
bool AppLayerParserSupportsFiles(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1147
AppLayerParserRegisterStateProgressCompletionStatus
void AppLayerParserRegisterStateProgressCompletionStatus(AppProto alproto, const int ts, const int tc)
Definition: app-layer-parser.c:518
AppLayerParserRegisterParserAcceptableDataDirection
void AppLayerParserRegisterParserAcceptableDataDirection(uint8_t ipproto, AppProto alproto, uint8_t direction)
Definition: app-layer-parser.c:390
AppLayerParserGetStateProgressCompletionStatus
int AppLayerParserGetStateProgressCompletionStatus(AppProto alproto, uint8_t direction)
Definition: app-layer-parser.c:1094
AppLayerParserGetFirstDataDir
uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1123
AppLayerParserProtoIsRegistered
int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:217
AppLayerParserRegisterTxFreeFunc
void AppLayerParserRegisterTxFreeFunc(uint8_t ipproto, AppProto alproto, void(*StateTransactionFree)(void *, uint64_t))
Definition: app-layer-parser.c:477
FLOW_NOPAYLOAD_INSPECTION
#define FLOW_NOPAYLOAD_INSPECTION
Definition: flow.h:66
Frame::id
int64_t id
Definition: app-layer-frames.h:51
APP_LAYER_TX_SKIP_INSPECT_FLAG
#define APP_LAYER_TX_SKIP_INSPECT_FLAG
Definition: app-layer-parser.h:78
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:461
AppLayerParserStateProtoCleanup
void AppLayerParserStateProtoCleanup(uint8_t protomap, AppProto alproto, void *alstate, AppLayerParserState *pstate)
Definition: app-layer-parser.c:1592
AppLayerParserProtoCtx_::StateGetTxIterator
AppLayerGetTxIteratorFunc StateGetTxIterator
Definition: app-layer-parser.c:93
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:300
MIN
#define MIN(x, y)
Definition: suricata-common.h:391
AppLayerDecoderEventsFreeEvents
void AppLayerDecoderEventsFreeEvents(AppLayerDecoderEvents **events)
Definition: app-layer-events.c:136
StreamTcpUpdateAppLayerProgress
void StreamTcpUpdateAppLayerProgress(TcpSession *ssn, char direction, const uint32_t progress)
update reassembly progress
Definition: stream-tcp.c:6634
FramesContainer
Definition: app-layer-frames.h:71
APP_LAYER_TX_INSPECTED_FLAG
#define APP_LAYER_TX_INSPECTED_FLAG
Definition: app-layer-parser.h:80
FLOW_PROTO_MAX
@ FLOW_PROTO_MAX
Definition: flow-private.h:74
AppLayerParserGetStateData
AppLayerStateData * AppLayerParserGetStateData(uint8_t ipproto, AppProto alproto, void *state)
Definition: app-layer-parser.c:1164
app-layer-http2.h
app-layer-ftp.h
AppLayerFrameNewByAbsoluteOffset
Frame * AppLayerFrameNewByAbsoluteOffset(Flow *f, const StreamSlice *stream_slice, const uint64_t frame_start, const int64_t len, int dir, uint8_t frame_type)
create new frame using the absolute offset from the start of the stream
Definition: app-layer-frames.c:588
AppLayerFrameGetLastOpenByType
Frame * AppLayerFrameGetLastOpenByType(Flow *f, const int dir, const uint8_t frame_type)
Definition: app-layer-frames.c:702
stream_config
TcpStreamCnf stream_config
Definition: stream-tcp.c:219
MAX
#define MAX(x, y)
Definition: suricata-common.h:395
APP_LAYER_PARSER_EOF_TS
#define APP_LAYER_PARSER_EOF_TS
Definition: app-layer-parser.h:39
ALPROTO_MAX
@ ALPROTO_MAX
Definition: app-layer-protos.h:76
Flow_::protoctx
void * protoctx
Definition: flow.h:446
TcpStream_::data_required
uint32_t data_required
Definition: stream-tcp-private.h:133
AppLayerIncAllocErrorCounter
void AppLayerIncAllocErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:170
EXCEPTION_POLICY_NOT_SET
@ EXCEPTION_POLICY_NOT_SET
Definition: util-exception-policy-types.h:26
ExceptionPolicyParse
enum ExceptionPolicy ExceptionPolicyParse(const char *option, bool support_flow)
Definition: util-exception-policy.c:232
AppLayerParserRegisterUnittests
void AppLayerParserRegisterUnittests(void)
Definition: app-layer-parser.c:1780
AppLayerParserGetTransactionInspectId
uint64_t AppLayerParserGetTransactionInspectId(AppLayerParserState *pstate, uint8_t direction)
Definition: app-layer-parser.c:699
AppLayerDecoderEvents_
Data structure to store app layer decoder events.
Definition: app-layer-events.h:36
AppLayerParserProtoCtx_::ApplyTxConfig
bool(* ApplyTxConfig)(void *state, void *tx, int mode, AppLayerTxConfig)
Definition: app-layer-parser.c:103
FlowGetReverseProtoMapping
uint8_t FlowGetReverseProtoMapping(uint8_t rproto)
Definition: flow-util.c:112
RegisterDNP3Parsers
void RegisterDNP3Parsers(void)
Register the DNP3 application protocol parser.
Definition: app-layer-dnp3.c:1530
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:536
util-unittest-helper.h
AppLayerParserProtoCtx_::StateGetEventInfoById
int(* StateGetEventInfoById)(uint8_t event_id, const char **event_name, AppLayerEventType *event_type)
Definition: app-layer-parser.c:96
FTPParserCleanup
void FTPParserCleanup(void)
Free memory allocated for global FTP parser state.
Definition: app-layer-ftp.c:1479
AppLayerParserGetTxFiles
AppLayerGetFileState AppLayerParserGetTxFiles(const Flow *f, void *tx, const uint8_t direction)
Definition: app-layer-parser.c:854
AppLayerParserState_::flags
uint16_t flags
Definition: app-layer-parser.c:131
Flow_::sgh_toserver
const struct SigGroupHead_ * sgh_toserver
Definition: flow.h:488
AppLayerParserState_::inspect_id
uint64_t inspect_id[2]
Definition: app-layer-parser.c:135
AppLayerParserFPtr
AppLayerResult(* AppLayerParserFPtr)(Flow *f, void *protocol_state, AppLayerParserState *pstate, StreamSlice stream_slice, void *local_storage)
Prototype for parsing functions.
Definition: app-layer-parser.h:140
AppLayerParserCtx
struct AppLayerParserCtx_ AppLayerParserCtx
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:480
AppLayerParserRegisterProtocolParsers
void AppLayerParserRegisterProtocolParsers(void)
Definition: app-layer-parser.c:1694
app-layer-detect-proto.h
APP_LAYER_PARSER_SFRAME_TS
#define APP_LAYER_PARSER_SFRAME_TS
Definition: app-layer-parser.h:42
app-layer-htp.h
FramesContainer::toclient
Frames toclient
Definition: app-layer-frames.h:73
AppLayerParserProtoCtx_::stream_depth
uint32_t stream_depth
Definition: app-layer-parser.c:111
AppLayerParserState_
Definition: app-layer-parser.c:129
AppLayerParserGetEventInfoById
int AppLayerParserGetEventInfoById(uint8_t ipproto, AppProto alproto, uint8_t event_id, const char **event_name, AppLayerEventType *event_type)
Definition: app-layer-parser.c:1112
AppLayerParserProtoCtx_::GetFrameIdByName
AppLayerParserGetFrameIdByNameFn GetFrameIdByName
Definition: app-layer-parser.c:107
AppLayerParserGetFrameNameById
const char * AppLayerParserGetFrameNameById(uint8_t ipproto, AppProto alproto, const uint8_t id)
Definition: app-layer-parser.c:1581
AppLayerParserGetTransactionActive
uint64_t AppLayerParserGetTransactionActive(const Flow *f, AppLayerParserState *pstate, uint8_t direction)
Definition: app-layer-parser.c:1130
AppLayerParserProtoCtx_::logger
bool logger
Definition: app-layer-parser.c:71
app-layer-ike.h
AppLayerFramesFreeContainer
void AppLayerFramesFreeContainer(Flow *f)
Definition: app-layer-parser.c:165
app-layer-dnp3.h
AppLayerParserGetTxDetectFlags
uint64_t AppLayerParserGetTxDetectFlags(AppLayerTxData *txd, const uint8_t dir)
Definition: app-layer-parser.c:709
AppLayerParserProtoCtx_::StateGetEventInfo
int(* StateGetEventInfo)(const char *event_name, uint8_t *event_id, AppLayerEventType *event_type)
Definition: app-layer-parser.c:98
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
AppLayerParserRegisterLogger
void AppLayerParserRegisterLogger(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:457
AppLayerParserRegisterGetFrameFuncs
void AppLayerParserRegisterGetFrameFuncs(uint8_t ipproto, AppProto alproto, AppLayerParserGetFrameIdByNameFn GetIdByNameFunc, AppLayerParserGetFrameNameByIdFn GetNameByIdFunc)
Definition: app-layer-parser.c:545
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
AppLayerParserProtoCtx_::SetStreamDepthFlag
void(* SetStreamDepthFlag)(void *tx, uint8_t flags)
Definition: app-layer-parser.c:105
AppLayerParserState_::min_id
uint64_t min_id
Definition: app-layer-parser.c:141
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
AppLayerParserRegisterLoggerBits
void AppLayerParserRegisterLoggerBits(uint8_t ipproto, AppProto alproto, LoggerId bits)
Definition: app-layer-parser.c:448
AppLayerParserRegisterStateFuncs
void AppLayerParserRegisterStateFuncs(uint8_t ipproto, AppProto alproto, void *(*StateAlloc)(void *, AppProto), void(*StateFree)(void *))
Definition: app-layer-parser.c:411
FLOW_PROTO_DEFAULT
@ FLOW_PROTO_DEFAULT
Definition: flow-private.h:71
APP_LAYER_PARSER_NO_REASSEMBLY
#define APP_LAYER_PARSER_NO_REASSEMBLY
Definition: app-layer-parser.h:36
IS_DISRUPTED
#define IS_DISRUPTED(flags)
Definition: app-layer-parser.c:875
AppLayerParserSetEOF
void AppLayerParserSetEOF(AppLayerParserState *pstate)
Definition: app-layer-parser.c:1471
AppLayerParserProtoCtx_::RegisterUnittests
void(* RegisterUnittests)(void)
Definition: app-layer-parser.c:121
AppLayerParserStateFree
void AppLayerParserStateFree(AppLayerParserState *pstate)
Definition: app-layer-parser.c:236
app-layer-parser.h
AppLayerParserStateCleanup
void AppLayerParserStateCleanup(const Flow *f, void *alstate, AppLayerParserState *pstate)
Definition: app-layer-parser.c:1609
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:300
AppLayerDecoderEvents_::cnt
uint8_t cnt
Definition: app-layer-events.h:40
Flow_::sgh_toclient
const struct SigGroupHead_ * sgh_toclient
Definition: flow.h:485
RegisterNFSTCPParsers
void RegisterNFSTCPParsers(void)
Definition: app-layer-nfs-tcp.c:46
AppLayerParserRegisterGetEventInfo
void AppLayerParserRegisterGetEventInfo(uint8_t ipproto, AppProto alproto, int(*StateGetEventInfo)(const char *event_name, uint8_t *event_id, AppLayerEventType *event_type))
Definition: app-layer-parser.c:555
AppLayerParserProtoCtx_::GetFrameNameById
AppLayerParserGetFrameNameByIdFn GetFrameNameById
Definition: app-layer-parser.c:108
AppLayerParserProtoCtx
struct AppLayerParserProtoCtx_ AppLayerParserProtoCtx
App layer protocol parser context.
AppLayerParserSetup
int AppLayerParserSetup(void)
Definition: app-layer-parser.c:248
SCReturn
#define SCReturn
Definition: util-debug.h:273
RegisterFTPParsers
void RegisterFTPParsers(void)
Definition: app-layer-ftp.c:1345
AppLayerParserRegisterProtocolUnittests
void AppLayerParserRegisterProtocolUnittests(uint8_t ipproto, AppProto alproto, void(*RegisterUnittests)(void))
Definition: app-layer-parser.c:1771
AppLayerGetTxIterState
Definition: app-layer-parser.h:143
AppLayerParserProtoCtx_::StateAlloc
void *(* StateAlloc)(void *, AppProto)
Definition: app-layer-parser.c:80
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:98
RegisterTFTPParsers
void RegisterTFTPParsers(void)
Definition: app-layer-tftp.c:155
FLOW_PROTO_APPLAYER_MAX
#define FLOW_PROTO_APPLAYER_MAX
Definition: flow-private.h:77
APP_LAYER_PARSER_EOF_TC
#define APP_LAYER_PARSER_EOF_TC
Definition: app-layer-parser.h:40
SCReturnUInt
#define SCReturnUInt(x)
Definition: util-debug.h:277
DEBUG_ASSERT_FLOW_LOCKED
#define DEBUG_ASSERT_FLOW_LOCKED(f)
Definition: util-validate.h:99
BOTH_SET_OR_BOTH_UNSET
#define BOTH_SET_OR_BOTH_UNSET(a, b)
Definition: app-layer-parser.c:1637
AppLayerParserThreadCtx_::alproto_local_storage
void * alproto_local_storage[FLOW_PROTO_MAX][ALPROTO_MAX]
Definition: app-layer-parser.c:59
Frame::len
int64_t len
Definition: app-layer-frames.h:50
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
AppLayerParserProtoCtx_::StateFree
void(* StateFree)(void *)
Definition: app-layer-parser.c:81
AppLayerParserRegisterGetTxFilesFunc
void AppLayerParserRegisterGetTxFilesFunc(uint8_t ipproto, AppProto alproto, AppLayerGetFileState(*GetTxFiles)(void *, uint8_t))
Definition: app-layer-parser.c:438
AppLayerProtoDetectRegisterProtocol
void AppLayerProtoDetectRegisterProtocol(AppProto alproto, const char *alproto_name)
Registers a protocol for protocol detection phase.
Definition: app-layer-detect-proto.c:1761
AppLayerParserRegisterSetStreamDepthFlag
void AppLayerParserRegisterSetStreamDepthFlag(uint8_t ipproto, AppProto alproto, void(*SetStreamDepthFlag)(void *tx, uint8_t flags))
Definition: app-layer-parser.c:597
APP_LAYER_PARSER_SFRAME_TC
#define APP_LAYER_PARSER_SFRAME_TC
Definition: app-layer-parser.h:43
AppLayerIncParserErrorCounter
void AppLayerIncParserErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:178
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:64
RunmodeIsUnittests
int RunmodeIsUnittests(void)
Definition: suricata.c:251
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:224
APP_LAYER_PARSER_NO_INSPECTION
#define APP_LAYER_PARSER_NO_INSPECTION
Definition: app-layer-parser.h:35
AppLayerParserGetTx
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:1087
g_detect_disabled
int g_detect_disabled
Definition: suricata.c:183
AppLayerParserRegisterParser
int AppLayerParserRegisterParser(uint8_t ipproto, AppProto alproto, uint8_t direction, AppLayerParserFPtr Parser)
Register app layer parser for the protocol.
Definition: app-layer-parser.c:378
app-layer-imap.h
Frame::flags
uint8_t flags
Definition: app-layer-frames.h:45
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:279
AppLayerParserRegisterGetTx
void AppLayerParserRegisterGetTx(uint8_t ipproto, AppProto alproto, void *(StateGetTx)(void *alstate, uint64_t tx_id))
Definition: app-layer-parser.c:499
ConfigAction
ConfigAction
Definition: util-config.h:27
AppLayerParserStateSetFlag
void AppLayerParserStateSetFlag(AppLayerParserState *pstate, uint16_t flag)
Definition: app-layer-parser.c:1752
AppLayerParserProtoCtx_::Parser
AppLayerParserFPtr Parser[2]
Definition: app-layer-parser.c:69
app-layer-modbus.h
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: detect.h:1367
AppLayerParserProtoCtx_::StateTransactionFree
void(* StateTransactionFree)(void *, uint64_t)
Definition: app-layer-parser.c:82
app-layer-frames.h
RegisterSSLParsers
void RegisterSSLParsers(void)
Function to register the SSL protocol parser and other functions.
Definition: app-layer-ssl.c:3207
AppLayerParserProtoCtx_::option_flags
uint32_t option_flags
Definition: app-layer-parser.c:114
StreamTcpSetSessionNoReassemblyFlag
void StreamTcpSetSessionNoReassemblyFlag(TcpSession *, char)
disable reassembly
Definition: stream-tcp.c:6654
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1265
AppLayerParserGetFrameNameByIdFn
const char *(* AppLayerParserGetFrameNameByIdFn)(const uint8_t id)
Definition: app-layer-parser.h:159
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:446
suricata-common.h
AppLayerParserGetFrameIdByName
int AppLayerParserGetFrameIdByName(uint8_t ipproto, AppProto alproto, const char *name)
Definition: app-layer-parser.c:1572
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
AppLayerParserProtoCtx_::internal_flags
uint32_t internal_flags
Definition: app-layer-parser.c:117
AppLayerParserRegisterApplyTxConfigFunc
void AppLayerParserRegisterApplyTxConfigFunc(uint8_t ipproto, AppProto alproto, bool(*ApplyTxConfig)(void *state, void *tx, int mode, AppLayerTxConfig))
Definition: app-layer-parser.c:587
AppLayerParserRegisterStateDataFunc
void AppLayerParserRegisterStateDataFunc(uint8_t ipproto, AppProto alproto, AppLayerStateData *(*GetStateData)(void *state))
Definition: app-layer-parser.c:577
FilesPrune
void FilesPrune(FileContainer *fc, const StreamingBufferConfig *sbcfg, const bool trunc)
Definition: util-file.c:1207
AppLayerIncInternalErrorCounter
void AppLayerIncInternalErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:186
AppLayerParserGetTxData
AppLayerTxData * AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx)
Definition: app-layer-parser.c:1157
FatalError
#define FatalError(...)
Definition: util-debug.h:502
AppLayerParserRegisterTxDataFunc
void AppLayerParserRegisterTxDataFunc(uint8_t ipproto, AppProto alproto, AppLayerTxData *(*GetTxData)(void *tx))
Definition: app-layer-parser.c:567
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:295
AppLayerParserGetStreamDepth
uint32_t AppLayerParserGetStreamDepth(const Flow *f)
Definition: app-layer-parser.c:1553
RegisterIMAPParsers
void RegisterIMAPParsers(void)
Definition: app-layer-imap.c:84
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
AppLayerParserProtoCtx_::GetTxFiles
AppLayerGetFileState(* GetTxFiles)(void *, uint8_t)
Definition: app-layer-parser.c:88
util-validate.h
FRAME_STREAM_TYPE
#define FRAME_STREAM_TYPE
Definition: app-layer-frames.h:30
APP_LAYER_PARSER_OPT_ACCEPT_GAPS
#define APP_LAYER_PARSER_OPT_ACCEPT_GAPS
Definition: app-layer-parser.h:46
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:294
AppLayerParserRegisterGetTxIterator
void AppLayerParserRegisterGetTxIterator(uint8_t ipproto, AppProto alproto, AppLayerGetTxIteratorFunc Func)
Definition: app-layer-parser.c:510
AppLayerFramesGetContainer
FramesContainer * AppLayerFramesGetContainer(Flow *f)
Definition: app-layer-parser.c:173
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
AppLayerParserProtoCtx_::complete_ts
int complete_ts
Definition: app-layer-parser.c:94
SCFree
#define SCFree(p)
Definition: util-mem.h:61
ConfNode_
Definition: conf.h:32
Flow_::alstate
void * alstate
Definition: flow.h:481
AppLayerParserPostStreamSetup
void AppLayerParserPostStreamSetup(void)
Definition: app-layer-parser.c:255
Flow_::flags
uint32_t flags
Definition: flow.h:426
AppLayerParserGetDecoderEvents
AppLayerDecoderEvents * AppLayerParserGetDecoderEvents(AppLayerParserState *pstate)
Definition: app-layer-parser.c:830
THREE_SET
#define THREE_SET(a, b, c)
Definition: app-layer-parser.c:1638
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:1005
UTHAppLayerParserStateGetIds
void UTHAppLayerParserStateGetIds(void *ptr, uint64_t *i1, uint64_t *i2, uint64_t *log, uint64_t *min)
Definition: app-layer-parser.c:203
ConfValIsFalse
int ConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:561
RegisterHTPParsers
void RegisterHTPParsers(void)
Register the HTTP protocol and state handling functions to APP layer of the engine.
Definition: app-layer-htp.c:2802
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:70
AppLayerIncTxCounter
void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
Definition: app-layer.c:154
FRAME_FLAG_ENDS_AT_EOF
#define FRAME_FLAG_ENDS_AT_EOF
Definition: app-layer-frames.h:38
RegisterSMTPParsers
void RegisterSMTPParsers(void)
Register the SMTP Protocol parser.
Definition: app-layer-smtp.c:1862
AppLayerParserStateAlloc
AppLayerParserState * AppLayerParserStateAlloc(void)
Definition: app-layer-parser.c:224
SCReturnCT
#define SCReturnCT(x, type)
Definition: util-debug.h:285
AppLayerParserState_::decoder_events
AppLayerDecoderEvents * decoder_events
Definition: app-layer-parser.c:144
AppLayerParserRegisterGetTxCnt
void AppLayerParserRegisterGetTxCnt(uint8_t ipproto, AppProto alproto, uint64_t(*StateGetTxCnt)(void *alstate))
Definition: app-layer-parser.c:488
app-layer-smb.h
AppLayerParserProtoCtx_::StateGetProgress
int(* StateGetProgress)(void *alstate, uint8_t direction)
Definition: app-layer-parser.c:90
AppLayerParserProtocolGetLoggerBits
LoggerId AppLayerParserProtocolGetLoggerBits(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1523
AppLayerParserCtx_
Definition: app-layer-parser.c:125
AppLayerParserRegisterGetEventInfoById
void AppLayerParserRegisterGetEventInfoById(uint8_t ipproto, AppProto alproto, int(*StateGetEventInfoById)(uint8_t event_id, const char **event_name, AppLayerEventType *event_type))
Definition: app-layer-parser.c:533
AppLayerGetTxIteratorFunc
AppLayerGetTxIterTuple(* AppLayerGetTxIteratorFunc)(const uint8_t ipproto, const AppProto alproto, void *alstate, uint64_t min_tx_id, uint64_t max_tx_id, AppLayerGetTxIterState *state)
tx iterator prototype
Definition: app-layer-parser.h:152
g_file_logger_enabled
bool g_file_logger_enabled
Definition: output-file.c:39
likely
#define likely(expr)
Definition: util-optimize.h:32
RegisterHTTP2Parsers
void RegisterHTTP2Parsers(void)
Definition: app-layer-http2.c:56
STREAM_APP_PROGRESS
#define STREAM_APP_PROGRESS(stream)
Definition: stream-tcp-private.h:145
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:58
AppLayerProtoDetectPMRegisterPatternCS
int AppLayerProtoDetectPMRegisterPatternCS(uint8_t ipproto, AppProto alproto, const char *pattern, uint16_t depth, uint16_t offset, uint8_t direction)
Registers a case-sensitive pattern for protocol detection.
Definition: app-layer-detect-proto.c:1657
app-layer-smtp.h
APP_LAYER_PARSER_NO_INSPECTION_PAYLOAD
#define APP_LAYER_PARSER_NO_INSPECTION_PAYLOAD
Definition: app-layer-parser.h:37
FlowChangeProto
int FlowChangeProto(Flow *f)
Check if change proto flag is set for flow.
Definition: flow.c:204
FlowGetDisruptionFlags
uint8_t FlowGetDisruptionFlags(const Flow *f, uint8_t flags)
get 'disruption' flags: GAP/DEPTH/PASS
Definition: flow.c:1140
TcpSession_
Definition: stream-tcp-private.h:283
flow.h
AppLayerParserStateIssetFlag
uint16_t AppLayerParserStateIssetFlag(AppLayerParserState *pstate, uint16_t flag)
Definition: app-layer-parser.c:1760
SCLogNotice
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:237
RegisterNFSUDPParsers
void RegisterNFSUDPParsers(void)
Definition: app-layer-nfs-udp.c:63
Flow_::file_flags
uint16_t file_flags
Definition: flow.h:428
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:455
ExceptionPolicy
ExceptionPolicy
Definition: util-exception-policy-types.h:25
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
AppLayerParserDestroyProtocolParserLocalStorage
void AppLayerParserDestroyProtocolParserLocalStorage(uint8_t ipproto, AppProto alproto, void *local_data)
Definition: app-layer-parser.c:624
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
AppLayerParserGetTxCnt
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
Definition: app-layer-parser.c:1080
AppLayerProtoDetectConfProtoDetectionEnabled
int AppLayerProtoDetectConfProtoDetectionEnabled(const char *ipproto, const char *alproto)
Given a protocol name, checks if proto detection is enabled in the conf file.
Definition: app-layer-detect-proto.c:1952
SMTPParserCleanup
void SMTPParserCleanup(void)
Free memory allocated for global SMTP parser state.
Definition: app-layer-smtp.c:1917
AppLayerParserHasDecoderEvents
bool AppLayerParserHasDecoderEvents(AppLayerParserState *pstate)
Definition: app-layer-parser.c:1487
AppLayerParserGetFrameIdByNameFn
int(* AppLayerParserGetFrameIdByNameFn)(const char *frame_name)
Definition: app-layer-parser.h:158
AppLayerDecoderEvents_::events
uint8_t * events
Definition: app-layer-events.h:38
AppLayerParserState_::frames
FramesContainer * frames
Definition: app-layer-parser.c:146
StreamTcpSetSessionBypassFlag
void StreamTcpSetSessionBypassFlag(TcpSession *)
enable bypass
Definition: stream-tcp.c:6681
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
app-layer-ssl.h
AppLayerParserProtoCtx_::LocalStorageAlloc
void *(* LocalStorageAlloc)(void)
Definition: app-layer-parser.c:83
AppLayerParserGetEventInfo
int AppLayerParserGetEventInfo(uint8_t ipproto, AppProto alproto, const char *event_name, uint8_t *event_id, AppLayerEventType *event_type)
Definition: app-layer-parser.c:1102
app-layer-nfs-tcp.h
app-layer.h
AppLayerParserProtoCtx_::first_data_dir
uint8_t first_data_dir
Definition: app-layer-parser.c:76