suricata
app-layer-parser.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Generic App-layer parsing functions.
24  */
25 
26 #include "suricata-common.h"
27 #include "app-layer-parser.h"
28 
29 #include "flow.h"
30 #include "flow-private.h"
31 #include "flow-util.h"
32 
33 #include "app-layer-frames.h"
34 
35 #include "stream-tcp.h"
36 
37 #include "util-validate.h"
38 
39 #include "app-layer.h"
40 #include "app-layer-detect-proto.h"
41 
42 #include "app-layer-ftp.h"
43 #include "app-layer-smtp.h"
44 
45 #include "app-layer-smb.h"
46 #include "app-layer-htp.h"
47 #include "app-layer-ssl.h"
48 #include "app-layer-ssh.h"
49 #include "app-layer-modbus.h"
50 #include "app-layer-dnp3.h"
51 #include "app-layer-nfs-tcp.h"
52 #include "app-layer-nfs-udp.h"
53 #include "app-layer-tftp.h"
54 #include "app-layer-ike.h"
55 #include "app-layer-http2.h"
56 #include "app-layer-imap.h"
57 
58 struct AppLayerParserThreadCtx_ {
59  void *(*alproto_local_storage)[FLOW_PROTO_MAX];
60 };
61 
62 
63 /**
64  * \brief App layer protocol parser context.
65  */
66 typedef struct AppLayerParserProtoCtx_
67 {
68  /* 0 - to_server, 1 - to_client. */
69  AppLayerParserFPtr Parser[2];
70 
71  bool logger;
72 
73  /* Indicates the direction the parser is ready to see the data
74  * the first time for a flow. Values accepted -
75  * STREAM_TOSERVER, STREAM_TOCLIENT */
76  uint8_t first_data_dir;
77 
78  uint32_t logger_bits; /**< registered loggers for this proto */
79 
80  void *(*StateAlloc)(void *, AppProto);
81  void (*StateFree)(void *);
82  void (*StateTransactionFree)(void *, uint64_t);
83  void *(*LocalStorageAlloc)(void);
84  void (*LocalStorageFree)(void *);
85 
86  /** get FileContainer reference from the TX. MUST return a non-NULL reference if the TX
87  * has or may have files in the requested direction at some point. */
88  AppLayerGetFileState (*GetTxFiles)(void *, uint8_t);
89 
90  int (*StateGetProgress)(void *alstate, uint8_t direction);
91  uint64_t (*StateGetTxCnt)(void *alstate);
92  void *(*StateGetTx)(void *alstate, uint64_t tx_id);
93  AppLayerGetTxIteratorFunc StateGetTxIterator;
94  int complete_ts;
95  int complete_tc;
96  int (*StateGetEventInfoById)(
97  uint8_t event_id, const char **event_name, AppLayerEventType *event_type);
98  int (*StateGetEventInfo)(
99  const char *event_name, uint8_t *event_id, AppLayerEventType *event_type);
100 
101  AppLayerStateData *(*GetStateData)(void *state);
102  AppLayerTxData *(*GetTxData)(void *tx);
103  bool (*ApplyTxConfig)(void *state, void *tx, int mode, AppLayerTxConfig);
104 
105  void (*SetStreamDepthFlag)(void *tx, uint8_t flags);
106 
107  AppLayerParserGetFrameIdByNameFn GetFrameIdByName;
108  AppLayerParserGetFrameNameByIdFn GetFrameNameById;
109 
110  /* each app-layer has its own value */
111  uint32_t stream_depth;
112 
113  /* Option flags such as supporting gaps or not. */
114  uint32_t option_flags;
115  /* coccinelle: AppLayerParserProtoCtx:option_flags:APP_LAYER_PARSER_OPT_ */
116 
117  uint32_t internal_flags;
118  /* coccinelle: AppLayerParserProtoCtx:internal_flags:APP_LAYER_PARSER_INT_ */
119 
120 #ifdef UNITTESTS
121  void (*RegisterUnittests)(void);
122 #endif
123 } AppLayerParserProtoCtx;
124 
125 typedef struct AppLayerParserCtx_ {
126  AppLayerParserProtoCtx (*ctxs)[FLOW_PROTO_MAX];
127 } AppLayerParserCtx;
128 
129 struct AppLayerParserState_ {
130  /* coccinelle: AppLayerParserState:flags:APP_LAYER_PARSER_ */
131  uint16_t flags;
132 
133  /* Indicates the current transaction that is being inspected.
134  * We have a var per direction. */
135  uint64_t inspect_id[2];
136  /* Indicates the current transaction being logged. Unlike inspect_id,
137  * we don't need a var per direction since we don't log a transaction
138  * unless we have the entire transaction. */
139  uint64_t log_id;
140 
141  uint64_t min_id;
142 
143  /* Used to store decoder events. */
144  AppLayerDecoderEvents *decoder_events;
145 
146  FramesContainer *frames;
147 };
148 
149 enum ExceptionPolicy g_applayerparser_error_policy = EXCEPTION_POLICY_NOT_SET;
150 
151 static void AppLayerConfig(void)
152 {
153  g_applayerparser_error_policy = ExceptionPolicyParse("app-layer.error-policy", true);
154 }
155 
156 static void AppLayerParserFramesFreeContainer(FramesContainer *frames)
157 {
158  if (frames != NULL) {
159  FramesFree(&frames->toserver);
160  FramesFree(&frames->toclient);
161  SCFree(frames);
162  }
163 }
164 
165 void AppLayerFramesFreeContainer(Flow *f)
166 {
167  if (f == NULL || f->alparser == NULL || f->alparser->frames == NULL)
168  return;
169  AppLayerParserFramesFreeContainer(f->alparser->frames);
170  f->alparser->frames = NULL;
171 }
172 
173 FramesContainer *AppLayerFramesGetContainer(Flow *f)
174 {
175  if (f == NULL || f->alparser == NULL)
176  return NULL;
177  return f->alparser->frames;
178 }
179 
180 FramesContainer *AppLayerFramesSetupContainer(Flow *f)
181 {
182 #ifdef UNITTESTS
183  if (f == NULL || f->alparser == NULL || (f->proto == IPPROTO_TCP && f->protoctx == NULL))
184  return NULL;
185 #endif
186  DEBUG_VALIDATE_BUG_ON(f == NULL || f->alparser == NULL);
187  if (f->alparser->frames == NULL) {
188  f->alparser->frames = SCCalloc(1, sizeof(FramesContainer));
189  if (f->alparser->frames == NULL) {
190  return NULL;
191  }
192 #ifdef DEBUG
193  f->alparser->frames->toserver.ipproto = f->proto;
194  f->alparser->frames->toserver.alproto = f->alproto;
195  f->alparser->frames->toclient.ipproto = f->proto;
196  f->alparser->frames->toclient.alproto = f->alproto;
197 #endif
198  }
199  return f->alparser->frames;
200 }
201 
202 #ifdef UNITTESTS
203 void UTHAppLayerParserStateGetIds(void *ptr, uint64_t *i1, uint64_t *i2, uint64_t *log, uint64_t *min)
204 {
205  struct AppLayerParserState_ *s = ptr;
206  *i1 = s->inspect_id[0];
207  *i2 = s->inspect_id[1];
208  *log = s->log_id;
209  *min = s->min_id;
210 }
211 #endif
212 
213 /* Static global version of the parser context.
214  * Post 2.0 let's look at changing this to move it out to app-layer.c. */
215 static AppLayerParserCtx alp_ctx;
216 
217 int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto)
218 {
219  uint8_t ipproto_map = FlowGetProtoMapping(ipproto);
220 
221  return (alp_ctx.ctxs[alproto][ipproto_map].StateAlloc != NULL) ? 1 : 0;
222 }
223 
224 AppLayerParserState *AppLayerParserStateAlloc(void)
225 {
226  SCEnter();
227 
228  AppLayerParserState *pstate = (AppLayerParserState *)SCCalloc(1, sizeof(*pstate));
229  if (pstate == NULL)
230  goto end;
231 
232  end:
233  SCReturnPtr(pstate, "AppLayerParserState");
234 }
235 
236 void AppLayerParserStateFree(AppLayerParserState *pstate)
237 {
238  SCEnter();
239 
240  if (pstate->decoder_events != NULL)
241  AppLayerDecoderEventsFreeEvents(&pstate->decoder_events);
242  AppLayerParserFramesFreeContainer(pstate->frames);
243  SCFree(pstate);
244 
245  SCReturn;
246 }
247 
248 int AppLayerParserSetup(void)
249 {
250  SCEnter();
251  // initial allocation that will later be grown using realloc,
252  // when new protocols register themselves and make g_alproto_max grow
253  alp_ctx.ctxs = SCCalloc(g_alproto_max, sizeof(AppLayerParserProtoCtx[FLOW_PROTO_MAX]));
254  if (unlikely(alp_ctx.ctxs == NULL)) {
255  FatalError("Unable to alloc alp_ctx.ctxs.");
256  }
257  SCReturnInt(0);
258 }
259 
260 void AppLayerParserPostStreamSetup(void)
261 {
262  /* lets set a default value for stream_depth */
263  for (int flow_proto = 0; flow_proto < FLOW_PROTO_DEFAULT; flow_proto++) {
264  for (AppProto alproto = 0; alproto < g_alproto_max; alproto++) {
265  if (!(alp_ctx.ctxs[alproto][flow_proto].internal_flags &
266  APP_LAYER_PARSER_INT_STREAM_DEPTH_SET)) {
267  alp_ctx.ctxs[alproto][flow_proto].stream_depth = stream_config.reassembly_depth;
268  }
269  }
270  }
271 }
272 
273 int AppLayerParserDeSetup(void)
274 {
275  SCEnter();
276 
277  SCFree(alp_ctx.ctxs);
278 
279  FTPParserCleanup();
280  SMTPParserCleanup();
281 
282  SCReturnInt(0);
283 }
284 
285 AppLayerParserThreadCtx *AppLayerParserThreadCtxAlloc(void)
286 {
287  SCEnter();
288 
289  AppLayerParserThreadCtx *tctx = SCCalloc(1, sizeof(*tctx));
290  if (tctx == NULL)
291  goto end;
292 
293  tctx->alproto_local_storage = SCCalloc(g_alproto_max, sizeof(void *[FLOW_PROTO_MAX]));
294  if (unlikely(tctx->alproto_local_storage == NULL)) {
295  SCFree(tctx);
296  tctx = NULL;
297  goto end;
298  }
299  for (uint8_t flow_proto = 0; flow_proto < FLOW_PROTO_DEFAULT; flow_proto++) {
300  for (AppProto alproto = 0; alproto < g_alproto_max; alproto++) {
301  uint8_t ipproto = FlowGetReverseProtoMapping(flow_proto);
302 
303  tctx->alproto_local_storage[alproto][flow_proto] =
304  AppLayerParserGetProtocolParserLocalStorage(ipproto, alproto);
305  }
306  }
307 
308  end:
309  SCReturnPtr(tctx, "void *");
310 }
311 
312 void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
313 {
314  SCEnter();
315 
316  for (uint8_t flow_proto = 0; flow_proto < FLOW_PROTO_DEFAULT; flow_proto++) {
317  for (AppProto alproto = 0; alproto < g_alproto_max; alproto++) {
318  uint8_t ipproto = FlowGetReverseProtoMapping(flow_proto);
319 
320  AppLayerParserDestroyProtocolParserLocalStorage(
321  ipproto, alproto, tctx->alproto_local_storage[alproto][flow_proto]);
322  }
323  }
324 
325  SCFree(tctx->alproto_local_storage);
326  SCFree(tctx);
327  SCReturn;
328 }
329 
330 /** \brief check if a parser is enabled in the config
331  * Returns enabled always if: were running unittests
332  */
333 int AppLayerParserConfParserEnabled(const char *ipproto,
334  const char *alproto_name)
335 {
336  SCEnter();
337 
338  int enabled = 1;
339  char param[100];
340  ConfNode *node;
341  int r;
342 
343  if (RunmodeIsUnittests())
344  goto enabled;
345 
346  r = snprintf(param, sizeof(param), "%s%s%s", "app-layer.protocols.",
347  alproto_name, ".enabled");
348  if (r < 0) {
349  FatalError("snprintf failure.");
350  } else if (r > (int)sizeof(param)) {
351  FatalError("buffer not big enough to write param.");
352  }
353 
354  node = ConfGetNode(param);
355  if (node == NULL) {
356  SCLogDebug("Entry for %s not found.", param);
357  r = snprintf(param, sizeof(param), "%s%s%s%s%s", "app-layer.protocols.",
358  alproto_name, ".", ipproto, ".enabled");
359  if (r < 0) {
360  FatalError("snprintf failure.");
361  } else if (r > (int)sizeof(param)) {
362  FatalError("buffer not big enough to write param.");
363  }
364 
365  node = ConfGetNode(param);
366  if (node == NULL) {
367  SCLogDebug("Entry for %s not found.", param);
368  goto enabled;
369  }
370  }
371 
372  if (ConfValIsTrue(node->val)) {
373  goto enabled;
374  } else if (ConfValIsFalse(node->val)) {
375  goto disabled;
376  } else if (strcasecmp(node->val, "detection-only") == 0) {
377  goto disabled;
378  } else {
379  SCLogError("Invalid value found for %s.", param);
380  exit(EXIT_FAILURE);
381  }
382 
383  disabled:
384  enabled = 0;
385  enabled:
386  SCReturnInt(enabled);
387 }
388 
389 /***** Parser related registration *****/
390 
391 int AppLayerParserRegisterParser(uint8_t ipproto, AppProto alproto,
392  uint8_t direction,
393  AppLayerParserFPtr Parser)
394 {
395  SCEnter();
396 
397  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)]
398  .Parser[(direction & STREAM_TOSERVER) ? 0 : 1] = Parser;
399 
400  SCReturnInt(0);
401 }
402 
403 void AppLayerParserRegisterParserAcceptableDataDirection(uint8_t ipproto, AppProto alproto,
404  uint8_t direction)
405 {
406  SCEnter();
407 
408  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].first_data_dir |=
409  (direction & (STREAM_TOSERVER | STREAM_TOCLIENT));
410 
411  SCReturn;
412 }
413 
414 void AppLayerParserRegisterOptionFlags(uint8_t ipproto, AppProto alproto,
415  uint32_t flags)
416 {
417  SCEnter();
418 
419  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].option_flags |= flags;
420 
421  SCReturn;
422 }
423 
424 void AppLayerParserRegisterStateFuncs(uint8_t ipproto, AppProto alproto,
425  void *(*StateAlloc)(void *, AppProto), void (*StateFree)(void *))
426 {
427  SCEnter();
428 
429  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateAlloc = StateAlloc;
430  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateFree = StateFree;
431 
432  SCReturn;
433 }
434 
435 void AppLayerParserRegisterLocalStorageFunc(uint8_t ipproto, AppProto alproto,
436  void *(*LocalStorageAlloc)(void),
437  void (*LocalStorageFree)(void *))
438 {
439  SCEnter();
440 
441  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].LocalStorageAlloc = LocalStorageAlloc;
442  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].LocalStorageFree = LocalStorageFree;
443 
444  SCReturn;
445 }
446 
447 void AppLayerParserRegisterGetTxFilesFunc(
448  uint8_t ipproto, AppProto alproto, AppLayerGetFileState (*GetTxFiles)(void *, uint8_t))
449 {
450  SCEnter();
451 
452  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetTxFiles = GetTxFiles;
453 
454  SCReturn;
455 }
456 
457 void AppLayerParserRegisterLoggerBits(uint8_t ipproto, AppProto alproto, LoggerId bits)
458 {
459  SCEnter();
460 
461  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].logger_bits = bits;
462 
463  SCReturn;
464 }
465 
466 void AppLayerParserRegisterLogger(uint8_t ipproto, AppProto alproto)
467 {
468  SCEnter();
469 
470  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].logger = true;
471 
472  SCReturn;
473 }
474 
475 void AppLayerParserRegisterGetStateProgressFunc(uint8_t ipproto, AppProto alproto,
476  int (*StateGetProgress)(void *alstate, uint8_t direction))
477 {
478  SCEnter();
479 
480  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateGetProgress = StateGetProgress;
481 
482  SCReturn;
483 }
484 
485 void AppLayerParserRegisterTxFreeFunc(uint8_t ipproto, AppProto alproto,
486  void (*StateTransactionFree)(void *, uint64_t))
487 {
488  SCEnter();
489 
490  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateTransactionFree = StateTransactionFree;
491 
492  SCReturn;
493 }
494 
495 void AppLayerParserRegisterGetTxCnt(uint8_t ipproto, AppProto alproto,
496  uint64_t (*StateGetTxCnt)(void *alstate))
497 {
498  SCEnter();
499 
500  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateGetTxCnt = StateGetTxCnt;
501 
502  SCReturn;
503 }
504 
505 void AppLayerParserRegisterGetTx(uint8_t ipproto, AppProto alproto,
506  void *(StateGetTx)(void *alstate, uint64_t tx_id))
507 {
508  SCEnter();
509 
510  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateGetTx = StateGetTx;
511 
512  SCReturn;
513 }
514 
515 void AppLayerParserRegisterGetTxIterator(uint8_t ipproto, AppProto alproto,
516  AppLayerGetTxIteratorFunc Func)
517 {
518  SCEnter();
519  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateGetTxIterator = Func;
520  SCReturn;
521 }
522 
523 void AppLayerParserRegisterStateProgressCompletionStatus(
524  AppProto alproto, const int ts, const int tc)
525 {
526  BUG_ON(ts == 0);
527  BUG_ON(tc == 0);
528  BUG_ON(!AppProtoIsValid(alproto));
529  BUG_ON(alp_ctx.ctxs[alproto][FLOW_PROTO_DEFAULT].complete_ts != 0 &&
530  alp_ctx.ctxs[alproto][FLOW_PROTO_DEFAULT].complete_ts != ts);
531  BUG_ON(alp_ctx.ctxs[alproto][FLOW_PROTO_DEFAULT].complete_tc != 0 &&
532  alp_ctx.ctxs[alproto][FLOW_PROTO_DEFAULT].complete_tc != tc);
533 
534  alp_ctx.ctxs[alproto][FLOW_PROTO_DEFAULT].complete_ts = ts;
535  alp_ctx.ctxs[alproto][FLOW_PROTO_DEFAULT].complete_tc = tc;
536 }
537 
538 void AppLayerParserRegisterGetEventInfoById(uint8_t ipproto, AppProto alproto,
539  int (*StateGetEventInfoById)(
540  uint8_t event_id, const char **event_name, AppLayerEventType *event_type))
541 {
542  SCEnter();
543 
544  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateGetEventInfoById =
545  StateGetEventInfoById;
546 
547  SCReturn;
548 }
549 
550 void AppLayerParserRegisterGetFrameFuncs(uint8_t ipproto, AppProto alproto,
551  AppLayerParserGetFrameIdByNameFn GetIdByNameFunc,
552  AppLayerParserGetFrameNameByIdFn GetNameByIdFunc)
553 {
554  SCEnter();
555  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetFrameIdByName = GetIdByNameFunc;
556  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetFrameNameById = GetNameByIdFunc;
557  SCReturn;
558 }
559 
560 void AppLayerParserRegisterGetEventInfo(uint8_t ipproto, AppProto alproto,
561  int (*StateGetEventInfo)(
562  const char *event_name, uint8_t *event_id, AppLayerEventType *event_type))
563 {
564  SCEnter();
565 
566  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateGetEventInfo = StateGetEventInfo;
567 
568  SCReturn;
569 }
570 
571 void AppLayerParserRegisterTxDataFunc(uint8_t ipproto, AppProto alproto,
572  AppLayerTxData *(*GetTxData)(void *tx))
573 {
574  SCEnter();
575 
576  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetTxData = GetTxData;
577 
578  SCReturn;
579 }
580 
581 void AppLayerParserRegisterStateDataFunc(
582  uint8_t ipproto, AppProto alproto, AppLayerStateData *(*GetStateData)(void *state))
583 {
584  SCEnter();
585 
586  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetStateData = GetStateData;
587 
588  SCReturn;
589 }
590 
591 void AppLayerParserRegisterApplyTxConfigFunc(uint8_t ipproto, AppProto alproto,
592  bool (*ApplyTxConfig)(void *state, void *tx, int mode, AppLayerTxConfig))
593 {
594  SCEnter();
595 
596  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].ApplyTxConfig = ApplyTxConfig;
597 
598  SCReturn;
599 }
600 
601 void AppLayerParserRegisterSetStreamDepthFlag(uint8_t ipproto, AppProto alproto,
602  void (*SetStreamDepthFlag)(void *tx, uint8_t flags))
603 {
604  SCEnter();
605 
606  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].SetStreamDepthFlag = SetStreamDepthFlag;
607 
608  SCReturn;
609 }
610 
611 /***** Get and transaction functions *****/
612 
613 void *AppLayerParserGetProtocolParserLocalStorage(uint8_t ipproto, AppProto alproto)
614 {
615  SCEnter();
616  void * r = NULL;
617 
618  if (alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].LocalStorageAlloc != NULL) {
619  r = alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].LocalStorageAlloc();
620  }
621 
622  SCReturnPtr(r, "void *");
623 }
624 
625 void AppLayerParserDestroyProtocolParserLocalStorage(uint8_t ipproto, AppProto alproto,
626  void *local_data)
627 {
628  SCEnter();
629 
630  if (alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].LocalStorageFree != NULL) {
631  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].LocalStorageFree(local_data);
632  }
633 
634  SCReturn;
635 }
636 
637 /** \brief default tx iterator
638  *
639  * Used if the app layer parser doesn't register its own iterator.
640  * Simply walks the tx_id space until it finds a tx. Uses 'state' to
641  * keep track of where it left off.
642  *
643  * \retval txptr or NULL if no more txs in list
644  */
645 static AppLayerGetTxIterTuple AppLayerDefaultGetTxIterator(
646  const uint8_t ipproto, const AppProto alproto,
647  void *alstate, uint64_t min_tx_id, uint64_t max_tx_id,
648  AppLayerGetTxIterState *state)
649 {
650  uint64_t ustate = *(uint64_t *)state;
651  uint64_t tx_id = MAX(min_tx_id, ustate);
652  for ( ; tx_id < max_tx_id; tx_id++) {
653  void *tx_ptr = AppLayerParserGetTx(ipproto, alproto, alstate, tx_id);
654  if (tx_ptr != NULL) {
655  ustate = tx_id + 1;
656  *state = *(AppLayerGetTxIterState *)&ustate;
657  AppLayerGetTxIterTuple tuple = {
658  .tx_ptr = tx_ptr,
659  .tx_id = tx_id,
660  .has_next = (tx_id + 1 < max_tx_id),
661  };
662  SCLogDebug("tuple: %p/%"PRIu64"/%s", tuple.tx_ptr, tuple.tx_id,
663  tuple.has_next ? "true" : "false");
664  return tuple;
665  }
666  }
667 
668  AppLayerGetTxIterTuple no_tuple = { NULL, 0, false };
669  return no_tuple;
670 }
671 
672 AppLayerGetTxIteratorFunc AppLayerGetTxIterator(const uint8_t ipproto,
673  const AppProto alproto)
674 {
675  AppLayerGetTxIteratorFunc Func =
676  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateGetTxIterator;
677  return Func ? Func : AppLayerDefaultGetTxIterator;
678 }
679 
680 uint64_t AppLayerParserGetTransactionLogId(AppLayerParserState *pstate)
681 {
682  SCEnter();
683 
684  SCReturnCT((pstate == NULL) ? 0 : pstate->log_id, "uint64_t");
685 }
686 
687 void AppLayerParserSetTransactionLogId(AppLayerParserState *pstate, uint64_t tx_id)
688 {
689  SCEnter();
690 
691  if (pstate != NULL)
692  pstate->log_id = tx_id;
693 
694  SCReturn;
695 }
696 
697 uint64_t AppLayerParserGetTransactionInspectId(AppLayerParserState *pstate, uint8_t direction)
698 {
699  SCEnter();
700 
701  if (pstate == NULL)
702  SCReturnCT(0ULL, "uint64_t");
703 
704  SCReturnCT(pstate->inspect_id[(direction & STREAM_TOSERVER) ? 0 : 1], "uint64_t");
705 }
706 
707 inline uint64_t AppLayerParserGetTxDetectFlags(AppLayerTxData *txd, const uint8_t dir)
708 {
709  uint64_t detect_flags =
710  (dir & STREAM_TOSERVER) ? txd->detect_flags_ts : txd->detect_flags_tc;
711  return detect_flags;
712 }
713 
714 static inline void SetTxDetectFlags(AppLayerTxData *txd, const uint8_t dir, const uint64_t detect_flags)
715 {
716  if (dir & STREAM_TOSERVER) {
717  txd->detect_flags_ts = detect_flags;
718  } else {
719  txd->detect_flags_tc = detect_flags;
720  }
721 }
722 
723 static inline uint32_t GetTxLogged(AppLayerTxData *txd)
724 {
725  return txd->logged.flags;
726 }
727 
728 void AppLayerParserSetTransactionInspectId(const Flow *f, AppLayerParserState *pstate,
729  void *alstate, const uint8_t flags,
730  bool tag_txs_as_inspected)
731 {
732  SCEnter();
733 
734  const int direction = (flags & STREAM_TOSERVER) ? 0 : 1;
735  const uint64_t total_txs = AppLayerParserGetTxCnt(f, alstate);
736  uint64_t idx = AppLayerParserGetTransactionInspectId(pstate, flags);
737  const int state_done_progress = AppLayerParserGetStateProgressCompletionStatus(f->alproto, flags);
738  const uint8_t ipproto = f->proto;
739  const AppProto alproto = f->alproto;
740 
741  AppLayerGetTxIteratorFunc IterFunc = AppLayerGetTxIterator(ipproto, alproto);
742  AppLayerGetTxIterState state = { 0 };
743 
744  SCLogDebug("called: %s, tag_txs_as_inspected %s",direction==0?"toserver":"toclient",
745  tag_txs_as_inspected?"true":"false");
746 
747  /* mark all txs as inspected if the applayer progress is
748  * at the 'end state'. */
749  while (1) {
750  AppLayerGetTxIterTuple ires = IterFunc(ipproto, alproto, alstate, idx, total_txs, &state);
751  if (ires.tx_ptr == NULL)
752  break;
753 
754  void *tx = ires.tx_ptr;
755  idx = ires.tx_id;
756 
757  int state_progress = AppLayerParserGetStateProgress(ipproto, alproto, tx, flags);
758  if (state_progress < state_done_progress)
759  break;
760 
761  AppLayerTxData *txd = AppLayerParserGetTxData(ipproto, alproto, tx);
762  if (txd && tag_txs_as_inspected) {
763  uint64_t detect_flags = AppLayerParserGetTxDetectFlags(txd, flags);
764  if ((detect_flags & APP_LAYER_TX_INSPECTED_FLAG) == 0) {
765  detect_flags |= APP_LAYER_TX_INSPECTED_FLAG;
766  SetTxDetectFlags(txd, flags, detect_flags);
767  SCLogDebug("%p/%"PRIu64" in-order tx is done for direction %s. Flag %016"PRIx64,
768  tx, idx, flags & STREAM_TOSERVER ? "toserver" : "toclient", detect_flags);
769  }
770  }
771  idx++;
772  if (!ires.has_next)
773  break;
774  }
775  pstate->inspect_id[direction] = idx;
776  SCLogDebug("inspect_id now %"PRIu64, pstate->inspect_id[direction]);
777 
778  /* if necessary we flag all txs that are complete as 'inspected'
779  * also move inspect_id forward. */
780  if (tag_txs_as_inspected) {
781  /* continue at idx */
782  while (1) {
783  AppLayerGetTxIterTuple ires = IterFunc(ipproto, alproto, alstate, idx, total_txs, &state);
784  if (ires.tx_ptr == NULL)
785  break;
786 
787  void *tx = ires.tx_ptr;
788  /* if we got a higher id than the minimum we requested, we
789  * skipped a bunch of 'null-txs'. Lets see if we can up the
790  * inspect tracker */
791  if (ires.tx_id > idx && pstate->inspect_id[direction] == idx) {
792  pstate->inspect_id[direction] = ires.tx_id;
793  }
794  idx = ires.tx_id;
795 
796  const int state_progress = AppLayerParserGetStateProgress(ipproto, alproto, tx, flags);
797  if (state_progress < state_done_progress)
798  break;
799 
800  /* txd can be NULL for HTTP sessions where the user data alloc failed */
801  AppLayerTxData *txd = AppLayerParserGetTxData(ipproto, alproto, tx);
802  if (likely(txd)) {
803  uint64_t detect_flags = AppLayerParserGetTxDetectFlags(txd, flags);
804  if ((detect_flags & APP_LAYER_TX_INSPECTED_FLAG) == 0) {
805  detect_flags |= APP_LAYER_TX_INSPECTED_FLAG;
806  SetTxDetectFlags(txd, flags, detect_flags);
807  SCLogDebug("%p/%"PRIu64" out of order tx is done for direction %s. Flag %016"PRIx64,
808  tx, idx, flags & STREAM_TOSERVER ? "toserver" : "toclient", detect_flags);
809 
810  SCLogDebug("%p/%"PRIu64" out of order tx. Update inspect_id? %"PRIu64,
811  tx, idx, pstate->inspect_id[direction]);
812  if (pstate->inspect_id[direction]+1 == idx)
813  pstate->inspect_id[direction] = idx;
814  }
815  } else {
816  if (pstate->inspect_id[direction]+1 == idx)
817  pstate->inspect_id[direction] = idx;
818  }
819  if (!ires.has_next)
820  break;
821  idx++;
822  }
823  }
824 
825  SCReturn;
826 }
827 
828 AppLayerDecoderEvents *AppLayerParserGetDecoderEvents(AppLayerParserState *pstate)
829 {
830  SCEnter();
831 
832  SCReturnPtr(pstate->decoder_events,
833  "AppLayerDecoderEvents *");
834 }
835 
836 AppLayerDecoderEvents *AppLayerParserGetEventsByTx(uint8_t ipproto, AppProto alproto,
837  void *tx)
838 {
839  SCEnter();
840 
841  AppLayerDecoderEvents *ptr = NULL;
842 
843  /* Access events via the tx_data. */
844  AppLayerTxData *txd = AppLayerParserGetTxData(ipproto, alproto, tx);
845  if (txd != NULL && txd->events != NULL) {
846  ptr = txd->events;
847  }
848 
849  SCReturnPtr(ptr, "AppLayerDecoderEvents *");
850 }
851 
852 AppLayerGetFileState AppLayerParserGetTxFiles(const Flow *f, void *tx, const uint8_t direction)
853 {
854  SCEnter();
855 
856  if (alp_ctx.ctxs[f->alproto][f->protomap].GetTxFiles != NULL) {
857  return alp_ctx.ctxs[f->alproto][f->protomap].GetTxFiles(tx, direction);
858  }
859 
860  AppLayerGetFileState files = { .fc = NULL, .cfg = NULL };
861  return files;
862 }
863 
864 static void AppLayerParserFileTxHousekeeping(
865  const Flow *f, void *tx, const uint8_t pkt_dir, const bool trunc)
866 {
867  AppLayerGetFileState files = AppLayerParserGetTxFiles(f, tx, pkt_dir);
868  if (files.fc) {
869  FilesPrune(files.fc, files.cfg, trunc);
870  }
871 }
872 
873 #define IS_DISRUPTED(flags) ((flags) & (STREAM_DEPTH | STREAM_GAP))
874 
875 extern int g_detect_disabled;
876 extern bool g_file_logger_enabled;
877 extern bool g_filedata_logger_enabled;
878 
879 /**
880  * \brief remove obsolete (inspected and logged) transactions
881  */
882 void AppLayerParserTransactionsCleanup(Flow *f, const uint8_t pkt_dir)
883 {
884  SCEnter();
885  DEBUG_ASSERT_FLOW_LOCKED(f);
886 
887  AppLayerParserProtoCtx *p = &alp_ctx.ctxs[f->alproto][f->protomap];
888  if (unlikely(p->StateTransactionFree == NULL))
889  SCReturn;
890 
891  const bool has_tx_detect_flags = !g_detect_disabled;
892  const uint8_t ipproto = f->proto;
893  const AppProto alproto = f->alproto;
894  void * const alstate = f->alstate;
895  AppLayerParserState * const alparser = f->alparser;
896 
897  if (alstate == NULL || alparser == NULL)
898  SCReturn;
899 
900  const uint64_t min = alparser->min_id;
901  const uint64_t total_txs = AppLayerParserGetTxCnt(f, alstate);
902  const LoggerId logger_expectation = AppLayerParserProtocolGetLoggerBits(ipproto, alproto);
903  const int tx_end_state_ts = AppLayerParserGetStateProgressCompletionStatus(alproto, STREAM_TOSERVER);
904  const int tx_end_state_tc = AppLayerParserGetStateProgressCompletionStatus(alproto, STREAM_TOCLIENT);
905  const uint8_t ts_disrupt_flags = FlowGetDisruptionFlags(f, STREAM_TOSERVER);
906  const uint8_t tc_disrupt_flags = FlowGetDisruptionFlags(f, STREAM_TOCLIENT);
907 
908  int pkt_dir_trunc = -1;
909 
910  AppLayerGetTxIteratorFunc IterFunc = AppLayerGetTxIterator(ipproto, alproto);
911  AppLayerGetTxIterState state;
912  memset(&state, 0, sizeof(state));
913  uint64_t i = min;
914  uint64_t new_min = min;
915  SCLogDebug("start min %"PRIu64, min);
916  bool skipped = false;
917  // const bool support_files = AppLayerParserSupportsFiles(f->proto, f->alproto);
918 
919  while (1) {
920  AppLayerGetTxIterTuple ires = IterFunc(ipproto, alproto, alstate, i, total_txs, &state);
921  if (ires.tx_ptr == NULL)
922  break;
923 
924  bool tx_skipped = false;
925  void *tx = ires.tx_ptr;
926  i = ires.tx_id; // actual tx id for the tx the IterFunc returned
927 
928  SCLogDebug("%p/%"PRIu64" checking", tx, i);
929  AppLayerTxData *txd = AppLayerParserGetTxData(ipproto, alproto, tx);
930  if (txd != NULL && AppLayerParserHasFilesInDir(txd, pkt_dir)) {
931  if (pkt_dir_trunc == -1)
932  pkt_dir_trunc = IS_DISRUPTED(
933  (pkt_dir == STREAM_TOSERVER) ? ts_disrupt_flags : tc_disrupt_flags);
934  AppLayerParserFileTxHousekeeping(f, tx, pkt_dir, (bool)pkt_dir_trunc);
935  }
936  if (txd) {
937  // should be reset by parser next time it updates the tx
938  if (pkt_dir & STREAM_TOSERVER) {
939  txd->updated_ts = false;
940  } else {
941  txd->updated_tc = false;
942  }
943  }
944  const int tx_progress_tc =
945  AppLayerParserGetStateProgress(ipproto, alproto, tx, tc_disrupt_flags);
946  if (tx_progress_tc < tx_end_state_tc) {
947  SCLogDebug("%p/%"PRIu64" skipping: tc parser not done", tx, i);
948  skipped = true;
949  goto next;
950  }
951  const int tx_progress_ts =
952  AppLayerParserGetStateProgress(ipproto, alproto, tx, ts_disrupt_flags);
953  if (tx_progress_ts < tx_end_state_ts) {
954  SCLogDebug("%p/%"PRIu64" skipping: ts parser not done", tx, i);
955  skipped = true;
956  goto next;
957  }
958 
959  if (txd && has_tx_detect_flags) {
960  if (!IS_DISRUPTED(ts_disrupt_flags) && f->sgh_toserver != NULL) {
961  uint64_t detect_flags_ts = AppLayerParserGetTxDetectFlags(txd, STREAM_TOSERVER);
962  if (!(detect_flags_ts &
963  (APP_LAYER_TX_INSPECTED_FLAG | APP_LAYER_TX_SKIP_INSPECT_FLAG))) {
964  SCLogDebug("%p/%" PRIu64 " skipping: TS inspect not done: ts:%" PRIx64, tx, i,
965  detect_flags_ts);
966  tx_skipped = true;
967  }
968  }
969  if (!IS_DISRUPTED(tc_disrupt_flags) && f->sgh_toclient != NULL) {
970  uint64_t detect_flags_tc = AppLayerParserGetTxDetectFlags(txd, STREAM_TOCLIENT);
971  if (!(detect_flags_tc &
972  (APP_LAYER_TX_INSPECTED_FLAG | APP_LAYER_TX_SKIP_INSPECT_FLAG))) {
973  SCLogDebug("%p/%" PRIu64 " skipping: TC inspect not done: ts:%" PRIx64, tx, i,
974  detect_flags_tc);
975  tx_skipped = true;
976  }
977  }
978  }
979 
980  if (tx_skipped) {
981  SCLogDebug("%p/%" PRIu64 " tx_skipped", tx, i);
982  skipped = true;
983  goto next;
984  }
985 
986  if (txd && logger_expectation != 0) {
987  LoggerId tx_logged = GetTxLogged(txd);
988  if (tx_logged != logger_expectation) {
989  SCLogDebug("%p/%"PRIu64" skipping: logging not done: want:%"PRIx32", have:%"PRIx32,
990  tx, i, logger_expectation, tx_logged);
991  skipped = true;
992  goto next;
993  }
994  }
995 
996  /* if file logging is enabled, we keep a tx active while some of the files aren't
997  * logged yet. */
998  if (txd) {
999  SCLogDebug("files_opened %u files_logged %u files_stored %u", txd->files_opened,
1000  txd->files_logged, txd->files_stored);
1001 
1002  if (txd->files_opened) {
1003  if (g_file_logger_enabled && txd->files_opened != txd->files_logged) {
1004  skipped = true;
1005  goto next;
1006  }
1007  if (g_filedata_logger_enabled && txd->files_opened != txd->files_stored) {
1008  skipped = true;
1009  goto next;
1010  }
1011  }
1012  }
1013 
1014  /* if we are here, the tx can be freed. */
1015  p->StateTransactionFree(alstate, i);
1016  SCLogDebug("%p/%"PRIu64" freed", tx, i);
1017 
1018  /* if we didn't skip any tx so far, up the minimum */
1019  SCLogDebug("skipped? %s i %"PRIu64", new_min %"PRIu64, skipped ? "true" : "false", i, new_min);
1020  if (!skipped)
1021  new_min = i + 1;
1022  SCLogDebug("final i %"PRIu64", new_min %"PRIu64, i, new_min);
1023 
1024 next:
1025  if (!ires.has_next) {
1026  /* this was the last tx. See if we skipped any. If not
1027  * we removed all and can update the minimum to the max
1028  * id. */
1029  SCLogDebug("no next: cur tx i %"PRIu64", total %"PRIu64, i, total_txs);
1030  if (!skipped) {
1031  new_min = total_txs;
1032  SCLogDebug("no next: cur tx i %"PRIu64", total %"PRIu64": "
1033  "new_min updated to %"PRIu64, i, total_txs, new_min);
1034  }
1035  break;
1036  }
1037  i++;
1038  }
1039 
1040  /* see if we need to bring all trackers up to date. */
1041  SCLogDebug("update f->alparser->min_id? %"PRIu64" vs %"PRIu64, new_min, alparser->min_id);
1042  if (new_min > alparser->min_id) {
1043  const uint64_t next_id = new_min;
1044  alparser->min_id = next_id;
1045  alparser->inspect_id[0] = MAX(alparser->inspect_id[0], next_id);
1046  alparser->inspect_id[1] = MAX(alparser->inspect_id[1], next_id);
1047  alparser->log_id = MAX(alparser->log_id, next_id);
1048  SCLogDebug("updated f->alparser->min_id %"PRIu64, alparser->min_id);
1049  }
1050  SCReturn;
1051 }
1052 
1053 static inline int StateGetProgressCompletionStatus(const AppProto alproto, const uint8_t flags)
1054 {
1055  if (flags & STREAM_TOSERVER) {
1056  return alp_ctx.ctxs[alproto][FLOW_PROTO_DEFAULT].complete_ts;
1057  } else if (flags & STREAM_TOCLIENT) {
1058  return alp_ctx.ctxs[alproto][FLOW_PROTO_DEFAULT].complete_tc;
1059  } else {
1060  DEBUG_VALIDATE_BUG_ON(1);
1061  return 0;
1062  }
1063 }
1064 
1065 /**
1066  * \brief get the progress value for a tx/protocol
1067  *
1068  * If the stream is disrupted, we return the 'completion' value.
1069  */
1070 int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto,
1071  void *alstate, uint8_t flags)
1072 {
1073  SCEnter();
1074  int r;
1075  if (unlikely(IS_DISRUPTED(flags))) {
1076  r = StateGetProgressCompletionStatus(alproto, flags);
1077  } else {
1078  uint8_t direction = flags & (STREAM_TOCLIENT | STREAM_TOSERVER);
1079  r = alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateGetProgress(
1080  alstate, direction);
1081  }
1082  SCReturnInt(r);
1083 }
1084 
1085 uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
1086 {
1087  SCEnter();
1088  uint64_t r = alp_ctx.ctxs[f->alproto][f->protomap].StateGetTxCnt(alstate);
1089  SCReturnCT(r, "uint64_t");
1090 }
1091 
1092 void *AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
1093 {
1094  SCEnter();
1095  void *r = alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateGetTx(alstate, tx_id);
1096  SCReturnPtr(r, "void *");
1097 }
1098 
1099 int AppLayerParserGetStateProgressCompletionStatus(AppProto alproto,
1100  uint8_t direction)
1101 {
1102  SCEnter();
1103  int r = StateGetProgressCompletionStatus(alproto, direction);
1104  SCReturnInt(r);
1105 }
1106 
1107 int AppLayerParserGetEventInfo(uint8_t ipproto, AppProto alproto, const char *event_name,
1108  uint8_t *event_id, AppLayerEventType *event_type)
1109 {
1110  SCEnter();
1111  const int ipproto_map = FlowGetProtoMapping(ipproto);
1112  int r = (alp_ctx.ctxs[alproto][ipproto_map].StateGetEventInfo == NULL)
1113  ? -1
1114  : alp_ctx.ctxs[alproto][ipproto_map].StateGetEventInfo(
1115  event_name, event_id, event_type);
1116  SCReturnInt(r);
1117 }
1118 
1119 int AppLayerParserGetEventInfoById(uint8_t ipproto, AppProto alproto, uint8_t event_id,
1120  const char **event_name, AppLayerEventType *event_type)
1121 {
1122  SCEnter();
1123  const int ipproto_map = FlowGetProtoMapping(ipproto);
1124  *event_name = (const char *)NULL;
1125  int r = (alp_ctx.ctxs[alproto][ipproto_map].StateGetEventInfoById == NULL)
1126  ? -1
1127  : alp_ctx.ctxs[alproto][ipproto_map].StateGetEventInfoById(
1128  event_id, event_name, event_type);
1129  SCReturnInt(r);
1130 }
1131 
1132 uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
1133 {
1134  SCEnter();
1135  uint8_t r = alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].first_data_dir;
1136  SCReturnCT(r, "uint8_t");
1137 }
1138 
1139 uint64_t AppLayerParserGetTransactionActive(const Flow *f,
1140  AppLayerParserState *pstate, uint8_t direction)
1141 {
1142  SCEnter();
1143 
1144  uint64_t active_id;
1145  uint64_t log_id = pstate->log_id;
1146  uint64_t inspect_id = pstate->inspect_id[(direction & STREAM_TOSERVER) ? 0 : 1];
1147  if (alp_ctx.ctxs[f->alproto][f->protomap].logger == true) {
1148  active_id = MIN(log_id, inspect_id);
1149  } else {
1150  active_id = inspect_id;
1151  }
1152 
1153  SCReturnCT(active_id, "uint64_t");
1154 }
1155 
1156 bool AppLayerParserSupportsFiles(uint8_t ipproto, AppProto alproto)
1157 {
1158  // Custom case for only signature-only protocol so far
1159  if (alproto == ALPROTO_HTTP) {
1160  return AppLayerParserSupportsFiles(ipproto, ALPROTO_HTTP1) ||
1161  AppLayerParserSupportsFiles(ipproto, ALPROTO_HTTP2);
1162  }
1163  return alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetTxFiles != NULL;
1164 }
1165 
1166 AppLayerTxData *AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx)
1167 {
1168  SCEnter();
1169  AppLayerTxData *d = alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetTxData(tx);
1170  SCReturnPtr(d, "AppLayerTxData");
1171 }
1172 
1173 AppLayerStateData *AppLayerParserGetStateData(uint8_t ipproto, AppProto alproto, void *state)
1174 {
1175  SCEnter();
1176  if (alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetStateData) {
1177  AppLayerStateData *d =
1178  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetStateData(state);
1179  SCReturnPtr(d, "AppLayerStateData");
1180  }
1181  SCReturnPtr(NULL, "AppLayerStateData");
1182 }
1183 
1184 void AppLayerParserApplyTxConfig(uint8_t ipproto, AppProto alproto,
1185  void *state, void *tx, enum ConfigAction mode, AppLayerTxConfig config)
1186 {
1187  SCEnter();
1188  const int ipproto_map = FlowGetProtoMapping(ipproto);
1189  if (alp_ctx.ctxs[alproto][ipproto_map].ApplyTxConfig) {
1190  alp_ctx.ctxs[alproto][ipproto_map].ApplyTxConfig(state, tx, mode, config);
1191  }
1192  SCReturn;
1193 }
1194 
1195 /***** General *****/
1196 
1197 static inline void SetEOFFlags(AppLayerParserState *pstate, const uint8_t flags)
1198 {
1199  if ((flags & (STREAM_EOF|STREAM_TOSERVER)) == (STREAM_EOF|STREAM_TOSERVER)) {
1200  SCLogDebug("setting APP_LAYER_PARSER_EOF_TS");
1201  AppLayerParserStateSetFlag(pstate, APP_LAYER_PARSER_EOF_TS);
1202  } else if ((flags & (STREAM_EOF|STREAM_TOCLIENT)) == (STREAM_EOF|STREAM_TOCLIENT)) {
1203  SCLogDebug("setting APP_LAYER_PARSER_EOF_TC");
1204  AppLayerParserStateSetFlag(pstate, APP_LAYER_PARSER_EOF_TC);
1205  }
1206 }
1207 
1208 /** \internal
1209  * \brief create/close stream frames
1210  * On first invocation of TCP parser in a direction, create a <alproto>.stream frame.
1211  * On STREAM_EOF, set the final length. */
1212 static void HandleStreamFrames(Flow *f, StreamSlice stream_slice, const uint8_t *input,
1213  const uint32_t input_len, const uint8_t flags)
1214 {
1215  const uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
1216  AppLayerParserState *pstate = f->alparser;
1217 
1218  /* setup the generic stream frame */
1219  if (((direction == 0 && (pstate->flags & APP_LAYER_PARSER_SFRAME_TS) == 0) ||
1220  (direction == 1 && (pstate->flags & APP_LAYER_PARSER_SFRAME_TC) == 0)) &&
1221  input != NULL && f->proto == IPPROTO_TCP) {
1222  Frame *frame = AppLayerFrameGetLastOpenByType(f, direction, FRAME_STREAM_TYPE);
1223  if (frame == NULL) {
1224  int64_t frame_len = -1;
1225  if (flags & STREAM_EOF)
1226  frame_len = input_len;
1227 
1228  frame = AppLayerFrameNewByAbsoluteOffset(
1229  f, &stream_slice, stream_slice.offset, frame_len, direction, FRAME_STREAM_TYPE);
1230  if (frame) {
1231  SCLogDebug("opened: frame %p id %" PRIi64, frame, frame->id);
1232  frame->flags = FRAME_FLAG_ENDS_AT_EOF; // TODO logic is not yet implemented
1233  DEBUG_VALIDATE_BUG_ON(
1234  frame->id != 1); // should always be the first frame that is created
1235  }
1236  if (direction == 0) {
1237  pstate->flags |= APP_LAYER_PARSER_SFRAME_TS;
1238  } else {
1239  pstate->flags |= APP_LAYER_PARSER_SFRAME_TC;
1240  }
1241  }
1242  } else if (flags & STREAM_EOF) {
1243  Frame *frame = AppLayerFrameGetLastOpenByType(f, direction, FRAME_STREAM_TYPE);
1244  SCLogDebug("EOF closing: frame %p", frame);
1245  if (frame) {
1246  /* calculate final frame length */
1247  int64_t slice_o = (int64_t)stream_slice.offset - (int64_t)frame->offset;
1248  int64_t frame_len = slice_o + (int64_t)input_len;
1249  SCLogDebug("%s: EOF frame->offset %" PRIu64 " -> %" PRIi64 ": o %" PRIi64,
1250  AppProtoToString(f->alproto), frame->offset, frame_len, slice_o);
1251  frame->len = frame_len;
1252  }
1253  }
1254 }
1255 
1256 static void Setup(Flow *f, const uint8_t direction, const uint8_t *input, uint32_t input_len,
1257  const uint8_t flags, StreamSlice *as)
1258 {
1259  memset(as, 0, sizeof(*as));
1260  as->input = input;
1261  as->input_len = input_len;
1262  as->flags = flags;
1263 
1264  if (f->proto == IPPROTO_TCP && f->protoctx != NULL) {
1265  TcpSession *ssn = f->protoctx;
1266  TcpStream *stream = (direction & STREAM_TOSERVER) ? &ssn->client : &ssn->server;
1267  as->offset = STREAM_APP_PROGRESS(stream);
1268  }
1269 }
1270 
1271 /** \retval int -1 in case of unrecoverable error. App-layer tracking stops for this flow.
1272  * \retval int 0 ok: we did not update app_progress
1273  * \retval int 1 ok: we updated app_progress */
1274 int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto,
1275  uint8_t flags, const uint8_t *input, uint32_t input_len)
1276 {
1277  SCEnter();
1278 #ifdef DEBUG_VALIDATION
1279  BUG_ON(f->protomap != FlowGetProtoMapping(f->proto));
1280 #endif
1281  AppLayerParserState *pstate = f->alparser;
1282  AppLayerParserProtoCtx *p = &alp_ctx.ctxs[alproto][f->protomap];
1283  StreamSlice stream_slice;
1284  void *alstate = NULL;
1285  uint64_t p_tx_cnt = 0;
1286  uint32_t consumed = input_len;
1287  const uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
1288 
1289  /* we don't have the parser registered for this protocol */
1290  if (p->StateAlloc == NULL) {
1291  if (f->proto == IPPROTO_TCP) {
1292  StreamTcpDisableAppLayer(f);
1293  }
1294  goto end;
1295  }
1296 
1297  if (flags & STREAM_GAP) {
1298  if (!(p->option_flags & APP_LAYER_PARSER_OPT_ACCEPT_GAPS)) {
1299  SCLogDebug("app-layer parser does not accept gaps");
1300  if (f->alstate != NULL && !FlowChangeProto(f)) {
1301  AppLayerParserTriggerRawStreamReassembly(f, direction);
1302  }
1303  AppLayerIncGapErrorCounter(tv, f);
1304  goto error;
1305  }
1306  }
1307 
1308  /* Get the parser state (if any) */
1309  if (pstate == NULL) {
1310  f->alparser = pstate = AppLayerParserStateAlloc();
1311  if (pstate == NULL) {
1312  AppLayerIncAllocErrorCounter(tv, f);
1313  goto error;
1314  }
1315  }
1316 
1317  SetEOFFlags(pstate, flags);
1318 
1319  alstate = f->alstate;
1320  if (alstate == NULL || FlowChangeProto(f)) {
1321  f->alstate = alstate = p->StateAlloc(alstate, f->alproto_orig);
1322  if (alstate == NULL) {
1323  AppLayerIncAllocErrorCounter(tv, f);
1324  goto error;
1325  }
1326  SCLogDebug("alloced new app layer state %p (name %s)",
1327  alstate, AppLayerGetProtoName(f->alproto));
1328 
1329  /* set flow flags to state */
1330  if (f->file_flags != 0) {
1331  AppLayerStateData *sd = AppLayerParserGetStateData(f->proto, f->alproto, f->alstate);
1332  if (sd != NULL) {
1333  if ((sd->file_flags & f->file_flags) != f->file_flags) {
1334  SCLogDebug("state data: updating file_flags %04x with flow file_flags %04x",
1335  sd->file_flags, f->file_flags);
1336  sd->file_flags |= f->file_flags;
1337  }
1338  }
1339  }
1340  } else {
1341  SCLogDebug("using existing app layer state %p (name %s))",
1342  alstate, AppLayerGetProtoName(f->alproto));
1343  }
1344 
1345  p_tx_cnt = AppLayerParserGetTxCnt(f, f->alstate);
1346 
1347  /* invoke the recursive parser, but only on data. We may get empty msgs on EOF */
1348  if (input_len > 0 || (flags & STREAM_EOF)) {
1349  Setup(f, flags & (STREAM_TOSERVER | STREAM_TOCLIENT), input, input_len, flags,
1350  &stream_slice);
1351  HandleStreamFrames(f, stream_slice, input, input_len, flags);
1352 
1353 #ifdef DEBUG
1354  if (((stream_slice.flags & STREAM_TOSERVER) &&
1355  stream_slice.offset >= g_eps_applayer_error_offset_ts)) {
1356  SCLogNotice("putting parser %s into an error state from toserver offset %" PRIu64,
1357  AppProtoToString(alproto), g_eps_applayer_error_offset_ts);
1358  AppLayerIncParserErrorCounter(tv, f);
1359  goto error;
1360  }
1361  if (((stream_slice.flags & STREAM_TOCLIENT) &&
1362  stream_slice.offset >= g_eps_applayer_error_offset_tc)) {
1363  SCLogNotice("putting parser %s into an error state from toclient offset %" PRIu64,
1364  AppProtoToString(alproto), g_eps_applayer_error_offset_tc);
1365  AppLayerIncParserErrorCounter(tv, f);
1366  goto error;
1367  }
1368 #endif
1369  /* invoke the parser */
1370  AppLayerResult res = p->Parser[direction](f, alstate, pstate, stream_slice,
1371  alp_tctx->alproto_local_storage[alproto][f->protomap]);
1372  if (res.status < 0) {
1373  AppLayerIncParserErrorCounter(tv, f);
1374  goto error;
1375  } else if (res.status > 0) {
1376  DEBUG_VALIDATE_BUG_ON(res.consumed > input_len);
1377  DEBUG_VALIDATE_BUG_ON(res.needed + res.consumed < input_len);
1378  DEBUG_VALIDATE_BUG_ON(res.needed == 0);
1379  /* incomplete is only supported for TCP */
1380  DEBUG_VALIDATE_BUG_ON(f->proto != IPPROTO_TCP);
1381 
1382  /* put protocol in error state on improper use of the
1383  * return codes. */
1384  if (res.consumed > input_len || res.needed + res.consumed < input_len) {
1385  AppLayerIncInternalErrorCounter(tv, f);
1386  goto error;
1387  }
1388 
1389  if (f->proto == IPPROTO_TCP && f->protoctx != NULL) {
1390  TcpSession *ssn = f->protoctx;
1391  SCLogDebug("direction %d/%s", direction,
1392  (flags & STREAM_TOSERVER) ? "toserver" : "toclient");
1393  if (direction == 0) {
1394  /* parser told us how much data it needs on top of what it
1395  * consumed. So we need tell stream engine how much we need
1396  * before the next call */
1397  ssn->client.data_required = res.needed;
1398  SCLogDebug("setting data_required %u", ssn->client.data_required);
1399  } else {
1400  /* parser told us how much data it needs on top of what it
1401  * consumed. So we need tell stream engine how much we need
1402  * before the next call */
1403  ssn->server.data_required = res.needed;
1404  SCLogDebug("setting data_required %u", ssn->server.data_required);
1405  }
1406  }
1407  consumed = res.consumed;
1408  }
1409  }
1410 
1411  /* set the packets to no inspection and reassembly if required */
1412  if (pstate->flags & APP_LAYER_PARSER_NO_INSPECTION) {
1413  AppLayerParserSetEOF(pstate);
1414 
1415  if (f->proto == IPPROTO_TCP) {
1416  StreamTcpDisableAppLayer(f);
1417 
1418  /* Set the no reassembly flag for both the stream in this TcpSession */
1419  if (pstate->flags & APP_LAYER_PARSER_NO_REASSEMBLY) {
1420  /* Used only if it's TCP */
1421  TcpSession *ssn = f->protoctx;
1422  if (ssn != NULL) {
1423  StreamTcpSetSessionNoReassemblyFlag(ssn, 0);
1424  StreamTcpSetSessionNoReassemblyFlag(ssn, 1);
1425  }
1426  }
1427  /* Set the bypass flag for both the stream in this TcpSession */
1428  if (pstate->flags & APP_LAYER_PARSER_BYPASS_READY) {
1429  /* Used only if it's TCP */
1430  TcpSession *ssn = f->protoctx;
1431  if (ssn != NULL) {
1432  StreamTcpSetSessionBypassFlag(ssn);
1433  }
1434  }
1435  } else {
1436  // for TCP, this is set after flushing
1437  FlowSetNoPayloadInspectionFlag(f);
1438  }
1439  }
1440 
1441  /* In cases like HeartBleed for TLS we need to inspect AppLayer but not Payload */
1442  if (!(f->flags & FLOW_NOPAYLOAD_INSPECTION) && pstate->flags & APP_LAYER_PARSER_NO_INSPECTION_PAYLOAD) {
1443  FlowSetNoPayloadInspectionFlag(f);
1444  /* Set the no reassembly flag for both the stream in this TcpSession */
1445  if (f->proto == IPPROTO_TCP) {
1446  /* Used only if it's TCP */
1447  TcpSession *ssn = f->protoctx;
1448  if (ssn != NULL) {
1449  StreamTcpSetDisableRawReassemblyFlag(ssn, 0);
1450  StreamTcpSetDisableRawReassemblyFlag(ssn, 1);
1451  }
1452  }
1453  }
1454 
1455  /* get the diff in tx cnt for stats keeping */
1456  uint64_t cur_tx_cnt = AppLayerParserGetTxCnt(f, f->alstate);
1457  if (cur_tx_cnt > p_tx_cnt && tv) {
1458  AppLayerIncTxCounter(tv, f, cur_tx_cnt - p_tx_cnt);
1459  }
1460 
1461  end:
1462  /* update app progress */
1463  if (consumed != input_len && f->proto == IPPROTO_TCP && f->protoctx != NULL) {
1464  TcpSession *ssn = f->protoctx;
1465  StreamTcpUpdateAppLayerProgress(ssn, direction, consumed);
1466  SCReturnInt(1);
1467  }
1468 
1469  SCReturnInt(0);
1470  error:
1471  /* Set the no app layer inspection flag for both
1472  * the stream in this Flow */
1473  if (f->proto == IPPROTO_TCP) {
1474  StreamTcpDisableAppLayer(f);
1475  }
1476  AppLayerParserSetEOF(pstate);
1477  SCReturnInt(-1);
1478 }
1479 
1480 void AppLayerParserSetEOF(AppLayerParserState *pstate)
1481 {
1482  SCEnter();
1483 
1484  if (pstate == NULL)
1485  goto end;
1486 
1487  SCLogDebug("setting APP_LAYER_PARSER_EOF_TC and APP_LAYER_PARSER_EOF_TS");
1488  AppLayerParserStateSetFlag(pstate, (APP_LAYER_PARSER_EOF_TS|APP_LAYER_PARSER_EOF_TC));
1489 
1490  end:
1491  SCReturn;
1492 }
1493 
1494 /* return true if there are app parser decoder events. These are
1495  * only the ones that are set during protocol detection. */
1496 bool AppLayerParserHasDecoderEvents(AppLayerParserState *pstate)
1497 {
1498  SCEnter();
1499 
1500  if (pstate == NULL)
1501  return false;
1502 
1503  const AppLayerDecoderEvents *decoder_events = AppLayerParserGetDecoderEvents(pstate);
1504  if (decoder_events && decoder_events->cnt)
1505  return true;
1506 
1507  /* if we have reached here, we don't have events */
1508  return false;
1509 }
1510 
1511 /** \brief simple way to globally test if a alproto is registered
1512  * and fully enabled in the configuration.
1513  */
1514 int AppLayerParserIsEnabled(AppProto alproto)
1515 {
1516  for (int i = 0; i < FLOW_PROTO_APPLAYER_MAX; i++) {
1517  if (alp_ctx.ctxs[alproto][i].StateGetProgress != NULL) {
1518  return 1;
1519  }
1520  }
1521  return 0;
1522 }
1523 
1524 int AppLayerParserProtocolHasLogger(uint8_t ipproto, AppProto alproto)
1525 {
1526  SCEnter();
1527  int ipproto_map = FlowGetProtoMapping(ipproto);
1528  int r = (alp_ctx.ctxs[alproto][ipproto_map].logger == false) ? 0 : 1;
1529  SCReturnInt(r);
1530 }
1531 
1532 LoggerId AppLayerParserProtocolGetLoggerBits(uint8_t ipproto, AppProto alproto)
1533 {
1534  SCEnter();
1535  const int ipproto_map = FlowGetProtoMapping(ipproto);
1536  LoggerId r = alp_ctx.ctxs[alproto][ipproto_map].logger_bits;
1537  SCReturnUInt(r);
1538 }
1539 
1540 void AppLayerParserTriggerRawStreamReassembly(Flow *f, int direction)
1541 {
1542  SCEnter();
1543 
1544  SCLogDebug("f %p tcp %p direction %d", f, f ? f->protoctx : NULL, direction);
1545  if (f != NULL && f->protoctx != NULL)
1546  StreamTcpReassembleTriggerRawReassembly(f->protoctx, direction);
1547 
1548  SCReturn;
1549 }
1550 
1551 void AppLayerParserSetStreamDepth(uint8_t ipproto, AppProto alproto, uint32_t stream_depth)
1552 {
1553  SCEnter();
1554 
1555  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].stream_depth = stream_depth;
1556  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].internal_flags |=
1557  APP_LAYER_PARSER_INT_STREAM_DEPTH_SET;
1558 
1559  SCReturn;
1560 }
1561 
1562 uint32_t AppLayerParserGetStreamDepth(const Flow *f)
1563 {
1564  SCReturnInt(alp_ctx.ctxs[f->alproto][f->protomap].stream_depth);
1565 }
1566 
1567 void AppLayerParserSetStreamDepthFlag(uint8_t ipproto, AppProto alproto, void *state, uint64_t tx_id, uint8_t flags)
1568 {
1569  SCEnter();
1570  void *tx = NULL;
1571  if (state != NULL) {
1572  if ((tx = AppLayerParserGetTx(ipproto, alproto, state, tx_id)) != NULL) {
1573  if (alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].SetStreamDepthFlag != NULL) {
1574  alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].SetStreamDepthFlag(tx, flags);
1575  }
1576  }
1577  }
1578  SCReturn;
1579 }
1580 
1581 int AppLayerParserGetFrameIdByName(uint8_t ipproto, AppProto alproto, const char *name)
1582 {
1583  if (alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetFrameIdByName != NULL) {
1584  return alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetFrameIdByName(name);
1585  } else {
1586  return -1;
1587  }
1588 }
1589 
1590 const char *AppLayerParserGetFrameNameById(uint8_t ipproto, AppProto alproto, const uint8_t id)
1591 {
1592  if (alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetFrameNameById != NULL) {
1593  return alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetFrameNameById(id);
1594  } else {
1595  return NULL;
1596  }
1597 }
1598 
1599 /***** Cleanup *****/
1600 
1601 void AppLayerParserStateProtoCleanup(
1602  uint8_t protomap, AppProto alproto, void *alstate, AppLayerParserState *pstate)
1603 {
1604  SCEnter();
1605 
1606  AppLayerParserProtoCtx *ctx = &alp_ctx.ctxs[alproto][protomap];
1607 
1608  if (ctx->StateFree != NULL && alstate != NULL)
1609  ctx->StateFree(alstate);
1610 
1611  /* free the app layer parser api state */
1612  if (pstate != NULL)
1613  AppLayerParserStateFree(pstate);
1614 
1615  SCReturn;
1616 }
1617 
1618 void AppLayerParserStateCleanup(const Flow *f, void *alstate, AppLayerParserState *pstate)
1619 {
1620  AppLayerParserStateProtoCleanup(f->protomap, f->alproto, alstate, pstate);
1621 }
1622 
1623 static void ValidateParserProtoDump(AppProto alproto, uint8_t ipproto)
1624 {
1625  uint8_t map = FlowGetProtoMapping(ipproto);
1626  const AppLayerParserProtoCtx *ctx = &alp_ctx.ctxs[alproto][map];
1627  printf("ERROR: incomplete app-layer registration\n");
1628  printf("AppLayer protocol %s ipproto %u\n", AppProtoToString(alproto), ipproto);
1629  printf("- option flags %"PRIx32"\n", ctx->option_flags);
1630  printf("- first_data_dir %"PRIx8"\n", ctx->first_data_dir);
1631  printf("Mandatory:\n");
1632  printf("- Parser[0] %p Parser[1] %p\n", ctx->Parser[0], ctx->Parser[1]);
1633  printf("- StateAlloc %p StateFree %p\n", ctx->StateAlloc, ctx->StateFree);
1634  printf("- StateGetTx %p StateGetTxCnt %p StateTransactionFree %p\n",
1635  ctx->StateGetTx, ctx->StateGetTxCnt, ctx->StateTransactionFree);
1636  printf("- GetTxData %p\n", ctx->GetTxData);
1637  printf("- GetStateData %p\n", ctx->GetStateData);
1638  printf("- StateGetProgress %p\n", ctx->StateGetProgress);
1639  printf("Optional:\n");
1640  printf("- LocalStorageAlloc %p LocalStorageFree %p\n", ctx->LocalStorageAlloc, ctx->LocalStorageFree);
1641  printf("- StateGetEventInfo %p StateGetEventInfoById %p\n", ctx->StateGetEventInfo,
1642  ctx->StateGetEventInfoById);
1643 }
1644 
1645 #define BOTH_SET(a, b) ((a) != NULL && (b) != NULL)
1646 #define BOTH_SET_OR_BOTH_UNSET(a, b) (((a) == NULL && (b) == NULL) || ((a) != NULL && (b) != NULL))
1647 #define THREE_SET(a, b, c) ((a) != NULL && (b) != NULL && (c) != NULL)
1648 
1649 static void ValidateParserProto(AppProto alproto, uint8_t ipproto)
1650 {
1651  uint8_t map = FlowGetProtoMapping(ipproto);
1652  const AppLayerParserProtoCtx *ctx = &alp_ctx.ctxs[alproto][map];
1653 
1654  if (ctx->Parser[0] == NULL && ctx->Parser[1] == NULL)
1655  return;
1656 
1657  if (!(BOTH_SET(ctx->Parser[0], ctx->Parser[1]))) {
1658  goto bad;
1659  }
1660  if (!(BOTH_SET(ctx->StateFree, ctx->StateAlloc))) {
1661  goto bad;
1662  }
1663  if (!(THREE_SET(ctx->StateGetTx, ctx->StateGetTxCnt, ctx->StateTransactionFree))) {
1664  goto bad;
1665  }
1666  if (ctx->StateGetProgress == NULL) {
1667  goto bad;
1668  }
1669  /* local storage is optional, but needs both set if used */
1670  if (!(BOTH_SET_OR_BOTH_UNSET(ctx->LocalStorageAlloc, ctx->LocalStorageFree))) {
1671  goto bad;
1672  }
1673  if (ctx->GetTxData == NULL) {
1674  goto bad;
1675  }
1676  if (ctx->GetStateData == NULL) {
1677  goto bad;
1678  }
1679  return;
1680 bad:
1681  ValidateParserProtoDump(alproto, ipproto);
1682  exit(EXIT_FAILURE);
1683 }
1684 #undef BOTH_SET
1685 #undef BOTH_SET_OR_BOTH_UNSET
1686 #undef THREE_SET_OR_THREE_UNSET
1687 #undef THREE_SET
1688 
1689 static void ValidateParser(AppProto alproto)
1690 {
1691  ValidateParserProto(alproto, IPPROTO_TCP);
1692  ValidateParserProto(alproto, IPPROTO_UDP);
1693 }
1694 
1695 static void ValidateParsers(void)
1696 {
1697  AppProto p = 0;
1698  for (; p < g_alproto_max; p++) {
1699  ValidateParser(p);
1700  }
1701 }
1702 
1703 #define ARRAY_CAP_STEP 16
1704 static void (**PreRegisteredCallbacks)(void) = NULL;
1705 static size_t preregistered_callbacks_nb = 0;
1706 static size_t preregistered_callbacks_cap = 0;
1707 
1708 int AppLayerParserPreRegister(void (*Register)(void))
1709 {
1710  if (preregistered_callbacks_nb == preregistered_callbacks_cap) {
1711  void *tmp = SCRealloc(PreRegisteredCallbacks,
1712  sizeof(void *) * (preregistered_callbacks_cap + ARRAY_CAP_STEP));
1713  if (tmp == NULL) {
1714  return 1;
1715  }
1716  preregistered_callbacks_cap += ARRAY_CAP_STEP;
1717  PreRegisteredCallbacks = tmp;
1718  }
1719  PreRegisteredCallbacks[preregistered_callbacks_nb] = Register;
1720  preregistered_callbacks_nb++;
1721  return 0;
1722 }
1723 
1724 void AppLayerParserRegisterProtocolParsers(void)
1725 {
1726  SCEnter();
1727 
1728  AppLayerConfig();
1729 
1730  RegisterHTPParsers();
1731  RegisterSSLParsers();
1732  rs_dcerpc_register_parser();
1733  rs_dcerpc_udp_register_parser();
1734  RegisterSMBParsers();
1735  RegisterFTPParsers();
1736  RegisterSSHParsers();
1737  RegisterSMTPParsers();
1738  SCRegisterDnsUdpParser();
1739  SCRegisterDnsTcpParser();
1740  rs_bittorrent_dht_udp_register_parser();
1741  RegisterModbusParsers();
1742  SCEnipRegisterParsers();
1743  RegisterDNP3Parsers();
1744  RegisterNFSTCPParsers();
1745  RegisterNFSUDPParsers();
1746  rs_register_ntp_parser();
1747  RegisterTFTPParsers();
1748  RegisterIKEParsers();
1749  rs_register_krb5_parser();
1750  rs_dhcp_register_parser();
1751  rs_register_snmp_parser();
1752  rs_sip_register_parser();
1753  rs_quic_register_parser();
1754  rs_websocket_register_parser();
1755  SCRegisterLdapTcpParser();
1756  SCRegisterLdapUdpParser();
1757  rs_template_register_parser();
1758  SCRfbRegisterParser();
1759  SCMqttRegisterParser();
1760  SCRegisterPgsqlParser();
1761  rs_rdp_register_parser();
1762  RegisterHTTP2Parsers();
1763  rs_telnet_register_parser();
1764  RegisterIMAPParsers();
1765 
1766  /** POP3 */
1767  AppLayerProtoDetectRegisterProtocol(ALPROTO_POP3, "pop3");
1768  if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", "pop3")) {
1769  if (AppLayerProtoDetectPMRegisterPatternCS(
1770  IPPROTO_TCP, ALPROTO_POP3, "+OK ", 4, 0, STREAM_TOCLIENT) < 0) {
1771  FatalError("pop3 proto registration failure");
1772  }
1773  } else {
1774  SCLogInfo("Protocol detection and parser disabled for pop3 protocol.");
1775  }
1776  for (size_t i = 0; i < preregistered_callbacks_nb; i++) {
1777  PreRegisteredCallbacks[i]();
1778  }
1779 
1780  ValidateParsers();
1781 }
1782 
1783 
1784 /* coccinelle: AppLayerParserStateSetFlag():2,2:APP_LAYER_PARSER_ */
1785 void AppLayerParserStateSetFlag(AppLayerParserState *pstate, uint16_t flag)
1786 {
1787  SCEnter();
1788  pstate->flags |= flag;
1789  SCReturn;
1790 }
1791 
1792 /* coccinelle: AppLayerParserStateIssetFlag():2,2:APP_LAYER_PARSER_ */
1793 uint16_t AppLayerParserStateIssetFlag(AppLayerParserState *pstate, uint16_t flag)
1794 {
1795  SCEnter();
1796  SCReturnUInt(pstate->flags & flag);
1797 }
1798 
1799 /***** Unittests *****/
1800 
1801 #ifdef UNITTESTS
1802 #include "util-unittest-helper.h"
1803 
1804 void AppLayerParserRegisterProtocolUnittests(uint8_t ipproto, AppProto alproto,
1805  void (*RegisterUnittests)(void))
1806 {
1807  SCEnter();
1808  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
1809  RegisterUnittests = RegisterUnittests;
1810  SCReturn;
1811 }
1812 
1813 void AppLayerParserRegisterUnittests(void)
1814 {
1815  SCEnter();
1816 
1817  int ip;
1818  AppProto alproto;
1819  AppLayerParserProtoCtx *ctx;
1820 
1821  for (ip = 0; ip < FLOW_PROTO_DEFAULT; ip++) {
1822  for (alproto = 0; alproto < g_alproto_max; alproto++) {
1823  ctx = &alp_ctx.ctxs[alproto][ip];
1824  if (ctx->RegisterUnittests == NULL)
1825  continue;
1826  ctx->RegisterUnittests();
1827  }
1828  }
1829 
1830  SCReturn;
1831 }
1832 
1833 #endif
app-layer-nfs-udp.h
AppLayerParserRegisterGetStateProgressFunc
void AppLayerParserRegisterGetStateProgressFunc(uint8_t ipproto, AppProto alproto, int(*StateGetProgress)(void *alstate, uint8_t direction))
Definition: app-layer-parser.c:475
AppLayerParserDeSetup
int AppLayerParserDeSetup(void)
Definition: app-layer-parser.c:273
TcpStream_
Definition: stream-tcp-private.h:106
AppLayerParserProtoCtx_::GetStateData
AppLayerStateData *(* GetStateData)(void *state)
Definition: app-layer-parser.c:101
ts
uint64_t ts
Definition: source-erf-file.c:55
AppLayerParserProtoCtx_::StateGetTxCnt
uint64_t(* StateGetTxCnt)(void *alstate)
Definition: app-layer-parser.c:91
g_applayerparser_error_policy
enum ExceptionPolicy g_applayerparser_error_policy
Definition: app-layer-parser.c:149
AppLayerParserProtoCtx_::logger_bits
uint32_t logger_bits
Definition: app-layer-parser.c:78
AppLayerParserProtoCtx_::complete_tc
int complete_tc
Definition: app-layer-parser.c:95
AppLayerParserProtoCtx_::GetTxData
AppLayerTxData *(* GetTxData)(void *tx)
Definition: app-layer-parser.c:102
app-layer-tftp.h
AppLayerParserState_::log_id
uint64_t log_id
Definition: app-layer-parser.c:139
RegisterSMBParsers
void RegisterSMBParsers(void)
Definition: app-layer-smb.c:45
app-layer-ssh.h
RegisterIKEParsers
void RegisterIKEParsers(void)
Definition: app-layer-ike.c:40
AppLayerParserIsEnabled
int AppLayerParserIsEnabled(AppProto alproto)
simple way to globally test if a alproto is registered and fully enabled in the configuration.
Definition: app-layer-parser.c:1514
AppLayerParserRegisterLocalStorageFunc
void AppLayerParserRegisterLocalStorageFunc(uint8_t ipproto, AppProto alproto, void *(*LocalStorageAlloc)(void), void(*LocalStorageFree)(void *))
Definition: app-layer-parser.c:435
BOTH_SET
#define BOTH_SET(a, b)
Definition: app-layer-parser.c:1645
AppLayerParserProtocolHasLogger
int AppLayerParserProtocolHasLogger(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1524
AppLayerParserRegisterOptionFlags
void AppLayerParserRegisterOptionFlags(uint8_t ipproto, AppProto alproto, uint32_t flags)
Definition: app-layer-parser.c:414
flow-util.h
FramesFree
void FramesFree(Frames *frames)
Definition: app-layer-frames.c:447
AppLayerParserSetStreamDepthFlag
void AppLayerParserSetStreamDepthFlag(uint8_t ipproto, AppProto alproto, void *state, uint64_t tx_id, uint8_t flags)
Definition: app-layer-parser.c:1567
AppLayerParserSetTransactionLogId
void AppLayerParserSetTransactionLogId(AppLayerParserState *pstate, uint64_t tx_id)
Definition: app-layer-parser.c:687
g_filedata_logger_enabled
bool g_filedata_logger_enabled
Definition: output-filedata.c:37
AppLayerParserSetStreamDepth
void AppLayerParserSetStreamDepth(uint8_t ipproto, AppProto alproto, uint32_t stream_depth)
Definition: app-layer-parser.c:1551
ConfNode_::val
char * val
Definition: conf.h:34
stream-tcp.h
AppLayerParserApplyTxConfig
void AppLayerParserApplyTxConfig(uint8_t ipproto, AppProto alproto, void *state, void *tx, enum ConfigAction mode, AppLayerTxConfig config)
Definition: app-layer-parser.c:1184
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
AppLayerParserTransactionsCleanup
void AppLayerParserTransactionsCleanup(Flow *f, const uint8_t pkt_dir)
remove obsolete (inspected and logged) transactions
Definition: app-layer-parser.c:882
AppLayerParserGetProtocolParserLocalStorage
void * AppLayerParserGetProtocolParserLocalStorage(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:613
AppLayerParserProtoCtx_::LocalStorageFree
void(* LocalStorageFree)(void *)
Definition: app-layer-parser.c:84
AppLayerParserProtoCtx_
App layer protocol parser context.
Definition: app-layer-parser.c:67
RegisterSSHParsers
void RegisterSSHParsers(void)
Function to register the SSH protocol parsers and other functions.
Definition: app-layer-ssh.c:81
AppLayerParserProtoCtx_::StateGetTx
void *(* StateGetTx)(void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:92
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
AppLayerParserSetTransactionInspectId
void AppLayerParserSetTransactionInspectId(const Flow *f, AppLayerParserState *pstate, void *alstate, const uint8_t flags, bool tag_txs_as_inspected)
Definition: app-layer-parser.c:728
APP_LAYER_PARSER_BYPASS_READY
#define APP_LAYER_PARSER_BYPASS_READY
Definition: app-layer-parser.h:38
AppLayerParserGetEventsByTx
AppLayerDecoderEvents * AppLayerParserGetEventsByTx(uint8_t ipproto, AppProto alproto, void *tx)
Definition: app-layer-parser.c:836
AppLayerGetTxIterator
AppLayerGetTxIteratorFunc AppLayerGetTxIterator(const uint8_t ipproto, const AppProto alproto)
Definition: app-layer-parser.c:672
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
RegisterModbusParsers
void RegisterModbusParsers(void)
Function to register the Modbus protocol parser.
Definition: app-layer-modbus.c:49
Flow_::proto
uint8_t proto
Definition: flow.h:379
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:85
StreamTcpSetDisableRawReassemblyFlag
void StreamTcpSetDisableRawReassemblyFlag(TcpSession *, char)
Set the No reassembly flag for the given direction in given TCP session.
Definition: stream-tcp.c:6703
AppLayerFramesSetupContainer
FramesContainer * AppLayerFramesSetupContainer(Flow *f)
Definition: app-layer-parser.c:180
AppLayerParserConfParserEnabled
int AppLayerParserConfParserEnabled(const char *ipproto, const char *alproto_name)
check if a parser is enabled in the config Returns enabled always if: were running unittests
Definition: app-layer-parser.c:333
AppLayerParserGetStateProgress
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
Definition: app-layer-parser.c:1070
AppLayerParserTriggerRawStreamReassembly
void AppLayerParserTriggerRawStreamReassembly(Flow *f, int direction)
Definition: app-layer-parser.c:1540
ALPROTO_POP3
@ ALPROTO_POP3
Definition: app-layer-protos.h:72
FramesContainer::toserver
Frames toserver
Definition: app-layer-frames.h:72
ConfGetNode
ConfNode * ConfGetNode(const char *name)
Get a ConfNode by name.
Definition: conf.c:181
Frame::offset
uint64_t offset
Definition: app-layer-frames.h:49
TcpStreamCnf_::reassembly_depth
uint32_t reassembly_depth
Definition: stream-tcp.h:75
Frame
Definition: app-layer-frames.h:43
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:357
AppLayerIncGapErrorCounter
void AppLayerIncGapErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:162
APP_LAYER_PARSER_INT_STREAM_DEPTH_SET
#define APP_LAYER_PARSER_INT_STREAM_DEPTH_SET
Definition: app-layer-parser.h:48
StreamTcpReassembleTriggerRawReassembly
void StreamTcpReassembleTriggerRawReassembly(TcpSession *ssn, int direction)
Trigger RAW stream reassembly.
Definition: stream-tcp-reassemble.c:2156
LoggerId
LoggerId
Definition: suricata-common.h:460
Flow_::protomap
uint8_t protomap
Definition: flow.h:446
AppLayerParserGetTransactionLogId
uint64_t AppLayerParserGetTransactionLogId(AppLayerParserState *pstate)
Definition: app-layer-parser.c:680
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:40
ctx
struct Thresholds ctx
AppLayerParserSupportsFiles
bool AppLayerParserSupportsFiles(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1156
AppLayerParserRegisterStateProgressCompletionStatus
void AppLayerParserRegisterStateProgressCompletionStatus(AppProto alproto, const int ts, const int tc)
Definition: app-layer-parser.c:523
AppLayerParserRegisterParserAcceptableDataDirection
void AppLayerParserRegisterParserAcceptableDataDirection(uint8_t ipproto, AppProto alproto, uint8_t direction)
Definition: app-layer-parser.c:403
AppLayerParserGetStateProgressCompletionStatus
int AppLayerParserGetStateProgressCompletionStatus(AppProto alproto, uint8_t direction)
Definition: app-layer-parser.c:1099
AppLayerParserGetFirstDataDir
uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1132
AppLayerParserProtoIsRegistered
int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:217
AppLayerParserRegisterTxFreeFunc
void AppLayerParserRegisterTxFreeFunc(uint8_t ipproto, AppProto alproto, void(*StateTransactionFree)(void *, uint64_t))
Definition: app-layer-parser.c:485
FLOW_NOPAYLOAD_INSPECTION
#define FLOW_NOPAYLOAD_INSPECTION
Definition: flow.h:66
Frame::id
int64_t id
Definition: app-layer-frames.h:51
APP_LAYER_TX_SKIP_INSPECT_FLAG
#define APP_LAYER_TX_SKIP_INSPECT_FLAG
Definition: app-layer-parser.h:78
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:457
AppLayerParserStateProtoCleanup
void AppLayerParserStateProtoCleanup(uint8_t protomap, AppProto alproto, void *alstate, AppLayerParserState *pstate)
Definition: app-layer-parser.c:1601
AppLayerParserProtoCtx_::StateGetTxIterator
AppLayerGetTxIteratorFunc StateGetTxIterator
Definition: app-layer-parser.c:93
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:312
MIN
#define MIN(x, y)
Definition: suricata-common.h:391
AppLayerDecoderEventsFreeEvents
void AppLayerDecoderEventsFreeEvents(AppLayerDecoderEvents **events)
Definition: app-layer-events.c:136
StreamTcpUpdateAppLayerProgress
void StreamTcpUpdateAppLayerProgress(TcpSession *ssn, char direction, const uint32_t progress)
update reassembly progress
Definition: stream-tcp.c:6667
FramesContainer
Definition: app-layer-frames.h:71
APP_LAYER_TX_INSPECTED_FLAG
#define APP_LAYER_TX_INSPECTED_FLAG
Definition: app-layer-parser.h:80
FLOW_PROTO_MAX
@ FLOW_PROTO_MAX
Definition: flow-private.h:74
AppLayerParserGetStateData
AppLayerStateData * AppLayerParserGetStateData(uint8_t ipproto, AppProto alproto, void *state)
Definition: app-layer-parser.c:1173
app-layer-http2.h
app-layer-ftp.h
AppLayerFrameNewByAbsoluteOffset
Frame * AppLayerFrameNewByAbsoluteOffset(Flow *f, const StreamSlice *stream_slice, const uint64_t frame_start, const int64_t len, int dir, uint8_t frame_type)
create new frame using the absolute offset from the start of the stream
Definition: app-layer-frames.c:598
AppLayerFrameGetLastOpenByType
Frame * AppLayerFrameGetLastOpenByType(Flow *f, const int dir, const uint8_t frame_type)
Definition: app-layer-frames.c:712
stream_config
TcpStreamCnf stream_config
Definition: stream-tcp.c:219
MAX
#define MAX(x, y)
Definition: suricata-common.h:395
APP_LAYER_PARSER_EOF_TS
#define APP_LAYER_PARSER_EOF_TS
Definition: app-layer-parser.h:39
Flow_::protoctx
void * protoctx
Definition: flow.h:442
TcpStream_::data_required
uint32_t data_required
Definition: stream-tcp-private.h:133
AppLayerIncAllocErrorCounter
void AppLayerIncAllocErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:170
EXCEPTION_POLICY_NOT_SET
@ EXCEPTION_POLICY_NOT_SET
Definition: util-exception-policy-types.h:26
ExceptionPolicyParse
enum ExceptionPolicy ExceptionPolicyParse(const char *option, bool support_flow)
Definition: util-exception-policy.c:232
AppLayerParserRegisterUnittests
void AppLayerParserRegisterUnittests(void)
Definition: app-layer-parser.c:1813
AppLayerParserGetTransactionInspectId
uint64_t AppLayerParserGetTransactionInspectId(AppLayerParserState *pstate, uint8_t direction)
Definition: app-layer-parser.c:697
AppLayerDecoderEvents_
Data structure to store app layer decoder events.
Definition: app-layer-events.h:36
AppLayerParserProtoCtx_::ApplyTxConfig
bool(* ApplyTxConfig)(void *state, void *tx, int mode, AppLayerTxConfig)
Definition: app-layer-parser.c:103
FlowGetReverseProtoMapping
uint8_t FlowGetReverseProtoMapping(uint8_t rproto)
Definition: flow-util.c:112
RegisterDNP3Parsers
void RegisterDNP3Parsers(void)
Register the DNP3 application protocol parser.
Definition: app-layer-dnp3.c:1532
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:536
util-unittest-helper.h
AppLayerParserProtoCtx_::StateGetEventInfoById
int(* StateGetEventInfoById)(uint8_t event_id, const char **event_name, AppLayerEventType *event_type)
Definition: app-layer-parser.c:96
FTPParserCleanup
void FTPParserCleanup(void)
Free memory allocated for global FTP parser state.
Definition: app-layer-ftp.c:1484
AppLayerParserGetTxFiles
AppLayerGetFileState AppLayerParserGetTxFiles(const Flow *f, void *tx, const uint8_t direction)
Definition: app-layer-parser.c:852
AppLayerParserState_::flags
uint16_t flags
Definition: app-layer-parser.c:131
Flow_::sgh_toserver
const struct SigGroupHead_ * sgh_toserver
Definition: flow.h:484
AppLayerParserState_::inspect_id
uint64_t inspect_id[2]
Definition: app-layer-parser.c:135
AppLayerParserFPtr
AppLayerResult(* AppLayerParserFPtr)(Flow *f, void *protocol_state, AppLayerParserState *pstate, StreamSlice stream_slice, void *local_storage)
Prototype for parsing functions.
Definition: app-layer-parser.h:140
AppLayerParserCtx
struct AppLayerParserCtx_ AppLayerParserCtx
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:476
AppLayerParserRegisterProtocolParsers
void AppLayerParserRegisterProtocolParsers(void)
Definition: app-layer-parser.c:1724
app-layer-detect-proto.h
APP_LAYER_PARSER_SFRAME_TS
#define APP_LAYER_PARSER_SFRAME_TS
Definition: app-layer-parser.h:42
app-layer-htp.h
FramesContainer::toclient
Frames toclient
Definition: app-layer-frames.h:73
AppLayerParserProtoCtx_::stream_depth
uint32_t stream_depth
Definition: app-layer-parser.c:111
AppLayerParserState_
Definition: app-layer-parser.c:129
AppLayerParserGetEventInfoById
int AppLayerParserGetEventInfoById(uint8_t ipproto, AppProto alproto, uint8_t event_id, const char **event_name, AppLayerEventType *event_type)
Definition: app-layer-parser.c:1119
AppLayerParserProtoCtx_::GetFrameIdByName
AppLayerParserGetFrameIdByNameFn GetFrameIdByName
Definition: app-layer-parser.c:107
AppLayerParserGetFrameNameById
const char * AppLayerParserGetFrameNameById(uint8_t ipproto, AppProto alproto, const uint8_t id)
Definition: app-layer-parser.c:1590
g_alproto_max
AppProto g_alproto_max
Definition: app-layer-protos.c:29
AppLayerParserGetTransactionActive
uint64_t AppLayerParserGetTransactionActive(const Flow *f, AppLayerParserState *pstate, uint8_t direction)
Definition: app-layer-parser.c:1139
AppLayerParserProtoCtx_::logger
bool logger
Definition: app-layer-parser.c:71
app-layer-ike.h
AppLayerFramesFreeContainer
void AppLayerFramesFreeContainer(Flow *f)
Definition: app-layer-parser.c:165
app-layer-dnp3.h
AppLayerParserThreadCtx_::alproto_local_storage
void *(* alproto_local_storage)[FLOW_PROTO_MAX]
Definition: app-layer-parser.c:59
AppLayerParserGetTxDetectFlags
uint64_t AppLayerParserGetTxDetectFlags(AppLayerTxData *txd, const uint8_t dir)
Definition: app-layer-parser.c:707
AppLayerParserProtoCtx_::StateGetEventInfo
int(* StateGetEventInfo)(const char *event_name, uint8_t *event_id, AppLayerEventType *event_type)
Definition: app-layer-parser.c:98
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
AppLayerParserRegisterLogger
void AppLayerParserRegisterLogger(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:466
AppLayerParserRegisterGetFrameFuncs
void AppLayerParserRegisterGetFrameFuncs(uint8_t ipproto, AppProto alproto, AppLayerParserGetFrameIdByNameFn GetIdByNameFunc, AppLayerParserGetFrameNameByIdFn GetNameByIdFunc)
Definition: app-layer-parser.c:550
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
AppLayerParserProtoCtx_::SetStreamDepthFlag
void(* SetStreamDepthFlag)(void *tx, uint8_t flags)
Definition: app-layer-parser.c:105
AppLayerParserState_::min_id
uint64_t min_id
Definition: app-layer-parser.c:141
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
AppLayerParserRegisterLoggerBits
void AppLayerParserRegisterLoggerBits(uint8_t ipproto, AppProto alproto, LoggerId bits)
Definition: app-layer-parser.c:457
AppLayerParserRegisterStateFuncs
void AppLayerParserRegisterStateFuncs(uint8_t ipproto, AppProto alproto, void *(*StateAlloc)(void *, AppProto), void(*StateFree)(void *))
Definition: app-layer-parser.c:424
FLOW_PROTO_DEFAULT
@ FLOW_PROTO_DEFAULT
Definition: flow-private.h:71
APP_LAYER_PARSER_NO_REASSEMBLY
#define APP_LAYER_PARSER_NO_REASSEMBLY
Definition: app-layer-parser.h:36
IS_DISRUPTED
#define IS_DISRUPTED(flags)
Definition: app-layer-parser.c:873
AppLayerParserSetEOF
void AppLayerParserSetEOF(AppLayerParserState *pstate)
Definition: app-layer-parser.c:1480
AppLayerParserProtoCtx_::RegisterUnittests
void(* RegisterUnittests)(void)
Definition: app-layer-parser.c:121
AppLayerParserStateFree
void AppLayerParserStateFree(AppLayerParserState *pstate)
Definition: app-layer-parser.c:236
app-layer-parser.h
AppLayerParserStateCleanup
void AppLayerParserStateCleanup(const Flow *f, void *alstate, AppLayerParserState *pstate)
Definition: app-layer-parser.c:1618
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:300
AppLayerDecoderEvents_::cnt
uint8_t cnt
Definition: app-layer-events.h:40
Flow_::sgh_toclient
const struct SigGroupHead_ * sgh_toclient
Definition: flow.h:481
RegisterNFSTCPParsers
void RegisterNFSTCPParsers(void)
Definition: app-layer-nfs-tcp.c:46
AppLayerParserRegisterGetEventInfo
void AppLayerParserRegisterGetEventInfo(uint8_t ipproto, AppProto alproto, int(*StateGetEventInfo)(const char *event_name, uint8_t *event_id, AppLayerEventType *event_type))
Definition: app-layer-parser.c:560
AppLayerParserProtoCtx_::GetFrameNameById
AppLayerParserGetFrameNameByIdFn GetFrameNameById
Definition: app-layer-parser.c:108
AppLayerParserProtoCtx
struct AppLayerParserProtoCtx_ AppLayerParserProtoCtx
App layer protocol parser context.
AppLayerParserSetup
int AppLayerParserSetup(void)
Definition: app-layer-parser.c:248
SCReturn
#define SCReturn
Definition: util-debug.h:273
RegisterFTPParsers
void RegisterFTPParsers(void)
Definition: app-layer-ftp.c:1350
AppLayerParserRegisterProtocolUnittests
void AppLayerParserRegisterProtocolUnittests(uint8_t ipproto, AppProto alproto, void(*RegisterUnittests)(void))
Definition: app-layer-parser.c:1804
AppLayerGetTxIterState
Definition: app-layer-parser.h:143
AppLayerParserProtoCtx_::StateAlloc
void *(* StateAlloc)(void *, AppProto)
Definition: app-layer-parser.c:80
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:98
RegisterTFTPParsers
void RegisterTFTPParsers(void)
Definition: app-layer-tftp.c:155
FLOW_PROTO_APPLAYER_MAX
#define FLOW_PROTO_APPLAYER_MAX
Definition: flow-private.h:77
APP_LAYER_PARSER_EOF_TC
#define APP_LAYER_PARSER_EOF_TC
Definition: app-layer-parser.h:40
SCReturnUInt
#define SCReturnUInt(x)
Definition: util-debug.h:277
DEBUG_ASSERT_FLOW_LOCKED
#define DEBUG_ASSERT_FLOW_LOCKED(f)
Definition: util-validate.h:99
BOTH_SET_OR_BOTH_UNSET
#define BOTH_SET_OR_BOTH_UNSET(a, b)
Definition: app-layer-parser.c:1646
Frame::len
int64_t len
Definition: app-layer-frames.h:50
name
const char * name
Definition: tm-threads.c:2081
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
AppLayerParserProtoCtx_::StateFree
void(* StateFree)(void *)
Definition: app-layer-parser.c:81
AppLayerParserRegisterGetTxFilesFunc
void AppLayerParserRegisterGetTxFilesFunc(uint8_t ipproto, AppProto alproto, AppLayerGetFileState(*GetTxFiles)(void *, uint8_t))
Definition: app-layer-parser.c:447
AppLayerProtoDetectRegisterProtocol
void AppLayerProtoDetectRegisterProtocol(AppProto alproto, const char *alproto_name)
Registers a protocol for protocol detection phase.
Definition: app-layer-detect-proto.c:1782
AppLayerParserRegisterSetStreamDepthFlag
void AppLayerParserRegisterSetStreamDepthFlag(uint8_t ipproto, AppProto alproto, void(*SetStreamDepthFlag)(void *tx, uint8_t flags))
Definition: app-layer-parser.c:601
APP_LAYER_PARSER_SFRAME_TC
#define APP_LAYER_PARSER_SFRAME_TC
Definition: app-layer-parser.h:43
AppLayerIncParserErrorCounter
void AppLayerIncParserErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:178
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:70
RunmodeIsUnittests
int RunmodeIsUnittests(void)
Definition: suricata.c:251
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:224
APP_LAYER_PARSER_NO_INSPECTION
#define APP_LAYER_PARSER_NO_INSPECTION
Definition: app-layer-parser.h:35
AppLayerParserGetTx
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:1092
g_detect_disabled
int g_detect_disabled
Definition: suricata.c:183
AppLayerParserRegisterParser
int AppLayerParserRegisterParser(uint8_t ipproto, AppProto alproto, uint8_t direction, AppLayerParserFPtr Parser)
Register app layer parser for the protocol.
Definition: app-layer-parser.c:391
app-layer-imap.h
Frame::flags
uint8_t flags
Definition: app-layer-frames.h:45
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:285
AppLayerParserRegisterGetTx
void AppLayerParserRegisterGetTx(uint8_t ipproto, AppProto alproto, void *(StateGetTx)(void *alstate, uint64_t tx_id))
Definition: app-layer-parser.c:505
ConfigAction
ConfigAction
Definition: util-config.h:27
AppLayerParserStateSetFlag
void AppLayerParserStateSetFlag(AppLayerParserState *pstate, uint16_t flag)
Definition: app-layer-parser.c:1785
AppLayerParserProtoCtx_::Parser
AppLayerParserFPtr Parser[2]
Definition: app-layer-parser.c:69
app-layer-modbus.h
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: detect.h:1371
AppLayerParserProtoCtx_::StateTransactionFree
void(* StateTransactionFree)(void *, uint64_t)
Definition: app-layer-parser.c:82
app-layer-frames.h
AppLayerParserPreRegister
int AppLayerParserPreRegister(void(*Register)(void))
Definition: app-layer-parser.c:1708
RegisterSSLParsers
void RegisterSSLParsers(void)
Function to register the SSL protocol parser and other functions.
Definition: app-layer-ssl.c:3209
AppLayerParserProtoCtx_::option_flags
uint32_t option_flags
Definition: app-layer-parser.c:114
StreamTcpSetSessionNoReassemblyFlag
void StreamTcpSetSessionNoReassemblyFlag(TcpSession *, char)
disable reassembly
Definition: stream-tcp.c:6687
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1274
AppLayerParserGetFrameNameByIdFn
const char *(* AppLayerParserGetFrameNameByIdFn)(const uint8_t id)
Definition: app-layer-parser.h:159
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:448
suricata-common.h
AppLayerParserCtx_::ctxs
AppLayerParserProtoCtx(* ctxs)[FLOW_PROTO_MAX]
Definition: app-layer-parser.c:126
AppLayerParserGetFrameIdByName
int AppLayerParserGetFrameIdByName(uint8_t ipproto, AppProto alproto, const char *name)
Definition: app-layer-parser.c:1581
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
AppLayerParserProtoCtx_::internal_flags
uint32_t internal_flags
Definition: app-layer-parser.c:117
AppLayerParserRegisterApplyTxConfigFunc
void AppLayerParserRegisterApplyTxConfigFunc(uint8_t ipproto, AppProto alproto, bool(*ApplyTxConfig)(void *state, void *tx, int mode, AppLayerTxConfig))
Definition: app-layer-parser.c:591
AppLayerParserRegisterStateDataFunc
void AppLayerParserRegisterStateDataFunc(uint8_t ipproto, AppProto alproto, AppLayerStateData *(*GetStateData)(void *state))
Definition: app-layer-parser.c:581
FilesPrune
void FilesPrune(FileContainer *fc, const StreamingBufferConfig *sbcfg, const bool trunc)
Definition: util-file.c:1207
AppLayerIncInternalErrorCounter
void AppLayerIncInternalErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:186
AppLayerParserGetTxData
AppLayerTxData * AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx)
Definition: app-layer-parser.c:1166
FatalError
#define FatalError(...)
Definition: util-debug.h:502
AppLayerParserRegisterTxDataFunc
void AppLayerParserRegisterTxDataFunc(uint8_t ipproto, AppProto alproto, AppLayerTxData *(*GetTxData)(void *tx))
Definition: app-layer-parser.c:571
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:297
AppLayerParserGetStreamDepth
uint32_t AppLayerParserGetStreamDepth(const Flow *f)
Definition: app-layer-parser.c:1562
RegisterIMAPParsers
void RegisterIMAPParsers(void)
Definition: app-layer-imap.c:84
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
AppLayerParserProtoCtx_::GetTxFiles
AppLayerGetFileState(* GetTxFiles)(void *, uint8_t)
Definition: app-layer-parser.c:88
util-validate.h
FRAME_STREAM_TYPE
#define FRAME_STREAM_TYPE
Definition: app-layer-frames.h:30
APP_LAYER_PARSER_OPT_ACCEPT_GAPS
#define APP_LAYER_PARSER_OPT_ACCEPT_GAPS
Definition: app-layer-parser.h:46
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:296
AppLayerParserRegisterGetTxIterator
void AppLayerParserRegisterGetTxIterator(uint8_t ipproto, AppProto alproto, AppLayerGetTxIteratorFunc Func)
Definition: app-layer-parser.c:515
AppLayerFramesGetContainer
FramesContainer * AppLayerFramesGetContainer(Flow *f)
Definition: app-layer-parser.c:173
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
AppLayerParserProtoCtx_::complete_ts
int complete_ts
Definition: app-layer-parser.c:94
SCFree
#define SCFree(p)
Definition: util-mem.h:61
ConfNode_
Definition: conf.h:32
Flow_::alstate
void * alstate
Definition: flow.h:477
AppLayerParserPostStreamSetup
void AppLayerParserPostStreamSetup(void)
Definition: app-layer-parser.c:260
Flow_::flags
uint32_t flags
Definition: flow.h:422
AppLayerParserGetDecoderEvents
AppLayerDecoderEvents * AppLayerParserGetDecoderEvents(AppLayerParserState *pstate)
Definition: app-layer-parser.c:828
THREE_SET
#define THREE_SET(a, b, c)
Definition: app-layer-parser.c:1647
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:1006
UTHAppLayerParserStateGetIds
void UTHAppLayerParserStateGetIds(void *ptr, uint64_t *i1, uint64_t *i2, uint64_t *log, uint64_t *min)
Definition: app-layer-parser.c:203
ConfValIsFalse
int ConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:561
RegisterHTPParsers
void RegisterHTPParsers(void)
Register the HTTP protocol and state handling functions to APP layer of the engine.
Definition: app-layer-htp.c:2825
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:76
AppLayerIncTxCounter
void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
Definition: app-layer.c:154
FRAME_FLAG_ENDS_AT_EOF
#define FRAME_FLAG_ENDS_AT_EOF
Definition: app-layer-frames.h:38
RegisterSMTPParsers
void RegisterSMTPParsers(void)
Register the SMTP Protocol parser.
Definition: app-layer-smtp.c:1866
AppLayerParserStateAlloc
AppLayerParserState * AppLayerParserStateAlloc(void)
Definition: app-layer-parser.c:224
SCReturnCT
#define SCReturnCT(x, type)
Definition: util-debug.h:285
AppLayerParserState_::decoder_events
AppLayerDecoderEvents * decoder_events
Definition: app-layer-parser.c:144
AppLayerParserRegisterGetTxCnt
void AppLayerParserRegisterGetTxCnt(uint8_t ipproto, AppProto alproto, uint64_t(*StateGetTxCnt)(void *alstate))
Definition: app-layer-parser.c:495
app-layer-smb.h
AppLayerParserProtoCtx_::StateGetProgress
int(* StateGetProgress)(void *alstate, uint8_t direction)
Definition: app-layer-parser.c:90
AppLayerParserProtocolGetLoggerBits
LoggerId AppLayerParserProtocolGetLoggerBits(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1532
AppLayerParserCtx_
Definition: app-layer-parser.c:125
AppLayerParserRegisterGetEventInfoById
void AppLayerParserRegisterGetEventInfoById(uint8_t ipproto, AppProto alproto, int(*StateGetEventInfoById)(uint8_t event_id, const char **event_name, AppLayerEventType *event_type))
Definition: app-layer-parser.c:538
AppLayerGetTxIteratorFunc
AppLayerGetTxIterTuple(* AppLayerGetTxIteratorFunc)(const uint8_t ipproto, const AppProto alproto, void *alstate, uint64_t min_tx_id, uint64_t max_tx_id, AppLayerGetTxIterState *state)
tx iterator prototype
Definition: app-layer-parser.h:152
g_file_logger_enabled
bool g_file_logger_enabled
Definition: output-file.c:39
likely
#define likely(expr)
Definition: util-optimize.h:32
RegisterHTTP2Parsers
void RegisterHTTP2Parsers(void)
Definition: app-layer-http2.c:57
STREAM_APP_PROGRESS
#define STREAM_APP_PROGRESS(stream)
Definition: stream-tcp-private.h:145
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:58
AppLayerProtoDetectPMRegisterPatternCS
int AppLayerProtoDetectPMRegisterPatternCS(uint8_t ipproto, AppProto alproto, const char *pattern, uint16_t depth, uint16_t offset, uint8_t direction)
Registers a case-sensitive pattern for protocol detection.
Definition: app-layer-detect-proto.c:1664
app-layer-smtp.h
APP_LAYER_PARSER_NO_INSPECTION_PAYLOAD
#define APP_LAYER_PARSER_NO_INSPECTION_PAYLOAD
Definition: app-layer-parser.h:37
FlowChangeProto
int FlowChangeProto(Flow *f)
Check if change proto flag is set for flow.
Definition: flow.c:204
FlowGetDisruptionFlags
uint8_t FlowGetDisruptionFlags(const Flow *f, uint8_t flags)
get 'disruption' flags: GAP/DEPTH/PASS
Definition: flow.c:1136
TcpSession_
Definition: stream-tcp-private.h:283
flow.h
AppLayerParserStateIssetFlag
uint16_t AppLayerParserStateIssetFlag(AppLayerParserState *pstate, uint16_t flag)
Definition: app-layer-parser.c:1793
SCLogNotice
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:237
RegisterNFSUDPParsers
void RegisterNFSUDPParsers(void)
Definition: app-layer-nfs-udp.c:63
Flow_::file_flags
uint16_t file_flags
Definition: flow.h:424
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:451
ExceptionPolicy
ExceptionPolicy
Definition: util-exception-policy-types.h:25
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
AppLayerParserDestroyProtocolParserLocalStorage
void AppLayerParserDestroyProtocolParserLocalStorage(uint8_t ipproto, AppProto alproto, void *local_data)
Definition: app-layer-parser.c:625
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
AppLayerParserGetTxCnt
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
Definition: app-layer-parser.c:1085
AppLayerProtoDetectConfProtoDetectionEnabled
int AppLayerProtoDetectConfProtoDetectionEnabled(const char *ipproto, const char *alproto)
Given a protocol name, checks if proto detection is enabled in the conf file.
Definition: app-layer-detect-proto.c:1974
SMTPParserCleanup
void SMTPParserCleanup(void)
Free memory allocated for global SMTP parser state.
Definition: app-layer-smtp.c:1921
AppLayerParserHasDecoderEvents
bool AppLayerParserHasDecoderEvents(AppLayerParserState *pstate)
Definition: app-layer-parser.c:1496
AppLayerParserGetFrameIdByNameFn
int(* AppLayerParserGetFrameIdByNameFn)(const char *frame_name)
Definition: app-layer-parser.h:158
AppLayerDecoderEvents_::events
uint8_t * events
Definition: app-layer-events.h:38
AppLayerParserState_::frames
FramesContainer * frames
Definition: app-layer-parser.c:146
StreamTcpSetSessionBypassFlag
void StreamTcpSetSessionBypassFlag(TcpSession *)
enable bypass
Definition: stream-tcp.c:6714
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
app-layer-ssl.h
ARRAY_CAP_STEP
#define ARRAY_CAP_STEP
Definition: app-layer-parser.c:1703
AppLayerParserProtoCtx_::LocalStorageAlloc
void *(* LocalStorageAlloc)(void)
Definition: app-layer-parser.c:83
AppLayerParserGetEventInfo
int AppLayerParserGetEventInfo(uint8_t ipproto, AppProto alproto, const char *event_name, uint8_t *event_id, AppLayerEventType *event_type)
Definition: app-layer-parser.c:1107
app-layer-nfs-tcp.h
app-layer.h
AppLayerParserProtoCtx_::first_data_dir
uint8_t first_data_dir
Definition: app-layer-parser.c:76