suricata
app-layer-parser.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Generic App-layer parsing functions.
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "util-unittest.h"
29 #include "decode.h"
30 #include "threads.h"
31 
32 #include "util-print.h"
33 #include "util-pool.h"
34 
35 #include "flow-util.h"
36 #include "flow-private.h"
37 
38 #include "detect-engine-state.h"
39 #include "detect-engine-port.h"
40 
41 #include "stream-tcp.h"
42 #include "stream-tcp-private.h"
43 #include "stream.h"
44 #include "stream-tcp-reassemble.h"
45 
46 #include "app-layer.h"
47 #include "app-layer-protos.h"
48 #include "app-layer-parser.h"
49 #include "app-layer-smb.h"
50 #include "app-layer-htp.h"
51 #include "app-layer-ftp.h"
52 #include "app-layer-ssl.h"
53 #include "app-layer-ssh.h"
54 #include "app-layer-smtp.h"
55 #include "app-layer-modbus.h"
56 #include "app-layer-enip.h"
57 #include "app-layer-dnp3.h"
58 #include "app-layer-nfs-tcp.h"
59 #include "app-layer-nfs-udp.h"
60 #include "app-layer-ntp.h"
61 #include "app-layer-tftp.h"
62 #include "app-layer-ike.h"
63 #include "app-layer-krb5.h"
64 #include "app-layer-snmp.h"
65 #include "app-layer-sip.h"
66 #include "app-layer-rfb.h"
67 #include "app-layer-mqtt.h"
68 #include "app-layer-template.h"
69 #include "app-layer-template-rust.h"
70 #include "app-layer-rdp.h"
71 #include "app-layer-http2.h"
72 
73 #include "conf.h"
74 #include "util-spm.h"
75 
76 #include "util-debug.h"
77 #include "decode-events.h"
78 #include "util-unittest-helper.h"
79 #include "util-validate.h"
80 
81 #include "runmodes.h"
82 
83 #include "rust.h"
84 
85 struct AppLayerParserThreadCtx_ {
86  void *alproto_local_storage[FLOW_PROTO_MAX][ALPROTO_MAX];
87 };
88 
89 
90 /**
91  * \brief App layer protocol parser context.
92  */
93 typedef struct AppLayerParserProtoCtx_
94 {
95  /* 0 - to_server, 1 - to_client. */
96  AppLayerParserFPtr Parser[2];
97  bool logger;
98  uint32_t logger_bits; /**< registered loggers for this proto */
99 
100  void *(*StateAlloc)(void *, AppProto);
101  void (*StateFree)(void *);
102  void (*StateTransactionFree)(void *, uint64_t);
103  void *(*LocalStorageAlloc)(void);
104  void (*LocalStorageFree)(void *);
105 
106  void (*Truncate)(void *, uint8_t);
107  FileContainer *(*StateGetFiles)(void *, uint8_t);
108  AppLayerDecoderEvents *(*StateGetEvents)(void *);
109 
110  int (*StateGetProgress)(void *alstate, uint8_t direction);
111  uint64_t (*StateGetTxCnt)(void *alstate);
112  void *(*StateGetTx)(void *alstate, uint64_t tx_id);
113  AppLayerGetTxIteratorFunc StateGetTxIterator;
114  int complete_ts;
115  int complete_tc;
116  int (*StateGetEventInfoById)(int event_id, const char **event_name,
117  AppLayerEventType *event_type);
118  int (*StateGetEventInfo)(const char *event_name,
119  int *event_id, AppLayerEventType *event_type);
120 
121  DetectEngineState *(*GetTxDetectState)(void *tx);
122  int (*SetTxDetectState)(void *tx, DetectEngineState *);
123 
124  AppLayerTxData *(*GetTxData)(void *tx);
125  bool (*ApplyTxConfig)(void *state, void *tx, int mode, AppLayerTxConfig);
126 
127  void (*SetStreamDepthFlag)(void *tx, uint8_t flags);
128 
129  /* each app-layer has its own value */
130  uint32_t stream_depth;
131 
132  /* Indicates the direction the parser is ready to see the data
133  * the first time for a flow. Values accepted -
134  * STREAM_TOSERVER, STREAM_TOCLIENT */
135  uint8_t first_data_dir;
136 
137  /* Option flags such as supporting gaps or not. */
138  uint32_t option_flags;
139  /* coccinelle: AppLayerParserProtoCtx:option_flags:APP_LAYER_PARSER_OPT_ */
140 
141  uint32_t internal_flags;
142  /* coccinelle: AppLayerParserProtoCtx:internal_flags:APP_LAYER_PARSER_INT_ */
143 
144 #ifdef UNITTESTS
145  void (*RegisterUnittests)(void);
146 #endif
147 } AppLayerParserProtoCtx;
148 
149 typedef struct AppLayerParserCtx_ {
150  AppLayerParserProtoCtx ctxs[FLOW_PROTO_MAX][ALPROTO_MAX];
151 } AppLayerParserCtx;
152 
153 struct AppLayerParserState_ {
154  /* coccinelle: AppLayerParserState:flags:APP_LAYER_PARSER_ */
155  uint8_t flags;
156 
157  /* Indicates the current transaction that is being inspected.
158  * We have a var per direction. */
159  uint64_t inspect_id[2];
160  /* Indicates the current transaction being logged. Unlike inspect_id,
161  * we don't need a var per direction since we don't log a transaction
162  * unless we have the entire transaction. */
163  uint64_t log_id;
164 
165  uint64_t min_id;
166 
167  /* Used to store decoder events. */
168  AppLayerDecoderEvents *decoder_events;
169 };
170 
171 #ifdef UNITTESTS
172 void UTHAppLayerParserStateGetIds(void *ptr, uint64_t *i1, uint64_t *i2, uint64_t *log, uint64_t *min)
173 {
174  struct AppLayerParserState_ *s = ptr;
175  *i1 = s->inspect_id[0];
176  *i2 = s->inspect_id[1];
177  *log = s->log_id;
178  *min = s->min_id;
179 }
180 #endif
181 
182 /* Static global version of the parser context.
183  * Post 2.0 let's look at changing this to move it out to app-layer.c. */
184 static AppLayerParserCtx alp_ctx;
185 
186 int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto)
187 {
188  uint8_t ipproto_map = FlowGetProtoMapping(ipproto);
189 
190  return (alp_ctx.ctxs[ipproto_map][alproto].StateAlloc != NULL) ? 1 : 0;
191 }
192 
193 AppLayerParserState *AppLayerParserStateAlloc(void)
194 {
195  SCEnter();
196 
197  AppLayerParserState *pstate = (AppLayerParserState *)SCMalloc(sizeof(*pstate));
198  if (pstate == NULL)
199  goto end;
200  memset(pstate, 0, sizeof(*pstate));
201 
202  end:
203  SCReturnPtr(pstate, "AppLayerParserState");
204 }
205 
206 void AppLayerParserStateFree(AppLayerParserState *pstate)
207 {
208  SCEnter();
209 
210  if (pstate->decoder_events != NULL)
211  AppLayerDecoderEventsFreeEvents(&pstate->decoder_events);
212  SCFree(pstate);
213 
214  SCReturn;
215 }
216 
217 int AppLayerParserSetup(void)
218 {
219  SCEnter();
220  memset(&alp_ctx, 0, sizeof(alp_ctx));
221  SCReturnInt(0);
222 }
223 
224 void AppLayerParserPostStreamSetup(void)
225 {
226  AppProto alproto = 0;
227  int flow_proto = 0;
228 
229  /* lets set a default value for stream_depth */
230  for (flow_proto = 0; flow_proto < FLOW_PROTO_DEFAULT; flow_proto++) {
231  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
232  if (!(alp_ctx.ctxs[flow_proto][alproto].internal_flags &
233  APP_LAYER_PARSER_INT_STREAM_DEPTH_SET)) {
234  alp_ctx.ctxs[flow_proto][alproto].stream_depth =
235  stream_config.reassembly_depth;
236  }
237  }
238  }
239 }
240 
241 int AppLayerParserDeSetup(void)
242 {
243  SCEnter();
244 
245  FTPParserCleanup();
246  SMTPParserCleanup();
247 
248  SCReturnInt(0);
249 }
250 
251 AppLayerParserThreadCtx *AppLayerParserThreadCtxAlloc(void)
252 {
253  SCEnter();
254 
255  AppProto alproto = 0;
256  int flow_proto = 0;
257  AppLayerParserThreadCtx *tctx;
258 
259  tctx = SCMalloc(sizeof(*tctx));
260  if (tctx == NULL)
261  goto end;
262  memset(tctx, 0, sizeof(*tctx));
263 
264  for (flow_proto = 0; flow_proto < FLOW_PROTO_DEFAULT; flow_proto++) {
265  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
266  uint8_t ipproto = FlowGetReverseProtoMapping(flow_proto);
267 
268  tctx->alproto_local_storage[flow_proto][alproto] =
269  AppLayerParserGetProtocolParserLocalStorage(ipproto, alproto);
270  }
271  }
272 
273  end:
274  SCReturnPtr(tctx, "void *");
275 }
276 
277 void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
278 {
279  SCEnter();
280 
281  AppProto alproto = 0;
282  int flow_proto = 0;
283 
284  for (flow_proto = 0; flow_proto < FLOW_PROTO_DEFAULT; flow_proto++) {
285  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
286  uint8_t ipproto = FlowGetReverseProtoMapping(flow_proto);
287 
288  AppLayerParserDestroyProtocolParserLocalStorage(ipproto, alproto,
289  tctx->alproto_local_storage[flow_proto][alproto]);
290  }
291  }
292 
293  SCFree(tctx);
294  SCReturn;
295 }
296 
297 /** \brief check if a parser is enabled in the config
298  * Returns enabled always if: were running unittests
299  */
300 int AppLayerParserConfParserEnabled(const char *ipproto,
301  const char *alproto_name)
302 {
303  SCEnter();
304 
305  int enabled = 1;
306  char param[100];
307  ConfNode *node;
308  int r;
309 
310  if (RunmodeIsUnittests())
311  goto enabled;
312 
313  r = snprintf(param, sizeof(param), "%s%s%s", "app-layer.protocols.",
314  alproto_name, ".enabled");
315  if (r < 0) {
316  FatalError(SC_ERR_FATAL, "snprintf failure.");
317  } else if (r > (int)sizeof(param)) {
318  FatalError(SC_ERR_FATAL, "buffer not big enough to write param.");
319  }
320 
321  node = ConfGetNode(param);
322  if (node == NULL) {
323  SCLogDebug("Entry for %s not found.", param);
324  r = snprintf(param, sizeof(param), "%s%s%s%s%s", "app-layer.protocols.",
325  alproto_name, ".", ipproto, ".enabled");
326  if (r < 0) {
327  FatalError(SC_ERR_FATAL, "snprintf failure.");
328  } else if (r > (int)sizeof(param)) {
329  FatalError(SC_ERR_FATAL, "buffer not big enough to write param.");
330  }
331 
332  node = ConfGetNode(param);
333  if (node == NULL) {
334  SCLogDebug("Entry for %s not found.", param);
335  goto enabled;
336  }
337  }
338 
339  if (ConfValIsTrue(node->val)) {
340  goto enabled;
341  } else if (ConfValIsFalse(node->val)) {
342  goto disabled;
343  } else if (strcasecmp(node->val, "detection-only") == 0) {
344  goto disabled;
345  } else {
346  SCLogError(SC_ERR_FATAL, "Invalid value found for %s.", param);
347  exit(EXIT_FAILURE);
348  }
349 
350  disabled:
351  enabled = 0;
352  enabled:
353  SCReturnInt(enabled);
354 }
355 
356 /***** Parser related registration *****/
357 
358 int AppLayerParserRegisterParser(uint8_t ipproto, AppProto alproto,
359  uint8_t direction,
360  AppLayerParserFPtr Parser)
361 {
362  SCEnter();
363 
364  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
365  Parser[(direction & STREAM_TOSERVER) ? 0 : 1] = Parser;
366 
367  SCReturnInt(0);
368 }
369 
370 void AppLayerParserRegisterParserAcceptableDataDirection(uint8_t ipproto, AppProto alproto,
371  uint8_t direction)
372 {
373  SCEnter();
374 
375  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].first_data_dir |=
376  (direction & (STREAM_TOSERVER | STREAM_TOCLIENT));
377 
378  SCReturn;
379 }
380 
381 void AppLayerParserRegisterOptionFlags(uint8_t ipproto, AppProto alproto,
382  uint32_t flags)
383 {
384  SCEnter();
385 
386  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].option_flags |= flags;
387 
388  SCReturn;
389 }
390 
391 uint32_t AppLayerParserGetOptionFlags(uint8_t protomap, AppProto alproto)
392 {
393  SCEnter();
394  SCReturnUInt(alp_ctx.ctxs[protomap][alproto].option_flags);
395 }
396 
397 void AppLayerParserRegisterStateFuncs(uint8_t ipproto, AppProto alproto,
398  void *(*StateAlloc)(void *, AppProto), void (*StateFree)(void *))
399 {
400  SCEnter();
401 
402  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].StateAlloc =
403  StateAlloc;
404  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].StateFree =
405  StateFree;
406 
407  SCReturn;
408 }
409 
410 void AppLayerParserRegisterLocalStorageFunc(uint8_t ipproto, AppProto alproto,
411  void *(*LocalStorageAlloc)(void),
412  void (*LocalStorageFree)(void *))
413 {
414  SCEnter();
415 
416  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].LocalStorageAlloc =
417  LocalStorageAlloc;
418  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].LocalStorageFree =
419  LocalStorageFree;
420 
421  SCReturn;
422 }
423 
424 void AppLayerParserRegisterGetFilesFunc(uint8_t ipproto, AppProto alproto,
425  FileContainer *(*StateGetFiles)(void *, uint8_t))
426 {
427  SCEnter();
428 
429  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].StateGetFiles =
430  StateGetFiles;
431 
432  SCReturn;
433 }
434 
435 void AppLayerParserRegisterGetEventsFunc(uint8_t ipproto, AppProto alproto,
436  AppLayerDecoderEvents *(*StateGetEvents)(void *))
437 {
438  SCEnter();
439 
440  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].StateGetEvents =
441  StateGetEvents;
442 
443  SCReturn;
444 }
445 
446 void AppLayerParserRegisterLoggerBits(uint8_t ipproto, AppProto alproto, LoggerId bits)
447 {
448  SCEnter();
449 
450  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].logger_bits = bits;
451 
452  SCReturn;
453 }
454 
455 void AppLayerParserRegisterLogger(uint8_t ipproto, AppProto alproto)
456 {
457  SCEnter();
458 
459  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].logger = true;
460 
461  SCReturn;
462 }
463 
464 void AppLayerParserRegisterTruncateFunc(uint8_t ipproto, AppProto alproto,
465  void (*Truncate)(void *, uint8_t))
466 {
467  SCEnter();
468 
469  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].Truncate = Truncate;
470 
471  SCReturn;
472 }
473 
474 void AppLayerParserRegisterGetStateProgressFunc(uint8_t ipproto, AppProto alproto,
475  int (*StateGetProgress)(void *alstate, uint8_t direction))
476 {
477  SCEnter();
478 
479  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
480  StateGetProgress = StateGetProgress;
481 
482  SCReturn;
483 }
484 
485 void AppLayerParserRegisterTxFreeFunc(uint8_t ipproto, AppProto alproto,
486  void (*StateTransactionFree)(void *, uint64_t))
487 {
488  SCEnter();
489 
490  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
491  StateTransactionFree = StateTransactionFree;
492 
493  SCReturn;
494 }
495 
496 void AppLayerParserRegisterGetTxCnt(uint8_t ipproto, AppProto alproto,
497  uint64_t (*StateGetTxCnt)(void *alstate))
498 {
499  SCEnter();
500 
501  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
502  StateGetTxCnt = StateGetTxCnt;
503 
504  SCReturn;
505 }
506 
507 void AppLayerParserRegisterGetTx(uint8_t ipproto, AppProto alproto,
508  void *(StateGetTx)(void *alstate, uint64_t tx_id))
509 {
510  SCEnter();
511 
512  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
513  StateGetTx = StateGetTx;
514 
515  SCReturn;
516 }
517 
518 void AppLayerParserRegisterGetTxIterator(uint8_t ipproto, AppProto alproto,
519  AppLayerGetTxIteratorFunc Func)
520 {
521  SCEnter();
522  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].StateGetTxIterator = Func;
523  SCReturn;
524 }
525 
526 void AppLayerParserRegisterStateProgressCompletionStatus(
527  AppProto alproto, const int ts, const int tc)
528 {
529  BUG_ON(ts == 0);
530  BUG_ON(tc == 0);
531  BUG_ON(!AppProtoIsValid(alproto));
532  BUG_ON(alp_ctx.ctxs[FLOW_PROTO_DEFAULT][alproto].complete_ts != 0 &&
533  alp_ctx.ctxs[FLOW_PROTO_DEFAULT][alproto].complete_ts != ts);
534  BUG_ON(alp_ctx.ctxs[FLOW_PROTO_DEFAULT][alproto].complete_tc != 0 &&
535  alp_ctx.ctxs[FLOW_PROTO_DEFAULT][alproto].complete_tc != tc);
536 
537  alp_ctx.ctxs[FLOW_PROTO_DEFAULT][alproto].complete_ts = ts;
538  alp_ctx.ctxs[FLOW_PROTO_DEFAULT][alproto].complete_tc = tc;
539 }
540 
541 void AppLayerParserRegisterGetEventInfoById(uint8_t ipproto, AppProto alproto,
542  int (*StateGetEventInfoById)(int event_id, const char **event_name,
543  AppLayerEventType *event_type))
544 {
545  SCEnter();
546 
547  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
548  StateGetEventInfoById = StateGetEventInfoById;
549 
550  SCReturn;
551 }
552 
553 void AppLayerParserRegisterGetEventInfo(uint8_t ipproto, AppProto alproto,
554  int (*StateGetEventInfo)(const char *event_name, int *event_id,
555  AppLayerEventType *event_type))
556 {
557  SCEnter();
558 
559  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
560  StateGetEventInfo = StateGetEventInfo;
561 
562  SCReturn;
563 }
564 
565 void AppLayerParserRegisterDetectStateFuncs(uint8_t ipproto, AppProto alproto,
566  DetectEngineState *(*GetTxDetectState)(void *tx),
567  int (*SetTxDetectState)(void *tx, DetectEngineState *))
568 {
569  SCEnter();
570 
571  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetTxDetectState = GetTxDetectState;
572  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].SetTxDetectState = SetTxDetectState;
573 
574  SCReturn;
575 }
576 
577 void AppLayerParserRegisterTxDataFunc(uint8_t ipproto, AppProto alproto,
578  AppLayerTxData *(*GetTxData)(void *tx))
579 {
580  SCEnter();
581 
582  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetTxData = GetTxData;
583 
584  SCReturn;
585 }
586 
587 void AppLayerParserRegisterApplyTxConfigFunc(uint8_t ipproto, AppProto alproto,
588  bool (*ApplyTxConfig)(void *state, void *tx, int mode, AppLayerTxConfig))
589 {
590  SCEnter();
591 
592  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].ApplyTxConfig = ApplyTxConfig;
593 
594  SCReturn;
595 }
596 
597 void AppLayerParserRegisterSetStreamDepthFlag(uint8_t ipproto, AppProto alproto,
598  void (*SetStreamDepthFlag)(void *tx, uint8_t flags))
599 {
600  SCEnter();
601 
602  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].SetStreamDepthFlag = SetStreamDepthFlag;
603 
604  SCReturn;
605 }
606 
607 /***** Get and transaction functions *****/
608 
609 void *AppLayerParserGetProtocolParserLocalStorage(uint8_t ipproto, AppProto alproto)
610 {
611  SCEnter();
612  void * r = NULL;
613 
614  if (alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
615  LocalStorageAlloc != NULL)
616  {
617  r = alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
618  LocalStorageAlloc();
619  }
620 
621  SCReturnPtr(r, "void *");
622 }
623 
624 void AppLayerParserDestroyProtocolParserLocalStorage(uint8_t ipproto, AppProto alproto,
625  void *local_data)
626 {
627  SCEnter();
628 
629  if (alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
630  LocalStorageFree != NULL)
631  {
632  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
633  LocalStorageFree(local_data);
634  }
635 
636  SCReturn;
637 }
638 
639 /** \brief default tx iterator
640  *
641  * Used if the app layer parser doesn't register its own iterator.
642  * Simply walks the tx_id space until it finds a tx. Uses 'state' to
643  * keep track of where it left off.
644  *
645  * \retval txptr or NULL if no more txs in list
646  */
647 static AppLayerGetTxIterTuple AppLayerDefaultGetTxIterator(
648  const uint8_t ipproto, const AppProto alproto,
649  void *alstate, uint64_t min_tx_id, uint64_t max_tx_id,
650  AppLayerGetTxIterState *state)
651 {
652  uint64_t ustate = *(uint64_t *)state;
653  uint64_t tx_id = MAX(min_tx_id, ustate);
654  for ( ; tx_id < max_tx_id; tx_id++) {
655  void *tx_ptr = AppLayerParserGetTx(ipproto, alproto, alstate, tx_id);
656  if (tx_ptr != NULL) {
657  ustate = tx_id + 1;
658  *state = *(AppLayerGetTxIterState *)&ustate;
659  AppLayerGetTxIterTuple tuple = {
660  .tx_ptr = tx_ptr,
661  .tx_id = tx_id,
662  .has_next = (tx_id + 1 < max_tx_id),
663  };
664  SCLogDebug("tuple: %p/%"PRIu64"/%s", tuple.tx_ptr, tuple.tx_id,
665  tuple.has_next ? "true" : "false");
666  return tuple;
667  }
668  }
669 
670  AppLayerGetTxIterTuple no_tuple = { NULL, 0, false };
671  return no_tuple;
672 }
673 
674 AppLayerGetTxIteratorFunc AppLayerGetTxIterator(const uint8_t ipproto,
675  const AppProto alproto)
676 {
677  AppLayerGetTxIteratorFunc Func =
678  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].StateGetTxIterator;
679  return Func ? Func : AppLayerDefaultGetTxIterator;
680 }
681 
682 uint64_t AppLayerParserGetTransactionLogId(AppLayerParserState *pstate)
683 {
684  SCEnter();
685 
686  SCReturnCT((pstate == NULL) ? 0 : pstate->log_id, "uint64_t");
687 }
688 
689 void AppLayerParserSetTransactionLogId(AppLayerParserState *pstate, uint64_t tx_id)
690 {
691  SCEnter();
692 
693  if (pstate != NULL)
694  pstate->log_id = tx_id;
695 
696  SCReturn;
697 }
698 
699 uint64_t AppLayerParserGetTransactionInspectId(AppLayerParserState *pstate, uint8_t direction)
700 {
701  SCEnter();
702 
703  if (pstate == NULL)
704  SCReturnCT(0ULL, "uint64_t");
705 
706  SCReturnCT(pstate->inspect_id[direction & STREAM_TOSERVER ? 0 : 1], "uint64_t");
707 }
708 
709 static inline uint64_t GetTxDetectFlags(AppLayerTxData *txd, const uint8_t dir)
710 {
711  uint64_t detect_flags =
712  (dir & STREAM_TOSERVER) ? txd->detect_flags_ts : txd->detect_flags_tc;
713  return detect_flags;
714 }
715 
716 static inline void SetTxDetectFlags(AppLayerTxData *txd, const uint8_t dir, const uint64_t detect_flags)
717 {
718  if (dir & STREAM_TOSERVER) {
719  txd->detect_flags_ts = detect_flags;
720  } else {
721  txd->detect_flags_tc = detect_flags;
722  }
723 }
724 
725 static inline uint32_t GetTxLogged(AppLayerTxData *txd)
726 {
727  return txd->logged.flags;
728 }
729 
730 void AppLayerParserSetTransactionInspectId(const Flow *f, AppLayerParserState *pstate,
731  void *alstate, const uint8_t flags,
732  bool tag_txs_as_inspected)
733 {
734  SCEnter();
735 
736  const int direction = (flags & STREAM_TOSERVER) ? 0 : 1;
737  const uint64_t total_txs = AppLayerParserGetTxCnt(f, alstate);
738  uint64_t idx = AppLayerParserGetTransactionInspectId(pstate, flags);
739  const int state_done_progress = AppLayerParserGetStateProgressCompletionStatus(f->alproto, flags);
740  const uint8_t ipproto = f->proto;
741  const AppProto alproto = f->alproto;
742 
743  AppLayerGetTxIteratorFunc IterFunc = AppLayerGetTxIterator(ipproto, alproto);
744  AppLayerGetTxIterState state;
745  memset(&state, 0, sizeof(state));
746 
747  SCLogDebug("called: %s, tag_txs_as_inspected %s",direction==0?"toserver":"toclient",
748  tag_txs_as_inspected?"true":"false");
749 
750  /* mark all txs as inspected if the applayer progress is
751  * at the 'end state'. */
752  while (1) {
753  AppLayerGetTxIterTuple ires = IterFunc(ipproto, alproto, alstate, idx, total_txs, &state);
754  if (ires.tx_ptr == NULL)
755  break;
756 
757  void *tx = ires.tx_ptr;
758  idx = ires.tx_id;
759 
760  int state_progress = AppLayerParserGetStateProgress(ipproto, alproto, tx, flags);
761  if (state_progress < state_done_progress)
762  break;
763 
764  AppLayerTxData *txd = AppLayerParserGetTxData(ipproto, alproto, tx);
765  if (txd && tag_txs_as_inspected) {
766  uint64_t detect_flags = GetTxDetectFlags(txd, flags);
767  if ((detect_flags & APP_LAYER_TX_INSPECTED_FLAG) == 0) {
768  detect_flags |= APP_LAYER_TX_INSPECTED_FLAG;
769  SetTxDetectFlags(txd, flags, detect_flags);
770  SCLogDebug("%p/%"PRIu64" in-order tx is done for direction %s. Flag %016"PRIx64,
771  tx, idx, flags & STREAM_TOSERVER ? "toserver" : "toclient", detect_flags);
772  }
773  }
774  idx++;
775  if (!ires.has_next)
776  break;
777  }
778  pstate->inspect_id[direction] = idx;
779  SCLogDebug("inspect_id now %"PRIu64, pstate->inspect_id[direction]);
780 
781  /* if necessary we flag all txs that are complete as 'inspected'
782  * also move inspect_id forward. */
783  if (tag_txs_as_inspected) {
784  /* continue at idx */
785  while (1) {
786  AppLayerGetTxIterTuple ires = IterFunc(ipproto, alproto, alstate, idx, total_txs, &state);
787  if (ires.tx_ptr == NULL)
788  break;
789 
790  void *tx = ires.tx_ptr;
791  /* if we got a higher id than the minimum we requested, we
792  * skipped a bunch of 'null-txs'. Lets see if we can up the
793  * inspect tracker */
794  if (ires.tx_id > idx && pstate->inspect_id[direction] == idx) {
795  pstate->inspect_id[direction] = ires.tx_id;
796  }
797  idx = ires.tx_id;
798 
799  const int state_progress = AppLayerParserGetStateProgress(ipproto, alproto, tx, flags);
800  if (state_progress < state_done_progress)
801  break;
802 
803  /* txd can be NULL for HTTP sessions where the user data alloc failed */
804  AppLayerTxData *txd = AppLayerParserGetTxData(ipproto, alproto, tx);
805  if (likely(txd)) {
806  uint64_t detect_flags = GetTxDetectFlags(txd, flags);
807  if ((detect_flags & APP_LAYER_TX_INSPECTED_FLAG) == 0) {
808  detect_flags |= APP_LAYER_TX_INSPECTED_FLAG;
809  SetTxDetectFlags(txd, flags, detect_flags);
810  SCLogDebug("%p/%"PRIu64" out of order tx is done for direction %s. Flag %016"PRIx64,
811  tx, idx, flags & STREAM_TOSERVER ? "toserver" : "toclient", detect_flags);
812 
813  SCLogDebug("%p/%"PRIu64" out of order tx. Update inspect_id? %"PRIu64,
814  tx, idx, pstate->inspect_id[direction]);
815  if (pstate->inspect_id[direction]+1 == idx)
816  pstate->inspect_id[direction] = idx;
817  }
818  } else {
819  if (pstate->inspect_id[direction]+1 == idx)
820  pstate->inspect_id[direction] = idx;
821  }
822  if (!ires.has_next)
823  break;
824  idx++;
825  }
826  }
827 
828  SCReturn;
829 }
830 
831 AppLayerDecoderEvents *AppLayerParserGetDecoderEvents(AppLayerParserState *pstate)
832 {
833  SCEnter();
834 
835  SCReturnPtr(pstate->decoder_events,
836  "AppLayerDecoderEvents *");
837 }
838 
839 void AppLayerParserSetDecoderEvents(AppLayerParserState *pstate, AppLayerDecoderEvents *devents)
840 {
841  pstate->decoder_events = devents;
842 }
843 
844 AppLayerDecoderEvents *AppLayerParserGetEventsByTx(uint8_t ipproto, AppProto alproto,
845  void *tx)
846 {
847  SCEnter();
848 
849  AppLayerDecoderEvents *ptr = NULL;
850 
851  if (alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
852  StateGetEvents != NULL)
853  {
854  ptr = alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
855  StateGetEvents(tx);
856  }
857 
858  SCReturnPtr(ptr, "AppLayerDecoderEvents *");
859 }
860 
861 FileContainer *AppLayerParserGetFiles(const Flow *f, const uint8_t direction)
862 {
863  SCEnter();
864 
865  FileContainer *ptr = NULL;
866 
867  if (alp_ctx.ctxs[f->protomap][f->alproto].StateGetFiles != NULL)
868  {
869  ptr = alp_ctx.ctxs[f->protomap][f->alproto].
870  StateGetFiles(f->alstate, direction);
871  }
872 
873  SCReturnPtr(ptr, "FileContainer *");
874 }
875 
876 #define IS_DISRUPTED(flags) ((flags) & (STREAM_DEPTH | STREAM_GAP))
877 
878 extern int g_detect_disabled;
879 /**
880  * \brief remove obsolete (inspected and logged) transactions
881  */
882 void AppLayerParserTransactionsCleanup(Flow *f)
883 {
884  SCEnter();
885  DEBUG_ASSERT_FLOW_LOCKED(f);
886 
887  AppLayerParserProtoCtx *p = &alp_ctx.ctxs[f->protomap][f->alproto];
888  if (unlikely(p->StateTransactionFree == NULL))
889  SCReturn;
890 
891  const bool has_tx_detect_flags = !g_detect_disabled;
892  const uint8_t ipproto = f->proto;
893  const AppProto alproto = f->alproto;
894  void * const alstate = f->alstate;
895  AppLayerParserState * const alparser = f->alparser;
896 
897  if (alstate == NULL || alparser == NULL)
898  SCReturn;
899 
900  const uint64_t min = alparser->min_id;
901  const uint64_t total_txs = AppLayerParserGetTxCnt(f, alstate);
902  const LoggerId logger_expectation = AppLayerParserProtocolGetLoggerBits(ipproto, alproto);
903  const int tx_end_state_ts = AppLayerParserGetStateProgressCompletionStatus(alproto, STREAM_TOSERVER);
904  const int tx_end_state_tc = AppLayerParserGetStateProgressCompletionStatus(alproto, STREAM_TOCLIENT);
905  const uint8_t ts_disrupt_flags = FlowGetDisruptionFlags(f, STREAM_TOSERVER);
906  const uint8_t tc_disrupt_flags = FlowGetDisruptionFlags(f, STREAM_TOCLIENT);
907 
908  AppLayerGetTxIteratorFunc IterFunc = AppLayerGetTxIterator(ipproto, alproto);
909  AppLayerGetTxIterState state;
910  memset(&state, 0, sizeof(state));
911  uint64_t i = min;
912  uint64_t new_min = min;
913  SCLogDebug("start min %"PRIu64, min);
914  bool skipped = false;
915  const bool is_unidir =
916  AppLayerParserGetOptionFlags(f->protomap, f->alproto) & APP_LAYER_PARSER_OPT_UNIDIR_TXS;
917 
918  while (1) {
919  AppLayerGetTxIterTuple ires = IterFunc(ipproto, alproto, alstate, i, total_txs, &state);
920  if (ires.tx_ptr == NULL)
921  break;
922 
923  bool tx_skipped = false;
924  void *tx = ires.tx_ptr;
925  i = ires.tx_id; // actual tx id for the tx the IterFunc returned
926 
927  SCLogDebug("%p/%"PRIu64" checking", tx, i);
928 
929  const int tx_progress_tc =
930  AppLayerParserGetStateProgress(ipproto, alproto, tx, tc_disrupt_flags);
931  if (tx_progress_tc < tx_end_state_tc) {
932  SCLogDebug("%p/%"PRIu64" skipping: tc parser not done", tx, i);
933  skipped = true;
934  goto next;
935  }
936  const int tx_progress_ts =
937  AppLayerParserGetStateProgress(ipproto, alproto, tx, ts_disrupt_flags);
938  if (tx_progress_ts < tx_end_state_ts) {
939  SCLogDebug("%p/%"PRIu64" skipping: ts parser not done", tx, i);
940  skipped = true;
941  goto next;
942  }
943 
944  AppLayerTxData *txd = AppLayerParserGetTxData(ipproto, alproto, tx);
945  bool inspected = false;
946  if (txd && has_tx_detect_flags) {
947  if (!IS_DISRUPTED(ts_disrupt_flags) && f->sgh_toserver != NULL) {
948  uint64_t detect_flags_ts = GetTxDetectFlags(txd, STREAM_TOSERVER);
949  if (!(detect_flags_ts & APP_LAYER_TX_INSPECTED_FLAG)) {
950  SCLogDebug("%p/%"PRIu64" skipping: TS inspect not done: ts:%"PRIx64,
951  tx, i, detect_flags_ts);
952  tx_skipped = true;
953  } else {
954  inspected = true;
955  }
956  }
957  if (!IS_DISRUPTED(tc_disrupt_flags) && f->sgh_toclient != NULL) {
958  uint64_t detect_flags_tc = GetTxDetectFlags(txd, STREAM_TOCLIENT);
959  if (!(detect_flags_tc & APP_LAYER_TX_INSPECTED_FLAG)) {
960  SCLogDebug("%p/%"PRIu64" skipping: TC inspect not done: tc:%"PRIx64,
961  tx, i, detect_flags_tc);
962  tx_skipped = true;
963  } else {
964  inspected = true;
965  }
966  }
967  }
968 
969  // If not a unidirectional transaction both sides are required to have
970  // been inspected.
971  if (!is_unidir && tx_skipped) {
972  SCLogDebug("%p/%" PRIu64 " !is_unidir && tx_skipped", tx, i);
973  skipped = true;
974  goto next;
975  }
976 
977  // If this is a unidirectional transaction require only one side to be
978  // inspected, which the inspected flag tells us. This is also guarded
979  // with skip to limit this check to transactions that actually had the
980  // tx inspected flag checked.
981  if (is_unidir && tx_skipped && !inspected) {
982  SCLogDebug("%p/%" PRIu64 " is_unidir && tx_skipped && !inspected", tx, i);
983  skipped = true;
984  goto next;
985  }
986 
987  if (txd && logger_expectation != 0) {
988  LoggerId tx_logged = GetTxLogged(txd);
989  if (tx_logged != logger_expectation) {
990  SCLogDebug("%p/%"PRIu64" skipping: logging not done: want:%"PRIx32", have:%"PRIx32,
991  tx, i, logger_expectation, tx_logged);
992  skipped = true;
993  goto next;
994  }
995  }
996 
997  /* if we are here, the tx can be freed. */
998  p->StateTransactionFree(alstate, i);
999  SCLogDebug("%p/%"PRIu64" freed", tx, i);
1000 
1001  /* if we didn't skip any tx so far, up the minimum */
1002  SCLogDebug("skipped? %s i %"PRIu64", new_min %"PRIu64, skipped ? "true" : "false", i, new_min);
1003  if (!skipped)
1004  new_min = i + 1;
1005  SCLogDebug("final i %"PRIu64", new_min %"PRIu64, i, new_min);
1006 
1007 next:
1008  if (!ires.has_next) {
1009  /* this was the last tx. See if we skipped any. If not
1010  * we removed all and can update the minimum to the max
1011  * id. */
1012  SCLogDebug("no next: cur tx i %"PRIu64", total %"PRIu64, i, total_txs);
1013  if (!skipped) {
1014  new_min = total_txs;
1015  SCLogDebug("no next: cur tx i %"PRIu64", total %"PRIu64": "
1016  "new_min updated to %"PRIu64, i, total_txs, new_min);
1017  }
1018  break;
1019  }
1020  i++;
1021  }
1022 
1023  /* see if we need to bring all trackers up to date. */
1024  SCLogDebug("update f->alparser->min_id? %"PRIu64" vs %"PRIu64, new_min, alparser->min_id);
1025  if (new_min > alparser->min_id) {
1026  const uint64_t next_id = new_min;
1027  alparser->min_id = next_id;
1028  alparser->inspect_id[0] = MAX(alparser->inspect_id[0], next_id);
1029  alparser->inspect_id[1] = MAX(alparser->inspect_id[1], next_id);
1030  alparser->log_id = MAX(alparser->log_id, next_id);
1031  SCLogDebug("updated f->alparser->min_id %"PRIu64, alparser->min_id);
1032  }
1033  SCReturn;
1034 }
1035 
1036 static inline int StateGetProgressCompletionStatus(const AppProto alproto, const uint8_t flags)
1037 {
1038  if (flags & STREAM_TOSERVER) {
1039  return alp_ctx.ctxs[FLOW_PROTO_DEFAULT][alproto].complete_ts;
1040  } else if (flags & STREAM_TOCLIENT) {
1041  return alp_ctx.ctxs[FLOW_PROTO_DEFAULT][alproto].complete_tc;
1042  } else {
1043  DEBUG_VALIDATE_BUG_ON(1);
1044  return 0;
1045  }
1046 }
1047 
1048 /**
1049  * \brief get the progress value for a tx/protocol
1050  *
1051  * If the stream is disrupted, we return the 'completion' value.
1052  */
1053 int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto,
1054  void *alstate, uint8_t flags)
1055 {
1056  SCEnter();
1057  int r;
1058  if (unlikely(IS_DISRUPTED(flags))) {
1059  r = StateGetProgressCompletionStatus(alproto, flags);
1060  } else {
1061  r = alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
1062  StateGetProgress(alstate, flags);
1063  }
1064  SCReturnInt(r);
1065 }
1066 
1067 uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
1068 {
1069  SCEnter();
1070  uint64_t r = alp_ctx.ctxs[f->protomap][f->alproto].StateGetTxCnt(alstate);
1071  SCReturnCT(r, "uint64_t");
1072 }
1073 
1074 void *AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
1075 {
1076  SCEnter();
1077  void *r = alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].StateGetTx(alstate, tx_id);
1078  SCReturnPtr(r, "void *");
1079 }
1080 
1081 int AppLayerParserGetStateProgressCompletionStatus(AppProto alproto,
1082  uint8_t direction)
1083 {
1084  SCEnter();
1085  int r = StateGetProgressCompletionStatus(alproto, direction);
1086  SCReturnInt(r);
1087 }
1088 
1089 int AppLayerParserGetEventInfo(uint8_t ipproto, AppProto alproto, const char *event_name,
1090  int *event_id, AppLayerEventType *event_type)
1091 {
1092  SCEnter();
1093  const int ipproto_map = FlowGetProtoMapping(ipproto);
1094  int r = (alp_ctx.ctxs[ipproto_map][alproto].StateGetEventInfo == NULL) ?
1095  -1 : alp_ctx.ctxs[ipproto_map][alproto].StateGetEventInfo(event_name, event_id, event_type);
1096  SCReturnInt(r);
1097 }
1098 
1099 int AppLayerParserGetEventInfoById(uint8_t ipproto, AppProto alproto, int event_id,
1100  const char **event_name, AppLayerEventType *event_type)
1101 {
1102  SCEnter();
1103  const int ipproto_map = FlowGetProtoMapping(ipproto);
1104  *event_name = (const char *)NULL;
1105  int r = (alp_ctx.ctxs[ipproto_map][alproto].StateGetEventInfoById == NULL) ?
1106  -1 : alp_ctx.ctxs[ipproto_map][alproto].StateGetEventInfoById(event_id, event_name, event_type);
1107  SCReturnInt(r);
1108 }
1109 
1110 uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
1111 {
1112  SCEnter();
1113  uint8_t r = alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].first_data_dir;
1114  SCReturnCT(r, "uint8_t");
1115 }
1116 
1117 uint64_t AppLayerParserGetTransactionActive(const Flow *f,
1118  AppLayerParserState *pstate, uint8_t direction)
1119 {
1120  SCEnter();
1121 
1122  uint64_t active_id;
1123  uint64_t log_id = pstate->log_id;
1124  uint64_t inspect_id = pstate->inspect_id[direction & STREAM_TOSERVER ? 0 : 1];
1125  if (alp_ctx.ctxs[f->protomap][f->alproto].logger == true) {
1126  active_id = MIN(log_id, inspect_id);
1127  } else {
1128  active_id = inspect_id;
1129  }
1130 
1131  SCReturnCT(active_id, "uint64_t");
1132 }
1133 
1134 int AppLayerParserSupportsFiles(uint8_t ipproto, AppProto alproto)
1135 {
1136  // Custom case for only signature-only protocol so far
1137  if (alproto == ALPROTO_HTTP) {
1138  return AppLayerParserSupportsFiles(ipproto, ALPROTO_HTTP1) ||
1139  AppLayerParserSupportsFiles(ipproto, ALPROTO_HTTP2);
1140  }
1141  if (alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].StateGetFiles != NULL)
1142  return TRUE;
1143  return FALSE;
1144 }
1145 
1146 DetectEngineState *AppLayerParserGetTxDetectState(uint8_t ipproto, AppProto alproto, void *tx)
1147 {
1148  SCEnter();
1149  DetectEngineState *s = alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetTxDetectState(tx);
1150  SCReturnPtr(s, "DetectEngineState");
1151 }
1152 
1153 int AppLayerParserSetTxDetectState(const Flow *f,
1154  void *tx, DetectEngineState *s)
1155 {
1156  SCEnter();
1157  int r = alp_ctx.ctxs[f->protomap][f->alproto].SetTxDetectState(tx, s);
1158  SCReturnInt(r);
1159 }
1160 
1161 AppLayerTxData *AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx)
1162 {
1163  SCEnter();
1164  AppLayerTxData *d = alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetTxData(tx);
1165  SCReturnPtr(d, "AppLayerTxData");
1166 }
1167 
1168 void AppLayerParserApplyTxConfig(uint8_t ipproto, AppProto alproto,
1169  void *state, void *tx, enum ConfigAction mode, AppLayerTxConfig config)
1170 {
1171  SCEnter();
1172  const int ipproto_map = FlowGetProtoMapping(ipproto);
1173  if (alp_ctx.ctxs[ipproto_map][alproto].ApplyTxConfig) {
1174  alp_ctx.ctxs[ipproto_map][alproto].ApplyTxConfig(state, tx, mode, config);
1175  }
1176  SCReturn;
1177 }
1178 
1179 /***** General *****/
1180 
1181 static inline void SetEOFFlags(AppLayerParserState *pstate, const uint8_t flags)
1182 {
1183  if ((flags & (STREAM_EOF|STREAM_TOSERVER)) == (STREAM_EOF|STREAM_TOSERVER)) {
1184  SCLogDebug("setting APP_LAYER_PARSER_EOF_TS");
1185  AppLayerParserStateSetFlag(pstate, APP_LAYER_PARSER_EOF_TS);
1186  } else if ((flags & (STREAM_EOF|STREAM_TOCLIENT)) == (STREAM_EOF|STREAM_TOCLIENT)) {
1187  SCLogDebug("setting APP_LAYER_PARSER_EOF_TC");
1188  AppLayerParserStateSetFlag(pstate, APP_LAYER_PARSER_EOF_TC);
1189  }
1190 }
1191 
1192 /** \retval int -1 in case of unrecoverable error. App-layer tracking stops for this flow.
1193  * \retval int 0 ok: we did not update app_progress
1194  * \retval int 1 ok: we updated app_progress */
1195 int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto,
1196  uint8_t flags, const uint8_t *input, uint32_t input_len)
1197 {
1198  SCEnter();
1199 #ifdef DEBUG_VALIDATION
1200  BUG_ON(f->protomap != FlowGetProtoMapping(f->proto));
1201 #endif
1202  AppLayerParserState *pstate = f->alparser;
1203  AppLayerParserProtoCtx *p = &alp_ctx.ctxs[f->protomap][alproto];
1204  void *alstate = NULL;
1205  uint64_t p_tx_cnt = 0;
1206  uint32_t consumed = input_len;
1207  const int direction = (flags & STREAM_TOSERVER) ? 0 : 1;
1208 
1209  /* we don't have the parser registered for this protocol */
1210  if (p->StateAlloc == NULL)
1211  goto end;
1212 
1213  if (flags & STREAM_GAP) {
1214  if (!(p->option_flags & APP_LAYER_PARSER_OPT_ACCEPT_GAPS)) {
1215  SCLogDebug("app-layer parser does not accept gaps");
1216  if (f->alstate != NULL && !FlowChangeProto(f)) {
1217  AppLayerParserStreamTruncated(f->proto, alproto, f->alstate,
1218  flags);
1219  }
1220  goto error;
1221  }
1222  }
1223 
1224  /* Get the parser state (if any) */
1225  if (pstate == NULL) {
1226  f->alparser = pstate = AppLayerParserStateAlloc();
1227  if (pstate == NULL)
1228  goto error;
1229  }
1230 
1231  SetEOFFlags(pstate, flags);
1232 
1233  alstate = f->alstate;
1234  if (alstate == NULL || FlowChangeProto(f)) {
1235  f->alstate = alstate = p->StateAlloc(alstate, f->alproto_orig);
1236  if (alstate == NULL)
1237  goto error;
1238  SCLogDebug("alloced new app layer state %p (name %s)",
1239  alstate, AppLayerGetProtoName(f->alproto));
1240  } else {
1241  SCLogDebug("using existing app layer state %p (name %s))",
1242  alstate, AppLayerGetProtoName(f->alproto));
1243  }
1244 
1245  p_tx_cnt = AppLayerParserGetTxCnt(f, f->alstate);
1246 
1247  /* invoke the recursive parser, but only on data. We may get empty msgs on EOF */
1248  if (input_len > 0 || (flags & STREAM_EOF)) {
1249  /* invoke the parser */
1250  AppLayerResult res = p->Parser[direction](f, alstate, pstate,
1251  input, input_len,
1252  alp_tctx->alproto_local_storage[f->protomap][alproto],
1253  flags);
1254  if (res.status < 0) {
1255  goto error;
1256  } else if (res.status > 0) {
1257  DEBUG_VALIDATE_BUG_ON(res.consumed > input_len);
1258  DEBUG_VALIDATE_BUG_ON(res.needed + res.consumed < input_len);
1259  DEBUG_VALIDATE_BUG_ON(res.needed == 0);
1260  /* incomplete is only supported for TCP */
1261  DEBUG_VALIDATE_BUG_ON(f->proto != IPPROTO_TCP);
1262 
1263  /* put protocol in error state on improper use of the
1264  * return codes. */
1265  if (res.consumed > input_len || res.needed + res.consumed < input_len) {
1266  goto error;
1267  }
1268 
1269  if (f->proto == IPPROTO_TCP && f->protoctx != NULL) {
1270  TcpSession *ssn = f->protoctx;
1271  SCLogDebug("direction %d/%s", direction,
1272  (flags & STREAM_TOSERVER) ? "toserver" : "toclient");
1273  if (direction == 0) {
1274  /* parser told us how much data it needs on top of what it
1275  * consumed. So we need tell stream engine how much we need
1276  * before the next call */
1277  ssn->client.data_required = res.needed;
1278  SCLogDebug("setting data_required %u", ssn->client.data_required);
1279  } else {
1280  /* parser told us how much data it needs on top of what it
1281  * consumed. So we need tell stream engine how much we need
1282  * before the next call */
1283  ssn->server.data_required = res.needed;
1284  SCLogDebug("setting data_required %u", ssn->server.data_required);
1285  }
1286  }
1287  consumed = res.consumed;
1288  }
1289  }
1290 
1291  /* set the packets to no inspection and reassembly if required */
1292  if (pstate->flags & APP_LAYER_PARSER_NO_INSPECTION) {
1293  AppLayerParserSetEOF(pstate);
1294  FlowSetNoPayloadInspectionFlag(f);
1295 
1296  if (f->proto == IPPROTO_TCP) {
1297  StreamTcpDisableAppLayer(f);
1298 
1299  /* Set the no reassembly flag for both the stream in this TcpSession */
1300  if (pstate->flags & APP_LAYER_PARSER_NO_REASSEMBLY) {
1301  /* Used only if it's TCP */
1302  TcpSession *ssn = f->protoctx;
1303  if (ssn != NULL) {
1304  StreamTcpSetSessionNoReassemblyFlag(ssn, 0);
1305  StreamTcpSetSessionNoReassemblyFlag(ssn, 1);
1306  }
1307  }
1308  /* Set the bypass flag for both the stream in this TcpSession */
1309  if (pstate->flags & APP_LAYER_PARSER_BYPASS_READY) {
1310  /* Used only if it's TCP */
1311  TcpSession *ssn = f->protoctx;
1312  if (ssn != NULL) {
1313  StreamTcpSetSessionBypassFlag(ssn);
1314  }
1315  }
1316  }
1317  }
1318 
1319  /* In cases like HeartBleed for TLS we need to inspect AppLayer but not Payload */
1320  if (!(f->flags & FLOW_NOPAYLOAD_INSPECTION) && pstate->flags & APP_LAYER_PARSER_NO_INSPECTION_PAYLOAD) {
1321  FlowSetNoPayloadInspectionFlag(f);
1322  /* Set the no reassembly flag for both the stream in this TcpSession */
1323  if (f->proto == IPPROTO_TCP) {
1324  /* Used only if it's TCP */
1325  TcpSession *ssn = f->protoctx;
1326  if (ssn != NULL) {
1327  StreamTcpSetDisableRawReassemblyFlag(ssn, 0);
1328  StreamTcpSetDisableRawReassemblyFlag(ssn, 1);
1329  }
1330  }
1331  }
1332 
1333  /* get the diff in tx cnt for stats keeping */
1334  uint64_t cur_tx_cnt = AppLayerParserGetTxCnt(f, f->alstate);
1335  if (cur_tx_cnt > p_tx_cnt && tv) {
1336  AppLayerIncTxCounter(tv, f, cur_tx_cnt - p_tx_cnt);
1337  }
1338 
1339  /* stream truncated, inform app layer */
1340  if (flags & STREAM_DEPTH)
1341  AppLayerParserStreamTruncated(f->proto, alproto, alstate, flags);
1342 
1343  end:
1344  /* update app progress */
1345  if (consumed != input_len && f->proto == IPPROTO_TCP && f->protoctx != NULL) {
1346  TcpSession *ssn = f->protoctx;
1347  StreamTcpUpdateAppLayerProgress(ssn, direction, consumed);
1348  SCReturnInt(1);
1349  }
1350 
1351  SCReturnInt(0);
1352  error:
1353  /* Set the no app layer inspection flag for both
1354  * the stream in this Flow */
1355  if (f->proto == IPPROTO_TCP) {
1356  StreamTcpDisableAppLayer(f);
1357  }
1358  AppLayerParserSetEOF(pstate);
1359  SCReturnInt(-1);
1360 }
1361 
1362 void AppLayerParserSetEOF(AppLayerParserState *pstate)
1363 {
1364  SCEnter();
1365 
1366  if (pstate == NULL)
1367  goto end;
1368 
1369  SCLogDebug("setting APP_LAYER_PARSER_EOF_TC and APP_LAYER_PARSER_EOF_TS");
1370  AppLayerParserStateSetFlag(pstate, (APP_LAYER_PARSER_EOF_TS|APP_LAYER_PARSER_EOF_TC));
1371 
1372  end:
1373  SCReturn;
1374 }
1375 
1376 /* return true if there are app parser decoder events. These are
1377  * only the ones that are set during protocol detection. */
1378 bool AppLayerParserHasDecoderEvents(AppLayerParserState *pstate)
1379 {
1380  SCEnter();
1381 
1382  if (pstate == NULL)
1383  return false;
1384 
1385  const AppLayerDecoderEvents *decoder_events = AppLayerParserGetDecoderEvents(pstate);
1386  if (decoder_events && decoder_events->cnt)
1387  return true;
1388 
1389  /* if we have reached here, we don't have events */
1390  return false;
1391 }
1392 
1393 /** \brief simple way to globally test if a alproto is registered
1394  * and fully enabled in the configuration.
1395  */
1396 int AppLayerParserIsEnabled(AppProto alproto)
1397 {
1398  for (int i = 0; i < FLOW_PROTO_APPLAYER_MAX; i++) {
1399  if (alp_ctx.ctxs[i][alproto].StateGetProgress != NULL) {
1400  return 1;
1401  }
1402  }
1403  return 0;
1404 }
1405 
1406 int AppLayerParserProtocolIsTxEventAware(uint8_t ipproto, AppProto alproto)
1407 {
1408  SCEnter();
1409  int ipproto_map = FlowGetProtoMapping(ipproto);
1410  int r = (alp_ctx.ctxs[ipproto_map][alproto].StateGetEvents == NULL) ? 0 : 1;
1411  SCReturnInt(r);
1412 }
1413 
1414 int AppLayerParserProtocolHasLogger(uint8_t ipproto, AppProto alproto)
1415 {
1416  SCEnter();
1417  int ipproto_map = FlowGetProtoMapping(ipproto);
1418  int r = (alp_ctx.ctxs[ipproto_map][alproto].logger == false) ? 0 : 1;
1419  SCReturnInt(r);
1420 }
1421 
1422 LoggerId AppLayerParserProtocolGetLoggerBits(uint8_t ipproto, AppProto alproto)
1423 {
1424  SCEnter();
1425  const int ipproto_map = FlowGetProtoMapping(ipproto);
1426  LoggerId r = alp_ctx.ctxs[ipproto_map][alproto].logger_bits;
1427  SCReturnUInt(r);
1428 }
1429 
1430 void AppLayerParserTriggerRawStreamReassembly(Flow *f, int direction)
1431 {
1432  SCEnter();
1433 
1434  SCLogDebug("f %p tcp %p direction %d", f, f ? f->protoctx : NULL, direction);
1435  if (f != NULL && f->protoctx != NULL)
1436  StreamTcpReassembleTriggerRawReassembly(f->protoctx, direction);
1437 
1438  SCReturn;
1439 }
1440 
1441 void AppLayerParserSetStreamDepth(uint8_t ipproto, AppProto alproto, uint32_t stream_depth)
1442 {
1443  SCEnter();
1444 
1445  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].stream_depth = stream_depth;
1446  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].internal_flags |=
1447  APP_LAYER_PARSER_INT_STREAM_DEPTH_SET;
1448 
1449  SCReturn;
1450 }
1451 
1452 uint32_t AppLayerParserGetStreamDepth(const Flow *f)
1453 {
1454  SCReturnInt(alp_ctx.ctxs[f->protomap][f->alproto].stream_depth);
1455 }
1456 
1457 void AppLayerParserSetStreamDepthFlag(uint8_t ipproto, AppProto alproto, void *state, uint64_t tx_id, uint8_t flags)
1458 {
1459  SCEnter();
1460  void *tx = NULL;
1461  if (state != NULL) {
1462  if ((tx = AppLayerParserGetTx(ipproto, alproto, state, tx_id)) != NULL) {
1463  if (alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].SetStreamDepthFlag != NULL) {
1464  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].SetStreamDepthFlag(tx, flags);
1465  }
1466  }
1467  }
1468  SCReturn;
1469 }
1470 
1471 /***** Cleanup *****/
1472 
1473 void AppLayerParserStateProtoCleanup(
1474  uint8_t protomap, AppProto alproto, void *alstate, AppLayerParserState *pstate)
1475 {
1476  SCEnter();
1477 
1478  AppLayerParserProtoCtx *ctx = &alp_ctx.ctxs[protomap][alproto];
1479 
1480  if (ctx->StateFree != NULL && alstate != NULL)
1481  ctx->StateFree(alstate);
1482 
1483  /* free the app layer parser api state */
1484  if (pstate != NULL)
1485  AppLayerParserStateFree(pstate);
1486 
1487  SCReturn;
1488 }
1489 
1490 void AppLayerParserStateCleanup(const Flow *f, void *alstate, AppLayerParserState *pstate)
1491 {
1492  AppLayerParserStateProtoCleanup(f->protomap, f->alproto, alstate, pstate);
1493 }
1494 
1495 static void ValidateParserProtoDump(AppProto alproto, uint8_t ipproto)
1496 {
1497  uint8_t map = FlowGetProtoMapping(ipproto);
1498  const AppLayerParserProtoCtx *ctx = &alp_ctx.ctxs[map][alproto];
1499  printf("ERROR: incomplete app-layer registration\n");
1500  printf("AppLayer protocol %s ipproto %u\n", AppProtoToString(alproto), ipproto);
1501  printf("- option flags %"PRIx32"\n", ctx->option_flags);
1502  printf("- first_data_dir %"PRIx8"\n", ctx->first_data_dir);
1503  printf("Mandatory:\n");
1504  printf("- Parser[0] %p Parser[1] %p\n", ctx->Parser[0], ctx->Parser[1]);
1505  printf("- StateAlloc %p StateFree %p\n", ctx->StateAlloc, ctx->StateFree);
1506  printf("- StateGetTx %p StateGetTxCnt %p StateTransactionFree %p\n",
1507  ctx->StateGetTx, ctx->StateGetTxCnt, ctx->StateTransactionFree);
1508  printf("- GetTxData %p\n", ctx->GetTxData);
1509  printf("- StateGetProgress %p\n", ctx->StateGetProgress);
1510  printf("- GetTxDetectState %p SetTxDetectState %p\n", ctx->GetTxDetectState, ctx->SetTxDetectState);
1511  printf("Optional:\n");
1512  printf("- LocalStorageAlloc %p LocalStorageFree %p\n", ctx->LocalStorageAlloc, ctx->LocalStorageFree);
1513  printf("- StateGetEvents %p StateGetEventInfo %p StateGetEventInfoById %p\n", ctx->StateGetEvents, ctx->StateGetEventInfo,
1514  ctx->StateGetEventInfoById);
1515 }
1516 
1517 #define BOTH_SET(a, b) ((a) != NULL && (b) != NULL)
1518 #define BOTH_SET_OR_BOTH_UNSET(a, b) (((a) == NULL && (b) == NULL) || ((a) != NULL && (b) != NULL))
1519 #define THREE_SET_OR_THREE_UNSET(a, b, c) (((a) == NULL && (b) == NULL && (c) == NULL) || ((a) != NULL && (b) != NULL && (c) != NULL))
1520 #define THREE_SET(a, b, c) ((a) != NULL && (b) != NULL && (c) != NULL)
1521 
1522 static void ValidateParserProto(AppProto alproto, uint8_t ipproto)
1523 {
1524  uint8_t map = FlowGetProtoMapping(ipproto);
1525  const AppLayerParserProtoCtx *ctx = &alp_ctx.ctxs[map][alproto];
1526 
1527  if (ctx->Parser[0] == NULL && ctx->Parser[1] == NULL)
1528  return;
1529 
1530  if (!(BOTH_SET(ctx->Parser[0], ctx->Parser[1]))) {
1531  goto bad;
1532  }
1533  if (!(BOTH_SET(ctx->StateFree, ctx->StateAlloc))) {
1534  goto bad;
1535  }
1536  if (!(THREE_SET(ctx->StateGetTx, ctx->StateGetTxCnt, ctx->StateTransactionFree))) {
1537  goto bad;
1538  }
1539  if (ctx->StateGetProgress == NULL) {
1540  goto bad;
1541  }
1542  /* local storage is optional, but needs both set if used */
1543  if (!(BOTH_SET_OR_BOTH_UNSET(ctx->LocalStorageAlloc, ctx->LocalStorageFree))) {
1544  goto bad;
1545  }
1546  if (!(BOTH_SET(ctx->GetTxDetectState, ctx->SetTxDetectState))) {
1547  goto bad;
1548  }
1549  if (ctx->GetTxData == NULL) {
1550  goto bad;
1551  }
1552  return;
1553 bad:
1554  ValidateParserProtoDump(alproto, ipproto);
1555  exit(EXIT_FAILURE);
1556 }
1557 #undef BOTH_SET
1558 #undef BOTH_SET_OR_BOTH_UNSET
1559 #undef THREE_SET_OR_THREE_UNSET
1560 #undef THREE_SET
1561 
1562 static void ValidateParser(AppProto alproto)
1563 {
1564  ValidateParserProto(alproto, IPPROTO_TCP);
1565  ValidateParserProto(alproto, IPPROTO_UDP);
1566 }
1567 
1568 static void ValidateParsers(void)
1569 {
1570  AppProto p = 0;
1571  for ( ; p < ALPROTO_MAX; p++) {
1572  ValidateParser(p);
1573  }
1574 }
1575 
1576 void AppLayerParserRegisterProtocolParsers(void)
1577 {
1578  SCEnter();
1579 
1580  RegisterHTPParsers();
1581  RegisterSSLParsers();
1582  rs_dcerpc_register_parser();
1583  rs_dcerpc_udp_register_parser();
1584  RegisterSMBParsers();
1585  RegisterFTPParsers();
1586  RegisterSSHParsers();
1587  RegisterSMTPParsers();
1588  rs_dns_udp_register_parser();
1589  rs_dns_tcp_register_parser();
1590  RegisterModbusParsers();
1591  RegisterENIPUDPParsers();
1592  RegisterENIPTCPParsers();
1593  RegisterDNP3Parsers();
1594  RegisterNFSTCPParsers();
1595  RegisterNFSUDPParsers();
1596  RegisterNTPParsers();
1597  RegisterTFTPParsers();
1598  RegisterIKEParsers();
1599  RegisterKRB5Parsers();
1600  rs_dhcp_register_parser();
1601  RegisterSNMPParsers();
1602  RegisterSIPParsers();
1603  RegisterTemplateRustParsers();
1604  RegisterRFBParsers();
1605  RegisterMQTTParsers();
1606  RegisterTemplateParsers();
1607  RegisterRdpParsers();
1608  RegisterHTTP2Parsers();
1609 
1610  /** IMAP */
1611  AppLayerProtoDetectRegisterProtocol(ALPROTO_IMAP, "imap");
1612  if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", "imap")) {
1613  if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_IMAP,
1614  "1|20|capability", 12, 0, STREAM_TOSERVER) < 0)
1615  {
1616  SCLogInfo("imap proto registration failure");
1617  exit(EXIT_FAILURE);
1618  }
1619  } else {
1620  SCLogInfo("Protocol detection and parser disabled for %s protocol.",
1621  "imap");
1622  }
1623 
1624  ValidateParsers();
1625  return;
1626 }
1627 
1628 
1629 /* coccinelle: AppLayerParserStateSetFlag():2,2:APP_LAYER_PARSER_ */
1630 void AppLayerParserStateSetFlag(AppLayerParserState *pstate, uint8_t flag)
1631 {
1632  SCEnter();
1633  pstate->flags |= flag;
1634  SCReturn;
1635 }
1636 
1637 /* coccinelle: AppLayerParserStateIssetFlag():2,2:APP_LAYER_PARSER_ */
1638 int AppLayerParserStateIssetFlag(AppLayerParserState *pstate, uint8_t flag)
1639 {
1640  SCEnter();
1641  SCReturnInt(pstate->flags & flag);
1642 }
1643 
1644 
1645 void AppLayerParserStreamTruncated(uint8_t ipproto, AppProto alproto, void *alstate,
1646  uint8_t direction)
1647 {
1648  SCEnter();
1649 
1650  if (alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].Truncate != NULL)
1651  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].Truncate(alstate, direction);
1652 
1653  SCReturn;
1654 }
1655 
1656 #ifdef DEBUG
1657 void AppLayerParserStatePrintDetails(AppLayerParserState *pstate)
1658 {
1659  SCEnter();
1660 
1661  if (pstate == NULL)
1662  SCReturn;
1663 
1664  AppLayerParserState *p = pstate;
1665  SCLogDebug("AppLayerParser parser state information for parser state p(%p). "
1666  "p->inspect_id[0](%"PRIu64"), "
1667  "p->inspect_id[1](%"PRIu64"), "
1668  "p->log_id(%"PRIu64"), "
1669  "p->decoder_events(%p).",
1670  pstate, p->inspect_id[0], p->inspect_id[1], p->log_id,
1671  p->decoder_events);
1672 
1673  SCReturn;
1674 }
1675 #endif
1676 
1677 /***** Unittests *****/
1678 
1679 #ifdef UNITTESTS
1680 
1681 static AppLayerParserCtx alp_ctx_backup_unittest;
1682 
1683 typedef struct TestState_ {
1684  uint8_t test;
1685 } TestState;
1686 
1687 /**
1688  * \brief Test parser function to test the memory deallocation of app layer
1689  * parser of occurence of an error.
1690  */
1691 static AppLayerResult TestProtocolParser(Flow *f, void *test_state, AppLayerParserState *pstate,
1692  const uint8_t *input, uint32_t input_len,
1693  void *local_data, const uint8_t flags)
1694 {
1695  SCEnter();
1696  SCReturnStruct(APP_LAYER_ERROR);
1697 }
1698 
1699 /** \brief Function to allocates the Test protocol state memory
1700  */
1701 static void *TestProtocolStateAlloc(void *orig_state, AppProto proto_orig)
1702 {
1703  SCEnter();
1704  void *s = SCMalloc(sizeof(TestState));
1705  if (unlikely(s == NULL))
1706  goto end;
1707  memset(s, 0, sizeof(TestState));
1708  end:
1709  SCReturnPtr(s, "TestState");
1710 }
1711 
1712 /** \brief Function to free the Test Protocol state memory
1713  */
1714 static void TestProtocolStateFree(void *s)
1715 {
1716  SCFree(s);
1717 }
1718 
1719 static uint64_t TestGetTxCnt(void *state)
1720 {
1721  /* single tx */
1722  return 1;
1723 }
1724 
1725 static void TestStateTransactionFree(void *state, uint64_t tx_id)
1726 {
1727  /* do nothing */
1728 }
1729 
1730 static void *TestGetTx(void *state, uint64_t tx_id)
1731 {
1732  TestState *test_state = (TestState *)state;
1733  return test_state;
1734 }
1735 
1736 void AppLayerParserRegisterProtocolUnittests(uint8_t ipproto, AppProto alproto,
1737  void (*RegisterUnittests)(void))
1738 {
1739  SCEnter();
1740  alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
1741  RegisterUnittests = RegisterUnittests;
1742  SCReturn;
1743 }
1744 
1745 void AppLayerParserBackupParserTable(void)
1746 {
1747  SCEnter();
1748  alp_ctx_backup_unittest = alp_ctx;
1749  memset(&alp_ctx, 0, sizeof(alp_ctx));
1750  SCReturn;
1751 }
1752 
1753 void AppLayerParserRestoreParserTable(void)
1754 {
1755  SCEnter();
1756  alp_ctx = alp_ctx_backup_unittest;
1757  memset(&alp_ctx_backup_unittest, 0, sizeof(alp_ctx_backup_unittest));
1758  SCReturn;
1759 }
1760 
1761 /**
1762  * \test Test the deallocation of app layer parser memory on occurance of
1763  * error in the parsing process.
1764  */
1765 static int AppLayerParserTest01(void)
1766 {
1767  AppLayerParserBackupParserTable();
1768 
1769  Flow *f = NULL;
1770  uint8_t testbuf[] = { 0x11 };
1771  uint32_t testlen = sizeof(testbuf);
1772  TcpSession ssn;
1773  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1774 
1775  memset(&ssn, 0, sizeof(ssn));
1776 
1777  /* Register the Test protocol state and parser functions */
1778  AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_TEST, STREAM_TOSERVER,
1779  TestProtocolParser);
1780  AppLayerParserRegisterStateFuncs(IPPROTO_TCP, ALPROTO_TEST,
1781  TestProtocolStateAlloc, TestProtocolStateFree);
1782  AppLayerParserRegisterTxFreeFunc(IPPROTO_TCP, ALPROTO_TEST, TestStateTransactionFree);
1783  AppLayerParserRegisterGetTx(IPPROTO_TCP, ALPROTO_TEST, TestGetTx);
1784  AppLayerParserRegisterGetTxCnt(IPPROTO_TCP, ALPROTO_TEST, TestGetTxCnt);
1785 
1786  f = UTHBuildFlow(AF_INET, "1.2.3.4", "4.3.2.1", 20, 40);
1787  FAIL_IF_NULL(f);
1788  f->protoctx = &ssn;
1789  f->alproto = ALPROTO_TEST;
1790  f->proto = IPPROTO_TCP;
1791 
1792  StreamTcpInitConfig(true);
1793 
1794  int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_TEST,
1795  STREAM_TOSERVER | STREAM_EOF, testbuf,
1796  testlen);
1797  FAIL_IF(r != -1);
1798 
1799  FAIL_IF(!(ssn.flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
1800 
1801  AppLayerParserRestoreParserTable();
1802  StreamTcpFreeConfig(true);
1803  UTHFreeFlow(f);
1804  PASS;
1805 }
1806 
1807 /**
1808  * \test Test the deallocation of app layer parser memory on occurance of
1809  * error in the parsing process for UDP.
1810  */
1811 static int AppLayerParserTest02(void)
1812 {
1813  AppLayerParserBackupParserTable();
1814 
1815  Flow *f = NULL;
1816  uint8_t testbuf[] = { 0x11 };
1817  uint32_t testlen = sizeof(testbuf);
1818  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1819 
1820  /* Register the Test protocol state and parser functions */
1821  AppLayerParserRegisterParser(IPPROTO_UDP, ALPROTO_TEST, STREAM_TOSERVER,
1822  TestProtocolParser);
1823  AppLayerParserRegisterStateFuncs(IPPROTO_UDP, ALPROTO_TEST,
1824  TestProtocolStateAlloc, TestProtocolStateFree);
1825  AppLayerParserRegisterTxFreeFunc(IPPROTO_UDP, ALPROTO_TEST, TestStateTransactionFree);
1826  AppLayerParserRegisterGetTx(IPPROTO_UDP, ALPROTO_TEST, TestGetTx);
1827  AppLayerParserRegisterGetTxCnt(IPPROTO_UDP, ALPROTO_TEST, TestGetTxCnt);
1828 
1829  f = UTHBuildFlow(AF_INET, "1.2.3.4", "4.3.2.1", 20, 40);
1830  FAIL_IF_NULL(f);
1831  f->alproto = ALPROTO_TEST;
1832  f->proto = IPPROTO_UDP;
1833  f->protomap = FlowGetProtoMapping(f->proto);
1834 
1835  StreamTcpInitConfig(true);
1836 
1837  int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_TEST,
1838  STREAM_TOSERVER | STREAM_EOF, testbuf,
1839  testlen);
1840  FAIL_IF(r != -1);
1841 
1842  AppLayerParserRestoreParserTable();
1843  StreamTcpFreeConfig(true);
1844  UTHFreeFlow(f);
1845  PASS;
1846 }
1847 
1848 
1849 void AppLayerParserRegisterUnittests(void)
1850 {
1851  SCEnter();
1852 
1853  int ip;
1854  AppProto alproto;
1855  AppLayerParserProtoCtx *ctx;
1856 
1857  for (ip = 0; ip < FLOW_PROTO_DEFAULT; ip++) {
1858  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
1859  ctx = &alp_ctx.ctxs[ip][alproto];
1860  if (ctx->RegisterUnittests == NULL)
1861  continue;
1862  ctx->RegisterUnittests();
1863  }
1864  }
1865 
1866  UtRegisterTest("AppLayerParserTest01", AppLayerParserTest01);
1867  UtRegisterTest("AppLayerParserTest02", AppLayerParserTest02);
1868 
1869  SCReturn;
1870 }
1871 
1872 #endif
AppLayerParserProtoCtx_::Truncate
void(* Truncate)(void *, uint8_t)
Definition: app-layer-parser.c:106
app-layer-nfs-udp.h
ALPROTO_TEST
@ ALPROTO_TEST
Definition: app-layer-protos.h:69
AppLayerParserRegisterGetStateProgressFunc
void AppLayerParserRegisterGetStateProgressFunc(uint8_t ipproto, AppProto alproto, int(*StateGetProgress)(void *alstate, uint8_t direction))
Definition: app-layer-parser.c:474
AppLayerParserDeSetup
int AppLayerParserDeSetup(void)
Definition: app-layer-parser.c:241
FileContainer_
Definition: util-file.h:107
ts
uint64_t ts
Definition: source-erf-file.c:54
RegisterNTPParsers
void RegisterNTPParsers(void)
Definition: app-layer-ntp.c:38
AppLayerParserProtoCtx_::StateGetTxCnt
uint64_t(* StateGetTxCnt)(void *alstate)
Definition: app-layer-parser.c:111
AppLayerParserProtoCtx_::logger_bits
uint32_t logger_bits
Definition: app-layer-parser.c:98
AppLayerParserProtoCtx_::complete_tc
int complete_tc
Definition: app-layer-parser.c:115
AppLayerParserProtoCtx_::GetTxData
AppLayerTxData *(* GetTxData)(void *tx)
Definition: app-layer-parser.c:124
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
RegisterTemplateRustParsers
void RegisterTemplateRustParsers(void)
Definition: app-layer-template-rust.c:48
app-layer-tftp.h
AppLayerParserCtx_::ctxs
AppLayerParserProtoCtx ctxs[FLOW_PROTO_MAX][ALPROTO_MAX]
Definition: app-layer-parser.c:150
AppLayerParserState_::log_id
uint64_t log_id
Definition: app-layer-parser.c:163
RegisterSMBParsers
void RegisterSMBParsers(void)
Definition: app-layer-smb.c:235
app-layer-ssh.h
RegisterIKEParsers
void RegisterIKEParsers(void)
Definition: app-layer-ike.c:40
AppLayerParserIsEnabled
int AppLayerParserIsEnabled(AppProto alproto)
simple way to globally test if a alproto is registered and fully enabled in the configuration.
Definition: app-layer-parser.c:1396
AppLayerParserRegisterLocalStorageFunc
void AppLayerParserRegisterLocalStorageFunc(uint8_t ipproto, AppProto alproto, void *(*LocalStorageAlloc)(void), void(*LocalStorageFree)(void *))
Definition: app-layer-parser.c:410
BOTH_SET
#define BOTH_SET(a, b)
Definition: app-layer-parser.c:1517
AppLayerParserProtocolHasLogger
int AppLayerParserProtocolHasLogger(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1414
AppLayerParserRegisterOptionFlags
void AppLayerParserRegisterOptionFlags(uint8_t ipproto, AppProto alproto, uint32_t flags)
Definition: app-layer-parser.c:381
flow-util.h
AppLayerParserSetStreamDepthFlag
void AppLayerParserSetStreamDepthFlag(uint8_t ipproto, AppProto alproto, void *state, uint64_t tx_id, uint8_t flags)
Definition: app-layer-parser.c:1457
AppLayerParserSetTransactionLogId
void AppLayerParserSetTransactionLogId(AppLayerParserState *pstate, uint64_t tx_id)
Definition: app-layer-parser.c:689
AppLayerParserSetStreamDepth
void AppLayerParserSetStreamDepth(uint8_t ipproto, AppProto alproto, uint32_t stream_depth)
Definition: app-layer-parser.c:1441
DetectEngineState_
Definition: detect-engine-state.h:93
ConfNode_::val
char * val
Definition: conf.h:34
stream-tcp.h
AppLayerParserApplyTxConfig
void AppLayerParserApplyTxConfig(uint8_t ipproto, AppProto alproto, void *state, void *tx, enum ConfigAction mode, AppLayerTxConfig config)
Definition: app-layer-parser.c:1168
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
AppLayerParserGetProtocolParserLocalStorage
void * AppLayerParserGetProtocolParserLocalStorage(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:609
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
AppLayerParserProtoCtx_::LocalStorageFree
void(* LocalStorageFree)(void *)
Definition: app-layer-parser.c:104
AppLayerParserProtoCtx_
App layer protocol parser context.
Definition: app-layer-parser.c:94
RegisterSSHParsers
void RegisterSSHParsers(void)
Function to register the SSH protocol parsers and other functions.
Definition: app-layer-ssh.c:81
AppLayerParserProtoCtx_::StateGetTx
void *(* StateGetTx)(void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:112
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
AppLayerParserSetTransactionInspectId
void AppLayerParserSetTransactionInspectId(const Flow *f, AppLayerParserState *pstate, void *alstate, const uint8_t flags, bool tag_txs_as_inspected)
Definition: app-layer-parser.c:730
APP_LAYER_PARSER_BYPASS_READY
#define APP_LAYER_PARSER_BYPASS_READY
Definition: app-layer-parser.h:40
AppLayerParserGetEventsByTx
AppLayerDecoderEvents * AppLayerParserGetEventsByTx(uint8_t ipproto, AppProto alproto, void *tx)
Definition: app-layer-parser.c:844
AppLayerGetTxIterator
AppLayerGetTxIteratorFunc AppLayerGetTxIterator(const uint8_t ipproto, const AppProto alproto)
Definition: app-layer-parser.c:674
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
RegisterModbusParsers
void RegisterModbusParsers(void)
Function to register the Modbus protocol parser.
Definition: app-layer-modbus.c:49
Flow_::proto
uint8_t proto
Definition: flow.h:372
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:77
AppLayerParserFPtr
AppLayerResult(* AppLayerParserFPtr)(Flow *f, void *protocol_state, AppLayerParserState *pstate, const uint8_t *buf, uint32_t buf_len, void *local_storage, const uint8_t flags)
Prototype for parsing functions.
Definition: app-layer-parser.h:113
StreamTcpSetDisableRawReassemblyFlag
void StreamTcpSetDisableRawReassemblyFlag(TcpSession *, char)
Set the No reassembly flag for the given direction in given TCP session.
Definition: stream-tcp.c:5988
AppLayerParserConfParserEnabled
int AppLayerParserConfParserEnabled(const char *ipproto, const char *alproto_name)
check if a parser is enabled in the config Returns enabled always if: were running unittests
Definition: app-layer-parser.c:300
AppLayerParserGetStateProgress
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
Definition: app-layer-parser.c:1053
AppLayerParserTriggerRawStreamReassembly
void AppLayerParserTriggerRawStreamReassembly(Flow *f, int direction)
Definition: app-layer-parser.c:1430
ConfGetNode
ConfNode * ConfGetNode(const char *name)
Get a ConfNode by name.
Definition: conf.c:175
threads.h
TcpStreamCnf_::reassembly_depth
uint32_t reassembly_depth
Definition: stream-tcp.h:60
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:350
APP_LAYER_PARSER_INT_STREAM_DEPTH_SET
#define APP_LAYER_PARSER_INT_STREAM_DEPTH_SET
Definition: app-layer-parser.h:48
AppLayerEventType
enum AppLayerEventType_ AppLayerEventType
AppLayerParserRegisterGetEventsFunc
void AppLayerParserRegisterGetEventsFunc(uint8_t ipproto, AppProto alproto, AppLayerDecoderEvents *(*StateGetEvents)(void *))
Definition: app-layer-parser.c:435
StreamTcpReassembleTriggerRawReassembly
void StreamTcpReassembleTriggerRawReassembly(TcpSession *ssn, int direction)
Trigger RAW stream reassembly.
Definition: stream-tcp-reassemble.c:1960
LoggerId
LoggerId
Definition: suricata-common.h:436
Flow_::protomap
uint8_t protomap
Definition: flow.h:452
AppLayerParserGetTransactionLogId
uint64_t AppLayerParserGetTransactionLogId(AppLayerParserState *pstate)
Definition: app-layer-parser.c:682
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:30
AppLayerParserRegisterTruncateFunc
void AppLayerParserRegisterTruncateFunc(uint8_t ipproto, AppProto alproto, void(*Truncate)(void *, uint8_t))
Definition: app-layer-parser.c:464
AppLayerParserRegisterStateProgressCompletionStatus
void AppLayerParserRegisterStateProgressCompletionStatus(AppProto alproto, const int ts, const int tc)
Definition: app-layer-parser.c:526
AppLayerParserRegisterParserAcceptableDataDirection
void AppLayerParserRegisterParserAcceptableDataDirection(uint8_t ipproto, AppProto alproto, uint8_t direction)
Definition: app-layer-parser.c:370
AppLayerParserGetStateProgressCompletionStatus
int AppLayerParserGetStateProgressCompletionStatus(AppProto alproto, uint8_t direction)
Definition: app-layer-parser.c:1081
AppLayerParserGetFirstDataDir
uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1110
AppLayerParserProtoIsRegistered
int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:186
AppLayerParserRegisterTxFreeFunc
void AppLayerParserRegisterTxFreeFunc(uint8_t ipproto, AppProto alproto, void(*StateTransactionFree)(void *, uint64_t))
Definition: app-layer-parser.c:485
FLOW_NOPAYLOAD_INSPECTION
#define FLOW_NOPAYLOAD_INSPECTION
Definition: flow.h:65
AppLayerParserSupportsFiles
int AppLayerParserSupportsFiles(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1134
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:463
AppLayerParserStateProtoCleanup
void AppLayerParserStateProtoCleanup(uint8_t protomap, AppProto alproto, void *alstate, AppLayerParserState *pstate)
Definition: app-layer-parser.c:1473
AppLayerParserProtoCtx_::StateGetTxIterator
AppLayerGetTxIteratorFunc StateGetTxIterator
Definition: app-layer-parser.c:113
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:277
rust.h
MIN
#define MIN(x, y)
Definition: suricata-common.h:372
AppLayerDecoderEventsFreeEvents
void AppLayerDecoderEventsFreeEvents(AppLayerDecoderEvents **events)
Definition: app-layer-events.c:148
StreamTcpUpdateAppLayerProgress
void StreamTcpUpdateAppLayerProgress(TcpSession *ssn, char direction, const uint32_t progress)
update reassembly progress
Definition: stream-tcp.c:5954
AppLayerParserGetFiles
FileContainer * AppLayerParserGetFiles(const Flow *f, const uint8_t direction)
Definition: app-layer-parser.c:861
APP_LAYER_TX_INSPECTED_FLAG
#define APP_LAYER_TX_INSPECTED_FLAG
Definition: app-layer-parser.h:53
stream-tcp-reassemble.h
AppLayerParserRegisterDetectStateFuncs
void AppLayerParserRegisterDetectStateFuncs(uint8_t ipproto, AppProto alproto, DetectEngineState *(*GetTxDetectState)(void *tx), int(*SetTxDetectState)(void *tx, DetectEngineState *))
Definition: app-layer-parser.c:565
AppLayerParserGetOptionFlags
uint32_t AppLayerParserGetOptionFlags(uint8_t protomap, AppProto alproto)
Definition: app-layer-parser.c:391
TestState
struct TestState_ TestState
app-layer-http2.h
RegisterSIPParsers
void RegisterSIPParsers(void)
Definition: app-layer-sip.c:30
app-layer-ftp.h
stream_config
TcpStreamCnf stream_config
Definition: stream-tcp.c:119
MAX
#define MAX(x, y)
Definition: suricata-common.h:376
APP_LAYER_PARSER_EOF_TS
#define APP_LAYER_PARSER_EOF_TS
Definition: app-layer-parser.h:41
ALPROTO_MAX
@ ALPROTO_MAX
Definition: app-layer-protos.h:72
Flow_::protoctx
void * protoctx
Definition: flow.h:448
TcpStream_::data_required
uint32_t data_required
Definition: stream-tcp-private.h:120
AppLayerParserRegisterUnittests
void AppLayerParserRegisterUnittests(void)
Definition: app-layer-parser.c:1849
AppLayerParserGetTransactionInspectId
uint64_t AppLayerParserGetTransactionInspectId(AppLayerParserState *pstate, uint8_t direction)
Definition: app-layer-parser.c:699
RegisterKRB5Parsers
void RegisterKRB5Parsers(void)
Definition: app-layer-krb5.c:38
AppLayerDecoderEvents_
Data structure to store app layer decoder events.
Definition: app-layer-events.h:34
util-unittest.h
AppLayerParserProtoCtx_::ApplyTxConfig
bool(* ApplyTxConfig)(void *state, void *tx, int mode, AppLayerTxConfig)
Definition: app-layer-parser.c:125
FlowGetReverseProtoMapping
uint8_t FlowGetReverseProtoMapping(uint8_t rproto)
Definition: flow-util.c:109
AppLayerParserProtocolIsTxEventAware
int AppLayerParserProtocolIsTxEventAware(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1406
RegisterDNP3Parsers
void RegisterDNP3Parsers(void)
Register the DNP3 application protocol parser.
Definition: app-layer-dnp3.c:1584
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:565
util-unittest-helper.h
FTPParserCleanup
void FTPParserCleanup(void)
Free memory allocated for global FTP parser state.
Definition: app-layer-ftp.c:1426
TcpSession_::flags
uint16_t flags
Definition: stream-tcp-private.h:269
AppLayerParserGetEventInfoById
int AppLayerParserGetEventInfoById(uint8_t ipproto, AppProto alproto, int event_id, const char **event_name, AppLayerEventType *event_type)
Definition: app-layer-parser.c:1099
Flow_::sgh_toserver
const struct SigGroupHead_ * sgh_toserver
Definition: flow.h:490
AppLayerParserRestoreParserTable
void AppLayerParserRestoreParserTable(void)
Definition: app-layer-parser.c:1753
AppLayerParserState_::inspect_id
uint64_t inspect_id[2]
Definition: app-layer-parser.c:159
AppLayerParserCtx
struct AppLayerParserCtx_ AppLayerParserCtx
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:482
AppLayerParserRegisterProtocolParsers
void AppLayerParserRegisterProtocolParsers(void)
Definition: app-layer-parser.c:1576
app-layer-krb5.h
RegisterRFBParsers
void RegisterRFBParsers(void)
Definition: app-layer-rfb.c:54
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
UTHBuildFlow
Flow * UTHBuildFlow(int family, const char *src, const char *dst, Port sp, Port dp)
Definition: util-unittest-helper.c:521
app-layer-htp.h
AppLayerParserStateIssetFlag
int AppLayerParserStateIssetFlag(AppLayerParserState *pstate, uint8_t flag)
Definition: app-layer-parser.c:1638
AppLayerParserProtoCtx_::stream_depth
uint32_t stream_depth
Definition: app-layer-parser.c:130
decode.h
util-debug.h
AppLayerParserState_
Definition: app-layer-parser.c:153
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
AppLayerParserGetTransactionActive
uint64_t AppLayerParserGetTransactionActive(const Flow *f, AppLayerParserState *pstate, uint8_t direction)
Definition: app-layer-parser.c:1117
AppLayerParserProtoCtx_::logger
bool logger
Definition: app-layer-parser.c:97
app-layer-ike.h
app-layer-dnp3.h
AppLayerParserStreamTruncated
void AppLayerParserStreamTruncated(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t direction)
Definition: app-layer-parser.c:1645
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:20
AppLayerParserRegisterLogger
void AppLayerParserRegisterLogger(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:455
app-layer-rfb.h
AppLayerParserRegisterGetFilesFunc
void AppLayerParserRegisterGetFilesFunc(uint8_t ipproto, AppProto alproto, FileContainer *(*StateGetFiles)(void *, uint8_t))
Definition: app-layer-parser.c:424
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
AppLayerParserProtoCtx_::SetStreamDepthFlag
void(* SetStreamDepthFlag)(void *tx, uint8_t flags)
Definition: app-layer-parser.c:127
AppLayerParserState_::min_id
uint64_t min_id
Definition: app-layer-parser.c:165
RegisterENIPTCPParsers
void RegisterENIPTCPParsers(void)
Function to register the ENIP protocol parsers and other functions.
Definition: app-layer-enip.c:553
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
AppLayerParserRegisterLoggerBits
void AppLayerParserRegisterLoggerBits(uint8_t ipproto, AppProto alproto, LoggerId bits)
Definition: app-layer-parser.c:446
AppLayerParserProtoCtx_::StateGetEventInfo
int(* StateGetEventInfo)(const char *event_name, int *event_id, AppLayerEventType *event_type)
Definition: app-layer-parser.c:118
AppLayerParserRegisterStateFuncs
void AppLayerParserRegisterStateFuncs(uint8_t ipproto, AppProto alproto, void *(*StateAlloc)(void *, AppProto), void(*StateFree)(void *))
Definition: app-layer-parser.c:397
AppLayerParserProtoCtx_::GetTxDetectState
DetectEngineState *(* GetTxDetectState)(void *tx)
Definition: app-layer-parser.c:121
detect-engine-port.h
APP_LAYER_PARSER_OPT_UNIDIR_TXS
#define APP_LAYER_PARSER_OPT_UNIDIR_TXS
Definition: app-layer-parser.h:46
AppLayerParserProtoCtx_::SetTxDetectState
int(* SetTxDetectState)(void *tx, DetectEngineState *)
Definition: app-layer-parser.c:122
APP_LAYER_PARSER_NO_REASSEMBLY
#define APP_LAYER_PARSER_NO_REASSEMBLY
Definition: app-layer-parser.h:38
IS_DISRUPTED
#define IS_DISRUPTED(flags)
Definition: app-layer-parser.c:876
AppLayerParserSetEOF
void AppLayerParserSetEOF(AppLayerParserState *pstate)
Definition: app-layer-parser.c:1362
AppLayerParserProtoCtx_::RegisterUnittests
void(* RegisterUnittests)(void)
Definition: app-layer-parser.c:145
AppLayerParserStateFree
void AppLayerParserStateFree(AppLayerParserState *pstate)
Definition: app-layer-parser.c:206
FLOW_PROTO_MAX
@ FLOW_PROTO_MAX
Definition: flow-private.h:76
app-layer-parser.h
AppLayerParserStateCleanup
void AppLayerParserStateCleanup(const Flow *f, void *alstate, AppLayerParserState *pstate)
Definition: app-layer-parser.c:1490
TRUE
#define TRUE
Definition: suricata-common.h:33
AppLayerParserBackupParserTable
void AppLayerParserBackupParserTable(void)
Definition: app-layer-parser.c:1745
AppLayerParserProtoCtx_::StateGetEventInfoById
int(* StateGetEventInfoById)(int event_id, const char **event_name, AppLayerEventType *event_type)
Definition: app-layer-parser.c:116
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:277
AppLayerDecoderEvents_::cnt
uint8_t cnt
Definition: app-layer-events.h:38
Flow_::sgh_toclient
const struct SigGroupHead_ * sgh_toclient
Definition: flow.h:487
RegisterNFSTCPParsers
void RegisterNFSTCPParsers(void)
Definition: app-layer-nfs-tcp.c:235
AppLayerParserProtoCtx
struct AppLayerParserProtoCtx_ AppLayerParserProtoCtx
App layer protocol parser context.
FALSE
#define FALSE
Definition: suricata-common.h:34
AppLayerParserSetup
int AppLayerParserSetup(void)
Definition: app-layer-parser.c:217
SCReturn
#define SCReturn
Definition: util-debug.h:302
RegisterFTPParsers
void RegisterFTPParsers(void)
Definition: app-layer-ftp.c:1282
stream.h
AppLayerParserRegisterProtocolUnittests
void AppLayerParserRegisterProtocolUnittests(uint8_t ipproto, AppProto alproto, void(*RegisterUnittests)(void))
Definition: app-layer-parser.c:1736
AppLayerGetTxIterState
Definition: app-layer-parser.h:118
AppLayerParserProtoCtx_::StateAlloc
void *(* StateAlloc)(void *, AppProto)
Definition: app-layer-parser.c:100
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:95
STREAM_DEPTH
#define STREAM_DEPTH
Definition: stream.h:34
RegisterTFTPParsers
void RegisterTFTPParsers(void)
Definition: app-layer-tftp.c:173
ALPROTO_IMAP
@ ALPROTO_IMAP
Definition: app-layer-protos.h:35
stream-tcp-private.h
FLOW_PROTO_APPLAYER_MAX
#define FLOW_PROTO_APPLAYER_MAX
Definition: flow-private.h:79
APP_LAYER_PARSER_EOF_TC
#define APP_LAYER_PARSER_EOF_TC
Definition: app-layer-parser.h:42
SCReturnUInt
#define SCReturnUInt(x)
Definition: util-debug.h:306
conf.h
DEBUG_ASSERT_FLOW_LOCKED
#define DEBUG_ASSERT_FLOW_LOCKED(f)
Definition: util-validate.h:108
BOTH_SET_OR_BOTH_UNSET
#define BOTH_SET_OR_BOTH_UNSET(a, b)
Definition: app-layer-parser.c:1518
AppLayerParserThreadCtx_::alproto_local_storage
void * alproto_local_storage[FLOW_PROTO_MAX][ALPROTO_MAX]
Definition: app-layer-parser.c:86
AppLayerParserRegisterGetEventInfo
void AppLayerParserRegisterGetEventInfo(uint8_t ipproto, AppProto alproto, int(*StateGetEventInfo)(const char *event_name, int *event_id, AppLayerEventType *event_type))
Definition: app-layer-parser.c:553
AppLayerParserSetDecoderEvents
void AppLayerParserSetDecoderEvents(AppLayerParserState *pstate, AppLayerDecoderEvents *devents)
Definition: app-layer-parser.c:839
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:316
AppLayerParserProtoCtx_::StateFree
void(* StateFree)(void *)
Definition: app-layer-parser.c:101
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
STREAM_GAP
#define STREAM_GAP
Definition: stream.h:33
AppLayerProtoDetectRegisterProtocol
void AppLayerProtoDetectRegisterProtocol(AppProto alproto, const char *alproto_name)
Registers a protocol for protocol detection phase.
Definition: app-layer-detect-proto.c:1889
AppLayerParserRegisterSetStreamDepthFlag
void AppLayerParserRegisterSetStreamDepthFlag(uint8_t ipproto, AppProto alproto, void(*SetStreamDepthFlag)(void *tx, uint8_t flags))
Definition: app-layer-parser.c:597
app-layer-sip.h
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:59
runmodes.h
RunmodeIsUnittests
int RunmodeIsUnittests(void)
Definition: suricata.c:265
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:217
RegisterRdpParsers
void RegisterRdpParsers(void)
Definition: app-layer-rdp.c:35
APP_LAYER_PARSER_NO_INSPECTION
#define APP_LAYER_PARSER_NO_INSPECTION
Definition: app-layer-parser.h:37
AppLayerParserGetTx
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:1074
g_detect_disabled
int g_detect_disabled
Definition: suricata.c:211
AppLayerParserRegisterParser
int AppLayerParserRegisterParser(uint8_t ipproto, AppProto alproto, uint8_t direction, AppLayerParserFPtr Parser)
Register app layer parser for the protocol.
Definition: app-layer-parser.c:358
decode-events.h
UTHFreeFlow
void UTHFreeFlow(Flow *flow)
Definition: util-unittest-helper.c:526
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:251
AppLayerParserRegisterGetTx
void AppLayerParserRegisterGetTx(uint8_t ipproto, AppProto alproto, void *(StateGetTx)(void *alstate, uint64_t tx_id))
Definition: app-layer-parser.c:507
ConfigAction
ConfigAction
Definition: util-config.h:27
AppLayerParserProtoCtx_::Parser
AppLayerParserFPtr Parser[2]
Definition: app-layer-parser.c:96
app-layer-modbus.h
AppLayerParserProtoCtx_::StateTransactionFree
void(* StateTransactionFree)(void *, uint64_t)
Definition: app-layer-parser.c:102
app-layer-enip.h
SCReturnStruct
#define SCReturnStruct(x)
Definition: util-debug.h:320
app-layer-template-rust.h
RegisterSSLParsers
void RegisterSSLParsers(void)
Function to register the SSL protocol parser and other functions.
Definition: app-layer-ssl.c:2912
AppLayerParserProtoCtx_::option_flags
uint32_t option_flags
Definition: app-layer-parser.c:138
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
StreamTcpSetSessionNoReassemblyFlag
void StreamTcpSetSessionNoReassemblyFlag(TcpSession *, char)
disable reassembly
Definition: stream-tcp.c:5972
AppLayerParserTransactionsCleanup
void AppLayerParserTransactionsCleanup(Flow *f)
remove obsolete (inspected and logged) transactions
Definition: app-layer-parser.c:882
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:670
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1195
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:337
suricata-common.h
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
AppLayerParserProtoCtx_::internal_flags
uint32_t internal_flags
Definition: app-layer-parser.c:141
util-spm.h
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
AppLayerParserRegisterApplyTxConfigFunc
void AppLayerParserRegisterApplyTxConfigFunc(uint8_t ipproto, AppProto alproto, bool(*ApplyTxConfig)(void *state, void *tx, int mode, AppLayerTxConfig))
Definition: app-layer-parser.c:587
AppLayerParserProtoCtx_::StateGetFiles
FileContainer *(* StateGetFiles)(void *, uint8_t)
Definition: app-layer-parser.c:107
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
RegisterENIPUDPParsers
void RegisterENIPUDPParsers(void)
Function to register the ENIP protocol parsers and other functions.
Definition: app-layer-enip.c:463
AppLayerParserGetTxData
AppLayerTxData * AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx)
Definition: app-layer-parser.c:1161
FatalError
#define FatalError(x,...)
Definition: util-debug.h:532
AppLayerParserRegisterTxDataFunc
void AppLayerParserRegisterTxDataFunc(uint8_t ipproto, AppProto alproto, AppLayerTxData *(*GetTxData)(void *tx))
Definition: app-layer-parser.c:577
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:272
AppLayerParserGetStreamDepth
uint32_t AppLayerParserGetStreamDepth(const Flow *f)
Definition: app-layer-parser.c:1452
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
util-validate.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
RegisterSNMPParsers
void RegisterSNMPParsers(void)
Definition: app-layer-snmp.c:39
APP_LAYER_PARSER_OPT_ACCEPT_GAPS
#define APP_LAYER_PARSER_OPT_ACCEPT_GAPS
Definition: app-layer-parser.h:45
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:271
AppLayerParserRegisterGetTxIterator
void AppLayerParserRegisterGetTxIterator(uint8_t ipproto, AppProto alproto, AppLayerGetTxIteratorFunc Func)
Definition: app-layer-parser.c:518
AppLayerParserProtoCtx_::complete_ts
int complete_ts
Definition: app-layer-parser.c:114
SCFree
#define SCFree(p)
Definition: util-mem.h:61
ConfNode_
Definition: conf.h:32
Flow_::alstate
void * alstate
Definition: flow.h:483
SC_ERR_FATAL
@ SC_ERR_FATAL
Definition: util-error.h:203
AppLayerParserPostStreamSetup
void AppLayerParserPostStreamSetup(void)
Definition: app-layer-parser.c:224
app-layer-template.h
Flow_::flags
uint32_t flags
Definition: flow.h:428
AppLayerParserGetDecoderEvents
AppLayerDecoderEvents * AppLayerParserGetDecoderEvents(AppLayerParserState *pstate)
Definition: app-layer-parser.c:831
THREE_SET
#define THREE_SET(a, b, c)
Definition: app-layer-parser.c:1520
TestState_::test
uint8_t test
Definition: app-layer-parser.c:1684
AppLayerParserRegisterGetEventInfoById
void AppLayerParserRegisterGetEventInfoById(uint8_t ipproto, AppProto alproto, int(*StateGetEventInfoById)(int event_id, const char **event_name, AppLayerEventType *event_type))
Definition: app-layer-parser.c:541
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:805
UTHAppLayerParserStateGetIds
void UTHAppLayerParserStateGetIds(void *ptr, uint64_t *i1, uint64_t *i2, uint64_t *log, uint64_t *min)
Definition: app-layer-parser.c:172
ConfValIsFalse
int ConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:590
RegisterHTPParsers
void RegisterHTPParsers(void)
Register the HTTP protocol and state handling functions to APP layer of the engine.
Definition: app-layer-htp.c:3119
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:63
AppLayerIncTxCounter
void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
Definition: app-layer.c:114
AppLayerParserGetTxDetectState
DetectEngineState * AppLayerParserGetTxDetectState(uint8_t ipproto, AppProto alproto, void *tx)
Definition: app-layer-parser.c:1146
app-layer-snmp.h
STREAM_EOF
#define STREAM_EOF
Definition: stream.h:30
RegisterSMTPParsers
void RegisterSMTPParsers(void)
Register the SMTP Protocol parser.
Definition: app-layer-smtp.c:1786
AppLayerParserSetTxDetectState
int AppLayerParserSetTxDetectState(const Flow *f, void *tx, DetectEngineState *s)
Definition: app-layer-parser.c:1153
AppLayerParserStateAlloc
AppLayerParserState * AppLayerParserStateAlloc(void)
Definition: app-layer-parser.c:193
SCReturnCT
#define SCReturnCT(x, type)
Definition: util-debug.h:314
app-layer-protos.h
RegisterTemplateParsers
void RegisterTemplateParsers(void)
Definition: app-layer-template.c:470
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:188
AppLayerParserState_::decoder_events
AppLayerDecoderEvents * decoder_events
Definition: app-layer-parser.c:168
AppLayerParserRegisterGetTxCnt
void AppLayerParserRegisterGetTxCnt(uint8_t ipproto, AppProto alproto, uint64_t(*StateGetTxCnt)(void *alstate))
Definition: app-layer-parser.c:496
APP_LAYER_ERROR
#define APP_LAYER_ERROR
Definition: app-layer-parser.h:64
app-layer-smb.h
app-layer-mqtt.h
AppLayerParserProtoCtx_::StateGetProgress
int(* StateGetProgress)(void *alstate, uint8_t direction)
Definition: app-layer-parser.c:110
AppLayerParserProtocolGetLoggerBits
LoggerId AppLayerParserProtocolGetLoggerBits(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1422
AppLayerParserStateSetFlag
void AppLayerParserStateSetFlag(AppLayerParserState *pstate, uint8_t flag)
Definition: app-layer-parser.c:1630
AppLayerParserCtx_
Definition: app-layer-parser.c:149
AppLayerGetTxIteratorFunc
AppLayerGetTxIterTuple(* AppLayerGetTxIteratorFunc)(const uint8_t ipproto, const AppProto alproto, void *alstate, uint64_t min_tx_id, uint64_t max_tx_id, AppLayerGetTxIterState *state)
tx iterator prototype
Definition: app-layer-parser.h:127
likely
#define likely(expr)
Definition: util-optimize.h:32
RegisterHTTP2Parsers
void RegisterHTTP2Parsers(void)
Definition: app-layer-http2.c:56
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:85
AppLayerProtoDetectPMRegisterPatternCS
int AppLayerProtoDetectPMRegisterPatternCS(uint8_t ipproto, AppProto alproto, const char *pattern, uint16_t depth, uint16_t offset, uint8_t direction)
Registers a case-sensitive pattern for protocol detection.
Definition: app-layer-detect-proto.c:1785
app-layer-smtp.h
APP_LAYER_PARSER_NO_INSPECTION_PAYLOAD
#define APP_LAYER_PARSER_NO_INSPECTION_PAYLOAD
Definition: app-layer-parser.h:39
FlowChangeProto
int FlowChangeProto(Flow *f)
Check if change proto flag is set for flow.
Definition: flow.c:212
FlowGetDisruptionFlags
uint8_t FlowGetDisruptionFlags(const Flow *f, uint8_t flags)
get 'disruption' flags: GAP/DEPTH/PASS
Definition: flow.c:1114
TcpSession_
Definition: stream-tcp-private.h:260
RegisterNFSUDPParsers
void RegisterNFSUDPParsers(void)
Definition: app-layer-nfs-udp.c:224
FLOW_PROTO_DEFAULT
@ FLOW_PROTO_DEFAULT
Definition: flow-private.h:73
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:457
AppLayerParserDestroyProtocolParserLocalStorage
void AppLayerParserDestroyProtocolParserLocalStorage(uint8_t ipproto, AppProto alproto, void *local_data)
Definition: app-layer-parser.c:624
util-pool.h
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
AppLayerParserGetTxCnt
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
Definition: app-layer-parser.c:1067
AppLayerProtoDetectConfProtoDetectionEnabled
int AppLayerProtoDetectConfProtoDetectionEnabled(const char *ipproto, const char *alproto)
Given a protocol name, checks if proto detection is enabled in the conf file.
Definition: app-layer-detect-proto.c:1987
SMTPParserCleanup
void SMTPParserCleanup(void)
Free memory allocated for global SMTP parser state.
Definition: app-layer-smtp.c:1843
AppLayerParserHasDecoderEvents
bool AppLayerParserHasDecoderEvents(AppLayerParserState *pstate)
Definition: app-layer-parser.c:1378
RegisterMQTTParsers
void RegisterMQTTParsers(void)
Definition: app-layer-mqtt.c:37
StreamTcpSetSessionBypassFlag
void StreamTcpSetSessionBypassFlag(TcpSession *)
enable bypass
Definition: stream-tcp.c:5999
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
app-layer-ssl.h
AppLayerParserProtoCtx_::StateGetEvents
AppLayerDecoderEvents *(* StateGetEvents)(void *)
Definition: app-layer-parser.c:108
TestState_
Definition: app-layer-parser.c:1683
app-layer-ntp.h
debug.h
AppLayerParserState_::flags
uint8_t flags
Definition: app-layer-parser.c:155
AppLayerParserProtoCtx_::LocalStorageAlloc
void *(* LocalStorageAlloc)(void)
Definition: app-layer-parser.c:103
app-layer-nfs-tcp.h
app-layer-rdp.h
app-layer.h
AppLayerParserGetEventInfo
int AppLayerParserGetEventInfo(uint8_t ipproto, AppProto alproto, const char *event_name, int *event_id, AppLayerEventType *event_type)
Definition: app-layer-parser.c:1089
AppLayerParserProtoCtx_::first_data_dir
uint8_t first_data_dir
Definition: app-layer-parser.c:135