suricata
app-layer-protos.h
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  */
24 
25 #ifndef SURICATA_APP_LAYER_PROTOS_H
26 #define SURICATA_APP_LAYER_PROTOS_H
27 
30  /* used by the probing parser when alproto detection fails
31  * permanently for that particular stream */
32  // Update of this value should be reflected in rust, where we also define it
34 
35  // Beginning of real/normal protocols
39  ALPROTO_TLS, /* SSLv2, SSLv3 & TLSv1 */
46 
73 
74  // signature-only (ie not seen in flow)
75  // HTTP for any version (ALPROTO_HTTP1 (version 1) or ALPROTO_HTTP2)
77 
78  /* keep last */
80  // After this ALPROTO_MAX_STATIC can come dynamic alproto ids
81  // For example, ALPROTO_SNMP is now dynamic
82 };
83 // NOTE: if ALPROTO's get >= 256, update SignatureNonPrefilterStore
84 
85 /* not using the enum as that is a unsigned int, so 4 bytes */
86 typedef uint16_t AppProto;
87 extern AppProto g_alproto_max;
88 
89 static inline bool AppProtoIsValid(AppProto a)
90 {
91  return ((a > ALPROTO_FAILED && a < g_alproto_max));
92 }
93 
94 // whether a signature AppProto matches a flow (or signature) AppProto
95 static inline bool AppProtoEquals(AppProto sigproto, AppProto alproto)
96 {
97  if (sigproto == alproto) {
98  return true;
99  }
100  switch (sigproto) {
101  case ALPROTO_DNS:
102  // a DNS signature matches on either DNS or DOH2 flows
103  return (alproto == ALPROTO_DOH2) || (alproto == ALPROTO_DNS);
104  case ALPROTO_HTTP2:
105  // a HTTP2 signature matches on either HTTP2 or DOH2 flows
106  return (alproto == ALPROTO_DOH2) || (alproto == ALPROTO_HTTP2);
107  case ALPROTO_DOH2:
108  // a DOH2 signature accepts dns, http2 or http generic keywords
109  return (alproto == ALPROTO_DOH2) || (alproto == ALPROTO_HTTP2) ||
110  (alproto == ALPROTO_DNS) || (alproto == ALPROTO_HTTP);
111  case ALPROTO_HTTP:
112  return (alproto == ALPROTO_HTTP1) || (alproto == ALPROTO_HTTP2);
113  case ALPROTO_DCERPC:
114  return (alproto == ALPROTO_SMB);
115  }
116  return false;
117 }
118 
119 // whether a signature AppProto matches a flow (or signature) AppProto
120 static inline AppProto AppProtoCommon(AppProto sigproto, AppProto alproto)
121 {
122  switch (sigproto) {
123  case ALPROTO_SMB:
124  if (alproto == ALPROTO_DCERPC) {
125  // ok to have dcerpc keywords in smb sig
126  return ALPROTO_SMB;
127  }
128  break;
129  case ALPROTO_HTTP:
130  // we had a generic http sig, now version specific
131  if (alproto == ALPROTO_HTTP1) {
132  return ALPROTO_HTTP1;
133  } else if (alproto == ALPROTO_HTTP2) {
134  return ALPROTO_HTTP2;
135  }
136  break;
137  case ALPROTO_HTTP1:
138  // version-specific sig with a generic keyword
139  if (alproto == ALPROTO_HTTP) {
140  return ALPROTO_HTTP1;
141  }
142  break;
143  case ALPROTO_HTTP2:
144  if (alproto == ALPROTO_HTTP) {
145  return ALPROTO_HTTP2;
146  }
147  break;
148  case ALPROTO_DOH2:
149  // DOH2 accepts different protocol keywords
150  if (alproto == ALPROTO_HTTP || alproto == ALPROTO_HTTP2 || alproto == ALPROTO_DNS) {
151  return ALPROTO_DOH2;
152  }
153  break;
154  }
155  if (sigproto != alproto) {
156  return ALPROTO_FAILED;
157  }
158  return alproto;
159 }
160 
161 /**
162  * \brief Maps the ALPROTO_*, to its string equivalent.
163  *
164  * \param alproto App layer protocol id.
165  *
166  * \retval String equivalent for the alproto.
167  */
168 const char *AppProtoToString(AppProto alproto);
169 
170 /**
171  * \brief Maps a string to its ALPROTO_* equivalent.
172  *
173  * \param String equivalent for the alproto.
174  *
175  * \retval alproto App layer protocol id, or ALPROTO_UNKNOWN.
176  */
177 AppProto StringToAppProto(const char *proto_name);
178 
179 AppProto AppProtoNewProtoFromString(const char *proto_name);
180 
181 void AppProtoRegisterProtoString(AppProto alproto, const char *proto_name);
182 
183 #endif /* SURICATA_APP_LAYER_PROTOS_H */
ALPROTO_IKE
@ ALPROTO_IKE
Definition: app-layer-protos.h:55
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:44
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:47
ALPROTO_ENIP
@ ALPROTO_ENIP
Definition: app-layer-protos.h:49
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:39
ALPROTO_MODBUS
@ ALPROTO_MODBUS
Definition: app-layer-protos.h:48
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:86
ALPROTO_QUIC
@ ALPROTO_QUIC
Definition: app-layer-protos.h:57
ALPROTO_POP3
@ ALPROTO_POP3
Definition: app-layer-protos.h:71
ALPROTO_JABBER
@ ALPROTO_JABBER
Definition: app-layer-protos.h:42
ALPROTO_IRC
@ ALPROTO_IRC
Definition: app-layer-protos.h:45
ALPROTO_SIP
@ ALPROTO_SIP
Definition: app-layer-protos.h:59
ALPROTO_LDAP
@ ALPROTO_LDAP
Definition: app-layer-protos.h:65
ALPROTO_FTP
@ ALPROTO_FTP
Definition: app-layer-protos.h:37
g_alproto_max
AppProto g_alproto_max
Definition: app-layer-protos.c:29
ALPROTO_SSH
@ ALPROTO_SSH
Definition: app-layer-protos.h:40
ALPROTO_DHCP
@ ALPROTO_DHCP
Definition: app-layer-protos.h:58
ALPROTO_KRB5
@ ALPROTO_KRB5
Definition: app-layer-protos.h:56
ALPROTO_MAX_STATIC
@ ALPROTO_MAX_STATIC
Definition: app-layer-protos.h:79
ALPROTO_DNP3
@ ALPROTO_DNP3
Definition: app-layer-protos.h:50
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:38
StringToAppProto
AppProto StringToAppProto(const char *proto_name)
Maps a string to its ALPROTO_* equivalent.
Definition: app-layer-protos.c:60
ALPROTO_IMAP
@ ALPROTO_IMAP
Definition: app-layer-protos.h:41
ALPROTO_RDP
@ ALPROTO_RDP
Definition: app-layer-protos.h:68
ALPROTO_TELNET
@ ALPROTO_TELNET
Definition: app-layer-protos.h:63
ALPROTO_DOH2
@ ALPROTO_DOH2
Definition: app-layer-protos.h:66
AppProtoRegisterProtoString
void AppProtoRegisterProtoString(AppProto alproto, const char *proto_name)
Definition: app-layer-protos.c:80
ALPROTO_TFTP
@ ALPROTO_TFTP
Definition: app-layer-protos.h:54
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:69
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
ALPROTO_PGSQL
@ ALPROTO_PGSQL
Definition: app-layer-protos.h:62
ALPROTO_FTPDATA
@ ALPROTO_FTPDATA
Definition: app-layer-protos.h:53
ALPROTO_WEBSOCKET
@ ALPROTO_WEBSOCKET
Definition: app-layer-protos.h:64
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:40
ALPROTO_MDNS
@ ALPROTO_MDNS
Definition: app-layer-protos.h:72
ALPROTO_MQTT
@ ALPROTO_MQTT
Definition: app-layer-protos.h:61
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:76
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_FAILED
@ ALPROTO_FAILED
Definition: app-layer-protos.h:33
ALPROTO_TEMPLATE
@ ALPROTO_TEMPLATE
Definition: app-layer-protos.h:67
AppProtoNewProtoFromString
AppProto AppProtoNewProtoFromString(const char *proto_name)
Definition: app-layer-protos.c:74
ALPROTO_RFB
@ ALPROTO_RFB
Definition: app-layer-protos.h:60
ALPROTO_BITTORRENT_DHT
@ ALPROTO_BITTORRENT_DHT
Definition: app-layer-protos.h:70
ALPROTO_NTP
@ ALPROTO_NTP
Definition: app-layer-protos.h:52
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:43
AppProtoEnum
AppProtoEnum
Definition: app-layer-protos.h:28
ALPROTO_NFS
@ ALPROTO_NFS
Definition: app-layer-protos.h:51