suricata
app-layer-protos.h
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  */
24 
25 #ifndef SURICATA_APP_LAYER_PROTOS_H
26 #define SURICATA_APP_LAYER_PROTOS_H
27 
28 enum AppProtoEnum {
29  ALPROTO_UNKNOWN = 0,
30  ALPROTO_HTTP1,
31  ALPROTO_FTP,
32  ALPROTO_SMTP,
33  ALPROTO_TLS, /* SSLv2, SSLv3 & TLSv1 */
34  ALPROTO_SSH,
35  ALPROTO_IMAP,
36  ALPROTO_JABBER,
37  ALPROTO_SMB,
38  ALPROTO_DCERPC,
39  ALPROTO_IRC,
40 
41  ALPROTO_DNS,
42  ALPROTO_MODBUS,
43  ALPROTO_ENIP,
44  ALPROTO_DNP3,
45  ALPROTO_NFS,
46  ALPROTO_NTP,
47  ALPROTO_FTPDATA,
48  ALPROTO_TFTP,
49  ALPROTO_IKE,
50  ALPROTO_KRB5,
51  ALPROTO_QUIC,
52  ALPROTO_DHCP,
53  ALPROTO_SNMP,
54  ALPROTO_SIP,
55  ALPROTO_RFB,
56  ALPROTO_MQTT,
57  ALPROTO_PGSQL,
58  ALPROTO_TELNET,
59  ALPROTO_WEBSOCKET,
60  ALPROTO_LDAP,
61  ALPROTO_DOH2,
62  ALPROTO_TEMPLATE,
63  ALPROTO_RDP,
64  ALPROTO_HTTP2,
65  ALPROTO_BITTORRENT_DHT,
66  ALPROTO_POP3,
67 
68  // signature-only (ie not seen in flow)
69  // HTTP for any version (ALPROTO_HTTP1 (version 1) or ALPROTO_HTTP2)
70  ALPROTO_HTTP,
71 
72  /* used by the probing parser when alproto detection fails
73  * permanently for that particular stream */
74  ALPROTO_FAILED,
75  /* keep last */
76  ALPROTO_MAX,
77 };
78 // NOTE: if ALPROTO's get >= 256, update SignatureNonPrefilterStore
79 
80 /* not using the enum as that is a unsigned int, so 4 bytes */
81 typedef uint16_t AppProto;
82 
83 static inline bool AppProtoIsValid(AppProto a)
84 {
85  return ((a > ALPROTO_UNKNOWN && a < ALPROTO_FAILED));
86 }
87 
88 // whether a signature AppProto matches a flow (or signature) AppProto
89 static inline bool AppProtoEquals(AppProto sigproto, AppProto alproto)
90 {
91  if (sigproto == alproto) {
92  return true;
93  }
94  switch (sigproto) {
95  case ALPROTO_DNS:
96  // a DNS signature matches on either DNS or DOH2 flows
97  return (alproto == ALPROTO_DOH2) || (alproto == ALPROTO_DNS);
98  case ALPROTO_HTTP2:
99  // a HTTP2 signature matches on either HTTP2 or DOH2 flows
100  return (alproto == ALPROTO_DOH2) || (alproto == ALPROTO_HTTP2);
101  case ALPROTO_DOH2:
102  // a DOH2 signature accepts dns, http2 or http generic keywords
103  return (alproto == ALPROTO_DOH2) || (alproto == ALPROTO_HTTP2) ||
104  (alproto == ALPROTO_DNS) || (alproto == ALPROTO_HTTP);
105  case ALPROTO_HTTP:
106  return (alproto == ALPROTO_HTTP1) || (alproto == ALPROTO_HTTP2);
107  case ALPROTO_DCERPC:
108  return (alproto == ALPROTO_SMB);
109  }
110  return false;
111 }
112 
113 // whether a signature AppProto matches a flow (or signature) AppProto
114 static inline AppProto AppProtoCommon(AppProto sigproto, AppProto alproto)
115 {
116  switch (sigproto) {
117  case ALPROTO_SMB:
118  if (alproto == ALPROTO_DCERPC) {
119  // ok to have dcerpc keywords in smb sig
120  return ALPROTO_SMB;
121  }
122  break;
123  case ALPROTO_HTTP:
124  // we had a generic http sig, now version specific
125  if (alproto == ALPROTO_HTTP1) {
126  return ALPROTO_HTTP1;
127  } else if (alproto == ALPROTO_HTTP2) {
128  return ALPROTO_HTTP2;
129  }
130  break;
131  case ALPROTO_HTTP1:
132  // version-specific sig with a generic keyword
133  if (alproto == ALPROTO_HTTP) {
134  return ALPROTO_HTTP1;
135  }
136  break;
137  case ALPROTO_HTTP2:
138  if (alproto == ALPROTO_HTTP) {
139  return ALPROTO_HTTP2;
140  }
141  break;
142  case ALPROTO_DOH2:
143  // DOH2 accepts different protocol keywords
144  if (alproto == ALPROTO_HTTP || alproto == ALPROTO_HTTP2 || alproto == ALPROTO_DNS) {
145  return ALPROTO_DOH2;
146  }
147  break;
148  }
149  if (sigproto != alproto) {
150  return ALPROTO_FAILED;
151  }
152  return alproto;
153 }
154 
155 /**
156  * \brief Maps the ALPROTO_*, to its string equivalent.
157  *
158  * \param alproto App layer protocol id.
159  *
160  * \retval String equivalent for the alproto.
161  */
162 const char *AppProtoToString(AppProto alproto);
163 
164 /**
165  * \brief Maps a string to its ALPROTO_* equivalent.
166  *
167  * \param String equivalent for the alproto.
168  *
169  * \retval alproto App layer protocol id, or ALPROTO_UNKNOWN.
170  */
171 AppProto StringToAppProto(const char *proto_name);
172 
173 #endif /* SURICATA_APP_LAYER_PROTOS_H */
ALPROTO_IKE
@ ALPROTO_IKE
Definition: app-layer-protos.h:49
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:41
ALPROTO_ENIP
@ ALPROTO_ENIP
Definition: app-layer-protos.h:43
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
ALPROTO_MODBUS
@ ALPROTO_MODBUS
Definition: app-layer-protos.h:42
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:81
ALPROTO_QUIC
@ ALPROTO_QUIC
Definition: app-layer-protos.h:51
ALPROTO_POP3
@ ALPROTO_POP3
Definition: app-layer-protos.h:66
ALPROTO_JABBER
@ ALPROTO_JABBER
Definition: app-layer-protos.h:36
ALPROTO_IRC
@ ALPROTO_IRC
Definition: app-layer-protos.h:39
ALPROTO_SIP
@ ALPROTO_SIP
Definition: app-layer-protos.h:54
ALPROTO_LDAP
@ ALPROTO_LDAP
Definition: app-layer-protos.h:60
ALPROTO_FTP
@ ALPROTO_FTP
Definition: app-layer-protos.h:31
ALPROTO_SSH
@ ALPROTO_SSH
Definition: app-layer-protos.h:34
ALPROTO_DHCP
@ ALPROTO_DHCP
Definition: app-layer-protos.h:52
ALPROTO_MAX
@ ALPROTO_MAX
Definition: app-layer-protos.h:76
ALPROTO_KRB5
@ ALPROTO_KRB5
Definition: app-layer-protos.h:50
ALPROTO_SNMP
@ ALPROTO_SNMP
Definition: app-layer-protos.h:53
ALPROTO_DNP3
@ ALPROTO_DNP3
Definition: app-layer-protos.h:44
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:32
StringToAppProto
AppProto StringToAppProto(const char *proto_name)
Maps a string to its ALPROTO_* equivalent.
Definition: app-layer-protos.c:95
ALPROTO_IMAP
@ ALPROTO_IMAP
Definition: app-layer-protos.h:35
ALPROTO_RDP
@ ALPROTO_RDP
Definition: app-layer-protos.h:63
ALPROTO_TELNET
@ ALPROTO_TELNET
Definition: app-layer-protos.h:58
ALPROTO_DOH2
@ ALPROTO_DOH2
Definition: app-layer-protos.h:61
ALPROTO_TFTP
@ ALPROTO_TFTP
Definition: app-layer-protos.h:48
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:64
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
ALPROTO_PGSQL
@ ALPROTO_PGSQL
Definition: app-layer-protos.h:57
ALPROTO_FTPDATA
@ ALPROTO_FTPDATA
Definition: app-layer-protos.h:47
ALPROTO_WEBSOCKET
@ ALPROTO_WEBSOCKET
Definition: app-layer-protos.h:59
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:75
ALPROTO_MQTT
@ ALPROTO_MQTT
Definition: app-layer-protos.h:56
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:70
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_FAILED
@ ALPROTO_FAILED
Definition: app-layer-protos.h:74
ALPROTO_TEMPLATE
@ ALPROTO_TEMPLATE
Definition: app-layer-protos.h:62
ALPROTO_RFB
@ ALPROTO_RFB
Definition: app-layer-protos.h:55
ALPROTO_BITTORRENT_DHT
@ ALPROTO_BITTORRENT_DHT
Definition: app-layer-protos.h:65
ALPROTO_NTP
@ ALPROTO_NTP
Definition: app-layer-protos.h:46
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:37
AppProtoEnum
AppProtoEnum
Definition: app-layer-protos.h:28
ALPROTO_NFS
@ ALPROTO_NFS
Definition: app-layer-protos.h:45