app-layer-smtp.c File Reference

#include "suricata.h"
#include "suricata-common.h"
#include "decode.h"
#include "threads.h"
#include "stream-tcp-private.h"
#include "stream-tcp-reassemble.h"
#include "stream-tcp.h"
#include "stream.h"
#include "app-layer.h"
#include "app-layer-detect-proto.h"
#include "app-layer-protos.h"
#include "app-layer-parser.h"
#include "app-layer-smtp.h"
#include "util-enum.h"
#include "util-mpm.h"
#include "util-debug.h"
#include "util-print.h"
#include "util-byte.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "util-memcmp.h"
#include "flow-util.h"
#include "detect-engine.h"
#include "detect-engine-state.h"
#include "detect-engine-build.h"
#include "detect-parse.h"
#include "decode-events.h"
#include "conf.h"
#include "util-mem.h"
#include "util-misc.h"
#include "util-validate.h"
#include "detect-engine-alert.h"

Include dependency graph for app-layer-smtp.c:

Go to the source code of this file.

Data Structures
struct	SMTPInput_
struct	SMTPLine_
struct	SMTPThreadCtx_

Macros
#define	FILEDATA_CONTENT_LIMIT   100000
#define	FILEDATA_CONTENT_INSPECT_MIN_SIZE   32768
#define	FILEDATA_CONTENT_INSPECT_WINDOW   4096
#define	SMTP_RAW_EXTRACTION_DEFAULT_VALUE   false
#define	SMTP_MAX_REQUEST_AND_REPLY_LINE_LENGTH   510
#define	SMTP_COMMAND_BUFFER_STEPS   5
#define	SMTP_PARSER_STATE_COMMAND_MODE   0x00
#define	SMTP_PARSER_STATE_COMMAND_DATA_MODE   0x01
#define	SMTP_PARSER_STATE_PARSING_SERVER_RESPONSE   0x02
#define	SMTP_PARSER_STATE_FIRST_REPLY_SEEN   0x04
#define	SMTP_PARSER_STATE_PARSING_MULTILINE_REPLY   0x08
#define	SMTP_PARSER_STATE_PIPELINING_SERVER   0x10
#define	SMTP_COMMAND_STARTTLS   1
#define	SMTP_COMMAND_DATA   2
#define	SMTP_COMMAND_BDAT   3
#define	SMTP_COMMAND_DATA_MODE   4
#define	SMTP_COMMAND_OTHER_CMD   5
#define	SMTP_COMMAND_RSET   6
#define	SMTP_EHLO_EXTENSION_PIPELINING
#define	SMTP_EHLO_EXTENSION_SIZE
#define	SMTP_EHLO_EXTENSION_DSN
#define	SMTP_EHLO_EXTENSION_STARTTLS
#define	SMTP_EHLO_EXTENSION_8BITMIME
#define	SMTP_LINE_BUFFER_LIMIT   4096
#define	SMTP_MPM   mpm_default_matcher
#define	rawmsgname   "rawmsg"

Typedefs
typedef struct SMTPInput_	SMTPInput
typedef struct SMTPLine_	SMTPLine
typedef struct SMTPThreadCtx_	SMTPThreadCtx

Enumerations
enum	SMTPCode {   SMTP_REPLY_211, SMTP_REPLY_214, SMTP_REPLY_220, SMTP_REPLY_221,   SMTP_REPLY_235, SMTP_REPLY_250, SMTP_REPLY_251, SMTP_REPLY_252,   SMTP_REPLY_334, SMTP_REPLY_354, SMTP_REPLY_421, SMTP_REPLY_450,   SMTP_REPLY_451, SMTP_REPLY_452, SMTP_REPLY_455, SMTP_REPLY_500,   SMTP_REPLY_501, SMTP_REPLY_502, SMTP_REPLY_503, SMTP_REPLY_504,   SMTP_REPLY_550, SMTP_REPLY_551, SMTP_REPLY_552, SMTP_REPLY_553,   SMTP_REPLY_554, SMTP_REPLY_555 }

Functions
int	SMTPProcessDataChunk (const uint8_t *chunk, uint32_t len, MimeDecParseState *state)
void *	SMTPStateAlloc (void *orig_state, AppProto proto_orig)
void	RegisterSMTPParsers (void)
	Register the SMTP Protocol parser. More...
void	SMTPParserCleanup (void)
	Free memory allocated for global SMTP parser state. More...
void	SMTPParserRegisterTests (void)

Variables
SCEnumCharMap	smtp_decoder_event_table []
SCEnumCharMap	smtp_reply_map []
SMTPConfig	smtp_config

Detailed Description

Author

Anoop Saldanha anoop.nosp@m.sald.nosp@m.anha@.nosp@m.gmai.nosp@m.l.com

Definition in file app-layer-smtp.c.

Macro Definition Documentation

FILEDATA_CONTENT_INSPECT_MIN_SIZE

#define FILEDATA_CONTENT_INSPECT_MIN_SIZE   32768

Definition at line 66 of file app-layer-smtp.c.

FILEDATA_CONTENT_INSPECT_WINDOW

#define FILEDATA_CONTENT_INSPECT_WINDOW   4096

Definition at line 68 of file app-layer-smtp.c.

FILEDATA_CONTENT_LIMIT

#define FILEDATA_CONTENT_LIMIT   100000

Definition at line 64 of file app-layer-smtp.c.

rawmsgname

#define rawmsgname   "rawmsg"

Definition at line 1125 of file app-layer-smtp.c.

SMTP_COMMAND_BDAT

#define SMTP_COMMAND_BDAT   3

Definition at line 99 of file app-layer-smtp.c.

SMTP_COMMAND_BUFFER_STEPS

#define SMTP_COMMAND_BUFFER_STEPS   5

Definition at line 74 of file app-layer-smtp.c.

SMTP_COMMAND_DATA

#define SMTP_COMMAND_DATA   2

Definition at line 98 of file app-layer-smtp.c.

SMTP_COMMAND_DATA_MODE

#define SMTP_COMMAND_DATA_MODE   4

Definition at line 104 of file app-layer-smtp.c.

SMTP_COMMAND_OTHER_CMD

#define SMTP_COMMAND_OTHER_CMD   5

Definition at line 106 of file app-layer-smtp.c.

SMTP_COMMAND_RSET

#define SMTP_COMMAND_RSET   6

Definition at line 107 of file app-layer-smtp.c.

SMTP_COMMAND_STARTTLS

#define SMTP_COMMAND_STARTTLS   1

Definition at line 97 of file app-layer-smtp.c.

SMTP_EHLO_EXTENSION_8BITMIME

#define SMTP_EHLO_EXTENSION_8BITMIME

Definition at line 114 of file app-layer-smtp.c.

SMTP_EHLO_EXTENSION_DSN

#define SMTP_EHLO_EXTENSION_DSN

Definition at line 112 of file app-layer-smtp.c.

SMTP_EHLO_EXTENSION_PIPELINING

#define SMTP_EHLO_EXTENSION_PIPELINING

Definition at line 110 of file app-layer-smtp.c.

SMTP_EHLO_EXTENSION_SIZE

#define SMTP_EHLO_EXTENSION_SIZE

Definition at line 111 of file app-layer-smtp.c.

SMTP_EHLO_EXTENSION_STARTTLS

#define SMTP_EHLO_EXTENSION_STARTTLS

Definition at line 113 of file app-layer-smtp.c.

SMTP_LINE_BUFFER_LIMIT

#define SMTP_LINE_BUFFER_LIMIT   4096

Definition at line 116 of file app-layer-smtp.c.

SMTP_MAX_REQUEST_AND_REPLY_LINE_LENGTH

#define SMTP_MAX_REQUEST_AND_REPLY_LINE_LENGTH   510

Definition at line 72 of file app-layer-smtp.c.

SMTP_MPM

#define SMTP_MPM   mpm_default_matcher

Definition at line 174 of file app-layer-smtp.c.

SMTP_PARSER_STATE_COMMAND_DATA_MODE

#define SMTP_PARSER_STATE_COMMAND_DATA_MODE   0x01

Definition at line 81 of file app-layer-smtp.c.

SMTP_PARSER_STATE_COMMAND_MODE

#define SMTP_PARSER_STATE_COMMAND_MODE   0x00

Definition at line 78 of file app-layer-smtp.c.

SMTP_PARSER_STATE_FIRST_REPLY_SEEN

#define SMTP_PARSER_STATE_FIRST_REPLY_SEEN   0x04

Definition at line 87 of file app-layer-smtp.c.

SMTP_PARSER_STATE_PARSING_MULTILINE_REPLY

#define SMTP_PARSER_STATE_PARSING_MULTILINE_REPLY   0x08

Definition at line 89 of file app-layer-smtp.c.

SMTP_PARSER_STATE_PARSING_SERVER_RESPONSE

#define SMTP_PARSER_STATE_PARSING_SERVER_RESPONSE   0x02

Definition at line 85 of file app-layer-smtp.c.

SMTP_PARSER_STATE_PIPELINING_SERVER

#define SMTP_PARSER_STATE_PIPELINING_SERVER   0x10

Definition at line 91 of file app-layer-smtp.c.

SMTP_RAW_EXTRACTION_DEFAULT_VALUE

#define SMTP_RAW_EXTRACTION_DEFAULT_VALUE   false

Definition at line 71 of file app-layer-smtp.c.

Typedef Documentation

SMTPInput

typedef struct SMTPInput_ SMTPInput

SMTPLine

typedef struct SMTPLine_ SMTPLine

SMTPThreadCtx

typedef struct SMTPThreadCtx_ SMTPThreadCtx

Enumeration Type Documentation

SMTPCode

enum SMTPCode

Enumerator
SMTP_REPLY_211
SMTP_REPLY_214
SMTP_REPLY_220
SMTP_REPLY_221
SMTP_REPLY_235
SMTP_REPLY_250
SMTP_REPLY_251
SMTP_REPLY_252
SMTP_REPLY_334
SMTP_REPLY_354
SMTP_REPLY_421
SMTP_REPLY_450
SMTP_REPLY_451
SMTP_REPLY_452
SMTP_REPLY_455
SMTP_REPLY_500
SMTP_REPLY_501
SMTP_REPLY_502
SMTP_REPLY_503
SMTP_REPLY_504
SMTP_REPLY_550
SMTP_REPLY_551
SMTP_REPLY_552
SMTP_REPLY_553
SMTP_REPLY_554
SMTP_REPLY_555

Definition at line 179 of file app-layer-smtp.c.

Function Documentation

RegisterSMTPParsers()

void RegisterSMTPParsers

(

void

)

Register the SMTP Protocol parser.

Definition at line 1731 of file app-layer-smtp.c.

References ALPROTO_SMTP, AppLayerProtoDetectConfProtoDetectionEnabled(), and AppLayerProtoDetectRegisterProtocol().

Here is the call graph for this function:

SMTPParserCleanup()

void SMTPParserCleanup

(

void

)

Free memory allocated for global SMTP parser state.

Definition at line 1785 of file app-layer-smtp.c.

Referenced by AppLayerParserDeSetup().

Here is the caller graph for this function:

SMTPParserRegisterTests()

void SMTPParserRegisterTests

(

void

)

Definition at line 4118 of file app-layer-smtp.c.

References UtRegisterTest().

Here is the call graph for this function:

SMTPProcessDataChunk()

int SMTPProcessDataChunk	(	const uint8_t *	chunk,
		uint32_t	len,
		MimeDecParseState *	state
	)

Definition at line 486 of file app-layer-smtp.c.

References Flow_::alstate, MimeDecParseState::body_begin, SMTPConfig::content_inspect_min_size, MimeDecEntity::ctnt_flags, CTNT_IS_ATTACHMENT, MimeDecStackNode::data, MimeDecParseState::data, DEBUG_VALIDATE_BUG_ON, FILE_STORE, FILE_USE_DETECT, FileFlowToFlags(), MimeDecEntity::filename, MimeDecEntity::filename_len, SMTPTransaction_::files_ts, flags, len, MIME_DEC_OK, Flow_::protoctx, SC_FILENAME_MAX, SCEnter, SCLogDebug, SCLogDebugEnabled(), smtp_config, MimeDecParseState::stack, StreamTcpReassemblySetMinInspectDepth(), and MimeDecStack::top.

Here is the call graph for this function:

SMTPStateAlloc()

void* SMTPStateAlloc	(	void *	orig_state,
		AppProto	proto_orig
	)

Definition at line 1426 of file app-layer-smtp.c.

References SMTPState_::cmds, SMTPState_::cmds_buffer_len, SCFree, SCMalloc, SMTP_COMMAND_BUFFER_STEPS, TAILQ_INIT, and unlikely.

Variable Documentation

smtp_config

SMTPConfig smtp_config

Initial value:

= {
    .decode_mime = true,
    {
            .decode_base64 = true,
            .decode_quoted_printable = true,
            .extract_urls = true,
            .extract_urls_schemes = NULL,
            .log_url_scheme = false,
            .body_md5 = false,
            .header_value_depth = 0,
    },
    .content_limit = FILEDATA_CONTENT_LIMIT,
    .content_inspect_min_size = FILEDATA_CONTENT_INSPECT_MIN_SIZE,
    .content_inspect_window = FILEDATA_CONTENT_INSPECT_WINDOW,
    .raw_extraction = SMTP_RAW_EXTRACTION_DEFAULT_VALUE,
    STREAMING_BUFFER_CONFIG_INITIALIZER,
}

Definition at line 245 of file app-layer-smtp.c.

Referenced by SMTPProcessDataChunk().

smtp_decoder_event_table

SCEnumCharMap smtp_decoder_event_table[]

Initial value:

= {
    { "INVALID_REPLY", SMTP_DECODER_EVENT_INVALID_REPLY },
    { "UNABLE_TO_MATCH_REPLY_WITH_REQUEST", SMTP_DECODER_EVENT_UNABLE_TO_MATCH_REPLY_WITH_REQUEST },
    { "MAX_COMMAND_LINE_LEN_EXCEEDED", SMTP_DECODER_EVENT_MAX_COMMAND_LINE_LEN_EXCEEDED },
    { "MAX_REPLY_LINE_LEN_EXCEEDED", SMTP_DECODER_EVENT_MAX_REPLY_LINE_LEN_EXCEEDED },
    { "INVALID_PIPELINED_SEQUENCE", SMTP_DECODER_EVENT_INVALID_PIPELINED_SEQUENCE },
    { "BDAT_CHUNK_LEN_EXCEEDED", SMTP_DECODER_EVENT_BDAT_CHUNK_LEN_EXCEEDED },
    { "NO_SERVER_WELCOME_MESSAGE", SMTP_DECODER_EVENT_NO_SERVER_WELCOME_MESSAGE },
    { "TLS_REJECTED", SMTP_DECODER_EVENT_TLS_REJECTED },
    { "DATA_COMMAND_REJECTED", SMTP_DECODER_EVENT_DATA_COMMAND_REJECTED },
    { "FAILED_PROTOCOL_CHANGE", SMTP_DECODER_EVENT_FAILED_PROTOCOL_CHANGE },
 
    
    { "MIME_PARSE_FAILED", SMTP_DECODER_EVENT_MIME_PARSE_FAILED },
    { "MIME_MALFORMED_MSG", SMTP_DECODER_EVENT_MIME_MALFORMED_MSG },
    { "MIME_INVALID_BASE64", SMTP_DECODER_EVENT_MIME_INVALID_BASE64 },
    { "MIME_INVALID_QP", SMTP_DECODER_EVENT_MIME_INVALID_QP },
    { "MIME_LONG_LINE", SMTP_DECODER_EVENT_MIME_LONG_LINE },
    { "MIME_LONG_ENC_LINE", SMTP_DECODER_EVENT_MIME_LONG_ENC_LINE },
    { "MIME_LONG_HEADER_NAME", SMTP_DECODER_EVENT_MIME_LONG_HEADER_NAME },
    { "MIME_LONG_HEADER_VALUE", SMTP_DECODER_EVENT_MIME_LONG_HEADER_VALUE },
    { "MIME_LONG_BOUNDARY", SMTP_DECODER_EVENT_MIME_BOUNDARY_TOO_LONG },
    { "MIME_LONG_FILENAME", SMTP_DECODER_EVENT_MIME_LONG_FILENAME },
 
    
    { "DUPLICATE_FIELDS", SMTP_DECODER_EVENT_DUPLICATE_FIELDS },
    { "UNPARSABLE_CONTENT", SMTP_DECODER_EVENT_UNPARSABLE_CONTENT },
    { "TRUNCATED_LINE", SMTP_DECODER_EVENT_TRUNCATED_LINE },
    { NULL, -1 },
}

Definition at line 137 of file app-layer-smtp.c.

smtp_reply_map

SCEnumCharMap smtp_reply_map[]

Definition at line 211 of file app-layer-smtp.c.