app-layer-smtp.c File Reference

#include "suricata.h"
#include "suricata-common.h"
#include "decode.h"
#include "stream-tcp.h"
#include "app-layer.h"
#include "app-layer-detect-proto.h"
#include "app-layer-protos.h"
#include "app-layer-parser.h"
#include "app-layer-frames.h"
#include "app-layer-events.h"
#include "app-layer-smtp.h"
#include "util-enum.h"
#include "util-mpm.h"
#include "util-debug.h"
#include "util-byte.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "util-memcmp.h"
#include "flow-util.h"
#include "detect-engine.h"
#include "detect-engine-state.h"
#include "detect-engine-build.h"
#include "detect-parse.h"
#include "conf.h"
#include "util-mem.h"
#include "util-misc.h"
#include "util-validate.h"
#include "detect-engine-alert.h"

Include dependency graph for app-layer-smtp.c:

Go to the source code of this file.

Data Structures
struct	SMTPInput_
struct	SMTPLine_
struct	SMTPThreadCtx_

Macros
#define	FILEDATA_CONTENT_LIMIT   100000
#define	FILEDATA_CONTENT_INSPECT_MIN_SIZE   32768
#define	FILEDATA_CONTENT_INSPECT_WINDOW   4096
#define	SMTP_RAW_EXTRACTION_DEFAULT_VALUE   false
#define	SMTP_COMMAND_BUFFER_STEPS   5
#define	SMTP_PARSER_STATE_COMMAND_DATA_MODE   0x01
#define	SMTP_PARSER_STATE_FIRST_REPLY_SEEN   0x04
#define	SMTP_PARSER_STATE_PARSING_MULTILINE_REPLY   0x08
#define	SMTP_PARSER_STATE_PIPELINING_SERVER   0x10
#define	SMTP_COMMAND_STARTTLS   1
#define	SMTP_COMMAND_DATA   2
#define	SMTP_COMMAND_BDAT   3
#define	SMTP_COMMAND_DATA_MODE   4
#define	SMTP_COMMAND_OTHER_CMD   5
#define	SMTP_COMMAND_RSET   6
#define	SMTP_DEFAULT_MAX_TX   256
#define	SMTP_MPM   mpm_default_matcher
#define	SCHEME_SUFFIX_LEN   3
#define	rawmsgname   "rawmsg"

Typedefs
typedef struct SMTPInput_	SMTPInput
typedef struct SMTPLine_	SMTPLine
typedef struct SMTPThreadCtx_	SMTPThreadCtx

Enumerations
enum	SMTPFrameTypes { SMTP_FRAME_COMMAND_LINE, SMTP_FRAME_DATA, SMTP_FRAME_RESPONSE_LINE }
enum	SMTPCode {   SMTP_REPLY_211, SMTP_REPLY_214, SMTP_REPLY_220, SMTP_REPLY_221,   SMTP_REPLY_235, SMTP_REPLY_250, SMTP_REPLY_251, SMTP_REPLY_252,   SMTP_REPLY_334, SMTP_REPLY_354, SMTP_REPLY_401, SMTP_REPLY_402,   SMTP_REPLY_421, SMTP_REPLY_435, SMTP_REPLY_450, SMTP_REPLY_451,   SMTP_REPLY_452, SMTP_REPLY_454, SMTP_REPLY_455, SMTP_REPLY_500,   SMTP_REPLY_501, SMTP_REPLY_502, SMTP_REPLY_503, SMTP_REPLY_504,   SMTP_REPLY_511, SMTP_REPLY_521, SMTP_REPLY_522, SMTP_REPLY_525,   SMTP_REPLY_530, SMTP_REPLY_534, SMTP_REPLY_535, SMTP_REPLY_541,   SMTP_REPLY_543, SMTP_REPLY_550, SMTP_REPLY_551, SMTP_REPLY_552,   SMTP_REPLY_553, SMTP_REPLY_554, SMTP_REPLY_555 }

Functions
void *	SMTPStateAlloc (void *orig_state, AppProto proto_orig)
void	RegisterSMTPParsers (void)
	Register the SMTP Protocol parser. More...
void	SMTPParserCleanup (void)
	Free memory allocated for global SMTP parser state. More...
void	SMTPParserRegisterTests (void)

Variables
SCEnumCharMap	smtp_decoder_event_table []
SCEnumCharMap	smtp_frame_table []
SCEnumCharMap	smtp_reply_map []
SMTPConfig	smtp_config

Detailed Description

Author

Anoop Saldanha anoop.nosp@m.sald.nosp@m.anha@.nosp@m.gmai.nosp@m.l.com

Definition in file app-layer-smtp.c.

Macro Definition Documentation

FILEDATA_CONTENT_INSPECT_MIN_SIZE

#define FILEDATA_CONTENT_INSPECT_MIN_SIZE   32768

Definition at line 62 of file app-layer-smtp.c.

FILEDATA_CONTENT_INSPECT_WINDOW

#define FILEDATA_CONTENT_INSPECT_WINDOW   4096

Definition at line 64 of file app-layer-smtp.c.

FILEDATA_CONTENT_LIMIT

#define FILEDATA_CONTENT_LIMIT   100000

Definition at line 60 of file app-layer-smtp.c.

rawmsgname

#define rawmsgname   "rawmsg"

Definition at line 1120 of file app-layer-smtp.c.

SCHEME_SUFFIX_LEN

#define SCHEME_SUFFIX_LEN   3

Definition at line 305 of file app-layer-smtp.c.

SMTP_COMMAND_BDAT

#define SMTP_COMMAND_BDAT   3

Definition at line 90 of file app-layer-smtp.c.

SMTP_COMMAND_BUFFER_STEPS

#define SMTP_COMMAND_BUFFER_STEPS   5

Definition at line 69 of file app-layer-smtp.c.

SMTP_COMMAND_DATA

#define SMTP_COMMAND_DATA   2

Definition at line 89 of file app-layer-smtp.c.

SMTP_COMMAND_DATA_MODE

#define SMTP_COMMAND_DATA_MODE   4

Definition at line 95 of file app-layer-smtp.c.

SMTP_COMMAND_OTHER_CMD

#define SMTP_COMMAND_OTHER_CMD   5

Definition at line 97 of file app-layer-smtp.c.

SMTP_COMMAND_RSET

#define SMTP_COMMAND_RSET   6

Definition at line 98 of file app-layer-smtp.c.

SMTP_COMMAND_STARTTLS

#define SMTP_COMMAND_STARTTLS   1

Definition at line 88 of file app-layer-smtp.c.

SMTP_DEFAULT_MAX_TX

#define SMTP_DEFAULT_MAX_TX   256

Definition at line 100 of file app-layer-smtp.c.

SMTP_MPM

#define SMTP_MPM   mpm_default_matcher

Definition at line 195 of file app-layer-smtp.c.

SMTP_PARSER_STATE_COMMAND_DATA_MODE

#define SMTP_PARSER_STATE_COMMAND_DATA_MODE   0x01

Definition at line 76 of file app-layer-smtp.c.

SMTP_PARSER_STATE_FIRST_REPLY_SEEN

#define SMTP_PARSER_STATE_FIRST_REPLY_SEEN   0x04

Definition at line 78 of file app-layer-smtp.c.

SMTP_PARSER_STATE_PARSING_MULTILINE_REPLY

#define SMTP_PARSER_STATE_PARSING_MULTILINE_REPLY   0x08

Definition at line 80 of file app-layer-smtp.c.

SMTP_PARSER_STATE_PIPELINING_SERVER

#define SMTP_PARSER_STATE_PIPELINING_SERVER   0x10

Definition at line 82 of file app-layer-smtp.c.

SMTP_RAW_EXTRACTION_DEFAULT_VALUE

#define SMTP_RAW_EXTRACTION_DEFAULT_VALUE   false

Definition at line 67 of file app-layer-smtp.c.

Typedef Documentation

SMTPInput

typedef struct SMTPInput_ SMTPInput

SMTPLine

typedef struct SMTPLine_ SMTPLine

SMTPThreadCtx

typedef struct SMTPThreadCtx_ SMTPThreadCtx

Enumeration Type Documentation

SMTPCode

enum SMTPCode

Enumerator
SMTP_REPLY_211
SMTP_REPLY_214
SMTP_REPLY_220
SMTP_REPLY_221
SMTP_REPLY_235
SMTP_REPLY_250
SMTP_REPLY_251
SMTP_REPLY_252
SMTP_REPLY_334
SMTP_REPLY_354
SMTP_REPLY_401
SMTP_REPLY_402
SMTP_REPLY_421
SMTP_REPLY_435
SMTP_REPLY_450
SMTP_REPLY_451
SMTP_REPLY_452
SMTP_REPLY_454
SMTP_REPLY_455
SMTP_REPLY_500
SMTP_REPLY_501
SMTP_REPLY_502
SMTP_REPLY_503
SMTP_REPLY_504
SMTP_REPLY_511
SMTP_REPLY_521
SMTP_REPLY_522
SMTP_REPLY_525
SMTP_REPLY_530
SMTP_REPLY_534
SMTP_REPLY_535
SMTP_REPLY_541
SMTP_REPLY_543
SMTP_REPLY_550
SMTP_REPLY_551
SMTP_REPLY_552
SMTP_REPLY_553
SMTP_REPLY_554
SMTP_REPLY_555

Definition at line 200 of file app-layer-smtp.c.

SMTPFrameTypes

enum SMTPFrameTypes

Enumerator
SMTP_FRAME_COMMAND_LINE
SMTP_FRAME_DATA
SMTP_FRAME_RESPONSE_LINE

Definition at line 152 of file app-layer-smtp.c.

Function Documentation

RegisterSMTPParsers()

void RegisterSMTPParsers

(

void

)

Register the SMTP Protocol parser.

Definition at line 1867 of file app-layer-smtp.c.

References ALPROTO_SMTP, AppLayerProtoDetectRegisterProtocol(), and SCAppLayerProtoDetectConfProtoDetectionEnabled().

Here is the call graph for this function:

SMTPParserCleanup()

void SMTPParserCleanup

(

void

)

Free memory allocated for global SMTP parser state.

Definition at line 1922 of file app-layer-smtp.c.

SMTPParserRegisterTests()

void SMTPParserRegisterTests

(

void

)

Definition at line 4245 of file app-layer-smtp.c.

References UtRegisterTest().

Here is the call graph for this function:

SMTPStateAlloc()

void* SMTPStateAlloc	(	void *	orig_state,
		AppProto	proto_orig
	)

Definition at line 1504 of file app-layer-smtp.c.

References SMTPState_::cmds, SMTPState_::cmds_buffer_len, SCCalloc, SCFree, SCMalloc, SMTP_COMMAND_BUFFER_STEPS, TAILQ_INIT, and unlikely.

Variable Documentation

smtp_config

SMTPConfig smtp_config

Initial value:

= {
    .decode_mime = true,
    .content_limit = FILEDATA_CONTENT_LIMIT,
    .content_inspect_min_size = FILEDATA_CONTENT_INSPECT_MIN_SIZE,
    .content_inspect_window = FILEDATA_CONTENT_INSPECT_WINDOW,
    .raw_extraction = SMTP_RAW_EXTRACTION_DEFAULT_VALUE,
    STREAMING_BUFFER_CONFIG_INITIALIZER,
}

Definition at line 293 of file app-layer-smtp.c.

smtp_decoder_event_table

SCEnumCharMap smtp_decoder_event_table[]

Initial value:

= {
    { "INVALID_REPLY", SMTP_DECODER_EVENT_INVALID_REPLY },
    { "UNABLE_TO_MATCH_REPLY_WITH_REQUEST", SMTP_DECODER_EVENT_UNABLE_TO_MATCH_REPLY_WITH_REQUEST },
    { "MAX_COMMAND_LINE_LEN_EXCEEDED", SMTP_DECODER_EVENT_MAX_COMMAND_LINE_LEN_EXCEEDED },
    { "MAX_REPLY_LINE_LEN_EXCEEDED", SMTP_DECODER_EVENT_MAX_REPLY_LINE_LEN_EXCEEDED },
    { "INVALID_PIPELINED_SEQUENCE", SMTP_DECODER_EVENT_INVALID_PIPELINED_SEQUENCE },
    { "BDAT_CHUNK_LEN_EXCEEDED", SMTP_DECODER_EVENT_BDAT_CHUNK_LEN_EXCEEDED },
    { "NO_SERVER_WELCOME_MESSAGE", SMTP_DECODER_EVENT_NO_SERVER_WELCOME_MESSAGE },
    { "TLS_REJECTED", SMTP_DECODER_EVENT_TLS_REJECTED },
    { "DATA_COMMAND_REJECTED", SMTP_DECODER_EVENT_DATA_COMMAND_REJECTED },
    { "FAILED_PROTOCOL_CHANGE", SMTP_DECODER_EVENT_FAILED_PROTOCOL_CHANGE },
 
    
    { "MIME_PARSE_FAILED", SMTP_DECODER_EVENT_MIME_PARSE_FAILED },
    { "MIME_INVALID_BASE64", SMTP_DECODER_EVENT_MIME_INVALID_BASE64 },
    { "MIME_INVALID_QP", SMTP_DECODER_EVENT_MIME_INVALID_QP },
    { "MIME_LONG_LINE", SMTP_DECODER_EVENT_MIME_LONG_LINE },
    { "MIME_LONG_ENC_LINE", SMTP_DECODER_EVENT_MIME_LONG_ENC_LINE },
    { "MIME_LONG_HEADER_NAME", SMTP_DECODER_EVENT_MIME_LONG_HEADER_NAME },
    { "MIME_LONG_HEADER_VALUE", SMTP_DECODER_EVENT_MIME_LONG_HEADER_VALUE },
    { "MIME_LONG_BOUNDARY", SMTP_DECODER_EVENT_MIME_BOUNDARY_TOO_LONG },
    { "MIME_LONG_FILENAME", SMTP_DECODER_EVENT_MIME_LONG_FILENAME },
 
    
    { "DUPLICATE_FIELDS", SMTP_DECODER_EVENT_DUPLICATE_FIELDS },
    { "UNPARSABLE_CONTENT", SMTP_DECODER_EVENT_UNPARSABLE_CONTENT },
    { "TRUNCATED_LINE", SMTP_DECODER_EVENT_TRUNCATED_LINE },
    { NULL, -1 },
}

Definition at line 122 of file app-layer-smtp.c.

smtp_frame_table

SCEnumCharMap smtp_frame_table[]

Initial value:

= {
    {
            "command_line",
            SMTP_FRAME_COMMAND_LINE,
    },
    {
            "data",
            SMTP_FRAME_DATA,
    },
    {
            "response_line",
            SMTP_FRAME_RESPONSE_LINE,
    },
    { NULL, -1 },
}

Definition at line 158 of file app-layer-smtp.c.

smtp_reply_map

SCEnumCharMap smtp_reply_map[]

Definition at line 245 of file app-layer-smtp.c.