suricata
app-layer-template.c
Go to the documentation of this file.
1 /* Copyright (C) 2015-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /*
19  * TODO: Update \author in this file and app-layer-template.h.
20  * TODO: Implement your app-layer logic with unit tests.
21  * TODO: Remove SCLogNotice statements or convert to debug.
22  */
23 
24 /**
25  * \file
26  *
27  * \author FirstName LastName <yourname@domain>
28  *
29  * Template application layer detector and parser for learning and
30  * template purposes.
31  *
32  * This template implements a simple application layer for something
33  * like the echo protocol running on port 7.
34  */
35 
36 #include "suricata-common.h"
37 #include "stream.h"
38 #include "conf.h"
39 #include "app-layer.h"
40 #include "app-layer-detect-proto.h"
41 #include "app-layer-parser.h"
42 #include "app-layer-template.h"
43 
44 #include "util-unittest.h"
45 #include "util-validate.h"
46 
47 /* The default port to probe for echo traffic if not provided in the
48  * configuration file. */
49 #define TEMPLATE_DEFAULT_PORT "7"
50 
51 /* The minimum size for a message. For some protocols this might
52  * be the size of a header. */
53 #define TEMPLATE_MIN_FRAME_LEN 1
54 
55 /* Enum of app-layer events for the protocol. Normally you might
56  * have events for errors in parsing data, like unexpected data being
57  * received. For template we'll make something up, and log an app-layer
58  * level alert if an empty message is received.
59  *
60  * Example rule:
61  *
62  * alert template any any -> any any (msg:"SURICATA Template empty message"; \
63  * app-layer-event:template.empty_message; sid:X; rev:Y;)
64  */
65 enum {
67 };
68 
70  {"EMPTY_MESSAGE", TEMPLATE_DECODER_EVENT_EMPTY_MESSAGE},
71 
72  // event table must be NULL-terminated
73  { NULL, -1 },
74 };
75 
76 static TemplateTransaction *TemplateTxAlloc(TemplateState *state)
77 {
79  if (unlikely(tx == NULL)) {
80  return NULL;
81  }
82 
83  /* Increment the transaction ID on the state each time one is
84  * allocated. */
85  tx->tx_id = state->transaction_max++;
86 
87  TAILQ_INSERT_TAIL(&state->tx_list, tx, next);
88 
89  return tx;
90 }
91 
92 static void TemplateTxFree(void *txv)
93 {
94  TemplateTransaction *tx = txv;
95 
96  if (tx->request_buffer != NULL) {
98  }
99 
100  if (tx->response_buffer != NULL) {
101  SCFree(tx->response_buffer);
102  }
103 
105 
106  SCFree(tx);
107 }
108 
109 static void *TemplateStateAlloc(void *orig_state, AppProto proto_orig)
110 {
111  SCLogNotice("Allocating template state.");
112  TemplateState *state = SCCalloc(1, sizeof(TemplateState));
113  if (unlikely(state == NULL)) {
114  return NULL;
115  }
116  TAILQ_INIT(&state->tx_list);
117  return state;
118 }
119 
120 static void TemplateStateFree(void *state)
121 {
122  TemplateState *template_state = state;
124  SCLogNotice("Freeing template state.");
125  while ((tx = TAILQ_FIRST(&template_state->tx_list)) != NULL) {
126  TAILQ_REMOVE(&template_state->tx_list, tx, next);
127  TemplateTxFree(tx);
128  }
129  SCFree(template_state);
130 }
131 
132 /**
133  * \brief Callback from the application layer to have a transaction freed.
134  *
135  * \param state a void pointer to the TemplateState object.
136  * \param tx_id the transaction ID to free.
137  */
138 static void TemplateStateTxFree(void *statev, uint64_t tx_id)
139 {
140  TemplateState *state = statev;
141  TemplateTransaction *tx = NULL, *ttx;
142 
143  SCLogNotice("Freeing transaction %"PRIu64, tx_id);
144 
145  TAILQ_FOREACH_SAFE(tx, &state->tx_list, next, ttx) {
146 
147  /* Continue if this is not the transaction we are looking
148  * for. */
149  if (tx->tx_id != tx_id) {
150  continue;
151  }
152 
153  /* Remove and free the transaction. */
154  TAILQ_REMOVE(&state->tx_list, tx, next);
155  TemplateTxFree(tx);
156  return;
157  }
158 
159  SCLogNotice("Transaction %"PRIu64" not found.", tx_id);
160 }
161 
162 static int TemplateStateGetEventInfo(const char *event_name, int *event_id,
163  AppLayerEventType *event_type)
164 {
165  *event_id = SCMapEnumNameToValue(event_name, template_decoder_event_table);
166  if (*event_id == -1) {
167  SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%s\" not present in "
168  "template enum map table.", event_name);
169  /* This should be treated as fatal. */
170  return -1;
171  }
172 
173  *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION;
174 
175  return 0;
176 }
177 
178 static int TemplateStateGetEventInfoById(int event_id, const char **event_name,
179  AppLayerEventType *event_type)
180 {
181  *event_name = SCMapEnumValueToName(event_id, template_decoder_event_table);
182  if (*event_name == NULL) {
183  SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%d\" not present in "
184  "template enum map table.", event_id);
185  /* This should be treated as fatal. */
186  return -1;
187  }
188 
189  *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION;
190 
191  return 0;
192 }
193 
194 /**
195  * \brief Probe the input to server to see if it looks like template.
196  *
197  * \retval ALPROTO_TEMPLATE if it looks like template,
198  * ALPROTO_FAILED, if it is clearly not ALPROTO_TEMPLATE,
199  * otherwise ALPROTO_UNKNOWN.
200  */
201 static AppProto TemplateProbingParserTs(Flow *f, uint8_t direction,
202  const uint8_t *input, uint32_t input_len, uint8_t *rdir)
203 {
204  /* Very simple test - if there is input, this is template. */
205  if (input_len >= TEMPLATE_MIN_FRAME_LEN) {
206  SCLogNotice("Detected as ALPROTO_TEMPLATE.");
207  return ALPROTO_TEMPLATE;
208  }
209 
210  SCLogNotice("Protocol not detected as ALPROTO_TEMPLATE.");
211  return ALPROTO_UNKNOWN;
212 }
213 
214 /**
215  * \brief Probe the input to client to see if it looks like template.
216  * TemplateProbingParserTs can be used instead if the protocol
217  * is symmetric.
218  *
219  * \retval ALPROTO_TEMPLATE if it looks like template,
220  * ALPROTO_FAILED, if it is clearly not ALPROTO_TEMPLATE,
221  * otherwise ALPROTO_UNKNOWN.
222  */
223 static AppProto TemplateProbingParserTc(Flow *f, uint8_t direction,
224  const uint8_t *input, uint32_t input_len, uint8_t *rdir)
225 {
226  /* Very simple test - if there is input, this is template. */
227  if (input_len >= TEMPLATE_MIN_FRAME_LEN) {
228  SCLogNotice("Detected as ALPROTO_TEMPLATE.");
229  return ALPROTO_TEMPLATE;
230  }
231 
232  SCLogNotice("Protocol not detected as ALPROTO_TEMPLATE.");
233  return ALPROTO_UNKNOWN;
234 }
235 
236 static AppLayerResult TemplateParseRequest(Flow *f, void *statev, AppLayerParserState *pstate,
237  StreamSlice stream_slice, void *local_data)
238 {
239  TemplateState *state = statev;
240  const uint8_t *input = StreamSliceGetData(&stream_slice);
241  uint32_t input_len = StreamSliceGetDataLen(&stream_slice);
242  const uint8_t flags = StreamSliceGetFlags(&stream_slice);
243 
244  SCLogNotice("Parsing template request: len=%"PRIu32, input_len);
245 
246  if (input == NULL) {
248  /* This is a signal that the stream is done. Do any
249  * cleanup if needed. Usually nothing is required here. */
251  } else if (flags & STREAM_GAP) {
252  /* This is a signal that there has been a gap in the
253  * stream. This only needs to be handled if gaps were
254  * enabled during protocol registration. The input_len
255  * contains the size of the gap. */
257  }
258  /* This should not happen. If input is NULL, one of the above should be
259  * true. */
260  DEBUG_VALIDATE_BUG_ON(true);
262  }
263 
264  /* Normally you would parse out data here and store it in the
265  * transaction object, but as this is echo, we'll just record the
266  * request data. */
267 
268  /* Also, if this protocol may have a "protocol data unit" span
269  * multiple chunks of data, which is always a possibility with
270  * TCP, you may need to do some buffering here.
271  *
272  * For the sake of simplicity, buffering is left out here, but
273  * even for an echo protocol we may want to buffer until a new
274  * line is seen, assuming its text based.
275  */
276 
277  /* Allocate a transaction.
278  *
279  * But note that if a "protocol data unit" is not received in one
280  * chunk of data, and the buffering is done on the transaction, we
281  * may need to look for the transaction that this newly received
282  * data belongs to.
283  */
284  TemplateTransaction *tx = TemplateTxAlloc(state);
285  if (unlikely(tx == NULL)) {
286  SCLogNotice("Failed to allocate new Template tx.");
287  goto end;
288  }
289  SCLogNotice("Allocated Template tx %"PRIu64".", tx->tx_id);
290 
291  /* Make a copy of the request. */
292  tx->request_buffer = SCCalloc(1, input_len);
293  if (unlikely(tx->request_buffer == NULL)) {
294  goto end;
295  }
296  memcpy(tx->request_buffer, input, input_len);
297  tx->request_buffer_len = input_len;
298 
299  /* Here we check for an empty message and create an app-layer
300  * event. */
301  if ((input_len == 1 && tx->request_buffer[0] == '\n') ||
302  (input_len == 2 && tx->request_buffer[0] == '\r')) {
303  SCLogNotice("Creating event for empty message.");
305  }
306 
307 end:
309 }
310 
311 static AppLayerResult TemplateParseResponse(Flow *f, void *statev, AppLayerParserState *pstate,
312  StreamSlice stream_slice, void *local_data)
313 {
314  TemplateState *state = statev;
315  TemplateTransaction *tx = NULL, *ttx;
316  const uint8_t *input = StreamSliceGetData(&stream_slice);
317  uint32_t input_len = StreamSliceGetDataLen(&stream_slice);
318 
319  SCLogNotice("Parsing Template response.");
320 
321  /* Likely connection closed, we can just return here. */
322  if ((input == NULL || input_len == 0) &&
325  }
326 
327  /* Probably don't want to create a transaction in this case
328  * either. */
329  if (input == NULL || input_len == 0) {
331  }
332 
333  /* Look up the existing transaction for this response. In the case
334  * of echo, it will be the most recent transaction on the
335  * TemplateState object. */
336 
337  /* We should just grab the last transaction, but this is to
338  * illustrate how you might traverse the transaction list to find
339  * the transaction associated with this response. */
340  TAILQ_FOREACH(ttx, &state->tx_list, next) {
341  tx = ttx;
342  }
343 
344  if (tx == NULL) {
345  SCLogNotice("Failed to find transaction for response on state %p.",
346  state);
347  goto end;
348  }
349 
350  SCLogNotice("Found transaction %"PRIu64" for response on state %p.",
351  tx->tx_id, state);
352 
353  /* If the protocol requires multiple chunks of data to complete, you may
354  * run into the case where you have existing response data.
355  *
356  * In this case, we just log that there is existing data and free it. But
357  * you might want to realloc the buffer and append the data.
358  */
359  if (tx->response_buffer != NULL) {
360  SCLogNotice("WARNING: Transaction already has response data, "
361  "existing data will be overwritten.");
362  SCFree(tx->response_buffer);
363  }
364 
365  /* Make a copy of the response. */
366  tx->response_buffer = SCCalloc(1, input_len);
367  if (unlikely(tx->response_buffer == NULL)) {
368  goto end;
369  }
370  memcpy(tx->response_buffer, input, input_len);
371  tx->response_buffer_len = input_len;
372 
373  /* Set the response_done flag for transaction state checking in
374  * TemplateGetStateProgress(). */
375  tx->response_done = 1;
376 
377 end:
379 }
380 
381 static uint64_t TemplateGetTxCnt(void *statev)
382 {
383  const TemplateState *state = statev;
384  SCLogNotice("Current tx count is %"PRIu64".", state->transaction_max);
385  return state->transaction_max;
386 }
387 
388 static void *TemplateGetTx(void *statev, uint64_t tx_id)
389 {
390  TemplateState *state = statev;
392 
393  SCLogDebug("Requested tx ID %" PRIu64 ".", tx_id);
394 
395  TAILQ_FOREACH(tx, &state->tx_list, next) {
396  if (tx->tx_id == tx_id) {
397  SCLogDebug("Transaction %" PRIu64 " found, returning tx object %p.", tx_id, tx);
398  return tx;
399  }
400  }
401 
402  SCLogDebug("Transaction ID %" PRIu64 " not found.", tx_id);
403  return NULL;
404 }
405 
406 /**
407  * \brief Return the state of a transaction in a given direction.
408  *
409  * In the case of the echo protocol, the existence of a transaction
410  * means that the request is done. However, some protocols that may
411  * need multiple chunks of data to complete the request may need more
412  * than just the existence of a transaction for the request to be
413  * considered complete.
414  *
415  * For the response to be considered done, the response for a request
416  * needs to be seen. The response_done flag is set on response for
417  * checking here.
418  */
419 static int TemplateGetStateProgress(void *txv, uint8_t direction)
420 {
421  TemplateTransaction *tx = txv;
422 
423  SCLogNotice("Transaction progress requested for tx ID %"PRIu64
424  ", direction=0x%02x", tx->tx_id, direction);
425 
426  if (direction & STREAM_TOCLIENT && tx->response_done) {
427  return 1;
428  }
429  else if (direction & STREAM_TOSERVER) {
430  /* For the template, just the existence of the transaction means the
431  * request is done. */
432  return 1;
433  }
434 
435  return 0;
436 }
437 
438 /**
439  * \brief retrieve the tx data used for logging, config, detection
440  */
441 static AppLayerTxData *TemplateGetTxData(void *vtx)
442 {
443  TemplateTransaction *tx = vtx;
444  return &tx->tx_data;
445 }
446 
448 {
449  const char *proto_name = "template";
450 
451  /* Check if Template TCP detection is enabled. If it does not exist in
452  * the configuration file then it will be disabled by default. */
453  if (AppLayerProtoDetectConfProtoDetectionEnabledDefault("tcp", proto_name, false)) {
454 
455  SCLogDebug("Template TCP protocol detection enabled.");
456 
458 
459  if (RunmodeIsUnittests()) {
460 
461  SCLogNotice("Unittest mode, registering default configuration.");
463  ALPROTO_TEMPLATE, 0, TEMPLATE_MIN_FRAME_LEN, STREAM_TOSERVER,
464  TemplateProbingParserTs, TemplateProbingParserTc);
465 
466  }
467  else {
468 
469  if (!AppLayerProtoDetectPPParseConfPorts("tcp", IPPROTO_TCP,
471  TemplateProbingParserTs, TemplateProbingParserTc)) {
472  SCLogDebug("No template app-layer configuration, enabling echo"
473  " detection TCP detection on port %s.",
475  AppLayerProtoDetectPPRegister(IPPROTO_TCP,
477  TEMPLATE_MIN_FRAME_LEN, STREAM_TOSERVER,
478  TemplateProbingParserTs, TemplateProbingParserTc);
479  }
480 
481  }
482 
483  }
484 
485  else {
486  SCLogDebug("Protocol detector and parser disabled for Template.");
487  return;
488  }
489 
490  if (AppLayerParserConfParserEnabled("tcp", proto_name)) {
491 
492  SCLogNotice("Registering Template protocol parser.");
493 
494  /* Register functions for state allocation and freeing. A
495  * state is allocated for every new Template flow. */
497  TemplateStateAlloc, TemplateStateFree);
498 
499  /* Register request parser for parsing frame from server to client. */
501  STREAM_TOSERVER, TemplateParseRequest);
502 
503  /* Register response parser for parsing frames from server to client. */
505  STREAM_TOCLIENT, TemplateParseResponse);
506 
507  /* Register a function to be called by the application layer
508  * when a transaction is to be freed. */
510  TemplateStateTxFree);
511 
512  /* Register a function to return the current transaction count. */
514  TemplateGetTxCnt);
515 
516  /* Transaction handling. */
519  ALPROTO_TEMPLATE, TemplateGetStateProgress);
521  TemplateGetTx);
523  TemplateGetTxData);
524 
526  TemplateStateGetEventInfo);
528  TemplateStateGetEventInfoById);
529 
530  /* Leave this is if your parser can handle gaps, otherwise
531  * remove. */
534  }
535  else {
536  SCLogDebug("Template protocol parsing disabled.");
537  }
538 
539 #ifdef UNITTESTS
542 #endif
543 }
544 
545 #ifdef UNITTESTS
546 #endif
547 
549 {
550 #ifdef UNITTESTS
551 #endif
552 }
AppLayerParserRegisterGetStateProgressFunc
void AppLayerParserRegisterGetStateProgressFunc(uint8_t ipproto, AppProto alproto, int(*StateGetProgress)(void *alstate, uint8_t direction))
Definition: app-layer-parser.c:503
AppLayerProtoDetectPPParseConfPorts
int AppLayerProtoDetectPPParseConfPorts(const char *ipproto_name, uint8_t ipproto, const char *alproto_name, AppProto alproto, uint16_t min_depth, uint16_t max_depth, ProbingParserFPtr ProbingParserTs, ProbingParserFPtr ProbingParserTc)
Definition: app-layer-detect-proto.c:1727
TemplateParserRegisterTests
void TemplateParserRegisterTests(void)
Definition: app-layer-template.c:548
TemplateTransaction::response_done
uint8_t response_done
Definition: app-layer-template.h:47
AppLayerParserRegisterOptionFlags
void AppLayerParserRegisterOptionFlags(uint8_t ipproto, AppProto alproto, uint32_t flags)
Definition: app-layer-parser.c:421
TAILQ_INIT
#define TAILQ_INIT(head)
Definition: queue.h:263
TemplateState::transaction_max
uint64_t transaction_max
Definition: app-layer-template.h:65
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:80
AppLayerParserConfParserEnabled
int AppLayerParserConfParserEnabled(const char *ipproto, const char *alproto_name)
check if a parser is enabled in the config Returns enabled always if: were running unittests
Definition: app-layer-parser.c:340
Flow_
Flow data structure.
Definition: flow.h:353
AppLayerEventType
enum AppLayerEventType_ AppLayerEventType
AppLayerParserRegisterStateProgressCompletionStatus
void AppLayerParserRegisterStateProgressCompletionStatus(AppProto alproto, const int ts, const int tc)
Definition: app-layer-parser.c:555
AppLayerParserRegisterTxFreeFunc
void AppLayerParserRegisterTxFreeFunc(uint8_t ipproto, AppProto alproto, void(*StateTransactionFree)(void *, uint64_t))
Definition: app-layer-parser.c:514
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:253
AppLayerDecoderEventsFreeEvents
void AppLayerDecoderEventsFreeEvents(AppLayerDecoderEvents **events)
Definition: app-layer-events.c:130
TEMPLATE_DEFAULT_PORT
#define TEMPLATE_DEFAULT_PORT
Definition: app-layer-template.c:49
TAILQ_INSERT_TAIL
#define TAILQ_INSERT_TAIL(head, elm, field)
Definition: queue.h:295
APP_LAYER_PARSER_EOF_TS
#define APP_LAYER_PARSER_EOF_TS
Definition: app-layer-parser.h:42
util-unittest.h
APP_LAYER_EVENT_TYPE_TRANSACTION
@ APP_LAYER_EVENT_TYPE_TRANSACTION
Definition: app-layer-events.h:57
AppLayerProtoDetectPPRegister
void AppLayerProtoDetectPPRegister(uint8_t ipproto, const char *portstr, AppProto alproto, uint16_t min_depth, uint16_t max_depth, uint8_t direction, ProbingParserFPtr ProbingParser1, ProbingParserFPtr ProbingParser2)
register parser at a port
Definition: app-layer-detect-proto.c:1693
app-layer-detect-proto.h
AppLayerParserStateIssetFlag
int AppLayerParserStateIssetFlag(AppLayerParserState *pstate, uint8_t flag)
Definition: app-layer-parser.c:1701
TAILQ_REMOVE
#define TAILQ_REMOVE(head, elm, field)
Definition: queue.h:313
TAILQ_FIRST
#define TAILQ_FIRST(head)
Definition: queue.h:251
AppLayerParserState_
Definition: app-layer-parser.c:155
TemplateTransaction::response_buffer_len
uint32_t response_buffer_len
Definition: app-layer-template.h:45
AppLayerParserRegisterStateFuncs
void AppLayerParserRegisterStateFuncs(uint8_t ipproto, AppProto alproto, void *(*StateAlloc)(void *, AppProto), void(*StateFree)(void *))
Definition: app-layer-parser.c:437
app-layer-parser.h
stream.h
AppLayerParserRegisterProtocolUnittests
void AppLayerParserRegisterProtocolUnittests(uint8_t ipproto, AppProto alproto, void(*RegisterUnittests)(void))
Definition: app-layer-parser.c:1798
TemplateTransaction::request_buffer
uint8_t * request_buffer
Definition: app-layer-template.h:41
APP_LAYER_PARSER_EOF_TC
#define APP_LAYER_PARSER_EOF_TC
Definition: app-layer-parser.h:43
conf.h
AppLayerParserRegisterGetEventInfo
void AppLayerParserRegisterGetEventInfo(uint8_t ipproto, AppProto alproto, int(*StateGetEventInfo)(const char *event_name, int *event_id, AppLayerEventType *event_type))
Definition: app-layer-parser.c:592
TEMPLATE_DECODER_EVENT_EMPTY_MESSAGE
@ TEMPLATE_DECODER_EVENT_EMPTY_MESSAGE
Definition: app-layer-template.c:66
AppLayerProtoDetectRegisterProtocol
void AppLayerProtoDetectRegisterProtocol(AppProto alproto, const char *alproto_name)
Registers a protocol for protocol detection phase.
Definition: app-layer-detect-proto.c:1905
RunmodeIsUnittests
int RunmodeIsUnittests(void)
Definition: suricata.c:271
TAILQ_FOREACH_SAFE
#define TAILQ_FOREACH_SAFE(var, head, field, tvar)
Definition: queue.h:330
AppLayerParserRegisterParser
int AppLayerParserRegisterParser(uint8_t ipproto, AppProto alproto, uint8_t direction, AppLayerParserFPtr Parser)
Register app layer parser for the protocol.
Definition: app-layer-parser.c:398
TemplateTransaction
Definition: app-layer-template.h:37
AppLayerParserRegisterGetTx
void AppLayerParserRegisterGetTx(uint8_t ipproto, AppProto alproto, void *(StateGetTx)(void *alstate, uint64_t tx_id))
Definition: app-layer-parser.c:536
TemplateTransaction::response_buffer
uint8_t * response_buffer
Definition: app-layer-template.h:44
APP_LAYER_OK
#define APP_LAYER_OK
Definition: app-layer-parser.h:87
SCMapEnumValueToName
const char * SCMapEnumValueToName(int enum_value, SCEnumCharMap *table)
Maps an enum value to a string name, from the supplied table.
Definition: util-enum.c:68
SCReturnStruct
#define SCReturnStruct(x)
Definition: util-debug.h:320
TemplateTransaction::request_buffer_len
uint32_t request_buffer_len
Definition: app-layer-template.h:42
TemplateTransaction::tx_data
AppLayerTxData tx_data
Definition: app-layer-template.h:50
SCMapEnumNameToValue
int SCMapEnumNameToValue(const char *enum_name, SCEnumCharMap *table)
Maps a string name to an enum value from the supplied table. Please specify the last element of any m...
Definition: util-enum.c:40
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
SCEnumCharMap_
Definition: util-enum.h:27
AppLayerDecoderEventsSetEventRaw
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
Definition: app-layer-events.c:89
TemplateTransaction::tx_id
uint64_t tx_id
Definition: app-layer-template.h:39
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
AppLayerParserRegisterTxDataFunc
void AppLayerParserRegisterTxDataFunc(uint8_t ipproto, AppProto alproto, AppLayerTxData *(*GetTxData)(void *tx))
Definition: app-layer-parser.c:604
util-validate.h
APP_LAYER_PARSER_OPT_ACCEPT_GAPS
#define APP_LAYER_PARSER_OPT_ACCEPT_GAPS
Definition: app-layer-parser.h:46
TemplateState
Definition: app-layer-template.h:56
SCFree
#define SCFree(p)
Definition: util-mem.h:61
app-layer-template.h
AppLayerParserRegisterGetEventInfoById
void AppLayerParserRegisterGetEventInfoById(uint8_t ipproto, AppProto alproto, int(*StateGetEventInfoById)(int event_id, const char **event_name, AppLayerEventType *event_type))
Definition: app-layer-parser.c:570
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_TEMPLATE
@ ALPROTO_TEMPLATE
Definition: app-layer-protos.h:59
RegisterTemplateParsers
void RegisterTemplateParsers(void)
Definition: app-layer-template.c:447
AppLayerParserRegisterGetTxCnt
void AppLayerParserRegisterGetTxCnt(uint8_t ipproto, AppProto alproto, uint64_t(*StateGetTxCnt)(void *alstate))
Definition: app-layer-parser.c:525
APP_LAYER_ERROR
#define APP_LAYER_ERROR
Definition: app-layer-parser.h:91
SC_ERR_INVALID_ENUM_MAP
@ SC_ERR_INVALID_ENUM_MAP
Definition: util-error.h:45
AppLayerProtoDetectConfProtoDetectionEnabledDefault
int AppLayerProtoDetectConfProtoDetectionEnabledDefault(const char *ipproto, const char *alproto, bool default_enabled)
Given a protocol name, checks if proto detection is enabled in the conf file.
Definition: app-layer-detect-proto.c:2009
SCLogNotice
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:232
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
TEMPLATE_MIN_FRAME_LEN
#define TEMPLATE_MIN_FRAME_LEN
Definition: app-layer-template.c:53
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
template_decoder_event_table
SCEnumCharMap template_decoder_event_table[]
Definition: app-layer-template.c:69
app-layer.h