suricata
app-layer-template.c
Go to the documentation of this file.
1 /* Copyright (C) 2015-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /*
19  * TODO: Update \author in this file and app-layer-template.h.
20  * TODO: Implement your app-layer logic with unit tests.
21  * TODO: Remove SCLogNotice statements or convert to debug.
22  */
23 
24 /**
25  * \file
26  *
27  * \author FirstName LastName <yourname@domain>
28  *
29  * Template application layer detector and parser for learning and
30  * template purposes.
31  *
32  * This template implements a simple application layer for something
33  * like the echo protocol running on port 7.
34  */
35 
36 #include "suricata-common.h"
37 #include "suricata.h"
38 #include "stream.h"
39 #include "conf.h"
40 #include "app-layer.h"
41 #include "app-layer-detect-proto.h"
42 #include "app-layer-parser.h"
43 #include "app-layer-template.h"
44 
45 #include "util-unittest.h"
46 #include "util-validate.h"
47 #include "util-enum.h"
48 
49 /* The default port to probe for echo traffic if not provided in the
50  * configuration file. */
51 #define TEMPLATE_DEFAULT_PORT "7"
52 
53 /* The minimum size for a message. For some protocols this might
54  * be the size of a header. */
55 #define TEMPLATE_MIN_FRAME_LEN 1
56 
57 /* Enum of app-layer events for the protocol. Normally you might
58  * have events for errors in parsing data, like unexpected data being
59  * received. For template we'll make something up, and log an app-layer
60  * level alert if an empty message is received.
61  *
62  * Example rule:
63  *
64  * alert template any any -> any any (msg:"SURICATA Template empty message"; \
65  * app-layer-event:template.empty_message; sid:X; rev:Y;)
66  */
67 enum {
69 };
70 
72  {"EMPTY_MESSAGE", TEMPLATE_DECODER_EVENT_EMPTY_MESSAGE},
73 
74  // event table must be NULL-terminated
75  { NULL, -1 },
76 };
77 
78 static TemplateTransaction *TemplateTxAlloc(TemplateState *state)
79 {
81  if (unlikely(tx == NULL)) {
82  return NULL;
83  }
84 
85  /* Increment the transaction ID on the state each time one is
86  * allocated. */
87  tx->tx_id = state->transaction_max++;
88 
89  TAILQ_INSERT_TAIL(&state->tx_list, tx, next);
90 
91  return tx;
92 }
93 
94 static void TemplateTxFree(void *txv)
95 {
96  TemplateTransaction *tx = txv;
97 
98  if (tx->request_buffer != NULL) {
100  }
101 
102  if (tx->response_buffer != NULL) {
103  SCFree(tx->response_buffer);
104  }
105 
107 
108  SCFree(tx);
109 }
110 
111 static void *TemplateStateAlloc(void *orig_state, AppProto proto_orig)
112 {
113  SCLogNotice("Allocating template state.");
114  TemplateState *state = SCCalloc(1, sizeof(TemplateState));
115  if (unlikely(state == NULL)) {
116  return NULL;
117  }
118  TAILQ_INIT(&state->tx_list);
119  return state;
120 }
121 
122 static void TemplateStateFree(void *state)
123 {
124  TemplateState *template_state = state;
126  SCLogNotice("Freeing template state.");
127  while ((tx = TAILQ_FIRST(&template_state->tx_list)) != NULL) {
128  TAILQ_REMOVE(&template_state->tx_list, tx, next);
129  TemplateTxFree(tx);
130  }
131  SCFree(template_state);
132 }
133 
134 /**
135  * \brief Callback from the application layer to have a transaction freed.
136  *
137  * \param state a void pointer to the TemplateState object.
138  * \param tx_id the transaction ID to free.
139  */
140 static void TemplateStateTxFree(void *statev, uint64_t tx_id)
141 {
142  TemplateState *state = statev;
143  TemplateTransaction *tx = NULL, *ttx;
144 
145  SCLogNotice("Freeing transaction %"PRIu64, tx_id);
146 
147  TAILQ_FOREACH_SAFE(tx, &state->tx_list, next, ttx) {
148 
149  /* Continue if this is not the transaction we are looking
150  * for. */
151  if (tx->tx_id != tx_id) {
152  continue;
153  }
154 
155  /* Remove and free the transaction. */
156  TAILQ_REMOVE(&state->tx_list, tx, next);
157  TemplateTxFree(tx);
158  return;
159  }
160 
161  SCLogNotice("Transaction %"PRIu64" not found.", tx_id);
162 }
163 
164 static int TemplateStateGetEventInfo(const char *event_name, int *event_id,
165  AppLayerEventType *event_type)
166 {
167  *event_id = SCMapEnumNameToValue(event_name, template_decoder_event_table);
168  if (*event_id == -1) {
169  SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%s\" not present in "
170  "template enum map table.", event_name);
171  /* This should be treated as fatal. */
172  return -1;
173  }
174 
175  *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION;
176 
177  return 0;
178 }
179 
180 static int TemplateStateGetEventInfoById(int event_id, const char **event_name,
181  AppLayerEventType *event_type)
182 {
183  *event_name = SCMapEnumValueToName(event_id, template_decoder_event_table);
184  if (*event_name == NULL) {
185  SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%d\" not present in "
186  "template enum map table.", event_id);
187  /* This should be treated as fatal. */
188  return -1;
189  }
190 
191  *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION;
192 
193  return 0;
194 }
195 
196 /**
197  * \brief Probe the input to server to see if it looks like template.
198  *
199  * \retval ALPROTO_TEMPLATE if it looks like template,
200  * ALPROTO_FAILED, if it is clearly not ALPROTO_TEMPLATE,
201  * otherwise ALPROTO_UNKNOWN.
202  */
203 static AppProto TemplateProbingParserTs(Flow *f, uint8_t direction,
204  const uint8_t *input, uint32_t input_len, uint8_t *rdir)
205 {
206  /* Very simple test - if there is input, this is template. */
207  if (input_len >= TEMPLATE_MIN_FRAME_LEN) {
208  SCLogNotice("Detected as ALPROTO_TEMPLATE.");
209  return ALPROTO_TEMPLATE;
210  }
211 
212  SCLogNotice("Protocol not detected as ALPROTO_TEMPLATE.");
213  return ALPROTO_UNKNOWN;
214 }
215 
216 /**
217  * \brief Probe the input to client to see if it looks like template.
218  * TemplateProbingParserTs can be used instead if the protocol
219  * is symmetric.
220  *
221  * \retval ALPROTO_TEMPLATE if it looks like template,
222  * ALPROTO_FAILED, if it is clearly not ALPROTO_TEMPLATE,
223  * otherwise ALPROTO_UNKNOWN.
224  */
225 static AppProto TemplateProbingParserTc(Flow *f, uint8_t direction,
226  const uint8_t *input, uint32_t input_len, uint8_t *rdir)
227 {
228  /* Very simple test - if there is input, this is template. */
229  if (input_len >= TEMPLATE_MIN_FRAME_LEN) {
230  SCLogNotice("Detected as ALPROTO_TEMPLATE.");
231  return ALPROTO_TEMPLATE;
232  }
233 
234  SCLogNotice("Protocol not detected as ALPROTO_TEMPLATE.");
235  return ALPROTO_UNKNOWN;
236 }
237 
238 static AppLayerResult TemplateParseRequest(Flow *f, void *statev, AppLayerParserState *pstate,
239  StreamSlice stream_slice, void *local_data)
240 {
241  TemplateState *state = statev;
242  const uint8_t *input = StreamSliceGetData(&stream_slice);
243  uint32_t input_len = StreamSliceGetDataLen(&stream_slice);
244  const uint8_t flags = StreamSliceGetFlags(&stream_slice);
245 
246  SCLogNotice("Parsing template request: len=%"PRIu32, input_len);
247 
248  if (input == NULL) {
250  /* This is a signal that the stream is done. Do any
251  * cleanup if needed. Usually nothing is required here. */
253  } else if (flags & STREAM_GAP) {
254  /* This is a signal that there has been a gap in the
255  * stream. This only needs to be handled if gaps were
256  * enabled during protocol registration. The input_len
257  * contains the size of the gap. */
259  }
260  /* This should not happen. If input is NULL, one of the above should be
261  * true. */
262  DEBUG_VALIDATE_BUG_ON(true);
264  }
265 
266  /* Normally you would parse out data here and store it in the
267  * transaction object, but as this is echo, we'll just record the
268  * request data. */
269 
270  /* Also, if this protocol may have a "protocol data unit" span
271  * multiple chunks of data, which is always a possibility with
272  * TCP, you may need to do some buffering here.
273  *
274  * For the sake of simplicity, buffering is left out here, but
275  * even for an echo protocol we may want to buffer until a new
276  * line is seen, assuming its text based.
277  */
278 
279  /* Allocate a transaction.
280  *
281  * But note that if a "protocol data unit" is not received in one
282  * chunk of data, and the buffering is done on the transaction, we
283  * may need to look for the transaction that this newly received
284  * data belongs to.
285  */
286  TemplateTransaction *tx = TemplateTxAlloc(state);
287  if (unlikely(tx == NULL)) {
288  SCLogNotice("Failed to allocate new Template tx.");
289  goto end;
290  }
291  SCLogNotice("Allocated Template tx %"PRIu64".", tx->tx_id);
292 
293  /* Make a copy of the request. */
294  tx->request_buffer = SCCalloc(1, input_len);
295  if (unlikely(tx->request_buffer == NULL)) {
296  goto end;
297  }
298  memcpy(tx->request_buffer, input, input_len);
299  tx->request_buffer_len = input_len;
300 
301  /* Here we check for an empty message and create an app-layer
302  * event. */
303  if ((input_len == 1 && tx->request_buffer[0] == '\n') ||
304  (input_len == 2 && tx->request_buffer[0] == '\r')) {
305  SCLogNotice("Creating event for empty message.");
307  }
308 
309 end:
311 }
312 
313 static AppLayerResult TemplateParseResponse(Flow *f, void *statev, AppLayerParserState *pstate,
314  StreamSlice stream_slice, void *local_data)
315 {
316  TemplateState *state = statev;
317  TemplateTransaction *tx = NULL, *ttx;
318  const uint8_t *input = StreamSliceGetData(&stream_slice);
319  uint32_t input_len = StreamSliceGetDataLen(&stream_slice);
320 
321  SCLogNotice("Parsing Template response.");
322 
323  /* Likely connection closed, we can just return here. */
324  if ((input == NULL || input_len == 0) &&
327  }
328 
329  /* Probably don't want to create a transaction in this case
330  * either. */
331  if (input == NULL || input_len == 0) {
333  }
334 
335  /* Look up the existing transaction for this response. In the case
336  * of echo, it will be the most recent transaction on the
337  * TemplateState object. */
338 
339  /* We should just grab the last transaction, but this is to
340  * illustrate how you might traverse the transaction list to find
341  * the transaction associated with this response. */
342  TAILQ_FOREACH(ttx, &state->tx_list, next) {
343  tx = ttx;
344  }
345 
346  if (tx == NULL) {
347  SCLogNotice("Failed to find transaction for response on state %p.",
348  state);
349  goto end;
350  }
351 
352  SCLogNotice("Found transaction %"PRIu64" for response on state %p.",
353  tx->tx_id, state);
354 
355  /* If the protocol requires multiple chunks of data to complete, you may
356  * run into the case where you have existing response data.
357  *
358  * In this case, we just log that there is existing data and free it. But
359  * you might want to realloc the buffer and append the data.
360  */
361  if (tx->response_buffer != NULL) {
362  SCLogNotice("WARNING: Transaction already has response data, "
363  "existing data will be overwritten.");
364  SCFree(tx->response_buffer);
365  }
366 
367  /* Make a copy of the response. */
368  tx->response_buffer = SCCalloc(1, input_len);
369  if (unlikely(tx->response_buffer == NULL)) {
370  goto end;
371  }
372  memcpy(tx->response_buffer, input, input_len);
373  tx->response_buffer_len = input_len;
374 
375  /* Set the response_done flag for transaction state checking in
376  * TemplateGetStateProgress(). */
377  tx->response_done = 1;
378 
379 end:
381 }
382 
383 static uint64_t TemplateGetTxCnt(void *statev)
384 {
385  const TemplateState *state = statev;
386  SCLogNotice("Current tx count is %"PRIu64".", state->transaction_max);
387  return state->transaction_max;
388 }
389 
390 static void *TemplateGetTx(void *statev, uint64_t tx_id)
391 {
392  TemplateState *state = statev;
394 
395  SCLogDebug("Requested tx ID %" PRIu64 ".", tx_id);
396 
397  TAILQ_FOREACH(tx, &state->tx_list, next) {
398  if (tx->tx_id == tx_id) {
399  SCLogDebug("Transaction %" PRIu64 " found, returning tx object %p.", tx_id, tx);
400  return tx;
401  }
402  }
403 
404  SCLogDebug("Transaction ID %" PRIu64 " not found.", tx_id);
405  return NULL;
406 }
407 
408 /**
409  * \brief Return the state of a transaction in a given direction.
410  *
411  * In the case of the echo protocol, the existence of a transaction
412  * means that the request is done. However, some protocols that may
413  * need multiple chunks of data to complete the request may need more
414  * than just the existence of a transaction for the request to be
415  * considered complete.
416  *
417  * For the response to be considered done, the response for a request
418  * needs to be seen. The response_done flag is set on response for
419  * checking here.
420  */
421 static int TemplateGetStateProgress(void *txv, uint8_t direction)
422 {
423  TemplateTransaction *tx = txv;
424 
425  SCLogNotice("Transaction progress requested for tx ID %"PRIu64
426  ", direction=0x%02x", tx->tx_id, direction);
427 
428  if (direction & STREAM_TOCLIENT && tx->response_done) {
429  return 1;
430  }
431  else if (direction & STREAM_TOSERVER) {
432  /* For the template, just the existence of the transaction means the
433  * request is done. */
434  return 1;
435  }
436 
437  return 0;
438 }
439 
440 /**
441  * \brief retrieve the tx data used for logging, config, detection
442  */
443 static AppLayerTxData *TemplateGetTxData(void *vtx)
444 {
445  TemplateTransaction *tx = vtx;
446  return &tx->tx_data;
447 }
448 
450 {
451  const char *proto_name = "template";
452 
453  /* Check if Template TCP detection is enabled. If it does not exist in
454  * the configuration file then it will be disabled by default. */
455  if (AppLayerProtoDetectConfProtoDetectionEnabledDefault("tcp", proto_name, false)) {
456 
457  SCLogDebug("Template TCP protocol detection enabled.");
458 
460 
461  if (RunmodeIsUnittests()) {
462 
463  SCLogNotice("Unittest mode, registering default configuration.");
465  ALPROTO_TEMPLATE, 0, TEMPLATE_MIN_FRAME_LEN, STREAM_TOSERVER,
466  TemplateProbingParserTs, TemplateProbingParserTc);
467 
468  }
469  else {
470 
471  if (!AppLayerProtoDetectPPParseConfPorts("tcp", IPPROTO_TCP,
473  TemplateProbingParserTs, TemplateProbingParserTc)) {
474  SCLogDebug("No template app-layer configuration, enabling echo"
475  " detection TCP detection on port %s.",
477  AppLayerProtoDetectPPRegister(IPPROTO_TCP,
479  TEMPLATE_MIN_FRAME_LEN, STREAM_TOSERVER,
480  TemplateProbingParserTs, TemplateProbingParserTc);
481  }
482 
483  }
484 
485  }
486 
487  else {
488  SCLogDebug("Protocol detector and parser disabled for Template.");
489  return;
490  }
491 
492  if (AppLayerParserConfParserEnabled("tcp", proto_name)) {
493 
494  SCLogNotice("Registering Template protocol parser.");
495 
496  /* Register functions for state allocation and freeing. A
497  * state is allocated for every new Template flow. */
499  TemplateStateAlloc, TemplateStateFree);
500 
501  /* Register request parser for parsing frame from server to client. */
503  STREAM_TOSERVER, TemplateParseRequest);
504 
505  /* Register response parser for parsing frames from server to client. */
507  STREAM_TOCLIENT, TemplateParseResponse);
508 
509  /* Register a function to be called by the application layer
510  * when a transaction is to be freed. */
512  TemplateStateTxFree);
513 
514  /* Register a function to return the current transaction count. */
516  TemplateGetTxCnt);
517 
518  /* Transaction handling. */
521  ALPROTO_TEMPLATE, TemplateGetStateProgress);
523  TemplateGetTx);
525  TemplateGetTxData);
526 
528  TemplateStateGetEventInfo);
530  TemplateStateGetEventInfoById);
531 
532  /* Leave this is if your parser can handle gaps, otherwise
533  * remove. */
536  }
537  else {
538  SCLogDebug("Template protocol parsing disabled.");
539  }
540 
541 #ifdef UNITTESTS
544 #endif
545 }
546 
547 #ifdef UNITTESTS
548 #endif
549 
551 {
552 #ifdef UNITTESTS
553 #endif
554 }
AppLayerParserRegisterGetStateProgressFunc
void AppLayerParserRegisterGetStateProgressFunc(uint8_t ipproto, AppProto alproto, int(*StateGetProgress)(void *alstate, uint8_t direction))
Definition: app-layer-parser.c:510
AppLayerProtoDetectPPParseConfPorts
int AppLayerProtoDetectPPParseConfPorts(const char *ipproto_name, uint8_t ipproto, const char *alproto_name, AppProto alproto, uint16_t min_depth, uint16_t max_depth, ProbingParserFPtr ProbingParserTs, ProbingParserFPtr ProbingParserTc)
Definition: app-layer-detect-proto.c:1732
TemplateParserRegisterTests
void TemplateParserRegisterTests(void)
Definition: app-layer-template.c:550
TemplateTransaction::response_done
uint8_t response_done
Definition: app-layer-template.h:45
AppLayerParserRegisterOptionFlags
void AppLayerParserRegisterOptionFlags(uint8_t ipproto, AppProto alproto, uint32_t flags)
Definition: app-layer-parser.c:428
TAILQ_INIT
#define TAILQ_INIT(head)
Definition: queue.h:262
TemplateState::transaction_max
uint64_t transaction_max
Definition: app-layer-template.h:63
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:296
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:80
AppLayerParserConfParserEnabled
int AppLayerParserConfParserEnabled(const char *ipproto, const char *alproto_name)
check if a parser is enabled in the config Returns enabled always if: were running unittests
Definition: app-layer-parser.c:347
Flow_
Flow data structure.
Definition: flow.h:353
AppLayerEventType
enum AppLayerEventType_ AppLayerEventType
AppLayerParserRegisterStateProgressCompletionStatus
void AppLayerParserRegisterStateProgressCompletionStatus(AppProto alproto, const int ts, const int tc)
Definition: app-layer-parser.c:562
AppLayerParserRegisterTxFreeFunc
void AppLayerParserRegisterTxFreeFunc(uint8_t ipproto, AppProto alproto, void(*StateTransactionFree)(void *, uint64_t))
Definition: app-layer-parser.c:521
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:252
AppLayerDecoderEventsFreeEvents
void AppLayerDecoderEventsFreeEvents(AppLayerDecoderEvents **events)
Definition: app-layer-events.c:132
TEMPLATE_DEFAULT_PORT
#define TEMPLATE_DEFAULT_PORT
Definition: app-layer-template.c:51
TAILQ_INSERT_TAIL
#define TAILQ_INSERT_TAIL(head, elm, field)
Definition: queue.h:294
APP_LAYER_PARSER_EOF_TS
#define APP_LAYER_PARSER_EOF_TS
Definition: app-layer-parser.h:39
util-unittest.h
APP_LAYER_EVENT_TYPE_TRANSACTION
@ APP_LAYER_EVENT_TYPE_TRANSACTION
Definition: app-layer-events.h:57
AppLayerProtoDetectPPRegister
void AppLayerProtoDetectPPRegister(uint8_t ipproto, const char *portstr, AppProto alproto, uint16_t min_depth, uint16_t max_depth, uint8_t direction, ProbingParserFPtr ProbingParser1, ProbingParserFPtr ProbingParser2)
register parser at a port
Definition: app-layer-detect-proto.c:1693
app-layer-detect-proto.h
AppLayerParserStateIssetFlag
int AppLayerParserStateIssetFlag(AppLayerParserState *pstate, uint8_t flag)
Definition: app-layer-parser.c:1726
TAILQ_REMOVE
#define TAILQ_REMOVE(head, elm, field)
Definition: queue.h:312
TAILQ_FIRST
#define TAILQ_FIRST(head)
Definition: queue.h:250
AppLayerParserState_
Definition: app-layer-parser.c:155
TemplateTransaction::response_buffer_len
uint32_t response_buffer_len
Definition: app-layer-template.h:43
AppLayerParserRegisterStateFuncs
void AppLayerParserRegisterStateFuncs(uint8_t ipproto, AppProto alproto, void *(*StateAlloc)(void *, AppProto), void(*StateFree)(void *))
Definition: app-layer-parser.c:444
app-layer-parser.h
stream.h
AppLayerParserRegisterProtocolUnittests
void AppLayerParserRegisterProtocolUnittests(uint8_t ipproto, AppProto alproto, void(*RegisterUnittests)(void))
Definition: app-layer-parser.c:1823
TemplateTransaction::request_buffer
uint8_t * request_buffer
Definition: app-layer-template.h:39
APP_LAYER_PARSER_EOF_TC
#define APP_LAYER_PARSER_EOF_TC
Definition: app-layer-parser.h:40
conf.h
AppLayerParserRegisterGetEventInfo
void AppLayerParserRegisterGetEventInfo(uint8_t ipproto, AppProto alproto, int(*StateGetEventInfo)(const char *event_name, int *event_id, AppLayerEventType *event_type))
Definition: app-layer-parser.c:599
TEMPLATE_DECODER_EVENT_EMPTY_MESSAGE
@ TEMPLATE_DECODER_EVENT_EMPTY_MESSAGE
Definition: app-layer-template.c:68
AppLayerProtoDetectRegisterProtocol
void AppLayerProtoDetectRegisterProtocol(AppProto alproto, const char *alproto_name)
Registers a protocol for protocol detection phase.
Definition: app-layer-detect-proto.c:1910
RunmodeIsUnittests
int RunmodeIsUnittests(void)
Definition: suricata.c:279
TAILQ_FOREACH_SAFE
#define TAILQ_FOREACH_SAFE(var, head, field, tvar)
Definition: queue.h:329
AppLayerParserRegisterParser
int AppLayerParserRegisterParser(uint8_t ipproto, AppProto alproto, uint8_t direction, AppLayerParserFPtr Parser)
Register app layer parser for the protocol.
Definition: app-layer-parser.c:405
TemplateTransaction
Definition: app-layer-template.h:35
AppLayerParserRegisterGetTx
void AppLayerParserRegisterGetTx(uint8_t ipproto, AppProto alproto, void *(StateGetTx)(void *alstate, uint64_t tx_id))
Definition: app-layer-parser.c:543
TemplateTransaction::response_buffer
uint8_t * response_buffer
Definition: app-layer-template.h:42
APP_LAYER_OK
#define APP_LAYER_OK
Definition: app-layer-parser.h:84
SCMapEnumValueToName
const char * SCMapEnumValueToName(int enum_value, SCEnumCharMap *table)
Maps an enum value to a string name, from the supplied table.
Definition: util-enum.c:68
SCReturnStruct
#define SCReturnStruct(x)
Definition: util-debug.h:318
TemplateTransaction::request_buffer_len
uint32_t request_buffer_len
Definition: app-layer-template.h:40
TemplateTransaction::tx_data
AppLayerTxData tx_data
Definition: app-layer-template.h:48
SCMapEnumNameToValue
int SCMapEnumNameToValue(const char *enum_name, SCEnumCharMap *table)
Maps a string name to an enum value from the supplied table. Please specify the last element of any m...
Definition: util-enum.c:40
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
SCEnumCharMap_
Definition: util-enum.h:27
AppLayerDecoderEventsSetEventRaw
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
Definition: app-layer-events.c:89
TemplateTransaction::tx_id
uint64_t tx_id
Definition: app-layer-template.h:37
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:255
AppLayerParserRegisterTxDataFunc
void AppLayerParserRegisterTxDataFunc(uint8_t ipproto, AppProto alproto, AppLayerTxData *(*GetTxData)(void *tx))
Definition: app-layer-parser.c:611
util-validate.h
APP_LAYER_PARSER_OPT_ACCEPT_GAPS
#define APP_LAYER_PARSER_OPT_ACCEPT_GAPS
Definition: app-layer-parser.h:43
TemplateState
Definition: app-layer-template.h:54
SCFree
#define SCFree(p)
Definition: util-mem.h:61
app-layer-template.h
AppLayerParserRegisterGetEventInfoById
void AppLayerParserRegisterGetEventInfoById(uint8_t ipproto, AppProto alproto, int(*StateGetEventInfoById)(int event_id, const char **event_name, AppLayerEventType *event_type))
Definition: app-layer-parser.c:577
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_TEMPLATE
@ ALPROTO_TEMPLATE
Definition: app-layer-protos.h:59
RegisterTemplateParsers
void RegisterTemplateParsers(void)
Definition: app-layer-template.c:449
suricata.h
AppLayerParserRegisterGetTxCnt
void AppLayerParserRegisterGetTxCnt(uint8_t ipproto, AppProto alproto, uint64_t(*StateGetTxCnt)(void *alstate))
Definition: app-layer-parser.c:532
APP_LAYER_ERROR
#define APP_LAYER_ERROR
Definition: app-layer-parser.h:88
SC_ERR_INVALID_ENUM_MAP
@ SC_ERR_INVALID_ENUM_MAP
Definition: util-error.h:45
AppLayerProtoDetectConfProtoDetectionEnabledDefault
int AppLayerProtoDetectConfProtoDetectionEnabledDefault(const char *ipproto, const char *alproto, bool default_enabled)
Given a protocol name, checks if proto detection is enabled in the conf file.
Definition: app-layer-detect-proto.c:2015
SCLogNotice
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:230
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
TEMPLATE_MIN_FRAME_LEN
#define TEMPLATE_MIN_FRAME_LEN
Definition: app-layer-template.c:55
util-enum.h
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
template_decoder_event_table
SCEnumCharMap template_decoder_event_table[]
Definition: app-layer-template.c:71
app-layer.h