suricata
app-layer-tftp.c
Go to the documentation of this file.
1 /* Copyright (C) 2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  *
17  */
18 
19 /**
20  * \file
21  *
22  * \author ClĂ©ment Galland <clement.galland@epita.fr>
23  *
24  * Parser for NTP application layer running on UDP port 69.
25  */
26 
27 
28 #include "suricata-common.h"
29 #include "stream.h"
30 #include "conf.h"
31 
32 #include "util-unittest.h"
33 
34 #include "app-layer-detect-proto.h"
35 #include "app-layer-parser.h"
36 
37 #include "app-layer-tftp.h"
38 
39 #include "rust-tftp-tftp-gen.h"
40 
41 /* The default port to probe if not provided in the configuration file. */
42 #define TFTP_DEFAULT_PORT "69"
43 
44 /* The minimum size for an message. For some protocols this might
45  * be the size of a header. */
46 #define TFTP_MIN_FRAME_LEN 4
47 
48 static void *TFTPStateAlloc(void)
49 {
50  return rs_tftp_state_alloc();
51 }
52 
53 static void TFTPStateFree(void *state)
54 {
55  rs_tftp_state_free(state);
56 }
57 
58 /**
59  * \brief Callback from the application layer to have a transaction freed.
60  *
61  * \param state a void pointer to the TFTPState object.
62  * \param tx_id the transaction ID to free.
63  */
64 static void TFTPStateTxFree(void *state, uint64_t tx_id)
65 {
66  rs_tftp_state_tx_free(state, tx_id);
67 }
68 
69 static int TFTPStateGetEventInfo(const char *event_name, int *event_id,
70  AppLayerEventType *event_type)
71 {
72  return -1;
73 }
74 
75 static AppLayerDecoderEvents *TFTPGetEvents(void *tx)
76 {
77  return NULL;
78 }
79 
80 /**
81  * \brief Probe the input to see if it looks like echo.
82  *
83  * \retval ALPROTO_TFTP if it looks like echo, otherwise
84  * ALPROTO_UNKNOWN.
85  */
86 static AppProto TFTPProbingParser(Flow *f, uint8_t direction,
87  uint8_t *input, uint32_t input_len, uint8_t *rdir)
88 {
89  /* Very simple test - if there is input, this is tftp.
90  * Also check if it's starting by a zero */
91  if (input_len >= TFTP_MIN_FRAME_LEN && *input == 0) {
92  SCLogDebug("Detected as ALPROTO_TFTP.");
93  return ALPROTO_TFTP;
94  }
95 
96  SCLogDebug("Protocol not detected as ALPROTO_TFTP.");
97  return ALPROTO_UNKNOWN;
98 }
99 
100 static int TFTPParseRequest(Flow *f, void *state,
101  AppLayerParserState *pstate, uint8_t *input, uint32_t input_len,
102  void *local_data, const uint8_t flags)
103 {
104  SCLogDebug("Parsing echo request: len=%"PRIu32, input_len);
105 
106  /* Likely connection closed, we can just return here. */
107  if ((input == NULL || input_len == 0) &&
108  AppLayerParserStateIssetFlag(pstate, APP_LAYER_PARSER_EOF)) {
109  return 0;
110  }
111 
112  /* Probably don't want to create a transaction in this case
113  * either. */
114  if (input == NULL || input_len == 0) {
115  return 0;
116  }
117 
118  return rs_tftp_request(state, input, input_len);
119 }
120 
121 /**
122  * \brief Response parsing is not implemented
123  */
124 static int TFTPParseResponse(Flow *f, void *state, AppLayerParserState *pstate,
125  uint8_t *input, uint32_t input_len, void *local_data,
126  const uint8_t flags)
127 {
128  return 0;
129 }
130 
131 static uint64_t TFTPGetTxCnt(void *state)
132 {
133  return rs_tftp_get_tx_cnt(state);
134 }
135 
136 static void *TFTPGetTx(void *state, uint64_t tx_id)
137 {
138  return rs_tftp_get_tx(state, tx_id);
139 }
140 
141 static void TFTPSetTxLogged(void *state, void *vtx, uint32_t logger)
142 {
143  rs_tftp_set_tx_logged(state, vtx, logger);
144 }
145 
146 static LoggerId TFTPGetTxLogged(void *state, void *vtx)
147 {
148  return rs_tftp_get_tx_logged(state, vtx);
149 }
150 
151 /**
152  * \brief Called by the application layer.
153  *
154  * In most cases 1 can be returned here.
155  */
156 static int TFTPGetAlstateProgressCompletionStatus(uint8_t direction) {
157  return 1;
158 }
159 
160 /**
161  * \brief Return the state of a transaction in a given direction.
162  *
163  * In the case of the echo protocol, the existence of a transaction
164  * means that the request is done. However, some protocols that may
165  * need multiple chunks of data to complete the request may need more
166  * than just the existence of a transaction for the request to be
167  * considered complete.
168  *
169  * For the response to be considered done, the response for a request
170  * needs to be seen. The response_done flag is set on response for
171  * checking here.
172  */
173 static int TFTPGetStateProgress(void *tx, uint8_t direction)
174 {
175  return 1;
176 }
177 
178 static DetectEngineState *TFTPGetTxDetectState(void *vtx)
179 {
180  return NULL;
181 }
182 
183 static int TFTPSetTxDetectState(void *vtx,
184  DetectEngineState *s)
185 {
186  return 0;
187 }
188 
189 void RegisterTFTPParsers(void)
190 {
191  const char *proto_name = "tftp";
192 
193  /* Check if TFTP UDP detection is enabled. If it does not exist in
194  * the configuration file then it will be enabled by default. */
195  if (AppLayerProtoDetectConfProtoDetectionEnabled("udp", proto_name)) {
196 
197  SCLogDebug("TFTP UDP protocol detection enabled.");
198 
199  AppLayerProtoDetectRegisterProtocol(ALPROTO_TFTP, proto_name);
200 
201  if (RunmodeIsUnittests()) {
202  SCLogDebug("Unittest mode, registeringd default configuration.");
203  AppLayerProtoDetectPPRegister(IPPROTO_UDP, TFTP_DEFAULT_PORT,
204  ALPROTO_TFTP, 0, TFTP_MIN_FRAME_LEN,
205  STREAM_TOSERVER, TFTPProbingParser,
206  NULL);
207  } else {
208  if (!AppLayerProtoDetectPPParseConfPorts("udp", IPPROTO_UDP,
209  proto_name, ALPROTO_TFTP,
210  0, TFTP_MIN_FRAME_LEN,
211  TFTPProbingParser, NULL)) {
212  SCLogDebug("No echo app-layer configuration, enabling echo"
213  " detection UDP detection on port %s.",
214  TFTP_DEFAULT_PORT);
215  AppLayerProtoDetectPPRegister(IPPROTO_UDP,
216  TFTP_DEFAULT_PORT, ALPROTO_TFTP,
217  0, TFTP_MIN_FRAME_LEN,
218  STREAM_TOSERVER,TFTPProbingParser,
219  NULL);
220  }
221  }
222  } else {
223  SCLogDebug("Protocol detecter and parser disabled for TFTP.");
224  return;
225  }
226 
227  if (AppLayerParserConfParserEnabled("udp", proto_name)) {
228 
229  SCLogDebug("Registering TFTP protocol parser.");
230 
231  /* Register functions for state allocation and freeing. A
232  * state is allocated for every new TFTP flow. */
233  AppLayerParserRegisterStateFuncs(IPPROTO_UDP, ALPROTO_TFTP,
234  TFTPStateAlloc, TFTPStateFree);
235 
236  /* Register request parser for parsing frame from server to client. */
237  AppLayerParserRegisterParser(IPPROTO_UDP, ALPROTO_TFTP,
238  STREAM_TOSERVER, TFTPParseRequest);
239 
240  /* Register response parser for parsing frames from server to client. */
241  AppLayerParserRegisterParser(IPPROTO_UDP, ALPROTO_TFTP,
242  STREAM_TOCLIENT, TFTPParseResponse);
243 
244  /* Register a function to be called by the application layer
245  * when a transaction is to be freed. */
246  AppLayerParserRegisterTxFreeFunc(IPPROTO_UDP, ALPROTO_TFTP,
247  TFTPStateTxFree);
248 
249  AppLayerParserRegisterLoggerFuncs(IPPROTO_UDP, ALPROTO_TFTP,
250  TFTPGetTxLogged, TFTPSetTxLogged);
251 
252  /* Register a function to return the current transaction count. */
253  AppLayerParserRegisterGetTxCnt(IPPROTO_UDP, ALPROTO_TFTP,
254  TFTPGetTxCnt);
255 
256  /* Transaction handling. */
257  AppLayerParserRegisterGetStateProgressCompletionStatus(ALPROTO_TFTP,
258  TFTPGetAlstateProgressCompletionStatus);
259  AppLayerParserRegisterGetStateProgressFunc(IPPROTO_UDP,
260  ALPROTO_TFTP,
261  TFTPGetStateProgress);
262  AppLayerParserRegisterGetTx(IPPROTO_UDP, ALPROTO_TFTP,
263  TFTPGetTx);
264 
265  /* What is this being registered for? */
266  AppLayerParserRegisterDetectStateFuncs(IPPROTO_UDP, ALPROTO_TFTP,
267  TFTPGetTxDetectState,
268  TFTPSetTxDetectState);
269 
270  AppLayerParserRegisterGetEventInfo(IPPROTO_UDP, ALPROTO_TFTP,
271  TFTPStateGetEventInfo);
272  AppLayerParserRegisterGetEventsFunc(IPPROTO_UDP, ALPROTO_TFTP,
273  TFTPGetEvents);
274  }
275  else {
276  SCLogDebug("TFTP protocol parsing disabled.");
277  }
278 }
RegisterTFTPParsers
void RegisterTFTPParsers(void)
Definition: app-layer-tftp.c:189
AppLayerEventType
enum AppLayerEventType_ AppLayerEventType
flags
uint16_t flags
Definition: app-layer-dns-common.h:269
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
AppLayerProtoDetectPPRegister
void AppLayerProtoDetectPPRegister(uint8_t ipproto, const char *portstr, AppProto alproto, uint16_t min_depth, uint16_t max_depth, uint8_t direction, ProbingParserFPtr ProbingParser1, ProbingParserFPtr ProbingParser2)
register parser at a port
Definition: app-layer-detect-proto.c:1609
TFTP_MIN_FRAME_LEN
#define TFTP_MIN_FRAME_LEN
Definition: app-layer-tftp.c:46
AppLayerParserRegisterGetStateProgressFunc
void AppLayerParserRegisterGetStateProgressFunc(uint8_t ipproto, AppProto alproto, int(*StateGetProgress)(void *alstate, uint8_t direction))
Definition: app-layer-parser.c:489
event_type
uint32_t event_type
Definition: alert-unified2-alert.c:84
LoggerId
LoggerId
Definition: suricata-common.h:418
AppLayerProtoDetectConfProtoDetectionEnabled
int AppLayerProtoDetectConfProtoDetectionEnabled(const char *ipproto, const char *alproto)
Given a protocol name, checks if proto detection is enabled in the conf file.
Definition: app-layer-detect-proto.c:1888
AppLayerParserStateIssetFlag
int AppLayerParserStateIssetFlag(AppLayerParserState *pstate, uint8_t flag)
Definition: app-layer-parser.c:1551
AppLayerParserRegisterDetectStateFuncs
void AppLayerParserRegisterDetectStateFuncs(uint8_t ipproto, AppProto alproto, DetectEngineState *(*GetTxDetectState)(void *tx), int(*SetTxDetectState)(void *tx, DetectEngineState *))
Definition: app-layer-parser.c:576
AppLayerParserRegisterGetEventsFunc
void AppLayerParserRegisterGetEventsFunc(uint8_t ipproto, AppProto alproto, AppLayerDecoderEvents *(*StateGetEvents)(void *))
Definition: app-layer-parser.c:435
AppLayerParserRegisterLoggerFuncs
void AppLayerParserRegisterLoggerFuncs(uint8_t ipproto, AppProto alproto, LoggerId(*StateGetTxLogged)(void *, void *), void(*StateSetTxLogged)(void *, void *, LoggerId))
Definition: app-layer-parser.c:446
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:69
AppLayerParserState_
Definition: app-layer-parser.c:151
TFTP_DEFAULT_PORT
#define TFTP_DEFAULT_PORT
Definition: app-layer-tftp.c:42
AppLayerParserConfParserEnabled
int AppLayerParserConfParserEnabled(const char *ipproto, const char *alproto_name)
check if a parser is enabled in the config Returns enabled always if: were running unittests and when...
Definition: app-layer-parser.c:298
AppLayerDecoderEvents_
Data structure to store app layer decoder events.
Definition: app-layer-events.h:34
AppLayerParserRegisterParser
int AppLayerParserRegisterParser(uint8_t ipproto, AppProto alproto, uint8_t direction, AppLayerParserFPtr Parser)
Register app layer parser for the protocol.
Definition: app-layer-parser.c:363
AppLayerParserRegisterGetTx
void AppLayerParserRegisterGetTx(uint8_t ipproto, AppProto alproto, void *(StateGetTx)(void *alstate, uint64_t tx_id))
Definition: app-layer-parser.c:522
AppLayerProtoDetectPPParseConfPorts
int AppLayerProtoDetectPPParseConfPorts(const char *ipproto_name, uint8_t ipproto, const char *alproto_name, AppProto alproto, uint16_t min_depth, uint16_t max_depth, ProbingParserFPtr ProbingParserTs, ProbingParserFPtr ProbingParserTc)
Definition: app-layer-detect-proto.c:1643
AppLayerParserRegisterGetEventInfo
void AppLayerParserRegisterGetEventInfo(uint8_t ipproto, AppProto alproto, int(*StateGetEventInfo)(const char *event_name, int *event_id, AppLayerEventType *event_type))
Definition: app-layer-parser.c:564
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
AppLayerParserRegisterGetStateProgressCompletionStatus
void AppLayerParserRegisterGetStateProgressCompletionStatus(AppProto alproto, int(*StateGetProgressCompletionStatus)(uint8_t direction))
Definition: app-layer-parser.c:541
RunmodeIsUnittests
int RunmodeIsUnittests(void)
Definition: suricata.c:265
AppLayerProtoDetectRegisterProtocol
void AppLayerProtoDetectRegisterProtocol(AppProto alproto, const char *alproto_name)
Registers a protocol for protocol detection phase.
Definition: app-layer-detect-proto.c:1824
tx_id
uint16_t tx_id
Definition: app-layer-dns-common.h:268
DetectEngineState_
Definition: detect-engine-state.h:92
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
APP_LAYER_PARSER_EOF
#define APP_LAYER_PARSER_EOF
Definition: app-layer-parser.h:34
AppLayerParserRegisterGetTxCnt
void AppLayerParserRegisterGetTxCnt(uint8_t ipproto, AppProto alproto, uint64_t(*StateGetTxCnt)(void *alstate))
Definition: app-layer-parser.c:511
AppLayerParserRegisterStateFuncs
void AppLayerParserRegisterStateFuncs(uint8_t ipproto, AppProto alproto, void *(*StateAlloc)(void), void(*StateFree)(void *))
Definition: app-layer-parser.c:396
Flow_
Flow data structure.
Definition: flow.h:325
AppLayerParserRegisterTxFreeFunc
void AppLayerParserRegisterTxFreeFunc(uint8_t ipproto, AppProto alproto, void(*StateTransactionFree)(void *, uint64_t))
Definition: app-layer-parser.c:500