From fe0511d54c2737581a15e2b8a6abd518f6ca4451 Mon Sep 17 00:00:00 2001 From: Anoop Saldanha Date: Mon, 19 Mar 2012 09:06:16 +0530 Subject: [PATCH 2/2] Add new command line option --list-app-layer-protocols to list supported app layer protocols in sigs --- src/app-layer-dcerpc-udp.c | 8 +++-- src/app-layer-dcerpc.c | 8 +++-- src/app-layer-detect-proto.c | 83 +++++++++++++++++++++++------------------- src/app-layer-detect-proto.h | 2 +- src/app-layer-ftp.c | 12 ++++--- src/app-layer-htp.c | 34 +++++++++-------- src/app-layer-parser.c | 46 ++++++++++++++++++++---- src/app-layer-parser.h | 3 ++ src/app-layer-smb.c | 26 +++++++------ src/app-layer-smtp.c | 10 +++-- src/app-layer-ssh.c | 8 +++-- src/app-layer-ssl.c | 24 +++++++------ src/suricata.c | 22 +++++++++--- 13 files changed, 178 insertions(+), 108 deletions(-) diff --git a/src/app-layer-dcerpc-udp.c b/src/app-layer-dcerpc-udp.c index 2931757..df244cd 100644 --- a/src/app-layer-dcerpc-udp.c +++ b/src/app-layer-dcerpc-udp.c @@ -717,12 +717,14 @@ static void DCERPCUDPStateFree(void *s) { } void RegisterDCERPCUDPParsers(void) { + char *proto_name = "dcerpcudp"; + /** DCERPC */ - AlpProtoAdd(&alp_proto_ctx, IPPROTO_UDP, ALPROTO_DCERPC_UDP, "|04 00|", 2, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_UDP, ALPROTO_DCERPC_UDP, "|04 00|", 2, 0, STREAM_TOSERVER); - AppLayerRegisterProto("dcerpcudp", ALPROTO_DCERPC_UDP, STREAM_TOSERVER, + AppLayerRegisterProto(proto_name, ALPROTO_DCERPC_UDP, STREAM_TOSERVER, DCERPCUDPParse); - AppLayerRegisterProto("dcerpcudp", ALPROTO_DCERPC_UDP, STREAM_TOCLIENT, + AppLayerRegisterProto(proto_name, ALPROTO_DCERPC_UDP, STREAM_TOCLIENT, DCERPCUDPParse); AppLayerRegisterStateFuncs(ALPROTO_DCERPC_UDP, DCERPCUDPStateAlloc, DCERPCUDPStateFree); diff --git a/src/app-layer-dcerpc.c b/src/app-layer-dcerpc.c index b7cb263..ddd8bc4 100644 --- a/src/app-layer-dcerpc.c +++ b/src/app-layer-dcerpc.c 
@@ -1825,12 +1825,14 @@ void DCERPCUpdateTransactionId(void *state, uint16_t *id) {
 }
 
 void RegisterDCERPCParsers(void) {
+    char *proto_name = "dcerpc";
+
     /** DCERPC */
-    AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_DCERPC, "|05 00|", 2, 0, STREAM_TOSERVER);
+    AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_DCERPC, "|05 00|", 2, 0, STREAM_TOSERVER);
 
-    AppLayerRegisterProto("dcerpc", ALPROTO_DCERPC, STREAM_TOSERVER,
+    AppLayerRegisterProto(proto_name, ALPROTO_DCERPC, STREAM_TOSERVER,
                           DCERPCParse);
-    AppLayerRegisterProto("dcerpc", ALPROTO_DCERPC, STREAM_TOCLIENT,
+    AppLayerRegisterProto(proto_name, ALPROTO_DCERPC, STREAM_TOCLIENT,
                           DCERPCParse);
 
     AppLayerRegisterStateFuncs(ALPROTO_DCERPC, DCERPCStateAlloc, DCERPCStateFree);
diff --git a/src/app-layer-detect-proto.c b/src/app-layer-detect-proto.c
index 366a086..2631756 100644
--- a/src/app-layer-detect-proto.c
+++ b/src/app-layer-detect-proto.c
@@ -203,7 +203,14 @@ end:
  * \param offset Offset setting for the content. E.g. 4 mean that the content has to match after the first 4 bytes of the stream.
  * \param flags Set STREAM_TOCLIENT or STREAM_TOSERVER for the direction in which to try to match the content.
  */
-void AlpProtoAdd(AlpProtoDetectCtx *ctx, uint16_t ip_proto, uint16_t al_proto, char *content, uint16_t depth, uint16_t offset, uint8_t flags) {
+void AlpProtoAdd(AlpProtoDetectCtx *ctx, char *name, uint16_t ip_proto, uint16_t al_proto, char *content, uint16_t depth, uint16_t offset, uint8_t flags)
+{
+    if (al_proto_table[al_proto].name != NULL) {
+        BUG_ON(strcmp(al_proto_table[al_proto].name, name) != 0);
+    } else {
+        al_proto_table[al_proto].name = name;
+    }
+
     DetectContentData *cd = DetectContentParseEncloseQuotes(content);
     if (cd == NULL) {
         return;
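Review bot: The new guard at the top of AlpProtoAdd indexes `al_proto_table[al_proto]` and calls strcmp() before either argument is validated: `al_proto` is a caller-supplied uint16_t that is never compared against `ALPROTO_MAX`, and a NULL `name` reaches strcmp() (undefined behaviour) instead of a controlled failure. Add `BUG_ON(name == NULL || al_proto >= ALPROTO_MAX);` ahead of the lookup, in the same spirit as the existing BUG_ON on a name mismatch. The pointer is retained in the global table rather than copied, so the docblock above should gain `\param name Protocol name; must outlive the detection context (callers pass string literals)`, and since the function only reads it, `const char *name` would say so at the type level. Note also that the unit tests (AlpDetectTest01 onward) now write into the process-wide `al_proto_table` even though they build a private `ctx`, so any test that registers a different name for an already-named alproto aborts the whole unittest run via BUG_ON rather than failing that one test.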
@@ -746,7 +753,7 @@ int AlpDetectTest01(void) { AlpProtoInit(&ctx); - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_HTTP, buf, 4, 0, STREAM_TOCLIENT); + AlpProtoAdd(&ctx, "http", IPPROTO_TCP, ALPROTO_HTTP, buf, 4, 0, STREAM_TOCLIENT); SCFree(buf); if (ctx.toclient.id != 1) { @@ -754,7 +761,7 @@ int AlpDetectTest01(void) { } buf = SCStrdup("GET"); - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_HTTP, buf, 4, 0, STREAM_TOSERVER); + AlpProtoAdd(&ctx, "http", IPPROTO_TCP, ALPROTO_HTTP, buf, 4, 0, STREAM_TOSERVER); if (ctx.toserver.id != 1) { r = 0; } @@ -787,7 +794,7 @@ int AlpDetectTest02(void) { AlpProtoInit(&ctx); - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_HTTP, buf, 4, 0, STREAM_TOCLIENT); + AlpProtoAdd(&ctx, "http", IPPROTO_TCP, ALPROTO_HTTP, buf, 4, 0, STREAM_TOCLIENT); SCFree(buf); if (ctx.toclient.id != 1) { @@ -799,7 +806,7 @@ int AlpDetectTest02(void) { } buf = SCStrdup("220 "); - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_FTP, buf, 4, 0, STREAM_TOCLIENT); + AlpProtoAdd(&ctx, "ftp", IPPROTO_TCP, ALPROTO_FTP, buf, 4, 0, STREAM_TOCLIENT); SCFree(buf); if (ctx.toclient.id != 2) { @@ -839,7 +846,7 @@ int AlpDetectTest03(void) { AlpProtoInit(&ctx); - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_HTTP, buf, 4, 0, STREAM_TOCLIENT); + AlpProtoAdd(&ctx, "http", IPPROTO_TCP, ALPROTO_HTTP, buf, 4, 0, STREAM_TOCLIENT); SCFree(buf); if (ctx.toclient.id != 1) { @@ -851,7 +858,7 @@ int AlpDetectTest03(void) { } buf = SCStrdup("220 "); - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_FTP, buf, 4, 0, STREAM_TOCLIENT); + AlpProtoAdd(&ctx, "ftp", IPPROTO_TCP, ALPROTO_FTP, buf, 4, 0, STREAM_TOCLIENT); SCFree(buf); if (ctx.toclient.id != 2) { @@ -908,7 +915,7 @@ int AlpDetectTest04(void) { AlpProtoInit(&ctx); - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_HTTP, buf, 4, 0, STREAM_TOCLIENT); + AlpProtoAdd(&ctx, "http", IPPROTO_TCP, ALPROTO_HTTP, buf, 4, 0, STREAM_TOCLIENT); SCFree(buf); if (ctx.toclient.id != 1) { 
@@ -966,7 +973,7 @@ int AlpDetectTest05(void) { AlpProtoInit(&ctx); - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_HTTP, buf, 4, 0, STREAM_TOCLIENT); + AlpProtoAdd(&ctx, "http", IPPROTO_TCP, ALPROTO_HTTP, buf, 4, 0, STREAM_TOCLIENT); SCFree(buf); if (ctx.toclient.id != 1) { @@ -978,7 +985,7 @@ int AlpDetectTest05(void) { } buf = SCStrdup("220 "); - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_FTP, buf, 4, 0, STREAM_TOCLIENT); + AlpProtoAdd(&ctx, "ftp", IPPROTO_TCP, ALPROTO_FTP, buf, 4, 0, STREAM_TOCLIENT); SCFree(buf); if (ctx.toclient.id != 2) { @@ -1035,7 +1042,7 @@ int AlpDetectTest06(void) { AlpProtoInit(&ctx); - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_HTTP, buf, 4, 0, STREAM_TOCLIENT); + AlpProtoAdd(&ctx, "http", IPPROTO_TCP, ALPROTO_HTTP, buf, 4, 0, STREAM_TOCLIENT); SCFree(buf); if (ctx.toclient.id != 1) { @@ -1047,7 +1054,7 @@ int AlpDetectTest06(void) { } buf = SCStrdup("220 "); - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_FTP, buf, 4, 0, STREAM_TOCLIENT); + AlpProtoAdd(&ctx, "ftp", IPPROTO_TCP, ALPROTO_FTP, buf, 4, 0, STREAM_TOCLIENT); SCFree(buf); if (ctx.toclient.id != 2) { @@ -1104,7 +1111,7 @@ int AlpDetectTest07(void) { AlpProtoInit(&ctx); - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_HTTP, buf, 4, 0, STREAM_TOCLIENT); + AlpProtoAdd(&ctx, "http", IPPROTO_TCP, ALPROTO_HTTP, buf, 4, 0, STREAM_TOCLIENT); SCFree(buf); if (ctx.toclient.id != 1) { @@ -1172,7 +1179,7 @@ int AlpDetectTest08(void) { AlpProtoInit(&ctx); - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_SMB, buf, 8, 4, STREAM_TOCLIENT); + AlpProtoAdd(&ctx, "smb", IPPROTO_TCP, ALPROTO_SMB, buf, 8, 4, STREAM_TOCLIENT); SCFree(buf); if (ctx.toclient.id != 1) { @@ -1237,7 +1244,7 @@ int AlpDetectTest09(void) { AlpProtoInit(&ctx); - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_SMB2, buf, 8, 4, STREAM_TOCLIENT); + AlpProtoAdd(&ctx, "smb2", IPPROTO_TCP, ALPROTO_SMB2, buf, 8, 4, STREAM_TOCLIENT); SCFree(buf); if (ctx.toclient.id != 1) { 
@@ -1297,7 +1304,7 @@ int AlpDetectTest10(void) { AlpProtoInit(&ctx); - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_DCERPC, buf, 4, 0, STREAM_TOCLIENT); + AlpProtoAdd(&ctx, "dcerpc", IPPROTO_TCP, ALPROTO_DCERPC, buf, 4, 0, STREAM_TOCLIENT); SCFree(buf); if (ctx.toclient.id != 1) { @@ -1347,13 +1354,13 @@ int AlpDetectTest11(void) { AlpProtoInit(&ctx); - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_HTTP, "HTTP", 4, 0, STREAM_TOSERVER); - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_HTTP, "GET", 3, 0, STREAM_TOSERVER); - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_HTTP, "PUT", 3, 0, STREAM_TOSERVER); - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_HTTP, "POST", 4, 0, STREAM_TOSERVER); - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_HTTP, "TRACE", 5, 0, STREAM_TOSERVER); - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_HTTP, "OPTIONS", 7, 0, STREAM_TOSERVER); - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_HTTP, "HTTP", 4, 0, STREAM_TOCLIENT); + AlpProtoAdd(&ctx, "http", IPPROTO_TCP, ALPROTO_HTTP, "HTTP", 4, 0, STREAM_TOSERVER); + AlpProtoAdd(&ctx, "http", IPPROTO_TCP, ALPROTO_HTTP, "GET", 3, 0, STREAM_TOSERVER); + AlpProtoAdd(&ctx, "http", IPPROTO_TCP, ALPROTO_HTTP, "PUT", 3, 0, STREAM_TOSERVER); + AlpProtoAdd(&ctx, "http", IPPROTO_TCP, ALPROTO_HTTP, "POST", 4, 0, STREAM_TOSERVER); + AlpProtoAdd(&ctx, "http", IPPROTO_TCP, ALPROTO_HTTP, "TRACE", 5, 0, STREAM_TOSERVER); + AlpProtoAdd(&ctx, "http", IPPROTO_TCP, ALPROTO_HTTP, "OPTIONS", 7, 0, STREAM_TOSERVER); + AlpProtoAdd(&ctx, "http", IPPROTO_TCP, ALPROTO_HTTP, "HTTP", 4, 0, STREAM_TOCLIENT); if (ctx.toserver.id != 6) { printf("ctx.toserver.id %u != 6: ", ctx.toserver.id); @@ -1390,7 +1397,7 @@ int AlpDetectTest12(void) { int r = 0; AlpProtoInit(&ctx); - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_HTTP, "HTTP", 4, 0, STREAM_TOSERVER); + AlpProtoAdd(&ctx, "http", IPPROTO_TCP, ALPROTO_HTTP, "HTTP", 4, 0, STREAM_TOSERVER); AlpProtoFinalizeGlobal(&ctx); if (ctx.head == NULL) { 
@@ -1436,13 +1443,13 @@ int AlpDetectTest13(void) { AlpProtoInit(&ctx); - AlpProtoAdd(&ctx, IPPROTO_UDP, ALPROTO_HTTP, "HTTP", 4, 0, STREAM_TOSERVER); - AlpProtoAdd(&ctx, IPPROTO_UDP, ALPROTO_HTTP, "GET", 3, 0, STREAM_TOSERVER); - AlpProtoAdd(&ctx, IPPROTO_UDP, ALPROTO_HTTP, "PUT", 3, 0, STREAM_TOSERVER); - AlpProtoAdd(&ctx, IPPROTO_UDP, ALPROTO_HTTP, "POST", 4, 0, STREAM_TOSERVER); - AlpProtoAdd(&ctx, IPPROTO_UDP, ALPROTO_HTTP, "TRACE", 5, 0, STREAM_TOSERVER); - AlpProtoAdd(&ctx, IPPROTO_UDP, ALPROTO_HTTP, "OPTIONS", 7, 0, STREAM_TOSERVER); - AlpProtoAdd(&ctx, IPPROTO_UDP, ALPROTO_HTTP, "HTTP", 4, 0, STREAM_TOCLIENT); + AlpProtoAdd(&ctx, "http", IPPROTO_UDP, ALPROTO_HTTP, "HTTP", 4, 0, STREAM_TOSERVER); + AlpProtoAdd(&ctx, "http", IPPROTO_UDP, ALPROTO_HTTP, "GET", 3, 0, STREAM_TOSERVER); + AlpProtoAdd(&ctx, "http", IPPROTO_UDP, ALPROTO_HTTP, "PUT", 3, 0, STREAM_TOSERVER); + AlpProtoAdd(&ctx, "http", IPPROTO_UDP, ALPROTO_HTTP, "POST", 4, 0, STREAM_TOSERVER); + AlpProtoAdd(&ctx, "http", IPPROTO_UDP, ALPROTO_HTTP, "TRACE", 5, 0, STREAM_TOSERVER); + AlpProtoAdd(&ctx, "http", IPPROTO_UDP, ALPROTO_HTTP, "OPTIONS", 7, 0, STREAM_TOSERVER); + AlpProtoAdd(&ctx, "http", IPPROTO_UDP, ALPROTO_HTTP, "HTTP", 4, 0, STREAM_TOCLIENT); if (ctx.toserver.id != 6) { printf("ctx.toserver.id %u != 6: ", ctx.toserver.id); 
@@ -1487,13 +1494,13 @@ int AlpDetectTest14(void) { AlpProtoInit(&ctx); - AlpProtoAdd(&ctx, IPPROTO_UDP, ALPROTO_HTTP, "HTTP", 4, 0, STREAM_TOSERVER); - AlpProtoAdd(&ctx, IPPROTO_UDP, ALPROTO_HTTP, "GET", 3, 0, STREAM_TOSERVER); - AlpProtoAdd(&ctx, IPPROTO_UDP, ALPROTO_HTTP, "PUT", 3, 0, STREAM_TOSERVER); - AlpProtoAdd(&ctx, IPPROTO_UDP, ALPROTO_HTTP, "POST", 4, 0, STREAM_TOSERVER); - AlpProtoAdd(&ctx, IPPROTO_UDP, ALPROTO_HTTP, "TRACE", 5, 0, STREAM_TOSERVER); - AlpProtoAdd(&ctx, IPPROTO_UDP, ALPROTO_HTTP, "OPTIONS", 7, 0, STREAM_TOSERVER); - AlpProtoAdd(&ctx, IPPROTO_UDP, ALPROTO_HTTP, "HTTP", 4, 0, STREAM_TOCLIENT); + AlpProtoAdd(&ctx, "http", IPPROTO_UDP, ALPROTO_HTTP, "HTTP", 4, 0, STREAM_TOSERVER); + AlpProtoAdd(&ctx, "http", IPPROTO_UDP, ALPROTO_HTTP, "GET", 3, 0, STREAM_TOSERVER); + AlpProtoAdd(&ctx, "http", IPPROTO_UDP, ALPROTO_HTTP, "PUT", 3, 0, STREAM_TOSERVER); + AlpProtoAdd(&ctx, "http", IPPROTO_UDP, ALPROTO_HTTP, "POST", 4, 0, STREAM_TOSERVER); + AlpProtoAdd(&ctx, "http", IPPROTO_UDP, ALPROTO_HTTP, "TRACE", 5, 0, STREAM_TOSERVER); + AlpProtoAdd(&ctx, "http", IPPROTO_UDP, ALPROTO_HTTP, "OPTIONS", 7, 0, STREAM_TOSERVER); + AlpProtoAdd(&ctx, "http", IPPROTO_UDP, ALPROTO_HTTP, "HTTP", 4, 0, STREAM_TOCLIENT); if (ctx.toserver.id != 6) { printf("ctx.toserver.id %u != 6: ", ctx.toserver.id); diff --git a/src/app-layer-detect-proto.h b/src/app-layer-detect-proto.h index 42fd311..bf0723e 100644 --- a/src/app-layer-detect-proto.h +++ b/src/app-layer-detect-proto.h @@ -95,7 +95,7 @@ uint16_t AppLayerDetectGetProtoProbingParser(AlpProtoDetectCtx *, Flow *, uint16_t AppLayerDetectGetProto(AlpProtoDetectCtx *, AlpProtoDetectThreadCtx *, Flow *, uint8_t *, uint32_t, uint8_t, uint8_t); -void AlpProtoAdd(AlpProtoDetectCtx *, uint16_t, uint16_t, char *, uint16_t, uint16_t, uint8_t); +void AlpProtoAdd(AlpProtoDetectCtx *, char *, uint16_t, uint16_t, char *, uint16_t, uint16_t, uint8_t); void AppLayerDetectProtoThreadSpawn(void); void AlpDetectRegisterTests(void); 
diff --git a/src/app-layer-ftp.c b/src/app-layer-ftp.c index 2c42f66..985b781 100644 --- a/src/app-layer-ftp.c +++ b/src/app-layer-ftp.c @@ -264,14 +264,16 @@ static void FTPStateFree(void *s) { void RegisterFTPParsers(void) { + char *proto_name = "ftp"; + /** FTP */ - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_FTP, "USER ", 5, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_FTP, "PASS ", 5, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_FTP, "PORT ", 5, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_FTP, "USER ", 5, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_FTP, "PASS ", 5, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_FTP, "PORT ", 5, 0, STREAM_TOSERVER); - AppLayerRegisterProto("ftp", ALPROTO_FTP, STREAM_TOSERVER, + AppLayerRegisterProto(proto_name, ALPROTO_FTP, STREAM_TOSERVER, FTPParseRequest); - AppLayerRegisterProto("ftp", ALPROTO_FTP, STREAM_TOCLIENT, + AppLayerRegisterProto(proto_name, ALPROTO_FTP, STREAM_TOCLIENT, FTPParseResponse); AppLayerRegisterParser("ftp.request_command_line", ALPROTO_FTP, FTP_FIELD_REQUEST_LINE, FTPParseRequestCommandLine, diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c index ce7ee75..a320f4f 100644 --- a/src/app-layer-htp.c +++ b/src/app-layer-htp.c 
@@ -2337,21 +2337,23 @@ void RegisterHTPParsers(void) { SCEnter(); + char *proto_name = "http"; + /** HTTP */ - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_HTTP, "GET|20|", 4, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_HTTP, "GET|09|", 4, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_HTTP, "PUT|20|", 4, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_HTTP, "PUT|09|", 4, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_HTTP, "POST|20|", 5, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_HTTP, "POST|09|", 5, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_HTTP, "HEAD|20|", 5, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_HTTP, "HEAD|09|", 5, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_HTTP, "TRACE|20|", 6, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_HTTP, "TRACE|09|", 6, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_HTTP, "OPTIONS|20|", 8, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_HTTP, "OPTIONS|09|", 8, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_HTTP, "CONNECT|20|", 8, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_HTTP, "CONNECT|09|", 8, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "GET|20|", 4, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "GET|09|", 4, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "PUT|20|", 4, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "PUT|09|", 4, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "POST|20|", 5, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, 
ALPROTO_HTTP, "POST|09|", 5, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "HEAD|20|", 5, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "HEAD|09|", 5, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "TRACE|20|", 6, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "TRACE|09|", 6, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "OPTIONS|20|", 8, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "OPTIONS|09|", 8, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "CONNECT|20|", 8, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "CONNECT|09|", 8, 0, STREAM_TOSERVER); AppLayerRegisterStateFuncs(ALPROTO_HTTP, HTPStateAlloc, HTPStateFree); AppLayerRegisterTransactionIdFuncs(ALPROTO_HTTP, HTPStateUpdateTransactionId, HTPStateTransactionFree); @@ -2359,9 +2361,9 @@ void RegisterHTPParsers(void) AppLayerDecoderEventsModuleRegister(ALPROTO_HTTP, http_decoder_event_table); - AppLayerRegisterProto("http", ALPROTO_HTTP, STREAM_TOSERVER, + AppLayerRegisterProto(proto_name, ALPROTO_HTTP, STREAM_TOSERVER, HTPHandleRequestData); - AppLayerRegisterProto("http", ALPROTO_HTTP, STREAM_TOCLIENT, + AppLayerRegisterProto(proto_name, ALPROTO_HTTP, STREAM_TOCLIENT, HTPHandleResponseData); HTPConfigure(); diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c index 6488ff6..8545343 100644 --- a/src/app-layer-parser.c +++ b/src/app-layer-parser.c 
@@ -60,9 +60,9 @@
 #include "util-unittest-helper.h"
 #include "util-validate.h"
 
-static AppLayerProto al_proto_table[ALPROTO_MAX]; /**< Application layer protocol
-                                                     table mapped to their
-                                                     corresponding parsers */
+AppLayerProto al_proto_table[ALPROTO_MAX]; /**< Application layer protocol
+                                              table mapped to their
+                                              corresponding parsers */
 
 #define MAX_PARSERS 100
 static AppLayerParserTableElement al_parser_table[MAX_PARSERS];
@@ -595,8 +595,6 @@ int AppLayerRegisterProto(char *name, uint8_t proto, uint8_t flags,
     al_parser_table[al_max_parsers].name = name;
     al_parser_table[al_max_parsers].AppLayerParser = AppLayerParser;
 
-    al_proto_table[proto].name = name;
-
     /* create proto, direction -- parser mapping */
     if (flags & STREAM_TOSERVER) {
         al_proto_table[proto].to_server = al_max_parsers;
@@ -1228,6 +1226,40 @@ int AppLayerTransactionUpdateInspectId(Flow *f, char direction)
     SCReturnInt(r);
 }
 
+void AppLayerListSupportedProtocols(void)
+{
+    uint32_t i;
+    uint32_t temp_alprotos_buf[ALPROTO_MAX];
+
+    printf("=========Supported App Layer Protocols=========\n");
+
+    /* for each proto, alloc the map array */
+    for (i = 0; i < ALPROTO_MAX; i++) {
+        if (al_proto_table[i].name == NULL)
+            continue;
+
+        temp_alprotos_buf[i] = 1;
+        printf("%s\n", al_proto_table[i].name);
+    }
+
+    AppLayerProbingParserInfo *pinfo = alp_proto_ctx.probing_parsers_info;
+    while (pinfo != NULL) {
+        if (temp_alprotos_buf[pinfo->al_proto] == 1) {
+            pinfo = pinfo->next;
+            continue;
+        }
+
+        printf("%s\n", pinfo->al_proto_name);
+        temp_alprotos_buf[pinfo->al_proto] = 1;
+        pinfo = pinfo->next;
+    }
+
+    printf("=====\n");
+
+
+    return;
+}
+
 AppLayerDecoderEvents *AppLayerGetDecoderEventsForFlow(Flow *f)
 {
     DEBUG_ASSERT_FLOW_LOCKED(f);
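Review bot: Dropping `al_proto_table[proto].name = name;` from AppLayerRegisterProto means a protocol that registers a parser but never calls AlpProtoAdd() (one detected only by a probing parser or by port) is left with a NULL name in the table. AppLayerListSupportedProtocols covers that case by walking `probing_parsers_info`, but any other reader of `al_proto_table[].name` now has to tolerate NULL; those readers are outside this diff, so that needs checking before merge. A way to keep both registration paths consistent is to route them through one setter carrying the compare-or-assign logic the commit adds to AlpProtoAdd, so whichever call runs first fixes the name and the second is verified against it. The enclosing function starts and ends outside the hunk.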
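Review bot: `temp_alprotos_buf` is declared without an initializer in AppLayerListSupportedProtocols, but the first loop only writes the slots whose `name` is non-NULL, so `temp_alprotos_buf[pinfo->al_proto] == 1` in the second loop reads indeterminate values for every other protocol and may skip or duplicate entries unpredictably. Initialize it: `uint32_t temp_alprotos_buf[ALPROTO_MAX] = { 0 };` (a `uint8_t` array would do, since it only ever holds 0 or 1). `pinfo->al_proto` is also used as an index with no `< ALPROTO_MAX` check; if the probing-parser registration path does not already bound it, guard it here before indexing. The comment `/* for each proto, alloc the map array */` describes nothing the loop does, so replace it with `/* print every protocol that registered a detection pattern, then any probing-parser-only ones */`, and the bare `return;` before the closing brace is redundant in a void function.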
@@ -1294,11 +1326,11 @@ void RegisterAppLayerParsers(void) /** IMAP */ //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_IMAP, "|2A 20|OK|20|", 5, 0, STREAM_TOCLIENT); - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_IMAP, "1|20|capability", 12, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, "imap", IPPROTO_TCP, ALPROTO_IMAP, "1|20|capability", 12, 0, STREAM_TOSERVER); /** MSN Messenger */ //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_MSN, "MSNP", 10, 6, STREAM_TOCLIENT); - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_MSN, "MSNP", 10, 6, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, "msn", IPPROTO_TCP, ALPROTO_MSN, "MSNP", 10, 6, STREAM_TOSERVER); /** Jabber */ //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_JABBER, "xmlns='jabber|3A|client'", 74, 53, STREAM_TOCLIENT); diff --git a/src/app-layer-parser.h b/src/app-layer-parser.h index b00070e..f156517 100644 --- a/src/app-layer-parser.h +++ b/src/app-layer-parser.h @@ -187,6 +187,8 @@ typedef struct AppLayerProbingParserInfo_ { #define APP_LAYER_PROBING_PARSER_PRIORITY_MEDIUM 2 #define APP_LAYER_PROBING_PARSER_PRIORITY_LOW 3 +extern AppLayerProto al_proto_table[]; + static inline AppLayerProbingParser *AppLayerGetProbingParsers(AppLayerProbingParser *probing_parsers, uint16_t ip_proto, @@ -288,6 +290,7 @@ void AppLayerFreeProbingParsersInfo(AppLayerProbingParserInfo *); void AppLayerPrintProbingParsers(AppLayerProbingParser *); uint16_t AppLayerGetStateVersion(Flow *f); +void AppLayerListSupportedProtocols(void); FileContainer *AppLayerGetFilesFromFlow(Flow *, uint8_t); AppLayerDecoderEvents *AppLayerGetDecoderEventsForFlow(Flow *); diff --git a/src/app-layer-smb.c b/src/app-layer-smb.c index 045b5e0..e7b0da7 100644 --- a/src/app-layer-smb.c +++ b/src/app-layer-smb.c 
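Review bot: Passing `"imap"` and `"msn"` here names protocols that, as far as this hunk shows, have only detection patterns and no AppLayerRegisterProto() parser, so `--list-app-layer-protocols` will print them under "Supported App Layer Protocols" next to fully parsed protocols. If the list is meant to tell rule writers which protocol names are usable in signatures, as the commit subject suggests, that is fine, but the output should say so rather than claim parser support; otherwise mark pattern-only entries distinctly. The enclosing RegisterAppLayerParsers continues outside the hunk.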
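Review bot: `extern AppLayerProto al_proto_table[];` in app-layer-parser.h turns a table that was `static` into a process-wide mutable global so that AlpProtoAdd can write a single field of it; a setter/getter pair exported from app-layer-parser.c (for example `void AppLayerSetProtoName(uint16_t al_proto, char *name)` and `char *AppLayerGetProtoName(uint16_t al_proto)`) would keep the table private, give one place for the bounds check, and let the definition stay `static`. The extern declaration also omits the bound while the definition uses `ALPROTO_MAX`, so `sizeof al_proto_table` in any other translation unit is a compile error on an incomplete type — not a bug today, but a trap worth avoiding by declaring it as `extern AppLayerProto al_proto_table[ALPROTO_MAX];` if the table must be exposed at all.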
@@ -1370,14 +1370,16 @@ static uint16_t SMBProbingParser(uint8_t *input, uint32_t ilen) } void RegisterSMBParsers(void) { + char *proto_name = "smb"; + /** SMB */ - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOSERVER); /** SMB2 */ - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, "smb2", IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOSERVER); - AppLayerRegisterProto("smb", ALPROTO_SMB, STREAM_TOSERVER, SMBParse); - AppLayerRegisterProto("smb", ALPROTO_SMB, STREAM_TOCLIENT, SMBParse); + AppLayerRegisterProto(proto_name, ALPROTO_SMB, STREAM_TOSERVER, SMBParse); + AppLayerRegisterProto(proto_name, ALPROTO_SMB, STREAM_TOCLIENT, SMBParse); AppLayerRegisterStateFuncs(ALPROTO_SMB, SMBStateAlloc, SMBStateFree); AppLayerRegisterTransactionIdFuncs(ALPROTO_SMB, SMBUpdateTransactionId, NULL); @@ -1979,12 +1981,12 @@ int SMBParserTest05(void) AlpProtoInit(&ctx); /** SMB */ - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOCLIENT); - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOSERVER); + AlpProtoAdd(&ctx, "smb", IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOCLIENT); + AlpProtoAdd(&ctx, "smb", IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOSERVER); /** SMB2 */ - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOCLIENT); - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOSERVER); + AlpProtoAdd(&ctx, "smb2", IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOCLIENT); + AlpProtoAdd(&ctx, "smb2", IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOSERVER); AppLayerRegisterProbingParser(&ctx, f.dp, 
@@ -2063,12 +2065,12 @@ int SMBParserTest06(void) AlpProtoInit(&ctx); /** SMB */ - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOCLIENT); - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOSERVER); + AlpProtoAdd(&ctx, "smb", IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOCLIENT); + AlpProtoAdd(&ctx, "smb", IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOSERVER); /** SMB2 */ - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOCLIENT); - AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOSERVER); + AlpProtoAdd(&ctx, "smb2", IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOCLIENT); + AlpProtoAdd(&ctx, "smb2", IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOSERVER); AppLayerRegisterProbingParser(&ctx, f.dp, diff --git a/src/app-layer-smtp.c b/src/app-layer-smtp.c index 65e53b6..e6c9a67 100644 --- a/src/app-layer-smtp.c +++ b/src/app-layer-smtp.c @@ -848,16 +848,18 @@ static void SMTPSetMpmState(void) */ void RegisterSMTPParsers(void) { - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SMTP, "EHLO", 4, 0, + char *proto_name = "smtp"; + + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SMTP, "EHLO", 4, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SMTP, "HELO", 4, 0, + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SMTP, "HELO", 4, 0, STREAM_TOSERVER); AppLayerRegisterStateFuncs(ALPROTO_SMTP, SMTPStateAlloc, SMTPStateFree); - AppLayerRegisterProto("smtp", ALPROTO_SMTP, STREAM_TOSERVER, + AppLayerRegisterProto(proto_name, ALPROTO_SMTP, STREAM_TOSERVER, SMTPParseClientRecord); - AppLayerRegisterProto("smtp", ALPROTO_SMTP, STREAM_TOCLIENT, + AppLayerRegisterProto(proto_name, ALPROTO_SMTP, STREAM_TOCLIENT, SMTPParseServerRecord); AppLayerDecoderEventsModuleRegister(ALPROTO_SMTP, smtp_decoder_event_table); diff --git a/src/app-layer-ssh.c b/src/app-layer-ssh.c index 6f38056..5a40c3f 100644 --- a/src/app-layer-ssh.c 
+++ b/src/app-layer-ssh.c @@ -746,12 +746,14 @@ static void SSHStateFree(void *state) */ void RegisterSSHParsers(void) { + char *proto_name = "ssh"; + /** SSH */ - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SSH, "SSH-", 4, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SSH, "SSH-", 4, 0, STREAM_TOSERVER); - AppLayerRegisterProto("ssh", ALPROTO_SSH, STREAM_TOCLIENT, + AppLayerRegisterProto(proto_name, ALPROTO_SSH, STREAM_TOCLIENT, SSHParseServerRecord); - AppLayerRegisterProto("ssh", ALPROTO_SSH, STREAM_TOSERVER, + AppLayerRegisterProto(proto_name, ALPROTO_SSH, STREAM_TOSERVER, SSHParseClientRecord); AppLayerRegisterStateFuncs(ALPROTO_SSH, SSHStateAlloc, SSHStateFree); diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c index 8337182..80d5749 100644 --- a/src/app-layer-ssl.c +++ b/src/app-layer-ssl.c @@ -861,8 +861,10 @@ void SSLStateFree(void *p) */ void RegisterSSLParsers(void) { + char *proto_name = "tls"; + /** SSLv2 and SSLv23*/ - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|01 00 02|", 5, 2, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 00 02|", 5, 2, STREAM_TOSERVER); /* subsection - SSLv2 style record by client, but informing the server the max * version it supports */ /* Updated by Anoop Saldanha. Disabled it for now. We'll get back to it 
@@ -871,22 +873,22 @@ void RegisterSSLParsers(void) //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|00 02|", 7, 5, STREAM_TOCLIENT); /** SSLv3 */ - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|01 03 00|", 3, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|16 03 00|", 3, 0, STREAM_TOSERVER); /* client hello */ + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 00|", 3, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 00|", 3, 0, STREAM_TOSERVER); /* client hello */ /** TLSv1 */ - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|01 03 01|", 3, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|16 03 01|", 3, 0, STREAM_TOSERVER); /* client hello */ + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 01|", 3, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 01|", 3, 0, STREAM_TOSERVER); /* client hello */ /** TLSv1.1 */ - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|01 03 02|", 3, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|16 03 02|", 3, 0, STREAM_TOSERVER); /* client hello */ + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 02|", 3, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 02|", 3, 0, STREAM_TOSERVER); /* client hello */ /** TLSv1.2 */ - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|01 03 03|", 3, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|16 03 03|", 3, 0, STREAM_TOSERVER); /* client hello */ + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 03|", 3, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 03|", 3, 0, STREAM_TOSERVER); /* client hello */ - AppLayerRegisterProto("tls", ALPROTO_TLS, 
STREAM_TOSERVER, + AppLayerRegisterProto(proto_name, ALPROTO_TLS, STREAM_TOSERVER, SSLParseClientRecord); - AppLayerRegisterProto("tls", ALPROTO_TLS, STREAM_TOCLIENT, + AppLayerRegisterProto(proto_name, ALPROTO_TLS, STREAM_TOCLIENT, SSLParseServerRecord); AppLayerRegisterStateFuncs(ALPROTO_TLS, SSLStateAlloc, SSLStateFree); diff --git a/src/suricata.c b/src/suricata.c index 7e3c934..4708b6e 100644 --- a/src/suricata.c +++ b/src/suricata.c @@ -441,6 +441,7 @@ void usage(const char *progname) #ifdef UNITTESTS printf("\t-u : run the unittests and exit\n"); printf("\t-U, --unittest-filter=REGEX : filter unittests with a regex\n"); + printf("\t--list-app-layer-protos : list supported app layer protocols\n"); printf("\t--list-unittests : list unit tests\n"); printf("\t--list-keywords : list all keywords implemented by the engine\n"); printf("\t--fatal-unittests : enable fatal failure on unittest error\n"); @@ -622,6 +623,7 @@ int main(int argc, char **argv) char *regex_arg = NULL; #endif int dump_config = 0; + int list_app_layer_protocols = 0; int list_unittests = 0; int list_cuda_cards = 0; int list_runmodes = 0; @@ -704,6 +706,7 @@ int main(int argc, char **argv) {"pcap", optional_argument, 0, 0}, {"pcap-buffer-size", required_argument, 0, 0}, {"unittest-filter", required_argument, 0, 'U'}, + {"list-app-layer-protocols", 0, &list_app_layer_protocols, 1}, {"list-unittests", 0, &list_unittests, 1}, {"list-cuda-cards", 0, &list_cuda_cards, 1}, {"list-runmodes", 0, &list_runmodes, 1}, @@ -840,6 +843,9 @@ int main(int argc, char **argv) exit(EXIT_FAILURE); } } + else if(strcmp((long_opts[option_index]).name, "list-app-layer-protocols") == 0) { + /* listing all supported app layer protocols */ + } else if(strcmp((long_opts[option_index]).name, "list-unittests") == 0) { #ifdef UNITTESTS /* Set run_mode to unit tests. */ 
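Review bot: The usage line added in usage() advertises `--list-app-layer-protos`, but the long option registered in `long_opts` is `list-app-layer-protocols`, so the documented spelling is rejected by getopt_long; change it to `printf("\t--list-app-layer-protocols : list supported app layer protocols\n");`. The new line also sits inside an `#ifdef UNITTESTS` block while the option itself is unconditional, so builds without unittests accept the flag but never document it; move it outside the guard (the `#endif` is beyond this hunk, so check where the block ends). In the option loop the new `else if (... "list-app-layer-protocols")` branch has an empty body because getopt sets the flag through `long_opts`; a comment such as `/* flag set via long_opts; handled after the config is loaded */` would make that intentional rather than look like a forgotten case. main() begins and ends outside these hunks.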
@@ -1173,6 +1179,10 @@ int main(int argc, char **argv) TimeInit(); SupportFastPatternForSigMatchTypes(); + /* load the pattern matchers */ + MpmTableSetup(); + + /** \todo we need an api for these */ /* Load yaml configuration file if provided. */ if (conf_filename != NULL) { if (ConfYamlLoadFile(conf_filename) != 0) { @@ -1201,6 +1211,13 @@ int main(int argc, char **argv) exit(EXIT_FAILURE); } + AppLayerDetectProtoThreadInit(); + if (list_app_layer_protocols) { + AppLayerListSupportedProtocols(); + exit(EXIT_SUCCESS); + } + AppLayerParsersInitPostProcess(); + if (dump_config) { ConfDump(); exit(EXIT_SUCCESS); @@ -1310,7 +1327,6 @@ int main(int argc, char **argv) } /* hardcoded initialization code */ - MpmTableSetup(); /* load the pattern matchers */ SigTableSetup(); /* load the rule keywords */ if (list_keywords) { SigTableList(); @@ -1379,10 +1395,6 @@ int main(int argc, char **argv) AppLayerHtpNeedFileInspection(); - /** \todo we need an api for these */ - AppLayerDetectProtoThreadInit(); - AppLayerParsersInitPostProcess(); - #ifdef UNITTESTS if (run_mode == RUNMODE_UNITTEST) { -- 1.7.1
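Review bot: The reorder moves `AppLayerDetectProtoThreadInit()` and `AppLayerParsersInitPostProcess()` from after `AppLayerHtpNeedFileInspection()` to directly after the YAML load, ahead of `SigTableSetup()` and everything between, for every run mode — not only when `--list-app-layer-protocols` is given. Unless that earlier ordering is known to be safe (what the post-process step depends on is not visible in the diff), initialise early only on the listing path, `if (list_app_layer_protocols) { AppLayerDetectProtoThreadInit(); AppLayerListSupportedProtocols(); exit(EXIT_SUCCESS); }`, and leave the two original calls where they were. The `/** \todo we need an api for these */` comment now sits above the YAML-loading code it never referred to; drop it or keep it with the calls it describes. `MpmTableSetup()` is likewise pulled ahead of configuration loading; if the MPM table ever consults config at setup time that would regress, so a one-line comment on why it must now precede the protocol-detection init would help the next reader. main() begins and ends outside these hunks.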