[people/ms/suricata.git] / src / app-layer-parser.h

/* Copyright (C) 2007-2013 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \file
 *
 * \author Victor Julien <victor@inliniac.net>
 * \author Anoop Saldanha <anoopsaldanha@gmail.com>
 */

#ifndef __APP_LAYER_PARSER_H__
#define __APP_LAYER_PARSER_H__

#include "app-layer-events.h"
#include "util-file.h"

#define APP_LAYER_PARSER_EOF            0x01
#define APP_LAYER_PARSER_NO_INSPECTION  0x02
#define APP_LAYER_PARSER_NO_REASSEMBLY  0x04


/***** transaction handling *****/

/** \brief Function ptr type for getting active TxId from a flow
 *  Used by AppLayerTransactionGetActive.
 */
typedef uint64_t (*GetActiveTxIdFunc)(Flow *f, uint8_t flags);

/** \brief Register GetActiveTxId Function
 *
 */
void RegisterAppLayerGetActiveTxIdFunc(GetActiveTxIdFunc FuncPtr);

/** \brief active TX retrieval for normal ops: so with detection and logging
 *
 *  \retval tx_id lowest tx_id that still needs work
 *
 *  This is the default function.
 */
uint64_t AppLayerTransactionGetActiveDetectLog(Flow *f, uint8_t flags);

/** \brief active TX retrieval for logging only ops
 *
 *  \retval tx_id lowest tx_id that still needs work
 */
uint64_t AppLayerTransactionGetActiveLogOnly(Flow *f, uint8_t flags);


int AppLayerParserSetup(void);

int AppLayerParserDeSetup(void);

typedef struct AppLayerParserThreadCtx_ AppLayerParserThreadCtx;

/**
 * \brief Gets a new app layer protocol's parser thread context.
 *
 * \retval Non-NULL pointer on success.
 *         NULL pointer on failure.
 */
AppLayerParserThreadCtx *AppLayerParserThreadCtxAlloc(void);

/**
 * \brief Destroys the app layer parser thread context obtained
 *        using AppLayerParserThreadCtxAlloc().
 *
 * \param tctx Pointer to the thread context to be destroyed.
 */
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx);

/**
 * \brief Given a protocol name, checks if the parser is enabled in
 *        the conf file.
 *
 * \param alproto_name Name of the app layer protocol.
 *
 * \retval 1 If enabled.
 * \retval 0 If disabled.
 */
int AppLayerParserConfParserEnabled(const char *ipproto,
                                    const char *alproto_name);

/***** Parser related registration *****/

/**
 * \brief Register app layer parser for the protocol.
 *
 * \retval 0 On success.
 * \retval -1 On failure.
 */
int AppLayerParserRegisterParser(uint8_t ipproto, AppProto alproto,
                      uint8_t direction,
                      int (*Parser)(Flow *f, void *protocol_state,
                                    AppLayerParserState *pstate,
                                    uint8_t *buf, uint32_t buf_len,
                                    void *local_storage));
void AppLayerParserRegisterParserAcceptableDataDirection(uint8_t ipproto,
                                              AppProto alproto,
                                              uint8_t direction);
void AppLayerParserRegisterStateFuncs(uint8_t ipproto, AppProto alproto,
                           void *(*StateAlloc)(void),
                           void (*StateFree)(void *));
void AppLayerParserRegisterLocalStorageFunc(uint8_t ipproto, AppProto proto,
                                 void *(*LocalStorageAlloc)(void),
                                 void (*LocalStorageFree)(void *));
void AppLayerParserRegisterGetFilesFunc(uint8_t ipproto, AppProto alproto,
                             FileContainer *(*StateGetFiles)(void *, uint8_t));
void AppLayerParserRegisterGetEventsFunc(uint8_t ipproto, AppProto proto,
    AppLayerDecoderEvents *(*StateGetEvents)(void *, uint64_t));
void AppLayerParserRegisterHasEventsFunc(uint8_t ipproto, AppProto alproto,
                              int (*StateHasEvents)(void *));
void AppLayerParserRegisterLogger(uint8_t ipproto, AppProto alproto);
void AppLayerParserRegisterTruncateFunc(uint8_t ipproto, AppProto alproto,
                             void (*Truncate)(void *, uint8_t));
void AppLayerParserRegisterGetStateProgressFunc(uint8_t ipproto, AppProto alproto,
    int (*StateGetStateProgress)(void *alstate, uint8_t direction));
void AppLayerParserRegisterTxFreeFunc(uint8_t ipproto, AppProto alproto,
                           void (*StateTransactionFree)(void *, uint64_t));
void AppLayerParserRegisterGetTxCnt(uint8_t ipproto, AppProto alproto,
                         uint64_t (*StateGetTxCnt)(void *alstate));
void AppLayerParserRegisterGetTx(uint8_t ipproto, AppProto alproto,
                      void *(StateGetTx)(void *alstate, uint64_t tx_id));
void AppLayerParserRegisterGetStateProgressCompletionStatus(uint8_t ipproto,
                                                 AppProto alproto,
    int (*StateGetStateProgressCompletionStatus)(uint8_t direction));
void AppLayerParserRegisterGetEventInfo(uint8_t ipproto, AppProto alproto,
    int (*StateGetEventInfo)(const char *event_name, int *event_id,
                             AppLayerEventType *event_type));

/***** Get and transaction functions *****/

void *AppLayerParserGetProtocolParserLocalStorage(uint8_t ipproto, AppProto alproto);
void AppLayerParserDestroyProtocolParserLocalStorage(uint8_t ipproto, AppProto alproto,
                                          void *local_data);


uint64_t AppLayerParserGetTransactionLogId(AppLayerParserState *pstate);
void AppLayerParserSetTransactionLogId(AppLayerParserState *pstate);
uint64_t AppLayerParserGetTransactionInspectId(AppLayerParserState *pstate, uint8_t direction);
void AppLayerParserSetTransactionInspectId(AppLayerParserState *pstate,
                                uint8_t ipproto, AppProto alproto, void *alstate,
                                uint8_t direction);
AppLayerDecoderEvents *AppLayerParserGetDecoderEvents(AppLayerParserState *pstate);
void AppLayerParserSetDecoderEvents(AppLayerParserState *pstate, AppLayerDecoderEvents *devents);
AppLayerDecoderEvents *AppLayerParserGetEventsByTx(uint8_t ipproto, AppProto alproto, void *alstate,
                                        uint64_t tx_id);
uint16_t AppLayerParserGetStateVersion(AppLayerParserState *pstate);
FileContainer *AppLayerParserGetFiles(uint8_t ipproto, AppProto alproto,
                           void *alstate, uint8_t direction);
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto,
                        void *alstate, uint8_t direction);
uint64_t AppLayerParserGetTxCnt(uint8_t ipproto, AppProto alproto, void *alstate);
void *AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id);
int AppLayerParserGetStateProgressCompletionStatus(uint8_t ipproto, AppProto alproto,
                                        uint8_t direction);
int AppLayerParserGetEventInfo(uint8_t ipproto, AppProto alproto, const char *event_name,
                    int *event_id, AppLayerEventType *event_type);

uint64_t AppLayerParserGetTransactionActive(uint8_t ipproto, AppProto alproto, AppLayerParserState *pstate, uint8_t direction);

uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto);

/***** General *****/

int AppLayerParserParse(AppLayerParserThreadCtx *tctx, Flow *f, AppProto alproto,
                   uint8_t flags, uint8_t *input, uint32_t input_len);
void AppLayerParserSetEOF(AppLayerParserState *pstate);
int AppLayerParserHasDecoderEvents(uint8_t ipproto, AppProto alproto, void *alstate, AppLayerParserState *pstate,
                        uint8_t flags);
int AppLayerParserProtocolIsTxAware(uint8_t ipproto, AppProto alproto);
int AppLayerParserProtocolIsTxEventAware(uint8_t ipproto, AppProto alproto);
int AppLayerParserProtocolSupportsTxs(uint8_t ipproto, AppProto alproto);
void AppLayerParserTriggerRawStreamReassembly(Flow *f);

/***** Cleanup *****/

void AppLayerParserStateCleanup(uint8_t ipproto, AppProto alproto, void *alstate, AppLayerParserState *pstate);

void AppLayerParserRegisterProtocolParsers(void);


void AppLayerParserStateSetFlag(AppLayerParserState *pstate, uint8_t flag);
int AppLayerParserStateIssetFlag(AppLayerParserState *pstate, uint8_t flag);

void AppLayerParserStreamTruncated(uint8_t ipproto, AppProto alproto, void *alstate,
                        uint8_t direction);


AppLayerParserState *AppLayerParserStateAlloc(void);
void AppLayerParserStateFree(AppLayerParserState *pstate);


#ifdef DEBUG
void AppLayerParserStatePrintDetails(AppLayerParserState *pstate);
#endif

/***** Unittests *****/

#ifdef UNITTESTS
void AppLayerParserRegisterProtocolUnittests(uint8_t ipproto, AppProto alproto,
                                  void (*RegisterUnittests)(void));
void AppLayerParserRegisterUnittests(void);
void AppLayerParserBackupParserTable(void);
void AppLayerParserRestoreParserTable(void);
#endif

#endif /* __APP_LAYER_PARSER_H__ */
Commit	Line	Data
429c6388	1	/* Copyright (C) 2007-2013 Open Information Security Foundation
ce019275 WM	2	*
	3	* You can copy, redistribute or modify this Program under the terms of
	4	* the GNU General Public License version 2 as published by the Free
	5	* Software Foundation.
	6	*
	7	* This program is distributed in the hope that it will be useful,
	8	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	9	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	10	* GNU General Public License for more details.
	11	*
	12	* You should have received a copy of the GNU General Public License
	13	* version 2 along with this program; if not, write to the Free Software
	14	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
	15	* 02110-1301, USA.
	16	*/
	17
	18	/**
	19	* \file
	20	*
	21	* \author Victor Julien <victor@inliniac.net>
429c6388	22	* \author Anoop Saldanha <anoopsaldanha@gmail.com>
ce019275 WM	23	*/
ce019275 WM	24
59327e0f VJ	25	#ifndef __APP_LAYER_PARSER_H__
59327e0f VJ	26	#define __APP_LAYER_PARSER_H__
8e10844f	27
347c0df9	28	#include "app-layer-events.h"
e1022ee5 VJ	29	#include "util-file.h"
e1022ee5 VJ	30
429c6388 AS	31	#define APP_LAYER_PARSER_EOF 0x01
	32	#define APP_LAYER_PARSER_NO_INSPECTION 0x02
	33	#define APP_LAYER_PARSER_NO_REASSEMBLY 0x04
	34
2c857087 VJ	35
	36
	37	/*** transaction handling ***/
	38
	39	/** \brief Function ptr type for getting active TxId from a flow
	40	* Used by AppLayerTransactionGetActive.
	41	*/
	42	typedef uint64_t (GetActiveTxIdFunc)(Flow f, uint8_t flags);
	43
	44	/** \brief Register GetActiveTxId Function
	45	*
	46	*/
	47	void RegisterAppLayerGetActiveTxIdFunc(GetActiveTxIdFunc FuncPtr);
	48
	49	/** \brief active TX retrieval for normal ops: so with detection and logging
	50	*
	51	* \retval tx_id lowest tx_id that still needs work
	52	*
	53	* This is the default function.
	54	*/
	55	uint64_t AppLayerTransactionGetActiveDetectLog(Flow *f, uint8_t flags);
	56
5cc880c5 VJ	57	/** \brief active TX retrieval for logging only ops
	58	*
	59	* \retval tx_id lowest tx_id that still needs work
	60	*/
	61	uint64_t AppLayerTransactionGetActiveLogOnly(Flow *f, uint8_t flags);
	62
	63
429c6388 AS	64	int AppLayerParserSetup(void);
	65
	66	int AppLayerParserDeSetup(void);
	67
9634e60e VJ	68	typedef struct AppLayerParserThreadCtx_ AppLayerParserThreadCtx;
9634e60e VJ	69
429c6388 AS	70	/**
	71	* \brief Gets a new app layer protocol's parser thread context.
	72	*
	73	* \retval Non-NULL pointer on success.
	74	* NULL pointer on failure.
	75	*/
9634e60e	76	AppLayerParserThreadCtx *AppLayerParserThreadCtxAlloc(void);
429c6388 AS	77
	78	/**
	79	* \brief Destroys the app layer parser thread context obtained
fdefb65b	80	* using AppLayerParserThreadCtxAlloc().
429c6388 AS	81	*
	82	* \param tctx Pointer to the thread context to be destroyed.
	83	*/
9634e60e	84	void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx);
429c6388 AS	85
	86	/**
	87	* \brief Given a protocol name, checks if the parser is enabled in
	88	* the conf file.
	89	*
	90	* \param alproto_name Name of the app layer protocol.
	91	*
	92	* \retval 1 If enabled.
	93	* \retval 0 If disabled.
d4d18e31	94	*/
429c6388 AS	95	int AppLayerParserConfParserEnabled(const char *ipproto,
429c6388 AS	96	const char *alproto_name);
d4d18e31	97
429c6388	98	/*** Parser related registration ***/
d4d18e31 AS	99
d4d18e31 AS	100	/**
429c6388	101	* \brief Register app layer parser for the protocol.
d4d18e31	102	*
429c6388 AS	103	* \retval 0 On success.
429c6388 AS	104	* \retval -1 On failure.
d4d18e31	105	*/
5cdeadb3	106	int AppLayerParserRegisterParser(uint8_t ipproto, AppProto alproto,
429c6388 AS	107	uint8_t direction,
429c6388 AS	108	int (Parser)(Flow f, void *protocol_state,
9634e60e	109	AppLayerParserState *pstate,
429c6388 AS	110	uint8_t *buf, uint32_t buf_len,
429c6388 AS	111	void *local_storage));
5cdeadb3	112	void AppLayerParserRegisterParserAcceptableDataDirection(uint8_t ipproto,
429c6388 AS	113	AppProto alproto,
429c6388 AS	114	uint8_t direction);
5cdeadb3	115	void AppLayerParserRegisterStateFuncs(uint8_t ipproto, AppProto alproto,
429c6388 AS	116	void (StateAlloc)(void),
429c6388 AS	117	void (StateFree)(void ));
5cdeadb3	118	void AppLayerParserRegisterLocalStorageFunc(uint8_t ipproto, AppProto proto,
429c6388 AS	119	void (LocalStorageAlloc)(void),
429c6388 AS	120	void (LocalStorageFree)(void ));
5cdeadb3	121	void AppLayerParserRegisterGetFilesFunc(uint8_t ipproto, AppProto alproto,
429c6388	122	FileContainer (StateGetFiles)(void *, uint8_t));
5cdeadb3	123	void AppLayerParserRegisterGetEventsFunc(uint8_t ipproto, AppProto proto,
429c6388	124	AppLayerDecoderEvents (StateGetEvents)(void *, uint64_t));
5cdeadb3	125	void AppLayerParserRegisterHasEventsFunc(uint8_t ipproto, AppProto alproto,
429c6388	126	int (StateHasEvents)(void ));
5cdeadb3 VJ	127	void AppLayerParserRegisterLogger(uint8_t ipproto, AppProto alproto);
5cdeadb3 VJ	128	void AppLayerParserRegisterTruncateFunc(uint8_t ipproto, AppProto alproto,
429c6388	129	void (Truncate)(void , uint8_t));
5cdeadb3	130	void AppLayerParserRegisterGetStateProgressFunc(uint8_t ipproto, AppProto alproto,
429c6388	131	int (StateGetStateProgress)(void alstate, uint8_t direction));
5cdeadb3	132	void AppLayerParserRegisterTxFreeFunc(uint8_t ipproto, AppProto alproto,
429c6388	133	void (StateTransactionFree)(void , uint64_t));
5cdeadb3	134	void AppLayerParserRegisterGetTxCnt(uint8_t ipproto, AppProto alproto,
429c6388	135	uint64_t (StateGetTxCnt)(void alstate));
5cdeadb3	136	void AppLayerParserRegisterGetTx(uint8_t ipproto, AppProto alproto,
429c6388	137	void (StateGetTx)(void alstate, uint64_t tx_id));
5cdeadb3	138	void AppLayerParserRegisterGetStateProgressCompletionStatus(uint8_t ipproto,
f5f14880	139	AppProto alproto,
429c6388	140	int (*StateGetStateProgressCompletionStatus)(uint8_t direction));
5cdeadb3	141	void AppLayerParserRegisterGetEventInfo(uint8_t ipproto, AppProto alproto,
429c6388 AS	142	int (StateGetEventInfo)(const char event_name, int *event_id,
429c6388 AS	143	AppLayerEventType *event_type));
d4d18e31	144
429c6388	145	/*** Get and transaction functions ***/
16cfae2f	146
5cdeadb3 VJ	147	void *AppLayerParserGetProtocolParserLocalStorage(uint8_t ipproto, AppProto alproto);
5cdeadb3 VJ	148	void AppLayerParserDestroyProtocolParserLocalStorage(uint8_t ipproto, AppProto alproto,
429c6388	149	void *local_data);
6cb00142	150
6cb00142	151
9634e60e VJ	152	uint64_t AppLayerParserGetTransactionLogId(AppLayerParserState *pstate);
	153	void AppLayerParserSetTransactionLogId(AppLayerParserState *pstate);
	154	uint64_t AppLayerParserGetTransactionInspectId(AppLayerParserState *pstate, uint8_t direction);
	155	void AppLayerParserSetTransactionInspectId(AppLayerParserState *pstate,
5cdeadb3	156	uint8_t ipproto, AppProto alproto, void *alstate,
429c6388	157	uint8_t direction);
9634e60e VJ	158	AppLayerDecoderEvents AppLayerParserGetDecoderEvents(AppLayerParserState pstate);
9634e60e VJ	159	void AppLayerParserSetDecoderEvents(AppLayerParserState pstate, AppLayerDecoderEvents devents);
5cdeadb3	160	AppLayerDecoderEvents AppLayerParserGetEventsByTx(uint8_t ipproto, AppProto alproto, void alstate,
429c6388	161	uint64_t tx_id);
9634e60e	162	uint16_t AppLayerParserGetStateVersion(AppLayerParserState *pstate);
5cdeadb3	163	FileContainer *AppLayerParserGetFiles(uint8_t ipproto, AppProto alproto,
429c6388	164	void *alstate, uint8_t direction);
5cdeadb3	165	int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto,
429c6388	166	void *alstate, uint8_t direction);
5cdeadb3 VJ	167	uint64_t AppLayerParserGetTxCnt(uint8_t ipproto, AppProto alproto, void *alstate);
	168	void AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void alstate, uint64_t tx_id);
	169	int AppLayerParserGetStateProgressCompletionStatus(uint8_t ipproto, AppProto alproto,
429c6388	170	uint8_t direction);
5cdeadb3	171	int AppLayerParserGetEventInfo(uint8_t ipproto, AppProto alproto, const char *event_name,
429c6388	172	int event_id, AppLayerEventType event_type);
6cb00142	173
9634e60e	174	uint64_t AppLayerParserGetTransactionActive(uint8_t ipproto, AppProto alproto, AppLayerParserState *pstate, uint8_t direction);
6cb00142	175
f5f14880	176	uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto);
ddde572f	177
429c6388 AS	178	/*** General ***/
429c6388 AS	179
9634e60e	180	int AppLayerParserParse(AppLayerParserThreadCtx tctx, Flow f, AppProto alproto,
429c6388	181	uint8_t flags, uint8_t *input, uint32_t input_len);
9634e60e VJ	182	void AppLayerParserSetEOF(AppLayerParserState *pstate);
9634e60e VJ	183	int AppLayerParserHasDecoderEvents(uint8_t ipproto, AppProto alproto, void alstate, AppLayerParserState pstate,
429c6388	184	uint8_t flags);
b2d420be	185	int AppLayerParserProtocolIsTxAware(uint8_t ipproto, AppProto alproto);
5cdeadb3 VJ	186	int AppLayerParserProtocolIsTxEventAware(uint8_t ipproto, AppProto alproto);
5cdeadb3 VJ	187	int AppLayerParserProtocolSupportsTxs(uint8_t ipproto, AppProto alproto);
429c6388 AS	188	void AppLayerParserTriggerRawStreamReassembly(Flow *f);
	189
	190	/*** Cleanup ***/
	191
9634e60e	192	void AppLayerParserStateCleanup(uint8_t ipproto, AppProto alproto, void alstate, AppLayerParserState pstate);
429c6388 AS	193
	194	void AppLayerParserRegisterProtocolParsers(void);
	195
	196
9634e60e VJ	197	void AppLayerParserStateSetFlag(AppLayerParserState *pstate, uint8_t flag);
9634e60e VJ	198	int AppLayerParserStateIssetFlag(AppLayerParserState *pstate, uint8_t flag);
429c6388	199
5cdeadb3	200	void AppLayerParserStreamTruncated(uint8_t ipproto, AppProto alproto, void *alstate,
429c6388 AS	201	uint8_t direction);
	202
	203
	204
9634e60e VJ	205	AppLayerParserState *AppLayerParserStateAlloc(void);
9634e60e VJ	206	void AppLayerParserStateFree(AppLayerParserState *pstate);
429c6388 AS	207
	208
	209
	210	#ifdef DEBUG
9634e60e	211	void AppLayerParserStatePrintDetails(AppLayerParserState *pstate);
429c6388	212	#endif
6cb00142 AS	213
	214	/*** Unittests ***/
	215
429c6388	216	#ifdef UNITTESTS
5cdeadb3	217	void AppLayerParserRegisterProtocolUnittests(uint8_t ipproto, AppProto alproto,
429c6388 AS	218	void (*RegisterUnittests)(void));
	219	void AppLayerParserRegisterUnittests(void);
	220	void AppLayerParserBackupParserTable(void);
	221	void AppLayerParserRestoreParserTable(void);
	222	#endif
6cb00142	223
59327e0f	224	#endif /* __APP_LAYER_PARSER_H__ */