[people/ms/suricata.git] / src / app-layer-tftp.c

/* Copyright (C) 2017 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 *
 */

/**
 * \file
 *
 * \author Clément Galland <clement.galland@epita.fr>
 *
 * Parser for NTP application layer running on UDP port 69.
 */


#include "suricata-common.h"
#include "stream.h"
#include "conf.h"

#include "util-unittest.h"

#include "app-layer-detect-proto.h"
#include "app-layer-parser.h"

#include "app-layer-tftp.h"

#ifndef HAVE_RUST

void RegisterTFTPParsers(void)
{
}

#else

#include "rust-tftp-tftp-gen.h"

/* The default port to probe if not provided in the configuration file. */
#define TFTP_DEFAULT_PORT "69"

/* The minimum size for an message. For some protocols this might
 * be the size of a header. */
#define TFTP_MIN_FRAME_LEN 4

/* Enum of app-layer events for an echo protocol. Normally you might
 * have events for errors in parsing data, like unexpected data being
 * received. For echo we'll make something up, and log an app-layer
 * level alert if an empty message is received.
 *
 * Example rule:
 *
 * alert tftp any any -> any any (msg:"SURICATA TFTP empty message"; \
 *    app-layer-event:tftp.empty_message; sid:X; rev:Y;)
 */
enum {
    TFTP_DECODER_EVENT_EMPTY_MESSAGE,
};

SCEnumCharMap tftp_decoder_event_table[] = {
    {"EMPTY_MESSAGE", TFTP_DECODER_EVENT_EMPTY_MESSAGE},

    // event table must be NULL-terminated
    { NULL, -1 },
};

static void *TFTPStateAlloc(void)
{
    return rs_tftp_state_alloc();
}

static void TFTPStateFree(void *state)
{
    rs_tftp_state_free(state);
}

/**
 * \brief Callback from the application layer to have a transaction freed.
 *
 * \param state a void pointer to the TFTPState object.
 * \param tx_id the transaction ID to free.
 */
static void TFTPStateTxFree(void *state, uint64_t tx_id)
{
    rs_tftp_state_tx_free(state, tx_id);
}

static int TFTPStateGetEventInfo(const char *event_name, int *event_id,
    AppLayerEventType *event_type)
{
    return -1;
}

static AppLayerDecoderEvents *TFTPGetEvents(void *state, uint64_t tx_id)
{
    return NULL;
}

/**
 * \brief Probe the input to see if it looks like echo.
 *
 * \retval ALPROTO_TFTP if it looks like echo, otherwise
 *     ALPROTO_UNKNOWN.
 */
static AppProto TFTPProbingParser(Flow *f, uint8_t *input, uint32_t input_len,
    uint32_t *offset)
{
    /* Very simple test - if there is input, this is tftp.
     * Also check if it's starting by a zero */
    if (input_len >= TFTP_MIN_FRAME_LEN && *input == 0) {
        SCLogDebug("Detected as ALPROTO_TFTP.");
        return ALPROTO_TFTP;
    }

    SCLogDebug("Protocol not detected as ALPROTO_TFTP.");
    return ALPROTO_UNKNOWN;
}

static int TFTPParseRequest(Flow *f, void *state,
    AppLayerParserState *pstate, uint8_t *input, uint32_t input_len,
    void *local_data)
{
    SCLogDebug("Parsing echo request: len=%"PRIu32, input_len);

    /* Likely connection closed, we can just return here. */
    if ((input == NULL || input_len == 0) &&
        AppLayerParserStateIssetFlag(pstate, APP_LAYER_PARSER_EOF)) {
        return 0;
    }

    /* Probably don't want to create a transaction in this case
     * either. */
    if (input == NULL || input_len == 0) {
        return 0;
    }

    return rs_tftp_request(state, input, input_len);
}

/**
 * \brief Response parsing is not implemented
 */
static int TFTPParseResponse(Flow *f, void *state, AppLayerParserState *pstate,
    uint8_t *input, uint32_t input_len, void *local_data)
{
    return 0;
}

static uint64_t TFTPGetTxCnt(void *state)
{
    return rs_tftp_get_tx_cnt(state);
}

static void *TFTPGetTx(void *state, uint64_t tx_id)
{
    return rs_tftp_get_tx(state, tx_id);
}

static void TFTPSetTxLogged(void *state, void *vtx, uint32_t logger)
{
    rs_tftp_set_tx_logged(state, vtx, logger);
}

static LoggerId TFTPGetTxLogged(void *state, void *vtx)
{
    return rs_tftp_get_tx_logged(state, vtx);
}

/**
 * \brief Called by the application layer.
 *
 * In most cases 1 can be returned here.
 */
static int TFTPGetAlstateProgressCompletionStatus(uint8_t direction) {
    return 1;
}

/**
 * \brief Return the state of a transaction in a given direction.
 *
 * In the case of the echo protocol, the existence of a transaction
 * means that the request is done. However, some protocols that may
 * need multiple chunks of data to complete the request may need more
 * than just the existence of a transaction for the request to be
 * considered complete.
 *
 * For the response to be considered done, the response for a request
 * needs to be seen.  The response_done flag is set on response for
 * checking here.
 */
static int TFTPGetStateProgress(void *tx, uint8_t direction)
{
    return 1;
}

static DetectEngineState *TFTPGetTxDetectState(void *vtx)
{
    return NULL;
}

static int TFTPSetTxDetectState(void *vtx,
    DetectEngineState *s)
{
    return 0;
}

void RegisterTFTPParsers(void)
{
    const char *proto_name = "tftp";

    /* Check if TFTP UDP detection is enabled. If it does not exist in
     * the configuration file then it will be enabled by default. */
    if (AppLayerProtoDetectConfProtoDetectionEnabled("udp", proto_name)) {

        SCLogDebug("TFTP UDP protocol detection enabled.");

        AppLayerProtoDetectRegisterProtocol(ALPROTO_TFTP, proto_name);

        if (RunmodeIsUnittests()) {
            SCLogDebug("Unittest mode, registeringd default configuration.");
            AppLayerProtoDetectPPRegister(IPPROTO_UDP, TFTP_DEFAULT_PORT,
                                          ALPROTO_TFTP, 0, TFTP_MIN_FRAME_LEN,
                                          STREAM_TOSERVER, TFTPProbingParser,
                                          NULL);
        } else {
            if (!AppLayerProtoDetectPPParseConfPorts("udp", IPPROTO_UDP,
                                                     proto_name, ALPROTO_TFTP,
                                                     0, TFTP_MIN_FRAME_LEN,
                                                     TFTPProbingParser, NULL)) {
                SCLogDebug("No echo app-layer configuration, enabling echo"
                           " detection UDP detection on port %s.",
                           TFTP_DEFAULT_PORT);
                AppLayerProtoDetectPPRegister(IPPROTO_UDP,
                                              TFTP_DEFAULT_PORT, ALPROTO_TFTP,
                                              0, TFTP_MIN_FRAME_LEN,
                                              STREAM_TOSERVER,TFTPProbingParser,
                                              NULL);
            }
        }
    } else {
        SCLogDebug("Protocol detecter and parser disabled for TFTP.");
        return;
    }

    if (AppLayerParserConfParserEnabled("udp", proto_name)) {

        SCLogDebug("Registering TFTP protocol parser.");

        /* Register functions for state allocation and freeing. A
         * state is allocated for every new TFTP flow. */
        AppLayerParserRegisterStateFuncs(IPPROTO_UDP, ALPROTO_TFTP,
                                         TFTPStateAlloc, TFTPStateFree);

        /* Register request parser for parsing frame from server to client. */
        AppLayerParserRegisterParser(IPPROTO_UDP, ALPROTO_TFTP,
                                     STREAM_TOSERVER, TFTPParseRequest);

        /* Register response parser for parsing frames from server to client. */
        AppLayerParserRegisterParser(IPPROTO_UDP, ALPROTO_TFTP,
                                     STREAM_TOCLIENT, TFTPParseResponse);

        /* Register a function to be called by the application layer
         * when a transaction is to be freed. */
        AppLayerParserRegisterTxFreeFunc(IPPROTO_UDP, ALPROTO_TFTP,
                                         TFTPStateTxFree);

        AppLayerParserRegisterLoggerFuncs(IPPROTO_UDP, ALPROTO_TFTP,
                                          TFTPGetTxLogged, TFTPSetTxLogged);

        /* Register a function to return the current transaction count. */
        AppLayerParserRegisterGetTxCnt(IPPROTO_UDP, ALPROTO_TFTP,
                                       TFTPGetTxCnt);

        /* Transaction handling. */
        AppLayerParserRegisterGetStateProgressCompletionStatus(ALPROTO_TFTP,
            TFTPGetAlstateProgressCompletionStatus);
        AppLayerParserRegisterGetStateProgressFunc(IPPROTO_UDP,
                                                   ALPROTO_TFTP,
                                                   TFTPGetStateProgress);
        AppLayerParserRegisterGetTx(IPPROTO_UDP, ALPROTO_TFTP,
                                    TFTPGetTx);

        /* What is this being registered for? */
        AppLayerParserRegisterDetectStateFuncs(IPPROTO_UDP, ALPROTO_TFTP,
                                               TFTPGetTxDetectState,
                                               TFTPSetTxDetectState);

        AppLayerParserRegisterGetEventInfo(IPPROTO_UDP, ALPROTO_TFTP,
                                           TFTPStateGetEventInfo);
        AppLayerParserRegisterGetEventsFunc(IPPROTO_UDP, ALPROTO_TFTP,
                                            TFTPGetEvents);
    }
    else {
        SCLogDebug("TFTP protocol parsing disabled.");
    }

#ifdef UNITTESTS
    AppLayerParserRegisterProtocolUnittests(IPPROTO_UDP, ALPROTO_TFTP,
                                            TFTPParserRegisterTests);
#endif
}

#ifdef UNITTESTS
#endif

void TFTPParserRegisterTests(void)
{
#ifdef UNITTESTS
#endif
}

#endif /* HAVE_RUST */
Commit	Line	Data
b9cf49e9 CG	1	/* Copyright (C) 2017 Open Information Security Foundation
	2	*
	3	* You can copy, redistribute or modify this Program under the terms of
	4	* the GNU General Public License version 2 as published by the Free
	5	* Software Foundation.
	6	*
	7	* This program is distributed in the hope that it will be useful,
	8	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	9	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	10	* GNU General Public License for more details.
	11	*
	12	* You should have received a copy of the GNU General Public License
	13	* version 2 along with this program; if not, write to the Free Software
	14	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
	15	* 02110-1301, USA.
	16	*
	17	*/
	18
	19	/**
	20	* \file
	21	*
	22	* \author Clément Galland <clement.galland@epita.fr>
	23	*
	24	* Parser for NTP application layer running on UDP port 69.
	25	*/
	26
	27
	28	#include "suricata-common.h"
	29	#include "stream.h"
	30	#include "conf.h"
	31
	32	#include "util-unittest.h"
	33
	34	#include "app-layer-detect-proto.h"
	35	#include "app-layer-parser.h"
	36
	37	#include "app-layer-tftp.h"
	38
	39	#ifndef HAVE_RUST
	40
	41	void RegisterTFTPParsers(void)
	42	{
	43	}
	44
	45	#else
	46
	47	#include "rust-tftp-tftp-gen.h"
	48
	49	/* The default port to probe if not provided in the configuration file. */
	50	#define TFTP_DEFAULT_PORT "69"
	51
	52	/* The minimum size for an message. For some protocols this might
	53	* be the size of a header. */
	54	#define TFTP_MIN_FRAME_LEN 4
	55
	56	/* Enum of app-layer events for an echo protocol. Normally you might
	57	* have events for errors in parsing data, like unexpected data being
	58	* received. For echo we'll make something up, and log an app-layer
	59	* level alert if an empty message is received.
	60	*
	61	* Example rule:
	62	*
	63	* alert tftp any any -> any any (msg:"SURICATA TFTP empty message"; \
	64	* app-layer-event:tftp.empty_message; sid:X; rev:Y;)
65	*/
66	enum {
67	TFTP_DECODER_EVENT_EMPTY_MESSAGE,
68	};
69
70	SCEnumCharMap tftp_decoder_event_table[] = {
71	{"EMPTY_MESSAGE", TFTP_DECODER_EVENT_EMPTY_MESSAGE},
72
73	// event table must be NULL-terminated
74	{ NULL, -1 },
75	};
76
77	static void *TFTPStateAlloc(void)
78	{
79	return rs_tftp_state_alloc();
80	}
81
82	static void TFTPStateFree(void *state)
83	{
84	rs_tftp_state_free(state);
85	}
86
87	/**
88	* \brief Callback from the application layer to have a transaction freed.
89	*
90	* \param state a void pointer to the TFTPState object.
91	* \param tx_id the transaction ID to free.
92	*/
93	static void TFTPStateTxFree(void *state, uint64_t tx_id)
94	{
95	rs_tftp_state_tx_free(state, tx_id);
96	}
97
98	static int TFTPStateGetEventInfo(const char event_name, int event_id,
99	AppLayerEventType *event_type)
100	{
101	return -1;
102	}
103
104	static AppLayerDecoderEvents TFTPGetEvents(void state, uint64_t tx_id)
105	{
106	return NULL;
107	}
108
b9cf49e9 CG	109	/**
	110	* \brief Probe the input to see if it looks like echo.
	111	*
	112	* \retval ALPROTO_TFTP if it looks like echo, otherwise
	113	* ALPROTO_UNKNOWN.
	114	*/
	115	static AppProto TFTPProbingParser(Flow f, uint8_t input, uint32_t input_len,
	116	uint32_t *offset)
	117	{
80f2fbac	118	/* Very simple test - if there is input, this is tftp.
b9cf49e9 CG	119	* Also check if it's starting by a zero */
	120	if (input_len >= TFTP_MIN_FRAME_LEN && *input == 0) {
	121	SCLogDebug("Detected as ALPROTO_TFTP.");
	122	return ALPROTO_TFTP;
	123	}
	124
	125	SCLogDebug("Protocol not detected as ALPROTO_TFTP.");
	126	return ALPROTO_UNKNOWN;
	127	}
	128
	129	static int TFTPParseRequest(Flow f, void state,
	130	AppLayerParserState pstate, uint8_t input, uint32_t input_len,
	131	void *local_data)
	132	{
	133	SCLogDebug("Parsing echo request: len=%"PRIu32, input_len);
	134
	135	/* Likely connection closed, we can just return here. */
	136	if ((input == NULL \|\| input_len == 0) &&
	137	AppLayerParserStateIssetFlag(pstate, APP_LAYER_PARSER_EOF)) {
	138	return 0;
	139	}
	140
	141	/* Probably don't want to create a transaction in this case
	142	* either. */
	143	if (input == NULL \|\| input_len == 0) {
	144	return 0;
	145	}
	146
	147	return rs_tftp_request(state, input, input_len);
	148	}
	149
	150	/**
	151	* \brief Response parsing is not implemented
	152	*/
	153	static int TFTPParseResponse(Flow f, void state, AppLayerParserState *pstate,
	154	uint8_t input, uint32_t input_len, void local_data)
	155	{
	156	return 0;
	157	}
	158
	159	static uint64_t TFTPGetTxCnt(void *state)
	160	{
	161	return rs_tftp_get_tx_cnt(state);
	162	}
	163
	164	static void TFTPGetTx(void state, uint64_t tx_id)
	165	{
	166	return rs_tftp_get_tx(state, tx_id);
	167	}
	168
	169	static void TFTPSetTxLogged(void state, void vtx, uint32_t logger)
	170	{
	171	rs_tftp_set_tx_logged(state, vtx, logger);
	172	}
	173
80f2fbac	174	static LoggerId TFTPGetTxLogged(void state, void vtx)
b9cf49e9	175	{
80f2fbac	176	return rs_tftp_get_tx_logged(state, vtx);
b9cf49e9 CG	177	}
	178
	179	/**
	180	* \brief Called by the application layer.
	181	*
	182	* In most cases 1 can be returned here.
	183	*/
	184	static int TFTPGetAlstateProgressCompletionStatus(uint8_t direction) {
	185	return 1;
	186	}
	187
	188	/**
	189	* \brief Return the state of a transaction in a given direction.
	190	*
	191	* In the case of the echo protocol, the existence of a transaction
	192	* means that the request is done. However, some protocols that may
	193	* need multiple chunks of data to complete the request may need more
	194	* than just the existence of a transaction for the request to be
	195	* considered complete.
	196	*
	197	* For the response to be considered done, the response for a request
	198	* needs to be seen. The response_done flag is set on response for
	199	* checking here.
	200	*/
	201	static int TFTPGetStateProgress(void *tx, uint8_t direction)
	202	{
	203	return 1;
	204	}
	205
	206	static DetectEngineState TFTPGetTxDetectState(void vtx)
	207	{
	208	return NULL;
	209	}
	210
7548944b	211	static int TFTPSetTxDetectState(void *vtx,
b9cf49e9 CG	212	DetectEngineState *s)
	213	{
	214	return 0;
	215	}
	216
	217	void RegisterTFTPParsers(void)
	218	{
	219	const char *proto_name = "tftp";
	220
	221	/* Check if TFTP UDP detection is enabled. If it does not exist in
	222	* the configuration file then it will be enabled by default. */
	223	if (AppLayerProtoDetectConfProtoDetectionEnabled("udp", proto_name)) {
	224
	225	SCLogDebug("TFTP UDP protocol detection enabled.");
	226
	227	AppLayerProtoDetectRegisterProtocol(ALPROTO_TFTP, proto_name);
	228
	229	if (RunmodeIsUnittests()) {
	230	SCLogDebug("Unittest mode, registeringd default configuration.");
	231	AppLayerProtoDetectPPRegister(IPPROTO_UDP, TFTP_DEFAULT_PORT,
	232	ALPROTO_TFTP, 0, TFTP_MIN_FRAME_LEN,
	233	STREAM_TOSERVER, TFTPProbingParser,
	234	NULL);
	235	} else {
	236	if (!AppLayerProtoDetectPPParseConfPorts("udp", IPPROTO_UDP,
	237	proto_name, ALPROTO_TFTP,
	238	0, TFTP_MIN_FRAME_LEN,
	239	TFTPProbingParser, NULL)) {
	240	SCLogDebug("No echo app-layer configuration, enabling echo"
	241	" detection UDP detection on port %s.",
	242	TFTP_DEFAULT_PORT);
	243	AppLayerProtoDetectPPRegister(IPPROTO_UDP,
	244	TFTP_DEFAULT_PORT, ALPROTO_TFTP,
	245	0, TFTP_MIN_FRAME_LEN,
	246	STREAM_TOSERVER,TFTPProbingParser,
	247	NULL);
	248	}
	249	}
	250	} else {
	251	SCLogDebug("Protocol detecter and parser disabled for TFTP.");
	252	return;
	253	}
	254
	255	if (AppLayerParserConfParserEnabled("udp", proto_name)) {
	256
	257	SCLogDebug("Registering TFTP protocol parser.");
	258
	259	/* Register functions for state allocation and freeing. A
	260	* state is allocated for every new TFTP flow. */
	261	AppLayerParserRegisterStateFuncs(IPPROTO_UDP, ALPROTO_TFTP,
	262	TFTPStateAlloc, TFTPStateFree);
	263
	264	/* Register request parser for parsing frame from server to client. */
	265	AppLayerParserRegisterParser(IPPROTO_UDP, ALPROTO_TFTP,
	266	STREAM_TOSERVER, TFTPParseRequest);
	267
	268	/* Register response parser for parsing frames from server to client. */
	269	AppLayerParserRegisterParser(IPPROTO_UDP, ALPROTO_TFTP,
	270	STREAM_TOCLIENT, TFTPParseResponse);
	271
	272	/* Register a function to be called by the application layer
	273	* when a transaction is to be freed. */
	274	AppLayerParserRegisterTxFreeFunc(IPPROTO_UDP, ALPROTO_TFTP,
	275	TFTPStateTxFree);
276
277	AppLayerParserRegisterLoggerFuncs(IPPROTO_UDP, ALPROTO_TFTP,
278	TFTPGetTxLogged, TFTPSetTxLogged);
279
280	/* Register a function to return the current transaction count. */
281	AppLayerParserRegisterGetTxCnt(IPPROTO_UDP, ALPROTO_TFTP,
282	TFTPGetTxCnt);
283
284	/* Transaction handling. */
285	AppLayerParserRegisterGetStateProgressCompletionStatus(ALPROTO_TFTP,
286	TFTPGetAlstateProgressCompletionStatus);
287	AppLayerParserRegisterGetStateProgressFunc(IPPROTO_UDP,
288	ALPROTO_TFTP,
289	TFTPGetStateProgress);
290	AppLayerParserRegisterGetTx(IPPROTO_UDP, ALPROTO_TFTP,
291	TFTPGetTx);
292
b9cf49e9 CG	293	/* What is this being registered for? */
b9cf49e9 CG	294	AppLayerParserRegisterDetectStateFuncs(IPPROTO_UDP, ALPROTO_TFTP,
7548944b	295	TFTPGetTxDetectState,
b9cf49e9 CG	296	TFTPSetTxDetectState);
	297
	298	AppLayerParserRegisterGetEventInfo(IPPROTO_UDP, ALPROTO_TFTP,
	299	TFTPStateGetEventInfo);
	300	AppLayerParserRegisterGetEventsFunc(IPPROTO_UDP, ALPROTO_TFTP,
	301	TFTPGetEvents);
	302	}
	303	else {
	304	SCLogDebug("TFTP protocol parsing disabled.");
	305	}
	306
	307	#ifdef UNITTESTS
	308	AppLayerParserRegisterProtocolUnittests(IPPROTO_UDP, ALPROTO_TFTP,
	309	TFTPParserRegisterTests);
	310	#endif
	311	}
	312
	313	#ifdef UNITTESTS
	314	#endif
	315
	316	void TFTPParserRegisterTests(void)
	317	{
	318	#ifdef UNITTESTS
	319	#endif
	320	}
	321
	322	#endif /* HAVE_RUST */