app-layer: include decoder events in app-layer tx data
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18 /**
19 * \file
20 *
21 * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22 */
23
24 #ifndef __APP_LAYER_SMTP_H__
25 #define __APP_LAYER_SMTP_H__
26
27 #include "decode-events.h"
28 #include "util-decode-mime.h"
29 #include "queue.h"
30 #include "util-streaming-buffer.h"
31 #include "rust.h"
32
/**
 * SMTP app-layer decoder event ids.
 *
 * No enumerator has an explicit value, so each id is simply its position in
 * this list, starting at 0. Inserting, removing or reordering an entry
 * renumbers every event after it.
 * NOTE(review): any name table, rule keyword or log consumer keyed on these
 * ids lives outside this header -- confirm it is updated in lockstep, or
 * detections on these events will silently map to the wrong anomaly.
 */
enum {
    /* command / reply handling events (the code that raises them is not in
     * this header) */
    SMTP_DECODER_EVENT_INVALID_REPLY,
    SMTP_DECODER_EVENT_UNABLE_TO_MATCH_REPLY_WITH_REQUEST,
    SMTP_DECODER_EVENT_MAX_COMMAND_LINE_LEN_EXCEEDED,
    SMTP_DECODER_EVENT_MAX_REPLY_LINE_LEN_EXCEEDED,
    SMTP_DECODER_EVENT_INVALID_PIPELINED_SEQUENCE,
    SMTP_DECODER_EVENT_BDAT_CHUNK_LEN_EXCEEDED,
    SMTP_DECODER_EVENT_NO_SERVER_WELCOME_MESSAGE,
    SMTP_DECODER_EVENT_TLS_REJECTED,
    SMTP_DECODER_EVENT_DATA_COMMAND_REJECTED,

    /* MIME Events */
    SMTP_DECODER_EVENT_MIME_PARSE_FAILED,
    SMTP_DECODER_EVENT_MIME_MALFORMED_MSG,
    SMTP_DECODER_EVENT_MIME_INVALID_BASE64,
    SMTP_DECODER_EVENT_MIME_INVALID_QP,
    SMTP_DECODER_EVENT_MIME_LONG_LINE,
    SMTP_DECODER_EVENT_MIME_LONG_ENC_LINE,
    SMTP_DECODER_EVENT_MIME_LONG_HEADER_NAME,
    SMTP_DECODER_EVENT_MIME_LONG_HEADER_VALUE,
    SMTP_DECODER_EVENT_MIME_BOUNDARY_TOO_LONG,
    SMTP_DECODER_EVENT_MIME_LONG_FILENAME,

    /* Invalid behavior or content */
    SMTP_DECODER_EVENT_DUPLICATE_FIELDS,
    SMTP_DECODER_EVENT_UNPARSABLE_CONTENT,
};
60
/**
 * Byte string with an explicit length that can be linked into a TAILQ.
 *
 * SMTPTransaction::rcpt_to_list in this header is a list of these entries.
 */
typedef struct SMTPString_ {
    /** string bytes.
     *  NOTE(review): NUL-termination and ownership are not visible from this
     *  header -- treat len as the only bound when reading; confirm who frees */
    uint8_t *str;
    /** length of str in bytes; the type is uint16_t, so a longer value cannot
     *  be represented without truncation */
    uint16_t len;

    /** TAILQ linkage to the neighbouring list entries */
    TAILQ_ENTRY(SMTPString_) next;
} SMTPString;
67
/**
 * One SMTP transaction.
 *
 * Instances are linked through the next member; SMTPState::tx_list in this
 * header is a TAILQ of this type and SMTPState::curr_tx points at one of them.
 */
typedef struct SMTPTransaction_ {
    /** id of this tx, starting at 0 */
    uint64_t tx_id;

    /** generic app-layer per-transaction data; AppLayerTxData is declared
     *  outside this header */
    AppLayerTxData tx_data;

    /** NOTE(review): looks like a completion flag -- the code that sets and
     *  reads it is not in this header; confirm */
    int done;
    /** the first message contained in the session */
    MimeDecEntity *msg_head;
    /** the last message contained in the session */
    MimeDecEntity *msg_tail;
    /** the mime decoding parser state */
    MimeDecParseState *mime_state;

    /* MAIL FROM parameters: bytes plus an explicit length. The length is a
     * uint16_t, so it cannot describe more than 65535 bytes.
     * NOTE(review): NUL-termination and ownership of mail_from are not
     * visible here -- bound reads by mail_from_len; confirm who frees. */
    uint8_t *mail_from;
    uint16_t mail_from_len;

    TAILQ_HEAD(, SMTPString_) rcpt_to_list;  /**< rcpt to string list */

    /** TAILQ linkage to the neighbouring transactions */
    TAILQ_ENTRY(SMTPTransaction_) next;
} SMTPTransaction;
90
/**
 * SMTP parser configuration.
 *
 * This header declares one global instance, smtp_config. The code that fills
 * in and reads the fields is not part of this header, so the per-field notes
 * below are inferred from the names and need confirming.
 */
typedef struct SMTPConfig {

    /** presumably non-zero enables MIME decoding -- TODO confirm */
    int decode_mime;
    /** configuration for the MIME decoder (type from util-decode-mime.h) */
    MimeDecConfig mime_config;
    /* NOTE(review): the three values below look like content inspection
     * limits; units and the meaning of 0 are not visible here -- confirm
     * before relying on them as a resource bound. */
    uint32_t content_limit;
    uint32_t content_inspect_min_size;
    uint32_t content_inspect_window;

    /** presumably non-zero enables raw message extraction -- TODO confirm */
    int raw_extraction;

    /** streaming buffer configuration (type from util-streaming-buffer.h) */
    StreamingBufferConfig sbcfg;
} SMTPConfig;
103
/**
 * SMTP parser state: the transaction list, the input currently being
 * parsed, line reassembly buffers, the stored request commands and the HELO
 * content.
 *
 * Several lengths below are signed (int32_t) and several are uint16_t.
 * NOTE(review): code using the signed lengths as sizes should rule out
 * negative values first, and code filling the uint16_t lengths should reject
 * values that do not fit -- the users are outside this header; confirm.
 */
typedef struct SMTPState_ {
    /** transaction currently being worked on; same type as the tx_list
     *  entries */
    SMTPTransaction *curr_tx;
    TAILQ_HEAD(, SMTPTransaction_) tx_list;  /**< transaction list */
    /** NOTE(review): presumably the number of transactions created so far;
     *  confirm against the code that assigns tx_id */
    uint64_t tx_cnt;
    /* NOTE(review): to-server byte counter and a stamp of it; where they are
     * updated is not visible in this header. */
    uint64_t toserver_data_count;
    uint64_t toserver_last_data_stamp;

    /* current input that is being parsed */
    const uint8_t *input;
    /** length of input; signed, see the struct comment */
    int32_t input_len;
    /** NOTE(review): presumably the flow direction of input; the encoding is
     *  not defined in this header */
    uint8_t direction;

    /* --parser details-- */
    /** current line extracted by the parser from the call to SMTPGetline() */
    const uint8_t *current_line;
    /** length of the line in current_line. Doesn't include the delimiter */
    int32_t current_line_len;
    /** length of the delimiter that ended current_line */
    uint8_t current_line_delimiter_len;

    /** malloced buffer (tc_db, tc_db_len) used if a line is fragmented.
     *  tc_current_line_db is used to indicate if the current_line buffer is
     *  that malloced buffer.
     *  NOTE(review): "tc" is presumably the to-client direction -- confirm */
    uint8_t *tc_db;
    int32_t tc_db_len;
    uint8_t tc_current_line_db;
    /** we have seen LF for the currently parsed line */
    uint8_t tc_current_line_lf_seen;

    /** malloced buffer (ts_db, ts_db_len) used if a line is fragmented.
     *  ts_current_line_db is used to indicate if the current_line buffer is
     *  that malloced buffer.
     *  NOTE(review): "ts" is presumably the to-server direction -- confirm */
    uint8_t *ts_db;
    int32_t ts_db_len;
    uint8_t ts_current_line_db;
    /** we have seen LF for the currently parsed line */
    uint8_t ts_current_line_lf_seen;

    /** var to indicate parser state */
    uint8_t parser_state;
    /** current command in progress */
    uint8_t current_command;
    /** bdat chunk len.
     *  NOTE(review): presumably taken from the peer's BDAT command;
     *  SMTP_DECODER_EVENT_BDAT_CHUNK_LEN_EXCEEDED in this header suggests a
     *  bound is checked somewhere -- confirm where */
    uint32_t bdat_chunk_len;
    /** bdat chunk idx */
    uint32_t bdat_chunk_idx;

    /* the request commands are stored here and the reply handler uses these
     * stored commands in the buffer to match the reply(ies) with the command */
    /** the command buffer */
    uint8_t *cmds;
    /** the buffer length */
    uint16_t cmds_buffer_len;
    /** no of commands stored in the above buffer */
    uint16_t cmds_cnt;
    /** index of the command in the buffer, currently in inspection by reply
     *  handler.
     *  NOTE(review): should stay below cmds_cnt for a valid read of cmds;
     *  the check itself is not in this header -- confirm */
    uint16_t cmds_idx;

    /* content of the HELO message and its length (uint16_t, so at most
     * 65535 bytes) */
    uint16_t helo_len;
    uint8_t *helo;

    /* SMTP Mime decoding and file extraction */
    /** the list of files sent to the server */
    FileContainer *files_ts;
    /** NOTE(review): presumably an id used to tell tracked files apart;
     *  confirm against the file handling code */
    uint32_t file_track_id;
} SMTPState;
169
/* Global SMTP config structure. This is only the extern declaration; the
 * object itself is defined in another translation unit. */
extern SMTPConfig smtp_config;

/* Handles one chunk of len bytes together with the MIME parse state; chunk is
 * const, so it is not written through this pointer.
 * NOTE(review): presumably the data-chunk callback handed to the MIME decoder
 * and the int is a status code -- the definition is not in this header;
 * confirm the return convention and that len is the only bound on chunk. */
int SMTPProcessDataChunk(const uint8_t *chunk, uint32_t len, MimeDecParseState *state);
/* Returns an untyped pointer to a new state.
 * NOTE(review): presumably an SMTPState, NULL on allocation failure; how
 * orig_state and proto_orig are used is not visible here -- confirm. */
void *SMTPStateAlloc(void *orig_state, AppProto proto_orig);
/* Registration, cleanup and unit-test registration entry points; all take no
 * arguments and return nothing. Their bodies are outside this header. */
void RegisterSMTPParsers(void);
void SMTPParserCleanup(void);
void SMTPParserRegisterTests(void);
178
179 #endif /* __APP_LAYER_SMTP_H__ */