[people/ms/suricata.git] / src / app-layer-parser.h

/* Copyright (C) 2007-2010 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \file
 *
 * \author Victor Julien <victor@inliniac.net>
 */

#ifndef __APP_LAYER_PARSER_H__
#define __APP_LAYER_PARSER_H__

#include "decode-events.h"

#include "util-file.h"

/** Mapping between local parser id's (e.g. HTTP_FIELD_REQUEST_URI) and
  * the dynamically assigned (at registration) global parser id. */
typedef struct AppLayerLocalMap_ {
    uint16_t parser_id;
} AppLayerLocalMap;

typedef uint16_t (*ProbingParserFPtr)(uint8_t *input, uint32_t input_len,
                                      uint32_t *offset);

/** \brief Mapping between ALPROTO_* and L7Parsers
 *
 * Map the proto to the parsers for the to_client and to_server directions.
 */
typedef struct AppLayerProto_ {
    char *name; /**< name of the registered proto */

    uint16_t to_server;
    uint16_t to_client;
    uint16_t map_size;
    char logger; /**< does this proto have a logger enabled? */

    AppLayerLocalMap **map;

    void *(*StateAlloc)(void);
    void (*StateFree)(void *);
    void (*StateTransactionFree)(void *, uint64_t);
    void *(*LocalStorageAlloc)(void);
    void (*LocalStorageFree)(void *);

    /** truncate state after a gap/depth event */
    void (*Truncate)(void *, uint8_t);
    FileContainer *(*StateGetFiles)(void *, uint8_t);
    AppLayerDecoderEvents *(*StateGetEvents)(void *, uint64_t);
    /* bool indicating a state has decoder/parser events */
    int (*StateHasEvents)(void *);

    int (*StateGetAlstateProgress)(void *alstate, uint8_t direction);
    uint64_t (*StateGetTxCnt)(void *alstate);
    void *(*StateGetTx)(void *alstate, uint64_t tx_id);
    int (*StateGetAlstateProgressCompletionStatus)(uint8_t direction);

    int (*StateGetEventInfo)(const char *event_name,
                             int *event_id, AppLayerEventType *event_type);

    ProbingParserFPtr PPAlprotoMap[2];
    /* Indicates the direction the parser is ready to see the data
     * the first time for a flow.  Values accepted -
     * STREAM_TOSERVER, STREAM_TOCLIENT */
    uint8_t first_data_dir;

#ifdef UNITTESTS
    void (*RegisterUnittests)(void);
#endif
} AppLayerProto;

/** flags for the result elmts */
#define ALP_RESULT_ELMT_ALLOC 0x01

/** \brief Result elements for the parser */
typedef struct AppLayerParserResultElmt_ {
    uint16_t flags; /* flags. E.g. local alloc */
    uint16_t name_idx; /* idx for names like "http.request_line.uri" */

    uint32_t data_len; /* length of the data from the ptr */
    uint8_t  *data_ptr; /* point to the position in the "input" data
                          * or ptr to new mem if local alloc flag set */
    struct AppLayerParserResultElmt_ *next;
} AppLayerParserResultElmt;

/** \brief List head for parser result elmts */
typedef struct AppLayerParserResult_ {
    AppLayerParserResultElmt *head;
    AppLayerParserResultElmt *tail;
    uint32_t cnt;
} AppLayerParserResult;

#define APP_LAYER_PARSER_USE            0x01
#define APP_LAYER_PARSER_EOF            0x02
#define APP_LAYER_PARSER_DONE           0x04    /**< parser is done, ignore more
                                                     msgs */
#define APP_LAYER_PARSER_NO_INSPECTION  0x08    /**< Flag to indicate no more
                                                     packets payload inspection */
#define APP_LAYER_PARSER_NO_REASSEMBLY  0x10    /**< Flag to indicate no more
                                                     packets reassembly for this
                                                     session */

#define APP_LAYER_TRANSACTION_EOF       0x01    /**< Session done, last transaction
                                                     as well */
#define APP_LAYER_TRANSACTION_TOSERVER  0x02    /**< transaction has been inspected
                                                     in to server direction. */
#define APP_LAYER_TRANSACTION_TOCLIENT  0x04    /**< transaction has been inspected
                                                     in to server direction. */

typedef struct AppLayerParserState_ {
    uint8_t flags;
    uint16_t cur_parser; /**< idx of currently active parser */
    uint8_t *store;
    uint32_t store_len;
    uint16_t parse_field;
} AppLayerParserState;

typedef struct AppLayerParserStateStore_ {
    AppLayerParserState to_client;
    AppLayerParserState to_server;

    /** flags related to the id's */
    uint8_t id_flags;

    /* Indicates the current transaction that is being indicated.  We have
     * a var per direction. */
    uint64_t inspect_id[2];
    /* Indicates the current transaction being logged.  Unlike inspect_id,
     * we don't need a var per direction since we don't log a transaction
     * unless we have the entire transaction. */
    uint64_t log_id;
    uint16_t version;       /**< state version, incremented for each update,
                             *   can wrap around */

    /* Used to store decoder events */
    AppLayerDecoderEvents *decoder_events;
} AppLayerParserStateStore;

typedef struct AppLayerParserTableElement_ {
    int (*AppLayerParser)(Flow *f, void *protocol_state, AppLayerParserState
                          *parser_state, uint8_t *input, uint32_t input_len,
                          void *local_storage, AppLayerParserResult *output);

    char *name;

    uint16_t proto;
    uint16_t parser_local_id; /**< local id of the parser in the parser itself. */
} AppLayerParserTableElement;

typedef struct AppLayerProbingParserElement_ {
    char *al_proto_name;
    uint16_t al_proto;
    /* \todo don't really need it.  See if you can get rid of it */
    uint16_t port;
    /* \todo calculate at runtime and get rid of this var */
    uint32_t al_proto_mask;
    /* \todo check if we can reduce the bottom 2 vars to uint16_t */
    /* the min length of data that has to be supplied to invoke the parser */
    uint32_t min_depth;
    /* the max length of data after which this parser won't be invoked */
    uint32_t max_depth;
    /* the probing parser function */
    ProbingParserFPtr ProbingParser;

    struct AppLayerProbingParserElement_ *next;
} AppLayerProbingParserElement;

typedef struct AppLayerProbingParserPort_ {
    /* the port no for which probing parser(s) are invoked */
    uint16_t port;

    uint32_t toserver_al_proto_mask;
    uint32_t toclient_al_proto_mask;
    /* the max depth for all the probing parsers registered for this port */
    uint16_t toserver_max_depth;
    uint16_t toclient_max_depth;

    AppLayerProbingParserElement *toserver;
    AppLayerProbingParserElement *toclient;

    struct AppLayerProbingParserPort_ *next;
} AppLayerProbingParserPort;

typedef struct AppLayerProbingParser_ {
    uint16_t ip_proto;
    AppLayerProbingParserPort *port;

    struct AppLayerProbingParser_ *next;
} AppLayerProbingParser;

extern AppLayerProto al_proto_table[];

static inline
AppLayerProbingParserPort *AppLayerGetProbingParsers(AppLayerProbingParser *pp,
                                                     uint16_t ip_proto,
                                                     uint16_t port)
{
    while (pp != NULL) {
        if (pp->ip_proto == ip_proto)
            break;

        pp = pp->next;
    }

    if (pp == NULL)
        return NULL;

    AppLayerProbingParserPort *pp_port = pp->port;
    while (pp_port != NULL) {
        if (pp_port->port == port || pp_port->port == 0) {
            break;
        }
        pp_port = pp_port->next;
    }

    return pp_port;
}

struct AlpProtoDetectCtx_;

/* prototypes */
void AppLayerParsersInitPostProcess(void);
void RegisterAppLayerParsers(void);
void AppLayerParserRegisterTests(void);

/* registration */
int AppLayerRegisterProto(char *name, uint8_t proto, uint8_t flags,
                          int (*AppLayerParser)(Flow *f, void *protocol_state,
                                                AppLayerParserState *parser_state,
                                                uint8_t *input, uint32_t input_len,
                                                void *local_data,
                                                AppLayerParserResult *output));
int AppLayerRegisterParser(char *name, uint16_t proto, uint16_t parser_id,
                           int (*AppLayerParser)(Flow *f, void *protocol_state,
                                                 AppLayerParserState *parser_state,
                                                 uint8_t *input, uint32_t input_len,
                                                 void *local_data,
                                                 AppLayerParserResult *output),
                           char *dependency);
void AppLayerRegisterParserAcceptableDataDirection(uint16_t al_proto,
                                                   uint8_t flags);
void AppLayerMapProbingParserAgainstAlproto(uint16_t al_proto,
                                            uint8_t flags,
                                            ProbingParserFPtr ProbingParser);
void AppLayerRegisterProbingParser(struct AlpProtoDetectCtx_ *,
                                   uint16_t ip_proto,
                                   char *portstr,
                                   char *al_proto_name, uint16_t al_proto,
                                   uint16_t min_depth, uint16_t max_depth,
                                   uint8_t flags,
                                   ProbingParserFPtr ProbingParser);
#ifdef UNITTESTS
void AppLayerParserRegisterUnittests(uint16_t proto, void (*RegisterUnittests)(void));
#endif
void AppLayerRegisterStateFuncs(uint16_t proto, void *(*StateAlloc)(void),
                                void (*StateFree)(void *));
void AppLayerRegisterLocalStorageFunc(uint16_t proto,
                                      void *(*LocalStorageAlloc)(void),
                                      void (*LocalStorageFree)(void *));
void *AppLayerGetProtocolParserLocalStorage(uint16_t);
void AppLayerRegisterGetFilesFunc(uint16_t proto,
        FileContainer *(*StateGetFile)(void *, uint8_t));
void AppLayerRegisterGetEventsFunc(uint16_t proto,
        AppLayerDecoderEvents *(*StateGetEvents)(void *, uint64_t));
void AppLayerRegisterHasEventsFunc(uint16_t proto,
        int (*StateHasEvents)(void *));

void AppLayerRegisterLogger(uint16_t proto);
uint16_t AppLayerGetProtoByName(const char *);
const char *AppLayerGetProtoString(int proto);
void AppLayerRegisterTruncateFunc(uint16_t proto, void (*Truncate)(void *, uint8_t));
void AppLayerRegisterGetAlstateProgressFunc(uint16_t alproto,
                                            int (*StateGetAlstateProgress)(void *alstate, uint8_t direction));
void AppLayerRegisterTxFreeFunc(uint16_t proto,
        void (*StateTransactionFree)(void *, uint64_t));
void AppLayerRegisterGetTxCnt(uint16_t alproto,
                              uint64_t (*StateGetTxCnt)(void *alstate));
void AppLayerRegisterGetTx(uint16_t alproto,
                           void *(*StateGetTx)(void *alstate, uint64_t tx_id));
void AppLayerRegisterGetAlstateProgressCompletionStatus(uint16_t alproto,
    int (*StateProgressCompletionStatus)(uint8_t direction));
void AppLayerRegisterGetEventInfo(uint16_t alproto,
                                  int (*StateGetEventInfo)(const char *event_name,
                                                           int *event_id,
                                                           AppLayerEventType *event_type));

int AppLayerParse(void *, Flow *, uint8_t,
                  uint8_t, uint8_t *, uint32_t);

int AlpParseFieldBySize(AppLayerParserResult *, AppLayerParserState *, uint16_t,
                        uint32_t, uint8_t *, uint32_t, uint32_t *);
int AlpParseFieldByEOF(AppLayerParserResult *, AppLayerParserState *, uint16_t,
                       uint8_t *, uint32_t);
int AlpParseFieldByDelimiter(AppLayerParserResult *, AppLayerParserState *,
                             uint16_t, const uint8_t *, uint8_t, uint8_t *,
                             uint32_t, uint32_t *);


/***** transaction handling *****/

/**
 * \brief Update the current log id.  Does one step increments currently.
 *
 * \param f Flow.
 */
void AppLayerTransactionUpdateLogId(Flow *f);

/**
 * \brief Get the current log id.
 *
 * \param f Flow.
 */
uint64_t AppLayerTransactionGetLogId(Flow *f);

/**
 * \brief Updates the inspection id for the alstate.
 *
 * \param f         Pointer to the flow(LOCKED).
 * \param direction Direction.  0 - toserver, 1 - toclient.
 */
void AppLayerTransactionUpdateInspectId(Flow *f, uint8_t direction);

/**
 * \brief Get the current tx id to be inspected.
 *
 * \param f     Flow.
 * \param flags Flags.
 *
 * \retval A positive integer value.
 */
uint64_t AppLayerTransactionGetInspectId(Flow *f, uint8_t flags);

uint64_t AppLayerTransactionGetActive(Flow *f, uint8_t flags);


void AppLayerSetEOF(Flow *);


/***** cleanup *****/

void AppLayerParserCleanupState(Flow *);
void AppLayerFreeProbingParsers(AppLayerProbingParser *);
void AppLayerPrintProbingParsers(AppLayerProbingParser *);

void AppLayerListSupportedProtocols(void);
AppLayerDecoderEvents *AppLayerGetDecoderEventsForFlow(Flow *);
AppLayerDecoderEvents *AppLayerGetEventsFromFlowByTx(Flow *f, uint64_t tx_id);
int AppLayerProtoIsTxEventAware(uint16_t alproto);
int AppLayerFlowHasDecoderEvents(Flow *f, uint8_t flags);

/***** Alproto param retrieval ******/

/**
 * \brief get the version of the state in a direction
 *
 * \param f Flow(LOCKED).
 * \param direction STREAM_TOSERVER or STREAM_TOCLIENT
 */
uint16_t AppLayerGetStateVersion(Flow *f);

FileContainer *AppLayerGetFilesFromFlow(Flow *, uint8_t);

/**
 * \brief Get the state progress.
 *
 *        This is a generic wrapper to each ALPROTO.  The value returned
 *        needs to be interpreted by the caller, based on the ALPROTO_*
 *        the caller supplies.
 *
 *        The state can be anything based on what the ALPROTO handler
 *        expects.  We have given a return value of int, although a range
 *        of -128 to 127 (int8_t) should be more than sufficient.
 *
 * \param alproto The app protocol.
 * \param state   App state.
 * \param dir     Directin. 0 - ts, 1 - tc.
 *
 * \retval An integer value indicating the current progress of "state".
 */
int AppLayerGetAlstateProgress(uint16_t alproto, void *state, uint8_t direction);

/**
 * \brief Get the no of txs.
 *
 * \param alproto The app protocol.
 * \param alstate App state.
 *
 * \retval A positive integer value indicating the no of txs.
 */
uint64_t AppLayerGetTxCnt(uint16_t alproto, void *alstate);

/**
 * \brief Get a tx referenced by the id.
 *
 * \param alproto The app protocol
 * \param alstate App state.
 * \param tx_id   The transaction id.
 *
 * \retval Tx instance.
 */
void *AppLayerGetTx(uint16_t alproto, void *alstate, uint64_t tx_id);

/**
 * \brief Get the state value for the following alproto, that corresponds to
 *        COMPLETE or DONE.
 *
 * \param alproto   The app protocol.
 * \param direction The direction.  0 - ts, 1 - tc.
 *
 * \retval An integer value indicating the state value.
 */
int AppLayerGetAlstateProgressCompletionStatus(uint16_t alproto, uint8_t direction);

/**
 * \brief Informs if the alproto supports transactions or not.
 *
 * \param alproto   The app protocol.
 * \param direction The direction.  0 - ts, 1 - tc.
 *
 * \retval 1 If true; 0 If false.
 */
int AppLayerAlprotoSupportsTxs(uint16_t alproto);

/**
 * \brief Triggers raw reassembly.
 *
 * \param f Flow pointer.
 */
void AppLayerTriggerRawStreamReassembly(Flow *);

/**
 * \brief Informs if the specified alproto's parser is enabled.
 *
 * \param alproto Character string holding the alproto name.
 */
int AppLayerParserEnabled(const char *alproto);

/**
 * \brief Informs if the specified alproto has detection enabled.
 *
 * \param alproto    Character string holding the alproto name.
 */
int AppLayerProtoDetectionEnabled(const char *alproto);

/**
 * \brief Gets event info for this alproto.
 *
 * \param alproto    Character string holding the alproto name.
 * \param event_name Name of the event.
 * \param event_id   Pointer to an instance to send back event id.
 */
int AppLayerGetEventInfo(uint16_t alproto, const char *event_name,
                         int *event_id, AppLayerEventType *event_type);

/***** Utility *****/

void AppLayerParseProbingParserPorts(const char *al_proto_name, uint16_t al_proto,
                                     uint16_t min_depth, uint16_t max_depth,
                                     ProbingParserFPtr ProbingParser);


/***** Unittests *****/

/**
 * \brief Backup al_proto_table.
 *
 *        Currently we backup only the event table.  Feel free to backup
 *        other stuff as and when required.
 */
void AppLayerParserBackupAlprotoTable(void);
void AppLayerParserRestoreAlprotoTable(void);

#endif /* __APP_LAYER_PARSER_H__ */
Commit	Line	Data
ce019275 WM	1	/* Copyright (C) 2007-2010 Open Information Security Foundation
	2	*
	3	* You can copy, redistribute or modify this Program under the terms of
	4	* the GNU General Public License version 2 as published by the Free
	5	* Software Foundation.
	6	*
	7	* This program is distributed in the hope that it will be useful,
	8	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	9	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	10	* GNU General Public License for more details.
	11	*
	12	* You should have received a copy of the GNU General Public License
	13	* version 2 along with this program; if not, write to the Free Software
	14	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
	15	* 02110-1301, USA.
	16	*/
	17
	18	/**
	19	* \file
	20	*
	21	* \author Victor Julien <victor@inliniac.net>
	22	*/
	23
8e10844f VJ	24	#ifndef __APP_LAYER_PARSER_H__
	25	#define __APP_LAYER_PARSER_H__
	26
eea5ab4a AS	27	#include "decode-events.h"
eea5ab4a AS	28
e1022ee5 VJ	29	#include "util-file.h"
e1022ee5 VJ	30
5a9a23f9 VJ	31	/** Mapping between local parser id's (e.g. HTTP_FIELD_REQUEST_URI) and
	32	* the dynamically assigned (at registration) global parser id. */
	33	typedef struct AppLayerLocalMap_ {
fa5939ca	34	uint16_t parser_id;
5a9a23f9 VJ	35	} AppLayerLocalMap;
5a9a23f9 VJ	36
0d7159b5 AS	37	typedef uint16_t (ProbingParserFPtr)(uint8_t input, uint32_t input_len,
	38	uint32_t *offset);
	39
8e10844f VJ	40	/** \brief Mapping between ALPROTO_* and L7Parsers
	41	*
	42	* Map the proto to the parsers for the to_client and to_server directions.
	43	*/
	44	typedef struct AppLayerProto_ {
f1f7df07 VJ	45	char name; /< name of the registered proto /
f1f7df07 VJ	46
fa5939ca BR	47	uint16_t to_server;
fa5939ca BR	48	uint16_t to_client;
06904c90 VJ	49	uint16_t map_size;
06904c90 VJ	50	char logger; /*< does this proto have a logger enabled? /
5a9a23f9 VJ	51
5a9a23f9 VJ	52	AppLayerLocalMap **map;
9f78d47c VJ	53
	54	void (StateAlloc)(void);
	55	void (StateFree)(void );
f59f9033	56	void (StateTransactionFree)(void , uint64_t);
01a35bb6	57	void (LocalStorageAlloc)(void);
9a6aef45	58	void (LocalStorageFree)(void );
869109a6 VJ	59
	60	/** truncate state after a gap/depth event */
	61	void (Truncate)(void , uint8_t);
d59ca75e	62	FileContainer (StateGetFiles)(void *, uint8_t);
9dc04d9f	63	AppLayerDecoderEvents (StateGetEvents)(void *, uint64_t);
e8ad876b VJ	64	/* bool indicating a state has decoder/parser events */
e8ad876b VJ	65	int (StateHasEvents)(void );
70b32f73	66
d4d18e31 AS	67	int (StateGetAlstateProgress)(void alstate, uint8_t direction);
	68	uint64_t (StateGetTxCnt)(void alstate);
	69	void (StateGetTx)(void *alstate, uint64_t tx_id);
	70	int (*StateGetAlstateProgressCompletionStatus)(uint8_t direction);
9faa4b74	71
5e2d9dbd AS	72	int (StateGetEventInfo)(const char event_name,
	73	int event_id, AppLayerEventType event_type);
	74
16144fe3	75	ProbingParserFPtr PPAlprotoMap[2];
96d1ba91 AS	76	/* Indicates the direction the parser is ready to see the data
	77	* the first time for a flow. Values accepted -
	78	* STREAM_TOSERVER, STREAM_TOCLIENT */
	79	uint8_t first_data_dir;
0d7159b5	80
9faa4b74 VJ	81	#ifdef UNITTESTS
	82	void (*RegisterUnittests)(void);
	83	#endif
8e10844f VJ	84	} AppLayerProto;
8e10844f VJ	85
9f78d47c VJ	86	/** flags for the result elmts */
	87	#define ALP_RESULT_ELMT_ALLOC 0x01
	88
	89	/** \brief Result elements for the parser */
	90	typedef struct AppLayerParserResultElmt_ {
fa5939ca BR	91	uint16_t flags; /* flags. E.g. local alloc */
fa5939ca BR	92	uint16_t name_idx; /* idx for names like "http.request_line.uri" */
8e10844f	93
fc248ca7	94	uint32_t data_len; /* length of the data from the ptr */
fa5939ca	95	uint8_t data_ptr; / point to the position in the "input" data
8e10844f	96	* or ptr to new mem if local alloc flag set */
9f78d47c VJ	97	struct AppLayerParserResultElmt_ *next;
	98	} AppLayerParserResultElmt;
	99
	100	/** \brief List head for parser result elmts */
	101	typedef struct AppLayerParserResult_ {
	102	AppLayerParserResultElmt *head;
	103	AppLayerParserResultElmt *tail;
fa5939ca	104	uint32_t cnt;
9f78d47c VJ	105	} AppLayerParserResult;
9f78d47c VJ	106
a16e7b74 GS	107	#define APP_LAYER_PARSER_USE 0x01
a16e7b74 GS	108	#define APP_LAYER_PARSER_EOF 0x02
70b32f73 VJ	109	#define APP_LAYER_PARSER_DONE 0x04 /**< parser is done, ignore more
	110	msgs */
	111	#define APP_LAYER_PARSER_NO_INSPECTION 0x08 /**< Flag to indicate no more
	112	packets payload inspection */
	113	#define APP_LAYER_PARSER_NO_REASSEMBLY 0x10 /**< Flag to indicate no more
	114	packets reassembly for this
	115	session */
	116
	117	#define APP_LAYER_TRANSACTION_EOF 0x01 /**< Session done, last transaction
	118	as well */
b8fec77f VJ	119	#define APP_LAYER_TRANSACTION_TOSERVER 0x02 /**< transaction has been inspected
	120	in to server direction. */
	121	#define APP_LAYER_TRANSACTION_TOCLIENT 0x04 /**< transaction has been inspected
	122	in to server direction. */
9f78d47c VJ	123
9f78d47c VJ	124	typedef struct AppLayerParserState_ {
fa5939ca	125	uint8_t flags;
70b32f73	126	uint16_t cur_parser; /*< idx of currently active parser /
fa5939ca BR	127	uint8_t *store;
	128	uint32_t store_len;
	129	uint16_t parse_field;
9f78d47c VJ	130	} AppLayerParserState;
	131
	132	typedef struct AppLayerParserStateStore_ {
	133	AppLayerParserState to_client;
	134	AppLayerParserState to_server;
70b32f73 VJ	135
	136	/** flags related to the id's */
	137	uint8_t id_flags;
	138
d4d18e31 AS	139	/* Indicates the current transaction that is being indicated. We have
	140	* a var per direction. */
	141	uint64_t inspect_id[2];
	142	/* Indicates the current transaction being logged. Unlike inspect_id,
	143	* we don't need a var per direction since we don't log a transaction
	144	* unless we have the entire transaction. */
	145	uint64_t log_id;
73efb4c7 VJ	146	uint16_t version; /**< state version, incremented for each update,
73efb4c7 VJ	147	* can wrap around */
eea5ab4a AS	148
	149	/* Used to store decoder events */
	150	AppLayerDecoderEvents *decoder_events;
9f78d47c	151	} AppLayerParserStateStore;
8e10844f VJ	152
8e10844f VJ	153	typedef struct AppLayerParserTableElement_ {
fc2f7f29 GS	154	int (AppLayerParser)(Flow f, void *protocol_state, AppLayerParserState
fc2f7f29 GS	155	parser_state, uint8_t input, uint32_t input_len,
9a6aef45	156	void local_storage, AppLayerParserResult output);
06904c90 VJ	157
	158	char *name;
	159
	160	uint16_t proto;
	161	uint16_t parser_local_id; /*< local id of the parser in the parser itself. /
8e10844f VJ	162	} AppLayerParserTableElement;
8e10844f VJ	163
7c31a232	164	typedef struct AppLayerProbingParserElement_ {
d9686fae	165	char *al_proto_name;
7c31a232	166	uint16_t al_proto;
d9686fae	167	/* \todo don't really need it. See if you can get rid of it */
7c31a232	168	uint16_t port;
d9686fae	169	/* \todo calculate at runtime and get rid of this var */
d68775d4	170	uint32_t al_proto_mask;
d9686fae	171	/* \todo check if we can reduce the bottom 2 vars to uint16_t */
7c31a232 AS	172	/* the min length of data that has to be supplied to invoke the parser */
	173	uint32_t min_depth;
	174	/* the max length of data after which this parser won't be invoked */
	175	uint32_t max_depth;
	176	/* the probing parser function */
8e8bc490	177	ProbingParserFPtr ProbingParser;
7c31a232 AS	178
	179	struct AppLayerProbingParserElement_ *next;
	180	} AppLayerProbingParserElement;
	181
d9686fae	182	typedef struct AppLayerProbingParserPort_ {
7c31a232 AS	183	/* the port no for which probing parser(s) are invoked */
7c31a232 AS	184	uint16_t port;
d9686fae	185
d68775d4 AS	186	uint32_t toserver_al_proto_mask;
d68775d4 AS	187	uint32_t toclient_al_proto_mask;
7c31a232 AS	188	/* the max depth for all the probing parsers registered for this port */
	189	uint16_t toserver_max_depth;
	190	uint16_t toclient_max_depth;
	191
	192	AppLayerProbingParserElement *toserver;
	193	AppLayerProbingParserElement *toclient;
	194
d9686fae AS	195	struct AppLayerProbingParserPort_ *next;
d9686fae AS	196	} AppLayerProbingParserPort;
7c31a232	197
d9686fae	198	typedef struct AppLayerProbingParser_ {
432c3317	199	uint16_t ip_proto;
d9686fae	200	AppLayerProbingParserPort *port;
432c3317	201
d9686fae AS	202	struct AppLayerProbingParser_ *next;
d9686fae AS	203	} AppLayerProbingParser;
7c31a232	204
10966245 AS	205	extern AppLayerProto al_proto_table[];
10966245 AS	206
a40fdc79	207	static inline
d9686fae AS	208	AppLayerProbingParserPort AppLayerGetProbingParsers(AppLayerProbingParser pp,
	209	uint16_t ip_proto,
	210	uint16_t port)
7c31a232	211	{
7c31a232	212	while (pp != NULL) {
d9686fae	213	if (pp->ip_proto == ip_proto)
7c31a232	214	break;
d9686fae	215
7c31a232 AS	216	pp = pp->next;
	217	}
	218
d9686fae AS	219	if (pp == NULL)
d9686fae AS	220	return NULL;
7c31a232	221
d9686fae AS	222	AppLayerProbingParserPort *pp_port = pp->port;
	223	while (pp_port != NULL) {
	224	if (pp_port->port == port \|\| pp_port->port == 0) {
	225	break;
	226	}
	227	pp_port = pp_port->next;
432c3317 AS	228	}
432c3317 AS	229
d9686fae	230	return pp_port;
432c3317	231	}
d9686fae	232
6e0d98d9 AS	233	struct AlpProtoDetectCtx_;
6e0d98d9 AS	234
9f78d47c VJ	235	/* prototypes */
	236	void AppLayerParsersInitPostProcess(void);
	237	void RegisterAppLayerParsers(void);
06904c90	238	void AppLayerParserRegisterTests(void);
8e10844f	239
06904c90	240	/* registration */
fc2f7f29 GS	241	int AppLayerRegisterProto(char *name, uint8_t proto, uint8_t flags,
fc2f7f29 GS	242	int (AppLayerParser)(Flow f, void *protocol_state,
9a6aef45 AS	243	AppLayerParserState *parser_state,
	244	uint8_t *input, uint32_t input_len,
	245	void *local_data,
	246	AppLayerParserResult *output));
fc2f7f29 GS	247	int AppLayerRegisterParser(char *name, uint16_t proto, uint16_t parser_id,
fc2f7f29 GS	248	int (AppLayerParser)(Flow f, void *protocol_state,
9a6aef45 AS	249	AppLayerParserState *parser_state,
	250	uint8_t *input, uint32_t input_len,
	251	void *local_data,
	252	AppLayerParserResult *output),
18fe3818	253	char *dependency);
0d7159b5 AS	254	void AppLayerRegisterParserAcceptableDataDirection(uint16_t al_proto,
	255	uint8_t flags);
	256	void AppLayerMapProbingParserAgainstAlproto(uint16_t al_proto,
	257	uint8_t flags,
	258	ProbingParserFPtr ProbingParser);
d9686fae AS	259	void AppLayerRegisterProbingParser(struct AlpProtoDetectCtx_ *,
	260	uint16_t ip_proto,
	261	char *portstr,
	262	char *al_proto_name, uint16_t al_proto,
	263	uint16_t min_depth, uint16_t max_depth,
	264	uint8_t flags,
8e8bc490	265	ProbingParserFPtr ProbingParser);
9faa4b74	266	#ifdef UNITTESTS
0d7159b5	267	void AppLayerParserRegisterUnittests(uint16_t proto, void (*RegisterUnittests)(void));
9faa4b74	268	#endif
fc2f7f29 GS	269	void AppLayerRegisterStateFuncs(uint16_t proto, void (StateAlloc)(void),
fc2f7f29 GS	270	void (StateFree)(void ));
9a6aef45 AS	271	void AppLayerRegisterLocalStorageFunc(uint16_t proto,
	272	void (LocalStorageAlloc)(void),
	273	void (LocalStorageFree)(void ));
01a35bb6	274	void *AppLayerGetProtocolParserLocalStorage(uint16_t);
e1022ee5	275	void AppLayerRegisterGetFilesFunc(uint16_t proto,
d59ca75e	276	FileContainer (StateGetFile)(void *, uint8_t));
9dc04d9f VJ	277	void AppLayerRegisterGetEventsFunc(uint16_t proto,
9dc04d9f VJ	278	AppLayerDecoderEvents (StateGetEvents)(void *, uint64_t));
e8ad876b VJ	279	void AppLayerRegisterHasEventsFunc(uint16_t proto,
	280	int (StateHasEvents)(void ));
	281
70b32f73	282	void AppLayerRegisterLogger(uint16_t proto);
06904c90	283	uint16_t AppLayerGetProtoByName(const char *);
68425453	284	const char *AppLayerGetProtoString(int proto);
869109a6	285	void AppLayerRegisterTruncateFunc(uint16_t proto, void (Truncate)(void , uint8_t));
d4d18e31 AS	286	void AppLayerRegisterGetAlstateProgressFunc(uint16_t alproto,
d4d18e31 AS	287	int (StateGetAlstateProgress)(void alstate, uint8_t direction));
f59f9033 VJ	288	void AppLayerRegisterTxFreeFunc(uint16_t proto,
f59f9033 VJ	289	void (StateTransactionFree)(void , uint64_t));
d4d18e31 AS	290	void AppLayerRegisterGetTxCnt(uint16_t alproto,
	291	uint64_t (StateGetTxCnt)(void alstate));
	292	void AppLayerRegisterGetTx(uint16_t alproto,
	293	void (StateGetTx)(void *alstate, uint64_t tx_id));
	294	void AppLayerRegisterGetAlstateProgressCompletionStatus(uint16_t alproto,
	295	int (*StateProgressCompletionStatus)(uint8_t direction));
5e2d9dbd AS	296	void AppLayerRegisterGetEventInfo(uint16_t alproto,
	297	int (StateGetEventInfo)(const char event_name,
	298	int *event_id,
	299	AppLayerEventType *event_type));
fc2f7f29	300
9a6aef45 AS	301	int AppLayerParse(void , Flow , uint8_t,
9a6aef45 AS	302	uint8_t, uint8_t *, uint32_t);
fc2f7f29 GS	303
	304	int AlpParseFieldBySize(AppLayerParserResult , AppLayerParserState , uint16_t,
	305	uint32_t, uint8_t , uint32_t, uint32_t );
	306	int AlpParseFieldByEOF(AppLayerParserResult , AppLayerParserState , uint16_t,
	307	uint8_t *, uint32_t);
	308	int AlpParseFieldByDelimiter(AppLayerParserResult , AppLayerParserState ,
	309	uint16_t, const uint8_t , uint8_t, uint8_t ,
	310	uint32_t, uint32_t *);
8e10844f	311
f1f7df07	312
d4d18e31 AS	313	/*** transaction handling ***/
	314
	315	/**
	316	* \brief Update the current log id. Does one step increments currently.
	317	*
	318	* \param f Flow.
	319	*/
	320	void AppLayerTransactionUpdateLogId(Flow *f);
	321
	322	/**
	323	* \brief Get the current log id.
	324	*
	325	* \param f Flow.
	326	*/
	327	uint64_t AppLayerTransactionGetLogId(Flow *f);
	328
	329	/**
	330	* \brief Updates the inspection id for the alstate.
	331	*
	332	* \param f Pointer to the flow(LOCKED).
	333	* \param direction Direction. 0 - toserver, 1 - toclient.
	334	*/
	335	void AppLayerTransactionUpdateInspectId(Flow *f, uint8_t direction);
	336
	337	/**
	338	* \brief Get the current tx id to be inspected.
	339	*
	340	* \param f Flow.
	341	* \param flags Flags.
	342	*
	343	* \retval A positive integer value.
	344	*/
	345	uint64_t AppLayerTransactionGetInspectId(Flow *f, uint8_t flags);
	346
3b3dce83	347	uint64_t AppLayerTransactionGetActive(Flow *f, uint8_t flags);
d4d18e31	348
70b32f73	349
23e01d23 VJ	350	void AppLayerSetEOF(Flow *);
23e01d23 VJ	351
d4d18e31 AS	352
	353
	354	/*** cleanup ***/
	355
8cc525c9	356	void AppLayerParserCleanupState(Flow *);
a40fdc79	357	void AppLayerFreeProbingParsers(AppLayerProbingParser *);
432c3317	358	void AppLayerPrintProbingParsers(AppLayerProbingParser *);
ba12f3c1	359
10966245	360	void AppLayerListSupportedProtocols(void);
eea5ab4a	361	AppLayerDecoderEvents AppLayerGetDecoderEventsForFlow(Flow );
9dc04d9f VJ	362	AppLayerDecoderEvents AppLayerGetEventsFromFlowByTx(Flow f, uint64_t tx_id);
	363	int AppLayerProtoIsTxEventAware(uint16_t alproto);
	364	int AppLayerFlowHasDecoderEvents(Flow *f, uint8_t flags);
e1022ee5	365
d4d18e31 AS	366	/*** Alproto param retrieval ****/
	367
	368	/**
	369	* \brief get the version of the state in a direction
	370	*
	371	* \param f Flow(LOCKED).
	372	* \param direction STREAM_TOSERVER or STREAM_TOCLIENT
	373	*/
	374	uint16_t AppLayerGetStateVersion(Flow *f);
	375
	376	FileContainer AppLayerGetFilesFromFlow(Flow , uint8_t);
	377
	378	/**
	379	* \brief Get the state progress.
	380	*
	381	* This is a generic wrapper to each ALPROTO. The value returned
	382	* needs to be interpreted by the caller, based on the ALPROTO_*
	383	* the caller supplies.
	384	*
	385	* The state can be anything based on what the ALPROTO handler
	386	* expects. We have given a return value of int, although a range
	387	* of -128 to 127 (int8_t) should be more than sufficient.
	388	*
	389	* \param alproto The app protocol.
	390	* \param state App state.
	391	* \param dir Directin. 0 - ts, 1 - tc.
	392	*
	393	* \retval An integer value indicating the current progress of "state".
	394	*/
	395	int AppLayerGetAlstateProgress(uint16_t alproto, void *state, uint8_t direction);
	396
	397	/**
	398	* \brief Get the no of txs.
	399	*
	400	* \param alproto The app protocol.
	401	* \param alstate App state.
	402	*
	403	* \retval A positive integer value indicating the no of txs.
	404	*/
	405	uint64_t AppLayerGetTxCnt(uint16_t alproto, void *alstate);
	406
	407	/**
	408	* \brief Get a tx referenced by the id.
	409	*
	410	* \param alproto The app protocol
	411	* \param alstate App state.
	412	* \param tx_id The transaction id.
	413	*
	414	* \retval Tx instance.
	415	*/
	416	void AppLayerGetTx(uint16_t alproto, void alstate, uint64_t tx_id);
	417
	418	/**
	419	* \brief Get the state value for the following alproto, that corresponds to
	420	* COMPLETE or DONE.
	421	*
	422	* \param alproto The app protocol.
	423	* \param direction The direction. 0 - ts, 1 - tc.
	424	*
	425	* \retval An integer value indicating the state value.
	426	*/
	427	int AppLayerGetAlstateProgressCompletionStatus(uint16_t alproto, uint8_t direction);
	428
	429	/**
430	* \brief Informs if the alproto supports transactions or not.
431	*
432	* \param alproto The app protocol.
433	* \param direction The direction. 0 - ts, 1 - tc.
434	*
435	* \retval 1 If true; 0 If false.
436	*/
437	int AppLayerAlprotoSupportsTxs(uint16_t alproto);
438
6cb00142 AS	439	/**
	440	* \brief Triggers raw reassembly.
	441	*
	442	* \param f Flow pointer.
	443	*/
16cfae2f VJ	444	void AppLayerTriggerRawStreamReassembly(Flow *);
16cfae2f VJ	445
6cb00142 AS	446	/**
	447	* \brief Informs if the specified alproto's parser is enabled.
	448	*
	449	* \param alproto Character string holding the alproto name.
	450	*/
ddde572f	451	int AppLayerParserEnabled(const char *alproto);
6cb00142 AS	452
	453	/**
	454	* \brief Informs if the specified alproto has detection enabled.
	455	*
	456	* \param alproto Character string holding the alproto name.
	457	*/
ddde572f	458	int AppLayerProtoDetectionEnabled(const char *alproto);
6cb00142 AS	459
	460	/**
	461	* \brief Gets event info for this alproto.
	462	*
	463	* \param alproto Character string holding the alproto name.
	464	* \param event_name Name of the event.
	465	* \param event_id Pointer to an instance to send back event id.
	466	*/
5e2d9dbd AS	467	int AppLayerGetEventInfo(uint16_t alproto, const char *event_name,
5e2d9dbd AS	468	int event_id, AppLayerEventType event_type);
6cb00142 AS	469
	470	/*** Utility ***/
	471
6f8cfd99 AS	472	void AppLayerParseProbingParserPorts(const char *al_proto_name, uint16_t al_proto,
6f8cfd99 AS	473	uint16_t min_depth, uint16_t max_depth,
8e8bc490	474	ProbingParserFPtr ProbingParser);
ddde572f	475
6cb00142 AS	476
	477	/*** Unittests ***/
	478
5e2d9dbd AS	479	/**
	480	* \brief Backup al_proto_table.
	481	*
	482	* Currently we backup only the event table. Feel free to backup
	483	* other stuff as and when required.
	484	*/
6cb00142 AS	485	void AppLayerParserBackupAlprotoTable(void);
	486	void AppLayerParserRestoreAlprotoTable(void);
	487
8e10844f	488	#endif /* __APP_LAYER_PARSER_H__ */