[people/ms/suricata.git] / src / app-layer-smtp.h
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18 /**
19 * \file
20 *
21 * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22 */
23
24 #ifndef __APP_LAYER_SMTP_H__
25 #define __APP_LAYER_SMTP_H__
26
27 #include "decode-events.h"
28 #include "util-decode-mime.h"
29 #include "queue.h"
30 #include "util-streaming-buffer.h"
31 #include "rust.h"
32
33 enum { /* SMTP decoder events. Values are implicit (0, 1, 2, ... in declaration order), so inserting or reordering an entry renumbers every later one. */
34 SMTP_DECODER_EVENT_INVALID_REPLY,
35 SMTP_DECODER_EVENT_UNABLE_TO_MATCH_REPLY_WITH_REQUEST,
36 SMTP_DECODER_EVENT_MAX_COMMAND_LINE_LEN_EXCEEDED, /* NOTE(review): the ..._LEN_EXCEEDED events look like the parser's reaction to over-long peer input; the limits themselves are not in this header */
37 SMTP_DECODER_EVENT_MAX_REPLY_LINE_LEN_EXCEEDED,
38 SMTP_DECODER_EVENT_INVALID_PIPELINED_SEQUENCE,
39 SMTP_DECODER_EVENT_BDAT_CHUNK_LEN_EXCEEDED,
40 SMTP_DECODER_EVENT_NO_SERVER_WELCOME_MESSAGE,
41 SMTP_DECODER_EVENT_TLS_REJECTED,
42 SMTP_DECODER_EVENT_DATA_COMMAND_REJECTED,
43
44 /* MIME events. NOTE(review): presumably raised from anomalies reported by the MIME decoder -- confirm in the .c file */
45 SMTP_DECODER_EVENT_MIME_PARSE_FAILED,
46 SMTP_DECODER_EVENT_MIME_MALFORMED_MSG,
47 SMTP_DECODER_EVENT_MIME_INVALID_BASE64,
48 SMTP_DECODER_EVENT_MIME_INVALID_QP,
49 SMTP_DECODER_EVENT_MIME_LONG_LINE,
50 SMTP_DECODER_EVENT_MIME_LONG_ENC_LINE,
51 SMTP_DECODER_EVENT_MIME_LONG_HEADER_NAME,
52 SMTP_DECODER_EVENT_MIME_LONG_HEADER_VALUE,
53 SMTP_DECODER_EVENT_MIME_BOUNDARY_TOO_LONG,
54 SMTP_DECODER_EVENT_MIME_LONG_FILENAME,
55
56 /* Invalid behavior or content */
57 SMTP_DECODER_EVENT_DUPLICATE_FIELDS,
58 SMTP_DECODER_EVENT_UNPARSABLE_CONTENT,
59 }; /* NOTE(review): if the .c file keeps a name table for these events (not visible here), it must be updated together with this enum */
60
61 typedef struct SMTPString_ { /* One pointer-plus-length byte string that can be linked into a TAILQ; SMTPTransaction.rcpt_to_list is a list of these. */
62 uint8_t *str; /**< string bytes. NOTE(review): ownership and NUL-termination are not visible here; bound every access by len */
63 uint16_t len; /**< length of str; the uint16_t type caps it at 65535, and assigning a wider length truncates silently, so range-check before storing */
64
65 TAILQ_ENTRY(SMTPString_) next; /**< list linkage */
66 } SMTPString;
67
68 typedef struct SMTPTransaction_ { /* Per-transaction SMTP state; instances are linked through `next`, and SMTPState.tx_list is a list of these. */
69 /** id of this tx, starting at 0 */
70 uint64_t tx_id;
71
72 AppLayerTxData tx_data; /**< per-tx data; the type is declared outside this header */
73
74 int done; /**< NOTE(review): presumably non-zero once the transaction is complete -- confirm against the parser */
75 /** the first message contained in the session */
76 MimeDecEntity *msg_head;
77 /** the last message contained in the session */
78 MimeDecEntity *msg_tail;
79 /** the mime decoding parser state */
80 MimeDecParseState *mime_state;
81
82 AppLayerDecoderEvents *decoder_events; /**< per tx events */
83
84 /* MAIL FROM parameters, stored as pointer plus explicit length. NOTE(review): ownership and NUL-termination are not visible here; bound accesses by mail_from_len */
85 uint8_t *mail_from;
86 uint16_t mail_from_len; /**< uint16_t caps the stored length at 65535; range-check wider lengths before assigning */
87
88 TAILQ_HEAD(, SMTPString_) rcpt_to_list; /**< rcpt to string list */
89
90 TAILQ_ENTRY(SMTPTransaction_) next; /**< list linkage */
91 } SMTPTransaction;
92
93 typedef struct SMTPConfig { /* SMTP parser configuration; this header also declares one global instance, smtp_config. */
94
95 int decode_mime; /**< NOTE(review): presumably a boolean enabling MIME decoding -- confirm */
96 MimeDecConfig mime_config; /**< MIME decoder settings; the type is declared outside this header */
97 uint32_t content_limit; /**< NOTE(review): units and the meaning of 0 (disabled vs. unlimited) are not visible here -- document them where the value is parsed */
98 uint32_t content_inspect_min_size; /**< NOTE(review): units not visible here -- confirm */
99 uint32_t content_inspect_window; /**< NOTE(review): units not visible here -- confirm */
100
101 int raw_extraction; /**< NOTE(review): presumably a boolean toggle -- confirm */
102
103 StreamingBufferConfig sbcfg; /**< streaming buffer configuration; the type is declared outside this header */
104 } SMTPConfig;
105
106 typedef struct SMTPState_ { /* SMTP parser state: transaction list, current input, line-reassembly buffers, command bookkeeping and extracted files. */
107 SMTPTransaction *curr_tx; /**< NOTE(review): presumably the transaction currently being parsed; may be NULL -- confirm */
108 TAILQ_HEAD(, SMTPTransaction_) tx_list; /**< transaction list */
109 uint64_t tx_cnt;
110 uint64_t toserver_data_count;
111 uint64_t toserver_last_data_stamp;
112
113 /* current input that is being parsed */
114 const uint8_t *input;
115 int32_t input_len; /**< signed: reject negative values before using it as a size or converting it to an unsigned type */
116 uint8_t direction;
117
118 /* --parser details-- */
119 /** current line extracted by the parser from the call to SMTPGetline() */
120 const uint8_t *current_line;
121 /** length of the line in current_line. Doesn't include the delimiter. Signed: check for negative values before use as a size */
122 int32_t current_line_len;
123 uint8_t current_line_delimiter_len;
124
125 /** malloced buffer used when a line is fragmented. NOTE(review): the flag telling
126 * whether current_line points into it looks like tc_current_line_db -- confirm */
127 uint8_t *tc_db;
128 int32_t tc_db_len; /**< signed length of tc_db; check the sign and overflow when it grows */
129 uint8_t tc_current_line_db;
130 /** we have seen LF for the currently parsed line */
131 uint8_t tc_current_line_lf_seen;
132
133 /** malloced buffer used when a line is fragmented. NOTE(review): the flag telling
134 * whether current_line points into it looks like ts_current_line_db -- confirm */
135 uint8_t *ts_db;
136 int32_t ts_db_len; /**< signed length of ts_db; check the sign and overflow when it grows */
137 uint8_t ts_current_line_db;
138 /** we have seen LF for the currently parsed line */
139 uint8_t ts_current_line_lf_seen;
140
141 /** var to indicate parser state */
142 uint8_t parser_state;
143 /** current command in progress */
144 uint8_t current_command;
145 /** bdat chunk len. NOTE(review): presumably taken from the peer's BDAT command, so treat it as untrusted -- confirm where it is bounds-checked */
146 uint32_t bdat_chunk_len;
147 /** bdat chunk idx */
148 uint32_t bdat_chunk_idx;
149
150 /* the request commands are stored here and the reply handler uses these
151 * stored commands in the buffer to match the reply(ies) with the command */
152 /** the command buffer */
153 uint8_t *cmds;
154 /** the buffer length (uint16_t, so at most 65535) */
155 uint16_t cmds_buffer_len;
156 /** no of commands stored in the above buffer */
157 uint16_t cmds_cnt;
158 /** index of the command in the buffer, currently in inspection by reply
159 * handler. NOTE(review): the bounds check against cmds_cnt is not visible in this header */
160 uint16_t cmds_idx;
161
162 /* content of the HELO message, stored as length plus bytes. NOTE(review): NUL-termination not visible here; bound accesses by helo_len */
163 uint16_t helo_len;
164 uint8_t *helo;
165
166 /* SMTP Mime decoding and file extraction */
167 /** the list of files sent to the server */
168 FileContainer *files_ts;
169 uint32_t file_track_id;
170 } SMTPState;
171
172 /* Global SMTP configuration: only declared here (extern); the definition lives outside this header */
173 extern SMTPConfig smtp_config;
174
175 int SMTPProcessDataChunk(const uint8_t *chunk, uint32_t len, MimeDecParseState *state); /* chunk is passed as pointer plus length; NOTE(review): return convention and NULL handling are not visible here */
176 void *SMTPStateAlloc(void *orig_state, AppProto proto_orig); /* NOTE(review): presumably returns NULL on allocation failure -- callers should check */
177 void RegisterSMTPParsers(void);
178 void SMTPParserCleanup(void);
179 void SMTPParserRegisterTests(void);
180
181 #endif /* __APP_LAYER_SMTP_H__ */