void RegisterDCERPCUDPParsers(void) {
char *proto_name = "dcerpcudp";
- /** DCERPC */
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_UDP, ALPROTO_DCERPC_UDP, "|04 00|", 2, 0, STREAM_TOSERVER);
-
- AppLayerRegisterProto(proto_name, ALPROTO_DCERPC_UDP, STREAM_TOSERVER,
- DCERPCUDPParse);
- AppLayerRegisterProto(proto_name, ALPROTO_DCERPC_UDP, STREAM_TOCLIENT,
- DCERPCUDPParse);
- AppLayerRegisterStateFuncs(ALPROTO_DCERPC_UDP, DCERPCUDPStateAlloc,
- DCERPCUDPStateFree);
+ if (AppLayerProtoDetectionEnabled("dcerpc")) {
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_UDP, ALPROTO_DCERPC_UDP, "|04 00|", 2, 0, STREAM_TOSERVER);
+ } else {
+ SCLogInfo("Protocol detection and parser disabled for %s protocol.",
+ "dcerpc");
+ return;
+ }
+
+ if (AppLayerParserEnabled("dcerpc")) {
+ AppLayerRegisterProto(proto_name, ALPROTO_DCERPC_UDP, STREAM_TOSERVER,
+ DCERPCUDPParse);
+ AppLayerRegisterProto(proto_name, ALPROTO_DCERPC_UDP, STREAM_TOCLIENT,
+ DCERPCUDPParse);
+ AppLayerRegisterStateFuncs(ALPROTO_DCERPC_UDP, DCERPCUDPStateAlloc,
+ DCERPCUDPStateFree);
+ } else {
+ SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
+ "still on.", "dcerpc");
+ }
#ifdef UNITTESTS
AppLayerRegisterUnittests(ALPROTO_DCERPC_UDP, DCERPCUDPParserRegisterTests);
#endif
+
+ return;
}
/* UNITTESTS */
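Review bot: The parser-disabled message at the end of the hunk concatenates `"Protocol detection"` and `"still on."` with no separating space, so the log line reads "detectionstill on.", and "Parsed" should be "Parser"; `SCLogInfo("Parser disabled for %s protocol. Protocol detection " "still on.", "dcerpc");` fixes both. The same literal is repeated in the dcerpc, dnstcp, dnsudp, ftp, http, smb, smb2, smtp, ssh and tls hunks. The two gates here key on the literal "dcerpc" rather than on proto_name ("dcerpcudp"), which looks intentional since both transports presumably share one config entry, but a one-line comment such as `/* dcerpc over UDP is switched by the dcerpc config entry */` would stop the next reader from "fixing" it.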
void RegisterDCERPCParsers(void) {
char *proto_name = "dcerpc";
- /** DCERPC */
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_DCERPC, "|05 00|", 2, 0, STREAM_TOSERVER);
-
- AppLayerRegisterProto(proto_name, ALPROTO_DCERPC, STREAM_TOSERVER,
- DCERPCParseRequest);
- AppLayerRegisterProto(proto_name, ALPROTO_DCERPC, STREAM_TOCLIENT,
- DCERPCParseResponse);
- AppLayerRegisterStateFuncs(ALPROTO_DCERPC, DCERPCStateAlloc,
- DCERPCStateFree);
+ if (AppLayerProtoDetectionEnabled(proto_name)) {
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_DCERPC, "|05 00|", 2, 0, STREAM_TOSERVER);
+ } else {
+ SCLogInfo("Protocol detection and parser disabled for %s protocol.",
+ proto_name);
+ return;
+ }
+
+ if (AppLayerParserEnabled(proto_name)) {
+ AppLayerRegisterProto(proto_name, ALPROTO_DCERPC, STREAM_TOSERVER,
+ DCERPCParseRequest);
+ AppLayerRegisterProto(proto_name, ALPROTO_DCERPC, STREAM_TOCLIENT,
+ DCERPCParseResponse);
+ AppLayerRegisterStateFuncs(ALPROTO_DCERPC, DCERPCStateAlloc,
+ DCERPCStateFree);
+ } else {
+ SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
+ "still on.", proto_name);
+ }
#ifdef UNITTESTS
AppLayerRegisterUnittests(ALPROTO_DCERPC, DCERPCParserRegisterTests);
#endif
+
+ return;
}
/* UNITTESTS */
char *proto_name = "dnstcp";
/** DNS */
- AppLayerRegisterProto(proto_name, ALPROTO_DNS_TCP, STREAM_TOSERVER,
- DNSTCPRequestParse);
- AppLayerRegisterProto(proto_name, ALPROTO_DNS_TCP, STREAM_TOCLIENT,
- DNSTCPResponseParse);
- AppLayerRegisterStateFuncs(ALPROTO_DNS_TCP, DNSStateAlloc,
- DNSStateFree);
- AppLayerRegisterTxFreeFunc(ALPROTO_DNS_TCP,
- DNSStateTransactionFree);
-
- AppLayerRegisterGetEventsFunc(ALPROTO_DNS_TCP, DNSGetEvents);
- AppLayerRegisterHasEventsFunc(ALPROTO_DNS_TCP, DNSHasEvents);
-
- AppLayerRegisterGetTx(ALPROTO_DNS_TCP,
- DNSGetTx);
- AppLayerRegisterGetTxCnt(ALPROTO_DNS_TCP,
- DNSGetTxCnt);
- AppLayerRegisterGetAlstateProgressFunc(ALPROTO_DNS_TCP,
- DNSGetAlstateProgress);
- AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_DNS_TCP,
- DNSGetAlstateProgressCompletionStatus);
-
- AppLayerRegisterProbingParser(&alp_proto_ctx,
- IPPROTO_TCP,
- "53",
- proto_name,
- ALPROTO_DNS_TCP,
- 0, sizeof(DNSTcpHeader),
- STREAM_TOSERVER,
- DNSTcpProbingParser);
+ if (AppLayerProtoDetectionEnabled(proto_name)) {
+ AppLayerRegisterProbingParser(&alp_proto_ctx,
+ IPPROTO_TCP,
+ "53",
+ proto_name,
+ ALPROTO_DNS_TCP,
+ 0, sizeof(DNSTcpHeader),
+ STREAM_TOSERVER,
+ DNSTcpProbingParser);
+ } else {
+ SCLogInfo("Protocol detection and parser disabled for %s protocol.",
+ proto_name);
+ return;
+ }
+
+ if (AppLayerParserEnabled(proto_name)) {
+ AppLayerRegisterProto(proto_name, ALPROTO_DNS_TCP, STREAM_TOSERVER,
+ DNSTCPRequestParse);
+ AppLayerRegisterProto(proto_name, ALPROTO_DNS_TCP, STREAM_TOCLIENT,
+ DNSTCPResponseParse);
+ AppLayerRegisterStateFuncs(ALPROTO_DNS_TCP, DNSStateAlloc,
+ DNSStateFree);
+ AppLayerRegisterTxFreeFunc(ALPROTO_DNS_TCP,
+ DNSStateTransactionFree);
+
+ AppLayerRegisterGetEventsFunc(ALPROTO_DNS_TCP, DNSGetEvents);
+ AppLayerRegisterHasEventsFunc(ALPROTO_DNS_TCP, DNSHasEvents);
+
+ AppLayerRegisterGetTx(ALPROTO_DNS_TCP,
+ DNSGetTx);
+ AppLayerRegisterGetTxCnt(ALPROTO_DNS_TCP,
+ DNSGetTxCnt);
+ AppLayerRegisterGetAlstateProgressFunc(ALPROTO_DNS_TCP,
+ DNSGetAlstateProgress);
+ AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_DNS_TCP,
+ DNSGetAlstateProgressCompletionStatus);
+ } else {
+ SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
+ "still on.", proto_name);
+ }
DNSAppLayerDecoderEventsRegister(ALPROTO_DNS_TCP);
}
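Review bot: `DNSAppLayerDecoderEventsRegister(ALPROTO_DNS_TCP)` is left outside the parser-enabled block at the end of this hunk, whereas the dnsudp hunk moves the identical call inside its block, so the two transports now disagree on whether decoder events are registered in detection-only mode. The early `return` in the detection-disabled branch also skips the call here, so it runs in two of the three configurations but not the third. Pick one placement and apply it to both; moving it inside `if (AppLayerParserEnabled(proto_name)) {` as dnsudp does seems the intended reading, since the events are produced by the parser. The enclosing function's signature is above the hunk.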
char *proto_name = "dnsudp";
/** DNS */
- AppLayerRegisterProto(proto_name, ALPROTO_DNS_UDP, STREAM_TOSERVER,
- DNSUDPRequestParse);
- AppLayerRegisterProto(proto_name, ALPROTO_DNS_UDP, STREAM_TOCLIENT,
- DNSUDPResponseParse);
- AppLayerRegisterStateFuncs(ALPROTO_DNS_UDP, DNSStateAlloc,
- DNSStateFree);
- AppLayerRegisterTxFreeFunc(ALPROTO_DNS_UDP,
- DNSStateTransactionFree);
-
- AppLayerRegisterGetEventsFunc(ALPROTO_DNS_UDP, DNSGetEvents);
- AppLayerRegisterHasEventsFunc(ALPROTO_DNS_UDP, DNSHasEvents);
-
- AppLayerRegisterGetTx(ALPROTO_DNS_UDP,
- DNSGetTx);
- AppLayerRegisterGetTxCnt(ALPROTO_DNS_UDP,
- DNSGetTxCnt);
- AppLayerRegisterGetAlstateProgressFunc(ALPROTO_DNS_UDP,
- DNSGetAlstateProgress);
- AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_DNS_UDP,
- DNSGetAlstateProgressCompletionStatus);
-
- AppLayerRegisterProbingParser(&alp_proto_ctx,
- IPPROTO_UDP,
- "53",
- proto_name,
- ALPROTO_DNS_UDP,
- 0, sizeof(DNSHeader),
- STREAM_TOSERVER,
- DNSUdpProbingParser);
-
- DNSAppLayerDecoderEventsRegister(ALPROTO_DNS_UDP);
+ if (AppLayerProtoDetectionEnabled(proto_name)) {
+ AppLayerRegisterProbingParser(&alp_proto_ctx,
+ IPPROTO_UDP,
+ "53",
+ proto_name,
+ ALPROTO_DNS_UDP,
+ 0, sizeof(DNSHeader),
+ STREAM_TOSERVER,
+ DNSUdpProbingParser);
+ } else {
+ SCLogInfo("Protocol detection and parser disabled for %s protocol.",
+ proto_name);
+ return;
+ }
+
+ if (AppLayerParserEnabled(proto_name)) {
+ AppLayerRegisterProto(proto_name, ALPROTO_DNS_UDP, STREAM_TOSERVER,
+ DNSUDPRequestParse);
+ AppLayerRegisterProto(proto_name, ALPROTO_DNS_UDP, STREAM_TOCLIENT,
+ DNSUDPResponseParse);
+ AppLayerRegisterStateFuncs(ALPROTO_DNS_UDP, DNSStateAlloc,
+ DNSStateFree);
+ AppLayerRegisterTxFreeFunc(ALPROTO_DNS_UDP,
+ DNSStateTransactionFree);
+
+ AppLayerRegisterGetEventsFunc(ALPROTO_DNS_UDP, DNSGetEvents);
+ AppLayerRegisterHasEventsFunc(ALPROTO_DNS_UDP, DNSHasEvents);
+
+ AppLayerRegisterGetTx(ALPROTO_DNS_UDP,
+ DNSGetTx);
+ AppLayerRegisterGetTxCnt(ALPROTO_DNS_UDP,
+ DNSGetTxCnt);
+ AppLayerRegisterGetAlstateProgressFunc(ALPROTO_DNS_UDP,
+ DNSGetAlstateProgress);
+ AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_DNS_UDP,
+ DNSGetAlstateProgressCompletionStatus);
+
+ DNSAppLayerDecoderEventsRegister(ALPROTO_DNS_UDP);
+ } else {
+ SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
+ "still on.", proto_name);
+ }
}
/* UNITTESTS */
#endif
}
-
void RegisterFTPParsers(void) {
char *proto_name = "ftp";
/** FTP */
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_FTP, "USER ", 5, 0, STREAM_TOSERVER);
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_FTP, "PASS ", 5, 0, STREAM_TOSERVER);
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_FTP, "PORT ", 5, 0, STREAM_TOSERVER);
-
- AppLayerRegisterProto(proto_name, ALPROTO_FTP, STREAM_TOSERVER,
- FTPParseRequest);
- AppLayerRegisterProto(proto_name, ALPROTO_FTP, STREAM_TOCLIENT,
- FTPParseResponse);
- AppLayerRegisterParser("ftp.request_command_line", ALPROTO_FTP,
- FTP_FIELD_REQUEST_LINE, FTPParseRequestCommandLine,
- "ftp");
- AppLayerRegisterStateFuncs(ALPROTO_FTP, FTPStateAlloc, FTPStateFree);
+ if (AppLayerProtoDetectionEnabled(proto_name)) {
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_FTP, "USER ", 5, 0, STREAM_TOSERVER);
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_FTP, "PASS ", 5, 0, STREAM_TOSERVER);
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_FTP, "PORT ", 5, 0, STREAM_TOSERVER);
+ }
+
+ if (AppLayerParserEnabled(proto_name)) {
+ AppLayerRegisterProto(proto_name, ALPROTO_FTP, STREAM_TOSERVER,
+ FTPParseRequest);
+ AppLayerRegisterProto(proto_name, ALPROTO_FTP, STREAM_TOCLIENT,
+ FTPParseResponse);
+ AppLayerRegisterParser("ftp.request_command_line", ALPROTO_FTP,
+ FTP_FIELD_REQUEST_LINE, FTPParseRequestCommandLine,
+ "ftp");
+ AppLayerRegisterStateFuncs(ALPROTO_FTP, FTPStateAlloc, FTPStateFree);
+ } else {
+ SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
+ "still on.", proto_name);
+ }
#ifdef UNITTESTS
AppLayerRegisterUnittests(ALPROTO_FTP, FTPParserRegisterTests);
#endif
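Review bot: The detection-disabled branch of the FTP gate has no `else`, unlike every other module in this commit, so with detection switched off the parser and its state functions are still registered and nothing is logged. Add the same `else { SCLogInfo("Protocol detection and parser disabled for %s protocol.", proto_name); return; }` the other modules use, or leave a comment stating why ftp deliberately keeps a parser registered without a detection pattern. The function's closing brace is below the hunk.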
{
SCEnter();
+ if (!AppLayerProtoDetectionEnabled("http") || !AppLayerParserEnabled("http"))
+ SCReturn;
+
HTPCfgRec *nextrec = cfglist.next;
SCRadixReleaseRadixTree(cfgtree);
cfgtree = NULL;
}
SCLogDebug("LIBHTP default config: %p", cfglist.cfg);
HTPConfigSetDefaultsPhase1(&cfglist);
- HTPConfigParseParameters(&cfglist, ConfGetNode("libhtp.default-config"),
- cfgtree);
+ if (ConfGetNode("app-layer.protocols.http.libhtp") == NULL) {
+ HTPConfigParseParameters(&cfglist, ConfGetNode("libhtp.default-config"),
+ cfgtree);
+ } else {
+ HTPConfigParseParameters(&cfglist, ConfGetNode("app-layer.protocols.http.libhtp.default-config"), cfgtree);
+ }
HTPConfigSetDefaultsPhase2(&cfglist);
/* Read server config and create a parser for each IP in radix tree */
- ConfNode *server_config = ConfGetNode("libhtp.server-config");
+ ConfNode *server_config = ConfGetNode("app-layer.protocols.http.libhtp.server-config");
+ if (server_config == NULL) {
+ server_config = ConfGetNode("libhtp.server-config");
+ if (server_config == NULL) {
+ SCLogDebug("LIBHTP Configuring %p", server_config);
+ SCReturn;
+ }
+ }
SCLogDebug("LIBHTP Configuring %p", server_config);
- if (server_config == NULL)
- SCReturn;
ConfNode *si;
/* Server Nodes */
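Review bot: In the server-config fallback, `SCLogDebug("LIBHTP Configuring %p", server_config);` sits on the `server_config == NULL` path, so the debug log always prints a NULL pointer right before returning, and the unchanged line below prints the real pointer when one exists; the inner message should say what happened instead, e.g. `SCLogDebug("LIBHTP no server-config found, skipping");`. The default-config selection keys on the existence of `app-layer.protocols.http.libhtp` rather than of `app-layer.protocols.http.libhtp.default-config`, so a config with a libhtp section but no default-config hands a NULL node to HTPConfigParseParameters — the legacy path did the same when `libhtp.default-config` was absent, so presumably tolerated, but a comment saying so would help. This hunk is in the middle of a function (presumably HTPConfigure) whose start and end are outside the hunk.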
char *proto_name = "http";
/** HTTP */
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "GET|20|", 4, 0, STREAM_TOSERVER);
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "GET|09|", 4, 0, STREAM_TOSERVER);
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "PUT|20|", 4, 0, STREAM_TOSERVER);
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "PUT|09|", 4, 0, STREAM_TOSERVER);
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "POST|20|", 5, 0, STREAM_TOSERVER);
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "POST|09|", 5, 0, STREAM_TOSERVER);
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "HEAD|20|", 5, 0, STREAM_TOSERVER);
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "HEAD|09|", 5, 0, STREAM_TOSERVER);
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "TRACE|20|", 6, 0, STREAM_TOSERVER);
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "TRACE|09|", 6, 0, STREAM_TOSERVER);
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "OPTIONS|20|", 8, 0, STREAM_TOSERVER);
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "OPTIONS|09|", 8, 0, STREAM_TOSERVER);
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "CONNECT|20|", 8, 0, STREAM_TOSERVER);
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "CONNECT|09|", 8, 0, STREAM_TOSERVER);
-
- AppLayerRegisterStateFuncs(ALPROTO_HTTP, HTPStateAlloc, HTPStateFree);
- AppLayerRegisterTxFreeFunc(ALPROTO_HTTP, HTPStateTransactionFree);
- AppLayerRegisterGetFilesFunc(ALPROTO_HTTP, HTPStateGetFiles);
- AppLayerRegisterGetAlstateProgressFunc(ALPROTO_HTTP, HTPStateGetAlstateProgress);
- AppLayerRegisterGetTxCnt(ALPROTO_HTTP, HTPStateGetTxCnt);
- AppLayerRegisterGetTx(ALPROTO_HTTP, HTPStateGetTx);
- AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_HTTP,
- HTPStateGetAlstateProgressCompletionStatus);
-
- AppLayerDecoderEventsModuleRegister(ALPROTO_HTTP, http_decoder_event_table);
-
- AppLayerRegisterTruncateFunc(ALPROTO_HTTP, HTPStateTruncate);
-
- AppLayerRegisterProto(proto_name, ALPROTO_HTTP, STREAM_TOSERVER,
- HTPHandleRequestData);
- AppLayerRegisterProto(proto_name, ALPROTO_HTTP, STREAM_TOCLIENT,
- HTPHandleResponseData);
+ if (AppLayerProtoDetectionEnabled(proto_name)) {
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "GET|20|", 4, 0, STREAM_TOSERVER);
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "GET|09|", 4, 0, STREAM_TOSERVER);
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "PUT|20|", 4, 0, STREAM_TOSERVER);
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "PUT|09|", 4, 0, STREAM_TOSERVER);
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "POST|20|", 5, 0, STREAM_TOSERVER);
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "POST|09|", 5, 0, STREAM_TOSERVER);
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "HEAD|20|", 5, 0, STREAM_TOSERVER);
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "HEAD|09|", 5, 0, STREAM_TOSERVER);
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "TRACE|20|", 6, 0, STREAM_TOSERVER);
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "TRACE|09|", 6, 0, STREAM_TOSERVER);
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "OPTIONS|20|", 8, 0, STREAM_TOSERVER);
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "OPTIONS|09|", 8, 0, STREAM_TOSERVER);
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "CONNECT|20|", 8, 0, STREAM_TOSERVER);
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "CONNECT|09|", 8, 0, STREAM_TOSERVER);
+ } else {
+ SCLogInfo("Protocol detection and parser disabled for %s protocol",
+ proto_name);
+ return;
+ }
+
+ if (AppLayerParserEnabled(proto_name)) {
+ AppLayerRegisterStateFuncs(ALPROTO_HTTP, HTPStateAlloc, HTPStateFree);
+ AppLayerRegisterTxFreeFunc(ALPROTO_HTTP, HTPStateTransactionFree);
+ AppLayerRegisterGetFilesFunc(ALPROTO_HTTP, HTPStateGetFiles);
+ AppLayerRegisterGetAlstateProgressFunc(ALPROTO_HTTP, HTPStateGetAlstateProgress);
+ AppLayerRegisterGetTxCnt(ALPROTO_HTTP, HTPStateGetTxCnt);
+ AppLayerRegisterGetTx(ALPROTO_HTTP, HTPStateGetTx);
+ AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_HTTP,
+ HTPStateGetAlstateProgressCompletionStatus);
+
+ AppLayerDecoderEventsModuleRegister(ALPROTO_HTTP, http_decoder_event_table);
+
+ AppLayerRegisterTruncateFunc(ALPROTO_HTTP, HTPStateTruncate);
+
+ AppLayerRegisterProto(proto_name, ALPROTO_HTTP, STREAM_TOSERVER,
+ HTPHandleRequestData);
+ AppLayerRegisterProto(proto_name, ALPROTO_HTTP, STREAM_TOCLIENT,
+ HTPHandleResponseData);
+ SC_ATOMIC_INIT(htp_config_flags);
+ HTPConfigure();
+ } else {
+ SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
+ "still on.", proto_name);
+ }
#ifdef UNITTESTS
AppLayerRegisterUnittests(ALPROTO_HTTP, HTPParserRegisterTests);
#endif
- SC_ATOMIC_INIT(htp_config_flags);
- HTPConfigure();
SCReturn;
}
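Review bot: `SC_ATOMIC_INIT(htp_config_flags);` and `HTPConfigure();` now run only inside the parser-enabled block, but `AppLayerRegisterUnittests(ALPROTO_HTTP, HTPParserRegisterTests)` below it still runs in detection-only mode; if those tests exercise the HTP config, which is likely given they are registered for the same alproto, they will run against an uninitialized `htp_config_flags` and an unconfigured `cfglist`. Either move the unittest registration into the parser-enabled block or have the tests call `HTPConfigure()` themselves — I cannot see the test file from here, so confirm which. Minor: the detection-disabled message in this hunk (`"... disabled for %s protocol"`) lacks the trailing period every other module uses; the tls hunk has the same omission.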
#include "app-layer-dns-udp.h"
#include "app-layer-dns-tcp.h"
+#include "conf.h"
#include "util-spm.h"
#include "util-debug.h"
RegisterDNSTCPParsers();
/** IMAP */
- //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_IMAP, "|2A 20|OK|20|", 5, 0, STREAM_TOCLIENT);
- AlpProtoAdd(&alp_proto_ctx, "imap", IPPROTO_TCP, ALPROTO_IMAP, "1|20|capability", 12, 0, STREAM_TOSERVER);
+ if (AppLayerProtoDetectionEnabled("imap")) {
+ //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_IMAP, "|2A 20|OK|20|", 5, 0, STREAM_TOCLIENT);
+ AlpProtoAdd(&alp_proto_ctx, "imap", IPPROTO_TCP, ALPROTO_IMAP, "1|20|capability", 12, 0, STREAM_TOSERVER);
+ } else {
+ SCLogInfo("Protocol detection and parser disabled for %s protocol.",
+ "imap");
+ return;
+ }
/** MSN Messenger */
- //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_MSN, "MSNP", 10, 6, STREAM_TOCLIENT);
- AlpProtoAdd(&alp_proto_ctx, "msn", IPPROTO_TCP, ALPROTO_MSN, "MSNP", 10, 6, STREAM_TOSERVER);
+ if (AppLayerProtoDetectionEnabled("msn")) {
+ //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_MSN, "MSNP", 10, 6, STREAM_TOCLIENT);
+ AlpProtoAdd(&alp_proto_ctx, "msn", IPPROTO_TCP, ALPROTO_MSN, "MSNP", 10, 6, STREAM_TOSERVER);
+ } else {
+ SCLogInfo("Protocol detection and parser disabled for %s protocol.",
+ "msn");
+ return;
+ }
/** Jabber */
- //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_JABBER, "xmlns='jabber|3A|client'", 74, 53, STREAM_TOCLIENT);
- //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_JABBER, "xmlns='jabber|3A|client'", 74, 53, STREAM_TOSERVER);
+ if (AppLayerProtoDetectionEnabled("jabber")) {
+ //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_JABBER, "xmlns='jabber|3A|client'", 74, 53, STREAM_TOCLIENT);
+ //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_JABBER, "xmlns='jabber|3A|client'", 74, 53, STREAM_TOSERVER);
+ } else {
+ SCLogInfo("Protocol detection disabled for %s protocol and as a "
+ "consequence the conf param \"app-layer.protocols.%s."
+ "parser-enabled\" will now be ignored.", "jabber", "jabber");
+ return;
+ }
return;
}
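Review bot: Each disabled-protocol branch in this hunk ends with `return;`, but imap, msn and jabber are registered sequentially in one function, so setting `app-layer.protocols.imap.enabled: no` silently skips msn and jabber (and anything registered after them) as well. Drop the `return;` from the three else branches so a disabled entry only logs and the remaining registrations still run. The jabber message also refers to a conf param `app-layer.protocols.%s.parser-enabled`, while the new AppLayerParserEnabled helper reads `app-layer.protocols.<proto>.enabled`, so the text points users at a key that is never read; reword it to the `.enabled` key and its `detection-only` value. The enclosing function's signature is above the hunk.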
}
}
+/*************************App Layer Conf Options Parsing***********************/
+/**
+ * \brief Given a protocol name, checks if the parser is enabled in the
+ * conf file.
+ *
+ * \param al_proto Name of the app layer protocol.
+ *
+ * \retval 1 If enabled.
+ * \retval 0 If disabled.
+ */
+int AppLayerParserEnabled(const char *al_proto)
+{
+ int enabled = 1;
+
+ char param[100];
+ int r = snprintf(param, sizeof(param), "%s%s%s", "app-layer.protocols.",
+ al_proto, ".enabled");
+ if (r < 0) {
+ SCLogError(SC_ERR_FATAL, "snprintf failure.");
+ exit(EXIT_FAILURE);
+ } else if (r > (int)sizeof(param)) {
+ SCLogError(SC_ERR_FATAL, "buffer not big enough to write param.");
+ exit(EXIT_FAILURE);
+ }
+
+ ConfNode *node = ConfGetNode(param);
+ if (node == NULL) {
+ SCLogInfo("Entry for %s not found.", param);
+ return enabled;
+ } else {
+ if (strcasecmp(node->val, "yes") == 0) {
+ enabled = 1;
+ } else if (strcasecmp(node->val, "no") == 0) {
+ enabled = 0;
+ } else if (strcasecmp(node->val, "detection-only") == 0) {
+ enabled = 0;
+ } else {
+ SCLogError(SC_ERR_FATAL, "Invalid value found for %s.", param);
+ exit(EXIT_FAILURE);
+ }
+ }
+
+ return enabled;
+}
+
+/**
+ * \brief Given a protocol name, checks if proto detection is enabled in the
+ * conf file.
+ *
+ * \param al_proto Name of the app layer protocol.
+ *
+ * \retval 1 If enabled.
+ * \retval 0 If disabled.
+ */
+int AppLayerProtoDetectionEnabled(const char *al_proto)
+{
+ int enabled = 1;
+
+ char param[100];
+ int r = snprintf(param, sizeof(param), "%s%s%s", "app-layer.protocols.",
+ al_proto, ".enabled");
+ if (r < 0) {
+ SCLogError(SC_ERR_FATAL, "snprintf failure.");
+ exit(EXIT_FAILURE);
+ } else if (r > (int)sizeof(param)) {
+ SCLogError(SC_ERR_FATAL, "buffer not big enough to write param.");
+ exit(EXIT_FAILURE);
+ }
+
+ ConfNode *node = ConfGetNode(param);
+ if (node == NULL) {
+ SCLogInfo("Entry for %s not found.", param);
+ return enabled;
+ } else {
+ if (strcasecmp(node->val, "yes") == 0) {
+ enabled = 1;
+ } else if (strcasecmp(node->val, "no") == 0) {
+ enabled = 0;
+ } else if (strcasecmp(node->val, "detection-only") == 0) {
+ enabled = 1;
+ } else {
+ SCLogError(SC_ERR_FATAL, "Invalid value found for %s.", param);
+ exit(EXIT_FAILURE);
+ }
+ }
+
+ return enabled;
+}
+
/********************************Probing Parsers*******************************/
void AppLayerTriggerRawStreamReassembly(Flow *);
+int AppLayerParserEnabled(const char *alproto);
+int AppLayerProtoDetectionEnabled(const char *alproto);
+
#endif /* __APP_LAYER_PARSER_H__ */
void RegisterSMBParsers(void) {
char *proto_name = "smb";
- /** SMB */
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOSERVER);
-
- /** SMB2 */
- AlpProtoAdd(&alp_proto_ctx, "smb2", IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOSERVER);
-
- AppLayerRegisterProto(proto_name, ALPROTO_SMB, STREAM_TOSERVER, SMBParseRequest);
- AppLayerRegisterProto(proto_name, ALPROTO_SMB, STREAM_TOCLIENT, SMBParseResponse);
- AppLayerRegisterStateFuncs(ALPROTO_SMB, SMBStateAlloc, SMBStateFree);
+ if (AppLayerProtoDetectionEnabled(proto_name)) {
+ /** SMB */
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOSERVER);
+ /** SMB2 */
+ AlpProtoAdd(&alp_proto_ctx, "smb2", IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOSERVER);
+
+ AppLayerRegisterProbingParser(&alp_proto_ctx,
+ IPPROTO_TCP,
+ "139",
+ "smb",
+ ALPROTO_SMB,
+ SMB_PROBING_PARSER_MIN_DEPTH, 0,
+ STREAM_TOSERVER,
+ SMBProbingParser);
+ } else {
+ SCLogInfo("Protocol detection and parser disabled for %s protocol.",
+ proto_name);
+ return;
+ }
+
+ if (AppLayerParserEnabled(proto_name)) {
+ AppLayerRegisterProto(proto_name, ALPROTO_SMB, STREAM_TOSERVER, SMBParseRequest);
+ AppLayerRegisterProto(proto_name, ALPROTO_SMB, STREAM_TOCLIENT, SMBParseResponse);
+ AppLayerRegisterStateFuncs(ALPROTO_SMB, SMBStateAlloc, SMBStateFree);
+ } else {
+ SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
+ "still on.", proto_name);
+ }
- AppLayerRegisterProbingParser(&alp_proto_ctx,
- IPPROTO_TCP,
- "139",
- "smb",
- ALPROTO_SMB,
- SMB_PROBING_PARSER_MIN_DEPTH, 0,
- STREAM_TOSERVER,
- SMBProbingParser);
#ifdef UNITTESTS
AppLayerRegisterUnittests(ALPROTO_SMB, SMBParserRegisterTests);
#endif
}
void RegisterSMB2Parsers(void) {
- AppLayerRegisterProto("smb", ALPROTO_SMB2, STREAM_TOSERVER, SMB2Parse);
- AppLayerRegisterProto("smb", ALPROTO_SMB2, STREAM_TOCLIENT, SMB2Parse);
- AppLayerRegisterStateFuncs(ALPROTO_SMB2, SMB2StateAlloc, SMB2StateFree);
+ /** SMB2 */
+ char *proto_name = "smb2";
+
+ if (AppLayerProtoDetectionEnabled(proto_name)) {
+ AppLayerRegisterProto(proto_name, ALPROTO_SMB2, STREAM_TOSERVER, SMB2Parse);
+ AppLayerRegisterProto(proto_name, ALPROTO_SMB2, STREAM_TOCLIENT, SMB2Parse);
+ AppLayerRegisterStateFuncs(ALPROTO_SMB2, SMB2StateAlloc, SMB2StateFree);
+ } else {
+ SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
+ "still on.", proto_name);
+ }
+
#ifdef UNITTESTS
AppLayerRegisterUnittests(ALPROTO_SMB2, SMB2ParserRegisterTests);
#endif
+ return;
}
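Review bot: The gate in RegisterSMB2Parsers uses `AppLayerProtoDetectionEnabled(proto_name)` to guard parser registration, and its else branch claims the parser is disabled while detection stays on, which is only the case when AppLayerParserEnabled returns 0; the condition should read `if (AppLayerParserEnabled(proto_name)) {`. There is no smb2 detection gate at all: the `|fe|SMB` pattern is added in the smb hunk under `AppLayerProtoDetectionEnabled("smb")`, so `app-layer.protocols.smb2.enabled: no` leaves smb2 detection active while `smb.enabled: no` silently removes it. Either move that `AlpProtoAdd` here under an `AppLayerProtoDetectionEnabled(proto_name)` check, or document in both functions that smb2 detection is controlled by the smb entry.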
/* UNITTESTS */
{
char *proto_name = "smtp";
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SMTP, "EHLO", 4, 0,
- STREAM_TOSERVER);
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SMTP, "HELO", 4, 0,
- STREAM_TOSERVER);
+ if (AppLayerProtoDetectionEnabled(proto_name)) {
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SMTP, "EHLO", 4, 0,
+ STREAM_TOSERVER);
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SMTP, "HELO", 4, 0,
+ STREAM_TOSERVER);
+ } else {
+ SCLogInfo("Protocol detection and parser disabled for %s protocol.",
+ proto_name);
+ return;
+ }
- AppLayerRegisterStateFuncs(ALPROTO_SMTP, SMTPStateAlloc, SMTPStateFree);
+ if (AppLayerParserEnabled(proto_name)) {
+ AppLayerRegisterStateFuncs(ALPROTO_SMTP, SMTPStateAlloc, SMTPStateFree);
- AppLayerRegisterProto(proto_name, ALPROTO_SMTP, STREAM_TOSERVER,
- SMTPParseClientRecord);
- AppLayerRegisterProto(proto_name, ALPROTO_SMTP, STREAM_TOCLIENT,
- SMTPParseServerRecord);
- AppLayerDecoderEventsModuleRegister(ALPROTO_SMTP, smtp_decoder_event_table);
+ AppLayerRegisterProto(proto_name, ALPROTO_SMTP, STREAM_TOSERVER,
+ SMTPParseClientRecord);
+ AppLayerRegisterProto(proto_name, ALPROTO_SMTP, STREAM_TOCLIENT,
+ SMTPParseServerRecord);
+ AppLayerDecoderEventsModuleRegister(ALPROTO_SMTP, smtp_decoder_event_table);
- AppLayerRegisterLocalStorageFunc(ALPROTO_SMTP, SMTPLocalStorageAlloc,
- SMTPLocalStorageFree);
+ AppLayerRegisterLocalStorageFunc(ALPROTO_SMTP, SMTPLocalStorageAlloc,
+ SMTPLocalStorageFree);
+ } else {
+ SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
+ "still on.", proto_name);
+ }
SMTPSetMpmState();
char *proto_name = "ssh";
/** SSH */
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SSH, "SSH-", 4, 0, STREAM_TOSERVER);
+ if (AppLayerProtoDetectionEnabled(proto_name)) {
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SSH, "SSH-", 4, 0, STREAM_TOSERVER);
+ } else {
+ SCLogInfo("Protocol detection and parser disabled for %s protocol.",
+ proto_name);
+ return;
+ }
- AppLayerRegisterProto(proto_name, ALPROTO_SSH, STREAM_TOCLIENT,
- SSHParseServerRecord);
- AppLayerRegisterProto(proto_name, ALPROTO_SSH, STREAM_TOSERVER,
- SSHParseClientRecord);
+ if (AppLayerParserEnabled(proto_name)) {
+ AppLayerRegisterProto(proto_name, ALPROTO_SSH, STREAM_TOCLIENT,
+ SSHParseServerRecord);
+ AppLayerRegisterProto(proto_name, ALPROTO_SSH, STREAM_TOSERVER,
+ SSHParseClientRecord);
+ AppLayerRegisterStateFuncs(ALPROTO_SSH, SSHStateAlloc, SSHStateFree);
+ } else {
+ SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
+ "still on.", proto_name);
+ }
- AppLayerRegisterStateFuncs(ALPROTO_SSH, SSHStateAlloc, SSHStateFree);
#ifdef UNITTESTS
AppLayerRegisterUnittests(ALPROTO_SSH, SSHParserRegisterTests);
#endif
char *proto_name = "tls";
/** SSLv2 and SSLv23*/
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 00 02|", 5, 2, STREAM_TOSERVER);
- /* subsection - SSLv2 style record by client, but informing the server the max
- * version it supports */
- /* Updated by Anoop Saldanha. Disabled it for now. We'll get back to it
- * after some tests */
- //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|01 03 00|", 5, 2, STREAM_TOSERVER);
- //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|00 02|", 7, 5, STREAM_TOCLIENT);
-
- /** SSLv3 */
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 00|", 3, 0, STREAM_TOSERVER);
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 00|", 3, 0, STREAM_TOSERVER); /* client hello */
+ if (AppLayerProtoDetectionEnabled(proto_name)) {
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 00 02|", 5, 2, STREAM_TOSERVER);
+ /* subsection - SSLv2 style record by client, but informing the server the max
+ * version it supports */
+ /* Updated by Anoop Saldanha. Disabled it for now. We'll get back to it
+ * after some tests */
+ //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|01 03 00|", 5, 2, STREAM_TOSERVER);
+ //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|00 02|", 7, 5, STREAM_TOCLIENT);
+
+ /** SSLv3 */
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 00|", 3, 0, STREAM_TOSERVER);
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 00|", 3, 0, STREAM_TOSERVER); /* client hello */
/** TLSv1 */
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 01|", 3, 0, STREAM_TOSERVER);
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 01|", 3, 0, STREAM_TOSERVER); /* client hello */
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 01|", 3, 0, STREAM_TOSERVER);
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 01|", 3, 0, STREAM_TOSERVER); /* client hello */
/** TLSv1.1 */
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 02|", 3, 0, STREAM_TOSERVER);
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 02|", 3, 0, STREAM_TOSERVER); /* client hello */
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 02|", 3, 0, STREAM_TOSERVER);
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 02|", 3, 0, STREAM_TOSERVER); /* client hello */
/** TLSv1.2 */
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 03|", 3, 0, STREAM_TOSERVER);
- AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 03|", 3, 0, STREAM_TOSERVER); /* client hello */
-
- AppLayerRegisterProto(proto_name, ALPROTO_TLS, STREAM_TOSERVER,
- SSLParseClientRecord);
-
- AppLayerRegisterProto(proto_name, ALPROTO_TLS, STREAM_TOCLIENT,
- SSLParseServerRecord);
- AppLayerDecoderEventsModuleRegister(ALPROTO_TLS, tls_decoder_event_table);
-
- AppLayerRegisterStateFuncs(ALPROTO_TLS, SSLStateAlloc, SSLStateFree);
-
- AppLayerRegisterProbingParser(&alp_proto_ctx,
- IPPROTO_TCP,
- "443",
- proto_name,
- ALPROTO_TLS,
- 0, 3,
- STREAM_TOSERVER,
- SSLProbingParser);
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 03|", 3, 0, STREAM_TOSERVER);
+ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 03|", 3, 0, STREAM_TOSERVER); /* client hello */
+
+ AppLayerRegisterProbingParser(&alp_proto_ctx,
+ IPPROTO_TCP,
+ "443",
+ proto_name,
+ ALPROTO_TLS,
+ 0, 3,
+ STREAM_TOSERVER,
+ SSLProbingParser);
+ } else {
+ SCLogInfo("Protocol detection and parser disabled for %s protocol",
+ proto_name);
+ return;
+ }
+
+ if (AppLayerParserEnabled(proto_name)) {
+ AppLayerRegisterProto(proto_name, ALPROTO_TLS, STREAM_TOSERVER,
+ SSLParseClientRecord);
+
+ AppLayerRegisterProto(proto_name, ALPROTO_TLS, STREAM_TOCLIENT,
+ SSLParseServerRecord);
+ AppLayerDecoderEventsModuleRegister(ALPROTO_TLS, tls_decoder_event_table);
+
+ AppLayerRegisterStateFuncs(ALPROTO_TLS, SSLStateAlloc, SSLStateFree);
+
+ /* Get the value of no reassembly option from the config file */
+ if (ConfGetNode("app-layer.protocols.tls.no-reassemble") == NULL) {
+ if (ConfGetBool("tls.no-reassemble", &ssl_config.no_reassemble) != 1)
+ ssl_config.no_reassemble = 1;
+ } else {
+ if (ConfGetBool("app-layer.protocols.tls.no-reassemble", &ssl_config.no_reassemble) != 1)
+ ssl_config.no_reassemble = 1;
+ }
+ } else {
+ SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
+ "still on.", proto_name);
+ }
+
#ifdef UNITTESTS
AppLayerRegisterUnittests(ALPROTO_TLS, SSLParserRegisterTests);
#endif
de_ctx->mpm_matcher = DEFAULT_MPM;
de_ctx->flags |= DE_QUIET;
- s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
- "(msg:\"Test dns_query option\"; "
- "dns_query; content:\"google\"; nocase; sid:1;)");
+ s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
+ "(msg:\"Test dns_query option\"; "
+ "dns_query; content:\"google\"; nocase; sid:1;)");
if (s == NULL) {
goto end;
}
de_ctx->mpm_matcher = DEFAULT_MPM;
de_ctx->flags |= DE_QUIET;
- s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
+ s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.com\"; nocase; sid:1;)");
if (s == NULL) {
goto end;
}
- s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
+ s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.net\"; nocase; sid:2;)");
if (s == NULL) {
de_ctx->mpm_matcher = DEFAULT_MPM;
de_ctx->flags |= DE_QUIET;
- s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
+ s = DetectEngineAppendSig(de_ctx, "alert dnstcp any any -> any any "
"(msg:\"Test dns_query option\"; "
"content:\"google\"; nocase; dns_query; sid:1;)");
if (s == NULL) {
de_ctx->mpm_matcher = DEFAULT_MPM;
de_ctx->flags |= DE_QUIET;
- s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
+ s = DetectEngineAppendSig(de_ctx, "alert dnstcp any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google\"; nocase; sid:1;)");
if (s == NULL) {
de_ctx->mpm_matcher = DEFAULT_MPM;
de_ctx->flags |= DE_QUIET;
- s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
+ s = DetectEngineAppendSig(de_ctx, "alert dnstcp any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.com\"; nocase; sid:1;)");
if (s == NULL) {
goto end;
}
- s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
+ s = DetectEngineAppendSig(de_ctx, "alert dnstcp any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.net\"; nocase; sid:2;)");
if (s == NULL) {
de_ctx->mpm_matcher = DEFAULT_MPM;
de_ctx->flags |= DE_QUIET;
- s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
+ s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google\"; nocase; "
"pcre:\"/google\\.com$/i\"; sid:1;)");
if (s == NULL) {
goto end;
}
- s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
+ s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google\"; nocase; "
"pcre:\"/^\\.[a-z]{2,3}$/iR\"; sid:2;)");
de_ctx->mpm_matcher = DEFAULT_MPM;
de_ctx->flags |= DE_QUIET;
- s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
+ s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.com\"; nocase; sid:1;)");
if (s == NULL) {
goto end;
}
- s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
+ s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.net\"; nocase; sid:2;)");
if (s == NULL) {
goto end;
}
- s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
+ s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
"(msg:\"Test Z flag event\"; "
"app-layer-event:dns.z_flag_set; sid:3;)");
if (s == NULL) {
if (s->alproto == ALPROTO_UNKNOWN) {
SCLogError(SC_ERR_UNKNOWN_PROTOCOL, "protocol \"%s\" cannot be used "
- "in a signature", protostr);
+ "in a signature. Either detection for this protocol "
+ "supported yet OR detection has been disabled for "
+ "protocol through the yaml option "
+ "app-layer.protocols.%s.detection-enabled", protostr,
+ protostr);
SCReturnInt(-1);
}
}
}
}
}
+ }
+
+ if (s->alproto != ALPROTO_UNKNOWN) {
+ if (s->flags & SIG_FLAG_STATE_MATCH) {
+ if (al_proto_table[s->alproto].to_server == 0 ||
+ al_proto_table[s->alproto].to_client == 0) {
+ const char *proto_name = TmModuleAlprotoToString(s->alproto);
+ SCLogInfo("Signature uses options that need the app layer "
+ "parser for \"%s\", but the parser's disabled "
+ "for the protocol. Please check if you have "
+ "disabled it through the option "
+ "\"app-layer.protocols.%s.enabled\" or internally "
+ "there the parser has been disabled in the code. "
+ "Invalidating signature.", proto_name, proto_name);
+ SCReturnInt(0);
+ }
+ }
+
+
+
+
+
}
if (s->flags & SIG_FLAG_REQUIRE_PACKET) {
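Review bot: The new check at L868–L881 drops a signature from the ruleset but reports it with `SCLogInfo`, so a rule that silently stops matching is logged at the same level as routine startup chatter; since the function returns 0 here and the caller presumably discards the rule, this should go out through `SCLogWarning` or `SCLogError` with a suitable error code so operators notice missing coverage. The message added at L855–L859 is missing a verb ("Either detection for this protocol supported yet") and names a yaml key `app-layer.protocols.%s.detection-enabled` that the suricata.yaml section in this same diff does not define — it introduces a single `enabled` key taking yes/no/detection-only — so the text should read `"in a signature. Either detection for this protocol isn't supported yet OR detection has been disabled for the protocol through the yaml option app-layer.protocols.%s.enabled"`. The condition `to_server == 0 || to_client == 0` treats a protocol that only registers a parser in one direction as "parser disabled"; if any registered protocol legitimately has a single-direction parser (not visible here), all of its stateful rules would be invalidated, so confirm this against the registration table. The five blank lines at L883–L887 are leftover noise and should be removed. The enclosing function(s) start outside the hunk; the `SCReturnInt(-1)` path at L860 and the `SCReturnInt(0)` path at L880 look like they belong to different functions, so the two comments above may apply to different call sites.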
match-limit: 3500
match-limit-recursion: 1500
-###########################################################################
-# Configure libhtp.
-#
-#
-# default-config: Used when no server-config matches
-# personality: List of personalities used by default
-# request-body-limit: Limit reassembly of request body for inspection
-# by http_client_body & pcre /P option.
-# response-body-limit: Limit reassembly of response body for inspection
-# by file_data, http_server_body & pcre /Q option.
-# double-decode-path: Double decode path section of the URI
-# double-decode-query: Double decode query section of the URI
-#
-# server-config: List of server configurations to use if address matches
-# address: List of ip addresses or networks for this block
-# personalitiy: List of personalities used by this block
-# request-body-limit: Limit reassembly of request body for inspection
-# by http_client_body & pcre /P option.
-# response-body-limit: Limit reassembly of response body for inspection
-# by file_data, http_server_body & pcre /Q option.
-# double-decode-path: Double decode path section of the URI
-# double-decode-query: Double decode query section of the URI
-#
-# Currently Available Personalities:
-# Minimal
-# Generic
-# IDS (default)
-# IIS_4_0
-# IIS_5_0
-# IIS_5_1
-# IIS_6_0
-# IIS_7_0
-# IIS_7_5
-# Apache_2
-###########################################################################
-libhtp:
-
- default-config:
- personality: IDS
-
- # Can be specified in kb, mb, gb. Just a number indicates
- # it's in bytes.
- request-body-limit: 3072
- response-body-limit: 3072
-
- # inspection limits
- request-body-minimal-inspect-size: 32kb
- request-body-inspect-window: 4kb
- response-body-minimal-inspect-size: 32kb
- response-body-inspect-window: 4kb
-
- # decoding
- double-decode-path: no
- double-decode-query: no
-
- server-config:
-
- - apache:
- address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
- personality: Apache_2
- # Can be specified in kb, mb, gb. Just a number indicates
- # it's in bytes.
- request-body-limit: 4096
- response-body-limit: 4096
- double-decode-path: no
- double-decode-query: no
-
- - iis7:
- address:
- - 192.168.0.0/24
- - 192.168.10.0/24
- personality: IIS_7_0
- # Can be specified in kb, mb, gb. Just a number indicates
- # it's in bytes.
- request-body-limit: 4096
- response-body-limit: 4096
- double-decode-path: no
- double-decode-query: no
+# Holds details on the app-layer. The protocols section details each protocol.
+# Under each protocol, the default value for detection-enabled and "
+# parsed-enabled is yes, unless specified otherwise.
+# Each protocol covers enabling/disabling parsers for all ipprotos
+# the app-layer protocol runs on. For example "dcerpc" refers to the tcp
+# version of the protocol as well as the udp version of the protocol.
+# The option "enabled" takes 3 values - "yes", "no", "detection-only".
+# "yes" enables both detection and the parser, "no" disables both, and
+# "detection-only" enables detection only(parser disabled).
+app-layer:
+ protocols:
+ tls:
+ enabled: yes
+
+ #no-reassemble: yes
+ dcerpc:
+ enabled: yes
+ ftp:
+ enabled: yes
+ ssh:
+ enabled: yes
+ smtp:
+ enabled: yes
+ imap:
+ enabled: detection-only
+ msn:
+ enabled: detection-only
+ smb:
+ enabled: yes
+ # smb2 detection is disabled internally inside the engine.
+ #smb2:
+ # enabled: yes
+ http:
+ enabled: yes
+
+ ###########################################################################
+ # Configure libhtp.
+ #
+ #
+ # default-config: Used when no server-config matches
+ # personality: List of personalities used by default
+ # request-body-limit: Limit reassembly of request body for inspection
+ # by http_client_body & pcre /P option.
+ # response-body-limit: Limit reassembly of response body for inspection
+ # by file_data, http_server_body & pcre /Q option.
+ # double-decode-path: Double decode path section of the URI
+ # double-decode-query: Double decode query section of the URI
+ #
+ # server-config: List of server configurations to use if address matches
+ # address: List of ip addresses or networks for this block
+ # personalitiy: List of personalities used by this block
+ # request-body-limit: Limit reassembly of request body for inspection
+ # by http_client_body & pcre /P option.
+ # response-body-limit: Limit reassembly of response body for inspection
+ # by file_data, http_server_body & pcre /Q option.
+ # double-decode-path: Double decode path section of the URI
+ # double-decode-query: Double decode query section of the URI
+ #
+ # Currently Available Personalities:
+ # Minimal
+ # Generic
+ # IDS (default)
+ # IIS_4_0
+ # IIS_5_0
+ # IIS_5_1
+ # IIS_6_0
+ # IIS_7_0
+ # IIS_7_5
+ # Apache_2
+ ###########################################################################
+ libhtp:
+
+ default-config:
+ personality: IDS
+
+ # Can be specified in kb, mb, gb. Just a number indicates
+ # it's in bytes.
+ request-body-limit: 3072
+ response-body-limit: 3072
+
+ # inspection limits
+ request-body-minimal-inspect-size: 32kb
+ request-body-inspect-window: 4kb
+ response-body-minimal-inspect-size: 32kb
+ response-body-inspect-window: 4kb
+
+ # decoding
+ double-decode-path: no
+ double-decode-query: no
+
+ server-config:
+
+ - apache:
+ address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
+ personality: Apache_2
+ # Can be specified in kb, mb, gb. Just a number indicates
+ # it's in bytes.
+ request-body-limit: 4096
+ response-body-limit: 4096
+ double-decode-path: no
+ double-decode-query: no
+
+ - iis7:
+ address:
+ - 192.168.0.0/24
+ - 192.168.10.0/24
+ personality: IIS_7_0
+ # Can be specified in kb, mb, gb. Just a number indicates
+ # it's in bytes.
+ request-body-limit: 4096
+ response-body-limit: 4096
+ double-decode-path: no
+ double-decode-query: no
# Profiling settings. Only effective if Suricata has been built with the
# the --enable-profiling configure flag.
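Review bot: The header comment at L971–L972 documents options called `detection-enabled` and `parsed-enabled` (with a stray `"`), but the keys that follow use a single `enabled` key whose three values are described at L976–L978; the sentence should read `# Under each protocol, the default value for "enabled" is yes, unless specified otherwise.` Relocating the entire `libhtp:` tree under `app-layer.protocols.http` changes the lookup path of every libhtp setting (personalities, body limits, double-decode flags), so a deployment that keeps its existing suricata.yaml with a top-level `libhtp:` block would silently lose all of them and fall back to defaults unless the reader also tries the old path, the way the TLS registration in this commit falls back from `app-layer.protocols.tls.no-reassemble` to `tls.no-reassemble` (L748–L754); the HTTP side of that fallback is not in this diff, so it is worth confirming before this ships. The commented `#no-reassemble: yes` under `tls` at L984 gives no hint of the effective default; since the TLS code in this commit sets `no_reassemble` to 1 whenever the key is absent, a note such as `# no-reassemble: yes   # default when unset is yes` would stop readers from assuming that commenting it out enables reassembly.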