From: Philippe Antoine
Date: Thu, 1 Aug 2019 12:12:54 +0000 (+0200)
Subject: detectproto: adding missing probing parsers
X-Git-Tag: suricata-5.0.0-rc1~147
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5ff50773bd8d23e430263350029766cf08ac4c43;p=thirdparty%2Fsuricata.git
detectproto: adding missing probing parsers
In direction TO_CLIENT for symetric protocols
---
diff --git a/src/app-layer-dnp3.c b/src/app-layer-dnp3.c
index 74997ed957..645b8cfc92 100644
--- a/src/app-layer-dnp3.c
+++ b/src/app-layer-dnp3.c
@@ -1609,12 +1609,12 @@ void RegisterDNP3Parsers(void)
 if (RunmodeIsUnittests()) {
 AppLayerProtoDetectPPRegister(IPPROTO_TCP, DNP3_DEFAULT_PORT, ALPROTO_DNP3, 0, sizeof(DNP3LinkHeader), STREAM_TOSERVER,
- DNP3ProbingParser, NULL);
+ DNP3ProbingParser, DNP3ProbingParser);
 } else {
 if (!AppLayerProtoDetectPPParseConfPorts("tcp", IPPROTO_TCP, proto_name, ALPROTO_DNP3, 0, sizeof(DNP3LinkHeader),
- DNP3ProbingParser, NULL)) {
+ DNP3ProbingParser, DNP3ProbingParser)) {
 #ifndef AFLFUZZ_APPLAYER
 return;
 #endif
diff --git a/src/app-layer-modbus.c b/src/app-layer-modbus.c
index 5c55614f7b..6606ee1672 100644
--- a/src/app-layer-modbus.c
+++ b/src/app-layer-modbus.c
@@ -1482,14 +1482,14 @@ void RegisterModbusParsers(void)
 ALPROTO_MODBUS, 0, sizeof(ModbusHeader), STREAM_TOSERVER,
- ModbusProbingParser, NULL);
+ ModbusProbingParser, ModbusProbingParser);
 } else {
 /* If there is no app-layer section for Modbus, silently
 * leave it disabled. */
 if (!AppLayerProtoDetectPPParseConfPorts("tcp", IPPROTO_TCP, proto_name, ALPROTO_MODBUS, 0, sizeof(ModbusHeader),
- ModbusProbingParser, NULL)) {
+ ModbusProbingParser, ModbusProbingParser)) {
 #ifndef AFLFUZZ_APPLAYER
 return;
 #endif
diff --git a/src/app-layer-smb.c b/src/app-layer-smb.c
index 807876cc9c..08bc56db79 100644
--- a/src/app-layer-smb.c
+++ b/src/app-layer-smb.c
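Review bot: Passing `DNP3ProbingParser` as both the to-server and to-client probe, in the `AppLayerProtoDetectPPRegister` call and in the `AppLayerProtoDetectPPParseConfPorts` call, lets a flow be classified from whichever side is seen first, but the hunk gives no sign that the probe can tell a request from a response. If the probe has the `uint8_t *rdir` out-parameter seen on the template probes in this commit, it should presumably set it when the frame it matched belongs to the other direction; otherwise a flow picked up mid-stream may have responses parsed as requests, which skews transaction state and rule matching. The Modbus hunk registers `ModbusProbingParser` the same way and raises the same question. At minimum, a comment at each registration would record the assumption, e.g. `/* framing is identical in both directions, so one probe serves TS and TC */`. RegisterDNP3Parsers starts and ends outside the hunk.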
@@ -273,7 +273,7 @@ void RegisterSMBParsers(void)
 if (RunmodeIsUnittests()) {
 AppLayerProtoDetectPPRegister(IPPROTO_TCP, "445", ALPROTO_SMB, 0, MIN_REC_SIZE, STREAM_TOSERVER, SMBTCPProbe,
- NULL);
+ SMBTCPProbe);
 } else {
 int have_cfg = AppLayerProtoDetectPPParseConfPorts("tcp", IPPROTO_TCP, proto_name, ALPROTO_SMB, 0,
diff --git a/src/app-layer-template.c b/src/app-layer-template.c
index dd0fd203d7..38113840e8 100644
--- a/src/app-layer-template.c
+++ b/src/app-layer-template.c
@@ -196,12 +196,35 @@ static AppLayerDecoderEvents *TemplateGetEvents(void *tx)
 }
 /**
- * \brief Probe the input to see if it looks like template.
+ * \brief Probe the input to server to see if it looks like template.
 *
- * \retval ALPROTO_TEMPLATE if it looks like template, otherwise
- * ALPROTO_UNKNOWN.
+ * \retval ALPROTO_TEMPLATE if it looks like template,
+ * ALPROTO_FAILED, if it is clearly not ALPROTO_TEMPLATE,
+ * otherwise ALPROTO_UNKNOWN.
 */
-static AppProto TemplateProbingParser(Flow *f, uint8_t direction,
+static AppProto TemplateProbingParserTs(Flow *f, uint8_t direction,
+ uint8_t *input, uint32_t input_len, uint8_t *rdir)
+{
+ /* Very simple test - if there is input, this is template. */
+ if (input_len >= TEMPLATE_MIN_FRAME_LEN) {
+ SCLogNotice("Detected as ALPROTO_TEMPLATE.");
+ return ALPROTO_TEMPLATE;
+ }
+
+ SCLogNotice("Protocol not detected as ALPROTO_TEMPLATE.");
+ return ALPROTO_UNKNOWN;
+}
+
+/**
+ * \brief Probe the input to client to see if it looks like template.
+ * TemplateProbingParserTs can be used instead if the protocol
+ * is symmetric.
+ *
+ * \retval ALPROTO_TEMPLATE if it looks like template,
+ * ALPROTO_FAILED, if it is clearly not ALPROTO_TEMPLATE,
+ * otherwise ALPROTO_UNKNOWN.
+ */
+static AppProto TemplateProbingParserTc(Flow *f, uint8_t direction,
 uint8_t *input, uint32_t input_len, uint8_t *rdir)
 {
 /* Very simple test - if there is input, this is template. */
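Review bot: Only the unit-test registration gains the to-client `SMBTCPProbe`; the `AppLayerProtoDetectPPParseConfPorts` call in the `else` branch is cut off by the hunk, so it is not visible whether the configured path also passes a to-client probe. If it still passes `NULL` there, unit tests would exercise a detection setup that production does not have, and SMB flows whose first observed data is to-client would stay undetected outside tests. Worth confirming that both branches register the same pair of probes. RegisterSMBParsers starts and ends outside the hunk.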
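Review bot: The new `\retval` text on `TemplateProbingParserTs` (and on `TemplateProbingParserTc`) promises `ALPROTO_FAILED` for input that is clearly not template, but the added body returns only `ALPROTO_TEMPLATE` or `ALPROTO_UNKNOWN`. Parsers copied from this file inherit that gap, so either drop the `ALPROTO_FAILED` line from both comments or show the case in the body with something like `/* return ALPROTO_FAILED once the input can no longer match */`. The two `SCLogNotice` calls run on every probe of network-supplied data, so a peer controls how much is logged at notice level; `SCLogDebug("Protocol not detected as ALPROTO_TEMPLATE.");` would be the safer default in a template. The body of `TemplateProbingParserTc` continues outside the hunk.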
@@ -472,21 +495,21 @@ void RegisterTemplateParsers(void)
 SCLogNotice("Unittest mode, registeringd default configuration.");
 AppLayerProtoDetectPPRegister(IPPROTO_TCP, TEMPLATE_DEFAULT_PORT, ALPROTO_TEMPLATE, 0, TEMPLATE_MIN_FRAME_LEN, STREAM_TOSERVER,
- TemplateProbingParser, NULL);
+ TemplateProbingParserTs, TemplateProbingParserTc);
 } else {
 if (!AppLayerProtoDetectPPParseConfPorts("tcp", IPPROTO_TCP, proto_name, ALPROTO_TEMPLATE, 0, TEMPLATE_MIN_FRAME_LEN,
- TemplateProbingParser, NULL)) {
+ TemplateProbingParserTs, TemplateProbingParserTc)) {
 SCLogNotice("No template app-layer configuration, enabling echo" " detection TCP detection on port %s.", TEMPLATE_DEFAULT_PORT);
 AppLayerProtoDetectPPRegister(IPPROTO_TCP, TEMPLATE_DEFAULT_PORT, ALPROTO_TEMPLATE, 0, TEMPLATE_MIN_FRAME_LEN, STREAM_TOSERVER,
- TemplateProbingParser, NULL);
+ TemplateProbingParserTs, TemplateProbingParserTc);
 }
 }
diff --git a/src/app-layer-tftp.c b/src/app-layer-tftp.c
index bac605d467..b0cfb56262 100644
--- a/src/app-layer-tftp.c
+++ b/src/app-layer-tftp.c
@@ -203,12 +203,12 @@ void RegisterTFTPParsers(void)
 AppLayerProtoDetectPPRegister(IPPROTO_UDP, TFTP_DEFAULT_PORT, ALPROTO_TFTP, 0, TFTP_MIN_FRAME_LEN, STREAM_TOSERVER, TFTPProbingParser,
- NULL);
+ TFTPProbingParser);
 } else {
 if (!AppLayerProtoDetectPPParseConfPorts("udp", IPPROTO_UDP, proto_name, ALPROTO_TFTP, 0, TFTP_MIN_FRAME_LEN,
- TFTPProbingParser, NULL)) {
+ TFTPProbingParser, TFTPProbingParser)) {
 SCLogDebug("No echo app-layer configuration, enabling echo" " detection UDP detection on port %s.", TFTP_DEFAULT_PORT);
@@ -216,7 +216,7 @@ void RegisterTFTPParsers(void)
 TFTP_DEFAULT_PORT, ALPROTO_TFTP, 0, TFTP_MIN_FRAME_LEN, STREAM_TOSERVER,TFTPProbingParser,
- NULL);
+ TFTPProbingParser);
 }
 }
 } else {
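Review bot: `TFTPProbingParser` is now also the to-client probe in all three registrations (the `@@ -203,12` hunk and the `@@ -216,7` hunk), yet the probe itself is not part of the diff, so nothing here shows that it accepts the packets a server sends. If it only recognises request opcodes, the to-client slot never matches and the change is a no-op for TFTP; if it is loose, any UDP payload coming from the configured port is labelled TFTP and handed to the parser. A comment at the first registration saying which to-client packets the probe is expected to match would settle it, e.g. `/* TC probe: matches <reply types, to be confirmed against TFTPProbingParser> */`. RegisterTFTPParsers starts and ends outside the hunk.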