From: Jason Ish Date: Thu, 17 Nov 2022 16:37:02 +0000 (-0600) Subject: templates: remove C app-layer templates X-Git-Tag: suricata-7.0.0-rc1~305 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=86831541155bac8e31d8b68873a35257d1565b80;p=thirdparty%2Fsuricata.git templates: remove C app-layer templates
---
diff --git a/src/Makefile.am b/src/Makefile.am
index 633d2be9bc..1edc6b9361 100755
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -51,7 +51,6 @@ noinst_HEADERS = \
 app-layer-snmp.h \
 app-layer-ssh.h \
 app-layer-ssl.h \
- app-layer-template.h \
 app-layer-tftp.h \
 autoconf.h \
 build-info.h \
@@ -321,7 +320,6 @@ noinst_HEADERS = \
 detect-tcp-seq.h \
 detect-tcp-window.h \
 detect-template2.h \
- detect-template-buffer.h \
 detect-template.h \
 detect-template-rust-buffer.h \
 detect-threshold.h \
@@ -426,7 +424,6 @@ noinst_HEADERS = \
 output-json-snmp.h \
 output-json-ssh.h \
 output-json-stats.h \
- output-json-template.h \
 output-json-template-rust.h \
 output-json-tftp.h \
 output-json-tls.h \
@@ -665,7 +662,6 @@ libsuricata_c_a_SOURCES = \
 app-layer-snmp.c \
 app-layer-ssh.c \
 app-layer-ssl.c \
- app-layer-template.c \
 app-layer-tftp.c \
 conf.c \
 conf-yaml-loader.c \
@@ -932,7 +928,6 @@ libsuricata_c_a_SOURCES = \
 detect-tcp-seq.c \
 detect-tcp-window.c \
 detect-template2.c \
- detect-template-buffer.c \
 detect-template.c \
 detect-template-rust-buffer.c \
 detect-threshold.c \
@@ -1037,7 +1032,6 @@ libsuricata_c_a_SOURCES = \
 output-json-snmp.c \
 output-json-ssh.c \
 output-json-stats.c \
- output-json-template.c \
 output-json-template-rust.c \
 output-json-tftp.c \
 output-json-tls.c \
diff --git a/src/app-layer-detect-proto.c b/src/app-layer-detect-proto.c
index f9a54510df..ac7e41e303 100644
--- a/src/app-layer-detect-proto.c
+++ b/src/app-layer-detect-proto.c
@@ -915,8 +915,6 @@ static void AppLayerProtoDetectPrintProbingParsers(AppLayerProtoDetectProbingPar printf(" alproto: ALPROTO_PGSQL\n"); else if (pp_pe->alproto == ALPROTO_TELNET) printf(" alproto: ALPROTO_TELNET\n"); - else if (pp_pe->alproto == ALPROTO_TEMPLATE) - printf(" alproto: ALPROTO_TEMPLATE\n"); else if (pp_pe->alproto == ALPROTO_DNP3) printf(" alproto: ALPROTO_DNP3\n"); else if (pp_pe->alproto == ALPROTO_BITTORRENT_DHT) @@ -1000,8 +998,6 @@ static void AppLayerProtoDetectPrintProbingParsers(AppLayerProtoDetectProbingPar printf(" alproto: ALPROTO_PGSQL\n"); else if (pp_pe->alproto == ALPROTO_TELNET) printf(" alproto: ALPROTO_TELNET\n"); - else if (pp_pe->alproto == ALPROTO_TEMPLATE) - printf(" alproto: ALPROTO_TEMPLATE\n"); else if (pp_pe->alproto == ALPROTO_DNP3) printf(" alproto: ALPROTO_DNP3\n"); else if (pp_pe->alproto == ALPROTO_BITTORRENT_DHT) diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c index 6f03cb6eef..bb75292073 100644 --- a/src/app-layer-parser.c +++ b/src/app-layer-parser.c @@ -60,7 +60,6 @@ #include "app-layer-mqtt.h" #include "app-layer-snmp.h" #include "app-layer-quic.h" -#include "app-layer-template.h" #include "app-layer-rdp.h" #include "app-layer-http2.h" @@ -1741,7 +1740,6 @@ void AppLayerParserRegisterProtocolParsers(void) RegisterRFBParsers(); RegisterMQTTParsers(); rs_pgsql_register_parser(); - RegisterTemplateParsers(); RegisterRdpParsers(); RegisterHTTP2Parsers(); rs_telnet_register_parser(); diff --git a/src/app-layer-protos.c b/src/app-layer-protos.c index 39e9e7f437..41fe5ba718 100644 --- a/src/app-layer-protos.c +++ b/src/app-layer-protos.c @@ -117,9 +117,6 @@ const char *AppProtoToString(AppProto alproto) case ALPROTO_TELNET: proto_name = "telnet"; break; - case ALPROTO_TEMPLATE: - proto_name = "template"; - break; case ALPROTO_TEMPLATE_RUST: proto_name = "template-rust"; break; 
@@ -190,8 +187,6 @@ AppProto StringToAppProto(const char *proto_name)
 return ALPROTO_PGSQL;
 if (strcmp(proto_name, "telnet") == 0)
 return ALPROTO_TELNET;
- if (strcmp(proto_name, "template") == 0)
- return ALPROTO_TEMPLATE;
 if (strcmp(proto_name, "template-rust") == 0)
 return ALPROTO_TEMPLATE_RUST;
 if (strcmp(proto_name,"rdp")==0) return ALPROTO_RDP;
diff --git a/src/app-layer-protos.h b/src/app-layer-protos.h
index 0c29135db6..6ed7a0de3a 100644
--- a/src/app-layer-protos.h
+++ b/src/app-layer-protos.h
@@ -56,7 +56,6 @@ enum AppProtoEnum {
 ALPROTO_MQTT,
 ALPROTO_PGSQL,
 ALPROTO_TELNET,
- ALPROTO_TEMPLATE,
 ALPROTO_TEMPLATE_RUST,
 ALPROTO_RDP,
 ALPROTO_HTTP2,
diff --git a/src/app-layer-template.c b/src/app-layer-template.c
deleted file mode 100644
index 5803cacac0..0000000000
--- a/src/app-layer-template.c
+++ /dev/null
@@ -1,564 +0,0 @@ -/* Copyright (C) 2015-2021 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/* - * TODO: Update \author in this file and app-layer-template.h. - * TODO: Implement your app-layer logic with unit tests. - * TODO: Remove SCLogNotice statements or convert to debug. - */ - -/** - * \file - * - * \author FirstName LastName - * - * Template application layer detector and parser for learning and - * template purposes. - * - * This template implements a simple application layer for something - * like the echo protocol running on port 7. - */ - -#include "suricata-common.h" -#include "suricata.h" -#include "stream.h" -#include "conf.h" -#include "app-layer.h" -#include "app-layer-detect-proto.h" -#include "app-layer-parser.h" -#include "app-layer-template.h" - -#include "util-unittest.h" -#include "util-validate.h" -#include "util-enum.h" - -/* The default port to probe for echo traffic if not provided in the - * configuration file. */ -#define TEMPLATE_DEFAULT_PORT "7" - -/* The minimum size for a message. For some protocols this might - * be the size of a header. */ -#define TEMPLATE_MIN_FRAME_LEN 1 - -/* Enum of app-layer events for the protocol. Normally you might - * have events for errors in parsing data, like unexpected data being - * received. 
For template we'll make something up, and log an app-layer - * level alert if an empty message is received. - * - * Example rule: - * - * alert template any any -> any any (msg:"SURICATA Template empty message"; \ - * app-layer-event:template.empty_message; sid:X; rev:Y;) - */ -enum { - TEMPLATE_DECODER_EVENT_EMPTY_MESSAGE, -}; - -SCEnumCharMap template_decoder_event_table[] = { - {"EMPTY_MESSAGE", TEMPLATE_DECODER_EVENT_EMPTY_MESSAGE}, - - // event table must be NULL-terminated - { NULL, -1 }, -}; - -static TemplateTransaction *TemplateTxAlloc(TemplateState *state) -{ - TemplateTransaction *tx = SCCalloc(1, sizeof(TemplateTransaction)); - if (unlikely(tx == NULL)) { - return NULL; - } - - /* Increment the transaction ID on the state each time one is - * allocated. */ - tx->tx_id = state->transaction_max++; - - TAILQ_INSERT_TAIL(&state->tx_list, tx, next); - - return tx; -} - -static void TemplateTxFree(void *txv) -{ - TemplateTransaction *tx = txv; - - if (tx->request_buffer != NULL) { - SCFree(tx->request_buffer); - } - - if (tx->response_buffer != NULL) { - SCFree(tx->response_buffer); - } - - AppLayerDecoderEventsFreeEvents(&tx->tx_data.events); - - SCFree(tx); -} - -static void *TemplateStateAlloc(void *orig_state, AppProto proto_orig) -{ - SCLogNotice("Allocating template state."); - TemplateState *state = SCCalloc(1, sizeof(TemplateState)); - if (unlikely(state == NULL)) { - return NULL; - } - TAILQ_INIT(&state->tx_list); - return state; -} - -static void TemplateStateFree(void *state) -{ - TemplateState *template_state = state; - TemplateTransaction *tx; - SCLogNotice("Freeing template state."); - while ((tx = TAILQ_FIRST(&template_state->tx_list)) != NULL) { - TAILQ_REMOVE(&template_state->tx_list, tx, next); - TemplateTxFree(tx); - } - SCFree(template_state); -} - -/** - * \brief Callback from the application layer to have a transaction freed. - * - * \param state a void pointer to the TemplateState object. - * \param tx_id the transaction ID to free. 
- */ -static void TemplateStateTxFree(void *statev, uint64_t tx_id) -{ - TemplateState *state = statev; - TemplateTransaction *tx = NULL, *ttx; - - SCLogNotice("Freeing transaction %"PRIu64, tx_id); - - TAILQ_FOREACH_SAFE(tx, &state->tx_list, next, ttx) { - - /* Continue if this is not the transaction we are looking - * for. */ - if (tx->tx_id != tx_id) { - continue; - } - - /* Remove and free the transaction. */ - TAILQ_REMOVE(&state->tx_list, tx, next); - TemplateTxFree(tx); - return; - } - - SCLogNotice("Transaction %"PRIu64" not found.", tx_id); -} - -static int TemplateStateGetEventInfo(const char *event_name, int *event_id, - AppLayerEventType *event_type) -{ - *event_id = SCMapEnumNameToValue(event_name, template_decoder_event_table); - if (*event_id == -1) { - SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%s\" not present in " - "template enum map table.", event_name); - /* This should be treated as fatal. */ - return -1; - } - - *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION; - - return 0; -} - -static int TemplateStateGetEventInfoById(int event_id, const char **event_name, - AppLayerEventType *event_type) -{ - *event_name = SCMapEnumValueToName(event_id, template_decoder_event_table); - if (*event_name == NULL) { - SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%d\" not present in " - "template enum map table.", event_id); - /* This should be treated as fatal. */ - return -1; - } - - *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION; - - return 0; -} - -/** - * \brief Probe the input to server to see if it looks like template. - * - * \retval ALPROTO_TEMPLATE if it looks like template, - * ALPROTO_FAILED, if it is clearly not ALPROTO_TEMPLATE, - * otherwise ALPROTO_UNKNOWN. - */ -static AppProto TemplateProbingParserTs(Flow *f, uint8_t direction, - const uint8_t *input, uint32_t input_len, uint8_t *rdir) -{ - /* Very simple test - if there is input, this is template. 
*/ - if (input_len >= TEMPLATE_MIN_FRAME_LEN) { - SCLogNotice("Detected as ALPROTO_TEMPLATE."); - return ALPROTO_TEMPLATE; - } - - SCLogNotice("Protocol not detected as ALPROTO_TEMPLATE."); - return ALPROTO_UNKNOWN; -} - -/** - * \brief Probe the input to client to see if it looks like template. - * TemplateProbingParserTs can be used instead if the protocol - * is symmetric. - * - * \retval ALPROTO_TEMPLATE if it looks like template, - * ALPROTO_FAILED, if it is clearly not ALPROTO_TEMPLATE, - * otherwise ALPROTO_UNKNOWN. - */ -static AppProto TemplateProbingParserTc(Flow *f, uint8_t direction, - const uint8_t *input, uint32_t input_len, uint8_t *rdir) -{ - /* Very simple test - if there is input, this is template. */ - if (input_len >= TEMPLATE_MIN_FRAME_LEN) { - SCLogNotice("Detected as ALPROTO_TEMPLATE."); - return ALPROTO_TEMPLATE; - } - - SCLogNotice("Protocol not detected as ALPROTO_TEMPLATE."); - return ALPROTO_UNKNOWN; -} - -static AppLayerResult TemplateParseRequest(Flow *f, void *statev, AppLayerParserState *pstate, - StreamSlice stream_slice, void *local_data) -{ - TemplateState *state = statev; - const uint8_t *input = StreamSliceGetData(&stream_slice); - uint32_t input_len = StreamSliceGetDataLen(&stream_slice); - const uint8_t flags = StreamSliceGetFlags(&stream_slice); - - SCLogNotice("Parsing template request: len=%"PRIu32, input_len); - - if (input == NULL) { - if (AppLayerParserStateIssetFlag(pstate, APP_LAYER_PARSER_EOF_TS)) { - /* This is a signal that the stream is done. Do any - * cleanup if needed. Usually nothing is required here. */ - SCReturnStruct(APP_LAYER_OK); - } else if (flags & STREAM_GAP) { - /* This is a signal that there has been a gap in the - * stream. This only needs to be handled if gaps were - * enabled during protocol registration. The input_len - * contains the size of the gap. */ - SCReturnStruct(APP_LAYER_OK); - } - /* This should not happen. If input is NULL, one of the above should be - * true. 
*/ - DEBUG_VALIDATE_BUG_ON(true); - SCReturnStruct(APP_LAYER_ERROR); - } - - /* Normally you would parse out data here and store it in the - * transaction object, but as this is echo, we'll just record the - * request data. */ - - /* Also, if this protocol may have a "protocol data unit" span - * multiple chunks of data, which is always a possibility with - * TCP, you may need to do some buffering here. - * - * For the sake of simplicity, buffering is left out here, but - * even for an echo protocol we may want to buffer until a new - * line is seen, assuming its text based. - */ - - /* Allocate a transaction. - * - * But note that if a "protocol data unit" is not received in one - * chunk of data, and the buffering is done on the transaction, we - * may need to look for the transaction that this newly received - * data belongs to. - */ - TemplateTransaction *tx = TemplateTxAlloc(state); - if (unlikely(tx == NULL)) { - SCLogNotice("Failed to allocate new Template tx."); - goto end; - } - SCLogNotice("Allocated Template tx %"PRIu64".", tx->tx_id); - - /* Make a copy of the request. */ - tx->request_buffer = SCCalloc(1, input_len); - if (unlikely(tx->request_buffer == NULL)) { - goto end; - } - memcpy(tx->request_buffer, input, input_len); - tx->request_buffer_len = input_len; - - /* Here we check for an empty message and create an app-layer - * event. 
*/ - if ((input_len == 1 && tx->request_buffer[0] == '\n') || - (input_len == 2 && tx->request_buffer[0] == '\r')) { - SCLogNotice("Creating event for empty message."); - AppLayerDecoderEventsSetEventRaw(&tx->tx_data.events, TEMPLATE_DECODER_EVENT_EMPTY_MESSAGE); - } - -end: - SCReturnStruct(APP_LAYER_OK); -} - -static AppLayerResult TemplateParseResponse(Flow *f, void *statev, AppLayerParserState *pstate, - StreamSlice stream_slice, void *local_data) -{ - TemplateState *state = statev; - TemplateTransaction *tx = NULL, *ttx; - const uint8_t *input = StreamSliceGetData(&stream_slice); - uint32_t input_len = StreamSliceGetDataLen(&stream_slice); - - SCLogNotice("Parsing Template response."); - - /* Likely connection closed, we can just return here. */ - if ((input == NULL || input_len == 0) && - AppLayerParserStateIssetFlag(pstate, APP_LAYER_PARSER_EOF_TC)) { - SCReturnStruct(APP_LAYER_OK); - } - - /* Probably don't want to create a transaction in this case - * either. */ - if (input == NULL || input_len == 0) { - SCReturnStruct(APP_LAYER_OK); - } - - /* Look up the existing transaction for this response. In the case - * of echo, it will be the most recent transaction on the - * TemplateState object. */ - - /* We should just grab the last transaction, but this is to - * illustrate how you might traverse the transaction list to find - * the transaction associated with this response. */ - TAILQ_FOREACH(ttx, &state->tx_list, next) { - tx = ttx; - } - - if (tx == NULL) { - SCLogNotice("Failed to find transaction for response on state %p.", - state); - goto end; - } - - SCLogNotice("Found transaction %"PRIu64" for response on state %p.", - tx->tx_id, state); - - /* If the protocol requires multiple chunks of data to complete, you may - * run into the case where you have existing response data. - * - * In this case, we just log that there is existing data and free it. But - * you might want to realloc the buffer and append the data. 
- */ - if (tx->response_buffer != NULL) { - SCLogNotice("WARNING: Transaction already has response data, " - "existing data will be overwritten."); - SCFree(tx->response_buffer); - } - - /* Make a copy of the response. */ - tx->response_buffer = SCCalloc(1, input_len); - if (unlikely(tx->response_buffer == NULL)) { - goto end; - } - memcpy(tx->response_buffer, input, input_len); - tx->response_buffer_len = input_len; - - /* Set the response_done flag for transaction state checking in - * TemplateGetStateProgress(). */ - tx->response_done = 1; - -end: - SCReturnStruct(APP_LAYER_OK); -} - -static uint64_t TemplateGetTxCnt(void *statev) -{ - const TemplateState *state = statev; - SCLogNotice("Current tx count is %"PRIu64".", state->transaction_max); - return state->transaction_max; -} - -static void *TemplateGetTx(void *statev, uint64_t tx_id) -{ - TemplateState *state = statev; - TemplateTransaction *tx; - - SCLogDebug("Requested tx ID %" PRIu64 ".", tx_id); - - TAILQ_FOREACH(tx, &state->tx_list, next) { - if (tx->tx_id == tx_id) { - SCLogDebug("Transaction %" PRIu64 " found, returning tx object %p.", tx_id, tx); - return tx; - } - } - - SCLogDebug("Transaction ID %" PRIu64 " not found.", tx_id); - return NULL; -} - -/** - * \brief Return the state of a transaction in a given direction. - * - * In the case of the echo protocol, the existence of a transaction - * means that the request is done. However, some protocols that may - * need multiple chunks of data to complete the request may need more - * than just the existence of a transaction for the request to be - * considered complete. - * - * For the response to be considered done, the response for a request - * needs to be seen. The response_done flag is set on response for - * checking here. 
- */ -static int TemplateGetStateProgress(void *txv, uint8_t direction) -{ - TemplateTransaction *tx = txv; - - SCLogNotice("Transaction progress requested for tx ID %"PRIu64 - ", direction=0x%02x", tx->tx_id, direction); - - if (direction & STREAM_TOCLIENT && tx->response_done) { - return 1; - } - else if (direction & STREAM_TOSERVER) { - /* For the template, just the existence of the transaction means the - * request is done. */ - return 1; - } - - return 0; -} - -/** - * \brief retrieve the tx data used for logging, config, detection - */ -static AppLayerTxData *TemplateGetTxData(void *vtx) -{ - TemplateTransaction *tx = vtx; - return &tx->tx_data; -} - -/** - * \brief retrieve the state data - */ -static AppLayerStateData *TemplateGetStateData(void *vstate) -{ - TemplateState *state = vstate; - return &state->state_data; -} - -void RegisterTemplateParsers(void) -{ - const char *proto_name = "template"; - - /* Check if Template TCP detection is enabled. If it does not exist in - * the configuration file then it will be disabled by default. 
*/ - if (AppLayerProtoDetectConfProtoDetectionEnabledDefault("tcp", proto_name, false)) { - - SCLogDebug("Template TCP protocol detection enabled."); - - AppLayerProtoDetectRegisterProtocol(ALPROTO_TEMPLATE, proto_name); - - if (RunmodeIsUnittests()) { - - SCLogNotice("Unittest mode, registering default configuration."); - AppLayerProtoDetectPPRegister(IPPROTO_TCP, TEMPLATE_DEFAULT_PORT, - ALPROTO_TEMPLATE, 0, TEMPLATE_MIN_FRAME_LEN, STREAM_TOSERVER, - TemplateProbingParserTs, TemplateProbingParserTc); - - } - else { - - if (!AppLayerProtoDetectPPParseConfPorts("tcp", IPPROTO_TCP, - proto_name, ALPROTO_TEMPLATE, 0, TEMPLATE_MIN_FRAME_LEN, - TemplateProbingParserTs, TemplateProbingParserTc)) { - SCLogDebug("No template app-layer configuration, enabling echo" - " detection TCP detection on port %s.", - TEMPLATE_DEFAULT_PORT); - AppLayerProtoDetectPPRegister(IPPROTO_TCP, - TEMPLATE_DEFAULT_PORT, ALPROTO_TEMPLATE, 0, - TEMPLATE_MIN_FRAME_LEN, STREAM_TOSERVER, - TemplateProbingParserTs, TemplateProbingParserTc); - } - - } - - } - - else { - SCLogDebug("Protocol detector and parser disabled for Template."); - return; - } - - if (AppLayerParserConfParserEnabled("tcp", proto_name)) { - - SCLogNotice("Registering Template protocol parser."); - - /* Register functions for state allocation and freeing. A - * state is allocated for every new Template flow. */ - AppLayerParserRegisterStateFuncs(IPPROTO_TCP, ALPROTO_TEMPLATE, - TemplateStateAlloc, TemplateStateFree); - - /* Register request parser for parsing frame from server to client. */ - AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_TEMPLATE, - STREAM_TOSERVER, TemplateParseRequest); - - /* Register response parser for parsing frames from server to client. */ - AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_TEMPLATE, - STREAM_TOCLIENT, TemplateParseResponse); - - /* Register a function to be called by the application layer - * when a transaction is to be freed. 
*/ - AppLayerParserRegisterTxFreeFunc(IPPROTO_TCP, ALPROTO_TEMPLATE, - TemplateStateTxFree); - - /* Register a function to return the current transaction count. */ - AppLayerParserRegisterGetTxCnt(IPPROTO_TCP, ALPROTO_TEMPLATE, - TemplateGetTxCnt); - - /* Transaction handling. */ - AppLayerParserRegisterStateProgressCompletionStatus(ALPROTO_TEMPLATE, 1, 1); - AppLayerParserRegisterGetStateProgressFunc(IPPROTO_TCP, - ALPROTO_TEMPLATE, TemplateGetStateProgress); - AppLayerParserRegisterGetTx(IPPROTO_TCP, ALPROTO_TEMPLATE, - TemplateGetTx); - AppLayerParserRegisterTxDataFunc(IPPROTO_TCP, ALPROTO_TEMPLATE, - TemplateGetTxData); - AppLayerParserRegisterStateDataFunc(IPPROTO_TCP, ALPROTO_TEMPLATE, TemplateGetStateData); - - AppLayerParserRegisterGetEventInfo(IPPROTO_TCP, ALPROTO_TEMPLATE, - TemplateStateGetEventInfo); - AppLayerParserRegisterGetEventInfoById(IPPROTO_TCP, ALPROTO_TEMPLATE, - TemplateStateGetEventInfoById); - - /* Leave this is if your parser can handle gaps, otherwise - * remove. */ - AppLayerParserRegisterOptionFlags(IPPROTO_TCP, ALPROTO_TEMPLATE, - APP_LAYER_PARSER_OPT_ACCEPT_GAPS); - } - else { - SCLogDebug("Template protocol parsing disabled."); - } - -#ifdef UNITTESTS - AppLayerParserRegisterProtocolUnittests(IPPROTO_TCP, ALPROTO_TEMPLATE, - TemplateParserRegisterTests); -#endif -} - -#ifdef UNITTESTS -#endif - -void TemplateParserRegisterTests(void) -{ -#ifdef UNITTESTS -#endif -} diff --git a/src/app-layer-template.h b/src/app-layer-template.h deleted file mode 100644 index f468005c84..0000000000 --- a/src/app-layer-template.h +++ /dev/null 
@@ -1,67 +0,0 @@ -/* Copyright (C) 2015-2021 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author FirstName LastName - */ - -#ifndef __APP_LAYER_TEMPLATE_H__ -#define __APP_LAYER_TEMPLATE_H__ - - - -#include "rust.h" - -void RegisterTemplateParsers(void); -void TemplateParserRegisterTests(void); - -typedef struct TemplateTransaction -{ - /** Internal transaction ID. */ - uint64_t tx_id; - - uint8_t *request_buffer; - uint32_t request_buffer_len; - - uint8_t *response_buffer; - uint32_t response_buffer_len; - - uint8_t response_done; /*<< Flag to be set when the response is - * seen. */ - - AppLayerTxData tx_data; - - TAILQ_ENTRY(TemplateTransaction) next; - -} TemplateTransaction; - -typedef struct TemplateState { - AppLayerStateData state_data; - - /** List of Template transactions associated with this - * state. */ - TAILQ_HEAD(, TemplateTransaction) tx_list; - - /** A count of the number of transactions created. The - * transaction ID for each transaction is allocated - * by incrementing this value. */ - uint64_t transaction_max; -} TemplateState; - -#endif /* __APP_LAYER_TEMPLATE_H__ */ diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c index 488c5c4bd0..0693823f02 100644 --- a/src/detect-engine-register.c +++ b/src/detect-engine-register.c 
@@ -232,7 +232,6 @@ #include "detect-quic-cyu-hash.h" #include "detect-quic-cyu-string.h" -#include "detect-template-buffer.h" #include "detect-bypass.h" #include "detect-ftpdata.h" #include "detect-engine-content-inspection.h" @@ -253,7 +252,6 @@ #include "app-layer-protos.h" #include "app-layer-htp.h" #include "app-layer-smtp.h" -#include "app-layer-template.h" #include "detect-frame.h" #include "detect-tls.h" #include "detect-tls-cert-validity.h" @@ -678,7 +676,6 @@ void SigTableSetup(void) DetectQuicCyuHashRegister(); DetectQuicCyuStringRegister(); - DetectTemplateBufferRegister(); DetectBypassRegister(); DetectConfigRegister(); diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h index a7f6b2e95b..9af94d7a16 100644 --- a/src/detect-engine-register.h +++ b/src/detect-engine-register.h @@ -306,7 +306,6 @@ enum DetectKeywordId { DETECT_AL_QUIC_UA, DETECT_AL_QUIC_CYU_HASH, DETECT_AL_QUIC_CYU_STRING, - DETECT_AL_TEMPLATE_BUFFER, DETECT_BYPASS, diff --git a/src/detect-template-buffer.c b/src/detect-template-buffer.c deleted file mode 100644 index 777bb28aa5..0000000000 --- a/src/detect-template-buffer.c +++ /dev/null 
@@ -1,152 +0,0 @@ -/* Copyright (C) 2015-2018 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/* - * TODO: Update the \author in this file and detect-template-buffer.h. - * TODO: Update description in the \file section below. - * TODO: Remove SCLogNotice statements or convert to debug. - */ - -/** - * \file - * - * \author FirstName LastName - * - * Set up of the "template_buffer" keyword to allow content - * inspections on the decoded template application layer buffers. - */ - -#include "suricata-common.h" -#include "conf.h" -#include "detect.h" -#include "detect-parse.h" -#include "detect-engine.h" -#include "detect-engine-mpm.h" -#include "detect-engine-prefilter.h" -#include "app-layer-template.h" -#include "detect-template-buffer.h" - -static int DetectTemplateBufferSetup(DetectEngineCtx *, Signature *, const char *); -static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, - Flow *_f, const uint8_t flow_flags, - void *txv, const int list_id); -#ifdef UNITTESTS -static void DetectTemplateBufferRegisterTests(void); -#endif -static int g_template_buffer_id = 0; - -void DetectTemplateBufferRegister(void) -{ - /* TEMPLATE_START_REMOVE */ - /* Prevent registration of this buffer unless explicitly enabled or when - * running unittests. 
This will be removed during code generation from this - * template. */ - if (!RunmodeIsUnittests()) { - if (ConfGetNode("app-layer.protocols.template") == NULL) { - return; - } - } - /* TEMPLATE_END_REMOVE */ - sigmatch_table[DETECT_AL_TEMPLATE_BUFFER].name = "template_buffer"; - sigmatch_table[DETECT_AL_TEMPLATE_BUFFER].desc = - "Template content modifier to match on the template buffers"; - sigmatch_table[DETECT_AL_TEMPLATE_BUFFER].Setup = DetectTemplateBufferSetup; -#ifdef UNITTESTS - sigmatch_table[DETECT_AL_TEMPLATE_BUFFER].RegisterTests = - DetectTemplateBufferRegisterTests; -#endif - - sigmatch_table[DETECT_AL_TEMPLATE_BUFFER].flags |= SIGMATCH_NOOPT; - - /* register inspect engines - these are called per signature */ - DetectAppLayerInspectEngineRegister2("template_buffer", - ALPROTO_TEMPLATE, SIG_FLAG_TOSERVER, 0, - DetectEngineInspectBufferGeneric, GetData); - DetectAppLayerInspectEngineRegister2("template_buffer", - ALPROTO_TEMPLATE, SIG_FLAG_TOCLIENT, 0, - DetectEngineInspectBufferGeneric, GetData); - - /* register mpm engines - these are called in the prefilter stage */ - DetectAppLayerMpmRegister2("template_buffer", SIG_FLAG_TOSERVER, 0, - PrefilterGenericMpmRegister, GetData, - ALPROTO_TEMPLATE, 0); - DetectAppLayerMpmRegister2("template_buffer", SIG_FLAG_TOCLIENT, 0, - PrefilterGenericMpmRegister, GetData, - ALPROTO_TEMPLATE, 0); - - - g_template_buffer_id = DetectBufferTypeGetByName("template_buffer"); - - /* NOTE: You may want to change this to SCLogNotice during development. */ - SCLogDebug("Template application layer detect registered."); -} - -static int DetectTemplateBufferSetup(DetectEngineCtx *de_ctx, Signature *s, - const char *str) -{ - /* store list id. Content, pcre, etc will be added to the list at this - * id. */ - s->init_data->list = g_template_buffer_id; - - /* set the app proto for this signature. 
This means it will only be - * evaluated against flows that are ALPROTO_TEMPLATE */ - if (DetectSignatureSetAppProto(s, ALPROTO_TEMPLATE) != 0) - return -1; - - return 0; -} - -/** \internal - * \brief get the data to inspect from the transaction. - * This function gets the data, sets up the InspectionBuffer object - * and applies transformations (if any). - * - * \retval buffer or NULL in case of error - */ -static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, - Flow *_f, const uint8_t flow_flags, - void *txv, const int list_id) -{ - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - const TemplateTransaction *tx = (TemplateTransaction *)txv; - const uint8_t *data = NULL; - uint32_t data_len = 0; - - if (flow_flags & STREAM_TOSERVER) { - data = tx->request_buffer; - data_len = tx->request_buffer_len; - } else if (flow_flags & STREAM_TOCLIENT) { - data = tx->response_buffer; - data_len = tx->response_buffer_len; - } else { - return NULL; /* no buffer */ - } - - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); - } - - return buffer; -} - -#ifdef UNITTESTS -#include "detect-engine-alert.h" -#include "tests/detect-template-buffer.c" -#endif diff --git a/src/detect-template-buffer.h b/src/detect-template-buffer.h deleted file mode 100644 index 0c974cfeac..0000000000 --- a/src/detect-template-buffer.h +++ /dev/null 
@@ -1,30 +0,0 @@ -/* Copyright (C) 2015-2017 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author FirstName LastName - */ - -#ifndef __DETECT_TEMPLATE_BUFFER_H__ -#define __DETECT_TEMPLATE_BUFFER_H__ - - -void DetectTemplateBufferRegister(void); - -#endif /* __DETECT_TEMPLATE_BUFFER_H__ */ diff --git a/src/detect-template-rust-buffer.c b/src/detect-template-rust-buffer.c index 917f8a1ce2..eb856617e9 100644 --- a/src/detect-template-rust-buffer.c +++ b/src/detect-template-rust-buffer.c @@ -70,9 +70,9 @@ void DetectTemplateRustBufferRegister(void) sigmatch_table[DETECT_AL_TEMPLATE_RUST_BUFFER].flags |= SIGMATCH_NOOPT; /* register inspect engines */ - DetectAppLayerInspectEngineRegister2("template_rust_buffer", ALPROTO_TEMPLATE, + DetectAppLayerInspectEngineRegister2("template_rust_buffer", ALPROTO_TEMPLATE_RUST, SIG_FLAG_TOSERVER, 0, DetectEngineInspectTemplateRustBuffer, NULL); - DetectAppLayerInspectEngineRegister2("template_rust_buffer", ALPROTO_TEMPLATE, + DetectAppLayerInspectEngineRegister2("template_rust_buffer", ALPROTO_TEMPLATE_RUST, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectTemplateRustBuffer, NULL); g_template_rust_id = DetectBufferTypeGetByName("template_rust_buffer"); 
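Review bot: The two `DetectAppLayerInspectEngineRegister2` calls for `template_rust_buffer` now pass `ALPROTO_TEMPLATE_RUST`, which is a behavioural fix riding along in a removal commit, and neither the commit message nor the code records it. Until this change the buffer's inspect engines were bound to the C template's protocol id, so rules using `template_rust_buffer` may never have been evaluated against template-rust flows; a missed match in an IDS is silent, so this deserves a regression test that loads such a rule and checks that it fires. If this file is still used as a starting point for new parsers, I would also extend the existing comment to `/* register inspect engines; the alproto here must be the same one the keyword's Setup callback sets on the signature */`. `DetectTemplateRustBufferRegister` begins above the hunk and the Setup callback is not shown, so please confirm it also uses `ALPROTO_TEMPLATE_RUST`.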
diff --git a/src/output-json-template.h b/src/output-json-template.h deleted file mode 100644 index 874df6b3b4..0000000000 --- a/src/output-json-template.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Copyright (C) 2015 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author FirstName LastName - */ - -#ifndef __OUTPUT_JSON_TEMPLATE_H__ -#define __OUTPUT_JSON_TEMPLATE_H__ - -void JsonTemplateLogRegister(void); - -#endif /* __OUTPUT_JSON_TEMPLATE_H__ */ diff --git a/src/output.c b/src/output.c index f1d771e6fe..a66c111756 100644 --- a/src/output.c +++ b/src/output.c @@ -77,7 +77,6 @@ #include "output-json-rfb.h" #include "output-json-mqtt.h" #include "output-json-pgsql.h" -#include "output-json-template.h" #include "output-json-template-rust.h" #include "output-json-rdp.h" #include "output-json-http2.h" @@ -1116,8 +1115,6 @@ void OutputRegisterLoggers(void) JsonMQTTLogRegister(); /* Pgsql JSON logger. */ JsonPgsqlLogRegister(); - /* Template JSON logger. */ - JsonTemplateLogRegister(); /* Template Rust JSON logger. */ JsonTemplateRustLogRegister(); /* RDP JSON logger. */