From: Anoop Saldanha Date: Fri, 2 Aug 2013 16:12:58 +0000 (+0530) Subject: Introduce new options into the conf file to enable/disable - X-Git-Tag: suricata-2.0beta2~306 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ddde572fbad2163994ea38097c54dfb6d381615c;p=thirdparty%2Fsuricata.git Introduce new options into the conf file to enable/disable - 1. Proto detection 2. Parsers For app layer protocols. libhtp has now been moved to the section under app-layer.protocols.http, but we still provide backward compatibility with older conf files. --- diff --git a/src/app-layer-dcerpc-udp.c b/src/app-layer-dcerpc-udp.c index 3163a673bb..68b343da20 100644 --- a/src/app-layer-dcerpc-udp.c +++ b/src/app-layer-dcerpc-udp.c 
@@ -720,18 +720,30 @@ static void DCERPCUDPStateFree(void *s) { void RegisterDCERPCUDPParsers(void) { char *proto_name = "dcerpcudp"; - /** DCERPC */ - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_UDP, ALPROTO_DCERPC_UDP, "|04 00|", 2, 0, STREAM_TOSERVER); - - AppLayerRegisterProto(proto_name, ALPROTO_DCERPC_UDP, STREAM_TOSERVER, - DCERPCUDPParse); - AppLayerRegisterProto(proto_name, ALPROTO_DCERPC_UDP, STREAM_TOCLIENT, - DCERPCUDPParse); - AppLayerRegisterStateFuncs(ALPROTO_DCERPC_UDP, DCERPCUDPStateAlloc, - DCERPCUDPStateFree); + if (AppLayerProtoDetectionEnabled("dcerpc")) { + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_UDP, ALPROTO_DCERPC_UDP, "|04 00|", 2, 0, STREAM_TOSERVER); + } else { + SCLogInfo("Protocol detection and parser disabled for %s protocol.", + "dcerpc"); + return; + } + + if (AppLayerParserEnabled("dcerpc")) { + AppLayerRegisterProto(proto_name, ALPROTO_DCERPC_UDP, STREAM_TOSERVER, + DCERPCUDPParse); + AppLayerRegisterProto(proto_name, ALPROTO_DCERPC_UDP, STREAM_TOCLIENT, + DCERPCUDPParse); + AppLayerRegisterStateFuncs(ALPROTO_DCERPC_UDP, DCERPCUDPStateAlloc, + DCERPCUDPStateFree); + } else { + SCLogInfo("Parsed disabled for %s protocol. Protocol detection" + "still on.", "dcerpc"); + } #ifdef UNITTESTS AppLayerRegisterUnittests(ALPROTO_DCERPC_UDP, DCERPCUDPParserRegisterTests); #endif + + return; } /* UNITTESTS */ diff --git a/src/app-layer-dcerpc.c b/src/app-layer-dcerpc.c index 45cd272be3..37a12f61e1 100644 --- a/src/app-layer-dcerpc.c +++ b/src/app-layer-dcerpc.c 
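Review bot: The message in the `else` branch of the `AppLayerParserEnabled` check is built from two adjacent literals with no separating space and misspells "Parser", so at runtime it reads `Parsed disabled for dcerpc protocol. Protocol detectionstill on.`; write it as `SCLogInfo("Parser disabled for %s protocol. Protocol detection " "still on.", "dcerpc");`. The identical string is introduced in the dcerpc, dnstcp, dnsudp, ftp, http, smb, smb2, smtp, ssh and tls hunks below and needs the same fix in each. Separately, this function consults the conf key for the literal `"dcerpc"` while `proto_name` is `"dcerpcudp"`; if one `app-layer.protocols.dcerpc.enabled` switch is meant to govern both TCP and UDP DCERPC, a one-line comment saying so would stop the next reader from treating it as a copy-paste slip.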
@@ -1869,18 +1869,30 @@ static void DCERPCStateFree(void *s) { void RegisterDCERPCParsers(void) { char *proto_name = "dcerpc"; - /** DCERPC */ - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_DCERPC, "|05 00|", 2, 0, STREAM_TOSERVER); - - AppLayerRegisterProto(proto_name, ALPROTO_DCERPC, STREAM_TOSERVER, - DCERPCParseRequest); - AppLayerRegisterProto(proto_name, ALPROTO_DCERPC, STREAM_TOCLIENT, - DCERPCParseResponse); - AppLayerRegisterStateFuncs(ALPROTO_DCERPC, DCERPCStateAlloc, - DCERPCStateFree); + if (AppLayerProtoDetectionEnabled(proto_name)) { + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_DCERPC, "|05 00|", 2, 0, STREAM_TOSERVER); + } else { + SCLogInfo("Protocol detection and parser disabled for %s protocol.", + proto_name); + return; + } + + if (AppLayerParserEnabled(proto_name)) { + AppLayerRegisterProto(proto_name, ALPROTO_DCERPC, STREAM_TOSERVER, + DCERPCParseRequest); + AppLayerRegisterProto(proto_name, ALPROTO_DCERPC, STREAM_TOCLIENT, + DCERPCParseResponse); + AppLayerRegisterStateFuncs(ALPROTO_DCERPC, DCERPCStateAlloc, + DCERPCStateFree); + } else { + SCLogInfo("Parsed disabled for %s protocol. Protocol detection" + "still on.", proto_name); + } #ifdef UNITTESTS AppLayerRegisterUnittests(ALPROTO_DCERPC, DCERPCParserRegisterTests); #endif + + return; } /* UNITTESTS */ diff --git a/src/app-layer-dns-tcp.c b/src/app-layer-dns-tcp.c index 373aa64513..a098f75f14 100644 --- a/src/app-layer-dns-tcp.c +++ b/src/app-layer-dns-tcp.c 
@@ -578,35 +578,46 @@ void RegisterDNSTCPParsers(void) { char *proto_name = "dnstcp"; /** DNS */ - AppLayerRegisterProto(proto_name, ALPROTO_DNS_TCP, STREAM_TOSERVER, - DNSTCPRequestParse); - AppLayerRegisterProto(proto_name, ALPROTO_DNS_TCP, STREAM_TOCLIENT, - DNSTCPResponseParse); - AppLayerRegisterStateFuncs(ALPROTO_DNS_TCP, DNSStateAlloc, - DNSStateFree); - AppLayerRegisterTxFreeFunc(ALPROTO_DNS_TCP, - DNSStateTransactionFree); - - AppLayerRegisterGetEventsFunc(ALPROTO_DNS_TCP, DNSGetEvents); - AppLayerRegisterHasEventsFunc(ALPROTO_DNS_TCP, DNSHasEvents); - - AppLayerRegisterGetTx(ALPROTO_DNS_TCP, - DNSGetTx); - AppLayerRegisterGetTxCnt(ALPROTO_DNS_TCP, - DNSGetTxCnt); - AppLayerRegisterGetAlstateProgressFunc(ALPROTO_DNS_TCP, - DNSGetAlstateProgress); - AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_DNS_TCP, - DNSGetAlstateProgressCompletionStatus); - - AppLayerRegisterProbingParser(&alp_proto_ctx, - IPPROTO_TCP, - "53", - proto_name, - ALPROTO_DNS_TCP, - 0, sizeof(DNSTcpHeader), - STREAM_TOSERVER, - DNSTcpProbingParser); + if (AppLayerProtoDetectionEnabled(proto_name)) { + AppLayerRegisterProbingParser(&alp_proto_ctx, + IPPROTO_TCP, + "53", + proto_name, + ALPROTO_DNS_TCP, + 0, sizeof(DNSTcpHeader), + STREAM_TOSERVER, + DNSTcpProbingParser); + } else { + SCLogInfo("Protocol detection and parser disabled for %s protocol.", + proto_name); + return; + } + + if (AppLayerParserEnabled(proto_name)) { + AppLayerRegisterProto(proto_name, ALPROTO_DNS_TCP, STREAM_TOSERVER, + DNSTCPRequestParse); + AppLayerRegisterProto(proto_name, ALPROTO_DNS_TCP, STREAM_TOCLIENT, + DNSTCPResponseParse); + AppLayerRegisterStateFuncs(ALPROTO_DNS_TCP, DNSStateAlloc, + DNSStateFree); + AppLayerRegisterTxFreeFunc(ALPROTO_DNS_TCP, + DNSStateTransactionFree); + + AppLayerRegisterGetEventsFunc(ALPROTO_DNS_TCP, DNSGetEvents); + AppLayerRegisterHasEventsFunc(ALPROTO_DNS_TCP, DNSHasEvents); + + AppLayerRegisterGetTx(ALPROTO_DNS_TCP, + DNSGetTx); + 
AppLayerRegisterGetTxCnt(ALPROTO_DNS_TCP, + DNSGetTxCnt); + AppLayerRegisterGetAlstateProgressFunc(ALPROTO_DNS_TCP, + DNSGetAlstateProgress); + AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_DNS_TCP, + DNSGetAlstateProgressCompletionStatus); + } else { + SCLogInfo("Parsed disabled for %s protocol. Protocol detection" + "still on.", proto_name); + } DNSAppLayerDecoderEventsRegister(ALPROTO_DNS_TCP); } diff --git a/src/app-layer-dns-udp.c b/src/app-layer-dns-udp.c index 2e41de1fb9..9857b26f1d 100644 --- a/src/app-layer-dns-udp.c +++ b/src/app-layer-dns-udp.c 
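Review bot: `DNSAppLayerDecoderEventsRegister(ALPROTO_DNS_TCP)` is left outside the `AppLayerParserEnabled` block here, whereas the dnsudp hunk that follows moves `DNSAppLayerDecoderEventsRegister(ALPROTO_DNS_UDP)` inside it, so under `detection-only` the TCP decoder events are registered and the UDP ones are not. Whichever placement is right, the two transports should agree; registering events for a parser that is never loaded is presumably harmless, so moving the TCP call inside the block as dnsudp does is the smaller change. RegisterDNSTCPParsers begins before this hunk.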
@@ -298,37 +298,48 @@ void RegisterDNSUDPParsers(void) { char *proto_name = "dnsudp"; /** DNS */ - AppLayerRegisterProto(proto_name, ALPROTO_DNS_UDP, STREAM_TOSERVER, - DNSUDPRequestParse); - AppLayerRegisterProto(proto_name, ALPROTO_DNS_UDP, STREAM_TOCLIENT, - DNSUDPResponseParse); - AppLayerRegisterStateFuncs(ALPROTO_DNS_UDP, DNSStateAlloc, - DNSStateFree); - AppLayerRegisterTxFreeFunc(ALPROTO_DNS_UDP, - DNSStateTransactionFree); - - AppLayerRegisterGetEventsFunc(ALPROTO_DNS_UDP, DNSGetEvents); - AppLayerRegisterHasEventsFunc(ALPROTO_DNS_UDP, DNSHasEvents); - - AppLayerRegisterGetTx(ALPROTO_DNS_UDP, - DNSGetTx); - AppLayerRegisterGetTxCnt(ALPROTO_DNS_UDP, - DNSGetTxCnt); - AppLayerRegisterGetAlstateProgressFunc(ALPROTO_DNS_UDP, - DNSGetAlstateProgress); - AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_DNS_UDP, - DNSGetAlstateProgressCompletionStatus); - - AppLayerRegisterProbingParser(&alp_proto_ctx, - IPPROTO_UDP, - "53", - proto_name, - ALPROTO_DNS_UDP, - 0, sizeof(DNSHeader), - STREAM_TOSERVER, - DNSUdpProbingParser); - - DNSAppLayerDecoderEventsRegister(ALPROTO_DNS_UDP); + if (AppLayerProtoDetectionEnabled(proto_name)) { + AppLayerRegisterProbingParser(&alp_proto_ctx, + IPPROTO_UDP, + "53", + proto_name, + ALPROTO_DNS_UDP, + 0, sizeof(DNSHeader), + STREAM_TOSERVER, + DNSUdpProbingParser); + } else { + SCLogInfo("Protocol detection and parser disabled for %s protocol.", + proto_name); + return; + } + + if (AppLayerParserEnabled(proto_name)) { + AppLayerRegisterProto(proto_name, ALPROTO_DNS_UDP, STREAM_TOSERVER, + DNSUDPRequestParse); + AppLayerRegisterProto(proto_name, ALPROTO_DNS_UDP, STREAM_TOCLIENT, + DNSUDPResponseParse); + AppLayerRegisterStateFuncs(ALPROTO_DNS_UDP, DNSStateAlloc, + DNSStateFree); + AppLayerRegisterTxFreeFunc(ALPROTO_DNS_UDP, + DNSStateTransactionFree); + + AppLayerRegisterGetEventsFunc(ALPROTO_DNS_UDP, DNSGetEvents); + AppLayerRegisterHasEventsFunc(ALPROTO_DNS_UDP, DNSHasEvents); + + AppLayerRegisterGetTx(ALPROTO_DNS_UDP, + 
DNSGetTx); + AppLayerRegisterGetTxCnt(ALPROTO_DNS_UDP, + DNSGetTxCnt); + AppLayerRegisterGetAlstateProgressFunc(ALPROTO_DNS_UDP, + DNSGetAlstateProgress); + AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_DNS_UDP, + DNSGetAlstateProgressCompletionStatus); + + DNSAppLayerDecoderEventsRegister(ALPROTO_DNS_UDP); + } else { + SCLogInfo("Parsed disabled for %s protocol. Protocol detection" + "still on.", proto_name); + } } /* UNITTESTS */ diff --git a/src/app-layer-ftp.c b/src/app-layer-ftp.c index 6b633c8430..6930a9c4f8 100644 --- a/src/app-layer-ftp.c +++ b/src/app-layer-ftp.c 
@@ -262,23 +262,29 @@ static void FTPStateFree(void *s) { #endif } - void RegisterFTPParsers(void) { char *proto_name = "ftp"; /** FTP */ - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_FTP, "USER ", 5, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_FTP, "PASS ", 5, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_FTP, "PORT ", 5, 0, STREAM_TOSERVER); - - AppLayerRegisterProto(proto_name, ALPROTO_FTP, STREAM_TOSERVER, - FTPParseRequest); - AppLayerRegisterProto(proto_name, ALPROTO_FTP, STREAM_TOCLIENT, - FTPParseResponse); - AppLayerRegisterParser("ftp.request_command_line", ALPROTO_FTP, - FTP_FIELD_REQUEST_LINE, FTPParseRequestCommandLine, - "ftp"); - AppLayerRegisterStateFuncs(ALPROTO_FTP, FTPStateAlloc, FTPStateFree); + if (AppLayerProtoDetectionEnabled(proto_name)) { + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_FTP, "USER ", 5, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_FTP, "PASS ", 5, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_FTP, "PORT ", 5, 0, STREAM_TOSERVER); + } + + if (AppLayerParserEnabled(proto_name)) { + AppLayerRegisterProto(proto_name, ALPROTO_FTP, STREAM_TOSERVER, + FTPParseRequest); + AppLayerRegisterProto(proto_name, ALPROTO_FTP, STREAM_TOCLIENT, + FTPParseResponse); + AppLayerRegisterParser("ftp.request_command_line", ALPROTO_FTP, + FTP_FIELD_REQUEST_LINE, FTPParseRequestCommandLine, + "ftp"); + AppLayerRegisterStateFuncs(ALPROTO_FTP, FTPStateAlloc, FTPStateFree); + } else { + SCLogInfo("Parsed disabled for %s protocol. Protocol detection" + "still on.", proto_name); + } #ifdef UNITTESTS AppLayerRegisterUnittests(ALPROTO_FTP, FTPParserRegisterTests); #endif diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c index 9fa7361402..2fb6987fcd 100644 --- a/src/app-layer-htp.c +++ b/src/app-layer-htp.c 
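Review bot: This is the only registration function in the commit whose `AppLayerProtoDetectionEnabled` check has no `else` branch: when detection is disabled for ftp it neither logs nor returns and falls through to the parser check. Because both helpers read the same `app-layer.protocols.ftp.enabled` key, a value of `no` also disables the parser, so the fall-through is harmless today, but it silently diverges from every other protocol and would break if the two settings were ever separated. Add the same `} else { SCLogInfo("Protocol detection and parser disabled for %s protocol.", proto_name); return; }` the other hunks use.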
@@ -1853,6 +1853,9 @@ void HTPFreeConfig(void) { SCEnter(); + if (!AppLayerProtoDetectionEnabled("http") || !AppLayerParserEnabled("http")) + SCReturn; + HTPCfgRec *nextrec = cfglist.next; SCRadixReleaseRadixTree(cfgtree); cfgtree = NULL; @@ -2284,15 +2287,24 @@ void HTPConfigure(void) } SCLogDebug("LIBHTP default config: %p", cfglist.cfg); HTPConfigSetDefaultsPhase1(&cfglist); - HTPConfigParseParameters(&cfglist, ConfGetNode("libhtp.default-config"), - cfgtree); + if (ConfGetNode("app-layer.protocols.http.libhtp") == NULL) { + HTPConfigParseParameters(&cfglist, ConfGetNode("libhtp.default-config"), + cfgtree); + } else { + HTPConfigParseParameters(&cfglist, ConfGetNode("app-layer.protocols.http.libhtp.default-config"), cfgtree); + } HTPConfigSetDefaultsPhase2(&cfglist); /* Read server config and create a parser for each IP in radix tree */ - ConfNode *server_config = ConfGetNode("libhtp.server-config"); + ConfNode *server_config = ConfGetNode("app-layer.protocols.http.libhtp.server-config"); + if (server_config == NULL) { + server_config = ConfGetNode("libhtp.server-config"); + if (server_config == NULL) { + SCLogDebug("LIBHTP Configuring %p", server_config); + SCReturn; + } + } SCLogDebug("LIBHTP Configuring %p", server_config); - if (server_config == NULL) - SCReturn; ConfNode *si; /* Server Nodes */ 
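Review bot: HTPFreeConfig now re-reads the configuration at teardown through `AppLayerProtoDetectionEnabled("http")` and `AppLayerParserEnabled("http")`, helpers that emit an info line when the entry is absent and call `exit(EXIT_FAILURE)` on an invalid value, which is heavy behaviour for a free routine. A state-based guard is cheaper and exact: if HTPConfigure is the only code that builds `cfgtree` (the hunk resets it to NULL after release, which suggests NULL is its unconfigured state), then `if (cfgtree == NULL) SCReturn;` skips the free precisely when configuration never ran, without consulting the conf tree again. The remainder of HTPFreeConfig is outside the hunk.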
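Review bot: The two compatibility fallbacks in HTPConfigure are keyed differently: the default-config choice tests for the parent node `app-layer.protocols.http.libhtp`, while server-config tests for the specific node `app-layer.protocols.http.libhtp.server-config` and then falls back to `libhtp.server-config`. A configuration that has the new `libhtp` section with only a `server-config` child therefore passes `ConfGetNode("app-layer.protocols.http.libhtp.default-config")`, i.e. NULL, to HTPConfigParseParameters and ignores an existing legacy `libhtp.default-config`; whether HTPConfigParseParameters tolerates a NULL node is not visible here. Test for the specific `default-config` node, as the server-config branch does, and fall back to the legacy key when it is NULL. The `SCLogDebug("LIBHTP Configuring %p", server_config);` inside the NULL branch can only ever print a null pointer and duplicates the line after the block.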
@@ -2393,44 +2405,55 @@ void RegisterHTPParsers(void) char *proto_name = "http"; /** HTTP */ - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "GET|20|", 4, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "GET|09|", 4, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "PUT|20|", 4, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "PUT|09|", 4, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "POST|20|", 5, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "POST|09|", 5, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "HEAD|20|", 5, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "HEAD|09|", 5, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "TRACE|20|", 6, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "TRACE|09|", 6, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "OPTIONS|20|", 8, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "OPTIONS|09|", 8, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "CONNECT|20|", 8, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "CONNECT|09|", 8, 0, STREAM_TOSERVER); - - AppLayerRegisterStateFuncs(ALPROTO_HTTP, HTPStateAlloc, HTPStateFree); - AppLayerRegisterTxFreeFunc(ALPROTO_HTTP, HTPStateTransactionFree); - AppLayerRegisterGetFilesFunc(ALPROTO_HTTP, HTPStateGetFiles); - AppLayerRegisterGetAlstateProgressFunc(ALPROTO_HTTP, HTPStateGetAlstateProgress); - AppLayerRegisterGetTxCnt(ALPROTO_HTTP, HTPStateGetTxCnt); - AppLayerRegisterGetTx(ALPROTO_HTTP, HTPStateGetTx); - 
AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_HTTP, - HTPStateGetAlstateProgressCompletionStatus); - - AppLayerDecoderEventsModuleRegister(ALPROTO_HTTP, http_decoder_event_table); - - AppLayerRegisterTruncateFunc(ALPROTO_HTTP, HTPStateTruncate); - - AppLayerRegisterProto(proto_name, ALPROTO_HTTP, STREAM_TOSERVER, - HTPHandleRequestData); - AppLayerRegisterProto(proto_name, ALPROTO_HTTP, STREAM_TOCLIENT, - HTPHandleResponseData); + if (AppLayerProtoDetectionEnabled(proto_name)) { + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "GET|20|", 4, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "GET|09|", 4, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "PUT|20|", 4, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "PUT|09|", 4, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "POST|20|", 5, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "POST|09|", 5, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "HEAD|20|", 5, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "HEAD|09|", 5, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "TRACE|20|", 6, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "TRACE|09|", 6, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "OPTIONS|20|", 8, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "OPTIONS|09|", 8, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "CONNECT|20|", 8, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "CONNECT|09|", 8, 0, STREAM_TOSERVER); + } else { + 
SCLogInfo("Protocol detection and parser disabled for %s protocol", + proto_name); + return; + } + + if (AppLayerParserEnabled(proto_name)) { + AppLayerRegisterStateFuncs(ALPROTO_HTTP, HTPStateAlloc, HTPStateFree); + AppLayerRegisterTxFreeFunc(ALPROTO_HTTP, HTPStateTransactionFree); + AppLayerRegisterGetFilesFunc(ALPROTO_HTTP, HTPStateGetFiles); + AppLayerRegisterGetAlstateProgressFunc(ALPROTO_HTTP, HTPStateGetAlstateProgress); + AppLayerRegisterGetTxCnt(ALPROTO_HTTP, HTPStateGetTxCnt); + AppLayerRegisterGetTx(ALPROTO_HTTP, HTPStateGetTx); + AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_HTTP, + HTPStateGetAlstateProgressCompletionStatus); + + AppLayerDecoderEventsModuleRegister(ALPROTO_HTTP, http_decoder_event_table); + + AppLayerRegisterTruncateFunc(ALPROTO_HTTP, HTPStateTruncate); + + AppLayerRegisterProto(proto_name, ALPROTO_HTTP, STREAM_TOSERVER, + HTPHandleRequestData); + AppLayerRegisterProto(proto_name, ALPROTO_HTTP, STREAM_TOCLIENT, + HTPHandleResponseData); + SC_ATOMIC_INIT(htp_config_flags); + HTPConfigure(); + } else { + SCLogInfo("Parsed disabled for %s protocol. Protocol detection" + "still on.", proto_name); + } #ifdef UNITTESTS AppLayerRegisterUnittests(ALPROTO_HTTP, HTPParserRegisterTests); #endif - SC_ATOMIC_INIT(htp_config_flags); - HTPConfigure(); SCReturn; } diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c index 4cce770d52..f2a9710d51 100644 --- a/src/app-layer-parser.c +++ b/src/app-layer-parser.c @@ -57,6 +57,7 @@ #include "app-layer-dns-udp.h" #include "app-layer-dns-tcp.h" +#include "conf.h" #include "util-spm.h" #include "util-debug.h" 
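Review bot: `SC_ATOMIC_INIT(htp_config_flags);` and `HTPConfigure();` now run only inside the `AppLayerParserEnabled` block, so under `detection-only` the flag is never initialised; HTPFreeConfig is covered by the matching guard in the earlier hunk, but any other reader of `htp_config_flags` is outside this diff and would presumably see an uninitialised atomic. Keeping `SC_ATOMIC_INIT(htp_config_flags);` unconditional, before the first check, costs nothing and removes the hazard while HTPConfigure stays gated. The detection-disabled message here (and in the tls hunk) also lacks the trailing period the other protocols use.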
@@ -1399,16 +1400,35 @@ void RegisterAppLayerParsers(void) RegisterDNSTCPParsers(); /** IMAP */ - //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_IMAP, "|2A 20|OK|20|", 5, 0, STREAM_TOCLIENT); - AlpProtoAdd(&alp_proto_ctx, "imap", IPPROTO_TCP, ALPROTO_IMAP, "1|20|capability", 12, 0, STREAM_TOSERVER); + if (AppLayerProtoDetectionEnabled("imap")) { + //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_IMAP, "|2A 20|OK|20|", 5, 0, STREAM_TOCLIENT); + AlpProtoAdd(&alp_proto_ctx, "imap", IPPROTO_TCP, ALPROTO_IMAP, "1|20|capability", 12, 0, STREAM_TOSERVER); + } else { + SCLogInfo("Protocol detection and parser disabled for %s protocol.", + "imap"); + return; + } /** MSN Messenger */ - //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_MSN, "MSNP", 10, 6, STREAM_TOCLIENT); - AlpProtoAdd(&alp_proto_ctx, "msn", IPPROTO_TCP, ALPROTO_MSN, "MSNP", 10, 6, STREAM_TOSERVER); + if (AppLayerProtoDetectionEnabled("msn")) { + //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_MSN, "MSNP", 10, 6, STREAM_TOCLIENT); + AlpProtoAdd(&alp_proto_ctx, "msn", IPPROTO_TCP, ALPROTO_MSN, "MSNP", 10, 6, STREAM_TOSERVER); + } else { + SCLogInfo("Protocol detection and parser disabled for %s protocol.", + "msn"); + return; + } /** Jabber */ - //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_JABBER, "xmlns='jabber|3A|client'", 74, 53, STREAM_TOCLIENT); - //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_JABBER, "xmlns='jabber|3A|client'", 74, 53, STREAM_TOSERVER); + if (AppLayerProtoDetectionEnabled("jabber")) { + //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_JABBER, "xmlns='jabber|3A|client'", 74, 53, STREAM_TOCLIENT); + //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_JABBER, "xmlns='jabber|3A|client'", 74, 53, STREAM_TOSERVER); + } else { + SCLogInfo("Protocol detection disabled for %s protocol and as a " + "consequence the conf param \"app-layer.protocols.%s." + "parser-enabled\" will now be ignored.", "jabber", "jabber"); + return; + } return; } 
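Review bot: The `return;` in the imap and msn `else` branches aborts the whole of RegisterAppLayerParsers: with `app-layer.protocols.imap.enabled: no` the msn and jabber checks never run, and with msn disabled jabber is skipped, so disabling one protocol silently disables those registered after it. Unlike the per-protocol Register*Parsers functions there is nothing here that must be skipped once a protocol is off, so drop the `return;` from the imap and msn branches (the jabber branch is followed only by the final `return;` anyway). The jabber message also names a key `app-layer.protocols.%s.parser-enabled` that nothing in this commit reads — both helpers build `app-layer.protocols.<proto>.enabled` — so it should refer to the `detection-only` value of that key instead. RegisterAppLayerParsers begins before this hunk.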
@@ -1521,6 +1541,95 @@ void AppLayerParsersInitPostProcess(void) } } +/*************************App Layer Conf Options Parsing***********************/ +/** + * \brief Given a protocol name, checks if the parser is enabled in the + * conf file. + * + * \param al_proto Name of the app layer protocol. + * + * \retval 1 If enabled. + * \retval 0 If disabled. + */ +int AppLayerParserEnabled(const char *al_proto) +{ + int enabled = 1; + + char param[100]; + int r = snprintf(param, sizeof(param), "%s%s%s", "app-layer.protocols.", + al_proto, ".enabled"); + if (r < 0) { + SCLogError(SC_ERR_FATAL, "snprintf failure."); + exit(EXIT_FAILURE); + } else if (r > (int)sizeof(param)) { + SCLogError(SC_ERR_FATAL, "buffer not big enough to write param."); + exit(EXIT_FAILURE); + } + + ConfNode *node = ConfGetNode(param); + if (node == NULL) { + SCLogInfo("Entry for %s not found.", param); + return enabled; + } else { + if (strcasecmp(node->val, "yes") == 0) { + enabled = 1; + } else if (strcasecmp(node->val, "no") == 0) { + enabled = 0; + } else if (strcasecmp(node->val, "detection-only") == 0) { + enabled = 0; + } else { + SCLogError(SC_ERR_FATAL, "Invalid value found for %s.", param); + exit(EXIT_FAILURE); + } + } + + return enabled; +} + +/** + * \brief Given a protocol name, checks if proto detection is enabled in the + * conf file. + * + * \param al_proto Name of the app layer protocol. + * + * \retval 1 If enabled. + * \retval 0 If disabled. 
+ */ +int AppLayerProtoDetectionEnabled(const char *al_proto) +{ + int enabled = 1; + + char param[100]; + int r = snprintf(param, sizeof(param), "%s%s%s", "app-layer.protocols.", + al_proto, ".enabled"); + if (r < 0) { + SCLogError(SC_ERR_FATAL, "snprintf failure."); + exit(EXIT_FAILURE); + } else if (r > (int)sizeof(param)) { + SCLogError(SC_ERR_FATAL, "buffer not big enough to write param."); + exit(EXIT_FAILURE); + } + + ConfNode *node = ConfGetNode(param); + if (node == NULL) { + SCLogInfo("Entry for %s not found.", param); + return enabled; + } else { + if (strcasecmp(node->val, "yes") == 0) { + enabled = 1; + } else if (strcasecmp(node->val, "no") == 0) { + enabled = 0; + } else if (strcasecmp(node->val, "detection-only") == 0) { + enabled = 1; + } else { + SCLogError(SC_ERR_FATAL, "Invalid value found for %s.", param); + exit(EXIT_FAILURE); + } + } + + return enabled; +} + /********************************Probing Parsers*******************************/ diff --git a/src/app-layer-parser.h b/src/app-layer-parser.h index 7eb90a4d66..814746d02c 100644 --- a/src/app-layer-parser.h +++ b/src/app-layer-parser.h @@ -416,4 +416,7 @@ int AppLayerAlprotoSupportsTxs(uint16_t alproto); void AppLayerTriggerRawStreamReassembly(Flow *); +int AppLayerParserEnabled(const char *alproto); +int AppLayerProtoDetectionEnabled(const char *alproto); + #endif /* __APP_LAYER_PARSER_H__ */ diff --git a/src/app-layer-smb.c b/src/app-layer-smb.c index da99636b64..8bcf12a155 100644 --- a/src/app-layer-smb.c +++ b/src/app-layer-smb.c 
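Review bot: The truncation check `r > (int)sizeof(param)` in both AppLayerParserEnabled and AppLayerProtoDetectionEnabled is off by one: snprintf returns the length the full string would have had, excluding the terminator, so `r == sizeof(param)` means the last character was dropped and the lookup silently proceeds with a truncated key; the test must be `r >= (int)sizeof(param)`. `strcasecmp(node->val, ...)` also assumes `val` is non-NULL, which fails if ConfGetNode can return a mapping node (children but no scalar) for this key — worth a NULL check or a confirmation that it cannot. The two functions are otherwise byte-identical apart from the `detection-only` arm, so a shared reader that classifies the value once removes the duplication, keeps the two from drifting, and lets the per-protocol "Entry not found" line drop to debug level, since it fires for every protocol at startup (and, via HTPFreeConfig, at shutdown).
```c
/* Value of app-layer.protocols.<al_proto>.enabled as 0 (no), 1 (yes) or
 * 2 (detection-only). A missing entry counts as yes. */
static int AppLayerEnabledSetting(const char *al_proto)
{
    char param[100];
    int r = snprintf(param, sizeof(param), "app-layer.protocols.%s.enabled",
                     al_proto);
    if (r < 0) {
        SCLogError(SC_ERR_FATAL, "snprintf failure.");
        exit(EXIT_FAILURE);
    } else if (r >= (int)sizeof(param)) { /* r == sizeof means truncated */
        SCLogError(SC_ERR_FATAL, "buffer not big enough to write param.");
        exit(EXIT_FAILURE);
    }

    ConfNode *node = ConfGetNode(param);
    if (node == NULL) {
        SCLogDebug("Entry for %s not found.", param);
        return 1;
    }
    if (node->val == NULL) {
        SCLogError(SC_ERR_FATAL, "No value found for %s.", param);
        exit(EXIT_FAILURE);
    }
    if (strcasecmp(node->val, "yes") == 0)
        return 1;
    if (strcasecmp(node->val, "no") == 0)
        return 0;
    if (strcasecmp(node->val, "detection-only") == 0)
        return 2;

    SCLogError(SC_ERR_FATAL, "Invalid value found for %s.", param);
    exit(EXIT_FAILURE);
}

int AppLayerParserEnabled(const char *al_proto)
{
    return AppLayerEnabledSetting(al_proto) == 1;
}

int AppLayerProtoDetectionEnabled(const char *al_proto)
{
    return AppLayerEnabledSetting(al_proto) != 0;
}
```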
@@ -1400,24 +1400,35 @@ static uint16_t SMBProbingParser(uint8_t *input, uint32_t ilen, uint32_t *offset void RegisterSMBParsers(void) { char *proto_name = "smb"; - /** SMB */ - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOSERVER); - - /** SMB2 */ - AlpProtoAdd(&alp_proto_ctx, "smb2", IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOSERVER); - - AppLayerRegisterProto(proto_name, ALPROTO_SMB, STREAM_TOSERVER, SMBParseRequest); - AppLayerRegisterProto(proto_name, ALPROTO_SMB, STREAM_TOCLIENT, SMBParseResponse); - AppLayerRegisterStateFuncs(ALPROTO_SMB, SMBStateAlloc, SMBStateFree); + if (AppLayerProtoDetectionEnabled(proto_name)) { + /** SMB */ + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOSERVER); + /** SMB2 */ + AlpProtoAdd(&alp_proto_ctx, "smb2", IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOSERVER); + + AppLayerRegisterProbingParser(&alp_proto_ctx, + IPPROTO_TCP, + "139", + "smb", + ALPROTO_SMB, + SMB_PROBING_PARSER_MIN_DEPTH, 0, + STREAM_TOSERVER, + SMBProbingParser); + } else { + SCLogInfo("Protocol detection and parser disabled for %s protocol.", + proto_name); + return; + } + + if (AppLayerParserEnabled(proto_name)) { + AppLayerRegisterProto(proto_name, ALPROTO_SMB, STREAM_TOSERVER, SMBParseRequest); + AppLayerRegisterProto(proto_name, ALPROTO_SMB, STREAM_TOCLIENT, SMBParseResponse); + AppLayerRegisterStateFuncs(ALPROTO_SMB, SMBStateAlloc, SMBStateFree); + } else { + SCLogInfo("Parsed disabled for %s protocol. Protocol detection" + "still on.", proto_name); + } - AppLayerRegisterProbingParser(&alp_proto_ctx, - IPPROTO_TCP, - "139", - "smb", - ALPROTO_SMB, - SMB_PROBING_PARSER_MIN_DEPTH, 0, - STREAM_TOSERVER, - SMBProbingParser); #ifdef UNITTESTS AppLayerRegisterUnittests(ALPROTO_SMB, SMBParserRegisterTests); #endif diff --git a/src/app-layer-smb2.c b/src/app-layer-smb2.c index 1918587632..1b303bfd49 100644 --- a/src/app-layer-smb2.c 
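Review bot: The SMB2 signature `AlpProtoAdd(&alp_proto_ctx, "smb2", IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOSERVER);` is now registered under the `AppLayerProtoDetectionEnabled(proto_name)` check for `"smb"`, so `app-layer.protocols.smb.enabled: no` also removes SMB2 detection, while RegisterSMB2Parsers in the next hunk consults the `smb2` key. Either wrap that one call in its own `if (AppLayerProtoDetectionEnabled("smb2"))` or make RegisterSMB2Parsers consult `smb` too; as written the two keys interact in a way the commit message does not describe. RegisterSMBParsers continues past the end of this hunk.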
+++ b/src/app-layer-smb2.c @@ -518,12 +518,22 @@ static void SMB2StateFree(void *s) { } void RegisterSMB2Parsers(void) { - AppLayerRegisterProto("smb", ALPROTO_SMB2, STREAM_TOSERVER, SMB2Parse); - AppLayerRegisterProto("smb", ALPROTO_SMB2, STREAM_TOCLIENT, SMB2Parse); - AppLayerRegisterStateFuncs(ALPROTO_SMB2, SMB2StateAlloc, SMB2StateFree); + /** SMB2 */ + char *proto_name = "smb2"; + + if (AppLayerProtoDetectionEnabled(proto_name)) { + AppLayerRegisterProto(proto_name, ALPROTO_SMB2, STREAM_TOSERVER, SMB2Parse); + AppLayerRegisterProto(proto_name, ALPROTO_SMB2, STREAM_TOCLIENT, SMB2Parse); + AppLayerRegisterStateFuncs(ALPROTO_SMB2, SMB2StateAlloc, SMB2StateFree); + } else { + SCLogInfo("Parsed disabled for %s protocol. Protocol detection" + "still on.", proto_name); + } + #ifdef UNITTESTS AppLayerRegisterUnittests(ALPROTO_SMB2, SMB2ParserRegisterTests); #endif + return; } /* UNITTESTS */ diff --git a/src/app-layer-smtp.c b/src/app-layer-smtp.c index fca2da6324..6d54bfca23 100644 --- a/src/app-layer-smtp.c +++ b/src/app-layer-smtp.c 
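Review bot: RegisterSMB2Parsers gates its `AppLayerRegisterProto`/`AppLayerRegisterStateFuncs` calls on `AppLayerProtoDetectionEnabled(proto_name)` rather than `AppLayerParserEnabled(proto_name)`, so with `app-layer.protocols.smb2.enabled: detection-only` the SMB2 parser is still registered, and the `else` message ("Protocol detection still on") describes a condition that was never tested. Use `if (AppLayerParserEnabled(proto_name)) {` here; the SMB2 detection pattern lives in RegisterSMBParsers, so there is no detection step to guard in this function. Note also that the name passed to AppLayerRegisterProto changes from `"smb"` to `"smb2"`; if that name is used anywhere as a lookup key, that is a behaviour change beyond what the commit describes.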
@@ -847,21 +847,32 @@ void RegisterSMTPParsers(void) { char *proto_name = "smtp"; - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SMTP, "EHLO", 4, 0, - STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SMTP, "HELO", 4, 0, - STREAM_TOSERVER); + if (AppLayerProtoDetectionEnabled(proto_name)) { + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SMTP, "EHLO", 4, 0, + STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SMTP, "HELO", 4, 0, + STREAM_TOSERVER); + } else { + SCLogInfo("Protocol detection and parser disabled for %s protocol.", + proto_name); + return; + } - AppLayerRegisterStateFuncs(ALPROTO_SMTP, SMTPStateAlloc, SMTPStateFree); + if (AppLayerParserEnabled(proto_name)) { + AppLayerRegisterStateFuncs(ALPROTO_SMTP, SMTPStateAlloc, SMTPStateFree); - AppLayerRegisterProto(proto_name, ALPROTO_SMTP, STREAM_TOSERVER, - SMTPParseClientRecord); - AppLayerRegisterProto(proto_name, ALPROTO_SMTP, STREAM_TOCLIENT, - SMTPParseServerRecord); - AppLayerDecoderEventsModuleRegister(ALPROTO_SMTP, smtp_decoder_event_table); + AppLayerRegisterProto(proto_name, ALPROTO_SMTP, STREAM_TOSERVER, + SMTPParseClientRecord); + AppLayerRegisterProto(proto_name, ALPROTO_SMTP, STREAM_TOCLIENT, + SMTPParseServerRecord); + AppLayerDecoderEventsModuleRegister(ALPROTO_SMTP, smtp_decoder_event_table); - AppLayerRegisterLocalStorageFunc(ALPROTO_SMTP, SMTPLocalStorageAlloc, - SMTPLocalStorageFree); + AppLayerRegisterLocalStorageFunc(ALPROTO_SMTP, SMTPLocalStorageAlloc, + SMTPLocalStorageFree); + } else { + SCLogInfo("Parsed disabled for %s protocol. Protocol detection" + "still on.", proto_name); + } SMTPSetMpmState(); diff --git a/src/app-layer-ssh.c b/src/app-layer-ssh.c index 697f0f1b04..700b280fac 100644 --- a/src/app-layer-ssh.c +++ b/src/app-layer-ssh.c 
@@ -739,14 +739,25 @@ void RegisterSSHParsers(void) char *proto_name = "ssh"; /** SSH */ - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SSH, "SSH-", 4, 0, STREAM_TOSERVER); + if (AppLayerProtoDetectionEnabled(proto_name)) { + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SSH, "SSH-", 4, 0, STREAM_TOSERVER); + } else { + SCLogInfo("Protocol detection and parser disabled for %s protocol.", + proto_name); + return; + } - AppLayerRegisterProto(proto_name, ALPROTO_SSH, STREAM_TOCLIENT, - SSHParseServerRecord); - AppLayerRegisterProto(proto_name, ALPROTO_SSH, STREAM_TOSERVER, - SSHParseClientRecord); + if (AppLayerParserEnabled(proto_name)) { + AppLayerRegisterProto(proto_name, ALPROTO_SSH, STREAM_TOCLIENT, + SSHParseServerRecord); + AppLayerRegisterProto(proto_name, ALPROTO_SSH, STREAM_TOSERVER, + SSHParseClientRecord); + AppLayerRegisterStateFuncs(ALPROTO_SSH, SSHStateAlloc, SSHStateFree); + } else { + SCLogInfo("Parsed disabled for %s protocol. Protocol detection" + "still on.", proto_name); + } - AppLayerRegisterStateFuncs(ALPROTO_SSH, SSHStateAlloc, SSHStateFree); #ifdef UNITTESTS AppLayerRegisterUnittests(ALPROTO_SSH, SSHParserRegisterTests); #endif diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c index 6828bc3724..8771bab46d 100644 --- a/src/app-layer-ssl.c +++ b/src/app-layer-ssl.c 
@@ -994,44 +994,65 @@ void RegisterSSLParsers(void) char *proto_name = "tls"; /** SSLv2 and SSLv23*/ - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 00 02|", 5, 2, STREAM_TOSERVER); - /* subsection - SSLv2 style record by client, but informing the server the max - * version it supports */ - /* Updated by Anoop Saldanha. Disabled it for now. We'll get back to it - * after some tests */ - //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|01 03 00|", 5, 2, STREAM_TOSERVER); - //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|00 02|", 7, 5, STREAM_TOCLIENT); - - /** SSLv3 */ - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 00|", 3, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 00|", 3, 0, STREAM_TOSERVER); /* client hello */ + if (AppLayerProtoDetectionEnabled(proto_name)) { + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 00 02|", 5, 2, STREAM_TOSERVER); + /* subsection - SSLv2 style record by client, but informing the server the max + * version it supports */ + /* Updated by Anoop Saldanha. Disabled it for now. 
We'll get back to it + * after some tests */ + //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|01 03 00|", 5, 2, STREAM_TOSERVER); + //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|00 02|", 7, 5, STREAM_TOCLIENT); + + /** SSLv3 */ + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 00|", 3, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 00|", 3, 0, STREAM_TOSERVER); /* client hello */ /** TLSv1 */ - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 01|", 3, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 01|", 3, 0, STREAM_TOSERVER); /* client hello */ + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 01|", 3, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 01|", 3, 0, STREAM_TOSERVER); /* client hello */ /** TLSv1.1 */ - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 02|", 3, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 02|", 3, 0, STREAM_TOSERVER); /* client hello */ + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 02|", 3, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 02|", 3, 0, STREAM_TOSERVER); /* client hello */ /** TLSv1.2 */ - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 03|", 3, 0, STREAM_TOSERVER); - AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 03|", 3, 0, STREAM_TOSERVER); /* client hello */ - - AppLayerRegisterProto(proto_name, ALPROTO_TLS, STREAM_TOSERVER, - SSLParseClientRecord); - - AppLayerRegisterProto(proto_name, ALPROTO_TLS, STREAM_TOCLIENT, - SSLParseServerRecord); - AppLayerDecoderEventsModuleRegister(ALPROTO_TLS, tls_decoder_event_table); - - AppLayerRegisterStateFuncs(ALPROTO_TLS, 
SSLStateAlloc, SSLStateFree); - - AppLayerRegisterProbingParser(&alp_proto_ctx, - IPPROTO_TCP, - "443", - proto_name, - ALPROTO_TLS, - 0, 3, - STREAM_TOSERVER, - SSLProbingParser); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 03|", 3, 0, STREAM_TOSERVER); + AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 03|", 3, 0, STREAM_TOSERVER); /* client hello */ + + AppLayerRegisterProbingParser(&alp_proto_ctx, + IPPROTO_TCP, + "443", + proto_name, + ALPROTO_TLS, + 0, 3, + STREAM_TOSERVER, + SSLProbingParser); + } else { + SCLogInfo("Protocol detection and parser disabled for %s protocol", + proto_name); + return; + } + + if (AppLayerParserEnabled(proto_name)) { + AppLayerRegisterProto(proto_name, ALPROTO_TLS, STREAM_TOSERVER, + SSLParseClientRecord); + + AppLayerRegisterProto(proto_name, ALPROTO_TLS, STREAM_TOCLIENT, + SSLParseServerRecord); + AppLayerDecoderEventsModuleRegister(ALPROTO_TLS, tls_decoder_event_table); + + AppLayerRegisterStateFuncs(ALPROTO_TLS, SSLStateAlloc, SSLStateFree); + + /* Get the value of no reassembly option from the config file */ + if (ConfGetNode("app-layer.protocols.tls.no-reassemble") == NULL) { + if (ConfGetBool("tls.no-reassemble", &ssl_config.no_reassemble) != 1) + ssl_config.no_reassemble = 1; + } else { + if (ConfGetBool("app-layer.protocols.tls.no-reassemble", &ssl_config.no_reassemble) != 1) + ssl_config.no_reassemble = 1; + } + } else { + SCLogInfo("Parsed disabled for %s protocol. Protocol detection" + "still on.", proto_name); + } + #ifdef UNITTESTS AppLayerRegisterUnittests(ALPROTO_TLS, SSLParserRegisterTests); #endif diff --git a/src/detect-dns-query.c b/src/detect-dns-query.c index df138fa733..69d9237b67 100644 --- a/src/detect-dns-query.c +++ b/src/detect-dns-query.c 
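Review bot: The two `no-reassemble` branches differ only in the key they read and both fall back to `ssl_config.no_reassemble = 1`, so the duplication collapses by choosing the key first: `const char *key = ConfGetNode("app-layer.protocols.tls.no-reassemble") != NULL ? "app-layer.protocols.tls.no-reassemble" : "tls.no-reassemble";` followed by a single `if (ConfGetBool(key, &ssl_config.no_reassemble) != 1) ssl_config.no_reassemble = 1;`. Because this read now sits inside the `AppLayerParserEnabled` block, `ssl_config.no_reassemble` keeps its prior value when the parser is disabled; if anything outside the parser path consults it (not visible in this hunk), the read belongs before the check. The detection-disabled message here also lacks the trailing period used by the other protocols.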
@@ -166,9 +166,9 @@ static int DetectDnsQueryTest01(void) {
 de_ctx->mpm_matcher = DEFAULT_MPM;
 de_ctx->flags |= DE_QUIET;
- s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
- "(msg:\"Test dns_query option\"; "
- "dns_query; content:\"google\"; nocase; sid:1;)");
+ s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
+ "(msg:\"Test dns_query option\"; "
+ "dns_query; content:\"google\"; nocase; sid:1;)");
 if (s == NULL) {
 goto end;
 }
@@ -287,13 +287,13 @@ static int DetectDnsQueryTest02(void) {
 de_ctx->mpm_matcher = DEFAULT_MPM;
 de_ctx->flags |= DE_QUIET;
- s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
+ s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
 "(msg:\"Test dns_query option\"; "
 "dns_query; content:\"google.com\"; nocase; sid:1;)");
 if (s == NULL) {
 goto end;
 }
- s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
+ s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
 "(msg:\"Test dns_query option\"; "
 "dns_query; content:\"google.net\"; nocase; sid:2;)");
 if (s == NULL) {
@@ -432,7 +432,7 @@ static int DetectDnsQueryTest03(void) {
 de_ctx->mpm_matcher = DEFAULT_MPM;
 de_ctx->flags |= DE_QUIET;
- s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
+ s = DetectEngineAppendSig(de_ctx, "alert dnstcp any any -> any any "
 "(msg:\"Test dns_query option\"; "
 "content:\"google\"; nocase; dns_query; sid:1;)");
 if (s == NULL) {
@@ -529,7 +529,7 @@ static int DetectDnsQueryTest04(void) {
 de_ctx->mpm_matcher = DEFAULT_MPM;
 de_ctx->flags |= DE_QUIET;
- s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
+ s = DetectEngineAppendSig(de_ctx, "alert dnstcp any any -> any any "
 "(msg:\"Test dns_query option\"; "
 "dns_query; content:\"google\"; nocase; sid:1;)");
 if (s == NULL) {
@@ -680,13 +680,13 @@ static int DetectDnsQueryTest05(void) {
 de_ctx->mpm_matcher = DEFAULT_MPM;
 de_ctx->flags |= DE_QUIET;
- s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
+ s = DetectEngineAppendSig(de_ctx, "alert dnstcp any any -> any any "
 "(msg:\"Test dns_query option\"; "
 "dns_query; content:\"google.com\"; nocase; sid:1;)");
 if (s == NULL) {
 goto end;
 }
- s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
+ s = DetectEngineAppendSig(de_ctx, "alert dnstcp any any -> any any "
 "(msg:\"Test dns_query option\"; "
 "dns_query; content:\"google.net\"; nocase; sid:2;)");
 if (s == NULL) {
@@ -842,14 +842,14 @@ static int DetectDnsQueryTest06(void) {
 de_ctx->mpm_matcher = DEFAULT_MPM;
 de_ctx->flags |= DE_QUIET;
- s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
+ s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
 "(msg:\"Test dns_query option\"; "
 "dns_query; content:\"google\"; nocase; "
 "pcre:\"/google\\.com$/i\"; sid:1;)");
 if (s == NULL) {
 goto end;
 }
- s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
+ s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
 "(msg:\"Test dns_query option\"; "
 "dns_query; content:\"google\"; nocase; "
 "pcre:\"/^\\.[a-z]{2,3}$/iR\"; sid:2;)");
@@ -977,19 +977,19 @@ static int DetectDnsQueryTest07(void) {
 de_ctx->mpm_matcher = DEFAULT_MPM;
 de_ctx->flags |= DE_QUIET;
- s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
+ s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
 "(msg:\"Test dns_query option\"; "
 "dns_query; content:\"google.com\"; nocase; sid:1;)");
 if (s == NULL) {
 goto end;
 }
- s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
+ s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
 "(msg:\"Test dns_query option\"; "
 "dns_query; content:\"google.net\"; nocase; sid:2;)");
 if (s == NULL) {
 goto end;
 }
- s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
+ s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
 "(msg:\"Test Z flag event\"; "
 "app-layer-event:dns.z_flag_set; sid:3;)");
 if (s == NULL) {
diff --git a/src/detect-parse.c b/src/detect-parse.c
index 88e81f0ab7..1c6debb024 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -636,7 +636,11 @@ int SigParseProto(Signature *s, const char *protostr) {
 if (s->alproto == ALPROTO_UNKNOWN) {
 SCLogError(SC_ERR_UNKNOWN_PROTOCOL, "protocol \"%s\" cannot be used "
- "in a signature", protostr);
+ "in a signature. Either detection for this protocol "
+ "supported yet OR detection has been disabled for "
+ "protocol through the yaml option "
+ "app-layer.protocols.%s.detection-enabled", protostr,
+ protostr);
 SCReturnInt(-1);
 }
 }
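Review bot: The new SCLogError text in SigParseProto is missing a word and points operators at a yaml key this commit does not define: it reads "Either detection for this protocol supported yet" and names `app-layer.protocols.%s.detection-enabled`, while suricata.yaml.in in this same commit documents the per-protocol key as `enabled` with the values yes/no/detection-only, and the SigValidate message in the next hunk already uses `.enabled`. Someone following this message as written would edit a key that nothing on this page reads. Suggested lines: `"in a signature. Either detection for this protocol isn't "` / `"supported yet OR detection has been disabled for the "` / `"protocol through the yaml option app-layer.protocols.%s.enabled", protostr, protostr);`. SigParseProto starts before the hunk.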
@@ -1224,6 +1228,28 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s) {
 }
 }
 }
+ }
+
+ if (s->alproto != ALPROTO_UNKNOWN) {
+ if (s->flags & SIG_FLAG_STATE_MATCH) {
+ if (al_proto_table[s->alproto].to_server == 0 ||
+ al_proto_table[s->alproto].to_client == 0) {
+ const char *proto_name = TmModuleAlprotoToString(s->alproto);
+ SCLogInfo("Signature uses options that need the app layer "
+ "parser for \"%s\", but the parser's disabled "
+ "for the protocol. Please check if you have "
+ "disabled it through the option "
+ "\"app-layer.protocols.%s.enabled\" or internally "
+ "there the parser has been disabled in the code. "
+ "Invalidating signature.", proto_name, proto_name);
+ SCReturnInt(0);
+ }
+ }
+
+
+
+
+ }
 if (s->flags & SIG_FLAG_REQUIRE_PACKET) {
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 8a8f3b059e..3b31465c99 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
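Review bot: The new SigValidate block rejects the signature with `SCReturnInt(0)` but reports it only through SCLogInfo, so a rule dropped because its parser is disabled (or, per the message, disabled in code) loses detection coverage without an operator-visible error; the sibling check in SigParseProto uses SCLogError for the comparable case, and this one should too, e.g. `SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature uses options that need the app layer "` in place of the SCLogInfo call. The condition `to_server == 0 || to_client == 0` also invalidates state-match rules for any protocol that registers a parser in one direction only, if such a protocol exists — worth confirming against the registrations, or testing only the direction the signature needs. The four blank lines added before the closing `}` look accidental, and "or internally there the parser has been disabled in the code" reads better as "or the parser has been disabled internally in the code". SigValidate starts before the hunk.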
@@ -976,84 +976,119 @@ pcre: match-limit: 3500 match-limit-recursion: 1500 -########################################################################### -# Configure libhtp. -# -# -# default-config: Used when no server-config matches -# personality: List of personalities used by default -# request-body-limit: Limit reassembly of request body for inspection -# by http_client_body & pcre /P option. -# response-body-limit: Limit reassembly of response body for inspection -# by file_data, http_server_body & pcre /Q option. -# double-decode-path: Double decode path section of the URI -# double-decode-query: Double decode query section of the URI -# -# server-config: List of server configurations to use if address matches -# address: List of ip addresses or networks for this block -# personalitiy: List of personalities used by this block -# request-body-limit: Limit reassembly of request body for inspection -# by http_client_body & pcre /P option. -# response-body-limit: Limit reassembly of response body for inspection -# by file_data, http_server_body & pcre /Q option. -# double-decode-path: Double decode path section of the URI -# double-decode-query: Double decode query section of the URI -# -# Currently Available Personalities: -# Minimal -# Generic -# IDS (default) -# IIS_4_0 -# IIS_5_0 -# IIS_5_1 -# IIS_6_0 -# IIS_7_0 -# IIS_7_5 -# Apache_2 -########################################################################### -libhtp: - - default-config: - personality: IDS - - # Can be specified in kb, mb, gb. Just a number indicates - # it's in bytes. 
- request-body-limit: 3072 - response-body-limit: 3072 - - # inspection limits - request-body-minimal-inspect-size: 32kb - request-body-inspect-window: 4kb - response-body-minimal-inspect-size: 32kb - response-body-inspect-window: 4kb - - # decoding - double-decode-path: no - double-decode-query: no - - server-config: - - - apache: - address: [192.168.1.0/24, 127.0.0.0/8, "::1"] - personality: Apache_2 - # Can be specified in kb, mb, gb. Just a number indicates - # it's in bytes. - request-body-limit: 4096 - response-body-limit: 4096 - double-decode-path: no - double-decode-query: no - - - iis7: - address: - - 192.168.0.0/24 - - 192.168.10.0/24 - personality: IIS_7_0 - # Can be specified in kb, mb, gb. Just a number indicates - # it's in bytes. - request-body-limit: 4096 - response-body-limit: 4096 - double-decode-path: no - double-decode-query: no +# Holds details on the app-layer. The protocols section details each protocol. +# Under each protocol, the default value for detection-enabled and " +# parsed-enabled is yes, unless specified otherwise. +# Each protocol covers enabling/disabling parsers for all ipprotos +# the app-layer protocol runs on. For example "dcerpc" refers to the tcp +# version of the protocol as well as the udp version of the protocol. +# The option "enabled" takes 3 values - "yes", "no", "detection-only". +# "yes" enables both detection and the parser, "no" disables both, and +# "detection-only" enables detection only(parser disabled). +app-layer: + protocols: + tls: + enabled: yes + + #no-reassemble: yes + dcerpc: + enabled: yes + ftp: + enabled: yes + ssh: + enabled: yes + smtp: + enabled: yes + imap: + enabled: detection-only + msn: + enabled: detection-only + smb: + enabled: yes + # smb2 detection is disabled internally inside the engine. + #smb2: + # enabled: yes + http: + enabled: yes + + ########################################################################### + # Configure libhtp. 
+ # + # + # default-config: Used when no server-config matches + # personality: List of personalities used by default + # request-body-limit: Limit reassembly of request body for inspection + # by http_client_body & pcre /P option. + # response-body-limit: Limit reassembly of response body for inspection + # by file_data, http_server_body & pcre /Q option. + # double-decode-path: Double decode path section of the URI + # double-decode-query: Double decode query section of the URI + # + # server-config: List of server configurations to use if address matches + # address: List of ip addresses or networks for this block + # personalitiy: List of personalities used by this block + # request-body-limit: Limit reassembly of request body for inspection + # by http_client_body & pcre /P option. + # response-body-limit: Limit reassembly of response body for inspection + # by file_data, http_server_body & pcre /Q option. + # double-decode-path: Double decode path section of the URI + # double-decode-query: Double decode query section of the URI + # + # Currently Available Personalities: + # Minimal + # Generic + # IDS (default) + # IIS_4_0 + # IIS_5_0 + # IIS_5_1 + # IIS_6_0 + # IIS_7_0 + # IIS_7_5 + # Apache_2 + ########################################################################### + libhtp: + + default-config: + personality: IDS + + # Can be specified in kb, mb, gb. Just a number indicates + # it's in bytes. + request-body-limit: 3072 + response-body-limit: 3072 + + # inspection limits + request-body-minimal-inspect-size: 32kb + request-body-inspect-window: 4kb + response-body-minimal-inspect-size: 32kb + response-body-inspect-window: 4kb + + # decoding + double-decode-path: no + double-decode-query: no + + server-config: + + - apache: + address: [192.168.1.0/24, 127.0.0.0/8, "::1"] + personality: Apache_2 + # Can be specified in kb, mb, gb. Just a number indicates + # it's in bytes. 
+ request-body-limit: 4096 + response-body-limit: 4096 + double-decode-path: no + double-decode-query: no + + - iis7: + address: + - 192.168.0.0/24 + - 192.168.10.0/24 + personality: IIS_7_0 + # Can be specified in kb, mb, gb. Just a number indicates + # it's in bytes. + request-body-limit: 4096 + response-body-limit: 4096 + double-decode-path: no + double-decode-query: no # Profiling settings. Only effective if Suricata has been built with the # the --enable-profiling configure flag.
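Review bot: The header comment of the new `app-layer` section names options the section itself never defines — `detection-enabled` and `parsed-enabled` — and carries a stray `"`, while the key actually shown for every protocol is `enabled` with the values yes/no/detection-only described two lines later. Suggested replacement for those two comment lines: `# Under each protocol, the default value for "enabled" is yes, unless` / `# specified otherwise.`. Since the commit message promises backward compatibility for older conf files, a one-line comment above `libhtp:` saying whether a top-level `libhtp:` section from an older configuration is still honored would spare users a migration surprise; this page shows such a fallback only for tls.no-reassemble, so the comment should be phrased to match what the http registration actually does.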