From: Philippe Antoine Date: Wed, 6 Oct 2021 18:57:09 +0000 (+0200) Subject: app-layer: disable by default if not in configuration X-Git-Tag: suricata-7.0.0-beta1~1299 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ea4a509a54e8292a41a496fc9d2b97096de91f77;p=thirdparty%2Fsuricata.git app-layer: disable by default if not in configuration DNP3, ENIP, HTTP2 and Modbus are supposed to be disabled by default. That means the default configuration does it, but that also means that, if they are not in suricata.yaml, the protocol should stay disabled. --- diff --git a/rust/src/applayer.rs b/rust/src/applayer.rs index 2f8beff9f5..abe556c758 100644 --- a/rust/src/applayer.rs +++ b/rust/src/applayer.rs @@ -323,6 +323,7 @@ extern { offset: u16, direction: u8, ppfn: ProbeFn, pp_min_depth: u16, pp_max_depth: u16) -> c_int; pub fn AppLayerProtoDetectConfProtoDetectionEnabled(ipproto: *const c_char, proto: *const c_char) -> c_int; + pub fn AppLayerProtoDetectConfProtoDetectionEnabledDefault(ipproto: *const c_char, proto: *const c_char, default: bool) -> c_int; } // Defined in app-layer-parser.h diff --git a/rust/src/modbus/modbus.rs b/rust/src/modbus/modbus.rs index ef2f05b45c..fa62ae7228 100644 --- a/rust/src/modbus/modbus.rs +++ b/rust/src/modbus/modbus.rs @@ -443,7 +443,7 @@ pub unsafe extern "C" fn rs_modbus_register_parser() { }; let ip_proto_str = CString::new("tcp").unwrap(); - if AppLayerProtoDetectConfProtoDetectionEnabled(ip_proto_str.as_ptr(), parser.name) != 0 { + if AppLayerProtoDetectConfProtoDetectionEnabledDefault(ip_proto_str.as_ptr(), parser.name, false) != 0 { let alproto = AppLayerRegisterProtocolDetection(&parser, 1); ALPROTO_MODBUS = alproto; if AppLayerParserConfParserEnabled(ip_proto_str.as_ptr(), parser.name) != 0 { diff --git a/src/app-layer-detect-proto.c b/src/app-layer-detect-proto.c index 1513020c6a..2c1a300139 100644 --- a/src/app-layer-detect-proto.c +++ b/src/app-layer-detect-proto.c @@ -1984,8 +1984,8 @@ void AppLayerProtoDetectReset(Flow *f) f->alproto_tc = ALPROTO_UNKNOWN; } -int AppLayerProtoDetectConfProtoDetectionEnabled(const char *ipproto, - const char *alproto) +int AppLayerProtoDetectConfProtoDetectionEnabledDefault( + const char *ipproto, const char *alproto, bool default_enabled) { SCEnter(); @@ -2021,7 +2021,11 @@ int AppLayerProtoDetectConfProtoDetectionEnabled(const char *ipproto, node = ConfGetNode(param); if (node == NULL) { SCLogDebug("Entry for %s not found.", param); - goto enabled; + if (default_enabled) { + goto enabled; + } else { + goto disabled; + } } } @@ -2045,6 +2049,11 @@ int AppLayerProtoDetectConfProtoDetectionEnabled(const char *ipproto, SCReturnInt(enabled); } +int AppLayerProtoDetectConfProtoDetectionEnabled(const char *ipproto, const char *alproto) +{ + return AppLayerProtoDetectConfProtoDetectionEnabledDefault(ipproto, alproto, true); +} + AppLayerProtoDetectThreadCtx *AppLayerProtoDetectGetCtxThread(void) { SCEnter(); diff --git a/src/app-layer-detect-proto.h b/src/app-layer-detect-proto.h index 7f3fef0bd6..cf9b5e2506 100644 --- a/src/app-layer-detect-proto.h +++ b/src/app-layer-detect-proto.h @@ -162,6 +162,19 @@ void AppLayerProtoDetectRegisterAlias(const char *proto_name, const char *proto_ int AppLayerProtoDetectConfProtoDetectionEnabled(const char *ipproto, const char *alproto); +/** + * \brief Given a protocol name, checks if proto detection is enabled in + * the conf file. + * + * \param alproto Name of the app layer protocol. + * \param default_enabled enable by default if not in the configuration file + * + * \retval 1 If enabled. + * \retval 0 If disabled. + */ +int AppLayerProtoDetectConfProtoDetectionEnabledDefault( + const char *ipproto, const char *alproto, bool default_enabled); + /** * \brief Inits and returns an app layer protocol detection thread context. diff --git a/src/app-layer-dnp3.c b/src/app-layer-dnp3.c index 015f3d8c7e..7b707f355e 100644 --- a/src/app-layer-dnp3.c +++ b/src/app-layer-dnp3.c @@ -1587,8 +1587,7 @@ void RegisterDNP3Parsers(void) const char *proto_name = "dnp3"; - if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", proto_name)) - { + if (AppLayerProtoDetectConfProtoDetectionEnabledDefault("tcp", proto_name, false)) { AppLayerProtoDetectRegisterProtocol(ALPROTO_DNP3, proto_name); if (RunmodeIsUnittests()) { @@ -1604,8 +1603,7 @@ void RegisterDNP3Parsers(void) } } - } - else { + } else { SCLogConfig("Protocol detection and parser disabled for DNP3."); SCReturn; } diff --git a/src/app-layer-enip.c b/src/app-layer-enip.c index a53b13dcd9..346c4a0d73 100644 --- a/src/app-layer-enip.c +++ b/src/app-layer-enip.c @@ -465,8 +465,7 @@ void RegisterENIPUDPParsers(void) SCEnter(); const char *proto_name = "enip"; - if (AppLayerProtoDetectConfProtoDetectionEnabled("udp", proto_name)) - { + if (AppLayerProtoDetectConfProtoDetectionEnabledDefault("udp", proto_name, false)) { AppLayerProtoDetectRegisterProtocol(ALPROTO_ENIP, proto_name); if (RunmodeIsUnittests()) @@ -496,8 +495,7 @@ void RegisterENIPUDPParsers(void) } } - } else - { + } else { SCLogConfig("Protocol detection and parser disabled for %s protocol.", proto_name); return; @@ -555,8 +553,7 @@ void RegisterENIPTCPParsers(void) SCEnter(); const char *proto_name = "enip"; - if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", proto_name)) - { + if (AppLayerProtoDetectConfProtoDetectionEnabledDefault("tcp", proto_name, false)) { AppLayerProtoDetectRegisterProtocol(ALPROTO_ENIP, proto_name); if (RunmodeIsUnittests()) @@ -577,8 +574,7 @@ void RegisterENIPTCPParsers(void) } } - } else - { + } else { SCLogDebug("Protocol detection and parser disabled for %s protocol.", proto_name); return; diff --git a/src/app-layer-http2.c b/src/app-layer-http2.c index 6285be9dd9..76e742c075 100644 --- a/src/app-layer-http2.c +++ b/src/app-layer-http2.c @@ -57,7 +57,7 @@ void RegisterHTTP2Parsers(void) { const char *proto_name = "http2"; - if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", proto_name)) { + if (AppLayerProtoDetectConfProtoDetectionEnabledDefault("tcp", proto_name, false)) { AppLayerProtoDetectRegisterProtocol(ALPROTO_HTTP2, proto_name); if (HTTP2RegisterPatternsForProtocolDetection() < 0) return;