From: Victor Julien
Date: Fri, 5 May 2017 09:22:44 +0000 (+0200)
Subject: lua: extend SCFlowAppLayerProto
X-Git-Tag: suricata-4.0.0-beta1~90
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f6e3755b5c43c81e65a5b79e924ec28872be494e;p=thirdparty%2Fsuricata.git
lua: extend SCFlowAppLayerProto
Change SCFlowAppLayerProto to return 5 values: : alproto: detected protocol alproto_ts: detected protocol in toserver direction alproto_tc: detected protocol in toclient direction alproto_orig: pre-change/upgrade protocol alproto_expected: expected protocol in change/upgrade Orig and expect are used when changing and upgrading protocols. In a SMTP STARTTLS case, orig would normally be set to "smtp" and expect to "tls".
---
diff --git a/doc/userguide/output/lua-output.rst b/doc/userguide/output/lua-output.rst
index adef654a05..d9b015972d 100644
--- a/doc/userguide/output/lua-output.rst
+++ b/doc/userguide/output/lua-output.rst
@@ -175,7 +175,7 @@ SCFlowTuple
 SCFlowAppLayerProto
 ~~~~~~~~~~~~~~~~~~~
-Get alproto as string from the flow. If alproto is not (yet) known, it
+Get alprotos as string from the flow. If a alproto is not (yet) known, it
 returns "unknown".
 Example:
@@ -189,6 +189,12 @@ Example:
 end
 end
+Returns 5 values:
+
+Orig and expect are used when changing and upgrading protocols. In a SMTP STARTTLS
+case, orig would normally be set to "smtp" and expect to "tls".
+
+
 SCFlowHasAlerts
 ~~~~~~~~~~~~~~~
diff --git a/src/util-lua-common.c b/src/util-lua-common.c
index 2037ef7bbf..b6a9c1c1d1 100644
--- a/src/util-lua-common.c
+++ b/src/util-lua-common.c
@@ -447,14 +447,14 @@ static int LuaCallbackTupleFlow(lua_State *luastate)
 /** \internal
 * \brief fill lua stack with AppLayerProto
 * \param luastate the lua state
- * \param f flow, locked
+ * \param alproto AppProto to push to stack as string
 * \retval cnt number of data items placed on the stack
 *
 * Places: alproto as string (string)
 */
-static int LuaCallbackAppLayerProtoPushToStackFromFlow(lua_State *luastate, const Flow *f)
+static int LuaCallbackAppLayerProtoPushToStackFromFlow(lua_State *luastate, const AppProto alproto)
 {
- const char *string = AppProtoToString(f->alproto);
+ const char *string = AppProtoToString(alproto);
 if (string == NULL)
 string = "unknown";
 lua_pushstring(luastate, string);
@@ -472,7 +472,11 @@ static int LuaCallbackAppLayerProtoFlow(lua_State *luastate)
 if (f == NULL)
 return LuaCallbackError(luastate, "internal error: no flow");
- r = LuaCallbackAppLayerProtoPushToStackFromFlow(luastate, f);
+ r = LuaCallbackAppLayerProtoPushToStackFromFlow(luastate, f->alproto);
+ r += LuaCallbackAppLayerProtoPushToStackFromFlow(luastate, f->alproto_ts);
+ r += LuaCallbackAppLayerProtoPushToStackFromFlow(luastate, f->alproto_tc);
+ r += LuaCallbackAppLayerProtoPushToStackFromFlow(luastate, f->alproto_orig);
+ r += LuaCallbackAppLayerProtoPushToStackFromFlow(luastate, f->alproto_expect);
 return r;
 }
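Review bot: The helper's name still ends in `FromFlow` although its second parameter is now a plain `AppProto`, so the name no longer says what a caller has to pass. Since the function is `static`, a rename such as `LuaCallbackAppLayerProtoPushToStack` would stay inside this file and match the new signature. The function body continues past the end of this hunk, so the return statement is not visible here.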
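Review bot: The five reads of `f->alproto`, `f->alproto_ts`, `f->alproto_tc`, `f->alproto_orig` and `f->alproto_expect` are meant to describe one moment of the flow, but the "flow, locked" precondition that the helper's comment used to carry is removed by this commit and not restated where the reads now happen. If the flow were not locked at this point, a script running during a protocol change such as STARTTLS could presumably see a mix of old and new values and base a logging or detection decision on it. I would put the precondition above the first call, e.g. `/* flow must be locked by the caller: the five alproto fields are read as one snapshot */`, and confirm it against the code that hands the flow to the Lua state. The start of `LuaCallbackAppLayerProtoFlow` lies outside the hunk, so how `f` is obtained is not visible here.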