/** DNS */
if (AppLayerProtoDetectionEnabled(proto_name)) {
- AppLayerRegisterProbingParser(&alp_proto_ctx,
- IPPROTO_TCP,
- "53",
- proto_name,
- ALPROTO_DNS_TCP,
- 0, sizeof(DNSTcpHeader),
- STREAM_TOSERVER,
- DNSTcpProbingParser);
+ if (RunmodeIsUnittests()) {
+ AppLayerRegisterProbingParser(&alp_proto_ctx,
+ IPPROTO_TCP,
+ "53",
+ proto_name,
+ ALPROTO_DNS_TCP,
+ 0, sizeof(DNSTcpHeader),
+ STREAM_TOSERVER,
+ DNSTcpProbingParser);
+ } else {
+ AppLayerParseProbingParserPorts(proto_name, ALPROTO_DNS_TCP,
+ 0, sizeof(DNSTcpHeader),
+ DNSTcpProbingParser);
+ }
} else {
SCLogInfo("Protocol detection and parser disabled for %s protocol.",
proto_name);
/** DNS */
if (AppLayerProtoDetectionEnabled(proto_name)) {
- AppLayerRegisterProbingParser(&alp_proto_ctx,
- IPPROTO_UDP,
- "53",
- proto_name,
- ALPROTO_DNS_UDP,
- 0, sizeof(DNSHeader),
- STREAM_TOSERVER,
- DNSUdpProbingParser);
+ if (RunmodeIsUnittests()) {
+ AppLayerRegisterProbingParser(&alp_proto_ctx,
+ IPPROTO_UDP,
+ "53",
+ proto_name,
+ ALPROTO_DNS_UDP,
+ 0, sizeof(DNSHeader),
+ STREAM_TOSERVER,
+ DNSUdpProbingParser);
+ } else {
+ AppLayerParseProbingParserPorts(proto_name, ALPROTO_DNS_UDP,
+ 0, sizeof(DNSHeader),
+ DNSUdpProbingParser);
+ }
} else {
SCLogInfo("Protocol detection and parser disabled for %s protocol.",
proto_name);
return enabled;
}
+void AppLayerParseProbingParserPorts(const char *al_proto_name, uint16_t al_proto,
+ uint16_t min_depth, uint16_t max_depth,
+ uint16_t (*ProbingParser)(uint8_t *input,
+ uint32_t input_len,
+ uint32_t *offset))
+{
+ char param[100];
+ int r;
+ ConfNode *node;
+ ConfNode *proto_node = NULL;
+ ConfNode *port_node = NULL;
+
+ r = snprintf(param, sizeof(param), "%s%s%s", "app-layer.protocols.",
+ al_proto_name, ".detection-ports");
+ if (r < 0) {
+ SCLogError(SC_ERR_FATAL, "snprintf failure.");
+ exit(EXIT_FAILURE);
+ } else if (r > (int)sizeof(param)) {
+ SCLogError(SC_ERR_FATAL, "buffer not big enough to write param.");
+ exit(EXIT_FAILURE);
+ }
+ node = ConfGetNode(param);
+ if (node == NULL) {
+ SCLogDebug("Entry for %s not found.", param);
+ return;
+ }
+
+ /* for each proto */
+ TAILQ_FOREACH(proto_node, &node->head, next) {
+ DetectProto dp;
+ int ip_proto = DetectProtoParse(&dp, proto_node->name);
+ if (ip_proto <= 0) {
+ SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Invalid entry for "
+ "%s.%s", param, proto_node->name);
+ exit(EXIT_FAILURE);
+ }
+
+ /* toserver */
+ r = snprintf(param, sizeof(param), "%s%s%s%s%s", "app-layer.protocols.",
+ al_proto_name, ".detection-ports.", proto_node->name, ".toserver");
+ if (r < 0) {
+ SCLogError(SC_ERR_FATAL, "snprintf failure.");
+ exit(EXIT_FAILURE);
+ } else if (r > (int)sizeof(param)) {
+ SCLogError(SC_ERR_FATAL, "buffer not big enough to write param.");
+ exit(EXIT_FAILURE);
+ }
+ port_node = ConfGetNode(param);
+ if (port_node != NULL && port_node->val != NULL) {
+ AppLayerRegisterProbingParser(&alp_proto_ctx,
+ ip_proto,
+ port_node->val,
+ (char *)al_proto_name,
+ al_proto,
+ min_depth, max_depth,
+ STREAM_TOSERVER,
+ ProbingParser);
+ }
+
+ /* toclient */
+ r = snprintf(param, sizeof(param), "%s%s%s%s%s", "app-layer.protocols.",
+ al_proto_name, ".detection-ports.", proto_node->name, ".toclient");
+ if (r < 0) {
+ SCLogError(SC_ERR_FATAL, "snprintf failure.");
+ exit(EXIT_FAILURE);
+ } else if (r > (int)sizeof(param)) {
+ SCLogError(SC_ERR_FATAL, "buffer not big enough to write param.");
+ exit(EXIT_FAILURE);
+ }
+ port_node = ConfGetNode(param);
+ if (port_node != NULL && port_node->val != NULL) {
+ AppLayerRegisterProbingParser(&alp_proto_ctx,
+ ip_proto,
+ port_node->val,
+ (char *)al_proto_name,
+ al_proto,
+ min_depth, max_depth,
+ STREAM_TOCLIENT,
+ ProbingParser);
+
+ }
+ }
+
+ return;
+}
+
/********************************Probing Parsers*******************************/
int AppLayerParserEnabled(const char *alproto);
int AppLayerProtoDetectionEnabled(const char *alproto);
+void AppLayerParseProbingParserPorts(const char *al_proto_name, uint16_t al_proto,
+ uint16_t min_depth, uint16_t max_depth,
+ uint16_t (*ProbingParser)(uint8_t *input, uint32_t input_len, uint32_t *offset));
#endif /* __APP_LAYER_PARSER_H__ */
*
* \retval string equivalent for the alproto
*/
-const char *TmModuleAlprotoToString(int proto)
+const char *TmModuleAlprotoToString(enum AppProto proto)
{
- switch (proto) {
- CASE_CODE (ALPROTO_UNKNOWN);
- CASE_CODE (ALPROTO_HTTP);
- CASE_CODE (ALPROTO_FTP);
- CASE_CODE (ALPROTO_SMTP);
- CASE_CODE (ALPROTO_TLS);
- CASE_CODE (ALPROTO_SSH);
- CASE_CODE (ALPROTO_IMAP);
- CASE_CODE (ALPROTO_MSN);
- CASE_CODE (ALPROTO_JABBER);
- CASE_CODE (ALPROTO_SMB);
- CASE_CODE (ALPROTO_SMB2);
- CASE_CODE (ALPROTO_DCERPC);
- CASE_CODE (ALPROTO_DCERPC_UDP);
-
- CASE_CODE (ALPROTO_DNS);
- CASE_CODE (ALPROTO_DNS_UDP);
- CASE_CODE (ALPROTO_DNS_TCP);
+ const char *proto_name = NULL;
- default:
- return "ALPROTO_UNDEFINED";
+ switch (proto) {
+ case ALPROTO_HTTP:
+ proto_name = "http";
+ break;
+ case ALPROTO_FTP:
+ proto_name = "ftp";
+ break;
+ case ALPROTO_SMTP:
+ proto_name = "smtp";
+ break;
+ case ALPROTO_TLS:
+ proto_name = "tls";
+ break;
+ case ALPROTO_SSH:
+ proto_name = "ssh";
+ break;
+ case ALPROTO_IMAP:
+ proto_name = "imap";
+ break;
+ case ALPROTO_MSN:
+ proto_name = "msn";
+ break;
+ case ALPROTO_JABBER:
+ proto_name = "jabber";
+ break;
+ case ALPROTO_SMB:
+ proto_name = "smb";
+ break;
+ case ALPROTO_SMB2:
+ proto_name = "smb2";
+ break;
+ case ALPROTO_DCERPC:
+ proto_name = "dcerpc";
+ break;
+ case ALPROTO_DCERPC_UDP:
+ proto_name = "dcerpcudp";
+ break;
+ case ALPROTO_IRC:
+ proto_name = "irc";
+ break;
+ case ALPROTO_DNS_TCP:
+ proto_name = "dnstcp";
+ break;
+ case ALPROTO_DNS_UDP:
+ proto_name = "dnsudp";
+ break;
+ case ALPROTO_DNS:
+ case ALPROTO_FAILED:
+ case ALPROTO_TEST:
+ case ALPROTO_MAX:
+ case ALPROTO_UNKNOWN:
+ break;
}
+
+ return proto_name;
}
#ifndef __APP_LAYER_PROTOS_H__
#define __APP_LAYER_PROTOS_H__
-enum {
+enum AppProto {
ALPROTO_UNKNOWN = 0,
ALPROTO_HTTP,
ALPROTO_FTP,
ALPROTO_MAX,
};
-const char *TmModuleAlprotoToString(int proto);
+const char *TmModuleAlprotoToString(enum AppProto proto);
#endif /* __APP_LAYER_PROTOS_H__ */
/** SMB2 */
AlpProtoAdd(&alp_proto_ctx, "smb2", IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOSERVER);
- AppLayerRegisterProbingParser(&alp_proto_ctx,
- IPPROTO_TCP,
- "139",
- "smb",
- ALPROTO_SMB,
- SMB_PROBING_PARSER_MIN_DEPTH, 0,
- STREAM_TOSERVER,
- SMBProbingParser);
+ if (RunmodeIsUnittests()) {
+ AppLayerRegisterProbingParser(&alp_proto_ctx,
+ IPPROTO_TCP,
+ "139",
+ "smb",
+ ALPROTO_SMB,
+ SMB_PROBING_PARSER_MIN_DEPTH, 0,
+ STREAM_TOSERVER,
+ SMBProbingParser);
+ } else {
+ AppLayerParseProbingParserPorts(proto_name, ALPROTO_SMB,
+ SMB_PROBING_PARSER_MIN_DEPTH, 0,
+ SMBProbingParser);
+ }
} else {
SCLogInfo("Protocol detection and parser disabled for %s protocol.",
proto_name);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 03|", 3, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 03|", 3, 0, STREAM_TOSERVER); /* client hello */
- AppLayerRegisterProbingParser(&alp_proto_ctx,
- IPPROTO_TCP,
- "443",
- proto_name,
- ALPROTO_TLS,
- 0, 3,
- STREAM_TOSERVER,
- SSLProbingParser);
+ if (RunmodeIsUnittests()) {
+ AppLayerRegisterProbingParser(&alp_proto_ctx,
+ IPPROTO_TCP,
+ "443",
+ proto_name,
+ ALPROTO_TLS,
+ 0, 3,
+ STREAM_TOSERVER,
+ SSLProbingParser);
+ } else {
+ AppLayerParseProbingParserPorts(proto_name, ALPROTO_TLS,
+ 0, 3,
+ SSLProbingParser);
+ }
} else {
SCLogInfo("Protocol detection and parser disabled for %s protocol",
proto_name);
memset(&tv, 0, sizeof(ThreadVars));
memset(&f, 0, sizeof(Flow));
- p = UTHBuildPacket(buf, sizeof(buf), IPPROTO_UDP);
+ p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_UDP,
+ "192.168.1.5", "192.168.1.1",
+ 41424, 53);
FLOW_INITIALIZE(&f);
f.flags |= FLOW_IPV4;
memset(&tv, 0, sizeof(ThreadVars));
memset(&f, 0, sizeof(Flow));
- p1 = UTHBuildPacket(buf1, sizeof(buf1), IPPROTO_UDP);
- p2 = UTHBuildPacket(buf2, sizeof(buf2), IPPROTO_UDP);
- p3 = UTHBuildPacket(buf3, sizeof(buf3), IPPROTO_UDP);
+ p1 = UTHBuildPacketReal(buf1, sizeof(buf1), IPPROTO_UDP,
+ "192.168.1.5", "192.168.1.1",
+ 41424, 53);
+ p2 = UTHBuildPacketReal(buf1, sizeof(buf1), IPPROTO_UDP,
+ "192.168.1.5", "192.168.1.1",
+ 41424, 53);
+ p3 = UTHBuildPacketReal(buf1, sizeof(buf1), IPPROTO_UDP,
+ "192.168.1.5", "192.168.1.1",
+ 41424, 53);
FLOW_INITIALIZE(&f);
f.flags |= FLOW_IPV4;
memset(&f, 0, sizeof(Flow));
memset(&ssn, 0, sizeof(TcpSession));
- p = UTHBuildPacket(buf, sizeof(buf), IPPROTO_TCP);
+ p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_TCP,
+ "192.168.1.5", "192.168.1.1",
+ 41424, 53);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
memset(&f, 0, sizeof(Flow));
memset(&ssn, 0, sizeof(TcpSession));
- p1 = UTHBuildPacket(buf1, sizeof(buf1), IPPROTO_TCP);
- p2 = UTHBuildPacket(buf2, sizeof(buf2), IPPROTO_TCP);
+ p1 = UTHBuildPacketReal(buf1, sizeof(buf1), IPPROTO_TCP,
+ "192.168.1.5", "192.168.1.1",
+ 41424, 53);
+ p2 = UTHBuildPacketReal(buf2, sizeof(buf2), IPPROTO_TCP,
+ "192.168.1.5", "192.168.1.1",
+ 41424, 53);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
memset(&f, 0, sizeof(Flow));
memset(&ssn, 0, sizeof(TcpSession));
- p1 = UTHBuildPacket(buf1, sizeof(buf1), IPPROTO_TCP);
- p2 = UTHBuildPacket(buf2, sizeof(buf2), IPPROTO_TCP);
- p3 = UTHBuildPacket(buf3, sizeof(buf3), IPPROTO_TCP);
- p4 = UTHBuildPacket(buf4, sizeof(buf4), IPPROTO_TCP);
+ p1 = UTHBuildPacketReal(buf1, sizeof(buf1), IPPROTO_TCP,
+ "192.168.1.5", "192.168.1.1",
+ 41424, 53);
+ p2 = UTHBuildPacketReal(buf2, sizeof(buf2), IPPROTO_TCP,
+ "192.168.1.5", "192.168.1.1",
+ 41424, 53);
+ p3 = UTHBuildPacketReal(buf3, sizeof(buf3), IPPROTO_TCP,
+ "192.168.1.5", "192.168.1.1",
+ 41424, 53);
+ p4 = UTHBuildPacketReal(buf4, sizeof(buf4), IPPROTO_TCP,
+ "192.168.1.5", "192.168.1.1",
+ 41424, 53);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
memset(&tv, 0, sizeof(ThreadVars));
memset(&f, 0, sizeof(Flow));
- p = UTHBuildPacket(buf, sizeof(buf), IPPROTO_UDP);
+ p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_UDP,
+ "192.168.1.5", "192.168.1.1",
+ 41424, 53);
FLOW_INITIALIZE(&f);
f.flags |= FLOW_IPV4;
memset(&tv, 0, sizeof(ThreadVars));
memset(&f, 0, sizeof(Flow));
- p1 = UTHBuildPacket(buf1, sizeof(buf1), IPPROTO_UDP);
- p2 = UTHBuildPacket(buf2, sizeof(buf2), IPPROTO_UDP);
- p3 = UTHBuildPacket(buf3, sizeof(buf3), IPPROTO_UDP);
+ p1 = UTHBuildPacketReal(buf1, sizeof(buf1), IPPROTO_UDP,
+ "192.168.1.5", "192.168.1.1",
+ 41424, 53);
+ p2 = UTHBuildPacketReal(buf2, sizeof(buf2), IPPROTO_UDP,
+ "192.168.1.5", "192.168.1.1",
+ 41424, 53);
+ p3 = UTHBuildPacketReal(buf3, sizeof(buf3), IPPROTO_UDP,
+ "192.168.1.5", "192.168.1.1",
+ 41424, 53);
FLOW_INITIALIZE(&f);
f.flags |= FLOW_IPV4;
}
#endif
}
- return 0;
+ return proto;
error:
return -1;
*sig = (*de_ctx)->sig_list;
- if (DetectProtoParse(dp, str) != 0)
+ if (DetectProtoParse(dp, str) < 0)
goto end;
result = 1;
memset(&dp,0,sizeof(DetectProto));
int r = DetectProtoParse(&dp, "6");
- if (r != 0) {
+ if (r < 0) {
return 1;
}
memset(&dp,0,sizeof(DetectProto));
int r = DetectProtoParse(&dp, "tcp");
- if (r == 0 && dp.proto[(IPPROTO_TCP/8)] & (1<<(IPPROTO_TCP%8))) {
+ if (r >= 0 && dp.proto[(IPPROTO_TCP/8)] & (1<<(IPPROTO_TCP%8))) {
return 1;
}
memset(&dp,0,sizeof(DetectProto));
int r = DetectProtoParse(&dp, "ip");
- if (r == 0 && dp.flags & DETECT_PROTO_ANY) {
+ if (r >= 0 && dp.flags & DETECT_PROTO_ANY) {
return 1;
}
/* Check for a bad number */
int r = DetectProtoParse(&dp, "4242");
- if (r == -1) {
+ if (r < 0) {
return 1;
}
/* Check for a bad string */
int r = DetectProtoParse(&dp, "tcp/udp");
- if (r == -1) {
+ if (r < 0) {
return 1;
}
/* Check for a bad string */
int r = DetectProtoParse(&dp, "tcp-pkt");
- if (r == -1) {
+ if (r < -1) {
printf("parsing tcp-pkt failed: ");
return 0;
}
/* Check for a bad string */
int r = DetectProtoParse(&dp, "tcp-stream");
- if (r == -1) {
+ if (r < -1) {
printf("parsing tcp-stream failed: ");
return 0;
}
protocols:
tls:
enabled: yes
+ detection-ports:
+ tcp:
+ toserver: 443
#no-reassemble: yes
dcerpc:
enabled: detection-only
smb:
enabled: yes
+ detection-ports:
+ tcp:
+ toserver: 139
# smb2 detection is disabled internally inside the engine.
#smb2:
# enabled: yes
+ dnstcp:
+ enabled: yes
+ detection-ports:
+ tcp:
+ toserver: 53
+ dnsudp:
+ enabled: yes
+ detection-ports:
+ udp:
+ toserver: 53
http:
enabled: yes
projects / thirdparty / suricata.git / commitdiff
