From 5ddb2badf477676abb2a1de40891f70577a787a9 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Mon, 2 Sep 2024 10:28:04 +0200 Subject: [PATCH 01/14] protodetect: make expectation_proto part of AppLayerProtoDetectCtx instead of a global variable. For easier initialization with dynamic number of protocols --- src/app-layer-detect-proto.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/src/app-layer-detect-proto.c b/src/app-layer-detect-proto.c index a65a98c88a41..dd17b560c5fb 100644 --- a/src/app-layer-detect-proto.c +++ b/src/app-layer-detect-proto.c @@ -160,6 +160,9 @@ typedef struct AppLayerProtoDetectCtx_ { * for protocol detection. This table is independent of the * ipproto. */ const char *alproto_names[ALPROTO_MAX]; + + /* Protocol expectations, like ftp-data on tcp */ + uint8_t expectation_proto[ALPROTO_MAX]; } AppLayerProtoDetectCtx; typedef struct AppLayerProtoDetectAliases_ { @@ -2111,27 +2114,25 @@ void AppLayerProtoDetectSupportedAppProtocols(AppProto *alprotos) SCReturn; } -uint8_t expectation_proto[ALPROTO_MAX]; - static void AppLayerProtoDetectPEGetIpprotos(AppProto alproto, uint8_t *ipprotos) { - if (expectation_proto[alproto] == IPPROTO_TCP) { + if (alpd_ctx.expectation_proto[alproto] == IPPROTO_TCP) { ipprotos[IPPROTO_TCP / 8] |= 1 << (IPPROTO_TCP % 8); } - if (expectation_proto[alproto] == IPPROTO_UDP) { + if (alpd_ctx.expectation_proto[alproto] == IPPROTO_UDP) { ipprotos[IPPROTO_UDP / 8] |= 1 << (IPPROTO_UDP % 8); } } void AppLayerRegisterExpectationProto(uint8_t proto, AppProto alproto) { - if (expectation_proto[alproto]) { - if (proto != expectation_proto[alproto]) { + if (alpd_ctx.expectation_proto[alproto]) { + if (proto != alpd_ctx.expectation_proto[alproto]) { SCLogError("Expectation on 2 IP protocols are not supported"); } } - expectation_proto[alproto] = proto; + alpd_ctx.expectation_proto[alproto] = proto; } /***** Unittests *****/ From c6bd4ef78627f7cb0e1392c2a9324d5b26e85ee5 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Mon, 2 Sep 2024 10:35:11 +0200 Subject: [PATCH 02/14] protodetect: use dynamic number of app-layer protos for expectation_proto Ticket: 5053 --- src/app-layer-detect-proto.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/src/app-layer-detect-proto.c b/src/app-layer-detect-proto.c index dd17b560c5fb..01d5536ece06 100644 --- a/src/app-layer-detect-proto.c +++ b/src/app-layer-detect-proto.c @@ -161,8 +161,11 @@ typedef struct AppLayerProtoDetectCtx_ { * ipproto. */ const char *alproto_names[ALPROTO_MAX]; - /* Protocol expectations, like ftp-data on tcp */ - uint8_t expectation_proto[ALPROTO_MAX]; + /* Protocol expectations, like ftp-data on tcp. + * It should be allocated to contain ALPROTO_MAX + * app-layer protocols. For each protocol, an iptype + * is referenced (or 0 if there is no expectation). */ + uint8_t *expectation_proto; } AppLayerProtoDetectCtx; typedef struct AppLayerProtoDetectAliases_ { @@ -1721,6 +1724,11 @@ int AppLayerProtoDetectSetup(void) } } + // to realloc when dynamic protos are added + alpd_ctx.expectation_proto = SCCalloc(ALPROTO_MAX, sizeof(uint8_t)); + if (unlikely(alpd_ctx.expectation_proto == NULL)) { + FatalError("Unable to alloc expectation_proto."); + } AppLayerExpectationSetup(); SCReturnInt(0); @@ -1752,6 +1760,9 @@ int AppLayerProtoDetectDeSetup(void) } } + SCFree(alpd_ctx.expectation_proto); + alpd_ctx.expectation_proto = NULL; + SpmDestroyGlobalThreadCtx(alpd_ctx.spm_global_thread_ctx); AppLayerProtoDetectFreeAliases(); From 1a39105ca850a3d62fe1457a52f514be7a0bd4f0 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Mon, 2 Sep 2024 10:40:19 +0200 Subject: [PATCH 03/14] protodetect: use dynamic number of app-layer protos for alproto_names Ticket: 5053 --- src/app-layer-detect-proto.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/src/app-layer-detect-proto.c b/src/app-layer-detect-proto.c index 01d5536ece06..52e1f2922c02 100644 --- a/src/app-layer-detect-proto.c +++ b/src/app-layer-detect-proto.c @@ -158,8 +158,9 @@ typedef struct AppLayerProtoDetectCtx_ { /* Indicates the protocols that have registered themselves * for protocol detection. This table is independent of the - * ipproto. */ - const char *alproto_names[ALPROTO_MAX]; + * ipproto. It should be allocated to contain ALPROTO_MAX + * protocols. */ + const char **alproto_names; /* Protocol expectations, like ftp-data on tcp. * It should be allocated to contain ALPROTO_MAX @@ -1724,6 +1725,10 @@ int AppLayerProtoDetectSetup(void) } } + alpd_ctx.alproto_names = SCCalloc(ALPROTO_MAX, sizeof(char *)); + if (unlikely(alpd_ctx.alproto_names == NULL)) { + FatalError("Unable to alloc alproto_names."); + } // to realloc when dynamic protos are added alpd_ctx.expectation_proto = SCCalloc(ALPROTO_MAX, sizeof(uint8_t)); if (unlikely(alpd_ctx.expectation_proto == NULL)) { @@ -1760,6 +1765,8 @@ int AppLayerProtoDetectDeSetup(void) } } + SCFree(alpd_ctx.alproto_names); + alpd_ctx.alproto_names = NULL; SCFree(alpd_ctx.expectation_proto); alpd_ctx.expectation_proto = NULL; @@ -1776,6 +1783,7 @@ void AppLayerProtoDetectRegisterProtocol(AppProto alproto, const char *alproto_n { SCEnter(); + // should have just been realloced when dynamic protos is added if (alpd_ctx.alproto_names[alproto] == NULL) alpd_ctx.alproto_names[alproto] = alproto_name; From 3338c82a6e84379b2a1fb5297a8eae8e6550d0ff Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Mon, 2 Sep 2024 10:47:07 +0200 Subject: [PATCH 04/14] frames: use dynamic number of app-layer protos Ticket: 5053 --- src/app-layer-frames.c | 12 +++++++++++- src/app-layer-frames.h | 1 + src/app-layer.c | 2 ++ src/suricata.c | 1 - 4 files changed, 14 insertions(+), 2 deletions(-) diff --git a/src/app-layer-frames.c b/src/app-layer-frames.c index 432bd020d230..3fa4c345474a 100644 --- a/src/app-layer-frames.c +++ b/src/app-layer-frames.c @@ -33,15 +33,25 @@ struct FrameConfig { SC_ATOMIC_DECLARE(uint64_t, types); }; -static struct FrameConfig frame_config[ALPROTO_MAX]; +/* This array should be allocated to contain ALPROTO_MAX protocols. */ +static struct FrameConfig *frame_config; void FrameConfigInit(void) { + frame_config = SCCalloc(ALPROTO_MAX, sizeof(struct FrameConfig)); + if (unlikely(frame_config == NULL)) { + FatalError("Unable to alloc frame_config."); + } for (AppProto p = 0; p < ALPROTO_MAX; p++) { SC_ATOMIC_INIT(frame_config[p].types); } } +void FrameConfigDeInit(void) +{ + SCFree(frame_config); +} + void FrameConfigEnableAll(void) { const uint64_t bits = UINT64_MAX; diff --git a/src/app-layer-frames.h b/src/app-layer-frames.h index f49bead57b41..f1d5135d8953 100644 --- a/src/app-layer-frames.h +++ b/src/app-layer-frames.h @@ -106,6 +106,7 @@ FramesContainer *AppLayerFramesGetContainer(Flow *f); FramesContainer *AppLayerFramesSetupContainer(Flow *f); void FrameConfigInit(void); +void FrameConfigDeInit(void); void FrameConfigEnableAll(void); void FrameConfigEnable(const AppProto p, const uint8_t type); diff --git a/src/app-layer.c b/src/app-layer.c index 94f99f44f83e..d17ec45ec5f8 100644 --- a/src/app-layer.c +++ b/src/app-layer.c @@ -1039,6 +1039,7 @@ int AppLayerSetup(void) AppLayerProtoDetectPrepareState(); AppLayerSetupCounters(); + FrameConfigInit(); SCReturnInt(0); } @@ -1051,6 +1052,7 @@ int AppLayerDeSetup(void) AppLayerParserDeSetup(); AppLayerDeSetupCounters(); + FrameConfigDeInit(); SCReturnInt(0); } diff --git a/src/suricata.c b/src/suricata.c index 0de8039be1f0..6d8f70ed5b24 100644 --- a/src/suricata.c +++ b/src/suricata.c @@ -361,7 +361,6 @@ void GlobalsInitPreConfig(void) SupportFastPatternForSigMatchTypes(); SCThresholdConfGlobalInit(); SCProtoNameInit(); - FrameConfigInit(); } void GlobalsDestroy(void) From 4b08f81e85466591242fef22719b586ace90a0ee Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Mon, 2 Sep 2024 13:16:00 +0200 Subject: [PATCH 05/14] util: parenthesis for macro so that we can use safely EXCEPTION_POLICY_MAX*sizeof(x) --- src/flow-private.h | 2 +- src/util-exception-policy-types.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/flow-private.h b/src/flow-private.h index bd7aac73644e..ebd4e11961b4 100644 --- a/src/flow-private.h +++ b/src/flow-private.h @@ -74,7 +74,7 @@ enum { FLOW_PROTO_MAX, }; /* max used in app-layer (counters) */ -#define FLOW_PROTO_APPLAYER_MAX FLOW_PROTO_UDP + 1 +#define FLOW_PROTO_APPLAYER_MAX (FLOW_PROTO_UDP + 1) /* * Variables diff --git a/src/util-exception-policy-types.h b/src/util-exception-policy-types.h index b5295d19305b..a6139acc8934 100644 --- a/src/util-exception-policy-types.h +++ b/src/util-exception-policy-types.h @@ -33,7 +33,7 @@ enum ExceptionPolicy { EXCEPTION_POLICY_REJECT, }; -#define EXCEPTION_POLICY_MAX EXCEPTION_POLICY_REJECT + 1 +#define EXCEPTION_POLICY_MAX (EXCEPTION_POLICY_REJECT + 1) /* Max length = possible exception policy scenarios + counter names * + exception policy type. E.g.: From aac271519a4881554a6ba6580f0c9e5ad1681bff Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Mon, 2 Sep 2024 10:52:04 +0200 Subject: [PATCH 06/14] app-layer/stats: use dynamic number of app-layer protos Ticket: 5053 --- src/app-layer.c | 137 ++++++++++++++++++++++++++---------------------- 1 file changed, 73 insertions(+), 64 deletions(-) diff --git a/src/app-layer.c b/src/app-layer.c index d17ec45ec5f8..bd5920ab5c52 100644 --- a/src/app-layer.c +++ b/src/app-layer.c @@ -95,9 +95,9 @@ typedef struct AppLayerCounters_ { } AppLayerCounters; /* counter names. Only used at init. */ -AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]; +AppLayerCounterNames (*applayer_counter_names)[FLOW_PROTO_APPLAYER_MAX]; /* counter id's. Used that runtime. */ -AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]; +AppLayerCounters (*applayer_counters)[FLOW_PROTO_APPLAYER_MAX]; /* Exception policy global counters ids */ ExceptionPolicyCounters eps_error_summary; @@ -144,7 +144,7 @@ static inline int ProtoDetectDone(const Flow *f, const TcpSession *ssn, uint8_t */ static void AppLayerIncFlowCounter(ThreadVars *tv, Flow *f) { - const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_id; + const uint16_t id = applayer_counters[f->alproto][f->protomap].counter_id; if (likely(tv && id > 0)) { StatsIncr(tv, id); } @@ -152,7 +152,7 @@ static void AppLayerIncFlowCounter(ThreadVars *tv, Flow *f) void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step) { - const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_tx_id; + const uint16_t id = applayer_counters[f->alproto][f->protomap].counter_tx_id; if (likely(tv && id > 0)) { StatsAddUI64(tv, id, step); } @@ -160,7 +160,7 @@ void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step) void AppLayerIncGapErrorCounter(ThreadVars *tv, Flow *f) { - const uint16_t id = applayer_counters[f->protomap][f->alproto].gap_error_id; + const uint16_t id = applayer_counters[f->alproto][f->protomap].gap_error_id; if (likely(tv && id > 0)) { StatsIncr(tv, id); } @@ -168,7 +168,7 @@ void AppLayerIncGapErrorCounter(ThreadVars *tv, Flow *f) void AppLayerIncAllocErrorCounter(ThreadVars *tv, Flow *f) { - const uint16_t id = applayer_counters[f->protomap][f->alproto].alloc_error_id; + const uint16_t id = applayer_counters[f->alproto][f->protomap].alloc_error_id; if (likely(tv && id > 0)) { StatsIncr(tv, id); } @@ -176,7 +176,7 @@ void AppLayerIncAllocErrorCounter(ThreadVars *tv, Flow *f) void AppLayerIncParserErrorCounter(ThreadVars *tv, Flow *f) { - const uint16_t id = applayer_counters[f->protomap][f->alproto].parser_error_id; + const uint16_t id = applayer_counters[f->alproto][f->protomap].parser_error_id; if (likely(tv && id > 0)) { StatsIncr(tv, id); } @@ -184,7 +184,7 @@ void AppLayerIncParserErrorCounter(ThreadVars *tv, Flow *f) void AppLayerIncInternalErrorCounter(ThreadVars *tv, Flow *f) { - const uint16_t id = applayer_counters[f->protomap][f->alproto].internal_error_id; + const uint16_t id = applayer_counters[f->alproto][f->protomap].internal_error_id; if (likely(tv && id > 0)) { StatsIncr(tv, id); } @@ -197,7 +197,7 @@ static void AppLayerIncrErrorExcPolicyCounter(ThreadVars *tv, Flow *f, enum Exce return; } #endif - uint16_t id = applayer_counters[f->protomap][f->alproto].eps_error.eps_id[policy]; + uint16_t id = applayer_counters[f->alproto][f->protomap].eps_error.eps_id[policy]; /* for the summary values */ uint16_t g_id = eps_error_summary.eps_id[policy]; @@ -1132,8 +1132,8 @@ static void AppLayerSetupExceptionPolicyPerProtoCounters( g_applayerparser_error_policy != EXCEPTION_POLICY_NOT_SET) { for (enum ExceptionPolicy i = EXCEPTION_POLICY_NOT_SET + 1; i < EXCEPTION_POLICY_MAX; i++) { if (IsAppLayerErrorExceptionPolicyStatsValid(i)) { - snprintf(applayer_counter_names[ipproto_map][alproto].eps_name[i], - sizeof(applayer_counter_names[ipproto_map][alproto].eps_name[i]), + snprintf(applayer_counter_names[alproto][ipproto_map].eps_name[i], + sizeof(applayer_counter_names[alproto][ipproto_map].eps_name[i]), "app_layer.error.%s%s.exception_policy.%s", alproto_str, ipproto_suffix, ExceptionPolicyEnumToString(i, true)); } @@ -1148,6 +1148,15 @@ void AppLayerSetupCounters(void) const char *str = "app_layer.flow."; const char *estr = "app_layer.error."; + applayer_counter_names = + SCCalloc(ALPROTO_MAX, sizeof(AppLayerCounterNames[FLOW_PROTO_APPLAYER_MAX])); + if (unlikely(applayer_counter_names == NULL)) { + FatalError("Unable to alloc applayer_counter_names."); + } + applayer_counters = SCCalloc(ALPROTO_MAX, sizeof(AppLayerCounters[FLOW_PROTO_APPLAYER_MAX])); + if (unlikely(applayer_counters == NULL)) { + FatalError("Unable to alloc applayer_counters."); + } /* We don't log stats counters if exception policy is `ignore`/`not set` */ if (g_applayerparser_error_policy != EXCEPTION_POLICY_NOT_SET) { /* Register global counters for app layer error exception policy summary */ @@ -1178,62 +1187,62 @@ void AppLayerSetupCounters(void) AppLayerProtoDetectSupportedIpprotos(alproto, ipprotos_all); if ((ipprotos_all[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8))) && (ipprotos_all[IPPROTO_UDP / 8] & (1 << (IPPROTO_UDP % 8)))) { - snprintf(applayer_counter_names[ipproto_map][alproto].name, - sizeof(applayer_counter_names[ipproto_map][alproto].name), - "%s%s%s", str, alproto_str, ipproto_suffix); - snprintf(applayer_counter_names[ipproto_map][alproto].tx_name, - sizeof(applayer_counter_names[ipproto_map][alproto].tx_name), - "%s%s%s", tx_str, alproto_str, ipproto_suffix); + snprintf(applayer_counter_names[alproto][ipproto_map].name, + sizeof(applayer_counter_names[alproto][ipproto_map].name), "%s%s%s", + str, alproto_str, ipproto_suffix); + snprintf(applayer_counter_names[alproto][ipproto_map].tx_name, + sizeof(applayer_counter_names[alproto][ipproto_map].tx_name), "%s%s%s", + tx_str, alproto_str, ipproto_suffix); if (ipproto == IPPROTO_TCP) { - snprintf(applayer_counter_names[ipproto_map][alproto].gap_error, - sizeof(applayer_counter_names[ipproto_map][alproto].gap_error), + snprintf(applayer_counter_names[alproto][ipproto_map].gap_error, + sizeof(applayer_counter_names[alproto][ipproto_map].gap_error), "%s%s%s.gap", estr, alproto_str, ipproto_suffix); } - snprintf(applayer_counter_names[ipproto_map][alproto].alloc_error, - sizeof(applayer_counter_names[ipproto_map][alproto].alloc_error), + snprintf(applayer_counter_names[alproto][ipproto_map].alloc_error, + sizeof(applayer_counter_names[alproto][ipproto_map].alloc_error), "%s%s%s.alloc", estr, alproto_str, ipproto_suffix); - snprintf(applayer_counter_names[ipproto_map][alproto].parser_error, - sizeof(applayer_counter_names[ipproto_map][alproto].parser_error), + snprintf(applayer_counter_names[alproto][ipproto_map].parser_error, + sizeof(applayer_counter_names[alproto][ipproto_map].parser_error), "%s%s%s.parser", estr, alproto_str, ipproto_suffix); - snprintf(applayer_counter_names[ipproto_map][alproto].internal_error, - sizeof(applayer_counter_names[ipproto_map][alproto].internal_error), + snprintf(applayer_counter_names[alproto][ipproto_map].internal_error, + sizeof(applayer_counter_names[alproto][ipproto_map].internal_error), "%s%s%s.internal", estr, alproto_str, ipproto_suffix); AppLayerSetupExceptionPolicyPerProtoCounters( ipproto_map, alproto, alproto_str, ipproto_suffix); } else { - snprintf(applayer_counter_names[ipproto_map][alproto].name, - sizeof(applayer_counter_names[ipproto_map][alproto].name), - "%s%s", str, alproto_str); - snprintf(applayer_counter_names[ipproto_map][alproto].tx_name, - sizeof(applayer_counter_names[ipproto_map][alproto].tx_name), - "%s%s", tx_str, alproto_str); + snprintf(applayer_counter_names[alproto][ipproto_map].name, + sizeof(applayer_counter_names[alproto][ipproto_map].name), "%s%s", str, + alproto_str); + snprintf(applayer_counter_names[alproto][ipproto_map].tx_name, + sizeof(applayer_counter_names[alproto][ipproto_map].tx_name), "%s%s", + tx_str, alproto_str); if (ipproto == IPPROTO_TCP) { - snprintf(applayer_counter_names[ipproto_map][alproto].gap_error, - sizeof(applayer_counter_names[ipproto_map][alproto].gap_error), + snprintf(applayer_counter_names[alproto][ipproto_map].gap_error, + sizeof(applayer_counter_names[alproto][ipproto_map].gap_error), "%s%s.gap", estr, alproto_str); } - snprintf(applayer_counter_names[ipproto_map][alproto].alloc_error, - sizeof(applayer_counter_names[ipproto_map][alproto].alloc_error), + snprintf(applayer_counter_names[alproto][ipproto_map].alloc_error, + sizeof(applayer_counter_names[alproto][ipproto_map].alloc_error), "%s%s.alloc", estr, alproto_str); - snprintf(applayer_counter_names[ipproto_map][alproto].parser_error, - sizeof(applayer_counter_names[ipproto_map][alproto].parser_error), + snprintf(applayer_counter_names[alproto][ipproto_map].parser_error, + sizeof(applayer_counter_names[alproto][ipproto_map].parser_error), "%s%s.parser", estr, alproto_str); - snprintf(applayer_counter_names[ipproto_map][alproto].internal_error, - sizeof(applayer_counter_names[ipproto_map][alproto].internal_error), + snprintf(applayer_counter_names[alproto][ipproto_map].internal_error, + sizeof(applayer_counter_names[alproto][ipproto_map].internal_error), "%s%s.internal", estr, alproto_str); AppLayerSetupExceptionPolicyPerProtoCounters( ipproto_map, alproto, alproto_str, ""); } } else if (alproto == ALPROTO_FAILED) { - snprintf(applayer_counter_names[ipproto_map][alproto].name, - sizeof(applayer_counter_names[ipproto_map][alproto].name), - "%s%s%s", str, "failed", ipproto_suffix); + snprintf(applayer_counter_names[alproto][ipproto_map].name, + sizeof(applayer_counter_names[alproto][ipproto_map].name), "%s%s%s", str, + "failed", ipproto_suffix); if (ipproto == IPPROTO_TCP) { - snprintf(applayer_counter_names[ipproto_map][alproto].gap_error, - sizeof(applayer_counter_names[ipproto_map][alproto].gap_error), + snprintf(applayer_counter_names[alproto][ipproto_map].gap_error, + sizeof(applayer_counter_names[alproto][ipproto_map].gap_error), "%sfailed%s.gap", estr, ipproto_suffix); } } @@ -1264,41 +1273,41 @@ void AppLayerRegisterThreadCounters(ThreadVars *tv) for (AppProto alproto = 0; alproto < ALPROTO_MAX; alproto++) { if (alprotos[alproto] == 1) { - applayer_counters[ipproto_map][alproto].counter_id = - StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv); + applayer_counters[alproto][ipproto_map].counter_id = + StatsRegisterCounter(applayer_counter_names[alproto][ipproto_map].name, tv); - applayer_counters[ipproto_map][alproto].counter_tx_id = - StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].tx_name, tv); + applayer_counters[alproto][ipproto_map].counter_tx_id = StatsRegisterCounter( + applayer_counter_names[alproto][ipproto_map].tx_name, tv); if (ipproto == IPPROTO_TCP) { - applayer_counters[ipproto_map][alproto].gap_error_id = StatsRegisterCounter( - applayer_counter_names[ipproto_map][alproto].gap_error, tv); + applayer_counters[alproto][ipproto_map].gap_error_id = StatsRegisterCounter( + applayer_counter_names[alproto][ipproto_map].gap_error, tv); } - applayer_counters[ipproto_map][alproto].alloc_error_id = StatsRegisterCounter( - applayer_counter_names[ipproto_map][alproto].alloc_error, tv); - applayer_counters[ipproto_map][alproto].parser_error_id = StatsRegisterCounter( - applayer_counter_names[ipproto_map][alproto].parser_error, tv); - applayer_counters[ipproto_map][alproto].internal_error_id = StatsRegisterCounter( - applayer_counter_names[ipproto_map][alproto].internal_error, tv); + applayer_counters[alproto][ipproto_map].alloc_error_id = StatsRegisterCounter( + applayer_counter_names[alproto][ipproto_map].alloc_error, tv); + applayer_counters[alproto][ipproto_map].parser_error_id = StatsRegisterCounter( + applayer_counter_names[alproto][ipproto_map].parser_error, tv); + applayer_counters[alproto][ipproto_map].internal_error_id = StatsRegisterCounter( + applayer_counter_names[alproto][ipproto_map].internal_error, tv); /* We don't log stats counters if exception policy is `ignore`/`not set` */ if (g_stats_eps_per_app_proto_errors && g_applayerparser_error_policy != EXCEPTION_POLICY_NOT_SET) { for (enum ExceptionPolicy i = EXCEPTION_POLICY_NOT_SET + 1; i < EXCEPTION_POLICY_MAX; i++) { if (IsAppLayerErrorExceptionPolicyStatsValid(i)) { - applayer_counters[ipproto_map][alproto] + applayer_counters[alproto][ipproto_map] .eps_error.eps_id[i] = StatsRegisterCounter( - applayer_counter_names[ipproto_map][alproto].eps_name[i], tv); + applayer_counter_names[alproto][ipproto_map].eps_name[i], tv); } } } } else if (alproto == ALPROTO_FAILED) { - applayer_counters[ipproto_map][alproto].counter_id = - StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv); + applayer_counters[alproto][ipproto_map].counter_id = + StatsRegisterCounter(applayer_counter_names[alproto][ipproto_map].name, tv); if (ipproto == IPPROTO_TCP) { - applayer_counters[ipproto_map][alproto].gap_error_id = StatsRegisterCounter( - applayer_counter_names[ipproto_map][alproto].gap_error, tv); + applayer_counters[alproto][ipproto_map].gap_error_id = StatsRegisterCounter( + applayer_counter_names[alproto][ipproto_map].gap_error, tv); } } } @@ -1307,8 +1316,8 @@ void AppLayerRegisterThreadCounters(ThreadVars *tv) void AppLayerDeSetupCounters(void) { - memset(applayer_counter_names, 0, sizeof(applayer_counter_names)); - memset(applayer_counters, 0, sizeof(applayer_counters)); + SCFree(applayer_counter_names); + SCFree(applayer_counters); } /***** Unittests *****/ From 25458977d632122af84f486a5731f36d8eb7974c Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Mon, 2 Sep 2024 11:13:21 +0200 Subject: [PATCH 07/14] fuzz: use dynamic number of app-layer protos Ticket: 5053 delay after initialization so that StringToAppProto works --- src/tests/fuzz/fuzz_applayerparserparse.c | 36 ++++++++++------------- 1 file changed, 15 insertions(+), 21 deletions(-) diff --git a/src/tests/fuzz/fuzz_applayerparserparse.c b/src/tests/fuzz/fuzz_applayerparserparse.c index f20c566e399a..5e71243e047f 100644 --- a/src/tests/fuzz/fuzz_applayerparserparse.c +++ b/src/tests/fuzz/fuzz_applayerparserparse.c @@ -36,32 +36,15 @@ extern const char *configNoChecksum; const uint8_t separator[] = {0x01, 0xD5, 0xCA, 0x7A}; SCInstance surifuzz; AppProto forceLayer = 0; +char *target_suffix = NULL; SC_ATOMIC_EXTERN(unsigned int, engine_stage); int LLVMFuzzerInitialize(int *argc, char ***argv) { - char *target_suffix = strrchr((*argv)[0], '_'); - if (target_suffix != NULL) { - AppProto applayer = StringToAppProto(target_suffix + 1); - if (applayer != ALPROTO_UNKNOWN) { - forceLayer = applayer; - printf("Forcing %s=%" PRIu16 "\n", AppProtoToString(forceLayer), forceLayer); - return 0; - } - } + target_suffix = strrchr((*argv)[0], '_'); // else - const char *forceLayerStr = getenv("FUZZ_APPLAYER"); - if (forceLayerStr) { - if (ByteExtractStringUint16(&forceLayer, 10, 0, forceLayerStr) < 0) { - forceLayer = 0; - printf("Invalid numeric value for FUZZ_APPLAYER environment variable"); - } else { - printf("Forcing %s\n", AppProtoToString(forceLayer)); - } - } - // http is the output name, but we want to fuzz HTTP1 - if (forceLayer == ALPROTO_HTTP) { - forceLayer = ALPROTO_HTTP1; + if (!target_suffix) { + target_suffix = getenv("FUZZ_APPLAYER"); } return 0; } @@ -96,6 +79,17 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) PostConfLoadedSetup(&surifuzz); alp_tctx = AppLayerParserThreadCtxAlloc(); SC_ATOMIC_SET(engine_stage, SURICATA_RUNTIME); + if (target_suffix != NULL) { + AppProto applayer = StringToAppProto(target_suffix + 1); + if (applayer != ALPROTO_UNKNOWN) { + forceLayer = applayer; + printf("Forcing %s=%" PRIu16 "\n", AppProtoToString(forceLayer), forceLayer); + } + } + // http is the output name, but we want to fuzz HTTP1 + if (forceLayer == ALPROTO_HTTP) { + forceLayer = ALPROTO_HTTP1; + } } if (size < HEADER_LEN) { From 42db24341116d466d4c213a501e6c022b74f873c Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Mon, 2 Sep 2024 11:00:37 +0200 Subject: [PATCH 08/14] app-layer/parser: use dynamic number of app-layer protos Ticket: 5053 --- src/app-layer-parser.c | 234 ++++++++++++++++++----------------------- 1 file changed, 105 insertions(+), 129 deletions(-) diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c index 48a6e47c2d9e..e743e41d4661 100644 --- a/src/app-layer-parser.c +++ b/src/app-layer-parser.c @@ -56,7 +56,7 @@ #include "app-layer-imap.h" struct AppLayerParserThreadCtx_ { - void *alproto_local_storage[FLOW_PROTO_MAX][ALPROTO_MAX]; + void *(*alproto_local_storage)[FLOW_PROTO_MAX]; }; @@ -123,7 +123,7 @@ typedef struct AppLayerParserProtoCtx_ } AppLayerParserProtoCtx; typedef struct AppLayerParserCtx_ { - AppLayerParserProtoCtx ctxs[FLOW_PROTO_MAX][ALPROTO_MAX]; + AppLayerParserProtoCtx (*ctxs)[FLOW_PROTO_MAX]; } AppLayerParserCtx; struct AppLayerParserState_ { @@ -218,7 +218,7 @@ int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto) { uint8_t ipproto_map = FlowGetProtoMapping(ipproto); - return (alp_ctx.ctxs[ipproto_map][alproto].StateAlloc != NULL) ? 1 : 0; + return (alp_ctx.ctxs[alproto][ipproto_map].StateAlloc != NULL) ? 1 : 0; } AppLayerParserState *AppLayerParserStateAlloc(void) @@ -248,7 +248,12 @@ void AppLayerParserStateFree(AppLayerParserState *pstate) int AppLayerParserSetup(void) { SCEnter(); - memset(&alp_ctx, 0, sizeof(alp_ctx)); + // initial allocation that will later be grown using realloc, + // when new protocols register themselves and make ALPROTO_MAX grow + alp_ctx.ctxs = SCCalloc(ALPROTO_MAX, sizeof(AppLayerParserProtoCtx[FLOW_PROTO_MAX])); + if (unlikely(alp_ctx.ctxs == NULL)) { + FatalError("Unable to alloc alp_ctx.ctxs."); + } SCReturnInt(0); } @@ -257,10 +262,9 @@ void AppLayerParserPostStreamSetup(void) /* lets set a default value for stream_depth */ for (int flow_proto = 0; flow_proto < FLOW_PROTO_DEFAULT; flow_proto++) { for (AppProto alproto = 0; alproto < ALPROTO_MAX; alproto++) { - if (!(alp_ctx.ctxs[flow_proto][alproto].internal_flags & + if (!(alp_ctx.ctxs[alproto][flow_proto].internal_flags & APP_LAYER_PARSER_INT_STREAM_DEPTH_SET)) { - alp_ctx.ctxs[flow_proto][alproto].stream_depth = - stream_config.reassembly_depth; + alp_ctx.ctxs[alproto][flow_proto].stream_depth = stream_config.reassembly_depth; } } } @@ -270,6 +274,8 @@ int AppLayerParserDeSetup(void) { SCEnter(); + SCFree(alp_ctx.ctxs); + FTPParserCleanup(); SMTPParserCleanup(); @@ -284,12 +290,18 @@ AppLayerParserThreadCtx *AppLayerParserThreadCtxAlloc(void) if (tctx == NULL) goto end; + tctx->alproto_local_storage = SCCalloc(ALPROTO_MAX, sizeof(void *[FLOW_PROTO_MAX])); + if (unlikely(tctx->alproto_local_storage == NULL)) { + SCFree(tctx); + tctx = NULL; + goto end; + } for (uint8_t flow_proto = 0; flow_proto < FLOW_PROTO_DEFAULT; flow_proto++) { for (AppProto alproto = 0; alproto < ALPROTO_MAX; alproto++) { uint8_t ipproto = FlowGetReverseProtoMapping(flow_proto); - tctx->alproto_local_storage[flow_proto][alproto] = - AppLayerParserGetProtocolParserLocalStorage(ipproto, alproto); + tctx->alproto_local_storage[alproto][flow_proto] = + AppLayerParserGetProtocolParserLocalStorage(ipproto, alproto); } } @@ -305,11 +317,12 @@ void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx) for (AppProto alproto = 0; alproto < ALPROTO_MAX; alproto++) { uint8_t ipproto = FlowGetReverseProtoMapping(flow_proto); - AppLayerParserDestroyProtocolParserLocalStorage(ipproto, alproto, - tctx->alproto_local_storage[flow_proto][alproto]); + AppLayerParserDestroyProtocolParserLocalStorage( + ipproto, alproto, tctx->alproto_local_storage[alproto][flow_proto]); } } + SCFree(tctx->alproto_local_storage); SCFree(tctx); SCReturn; } @@ -381,8 +394,8 @@ int AppLayerParserRegisterParser(uint8_t ipproto, AppProto alproto, { SCEnter(); - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto]. - Parser[(direction & STREAM_TOSERVER) ? 0 : 1] = Parser; + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)] + .Parser[(direction & STREAM_TOSERVER) ? 0 : 1] = Parser; SCReturnInt(0); } @@ -392,8 +405,8 @@ void AppLayerParserRegisterParserAcceptableDataDirection(uint8_t ipproto, AppPro { SCEnter(); - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].first_data_dir |= - (direction & (STREAM_TOSERVER | STREAM_TOCLIENT)); + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].first_data_dir |= + (direction & (STREAM_TOSERVER | STREAM_TOCLIENT)); SCReturn; } @@ -403,7 +416,7 @@ void AppLayerParserRegisterOptionFlags(uint8_t ipproto, AppProto alproto, { SCEnter(); - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].option_flags |= flags; + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].option_flags |= flags; SCReturn; } @@ -413,10 +426,8 @@ void AppLayerParserRegisterStateFuncs(uint8_t ipproto, AppProto alproto, { SCEnter(); - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].StateAlloc = - StateAlloc; - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].StateFree = - StateFree; + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateAlloc = StateAlloc; + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateFree = StateFree; SCReturn; } @@ -427,10 +438,8 @@ void AppLayerParserRegisterLocalStorageFunc(uint8_t ipproto, AppProto alproto, { SCEnter(); - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].LocalStorageAlloc = - LocalStorageAlloc; - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].LocalStorageFree = - LocalStorageFree; + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].LocalStorageAlloc = LocalStorageAlloc; + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].LocalStorageFree = LocalStorageFree; SCReturn; } @@ -440,7 +449,7 @@ void AppLayerParserRegisterGetTxFilesFunc( { SCEnter(); - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetTxFiles = GetTxFiles; + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetTxFiles = GetTxFiles; SCReturn; } @@ -449,7 +458,7 @@ void AppLayerParserRegisterLoggerBits(uint8_t ipproto, AppProto alproto, LoggerI { SCEnter(); - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].logger_bits = bits; + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].logger_bits = bits; SCReturn; } @@ -458,7 +467,7 @@ void AppLayerParserRegisterLogger(uint8_t ipproto, AppProto alproto) { SCEnter(); - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].logger = true; + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].logger = true; SCReturn; } @@ -468,8 +477,7 @@ void AppLayerParserRegisterGetStateProgressFunc(uint8_t ipproto, AppProto alprot { SCEnter(); - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto]. - StateGetProgress = StateGetProgress; + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateGetProgress = StateGetProgress; SCReturn; } @@ -479,8 +487,7 @@ void AppLayerParserRegisterTxFreeFunc(uint8_t ipproto, AppProto alproto, { SCEnter(); - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto]. - StateTransactionFree = StateTransactionFree; + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateTransactionFree = StateTransactionFree; SCReturn; } @@ -490,8 +497,7 @@ void AppLayerParserRegisterGetTxCnt(uint8_t ipproto, AppProto alproto, { SCEnter(); - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto]. - StateGetTxCnt = StateGetTxCnt; + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateGetTxCnt = StateGetTxCnt; SCReturn; } @@ -501,8 +507,7 @@ void AppLayerParserRegisterGetTx(uint8_t ipproto, AppProto alproto, { SCEnter(); - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto]. - StateGetTx = StateGetTx; + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateGetTx = StateGetTx; SCReturn; } @@ -511,7 +516,7 @@ void AppLayerParserRegisterGetTxIterator(uint8_t ipproto, AppProto alproto, AppLayerGetTxIteratorFunc Func) { SCEnter(); - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].StateGetTxIterator = Func; + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateGetTxIterator = Func; SCReturn; } @@ -521,13 +526,13 @@ void AppLayerParserRegisterStateProgressCompletionStatus( BUG_ON(ts == 0); BUG_ON(tc == 0); BUG_ON(!AppProtoIsValid(alproto)); - BUG_ON(alp_ctx.ctxs[FLOW_PROTO_DEFAULT][alproto].complete_ts != 0 && - alp_ctx.ctxs[FLOW_PROTO_DEFAULT][alproto].complete_ts != ts); - BUG_ON(alp_ctx.ctxs[FLOW_PROTO_DEFAULT][alproto].complete_tc != 0 && - alp_ctx.ctxs[FLOW_PROTO_DEFAULT][alproto].complete_tc != tc); + BUG_ON(alp_ctx.ctxs[alproto][FLOW_PROTO_DEFAULT].complete_ts != 0 && + alp_ctx.ctxs[alproto][FLOW_PROTO_DEFAULT].complete_ts != ts); + BUG_ON(alp_ctx.ctxs[alproto][FLOW_PROTO_DEFAULT].complete_tc != 0 && + alp_ctx.ctxs[alproto][FLOW_PROTO_DEFAULT].complete_tc != tc); - alp_ctx.ctxs[FLOW_PROTO_DEFAULT][alproto].complete_ts = ts; - alp_ctx.ctxs[FLOW_PROTO_DEFAULT][alproto].complete_tc = tc; + alp_ctx.ctxs[alproto][FLOW_PROTO_DEFAULT].complete_ts = ts; + alp_ctx.ctxs[alproto][FLOW_PROTO_DEFAULT].complete_tc = tc; } void AppLayerParserRegisterGetEventInfoById(uint8_t ipproto, AppProto alproto, @@ -536,8 +541,8 @@ void AppLayerParserRegisterGetEventInfoById(uint8_t ipproto, AppProto alproto, { SCEnter(); - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto]. - StateGetEventInfoById = StateGetEventInfoById; + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateGetEventInfoById = + StateGetEventInfoById; SCReturn; } @@ -547,8 +552,8 @@ void AppLayerParserRegisterGetFrameFuncs(uint8_t ipproto, AppProto alproto, AppLayerParserGetFrameNameByIdFn GetNameByIdFunc) { SCEnter(); - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetFrameIdByName = GetIdByNameFunc; - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetFrameNameById = GetNameByIdFunc; + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetFrameIdByName = GetIdByNameFunc; + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetFrameNameById = GetNameByIdFunc; SCReturn; } @@ -558,8 +563,7 @@ void AppLayerParserRegisterGetEventInfo(uint8_t ipproto, AppProto alproto, { SCEnter(); - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto]. - StateGetEventInfo = StateGetEventInfo; + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateGetEventInfo = StateGetEventInfo; SCReturn; } @@ -569,7 +573,7 @@ void AppLayerParserRegisterTxDataFunc(uint8_t ipproto, AppProto alproto, { SCEnter(); - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetTxData = GetTxData; + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetTxData = GetTxData; SCReturn; } @@ -579,7 +583,7 @@ void AppLayerParserRegisterStateDataFunc( { SCEnter(); - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetStateData = GetStateData; + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetStateData = GetStateData; SCReturn; } @@ -589,7 +593,7 @@ void AppLayerParserRegisterApplyTxConfigFunc(uint8_t ipproto, AppProto alproto, { SCEnter(); - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].ApplyTxConfig = ApplyTxConfig; + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].ApplyTxConfig = ApplyTxConfig; SCReturn; } @@ -599,7 +603,7 @@ void AppLayerParserRegisterSetStreamDepthFlag(uint8_t ipproto, AppProto alproto, { SCEnter(); - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].SetStreamDepthFlag = SetStreamDepthFlag; + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].SetStreamDepthFlag = SetStreamDepthFlag; SCReturn; } @@ -611,11 +615,8 @@ void *AppLayerParserGetProtocolParserLocalStorage(uint8_t ipproto, AppProto alpr SCEnter(); void * r = NULL; - if (alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto]. - LocalStorageAlloc != NULL) - { - r = alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto]. - LocalStorageAlloc(); + if (alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].LocalStorageAlloc != NULL) { + r = alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].LocalStorageAlloc(); } SCReturnPtr(r, "void *"); @@ -626,11 +627,8 @@ void AppLayerParserDestroyProtocolParserLocalStorage(uint8_t ipproto, AppProto a { SCEnter(); - if (alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto]. - LocalStorageFree != NULL) - { - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto]. - LocalStorageFree(local_data); + if (alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].LocalStorageFree != NULL) { + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].LocalStorageFree(local_data); } SCReturn; @@ -675,7 +673,7 @@ AppLayerGetTxIteratorFunc AppLayerGetTxIterator(const uint8_t ipproto, const AppProto alproto) { AppLayerGetTxIteratorFunc Func = - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].StateGetTxIterator; + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateGetTxIterator; return Func ? Func : AppLayerDefaultGetTxIterator; } @@ -855,8 +853,8 @@ AppLayerGetFileState AppLayerParserGetTxFiles(const Flow *f, void *tx, const uin { SCEnter(); - if (alp_ctx.ctxs[f->protomap][f->alproto].GetTxFiles != NULL) { - return alp_ctx.ctxs[f->protomap][f->alproto].GetTxFiles(tx, direction); + if (alp_ctx.ctxs[f->alproto][f->protomap].GetTxFiles != NULL) { + return alp_ctx.ctxs[f->alproto][f->protomap].GetTxFiles(tx, direction); } AppLayerGetFileState files = { .fc = NULL, .cfg = NULL }; @@ -886,7 +884,7 @@ void AppLayerParserTransactionsCleanup(Flow *f, const uint8_t pkt_dir) SCEnter(); DEBUG_ASSERT_FLOW_LOCKED(f); - AppLayerParserProtoCtx *p = &alp_ctx.ctxs[f->protomap][f->alproto]; + AppLayerParserProtoCtx *p = &alp_ctx.ctxs[f->alproto][f->protomap]; if (unlikely(p->StateTransactionFree == NULL)) SCReturn; @@ -1048,9 +1046,9 @@ void AppLayerParserTransactionsCleanup(Flow *f, const uint8_t pkt_dir) static inline int StateGetProgressCompletionStatus(const AppProto alproto, const uint8_t flags) { if (flags & STREAM_TOSERVER) { - return alp_ctx.ctxs[FLOW_PROTO_DEFAULT][alproto].complete_ts; + return alp_ctx.ctxs[alproto][FLOW_PROTO_DEFAULT].complete_ts; } else if (flags & STREAM_TOCLIENT) { - return alp_ctx.ctxs[FLOW_PROTO_DEFAULT][alproto].complete_tc; + return alp_ctx.ctxs[alproto][FLOW_PROTO_DEFAULT].complete_tc; } else { DEBUG_VALIDATE_BUG_ON(1); return 0; @@ -1071,7 +1069,7 @@ int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, r = StateGetProgressCompletionStatus(alproto, flags); } else { uint8_t direction = flags & (STREAM_TOCLIENT | STREAM_TOSERVER); - r = alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].StateGetProgress( + r = alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateGetProgress( alstate, direction); } SCReturnInt(r); @@ -1080,14 +1078,14 @@ int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate) { SCEnter(); - uint64_t r = alp_ctx.ctxs[f->protomap][f->alproto].StateGetTxCnt(alstate); + uint64_t r = alp_ctx.ctxs[f->alproto][f->protomap].StateGetTxCnt(alstate); SCReturnCT(r, "uint64_t"); } void *AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id) { SCEnter(); - void *r = alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].StateGetTx(alstate, tx_id); + void *r = alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].StateGetTx(alstate, tx_id); SCReturnPtr(r, "void *"); } @@ -1104,8 +1102,10 @@ int AppLayerParserGetEventInfo(uint8_t ipproto, AppProto alproto, const char *ev { SCEnter(); const int ipproto_map = FlowGetProtoMapping(ipproto); - int r = (alp_ctx.ctxs[ipproto_map][alproto].StateGetEventInfo == NULL) ? - -1 : alp_ctx.ctxs[ipproto_map][alproto].StateGetEventInfo(event_name, event_id, event_type); + int r = (alp_ctx.ctxs[alproto][ipproto_map].StateGetEventInfo == NULL) + ? -1 + : alp_ctx.ctxs[alproto][ipproto_map].StateGetEventInfo( + event_name, event_id, event_type); SCReturnInt(r); } @@ -1115,15 +1115,17 @@ int AppLayerParserGetEventInfoById(uint8_t ipproto, AppProto alproto, uint8_t ev SCEnter(); const int ipproto_map = FlowGetProtoMapping(ipproto); *event_name = (const char *)NULL; - int r = (alp_ctx.ctxs[ipproto_map][alproto].StateGetEventInfoById == NULL) ? - -1 : alp_ctx.ctxs[ipproto_map][alproto].StateGetEventInfoById(event_id, event_name, event_type); + int r = (alp_ctx.ctxs[alproto][ipproto_map].StateGetEventInfoById == NULL) + ? -1 + : alp_ctx.ctxs[alproto][ipproto_map].StateGetEventInfoById( + event_id, event_name, event_type); SCReturnInt(r); } uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto) { SCEnter(); - uint8_t r = alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].first_data_dir; + uint8_t r = alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].first_data_dir; SCReturnCT(r, "uint8_t"); } @@ -1135,7 +1137,7 @@ uint64_t AppLayerParserGetTransactionActive(const Flow *f, uint64_t active_id; uint64_t log_id = pstate->log_id; uint64_t inspect_id = pstate->inspect_id[(direction & STREAM_TOSERVER) ? 0 : 1]; - if (alp_ctx.ctxs[f->protomap][f->alproto].logger == true) { + if (alp_ctx.ctxs[f->alproto][f->protomap].logger == true) { active_id = MIN(log_id, inspect_id); } else { active_id = inspect_id; @@ -1151,22 +1153,22 @@ bool AppLayerParserSupportsFiles(uint8_t ipproto, AppProto alproto) return AppLayerParserSupportsFiles(ipproto, ALPROTO_HTTP1) || AppLayerParserSupportsFiles(ipproto, ALPROTO_HTTP2); } - return alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetTxFiles != NULL; + return alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetTxFiles != NULL; } AppLayerTxData *AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx) { SCEnter(); - AppLayerTxData *d = alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetTxData(tx); + AppLayerTxData *d = alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetTxData(tx); SCReturnPtr(d, "AppLayerTxData"); } AppLayerStateData *AppLayerParserGetStateData(uint8_t ipproto, AppProto alproto, void *state) { SCEnter(); - if (alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetStateData) { + if (alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetStateData) { AppLayerStateData *d = - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetStateData(state); + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetStateData(state); SCReturnPtr(d, "AppLayerStateData"); } SCReturnPtr(NULL, "AppLayerStateData"); @@ -1177,8 +1179,8 @@ void AppLayerParserApplyTxConfig(uint8_t ipproto, AppProto alproto, { SCEnter(); const int ipproto_map = FlowGetProtoMapping(ipproto); - if (alp_ctx.ctxs[ipproto_map][alproto].ApplyTxConfig) { - alp_ctx.ctxs[ipproto_map][alproto].ApplyTxConfig(state, tx, mode, config); + if (alp_ctx.ctxs[alproto][ipproto_map].ApplyTxConfig) { + alp_ctx.ctxs[alproto][ipproto_map].ApplyTxConfig(state, tx, mode, config); } SCReturn; } @@ -1270,7 +1272,7 @@ int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow BUG_ON(f->protomap != FlowGetProtoMapping(f->proto)); #endif AppLayerParserState *pstate = f->alparser; - AppLayerParserProtoCtx *p = &alp_ctx.ctxs[f->protomap][alproto]; + AppLayerParserProtoCtx *p = &alp_ctx.ctxs[alproto][f->protomap]; StreamSlice stream_slice; void *alstate = NULL; uint64_t p_tx_cnt = 0; @@ -1359,7 +1361,7 @@ int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow #endif /* invoke the parser */ AppLayerResult res = p->Parser[direction](f, alstate, pstate, stream_slice, - alp_tctx->alproto_local_storage[f->protomap][alproto]); + alp_tctx->alproto_local_storage[alproto][f->protomap]); if (res.status < 0) { AppLayerIncParserErrorCounter(tv, f); goto error; @@ -1505,7 +1507,7 @@ bool AppLayerParserHasDecoderEvents(AppLayerParserState *pstate) int AppLayerParserIsEnabled(AppProto alproto) { for (int i = 0; i < FLOW_PROTO_APPLAYER_MAX; i++) { - if (alp_ctx.ctxs[i][alproto].StateGetProgress != NULL) { + if (alp_ctx.ctxs[alproto][i].StateGetProgress != NULL) { return 1; } } @@ -1516,7 +1518,7 @@ int AppLayerParserProtocolHasLogger(uint8_t ipproto, AppProto alproto) { SCEnter(); int ipproto_map = FlowGetProtoMapping(ipproto); - int r = (alp_ctx.ctxs[ipproto_map][alproto].logger == false) ? 0 : 1; + int r = (alp_ctx.ctxs[alproto][ipproto_map].logger == false) ? 0 : 1; SCReturnInt(r); } @@ -1524,7 +1526,7 @@ LoggerId AppLayerParserProtocolGetLoggerBits(uint8_t ipproto, AppProto alproto) { SCEnter(); const int ipproto_map = FlowGetProtoMapping(ipproto); - LoggerId r = alp_ctx.ctxs[ipproto_map][alproto].logger_bits; + LoggerId r = alp_ctx.ctxs[alproto][ipproto_map].logger_bits; SCReturnUInt(r); } @@ -1543,16 +1545,16 @@ void AppLayerParserSetStreamDepth(uint8_t ipproto, AppProto alproto, uint32_t st { SCEnter(); - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].stream_depth = stream_depth; - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].internal_flags |= - APP_LAYER_PARSER_INT_STREAM_DEPTH_SET; + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].stream_depth = stream_depth; + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].internal_flags |= + APP_LAYER_PARSER_INT_STREAM_DEPTH_SET; SCReturn; } uint32_t AppLayerParserGetStreamDepth(const Flow *f) { - SCReturnInt(alp_ctx.ctxs[f->protomap][f->alproto].stream_depth); + SCReturnInt(alp_ctx.ctxs[f->alproto][f->protomap].stream_depth); } void AppLayerParserSetStreamDepthFlag(uint8_t ipproto, AppProto alproto, void *state, uint64_t tx_id, uint8_t flags) @@ -1561,8 +1563,8 @@ void AppLayerParserSetStreamDepthFlag(uint8_t ipproto, AppProto alproto, void *s void *tx = NULL; if (state != NULL) { if ((tx = AppLayerParserGetTx(ipproto, alproto, state, tx_id)) != NULL) { - if (alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].SetStreamDepthFlag != NULL) { - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].SetStreamDepthFlag(tx, flags); + if (alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].SetStreamDepthFlag != NULL) { + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].SetStreamDepthFlag(tx, flags); } } } @@ -1571,8 +1573,8 @@ void AppLayerParserSetStreamDepthFlag(uint8_t ipproto, AppProto alproto, void *s int AppLayerParserGetFrameIdByName(uint8_t ipproto, AppProto alproto, const char *name) { - if (alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetFrameIdByName != NULL) { - return alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetFrameIdByName(name); + if (alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetFrameIdByName != NULL) { + return alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetFrameIdByName(name); } else { return -1; } @@ -1580,8 +1582,8 @@ int AppLayerParserGetFrameIdByName(uint8_t ipproto, AppProto alproto, const char const char *AppLayerParserGetFrameNameById(uint8_t ipproto, AppProto alproto, const uint8_t id) { - if (alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetFrameNameById != NULL) { - return alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].GetFrameNameById(id); + if (alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetFrameNameById != NULL) { + return alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetFrameNameById(id); } else { return NULL; } @@ -1594,7 +1596,7 @@ void AppLayerParserStateProtoCleanup( { SCEnter(); - AppLayerParserProtoCtx *ctx = &alp_ctx.ctxs[protomap][alproto]; + AppLayerParserProtoCtx *ctx = &alp_ctx.ctxs[alproto][protomap]; if (ctx->StateFree != NULL && alstate != NULL) ctx->StateFree(alstate); @@ -1614,7 +1616,7 @@ void AppLayerParserStateCleanup(const Flow *f, void *alstate, AppLayerParserStat static void ValidateParserProtoDump(AppProto alproto, uint8_t ipproto) { uint8_t map = FlowGetProtoMapping(ipproto); - const AppLayerParserProtoCtx *ctx = &alp_ctx.ctxs[map][alproto]; + const AppLayerParserProtoCtx *ctx = &alp_ctx.ctxs[alproto][map]; printf("ERROR: incomplete app-layer registration\n"); printf("AppLayer protocol %s ipproto %u\n", AppProtoToString(alproto), ipproto); printf("- option flags %"PRIx32"\n", ctx->option_flags); @@ -1640,7 +1642,7 @@ static void ValidateParserProtoDump(AppProto alproto, uint8_t ipproto) static void ValidateParserProto(AppProto alproto, uint8_t ipproto) { uint8_t map = FlowGetProtoMapping(ipproto); - const AppLayerParserProtoCtx *ctx = &alp_ctx.ctxs[map][alproto]; + const AppLayerParserProtoCtx *ctx = &alp_ctx.ctxs[alproto][map]; if (ctx->Parser[0] == NULL && ctx->Parser[1] == NULL) return; @@ -1768,8 +1770,6 @@ uint16_t AppLayerParserStateIssetFlag(AppLayerParserState *pstate, uint16_t flag #ifdef UNITTESTS #include "util-unittest-helper.h" -static AppLayerParserCtx alp_ctx_backup_unittest; - typedef struct TestState_ { uint8_t test; } TestState; @@ -1826,24 +1826,7 @@ void AppLayerParserRegisterProtocolUnittests(uint8_t ipproto, AppProto alproto, void (*RegisterUnittests)(void)) { SCEnter(); - alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto]. - RegisterUnittests = RegisterUnittests; - SCReturn; -} - -void AppLayerParserBackupParserTable(void) -{ - SCEnter(); - alp_ctx_backup_unittest = alp_ctx; - memset(&alp_ctx, 0, sizeof(alp_ctx)); - SCReturn; -} - -void AppLayerParserRestoreParserTable(void) -{ - SCEnter(); - alp_ctx = alp_ctx_backup_unittest; - memset(&alp_ctx_backup_unittest, 0, sizeof(alp_ctx_backup_unittest)); + alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].RegisterUnittests = RegisterUnittests; SCReturn; } @@ -1853,8 +1836,6 @@ void AppLayerParserRestoreParserTable(void) */ static int AppLayerParserTest01(void) { - AppLayerParserBackupParserTable(); - Flow *f = NULL; uint8_t testbuf[] = { 0x11 }; uint32_t testlen = sizeof(testbuf); @@ -1886,7 +1867,6 @@ static int AppLayerParserTest01(void) FAIL_IF(!(ssn.flags & STREAMTCP_FLAG_APP_LAYER_DISABLED)); - AppLayerParserRestoreParserTable(); StreamTcpFreeConfig(true); UTHFreeFlow(f); PASS; @@ -1898,8 +1878,6 @@ static int AppLayerParserTest01(void) */ static int AppLayerParserTest02(void) { - AppLayerParserBackupParserTable(); - Flow *f = NULL; uint8_t testbuf[] = { 0x11 }; uint32_t testlen = sizeof(testbuf); @@ -1927,13 +1905,11 @@ static int AppLayerParserTest02(void) testlen); FAIL_IF(r != -1); - AppLayerParserRestoreParserTable(); StreamTcpFreeConfig(true); UTHFreeFlow(f); PASS; } - void AppLayerParserRegisterUnittests(void) { SCEnter(); @@ -1944,7 +1920,7 @@ void AppLayerParserRegisterUnittests(void) for (ip = 0; ip < FLOW_PROTO_DEFAULT; ip++) { for (alproto = 0; alproto < ALPROTO_MAX; alproto++) { - ctx = &alp_ctx.ctxs[ip][alproto]; + ctx = &alp_ctx.ctxs[alproto][ip]; if (ctx->RegisterUnittests == NULL) continue; ctx->RegisterUnittests(); From eb2c7f8135b460f08d1d6df2d64f659608b925ce Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Tue, 29 Oct 2024 11:27:30 +0100 Subject: [PATCH 09/14] profiling: use dynamic number of app-layer protos Ticket: 5053 --- src/util-profiling.c | 35 +++++++++++++++++++++++++---------- 1 file changed, 25 insertions(+), 10 deletions(-) diff --git a/src/util-profiling.c b/src/util-profiling.c index 80d3938bd41f..20fcc7f98016 100644 --- a/src/util-profiling.c +++ b/src/util-profiling.c @@ -72,8 +72,8 @@ SCProfilePacketData packet_profile_data6[257]; /**< all proto's + tunnel */ SCProfilePacketData packet_profile_tmm_data4[TMM_SIZE][257]; SCProfilePacketData packet_profile_tmm_data6[TMM_SIZE][257]; -SCProfilePacketData packet_profile_app_data4[ALPROTO_MAX][257]; -SCProfilePacketData packet_profile_app_data6[ALPROTO_MAX][257]; +SCProfilePacketData *packet_profile_app_data4; +SCProfilePacketData *packet_profile_app_data6; SCProfilePacketData packet_profile_app_pd_data4[257]; SCProfilePacketData packet_profile_app_pd_data6[257]; @@ -158,8 +158,14 @@ SCProfilingInit(void) memset(&packet_profile_data6, 0, sizeof(packet_profile_data6)); memset(&packet_profile_tmm_data4, 0, sizeof(packet_profile_tmm_data4)); memset(&packet_profile_tmm_data6, 0, sizeof(packet_profile_tmm_data6)); - memset(&packet_profile_app_data4, 0, sizeof(packet_profile_app_data4)); - memset(&packet_profile_app_data6, 0, sizeof(packet_profile_app_data6)); + packet_profile_app_data4 = SCCalloc(ALPROTO_MAX * 257, sizeof(SCProfilePacketData)); + if (packet_profile_app_data4 == NULL) { + FatalError("Failed to allocate packet_profile_app_data4"); + } + packet_profile_app_data6 = SCCalloc(ALPROTO_MAX * 257, sizeof(SCProfilePacketData)); + if (packet_profile_app_data6 == NULL) { + FatalError("Failed to allocate packet_profile_app_data6"); + } memset(&packet_profile_app_pd_data4, 0, sizeof(packet_profile_app_pd_data4)); memset(&packet_profile_app_pd_data6, 0, sizeof(packet_profile_app_pd_data6)); memset(&packet_profile_detect_data4, 0, sizeof(packet_profile_detect_data4)); @@ -269,6 +275,15 @@ SCProfilingInit(void) void SCProfilingDestroy(void) { + if (packet_profile_app_data4) { + SCFree(packet_profile_app_data4); + packet_profile_app_data4 = NULL; + } + if (packet_profile_app_data6) { + SCFree(packet_profile_app_data6); + packet_profile_app_data6 = NULL; + } + if (profiling_packets_enabled) { pthread_mutex_destroy(&packet_profile_lock); } @@ -490,16 +505,16 @@ void SCProfilingDumpPacketStats(void) total = 0; for (AppProto a = 0; a < ALPROTO_MAX; a++) { for (int p = 0; p < 257; p++) { - SCProfilePacketData *pd = &packet_profile_app_data4[a][p]; + SCProfilePacketData *pd = &packet_profile_app_data4[a * 257 + p]; total += pd->tot; - pd = &packet_profile_app_data6[a][p]; + pd = &packet_profile_app_data6[a * 257 + p]; total += pd->tot; } } for (AppProto a = 0; a < ALPROTO_MAX; a++) { for (int p = 0; p < 257; p++) { - SCProfilePacketData *pd = &packet_profile_app_data4[a][p]; + SCProfilePacketData *pd = &packet_profile_app_data4[a * 257 + p]; if (pd->cnt == 0) { continue; } @@ -518,7 +533,7 @@ void SCProfilingDumpPacketStats(void) for (AppProto a = 0; a < ALPROTO_MAX; a++) { for (int p = 0; p < 257; p++) { - SCProfilePacketData *pd = &packet_profile_app_data6[a][p]; + SCProfilePacketData *pd = &packet_profile_app_data6[a * 257 + p]; if (pd->cnt == 0) { continue; } @@ -918,9 +933,9 @@ static void SCProfilingUpdatePacketAppRecord(int alproto, uint8_t ipproto, PktPr SCProfilePacketData *pd; if (ipver == 4) - pd = &packet_profile_app_data4[alproto][ipproto]; + pd = &packet_profile_app_data4[alproto * 257 + ipproto]; else - pd = &packet_profile_app_data6[alproto][ipproto]; + pd = &packet_profile_app_data6[alproto * 257 + ipproto]; if (pd->min == 0 || pdt->ticks_spent < pd->min) { pd->min = pdt->ticks_spent; From 45679d17f4c7ccfcc9794cf42506b702b69e9faa Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Tue, 29 Oct 2024 22:26:37 +0100 Subject: [PATCH 10/14] fuzz: better init for protocol detection --- src/tests/fuzz/fuzz_applayerprotodetectgetproto.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/tests/fuzz/fuzz_applayerprotodetectgetproto.c b/src/tests/fuzz/fuzz_applayerprotodetectgetproto.c index e30f729bc28f..6dcaf1793461 100644 --- a/src/tests/fuzz/fuzz_applayerprotodetectgetproto.c +++ b/src/tests/fuzz/fuzz_applayerprotodetectgetproto.c @@ -9,7 +9,7 @@ #include "suricata.h" #include "app-layer-detect-proto.h" #include "flow-util.h" -#include "app-layer-parser.h" +#include "app-layer.h" #include "util-unittest-helper.h" #include "conf-yaml-loader.h" @@ -43,9 +43,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) MpmTableSetup(); SpmTableSetup(); EngineModeSetIDS(); - AppLayerProtoDetectSetup(); - AppLayerParserSetup(); - AppLayerParserRegisterProtocolParsers(); + AppLayerSetup(); alpd_tctx = AppLayerProtoDetectGetCtxThread(); SC_ATOMIC_SET(engine_stage, SURICATA_RUNTIME); } From df05782b34a27288aca3f8317c4ac10284ae5977 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Tue, 29 Oct 2024 22:28:18 +0100 Subject: [PATCH 11/14] fuzz: simplify target for protocol detection As too many cases are found when splitting tcp payload --- .../fuzz/fuzz_applayerprotodetectgetproto.c | 27 +------------------ 1 file changed, 1 insertion(+), 26 deletions(-) diff --git a/src/tests/fuzz/fuzz_applayerprotodetectgetproto.c b/src/tests/fuzz/fuzz_applayerprotodetectgetproto.c index 6dcaf1793461..4473de00941c 100644 --- a/src/tests/fuzz/fuzz_applayerprotodetectgetproto.c +++ b/src/tests/fuzz/fuzz_applayerprotodetectgetproto.c @@ -30,8 +30,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) Flow *f; TcpSession ssn; bool reverse; - AppProto alproto; - AppProto alproto2; if (alpd_tctx == NULL) { //global init @@ -66,31 +64,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) if (data[0] & STREAM_TOSERVER) { flags = STREAM_TOSERVER; } - alproto = AppLayerProtoDetectGetProto( + AppLayerProtoDetectGetProto( alpd_tctx, f, data + HEADER_LEN, size - HEADER_LEN, f->proto, flags, &reverse); - if (alproto != ALPROTO_UNKNOWN && alproto != ALPROTO_FAILED && f->proto == IPPROTO_TCP) { - /* If we find a valid protocol at the start of a stream : - * check that with smaller input - * we find the same protocol or ALPROTO_UNKNOWN. - * Otherwise, we have evasion with TCP splitting - */ - for (size_t i = 0; i < size-HEADER_LEN && i < PROTO_DETECT_MAX_LEN; i++) { - // reset detection at each try cf probing_parser_toserver_alproto_masks - AppLayerProtoDetectReset(f); - alproto2 = AppLayerProtoDetectGetProto( - alpd_tctx, f, data + HEADER_LEN, i, f->proto, flags, &reverse); - if (alproto2 != ALPROTO_UNKNOWN && alproto2 != alproto) { - printf("Failed with input length %" PRIuMAX " versus %" PRIuMAX - ", found %s instead of %s\n", - (uintmax_t)i, (uintmax_t)size - HEADER_LEN, AppProtoToString(alproto2), - AppProtoToString(alproto)); - printf("Assertion failure: %s-%s\n", AppProtoToString(alproto2), - AppProtoToString(alproto)); - fflush(stdout); - abort(); - } - } - } FlowFree(f); return 0; From ff98a2381ad2cfa6271d01e88fc7d3d410a57e2c Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Tue, 29 Oct 2024 22:29:06 +0100 Subject: [PATCH 12/14] sip: remove UPDATE method for detection As it is also used for HTTP/1 --- rust/src/sip/sip.rs | 1 - 1 file changed, 1 deletion(-) diff --git a/rust/src/sip/sip.rs b/rust/src/sip/sip.rs index 1a73d4e46a66..a1ada310be11 100755 --- a/rust/src/sip/sip.rs +++ b/rust/src/sip/sip.rs @@ -496,7 +496,6 @@ fn register_pattern_probe(proto: u8) -> i8 { "ACK\0", "BYE\0", "CANCEL\0", - "UPDATE\0", "REFER\0", "PRACK\0", "SUBSCRIBE\0", From 867f4862c0ce56361499bee4f65f86b233b4a6f1 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Thu, 17 Oct 2024 15:23:34 +0200 Subject: [PATCH 13/14] app-layer: make number of alprotos dynamic Ticket: 5053 The names are nwo dynamic --- rust/src/core.rs | 8 ++- scripts/setup-app-layer.py | 2 +- src/app-layer-protos.c | 89 +++++++++++++++--------------- src/app-layer-protos.h | 9 ++-- src/app-layer.c | 108 +++++++++++++++++++++++++------------ src/detect-engine-build.c | 3 +- src/runmodes.c | 3 +- 7 files changed, 135 insertions(+), 87 deletions(-) diff --git a/rust/src/core.rs b/rust/src/core.rs index a628b300384a..496e7b800a6b 100644 --- a/rust/src/core.rs +++ b/rust/src/core.rs @@ -252,7 +252,13 @@ pub fn init_ffi(context: &'static SuricataContext) { unsafe { SC = Some(context); - ALPROTO_FAILED = StringToAppProto("failed\0".as_ptr()); + } +} + +#[no_mangle] +pub extern "C" fn SCUpdateAlprotoFailed(alproto: AppProto) { + unsafe { + ALPROTO_FAILED = alproto; } } diff --git a/scripts/setup-app-layer.py b/scripts/setup-app-layer.py index bb3d23e83944..f94e68ae7d7e 100755 --- a/scripts/setup-app-layer.py +++ b/scripts/setup-app-layer.py @@ -129,7 +129,7 @@ def patch_app_layer_protos_h(protoname): open(filename, "w").write(output.getvalue()) def patch_app_layer_protos_c(protoname): - filename = "src/app-layer-protos.c" + filename = "src/app-layer.c" print("Patching %s." % (filename)) output = io.StringIO() diff --git a/src/app-layer-protos.c b/src/app-layer-protos.c index e82d8688f557..e8c8a5c4bf02 100644 --- a/src/app-layer-protos.c +++ b/src/app-layer-protos.c @@ -24,56 +24,19 @@ #include "suricata-common.h" #include "app-layer-protos.h" +#include "rust.h" + +AppProto ALPROTO_FAILED = ALPROTO_MAX_STATIC; +AppProto ALPROTO_MAX = ALPROTO_MAX_STATIC + 1; +#define ARRAY_CAP_STEP 16 +AppProto AppProtoStringsCap = ALPROTO_MAX_STATIC + 1; typedef struct AppProtoStringTuple { AppProto alproto; const char *str; } AppProtoStringTuple; -const AppProtoStringTuple AppProtoStrings[ALPROTO_MAX] = { - { ALPROTO_UNKNOWN, "unknown" }, - { ALPROTO_HTTP1, "http1" }, - { ALPROTO_FTP, "ftp" }, - { ALPROTO_SMTP, "smtp" }, - { ALPROTO_TLS, "tls" }, - { ALPROTO_SSH, "ssh" }, - { ALPROTO_IMAP, "imap" }, - { ALPROTO_JABBER, "jabber" }, - { ALPROTO_SMB, "smb" }, - { ALPROTO_DCERPC, "dcerpc" }, - { ALPROTO_IRC, "irc" }, - { ALPROTO_DNS, "dns" }, - { ALPROTO_MODBUS, "modbus" }, - { ALPROTO_ENIP, "enip" }, - { ALPROTO_DNP3, "dnp3" }, - { ALPROTO_NFS, "nfs" }, - { ALPROTO_NTP, "ntp" }, - { ALPROTO_FTPDATA, "ftp-data" }, - { ALPROTO_TFTP, "tftp" }, - { ALPROTO_IKE, "ike" }, - { ALPROTO_KRB5, "krb5" }, - { ALPROTO_QUIC, "quic" }, - { ALPROTO_DHCP, "dhcp" }, - { ALPROTO_SNMP, "snmp" }, - { ALPROTO_SIP, "sip" }, - { ALPROTO_RFB, "rfb" }, - { ALPROTO_MQTT, "mqtt" }, - { ALPROTO_PGSQL, "pgsql" }, - { ALPROTO_TELNET, "telnet" }, - { ALPROTO_WEBSOCKET, "websocket" }, - { ALPROTO_LDAP, "ldap" }, - { ALPROTO_DOH2, "doh2" }, - { ALPROTO_TEMPLATE, "template" }, - { ALPROTO_RDP, "rdp" }, - { ALPROTO_HTTP2, "http2" }, - { ALPROTO_BITTORRENT_DHT, "bittorrent-dht" }, - { ALPROTO_POP3, "pop3" }, - { ALPROTO_HTTP, "http" }, - { ALPROTO_FAILED, "failed" }, -#ifdef UNITTESTS - { ALPROTO_TEST, "test" }, -#endif -}; +AppProtoStringTuple *AppProtoStrings = NULL; const char *AppProtoToString(AppProto alproto) { @@ -87,7 +50,7 @@ const char *AppProtoToString(AppProto alproto) proto_name = "http_any"; break; default: - if (alproto < ARRAY_SIZE(AppProtoStrings)) { + if (alproto < ALPROTO_MAX) { BUG_ON(AppProtoStrings[alproto].alproto != alproto); proto_name = AppProtoStrings[alproto].str; } @@ -101,10 +64,44 @@ AppProto StringToAppProto(const char *proto_name) return ALPROTO_UNKNOWN; // We could use a Multi Pattern Matcher - for (size_t i = 0; i < ARRAY_SIZE(AppProtoStrings); i++) { + for (size_t i = 0; i < ALPROTO_MAX; i++) { if (strcmp(proto_name, AppProtoStrings[i].str) == 0) return AppProtoStrings[i].alproto; } return ALPROTO_UNKNOWN; } + +void RegisterAppProtoString(AppProto alproto, const char *proto_name) +{ + if (alproto < ALPROTO_FAILED) { + if (AppProtoStrings == NULL) { + AppProtoStrings = SCCalloc(AppProtoStringsCap, sizeof(AppProtoStringTuple)); + if (AppProtoStrings == NULL) { + FatalError("Unable to allocate AppProtoStrings"); + } + AppProtoStrings[ALPROTO_FAILED].str = "failed"; + AppProtoStrings[ALPROTO_FAILED].alproto = ALPROTO_FAILED; + SCUpdateAlprotoFailed(ALPROTO_FAILED); + } + AppProtoStrings[alproto].str = proto_name; + AppProtoStrings[alproto].alproto = alproto; + } else if (alproto == ALPROTO_FAILED && alproto + 1 == ALPROTO_MAX) { + if (ALPROTO_MAX == AppProtoStringsCap) { + void *tmp = SCRealloc(AppProtoStrings, + sizeof(AppProtoStringTuple) * (AppProtoStringsCap + ARRAY_CAP_STEP)); + if (tmp == NULL) { + FatalError("Unable to reallocate AppProtoStrings"); + } + AppProtoStringsCap += ARRAY_CAP_STEP; + AppProtoStrings = tmp; + } + AppProtoStrings[alproto].str = proto_name; + AppProtoStrings[alproto].alproto = alproto; + ALPROTO_FAILED++; + AppProtoStrings[ALPROTO_FAILED].str = "failed"; + AppProtoStrings[ALPROTO_FAILED].alproto = ALPROTO_FAILED; + SCUpdateAlprotoFailed(ALPROTO_FAILED); + ALPROTO_MAX++; + } +} diff --git a/src/app-layer-protos.h b/src/app-layer-protos.h index 348203ac2f53..96e7414ee260 100644 --- a/src/app-layer-protos.h +++ b/src/app-layer-protos.h @@ -69,19 +69,18 @@ enum AppProtoEnum { // HTTP for any version (ALPROTO_HTTP1 (version 1) or ALPROTO_HTTP2) ALPROTO_HTTP, - /* used by the probing parser when alproto detection fails - * permanently for that particular stream */ - ALPROTO_FAILED, #ifdef UNITTESTS ALPROTO_TEST, #endif /* UNITESTS */ /* keep last */ - ALPROTO_MAX, + ALPROTO_MAX_STATIC, }; // NOTE: if ALPROTO's get >= 256, update SignatureNonPrefilterStore /* not using the enum as that is a unsigned int, so 4 bytes */ typedef uint16_t AppProto; +extern AppProto ALPROTO_FAILED; +extern AppProto ALPROTO_MAX; static inline bool AppProtoIsValid(AppProto a) { @@ -173,4 +172,6 @@ const char *AppProtoToString(AppProto alproto); */ AppProto StringToAppProto(const char *proto_name); +void RegisterAppProtoString(AppProto alproto, const char *proto_name); + #endif /* SURICATA_APP_LAYER_PROTOS_H */ diff --git a/src/app-layer.c b/src/app-layer.c index bd5920ab5c52..76341bf63078 100644 --- a/src/app-layer.c +++ b/src/app-layer.c @@ -905,42 +905,39 @@ int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow * tctx->alpd_tctx, f, p->payload, p->payload_len, IPPROTO_UDP, flags, &reverse_flow); PACKET_PROFILING_APP_PD_END(tctx); - switch (*alproto) { - case ALPROTO_UNKNOWN: - if (*alproto_otherdir != ALPROTO_UNKNOWN) { - // Use recognized side - f->alproto = *alproto_otherdir; - // do not keep ALPROTO_UNKNOWN for this side so as not to loop - *alproto = *alproto_otherdir; - if (*alproto_otherdir == ALPROTO_FAILED) { - SCLogDebug("ALPROTO_UNKNOWN flow %p", f); - } - } else { - // First side of protocol is unknown - *alproto = ALPROTO_FAILED; + if (*alproto == ALPROTO_UNKNOWN) { + if (*alproto_otherdir != ALPROTO_UNKNOWN) { + // Use recognized side + f->alproto = *alproto_otherdir; + // do not keep ALPROTO_UNKNOWN for this side so as not to loop + *alproto = *alproto_otherdir; + if (*alproto_otherdir == ALPROTO_FAILED) { + SCLogDebug("ALPROTO_UNKNOWN flow %p", f); } - break; - case ALPROTO_FAILED: - if (*alproto_otherdir != ALPROTO_UNKNOWN) { - // Use recognized side - f->alproto = *alproto_otherdir; - if (*alproto_otherdir == ALPROTO_FAILED) { - SCLogDebug("ALPROTO_UNKNOWN flow %p", f); - } + } else { + // First side of protocol is unknown + *alproto = ALPROTO_FAILED; + } + } else if (*alproto == ALPROTO_FAILED) { + if (*alproto_otherdir != ALPROTO_UNKNOWN) { + // Use recognized side + f->alproto = *alproto_otherdir; + if (*alproto_otherdir == ALPROTO_FAILED) { + SCLogDebug("ALPROTO_UNKNOWN flow %p", f); } - // else wait for second side of protocol - break; - default: - if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != ALPROTO_FAILED) { - if (*alproto_otherdir != *alproto) { - AppLayerDecoderEventsSetEventRaw( - &p->app_layer_events, APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS); - // data already sent to parser, we cannot change the protocol to use the one - // of the server - } - } else { - f->alproto = *alproto; + } + // else wait for second side of protocol + } else { + if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != ALPROTO_FAILED) { + if (*alproto_otherdir != *alproto) { + AppLayerDecoderEventsSetEventRaw( + &p->app_layer_events, APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS); + // data already sent to parser, we cannot change the protocol to use the one + // of the server } + } else { + f->alproto = *alproto; + } } if (*alproto_otherdir == ALPROTO_UNKNOWN) { if (f->alproto == ALPROTO_UNKNOWN) { @@ -1027,11 +1024,56 @@ void AppLayerListSupportedProtocols(void) } /***** Setup/General Registration *****/ +static void AppLayerNamesSetup(void) +{ + RegisterAppProtoString(ALPROTO_UNKNOWN, "unknown"); + RegisterAppProtoString(ALPROTO_HTTP1, "http1"); + RegisterAppProtoString(ALPROTO_FTP, "ftp"); + RegisterAppProtoString(ALPROTO_SMTP, "smtp"); + RegisterAppProtoString(ALPROTO_TLS, "tls"); + RegisterAppProtoString(ALPROTO_SSH, "ssh"); + RegisterAppProtoString(ALPROTO_IMAP, "imap"); + RegisterAppProtoString(ALPROTO_JABBER, "jabber"); + RegisterAppProtoString(ALPROTO_SMB, "smb"); + RegisterAppProtoString(ALPROTO_DCERPC, "dcerpc"); + RegisterAppProtoString(ALPROTO_IRC, "irc"); + RegisterAppProtoString(ALPROTO_DNS, "dns"); + RegisterAppProtoString(ALPROTO_MODBUS, "modbus"); + RegisterAppProtoString(ALPROTO_ENIP, "enip"); + RegisterAppProtoString(ALPROTO_DNP3, "dnp3"); + RegisterAppProtoString(ALPROTO_NFS, "nfs"); + RegisterAppProtoString(ALPROTO_NTP, "ntp"); + RegisterAppProtoString(ALPROTO_FTPDATA, "ftp-data"); + RegisterAppProtoString(ALPROTO_TFTP, "tftp"); + RegisterAppProtoString(ALPROTO_IKE, "ike"); + RegisterAppProtoString(ALPROTO_KRB5, "krb5"); + RegisterAppProtoString(ALPROTO_QUIC, "quic"); + RegisterAppProtoString(ALPROTO_DHCP, "dhcp"); + RegisterAppProtoString(ALPROTO_SNMP, "snmp"); + RegisterAppProtoString(ALPROTO_SIP, "sip"); + RegisterAppProtoString(ALPROTO_RFB, "rfb"); + RegisterAppProtoString(ALPROTO_MQTT, "mqtt"); + RegisterAppProtoString(ALPROTO_PGSQL, "pgsql"); + RegisterAppProtoString(ALPROTO_TELNET, "telnet"); + RegisterAppProtoString(ALPROTO_WEBSOCKET, "websocket"); + RegisterAppProtoString(ALPROTO_LDAP, "ldap"); + RegisterAppProtoString(ALPROTO_DOH2, "doh2"); + RegisterAppProtoString(ALPROTO_TEMPLATE, "template"); + RegisterAppProtoString(ALPROTO_RDP, "rdp"); + RegisterAppProtoString(ALPROTO_HTTP2, "http2"); + RegisterAppProtoString(ALPROTO_BITTORRENT_DHT, "bittorrent-dht"); + RegisterAppProtoString(ALPROTO_POP3, "pop3"); + RegisterAppProtoString(ALPROTO_HTTP, "http"); +#ifdef UNITTESTS + RegisterAppProtoString(ALPROTO_TEST, "test"); +#endif +} int AppLayerSetup(void) { SCEnter(); + AppLayerNamesSetup(); AppLayerProtoDetectSetup(); AppLayerParserSetup(); diff --git a/src/detect-engine-build.c b/src/detect-engine-build.c index c85f53d5051d..01ea9b736457 100644 --- a/src/detect-engine-build.c +++ b/src/detect-engine-build.c @@ -625,7 +625,8 @@ static json_t *RulesGroupPrintSghStats(const DetectEngineCtx *de_ctx, const SigG } mpm_stats[max_buffer_type_id]; memset(mpm_stats, 0x00, sizeof(mpm_stats)); - uint32_t alstats[ALPROTO_MAX] = {0}; + uint32_t alstats[ALPROTO_MAX]; + memset(alstats, 0, ALPROTO_MAX * sizeof(uint32_t)); uint32_t mpm_sizes[max_buffer_type_id][256]; memset(mpm_sizes, 0, sizeof(mpm_sizes)); uint32_t alproto_mpm_bufs[ALPROTO_MAX][max_buffer_type_id]; diff --git a/src/runmodes.c b/src/runmodes.c index b326a96e3a67..72b5874db044 100644 --- a/src/runmodes.c +++ b/src/runmodes.c @@ -758,7 +758,8 @@ void RunModeInitializeOutputs(void) char tls_store_present = 0; // ALPROTO_MAX is set to its final value - LoggerId logger_bits[ALPROTO_MAX] = { 0 }; + LoggerId logger_bits[ALPROTO_MAX]; + memset(logger_bits, 0, ALPROTO_MAX * sizeof(LoggerId)); TAILQ_FOREACH(output, &outputs->head, next) { output_config = ConfNodeLookupChild(output, output->val); From b34acb1c34288d6602fc81fb347239dabdaaff72 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Thu, 16 Nov 2023 14:35:49 +0100 Subject: [PATCH 14/14] plugins: app-layer plugins Ticket: 5053 --- src/app-layer-parser.c | 10 ++++++ src/detect-engine-file.h | 11 ++++++ src/detect-engine-register.c | 13 ++++++++ src/detect-parse.c | 65 +++++++++++++++++++++++------------- src/output.c | 18 ++++++++++ src/suricata-plugin.h | 11 ++++++ src/util-plugin.c | 34 +++++++++++++++++++ src/util-plugin.h | 4 +++ 8 files changed, 142 insertions(+), 24 deletions(-) diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c index e743e41d4661..4c7174508737 100644 --- a/src/app-layer-parser.c +++ b/src/app-layer-parser.c @@ -54,6 +54,7 @@ #include "app-layer-ike.h" #include "app-layer-http2.h" #include "app-layer-imap.h" +#include "util-plugin.h" struct AppLayerParserThreadCtx_ { void *(*alproto_local_storage)[FLOW_PROTO_MAX]; @@ -1745,6 +1746,15 @@ void AppLayerParserRegisterProtocolParsers(void) } else { SCLogInfo("Protocol detection and parser disabled for pop3 protocol."); } +#ifdef HAVE_PLUGINS + for (size_t i = 0; i < app_layer_plugins_nb; i++) { + SCAppLayerPlugin *app_layer_plugin = SCPluginFindAppLayerByIndex(i); + if (app_layer_plugin == NULL) { + break; + } + app_layer_plugin->Register(); + } +#endif ValidateParsers(); } diff --git a/src/detect-engine-file.h b/src/detect-engine-file.h index 13aa7465f436..5907f17e0807 100644 --- a/src/detect-engine-file.h +++ b/src/detect-engine-file.h @@ -28,4 +28,15 @@ uint8_t DetectFileInspectGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *_alstate, void *tx, uint64_t tx_id); +// file protocols with common file handling +typedef struct { + AppProto al_proto; + int direction; + int to_client_progress; + int to_server_progress; +} DetectFileHandlerProtocol_t; + +void DetectFileRegisterProto( + AppProto alproto, int direction, int to_client_progress, int to_server_progress); + #endif /* SURICATA_DETECT_ENGINE_FILE_H */ diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c index 6ea3698c2c93..bd7f0b2d39ae 100644 --- a/src/detect-engine-register.c +++ b/src/detect-engine-register.c @@ -288,6 +288,7 @@ #include "util-path.h" #include "util-mpm-ac.h" #include "runmodes.h" +#include "util-plugin.h" int DETECT_TBLSIZE = 0; int DETECT_TBLSIZE_IDX = DETECT_TBLSIZE_STATIC; @@ -695,6 +696,18 @@ void SigTableSetup(void) ScDetectSipRegister(); ScDetectTemplateRegister(); +#ifdef HAVE_PLUGINS + for (size_t i = 0; i < app_layer_plugins_nb; i++) { + SCAppLayerPlugin *app_layer_plugin = SCPluginFindAppLayerByIndex(i); + if (app_layer_plugin == NULL) { + break; + } + if (app_layer_plugin->KeywordsRegister != NULL) { + app_layer_plugin->KeywordsRegister(); + } + } +#endif + /* close keyword registration */ DetectBufferTypeCloseRegistration(); } diff --git a/src/detect-parse.c b/src/detect-parse.c index 984501c1dd8a..7f3ceb3eb368 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -68,6 +68,7 @@ #include "string.h" #include "detect-parse.h" #include "detect-engine-iponly.h" +#include "detect-engine-file.h" #include "app-layer-detect-proto.h" #include "action-globals.h" @@ -76,32 +77,48 @@ /* Table with all filehandler registrations */ DetectFileHandlerTableElmt filehandler_table[DETECT_TBLSIZE_STATIC]; +#define ALPROTO_WITHFILES_MAX 16 + +// file protocols with common file handling +DetectFileHandlerProtocol_t al_protocols[ALPROTO_WITHFILES_MAX] = { + { .al_proto = ALPROTO_NFS, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT }, + { .al_proto = ALPROTO_SMB, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT }, + { .al_proto = ALPROTO_FTP, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT }, + { .al_proto = ALPROTO_FTPDATA, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT }, + { .al_proto = ALPROTO_HTTP1, + .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT, + .to_client_progress = HTP_RESPONSE_BODY, + .to_server_progress = HTP_REQUEST_BODY }, + { .al_proto = ALPROTO_HTTP2, + .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT, + .to_client_progress = HTTP2StateDataServer, + .to_server_progress = HTTP2StateDataClient }, + { .al_proto = ALPROTO_SMTP, .direction = SIG_FLAG_TOSERVER }, { .al_proto = ALPROTO_UNKNOWN } +}; + +void DetectFileRegisterProto( + AppProto alproto, int direction, int to_client_progress, int to_server_progress) +{ + size_t i = 0; + while (i < ALPROTO_WITHFILES_MAX && al_protocols[i].al_proto != ALPROTO_UNKNOWN) { + i++; + } + if (i == ALPROTO_WITHFILES_MAX) { + return; + } + al_protocols[i].al_proto = alproto; + al_protocols[i].direction = direction; + al_protocols[i].to_client_progress = to_client_progress; + al_protocols[i].to_server_progress = to_server_progress; + al_protocols[i + 1].al_proto = ALPROTO_UNKNOWN; +} + void DetectFileRegisterFileProtocols(DetectFileHandlerTableElmt *reg) { - // file protocols with common file handling - typedef struct { - AppProto al_proto; - int direction; - int to_client_progress; - int to_server_progress; - } DetectFileHandlerProtocol_t; - static DetectFileHandlerProtocol_t al_protocols[] = { - { .al_proto = ALPROTO_NFS, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT }, - { .al_proto = ALPROTO_SMB, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT }, - { .al_proto = ALPROTO_FTP, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT }, - { .al_proto = ALPROTO_FTPDATA, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT }, - { .al_proto = ALPROTO_HTTP1, - .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT, - .to_client_progress = HTP_RESPONSE_BODY, - .to_server_progress = HTP_REQUEST_BODY }, - { .al_proto = ALPROTO_HTTP2, - .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT, - .to_client_progress = HTTP2StateDataServer, - .to_server_progress = HTTP2StateDataClient }, - { .al_proto = ALPROTO_SMTP, .direction = SIG_FLAG_TOSERVER } - }; - - for (size_t i = 0; i < ARRAY_SIZE(al_protocols); i++) { + for (size_t i = 0; i < ALPROTO_MAX; i++) { + if (al_protocols[i].al_proto == ALPROTO_UNKNOWN) { + break; + } int direction = al_protocols[i].direction == 0 ? (int)(SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT) : al_protocols[i].direction; diff --git a/src/output.c b/src/output.c index 002f33b5abc6..e734273e6ded 100644 --- a/src/output.c +++ b/src/output.c @@ -82,6 +82,7 @@ #include "app-layer-parser.h" #include "output-filestore.h" #include "output-json-arp.h" +#include "util-plugin.h" typedef struct RootLogger_ { OutputLogFunc LogFunc; @@ -1105,4 +1106,21 @@ void OutputRegisterLoggers(void) } /* ARP JSON logger */ JsonArpLogRegister(); + +#ifdef HAVE_PLUGINS + for (size_t i = 0; i < app_layer_plugins_nb; i++) { + SCAppLayerPlugin *app_layer_plugin = SCPluginFindAppLayerByIndex(i); + if (app_layer_plugin == NULL) { + break; + } + + OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", app_layer_plugin->logname, + app_layer_plugin->confname, OutputJsonLogInitSub, + (AppProto)(ALPROTO_MAX_STATIC + i), JsonGenericDirFlowLogger, JsonLogThreadInit, + JsonLogThreadDeinit); + SCLogNotice("%s JSON logger registered.", app_layer_plugin->name); + RegisterSimpleJsonApplayerLogger((AppProto)(ALPROTO_MAX_STATIC + i), + (EveJsonSimpleTxLogFunc)app_layer_plugin->Logger, NULL); + } +#endif } diff --git a/src/suricata-plugin.h b/src/suricata-plugin.h index 639dd7c7313e..2aa876c43892 100644 --- a/src/suricata-plugin.h +++ b/src/suricata-plugin.h @@ -52,4 +52,15 @@ typedef struct SCCapturePlugin_ { int SCPluginRegisterCapture(SCCapturePlugin *); +typedef struct SCAppLayerPlugin_ { + char *name; + char *logname; + char *confname; + void (*Register)(void); + bool (*Logger)(void *tx, void *jb); + void (*KeywordsRegister)(void); +} SCAppLayerPlugin; + +int SCPluginRegisterAppLayer(SCAppLayerPlugin *); + #endif /* __SURICATA_PLUGIN_H */ diff --git a/src/util-plugin.c b/src/util-plugin.c index 7a9b467daaac..5f4ee9cf6273 100644 --- a/src/util-plugin.c +++ b/src/util-plugin.c @@ -22,6 +22,7 @@ #include "util-plugin.h" #include "util-debug.h" #include "conf.h" +#include "app-layer-protos.h" #ifdef HAVE_PLUGINS @@ -148,4 +149,37 @@ SCCapturePlugin *SCPluginFindCaptureByName(const char *name) } return plugin; } + +static SCAppLayerPlugin **app_layer_plugins = NULL; +size_t app_layer_plugins_nb = 0; +#define ARRAY_CAP_STEP 16 +static size_t app_layer_plugins_cap = 0; + +int SCPluginRegisterAppLayer(SCAppLayerPlugin *plugin) +{ + if (app_layer_plugins_nb == app_layer_plugins_cap) { + void *tmp = SCRealloc(app_layer_plugins, + sizeof(SCAppLayerPlugin *) * (app_layer_plugins_cap + ARRAY_CAP_STEP)); + if (tmp == NULL) { + return 1; + } + app_layer_plugins_cap += ARRAY_CAP_STEP; + app_layer_plugins = tmp; + } + if (app_layer_plugins_nb < app_layer_plugins_cap) { + app_layer_plugins[app_layer_plugins_nb] = plugin; + RegisterAppProtoString((AppProto)(ALPROTO_MAX_STATIC + app_layer_plugins_nb), plugin->name); + app_layer_plugins_nb++; + return 0; + } + return 1; +} + +SCAppLayerPlugin *SCPluginFindAppLayerByIndex(size_t i) +{ + if (i < app_layer_plugins_nb) { + return app_layer_plugins[i]; + } + return NULL; +} #endif diff --git a/src/util-plugin.h b/src/util-plugin.h index f749e287a366..dbbea568fc1a 100644 --- a/src/util-plugin.h +++ b/src/util-plugin.h @@ -25,4 +25,8 @@ SCCapturePlugin *SCPluginFindCaptureByName(const char *name); bool RegisterPlugin(SCPlugin *, void *); +SCAppLayerPlugin *SCPluginFindAppLayerByIndex(size_t i); + +extern size_t app_layer_plugins_nb; + #endif /* SURICATA_UTIL_PLUGIN_H */