suricata/src/app-layer-parser.h

#ifndef __APP_LAYER_PARSER_H__
#define __APP_LAYER_PARSER_H__

/** Mapping between local parser id's (e.g. HTTP_FIELD_REQUEST_URI) and
  * the dynamically assigned (at registration) global parser id. */
typedef struct AppLayerLocalMap_ {
    uint16_t parser_id;
} AppLayerLocalMap;

/** \brief Mapping between ALPROTO_* and L7Parsers
 *
 * Map the proto to the parsers for the to_client and to_server directions.
 */
typedef struct AppLayerProto_ {
    char *name; /**< name of the registered proto */

    uint16_t to_server;
    uint16_t to_client;
    uint8_t storage_id;

    AppLayerLocalMap **map;
    uint16_t map_size;

    void *(*StateAlloc)(void);
    void (*StateFree)(void *);
} AppLayerProto;

/** flags for the result elmts */
#define ALP_RESULT_ELMT_ALLOC 0x01

/** \brief Result elements for the parser */
typedef struct AppLayerParserResultElmt_ {
    uint16_t flags; /* flags. E.g. local alloc */
    uint16_t name_idx; /* idx for names like "http.request_line.uri" */

    uint8_t  *data_ptr; /* point to the position in the "input" data
                          * or ptr to new mem if local alloc flag set */
    uint32_t data_len; /* length of the data from the ptr */
    struct AppLayerParserResultElmt_ *next;
} AppLayerParserResultElmt;

/** \brief List head for parser result elmts */
typedef struct AppLayerParserResult_ {
    AppLayerParserResultElmt *head;
    AppLayerParserResultElmt *tail;
    uint32_t cnt;
} AppLayerParserResult;

#define APP_LAYER_PARSER_USE            0x01
#define APP_LAYER_PARSER_EOF            0x02
#define APP_LAYER_PARSER_DONE           0x04  /**< parser is done, ignore more
                                                   msgs */
#define APP_LAYER_PARSER_NO_INSPECTION  0x08 /**< Flag to indicate no more
                                                  packets payload inspection */
#define APP_LAYER_PARSER_NO_REASSEMBLY  0x10 /**< Flag to indicate no more
                                                  packets reassembly for this
                                                  session */

typedef struct AppLayerParserState_ {
    uint8_t flags;

    uint16_t cur_parser; /* idx of currently active parser */
    uint8_t *store;
    uint32_t store_len;
    uint16_t parse_field;
} AppLayerParserState;

typedef struct AppLayerParserStateStore_ {
    AppLayerParserState to_client;
    AppLayerParserState to_server;
} AppLayerParserStateStore;

typedef struct AppLayerParserTableElement_ {
    char *name;
    uint16_t proto;
    uint16_t parser_local_id; /** local id of the parser in the parser itself. */
    uint8_t flags;
    int (*AppLayerParser)(void *protocol_state, AppLayerParserState *parser_state, uint8_t *input, uint32_t input_len, AppLayerParserResult *output);
    uint16_t max_outputs; /* rationele is that if we know the max outputs of all parsers, we
                              can statically define our output array to be a certain size */
} AppLayerParserTableElement;

/* prototypes */
void AppLayerParsersInitPostProcess(void);
void RegisterAppLayerParsers(void);

int AppLayerRegisterProto(char *name, uint8_t proto, uint8_t flags, int (*AppLayerParser)(void *protocol_state, AppLayerParserState *parser_state, uint8_t *input, uint32_t input_len, AppLayerParserResult *output));
int AppLayerRegisterParser(char *name, uint16_t proto, uint16_t parser_id, int (*AppLayerParser)(void *protocol_state, AppLayerParserState *parser_state, uint8_t *input, uint32_t input_len, AppLayerParserResult *output), char *dependency);
void AppLayerRegisterStateFuncs(uint16_t proto, void *(*StateAlloc)(void), void (*StateFree)(void *));

int AppLayerParse(Flow *f, uint8_t proto, uint8_t flags, uint8_t *input, uint32_t input_len, char);

int AlpParseFieldBySize(AppLayerParserResult *, AppLayerParserState *, uint16_t, uint32_t, uint8_t *, uint32_t, uint32_t *);
int AlpParseFieldByEOF(AppLayerParserResult *, AppLayerParserState *, uint16_t, uint8_t *, uint32_t);
int AlpParseFieldByDelimiter(AppLayerParserResult *, AppLayerParserState *, uint16_t, const uint8_t *, uint8_t, uint8_t *, uint32_t, uint32_t *);
uint16_t AlpGetStateIdx(uint16_t);

uint16_t AppLayerGetProtoByName(const char *);

void AppLayerParserRegisterTests(void);

#include "stream-tcp-private.h"
void AppLayerParserCleanupState(TcpSession *);

#endif /* __APP_LAYER_PARSER_H__ */
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*. 16 years ago			`#ifndef __APP_LAYER_PARSER_H__`
			`#define __APP_LAYER_PARSER_H__`

Update to the parsers. 16 years ago			`/** Mapping between local parser id's (e.g. HTTP_FIELD_REQUEST_URI) and`
			`* the dynamically assigned (at registration) global parser id. */`
			`typedef struct AppLayerLocalMap_ {`
64 bit cleanup part2 16 years ago			`uint16_t parser_id;`
Update to the parsers. 16 years ago			`} AppLayerLocalMap;`

Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*. 16 years ago			`/** \brief Mapping between ALPROTO_* and L7Parsers`
			`*`
			`* Map the proto to the parsers for the to_client and to_server directions.`
			`*/`
			`typedef struct AppLayerProto_ {`
First iteration of doing app layer detection. 16 years ago			`char name; /< name of the registered proto /`

64 bit cleanup part2 16 years ago			`uint16_t to_server;`
			`uint16_t to_client;`
			`uint8_t storage_id;`
Update to the parsers. 16 years ago
			`AppLayerLocalMap **map;`
64 bit cleanup part2 16 years ago			`uint16_t map_size;`
Further work on the stream L7 parser, it's api and the http stub implementation. 16 years ago
			`void (StateAlloc)(void);`
			`void (StateFree)(void );`
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*. 16 years ago			`} AppLayerProto;`

Further work on the stream L7 parser, it's api and the http stub implementation. 16 years ago			`/** flags for the result elmts */`
			`#define ALP_RESULT_ELMT_ALLOC 0x01`

			`/** \brief Result elements for the parser */`
			`typedef struct AppLayerParserResultElmt_ {`
64 bit cleanup part2 16 years ago			`uint16_t flags; /* flags. E.g. local alloc */`
			`uint16_t name_idx; /* idx for names like "http.request_line.uri" */`
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*. 16 years ago
64 bit cleanup part2 16 years ago			`uint8_t data_ptr; / point to the position in the "input" data`
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*. 16 years ago			`* or ptr to new mem if local alloc flag set */`
64 bit cleanup part2 16 years ago			`uint32_t data_len; /* length of the data from the ptr */`
Further work on the stream L7 parser, it's api and the http stub implementation. 16 years ago			`struct AppLayerParserResultElmt_ *next;`
			`} AppLayerParserResultElmt;`

			`/** \brief List head for parser result elmts */`
			`typedef struct AppLayerParserResult_ {`
			`AppLayerParserResultElmt *head;`
			`AppLayerParserResultElmt *tail;`
64 bit cleanup part2 16 years ago			`uint32_t cnt;`
Further work on the stream L7 parser, it's api and the http stub implementation. 16 years ago			`} AppLayerParserResult;`

tls no reassembly support 16 years ago			`#define APP_LAYER_PARSER_USE 0x01`
			`#define APP_LAYER_PARSER_EOF 0x02`
			`#define APP_LAYER_PARSER_DONE 0x04 /**< parser is done, ignore more`
			`msgs */`
			`#define APP_LAYER_PARSER_NO_INSPECTION 0x08 /**< Flag to indicate no more`
			`packets payload inspection */`
			`#define APP_LAYER_PARSER_NO_REASSEMBLY 0x10 /**< Flag to indicate no more`
			`packets reassembly for this`
			`session */`
Further work on the stream L7 parser, it's api and the http stub implementation. 16 years ago
			`typedef struct AppLayerParserState_ {`
64 bit cleanup part2 16 years ago			`uint8_t flags;`
Further work on the stream L7 parser, it's api and the http stub implementation. 16 years ago
64 bit cleanup part2 16 years ago			`uint16_t cur_parser; /* idx of currently active parser */`
			`uint8_t *store;`
			`uint32_t store_len;`
			`uint16_t parse_field;`
Further work on the stream L7 parser, it's api and the http stub implementation. 16 years ago			`} AppLayerParserState;`

			`typedef struct AppLayerParserStateStore_ {`
			`AppLayerParserState to_client;`
			`AppLayerParserState to_server;`
			`} AppLayerParserStateStore;`
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*. 16 years ago
			`typedef struct AppLayerParserTableElement_ {`
			`char *name;`
64 bit cleanup part2 16 years ago			`uint16_t proto;`
			`uint16_t parser_local_id; /** local id of the parser in the parser itself. */`
			`uint8_t flags;`
			`int (AppLayerParser)(void protocol_state, AppLayerParserState parser_state, uint8_t input, uint32_t input_len, AppLayerParserResult *output);`
			`uint16_t max_outputs; /* rationele is that if we know the max outputs of all parsers, we`
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*. 16 years ago			`can statically define our output array to be a certain size */`
			`} AppLayerParserTableElement;`

Further work on the stream L7 parser, it's api and the http stub implementation. 16 years ago			`/* prototypes */`
			`void AppLayerParsersInitPostProcess(void);`
			`void RegisterAppLayerParsers(void);`
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*. 16 years ago
64 bit cleanup part2 16 years ago			`int AppLayerRegisterProto(char name, uint8_t proto, uint8_t flags, int (AppLayerParser)(void protocol_state, AppLayerParserState parser_state, uint8_t input, uint32_t input_len, AppLayerParserResult output));`
			`int AppLayerRegisterParser(char name, uint16_t proto, uint16_t parser_id, int (AppLayerParser)(void protocol_state, AppLayerParserState parser_state, uint8_t input, uint32_t input_len, AppLayerParserResult output), char *dependency);`
			`void AppLayerRegisterStateFuncs(uint16_t proto, void (StateAlloc)(void), void (StateFree)(void ));`
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*. 16 years ago
Make locking of the flow optional in the app layer subsys so we can also pass locked flows to it. 16 years ago			`int AppLayerParse(Flow f, uint8_t proto, uint8_t flags, uint8_t input, uint32_t input_len, char);`
Further work on the stream L7 parser, it's api and the http stub implementation. 16 years ago
Add 'BySize' field parser. Add stub tls parser. 16 years ago			`int AlpParseFieldBySize(AppLayerParserResult , AppLayerParserState , uint16_t, uint32_t, uint8_t , uint32_t, uint32_t );`
64 bit cleanup part2 16 years ago			`int AlpParseFieldByEOF(AppLayerParserResult , AppLayerParserState , uint16_t, uint8_t *, uint32_t);`
			`int AlpParseFieldByDelimiter(AppLayerParserResult , AppLayerParserState , uint16_t, const uint8_t , uint8_t, uint8_t , uint32_t, uint32_t *);`
			`uint16_t AlpGetStateIdx(uint16_t);`
Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*. 16 years ago
First iteration of doing app layer detection. 16 years ago			`uint16_t AppLayerGetProtoByName(const char *);`

app layer error handling 15 years ago			`void AppLayerParserRegisterTests(void);`

Big update: - Implement "closing" state in flow. - Add protocol specific timeouts. - Lots of stream tracking updates, fixing a lot of out of window issues. - Stream reassembly fixes. - Implement a new IDS runmode with 4 stream and detect threads. - Added a BUG_ON macro that aborts the engine if the expression is true. - Better balance the flow queue handler for traffic that doesn't have flow (like icmp currently). - Simplify application level protocol in the Tcp Session. - Add some debugging memory counters. 16 years ago			`#include "stream-tcp-private.h"`
			`void AppLayerParserCleanupState(TcpSession *);`

Initial code of Application Layer parsing framework. Rename of L7* to AppLayer*. 16 years ago			`#endif /* __APP_LAYER_PARSER_H__ */`