aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

app-layer: add Flow to probing parser functions

Browse Source
pull/3108/head
Eric Leblond 8 years ago committed by Victor Julien
parent 2d68050e60
commit 31a0783865
14 changed files with 38 additions and 29 deletions
Show Stats Download Patch File Download Diff File

11
src/app-layer-detect-proto.c
Unescape Escape View File

@ -399,9 +399,9 @@ static AppProto AppLayerProtoDetectPPGetProto(Flow *f,
}
if (direction & STREAM_TOSERVER && pe->ProbingParserTs != NULL) {
alproto = pe->ProbingParserTs(buf, buflen, NULL);
alproto = pe->ProbingParserTs(f, buf, buflen, NULL);
} else if (pe->ProbingParserTc != NULL) {
alproto = pe->ProbingParserTc(buf, buflen, NULL);
alproto = pe->ProbingParserTc(f, buf, buflen, NULL);
}
if (alproto != ALPROTO_UNKNOWN && alproto != ALPROTO_FAILED)
goto end;
@ -420,9 +420,9 @@ static AppProto AppLayerProtoDetectPPGetProto(Flow *f,
}
if (direction & STREAM_TOSERVER && pe->ProbingParserTs != NULL) {
alproto = pe->ProbingParserTs(buf, buflen, NULL);
alproto = pe->ProbingParserTs(f, buf, buflen, NULL);
} else if (pe->ProbingParserTc != NULL) {
alproto = pe->ProbingParserTc(buf, buflen, NULL);
alproto = pe->ProbingParserTc(f, buf, buflen, NULL);
}
if (alproto != ALPROTO_UNKNOWN && alproto != ALPROTO_FAILED)
goto end;
@ -3034,7 +3034,8 @@ static int AppLayerProtoDetectPPTestData(AppLayerProtoDetectProbingParser *pp,
return result;
}
static uint16_t ProbingParserDummyForTesting(uint8_t *input,
static uint16_t ProbingParserDummyForTesting(Flow *f,
uint8_t *input,
uint32_t input_len,
uint32_t *offset)
{

3
src/app-layer-detect-proto.h
Unescape Escape View File

@ -27,7 +27,8 @@
typedef struct AppLayerProtoDetectThreadCtx_ AppLayerProtoDetectThreadCtx;
typedef AppProto (*ProbingParserFPtr)(uint8_t *input, uint32_t input_len,
typedef AppProto (*ProbingParserFPtr)(Flow *f,
uint8_t *input, uint32_t input_len,
uint32_t *offset);
/***** Protocol Retrieval *****/

12
src/app-layer-dnp3.c
Unescape Escape View File

@ -264,7 +264,7 @@ static int DNP3ContainsBanner(const uint8_t *input, uint32_t len)
/**
* \brief DNP3 probing parser.
*/
static uint16_t DNP3ProbingParser(uint8_t *input, uint32_t len,
static uint16_t DNP3ProbingParser(Flow *f, uint8_t *input, uint32_t len,
uint32_t *offset)
{
DNP3LinkHeader *hdr = (DNP3LinkHeader *)input;
@ -2055,25 +2055,25 @@ static int DNP3ProbingParserTest(void)
};
/* Valid frame. */
FAIL_IF(DNP3ProbingParser(pkt, sizeof(pkt), NULL) != ALPROTO_DNP3);
FAIL_IF(DNP3ProbingParser(NULL, pkt, sizeof(pkt), NULL) != ALPROTO_DNP3);
/* Send too little bytes. */
FAIL_IF(DNP3ProbingParser(pkt, sizeof(DNP3LinkHeader) - 1, NULL) != ALPROTO_UNKNOWN);
FAIL_IF(DNP3ProbingParser(NULL, pkt, sizeof(DNP3LinkHeader) - 1, NULL) != ALPROTO_UNKNOWN);
/* Bad start bytes. */
pkt[0] = 0x06;
FAIL_IF(DNP3ProbingParser(pkt, sizeof(pkt), NULL) != ALPROTO_FAILED);
FAIL_IF(DNP3ProbingParser(NULL, pkt, sizeof(pkt), NULL) != ALPROTO_FAILED);
/* Restore start byte. */
pkt[0] = 0x05;
/* Set the length to a value less than the minimum length of 5. */
pkt[2] = 0x03;
FAIL_IF(DNP3ProbingParser(pkt, sizeof(pkt), NULL) != ALPROTO_FAILED);
FAIL_IF(DNP3ProbingParser(NULL, pkt, sizeof(pkt), NULL) != ALPROTO_FAILED);
/* Send a banner. */
char mybanner[] = "Welcome to DNP3 SCADA.";
FAIL_IF(DNP3ProbingParser((uint8_t *)mybanner, sizeof(mybanner), NULL) != ALPROTO_DNP3);
FAIL_IF(DNP3ProbingParser(NULL, (uint8_t *)mybanner, sizeof(mybanner), NULL) != ALPROTO_DNP3);
PASS;
}

3
src/app-layer-dns-tcp-rust.c
Unescape Escape View File

@ -52,7 +52,8 @@ static int RustDNSTCPParseResponse(Flow *f, void *state,
local_data);
}
static uint16_t RustDNSTCPProbe(uint8_t *input, uint32_t len, uint32_t *offset)
static uint16_t RustDNSTCPProbe(Flow *f, uint8_t *input, uint32_t len,
uint32_t *offset)
{
SCLogDebug("RustDNSTCPProbe");
if (len == 0 || len < sizeof(DNSHeader)) {

11
src/app-layer-dns-tcp.c
Unescape Escape View File

@ -62,7 +62,7 @@ struct DNSTcpHeader_ {
} __attribute__((__packed__));
typedef struct DNSTcpHeader_ DNSTcpHeader;
static uint16_t DNSTcpProbingParser(uint8_t *input, uint32_t ilen,
static uint16_t DNSTcpProbingParser(Flow *f, uint8_t *input, uint32_t ilen,
uint32_t *offset);
/** \internal
@ -317,7 +317,7 @@ static int DNSTCPRequestParse(Flow *f, void *dstate,
/* Clear gap state. */
if (dns_state->gap_ts) {
if (DNSTcpProbingParser(input, input_len, NULL) == ALPROTO_DNS) {
if (DNSTcpProbingParser(f, input, input_len, NULL) == ALPROTO_DNS) {
SCLogDebug("New data probed as DNS, clearing gap state.");
BufferReset(dns_state);
dns_state->gap_ts = 0;
@ -557,7 +557,7 @@ static int DNSTCPResponseParse(Flow *f, void *dstate,
/* Clear gap state. */
if (dns_state->gap_tc) {
if (DNSTcpProbingParser(input, input_len, NULL) == ALPROTO_DNS) {
if (DNSTcpProbingParser(f, input, input_len, NULL) == ALPROTO_DNS) {
SCLogDebug("New data probed as DNS, clearing gap state.");
BufferReset(dns_state);
dns_state->gap_tc = 0;
@ -639,7 +639,8 @@ bad_data:
SCReturnInt(-1);
}
static uint16_t DNSTcpProbingParser(uint8_t *input, uint32_t ilen, uint32_t *offset)
static uint16_t DNSTcpProbingParser(Flow *f, uint8_t *input, uint32_t ilen,
uint32_t *offset)
{
if (ilen == 0 || ilen < sizeof(DNSTcpHeader)) {
SCLogDebug("ilen too small, hoped for at least %"PRIuMAX, (uintmax_t)sizeof(DNSTcpHeader));
@ -679,7 +680,7 @@ static uint16_t DNSTcpProbingParser(uint8_t *input, uint32_t ilen, uint32_t *off
* This is a minimal parser that just checks that the input contains enough
* data for a TCP DNS response.
*/
static uint16_t DNSTcpProbeResponse(uint8_t *input, uint32_t len,
static uint16_t DNSTcpProbeResponse(Flow *f, uint8_t *input, uint32_t len,
uint32_t *offset)
{
if (len == 0 || len < sizeof(DNSTcpHeader)) {

3
src/app-layer-dns-udp-rust.c
Unescape Escape View File

@ -50,7 +50,8 @@ static int RustDNSUDPParseResponse(Flow *f, void *state,
local_data);
}
static uint16_t DNSUDPProbe(uint8_t *input, uint32_t len, uint32_t *offset)
static uint16_t DNSUDPProbe(Flow *f, uint8_t *input, uint32_t len,
uint32_t *offset)
{
if (len == 0 || len < sizeof(DNSHeader)) {
return ALPROTO_UNKNOWN;

3
src/app-layer-dns-udp.c
Unescape Escape View File

@ -330,7 +330,8 @@ insufficient_data:
SCReturnInt(-1);
}
static uint16_t DNSUdpProbingParser(uint8_t *input, uint32_t ilen, uint32_t *offset)
static uint16_t DNSUdpProbingParser(Flow *f, uint8_t *input, uint32_t ilen,
uint32_t *offset)
{
if (ilen == 0 || ilen < sizeof(DNSHeader)) {
SCLogDebug("ilen too small, hoped for at least %"PRIuMAX, (uintmax_t)sizeof(DNSHeader));

2
src/app-layer-enip.c
Unescape Escape View File

@ -360,7 +360,7 @@ static int ENIPParse(Flow *f, void *state, AppLayerParserState *pstate,
static uint16_t ENIPProbingParser(uint8_t *input, uint32_t input_len,
static uint16_t ENIPProbingParser(Flow *f, uint8_t *input, uint32_t input_len,
uint32_t *offset)
{
// SCLogDebug("ENIPProbingParser %d", input_len);

3
src/app-layer-modbus.c
Unescape Escape View File

@ -1432,7 +1432,8 @@ static void ModbusStateFree(void *state)
SCReturn;
}
static uint16_t ModbusProbingParser(uint8_t *input,
static uint16_t ModbusProbingParser(Flow *f,
uint8_t *input,
uint32_t input_len,
uint32_t *offset)
{

4
src/app-layer-nfs-tcp.c
Unescape Escape View File

@ -117,7 +117,7 @@ static AppLayerDecoderEvents *NFSTCPGetEvents(void *state, uint64_t id)
* \retval ALPROTO_NFS if it looks like echo, otherwise
* ALPROTO_UNKNOWN.
*/
static AppProto NFSTCPProbingParserTS(uint8_t *input, uint32_t input_len,
static AppProto NFSTCPProbingParserTS(Flow *f, uint8_t *input, uint32_t input_len,
uint32_t *offset)
{
if (input_len < NFSTCP_MIN_FRAME_LEN) {
@ -135,7 +135,7 @@ static AppProto NFSTCPProbingParserTS(uint8_t *input, uint32_t input_len,
return ALPROTO_UNKNOWN;
}
static AppProto NFSTCPProbingParserTC(uint8_t *input, uint32_t input_len,
static AppProto NFSTCPProbingParserTC(Flow *f, uint8_t *input, uint32_t input_len,
uint32_t *offset)
{
if (input_len < NFSTCP_MIN_FRAME_LEN) {

4
src/app-layer-nfs-udp.c
Unescape Escape View File

@ -114,7 +114,7 @@ static AppLayerDecoderEvents *NFSGetEvents(void *state, uint64_t id)
* \retval ALPROTO_NFS if it looks like echo, otherwise
* ALPROTO_UNKNOWN.
*/
static AppProto NFSProbingParserTS(uint8_t *input, uint32_t input_len,
static AppProto NFSProbingParserTS(Flow *f, uint8_t *input, uint32_t input_len,
uint32_t *offset)
{
SCLogDebug("probing");
@ -136,7 +136,7 @@ static AppProto NFSProbingParserTS(uint8_t *input, uint32_t input_len,
return ALPROTO_UNKNOWN;
}
static AppProto NFSProbingParserTC(uint8_t *input, uint32_t input_len,
static AppProto NFSProbingParserTC(Flow *f, uint8_t *input, uint32_t input_len,
uint32_t *offset)
{
SCLogDebug("probing");

3
src/app-layer-smb.c
Unescape Escape View File

@ -1508,7 +1508,8 @@ static int SMBGetAlstateProgress(void *tx, uint8_t direction)
#define SMB_PROBING_PARSER_MIN_DEPTH 8
static uint16_t SMBProbingParser(uint8_t *input, uint32_t ilen, uint32_t *offset)
static uint16_t SMBProbingParser(Flow *f, uint8_t *input, uint32_t ilen,
uint32_t *offset)
{
int32_t len;
int32_t input_len = ilen;

3
src/app-layer-ssl.c
Unescape Escape View File

@ -1626,7 +1626,8 @@ static void SSLStateTransactionFree(void *state, uint64_t tx_id)
/* do nothing */
}
static uint16_t SSLProbingParser(uint8_t *input, uint32_t ilen, uint32_t *offset)
static uint16_t SSLProbingParser(Flow *f, uint8_t *input, uint32_t ilen,
uint32_t *offset)
{
/* probably a rst/fin sending an eof */
if (ilen == 0)

2
src/app-layer-template.c
Unescape Escape View File

@ -201,7 +201,7 @@ static int TemplateHasEvents(void *state)
* \retval ALPROTO_TEMPLATE if it looks like echo, otherwise
* ALPROTO_UNKNOWN.
*/
static AppProto TemplateProbingParser(uint8_t *input, uint32_t input_len,
static AppProto TemplateProbingParser(Flow *f, uint8_t *input, uint32_t input_len,
uint32_t *offset)
{
/* Very simple test - if there is input, this is echo. */

Write Preview
Loading…
Cancel
Save