aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add support for port based probing parsers for alproto detection

Browse Source
remotes/origin/master-1.1.x
Anoop Saldanha 14 years ago committed by Victor Julien
parent fe6e41e3ef
commit 7c31a2327e
6 changed files with 3376 additions and 45 deletions
Show Stats Download Patch File Download Diff File

193
src/app-layer-detect-proto.c
Unescape Escape View File

@ -344,7 +344,8 @@ void AppLayerDetectProtoThreadInit(void) {
}
/**
* \brief Get the app layer proto based on a buffer
* \brief Get the app layer proto based on a buffer using a Patter matcher
* parser.
*
* \param ctx Global app layer detection context
* \param tctx Thread app layer detection context
@ -354,7 +355,10 @@ void AppLayerDetectProtoThreadInit(void) {
*
* \retval proto App Layer proto, or ALPROTO_UNKNOWN if unknown
*/
uint16_t AppLayerDetectGetProto(AlpProtoDetectCtx *ctx, AlpProtoDetectThreadCtx *tctx, uint8_t *buf, uint16_t buflen, uint8_t flags, uint8_t ipproto) {
uint16_t AppLayerDetectGetProtoPMParser(AlpProtoDetectCtx *ctx,
AlpProtoDetectThreadCtx *tctx,
uint8_t *buf, uint16_t buflen,
uint8_t flags, uint8_t ipproto) {
SCEnter();
AlpProtoDetectDirection *dir;
@ -500,6 +504,167 @@ end:
SCReturnUInt(proto);
}
/**
* \brief Call the probing parser if it exists for this src or dst port.
*/
uint16_t AppLayerDetectGetProtoProbingParser(AlpProtoDetectCtx *ctx, Flow *f,
uint8_t *buf, uint16_t buflen,
uint8_t flags, uint8_t ipproto)
{
AppLayerProbingParserElement *pe = NULL;
AppLayerProbingParser *pp = NULL;
if (flags & STREAM_TOSERVER) {
pp = AppLayerGetProbingParsers(ipproto, f->dp);
if (pp == NULL) {
SCLogDebug("toserver-No probing parser registered for port %"PRIu16,
f->dp);
if (f->flags & FLOW_TS_PM_ALPROTO_DETECT_DONE) {
f->flags |= FLOW_TS_PM_PP_ALPROTO_DETECT_DONE;
return ALPROTO_UNKNOWN;
}
f->flags |= FLOW_TS_PP_ALPROTO_DETECT_DONE;
return ALPROTO_UNKNOWN;
}
if (pp->toserver_max_depth != 0 && buflen > pp->toserver_max_depth) {
if (f->flags & FLOW_TS_PM_ALPROTO_DETECT_DONE) {
f->flags |= FLOW_TS_PM_PP_ALPROTO_DETECT_DONE;
return ALPROTO_UNKNOWN;
}
f->flags |= FLOW_TS_PP_ALPROTO_DETECT_DONE;
return ALPROTO_UNKNOWN;
}
pe = pp->toserver;
} else {
pp = AppLayerGetProbingParsers(ipproto, f->sp);
if (pp == NULL) {
SCLogDebug("toclient-No probing parser registered for port %"PRIu16,
f->sp);
if (f->flags & FLOW_TC_PM_ALPROTO_DETECT_DONE) {
f->flags |= FLOW_TC_PM_PP_ALPROTO_DETECT_DONE;
return ALPROTO_UNKNOWN;
}
f->flags |= FLOW_TC_PP_ALPROTO_DETECT_DONE;
return ALPROTO_UNKNOWN;
}
if (pp->toclient_max_depth != 0 && buflen > pp->toclient_max_depth) {
if (f->flags & FLOW_TC_PM_ALPROTO_DETECT_DONE) {
f->flags |= FLOW_TC_PM_PP_ALPROTO_DETECT_DONE;
return ALPROTO_UNKNOWN;
}
f->flags |= FLOW_TC_PP_ALPROTO_DETECT_DONE;
return ALPROTO_UNKNOWN;
}
pe = pp->toclient;
}
while (pe != NULL) {
if (buflen < pe->min_depth ||
(pe->max_depth != 0 && buflen > pe->max_depth)) {
pe = pe->next;
continue;
}
uint16_t alproto = pe->ProbingParser(buf, buflen);
if (alproto != ALPROTO_UNKNOWN)
return alproto;
pe = pe->next;
}
return ALPROTO_UNKNOWN;
}
/**
* \brief Get the app layer proto.
*
* \param ctx Global app layer detection context.
* \param tctx Thread app layer detection context.
* \param f Pointer to the flow.
* \param buf Pointer to the buffer to inspect.
* \param buflen Lenght of the buffer.
* \param flags Flags.
*
* \retval proto App Layer proto, or ALPROTO_UNKNOWN if unknown
*/
uint16_t AppLayerDetectGetProto(AlpProtoDetectCtx *ctx,
AlpProtoDetectThreadCtx *tctx, Flow *f,
uint8_t *buf, uint32_t buflen,
uint8_t flags, uint8_t ipproto)
{
uint16_t alproto = ALPROTO_UNKNOWN;
if (flags & STREAM_TOSERVER) {
if (buflen >= alp_proto_ctx.toserver.max_len) {
if (f->flags & FLOW_TS_PM_ALPROTO_DETECT_DONE) {
/* the PM parser has already tried and failed. Now it is
* upto the probing parser */
;
} else {
alproto = AppLayerDetectGetProtoPMParser(ctx, tctx, buf, buflen,
flags, ipproto);
if (alproto != ALPROTO_UNKNOWN)
return alproto;
/* the alproto hasn't been detected at this point */
if (f->flags & FLOW_TS_PP_ALPROTO_DETECT_DONE) {
f->flags |= FLOW_TS_PM_PP_ALPROTO_DETECT_DONE;
return ALPROTO_UNKNOWN;
}
f->flags |= FLOW_TS_PM_ALPROTO_DETECT_DONE;
}
} else {
alproto = AppLayerDetectGetProtoPMParser(ctx, tctx, buf, buflen,
flags, ipproto);
if (alproto != ALPROTO_UNKNOWN)
return alproto;
}
/* If we have reached here, the PM parser has failed to detect the
* alproto.
*
* Check if the probing parser has already finished its duties. If it
* has, set flag to indicate both parsers have done all they could have
* to detect the alproto and failed. If it isn't through as yet, run
* the probing parser */
if (flags & FLOW_TS_PP_ALPROTO_DETECT_DONE) {
f->flags |= FLOW_TS_PM_PP_ALPROTO_DETECT_DONE;
return ALPROTO_UNKNOWN;
} else {
return AppLayerDetectGetProtoProbingParser(ctx, f, buf, buflen,
flags, ipproto);
}
/* STREAM_TOCLIENT */
} else {
if (buflen >= alp_proto_ctx.toclient.max_len) {
if (f->flags & FLOW_TC_PM_ALPROTO_DETECT_DONE) {
;
} else {
alproto = AppLayerDetectGetProtoPMParser(ctx, tctx, buf, buflen,
flags, ipproto);
if (alproto != ALPROTO_UNKNOWN)
return alproto;
if (f->flags & FLOW_TC_PP_ALPROTO_DETECT_DONE) {
f->flags |= FLOW_TC_PM_PP_ALPROTO_DETECT_DONE;
return ALPROTO_UNKNOWN;
}
f->flags |= FLOW_TC_PM_ALPROTO_DETECT_DONE;
}
} else {
alproto = AppLayerDetectGetProtoPMParser(ctx, tctx, buf, buflen,
flags, ipproto);
if (alproto != ALPROTO_UNKNOWN)
return alproto;
}
if (flags & FLOW_TC_PP_ALPROTO_DETECT_DONE) {
f->flags |= FLOW_TC_PM_PP_ALPROTO_DETECT_DONE;
return ALPROTO_UNKNOWN;
} else {
return AppLayerDetectGetProtoProbingParser(ctx, f, buf, buflen,
flags, ipproto);
}
}
}
/* VJ Originally I thought of having separate app layer
* handling threads, leaving this here in case we'll revisit that */
#if 0
@ -816,7 +981,7 @@ int AlpDetectTest05(void) {
AlpProtoFinalizeGlobal(&ctx);
AlpProtoFinalizeThread(&ctx, &tctx);
uint8_t proto = AppLayerDetectGetProto(&ctx, &tctx, l7data,sizeof(l7data), STREAM_TOCLIENT, IPPROTO_TCP);
uint8_t proto = AppLayerDetectGetProtoPMParser(&ctx, &tctx, l7data,sizeof(l7data), STREAM_TOCLIENT, IPPROTO_TCP);
if (proto != ALPROTO_HTTP) {
printf("proto %" PRIu8 " != %" PRIu8 ": ", proto, ALPROTO_HTTP);
r = 0;
@ -885,7 +1050,7 @@ int AlpDetectTest06(void) {
AlpProtoFinalizeGlobal(&ctx);
AlpProtoFinalizeThread(&ctx, &tctx);
uint8_t proto = AppLayerDetectGetProto(&ctx, &tctx, l7data,sizeof(l7data), STREAM_TOCLIENT, IPPROTO_TCP);
uint8_t proto = AppLayerDetectGetProtoPMParser(&ctx, &tctx, l7data,sizeof(l7data), STREAM_TOCLIENT, IPPROTO_TCP);
if (proto != ALPROTO_FTP) {
printf("proto %" PRIu8 " != %" PRIu8 ": ", proto, ALPROTO_FTP);
r = 0;
@ -942,7 +1107,7 @@ int AlpDetectTest07(void) {
AlpProtoFinalizeGlobal(&ctx);
AlpProtoFinalizeThread(&ctx, &tctx);
uint8_t proto = AppLayerDetectGetProto(&ctx, &tctx, l7data,sizeof(l7data), STREAM_TOCLIENT, IPPROTO_TCP);
uint8_t proto = AppLayerDetectGetProtoPMParser(&ctx, &tctx, l7data,sizeof(l7data), STREAM_TOCLIENT, IPPROTO_TCP);
if (proto != ALPROTO_UNKNOWN) {
printf("proto %" PRIu8 " != %" PRIu8 ": ", proto, ALPROTO_UNKNOWN);
r = 0;
@ -1010,7 +1175,7 @@ int AlpDetectTest08(void) {
AlpProtoFinalizeGlobal(&ctx);
AlpProtoFinalizeThread(&ctx, &tctx);
uint8_t proto = AppLayerDetectGetProto(&ctx, &tctx, l7data,sizeof(l7data), STREAM_TOCLIENT, IPPROTO_TCP);
uint8_t proto = AppLayerDetectGetProtoPMParser(&ctx, &tctx, l7data,sizeof(l7data), STREAM_TOCLIENT, IPPROTO_TCP);
if (proto != ALPROTO_SMB) {
printf("proto %" PRIu8 " != %" PRIu8 ": ", proto, ALPROTO_SMB);
r = 0;
@ -1075,7 +1240,7 @@ int AlpDetectTest09(void) {
AlpProtoFinalizeGlobal(&ctx);
AlpProtoFinalizeThread(&ctx, &tctx);
uint8_t proto = AppLayerDetectGetProto(&ctx, &tctx, l7data,sizeof(l7data), STREAM_TOCLIENT, IPPROTO_TCP);
uint8_t proto = AppLayerDetectGetProtoPMParser(&ctx, &tctx, l7data,sizeof(l7data), STREAM_TOCLIENT, IPPROTO_TCP);
if (proto != ALPROTO_SMB2) {
printf("proto %" PRIu8 " != %" PRIu8 ": ", proto, ALPROTO_SMB2);
r = 0;
@ -1135,7 +1300,7 @@ int AlpDetectTest10(void) {
AlpProtoFinalizeGlobal(&ctx);
AlpProtoFinalizeThread(&ctx, &tctx);
uint8_t proto = AppLayerDetectGetProto(&ctx, &tctx, l7data,sizeof(l7data), STREAM_TOCLIENT, IPPROTO_TCP);
uint8_t proto = AppLayerDetectGetProtoPMParser(&ctx, &tctx, l7data,sizeof(l7data), STREAM_TOCLIENT, IPPROTO_TCP);
if (proto != ALPROTO_DCERPC) {
printf("proto %" PRIu8 " != %" PRIu8 ": ", proto, ALPROTO_DCERPC);
r = 0;
@ -1192,13 +1357,13 @@ int AlpDetectTest11(void) {
AlpProtoFinalizeGlobal(&ctx);
AlpProtoFinalizeThread(&ctx, &tctx);
uint8_t proto = AppLayerDetectGetProto(&ctx, &tctx, l7data, sizeof(l7data), STREAM_TOCLIENT, IPPROTO_TCP);
uint8_t proto = AppLayerDetectGetProtoPMParser(&ctx, &tctx, l7data, sizeof(l7data), STREAM_TOCLIENT, IPPROTO_TCP);
if (proto == ALPROTO_HTTP) {
printf("proto %" PRIu8 " == %" PRIu8 ": ", proto, ALPROTO_HTTP);
r = 0;
}
proto = AppLayerDetectGetProto(&ctx, &tctx, l7data_resp, sizeof(l7data_resp), STREAM_TOSERVER, IPPROTO_TCP);
proto = AppLayerDetectGetProtoPMParser(&ctx, &tctx, l7data_resp, sizeof(l7data_resp), STREAM_TOSERVER, IPPROTO_TCP);
if (proto != ALPROTO_HTTP) {
printf("proto %" PRIu8 " != %" PRIu8 ": ", proto, ALPROTO_HTTP);
r = 0;
@ -1281,13 +1446,13 @@ int AlpDetectTest13(void) {
AlpProtoFinalizeGlobal(&ctx);
AlpProtoFinalizeThread(&ctx, &tctx);
uint8_t proto = AppLayerDetectGetProto(&ctx, &tctx, l7data, sizeof(l7data), STREAM_TOCLIENT, IPPROTO_TCP);
uint8_t proto = AppLayerDetectGetProtoPMParser(&ctx, &tctx, l7data, sizeof(l7data), STREAM_TOCLIENT, IPPROTO_TCP);
if (proto == ALPROTO_HTTP) {
printf("proto %" PRIu8 " == %" PRIu8 ": ", proto, ALPROTO_HTTP);
r = 0;
}
proto = AppLayerDetectGetProto(&ctx, &tctx, l7data_resp, sizeof(l7data_resp), STREAM_TOSERVER, IPPROTO_TCP);
proto = AppLayerDetectGetProtoPMParser(&ctx, &tctx, l7data_resp, sizeof(l7data_resp), STREAM_TOSERVER, IPPROTO_TCP);
if (proto == ALPROTO_HTTP) {
printf("proto %" PRIu8 " != %" PRIu8 ": ", proto, ALPROTO_HTTP);
r = 0;
@ -1332,13 +1497,13 @@ int AlpDetectTest14(void) {
AlpProtoFinalizeGlobal(&ctx);
AlpProtoFinalizeThread(&ctx, &tctx);
uint8_t proto = AppLayerDetectGetProto(&ctx, &tctx, l7data, sizeof(l7data), STREAM_TOCLIENT, IPPROTO_UDP);
uint8_t proto = AppLayerDetectGetProtoPMParser(&ctx, &tctx, l7data, sizeof(l7data), STREAM_TOCLIENT, IPPROTO_UDP);
if (proto == ALPROTO_HTTP) {
printf("proto %" PRIu8 " == %" PRIu8 ": ", proto, ALPROTO_HTTP);
r = 0;
}
proto = AppLayerDetectGetProto(&ctx, &tctx, l7data_resp, sizeof(l7data_resp), STREAM_TOSERVER, IPPROTO_UDP);
proto = AppLayerDetectGetProtoPMParser(&ctx, &tctx, l7data_resp, sizeof(l7data_resp), STREAM_TOSERVER, IPPROTO_UDP);
if (proto != ALPROTO_HTTP) {
printf("proto %" PRIu8 " != %" PRIu8 ": ", proto, ALPROTO_HTTP);
r = 0;

11
src/app-layer-detect-proto.h
Unescape Escape View File

@ -82,7 +82,16 @@ void *AppLayerDetectProtoThread(void *td);
void AppLayerDetectProtoThreadInit(void);
uint16_t AppLayerDetectGetProto(AlpProtoDetectCtx *, AlpProtoDetectThreadCtx *, uint8_t *, uint16_t, uint8_t, uint8_t);
uint16_t AppLayerDetectGetProtoPMParser(AlpProtoDetectCtx *,
AlpProtoDetectThreadCtx *,
uint8_t *, uint16_t,
uint8_t, uint8_t);
uint16_t AppLayerDetectGetProtoProbingParser(AlpProtoDetectCtx *, Flow *,
uint8_t *, uint16_t,
uint8_t, uint8_t);
uint16_t AppLayerDetectGetProto(AlpProtoDetectCtx *, AlpProtoDetectThreadCtx *,
Flow *, uint8_t *, uint32_t,
uint8_t, uint8_t);
void AlpProtoAdd(AlpProtoDetectCtx *, uint16_t, uint16_t, char *, uint16_t, uint16_t, uint8_t);
void AppLayerDetectProtoThreadSpawn(void);

3105
src/app-layer-parser.c
View File

File diff suppressed because it is too large Load Diff

52
src/app-layer-parser.h
Unescape Escape View File

@ -132,6 +132,58 @@ typedef struct AppLayerParserTableElement_ {
to be a certain size */
} AppLayerParserTableElement;
typedef struct AppLayerProbingParserElement_ {
const char *al_proto_name;
uint16_t al_proto;
uint16_t port;
uint8_t priority;
uint8_t top;
/* the min length of data that has to be supplied to invoke the parser */
uint32_t min_depth;
/* the max length of data after which this parser won't be invoked */
uint32_t max_depth;
/* the probing parser function */
uint16_t (*ProbingParser)(uint8_t *input, uint32_t input_len);
struct AppLayerProbingParserElement_ *next;
} AppLayerProbingParserElement;
typedef struct AppLayerProbingParser_ {
/* the port no for which probing parser(s) are invoked */
uint16_t port;
/* the max depth for all the probing parsers registered for this port */
uint16_t toserver_max_depth;
uint16_t toclient_max_depth;
AppLayerProbingParserElement *toserver;
AppLayerProbingParserElement *toclient;
struct AppLayerProbingParser_ *next;
} AppLayerProbingParser;
#define APP_LAYER_PROBING_PARSER_PRIORITY_HIGH 1
#define APP_LAYER_PROBING_PARSER_PRIORITY_MEDIUM 2
#define APP_LAYER_PROBING_PARSER_PRIORITY_LOW 3
extern AppLayerProbingParser *probing_parsers;
static inline AppLayerProbingParser *AppLayerGetProbingParsers(uint16_t ip_proto,
uint16_t port)
{
if (probing_parsers == NULL)
return NULL;
AppLayerProbingParser *pp = probing_parsers;
while (pp != NULL) {
if (pp->port == port) {
break;
}
pp = pp->next;
}
return pp;
}
/* prototypes */
void AppLayerParsersInitPostProcess(void);
void RegisterAppLayerParsers(void);

13
src/app-layer.c
Unescape Escape View File

@ -153,7 +153,8 @@ int AppLayerHandleTCPData(AlpProtoDetectThreadCtx *dp_ctx, Flow *f,
printf("=> Init Stream Data -- end\n");
}
#endif
alproto = AppLayerDetectGetProto(&alp_proto_ctx, dp_ctx,
alproto = AppLayerDetectGetProto(&alp_proto_ctx, dp_ctx, f,
data, data_len, flags, IPPROTO_TCP);
if (alproto != ALPROTO_UNKNOWN) {
/* store the proto and setup the L7 data array */
@ -164,13 +165,13 @@ int AppLayerHandleTCPData(AlpProtoDetectThreadCtx *dp_ctx, Flow *f,
} else {
if (flags & STREAM_TOSERVER) {
SCLogDebug("alp_proto_ctx.toserver.max_len %u", alp_proto_ctx.toserver.max_len);
if (data_len >= alp_proto_ctx.toserver.max_len) {
if (f->flags & FLOW_TS_PM_PP_ALPROTO_DETECT_DONE) {
ssn->flags |= STREAMTCP_FLAG_APPPROTO_DETECTION_COMPLETED;
SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
StreamTcpSetSessionNoReassemblyFlag(ssn, 0);
}
} else if (flags & STREAM_TOCLIENT) {
if (data_len >= alp_proto_ctx.toclient.max_len) {
} else {
if (f->flags & FLOW_TC_PM_PP_ALPROTO_DETECT_DONE) {
ssn->flags |= STREAMTCP_FLAG_APPPROTO_DETECTION_COMPLETED;
SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
StreamTcpSetSessionNoReassemblyFlag(ssn, 1);
@ -326,7 +327,7 @@ int AppLayerHandleMsg(AlpProtoDetectThreadCtx *dp_ctx, StreamMsg *smsg)
//PrintRawDataFp(stdout, smsg->init.data, smsg->init.data_len);
//printf("=> Init Stream Data -- end\n");
alproto = AppLayerDetectGetProto(&alp_proto_ctx, dp_ctx,
alproto = AppLayerDetectGetProto(&alp_proto_ctx, dp_ctx, f
smsg->data.data, smsg->data.data_len, smsg->flow->alflags, IPPROTO_TCP);
if (alproto != ALPROTO_UNKNOWN) {
/* store the proto and setup the L7 data array */
@ -480,7 +481,7 @@ int AppLayerHandleUdp(AlpProtoDetectThreadCtx *dp_ctx, Flow *f, Packet *p)
//PrintRawDataFp(stdout, smsg->init.data, smsg->init.data_len);
//printf("=> Init Stream Data -- end\n");
alproto = AppLayerDetectGetProto(&alp_proto_ctx, dp_ctx,
alproto = AppLayerDetectGetProto(&alp_proto_ctx, dp_ctx, f,
p->payload, p->payload_len, flags, IPPROTO_UDP);
if (alproto != ALPROTO_UNKNOWN) {
/* store the proto and setup the L7 data array */

47
src/flow.h
Unescape Escape View File

@ -38,44 +38,57 @@
/* per flow flags */
/** At least on packet from the source address was seen */
#define FLOW_TO_SRC_SEEN 0x00000001
#define FLOW_TO_SRC_SEEN 0x00000001
/** At least on packet from the destination address was seen */
#define FLOW_TO_DST_SEEN 0x00000002
#define FLOW_TO_DST_SEEN 0x00000002
/** Flow lives in the flow-state-NEW list */
#define FLOW_NEW_LIST 0x00000004
#define FLOW_NEW_LIST 0x00000004
/** Flow lives in the flow-state-EST (established) list */
#define FLOW_EST_LIST 0x00000008
#define FLOW_EST_LIST 0x00000008
/** Flow lives in the flow-state-CLOSED list */
#define FLOW_CLOSED_LIST 0x00000010
#define FLOW_CLOSED_LIST 0x00000010
/** Flow was inspected against IP-Only sigs in the toserver direction */
#define FLOW_TOSERVER_IPONLY_SET 0x00000020
#define FLOW_TOSERVER_IPONLY_SET 0x00000020
/** Flow was inspected against IP-Only sigs in the toclient direction */
#define FLOW_TOCLIENT_IPONLY_SET 0x00000040
#define FLOW_TOCLIENT_IPONLY_SET 0x00000040
/** Packet belonging to this flow should not be inspected at all */
#define FLOW_NOPACKET_INSPECTION 0x00000080
#define FLOW_NOPACKET_INSPECTION 0x00000080
/** Packet payloads belonging to this flow should not be inspected */
#define FLOW_NOPAYLOAD_INSPECTION 0x00000100
#define FLOW_NOPAYLOAD_INSPECTION 0x00000100
/** All packets in this flow should be dropped */
#define FLOW_ACTION_DROP 0x00000200
#define FLOW_ACTION_DROP 0x00000200
/** All packets in this flow should be accepted */
#define FLOW_ACTION_PASS 0x00000400
#define FLOW_ACTION_PASS 0x00000400
/** Sgh for toserver direction set (even if it's NULL) */
#define FLOW_SGH_TOSERVER 0x00000800
#define FLOW_SGH_TOSERVER 0x00000800
/** Sgh for toclient direction set (even if it's NULL) */
#define FLOW_SGH_TOCLIENT 0x00001000
#define FLOW_SGH_TOCLIENT 0x00001000
/** packet to server direction has been logged in drop file (only in IPS mode) */
#define FLOW_TOSERVER_DROP_LOGGED 0x00002000
#define FLOW_TOSERVER_DROP_LOGGED 0x00002000
/** packet to client direction has been logged in drop file (only in IPS mode) */
#define FLOW_TOCLIENT_DROP_LOGGED 0x00004000
#define FLOW_TOCLIENT_DROP_LOGGED 0x00004000
/** alproto detect done. Right now we need it only for udp */
#define FLOW_ALPROTO_DETECT_DONE 0x00008000
#define FLOW_NO_APPLAYER_INSPECTION 0x00010000
#define FLOW_ALPROTO_DETECT_DONE 0x00008000
#define FLOW_NO_APPLAYER_INSPECTION 0x00010000
/* Pattern matcher alproto detection done */
#define FLOW_TS_PM_ALPROTO_DETECT_DONE 0x00020000
/* Probing parser alproto detection done */
#define FLOW_TS_PP_ALPROTO_DETECT_DONE 0x00040000
/* Both pattern matcher and probing parser alproto detection done */
#define FLOW_TS_PM_PP_ALPROTO_DETECT_DONE 0x00080000
/* Pattern matcher alproto detection done */
#define FLOW_TC_PM_ALPROTO_DETECT_DONE 0x00100000
/* Probing parser alproto detection done */
#define FLOW_TC_PP_ALPROTO_DETECT_DONE 0x00200000
/* Both pattern matcher and probing parser alproto detection done */
#define FLOW_TC_PM_PP_ALPROTO_DETECT_DONE 0x00400000
/* pkt flow flags */
#define FLOW_PKT_TOSERVER 0x01

Write Preview
Loading…
Cancel
Save