snmp: register protocol dynamically

Ticket: 4103
1 year ago · d24a3eb5f6
parent 640a4c8b11
commit d24a3eb5f6
7 changed files with 40 additions and 32 deletions
--- a/rust/src/applayer.rs
+++ b/rust/src/applayer.rs
@ -491,6 +491,11 @@ pub type ApplyTxConfigFn = unsafe extern "C" fn (*mut c_void, *mut c_void, c_int
 pub type GetFrameIdByName = unsafe extern "C" fn(*const c_char) -> c_int;
 pub type GetFrameNameById = unsafe extern "C" fn(u8) -> *const c_char;

+// Defined in detect-engine-register.h
+/// cbindgen:ignore
+extern "C" {
+    pub fn SigTablePreRegister(cb: unsafe extern "C" fn ());
+}

 // Defined in app-layer-register.h
 /// cbindgen:ignore
--- a/rust/src/snmp/snmp.rs
+++ b/rust/src/snmp/snmp.rs
@ -22,6 +22,8 @@ use crate::flow::Flow;
 use crate::snmp::snmp_parser::*;
 use crate::core::{self, *};
 use crate::applayer::{self, *};
+use super::log::SCSnmpLogJsonResponse;
+use super::detect::SCDetectSNMPRegister;
 use std;
 use std::ffi::CString;

@ -30,7 +32,10 @@ use der_parser::ber::BerObjectContent;
 use der_parser::der::parse_der_sequence;
 use nom7::{Err, IResult};
 use nom7::error::{ErrorKind, make_error};
-use suricata_sys::sys::AppProto;
+use suricata_sys::sys::{
+    AppProto, AppProtoNewProtoFromString, EveJsonTxLoggerRegistrationData,
+    SCOutputJsonLogDirection, SCOutputEvePreRegisterLogger,
+};

 #[derive(AppLayerEvent)]
 pub enum SNMPEvent {
@ -404,20 +409,28 @@ pub unsafe extern "C" fn SCRegisterSnmpParser() {
        get_frame_name_by_id: None,
    };
    let ip_proto_str = CString::new("udp").unwrap();
+    ALPROTO_SNMP = AppProtoNewProtoFromString(PARSER_NAME.as_ptr() as *const std::os::raw::c_char);
+    let reg_data = EveJsonTxLoggerRegistrationData {
+        confname: b"eve-log.snmp\0".as_ptr() as *const std::os::raw::c_char,
+        logname: b"JsonSNMPLog\0".as_ptr() as *const std::os::raw::c_char,
+        alproto: ALPROTO_SNMP,
+        dir: SCOutputJsonLogDirection::LOG_DIR_PACKET as u8,
+        LogTx: Some(SCSnmpLogJsonResponse),
+    };
+    SCOutputEvePreRegisterLogger(reg_data);
+    SigTablePreRegister(SCDetectSNMPRegister);
    if AppLayerProtoDetectConfProtoDetectionEnabled(ip_proto_str.as_ptr(), parser.name) != 0 {
        // port 161
-        let alproto = AppLayerRegisterProtocolDetection(&parser, 1);
-        // store the allocated ID for the probe function
-        ALPROTO_SNMP = alproto;
+        _ = AppLayerRegisterProtocolDetection(&parser, 1);
        if AppLayerParserConfParserEnabled(ip_proto_str.as_ptr(), parser.name) != 0 {
-            let _ = AppLayerRegisterParser(&parser, alproto);
+            let _ = AppLayerRegisterParser(&parser, ALPROTO_SNMP);
        }
        // port 162
        let default_port_traps = CString::new("162").unwrap();
        parser.default_port = default_port_traps.as_ptr();
        let _ = AppLayerRegisterProtocolDetection(&parser, 1);
        if AppLayerParserConfParserEnabled(ip_proto_str.as_ptr(), parser.name) != 0 {
-            let _ = AppLayerRegisterParser(&parser, alproto);
+            let _ = AppLayerRegisterParser(&parser, ALPROTO_SNMP);
        }
        AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_SNMP);
    } else {
--- a/rust/sys/src/sys.rs
+++ b/rust/sys/src/sys.rs
@ -30,22 +30,21 @@ pub enum AppProtoEnum {
    ALPROTO_KRB5 = 21,
    ALPROTO_QUIC = 22,
    ALPROTO_DHCP = 23,
-    ALPROTO_SNMP = 24,
-    ALPROTO_SIP = 25,
-    ALPROTO_RFB = 26,
-    ALPROTO_MQTT = 27,
-    ALPROTO_PGSQL = 28,
-    ALPROTO_TELNET = 29,
-    ALPROTO_WEBSOCKET = 30,
-    ALPROTO_LDAP = 31,
-    ALPROTO_DOH2 = 32,
-    ALPROTO_TEMPLATE = 33,
-    ALPROTO_RDP = 34,
-    ALPROTO_HTTP2 = 35,
-    ALPROTO_BITTORRENT_DHT = 36,
-    ALPROTO_POP3 = 37,
-    ALPROTO_HTTP = 38,
-    ALPROTO_MAX_STATIC = 39,
+    ALPROTO_SIP = 24,
+    ALPROTO_RFB = 25,
+    ALPROTO_MQTT = 26,
+    ALPROTO_PGSQL = 27,
+    ALPROTO_TELNET = 28,
+    ALPROTO_WEBSOCKET = 29,
+    ALPROTO_LDAP = 30,
+    ALPROTO_DOH2 = 31,
+    ALPROTO_TEMPLATE = 32,
+    ALPROTO_RDP = 33,
+    ALPROTO_HTTP2 = 34,
+    ALPROTO_BITTORRENT_DHT = 35,
+    ALPROTO_POP3 = 36,
+    ALPROTO_HTTP = 37,
+    ALPROTO_MAX_STATIC = 38,
 }
 pub type AppProto = u16;
 extern "C" {
--- a/src/app-layer-protos.h
+++ b/src/app-layer-protos.h
@ -56,7 +56,6 @@ enum AppProtoEnum {
    ALPROTO_KRB5,
    ALPROTO_QUIC,
    ALPROTO_DHCP,
-    ALPROTO_SNMP,
    ALPROTO_SIP,
    ALPROTO_RFB,
    ALPROTO_MQTT,
@ -78,6 +77,7 @@ enum AppProtoEnum {
    /* keep last */
    ALPROTO_MAX_STATIC,
    // After this ALPROTO_MAX_STATIC can come dynamic alproto ids
+    // For example, ALPROTO_SNMP is now dynamic
 };
 // NOTE: if ALPROTO's get >= 256, update SignatureNonPrefilterStore

--- a/src/app-layer.c
+++ b/src/app-layer.c
@ -1057,7 +1057,6 @@ static void AppLayerNamesSetup(void)
    AppProtoRegisterProtoString(ALPROTO_KRB5, "krb5");
    AppProtoRegisterProtoString(ALPROTO_QUIC, "quic");
    AppProtoRegisterProtoString(ALPROTO_DHCP, "dhcp");
-    AppProtoRegisterProtoString(ALPROTO_SNMP, "snmp");
    AppProtoRegisterProtoString(ALPROTO_SIP, "sip");
    AppProtoRegisterProtoString(ALPROTO_RFB, "rfb");
    AppProtoRegisterProtoString(ALPROTO_MQTT, "mqtt");
--- a/src/detect-engine-register.c
+++ b/src/detect-engine-register.c
@ -741,7 +741,6 @@ void SigTableSetup(void)
    DetectEmailRegister();

    SCDetectSMTPRegister();
-    SCDetectSNMPRegister();
    SCDetectDHCPRegister();
    SCDetectWebsocketRegister();
    SCDetectEnipRegister();
--- a/src/output.c
+++ b/src/output.c
@ -906,8 +906,6 @@ void OutputRegisterRootLoggers(void)
            ALPROTO_KRB5, (EveJsonSimpleTxLogFunc)rs_krb5_log_json_response, NULL);
    RegisterSimpleJsonApplayerLogger(ALPROTO_QUIC, (EveJsonSimpleTxLogFunc)rs_quic_to_json, NULL);
    // ALPROTO_DHCP TODO missing
-    RegisterSimpleJsonApplayerLogger(
-            ALPROTO_SNMP, (EveJsonSimpleTxLogFunc)SCSnmpLogJsonResponse, NULL);
    RegisterSimpleJsonApplayerLogger(ALPROTO_SIP, (EveJsonSimpleTxLogFunc)rs_sip_log_json, NULL);
    RegisterSimpleJsonApplayerLogger(ALPROTO_RFB, (EveJsonSimpleTxLogFunc)rs_rfb_logger_log, NULL);
    RegisterSimpleJsonApplayerLogger(
@ -1111,12 +1109,7 @@ void OutputRegisterLoggers(void)
    SCLogDebug("quic json logger registered.");
    /* DHCP JSON logger. */
    JsonDHCPLogRegister();
-    /* SNMP JSON logger. */
-    OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonSNMPLog", "eve-log.snmp",
-            OutputJsonLogInitSub, ALPROTO_SNMP, JsonGenericDirPacketLogger, JsonLogThreadInit,
-            JsonLogThreadDeinit);

-    SCLogDebug("SNMP JSON logger registered.");
    /* SIP JSON logger. */
    OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonSIPLog", "eve-log.sip",
            OutputJsonLogInitSub, ALPROTO_SIP, JsonGenericDirPacketLogger, JsonLogThreadInit,