Introduce new options into the conf file to enable/disable -

1. Proto detection
2. Parsers

For app layer protocols.

libhtp has now been moved to the section under app-layer.protocols.http,
but we still provide backward compatibility with older conf files.
Anoop Saldanha 13 years ago
parent d9686fae57
commit ddde572fba

@ -720,18 +720,30 @@ static void DCERPCUDPStateFree(void *s) {
void RegisterDCERPCUDPParsers(void) { void RegisterDCERPCUDPParsers(void) {
char *proto_name = "dcerpcudp"; char *proto_name = "dcerpcudp";
/** DCERPC */ if (AppLayerProtoDetectionEnabled("dcerpc")) {
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_UDP, ALPROTO_DCERPC_UDP, "|04 00|", 2, 0, STREAM_TOSERVER); AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_UDP, ALPROTO_DCERPC_UDP, "|04 00|", 2, 0, STREAM_TOSERVER);
} else {
AppLayerRegisterProto(proto_name, ALPROTO_DCERPC_UDP, STREAM_TOSERVER, SCLogInfo("Protocol detection and parser disabled for %s protocol.",
DCERPCUDPParse); "dcerpc");
AppLayerRegisterProto(proto_name, ALPROTO_DCERPC_UDP, STREAM_TOCLIENT, return;
DCERPCUDPParse); }
AppLayerRegisterStateFuncs(ALPROTO_DCERPC_UDP, DCERPCUDPStateAlloc,
DCERPCUDPStateFree); if (AppLayerParserEnabled("dcerpc")) {
AppLayerRegisterProto(proto_name, ALPROTO_DCERPC_UDP, STREAM_TOSERVER,
DCERPCUDPParse);
AppLayerRegisterProto(proto_name, ALPROTO_DCERPC_UDP, STREAM_TOCLIENT,
DCERPCUDPParse);
AppLayerRegisterStateFuncs(ALPROTO_DCERPC_UDP, DCERPCUDPStateAlloc,
DCERPCUDPStateFree);
} else {
SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
"still on.", "dcerpc");
}
#ifdef UNITTESTS #ifdef UNITTESTS
AppLayerRegisterUnittests(ALPROTO_DCERPC_UDP, DCERPCUDPParserRegisterTests); AppLayerRegisterUnittests(ALPROTO_DCERPC_UDP, DCERPCUDPParserRegisterTests);
#endif #endif
return;
} }
/* UNITTESTS */ /* UNITTESTS */
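Review bot: The parser-disabled message at the end of the hunk is two adjacent string literals with no space between them, so it logs "Protocol detectionstill on.", and "Parsed" should read "Parser"; the same literal appears in the DCERPC, DNS TCP/UDP, FTP, HTTP, SMB, SMB2, SMTP, SSH and TLS hunks of this commit. The fix is one line per site: `SCLogInfo("Parser disabled for %s protocol. Protocol detection "` followed by `"still on.", "dcerpc");`. This hunk also keys both checks on the literal "dcerpc" while `proto_name` is "dcerpcudp", so the UDP parser is governed by the TCP protocol's conf entry; if that is intended, a comment such as `/* dcerpcudp is controlled by the "dcerpc" conf entry */` above the first check would keep it from being "fixed" later.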

@ -1869,18 +1869,30 @@ static void DCERPCStateFree(void *s) {
void RegisterDCERPCParsers(void) { void RegisterDCERPCParsers(void) {
char *proto_name = "dcerpc"; char *proto_name = "dcerpc";
/** DCERPC */ if (AppLayerProtoDetectionEnabled(proto_name)) {
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_DCERPC, "|05 00|", 2, 0, STREAM_TOSERVER); AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_DCERPC, "|05 00|", 2, 0, STREAM_TOSERVER);
} else {
AppLayerRegisterProto(proto_name, ALPROTO_DCERPC, STREAM_TOSERVER, SCLogInfo("Protocol detection and parser disabled for %s protocol.",
DCERPCParseRequest); proto_name);
AppLayerRegisterProto(proto_name, ALPROTO_DCERPC, STREAM_TOCLIENT, return;
DCERPCParseResponse); }
AppLayerRegisterStateFuncs(ALPROTO_DCERPC, DCERPCStateAlloc,
DCERPCStateFree); if (AppLayerParserEnabled(proto_name)) {
AppLayerRegisterProto(proto_name, ALPROTO_DCERPC, STREAM_TOSERVER,
DCERPCParseRequest);
AppLayerRegisterProto(proto_name, ALPROTO_DCERPC, STREAM_TOCLIENT,
DCERPCParseResponse);
AppLayerRegisterStateFuncs(ALPROTO_DCERPC, DCERPCStateAlloc,
DCERPCStateFree);
} else {
SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
"still on.", proto_name);
}
#ifdef UNITTESTS #ifdef UNITTESTS
AppLayerRegisterUnittests(ALPROTO_DCERPC, DCERPCParserRegisterTests); AppLayerRegisterUnittests(ALPROTO_DCERPC, DCERPCParserRegisterTests);
#endif #endif
return;
} }
/* UNITTESTS */ /* UNITTESTS */

@ -578,35 +578,46 @@ void RegisterDNSTCPParsers(void) {
char *proto_name = "dnstcp"; char *proto_name = "dnstcp";
/** DNS */ /** DNS */
AppLayerRegisterProto(proto_name, ALPROTO_DNS_TCP, STREAM_TOSERVER, if (AppLayerProtoDetectionEnabled(proto_name)) {
DNSTCPRequestParse); AppLayerRegisterProbingParser(&alp_proto_ctx,
AppLayerRegisterProto(proto_name, ALPROTO_DNS_TCP, STREAM_TOCLIENT, IPPROTO_TCP,
DNSTCPResponseParse); "53",
AppLayerRegisterStateFuncs(ALPROTO_DNS_TCP, DNSStateAlloc, proto_name,
DNSStateFree); ALPROTO_DNS_TCP,
AppLayerRegisterTxFreeFunc(ALPROTO_DNS_TCP, 0, sizeof(DNSTcpHeader),
DNSStateTransactionFree); STREAM_TOSERVER,
DNSTcpProbingParser);
AppLayerRegisterGetEventsFunc(ALPROTO_DNS_TCP, DNSGetEvents); } else {
AppLayerRegisterHasEventsFunc(ALPROTO_DNS_TCP, DNSHasEvents); SCLogInfo("Protocol detection and parser disabled for %s protocol.",
proto_name);
AppLayerRegisterGetTx(ALPROTO_DNS_TCP, return;
DNSGetTx); }
AppLayerRegisterGetTxCnt(ALPROTO_DNS_TCP,
DNSGetTxCnt); if (AppLayerParserEnabled(proto_name)) {
AppLayerRegisterGetAlstateProgressFunc(ALPROTO_DNS_TCP, AppLayerRegisterProto(proto_name, ALPROTO_DNS_TCP, STREAM_TOSERVER,
DNSGetAlstateProgress); DNSTCPRequestParse);
AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_DNS_TCP, AppLayerRegisterProto(proto_name, ALPROTO_DNS_TCP, STREAM_TOCLIENT,
DNSGetAlstateProgressCompletionStatus); DNSTCPResponseParse);
AppLayerRegisterStateFuncs(ALPROTO_DNS_TCP, DNSStateAlloc,
AppLayerRegisterProbingParser(&alp_proto_ctx, DNSStateFree);
IPPROTO_TCP, AppLayerRegisterTxFreeFunc(ALPROTO_DNS_TCP,
"53", DNSStateTransactionFree);
proto_name,
ALPROTO_DNS_TCP, AppLayerRegisterGetEventsFunc(ALPROTO_DNS_TCP, DNSGetEvents);
0, sizeof(DNSTcpHeader), AppLayerRegisterHasEventsFunc(ALPROTO_DNS_TCP, DNSHasEvents);
STREAM_TOSERVER,
DNSTcpProbingParser); AppLayerRegisterGetTx(ALPROTO_DNS_TCP,
DNSGetTx);
AppLayerRegisterGetTxCnt(ALPROTO_DNS_TCP,
DNSGetTxCnt);
AppLayerRegisterGetAlstateProgressFunc(ALPROTO_DNS_TCP,
DNSGetAlstateProgress);
AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_DNS_TCP,
DNSGetAlstateProgressCompletionStatus);
} else {
SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
"still on.", proto_name);
}
DNSAppLayerDecoderEventsRegister(ALPROTO_DNS_TCP); DNSAppLayerDecoderEventsRegister(ALPROTO_DNS_TCP);
} }
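Review bot: `DNSAppLayerDecoderEventsRegister(ALPROTO_DNS_TCP)` is left outside the parser-enabled branch here, while the sibling DNS UDP hunk moves the UDP call inside its branch, so the two registrars disagree on whether decoder events are registered when the parser is off. Pick one placement for both; if the events are only meaningful with a parser attached (which I cannot confirm from the hunk), move this call inside the `if (AppLayerParserEnabled(proto_name))` block as the UDP side does.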

@ -298,37 +298,48 @@ void RegisterDNSUDPParsers(void) {
char *proto_name = "dnsudp"; char *proto_name = "dnsudp";
/** DNS */ /** DNS */
AppLayerRegisterProto(proto_name, ALPROTO_DNS_UDP, STREAM_TOSERVER, if (AppLayerProtoDetectionEnabled(proto_name)) {
DNSUDPRequestParse); AppLayerRegisterProbingParser(&alp_proto_ctx,
AppLayerRegisterProto(proto_name, ALPROTO_DNS_UDP, STREAM_TOCLIENT, IPPROTO_UDP,
DNSUDPResponseParse); "53",
AppLayerRegisterStateFuncs(ALPROTO_DNS_UDP, DNSStateAlloc, proto_name,
DNSStateFree); ALPROTO_DNS_UDP,
AppLayerRegisterTxFreeFunc(ALPROTO_DNS_UDP, 0, sizeof(DNSHeader),
DNSStateTransactionFree); STREAM_TOSERVER,
DNSUdpProbingParser);
AppLayerRegisterGetEventsFunc(ALPROTO_DNS_UDP, DNSGetEvents); } else {
AppLayerRegisterHasEventsFunc(ALPROTO_DNS_UDP, DNSHasEvents); SCLogInfo("Protocol detection and parser disabled for %s protocol.",
proto_name);
AppLayerRegisterGetTx(ALPROTO_DNS_UDP, return;
DNSGetTx); }
AppLayerRegisterGetTxCnt(ALPROTO_DNS_UDP,
DNSGetTxCnt); if (AppLayerParserEnabled(proto_name)) {
AppLayerRegisterGetAlstateProgressFunc(ALPROTO_DNS_UDP, AppLayerRegisterProto(proto_name, ALPROTO_DNS_UDP, STREAM_TOSERVER,
DNSGetAlstateProgress); DNSUDPRequestParse);
AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_DNS_UDP, AppLayerRegisterProto(proto_name, ALPROTO_DNS_UDP, STREAM_TOCLIENT,
DNSGetAlstateProgressCompletionStatus); DNSUDPResponseParse);
AppLayerRegisterStateFuncs(ALPROTO_DNS_UDP, DNSStateAlloc,
AppLayerRegisterProbingParser(&alp_proto_ctx, DNSStateFree);
IPPROTO_UDP, AppLayerRegisterTxFreeFunc(ALPROTO_DNS_UDP,
"53", DNSStateTransactionFree);
proto_name,
ALPROTO_DNS_UDP, AppLayerRegisterGetEventsFunc(ALPROTO_DNS_UDP, DNSGetEvents);
0, sizeof(DNSHeader), AppLayerRegisterHasEventsFunc(ALPROTO_DNS_UDP, DNSHasEvents);
STREAM_TOSERVER,
DNSUdpProbingParser); AppLayerRegisterGetTx(ALPROTO_DNS_UDP,
DNSGetTx);
DNSAppLayerDecoderEventsRegister(ALPROTO_DNS_UDP); AppLayerRegisterGetTxCnt(ALPROTO_DNS_UDP,
DNSGetTxCnt);
AppLayerRegisterGetAlstateProgressFunc(ALPROTO_DNS_UDP,
DNSGetAlstateProgress);
AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_DNS_UDP,
DNSGetAlstateProgressCompletionStatus);
DNSAppLayerDecoderEventsRegister(ALPROTO_DNS_UDP);
} else {
SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
"still on.", proto_name);
}
} }
/* UNITTESTS */ /* UNITTESTS */

@ -262,23 +262,29 @@ static void FTPStateFree(void *s) {
#endif #endif
} }
void RegisterFTPParsers(void) { void RegisterFTPParsers(void) {
char *proto_name = "ftp"; char *proto_name = "ftp";
/** FTP */ /** FTP */
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_FTP, "USER ", 5, 0, STREAM_TOSERVER); if (AppLayerProtoDetectionEnabled(proto_name)) {
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_FTP, "PASS ", 5, 0, STREAM_TOSERVER); AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_FTP, "USER ", 5, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_FTP, "PORT ", 5, 0, STREAM_TOSERVER); AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_FTP, "PASS ", 5, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_FTP, "PORT ", 5, 0, STREAM_TOSERVER);
AppLayerRegisterProto(proto_name, ALPROTO_FTP, STREAM_TOSERVER, }
FTPParseRequest);
AppLayerRegisterProto(proto_name, ALPROTO_FTP, STREAM_TOCLIENT, if (AppLayerParserEnabled(proto_name)) {
FTPParseResponse); AppLayerRegisterProto(proto_name, ALPROTO_FTP, STREAM_TOSERVER,
AppLayerRegisterParser("ftp.request_command_line", ALPROTO_FTP, FTPParseRequest);
FTP_FIELD_REQUEST_LINE, FTPParseRequestCommandLine, AppLayerRegisterProto(proto_name, ALPROTO_FTP, STREAM_TOCLIENT,
"ftp"); FTPParseResponse);
AppLayerRegisterStateFuncs(ALPROTO_FTP, FTPStateAlloc, FTPStateFree); AppLayerRegisterParser("ftp.request_command_line", ALPROTO_FTP,
FTP_FIELD_REQUEST_LINE, FTPParseRequestCommandLine,
"ftp");
AppLayerRegisterStateFuncs(ALPROTO_FTP, FTPStateAlloc, FTPStateFree);
} else {
SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
"still on.", proto_name);
}
#ifdef UNITTESTS #ifdef UNITTESTS
AppLayerRegisterUnittests(ALPROTO_FTP, FTPParserRegisterTests); AppLayerRegisterUnittests(ALPROTO_FTP, FTPParserRegisterTests);
#endif #endif
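Review bot: The detection check in this hunk has no `else` branch, so when `app-layer.protocols.ftp.enabled` is "no" the function falls through and still registers the FTP parser and state functions, unlike every other protocol in this commit, which logs and returns. Add the same tail after the closing brace of the detection block: `} else {`, `SCLogInfo("Protocol detection and parser disabled for %s protocol.", proto_name); return;`, `}`. The body of `RegisterFTPParsers` continues past the end of the hunk.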

@ -1853,6 +1853,9 @@ void HTPFreeConfig(void)
{ {
SCEnter(); SCEnter();
if (!AppLayerProtoDetectionEnabled("http") || !AppLayerParserEnabled("http"))
SCReturn;
HTPCfgRec *nextrec = cfglist.next; HTPCfgRec *nextrec = cfglist.next;
SCRadixReleaseRadixTree(cfgtree); SCRadixReleaseRadixTree(cfgtree);
cfgtree = NULL; cfgtree = NULL;
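Review bot: The new early return skips the whole teardown when either option is off, which is only correct because `HTPConfigure()` now runs solely when both are enabled; that coupling is not visible from this function and deserves a comment, e.g. `/* HTPConfigure() only runs when detection and parser are both enabled, so there is nothing to release otherwise */` above the check. `HTPFreeConfig` starts and ends outside the hunk.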
@ -2284,15 +2287,24 @@ void HTPConfigure(void)
} }
SCLogDebug("LIBHTP default config: %p", cfglist.cfg); SCLogDebug("LIBHTP default config: %p", cfglist.cfg);
HTPConfigSetDefaultsPhase1(&cfglist); HTPConfigSetDefaultsPhase1(&cfglist);
HTPConfigParseParameters(&cfglist, ConfGetNode("libhtp.default-config"), if (ConfGetNode("app-layer.protocols.http.libhtp") == NULL) {
cfgtree); HTPConfigParseParameters(&cfglist, ConfGetNode("libhtp.default-config"),
cfgtree);
} else {
HTPConfigParseParameters(&cfglist, ConfGetNode("app-layer.protocols.http.libhtp.default-config"), cfgtree);
}
HTPConfigSetDefaultsPhase2(&cfglist); HTPConfigSetDefaultsPhase2(&cfglist);
/* Read server config and create a parser for each IP in radix tree */ /* Read server config and create a parser for each IP in radix tree */
ConfNode *server_config = ConfGetNode("libhtp.server-config"); ConfNode *server_config = ConfGetNode("app-layer.protocols.http.libhtp.server-config");
if (server_config == NULL) {
server_config = ConfGetNode("libhtp.server-config");
if (server_config == NULL) {
SCLogDebug("LIBHTP Configuring %p", server_config);
SCReturn;
}
}
SCLogDebug("LIBHTP Configuring %p", server_config); SCLogDebug("LIBHTP Configuring %p", server_config);
if (server_config == NULL)
SCReturn;
ConfNode *si; ConfNode *si;
/* Server Nodes */ /* Server Nodes */
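Review bot: The two config lookups in this hunk use different fallback rules: `default-config` is taken from the legacy `libhtp` section only when the whole `app-layer.protocols.http.libhtp` node is absent, whereas `server-config` is resolved per key with a fallback to `libhtp.server-config`, so a new-style file that defines `server-config` but not `default-config` passes a NULL node to `HTPConfigParseParameters` (whether that function tolerates NULL is outside the hunk). The nested `if (server_config == NULL)` also repeats the `SCLogDebug("LIBHTP Configuring %p", ...)` line that already follows it. Resolving `default-config` the same way as `server-config` makes the precedence uniform; `HTPConfigure` starts and ends outside the hunk.
```c
    HTPConfigSetDefaultsPhase1(&cfglist);
    /* prefer the new location, fall back to the legacy libhtp section per key */
    ConfNode *default_config = ConfGetNode("app-layer.protocols.http.libhtp.default-config");
    if (default_config == NULL)
        default_config = ConfGetNode("libhtp.default-config");
    HTPConfigParseParameters(&cfglist, default_config, cfgtree);
    HTPConfigSetDefaultsPhase2(&cfglist);
    /* … unchanged: server-config lookup and radix tree population … */
```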
@ -2393,44 +2405,55 @@ void RegisterHTPParsers(void)
char *proto_name = "http"; char *proto_name = "http";
/** HTTP */ /** HTTP */
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "GET|20|", 4, 0, STREAM_TOSERVER); if (AppLayerProtoDetectionEnabled(proto_name)) {
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "GET|09|", 4, 0, STREAM_TOSERVER); AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "GET|20|", 4, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "PUT|20|", 4, 0, STREAM_TOSERVER); AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "GET|09|", 4, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "PUT|09|", 4, 0, STREAM_TOSERVER); AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "PUT|20|", 4, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "POST|20|", 5, 0, STREAM_TOSERVER); AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "PUT|09|", 4, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "POST|09|", 5, 0, STREAM_TOSERVER); AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "POST|20|", 5, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "HEAD|20|", 5, 0, STREAM_TOSERVER); AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "POST|09|", 5, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "HEAD|09|", 5, 0, STREAM_TOSERVER); AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "HEAD|20|", 5, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "TRACE|20|", 6, 0, STREAM_TOSERVER); AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "HEAD|09|", 5, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "TRACE|09|", 6, 0, STREAM_TOSERVER); AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "TRACE|20|", 6, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "OPTIONS|20|", 8, 0, STREAM_TOSERVER); AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "TRACE|09|", 6, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "OPTIONS|09|", 8, 0, STREAM_TOSERVER); AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "OPTIONS|20|", 8, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "CONNECT|20|", 8, 0, STREAM_TOSERVER); AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "OPTIONS|09|", 8, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "CONNECT|09|", 8, 0, STREAM_TOSERVER); AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "CONNECT|20|", 8, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_HTTP, "CONNECT|09|", 8, 0, STREAM_TOSERVER);
AppLayerRegisterStateFuncs(ALPROTO_HTTP, HTPStateAlloc, HTPStateFree); } else {
AppLayerRegisterTxFreeFunc(ALPROTO_HTTP, HTPStateTransactionFree); SCLogInfo("Protocol detection and parser disabled for %s protocol",
AppLayerRegisterGetFilesFunc(ALPROTO_HTTP, HTPStateGetFiles); proto_name);
AppLayerRegisterGetAlstateProgressFunc(ALPROTO_HTTP, HTPStateGetAlstateProgress); return;
AppLayerRegisterGetTxCnt(ALPROTO_HTTP, HTPStateGetTxCnt); }
AppLayerRegisterGetTx(ALPROTO_HTTP, HTPStateGetTx);
AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_HTTP, if (AppLayerParserEnabled(proto_name)) {
HTPStateGetAlstateProgressCompletionStatus); AppLayerRegisterStateFuncs(ALPROTO_HTTP, HTPStateAlloc, HTPStateFree);
AppLayerRegisterTxFreeFunc(ALPROTO_HTTP, HTPStateTransactionFree);
AppLayerDecoderEventsModuleRegister(ALPROTO_HTTP, http_decoder_event_table); AppLayerRegisterGetFilesFunc(ALPROTO_HTTP, HTPStateGetFiles);
AppLayerRegisterGetAlstateProgressFunc(ALPROTO_HTTP, HTPStateGetAlstateProgress);
AppLayerRegisterTruncateFunc(ALPROTO_HTTP, HTPStateTruncate); AppLayerRegisterGetTxCnt(ALPROTO_HTTP, HTPStateGetTxCnt);
AppLayerRegisterGetTx(ALPROTO_HTTP, HTPStateGetTx);
AppLayerRegisterProto(proto_name, ALPROTO_HTTP, STREAM_TOSERVER, AppLayerRegisterGetAlstateProgressCompletionStatus(ALPROTO_HTTP,
HTPHandleRequestData); HTPStateGetAlstateProgressCompletionStatus);
AppLayerRegisterProto(proto_name, ALPROTO_HTTP, STREAM_TOCLIENT,
HTPHandleResponseData); AppLayerDecoderEventsModuleRegister(ALPROTO_HTTP, http_decoder_event_table);
AppLayerRegisterTruncateFunc(ALPROTO_HTTP, HTPStateTruncate);
AppLayerRegisterProto(proto_name, ALPROTO_HTTP, STREAM_TOSERVER,
HTPHandleRequestData);
AppLayerRegisterProto(proto_name, ALPROTO_HTTP, STREAM_TOCLIENT,
HTPHandleResponseData);
SC_ATOMIC_INIT(htp_config_flags);
HTPConfigure();
} else {
SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
"still on.", proto_name);
}
#ifdef UNITTESTS #ifdef UNITTESTS
AppLayerRegisterUnittests(ALPROTO_HTTP, HTPParserRegisterTests); AppLayerRegisterUnittests(ALPROTO_HTTP, HTPParserRegisterTests);
#endif #endif
SC_ATOMIC_INIT(htp_config_flags);
HTPConfigure();
SCReturn; SCReturn;
} }
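Review bot: `AppLayerRegisterUnittests(ALPROTO_HTTP, HTPParserRegisterTests)` still runs unconditionally, but `SC_ATOMIC_INIT(htp_config_flags)` and `HTPConfigure()` have moved into the parser-enabled branch, so in "detection-only" mode the HTTP tests are registered against a libhtp that was never configured; if those tests drive the parser (I cannot see them from here) they should be registered inside the same branch, or the branch condition should be documented as a precondition of the tests. The detection-disabled message at the top of the hunk also lacks the trailing period the other protocols use: `SCLogInfo("Protocol detection and parser disabled for %s protocol.",`.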

@ -57,6 +57,7 @@
#include "app-layer-dns-udp.h" #include "app-layer-dns-udp.h"
#include "app-layer-dns-tcp.h" #include "app-layer-dns-tcp.h"
#include "conf.h"
#include "util-spm.h" #include "util-spm.h"
#include "util-debug.h" #include "util-debug.h"
@ -1399,16 +1400,35 @@ void RegisterAppLayerParsers(void)
RegisterDNSTCPParsers(); RegisterDNSTCPParsers();
/** IMAP */ /** IMAP */
//AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_IMAP, "|2A 20|OK|20|", 5, 0, STREAM_TOCLIENT); if (AppLayerProtoDetectionEnabled("imap")) {
AlpProtoAdd(&alp_proto_ctx, "imap", IPPROTO_TCP, ALPROTO_IMAP, "1|20|capability", 12, 0, STREAM_TOSERVER); //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_IMAP, "|2A 20|OK|20|", 5, 0, STREAM_TOCLIENT);
AlpProtoAdd(&alp_proto_ctx, "imap", IPPROTO_TCP, ALPROTO_IMAP, "1|20|capability", 12, 0, STREAM_TOSERVER);
} else {
SCLogInfo("Protocol detection and parser disabled for %s protocol.",
"imap");
return;
}
/** MSN Messenger */ /** MSN Messenger */
//AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_MSN, "MSNP", 10, 6, STREAM_TOCLIENT); if (AppLayerProtoDetectionEnabled("msn")) {
AlpProtoAdd(&alp_proto_ctx, "msn", IPPROTO_TCP, ALPROTO_MSN, "MSNP", 10, 6, STREAM_TOSERVER); //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_MSN, "MSNP", 10, 6, STREAM_TOCLIENT);
AlpProtoAdd(&alp_proto_ctx, "msn", IPPROTO_TCP, ALPROTO_MSN, "MSNP", 10, 6, STREAM_TOSERVER);
} else {
SCLogInfo("Protocol detection and parser disabled for %s protocol.",
"msn");
return;
}
/** Jabber */ /** Jabber */
//AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_JABBER, "xmlns='jabber|3A|client'", 74, 53, STREAM_TOCLIENT); if (AppLayerProtoDetectionEnabled("jabber")) {
//AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_JABBER, "xmlns='jabber|3A|client'", 74, 53, STREAM_TOSERVER); //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_JABBER, "xmlns='jabber|3A|client'", 74, 53, STREAM_TOCLIENT);
//AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_JABBER, "xmlns='jabber|3A|client'", 74, 53, STREAM_TOSERVER);
} else {
SCLogInfo("Protocol detection disabled for %s protocol and as a "
"consequence the conf param \"app-layer.protocols.%s."
"parser-enabled\" will now be ignored.", "jabber", "jabber");
return;
}
return; return;
} }
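Review bot: The `return;` in the imap and msn `else` branches ends `RegisterAppLayerParsers` early, so setting `app-layer.protocols.imap.enabled: no` also silently drops MSN and Jabber detection (and the jabber `return;` is redundant, being immediately followed by the function's own `return;`). These checks are independent and sequential, so the fix is to delete the `return;` statement from each of the three `else` blocks and let the log line stand alone. The jabber message also names a conf key `app-layer.protocols.jabber.parser-enabled`, whereas `AppLayerParserEnabled` in this commit reads `app-layer.protocols.<proto>.enabled`, so the message points operators at a key that is never consulted.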
@ -1521,6 +1541,95 @@ void AppLayerParsersInitPostProcess(void)
} }
} }
/*************************App Layer Conf Options Parsing***********************/
/**
* \brief Given a protocol name, checks if the parser is enabled in the
* conf file.
*
* \param al_proto Name of the app layer protocol.
*
* \retval 1 If enabled.
* \retval 0 If disabled.
*/
int AppLayerParserEnabled(const char *al_proto)
{
int enabled = 1;
char param[100];
int r = snprintf(param, sizeof(param), "%s%s%s", "app-layer.protocols.",
al_proto, ".enabled");
if (r < 0) {
SCLogError(SC_ERR_FATAL, "snprintf failure.");
exit(EXIT_FAILURE);
} else if (r > (int)sizeof(param)) {
SCLogError(SC_ERR_FATAL, "buffer not big enough to write param.");
exit(EXIT_FAILURE);
}
ConfNode *node = ConfGetNode(param);
if (node == NULL) {
SCLogInfo("Entry for %s not found.", param);
return enabled;
} else {
if (strcasecmp(node->val, "yes") == 0) {
enabled = 1;
} else if (strcasecmp(node->val, "no") == 0) {
enabled = 0;
} else if (strcasecmp(node->val, "detection-only") == 0) {
enabled = 0;
} else {
SCLogError(SC_ERR_FATAL, "Invalid value found for %s.", param);
exit(EXIT_FAILURE);
}
}
return enabled;
}
/**
* \brief Given a protocol name, checks if proto detection is enabled in the
* conf file.
*
* \param al_proto Name of the app layer protocol.
*
* \retval 1 If enabled.
* \retval 0 If disabled.
*/
int AppLayerProtoDetectionEnabled(const char *al_proto)
{
int enabled = 1;
char param[100];
int r = snprintf(param, sizeof(param), "%s%s%s", "app-layer.protocols.",
al_proto, ".enabled");
if (r < 0) {
SCLogError(SC_ERR_FATAL, "snprintf failure.");
exit(EXIT_FAILURE);
} else if (r > (int)sizeof(param)) {
SCLogError(SC_ERR_FATAL, "buffer not big enough to write param.");
exit(EXIT_FAILURE);
}
ConfNode *node = ConfGetNode(param);
if (node == NULL) {
SCLogInfo("Entry for %s not found.", param);
return enabled;
} else {
if (strcasecmp(node->val, "yes") == 0) {
enabled = 1;
} else if (strcasecmp(node->val, "no") == 0) {
enabled = 0;
} else if (strcasecmp(node->val, "detection-only") == 0) {
enabled = 1;
} else {
SCLogError(SC_ERR_FATAL, "Invalid value found for %s.", param);
exit(EXIT_FAILURE);
}
}
return enabled;
}
/********************************Probing Parsers*******************************/ /********************************Probing Parsers*******************************/
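Review bot: The truncation check in both new helpers is off by one: `snprintf` returns the length that would have been written, and a return value equal to `sizeof(param)` means the last character was dropped to make room for the NUL, so the test should be `} else if (r >= (int)sizeof(param)) {` in `AppLayerParserEnabled` and again in `AppLayerProtoDetectionEnabled`. The two functions are otherwise identical except for the result they assign for "detection-only" (0 vs 1); a single `static` helper taking that value as a parameter would keep the key format, the fatal-on-unknown-value policy and this bounds check in one place. `strcasecmp(node->val, ...)` also assumes a node with a value; if `ConfGetNode` can return a node whose `val` is NULL for a bare key (not visible here), that is undefined behaviour and worth a NULL guard.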

@ -416,4 +416,7 @@ int AppLayerAlprotoSupportsTxs(uint16_t alproto);
void AppLayerTriggerRawStreamReassembly(Flow *); void AppLayerTriggerRawStreamReassembly(Flow *);
int AppLayerParserEnabled(const char *alproto);
int AppLayerProtoDetectionEnabled(const char *alproto);
#endif /* __APP_LAYER_PARSER_H__ */ #endif /* __APP_LAYER_PARSER_H__ */

@ -1400,24 +1400,35 @@ static uint16_t SMBProbingParser(uint8_t *input, uint32_t ilen, uint32_t *offset
void RegisterSMBParsers(void) { void RegisterSMBParsers(void) {
char *proto_name = "smb"; char *proto_name = "smb";
/** SMB */ if (AppLayerProtoDetectionEnabled(proto_name)) {
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOSERVER); /** SMB */
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOSERVER);
/** SMB2 */ /** SMB2 */
AlpProtoAdd(&alp_proto_ctx, "smb2", IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOSERVER); AlpProtoAdd(&alp_proto_ctx, "smb2", IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOSERVER);
AppLayerRegisterProto(proto_name, ALPROTO_SMB, STREAM_TOSERVER, SMBParseRequest); AppLayerRegisterProbingParser(&alp_proto_ctx,
AppLayerRegisterProto(proto_name, ALPROTO_SMB, STREAM_TOCLIENT, SMBParseResponse); IPPROTO_TCP,
AppLayerRegisterStateFuncs(ALPROTO_SMB, SMBStateAlloc, SMBStateFree); "139",
"smb",
ALPROTO_SMB,
SMB_PROBING_PARSER_MIN_DEPTH, 0,
STREAM_TOSERVER,
SMBProbingParser);
} else {
SCLogInfo("Protocol detection and parser disabled for %s protocol.",
proto_name);
return;
}
if (AppLayerParserEnabled(proto_name)) {
AppLayerRegisterProto(proto_name, ALPROTO_SMB, STREAM_TOSERVER, SMBParseRequest);
AppLayerRegisterProto(proto_name, ALPROTO_SMB, STREAM_TOCLIENT, SMBParseResponse);
AppLayerRegisterStateFuncs(ALPROTO_SMB, SMBStateAlloc, SMBStateFree);
} else {
SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
"still on.", proto_name);
}
AppLayerRegisterProbingParser(&alp_proto_ctx,
IPPROTO_TCP,
"139",
"smb",
ALPROTO_SMB,
SMB_PROBING_PARSER_MIN_DEPTH, 0,
STREAM_TOSERVER,
SMBProbingParser);
#ifdef UNITTESTS #ifdef UNITTESTS
AppLayerRegisterUnittests(ALPROTO_SMB, SMBParserRegisterTests); AppLayerRegisterUnittests(ALPROTO_SMB, SMBParserRegisterTests);
#endif #endif
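Review bot: The SMB2 detection pattern (`AlpProtoAdd(... "smb2" ... "|fe|SMB" ...)`) is now registered inside the block gated on `AppLayerProtoDetectionEnabled("smb")`, so `app-layer.protocols.smb.enabled: no` silently removes SMB2 detection as well, while `app-layer.protocols.smb2.enabled: no` leaves the SMB2 pattern in place because nothing here checks "smb2". Either gate that one call on `AppLayerProtoDetectionEnabled("smb2")` or move it into `RegisterSMB2Parsers` next to the check that already exists there; at minimum document the dependency with `/* SMB2 detection is controlled by the "smb" entry */`. `RegisterSMBParsers` continues past the end of the hunk.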

@ -518,12 +518,22 @@ static void SMB2StateFree(void *s) {
} }
void RegisterSMB2Parsers(void) { void RegisterSMB2Parsers(void) {
AppLayerRegisterProto("smb", ALPROTO_SMB2, STREAM_TOSERVER, SMB2Parse); /** SMB2 */
AppLayerRegisterProto("smb", ALPROTO_SMB2, STREAM_TOCLIENT, SMB2Parse); char *proto_name = "smb2";
AppLayerRegisterStateFuncs(ALPROTO_SMB2, SMB2StateAlloc, SMB2StateFree);
if (AppLayerProtoDetectionEnabled(proto_name)) {
AppLayerRegisterProto(proto_name, ALPROTO_SMB2, STREAM_TOSERVER, SMB2Parse);
AppLayerRegisterProto(proto_name, ALPROTO_SMB2, STREAM_TOCLIENT, SMB2Parse);
AppLayerRegisterStateFuncs(ALPROTO_SMB2, SMB2StateAlloc, SMB2StateFree);
} else {
SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
"still on.", proto_name);
}
#ifdef UNITTESTS #ifdef UNITTESTS
AppLayerRegisterUnittests(ALPROTO_SMB2, SMB2ParserRegisterTests); AppLayerRegisterUnittests(ALPROTO_SMB2, SMB2ParserRegisterTests);
#endif #endif
return;
} }
/* UNITTESTS */ /* UNITTESTS */
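Review bot: The parser registration in this hunk is gated on `AppLayerProtoDetectionEnabled(proto_name)` rather than `AppLayerParserEnabled(proto_name)`, so with `app-layer.protocols.smb2.enabled: detection-only` the SMB2 parser is still registered (the detection helper returns 1 for that value), and the `else` message, which says the parser is disabled while detection stays on, describes a condition that never holds for this check. Change the condition to `if (AppLayerParserEnabled(proto_name)) {` to match the other protocols. If the intent was also to skip the parser when detection is off, add the detection check with its own log line before it, as the SMB and TLS hunks do.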

@ -847,21 +847,32 @@ void RegisterSMTPParsers(void)
{ {
char *proto_name = "smtp"; char *proto_name = "smtp";
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SMTP, "EHLO", 4, 0, if (AppLayerProtoDetectionEnabled(proto_name)) {
STREAM_TOSERVER); AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SMTP, "EHLO", 4, 0,
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SMTP, "HELO", 4, 0, STREAM_TOSERVER);
STREAM_TOSERVER); AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SMTP, "HELO", 4, 0,
STREAM_TOSERVER);
} else {
SCLogInfo("Protocol detection and parser disabled for %s protocol.",
proto_name);
return;
}
AppLayerRegisterStateFuncs(ALPROTO_SMTP, SMTPStateAlloc, SMTPStateFree); if (AppLayerParserEnabled(proto_name)) {
AppLayerRegisterStateFuncs(ALPROTO_SMTP, SMTPStateAlloc, SMTPStateFree);
AppLayerRegisterProto(proto_name, ALPROTO_SMTP, STREAM_TOSERVER, AppLayerRegisterProto(proto_name, ALPROTO_SMTP, STREAM_TOSERVER,
SMTPParseClientRecord); SMTPParseClientRecord);
AppLayerRegisterProto(proto_name, ALPROTO_SMTP, STREAM_TOCLIENT, AppLayerRegisterProto(proto_name, ALPROTO_SMTP, STREAM_TOCLIENT,
SMTPParseServerRecord); SMTPParseServerRecord);
AppLayerDecoderEventsModuleRegister(ALPROTO_SMTP, smtp_decoder_event_table); AppLayerDecoderEventsModuleRegister(ALPROTO_SMTP, smtp_decoder_event_table);
AppLayerRegisterLocalStorageFunc(ALPROTO_SMTP, SMTPLocalStorageAlloc, AppLayerRegisterLocalStorageFunc(ALPROTO_SMTP, SMTPLocalStorageAlloc,
SMTPLocalStorageFree); SMTPLocalStorageFree);
} else {
SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
"still on.", proto_name);
}
SMTPSetMpmState(); SMTPSetMpmState();
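Review bot: `SMTPSetMpmState()` at the end of the hunk still runs when the parser is disabled, whereas all the other SMTP parser setup has moved into the `AppLayerParserEnabled` branch. If that function only builds state used by the SMTP parser (its body is outside the hunk, so I am inferring from the name), it belongs inside the branch too; otherwise a comment such as `/* MPM state is needed by detection as well, so it is set up regardless of the parser option */` would explain why it is left out. `RegisterSMTPParsers` continues past the hunk.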

@ -739,14 +739,25 @@ void RegisterSSHParsers(void)
char *proto_name = "ssh"; char *proto_name = "ssh";
/** SSH */ /** SSH */
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SSH, "SSH-", 4, 0, STREAM_TOSERVER); if (AppLayerProtoDetectionEnabled(proto_name)) {
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_SSH, "SSH-", 4, 0, STREAM_TOSERVER);
} else {
SCLogInfo("Protocol detection and parser disabled for %s protocol.",
proto_name);
return;
}
AppLayerRegisterProto(proto_name, ALPROTO_SSH, STREAM_TOCLIENT, if (AppLayerParserEnabled(proto_name)) {
SSHParseServerRecord); AppLayerRegisterProto(proto_name, ALPROTO_SSH, STREAM_TOCLIENT,
AppLayerRegisterProto(proto_name, ALPROTO_SSH, STREAM_TOSERVER, SSHParseServerRecord);
SSHParseClientRecord); AppLayerRegisterProto(proto_name, ALPROTO_SSH, STREAM_TOSERVER,
SSHParseClientRecord);
AppLayerRegisterStateFuncs(ALPROTO_SSH, SSHStateAlloc, SSHStateFree);
} else {
SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
"still on.", proto_name);
}
AppLayerRegisterStateFuncs(ALPROTO_SSH, SSHStateAlloc, SSHStateFree);
#ifdef UNITTESTS #ifdef UNITTESTS
AppLayerRegisterUnittests(ALPROTO_SSH, SSHParserRegisterTests); AppLayerRegisterUnittests(ALPROTO_SSH, SSHParserRegisterTests);
#endif #endif

@ -994,44 +994,65 @@ void RegisterSSLParsers(void)
char *proto_name = "tls"; char *proto_name = "tls";
/** SSLv2 and SSLv23*/ /** SSLv2 and SSLv23*/
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 00 02|", 5, 2, STREAM_TOSERVER); if (AppLayerProtoDetectionEnabled(proto_name)) {
/* subsection - SSLv2 style record by client, but informing the server the max AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 00 02|", 5, 2, STREAM_TOSERVER);
* version it supports */ /* subsection - SSLv2 style record by client, but informing the server the max
/* Updated by Anoop Saldanha. Disabled it for now. We'll get back to it * version it supports */
* after some tests */ /* Updated by Anoop Saldanha. Disabled it for now. We'll get back to it
//AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|01 03 00|", 5, 2, STREAM_TOSERVER); * after some tests */
//AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|00 02|", 7, 5, STREAM_TOCLIENT); //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|01 03 00|", 5, 2, STREAM_TOSERVER);
//AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|00 02|", 7, 5, STREAM_TOCLIENT);
/** SSLv3 */
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 00|", 3, 0, STREAM_TOSERVER); /** SSLv3 */
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 00|", 3, 0, STREAM_TOSERVER); /* client hello */ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 00|", 3, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 00|", 3, 0, STREAM_TOSERVER); /* client hello */
/** TLSv1 */ /** TLSv1 */
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 01|", 3, 0, STREAM_TOSERVER); AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 01|", 3, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 01|", 3, 0, STREAM_TOSERVER); /* client hello */ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 01|", 3, 0, STREAM_TOSERVER); /* client hello */
/** TLSv1.1 */ /** TLSv1.1 */
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 02|", 3, 0, STREAM_TOSERVER); AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 02|", 3, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 02|", 3, 0, STREAM_TOSERVER); /* client hello */ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 02|", 3, 0, STREAM_TOSERVER); /* client hello */
/** TLSv1.2 */ /** TLSv1.2 */
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 03|", 3, 0, STREAM_TOSERVER); AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 03|", 3, 0, STREAM_TOSERVER);
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 03|", 3, 0, STREAM_TOSERVER); /* client hello */ AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 03|", 3, 0, STREAM_TOSERVER); /* client hello */
AppLayerRegisterProto(proto_name, ALPROTO_TLS, STREAM_TOSERVER, AppLayerRegisterProbingParser(&alp_proto_ctx,
SSLParseClientRecord); IPPROTO_TCP,
"443",
AppLayerRegisterProto(proto_name, ALPROTO_TLS, STREAM_TOCLIENT, proto_name,
SSLParseServerRecord); ALPROTO_TLS,
AppLayerDecoderEventsModuleRegister(ALPROTO_TLS, tls_decoder_event_table); 0, 3,
STREAM_TOSERVER,
AppLayerRegisterStateFuncs(ALPROTO_TLS, SSLStateAlloc, SSLStateFree); SSLProbingParser);
} else {
AppLayerRegisterProbingParser(&alp_proto_ctx, SCLogInfo("Protocol detection and parser disabled for %s protocol",
IPPROTO_TCP, proto_name);
"443", return;
proto_name, }
ALPROTO_TLS,
0, 3, if (AppLayerParserEnabled(proto_name)) {
STREAM_TOSERVER, AppLayerRegisterProto(proto_name, ALPROTO_TLS, STREAM_TOSERVER,
SSLProbingParser); SSLParseClientRecord);
AppLayerRegisterProto(proto_name, ALPROTO_TLS, STREAM_TOCLIENT,
SSLParseServerRecord);
AppLayerDecoderEventsModuleRegister(ALPROTO_TLS, tls_decoder_event_table);
AppLayerRegisterStateFuncs(ALPROTO_TLS, SSLStateAlloc, SSLStateFree);
/* Get the value of no reassembly option from the config file */
if (ConfGetNode("app-layer.protocols.tls.no-reassemble") == NULL) {
if (ConfGetBool("tls.no-reassemble", &ssl_config.no_reassemble) != 1)
ssl_config.no_reassemble = 1;
} else {
if (ConfGetBool("app-layer.protocols.tls.no-reassemble", &ssl_config.no_reassemble) != 1)
ssl_config.no_reassemble = 1;
}
} else {
SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
"still on.", proto_name);
}
#ifdef UNITTESTS #ifdef UNITTESTS
AppLayerRegisterUnittests(ALPROTO_TLS, SSLParserRegisterTests); AppLayerRegisterUnittests(ALPROTO_TLS, SSLParserRegisterTests);
#endif #endif

@ -166,9 +166,9 @@ static int DetectDnsQueryTest01(void) {
de_ctx->mpm_matcher = DEFAULT_MPM; de_ctx->mpm_matcher = DEFAULT_MPM;
de_ctx->flags |= DE_QUIET; de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
"(msg:\"Test dns_query option\"; " "(msg:\"Test dns_query option\"; "
"dns_query; content:\"google\"; nocase; sid:1;)"); "dns_query; content:\"google\"; nocase; sid:1;)");
if (s == NULL) { if (s == NULL) {
goto end; goto end;
} }
@ -287,13 +287,13 @@ static int DetectDnsQueryTest02(void) {
de_ctx->mpm_matcher = DEFAULT_MPM; de_ctx->mpm_matcher = DEFAULT_MPM;
de_ctx->flags |= DE_QUIET; de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
"(msg:\"Test dns_query option\"; " "(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.com\"; nocase; sid:1;)"); "dns_query; content:\"google.com\"; nocase; sid:1;)");
if (s == NULL) { if (s == NULL) {
goto end; goto end;
} }
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
"(msg:\"Test dns_query option\"; " "(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.net\"; nocase; sid:2;)"); "dns_query; content:\"google.net\"; nocase; sid:2;)");
if (s == NULL) { if (s == NULL) {
@ -432,7 +432,7 @@ static int DetectDnsQueryTest03(void) {
de_ctx->mpm_matcher = DEFAULT_MPM; de_ctx->mpm_matcher = DEFAULT_MPM;
de_ctx->flags |= DE_QUIET; de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " s = DetectEngineAppendSig(de_ctx, "alert dnstcp any any -> any any "
"(msg:\"Test dns_query option\"; " "(msg:\"Test dns_query option\"; "
"content:\"google\"; nocase; dns_query; sid:1;)"); "content:\"google\"; nocase; dns_query; sid:1;)");
if (s == NULL) { if (s == NULL) {
@ -529,7 +529,7 @@ static int DetectDnsQueryTest04(void) {
de_ctx->mpm_matcher = DEFAULT_MPM; de_ctx->mpm_matcher = DEFAULT_MPM;
de_ctx->flags |= DE_QUIET; de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " s = DetectEngineAppendSig(de_ctx, "alert dnstcp any any -> any any "
"(msg:\"Test dns_query option\"; " "(msg:\"Test dns_query option\"; "
"dns_query; content:\"google\"; nocase; sid:1;)"); "dns_query; content:\"google\"; nocase; sid:1;)");
if (s == NULL) { if (s == NULL) {
@ -680,13 +680,13 @@ static int DetectDnsQueryTest05(void) {
de_ctx->mpm_matcher = DEFAULT_MPM; de_ctx->mpm_matcher = DEFAULT_MPM;
de_ctx->flags |= DE_QUIET; de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " s = DetectEngineAppendSig(de_ctx, "alert dnstcp any any -> any any "
"(msg:\"Test dns_query option\"; " "(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.com\"; nocase; sid:1;)"); "dns_query; content:\"google.com\"; nocase; sid:1;)");
if (s == NULL) { if (s == NULL) {
goto end; goto end;
} }
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " s = DetectEngineAppendSig(de_ctx, "alert dnstcp any any -> any any "
"(msg:\"Test dns_query option\"; " "(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.net\"; nocase; sid:2;)"); "dns_query; content:\"google.net\"; nocase; sid:2;)");
if (s == NULL) { if (s == NULL) {
@ -842,14 +842,14 @@ static int DetectDnsQueryTest06(void) {
de_ctx->mpm_matcher = DEFAULT_MPM; de_ctx->mpm_matcher = DEFAULT_MPM;
de_ctx->flags |= DE_QUIET; de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
"(msg:\"Test dns_query option\"; " "(msg:\"Test dns_query option\"; "
"dns_query; content:\"google\"; nocase; " "dns_query; content:\"google\"; nocase; "
"pcre:\"/google\\.com$/i\"; sid:1;)"); "pcre:\"/google\\.com$/i\"; sid:1;)");
if (s == NULL) { if (s == NULL) {
goto end; goto end;
} }
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
"(msg:\"Test dns_query option\"; " "(msg:\"Test dns_query option\"; "
"dns_query; content:\"google\"; nocase; " "dns_query; content:\"google\"; nocase; "
"pcre:\"/^\\.[a-z]{2,3}$/iR\"; sid:2;)"); "pcre:\"/^\\.[a-z]{2,3}$/iR\"; sid:2;)");
@ -977,19 +977,19 @@ static int DetectDnsQueryTest07(void) {
de_ctx->mpm_matcher = DEFAULT_MPM; de_ctx->mpm_matcher = DEFAULT_MPM;
de_ctx->flags |= DE_QUIET; de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
"(msg:\"Test dns_query option\"; " "(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.com\"; nocase; sid:1;)"); "dns_query; content:\"google.com\"; nocase; sid:1;)");
if (s == NULL) { if (s == NULL) {
goto end; goto end;
} }
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
"(msg:\"Test dns_query option\"; " "(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.net\"; nocase; sid:2;)"); "dns_query; content:\"google.net\"; nocase; sid:2;)");
if (s == NULL) { if (s == NULL) {
goto end; goto end;
} }
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " s = DetectEngineAppendSig(de_ctx, "alert dnsudp any any -> any any "
"(msg:\"Test Z flag event\"; " "(msg:\"Test Z flag event\"; "
"app-layer-event:dns.z_flag_set; sid:3;)"); "app-layer-event:dns.z_flag_set; sid:3;)");
if (s == NULL) { if (s == NULL) {
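Review bot: The unit-test signatures in DetectDnsQueryTest01–07 are switched from `alert dns` to `alert dnsudp`/`alert dnstcp`, but nothing in the commit says why; if the generic `dns` keyword is no longer accepted by SigParseProto that is a user-visible rule-compatibility change which belongs in the commit message, and one test should pin whichever behaviour is intended for `alert dns` (accepted or rejected). If `dns` still parses and the transport-specific keyword is only needed for these tests, a comment above the first changed signature, `/* 'dnsudp' rather than 'dns': <reason the transport-specific keyword is required> */`, would save the next reader the same question. The enclosing test functions start and end outside the hunks.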

@ -636,7 +636,11 @@ int SigParseProto(Signature *s, const char *protostr) {
if (s->alproto == ALPROTO_UNKNOWN) { if (s->alproto == ALPROTO_UNKNOWN) {
SCLogError(SC_ERR_UNKNOWN_PROTOCOL, "protocol \"%s\" cannot be used " SCLogError(SC_ERR_UNKNOWN_PROTOCOL, "protocol \"%s\" cannot be used "
"in a signature", protostr); "in a signature. Either detection for this protocol "
"supported yet OR detection has been disabled for "
"protocol through the yaml option "
"app-layer.protocols.%s.detection-enabled", protostr,
protostr);
SCReturnInt(-1); SCReturnInt(-1);
} }
} }
@ -1224,6 +1228,28 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s) {
} }
} }
} }
}
if (s->alproto != ALPROTO_UNKNOWN) {
if (s->flags & SIG_FLAG_STATE_MATCH) {
if (al_proto_table[s->alproto].to_server == 0 ||
al_proto_table[s->alproto].to_client == 0) {
const char *proto_name = TmModuleAlprotoToString(s->alproto);
SCLogInfo("Signature uses options that need the app layer "
"parser for \"%s\", but the parser's disabled "
"for the protocol. Please check if you have "
"disabled it through the option "
"\"app-layer.protocols.%s.enabled\" or internally "
"there the parser has been disabled in the code. "
"Invalidating signature.", proto_name, proto_name);
SCReturnInt(0);
}
}
} }
if (s->flags & SIG_FLAG_REQUIRE_PACKET) { if (s->flags & SIG_FLAG_REQUIRE_PACKET) {
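Review bot: The new check in SigValidate drops the signature (`SCReturnInt(0)`) but reports it with `SCLogInfo`, so at the default log level a rule silently vanishes from the loaded ruleset; it should be `SCLogWarning` or `SCLogError` with an error code, matching the `SC_ERR_UNKNOWN_PROTOCOL` path in SigParseProto, so the dropped rule is visible to the operator. The condition `al_proto_table[s->alproto].to_server == 0 || al_proto_table[s->alproto].to_client == 0` also treats any protocol that registers a parser for only one direction as "parser disabled"; if such protocols exist, `&&` (or an explicit parser-enabled flag recorded when AppLayerParserEnabled() is consulted) is what is meant. The message text is garbled (`or internally there the parser has been disabled in the code`), and the yaml key it names, `app-layer.protocols.%s.enabled`, differs from `app-layer.protocols.%s.detection-enabled` in the SigParseProto message in the hunk above, which is also missing its verb (`detection for this protocol supported yet`); the configuration file in this commit uses `enabled`, so the SigParseProto message should read `"... Either detection for this protocol is not supported yet OR detection has been disabled through the yaml option app-layer.protocols.%s.enabled"`. SigValidate starts and ends outside the hunk.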

@ -976,84 +976,119 @@ pcre:
match-limit: 3500 match-limit: 3500
match-limit-recursion: 1500 match-limit-recursion: 1500
########################################################################### # Holds details on the app-layer. The protocols section details each protocol.
# Configure libhtp. # Under each protocol, the default value for detection-enabled and "
# # parsed-enabled is yes, unless specified otherwise.
# # Each protocol covers enabling/disabling parsers for all ipprotos
# default-config: Used when no server-config matches # the app-layer protocol runs on. For example "dcerpc" refers to the tcp
# personality: List of personalities used by default # version of the protocol as well as the udp version of the protocol.
# request-body-limit: Limit reassembly of request body for inspection # The option "enabled" takes 3 values - "yes", "no", "detection-only".
# by http_client_body & pcre /P option. # "yes" enables both detection and the parser, "no" disables both, and
# response-body-limit: Limit reassembly of response body for inspection # "detection-only" enables detection only(parser disabled).
# by file_data, http_server_body & pcre /Q option. app-layer:
# double-decode-path: Double decode path section of the URI protocols:
# double-decode-query: Double decode query section of the URI tls:
# enabled: yes
# server-config: List of server configurations to use if address matches
# address: List of ip addresses or networks for this block #no-reassemble: yes
# personalitiy: List of personalities used by this block dcerpc:
# request-body-limit: Limit reassembly of request body for inspection enabled: yes
# by http_client_body & pcre /P option. ftp:
# response-body-limit: Limit reassembly of response body for inspection enabled: yes
# by file_data, http_server_body & pcre /Q option. ssh:
# double-decode-path: Double decode path section of the URI enabled: yes
# double-decode-query: Double decode query section of the URI smtp:
# enabled: yes
# Currently Available Personalities: imap:
# Minimal enabled: detection-only
# Generic msn:
# IDS (default) enabled: detection-only
# IIS_4_0 smb:
# IIS_5_0 enabled: yes
# IIS_5_1 # smb2 detection is disabled internally inside the engine.
# IIS_6_0 #smb2:
# IIS_7_0 # enabled: yes
# IIS_7_5 http:
# Apache_2 enabled: yes
###########################################################################
libhtp: ###########################################################################
# Configure libhtp.
default-config: #
personality: IDS #
# default-config: Used when no server-config matches
# Can be specified in kb, mb, gb. Just a number indicates # personality: List of personalities used by default
# it's in bytes. # request-body-limit: Limit reassembly of request body for inspection
request-body-limit: 3072 # by http_client_body & pcre /P option.
response-body-limit: 3072 # response-body-limit: Limit reassembly of response body for inspection
# by file_data, http_server_body & pcre /Q option.
# inspection limits # double-decode-path: Double decode path section of the URI
request-body-minimal-inspect-size: 32kb # double-decode-query: Double decode query section of the URI
request-body-inspect-window: 4kb #
response-body-minimal-inspect-size: 32kb # server-config: List of server configurations to use if address matches
response-body-inspect-window: 4kb # address: List of ip addresses or networks for this block
# personalitiy: List of personalities used by this block
# decoding # request-body-limit: Limit reassembly of request body for inspection
double-decode-path: no # by http_client_body & pcre /P option.
double-decode-query: no # response-body-limit: Limit reassembly of response body for inspection
# by file_data, http_server_body & pcre /Q option.
server-config: # double-decode-path: Double decode path section of the URI
# double-decode-query: Double decode query section of the URI
- apache: #
address: [192.168.1.0/24, 127.0.0.0/8, "::1"] # Currently Available Personalities:
personality: Apache_2 # Minimal
# Can be specified in kb, mb, gb. Just a number indicates # Generic
# it's in bytes. # IDS (default)
request-body-limit: 4096 # IIS_4_0
response-body-limit: 4096 # IIS_5_0
double-decode-path: no # IIS_5_1
double-decode-query: no # IIS_6_0
# IIS_7_0
- iis7: # IIS_7_5
address: # Apache_2
- 192.168.0.0/24 ###########################################################################
- 192.168.10.0/24 libhtp:
personality: IIS_7_0
# Can be specified in kb, mb, gb. Just a number indicates default-config:
# it's in bytes. personality: IDS
request-body-limit: 4096
response-body-limit: 4096 # Can be specified in kb, mb, gb. Just a number indicates
double-decode-path: no # it's in bytes.
double-decode-query: no request-body-limit: 3072
response-body-limit: 3072
# inspection limits
request-body-minimal-inspect-size: 32kb
request-body-inspect-window: 4kb
response-body-minimal-inspect-size: 32kb
response-body-inspect-window: 4kb
# decoding
double-decode-path: no
double-decode-query: no
server-config:
- apache:
address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
personality: Apache_2
# Can be specified in kb, mb, gb. Just a number indicates
# it's in bytes.
request-body-limit: 4096
response-body-limit: 4096
double-decode-path: no
double-decode-query: no
- iis7:
address:
- 192.168.0.0/24
- 192.168.10.0/24
personality: IIS_7_0
# Can be specified in kb, mb, gb. Just a number indicates
# it's in bytes.
request-body-limit: 4096
response-body-limit: 4096
double-decode-path: no
double-decode-query: no
# Profiling settings. Only effective if Suricata has been built with the # Profiling settings. Only effective if Suricata has been built with the
# the --enable-profiling configure flag. # the --enable-profiling configure flag.
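Review bot: The introductory comment for the new `app-layer` section describes options `detection-enabled` and `parsed-enabled` (with a stray `"` at the end of the `detection-enabled and "` line), but none of the keys below use those names; every protocol uses a single `enabled` key taking `yes`, `no` or `detection-only`, exactly as the next sentence of the comment states. Replace the two lines with `# Under each protocol, "enabled" defaults to yes unless specified otherwise.` so operators are not led to set keys the engine does not read. It would also help to state what happens to a protocol omitted from this list (presumably treated as enabled, if that is the intended default), since this block is what operators will copy from. The commented-out `#no-reassemble: yes` under `tls` could note that the legacy top-level `tls.no-reassemble` key is still honoured when the new key is absent, since the ssl registration code in this commit falls back to it.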
