void TimeGet(struct timeval *tv) { if (tv == NULL) return; if (live == TRUE) { gettimeofday(tv, NULL); } else { #ifdef UNITTESTS if (unlikely(RunmodeIsUnittests())) { SCSpinLock(¤t_time_spinlock); tv->tv_sec = current_time.tv_sec; tv->tv_usec = current_time.tv_usec; SCSpinUnlock(¤t_time_spinlock); } else { #endif TmreadsGetMinimalTimestamp(tv); #ifdef UNITTESTS } #endif } SCLogDebug("time we got is %" PRIuMAX " sec, %" PRIuMAX " usec", (uintmax_t)tv->tv_sec, (uintmax_t)tv->tv_usec); }
int AppLayerParserConfParserEnabled(const char *ipproto, const char *alproto_name) { SCEnter(); int enabled = 1; char param[100]; ConfNode *node; int r; if (RunmodeIsUnittests()) goto enabled; r = snprintf(param, sizeof(param), "%s%s%s", "app-layer.protocols.", alproto_name, ".enabled"); if (r < 0) { SCLogError(SC_ERR_FATAL, "snprintf failure."); exit(EXIT_FAILURE); } else if (r > (int)sizeof(param)) { SCLogError(SC_ERR_FATAL, "buffer not big enough to write param."); exit(EXIT_FAILURE); } node = ConfGetNode(param); if (node == NULL) { SCLogDebug("Entry for %s not found.", param); r = snprintf(param, sizeof(param), "%s%s%s%s%s", "app-layer.protocols.", alproto_name, ".", ipproto, ".enabled"); if (r < 0) { SCLogError(SC_ERR_FATAL, "snprintf failure."); exit(EXIT_FAILURE); } else if (r > (int)sizeof(param)) { SCLogError(SC_ERR_FATAL, "buffer not big enough to write param."); exit(EXIT_FAILURE); } node = ConfGetNode(param); if (node == NULL) { SCLogDebug("Entry for %s not found.", param); goto enabled; } } if (strcasecmp(node->val, "yes") == 0) { goto enabled; } else if (strcasecmp(node->val, "no") == 0) { goto disabled; } else if (strcasecmp(node->val, "detection-only") == 0) { goto enabled; } else { SCLogError(SC_ERR_FATAL, "Invalid value found for %s.", param); exit(EXIT_FAILURE); } disabled: enabled = 0; enabled: SCReturnInt(enabled); }
void RegisterMSSqlParsers(void) { char *proto_name = "mssql"; if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", proto_name)) { AppLayerProtoDetectRegisterProtocol(ALPROTO_MSSQL, proto_name); if (RunmodeIsUnittests()) { AppLayerProtoDetectPPRegister( IPPROTO_TCP, "1443", ALPROTO_MSSQL, 0, sizeof(TDSHeader), STREAM_TOSERVER, MSSqlProbingParser); } else { int have_cfg = AppLayerProtoDetectPPParseConfPorts("tcp", IPPROTO_TCP, proto_name, ALPROTO_MSSQL, 0, sizeof(TDSHeader), MSSqlProbingParser); /* if not configured, enable the default 3306 port */ if (!have_cfg) { return; } } } else { SCLogInfo("Protocol detection and parser disabled for %s protocol", proto_name); return; } if (AppLayerParserConfParserEnabled("tcp", proto_name)) { AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_MSSQL, STREAM_TOSERVER, TDSParseClientRecord); AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_MSSQL, STREAM_TOCLIENT, TDSParseServerRecord); AppLayerParserRegisterStateFuncs(IPPROTO_TCP, ALPROTO_MSSQL, TDSStateAlloc, TDSStateFree); /* TODO: should we add get/has event callbacks? */ AppLayerParserRegisterGetTx(IPPROTO_TCP, ALPROTO_MSSQL, TDSGetTx); AppLayerParserRegisterGetTxCnt(IPPROTO_TCP, ALPROTO_MSSQL, TDSGetTxCnt); AppLayerParserRegisterGetStateProgressCompletionStatus(IPPROTO_TCP, ALPROTO_MSSQL, TDSGetAlstateProgressCompletionStatus); AppLayerParserRegisterGetStateProgressFunc(IPPROTO_TCP, ALPROTO_MSSQL, TDSGetAlstateProgress); } #ifdef UNITTESTS AppLayerParserRegisterProtocolUnittests(IPPROTO_TCP, ALPROTO_MSSQL, TDSParserRegisterTests); #endif return; }
/** * \brief Inits the context to be used by the Reference Config parsing API. * * This function initializes the hash table to be used by the Detection * Engine Context to hold the data from reference.config file, * obtains the file descriptor to parse the reference.config file, and * inits the regex used to parse the lines from reference.config file. * * \param de_ctx Pointer to the Detection Engine Context. * * \retval 0 On success. * \retval -1 On failure. */ static FILE *SCRConfInitContextAndLocalResources(DetectEngineCtx *de_ctx, FILE *fd) { char *filename = NULL; /* init the hash table to be used by the reference config references */ de_ctx->reference_conf_ht = HashTableInit(128, SCRConfReferenceHashFunc, SCRConfReferenceHashCompareFunc, SCRConfReferenceHashFree); if (de_ctx->reference_conf_ht == NULL) { SCLogError(SC_ERR_HASH_TABLE_INIT, "Error initializing the hash " "table"); goto error; } /* if it is not NULL, use the file descriptor. The hack so that we can * avoid using a dummy reference file for testing purposes and * instead use an input stream against a buffer containing the * reference strings */ if (fd == NULL) { filename = SCRConfGetConfFilename(); if ((fd = fopen(filename, "r")) == NULL) { #ifdef UNITTESTS if (RunmodeIsUnittests()) goto error; // silently fail #endif SCLogError(SC_ERR_FOPEN, "Error opening file: \"%s\": %s", filename, strerror(errno)); goto error; } } return fd; error: if (de_ctx->reference_conf_ht != NULL) { HashTableFree(de_ctx->reference_conf_ht); de_ctx->reference_conf_ht = NULL; } if (fd != NULL) { fclose(fd); fd = NULL; } return NULL; }
/** * \brief Loads the Reference info from the reference.config file. * * The reference.config file contains references that can be used in * Signatures. Each line of the file should have the following format - * config reference: system_name, reference_url. * * \param de_ctx Pointer to the Detection Engine Context that should be updated * with reference information. * * \retval 0 On success. * \retval -1 On failure. */ int SCRConfLoadReferenceConfigFile(DetectEngineCtx *de_ctx, FILE *fd) { fd = SCRConfInitContextAndLocalResources(de_ctx, fd); if (fd == NULL) { #ifdef UNITTESTS if (RunmodeIsUnittests() && fd == NULL) { return -1; } #endif SCLogError(SC_ERR_OPENING_FILE, "please check the \"reference-config-file\" " "option in your suricata.yaml file"); return -1; } SCRConfParseFile(de_ctx, fd); SCRConfDeInitLocalResources(de_ctx, fd); return 0; }
void RegisterOracle11gParsers(void) { char *proto_name = "oracle11g"; if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", proto_name)) { AppLayerProtoDetectRegisterProtocol(ALPROTO_ORACLE11G, proto_name); if (RunmodeIsUnittests()) { AppLayerProtoDetectPPRegister(IPPROTO_TCP, "1521", ALPROTO_ORACLE11G, 0, ORACLE11G_HEADER_SIZE, /* FIXME */ STREAM_TOSERVER, Oracle11gProbingParser); } else { int have_cfg = AppLayerProtoDetectPPParseConfPorts("tcp", IPPROTO_TCP, proto_name, ALPROTO_ORACLE11G, 0, ORACLE11G_HEADER_SIZE, /* FIXME */ Oracle11gProbingParser); if (!have_cfg) { return; } } } else { SCLogInfo("Protocol detection and parser disabled for %s protocol", proto_name); return; } if (AppLayerParserConfParserEnabled("oracle11g", proto_name)) { AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_ORACLE11G, STREAM_TOSERVER, Oracle11gParseClientRecord); AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_ORACLE11G, STREAM_TOCLIENT, Oracle11gParseServerRecord); AppLayerParserRegisterStateFuncs(IPPROTO_TCP, ALPROTO_ORACLE11G, Oracle11gStateAlloc, Oracle11gStateFree); AppLayerParserRegisterGetTx(IPPROTO_TCP, ALPROTO_ORACLE11G, Oracle11gGetTx); AppLayerParserRegisterGetTxCnt(IPPROTO_TCP, ALPROTO_ORACLE11G, Oracle11gGetTxCnt); AppLayerParserRegisterGetStateProgressCompletionStatus(IPPROTO_TCP, ALPROTO_ORACLE11G, Oracle11gGetAlstateProgressCompletionStatus); AppLayerParserRegisterGetStateProgressFunc(IPPROTO_TCP, ALPROTO_ORACLE11G, Oracle11gGetAlstateProgress); } #ifdef UNITTESTS AppLayerParserRegisterProtocolUnittests(IPPROTO_TCP, ALPROTO_Oracle11G, Oracle11gParserRegisterTests); #endif return; }
void RegisterNFSUDPParsers(void) { const char *proto_name = "nfs"; /* Check if NFS TCP detection is enabled. If it does not exist in * the configuration file then it will be enabled by default. */ if (AppLayerProtoDetectConfProtoDetectionEnabled("udp", proto_name)) { rs_nfs_init(&sfc); SCLogDebug("NFS UDP protocol detection enabled."); AppLayerProtoDetectRegisterProtocol(ALPROTO_NFS, proto_name); if (RunmodeIsUnittests()) { SCLogDebug("Unittest mode, registering default configuration."); AppLayerProtoDetectPPRegister(IPPROTO_UDP, NFS_DEFAULT_PORT, ALPROTO_NFS, 0, NFS_MIN_FRAME_LEN, STREAM_TOSERVER, NFSProbingParserTS, NFSProbingParserTC); } else { if (!AppLayerProtoDetectPPParseConfPorts("udp", IPPROTO_UDP, proto_name, ALPROTO_NFS, 0, NFS_MIN_FRAME_LEN, NFSProbingParserTS, NFSProbingParserTC)) { SCLogDebug("No NFS app-layer configuration, enabling NFS" " detection TCP detection on port %s.", NFS_DEFAULT_PORT); AppLayerProtoDetectPPRegister(IPPROTO_UDP, NFS_DEFAULT_PORT, ALPROTO_NFS, 0, NFS_MIN_FRAME_LEN, STREAM_TOSERVER, NFSProbingParserTS, NFSProbingParserTC); } } } else { SCLogDebug("Protocol detecter and parser disabled for NFS."); return; } if (AppLayerParserConfParserEnabled("udp", proto_name)) { SCLogDebug("Registering NFS protocol parser."); /* Register functions for state allocation and freeing. A * state is allocated for every new NFS flow. */ AppLayerParserRegisterStateFuncs(IPPROTO_UDP, ALPROTO_NFS, NFSStateAlloc, NFSStateFree); /* Register request parser for parsing frame from server to client. */ AppLayerParserRegisterParser(IPPROTO_UDP, ALPROTO_NFS, STREAM_TOSERVER, NFSParseRequest); /* Register response parser for parsing frames from server to client. */ AppLayerParserRegisterParser(IPPROTO_UDP, ALPROTO_NFS, STREAM_TOCLIENT, NFSParseResponse); /* Register a function to be called by the application layer * when a transaction is to be freed. */ AppLayerParserRegisterTxFreeFunc(IPPROTO_UDP, ALPROTO_NFS, NFSStateTxFree); AppLayerParserRegisterLoggerFuncs(IPPROTO_UDP, ALPROTO_NFS, NFSGetTxLogged, NFSSetTxLogged); /* Register a function to return the current transaction count. */ AppLayerParserRegisterGetTxCnt(IPPROTO_UDP, ALPROTO_NFS, NFSGetTxCnt); /* Transaction handling. */ AppLayerParserRegisterGetStateProgressCompletionStatus(ALPROTO_NFS, NFSGetAlstateProgressCompletionStatus); AppLayerParserRegisterGetStateProgressFunc(IPPROTO_UDP, ALPROTO_NFS, NFSGetStateProgress); AppLayerParserRegisterGetTx(IPPROTO_UDP, ALPROTO_NFS, NFSGetTx); AppLayerParserRegisterGetTxIterator(IPPROTO_UDP, ALPROTO_NFS, RustNFSGetTxIterator); AppLayerParserRegisterGetFilesFunc(IPPROTO_UDP, ALPROTO_NFS, NFSGetFiles); /* What is this being registered for? */ AppLayerParserRegisterDetectStateFuncs(IPPROTO_UDP, ALPROTO_NFS, NFSGetTxDetectState, NFSSetTxDetectState); AppLayerParserRegisterGetEventInfo(IPPROTO_UDP, ALPROTO_NFS, NFSStateGetEventInfo); AppLayerParserRegisterGetEventsFunc(IPPROTO_UDP, ALPROTO_NFS, NFSGetEvents); AppLayerParserRegisterDetectFlagsFuncs(IPPROTO_UDP, ALPROTO_NFS, NFSGetDetectFlags, NFSSetDetectFlags); } else { SCLogNotice("NFS protocol parsing disabled."); } #ifdef UNITTESTS AppLayerParserRegisterProtocolUnittests(IPPROTO_UDP, ALPROTO_NFS, NFSUDPParserRegisterTests); #endif }
void RegisterDNSUDPParsers(void) { char *proto_name = "dns"; /** DNS */ if (AppLayerProtoDetectConfProtoDetectionEnabled("udp", proto_name)) { AppLayerProtoDetectRegisterProtocol(ALPROTO_DNS, proto_name); if (RunmodeIsUnittests()) { AppLayerProtoDetectPPRegister(IPPROTO_UDP, "53", ALPROTO_DNS, 0, sizeof(DNSHeader), STREAM_TOSERVER, DNSUdpProbingParser); } else { int have_cfg = AppLayerProtoDetectPPParseConfPorts("udp", IPPROTO_UDP, proto_name, ALPROTO_DNS, 0, sizeof(DNSHeader), DNSUdpProbingParser); /* if we have no config, we enable the default port 53 */ if (!have_cfg) { SCLogWarning(SC_ERR_DNS_CONFIG, "no DNS UDP config found, " "enabling DNS detection on " "port 53."); AppLayerProtoDetectPPRegister(IPPROTO_UDP, "53", ALPROTO_DNS, 0, sizeof(DNSHeader), STREAM_TOSERVER, DNSUdpProbingParser); } } } else { SCLogInfo("Protocol detection and parser disabled for %s protocol.", proto_name); return; } if (AppLayerParserConfParserEnabled("udp", proto_name)) { AppLayerParserRegisterParser(IPPROTO_UDP, ALPROTO_DNS, STREAM_TOSERVER, DNSUDPRequestParse); AppLayerParserRegisterParser(IPPROTO_UDP, ALPROTO_DNS, STREAM_TOCLIENT, DNSUDPResponseParse); AppLayerParserRegisterStateFuncs(IPPROTO_UDP, ALPROTO_DNS, DNSStateAlloc, DNSStateFree); AppLayerParserRegisterTxFreeFunc(IPPROTO_UDP, ALPROTO_DNS, DNSStateTransactionFree); AppLayerParserRegisterGetEventsFunc(IPPROTO_UDP, ALPROTO_DNS, DNSGetEvents); AppLayerParserRegisterHasEventsFunc(IPPROTO_UDP, ALPROTO_DNS, DNSHasEvents); AppLayerParserRegisterGetTx(IPPROTO_UDP, ALPROTO_DNS, DNSGetTx); AppLayerParserRegisterGetTxCnt(IPPROTO_UDP, ALPROTO_DNS, DNSGetTxCnt); AppLayerParserRegisterGetStateProgressFunc(IPPROTO_UDP, ALPROTO_DNS, DNSGetAlstateProgress); AppLayerParserRegisterGetStateProgressCompletionStatus(IPPROTO_UDP, ALPROTO_DNS, DNSGetAlstateProgressCompletionStatus); DNSAppLayerRegisterGetEventInfo(IPPROTO_UDP, ALPROTO_DNS); DNSUDPConfigure(); } else { SCLogInfo("Parsed disabled for %s protocol. Protocol detection" "still on.", proto_name); } #ifdef UNITTESTS AppLayerParserRegisterProtocolUnittests(IPPROTO_UDP, ALPROTO_DNS, DNSUDPParserRegisterTests); #endif }
void RegisterTFTPParsers(void) { const char *proto_name = "tftp"; /* Check if TFTP UDP detection is enabled. If it does not exist in * the configuration file then it will be enabled by default. */ if (AppLayerProtoDetectConfProtoDetectionEnabled("udp", proto_name)) { SCLogDebug("TFTP UDP protocol detection enabled."); AppLayerProtoDetectRegisterProtocol(ALPROTO_TFTP, proto_name); if (RunmodeIsUnittests()) { SCLogDebug("Unittest mode, registeringd default configuration."); AppLayerProtoDetectPPRegister(IPPROTO_UDP, TFTP_DEFAULT_PORT, ALPROTO_TFTP, 0, TFTP_MIN_FRAME_LEN, STREAM_TOSERVER, TFTPProbingParser, NULL); } else { if (!AppLayerProtoDetectPPParseConfPorts("udp", IPPROTO_UDP, proto_name, ALPROTO_TFTP, 0, TFTP_MIN_FRAME_LEN, TFTPProbingParser, NULL)) { SCLogDebug("No echo app-layer configuration, enabling echo" " detection UDP detection on port %s.", TFTP_DEFAULT_PORT); AppLayerProtoDetectPPRegister(IPPROTO_UDP, TFTP_DEFAULT_PORT, ALPROTO_TFTP, 0, TFTP_MIN_FRAME_LEN, STREAM_TOSERVER,TFTPProbingParser, NULL); } } } else { SCLogDebug("Protocol detecter and parser disabled for TFTP."); return; } if (AppLayerParserConfParserEnabled("udp", proto_name)) { SCLogDebug("Registering TFTP protocol parser."); /* Register functions for state allocation and freeing. A * state is allocated for every new TFTP flow. */ AppLayerParserRegisterStateFuncs(IPPROTO_UDP, ALPROTO_TFTP, TFTPStateAlloc, TFTPStateFree); /* Register request parser for parsing frame from server to client. */ AppLayerParserRegisterParser(IPPROTO_UDP, ALPROTO_TFTP, STREAM_TOSERVER, TFTPParseRequest); /* Register response parser for parsing frames from server to client. */ AppLayerParserRegisterParser(IPPROTO_UDP, ALPROTO_TFTP, STREAM_TOCLIENT, TFTPParseResponse); /* Register a function to be called by the application layer * when a transaction is to be freed. */ AppLayerParserRegisterTxFreeFunc(IPPROTO_UDP, ALPROTO_TFTP, TFTPStateTxFree); AppLayerParserRegisterLoggerFuncs(IPPROTO_UDP, ALPROTO_TFTP, TFTPGetTxLogged, TFTPSetTxLogged); /* Register a function to return the current transaction count. */ AppLayerParserRegisterGetTxCnt(IPPROTO_UDP, ALPROTO_TFTP, TFTPGetTxCnt); /* Transaction handling. */ AppLayerParserRegisterGetStateProgressCompletionStatus(ALPROTO_TFTP, TFTPGetAlstateProgressCompletionStatus); AppLayerParserRegisterGetStateProgressFunc(IPPROTO_UDP, ALPROTO_TFTP, TFTPGetStateProgress); AppLayerParserRegisterGetTx(IPPROTO_UDP, ALPROTO_TFTP, TFTPGetTx); /* What is this being registered for? */ AppLayerParserRegisterDetectStateFuncs(IPPROTO_UDP, ALPROTO_TFTP, TFTPGetTxDetectState, TFTPSetTxDetectState); AppLayerParserRegisterGetEventInfo(IPPROTO_UDP, ALPROTO_TFTP, TFTPStateGetEventInfo); AppLayerParserRegisterGetEventsFunc(IPPROTO_UDP, ALPROTO_TFTP, TFTPGetEvents); } else { SCLogDebug("TFTP protocol parsing disabled."); } #ifdef UNITTESTS AppLayerParserRegisterProtocolUnittests(IPPROTO_UDP, ALPROTO_TFTP, TFTPParserRegisterTests); #endif }