void AppLayerParserRegisterProtocolParsers(void) { SCEnter(); RegisterHTPParsers(); RegisterSSLParsers(); RegisterSMBParsers(); /** \todo bug 719 */ //RegisterSMB2Parsers(); RegisterDCERPCParsers(); RegisterDCERPCUDPParsers(); RegisterFTPParsers(); /* we are disabling the ssh parser temporarily, since we are moving away * from some of the archaic features we use in the app layer. We will * reintroduce this parser. Also do note that keywords that rely on * the ssh parser would now be disabled */ #if 0 RegisterSSHParsers(); #endif RegisterSMTPParsers(); RegisterDNSUDPParsers(); RegisterDNSTCPParsers(); /** IMAP */ AppLayerProtoDetectRegisterProtocol(ALPROTO_IMAP, "imap"); if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", "imap")) { if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_IMAP, "1|20|capability", 12, 0, STREAM_TOSERVER) < 0) { SCLogInfo("imap proto registration failure\n"); exit(EXIT_FAILURE); } } else { SCLogInfo("Protocol detection and parser disabled for %s protocol.", "imap"); } /** MSN Messenger */ AppLayerProtoDetectRegisterProtocol(ALPROTO_MSN, "msn"); if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", "msn")) { if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_MSN, "msn", 10, 6, STREAM_TOSERVER) < 0) { SCLogInfo("msn proto registration failure\n"); exit(EXIT_FAILURE); } } else { SCLogInfo("Protocol detection and parser disabled for %s protocol.", "msn"); } return; }
void AppLayerParserRegisterProtocolParsers(void) { SCEnter(); RegisterHTPParsers(); RegisterSSLParsers(); RegisterSMBParsers(); /** \todo bug 719 */ //RegisterSMB2Parsers(); RegisterDCERPCParsers(); RegisterDCERPCUDPParsers(); RegisterFTPParsers(); RegisterSSHParsers(); RegisterSMTPParsers(); RegisterDNSUDPParsers(); RegisterDNSTCPParsers(); RegisterModbusParsers(); RegisterENIPUDPParsers(); RegisterENIPTCPParsers(); RegisterDNP3Parsers(); RegisterTemplateParsers(); /** IMAP */ AppLayerProtoDetectRegisterProtocol(ALPROTO_IMAP, "imap"); if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", "imap")) { if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_IMAP, "1|20|capability", 12, 0, STREAM_TOSERVER) < 0) { SCLogInfo("imap proto registration failure\n"); exit(EXIT_FAILURE); } } else { SCLogInfo("Protocol detection and parser disabled for %s protocol.", "imap"); } /** MSN Messenger */ AppLayerProtoDetectRegisterProtocol(ALPROTO_MSN, "msn"); if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", "msn")) { if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_MSN, "msn", 10, 6, STREAM_TOSERVER) < 0) { SCLogInfo("msn proto registration failure\n"); exit(EXIT_FAILURE); } } else { SCLogInfo("Protocol detection and parser disabled for %s protocol.", "msn"); } return; }
void RegisterMSSqlParsers(void) { char *proto_name = "mssql"; if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", proto_name)) { AppLayerProtoDetectRegisterProtocol(ALPROTO_MSSQL, proto_name); if (RunmodeIsUnittests()) { AppLayerProtoDetectPPRegister( IPPROTO_TCP, "1443", ALPROTO_MSSQL, 0, sizeof(TDSHeader), STREAM_TOSERVER, MSSqlProbingParser); } else { int have_cfg = AppLayerProtoDetectPPParseConfPorts("tcp", IPPROTO_TCP, proto_name, ALPROTO_MSSQL, 0, sizeof(TDSHeader), MSSqlProbingParser); /* if not configured, enable the default 3306 port */ if (!have_cfg) { return; } } } else { SCLogInfo("Protocol detection and parser disabled for %s protocol", proto_name); return; } if (AppLayerParserConfParserEnabled("tcp", proto_name)) { AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_MSSQL, STREAM_TOSERVER, TDSParseClientRecord); AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_MSSQL, STREAM_TOCLIENT, TDSParseServerRecord); AppLayerParserRegisterStateFuncs(IPPROTO_TCP, ALPROTO_MSSQL, TDSStateAlloc, TDSStateFree); /* TODO: should we add get/has event callbacks? */ AppLayerParserRegisterGetTx(IPPROTO_TCP, ALPROTO_MSSQL, TDSGetTx); AppLayerParserRegisterGetTxCnt(IPPROTO_TCP, ALPROTO_MSSQL, TDSGetTxCnt); AppLayerParserRegisterGetStateProgressCompletionStatus(IPPROTO_TCP, ALPROTO_MSSQL, TDSGetAlstateProgressCompletionStatus); AppLayerParserRegisterGetStateProgressFunc(IPPROTO_TCP, ALPROTO_MSSQL, TDSGetAlstateProgress); } #ifdef UNITTESTS AppLayerParserRegisterProtocolUnittests(IPPROTO_TCP, ALPROTO_MSSQL, TDSParserRegisterTests); #endif return; }
void RegisterSMB2Parsers(void) { /** SMB2 */ const char *proto_name = "smb2"; if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", proto_name)) { AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_SMB2, STREAM_TOSERVER, SMB2Parse); AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_SMB2, STREAM_TOCLIENT, SMB2Parse); AppLayerParserRegisterStateFuncs(IPPROTO_TCP, ALPROTO_SMB2, SMB2StateAlloc, SMB2StateFree); } else { SCLogInfo("Parsed disabled for %s protocol. Protocol detection" "still on.", proto_name); } #ifdef UNITTESTS AppLayerParserRegisterProtocolUnittests(IPPROTO_TCP, ALPROTO_SMB2, SMB2ParserRegisterTests); #endif return; }
void RegisterOracle11gParsers(void) { char *proto_name = "oracle11g"; if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", proto_name)) { AppLayerProtoDetectRegisterProtocol(ALPROTO_ORACLE11G, proto_name); if (RunmodeIsUnittests()) { AppLayerProtoDetectPPRegister(IPPROTO_TCP, "1521", ALPROTO_ORACLE11G, 0, ORACLE11G_HEADER_SIZE, /* FIXME */ STREAM_TOSERVER, Oracle11gProbingParser); } else { int have_cfg = AppLayerProtoDetectPPParseConfPorts("tcp", IPPROTO_TCP, proto_name, ALPROTO_ORACLE11G, 0, ORACLE11G_HEADER_SIZE, /* FIXME */ Oracle11gProbingParser); if (!have_cfg) { return; } } } else { SCLogInfo("Protocol detection and parser disabled for %s protocol", proto_name); return; } if (AppLayerParserConfParserEnabled("oracle11g", proto_name)) { AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_ORACLE11G, STREAM_TOSERVER, Oracle11gParseClientRecord); AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_ORACLE11G, STREAM_TOCLIENT, Oracle11gParseServerRecord); AppLayerParserRegisterStateFuncs(IPPROTO_TCP, ALPROTO_ORACLE11G, Oracle11gStateAlloc, Oracle11gStateFree); AppLayerParserRegisterGetTx(IPPROTO_TCP, ALPROTO_ORACLE11G, Oracle11gGetTx); AppLayerParserRegisterGetTxCnt(IPPROTO_TCP, ALPROTO_ORACLE11G, Oracle11gGetTxCnt); AppLayerParserRegisterGetStateProgressCompletionStatus(IPPROTO_TCP, ALPROTO_ORACLE11G, Oracle11gGetAlstateProgressCompletionStatus); AppLayerParserRegisterGetStateProgressFunc(IPPROTO_TCP, ALPROTO_ORACLE11G, Oracle11gGetAlstateProgress); } #ifdef UNITTESTS AppLayerParserRegisterProtocolUnittests(IPPROTO_TCP, ALPROTO_Oracle11G, Oracle11gParserRegisterTests); #endif return; }
void RegisterNFSUDPParsers(void) { const char *proto_name = "nfs"; /* Check if NFS TCP detection is enabled. If it does not exist in * the configuration file then it will be enabled by default. */ if (AppLayerProtoDetectConfProtoDetectionEnabled("udp", proto_name)) { rs_nfs_init(&sfc); SCLogDebug("NFS UDP protocol detection enabled."); AppLayerProtoDetectRegisterProtocol(ALPROTO_NFS, proto_name); if (RunmodeIsUnittests()) { SCLogDebug("Unittest mode, registering default configuration."); AppLayerProtoDetectPPRegister(IPPROTO_UDP, NFS_DEFAULT_PORT, ALPROTO_NFS, 0, NFS_MIN_FRAME_LEN, STREAM_TOSERVER, NFSProbingParserTS, NFSProbingParserTC); } else { if (!AppLayerProtoDetectPPParseConfPorts("udp", IPPROTO_UDP, proto_name, ALPROTO_NFS, 0, NFS_MIN_FRAME_LEN, NFSProbingParserTS, NFSProbingParserTC)) { SCLogDebug("No NFS app-layer configuration, enabling NFS" " detection TCP detection on port %s.", NFS_DEFAULT_PORT); AppLayerProtoDetectPPRegister(IPPROTO_UDP, NFS_DEFAULT_PORT, ALPROTO_NFS, 0, NFS_MIN_FRAME_LEN, STREAM_TOSERVER, NFSProbingParserTS, NFSProbingParserTC); } } } else { SCLogDebug("Protocol detecter and parser disabled for NFS."); return; } if (AppLayerParserConfParserEnabled("udp", proto_name)) { SCLogDebug("Registering NFS protocol parser."); /* Register functions for state allocation and freeing. A * state is allocated for every new NFS flow. */ AppLayerParserRegisterStateFuncs(IPPROTO_UDP, ALPROTO_NFS, NFSStateAlloc, NFSStateFree); /* Register request parser for parsing frame from server to client. */ AppLayerParserRegisterParser(IPPROTO_UDP, ALPROTO_NFS, STREAM_TOSERVER, NFSParseRequest); /* Register response parser for parsing frames from server to client. */ AppLayerParserRegisterParser(IPPROTO_UDP, ALPROTO_NFS, STREAM_TOCLIENT, NFSParseResponse); /* Register a function to be called by the application layer * when a transaction is to be freed. */ AppLayerParserRegisterTxFreeFunc(IPPROTO_UDP, ALPROTO_NFS, NFSStateTxFree); AppLayerParserRegisterLoggerFuncs(IPPROTO_UDP, ALPROTO_NFS, NFSGetTxLogged, NFSSetTxLogged); /* Register a function to return the current transaction count. */ AppLayerParserRegisterGetTxCnt(IPPROTO_UDP, ALPROTO_NFS, NFSGetTxCnt); /* Transaction handling. */ AppLayerParserRegisterGetStateProgressCompletionStatus(ALPROTO_NFS, NFSGetAlstateProgressCompletionStatus); AppLayerParserRegisterGetStateProgressFunc(IPPROTO_UDP, ALPROTO_NFS, NFSGetStateProgress); AppLayerParserRegisterGetTx(IPPROTO_UDP, ALPROTO_NFS, NFSGetTx); AppLayerParserRegisterGetTxIterator(IPPROTO_UDP, ALPROTO_NFS, RustNFSGetTxIterator); AppLayerParserRegisterGetFilesFunc(IPPROTO_UDP, ALPROTO_NFS, NFSGetFiles); /* What is this being registered for? */ AppLayerParserRegisterDetectStateFuncs(IPPROTO_UDP, ALPROTO_NFS, NFSGetTxDetectState, NFSSetTxDetectState); AppLayerParserRegisterGetEventInfo(IPPROTO_UDP, ALPROTO_NFS, NFSStateGetEventInfo); AppLayerParserRegisterGetEventsFunc(IPPROTO_UDP, ALPROTO_NFS, NFSGetEvents); AppLayerParserRegisterDetectFlagsFuncs(IPPROTO_UDP, ALPROTO_NFS, NFSGetDetectFlags, NFSSetDetectFlags); } else { SCLogNotice("NFS protocol parsing disabled."); } #ifdef UNITTESTS AppLayerParserRegisterProtocolUnittests(IPPROTO_UDP, ALPROTO_NFS, NFSUDPParserRegisterTests); #endif }
void RegisterDNSUDPParsers(void) { char *proto_name = "dns"; /** DNS */ if (AppLayerProtoDetectConfProtoDetectionEnabled("udp", proto_name)) { AppLayerProtoDetectRegisterProtocol(ALPROTO_DNS, proto_name); if (RunmodeIsUnittests()) { AppLayerProtoDetectPPRegister(IPPROTO_UDP, "53", ALPROTO_DNS, 0, sizeof(DNSHeader), STREAM_TOSERVER, DNSUdpProbingParser); } else { int have_cfg = AppLayerProtoDetectPPParseConfPorts("udp", IPPROTO_UDP, proto_name, ALPROTO_DNS, 0, sizeof(DNSHeader), DNSUdpProbingParser); /* if we have no config, we enable the default port 53 */ if (!have_cfg) { SCLogWarning(SC_ERR_DNS_CONFIG, "no DNS UDP config found, " "enabling DNS detection on " "port 53."); AppLayerProtoDetectPPRegister(IPPROTO_UDP, "53", ALPROTO_DNS, 0, sizeof(DNSHeader), STREAM_TOSERVER, DNSUdpProbingParser); } } } else { SCLogInfo("Protocol detection and parser disabled for %s protocol.", proto_name); return; } if (AppLayerParserConfParserEnabled("udp", proto_name)) { AppLayerParserRegisterParser(IPPROTO_UDP, ALPROTO_DNS, STREAM_TOSERVER, DNSUDPRequestParse); AppLayerParserRegisterParser(IPPROTO_UDP, ALPROTO_DNS, STREAM_TOCLIENT, DNSUDPResponseParse); AppLayerParserRegisterStateFuncs(IPPROTO_UDP, ALPROTO_DNS, DNSStateAlloc, DNSStateFree); AppLayerParserRegisterTxFreeFunc(IPPROTO_UDP, ALPROTO_DNS, DNSStateTransactionFree); AppLayerParserRegisterGetEventsFunc(IPPROTO_UDP, ALPROTO_DNS, DNSGetEvents); AppLayerParserRegisterHasEventsFunc(IPPROTO_UDP, ALPROTO_DNS, DNSHasEvents); AppLayerParserRegisterGetTx(IPPROTO_UDP, ALPROTO_DNS, DNSGetTx); AppLayerParserRegisterGetTxCnt(IPPROTO_UDP, ALPROTO_DNS, DNSGetTxCnt); AppLayerParserRegisterGetStateProgressFunc(IPPROTO_UDP, ALPROTO_DNS, DNSGetAlstateProgress); AppLayerParserRegisterGetStateProgressCompletionStatus(IPPROTO_UDP, ALPROTO_DNS, DNSGetAlstateProgressCompletionStatus); DNSAppLayerRegisterGetEventInfo(IPPROTO_UDP, ALPROTO_DNS); DNSUDPConfigure(); } else { SCLogInfo("Parsed disabled for %s protocol. Protocol detection" "still on.", proto_name); } #ifdef UNITTESTS AppLayerParserRegisterProtocolUnittests(IPPROTO_UDP, ALPROTO_DNS, DNSUDPParserRegisterTests); #endif }
void RegisterTFTPParsers(void) { const char *proto_name = "tftp"; /* Check if TFTP UDP detection is enabled. If it does not exist in * the configuration file then it will be enabled by default. */ if (AppLayerProtoDetectConfProtoDetectionEnabled("udp", proto_name)) { SCLogDebug("TFTP UDP protocol detection enabled."); AppLayerProtoDetectRegisterProtocol(ALPROTO_TFTP, proto_name); if (RunmodeIsUnittests()) { SCLogDebug("Unittest mode, registeringd default configuration."); AppLayerProtoDetectPPRegister(IPPROTO_UDP, TFTP_DEFAULT_PORT, ALPROTO_TFTP, 0, TFTP_MIN_FRAME_LEN, STREAM_TOSERVER, TFTPProbingParser, NULL); } else { if (!AppLayerProtoDetectPPParseConfPorts("udp", IPPROTO_UDP, proto_name, ALPROTO_TFTP, 0, TFTP_MIN_FRAME_LEN, TFTPProbingParser, NULL)) { SCLogDebug("No echo app-layer configuration, enabling echo" " detection UDP detection on port %s.", TFTP_DEFAULT_PORT); AppLayerProtoDetectPPRegister(IPPROTO_UDP, TFTP_DEFAULT_PORT, ALPROTO_TFTP, 0, TFTP_MIN_FRAME_LEN, STREAM_TOSERVER,TFTPProbingParser, NULL); } } } else { SCLogDebug("Protocol detecter and parser disabled for TFTP."); return; } if (AppLayerParserConfParserEnabled("udp", proto_name)) { SCLogDebug("Registering TFTP protocol parser."); /* Register functions for state allocation and freeing. A * state is allocated for every new TFTP flow. */ AppLayerParserRegisterStateFuncs(IPPROTO_UDP, ALPROTO_TFTP, TFTPStateAlloc, TFTPStateFree); /* Register request parser for parsing frame from server to client. */ AppLayerParserRegisterParser(IPPROTO_UDP, ALPROTO_TFTP, STREAM_TOSERVER, TFTPParseRequest); /* Register response parser for parsing frames from server to client. */ AppLayerParserRegisterParser(IPPROTO_UDP, ALPROTO_TFTP, STREAM_TOCLIENT, TFTPParseResponse); /* Register a function to be called by the application layer * when a transaction is to be freed. */ AppLayerParserRegisterTxFreeFunc(IPPROTO_UDP, ALPROTO_TFTP, TFTPStateTxFree); AppLayerParserRegisterLoggerFuncs(IPPROTO_UDP, ALPROTO_TFTP, TFTPGetTxLogged, TFTPSetTxLogged); /* Register a function to return the current transaction count. */ AppLayerParserRegisterGetTxCnt(IPPROTO_UDP, ALPROTO_TFTP, TFTPGetTxCnt); /* Transaction handling. */ AppLayerParserRegisterGetStateProgressCompletionStatus(ALPROTO_TFTP, TFTPGetAlstateProgressCompletionStatus); AppLayerParserRegisterGetStateProgressFunc(IPPROTO_UDP, ALPROTO_TFTP, TFTPGetStateProgress); AppLayerParserRegisterGetTx(IPPROTO_UDP, ALPROTO_TFTP, TFTPGetTx); /* What is this being registered for? */ AppLayerParserRegisterDetectStateFuncs(IPPROTO_UDP, ALPROTO_TFTP, TFTPGetTxDetectState, TFTPSetTxDetectState); AppLayerParserRegisterGetEventInfo(IPPROTO_UDP, ALPROTO_TFTP, TFTPStateGetEventInfo); AppLayerParserRegisterGetEventsFunc(IPPROTO_UDP, ALPROTO_TFTP, TFTPGetEvents); } else { SCLogDebug("TFTP protocol parsing disabled."); } #ifdef UNITTESTS AppLayerParserRegisterProtocolUnittests(IPPROTO_UDP, ALPROTO_TFTP, TFTPParserRegisterTests); #endif }