OISF · catenacyber · Apr 5, 2024 · Nov 16, 2023 · Nov 16, 2023 · Apr 5, 2024
@@ -253,6 +253,13 @@ pub extern "C" fn rs_init(context: &'static SuricataContext)
     init_ffi(context);
 }
 
+#[no_mangle]
+pub extern "C" fn rs_update_alproto_failed(alproto: AppProto) {
+    unsafe {
+        ALPROTO_FAILED = alproto;
+    }
+}
+
 /// DetectEngineStateFree wrapper.
 pub fn sc_detect_engine_state_free(state: *mut DetectEngineState)
 {

@@ -491,8 +491,8 @@ static inline AppProto PPGetProto(const AppLayerProtoDetectProbingParserElement
         if (AppProtoIsValid(alproto)) {
             SCReturnUInt(alproto);
         }
-        if (alproto == ALPROTO_FAILED ||
-            (pe->max_depth != 0 && buflen > pe->max_depth)) {
+        if (alproto == ALPROTO_FAILED || alproto == ALPROTO_INVALID ||
+                (pe->max_depth != 0 && buflen > pe->max_depth)) {
             alproto_masks[0] |= pe->alproto_mask;
         }
         pe = pe->next;

@@ -55,6 +55,10 @@
 #include "app-layer-rfb.h"
 #include "app-layer-http2.h"
 
+#ifdef ALPROTO_DYNAMIC_NB
+#include "util-plugin.h"
+#endif
+
 struct AppLayerParserThreadCtx_ {
     void *alproto_local_storage[FLOW_PROTO_MAX][ALPROTO_MAX];
 };
@@ -1776,6 +1780,15 @@ void AppLayerParserRegisterProtocolParsers(void)
     } else {
         SCLogInfo("Protocol detection and parser disabled for pop3 protocol.");
     }
+#ifdef ALPROTO_DYNAMIC_NB
+    for (size_t i = 0; i < ALPROTO_DYNAMIC_NB; i++) {
+        SCAppLayerPlugin *app_layer_plugin = SCPluginFindAppLayerByIndex(i);
+        if (app_layer_plugin == NULL) {
+            break;
+        }
+        app_layer_plugin->Register();
+    }
+#endif
 
     ValidateParsers();
 }

@@ -24,13 +24,16 @@
 
 #include "suricata-common.h"
 #include "app-layer-protos.h"
+#include "rust.h"
+
+AppProto ALPROTO_FAILED = ALPROTO_MAX_STATIC;
 
 typedef struct AppProtoStringTuple {
     AppProto alproto;
     const char *str;
 } AppProtoStringTuple;
 
-const AppProtoStringTuple AppProtoStrings[ALPROTO_MAX] = {
+AppProtoStringTuple AppProtoStrings[ALPROTO_MAX] = {
     { ALPROTO_UNKNOWN, "unknown" },
     { ALPROTO_HTTP1, "http1" },
     { ALPROTO_FTP, "ftp" },
@@ -67,10 +70,10 @@ const AppProtoStringTuple AppProtoStrings[ALPROTO_MAX] = {
     { ALPROTO_BITTORRENT_DHT, "bittorrent-dht" },
     { ALPROTO_POP3, "pop3" },
     { ALPROTO_HTTP, "http" },
-    { ALPROTO_FAILED, "failed" },
 #ifdef UNITTESTS
     { ALPROTO_TEST, "test" },
 #endif
+    { ALPROTO_MAX_STATIC, "failed" },
 };
 
 const char *AppProtoToString(AppProto alproto)
@@ -100,9 +103,21 @@ AppProto StringToAppProto(const char *proto_name)
 
     // We could use a Multi Pattern Matcher
     for (size_t i = 0; i < ARRAY_SIZE(AppProtoStrings); i++) {
-        if (strcmp(proto_name, AppProtoStrings[i].str) == 0)
+        if (AppProtoStrings[i].str != NULL && strcmp(proto_name, AppProtoStrings[i].str) == 0)
             return AppProtoStrings[i].alproto;
     }
 
     return ALPROTO_UNKNOWN;
 }
+
+void RegisterAppProtoString(AppProto alproto, const char *proto_name)
+{
+    if (alproto == ALPROTO_FAILED && alproto + 1 < ALPROTO_MAX) {
+        AppProtoStrings[alproto].str = proto_name;
+        AppProtoStrings[alproto].alproto = alproto;
+        ALPROTO_FAILED++;
+        rs_update_alproto_failed(ALPROTO_FAILED);
+        AppProtoStrings[ALPROTO_FAILED].str = "failed";
+        AppProtoStrings[ALPROTO_FAILED].alproto = ALPROTO_FAILED;
+    }
+}
@@ -67,20 +67,24 @@ enum AppProtoEnum {
     // HTTP for any version (ALPROTO_HTTP1 (version 1) or ALPROTO_HTTP2)
     ALPROTO_HTTP,
 
-    /* used by the probing parser when alproto detection fails
-     * permanently for that particular stream */
-    ALPROTO_FAILED,
 #ifdef UNITTESTS
     ALPROTO_TEST,
 #endif /* UNITESTS */
     /* keep last */
-    ALPROTO_MAX,
+    ALPROTO_MAX_STATIC,
+    ALPROTO_INVALID = 0xffff,
 };
 // NOTE: if ALPROTO's get >= 256, update SignatureNonPrefilterStore
 
 /* not using the enum as that is a unsigned int, so 4 bytes */
 typedef uint16_t AppProto;
+extern AppProto ALPROTO_FAILED;
 
+#ifdef ALPROTO_DYNAMIC_NB
+#define ALPROTO_MAX (ALPROTO_MAX_STATIC + 1 + ALPROTO_DYNAMIC_NB)
+#else
+#define ALPROTO_MAX (ALPROTO_MAX_STATIC + 1)
+#endif
 static inline bool AppProtoIsValid(AppProto a)
 {
     return ((a > ALPROTO_UNKNOWN && a < ALPROTO_FAILED));
@@ -119,4 +123,6 @@ const char *AppProtoToString(AppProto alproto);
  */
 AppProto StringToAppProto(const char *proto_name);
 
+void RegisterAppProtoString(AppProto alproto, const char *proto_name);
+
 #endif /* SURICATA_APP_LAYER_PROTOS_H */
@@ -905,42 +905,39 @@ int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *
                 tctx->alpd_tctx, f, p->payload, p->payload_len, IPPROTO_UDP, flags, &reverse_flow);
         PACKET_PROFILING_APP_PD_END(tctx);
 
-        switch (*alproto) {
-            case ALPROTO_UNKNOWN:
-                if (*alproto_otherdir != ALPROTO_UNKNOWN) {
-                    // Use recognized side
-                    f->alproto = *alproto_otherdir;
-                    // do not keep ALPROTO_UNKNOWN for this side so as not to loop
-                    *alproto = *alproto_otherdir;
-                    if (*alproto_otherdir == ALPROTO_FAILED) {
-                        SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
-                    }
-                } else {
-                    // First side of protocol is unknown
-                    *alproto = ALPROTO_FAILED;
+        if (*alproto == ALPROTO_UNKNOWN) {
+            if (*alproto_otherdir != ALPROTO_UNKNOWN) {
+                // Use recognized side
+                f->alproto = *alproto_otherdir;
+                // do not keep ALPROTO_UNKNOWN for this side so as not to loop
+                *alproto = *alproto_otherdir;
+                if (*alproto_otherdir == ALPROTO_FAILED) {
+                    SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
                 }
-                break;
-            case ALPROTO_FAILED:
-                if (*alproto_otherdir != ALPROTO_UNKNOWN) {
-                    // Use recognized side
-                    f->alproto = *alproto_otherdir;
-                    if (*alproto_otherdir == ALPROTO_FAILED) {
-                        SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
-                    }
+            } else {
+                // First side of protocol is unknown
+                *alproto = ALPROTO_FAILED;
+            }
+        } else if (*alproto == ALPROTO_FAILED) {
+            if (*alproto_otherdir != ALPROTO_UNKNOWN) {
+                // Use recognized side
+                f->alproto = *alproto_otherdir;
+                if (*alproto_otherdir == ALPROTO_FAILED) {
+                    SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
                 }
-                // else wait for second side of protocol
-                break;
-            default:
-                if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != ALPROTO_FAILED) {
-                    if (*alproto_otherdir != *alproto) {
-                        AppLayerDecoderEventsSetEventRaw(
-                                &p->app_layer_events, APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS);
-                        // data already sent to parser, we cannot change the protocol to use the one
-                        // of the server
-                    }
-                } else {
-                    f->alproto = *alproto;
+            }
+            // else wait for second side of protocol
+        } else {
+            if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != ALPROTO_FAILED) {
+                if (*alproto_otherdir != *alproto) {
+                    AppLayerDecoderEventsSetEventRaw(
+                            &p->app_layer_events, APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS);
+                    // data already sent to parser, we cannot change the protocol to use the one
+                    // of the server
                 }
+            } else {
+                f->alproto = *alproto;
+            }
         }
         if (*alproto_otherdir == ALPROTO_UNKNOWN) {
             if (f->alproto == ALPROTO_UNKNOWN) {

@@ -201,6 +201,22 @@ ConfNode *ConfGetNode(const char *name)
     return node;
 }
 
+ConfNode * ConfGetFirstNode(const ConfNode *parent) {
+    return TAILQ_FIRST(&parent->head);
+}
+
+ConfNode * ConfGetNextNode(const ConfNode *node) {
+    return TAILQ_NEXT(node, next);
+}
+
+const char * ConfGetNameNode(const ConfNode *node) {
+    return node->name;
+}
+
+const char * ConfGetValueNode(const ConfNode *node) {
+    return node->val;
+}
+
 /**
  * \brief Get the root configuration node.
  */

@@ -84,6 +84,11 @@ void ConfNodePrune(ConfNode *node);
 int ConfRemove(const char *name);
 bool ConfNodeHasChildren(const ConfNode *node);
 
+ConfNode * ConfGetFirstNode(const ConfNode *parent);
+ConfNode * ConfGetNextNode(const ConfNode *node);
+const char * ConfGetNameNode(const ConfNode *node);
+const char * ConfGetValueNode(const ConfNode *node);
+
 ConfNode *ConfGetChildWithDefault(const ConfNode *base, const ConfNode *dflt, const char *name);
 ConfNode *ConfNodeLookupKeyValue(const ConfNode *base, const char *key, const char *value);
 int ConfGetChildValue(const ConfNode *base, const char *name, const char **vptr);

@@ -28,4 +28,15 @@ uint8_t DetectFileInspectGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
         const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
         uint8_t flags, void *_alstate, void *tx, uint64_t tx_id);
 
+// file protocols with common file handling
+typedef struct {
+    AppProto al_proto;
+    int direction;
+    int to_client_progress;
+    int to_server_progress;
+} DetectFileHandlerProtocol_t;
+
+void DetectFileRegisterProto(
+        AppProto alproto, int direction, int to_client_progress, int to_server_progress);
+
 #endif /* SURICATA_DETECT_ENGINE_FILE_H */
@@ -28,6 +28,7 @@
 #include "detect-engine-mpm.h"
 #include "detect-engine-prefilter.h"
 #include "detect-parse.h"
+#include "detect-engine-content-inspection.h"
 
 int DetectHelperBufferRegister(const char *name, AppProto alproto, bool toclient, bool toserver)
 {
@@ -84,24 +85,72 @@ int DetectHelperKeywordRegister(const SCSigTableElmt *kw)
 {
     if (DETECT_TBLSIZE_IDX >= DETECT_TBLSIZE) {
         void *tmp = SCRealloc(
-                sigmatch_table, (DETECT_TBLSIZE + DETECT_TBLSIZE_STEP) * sizeof(SigTableElmt));
+                              sigmatch_table, (DETECT_TBLSIZE + DETECT_TBLSIZE_STEP) * sizeof(SigTableElmt));
         if (unlikely(tmp == NULL)) {
             return -1;
         }
         sigmatch_table = tmp;
         DETECT_TBLSIZE += DETECT_TBLSIZE_STEP;
     }
-
+    
     sigmatch_table[DETECT_TBLSIZE_IDX].name = kw->name;
     sigmatch_table[DETECT_TBLSIZE_IDX].desc = kw->desc;
     sigmatch_table[DETECT_TBLSIZE_IDX].url = kw->url;
     sigmatch_table[DETECT_TBLSIZE_IDX].flags = kw->flags;
     sigmatch_table[DETECT_TBLSIZE_IDX].AppLayerTxMatch =
-            (int (*)(DetectEngineThreadCtx * det_ctx, Flow * f, uint8_t flags, void *alstate,
-                    void *txv, const Signature *s, const SigMatchCtx *ctx)) kw->AppLayerTxMatch;
+    (int (*)(DetectEngineThreadCtx * det_ctx, Flow * f, uint8_t flags, void *alstate,
+             void *txv, const Signature *s, const SigMatchCtx *ctx)) kw->AppLayerTxMatch;
     sigmatch_table[DETECT_TBLSIZE_IDX].Setup =
-            (int (*)(DetectEngineCtx * de, Signature * s, const char *raw)) kw->Setup;
+    (int (*)(DetectEngineCtx * de, Signature * s, const char *raw)) kw->Setup;
     sigmatch_table[DETECT_TBLSIZE_IDX].Free = (void (*)(DetectEngineCtx * de, void *ptr)) kw->Free;
     DETECT_TBLSIZE_IDX++;
     return DETECT_TBLSIZE_IDX - 1;
 }
+
+int DetectHelperTransformRegister(const SCPluginTransformTableElmt *kw)
+{
+    if (DETECT_TBLSIZE_IDX < DETECT_TBLSIZE) {
+        sigmatch_table[DETECT_TBLSIZE_IDX].name = kw->name;
+        sigmatch_table[DETECT_TBLSIZE_IDX].desc = kw->desc;
+        sigmatch_table[DETECT_TBLSIZE_IDX].flags = kw->flags;
+        sigmatch_table[DETECT_TBLSIZE_IDX].Transform = kw->Transform;
+        sigmatch_table[DETECT_TBLSIZE_IDX].Setup = kw->Setup;
+        sigmatch_table[DETECT_TBLSIZE_IDX].Free = kw->Free;
+        DETECT_TBLSIZE_IDX++;
+        return DETECT_TBLSIZE_IDX - 1;
+    }
+    return -1;
+}
+
+InspectionBuffer *DetectHelperGetMultiData(struct DetectEngineThreadCtx_ *det_ctx,
+        const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv,
+        const int list_id, uint32_t index,
+        bool (*GetBuf)(void *txv, const uint8_t flow_flags, uint32_t index, const uint8_t **buf, uint32_t *buf_len))
+{
+    InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, index);
+    if (buffer == NULL) {
+        return NULL;
+    }
+    if (buffer->initialized) {
+        return buffer;
+    }
+
+    const uint8_t *data = NULL;
+    uint32_t data_len = 0;
+
+    if (!GetBuf(txv, flow_flags, index, &data, &data_len)) {
+        InspectionBufferSetupMultiEmpty(buffer);
+        return NULL;
+    }
+    InspectionBufferSetupMulti(buffer, transforms, data, data_len);
+    buffer->flags = DETECT_CI_FLAGS_SINGLE;
+    return buffer;
+}
+
+uint8_t * InspectionBufferPtr(InspectionBuffer *buf) {
+    return buf->inspect;
+}
+
+uint32_t InspectionBufferLength(InspectionBuffer *buf) {
+    return buf->inspect_len;
+}
@@ -29,13 +29,33 @@
 #include "rust.h"
 
 int DetectHelperKeywordRegister(const SCSigTableElmt *kw);
+
+typedef struct SCPluginTransformTableElmt {
+    const char *name;
+    const char *desc;
+    uint16_t flags;
+    int (*Setup)(DetectEngineCtx *, Signature *, const char *);
+    void (*Free)(DetectEngineCtx *, void *);
+    void (*Transform)(InspectionBuffer *buffer, void *options);
+} SCPluginTransformTableElmt;
+
+int DetectHelperTransformRegister(const SCPluginTransformTableElmt *kw);
 int DetectHelperBufferRegister(const char *name, AppProto alproto, bool toclient, bool toserver);
 
 typedef bool (*SimpleGetTxBuffer)(void *, uint8_t, const uint8_t **, uint32_t *);
+typedef bool (*MultiGetTxBuffer)(void *, uint8_t, uint32_t, const uint8_t **, uint32_t *);
+
 InspectionBuffer *DetectHelperGetData(struct DetectEngineThreadCtx_ *det_ctx,
         const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv,
         const int list_id, SimpleGetTxBuffer GetBuf);
 int DetectHelperBufferMpmRegister(const char *name, const char *desc, AppProto alproto,
         bool toclient, bool toserver, InspectionBufferGetDataPtr GetData);
 
+InspectionBuffer *DetectHelperGetMultiData(struct DetectEngineThreadCtx_ *det_ctx,
+        const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv,
+        const int list_id, uint32_t index, MultiGetTxBuffer GetBuf);
+
+uint8_t * InspectionBufferPtr(InspectionBuffer *buf);
+uint32_t InspectionBufferLength(InspectionBuffer *buf);
+
 #endif /* SURICATA_DETECT_ENGINE_HELPER_H */