suricata
app-layer-events.c
1/* Copyright (C) 2014-2024 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \file
20 *
21 * \author Victor Julien <victor@inliniac.net>
22 * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23 */
24
25#include "app-layer-events.h"
26#include "util-enum.h"
27
/**
 * \brief Look up the numeric id of an event by its name.
 *
 * \param event_name Name to search for in \a table.
 * \param table      Name/value map handed to SCMapEnumNameToValue().
 * \param event_id   Output; written only when the lookup succeeds.
 *
 * \retval 0  \a event_id holds the mapped value.
 * \retval -1 the name is not in the table, or its value does not fit in a
 *            uint8_t. An error is logged and \a event_id is left untouched.
 */
int SCAppLayerGetEventIdByName(const char *event_name, SCEnumCharMap *table, uint8_t *event_id)
{
    const int mapped = SCMapEnumNameToValue(event_name, table);

    if (mapped == -1) {
        /* callers should treat this as fatal */
        SCLogError("event \"%s\" not present in enum table.", event_name);
        return -1;
    }

    /* Range-check before narrowing: the map yields an int while the id is
     * 8 bits wide, so an unchecked cast could alias a different event id. */
    if (mapped < 0 || mapped > UINT8_MAX) {
        /* callers should treat this as fatal */
        SCLogError("event \"%s\" has out of range value", event_name);
        return -1;
    }

    *event_id = (uint8_t)mapped;
    return 0;
}
43
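/* Events raised during protocol detection are stored in the
 * packet's storage, not in the flow.
 *
 * Each entry maps the event name to the enum constant of the same name.
 * The final { NULL, -1 } entry closes the table. */
SCEnumCharMap app_layer_event_pkt_table[] = {
    { "APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS",
            APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS },
    { "APPLAYER_WRONG_DIRECTION_FIRST_DATA",
            APPLAYER_WRONG_DIRECTION_FIRST_DATA },
    { "APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION",
            APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION },
    { "APPLAYER_PROTO_DETECTION_SKIPPED",
            APPLAYER_PROTO_DETECTION_SKIPPED },
    { "APPLAYER_NO_TLS_AFTER_STARTTLS",
            APPLAYER_NO_TLS_AFTER_STARTTLS },
    { "APPLAYER_UNEXPECTED_PROTOCOL",
            APPLAYER_UNEXPECTED_PROTOCOL },
    { NULL,
            -1 },
};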
62
/**
 * \brief Resolve a packet-level app-layer event id to its name and type.
 *
 * \param event_id   Id to look up in app_layer_event_pkt_table.
 * \param event_name Output; receives the lookup result, which is NULL when
 *                   the id is unknown.
 * \param event_type Output; set to APP_LAYER_EVENT_TYPE_PACKET on success
 *                   and not written on failure.
 *
 * \retval 0  the id was found.
 * \retval -1 the id is not in the table; an error is logged.
 */
int AppLayerGetEventInfoById(
        uint8_t event_id, const char **event_name, AppLayerEventType *event_type)
{
    const char *name = SCMapEnumValueToName(event_id, app_layer_event_pkt_table);

    /* The output is written even on a miss, so it is NULL in that case. */
    *event_name = name;

    if (name != NULL) {
        *event_type = APP_LAYER_EVENT_TYPE_PACKET;
        return 0;
    }

    /* yes this is fatal */
    SCLogError("event \"%d\" not present in "
               "app-layer-event's enum map table.",
            event_id);
    return -1;
}
79
/**
 * \brief Look up a packet-level app-layer event id by name.
 *
 * Thin wrapper that runs SCAppLayerGetEventIdByName() against
 * app_layer_event_pkt_table.
 *
 * \param event_name Name to look up.
 * \param event_id   Output; written only on success.
 *
 * \retval 0  found, \a event_id is set.
 * \retval -1 unknown name or out-of-range value.
 */
int AppLayerGetPktEventInfo(const char *event_name, uint8_t *event_id)
{
    SCEnumCharMap *pkt_events = app_layer_event_pkt_table;

    return SCAppLayerGetEventIdByName(event_name, pkt_events, event_id);
}
84
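/* Number of slots the events buffer grows by each time it fills up. */
#define DECODER_EVENTS_BUFFER_STEPS 8

/**
 * \brief Set an app layer decoder event.
 *
 * The event is appended to the container's buffer. The container holds at
 * most UCHAR_MAX events. Once that limit is reached, or when an allocation
 * fails, the event is dropped and the function returns without signalling
 * the caller (the return type is void).
 *
 * \param sevents Pointer to an AppLayerDecoderEvents pointer. If *sevents is
 *                NULL, memory will be allocated and stored through it.
 * \param event   The event to be stored.
 */
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
{
    if (*sevents == NULL) {
        AppLayerDecoderEvents *new_devents = SCCalloc(1, sizeof(AppLayerDecoderEvents));
        if (new_devents == NULL)
            return;

        *sevents = new_devents;
    }

    AppLayerDecoderEvents *devents = *sevents;

    if (devents->cnt == UCHAR_MAX) {
        /* we're full */
        return;
    }

    if (devents->cnt == devents->events_buffer_size) {
        int steps = DECODER_EVENTS_BUFFER_STEPS;

        /* Clamp the growth to the remaining headroom so the buffer never
         * exceeds UCHAR_MAX slots. The clamp must assign the headroom itself:
         * assigning the result of the comparison would make steps 1 and
         * force a realloc for every remaining event.
         * NOTE(review): cnt and events_buffer_size look like 8-bit counters;
         * confirm against the AppLayerDecoderEvents definition. */
        if (UCHAR_MAX - devents->cnt < steps)
            steps = UCHAR_MAX - devents->cnt;

        void *ptr = SCRealloc(devents->events, (devents->cnt + steps) * sizeof(uint8_t));
        if (ptr == NULL) {
            /* couldn't grow buffer, but no reason to free old
             * so we keep the events that may already be here */
            return;
        }
        devents->events = ptr;
        devents->events_buffer_size += steps;
    }

    devents->events[devents->cnt++] = event;
}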
126
/**
 * \brief Mark an events container as empty without releasing its storage.
 *
 * Only the event count and the last-logged marker are cleared. The events
 * buffer is neither freed nor zeroed here.
 *
 * \param events Container to reset; NULL is accepted and ignored.
 */
void AppLayerDecoderEventsResetEvents(AppLayerDecoderEvents *events)
{
    if (events == NULL) {
        return;
    }

    events->event_last_logged = 0;
    events->cnt = 0;
}
134
135
/**
 * \brief Release an events container and its events buffer.
 *
 * \param events Address of the container pointer. A NULL argument or a NULL
 *               container is ignored. On return *events is NULL, so a
 *               repeated call cannot free the same memory twice.
 */
void AppLayerDecoderEventsFreeEvents(AppLayerDecoderEvents **events)
{
    if (events == NULL || *events == NULL) {
        return;
    }

    /* free the inner buffer first, then the container that owns it */
    if ((*events)->events != NULL) {
        SCFree((*events)->events);
    }
    SCFree(*events);
    *events = NULL;
}
145
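/* Name/value map for the events that DetectEngineGetEventInfo() resolves by
 * name: file decoder errors and detection engine events.
 * The final { NULL, -1 } entry closes the table. */
SCEnumCharMap det_ctx_event_table[] = {
    { "NO_MEMORY", FILE_DECODER_EVENT_NO_MEM },
    { "INVALID_SWF_LENGTH", FILE_DECODER_EVENT_INVALID_SWF_LENGTH },
    { "INVALID_SWF_VERSION", FILE_DECODER_EVENT_INVALID_SWF_VERSION },
    { "Z_DATA_ERROR", FILE_DECODER_EVENT_Z_DATA_ERROR },
    { "Z_STREAM_ERROR", FILE_DECODER_EVENT_Z_STREAM_ERROR },
    { "Z_BUF_ERROR", FILE_DECODER_EVENT_Z_BUF_ERROR },
    { "Z_UNKNOWN_ERROR", FILE_DECODER_EVENT_Z_UNKNOWN_ERROR },
    { "LZMA_IO_ERROR", FILE_DECODER_EVENT_LZMA_IO_ERROR },
    { "LZMA_HEADER_TOO_SHORT_ERROR", FILE_DECODER_EVENT_LZMA_HEADER_TOO_SHORT_ERROR },
    { "LZMA_DECODER_ERROR", FILE_DECODER_EVENT_LZMA_DECODER_ERROR },
    { "LZMA_MEMLIMIT_ERROR", FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR },
    { "LZMA_XZ_ERROR", FILE_DECODER_EVENT_LZMA_XZ_ERROR },
    { "LZMA_UNKNOWN_ERROR", FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR },
    {
            "TOO_MANY_BUFFERS",
            DETECT_EVENT_TOO_MANY_BUFFERS,
    },
    {
            "POST_MATCH_QUEUE_FAILED",
            DETECT_EVENT_POST_MATCH_QUEUE_FAILED,
    },
    { NULL, -1 },
};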
170
/**
 * \brief Look up a detection-engine event id by name.
 *
 * The name is resolved against det_ctx_event_table.
 *
 * \param event_name Name to look up.
 * \param event_id   Output; written only on success.
 * \param event_type Output; set to APP_LAYER_EVENT_TYPE_TRANSACTION on
 *                   success and not written on failure.
 *
 * \retval 0  found.
 * \retval -1 unknown name or out-of-range value.
 */
int DetectEngineGetEventInfo(
        const char *event_name, uint8_t *event_id, AppLayerEventType *event_type)
{
    if (SCAppLayerGetEventIdByName(event_name, det_ctx_event_table, event_id) != 0) {
        return -1;
    }

    *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION;
    return 0;
}
SCEnumCharMap det_ctx_event_table[]
int AppLayerGetEventInfoById(uint8_t event_id, const char **event_name, AppLayerEventType *event_type)
int SCAppLayerGetEventIdByName(const char *event_name, SCEnumCharMap *table, uint8_t *event_id)
int DetectEngineGetEventInfo(const char *event_name, uint8_t *event_id, AppLayerEventType *event_type)
int AppLayerGetPktEventInfo(const char *event_name, uint8_t *event_id)
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
#define DECODER_EVENTS_BUFFER_STEPS
void AppLayerDecoderEventsFreeEvents(AppLayerDecoderEvents **events)
SCEnumCharMap app_layer_event_pkt_table[]
void AppLayerDecoderEventsResetEvents(AppLayerDecoderEvents *events)
@ APPLAYER_NO_TLS_AFTER_STARTTLS
@ APPLAYER_UNEXPECTED_PROTOCOL
@ APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
@ APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
@ APPLAYER_PROTO_DETECTION_SKIPPED
@ APPLAYER_WRONG_DIRECTION_FIRST_DATA
enum AppLayerEventType AppLayerEventType
@ FILE_DECODER_EVENT_NO_MEM
Definition detect.h:1470
@ FILE_DECODER_EVENT_LZMA_IO_ERROR
Definition detect.h:1477
@ FILE_DECODER_EVENT_LZMA_HEADER_TOO_SHORT_ERROR
Definition detect.h:1478
@ FILE_DECODER_EVENT_Z_UNKNOWN_ERROR
Definition detect.h:1476
@ DETECT_EVENT_POST_MATCH_QUEUE_FAILED
Definition detect.h:1485
@ FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR
Definition detect.h:1482
@ FILE_DECODER_EVENT_Z_BUF_ERROR
Definition detect.h:1475
@ DETECT_EVENT_TOO_MANY_BUFFERS
Definition detect.h:1484
@ FILE_DECODER_EVENT_LZMA_XZ_ERROR
Definition detect.h:1481
@ FILE_DECODER_EVENT_INVALID_SWF_VERSION
Definition detect.h:1472
@ FILE_DECODER_EVENT_LZMA_DECODER_ERROR
Definition detect.h:1479
@ FILE_DECODER_EVENT_INVALID_SWF_LENGTH
Definition detect.h:1471
@ FILE_DECODER_EVENT_Z_STREAM_ERROR
Definition detect.h:1474
@ FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR
Definition detect.h:1480
@ FILE_DECODER_EVENT_Z_DATA_ERROR
Definition detect.h:1473
Data structure to store app layer decoder events.
#define SCLogError(...)
Macro used to log ERROR messages.
Definition util-debug.h:267
int SCMapEnumNameToValue(const char *enum_name, SCEnumCharMap *table)
Maps a string name to an enum value from the supplied table. Please specify the last element of any m...
Definition util-enum.c:40
const char * SCMapEnumValueToName(int enum_value, SCEnumCharMap *table)
Maps an enum value to a string name, from the supplied table.
Definition util-enum.c:68
#define SCFree(p)
Definition util-mem.h:61
#define SCRealloc(ptr, sz)
Definition util-mem.h:50
#define SCCalloc(nm, sz)
Definition util-mem.h:53