#include "suricata-common.h"#include "suricata.h"#include "app-layer.h"#include "app-layer-parser.h"#include "app-layer-protos.h"#include "app-layer-expectation.h"#include "app-layer-ftp.h"#include "app-layer-htp-range.h"#include "app-layer-detect-proto.h"#include "app-layer-frames.h"#include "app-layer-events.h"#include "stream-tcp-reassemble.h"#include "stream-tcp-private.h"#include "stream-tcp-inline.h"#include "stream-tcp.h"#include "flow.h"#include "flow-util.h"#include "flow-private.h"#include "ippair.h"#include "util-debug.h"#include "util-print.h"#include "util-profiling.h"#include "util-validate.h"#include "decode-events.h"#include "app-layer-htp-mem.h"#include "util-exception-policy.h"#include "pkt-var.h"#include "stream-tcp-util.h"#include "stream.h"#include "util-unittest.h"
Go to the source code of this file.
Data Structures | |
| struct | AppLayerThreadCtx_ |
| This is for the app layer in general and it contains per thread context relevant to both the alpd and alp. More... | |
| struct | AppLayerCounterNames_ |
| struct | AppLayerCounters_ |
Macros | |
| #define | FLOW_PROTO_CHANGE_MAX_DEPTH 4096 |
| #define | MAX_COUNTER_SIZE 64 |
| #define | TEST_START |
| #define | TEST_END |
Typedefs | |
| typedef struct AppLayerCounterNames_ | AppLayerCounterNames |
| typedef struct AppLayerCounters_ | AppLayerCounters |
Functions | |
| void | AppLayerSetupCounters (void) |
| void | AppLayerDeSetupCounters (void) |
| void | AppLayerIncTxCounter (ThreadVars *tv, Flow *f, uint64_t step) |
| void | AppLayerIncGapErrorCounter (ThreadVars *tv, Flow *f) |
| void | AppLayerIncAllocErrorCounter (ThreadVars *tv, Flow *f) |
| void | AppLayerIncParserErrorCounter (ThreadVars *tv, Flow *f) |
| void | AppLayerIncInternalErrorCounter (ThreadVars *tv, Flow *f) |
| int | AppLayerHandleTCPData (ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream, uint8_t *data, uint32_t data_len, uint8_t flags, enum StreamUpdateDir app_update_dir) |
| handle TCP data for the app-layer. | |
| int | AppLayerHandleUdp (ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f) |
| Handle a app layer UDP message. | |
| AppProto | AppLayerGetProtoByName (const char *alproto_name) |
| Given a protocol string, returns the corresponding internal protocol id. | |
| const char * | AppLayerGetProtoName (AppProto alproto) |
| Given the internal protocol id, returns a string representation of the protocol. | |
| void | AppLayerListSupportedProtocols (void) |
| int | AppLayerSetup (void) |
| Setup the app layer. | |
| int | AppLayerDeSetup (void) |
| De initializes the app layer. | |
| AppLayerThreadCtx * | AppLayerGetCtxThread (void) |
| Creates a new app layer thread context. | |
| void | AppLayerDestroyCtxThread (AppLayerThreadCtx *app_tctx) |
| Destroys the context created by AppLayerGetCtxThread(). | |
| void | AppLayerProfilingResetInternal (AppLayerThreadCtx *app_tctx) |
| void | AppLayerProfilingStoreInternal (AppLayerThreadCtx *app_tctx, Packet *p) |
| void | AppLayerRegisterGlobalCounters (void) |
| HACK to work around our broken unix manager (re)init loop. | |
| void | AppLayerRegisterThreadCounters (ThreadVars *tv) |
| Registers per flow counters for all protocols. | |
| void | AppLayerUnittestsRegister (void) |
Detailed Description
Generic App-layer functions
Definition in file app-layer.c.
Macro Definition Documentation
◆ FLOW_PROTO_CHANGE_MAX_DEPTH
| #define FLOW_PROTO_CHANGE_MAX_DEPTH 4096 |
Definition at line 76 of file app-layer.c.
◆ MAX_COUNTER_SIZE
| #define MAX_COUNTER_SIZE 64 |
Definition at line 78 of file app-layer.c.
◆ TEST_END
| #define TEST_END |
Definition at line 1467 of file app-layer.c.
◆ TEST_START
| #define TEST_START |
Definition at line 1385 of file app-layer.c.
Typedef Documentation
◆ AppLayerCounterNames
| typedef struct AppLayerCounterNames_ AppLayerCounterNames |
◆ AppLayerCounters
| typedef struct AppLayerCounters_ AppLayerCounters |
Function Documentation
◆ AppLayerDeSetup()
| int AppLayerDeSetup | ( | void | ) |
De initializes the app layer.
Includes de initializing protocol detection and the protocol parser.
Definition at line 1095 of file app-layer.c.
References AppLayerDeSetupCounters(), AppLayerParserDeSetup(), AppLayerProtoDetectDeSetup(), FrameConfigDeInit(), SCEnter, and SCReturnInt.
Referenced by GlobalsDestroy().
◆ AppLayerDeSetupCounters()
| void AppLayerDeSetupCounters | ( | void | ) |
Definition at line 1371 of file app-layer.c.
References applayer_counter_names, applayer_counters, and SCFree.
Referenced by AppLayerDeSetup().
◆ AppLayerDestroyCtxThread()
| void AppLayerDestroyCtxThread | ( | AppLayerThreadCtx * | tctx | ) |
Destroys the context created by AppLayerGetCtxThread().
- Parameters
-
tctx Pointer to the thread context to destroy.
Definition at line 1129 of file app-layer.c.
References AppLayerThreadCtx_::alp_tctx, AppLayerThreadCtx_::alpd_tctx, AppLayerParserThreadCtxFree(), AppLayerProtoDetectDestroyCtxThread(), SCEnter, SCFree, and SCReturn.
Referenced by AppLayerGetCtxThread(), DecodeThreadVarsFree(), and StreamTcpReassembleFreeThreadCtx().
◆ AppLayerGetCtxThread()
| AppLayerThreadCtx * AppLayerGetCtxThread | ( | void | ) |
Creates a new app layer thread context.
- Return values
-
Pointer to the newly create thread context, on success; NULL, on failure.
Definition at line 1108 of file app-layer.c.
References AppLayerThreadCtx_::alp_tctx, AppLayerThreadCtx_::alpd_tctx, AppLayerDestroyCtxThread(), AppLayerParserThreadCtxAlloc(), AppLayerProtoDetectGetCtxThread(), SCCalloc, SCEnter, and SCReturnPtr.
Referenced by DecodeThreadVarsAlloc(), and StreamTcpReassembleInitThreadCtx().
◆ AppLayerGetProtoByName()
| AppProto AppLayerGetProtoByName | ( | const char * | alproto_name | ) |
Given a protocol string, returns the corresponding internal protocol id.
- Parameters
-
The internal protocol id.
Definition at line 1002 of file app-layer.c.
References AppLayerProtoDetectGetProtoByName(), SCEnter, and SCReturnCT.
◆ AppLayerGetProtoName()
| const char * AppLayerGetProtoName | ( | AppProto | alproto | ) |
Given the internal protocol id, returns a string representation of the protocol.
- Parameters
-
alproto The internal protocol id.
- Return values
-
String representation of the protocol.
Definition at line 1009 of file app-layer.c.
References AppLayerProtoDetectGetProtoName(), SCEnter, and SCReturnCT.
Referenced by AppLayerListSupportedProtocols(), AppLayerParserParse(), and AppLayerSetupCounters().
◆ AppLayerHandleTCPData()
| int AppLayerHandleTCPData | ( | ThreadVars * | tv, |
| TcpReassemblyThreadCtx * | ra_ctx, | ||
| Packet * | p, | ||
| Flow * | f, | ||
| TcpSession * | ssn, | ||
| TcpStream ** | stream, | ||
| uint8_t * | data, | ||
| uint32_t | data_len, | ||
| uint8_t | flags, | ||
| enum StreamUpdateDir | app_update_dir | ||
| ) |
handle TCP data for the app-layer.
Handles reassembled tcp stream.
First run protocol detection and then when the protocol is known invoke the app layer parser.
- Parameters
-
stream ptr-to-ptr to stream object. Might change if flow dir is reversed.
Definition at line 711 of file app-layer.c.
References AppLayerThreadCtx_::alp_tctx, Flow_::alparser, Flow_::alproto, Flow_::alproto_expect, Flow_::alproto_orig, Flow_::alproto_tc, ALPROTO_TLS, Flow_::alproto_ts, ALPROTO_UNKNOWN, Flow_::alstate, Packet_::app_layer_events, TcpReassemblyThreadCtx_::app_tctx, Packet_::app_update_direction, APPLAYER_NO_TLS_AFTER_STARTTLS, APPLAYER_UNEXPECTED_PROTOCOL, AppLayerDecoderEventsSetEventRaw(), AppLayerParserParse(), AppLayerParserStateProtoCleanup(), AppLayerProtoDetectReset(), AppProtoToString(), TcpSession_::client, DEBUG_ASSERT_FLOW_LOCKED, DEBUG_VALIDATE_BUG_ON, ExceptionPolicyApply(), flags, TcpSession_::flags, FlowChangeProto(), FlowUnsetChangeProtoFlag(), g_applayerparser_error_policy, PACKET_PROFILING_APP_END, PACKET_PROFILING_APP_START, PKT_DROP_REASON_APPLAYER_ERROR, PrintRawDataFp(), Flow_::protomap, SCEnter, SCLogDebug, SCReturnInt, TcpSession_::server, STREAMTCP_FLAG_APP_LAYER_DISABLED, StreamTcpResetStreamFlagAppProtoDetectionCompleted, StreamTcpSetStreamFlagAppProtoDetectionCompleted, StreamTcpUpdateAppLayerProgress(), and tv.
Referenced by StreamTcpReassembleAppLayer().
◆ AppLayerHandleUdp()
| int AppLayerHandleUdp | ( | ThreadVars * | tv, |
| AppLayerThreadCtx * | tctx, | ||
| Packet * | p, | ||
| Flow * | f | ||
| ) |
Handle a app layer UDP message.
Handles an udp chunk.
If the protocol is yet unknown, the proto detection code is run first.
- Parameters
-
dp_ctx Thread app layer detect context f locked flow p UDP packet
- Return values
-
0 ok -1 error
Definition at line 878 of file app-layer.c.
References AppLayerThreadCtx_::alp_tctx, AppLayerThreadCtx_::alpd_tctx, Flow_::alproto, ALPROTO_FAILED, Flow_::alproto_tc, Flow_::alproto_ts, ALPROTO_UNKNOWN, Packet_::app_layer_events, Packet_::app_update_direction, APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS, AppLayerDecoderEventsSetEventRaw(), AppLayerParserParse(), AppLayerProfilingReset, AppLayerProtoDetectGetProto(), ExceptionPolicyApply(), flags, FLOW_PKT_TOSERVER, Packet_::flowflags, FlowSwap(), g_applayerparser_error_policy, PACKET_PROFILING_APP_END, PACKET_PROFILING_APP_PD_END, PACKET_PROFILING_APP_PD_START, PACKET_PROFILING_APP_START, PACKET_PROFILING_APP_STORE, PacketSwap(), Packet_::payload, Packet_::payload_len, PKT_DROP_REASON_APPLAYER_ERROR, SCEnter, SCLogDebug, SCReturnInt, SWAP_FLAGS, tv, and UPDATE_DIR_PACKET.
◆ AppLayerIncAllocErrorCounter()
| void AppLayerIncAllocErrorCounter | ( | ThreadVars * | tv, |
| Flow * | f | ||
| ) |
Definition at line 171 of file app-layer.c.
References AppLayerCounters_::alloc_error_id, Flow_::alproto, applayer_counters, likely, Flow_::protomap, StatsIncr(), and tv.
Referenced by AppLayerParserParse().
◆ AppLayerIncGapErrorCounter()
| void AppLayerIncGapErrorCounter | ( | ThreadVars * | tv, |
| Flow * | f | ||
| ) |
Definition at line 163 of file app-layer.c.
References Flow_::alproto, applayer_counters, AppLayerCounters_::gap_error_id, likely, Flow_::protomap, StatsIncr(), and tv.
Referenced by AppLayerParserParse().
◆ AppLayerIncInternalErrorCounter()
| void AppLayerIncInternalErrorCounter | ( | ThreadVars * | tv, |
| Flow * | f | ||
| ) |
Definition at line 187 of file app-layer.c.
References Flow_::alproto, applayer_counters, AppLayerCounters_::internal_error_id, likely, Flow_::protomap, StatsIncr(), and tv.
Referenced by AppLayerParserParse().
◆ AppLayerIncParserErrorCounter()
| void AppLayerIncParserErrorCounter | ( | ThreadVars * | tv, |
| Flow * | f | ||
| ) |
Definition at line 179 of file app-layer.c.
References Flow_::alproto, applayer_counters, likely, AppLayerCounters_::parser_error_id, Flow_::protomap, StatsIncr(), and tv.
Referenced by AppLayerParserParse().
◆ AppLayerIncTxCounter()
| void AppLayerIncTxCounter | ( | ThreadVars * | tv, |
| Flow * | f, | ||
| uint64_t | step | ||
| ) |
Definition at line 155 of file app-layer.c.
References Flow_::alproto, applayer_counters, AppLayerCounters_::counter_tx_id, likely, Flow_::protomap, StatsAddUI64(), and tv.
Referenced by AppLayerParserParse().
◆ AppLayerListSupportedProtocols()
| void AppLayerListSupportedProtocols | ( | void | ) |
Definition at line 1016 of file app-layer.c.
References AppLayerGetProtoName(), AppLayerProtoDetectSupportedAppProtocols(), g_alproto_max, SCEnter, and SCReturn.
Referenced by ListAppLayerProtocols().
◆ AppLayerProfilingResetInternal()
| void AppLayerProfilingResetInternal | ( | AppLayerThreadCtx * | app_tctx | ) |
Definition at line 1146 of file app-layer.c.
References PACKET_PROFILING_APP_RESET.
◆ AppLayerProfilingStoreInternal()
| void AppLayerProfilingStoreInternal | ( | AppLayerThreadCtx * | app_tctx, |
| Packet * | p | ||
| ) |
Definition at line 1151 of file app-layer.c.
References PACKET_PROFILING_APP_STORE.
◆ AppLayerRegisterGlobalCounters()
| void AppLayerRegisterGlobalCounters | ( | void | ) |
HACK to work around our broken unix manager (re)init loop.
Definition at line 1159 of file app-layer.c.
References ExpectationGetCounter(), FTPMemcapGlobalCounter(), FTPMemuseGlobalCounter(), HostGetMemcap(), HostGetMemuse(), HTPByteRangeMemcapGlobalCounter(), HTPByteRangeMemuseGlobalCounter(), HTPMemcapGlobalCounter(), HTPMemuseGlobalCounter(), IPPairGetMemuse(), and StatsRegisterGlobalCounter().
Referenced by PreRunInit().
◆ AppLayerRegisterThreadCounters()
| void AppLayerRegisterThreadCounters | ( | ThreadVars * | tv | ) |
Registers per flow counters for all protocols.
Definition at line 1307 of file app-layer.c.
References AppLayerCounters_::alloc_error_id, ALPROTO_FAILED, app_layer_error_eps_stats, applayer_counter_names, applayer_counters, AppLayerProtoDetectSupportedAppProtocols(), AppLayerCounters_::counter_id, AppLayerCounters_::counter_tx_id, AppLayerCounters_::eps_error, eps_error_summary, ExceptionPolicyCounters_::eps_id, ExceptionPolicyStatsSetts_::eps_name, EXCEPTION_POLICY_MAX, EXCEPTION_POLICY_NOT_SET, FLOW_PROTO_APPLAYER_MAX, FlowGetProtoMapping(), g_alproto_max, g_applayerparser_error_policy, g_stats_eps_per_app_proto_errors, AppLayerCounters_::gap_error_id, AppLayerCounters_::internal_error_id, name, AppLayerCounters_::parser_error_id, StatsRegisterCounter(), and tv.
◆ AppLayerSetup()
| int AppLayerSetup | ( | void | ) |
Setup the app layer.
Includes protocol detection setup and the protocol parser setup.
- Return values
-
0 On success. -1 On failure.
Definition at line 1078 of file app-layer.c.
References AppLayerParserRegisterProtocolParsers(), AppLayerParserSetup(), AppLayerProtoDetectPrepareState(), AppLayerProtoDetectSetup(), AppLayerSetupCounters(), FrameConfigInit(), SCEnter, and SCReturnInt.
Referenced by ListAppLayerHooks(), ListAppLayerProtocols(), ListKeywords(), LLVMFuzzerTestOneInput(), PostConfLoadedSetup(), and RunUnittests().
◆ AppLayerSetupCounters()
| void AppLayerSetupCounters | ( | void | ) |
Definition at line 1198 of file app-layer.c.
References ALPROTO_FAILED, app_layer_error_eps_stats, applayer_counter_names, applayer_counters, AppLayerGetProtoName(), AppLayerProtoDetectSupportedAppProtocols(), AppLayerProtoDetectSupportedIpprotos(), ExceptionPolicyStatsSetts_::eps_name, EXCEPTION_POLICY_MAX, EXCEPTION_POLICY_NOT_SET, ExceptionPolicyEnumToString(), FatalError, FLOW_PROTO_APPLAYER_MAX, FlowGetProtoMapping(), g_alproto_max, g_applayerparser_error_policy, name, SCCalloc, str, and unlikely.
Referenced by AppLayerSetup().
◆ AppLayerUnittestsRegister()
| void AppLayerUnittestsRegister | ( | void | ) |
Definition at line 2891 of file app-layer.c.
References SCEnter, SCReturn, and UtRegisterTest().
Variable Documentation
◆ app_layer_error_eps_stats
| ExceptionPolicyStatsSetts app_layer_error_eps_stats |
Definition at line 108 of file app-layer.c.
Referenced by AppLayerRegisterThreadCounters(), and AppLayerSetupCounters().
◆ applayer_counter_names
| AppLayerCounterNames(* applayer_counter_names)[FLOW_PROTO_APPLAYER_MAX] |
Definition at line 100 of file app-layer.c.
Referenced by AppLayerDeSetupCounters(), AppLayerRegisterThreadCounters(), and AppLayerSetupCounters().
◆ applayer_counters
| AppLayerCounters(* applayer_counters)[FLOW_PROTO_APPLAYER_MAX] |
Definition at line 102 of file app-layer.c.
Referenced by AppLayerDeSetupCounters(), AppLayerIncAllocErrorCounter(), AppLayerIncGapErrorCounter(), AppLayerIncInternalErrorCounter(), AppLayerIncParserErrorCounter(), AppLayerIncTxCounter(), AppLayerRegisterThreadCounters(), and AppLayerSetupCounters().
◆ eps_error_summary
| ExceptionPolicyCounters eps_error_summary |
Definition at line 104 of file app-layer.c.
Referenced by AppLayerRegisterThreadCounters().
◆ g_applayerparser_error_policy
|
extern |
Definition at line 155 of file app-layer-parser.c.
Referenced by AppLayerErrorGetExceptionPolicy(), AppLayerHandleTCPData(), AppLayerHandleUdp(), AppLayerRegisterThreadCounters(), and AppLayerSetupCounters().
◆ g_stats_eps_per_app_proto_errors
|
extern |
add per-proto app-layer error counters for exception policies stats? disabled by default
Definition at line 220 of file suricata.c.
Referenced by AppLayerRegisterThreadCounters(), and PostConfLoadedSetup().
