/src/suricata/src/app-layer-events.c

Source
/* Copyright (C) 2014-2024 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \file
 *
 * \author Victor Julien <victor@inliniac.net>
 * \author Anoop Saldanha <anoopsaldanha@gmail.com>
 */

#include "suricata-common.h"
#include "rust.h"
#include "app-layer-events.h"
#include "util-enum.h"

int SCAppLayerGetEventIdByName(const char *event_name, SCEnumCharMap *table, uint8_t *event_id)
{
    int value = SCMapEnumNameToValue(event_name, table);
    if (value == -1) {
        SCLogError("event \"%s\" not present in enum table.", event_name);
        /* this should be treated as fatal */
        return -1;
    } else if (value < -1 || value > UINT8_MAX) {
        SCLogError("event \"%s\" has out of range value", event_name);
        /* this should be treated as fatal */
        return -1;
    }
    *event_id = (uint8_t)value;
    return 0;
}

/* events raised during protocol detection are stored in the
 * packets storage, not in the flow. */
SCEnumCharMap app_layer_event_pkt_table[ ] = {
    { "APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS",
      APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS },
    { "APPLAYER_WRONG_DIRECTION_FIRST_DATA",
      APPLAYER_WRONG_DIRECTION_FIRST_DATA },
    { "APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION",
      APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION },
    { "APPLAYER_PROTO_DETECTION_SKIPPED",
      APPLAYER_PROTO_DETECTION_SKIPPED },
    { "APPLAYER_NO_TLS_AFTER_STARTTLS",
      APPLAYER_NO_TLS_AFTER_STARTTLS },
    { "APPLAYER_UNEXPECTED_PROTOCOL",
      APPLAYER_UNEXPECTED_PROTOCOL },
    { NULL,
      -1 },
};

int AppLayerGetEventInfoById(
        uint8_t event_id, const char **event_name, AppLayerEventType *event_type)
{
    *event_name = SCMapEnumValueToName(event_id, app_layer_event_pkt_table);
    if (*event_name == NULL) {
        SCLogError("event \"%d\" not present in "
                   "app-layer-event's enum map table.",
                event_id);
        /* yes this is fatal */
        return -1;
    }

    *event_type = APP_LAYER_EVENT_TYPE_PACKET;

    return 0;
}

int AppLayerGetPktEventInfo(const char *event_name, uint8_t *event_id)
{
    return SCAppLayerGetEventIdByName(event_name, app_layer_event_pkt_table, event_id);
}

#define DECODER_EVENTS_BUFFER_STEPS 8

/**
 * \brief Set an app layer decoder event.
 *
 * \param sevents Pointer to a AppLayerDecoderEvents pointer. If *sevents is NULL
 *                memory will be allocated.
 * \param event   The event to be stored.
 */
void SCAppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
{
    if (*sevents == NULL) {
        AppLayerDecoderEvents *new_devents = SCCalloc(1, sizeof(AppLayerDecoderEvents));
        if (new_devents == NULL)
            return;

        *sevents = new_devents;

    }
    if ((*sevents)->cnt == UCHAR_MAX) {
        /* we're full */
        return;
    }
    if ((*sevents)->cnt == (*sevents)->events_buffer_size) {
        int steps = DECODER_EVENTS_BUFFER_STEPS;
        if (UCHAR_MAX - (*sevents)->cnt < steps)
            steps = UCHAR_MAX - (*sevents)->cnt < steps;

        void *ptr = SCRealloc((*sevents)->events,
                              ((*sevents)->cnt + steps) * sizeof(uint8_t));
        if (ptr == NULL) {
            /* couldn't grow buffer, but no reason to free old
             * so we keep the events that may already be here */
            return;
        }
        (*sevents)->events = ptr;
        (*sevents)->events_buffer_size += steps;
    }

    (*sevents)->events[(*sevents)->cnt++] = event;
}

void AppLayerDecoderEventsResetEvents(AppLayerDecoderEvents *events)
{
    if (events != NULL) {
        events->cnt = 0;
        events->event_last_logged = 0;
    }
}

void SCAppLayerDecoderEventsFreeEvents(AppLayerDecoderEvents **events)
{
    if (events && *events != NULL) {
        if ((*events)->events != NULL)
            SCFree((*events)->events);
        SCFree(*events);
        *events = NULL;
    }
}

SCEnumCharMap det_ctx_event_table[] = {
    { "NO_MEMORY", FILE_DECODER_EVENT_NO_MEM },
    { "INVALID_SWF_LENGTH", FILE_DECODER_EVENT_INVALID_SWF_LENGTH },
    { "INVALID_SWF_VERSION", FILE_DECODER_EVENT_INVALID_SWF_VERSION },
    { "Z_DATA_ERROR", FILE_DECODER_EVENT_Z_DATA_ERROR },
    { "Z_STREAM_ERROR", FILE_DECODER_EVENT_Z_STREAM_ERROR },
    { "Z_BUF_ERROR", FILE_DECODER_EVENT_Z_BUF_ERROR },
    { "Z_UNKNOWN_ERROR", FILE_DECODER_EVENT_Z_UNKNOWN_ERROR },
    { "LZMA_IO_ERROR", FILE_DECODER_EVENT_LZMA_IO_ERROR },
    { "LZMA_HEADER_TOO_SHORT_ERROR", FILE_DECODER_EVENT_LZMA_HEADER_TOO_SHORT_ERROR },
    { "LZMA_DECODER_ERROR", FILE_DECODER_EVENT_LZMA_DECODER_ERROR },
    { "LZMA_MEMLIMIT_ERROR", FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR },
    { "LZMA_XZ_ERROR", FILE_DECODER_EVENT_LZMA_XZ_ERROR },
    { "LZMA_UNKNOWN_ERROR", FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR },
    {
            "TOO_MANY_BUFFERS",
            DETECT_EVENT_TOO_MANY_BUFFERS,
    },
    {
            "POST_MATCH_QUEUE_FAILED",
            DETECT_EVENT_POST_MATCH_QUEUE_FAILED,
    },
    { NULL, -1 },
};

int DetectEngineGetEventInfo(
        const char *event_name, uint8_t *event_id, AppLayerEventType *event_type)
{
    if (SCAppLayerGetEventIdByName(event_name, det_ctx_event_table, event_id) == 0) {
        *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION;
        return 0;
    }
    return -1;
}

Line	Count	Source
1		/* Copyright (C) 2014-2024 Open Information Security Foundation
2		*
3		* You can copy, redistribute or modify this Program under the terms of
4		* the GNU General Public License version 2 as published by the Free
5		* Software Foundation.
6		*
7		* This program is distributed in the hope that it will be useful,
8		* but WITHOUT ANY WARRANTY; without even the implied warranty of
9		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10		* GNU General Public License for more details.
11		*
12		* You should have received a copy of the GNU General Public License
13		* version 2 along with this program; if not, write to the Free Software
14		* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15		* 02110-1301, USA.
16		*/
17
18		/**
19		* \file
20		*
21		* \author Victor Julien <victor@inliniac.net>
22		* \author Anoop Saldanha <anoopsaldanha@gmail.com>
23		*/
24
25		#include "suricata-common.h"
26		#include "rust.h"
27		#include "app-layer-events.h"
28		#include "util-enum.h"
29
30		int SCAppLayerGetEventIdByName(const char event_name, SCEnumCharMap table, uint8_t *event_id)
31	37.0k	{
32	37.0k	int value = SCMapEnumNameToValue(event_name, table);
33	37.0k	if (value == -1) {
34	2.92k	SCLogError("event \"%s\" not present in enum table.", event_name);
35		/* this should be treated as fatal */
36	2.92k	return -1;
37	34.0k	} else if (value < -1 \|\| value > UINT8_MAX) {
38	0	SCLogError("event \"%s\" has out of range value", event_name);
39		/* this should be treated as fatal */
40	0	return -1;
41	0	}
42	34.0k	*event_id = (uint8_t)value;
43	34.0k	return 0;
44	37.0k	}
45
46		/* events raised during protocol detection are stored in the
47		* packets storage, not in the flow. */
48		SCEnumCharMap app_layer_event_pkt_table[ ] = {
49		{ "APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS",
50		APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS },
51		{ "APPLAYER_WRONG_DIRECTION_FIRST_DATA",
52		APPLAYER_WRONG_DIRECTION_FIRST_DATA },
53		{ "APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION",
54		APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION },
55		{ "APPLAYER_PROTO_DETECTION_SKIPPED",
56		APPLAYER_PROTO_DETECTION_SKIPPED },
57		{ "APPLAYER_NO_TLS_AFTER_STARTTLS",
58		APPLAYER_NO_TLS_AFTER_STARTTLS },
59		{ "APPLAYER_UNEXPECTED_PROTOCOL",
60		APPLAYER_UNEXPECTED_PROTOCOL },
61		{ NULL,
62		-1 },
63		};
64
65		int AppLayerGetEventInfoById(
66		uint8_t event_id, const char *event_name, AppLayerEventType event_type)
67	44.8k	{
68	44.8k	*event_name = SCMapEnumValueToName(event_id, app_layer_event_pkt_table);
69	44.8k	if (*event_name == NULL) {
70	0	SCLogError("event \"%d\" not present in "
71	0	"app-layer-event's enum map table.",
72	0	event_id);
73		/* yes this is fatal */
74	0	return -1;
75	0	}
76
77	44.8k	*event_type = APP_LAYER_EVENT_TYPE_PACKET;
78
79	44.8k	return 0;
80	44.8k	}
81
82		int AppLayerGetPktEventInfo(const char event_name, uint8_t event_id)
83	5.20k	{
84	5.20k	return SCAppLayerGetEventIdByName(event_name, app_layer_event_pkt_table, event_id);
85	5.20k	}
86
87	31.0M	#define DECODER_EVENTS_BUFFER_STEPS 8
88
89		/**
90		* \brief Set an app layer decoder event.
91		*
92		* \param sevents Pointer to a AppLayerDecoderEvents pointer. If *sevents is NULL
93		* memory will be allocated.
94		* \param event The event to be stored.
95		*/
96		void SCAppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
97	62.5M	{
98	62.5M	if (*sevents == NULL) {
99	30.6M	AppLayerDecoderEvents *new_devents = SCCalloc(1, sizeof(AppLayerDecoderEvents));
100	30.6M	if (new_devents == NULL)
101	0	return;
102
103	30.6M	*sevents = new_devents;
104
105	30.6M	}
106	62.5M	if ((*sevents)->cnt == UCHAR_MAX) {
107		/* we're full */
108	24.8M	return;
109	24.8M	}
110	37.6M	if ((sevents)->cnt == (sevents)->events_buffer_size) {
111	31.0M	int steps = DECODER_EVENTS_BUFFER_STEPS;
112	31.0M	if (UCHAR_MAX - (*sevents)->cnt < steps)
113	45.4k	steps = UCHAR_MAX - (*sevents)->cnt < steps;
114
115	31.0M	void ptr = SCRealloc((sevents)->events,
116	31.0M	((sevents)->cnt + steps) sizeof(uint8_t));
117	31.0M	if (ptr == NULL) {
118		/* couldn't grow buffer, but no reason to free old
119		* so we keep the events that may already be here */
120	0	return;
121	0	}
122	31.0M	(*sevents)->events = ptr;
123	31.0M	(*sevents)->events_buffer_size += steps;
124	31.0M	}
125
126	37.6M	(sevents)->events[(sevents)->cnt++] = event;
127	37.6M	}
128
129		void AppLayerDecoderEventsResetEvents(AppLayerDecoderEvents *events)
130	21.5M	{
131	21.5M	if (events != NULL) {
132	6.59M	events->cnt = 0;
133	6.59M	events->event_last_logged = 0;
134	6.59M	}
135	21.5M	}
136
137		void SCAppLayerDecoderEventsFreeEvents(AppLayerDecoderEvents **events)
138	30.7M	{
139	30.7M	if (events && *events != NULL) {
140	30.6M	if ((*events)->events != NULL)
141	30.6M	SCFree((*events)->events);
142	30.6M	SCFree(*events);
143	30.6M	*events = NULL;
144	30.6M	}
145	30.7M	}
146
147		SCEnumCharMap det_ctx_event_table[] = {
148		{ "NO_MEMORY", FILE_DECODER_EVENT_NO_MEM },
149		{ "INVALID_SWF_LENGTH", FILE_DECODER_EVENT_INVALID_SWF_LENGTH },
150		{ "INVALID_SWF_VERSION", FILE_DECODER_EVENT_INVALID_SWF_VERSION },
151		{ "Z_DATA_ERROR", FILE_DECODER_EVENT_Z_DATA_ERROR },
152		{ "Z_STREAM_ERROR", FILE_DECODER_EVENT_Z_STREAM_ERROR },
153		{ "Z_BUF_ERROR", FILE_DECODER_EVENT_Z_BUF_ERROR },
154		{ "Z_UNKNOWN_ERROR", FILE_DECODER_EVENT_Z_UNKNOWN_ERROR },
155		{ "LZMA_IO_ERROR", FILE_DECODER_EVENT_LZMA_IO_ERROR },
156		{ "LZMA_HEADER_TOO_SHORT_ERROR", FILE_DECODER_EVENT_LZMA_HEADER_TOO_SHORT_ERROR },
157		{ "LZMA_DECODER_ERROR", FILE_DECODER_EVENT_LZMA_DECODER_ERROR },
158		{ "LZMA_MEMLIMIT_ERROR", FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR },
159		{ "LZMA_XZ_ERROR", FILE_DECODER_EVENT_LZMA_XZ_ERROR },
160		{ "LZMA_UNKNOWN_ERROR", FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR },
161		{
162		"TOO_MANY_BUFFERS",
163		DETECT_EVENT_TOO_MANY_BUFFERS,
164		},
165		{
166		"POST_MATCH_QUEUE_FAILED",
167		DETECT_EVENT_POST_MATCH_QUEUE_FAILED,
168		},
169		{ NULL, -1 },
170		};
171
172		int DetectEngineGetEventInfo(
173		const char event_name, uint8_t event_id, AppLayerEventType *event_type)
174	3	{
175	3	if (SCAppLayerGetEventIdByName(event_name, det_ctx_event_table, event_id) == 0) {
176	2	*event_type = APP_LAYER_EVENT_TYPE_TRANSACTION;
177	2	return 0;
178	2	}
179	1	return -1;
180	3	}

Coverage Report

Created: 2026-02-14 06:42