plugins: app-layer plugins

Ticket: 5053
OISF · Nov 23, 2023 · d993f43 · d993f43
1 parent 02f2fd6
commit d993f43
Show file tree

Hide file tree

Showing 13 changed files with 172 additions and 28 deletions.
diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c
@@ -63,6 +63,10 @@
 #include "app-layer-rdp.h"
 #include "app-layer-http2.h"
 
+#ifdef ALPROTO_DYNAMIC_NB
+#include "util-plugin.h"
+#endif
+
 struct AppLayerParserThreadCtx_ {
     void *alproto_local_storage[FLOW_PROTO_MAX][ALPROTO_MAX];
 };
@@ -1786,6 +1790,16 @@ void AppLayerParserRegisterProtocolParsers(void)
                   "imap");
     }
 
+#ifdef ALPROTO_DYNAMIC_NB
+    for (size_t i = 0; i < ALPROTO_DYNAMIC_NB; i++) {
+        SCAppLayerPlugin *app_layer_plugin = SCPluginFindAppLayerByIndex(i);
+        if (app_layer_plugin == NULL) {
+            break;
+        }
+        app_layer_plugin->Register();
+    }
+#endif
+
     ValidateParsers();
     return;
 }

diff --git a/src/app-layer-protos.c b/src/app-layer-protos.c
@@ -101,7 +101,7 @@ AppProto StringToAppProto(const char *proto_name)
 
     // We could use a Multi Pattern Matcher
     for (size_t i = 0; i < ARRAY_SIZE(AppProtoStrings); i++) {
-        if (strcmp(proto_name, AppProtoStrings[i].str) == 0)
+        if (AppProtoStrings[i].str != NULL && strcmp(proto_name, AppProtoStrings[i].str) == 0)
             return AppProtoStrings[i].alproto;
     }
 

diff --git a/src/detect-engine-file.h b/src/detect-engine-file.h
@@ -28,4 +28,15 @@ uint8_t DetectFileInspectGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
         const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
         uint8_t flags, void *_alstate, void *tx, uint64_t tx_id);
 
+// file protocols with common file handling
+typedef struct {
+    AppProto al_proto;
+    int direction;
+    int to_client_progress;
+    int to_server_progress;
+} DetectFileHandlerProtocol_t;
+
+void DetectFileRegisterProto(
+        AppProto alproto, int direction, int to_client_progress, int to_server_progress);
+
 #endif /* __DETECT_ENGINE_FILE_H__ */
diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c
@@ -309,6 +309,7 @@
 #include "util-path.h"
 #include "util-mpm-ac.h"
 #include "runmodes.h"
+#include "util-plugin.h"
 
 int DETECT_TBLSIZE = DETECT_TBLSIZE_STATIC;
 int DETECT_TBLSIZE_IDX = DETECT_TBLSIZE_STATIC;
@@ -456,14 +457,53 @@ int SigTableList(const char *keyword)
 
 static void DetectFileHandlerRegister(void)
 {
-    for (int i = 0; i < DETECT_TBLSIZE; i++) {
+    for (int i = 0; i < DETECT_TBLSIZE_STATIC; i++) {
         if (filehandler_table[i].name)
             DetectFileRegisterFileProtocols(&filehandler_table[i]);
     }
 }
 
+void SigTableCleanup(void)
+{
+    if (sigmatch_table != sigmatch_table_static) {
+        SCFree(sigmatch_table);
+        sigmatch_table = sigmatch_table_static;
+        DETECT_TBLSIZE = DETECT_TBLSIZE_STATIC;
+    }
+}
+
 void SigTableSetup(void)
 {
+#ifdef ALPROTO_DYNAMIC_NB
+    bool to_grow = false;
+    for (size_t i = 0; i < ALPROTO_DYNAMIC_NB; i++) {
+        SCAppLayerPlugin *app_layer_plugin = SCPluginFindAppLayerByIndex(i);
+        if (app_layer_plugin == NULL) {
+            break;
+        }
+        if (app_layer_plugin->keywords_nb > 0) {
+            DETECT_TBLSIZE += app_layer_plugin->keywords_nb;
+            to_grow = true;
+        }
+    }
+    if (to_grow) {
+        if (sigmatch_table == sigmatch_table_static) {
+            sigmatch_table = SCMalloc(DETECT_TBLSIZE * sizeof(SigTableElmt));
+            if (sigmatch_table == NULL) {
+                SCLogError("Failed to allocate bigger sigmatch_table, falling back to static one");
+                sigmatch_table = sigmatch_table_static;
+                DETECT_TBLSIZE = DETECT_TBLSIZE_STATIC;
+            }
+        } else {
+            void *tmp = SCRealloc(sigmatch_table, DETECT_TBLSIZE * sizeof(SigTableElmt));
+            if (tmp == NULL) {
+                SCLogError("Failed to reallocate bigger sigmatch_table, keeping one");
+            } else {
+                sigmatch_table = tmp;
+            }
+        }
+    }
+#endif
     memset(sigmatch_table, 0, DETECT_TBLSIZE * sizeof(SigTableElmt));
 
     DetectSidRegister();
@@ -696,6 +736,18 @@ void SigTableSetup(void)
     DetectQuicCyuHashRegister();
     DetectQuicCyuStringRegister();
 
+#ifdef ALPROTO_DYNAMIC_NB
+    for (size_t i = 0; i < ALPROTO_DYNAMIC_NB; i++) {
+        SCAppLayerPlugin *app_layer_plugin = SCPluginFindAppLayerByIndex(i);
+        if (app_layer_plugin == NULL) {
+            break;
+        }
+        if (app_layer_plugin->KeywordsRegister != NULL) {
+            app_layer_plugin->KeywordsRegister();
+        }
+    }
+#endif
+
     DetectBypassRegister();
     DetectConfigRegister();
 

diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h
@@ -347,6 +347,7 @@ enum DetectKeywordId {
 extern int DETECT_TBLSIZE;
 extern int DETECT_TBLSIZE_IDX;
 int SigTableList(const char *keyword);
+void SigTableCleanup(void);
 void SigTableSetup(void);
 void SigTableRegisterTests(void);
 

diff --git a/src/detect-parse.c b/src/detect-parse.c
@@ -68,6 +68,7 @@
 #include "string.h"
 #include "detect-parse.h"
 #include "detect-engine-iponly.h"
+#include "detect-engine-file.h"
 #include "app-layer-detect-proto.h"
 
 #include "action-globals.h"
@@ -76,32 +77,43 @@
 /* Table with all filehandler registrations */
 DetectFileHandlerTableElmt filehandler_table[DETECT_TBLSIZE_STATIC];
 
-void DetectFileRegisterFileProtocols(DetectFileHandlerTableElmt *reg)
+// file protocols with common file handling
+DetectFileHandlerProtocol_t al_protocols[ALPROTO_MAX] = {
+    { .al_proto = ALPROTO_NFS, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT },
+    { .al_proto = ALPROTO_SMB, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT },
+    { .al_proto = ALPROTO_FTP, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT },
+    { .al_proto = ALPROTO_FTPDATA, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT },
+    { .al_proto = ALPROTO_HTTP1,
+            .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT,
+            .to_client_progress = HTP_RESPONSE_BODY,
+            .to_server_progress = HTP_REQUEST_BODY },
+    { .al_proto = ALPROTO_HTTP2,
+            .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT,
+            .to_client_progress = HTTP2StateDataServer,
+            .to_server_progress = HTTP2StateDataClient },
+    { .al_proto = ALPROTO_SMTP, .direction = SIG_FLAG_TOSERVER }, { .al_proto = ALPROTO_UNKNOWN }
+};
+
+void DetectFileRegisterProto(
+        AppProto alproto, int direction, int to_client_progress, int to_server_progress)
 {
-    // file protocols with common file handling
-    typedef struct {
-        AppProto al_proto;
-        int direction;
-        int to_client_progress;
-        int to_server_progress;
-    } DetectFileHandlerProtocol_t;
-    static DetectFileHandlerProtocol_t al_protocols[] = {
-        { .al_proto = ALPROTO_NFS, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT },
-        { .al_proto = ALPROTO_SMB, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT },
-        { .al_proto = ALPROTO_FTP, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT },
-        { .al_proto = ALPROTO_FTPDATA, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT },
-        { .al_proto = ALPROTO_HTTP1,
-                .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT,
-                .to_client_progress = HTP_RESPONSE_BODY,
-                .to_server_progress = HTP_REQUEST_BODY },
-        { .al_proto = ALPROTO_HTTP2,
-                .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT,
-                .to_client_progress = HTTP2StateDataServer,
-                .to_server_progress = HTTP2StateDataClient },
-        { .al_proto = ALPROTO_SMTP, .direction = SIG_FLAG_TOSERVER }
-    };
+    size_t i = 0;
+    while (al_protocols[i].al_proto != ALPROTO_UNKNOWN) {
+        i++;
+    }
+    al_protocols[i].al_proto = alproto;
+    al_protocols[i].direction = direction;
+    al_protocols[i].to_client_progress = to_client_progress;
+    al_protocols[i].to_server_progress = to_server_progress;
+    al_protocols[i + 1].al_proto = ALPROTO_UNKNOWN;
+}
 
+void DetectFileRegisterFileProtocols(DetectFileHandlerTableElmt *reg)
+{
     for (size_t i = 0; i < ARRAY_SIZE(al_protocols); i++) {
+        if (al_protocols[i].al_proto == ALPROTO_UNKNOWN) {
+            break;
+        }
         int direction = al_protocols[i].direction == 0
                                 ? (int)(SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT)
                                 : al_protocols[i].direction;

diff --git a/src/detect.h b/src/detect.h
@@ -1544,6 +1544,7 @@ typedef struct DetectEngineMasterCtx_ {
 
 /* Table with all SigMatch registrations */
 extern SigTableElmt *sigmatch_table;
+extern SigTableElmt sigmatch_table_static[DETECT_TBLSIZE_STATIC];
 
 /** Remember to add the options in SignatureIsIPOnly() at detect.c otherwise it wont be part of a signature group */
 

diff --git a/src/output.c b/src/output.c
@@ -1346,3 +1346,11 @@ EveJsonSimpleAppLayerLogger *SCEveJsonSimpleGetLogger(AppProto alproto)
     }
     return NULL;
 }
+
+void RegisterAppProtoAppLayerLogger(AppProto alproto, EveJsonSimpleTxLogFunc log)
+{
+    if (alproto < ALPROTO_MAX) {
+        simple_json_applayer_loggers[alproto].proto = alproto;
+        simple_json_applayer_loggers[alproto].LogTx = log;
+    }
+}
diff --git a/src/output.h b/src/output.h
@@ -216,5 +216,6 @@ typedef struct EveJsonSimpleAppLayerLogger {
 } EveJsonSimpleAppLayerLogger;
 
 EveJsonSimpleAppLayerLogger *SCEveJsonSimpleGetLogger(AppProto alproto);
+void RegisterAppProtoAppLayerLogger(AppProto alproto, EveJsonSimpleTxLogFunc log);
 
 #endif /* ! __OUTPUT_H__ */
diff --git a/src/suricata-plugin.h b/src/suricata-plugin.h
@@ -74,4 +74,16 @@ typedef struct SCCapturePlugin_ {
 
 int SCPluginRegisterCapture(SCCapturePlugin *);
 
+typedef struct SCAppLayerPlugin_ {
+    char *name;
+    char *logname;
+    char *confname;
+    void (*Register)(void);
+    bool (*Logger)(void *tx, void *jb);
+    void (*KeywordsRegister)(void);
+    uint32_t keywords_nb;
+} SCAppLayerPlugin;
+
+int SCPluginRegisterAppLayer(SCAppLayerPlugin *);
+
 #endif /* __SURICATA_PLUGIN_H */
diff --git a/src/suricata.c b/src/suricata.c
@@ -385,6 +385,7 @@ static void GlobalsDestroy(SCInstance *suri)
     FeatureTrackingRelease();
     SCProtoNameRelease();
     TimeDeinit();
+    SigTableCleanup();
     TmqhCleanup();
     TmModuleRunDeInit();
     ParseSizeDeinit();
@@ -2673,6 +2674,9 @@ int PostConfLoadedSetup(SCInstance *suri)
 
     RunModeEngineIsIPS(
             suricata.run_mode, suricata.runmode_custom_mode, suricata.capture_plugin_name);
+#ifdef HAVE_PLUGINS
+    SCPluginsLoad(suri->capture_plugin_name, suri->capture_plugin_args);
+#endif
 
     if (EngineModeIsUnknown()) { // if still uninitialized, set the default
         SCLogInfo("Setting engine mode to IDS mode by default");
@@ -2740,9 +2744,6 @@ int PostConfLoadedSetup(SCInstance *suri)
 
     FeatureTrackingRegister(); /* must occur prior to output mod registration */
     RegisterAllModules();
-#ifdef HAVE_PLUGINS
-    SCPluginsLoad(suri->capture_plugin_name, suri->capture_plugin_args);
-#endif
     AppLayerHtpNeedFileInspection();
 
     StorageFinalize();

diff --git a/src/util-plugin.c b/src/util-plugin.c
@@ -22,6 +22,7 @@
 #include "output-eve-syslog.h"
 #include "util-plugin.h"
 #include "util-debug.h"
+#include "app-layer-protos.h"
 
 #ifdef HAVE_PLUGINS
 
@@ -211,4 +212,32 @@ SCCapturePlugin *SCPluginFindCaptureByName(const char *name)
     }
     return plugin;
 }
+
+#ifdef ALPROTO_DYNAMIC_NB
+static SCAppLayerPlugin *app_layer_plugins[ALPROTO_DYNAMIC_NB];
+static size_t app_layer_plugins_nb = 0;
+#endif
+
+int SCPluginRegisterAppLayer(SCAppLayerPlugin *plugin)
+{
+#ifdef ALPROTO_DYNAMIC_NB
+    if (app_layer_plugins_nb < ALPROTO_DYNAMIC_NB) {
+        app_layer_plugins[app_layer_plugins_nb] = plugin;
+        RegisterAppProtoString((AppProto)(ALPROTO_MAX_STATIC + app_layer_plugins_nb), plugin->name);
+        app_layer_plugins_nb++;
+        return 0;
+    }
+#endif
+    return 1;
+}
+
+SCAppLayerPlugin *SCPluginFindAppLayerByIndex(size_t i)
+{
+#ifdef ALPROTO_DYNAMIC_NB
+    if (i < ALPROTO_DYNAMIC_NB) {
+        return app_layer_plugins[i];
+    }
+#endif
+    return NULL;
+}
 #endif
diff --git a/src/util-plugin.h b/src/util-plugin.h
@@ -26,4 +26,6 @@ SCCapturePlugin *SCPluginFindCaptureByName(const char *name);
 
 bool RegisterPlugin(SCPlugin *, void *);
 
+SCAppLayerPlugin *SCPluginFindAppLayerByIndex(size_t i);
+
 #endif /* __UTIL_PLUGIN_H__ */