app-layer: API for mapping progress name vs id

victorjulien · Jan 27, 2025 · d96f271 · d96f271
1 parent c353db1
commit d96f271
Show file tree

Hide file tree

Showing 30 changed files with 136 additions and 0 deletions.
diff --git a/rust/src/applayer.rs b/rust/src/applayer.rs
@@ -410,6 +410,9 @@ pub struct RustParser {
 
     pub get_frame_id_by_name: Option<GetFrameIdByName>,
     pub get_frame_name_by_id: Option<GetFrameNameById>,
+
+    pub get_state_id_by_name: Option<GetStateIdByName>,
+    pub get_state_name_by_id: Option<GetStateNameById>,
 }
 
 /// Create a slice, given a buffer and a length
@@ -470,6 +473,8 @@ pub type GetStateDataFn = unsafe extern "C" fn(*mut c_void) -> *mut AppLayerStat
 pub type ApplyTxConfigFn = unsafe extern "C" fn (*mut c_void, *mut c_void, c_int, AppLayerTxConfig);
 pub type GetFrameIdByName = unsafe extern "C" fn(*const c_char) -> c_int;
 pub type GetFrameNameById = unsafe extern "C" fn(u8) -> *const c_char;
+pub type GetStateIdByName = unsafe extern "C" fn(*const c_char, u8) -> c_int;
+pub type GetStateNameById = unsafe extern "C" fn(c_int, u8) -> *const c_char;
 
 
 // Defined in app-layer-register.h

diff --git a/rust/src/applayertemplate/template.rs b/rust/src/applayertemplate/template.rs
@@ -396,6 +396,8 @@ pub unsafe extern "C" fn rs_template_register_parser() {
         flags: APP_LAYER_PARSER_OPT_ACCEPT_GAPS,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

diff --git a/rust/src/bittorrent_dht/bittorrent_dht.rs b/rust/src/bittorrent_dht/bittorrent_dht.rs
@@ -286,6 +286,8 @@ pub unsafe extern "C" fn rs_bittorrent_dht_udp_register_parser() {
         flags: 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

diff --git a/rust/src/dcerpc/dcerpc.rs b/rust/src/dcerpc/dcerpc.rs
@@ -1351,6 +1351,8 @@ pub unsafe extern "C" fn rs_dcerpc_register_parser() {
         flags: APP_LAYER_PARSER_OPT_ACCEPT_GAPS,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

diff --git a/rust/src/dcerpc/dcerpc_udp.rs b/rust/src/dcerpc/dcerpc_udp.rs
@@ -382,6 +382,8 @@ pub unsafe extern "C" fn rs_dcerpc_udp_register_parser() {
         flags: 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

diff --git a/rust/src/dhcp/dhcp.rs b/rust/src/dhcp/dhcp.rs
@@ -288,6 +288,8 @@ pub unsafe extern "C" fn SCRegisterDhcpParser() {
         flags: 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

diff --git a/rust/src/dns/dns.rs b/rust/src/dns/dns.rs
@@ -1122,6 +1122,8 @@ pub unsafe extern "C" fn SCRegisterDnsUdpParser() {
         flags: 0,
         get_frame_id_by_name: Some(DnsFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(DnsFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();
@@ -1167,6 +1169,8 @@ pub unsafe extern "C" fn SCRegisterDnsTcpParser() {
         flags: APP_LAYER_PARSER_OPT_ACCEPT_GAPS,
         get_frame_id_by_name: Some(DnsFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(DnsFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

diff --git a/rust/src/enip/enip.rs b/rust/src/enip/enip.rs
@@ -619,6 +619,8 @@ pub unsafe extern "C" fn SCEnipRegisterParsers() {
         flags: 0,
         get_frame_id_by_name: Some(EnipFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(EnipFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

diff --git a/rust/src/http2/http2.rs b/rust/src/http2/http2.rs
@@ -1570,6 +1570,8 @@ pub unsafe extern "C" fn rs_http2_register_parser() {
         flags: 0,
         get_frame_id_by_name: Some(Http2FrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(Http2FrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

diff --git a/rust/src/ike/ike.rs b/rust/src/ike/ike.rs
@@ -428,6 +428,8 @@ pub unsafe extern "C" fn rs_ike_register_parser() {
         flags: 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

diff --git a/rust/src/krb/krb5.rs b/rust/src/krb/krb5.rs
@@ -613,6 +613,8 @@ pub unsafe extern "C" fn rs_register_krb5_parser() {
         flags              : 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
     // register UDP parser
     let ip_proto_str = CString::new("udp").unwrap();

diff --git a/rust/src/ldap/ldap.rs b/rust/src/ldap/ldap.rs
@@ -678,6 +678,8 @@ pub unsafe extern "C" fn SCRegisterLdapTcpParser() {
         flags: APP_LAYER_PARSER_OPT_ACCEPT_GAPS,
         get_frame_id_by_name: Some(LdapFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(LdapFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();
@@ -735,6 +737,8 @@ pub unsafe extern "C" fn SCRegisterLdapUdpParser() {
         flags: 0,
         get_frame_id_by_name: Some(LdapFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(LdapFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

diff --git a/rust/src/modbus/modbus.rs b/rust/src/modbus/modbus.rs
@@ -418,6 +418,8 @@ pub unsafe extern "C" fn rs_modbus_register_parser() {
         flags: 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

diff --git a/rust/src/mqtt/mqtt.rs b/rust/src/mqtt/mqtt.rs
@@ -797,6 +797,8 @@ pub unsafe extern "C" fn SCMqttRegisterParser() {
         flags: 0,
         get_frame_id_by_name: Some(MQTTFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(MQTTFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

diff --git a/rust/src/nfs/nfs.rs b/rust/src/nfs/nfs.rs
@@ -2000,6 +2000,8 @@ pub unsafe extern "C" fn rs_nfs_register_parser() {
         flags: APP_LAYER_PARSER_OPT_ACCEPT_GAPS,
         get_frame_id_by_name: Some(NFSFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(NFSFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();
@@ -2077,6 +2079,8 @@ pub unsafe extern "C" fn rs_nfs_udp_register_parser() {
         flags: 0,
         get_frame_id_by_name: Some(NFSFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(NFSFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

diff --git a/rust/src/ntp/ntp.rs b/rust/src/ntp/ntp.rs
@@ -285,6 +285,8 @@ pub unsafe extern "C" fn rs_register_ntp_parser() {
         flags: 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

diff --git a/rust/src/pgsql/pgsql.rs b/rust/src/pgsql/pgsql.rs
@@ -811,6 +811,8 @@ pub unsafe extern "C" fn SCRegisterPgsqlParser() {
         flags: APP_LAYER_PARSER_OPT_ACCEPT_GAPS,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

diff --git a/rust/src/quic/quic.rs b/rust/src/quic/quic.rs
@@ -510,6 +510,8 @@ pub unsafe extern "C" fn rs_quic_register_parser() {
         flags: 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

diff --git a/rust/src/rdp/rdp.rs b/rust/src/rdp/rdp.rs
@@ -496,6 +496,8 @@ pub unsafe extern "C" fn rs_rdp_register_parser() {
         flags: 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = std::ffi::CString::new("tcp").unwrap();

diff --git a/rust/src/rfb/rfb.rs b/rust/src/rfb/rfb.rs
@@ -871,6 +871,8 @@ pub unsafe extern "C" fn SCRfbRegisterParser() {
         flags: 0,
         get_frame_id_by_name: Some(RFBFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(RFBFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

diff --git a/rust/src/sip/sip.rs b/rust/src/sip/sip.rs
@@ -583,6 +583,8 @@ pub unsafe extern "C" fn rs_sip_register_parser() {
         flags: 0,
         get_frame_id_by_name: Some(SIPFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(SIPFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

diff --git a/rust/src/smb/smb.rs b/rust/src/smb/smb.rs
@@ -2374,6 +2374,8 @@ pub unsafe extern "C" fn rs_smb_register_parser() {
         flags: APP_LAYER_PARSER_OPT_ACCEPT_GAPS,
         get_frame_id_by_name: Some(SMBFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(SMBFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

diff --git a/rust/src/snmp/snmp.rs b/rust/src/snmp/snmp.rs
@@ -410,6 +410,8 @@ pub unsafe extern "C" fn rs_register_snmp_parser() {
         flags              : 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
     let ip_proto_str = CString::new("udp").unwrap();
     if AppLayerProtoDetectConfProtoDetectionEnabled(ip_proto_str.as_ptr(), parser.name) != 0 {

diff --git a/rust/src/ssh/ssh.rs b/rust/src/ssh/ssh.rs
@@ -525,6 +525,8 @@ pub unsafe extern "C" fn SCRegisterSshParser() {
         flags: 0,
         get_frame_id_by_name: Some(SshFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(SshFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

diff --git a/rust/src/telnet/telnet.rs b/rust/src/telnet/telnet.rs
@@ -540,6 +540,8 @@ pub unsafe extern "C" fn rs_telnet_register_parser() {
         flags: APP_LAYER_PARSER_OPT_ACCEPT_GAPS,
         get_frame_id_by_name: Some(TelnetFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(TelnetFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
 
     };
 

diff --git a/rust/src/websocket/websocket.rs b/rust/src/websocket/websocket.rs
@@ -369,6 +369,8 @@ pub unsafe extern "C" fn rs_websocket_register_parser() {
         flags: 0, // do not accept gaps as there is no good way to resync
         get_frame_id_by_name: Some(WebSocketFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(WebSocketFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c
@@ -107,6 +107,9 @@ typedef struct AppLayerParserProtoCtx_
     AppLayerParserGetFrameIdByNameFn GetFrameIdByName;
     AppLayerParserGetFrameNameByIdFn GetFrameNameById;
 
+    AppLayerParserGetStateIdByNameFn GetStateIdByName;
+    AppLayerParserGetStateNameByIdFn GetStateNameById;
+
     /* each app-layer has its own value */
     uint32_t stream_depth;
 
@@ -547,6 +550,16 @@ void AppLayerParserRegisterGetEventInfoById(uint8_t ipproto, AppProto alproto,
     SCReturn;
 }
 
+void AppLayerParserRegisterGetStateFuncs(uint8_t ipproto, AppProto alproto,
+        AppLayerParserGetStateIdByNameFn GetIdByNameFunc,
+        AppLayerParserGetStateNameByIdFn GetNameByIdFunc)
+{
+    SCEnter();
+    alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetStateIdByName = GetIdByNameFunc;
+    alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetStateNameById = GetNameByIdFunc;
+    SCReturn;
+}
+
 void AppLayerParserRegisterGetFrameFuncs(uint8_t ipproto, AppProto alproto,
         AppLayerParserGetFrameIdByNameFn GetIdByNameFunc,
         AppLayerParserGetFrameNameByIdFn GetNameByIdFunc)
@@ -1578,6 +1591,35 @@ void AppLayerParserSetStreamDepthFlag(uint8_t ipproto, AppProto alproto, void *s
     SCReturn;
 }
 
+/**
+ *  \param id progress value id to get the name for
+ *  \param direction STREAM_TOSERVER/STREAM_TOCLIENT
+ */
+int AppLayerParserGetStateIdByName(
+        uint8_t ipproto, AppProto alproto, const char *name, const uint8_t direction)
+{
+    if (alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetStateIdByName != NULL) {
+        return alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetStateIdByName(
+                name, direction);
+    } else {
+        return -1;
+    }
+}
+
+/**
+ *  \param id progress value id to get the name for
+ *  \param direction STREAM_TOSERVER/STREAM_TOCLIENT
+ */
+const char *AppLayerParserGetStateNameById(
+        uint8_t ipproto, AppProto alproto, const int id, const uint8_t direction)
+{
+    if (alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetStateNameById != NULL) {
+        return alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetStateNameById(id, direction);
+    } else {
+        return NULL;
+    }
+}
+
 int AppLayerParserGetFrameIdByName(uint8_t ipproto, AppProto alproto, const char *name)
 {
     if (alp_ctx.ctxs[alproto][FlowGetProtoMapping(ipproto)].GetFrameIdByName != NULL) {

diff --git a/src/app-layer-parser.h b/src/app-layer-parser.h
@@ -155,6 +155,17 @@ typedef AppLayerGetTxIterTuple (*AppLayerGetTxIteratorFunc)
 
 /***** Parser related registration *****/
 
+/**
+ *  \param name progress name to get the id for
+ *  \param direction STREAM_TOSERVER/STREAM_TOCLIENT
+ */
+typedef int (*AppLayerParserGetStateIdByNameFn)(const char *name, const uint8_t direction);
+/**
+ *  \param id progress value id to get the name for
+ *  \param direction STREAM_TOSERVER/STREAM_TOCLIENT
+ */
+typedef const char *(*AppLayerParserGetStateNameByIdFn)(const int id, const uint8_t direction);
+
 typedef int (*AppLayerParserGetFrameIdByNameFn)(const char *frame_name);
 typedef const char *(*AppLayerParserGetFrameNameByIdFn)(const uint8_t id);
 
@@ -206,6 +217,9 @@ void AppLayerParserRegisterGetFrameFuncs(uint8_t ipproto, AppProto alproto,
         AppLayerParserGetFrameNameByIdFn GetFrameNameById);
 void AppLayerParserRegisterSetStreamDepthFlag(uint8_t ipproto, AppProto alproto,
         void (*SetStreamDepthFlag)(void *tx, uint8_t flags));
+void AppLayerParserRegisterGetStateFuncs(uint8_t ipproto, AppProto alproto,
+        AppLayerParserGetStateIdByNameFn GetStateIdByName,
+        AppLayerParserGetStateNameByIdFn GetStateNameById);
 
 void AppLayerParserRegisterTxDataFunc(uint8_t ipproto, AppProto alproto,
         AppLayerTxData *(*GetTxData)(void *tx));
@@ -293,6 +307,18 @@ void AppLayerParserSetStreamDepthFlag(uint8_t ipproto, AppProto alproto, void *s
 int AppLayerParserIsEnabled(AppProto alproto);
 int AppLayerParserGetFrameIdByName(uint8_t ipproto, AppProto alproto, const char *name);
 const char *AppLayerParserGetFrameNameById(uint8_t ipproto, AppProto alproto, const uint8_t id);
+/**
+ *  \param name progress name to get the id for
+ *  \param direction STREAM_TOSERVER/STREAM_TOCLIENT
+ */
+int AppLayerParserGetStateIdByName(
+        uint8_t ipproto, AppProto alproto, const char *name, uint8_t direction);
+/**
+ *  \param id progress value id to get the name for
+ *  \param direction STREAM_TOSERVER/STREAM_TOCLIENT
+ */
+const char *AppLayerParserGetStateNameById(
+        uint8_t ipproto, AppProto alproto, const int id, uint8_t direction);
 
 /***** Cleanup *****/
 

diff --git a/src/app-layer-register.c b/src/app-layer-register.c
@@ -188,6 +188,11 @@ int AppLayerRegisterParser(const struct AppLayerParser *p, AppProto alproto)
                 p->ip_proto, alproto, p->GetFrameIdByName, p->GetFrameNameById);
     }
 
+    if (p->GetStateIdByName && p->GetStateNameById) {
+        AppLayerParserRegisterGetStateFuncs(
+                p->ip_proto, alproto, p->GetStateIdByName, p->GetStateNameById);
+    }
+
     return 0;
 }