Detect rule hook/v7

rust/src/applayer.rs

@@ -410,6 +410,9 @@ pub struct RustParser {
 
     pub get_frame_id_by_name: Option<GetFrameIdByName>,
     pub get_frame_name_by_id: Option<GetFrameNameById>,
+
+    pub get_state_id_by_name: Option<GetStateIdByName>,
+    pub get_state_name_by_id: Option<GetStateNameById>,
 }
 
 /// Create a slice, given a buffer and a length
@@ -470,6 +473,8 @@ pub type GetStateDataFn = unsafe extern "C" fn(*mut c_void) -> *mut AppLayerStat
 pub type ApplyTxConfigFn = unsafe extern "C" fn (*mut c_void, *mut c_void, c_int, AppLayerTxConfig);
 pub type GetFrameIdByName = unsafe extern "C" fn(*const c_char) -> c_int;
 pub type GetFrameNameById = unsafe extern "C" fn(u8) -> *const c_char;
+pub type GetStateIdByName = unsafe extern "C" fn(*const c_char, u8) -> c_int;
+pub type GetStateNameById = unsafe extern "C" fn(c_int, u8) -> *const c_char;
 
 
 // Defined in app-layer-register.h

rust/src/applayertemplate/template.rs

@@ -396,6 +396,8 @@ pub unsafe extern "C" fn rs_template_register_parser() {
         flags: APP_LAYER_PARSER_OPT_ACCEPT_GAPS,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

rust/src/bittorrent_dht/bittorrent_dht.rs

@@ -286,6 +286,8 @@ pub unsafe extern "C" fn rs_bittorrent_dht_udp_register_parser() {
         flags: 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

rust/src/dcerpc/dcerpc.rs

@@ -1282,6 +1282,8 @@ pub unsafe extern "C" fn rs_dcerpc_register_parser() {
         flags: APP_LAYER_PARSER_OPT_ACCEPT_GAPS,
         get_frame_id_by_name: Some(DCERPCFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(DCERPCFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

rust/src/dcerpc/dcerpc_udp.rs

@@ -384,6 +384,8 @@ pub unsafe extern "C" fn rs_dcerpc_udp_register_parser() {
         flags: 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

rust/src/dhcp/dhcp.rs

@@ -288,6 +288,8 @@ pub unsafe extern "C" fn SCRegisterDhcpParser() {
         flags: 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

rust/src/dns/dns.rs

@@ -1122,6 +1122,8 @@ pub unsafe extern "C" fn SCRegisterDnsUdpParser() {
         flags: 0,
         get_frame_id_by_name: Some(DnsFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(DnsFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();
@@ -1167,6 +1169,8 @@ pub unsafe extern "C" fn SCRegisterDnsTcpParser() {
         flags: APP_LAYER_PARSER_OPT_ACCEPT_GAPS,
         get_frame_id_by_name: Some(DnsFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(DnsFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

rust/src/enip/enip.rs

@@ -619,6 +619,8 @@ pub unsafe extern "C" fn SCEnipRegisterParsers() {
         flags: 0,
         get_frame_id_by_name: Some(EnipFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(EnipFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

rust/src/http2/http2.rs

@@ -1570,6 +1570,8 @@ pub unsafe extern "C" fn rs_http2_register_parser() {
         flags: 0,
         get_frame_id_by_name: Some(Http2FrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(Http2FrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

rust/src/ike/ike.rs

@@ -428,6 +428,8 @@ pub unsafe extern "C" fn rs_ike_register_parser() {
         flags: 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

rust/src/krb/krb5.rs

@@ -613,6 +613,8 @@ pub unsafe extern "C" fn rs_register_krb5_parser() {
         flags              : 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
     // register UDP parser
     let ip_proto_str = CString::new("udp").unwrap();

rust/src/ldap/ldap.rs

@@ -678,6 +678,8 @@ pub unsafe extern "C" fn SCRegisterLdapTcpParser() {
         flags: APP_LAYER_PARSER_OPT_ACCEPT_GAPS,
         get_frame_id_by_name: Some(LdapFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(LdapFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();
@@ -735,6 +737,8 @@ pub unsafe extern "C" fn SCRegisterLdapUdpParser() {
         flags: 0,
         get_frame_id_by_name: Some(LdapFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(LdapFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

rust/src/modbus/modbus.rs

@@ -418,6 +418,8 @@ pub unsafe extern "C" fn rs_modbus_register_parser() {
         flags: 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

rust/src/mqtt/mqtt.rs

@@ -797,6 +797,8 @@ pub unsafe extern "C" fn SCMqttRegisterParser() {
         flags: 0,
         get_frame_id_by_name: Some(MQTTFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(MQTTFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

rust/src/nfs/nfs.rs

@@ -2000,6 +2000,8 @@ pub unsafe extern "C" fn rs_nfs_register_parser() {
         flags: APP_LAYER_PARSER_OPT_ACCEPT_GAPS,
         get_frame_id_by_name: Some(NFSFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(NFSFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();
@@ -2077,6 +2079,8 @@ pub unsafe extern "C" fn rs_nfs_udp_register_parser() {
         flags: 0,
         get_frame_id_by_name: Some(NFSFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(NFSFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

rust/src/ntp/ntp.rs

@@ -285,6 +285,8 @@ pub unsafe extern "C" fn rs_register_ntp_parser() {
         flags: 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

rust/src/pgsql/pgsql.rs

@@ -811,6 +811,8 @@ pub unsafe extern "C" fn SCRegisterPgsqlParser() {
         flags: APP_LAYER_PARSER_OPT_ACCEPT_GAPS,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

rust/src/quic/quic.rs

@@ -510,6 +510,8 @@ pub unsafe extern "C" fn rs_quic_register_parser() {
         flags: 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

rust/src/rdp/rdp.rs

@@ -496,6 +496,8 @@ pub unsafe extern "C" fn rs_rdp_register_parser() {
         flags: 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = std::ffi::CString::new("tcp").unwrap();

rust/src/rfb/rfb.rs

@@ -871,6 +871,8 @@ pub unsafe extern "C" fn SCRfbRegisterParser() {
         flags: 0,
         get_frame_id_by_name: Some(RFBFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(RFBFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

rust/src/sip/sip.rs

@@ -583,6 +583,8 @@ pub unsafe extern "C" fn rs_sip_register_parser() {
         flags: 0,
         get_frame_id_by_name: Some(SIPFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(SIPFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

rust/src/smb/smb.rs

@@ -2374,6 +2374,8 @@ pub unsafe extern "C" fn rs_smb_register_parser() {
         flags: APP_LAYER_PARSER_OPT_ACCEPT_GAPS,
         get_frame_id_by_name: Some(SMBFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(SMBFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

rust/src/snmp/snmp.rs

@@ -410,6 +410,8 @@ pub unsafe extern "C" fn rs_register_snmp_parser() {
         flags              : 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
     let ip_proto_str = CString::new("udp").unwrap();
     if AppLayerProtoDetectConfProtoDetectionEnabled(ip_proto_str.as_ptr(), parser.name) != 0 {

rust/src/ssh/ssh.rs

@@ -525,6 +525,8 @@ pub unsafe extern "C" fn SCRegisterSshParser() {
         flags: 0,
         get_frame_id_by_name: Some(SshFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(SshFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

rust/src/telnet/telnet.rs

@@ -540,6 +540,8 @@ pub unsafe extern "C" fn rs_telnet_register_parser() {
         flags: APP_LAYER_PARSER_OPT_ACCEPT_GAPS,
         get_frame_id_by_name: Some(TelnetFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(TelnetFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
 
     };
 

rust/src/websocket/websocket.rs

@@ -369,6 +369,8 @@ pub unsafe extern "C" fn rs_websocket_register_parser() {
         flags: 0, // do not accept gaps as there is no good way to resync
         get_frame_id_by_name: Some(WebSocketFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(WebSocketFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

src/Makefile.am

@@ -519,6 +519,7 @@ noinst_HEADERS = \
 	util-lua-hassh.h \
 	util-lua-http.h \
 	util-lua-ja3.h \
+	util-lua-packetlib.h \
 	util-lua-sandbox.h \
 	util-lua-smtp.h \
 	util-lua-ssh.h \
@@ -1071,6 +1072,7 @@ libsuricata_c_a_SOURCES = \
 	util-lua-hassh.c \
 	util-lua-http.c \
 	util-lua-ja3.c \
+	util-lua-packetlib.c \
 	util-lua-sandbox.c \
 	util-lua-smtp.c \
 	util-lua-ssh.c \

src/app-layer-frames.h

@@ -26,6 +26,8 @@
 
 #include "rust.h"
 
+/** special value for matching any type */
+#define FRAME_ANY_TYPE 62
 /** max 63 to fit the 64 bit per protocol space */
 #define FRAME_STREAM_TYPE 63
 

src/app-layer-htp.c

@@ -213,6 +213,82 @@ static const char *HTTPGetFrameNameById(const uint8_t frame_id)
     return name;
 }
 
+static SCEnumCharMap http_state_client_table[] = {
+    {
+            "request_not_started",
+            HTP_REQUEST_NOT_STARTED,
+    },
+    {
+            "request_line",
+            HTP_REQUEST_PROGRESS_LINE,
+    },
+    {
+            "request_headers",
+            HTP_REQUEST_PROGRESS_HEADERS,
+    },
+    {
+            "request_body",
+            HTP_REQUEST_PROGRESS_BODY,
+    },
+    {
+            "request_trailer",
+            HTP_REQUEST_PROGRESS_TRAILER,
+    },
+    {
+            "request_complete",
+            HTP_REQUEST_PROGRESS_COMPLETE,
+    },
+    { NULL, -1 },
+};
+
+static SCEnumCharMap http_state_server_table[] = {
+    {
+            "response_not_started",
+            HTP_RESPONSE_NOT_STARTED,
+    },
+    {
+            "response_line",
+            HTP_RESPONSE_PROGRESS_LINE,
+    },
+    {
+            "response_headers",
+            HTP_RESPONSE_PROGRESS_HEADERS,
+    },
+    {
+            "response_body",
+            HTP_RESPONSE_PROGRESS_BODY,
+    },
+    {
+            "response_trailer",
+            HTP_RESPONSE_PROGRESS_TRAILER,
+    },
+    {
+            "response_complete",
+            HTP_RESPONSE_PROGRESS_COMPLETE,
+    },
+    { NULL, -1 },
+};
+
+static int HtpStateGetStateIdByName(const char *name, const uint8_t direction)
+{
+    SCEnumCharMap *map =
+            direction == STREAM_TOSERVER ? http_state_client_table : http_state_server_table;
+
+    int id = SCMapEnumNameToValue(name, map);
+    if (id < 0) {
+        return -1;
+    }
+    return id;
+}
+
+static const char *HtpStateGetStateNameById(const int id, const uint8_t direction)
+{
+    SCEnumCharMap *map =
+            direction == STREAM_TOSERVER ? http_state_client_table : http_state_server_table;
+    const char *name = SCMapEnumValueToName(id, map);
+    return name;
+}
+
 static void *HTPStateGetTx(void *alstate, uint64_t tx_id);
 static int HTPStateGetAlstateProgress(void *tx, uint8_t direction);
 static uint64_t HTPStateGetTxCnt(void *alstate);
@@ -2873,6 +2949,9 @@ void RegisterHTPParsers(void)
         AppLayerParserRegisterGetFrameFuncs(
                 IPPROTO_TCP, ALPROTO_HTTP1, HTTPGetFrameIdByName, HTTPGetFrameNameById);
         /* app-layer-frame-documentation tag end: registering relevant callbacks */
+        AppLayerParserRegisterGetStateFuncs(
+                IPPROTO_TCP, ALPROTO_HTTP1, HtpStateGetStateIdByName, HtpStateGetStateNameById);
+
         HTPConfigure();
     } else {
         SCLogInfo("Parser disabled for %s protocol. Protocol detection still on.", proto_name);