OISF · victorjulien · Feb 27, 2025 · Dec 28, 2023 · Jan 20, 2025 · Jan 16, 2025
@@ -5278,6 +5278,16 @@
                                     "description":
                                             "Number of packets dropped due to inner tunnel packet being dropped",
                                     "type": "integer"
+                                },
+                                "default_packet_policy": {
+                                    "description":
+                                            "Number of packets dropped due to default packet policy",
+                                    "type": "integer"
+                                },
+                                "default_app_policy": {
+                                    "description":
+                                            "Number of packets dropped due to default app policy",
+                                    "type": "integer"
                                 }
                             },
                             "additionalProperties": false

@@ -411,6 +411,9 @@ pub struct RustParser {
 
     pub get_frame_id_by_name: Option<GetFrameIdByName>,
     pub get_frame_name_by_id: Option<GetFrameNameById>,
+
+    pub get_state_id_by_name: Option<GetStateIdByName>,
+    pub get_state_name_by_id: Option<GetStateNameById>,
 }
 
 /// Create a slice, given a buffer and a length
@@ -471,6 +474,8 @@ pub type GetStateDataFn = unsafe extern "C" fn(*mut c_void) -> *mut AppLayerStat
 pub type ApplyTxConfigFn = unsafe extern "C" fn (*mut c_void, *mut c_void, c_int, AppLayerTxConfig);
 pub type GetFrameIdByName = unsafe extern "C" fn(*const c_char) -> c_int;
 pub type GetFrameNameById = unsafe extern "C" fn(u8) -> *const c_char;
+pub type GetStateIdByName = unsafe extern "C" fn(*const c_char, u8) -> c_int;
+pub type GetStateNameById = unsafe extern "C" fn(c_int, u8) -> *const c_char;
 
 
 // Defined in app-layer-register.h

@@ -397,6 +397,8 @@ pub unsafe extern "C" fn rs_template_register_parser() {
         flags: APP_LAYER_PARSER_OPT_ACCEPT_GAPS,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

@@ -278,6 +278,8 @@ pub unsafe extern "C" fn SCRegisterBittorrentDhtUdpParser() {
         flags: 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

@@ -1246,6 +1246,8 @@ pub unsafe extern "C" fn SCRegisterDcerpcParser() {
         flags: APP_LAYER_PARSER_OPT_ACCEPT_GAPS,
         get_frame_id_by_name: Some(DCERPCFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(DCERPCFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

@@ -378,6 +378,8 @@ pub unsafe extern "C" fn SCRegisterDcerpcUdpParser() {
         flags: 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

@@ -290,6 +290,8 @@ pub unsafe extern "C" fn SCRegisterDhcpParser() {
         flags: 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

@@ -1246,6 +1246,8 @@ pub unsafe extern "C" fn SCRegisterDnsUdpParser() {
         flags: 0,
         get_frame_id_by_name: Some(DnsFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(DnsFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();
@@ -1291,6 +1293,8 @@ pub unsafe extern "C" fn SCRegisterDnsTcpParser() {
         flags: APP_LAYER_PARSER_OPT_ACCEPT_GAPS,
         get_frame_id_by_name: Some(DnsFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(DnsFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

@@ -620,6 +620,8 @@ pub unsafe extern "C" fn SCEnipRegisterParsers() {
         flags: 0,
         get_frame_id_by_name: Some(EnipFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(EnipFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

@@ -1571,6 +1571,8 @@ pub unsafe extern "C" fn rs_http2_register_parser() {
         flags: 0,
         get_frame_id_by_name: Some(Http2FrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(Http2FrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

@@ -429,6 +429,8 @@ pub unsafe extern "C" fn rs_ike_register_parser() {
         flags: 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

@@ -614,6 +614,8 @@ pub unsafe extern "C" fn rs_register_krb5_parser() {
         flags              : 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
     // register UDP parser
     let ip_proto_str = CString::new("udp").unwrap();

@@ -679,6 +679,8 @@ pub unsafe extern "C" fn SCRegisterLdapTcpParser() {
         flags: APP_LAYER_PARSER_OPT_ACCEPT_GAPS,
         get_frame_id_by_name: Some(LdapFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(LdapFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();
@@ -736,6 +738,8 @@ pub unsafe extern "C" fn SCRegisterLdapUdpParser() {
         flags: 0,
         get_frame_id_by_name: Some(LdapFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(LdapFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

@@ -419,6 +419,8 @@ pub unsafe extern "C" fn rs_modbus_register_parser() {
         flags: 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

@@ -771,6 +771,8 @@ pub unsafe extern "C" fn SCMqttRegisterParser() {
         flags: 0,
         get_frame_id_by_name: Some(MQTTFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(MQTTFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

@@ -2001,6 +2001,8 @@ pub unsafe extern "C" fn rs_nfs_register_parser() {
         flags: APP_LAYER_PARSER_OPT_ACCEPT_GAPS,
         get_frame_id_by_name: Some(NFSFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(NFSFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();
@@ -2078,6 +2080,8 @@ pub unsafe extern "C" fn rs_nfs_udp_register_parser() {
         flags: 0,
         get_frame_id_by_name: Some(NFSFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(NFSFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

@@ -286,6 +286,8 @@ pub unsafe extern "C" fn rs_register_ntp_parser() {
         flags: 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

@@ -865,6 +865,8 @@ pub unsafe extern "C" fn SCRegisterPgsqlParser() {
         flags: APP_LAYER_PARSER_OPT_ACCEPT_GAPS,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

@@ -585,6 +585,8 @@ pub unsafe extern "C" fn rs_quic_register_parser() {
         flags: 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

@@ -497,6 +497,8 @@ pub unsafe extern "C" fn rs_rdp_register_parser() {
         flags: 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = std::ffi::CString::new("tcp").unwrap();

@@ -872,6 +872,8 @@ pub unsafe extern "C" fn SCRfbRegisterParser() {
         flags: 0,
         get_frame_id_by_name: Some(RFBFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(RFBFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

@@ -584,6 +584,8 @@ pub unsafe extern "C" fn rs_sip_register_parser() {
         flags: 0,
         get_frame_id_by_name: Some(SIPFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(SIPFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("udp").unwrap();

@@ -2375,6 +2375,8 @@ pub unsafe extern "C" fn rs_smb_register_parser() {
         flags: APP_LAYER_PARSER_OPT_ACCEPT_GAPS,
         get_frame_id_by_name: Some(SMBFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(SMBFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

@@ -411,6 +411,8 @@ pub unsafe extern "C" fn rs_register_snmp_parser() {
         flags              : 0,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
     let ip_proto_str = CString::new("udp").unwrap();
     if AppLayerProtoDetectConfProtoDetectionEnabled(ip_proto_str.as_ptr(), parser.name) != 0 {

@@ -526,6 +526,8 @@ pub unsafe extern "C" fn SCRegisterSshParser() {
         flags: 0,
         get_frame_id_by_name: Some(SshFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(SshFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

@@ -541,6 +541,8 @@ pub unsafe extern "C" fn rs_telnet_register_parser() {
         flags: APP_LAYER_PARSER_OPT_ACCEPT_GAPS,
         get_frame_id_by_name: Some(TelnetFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(TelnetFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
 
     };
 

@@ -370,6 +370,8 @@ pub unsafe extern "C" fn rs_websocket_register_parser() {
         flags: 0, // do not accept gaps as there is no good way to resync
         get_frame_id_by_name: Some(WebSocketFrameType::ffi_id_from_name),
         get_frame_name_by_id: Some(WebSocketFrameType::ffi_name_from_id),
+        get_state_id_by_name: None,
+        get_state_name_by_id: None,
     };
 
     let ip_proto_str = CString::new("tcp").unwrap();

@@ -89,6 +89,7 @@ noinst_HEADERS = \
 	defrag-timeout.h \
 	detect-app-layer-event.h \
 	detect-app-layer-protocol.h \
+	detect-app-layer-state.h \
 	detect-asn1.h \
 	detect-base64-data.h \
 	detect-base64-decode.h \
@@ -664,6 +665,7 @@ libsuricata_c_a_SOURCES = \
 	defrag-timeout.c \
 	detect-app-layer-event.c \
 	detect-app-layer-protocol.c \
+	detect-app-layer-state.c \
 	detect-asn1.c \
 	detect-base64-data.c \
 	detect-base64-decode.c \

@@ -33,9 +33,17 @@
 #define ACTION_REJECT_BOTH  0x10
 #define ACTION_PASS         0x20
 #define ACTION_CONFIG       0x40
+#define ACTION_ACCEPT       0x80 /**< firewall 'accept' rule */
 
 #define ACTION_REJECT_ANY   (ACTION_REJECT|ACTION_REJECT_DST|ACTION_REJECT_BOTH)
 
 #define ACTION_DROP_REJECT (ACTION_REJECT_ANY | ACTION_DROP)
 
+enum ActionScope {
+    ACTION_SCOPE_AUTO = 0,
+    ACTION_SCOPE_PACKET, /**< apply action to packet */
+    ACTION_SCOPE_FLOW,   /**< apply drop/pass/accept action to flow */
+    ACTION_SCOPE_HOOK    /**< apply action to current hook */
+};
+
 #endif /* SURICATA_ACTION_GLOBALS_H */
@@ -217,10 +217,10 @@ static TmEcode AlertDebugLogger(ThreadVars *tv, const Packet *p, void *thread_da
                              p->flow->todstbytecnt + p->flow->tosrcbytecnt);
         MemBufferWriteString(aft->buffer,
                 "FLOW ACTION:       DROP: %s\n"
-                "FLOW NOINSPECTION: PACKET: %s, PAYLOAD: %s, APP_LAYER: %s\n"
+                "FLOW PAYLOAD: %s, APP_LAYER: %s\n"
                 "FLOW APP_LAYER:    DETECTED: %s, PROTO %" PRIu16 "\n",
                 p->flow->flags & FLOW_ACTION_DROP ? "TRUE" : "FALSE",
-                p->flow->flags & FLOW_NOPACKET_INSPECTION ? "TRUE" : "FALSE",
+                //                p->flow->flags & FLOW_NOPACKET_INSPECTION ? "TRUE" : "FALSE",
                 p->flow->flags & FLOW_NOPAYLOAD_INSPECTION ? "TRUE" : "FALSE",
                 applayer ? "TRUE" : "FALSE",
                 (p->flow->alproto != ALPROTO_UNKNOWN) ? "TRUE" : "FALSE", p->flow->alproto);

@@ -26,6 +26,8 @@
 
 #include "rust.h"
 
+/** special value for matching any type */
+#define FRAME_ANY_TYPE 62
 /** max 63 to fit the 64 bit per protocol space */
 #define FRAME_STREAM_TYPE 63