From 3e52abb7f2d966e700407aa003398bcc6029c0b1 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Mon, 20 Nov 2023 14:54:45 +0100
Subject: [PATCH 1/3] stats: always use tcp/udp prefix Even when on detection-only mode. So that we always have enip_tcp and enip_udp in stats and never just `enip`.
Ticket: 6304
---
 src/app-layer.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/app-layer.c b/src/app-layer.c
index 3625e87e9ed6..102319042bcc 100644
--- a/src/app-layer.c
+++ b/src/app-layer.c
@@ -1061,16 +1061,18 @@ void AppLayerSetupCounters(void)
 for (uint8_t p = 0; p < IPPROTOS_MAX; p++) {
 const uint8_t ipproto = ipprotos[p];
 const uint8_t ipproto_map = FlowGetProtoMapping(ipproto);
- const uint8_t other_ipproto = ipproto == IPPROTO_TCP ? IPPROTO_UDP : IPPROTO_TCP;
 const char *ipproto_suffix = (ipproto == IPPROTO_TCP) ? "_tcp" : "_udp";
+ uint8_t ipprotos_all[256 / 8];
 for (AppProto alproto = 0; alproto < ALPROTO_MAX; alproto++) {
 if (alprotos[alproto] == 1) {
 const char *tx_str = "app_layer.tx.";
 const char *alproto_str = AppLayerGetProtoName(alproto);
- if (AppLayerParserProtoIsRegistered(ipproto, alproto) &&
- AppLayerParserProtoIsRegistered(other_ipproto, alproto)) {
+ memset(ipprotos_all, 0, sizeof(ipprotos_all));
+ AppLayerProtoDetectSupportedIpprotos(alproto, ipprotos_all);
+ if ((ipprotos_all[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8))) &&
+ (ipprotos_all[IPPROTO_UDP / 8] & (1 << (IPPROTO_UDP % 8)))) {
 snprintf(applayer_counter_names[ipproto_map][alproto].name, sizeof(applayer_counter_names[ipproto_map][alproto].name), "%s%s%s", str, alproto_str, ipproto_suffix);
From 2016bc79aa44ef5644cdd4e99457f7afb5ebdb0a Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Mon, 11 Sep 2023 09:51:24 +0200
Subject: [PATCH 2/3] schema: adds missing modbus field ./stats/app_layer/error/modbus
---
 etc/schema.json | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/etc/schema.json b/etc/schema.json
index c194017ddf6f..e9daf9ef373c 100644
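Review bot: In the AppLayerSetupCounters hunk of PATCH 1/3, the new suffix condition open-codes the bitmap test twice against a bare `256 / 8` buffer, and nothing says why detection registration now replaces the parser-registration check. A comment above the `memset` would make the condition auditable, for example `/* one bit per IP protocol number; ask proto-detect rather than the parser so detection-only protocols also get the _tcp/_udp suffix */`. In the visible lines the buffer is only used inside the `alprotos[alproto] == 1` branch, so it could be declared there as `uint8_t ipprotos_all[256 / 8] = { 0 };` and the separate `memset` dropped. Since the emitted counter names change for the affected protocols, stats consumers and the schema presumably need the suffixed keys as well. The function starts and ends outside the hunk.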
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -3776,6 +3776,9 @@
 "krb5_udp": {
 "$ref": "#/$defs/stats_applayer_error"
 },
+ "modbus": {
+ "$ref": "#/$defs/stats_applayer_error"
+ },
 "mqtt": {
 "$ref": "#/$defs/stats_applayer_error"
 },
From 6f348a8ca82a9ec0ca7f59f0b31448f0c3b089c9 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Thu, 14 Dec 2023 11:31:37 +0100
Subject: [PATCH 3/3] stats: incr app-proto flow counter for detection-only
Ticket: 6633
---
 src/app-layer.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/src/app-layer.c b/src/app-layer.c
index 102319042bcc..4536a1730655 100644
--- a/src/app-layer.c
+++ b/src/app-layer.c
@@ -510,6 +510,20 @@ static int TCPProtoDetect(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
 if (r != 1) {
 StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
 }
+ if (r == 0) {
+ if (*alproto_otherdir == ALPROTO_UNKNOWN) {
+ TcpStream *opposing_stream;
+ if (stream == &ssn->client) {
+ opposing_stream = &ssn->server;
+ } else {
+ opposing_stream = &ssn->client;
+ }
+ if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(opposing_stream)) {
+ // can happen in detection-only
+ AppLayerIncFlowCounter(tv, f);
+ }
+ }
+ }
 if (r < 0) {
 goto parser_error;
 }
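Review bot: In the TCPProtoDetect hunk of PATCH 3/3, `if (stream == &ssn->client)` looks like it compares at the wrong level of indirection. The parameter list is cut off in the hunk header, but if `stream` is a `TcpStream **` here (confirm against the signature), the comparison can never be true and `opposing_stream` always ends up as `&ssn->client`, so the counter would be gated on the wrong direction's detection state; the line should then read `if (*stream == &ssn->client) {`. The `// can happen in detection-only` comment would also be more useful if it said why the flow counter has not already been incremented on this path, and what keeps a later call with `r == 0` from counting the same flow again. The function body continues outside the hunk.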