aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

file store: respect flowbits and other keywords

Browse Source 
The filestore keyword until now flagged a file, tx or ssn for storage as soon
as the keyword was inspected. This happens before flowbits and some other
keywords, so files were stored that weren't supposed to.

This patch makes the filestore keyword fill an array in the detect engine
thread ctx. Then if the full signature matches, a post-match filestore
function makes the store final.
remotes/origin/master-1.2.x
Victor Julien 14 years ago
parent 7173256754
commit 18d79c4215
6 changed files with 195 additions and 97 deletions
Show Stats Download Patch File Download Diff File

132
src/detect-filestore.c
Unescape Escape View File

@ -97,25 +97,15 @@ error:
}
/**
* \brief match the specified filestore
*
* \param t pointer to thread vars
* \param det_ctx pointer to the pattern matcher thread
* \param p pointer to the current packet
* \param m pointer to the sigmatch that we will cast into DetectFilestoreData
*
* \retval 0 no match
* \retval 1 match
*
* \todo when we start supporting more protocols, the logic in this function
* needs to be put behind a api.
* \brief apply the post match filestore with options
*/
int DetectFilestoreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
uint8_t flags, void *state, Signature *s, SigMatch *m)
static int FilestorePostMatchWithOptions(Packet *p, Flow *f, DetectFilestoreData *filestore, FileContainer *fc,
uint16_t file_id, uint16_t tx_id)
{
SCEnter();
DetectFilestoreData *filestore = m->ctx;
if (filestore != NULL) {
if (filestore == NULL) {
SCReturnInt(0);
}
int this_file = 0;
int this_tx = 0;
int this_flow = 0;
@ -143,9 +133,9 @@ int DetectFilestoreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f
case FILESTORE_SCOPE_DEFAULT:
if (rule_dir) {
this_file = 1;
} else if (flags & STREAM_TOCLIENT && toclient_dir) {
} else if (p->flowflags & FLOW_PKT_TOCLIENT && toclient_dir) {
this_file = 1;
} else if (flags & STREAM_TOSERVER && toserver_dir) {
} else if (p->flowflags & FLOW_PKT_TOSERVER && toserver_dir) {
this_file = 1;
}
break;
@ -158,23 +148,21 @@ int DetectFilestoreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f
}
if (this_file) {
File *file = (File *)state;
FileStore(file);
FileStoreFileById(fc, file_id);
} else if (this_tx) {
/* flag tx all files will be stored */
if (f->alproto == ALPROTO_HTTP && f->alstate != NULL) {
HtpState *htp_state = f->alstate;
if (toserver_dir) {
htp_state->flags |= HTP_FLAG_STORE_FILES_TX_TS;
FileStoreAllFilesForTx(htp_state->files_ts, det_ctx->tx_id);
FileStoreAllFilesForTx(htp_state->files_ts, tx_id);
}
if (toclient_dir) {
htp_state->flags |= HTP_FLAG_STORE_FILES_TX_TC;
FileStoreAllFilesForTx(htp_state->files_tc, det_ctx->tx_id);
FileStoreAllFilesForTx(htp_state->files_tc, tx_id);
}
htp_state->store_tx_id = det_ctx->tx_id;
htp_state->store_tx_id = tx_id;
}
} else if (this_flow) {
/* flag flow all files will be stored */
if (f->alproto == ALPROTO_HTTP && f->alstate != NULL) {
@ -189,13 +177,99 @@ int DetectFilestoreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f
}
}
} else {
File *file = (File *)state;
FileStore(file);
FileStoreFileById(fc, file_id);
}
SCReturnInt(0);
}
/**
* \brief post-match function for filestore
*
* The match function for filestore records store candidates in the det_ctx.
* When we are sure all parts of the signature matched, we run this function
* to finalize the filestore.
*/
int DetectFilestorePostMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p) {
uint8_t flags = 0;
SCEnter();
if (det_ctx->filestore_cnt == 0) {
SCReturnInt(0);
}
if (det_ctx->filestore_sm == NULL || p->flow == NULL) {
#ifndef DEBUG
SCReturnInt(0);
#else
BUG_ON(1);
#endif
}
if (p->flowflags & FLOW_PKT_TOCLIENT)
flags |= STREAM_TOCLIENT;
else
flags |= STREAM_TOSERVER;
SCMutexLock(&p->flow->m);
FileContainer *ffc = AppLayerGetFilesFromFlow(p->flow, flags);
/* filestore for single files only */
if (det_ctx->filestore_sm->ctx == NULL) {
uint16_t u;
for (u = 0; u < det_ctx->filestore_cnt; u++) {
FileStoreFileById(ffc, det_ctx->filestore[u].file_id);
}
} else {
File *file = (File *)state;
FileStore(file);
DetectFilestoreData *filestore = det_ctx->filestore_sm->ctx;
uint16_t u;
for (u = 0; u < det_ctx->filestore_cnt; u++) {
FilestorePostMatchWithOptions(p, p->flow, filestore, ffc,
det_ctx->filestore[u].file_id, det_ctx->filestore[u].tx_id);
}
}
SCMutexUnlock(&p->flow->m);
SCReturnInt(0);
}
/**
* \brief match the specified filestore
*
* \param t pointer to thread vars
* \param det_ctx pointer to the pattern matcher thread
* \param p pointer to the current packet
* \param m pointer to the sigmatch that we will cast into DetectFilestoreData
*
* \retval 0 no match
* \retval 1 match
*
* \todo when we start supporting more protocols, the logic in this function
* needs to be put behind a api.
*/
int DetectFilestoreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
uint8_t flags, void *state, Signature *s, SigMatch *m)
{
SCEnter();
if (det_ctx->filestore_cnt > DETECT_FILESTORE_MAX) {
SCReturnInt(1);
}
File *file = (File *)state;
det_ctx->filestore[det_ctx->filestore_cnt].file_id = file->file_id;
det_ctx->filestore[det_ctx->filestore_cnt].tx_id = det_ctx->tx_id;
SCLogDebug("%u, file %u, tx %u", det_ctx->filestore_cnt,
det_ctx->filestore[det_ctx->filestore_cnt].file_id,
det_ctx->filestore[det_ctx->filestore_cnt].tx_id);
det_ctx->filestore_cnt++;
det_ctx->filestore_sm = m;
SCReturnInt(1);
}

1
src/detect-filestore.h
Unescape Escape View File

@ -41,4 +41,5 @@ typedef struct DetectFilestoreData_ {
/* prototypes */
void DetectFilestoreRegister (void);
int DetectFilestorePostMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p);
#endif /* __DETECT_FILESTORE_H__ */

4
src/detect.c
Unescape Escape View File

@ -1218,6 +1218,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
p->alerts.cnt = 0;
det_ctx->pkts++;
det_ctx->filestore_cnt = 0;
/* No need to perform any detection on this packet, if the the given flag is set.*/
if (p->flags & PKT_NOPACKET_INSPECTION) {
@ -1583,6 +1584,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
DetectReplaceExecute(p, det_ctx->replist);
det_ctx->replist = NULL;
DetectFilestorePostMatch(th_v, det_ctx,p);
if (!(s->flags & SIG_FLAG_NOALERT)) {
PacketAlertAppend(det_ctx, s, p, alert_flags, NULL);
}
@ -1604,6 +1606,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
DetectReplaceExecute(p, det_ctx->replist);
det_ctx->replist = NULL;
DetectFilestorePostMatch(th_v, det_ctx,p);
if (!(s->flags & SIG_FLAG_NOALERT)) {
/* only add once */
if (rmatch == 0) {
@ -1644,6 +1647,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
fmatch = 1;
DetectReplaceExecute(p, det_ctx->replist);
det_ctx->replist = NULL;
DetectFilestorePostMatch(th_v, det_ctx,p);
if (!(s->flags & SIG_FLAG_NOALERT)) {
PacketAlertAppend(det_ctx, s, p, alert_flags, alert_msg);

34
src/detect.h
Unescape Escape View File

@ -662,6 +662,8 @@ enum {
ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO
};
#define DETECT_FILESTORE_MAX 15
/**
* Detection engine thread data.
*/
@ -677,33 +679,20 @@ typedef struct DetectionEngineThreadCtx_ {
/* used by pcre match function alone */
uint32_t pcre_match_start_offset;
/* http_uri stuff for uricontent */
//char de_have_httpuri;
//char de_mpm_scanned_uri;
/* detectione engine context for hcbd mpm */
//char de_have_hcbd;
//char de_mpm_scanned_hcbd;
/* detectione engine context for hhd mpm */
//char de_have_hhd;
//char de_mpm_scanned_hhd;
/* detectione engine context for hrhd mpm */
//char de_have_hrhd;
//char de_mpm_scanned_hrhd;
uint8_t **hcbd_buffers;
uint32_t *hcbd_buffers_len;
uint16_t hcbd_buffers_list_len;
/* counter for the filestore array below -- up here for cache reasons. */
uint16_t filestore_cnt;
uint16_t hhd_buffers_list_len;
uint16_t hsbd_buffers_list_len;
uint8_t **hsbd_buffers;
uint32_t *hsbd_buffers_len;
uint16_t hsbd_buffers_list_len;
uint8_t **hhd_buffers;
uint32_t *hhd_buffers_len;
uint16_t hhd_buffers_list_len;
/** id for alert counter */
uint16_t counter_alerts;
@ -773,6 +762,15 @@ typedef struct DetectionEngineThreadCtx_ {
/* string to replace */
DetectReplaceList *replist;
/* Array in which the filestore keyword stores file id and tx id. If the
* full signature matches, these are processed by a post-match filestore
* function to finalize the store. */
struct {
uint16_t file_id;
uint16_t tx_id;
} filestore[DETECT_FILESTORE_MAX];
SigMatch *filestore_sm;
DetectEngineCtx *de_ctx;
#ifdef __SC_CUDA_SUPPORT__
/* each detection thread would have it's own queue where the cuda dispatcher

20
src/util-file.c
Unescape Escape View File

@ -636,6 +636,26 @@ void FileDisableStoringForTransaction(Flow *f, uint8_t direction, uint16_t tx_id
SCReturn;
}
/**
* \brief flag a file with id "file_id" to be stored.
*
* \param fc file store
* \param file_id the file's id
*/
void FileStoreFileById(FileContainer *fc, uint16_t file_id) {
File *ptr = NULL;
SCEnter();
if (fc != NULL) {
for (ptr = fc->head; ptr != NULL; ptr = ptr->next) {
if (ptr->file_id == file_id) {
ptr->store = 1;
}
}
}
}
void FileStoreAllFilesForTx(FileContainer *fc, uint16_t tx_id) {
File *ptr = NULL;

1
src/util-file.h
Unescape Escape View File

@ -163,5 +163,6 @@ int FileForceMagic(void);
void FileStoreAllFiles(FileContainer *);
void FileStoreAllFilesForTx(FileContainer *, uint16_t);
void FileStoreFileById(FileContainer *fc, uint16_t);
#endif /* __UTIL_FILE_H__ */

Write Preview
Loading…
Cancel
Save