detect/file: Filehandler registration logic

Add file handler registration functions for consolidated file handling. Issue: 4145
2 years ago · 2fd0025ede
parent f2e2576ff4
commit 2fd0025ede
3 changed files with 83 additions and 1 deletions
--- a/src/detect-engine-register.c
+++ b/src/detect-engine-register.c
@ -447,6 +447,14 @@ int SigTableList(const char *keyword)
    return TM_ECODE_DONE;
 }

+static void DetectFileHandlerRegister(void)
+{
+    for (int i = 0; i < DETECT_TBLSIZE; i++) {
+        if (filehandler_table[i].name)
+            DetectFileRegisterFileProtocols(&filehandler_table[i]);
+    }
+}
+
 void SigTableSetup(void)
 {
    memset(sigmatch_table, 0, sizeof(sigmatch_table));
@ -689,6 +697,8 @@ void SigTableSetup(void)
    DetectTransformUrlDecodeRegister();
    DetectTransformXorRegister();

+    DetectFileHandlerRegister();
+
    /* close keyword registration */
    DetectBufferTypeCloseRegistration();
 }
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@ -73,6 +73,58 @@
 #include "action-globals.h"
 #include "util-validate.h"

+/* Table with all filehandler registrations */
+DetectFileHandlerTableElmt filehandler_table[DETECT_TBLSIZE];
+
+void DetectFileRegisterFileProtocols(DetectFileHandlerTableElmt *reg)
+{
+    // file protocols with common file handling
+    typedef struct {
+        AppProto al_proto;
+        int direction;
+        int to_client_progress;
+        int to_server_progress;
+    } DetectFileHandlerProtocol_t;
+    static DetectFileHandlerProtocol_t al_protocols[] = {
+        { .al_proto = ALPROTO_NFS, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT },
+        { .al_proto = ALPROTO_SMB, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT },
+        { .al_proto = ALPROTO_FTP, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT },
+        { .al_proto = ALPROTO_FTPDATA, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT },
+        { .al_proto = ALPROTO_HTTP1,
+                .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT,
+                .to_client_progress = HTP_RESPONSE_BODY,
+                .to_server_progress = HTP_REQUEST_BODY },
+        { .al_proto = ALPROTO_HTTP2,
+                .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT,
+                .to_client_progress = HTTP2StateDataServer,
+                .to_server_progress = HTTP2StateDataClient },
+        { .al_proto = ALPROTO_SMTP, .direction = SIG_FLAG_TOSERVER }
+    };
+
+    for (size_t i = 0; i < ARRAY_SIZE(al_protocols); i++) {
+        int direction = al_protocols[i].direction == 0
+                                ? (int)(SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT)
+                                : al_protocols[i].direction;
+
+        if (direction & SIG_FLAG_TOCLIENT) {
+            DetectAppLayerMpmRegister2(reg->name, SIG_FLAG_TOCLIENT, reg->priority,
+                    reg->PrefilterFn, reg->GetData, al_protocols[i].al_proto,
+                    al_protocols[i].to_client_progress);
+            DetectAppLayerInspectEngineRegister2(reg->name, al_protocols[i].al_proto,
+                    SIG_FLAG_TOCLIENT, al_protocols[i].to_client_progress, reg->Callback,
+                    reg->GetData);
+        }
+        if (direction & SIG_FLAG_TOSERVER) {
+            DetectAppLayerMpmRegister2(reg->name, SIG_FLAG_TOSERVER, reg->priority,
+                    reg->PrefilterFn, reg->GetData, al_protocols[i].al_proto,
+                    al_protocols[i].to_server_progress);
+            DetectAppLayerInspectEngineRegister2(reg->name, al_protocols[i].al_proto,
+                    SIG_FLAG_TOSERVER, al_protocols[i].to_server_progress, reg->Callback,
+                    reg->GetData);
+        }
+    }
+}
+
 /* Table with all SigMatch registrations */
 SigTableElmt sigmatch_table[DETECT_TBLSIZE];

@ -82,6 +134,9 @@ static void SigMatchTransferSigMatchAcrossLists(SigMatch *sm,
        SigMatch **src_sm_list, SigMatch **src_sm_list_tail,
        SigMatch **dst_sm_list, SigMatch **dst_sm_list_tail);

+/**
+ * \brief Registration table for file handlers
+ */
 /**
 * \brief We use this as data to the hash table DetectEngineCtx->dup_sig_hash_table.
 */
--- a/src/detect-parse.h
+++ b/src/detect-parse.h
@ -25,6 +25,24 @@
 #define __DETECT_PARSE_H__

 #include "detect.h"
+#include "detect-engine-mpm.h"
+
+/* File handler registration */
+#define MAX_DETECT_ALPROTO_CNT 10
+typedef struct DetectFileHandlerTableElmt_ {
+    const char *name;
+    int priority;
+    PrefilterRegisterFunc PrefilterFn;
+    InspectEngineFuncPtr2 Callback;
+    InspectionBufferGetDataPtr GetData;
+    int al_protocols[MAX_DETECT_ALPROTO_CNT];
+    int tx_progress;
+    int progress;
+} DetectFileHandlerTableElmt;
+void DetectFileRegisterFileProtocols(DetectFileHandlerTableElmt *entry);
+
+/* File registration table */
+extern DetectFileHandlerTableElmt filehandler_table[DETECT_TBLSIZE];

 /** Flags to indicate if the Signature parsing must be done
 *   switching the source and dest (for ip addresses and ports)
@ -104,4 +122,3 @@ int SC_Pcre2SubstringGet(pcre2_match_data *match_data, uint32_t number, PCRE2_UC
        PCRE2_SIZE *bufflen);

 #endif /* __DETECT_PARSE_H__ */
-