aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Create separate detect API call (FileMatch) for file detection keywords. #531.

Browse Source
pull/44/head
Victor Julien 13 years ago
parent 12743ca5d7
commit 3849588c61
7 changed files with 100 additions and 74 deletions
Show Stats Download Patch File Download Diff File

6
src/detect-engine-file.c
Unescape Escape View File

@ -130,9 +130,9 @@ static int DetectFileInspect(ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
for (sm = s->sm_lists[DETECT_SM_LIST_FILEMATCH]; sm != NULL; sm = sm->next) {
SCLogDebug("sm %p, sm->next %p", sm, sm->next);
if (sigmatch_table[sm->type].AppLayerMatch != NULL) {
if (sigmatch_table[sm->type].FileMatch != NULL) {
match = sigmatch_table[sm->type].
AppLayerMatch(tv, det_ctx, f, flags, (void *)file, s, sm);
FileMatch(tv, det_ctx, f, flags, file, s, sm);
if (match == 0) {
r = 2;
break;
@ -167,7 +167,7 @@ static int DetectFileInspect(ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
DetectFilestoreData *fd = sm->ctx;
if (fd->scope > FILESTORE_SCOPE_DEFAULT) {
match = sigmatch_table[sm->type].
AppLayerMatch(tv, det_ctx, f, flags, NULL, s, sm);
FileMatch(tv, det_ctx, f, flags, /* no file */NULL, s, sm);
if (match == 1) {
r = 1;
}

31
src/detect-fileext.c
Unescape Escape View File

@ -1,4 +1,4 @@
/* Copyright (C) 2007-2011 Open Information Security Foundation
/* Copyright (C) 2007-2012 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
@ -51,18 +51,18 @@
#include "stream-tcp.h"
#include "detect-fileext.h"
int DetectFileextMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t, void *, Signature *, SigMatch *);
static int DetectFileextMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *,
uint8_t, File *, Signature *, SigMatch *);
static int DetectFileextSetup (DetectEngineCtx *, Signature *, char *);
void DetectFileextRegisterTests(void);
void DetectFileextFree(void *);
static void DetectFileextRegisterTests(void);
static void DetectFileextFree(void *);
/**
* \brief Registration function for keyword: fileext
*/
void DetectFileextRegister(void) {
sigmatch_table[DETECT_FILEEXT].name = "fileext";
sigmatch_table[DETECT_FILEEXT].Match = NULL;
sigmatch_table[DETECT_FILEEXT].AppLayerMatch = DetectFileextMatch;
sigmatch_table[DETECT_FILEEXT].FileMatch = DetectFileextMatch;
sigmatch_table[DETECT_FILEEXT].alproto = ALPROTO_HTTP;
sigmatch_table[DETECT_FILEEXT].Setup = DetectFileextSetup;
sigmatch_table[DETECT_FILEEXT].Free = DetectFileextFree;
@ -75,21 +75,24 @@ void DetectFileextRegister(void) {
/**
* \brief match the specified file extension
*
* \param t pointer to thread vars
* \param det_ctx pointer to the pattern matcher thread
* \param p pointer to the current packet
* \param m pointer to the sigmatch that we will cast into DetectFileextData
* \param t thread local vars
* \param det_ctx pattern matcher thread local data
* \param f *LOCKED* flow
* \param flags direction flags
* \param file file being inspected
* \param s signature being inspected
* \param m sigmatch that we will cast into DetectFileextData
*
* \retval 0 no match
* \retval 1 match
*/
int DetectFileextMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m)
static int DetectFileextMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Flow *f, uint8_t flags, File *file, Signature *s, SigMatch *m)
{
SCEnter();
int ret = 0;
DetectFileextData *fileext = (DetectFileextData *)m->ctx;
File *file = (File *)state;
if (file->name == NULL)
SCReturnInt(0);
@ -130,7 +133,7 @@ int DetectFileextMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
* \retval pointer to DetectFileextData on success
* \retval NULL on failure
*/
DetectFileextData *DetectFileextParse (char *str)
static DetectFileextData *DetectFileextParse (char *str)
{
DetectFileextData *fileext = NULL;
@ -224,7 +227,7 @@ error:
*
* \param fileext pointer to DetectFileextData
*/
void DetectFileextFree(void *ptr) {
static void DetectFileextFree(void *ptr) {
if (ptr != NULL) {
DetectFileextData *fileext = (DetectFileextData *)ptr;
if (fileext->ext != NULL)

32
src/detect-filemagic.c
Unescape Escape View File

@ -1,4 +1,4 @@
/* Copyright (C) 2007-2011 Open Information Security Foundation
/* Copyright (C) 2007-2012 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
@ -52,18 +52,18 @@
#include "detect-filemagic.h"
int DetectFilemagicMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t, void *, Signature *, SigMatch *);
static int DetectFilemagicMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *,
uint8_t, File *, Signature *, SigMatch *);
static int DetectFilemagicSetup (DetectEngineCtx *, Signature *, char *);
void DetectFilemagicRegisterTests(void);
void DetectFilemagicFree(void *);
static void DetectFilemagicRegisterTests(void);
static void DetectFilemagicFree(void *);
/**
* \brief Registration function for keyword: filemagic
*/
void DetectFilemagicRegister(void) {
sigmatch_table[DETECT_FILEMAGIC].name = "filemagic";
sigmatch_table[DETECT_FILEMAGIC].Match = NULL;
sigmatch_table[DETECT_FILEMAGIC].AppLayerMatch = DetectFilemagicMatch;
sigmatch_table[DETECT_FILEMAGIC].FileMatch = DetectFilemagicMatch;
sigmatch_table[DETECT_FILEMAGIC].alproto = ALPROTO_HTTP;
sigmatch_table[DETECT_FILEMAGIC].Setup = DetectFilemagicSetup;
sigmatch_table[DETECT_FILEMAGIC].Free = DetectFilemagicFree;
@ -127,22 +127,24 @@ int FilemagicLookup(File *file) {
/**
* \brief match the specified filemagic
*
* \param t pointer to thread vars
* \param det_ctx pointer to the pattern matcher thread
* \param p pointer to the current packet
* \param m pointer to the sigmatch that we will cast into DetectFilemagicData
* \param t thread local vars
* \param det_ctx pattern matcher thread local data
* \param f *LOCKED* flow
* \param flags direction flags
* \param file file being inspected
* \param s signature being inspected
* \param m sigmatch that we will cast into DetectFilemagicData
*
* \retval 0 no match
* \retval 1 match
*/
int DetectFilemagicMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m)
static int DetectFilemagicMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Flow *f, uint8_t flags, File *file, Signature *s, SigMatch *m)
{
SCEnter();
int ret = 0;
DetectFilemagicData *filemagic = (DetectFilemagicData *)m->ctx;
File *file = (File *)state;
if (file->txid < det_ctx->tx_id)
SCReturnInt(0);
@ -191,7 +193,7 @@ int DetectFilemagicMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f
* \retval filemagic pointer to DetectFilemagicData on success
* \retval NULL on failure
*/
DetectFilemagicData *DetectFilemagicParse (char *str)
static DetectFilemagicData *DetectFilemagicParse (char *str)
{
DetectFilemagicData *filemagic = NULL;
@ -291,7 +293,7 @@ error:
*
* \param filemagic pointer to DetectFilemagicData
*/
void DetectFilemagicFree(void *ptr) {
static void DetectFilemagicFree(void *ptr) {
if (ptr != NULL) {
DetectFilemagicData *filemagic = (DetectFilemagicData *)ptr;
if (filemagic->bm_ctx != NULL) {

33
src/detect-filemd5.c
Unescape Escape View File

@ -66,8 +66,7 @@ static int DetectFileMd5SetupNoSupport (DetectEngineCtx *a, Signature *b, char *
*/
void DetectFileMd5Register(void) {
sigmatch_table[DETECT_FILEMD5].name = "filemd5";
sigmatch_table[DETECT_FILEMD5].Match = NULL;
sigmatch_table[DETECT_FILEMD5].AppLayerMatch = NULL;
sigmatch_table[DETECT_FILEMD5].FileMatch = NULL;
sigmatch_table[DETECT_FILEMD5].alproto = ALPROTO_HTTP;
sigmatch_table[DETECT_FILEMD5].Setup = DetectFileMd5SetupNoSupport;
sigmatch_table[DETECT_FILEMD5].Free = NULL;
@ -79,18 +78,18 @@ void DetectFileMd5Register(void) {
#else /* HAVE_NSS */
int DetectFileMd5Match (ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t, void *, Signature *, SigMatch *);
static int DetectFileMd5Match (ThreadVars *, DetectEngineThreadCtx *,
Flow *, uint8_t, File *, Signature *, SigMatch *);
static int DetectFileMd5Setup (DetectEngineCtx *, Signature *, char *);
void DetectFileMd5RegisterTests(void);
void DetectFileMd5Free(void *);
static void DetectFileMd5RegisterTests(void);
static void DetectFileMd5Free(void *);
/**
* \brief Registration function for keyword: filemd5
*/
void DetectFileMd5Register(void) {
sigmatch_table[DETECT_FILEMD5].name = "filemd5";
sigmatch_table[DETECT_FILEMD5].Match = NULL;
sigmatch_table[DETECT_FILEMD5].AppLayerMatch = DetectFileMd5Match;
sigmatch_table[DETECT_FILEMD5].FileMatch = DetectFileMd5Match;
sigmatch_table[DETECT_FILEMD5].alproto = ALPROTO_HTTP;
sigmatch_table[DETECT_FILEMD5].Setup = DetectFileMd5Setup;
sigmatch_table[DETECT_FILEMD5].Free = DetectFileMd5Free;
@ -158,22 +157,24 @@ static int MD5MatchLookupString(ROHashTable *hash, char *string) {
/**
* \brief match the specified filemd5
*
* \param t pointer to thread vars
* \param det_ctx pointer to the pattern matcher thread
* \param p pointer to the current packet
* \param m pointer to the sigmatch that we will cast into DetectFileMd5Data
* \param t thread local vars
* \param det_ctx pattern matcher thread local data
* \param f *LOCKED* flow
* \param flags direction flags
* \param file file being inspected
* \param s signature being inspected
* \param m sigmatch that we will cast into DetectFileMd5Data
*
* \retval 0 no match
* \retval 1 match
*/
int DetectFileMd5Match (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m)
static int DetectFileMd5Match (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Flow *f, uint8_t flags, File *file, Signature *s, SigMatch *m)
{
SCEnter();
int ret = 0;
DetectFileMd5Data *filemd5 = (DetectFileMd5Data *)m->ctx;
File *file = (File *)state;
if (file->txid < det_ctx->tx_id) {
SCReturnInt(0);
}
@ -211,7 +212,7 @@ int DetectFileMd5Match (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
* \retval filemd5 pointer to DetectFileMd5Data on success
* \retval NULL on failure
*/
DetectFileMd5Data *DetectFileMd5Parse (char *str)
static DetectFileMd5Data *DetectFileMd5Parse (char *str)
{
DetectFileMd5Data *filemd5 = NULL;
@ -341,7 +342,7 @@ error:
*
* \param filemd5 pointer to DetectFileMd5Data
*/
void DetectFileMd5Free(void *ptr) {
static void DetectFileMd5Free(void *ptr) {
if (ptr != NULL) {
DetectFileMd5Data *filemd5 = (DetectFileMd5Data *)ptr;
if (filemd5->hash != NULL)

31
src/detect-filename.c
Unescape Escape View File

@ -1,4 +1,4 @@
/* Copyright (C) 2007-2011 Open Information Security Foundation
/* Copyright (C) 2007-2012 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
@ -50,18 +50,18 @@
#include "detect-filename.h"
int DetectFilenameMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t, void *, Signature *, SigMatch *);
static int DetectFilenameMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *,
uint8_t, File *, Signature *, SigMatch *);
static int DetectFilenameSetup (DetectEngineCtx *, Signature *, char *);
void DetectFilenameRegisterTests(void);
void DetectFilenameFree(void *);
static void DetectFilenameRegisterTests(void);
static void DetectFilenameFree(void *);
/**
* \brief Registration function for keyword: filename
*/
void DetectFilenameRegister(void) {
sigmatch_table[DETECT_FILENAME].name = "filename";
sigmatch_table[DETECT_FILENAME].Match = NULL;
sigmatch_table[DETECT_FILENAME].AppLayerMatch = DetectFilenameMatch;
sigmatch_table[DETECT_FILENAME].FileMatch = DetectFilenameMatch;
sigmatch_table[DETECT_FILENAME].alproto = ALPROTO_HTTP;
sigmatch_table[DETECT_FILENAME].Setup = DetectFilenameSetup;
sigmatch_table[DETECT_FILENAME].Free = DetectFilenameFree;
@ -74,21 +74,24 @@ void DetectFilenameRegister(void) {
/**
* \brief match the specified filename
*
* \param t pointer to thread vars
* \param det_ctx pointer to the pattern matcher thread
* \param p pointer to the current packet
* \param m pointer to the sigmatch that we will cast into DetectFilenameData
* \param t thread local vars
* \param det_ctx pattern matcher thread local data
* \param f *LOCKED* flow
* \param flags direction flags
* \param file file being inspected
* \param s signature being inspected
* \param m sigmatch that we will cast into DetectFilenameData
*
* \retval 0 no match
* \retval 1 match
*/
int DetectFilenameMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m)
static int DetectFilenameMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Flow *f, uint8_t flags, File *file, Signature *s, SigMatch *m)
{
SCEnter();
int ret = 0;
DetectFilenameData *filename = m->ctx;
File *file = (File *)state;
if (file->name == NULL)
SCReturnInt(0);
@ -133,7 +136,7 @@ int DetectFilenameMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
* \retval filename pointer to DetectFilenameData on success
* \retval NULL on failure
*/
DetectFilenameData *DetectFilenameParse (char *str)
static DetectFilenameData *DetectFilenameParse (char *str)
{
DetectFilenameData *filename = NULL;
@ -232,7 +235,7 @@ error:
*
* \param filename pointer to DetectFilenameData
*/
void DetectFilenameFree(void *ptr) {
static void DetectFilenameFree(void *ptr) {
if (ptr != NULL) {
DetectFilenameData *filename = (DetectFilenameData *)ptr;
if (filename->bm_ctx != NULL) {

29
src/detect-filestore.c
Unescape Escape View File

@ -1,4 +1,4 @@
/* Copyright (C) 2007-2011 Open Information Security Foundation
/* Copyright (C) 2007-2012 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
@ -20,6 +20,7 @@
*
* \author Victor Julien <victor@inliniac.net>
*
* Implements the filestore keyword
*/
#include "suricata-common.h"
@ -57,7 +58,8 @@
static pcre *parse_regex;
static pcre_extra *parse_regex_study;
int DetectFilestoreMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t, void *, Signature *, SigMatch *);
static int DetectFilestoreMatch (ThreadVars *, DetectEngineThreadCtx *,
Flow *, uint8_t, File *, Signature *, SigMatch *);
static int DetectFilestoreSetup (DetectEngineCtx *, Signature *, char *);
static void DetectFilestoreFree(void *);
@ -66,8 +68,7 @@ static void DetectFilestoreFree(void *);
*/
void DetectFilestoreRegister(void) {
sigmatch_table[DETECT_FILESTORE].name = "filestore";
sigmatch_table[DETECT_FILESTORE].Match = NULL;
sigmatch_table[DETECT_FILESTORE].AppLayerMatch = DetectFilestoreMatch;
sigmatch_table[DETECT_FILESTORE].FileMatch = DetectFilestoreMatch;
sigmatch_table[DETECT_FILESTORE].alproto = ALPROTO_HTTP;
sigmatch_table[DETECT_FILESTORE].Setup = DetectFilestoreSetup;
sigmatch_table[DETECT_FILESTORE].Free = DetectFilestoreFree;
@ -187,6 +188,10 @@ static int FilestorePostMatchWithOptions(Packet *p, Flow *f, DetectFilestoreData
/**
* \brief post-match function for filestore
*
* \param t thread local vars
* \param det_ctx pattern matcher thread local data
* \param p packet
*
* The match function for filestore records store candidates in the det_ctx.
* When we are sure all parts of the signature matched, we run this function
* to finalize the filestore.
@ -240,10 +245,13 @@ int DetectFilestorePostMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Pack
/**
* \brief match the specified filestore
*
* \param t pointer to thread vars
* \param det_ctx pointer to the pattern matcher thread
* \param p pointer to the current packet
* \param m pointer to the sigmatch that we will cast into DetectFilestoreData
* \param t thread local vars
* \param det_ctx pattern matcher thread local data
* \param f *LOCKED* flow
* \param flags direction flags
* \param file file being inspected
* \param s signature being inspected
* \param m sigmatch that we will cast into DetectFilestoreData
*
* \retval 0 no match
* \retval 1 match
@ -251,8 +259,8 @@ int DetectFilestorePostMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Pack
* \todo when we start supporting more protocols, the logic in this function
* needs to be put behind a api.
*/
int DetectFilestoreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
uint8_t flags, void *state, Signature *s, SigMatch *m)
static int DetectFilestoreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
uint8_t flags, File *file, Signature *s, SigMatch *m)
{
uint16_t file_id = 0;
@ -264,7 +272,6 @@ int DetectFilestoreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f
/* file can be NULL when a rule with filestore scope > file
* matches. */
File *file = (File *)state;
if (file != NULL) {
file_id = file->file_id;
}

12
src/detect.h
Unescape Escape View File

@ -38,6 +38,7 @@
#include "util-debug.h"
#include "util-error.h"
#include "util-radix-tree.h"
#include "util-file.h"
#include "detect-mark.h"
@ -795,13 +796,22 @@ typedef struct DetectionEngineThreadCtx_ {
#endif
} DetectEngineThreadCtx;
/** \brief element in sigmatch type table. */
/** \brief element in sigmatch type table.
* \note FileMatch pointer below takes a locked flow, AppLayerMatch an unlocked flow
*/
typedef struct SigTableElmt_ {
/** Packet match function pointer */
int (*Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
/** AppLayer match function pointer */
int (*AppLayerMatch)(ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, Signature *, SigMatch *);
/** File match function pointer */
int (*FileMatch)(ThreadVars *, /**< thread local vars */
DetectEngineThreadCtx *,
Flow *, /**< *LOCKED* flow */
uint8_t flags, File *, Signature *, SigMatch *);
/** app layer proto from app-layer-protos.h this match applies to */
uint16_t alproto;

Write Preview
Loading…
Cancel
Save