aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Create separate detect API call (FileMatch) for file detection keywords. #531.

Browse Source
pull/44/head
Victor Julien 13 years ago
parent 12743ca5d7
commit 3849588c61
7 changed files with 100 additions and 74 deletions
Show Stats Download Patch File Download Diff File

6
src/detect-engine-file.c
Unescape Escape View File

@ -130,9 +130,9 @@ static int DetectFileInspect(ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
for (sm = s->sm_lists[DETECT_SM_LIST_FILEMATCH]; sm != NULL; sm = sm->next) { for (sm = s->sm_lists[DETECT_SM_LIST_FILEMATCH]; sm != NULL; sm = sm->next) {
SCLogDebug("sm %p, sm->next %p", sm, sm->next); SCLogDebug("sm %p, sm->next %p", sm, sm->next);
if (sigmatch_table[sm->type].AppLayerMatch != NULL) { if (sigmatch_table[sm->type].FileMatch != NULL) {
match = sigmatch_table[sm->type]. match = sigmatch_table[sm->type].
AppLayerMatch(tv, det_ctx, f, flags, (void *)file, s, sm); FileMatch(tv, det_ctx, f, flags, file, s, sm);
if (match == 0) { if (match == 0) {
r = 2; r = 2;
break; break;
@ -167,7 +167,7 @@ static int DetectFileInspect(ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
DetectFilestoreData *fd = sm->ctx; DetectFilestoreData *fd = sm->ctx;
if (fd->scope > FILESTORE_SCOPE_DEFAULT) { if (fd->scope > FILESTORE_SCOPE_DEFAULT) {
match = sigmatch_table[sm->type]. match = sigmatch_table[sm->type].
AppLayerMatch(tv, det_ctx, f, flags, NULL, s, sm); FileMatch(tv, det_ctx, f, flags, /* no file */NULL, s, sm);
if (match == 1) { if (match == 1) {
r = 1; r = 1;
} }

31
src/detect-fileext.c
Unescape Escape View File

@ -1,4 +1,4 @@
/* Copyright (C) 2007-2011 Open Information Security Foundation /* Copyright (C) 2007-2012 Open Information Security Foundation
* *
* You can copy, redistribute or modify this Program under the terms of * You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free * the GNU General Public License version 2 as published by the Free
@ -51,18 +51,18 @@
#include "stream-tcp.h" #include "stream-tcp.h"
#include "detect-fileext.h" #include "detect-fileext.h"
int DetectFileextMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t, void *, Signature *, SigMatch *); static int DetectFileextMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *,
uint8_t, File *, Signature *, SigMatch *);
static int DetectFileextSetup (DetectEngineCtx *, Signature *, char *); static int DetectFileextSetup (DetectEngineCtx *, Signature *, char *);
void DetectFileextRegisterTests(void); static void DetectFileextRegisterTests(void);
void DetectFileextFree(void *); static void DetectFileextFree(void *);
/** /**
* \brief Registration function for keyword: fileext * \brief Registration function for keyword: fileext
*/ */
void DetectFileextRegister(void) { void DetectFileextRegister(void) {
sigmatch_table[DETECT_FILEEXT].name = "fileext"; sigmatch_table[DETECT_FILEEXT].name = "fileext";
sigmatch_table[DETECT_FILEEXT].Match = NULL; sigmatch_table[DETECT_FILEEXT].FileMatch = DetectFileextMatch;
sigmatch_table[DETECT_FILEEXT].AppLayerMatch = DetectFileextMatch;
sigmatch_table[DETECT_FILEEXT].alproto = ALPROTO_HTTP; sigmatch_table[DETECT_FILEEXT].alproto = ALPROTO_HTTP;
sigmatch_table[DETECT_FILEEXT].Setup = DetectFileextSetup; sigmatch_table[DETECT_FILEEXT].Setup = DetectFileextSetup;
sigmatch_table[DETECT_FILEEXT].Free = DetectFileextFree; sigmatch_table[DETECT_FILEEXT].Free = DetectFileextFree;
@ -75,21 +75,24 @@ void DetectFileextRegister(void) {
/** /**
* \brief match the specified file extension * \brief match the specified file extension
* *
* \param t pointer to thread vars * \param t thread local vars
* \param det_ctx pointer to the pattern matcher thread * \param det_ctx pattern matcher thread local data
* \param p pointer to the current packet * \param f *LOCKED* flow
* \param m pointer to the sigmatch that we will cast into DetectFileextData * \param flags direction flags
* \param file file being inspected
* \param s signature being inspected
* \param m sigmatch that we will cast into DetectFileextData
* *
* \retval 0 no match * \retval 0 no match
* \retval 1 match * \retval 1 match
*/ */
int DetectFileextMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m) static int DetectFileextMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Flow *f, uint8_t flags, File *file, Signature *s, SigMatch *m)
{ {
SCEnter(); SCEnter();
int ret = 0; int ret = 0;
DetectFileextData *fileext = (DetectFileextData *)m->ctx; DetectFileextData *fileext = (DetectFileextData *)m->ctx;
File *file = (File *)state;
if (file->name == NULL) if (file->name == NULL)
SCReturnInt(0); SCReturnInt(0);
@ -130,7 +133,7 @@ int DetectFileextMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
* \retval pointer to DetectFileextData on success * \retval pointer to DetectFileextData on success
* \retval NULL on failure * \retval NULL on failure
*/ */
DetectFileextData *DetectFileextParse (char *str) static DetectFileextData *DetectFileextParse (char *str)
{ {
DetectFileextData *fileext = NULL; DetectFileextData *fileext = NULL;
@ -224,7 +227,7 @@ error:
* *
* \param fileext pointer to DetectFileextData * \param fileext pointer to DetectFileextData
*/ */
void DetectFileextFree(void *ptr) { static void DetectFileextFree(void *ptr) {
if (ptr != NULL) { if (ptr != NULL) {
DetectFileextData *fileext = (DetectFileextData *)ptr; DetectFileextData *fileext = (DetectFileextData *)ptr;
if (fileext->ext != NULL) if (fileext->ext != NULL)

32
src/detect-filemagic.c
Unescape Escape View File

@ -1,4 +1,4 @@
/* Copyright (C) 2007-2011 Open Information Security Foundation /* Copyright (C) 2007-2012 Open Information Security Foundation
* *
* You can copy, redistribute or modify this Program under the terms of * You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free * the GNU General Public License version 2 as published by the Free
@ -52,18 +52,18 @@
#include "detect-filemagic.h" #include "detect-filemagic.h"
int DetectFilemagicMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t, void *, Signature *, SigMatch *); static int DetectFilemagicMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *,
uint8_t, File *, Signature *, SigMatch *);
static int DetectFilemagicSetup (DetectEngineCtx *, Signature *, char *); static int DetectFilemagicSetup (DetectEngineCtx *, Signature *, char *);
void DetectFilemagicRegisterTests(void); static void DetectFilemagicRegisterTests(void);
void DetectFilemagicFree(void *); static void DetectFilemagicFree(void *);
/** /**
* \brief Registration function for keyword: filemagic * \brief Registration function for keyword: filemagic
*/ */
void DetectFilemagicRegister(void) { void DetectFilemagicRegister(void) {
sigmatch_table[DETECT_FILEMAGIC].name = "filemagic"; sigmatch_table[DETECT_FILEMAGIC].name = "filemagic";
sigmatch_table[DETECT_FILEMAGIC].Match = NULL; sigmatch_table[DETECT_FILEMAGIC].FileMatch = DetectFilemagicMatch;
sigmatch_table[DETECT_FILEMAGIC].AppLayerMatch = DetectFilemagicMatch;
sigmatch_table[DETECT_FILEMAGIC].alproto = ALPROTO_HTTP; sigmatch_table[DETECT_FILEMAGIC].alproto = ALPROTO_HTTP;
sigmatch_table[DETECT_FILEMAGIC].Setup = DetectFilemagicSetup; sigmatch_table[DETECT_FILEMAGIC].Setup = DetectFilemagicSetup;
sigmatch_table[DETECT_FILEMAGIC].Free = DetectFilemagicFree; sigmatch_table[DETECT_FILEMAGIC].Free = DetectFilemagicFree;
@ -127,22 +127,24 @@ int FilemagicLookup(File *file) {
/** /**
* \brief match the specified filemagic * \brief match the specified filemagic
* *
* \param t pointer to thread vars * \param t thread local vars
* \param det_ctx pointer to the pattern matcher thread * \param det_ctx pattern matcher thread local data
* \param p pointer to the current packet * \param f *LOCKED* flow
* \param m pointer to the sigmatch that we will cast into DetectFilemagicData * \param flags direction flags
* \param file file being inspected
* \param s signature being inspected
* \param m sigmatch that we will cast into DetectFilemagicData
* *
* \retval 0 no match * \retval 0 no match
* \retval 1 match * \retval 1 match
*/ */
int DetectFilemagicMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m) static int DetectFilemagicMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Flow *f, uint8_t flags, File *file, Signature *s, SigMatch *m)
{ {
SCEnter(); SCEnter();
int ret = 0; int ret = 0;
DetectFilemagicData *filemagic = (DetectFilemagicData *)m->ctx; DetectFilemagicData *filemagic = (DetectFilemagicData *)m->ctx;
File *file = (File *)state;
if (file->txid < det_ctx->tx_id) if (file->txid < det_ctx->tx_id)
SCReturnInt(0); SCReturnInt(0);
@ -191,7 +193,7 @@ int DetectFilemagicMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f
* \retval filemagic pointer to DetectFilemagicData on success * \retval filemagic pointer to DetectFilemagicData on success
* \retval NULL on failure * \retval NULL on failure
*/ */
DetectFilemagicData *DetectFilemagicParse (char *str) static DetectFilemagicData *DetectFilemagicParse (char *str)
{ {
DetectFilemagicData *filemagic = NULL; DetectFilemagicData *filemagic = NULL;
@ -291,7 +293,7 @@ error:
* *
* \param filemagic pointer to DetectFilemagicData * \param filemagic pointer to DetectFilemagicData
*/ */
void DetectFilemagicFree(void *ptr) { static void DetectFilemagicFree(void *ptr) {
if (ptr != NULL) { if (ptr != NULL) {
DetectFilemagicData *filemagic = (DetectFilemagicData *)ptr; DetectFilemagicData *filemagic = (DetectFilemagicData *)ptr;
if (filemagic->bm_ctx != NULL) { if (filemagic->bm_ctx != NULL) {

33
src/detect-filemd5.c
Unescape Escape View File

@ -66,8 +66,7 @@ static int DetectFileMd5SetupNoSupport (DetectEngineCtx *a, Signature *b, char *
*/ */
void DetectFileMd5Register(void) { void DetectFileMd5Register(void) {
sigmatch_table[DETECT_FILEMD5].name = "filemd5"; sigmatch_table[DETECT_FILEMD5].name = "filemd5";
sigmatch_table[DETECT_FILEMD5].Match = NULL; sigmatch_table[DETECT_FILEMD5].FileMatch = NULL;
sigmatch_table[DETECT_FILEMD5].AppLayerMatch = NULL;
sigmatch_table[DETECT_FILEMD5].alproto = ALPROTO_HTTP; sigmatch_table[DETECT_FILEMD5].alproto = ALPROTO_HTTP;
sigmatch_table[DETECT_FILEMD5].Setup = DetectFileMd5SetupNoSupport; sigmatch_table[DETECT_FILEMD5].Setup = DetectFileMd5SetupNoSupport;
sigmatch_table[DETECT_FILEMD5].Free = NULL; sigmatch_table[DETECT_FILEMD5].Free = NULL;
@ -79,18 +78,18 @@ void DetectFileMd5Register(void) {
#else /* HAVE_NSS */ #else /* HAVE_NSS */
int DetectFileMd5Match (ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t, void *, Signature *, SigMatch *); static int DetectFileMd5Match (ThreadVars *, DetectEngineThreadCtx *,
Flow *, uint8_t, File *, Signature *, SigMatch *);
static int DetectFileMd5Setup (DetectEngineCtx *, Signature *, char *); static int DetectFileMd5Setup (DetectEngineCtx *, Signature *, char *);
void DetectFileMd5RegisterTests(void); static void DetectFileMd5RegisterTests(void);
void DetectFileMd5Free(void *); static void DetectFileMd5Free(void *);
/** /**
* \brief Registration function for keyword: filemd5 * \brief Registration function for keyword: filemd5
*/ */
void DetectFileMd5Register(void) { void DetectFileMd5Register(void) {
sigmatch_table[DETECT_FILEMD5].name = "filemd5"; sigmatch_table[DETECT_FILEMD5].name = "filemd5";
sigmatch_table[DETECT_FILEMD5].Match = NULL; sigmatch_table[DETECT_FILEMD5].FileMatch = DetectFileMd5Match;
sigmatch_table[DETECT_FILEMD5].AppLayerMatch = DetectFileMd5Match;
sigmatch_table[DETECT_FILEMD5].alproto = ALPROTO_HTTP; sigmatch_table[DETECT_FILEMD5].alproto = ALPROTO_HTTP;
sigmatch_table[DETECT_FILEMD5].Setup = DetectFileMd5Setup; sigmatch_table[DETECT_FILEMD5].Setup = DetectFileMd5Setup;
sigmatch_table[DETECT_FILEMD5].Free = DetectFileMd5Free; sigmatch_table[DETECT_FILEMD5].Free = DetectFileMd5Free;
@ -158,22 +157,24 @@ static int MD5MatchLookupString(ROHashTable *hash, char *string) {
/** /**
* \brief match the specified filemd5 * \brief match the specified filemd5
* *
* \param t pointer to thread vars * \param t thread local vars
* \param det_ctx pointer to the pattern matcher thread * \param det_ctx pattern matcher thread local data
* \param p pointer to the current packet * \param f *LOCKED* flow
* \param m pointer to the sigmatch that we will cast into DetectFileMd5Data * \param flags direction flags
* \param file file being inspected
* \param s signature being inspected
* \param m sigmatch that we will cast into DetectFileMd5Data
* *
* \retval 0 no match * \retval 0 no match
* \retval 1 match * \retval 1 match
*/ */
int DetectFileMd5Match (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m) static int DetectFileMd5Match (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Flow *f, uint8_t flags, File *file, Signature *s, SigMatch *m)
{ {
SCEnter(); SCEnter();
int ret = 0; int ret = 0;
DetectFileMd5Data *filemd5 = (DetectFileMd5Data *)m->ctx; DetectFileMd5Data *filemd5 = (DetectFileMd5Data *)m->ctx;
File *file = (File *)state;
if (file->txid < det_ctx->tx_id) { if (file->txid < det_ctx->tx_id) {
SCReturnInt(0); SCReturnInt(0);
} }
@ -211,7 +212,7 @@ int DetectFileMd5Match (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
* \retval filemd5 pointer to DetectFileMd5Data on success * \retval filemd5 pointer to DetectFileMd5Data on success
* \retval NULL on failure * \retval NULL on failure
*/ */
DetectFileMd5Data *DetectFileMd5Parse (char *str) static DetectFileMd5Data *DetectFileMd5Parse (char *str)
{ {
DetectFileMd5Data *filemd5 = NULL; DetectFileMd5Data *filemd5 = NULL;
@ -341,7 +342,7 @@ error:
* *
* \param filemd5 pointer to DetectFileMd5Data * \param filemd5 pointer to DetectFileMd5Data
*/ */
void DetectFileMd5Free(void *ptr) { static void DetectFileMd5Free(void *ptr) {
if (ptr != NULL) { if (ptr != NULL) {
DetectFileMd5Data *filemd5 = (DetectFileMd5Data *)ptr; DetectFileMd5Data *filemd5 = (DetectFileMd5Data *)ptr;
if (filemd5->hash != NULL) if (filemd5->hash != NULL)

31
src/detect-filename.c
Unescape Escape View File

@ -1,4 +1,4 @@
/* Copyright (C) 2007-2011 Open Information Security Foundation /* Copyright (C) 2007-2012 Open Information Security Foundation
* *
* You can copy, redistribute or modify this Program under the terms of * You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free * the GNU General Public License version 2 as published by the Free
@ -50,18 +50,18 @@
#include "detect-filename.h" #include "detect-filename.h"
int DetectFilenameMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t, void *, Signature *, SigMatch *); static int DetectFilenameMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *,
uint8_t, File *, Signature *, SigMatch *);
static int DetectFilenameSetup (DetectEngineCtx *, Signature *, char *); static int DetectFilenameSetup (DetectEngineCtx *, Signature *, char *);
void DetectFilenameRegisterTests(void); static void DetectFilenameRegisterTests(void);
void DetectFilenameFree(void *); static void DetectFilenameFree(void *);
/** /**
* \brief Registration function for keyword: filename * \brief Registration function for keyword: filename
*/ */
void DetectFilenameRegister(void) { void DetectFilenameRegister(void) {
sigmatch_table[DETECT_FILENAME].name = "filename"; sigmatch_table[DETECT_FILENAME].name = "filename";
sigmatch_table[DETECT_FILENAME].Match = NULL; sigmatch_table[DETECT_FILENAME].FileMatch = DetectFilenameMatch;
sigmatch_table[DETECT_FILENAME].AppLayerMatch = DetectFilenameMatch;
sigmatch_table[DETECT_FILENAME].alproto = ALPROTO_HTTP; sigmatch_table[DETECT_FILENAME].alproto = ALPROTO_HTTP;
sigmatch_table[DETECT_FILENAME].Setup = DetectFilenameSetup; sigmatch_table[DETECT_FILENAME].Setup = DetectFilenameSetup;
sigmatch_table[DETECT_FILENAME].Free = DetectFilenameFree; sigmatch_table[DETECT_FILENAME].Free = DetectFilenameFree;
@ -74,21 +74,24 @@ void DetectFilenameRegister(void) {
/** /**
* \brief match the specified filename * \brief match the specified filename
* *
* \param t pointer to thread vars * \param t thread local vars
* \param det_ctx pointer to the pattern matcher thread * \param det_ctx pattern matcher thread local data
* \param p pointer to the current packet * \param f *LOCKED* flow
* \param m pointer to the sigmatch that we will cast into DetectFilenameData * \param flags direction flags
* \param file file being inspected
* \param s signature being inspected
* \param m sigmatch that we will cast into DetectFilenameData
* *
* \retval 0 no match * \retval 0 no match
* \retval 1 match * \retval 1 match
*/ */
int DetectFilenameMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m) static int DetectFilenameMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Flow *f, uint8_t flags, File *file, Signature *s, SigMatch *m)
{ {
SCEnter(); SCEnter();
int ret = 0; int ret = 0;
DetectFilenameData *filename = m->ctx; DetectFilenameData *filename = m->ctx;
File *file = (File *)state;
if (file->name == NULL) if (file->name == NULL)
SCReturnInt(0); SCReturnInt(0);
@ -133,7 +136,7 @@ int DetectFilenameMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
* \retval filename pointer to DetectFilenameData on success * \retval filename pointer to DetectFilenameData on success
* \retval NULL on failure * \retval NULL on failure
*/ */
DetectFilenameData *DetectFilenameParse (char *str) static DetectFilenameData *DetectFilenameParse (char *str)
{ {
DetectFilenameData *filename = NULL; DetectFilenameData *filename = NULL;
@ -232,7 +235,7 @@ error:
* *
* \param filename pointer to DetectFilenameData * \param filename pointer to DetectFilenameData
*/ */
void DetectFilenameFree(void *ptr) { static void DetectFilenameFree(void *ptr) {
if (ptr != NULL) { if (ptr != NULL) {
DetectFilenameData *filename = (DetectFilenameData *)ptr; DetectFilenameData *filename = (DetectFilenameData *)ptr;
if (filename->bm_ctx != NULL) { if (filename->bm_ctx != NULL) {

29
src/detect-filestore.c
Unescape Escape View File

@ -1,4 +1,4 @@
/* Copyright (C) 2007-2011 Open Information Security Foundation /* Copyright (C) 2007-2012 Open Information Security Foundation
* *
* You can copy, redistribute or modify this Program under the terms of * You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free * the GNU General Public License version 2 as published by the Free
@ -20,6 +20,7 @@
* *
* \author Victor Julien <victor@inliniac.net> * \author Victor Julien <victor@inliniac.net>
* *
* Implements the filestore keyword
*/ */
#include "suricata-common.h" #include "suricata-common.h"
@ -57,7 +58,8 @@
static pcre *parse_regex; static pcre *parse_regex;
static pcre_extra *parse_regex_study; static pcre_extra *parse_regex_study;
int DetectFilestoreMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t, void *, Signature *, SigMatch *); static int DetectFilestoreMatch (ThreadVars *, DetectEngineThreadCtx *,
Flow *, uint8_t, File *, Signature *, SigMatch *);
static int DetectFilestoreSetup (DetectEngineCtx *, Signature *, char *); static int DetectFilestoreSetup (DetectEngineCtx *, Signature *, char *);
static void DetectFilestoreFree(void *); static void DetectFilestoreFree(void *);
@ -66,8 +68,7 @@ static void DetectFilestoreFree(void *);
*/ */
void DetectFilestoreRegister(void) { void DetectFilestoreRegister(void) {
sigmatch_table[DETECT_FILESTORE].name = "filestore"; sigmatch_table[DETECT_FILESTORE].name = "filestore";
sigmatch_table[DETECT_FILESTORE].Match = NULL; sigmatch_table[DETECT_FILESTORE].FileMatch = DetectFilestoreMatch;
sigmatch_table[DETECT_FILESTORE].AppLayerMatch = DetectFilestoreMatch;
sigmatch_table[DETECT_FILESTORE].alproto = ALPROTO_HTTP; sigmatch_table[DETECT_FILESTORE].alproto = ALPROTO_HTTP;
sigmatch_table[DETECT_FILESTORE].Setup = DetectFilestoreSetup; sigmatch_table[DETECT_FILESTORE].Setup = DetectFilestoreSetup;
sigmatch_table[DETECT_FILESTORE].Free = DetectFilestoreFree; sigmatch_table[DETECT_FILESTORE].Free = DetectFilestoreFree;
@ -187,6 +188,10 @@ static int FilestorePostMatchWithOptions(Packet *p, Flow *f, DetectFilestoreData
/** /**
* \brief post-match function for filestore * \brief post-match function for filestore
* *
* \param t thread local vars
* \param det_ctx pattern matcher thread local data
* \param p packet
*
* The match function for filestore records store candidates in the det_ctx. * The match function for filestore records store candidates in the det_ctx.
* When we are sure all parts of the signature matched, we run this function * When we are sure all parts of the signature matched, we run this function
* to finalize the filestore. * to finalize the filestore.
@ -240,10 +245,13 @@ int DetectFilestorePostMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Pack
/** /**
* \brief match the specified filestore * \brief match the specified filestore
* *
* \param t pointer to thread vars * \param t thread local vars
* \param det_ctx pointer to the pattern matcher thread * \param det_ctx pattern matcher thread local data
* \param p pointer to the current packet * \param f *LOCKED* flow
* \param m pointer to the sigmatch that we will cast into DetectFilestoreData * \param flags direction flags
* \param file file being inspected
* \param s signature being inspected
* \param m sigmatch that we will cast into DetectFilestoreData
* *
* \retval 0 no match * \retval 0 no match
* \retval 1 match * \retval 1 match
@ -251,8 +259,8 @@ int DetectFilestorePostMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Pack
* \todo when we start supporting more protocols, the logic in this function * \todo when we start supporting more protocols, the logic in this function
* needs to be put behind a api. * needs to be put behind a api.
*/ */
int DetectFilestoreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, static int DetectFilestoreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
uint8_t flags, void *state, Signature *s, SigMatch *m) uint8_t flags, File *file, Signature *s, SigMatch *m)
{ {
uint16_t file_id = 0; uint16_t file_id = 0;
@ -264,7 +272,6 @@ int DetectFilestoreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f
/* file can be NULL when a rule with filestore scope > file /* file can be NULL when a rule with filestore scope > file
* matches. */ * matches. */
File *file = (File *)state;
if (file != NULL) { if (file != NULL) {
file_id = file->file_id; file_id = file->file_id;
} }

12
src/detect.h
Unescape Escape View File

@ -38,6 +38,7 @@
#include "util-debug.h" #include "util-debug.h"
#include "util-error.h" #include "util-error.h"
#include "util-radix-tree.h" #include "util-radix-tree.h"
#include "util-file.h"
#include "detect-mark.h" #include "detect-mark.h"
@ -795,13 +796,22 @@ typedef struct DetectionEngineThreadCtx_ {
#endif #endif
} DetectEngineThreadCtx; } DetectEngineThreadCtx;
/** \brief element in sigmatch type table. */ /** \brief element in sigmatch type table.
* \note FileMatch pointer below takes a locked flow, AppLayerMatch an unlocked flow
*/
typedef struct SigTableElmt_ { typedef struct SigTableElmt_ {
/** Packet match function pointer */ /** Packet match function pointer */
int (*Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *); int (*Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
/** AppLayer match function pointer */ /** AppLayer match function pointer */
int (*AppLayerMatch)(ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, Signature *, SigMatch *); int (*AppLayerMatch)(ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, Signature *, SigMatch *);
/** File match function pointer */
int (*FileMatch)(ThreadVars *, /**< thread local vars */
DetectEngineThreadCtx *,
Flow *, /**< *LOCKED* flow */
uint8_t flags, File *, Signature *, SigMatch *);
/** app layer proto from app-layer-protos.h this match applies to */ /** app layer proto from app-layer-protos.h this match applies to */
uint16_t alproto; uint16_t alproto;

Write Preview
Loading…
Cancel
Save