From 53ebe4c5380781c740106e445e7782e3cbfee0a5 Mon Sep 17 00:00:00 2001
From: Duarte Silva
Date: Tue, 24 May 2016 19:58:13 +0200
Subject: [PATCH] file-hashing: added configuration options and common parsing code

---
 src/log-file.c | 10 +-------
 src/log-filestore.c | 10 +-------
 src/output-json-file.c | 10 +-------
 src/util-detect-file-hash.c | 6 ++---
 src/util-detect-file-hash.h | 2 +-
 src/util-file.c | 51 +++++++++++++++++++++++++++++++++++++
 src/util-file.h | 4 +++
 suricata.yaml.in | 12 ++++++---
 8 files changed, 71 insertions(+), 34 deletions(-)

diff --git a/src/log-file.c b/src/log-file.c
index bd5a5855eb..19821a22f8 100644
--- a/src/log-file.c
+++ b/src/log-file.c
@@ -444,15 +444,7 @@ static OutputCtx *LogFileLogInitCtx(ConfNode *conf)
         SCLogInfo("forcing magic lookup for logged files");
     }
 
-    const char *force_md5 = ConfNodeLookupChildValue(conf, "force-md5");
-    if (force_md5 != NULL && ConfValIsTrue(force_md5)) {
-#ifdef HAVE_NSS
-        FileForceMd5Enable();
-        SCLogInfo("forcing md5 calculation for logged files");
-#else
-        SCLogInfo("md5 calculation requires linking against libnss");
-#endif
-    }
+    FileForceHashParseCfg(conf);
     FileForceTrackingEnable();
     SCReturnPtr(output_ctx, "OutputCtx");
 }
diff --git a/src/log-filestore.c b/src/log-filestore.c
index d6be8f5f80..d793d341e2 100644
--- a/src/log-filestore.c
+++ b/src/log-filestore.c
@@ -481,15 +481,7 @@ static OutputCtx *LogFilestoreLogInitCtx(ConfNode *conf)
         SCLogInfo("forcing magic lookup for stored files");
     }
 
-    const char *force_md5 = ConfNodeLookupChildValue(conf, "force-md5");
-    if (force_md5 != NULL && ConfValIsTrue(force_md5)) {
-#ifdef HAVE_NSS
-        FileForceMd5Enable();
-        SCLogInfo("forcing md5 calculation for stored files");
-#else
-        SCLogInfo("md5 calculation requires linking against libnss");
-#endif
-    }
+    FileForceHashParseCfg(conf);
 
     SCLogInfo("storing files in %s", g_logfile_base_dir);
     SCReturnPtr(output_ctx, "OutputCtx");
diff --git a/src/output-json-file.c b/src/output-json-file.c
index fb39bef720..4fb08b5ea1 100644
--- a/src/output-json-file.c
+++ b/src/output-json-file.c
@@ -288,15 +288,7 @@ OutputCtx *OutputFileLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
             SCLogConfig("forcing magic lookup for logged files");
         }
 
-        const char *force_md5 = ConfNodeLookupChildValue(conf, "force-md5");
-        if (force_md5 != NULL && ConfValIsTrue(force_md5)) {
-#ifdef HAVE_NSS
-            FileForceMd5Enable();
-            SCLogConfig("forcing md5 calculation for logged files");
-#else
-            SCLogInfo("md5 calculation requires linking against libnss");
-#endif
-        }
+        FileForceHashParseCfg(conf);
     }
 
     output_ctx->data = output_file_ctx;
diff --git a/src/util-detect-file-hash.c b/src/util-detect-file-hash.c
index 49b93eb8f7..2cd884975f 100644
--- a/src/util-detect-file-hash.c
+++ b/src/util-detect-file-hash.c
@@ -194,13 +194,13 @@ int DetectFileHashMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
 }
 
 /**
- * \brief Parse the filemd5 keyword
+ * \brief Parse the filemd5, filesha1 or filesha256 keyword
  *
  * \param det_ctx pattern matcher thread local data
  * \param str Pointer to the user provided option
  * \param type the hash algorithm
  *
- * \retval filemd5 pointer to DetectFileHashData on success
+ * \retval hash pointer to DetectFileHashData on success
  * \retval NULL on failure
  */
 static DetectFileHashData *DetectFileHashParse (const DetectEngineCtx *de_ctx,
@@ -210,7 +210,7 @@ static DetectFileHashData *DetectFileHashParse (const DetectEngineCtx *de_ctx,
     FILE *fp = NULL;
     char *filename = NULL;
 
-    /* We have a correct filemd5 option */
+    /* We have a correct hash algorithm option */
     filehash = SCMalloc(sizeof(DetectFileHashData));
     if (unlikely(filehash == NULL))
         goto error;
diff --git a/src/util-detect-file-hash.h b/src/util-detect-file-hash.h
index 19d5418c3e..0e9835bb4d 100644
--- a/src/util-detect-file-hash.h
+++ b/src/util-detect-file-hash.h
@@ -28,7 +28,7 @@
 
 #include "util-rohash.h"
 
-typedef struct DetectFileHashData {
+typedef struct DetectFileHashData_ {
     ROHashTable *hash;
     int negated;
 } DetectFileHashData;
diff --git a/src/util-file.c b/src/util-file.c
index f44549c6aa..ff35508161 100644
--- a/src/util-file.c
+++ b/src/util-file.c
@@ -124,6 +124,57 @@ void FileForceTrackingEnable(void)
     g_file_force_tracking = 1;
 }
 
+
+/**
+ * \brief Function to parse forced file hashing configuration.
+ */
+void FileForceHashParseCfg(ConfNode *conf)
+{
+    BUG_ON(conf == NULL);
+
+    ConfNode *forcehash_node = NULL;
+
+    if (conf != NULL)
+        forcehash_node = ConfNodeLookupChild(conf, "force-hash");
+
+    if (forcehash_node != NULL) {
+        ConfNode *field = NULL;
+
+        TAILQ_FOREACH(field, &forcehash_node->head, next) {
+            if (field == NULL) {
+                break;
+            }
+
+            if (strcasecmp("md5", field->val) == 0) {
+#ifdef HAVE_NSS
+                FileForceMd5Enable();
+                SCLogConfig("forcing md5 calculation for logged or stored files");
+#else
+                SCLogInfo("md5 calculation requires linking against libnss");
+#endif
+            }
+
+            if (strcasecmp("sha1", field->val) == 0) {
+#ifdef HAVE_NSS
+                FileForceSha1Enable();
+                SCLogConfig("forcing sha1 calculation for logged or stored files");
+#else
+                SCLogInfo("sha1 calculation requires linking against libnss");
+#endif
+            }
+
+            if (strcasecmp("sha256", field->val) == 0) {
+#ifdef HAVE_NSS
+                FileForceSha256Enable();
+                SCLogConfig("forcing sha256 calculation for logged or stored files");
+#else
+                SCLogInfo("sha256 calculation requires linking against libnss");
+#endif
+            }
+        }
+    }
+}
+
 int FileMagicSize(void)
 {
     /** \todo make this size configurable */
diff --git a/src/util-file.h b/src/util-file.h
index fa9d75276b..9f55d8304c 100644
--- a/src/util-file.h
+++ b/src/util-file.h
@@ -29,6 +29,8 @@
 #include
 #endif
 
+#include "conf.h"
+
 #include "util-streaming-buffer.h"
 
 #define FILE_TRUNCATED 0x0001
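Review bot: In FileForceHashParseCfg a `force-hash` entry that is not exactly md5, sha1 or sha256 (a typo such as `sha-256`) falls through all three `if`s without any message, and the `force-md5` key that the three replaced call sites used to read is no longer looked up at all, so a deployment that upgrades with `force-md5: yes` in place silently stops hashing files while the operator believes hashes are still being recorded. I would add an `else` branch that logs the unrecognised value and, at least for a transition period, look up `force-md5` here with a deprecation warning, as sketched below. The `if (field == NULL) break;` inside `TAILQ_FOREACH` is dead (the macro ends the loop when the iterator becomes NULL), and `BUG_ON(conf == NULL)` makes the following `if (conf != NULL)` redundant, so keep one or the other. Whether a sequence item can carry `val == NULL` I cannot tell from here; if it can, the `strcasecmp` calls need a guard.
```c
void FileForceHashParseCfg(ConfNode *conf)
{
    BUG_ON(conf == NULL);

    /* Legacy key: an upgraded config with 'force-md5: yes' must not
     * silently stop hashing; honour it and tell the operator to migrate. */
    const char *force_md5 = ConfNodeLookupChildValue(conf, "force-md5");
    if (force_md5 != NULL && ConfValIsTrue(force_md5)) {
        SCLogWarning(SC_ERR_INVALID_ARGUMENT,
                "'force-md5' is deprecated, use 'force-hash: [md5]' instead");
#ifdef HAVE_NSS
        FileForceMd5Enable();
#else
        SCLogInfo("md5 calculation requires linking against libnss");
#endif
    }

    ConfNode *forcehash_node = ConfNodeLookupChild(conf, "force-hash");
    if (forcehash_node == NULL)
        return;

    ConfNode *field = NULL;
    TAILQ_FOREACH(field, &forcehash_node->head, next) {
        if (field->val == NULL) /* defensive; confirm whether a list item can lack a value */
            continue;
        if (strcasecmp("md5", field->val) == 0) {
            /* … unchanged: md5 branch … */
        } else if (strcasecmp("sha1", field->val) == 0) {
            /* … unchanged: sha1 branch … */
        } else if (strcasecmp("sha256", field->val) == 0) {
            /* … unchanged: sha256 branch … */
        } else {
            SCLogWarning(SC_ERR_INVALID_ARGUMENT,
                    "unknown hash function '%s' in force-hash, ignoring it",
                    field->val);
        }
    }
}
```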
@@ -197,6 +199,8 @@ void FileDisableSha256(Flow *f, uint8_t);
 void FileForceSha256Enable(void);
 int FileForceSha256(void);
 
+void FileForceHashParseCfg(ConfNode *);
+
 void FileForceTrackingEnable(void);
 
 void FileStoreAllFiles(FileContainer *);
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 7f4d075c11..f8be4b3d27 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -202,7 +202,9 @@ outputs:
             extended: yes     # enable this for extended logging information
         - files:
             force-magic: no   # force logging magic on all logged files
-            force-md5: no     # force logging of md5 checksums
+            # force logging of checksums, available hash functions are md5,
+            # sha1 and sha256
+            #force-hash: [md5]
         #- drop:
         #  alerts: yes      # log alerts that caused drops
         #  flows: all       # start or all: 'start' logs only a single drop
@@ -399,7 +401,9 @@ outputs:
       enabled: no      # set to yes to enable
       log-dir: files    # directory to store the files
       force-magic: no   # force logging magic on all stored files
-      force-md5: no     # force logging of md5 checksums
+      # force logging of checksums, available hash functions are md5,
+      # sha1 and sha256
+      #force-hash: [md5]
       force-filestore: no # force storing of all files
       #waldo: file.waldo # waldo file to store the file_id across runs
 
@@ -411,7 +415,9 @@ outputs:
       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
 
       force-magic: no   # force logging magic on all logged files
-      force-md5: no     # force logging of md5 checksums
+      # force logging of checksums, available hash functions are md5,
+      # sha1 and sha256
+      #force-hash: [md5]
 
   # Log TCP data after stream normalization
   # 2 types: file or dir. File logs into a single logfile. Dir creates