file-hashing: added configuration options and common parsing code

10 years ago · 53ebe4c538
parent 89eb935f73
commit 53ebe4c538
8 changed files with 71 additions and 34 deletions
--- a/src/log-file.c
+++ b/src/log-file.c
@ -444,15 +444,7 @@ static OutputCtx *LogFileLogInitCtx(ConfNode *conf)
        SCLogInfo("forcing magic lookup for logged files");
    }

-    const char *force_md5 = ConfNodeLookupChildValue(conf, "force-md5");
-    if (force_md5 != NULL && ConfValIsTrue(force_md5)) {
-#ifdef HAVE_NSS
-        FileForceMd5Enable();
-        SCLogInfo("forcing md5 calculation for logged files");
-#else
-        SCLogInfo("md5 calculation requires linking against libnss");
-#endif
-    }
+    FileForceHashParseCfg(conf);
    FileForceTrackingEnable();
    SCReturnPtr(output_ctx, "OutputCtx");
 }
--- a/src/log-filestore.c
+++ b/src/log-filestore.c
@ -481,15 +481,7 @@ static OutputCtx *LogFilestoreLogInitCtx(ConfNode *conf)
        SCLogInfo("forcing magic lookup for stored files");
    }

-    const char *force_md5 = ConfNodeLookupChildValue(conf, "force-md5");
-    if (force_md5 != NULL && ConfValIsTrue(force_md5)) {
-#ifdef HAVE_NSS
-        FileForceMd5Enable();
-        SCLogInfo("forcing md5 calculation for stored files");
-#else
-        SCLogInfo("md5 calculation requires linking against libnss");
-#endif
-    }
+    FileForceHashParseCfg(conf);
    SCLogInfo("storing files in %s", g_logfile_base_dir);

    SCReturnPtr(output_ctx, "OutputCtx");
--- a/src/output-json-file.c
+++ b/src/output-json-file.c
@ -288,15 +288,7 @@ OutputCtx *OutputFileLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
            SCLogConfig("forcing magic lookup for logged files");
        }

-        const char *force_md5 = ConfNodeLookupChildValue(conf, "force-md5");
-        if (force_md5 != NULL && ConfValIsTrue(force_md5)) {
-#ifdef HAVE_NSS
-            FileForceMd5Enable();
-            SCLogConfig("forcing md5 calculation for logged files");
-#else
-            SCLogInfo("md5 calculation requires linking against libnss");
-#endif
-        }
+        FileForceHashParseCfg(conf);
    }

    output_ctx->data = output_file_ctx;
--- a/src/util-detect-file-hash.c
+++ b/src/util-detect-file-hash.c
@ -194,13 +194,13 @@ int DetectFileHashMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
 }

 /**
- * \brief Parse the filemd5 keyword
+ * \brief Parse the filemd5, filesha1 or filesha256 keyword
 *
 * \param det_ctx pattern matcher thread local data
 * \param str Pointer to the user provided option
 * \param type the hash algorithm
 *
- * \retval filemd5 pointer to DetectFileHashData on success
+ * \retval hash pointer to DetectFileHashData on success
 * \retval NULL on failure
 */
 static DetectFileHashData *DetectFileHashParse (const DetectEngineCtx *de_ctx,
@ -210,7 +210,7 @@ static DetectFileHashData *DetectFileHashParse (const DetectEngineCtx *de_ctx,
    FILE *fp = NULL;
    char *filename = NULL;

-    /* We have a correct filemd5 option */
+    /* We have a correct hash algorithm option */
    filehash = SCMalloc(sizeof(DetectFileHashData));
    if (unlikely(filehash == NULL))
        goto error;
--- a/src/util-detect-file-hash.h
+++ b/src/util-detect-file-hash.h
@ -28,7 +28,7 @@

 #include "util-rohash.h"

-typedef struct DetectFileHashData {
+typedef struct DetectFileHashData_ {
    ROHashTable *hash;
    int negated;
 } DetectFileHashData;
--- a/src/util-file.c
+++ b/src/util-file.c
@ -124,6 +124,57 @@ void FileForceTrackingEnable(void)
    g_file_force_tracking = 1;
 }

+
+/**
+ * \brief Function to parse forced file hashing configuration.
+ */
+void FileForceHashParseCfg(ConfNode *conf)
+{
+    BUG_ON(conf == NULL);
+
+    ConfNode *forcehash_node = NULL;
+
+    if (conf != NULL)
+        forcehash_node = ConfNodeLookupChild(conf, "force-hash");
+
+    if (forcehash_node != NULL) {
+        ConfNode *field = NULL;
+
+        TAILQ_FOREACH(field, &forcehash_node->head, next) {
+            if (field == NULL) {
+                break;
+            }
+
+            if (strcasecmp("md5", field->val) == 0) {
+#ifdef HAVE_NSS
+                FileForceMd5Enable();
+                SCLogConfig("forcing md5 calculation for logged or stored files");
+#else
+                SCLogInfo("md5 calculation requires linking against libnss");
+#endif
+            }
+
+            if (strcasecmp("sha1", field->val) == 0) {
+#ifdef HAVE_NSS
+                FileForceSha1Enable();
+                SCLogConfig("forcing sha1 calculation for logged or stored files");
+#else
+                SCLogInfo("sha1 calculation requires linking against libnss");
+#endif
+            }
+
+            if (strcasecmp("sha256", field->val) == 0) {
+#ifdef HAVE_NSS
+                FileForceSha256Enable();
+                SCLogConfig("forcing sha256 calculation for logged or stored files");
+#else
+                SCLogInfo("sha256 calculation requires linking against libnss");
+#endif
+            }
+        }
+    }
+}
+
 int FileMagicSize(void)
 {
    /** \todo make this size configurable */
--- a/src/util-file.h
+++ b/src/util-file.h
@ -29,6 +29,8 @@
 #include <sechash.h>
 #endif

+#include "conf.h"
+
 #include "util-streaming-buffer.h"

 #define FILE_TRUNCATED  0x0001
@ -197,6 +199,8 @@ void FileDisableSha256(Flow *f, uint8_t);
 void FileForceSha256Enable(void);
 int FileForceSha256(void);

+void FileForceHashParseCfg(ConfNode *);
+
 void FileForceTrackingEnable(void);

 void FileStoreAllFiles(FileContainer *);
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@ -202,7 +202,9 @@ outputs:
            extended: yes     # enable this for extended logging information
        - files:
            force-magic: no   # force logging magic on all logged files
-            force-md5: no     # force logging of md5 checksums
+            # force logging of checksums, available hash functions are md5,
+            # sha1 and sha256
+            #force-hash: [md5]
        #- drop:
        #    alerts: yes      # log alerts that caused drops
        #    flows: all       # start or all: 'start' logs only a single drop
@ -399,7 +401,9 @@ outputs:
      enabled: no       # set to yes to enable
      log-dir: files    # directory to store the files
      force-magic: no   # force logging magic on all stored files
-      force-md5: no     # force logging of md5 checksums
+      # force logging of checksums, available hash functions are md5,
+      # sha1 and sha256
+      #force-hash: [md5]
      force-filestore: no # force storing of all files
      #waldo: file.waldo # waldo file to store the file_id across runs

@ -411,7 +415,9 @@ outputs:
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

      force-magic: no   # force logging magic on all logged files
-      force-md5: no     # force logging of md5 checksums
+      # force logging of checksums, available hash functions are md5,
+      # sha1 and sha256
+      #force-hash: [md5]

  # Log TCP data after stream normalization
  # 2 types: file or dir. File logs into a single logfile. Dir creates