From e75956717d6a90abeccd51a8c71bf0b3ea8a9e8b Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Mon, 5 Jun 2023 14:01:07 +0200
Subject: [PATCH] detect/files: centralize definition of protocols

Protocols supporting files are only defined in one place, which gets used by all keywords, which can handle some exceptions (like HTTP2 not having file names)
---
 src/detect-engine-file.c | 23 +++++++++++
 src/detect-engine-file.h | 8 ++++
 src/detect-file-data.c | 84 ++++++++++------------------------------
 src/detect-filemagic.c | 28 ++++++--------
 src/detect-filename.c | 77 ++++++++++++++----------------
 5 files changed, 91 insertions(+), 129 deletions(-)
diff --git a/src/detect-engine-file.c b/src/detect-engine-file.c
index 0ce8c7a0d5..1738c94589 100644
--- a/src/detect-engine-file.c
+++ b/src/detect-engine-file.c
@@ -49,6 +49,29 @@
 #include "util-profiling.h"
 #include "util-validate.h"
 
+FileAppProto file_protos_ts_static[] = {
+ { ALPROTO_HTTP1, HTP_REQUEST_BODY },
+ { ALPROTO_SMTP, 0 },
+ { ALPROTO_FTP, 0 },
+ { ALPROTO_FTPDATA, 0 },
+ { ALPROTO_SMB, 0 },
+ { ALPROTO_NFS, 0 },
+ { ALPROTO_HTTP2, HTTP2StateDataClient },
+ { ALPROTO_UNKNOWN, 0 },
+};
+
+FileAppProto file_protos_tc_static[] = {
+ { ALPROTO_HTTP1, HTP_RESPONSE_BODY },
+ { ALPROTO_FTP, 0 },
+ { ALPROTO_FTPDATA, 0 },
+ { ALPROTO_SMB, 0 },
+ { ALPROTO_NFS, 0 },
+ { ALPROTO_HTTP2, HTTP2StateDataServer },
+ { ALPROTO_UNKNOWN, 0 },
+};
+
+FileAppProto *file_protos_ts = file_protos_ts_static;
+FileAppProto *file_protos_tc = file_protos_tc_static;
 
 /**
 * \brief Inspect the file inspecting keywords.
diff --git a/src/detect-engine-file.h b/src/detect-engine-file.h
index 3705a8f6e6..2f731087ea 100644
--- a/src/detect-engine-file.h
+++ b/src/detect-engine-file.h
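Review bot: `file_protos_ts_static` and `file_protos_tc_static` have external linkage although every consumer in this commit goes through the `file_protos_ts`/`file_protos_tc` pointers, so the arrays should be `static`; and both the arrays and the pointers are writable while nothing in the commit assigns to them after initialization. If the pointer indirection exists so a later change can swap in a larger table, a comment should say so; otherwise `static const FileAppProto file_protos_ts_static[]` together with `const FileAppProto *const file_protos_ts` (mirrored in the `extern` declarations in the detect-engine-file.h hunk) keeps the protocol list read-only once detection is set up. The `ALPROTO_UNKNOWN` terminator that every caller loops on is stated nowhere; a comment above the first table such as `/* Protocols that can carry files, per direction. Each list ends with an ALPROTO_UNKNOWN entry; progress is the tx progress handed to the inspect-engine and mpm registrations. */` would document the contract.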
@@ -28,4 +28,12 @@ uint8_t DetectFileInspectGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
 const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
 uint8_t flags, void *_alstate, void *tx, uint64_t tx_id);
 
+typedef struct FileAppProto {
+ AppProto alproto;
+ int progress;
+} FileAppProto;
+
+extern FileAppProto *file_protos_ts;
+extern FileAppProto *file_protos_tc;
+
 #endif /* __DETECT_ENGINE_FILE_H__ */
diff --git a/src/detect-file-data.c b/src/detect-file-data.c
index 546e046c24..e8f70803de 100644
--- a/src/detect-file-data.c
+++ b/src/detect-file-data.c
@@ -34,6 +34,7 @@
 #include "detect-engine-state.h"
 #include "detect-engine-prefilter.h"
 #include "detect-engine-content-inspection.h"
+#include "detect-engine-file.h"
 #include "detect-file-data.h"
 
 #include "app-layer-parser.h"
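Review bot: The new `FileAppProto` typedef and the two `extern` pointers carry no documentation, and this header is what every keyword file includes to use them. A doc comment on the struct should state what the fields mean — `progress` holds protocol-specific values (`HTP_REQUEST_BODY`, `HTTP2StateDataClient`) widened to `int` — and that each array is terminated by an entry whose `alproto` is `ALPROTO_UNKNOWN`, the loop condition that detect-file-data.c, detect-filemagic.c and detect-filename.c all rely on. The struct also uses `AppProto`, which the hunk adds no include for; it is presumably already in scope through the header's existing includes, but worth confirming so the header stays self-contained.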
@@ -88,71 +89,28 @@ void DetectFiledataRegister(void)
 #endif
 sigmatch_table[DETECT_FILE_DATA].flags = SIGMATCH_NOOPT;
- DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOSERVER, 2,
- PrefilterMpmFiledataRegister, NULL,
- ALPROTO_SMTP, 0);
- DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOCLIENT, 2, PrefilterMpmHTTPFiledataRegister,
- NULL, ALPROTO_HTTP1, HTP_RESPONSE_BODY);
- DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOSERVER, 2, PrefilterMpmFiledataRegister,
- NULL, ALPROTO_HTTP1, HTP_REQUEST_BODY);
- DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOSERVER, 2,
- PrefilterMpmFiledataRegister, NULL,
- ALPROTO_SMB, 0);
- DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOCLIENT, 2,
- PrefilterMpmFiledataRegister, NULL,
- ALPROTO_SMB, 0);
- DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOSERVER, 2,
- PrefilterMpmFiledataRegister, NULL,
- ALPROTO_HTTP2, HTTP2StateDataClient);
- DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOCLIENT, 2,
- PrefilterMpmFiledataRegister, NULL,
- ALPROTO_HTTP2, HTTP2StateDataServer);
- DetectAppLayerMpmRegister2(
- "file_data", SIG_FLAG_TOSERVER, 2, PrefilterMpmFiledataRegister, NULL, ALPROTO_NFS, 0);
- DetectAppLayerMpmRegister2(
- "file_data", SIG_FLAG_TOCLIENT, 2, PrefilterMpmFiledataRegister, NULL, ALPROTO_NFS, 0);
- DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOSERVER, 2, PrefilterMpmFiledataRegister,
- NULL, ALPROTO_FTPDATA, 0);
- DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOCLIENT, 2, PrefilterMpmFiledataRegister,
- NULL, ALPROTO_FTPDATA, 0);
- DetectAppLayerMpmRegister2(
- "file_data", SIG_FLAG_TOSERVER, 2, PrefilterMpmFiledataRegister, NULL, ALPROTO_FTP, 0);
- DetectAppLayerMpmRegister2(
- "file_data", SIG_FLAG_TOCLIENT, 2, PrefilterMpmFiledataRegister, NULL, ALPROTO_FTP, 0);
-
- DetectAppLayerInspectEngineRegister2("file_data", ALPROTO_HTTP1, SIG_FLAG_TOCLIENT,
- HTP_RESPONSE_BODY, DetectEngineInspectBufferHttpBody, NULL);
- DetectAppLayerInspectEngineRegister2("file_data", ALPROTO_HTTP1, SIG_FLAG_TOSERVER,
- HTP_REQUEST_BODY, DetectEngineInspectFiledata, NULL);
- DetectAppLayerInspectEngineRegister2("file_data",
- ALPROTO_SMTP, SIG_FLAG_TOSERVER, 0,
- DetectEngineInspectFiledata, NULL);
+ for (int i = 0; file_protos_ts[i].alproto != ALPROTO_UNKNOWN; i++) {
+ DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOSERVER, 2, PrefilterMpmFiledataRegister,
+ NULL, file_protos_ts[i].alproto, file_protos_ts[i].progress);
+ DetectAppLayerInspectEngineRegister2("file_data", file_protos_ts[i].alproto,
+ SIG_FLAG_TOSERVER, file_protos_ts[i].progress, DetectEngineInspectFiledata, NULL);
+ }
+ for (int i = 0; file_protos_tc[i].alproto != ALPROTO_UNKNOWN; i++) {
+ if (file_protos_tc[i].alproto == ALPROTO_HTTP1) {
+ // special case for HTTP1
+ DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOCLIENT, 2,
+ PrefilterMpmHTTPFiledataRegister, NULL, ALPROTO_HTTP1, HTP_RESPONSE_BODY);
+ DetectAppLayerInspectEngineRegister2("file_data", ALPROTO_HTTP1, SIG_FLAG_TOCLIENT,
+ HTP_RESPONSE_BODY, DetectEngineInspectBufferHttpBody, NULL);
+ continue;
+ }
+ DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOCLIENT, 2, PrefilterMpmFiledataRegister,
+ NULL, file_protos_tc[i].alproto, file_protos_tc[i].progress);
+ DetectAppLayerInspectEngineRegister2("file_data", file_protos_tc[i].alproto,
+ SIG_FLAG_TOCLIENT, file_protos_tc[i].progress, DetectEngineInspectFiledata, NULL);
+ }
 DetectBufferTypeRegisterSetupCallback("file_data", DetectFiledataSetupCallback);
- DetectAppLayerInspectEngineRegister2("file_data",
- ALPROTO_SMB, SIG_FLAG_TOSERVER, 0,
- DetectEngineInspectFiledata, NULL);
- DetectAppLayerInspectEngineRegister2("file_data",
- ALPROTO_SMB, SIG_FLAG_TOCLIENT, 0,
- DetectEngineInspectFiledata, NULL);
- DetectAppLayerInspectEngineRegister2("file_data",
- ALPROTO_HTTP2, SIG_FLAG_TOSERVER, HTTP2StateDataClient,
- DetectEngineInspectFiledata, NULL);
- DetectAppLayerInspectEngineRegister2("file_data",
- ALPROTO_HTTP2, SIG_FLAG_TOCLIENT, HTTP2StateDataServer,
- DetectEngineInspectFiledata, NULL);
- DetectAppLayerInspectEngineRegister2(
- "file_data", ALPROTO_NFS, SIG_FLAG_TOSERVER, 0, DetectEngineInspectFiledata, NULL);
- DetectAppLayerInspectEngineRegister2(
- "file_data", ALPROTO_NFS, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectFiledata, NULL);
- DetectAppLayerInspectEngineRegister2(
- "file_data", ALPROTO_FTPDATA, SIG_FLAG_TOSERVER, 0, DetectEngineInspectFiledata, NULL);
- DetectAppLayerInspectEngineRegister2(
- "file_data", ALPROTO_FTPDATA, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectFiledata, NULL);
- DetectAppLayerInspectEngineRegister2(
- "file_data", ALPROTO_FTP, SIG_FLAG_TOSERVER, 0, DetectEngineInspectFiledata, NULL);
- DetectAppLayerInspectEngineRegister2(
- "file_data", ALPROTO_FTP, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectFiledata, NULL);
 DetectBufferTypeSetDescriptionByName("file_data", "data from tracked files");
 DetectBufferTypeSupportsMultiInstance("file_data");
diff --git a/src/detect-filemagic.c b/src/detect-filemagic.c
index 3672538afe..628aa842fd 100644
--- a/src/detect-filemagic.c
+++ b/src/detect-filemagic.c
@@ -34,6 +34,7 @@
 #include "detect-engine-mpm.h"
 #include "detect-engine-prefilter.h"
 #include "detect-engine-content-inspection.h"
+#include "detect-engine-file.h"
 
 #include "flow.h"
 #include "flow-var.h"
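Review bot: The HTTP1 special case in the to-client loop hard-codes `ALPROTO_HTTP1` and `HTP_RESPONSE_BODY` instead of reading `file_protos_tc[i].alproto` and `file_protos_tc[i].progress`, so for that entry the shared table is no longer the single source of truth: editing its progress in detect-engine-file.c would change `file.magic` and `file.name` but not `file_data`. Passing the table fields — `PrefilterMpmHTTPFiledataRegister, NULL, file_protos_tc[i].alproto, file_protos_tc[i].progress);` and `file_protos_tc[i].progress, DetectEngineInspectBufferHttpBody, NULL);` — leaves only the callbacks special. The comment `// special case for HTTP1` should also say why, e.g. `// HTTP1 responses are inspected through the HTP body buffer, hence different prefilter and inspect callbacks`. `DetectFiledataRegister` begins before this hunk and continues after it.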
@@ -135,28 +136,21 @@ void DetectFilemagicRegister(void)
 g_file_match_list_id = DetectBufferTypeRegister("files");
- AppProto protos_ts[] = { ALPROTO_HTTP1, ALPROTO_SMTP, ALPROTO_FTP, ALPROTO_SMB, ALPROTO_NFS,
- ALPROTO_HTTP2, 0 };
- AppProto protos_tc[] = { ALPROTO_HTTP1, ALPROTO_FTP, ALPROTO_SMB, ALPROTO_NFS, ALPROTO_HTTP2,
- 0 };
-
- for (int i = 0; protos_ts[i] != 0; i++) {
- DetectAppLayerInspectEngineRegister2("file.magic", protos_ts[i],
- SIG_FLAG_TOSERVER, 0,
- DetectEngineInspectFilemagic, NULL);
+ for (int i = 0; file_protos_ts[i].alproto != ALPROTO_UNKNOWN; i++) {
+ DetectAppLayerInspectEngineRegister2("file.magic", file_protos_ts[i].alproto,
+ SIG_FLAG_TOSERVER, file_protos_ts[i].progress, DetectEngineInspectFilemagic, NULL);
 DetectAppLayerMpmRegister2("file.magic", SIG_FLAG_TOSERVER, 2,
- PrefilterMpmFilemagicRegister, NULL, protos_ts[i],
- 0);
+ PrefilterMpmFilemagicRegister, NULL, file_protos_ts[i].alproto,
+ file_protos_ts[i].progress);
 }
- for (int i = 0; protos_tc[i] != 0; i++) {
- DetectAppLayerInspectEngineRegister2("file.magic", protos_tc[i],
- SIG_FLAG_TOCLIENT, 0,
- DetectEngineInspectFilemagic, NULL);
+ for (int i = 0; file_protos_tc[i].alproto != ALPROTO_UNKNOWN; i++) {
+ DetectAppLayerInspectEngineRegister2("file.magic", file_protos_tc[i].alproto,
+ SIG_FLAG_TOCLIENT, file_protos_tc[i].progress, DetectEngineInspectFilemagic, NULL);
 DetectAppLayerMpmRegister2("file.magic", SIG_FLAG_TOCLIENT, 2,
- PrefilterMpmFilemagicRegister, NULL, protos_tc[i],
- 0);
+ PrefilterMpmFilemagicRegister, NULL, file_protos_tc[i].alproto,
+ file_protos_tc[i].progress);
 }
 DetectBufferTypeSetDescriptionByName("file.magic",
diff --git a/src/detect-filename.c b/src/detect-filename.c
index 8a9b5d4e88..548e4aaee9 100644
--- a/src/detect-filename.c
+++ b/src/detect-filename.c
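Review bot: Switching `file.magic` to the shared tables changes what gets registered, and neither the commit message nor the code says so: the HTTP1 engines previously used progress `0` and now use `HTP_REQUEST_BODY`/`HTP_RESPONSE_BODY`, and `ALPROTO_FTPDATA`, absent from the removed `protos_ts`/`protos_tc` arrays, is now registered in both directions. If the progress value gates when the inspect engine first runs on a transaction, HTTP1 `file.magic` matching now starts at the body stage rather than immediately; that is probably the intent, since no file exists before the body, but it should be stated, and the same progress change applies to `file.name` in the detect-filename.c hunk. A sentence in the commit description or a comment above the first loop, e.g. `// progress comes from the shared table (HTP_*_BODY for HTTP1), no longer 0`, would record it.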
@@ -103,59 +103,38 @@ void DetectFilenameRegister(void)
 sigmatch_table[DETECT_FILE_NAME].Setup = DetectFilenameSetupSticky;
 sigmatch_table[DETECT_FILE_NAME].flags = SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
- DetectAppLayerInspectEngineRegister2("files", ALPROTO_HTTP1, SIG_FLAG_TOSERVER,
- HTP_REQUEST_BODY, DetectFileInspectGeneric, NULL);
- DetectAppLayerInspectEngineRegister2("files", ALPROTO_HTTP1, SIG_FLAG_TOCLIENT,
- HTP_RESPONSE_BODY, DetectFileInspectGeneric, NULL);
-
- DetectAppLayerInspectEngineRegister2(
- "files", ALPROTO_SMTP, SIG_FLAG_TOSERVER, 0, DetectFileInspectGeneric, NULL);
-
- DetectAppLayerInspectEngineRegister2(
- "files", ALPROTO_NFS, SIG_FLAG_TOSERVER, 0, DetectFileInspectGeneric, NULL);
- DetectAppLayerInspectEngineRegister2(
- "files", ALPROTO_NFS, SIG_FLAG_TOCLIENT, 0, DetectFileInspectGeneric, NULL);
-
- DetectAppLayerInspectEngineRegister2(
- "files", ALPROTO_FTPDATA, SIG_FLAG_TOSERVER, 0, DetectFileInspectGeneric, NULL);
- DetectAppLayerInspectEngineRegister2(
- "files", ALPROTO_FTPDATA, SIG_FLAG_TOCLIENT, 0, DetectFileInspectGeneric, NULL);
-
- DetectAppLayerInspectEngineRegister2(
- "files", ALPROTO_SMB, SIG_FLAG_TOSERVER, 0, DetectFileInspectGeneric, NULL);
- DetectAppLayerInspectEngineRegister2(
- "files", ALPROTO_SMB, SIG_FLAG_TOCLIENT, 0, DetectFileInspectGeneric, NULL);
-
- //this is used by filestore
- DetectAppLayerInspectEngineRegister2("files", ALPROTO_HTTP2, SIG_FLAG_TOSERVER,
- HTTP2StateDataClient, DetectFileInspectGeneric, NULL);
- DetectAppLayerInspectEngineRegister2("files", ALPROTO_HTTP2, SIG_FLAG_TOCLIENT,
- HTTP2StateDataServer, DetectFileInspectGeneric, NULL);
-
+ // this is required by filestore, and filesize
+ for (int i = 0; file_protos_ts[i].alproto != ALPROTO_UNKNOWN; i++) {
+ DetectAppLayerInspectEngineRegister2("files", file_protos_ts[i].alproto, SIG_FLAG_TOSERVER,
+ file_protos_ts[i].progress, DetectFileInspectGeneric, NULL);
+ }
+ for (int i = 0; file_protos_tc[i].alproto != ALPROTO_UNKNOWN; i++) {
+ DetectAppLayerInspectEngineRegister2("files", file_protos_tc[i].alproto, SIG_FLAG_TOCLIENT,
+ file_protos_tc[i].progress, DetectFileInspectGeneric, NULL);
+ }
 g_file_match_list_id = DetectBufferTypeGetByName("files");
- AppProto protos_ts[] = { ALPROTO_HTTP1, ALPROTO_SMTP, ALPROTO_FTP, ALPROTO_FTPDATA, ALPROTO_SMB,
- ALPROTO_NFS, 0 };
- AppProto protos_tc[] = { ALPROTO_HTTP1, ALPROTO_FTP, ALPROTO_FTPDATA, ALPROTO_SMB, ALPROTO_NFS,
- 0 };
-
- for (int i = 0; protos_ts[i] != 0; i++) {
- DetectAppLayerInspectEngineRegister2("file.name", protos_ts[i],
- SIG_FLAG_TOSERVER, 0,
- DetectEngineInspectFilename, NULL);
+ for (int i = 0; file_protos_ts[i].alproto != ALPROTO_UNKNOWN; i++) {
+ if (file_protos_ts[i].alproto == ALPROTO_HTTP2) {
+ // no filename on HTTP2 files
+ continue;
+ }
+ DetectAppLayerInspectEngineRegister2("file.name", file_protos_ts[i].alproto,
+ SIG_FLAG_TOSERVER, file_protos_ts[i].progress, DetectEngineInspectFilename, NULL);
 
- DetectAppLayerMpmRegister2("file.name", SIG_FLAG_TOSERVER, 2,
- PrefilterMpmFilenameRegister, NULL, protos_ts[i],
- 0);
+ DetectAppLayerMpmRegister2("file.name", SIG_FLAG_TOSERVER, 2, PrefilterMpmFilenameRegister,
+ NULL, file_protos_ts[i].alproto, file_protos_ts[i].progress);
 }
- for (int i = 0; protos_tc[i] != 0; i++) {
- DetectAppLayerInspectEngineRegister2("file.name", protos_tc[i],
- SIG_FLAG_TOCLIENT, 0,
- DetectEngineInspectFilename, NULL);
-
- DetectAppLayerMpmRegister2("file.name", SIG_FLAG_TOCLIENT, 2,
- PrefilterMpmFilenameRegister, NULL, protos_tc[i],
- 0);
+ for (int i = 0; file_protos_tc[i].alproto != ALPROTO_UNKNOWN; i++) {
+ if (file_protos_tc[i].alproto == ALPROTO_HTTP2) {
+ // no filename on HTTP2 files
+ continue;
+ }
+ DetectAppLayerInspectEngineRegister2("file.name", file_protos_tc[i].alproto,
+ SIG_FLAG_TOCLIENT, file_protos_tc[i].progress, DetectEngineInspectFilename, NULL);
+
+ DetectAppLayerMpmRegister2("file.name", SIG_FLAG_TOCLIENT, 2, PrefilterMpmFilenameRegister,
+ NULL, file_protos_tc[i].alproto, file_protos_tc[i].progress);
 }
 DetectBufferTypeSetDescriptionByName("file.name", "file name");
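Review bot: The `ALPROTO_HTTP2` exception is written twice, once per direction loop, each with the same `// no filename on HTTP2 files` comment, although whether a protocol exposes file names is a property of the protocol rather than of the direction; a single `static` predicate on `alproto` called from both loops, or a flag in the shared table, would keep the next protocol without names from being added in two places. Separately, the `files` buffer that the new comment says filestore and filesize depend on is now registered for `ALPROTO_FTP` in both directions, which the removed block did not do (it covered `ALPROTO_FTPDATA` only); `DetectFileInspectGeneric` on FTP control transactions presumably sees no files and is harmless, but this widening is not mentioned in the commit message and should be. `DetectFilenameRegister` begins before this hunk and continues after it.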