detect/files: centralize definition of protocols

Protocols supporting files are only defined in one place, which
gets used by all keywords, which can handle some exceptions
(like HTTP2 not having file names)

src/detect-engine-file.c

@@ -49,6 +49,29 @@
 #include "util-profiling.h"
 #include "util-validate.h"
 
+FileAppProto file_protos_ts_static[] = {
+    { ALPROTO_HTTP1, HTP_REQUEST_BODY },
+    { ALPROTO_SMTP, 0 },
+    { ALPROTO_FTP, 0 },
+    { ALPROTO_FTPDATA, 0 },
+    { ALPROTO_SMB, 0 },
+    { ALPROTO_NFS, 0 },
+    { ALPROTO_HTTP2, HTTP2StateDataClient },
+    { ALPROTO_UNKNOWN, 0 },
+};
+
+FileAppProto file_protos_tc_static[] = {
+    { ALPROTO_HTTP1, HTP_RESPONSE_BODY },
+    { ALPROTO_FTP, 0 },
+    { ALPROTO_FTPDATA, 0 },
+    { ALPROTO_SMB, 0 },
+    { ALPROTO_NFS, 0 },
+    { ALPROTO_HTTP2, HTTP2StateDataServer },
+    { ALPROTO_UNKNOWN, 0 },
+};
+
+FileAppProto *file_protos_ts = file_protos_ts_static;
+FileAppProto *file_protos_tc = file_protos_tc_static;
 
 /**
  *  \brief Inspect the file inspecting keywords.

src/detect-engine-file.h

@@ -28,4 +28,12 @@ uint8_t DetectFileInspectGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
         const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
         uint8_t flags, void *_alstate, void *tx, uint64_t tx_id);
 
+typedef struct FileAppProto {
+    AppProto alproto;
+    int progress;
+} FileAppProto;
+
+extern FileAppProto *file_protos_ts;
+extern FileAppProto *file_protos_tc;
+
 #endif /* __DETECT_ENGINE_FILE_H__ */

src/detect-file-data.c

@@ -34,6 +34,7 @@
 #include "detect-engine-state.h"
 #include "detect-engine-prefilter.h"
 #include "detect-engine-content-inspection.h"
+#include "detect-engine-file.h"
 #include "detect-file-data.h"
 
 #include "app-layer-parser.h"
@@ -88,71 +89,28 @@ void DetectFiledataRegister(void)
 #endif
     sigmatch_table[DETECT_FILE_DATA].flags = SIGMATCH_NOOPT;
 
-    DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOSERVER, 2,
+    for (int i = 0; file_protos_ts[i].alproto != ALPROTO_UNKNOWN; i++) {
-            PrefilterMpmFiledataRegister, NULL,
+        DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOSERVER, 2, PrefilterMpmFiledataRegister,
-            ALPROTO_SMTP, 0);
+                NULL, file_protos_ts[i].alproto, file_protos_ts[i].progress);
-    DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOCLIENT, 2, PrefilterMpmHTTPFiledataRegister,
+        DetectAppLayerInspectEngineRegister2("file_data", file_protos_ts[i].alproto,
-            NULL, ALPROTO_HTTP1, HTP_RESPONSE_BODY);
+                SIG_FLAG_TOSERVER, file_protos_ts[i].progress, DetectEngineInspectFiledata, NULL);
-    DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOSERVER, 2, PrefilterMpmFiledataRegister,
+    }
-            NULL, ALPROTO_HTTP1, HTP_REQUEST_BODY);
+    for (int i = 0; file_protos_tc[i].alproto != ALPROTO_UNKNOWN; i++) {
-    DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOSERVER, 2,
+        if (file_protos_tc[i].alproto == ALPROTO_HTTP1) {
-            PrefilterMpmFiledataRegister, NULL,
+            // special case for HTTP1
-            ALPROTO_SMB, 0);
+            DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOCLIENT, 2,
-    DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOCLIENT, 2,
+                    PrefilterMpmHTTPFiledataRegister, NULL, ALPROTO_HTTP1, HTP_RESPONSE_BODY);
-            PrefilterMpmFiledataRegister, NULL,
+            DetectAppLayerInspectEngineRegister2("file_data", ALPROTO_HTTP1, SIG_FLAG_TOCLIENT,
-            ALPROTO_SMB, 0);
+                    HTP_RESPONSE_BODY, DetectEngineInspectBufferHttpBody, NULL);
-    DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOSERVER, 2,
+            continue;
-            PrefilterMpmFiledataRegister, NULL,
+        }
-            ALPROTO_HTTP2, HTTP2StateDataClient);
+        DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOCLIENT, 2, PrefilterMpmFiledataRegister,
-    DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOCLIENT, 2,
+                NULL, file_protos_tc[i].alproto, file_protos_tc[i].progress);
-            PrefilterMpmFiledataRegister, NULL,
+        DetectAppLayerInspectEngineRegister2("file_data", file_protos_tc[i].alproto,
-            ALPROTO_HTTP2, HTTP2StateDataServer);
+                SIG_FLAG_TOCLIENT, file_protos_tc[i].progress, DetectEngineInspectFiledata, NULL);
-    DetectAppLayerMpmRegister2(
+    }
-            "file_data", SIG_FLAG_TOSERVER, 2, PrefilterMpmFiledataRegister, NULL, ALPROTO_NFS, 0);
-    DetectAppLayerMpmRegister2(
-            "file_data", SIG_FLAG_TOCLIENT, 2, PrefilterMpmFiledataRegister, NULL, ALPROTO_NFS, 0);
-    DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOSERVER, 2, PrefilterMpmFiledataRegister,
-            NULL, ALPROTO_FTPDATA, 0);
-    DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOCLIENT, 2, PrefilterMpmFiledataRegister,
-            NULL, ALPROTO_FTPDATA, 0);
-    DetectAppLayerMpmRegister2(
-            "file_data", SIG_FLAG_TOSERVER, 2, PrefilterMpmFiledataRegister, NULL, ALPROTO_FTP, 0);
-    DetectAppLayerMpmRegister2(
-            "file_data", SIG_FLAG_TOCLIENT, 2, PrefilterMpmFiledataRegister, NULL, ALPROTO_FTP, 0);
-
-    DetectAppLayerInspectEngineRegister2("file_data", ALPROTO_HTTP1, SIG_FLAG_TOCLIENT,
-            HTP_RESPONSE_BODY, DetectEngineInspectBufferHttpBody, NULL);
-    DetectAppLayerInspectEngineRegister2("file_data", ALPROTO_HTTP1, SIG_FLAG_TOSERVER,
-            HTP_REQUEST_BODY, DetectEngineInspectFiledata, NULL);
-    DetectAppLayerInspectEngineRegister2("file_data",
-            ALPROTO_SMTP, SIG_FLAG_TOSERVER, 0,
-            DetectEngineInspectFiledata, NULL);
     DetectBufferTypeRegisterSetupCallback("file_data",
             DetectFiledataSetupCallback);
-    DetectAppLayerInspectEngineRegister2("file_data",
-            ALPROTO_SMB, SIG_FLAG_TOSERVER, 0,
-            DetectEngineInspectFiledata, NULL);
-    DetectAppLayerInspectEngineRegister2("file_data",
-            ALPROTO_SMB, SIG_FLAG_TOCLIENT, 0,
-            DetectEngineInspectFiledata, NULL);
-    DetectAppLayerInspectEngineRegister2("file_data",
-            ALPROTO_HTTP2, SIG_FLAG_TOSERVER, HTTP2StateDataClient,
-            DetectEngineInspectFiledata, NULL);
-    DetectAppLayerInspectEngineRegister2("file_data",
-            ALPROTO_HTTP2, SIG_FLAG_TOCLIENT, HTTP2StateDataServer,
-            DetectEngineInspectFiledata, NULL);
-    DetectAppLayerInspectEngineRegister2(
-            "file_data", ALPROTO_NFS, SIG_FLAG_TOSERVER, 0, DetectEngineInspectFiledata, NULL);
-    DetectAppLayerInspectEngineRegister2(
-            "file_data", ALPROTO_NFS, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectFiledata, NULL);
-    DetectAppLayerInspectEngineRegister2(
-            "file_data", ALPROTO_FTPDATA, SIG_FLAG_TOSERVER, 0, DetectEngineInspectFiledata, NULL);
-    DetectAppLayerInspectEngineRegister2(
-            "file_data", ALPROTO_FTPDATA, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectFiledata, NULL);
-    DetectAppLayerInspectEngineRegister2(
-            "file_data", ALPROTO_FTP, SIG_FLAG_TOSERVER, 0, DetectEngineInspectFiledata, NULL);
-    DetectAppLayerInspectEngineRegister2(
-            "file_data", ALPROTO_FTP, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectFiledata, NULL);
 
     DetectBufferTypeSetDescriptionByName("file_data", "data from tracked files");
     DetectBufferTypeSupportsMultiInstance("file_data");

src/detect-filemagic.c

@@ -34,6 +34,7 @@
 #include "detect-engine-mpm.h"
 #include "detect-engine-prefilter.h"
 #include "detect-engine-content-inspection.h"
+#include "detect-engine-file.h"
 
 #include "flow.h"
 #include "flow-var.h"
@@ -135,28 +136,21 @@ void DetectFilemagicRegister(void)
 
     g_file_match_list_id = DetectBufferTypeRegister("files");
 
-    AppProto protos_ts[] = { ALPROTO_HTTP1, ALPROTO_SMTP, ALPROTO_FTP, ALPROTO_SMB, ALPROTO_NFS,
+    for (int i = 0; file_protos_ts[i].alproto != ALPROTO_UNKNOWN; i++) {
-        ALPROTO_HTTP2, 0 };
+        DetectAppLayerInspectEngineRegister2("file.magic", file_protos_ts[i].alproto,
-    AppProto protos_tc[] = { ALPROTO_HTTP1, ALPROTO_FTP, ALPROTO_SMB, ALPROTO_NFS, ALPROTO_HTTP2,
+                SIG_FLAG_TOSERVER, file_protos_ts[i].progress, DetectEngineInspectFilemagic, NULL);
-        0 };
-
-    for (int i = 0; protos_ts[i] != 0; i++) {
-        DetectAppLayerInspectEngineRegister2("file.magic", protos_ts[i],
-                SIG_FLAG_TOSERVER, 0,
-                DetectEngineInspectFilemagic, NULL);
 
         DetectAppLayerMpmRegister2("file.magic", SIG_FLAG_TOSERVER, 2,
-                PrefilterMpmFilemagicRegister, NULL, protos_ts[i],
+                PrefilterMpmFilemagicRegister, NULL, file_protos_ts[i].alproto,
-                0);
+                file_protos_ts[i].progress);
     }
-    for (int i = 0; protos_tc[i] != 0; i++) {
+    for (int i = 0; file_protos_tc[i].alproto != ALPROTO_UNKNOWN; i++) {
-        DetectAppLayerInspectEngineRegister2("file.magic", protos_tc[i],
+        DetectAppLayerInspectEngineRegister2("file.magic", file_protos_tc[i].alproto,
-                SIG_FLAG_TOCLIENT, 0,
+                SIG_FLAG_TOCLIENT, file_protos_tc[i].progress, DetectEngineInspectFilemagic, NULL);
-                DetectEngineInspectFilemagic, NULL);
 
         DetectAppLayerMpmRegister2("file.magic", SIG_FLAG_TOCLIENT, 2,
-                PrefilterMpmFilemagicRegister, NULL, protos_tc[i],
+                PrefilterMpmFilemagicRegister, NULL, file_protos_tc[i].alproto,
-                0);
+                file_protos_tc[i].progress);
     }
 
     DetectBufferTypeSetDescriptionByName("file.magic",

src/detect-filename.c

@@ -103,59 +103,38 @@ void DetectFilenameRegister(void)
     sigmatch_table[DETECT_FILE_NAME].Setup = DetectFilenameSetupSticky;
     sigmatch_table[DETECT_FILE_NAME].flags = SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
 
-    DetectAppLayerInspectEngineRegister2("files", ALPROTO_HTTP1, SIG_FLAG_TOSERVER,
+    // this is required by filestore, and filesize
-            HTP_REQUEST_BODY, DetectFileInspectGeneric, NULL);
+    for (int i = 0; file_protos_ts[i].alproto != ALPROTO_UNKNOWN; i++) {
-    DetectAppLayerInspectEngineRegister2("files", ALPROTO_HTTP1, SIG_FLAG_TOCLIENT,
+        DetectAppLayerInspectEngineRegister2("files", file_protos_ts[i].alproto, SIG_FLAG_TOSERVER,
-            HTP_RESPONSE_BODY, DetectFileInspectGeneric, NULL);
+                file_protos_ts[i].progress, DetectFileInspectGeneric, NULL);
-
+    }
-    DetectAppLayerInspectEngineRegister2(
+    for (int i = 0; file_protos_tc[i].alproto != ALPROTO_UNKNOWN; i++) {
-            "files", ALPROTO_SMTP, SIG_FLAG_TOSERVER, 0, DetectFileInspectGeneric, NULL);
+        DetectAppLayerInspectEngineRegister2("files", file_protos_tc[i].alproto, SIG_FLAG_TOCLIENT,
-
+                file_protos_tc[i].progress, DetectFileInspectGeneric, NULL);
-    DetectAppLayerInspectEngineRegister2(
+    }
-            "files", ALPROTO_NFS, SIG_FLAG_TOSERVER, 0, DetectFileInspectGeneric, NULL);
-    DetectAppLayerInspectEngineRegister2(
-            "files", ALPROTO_NFS, SIG_FLAG_TOCLIENT, 0, DetectFileInspectGeneric, NULL);
-
-    DetectAppLayerInspectEngineRegister2(
-            "files", ALPROTO_FTPDATA, SIG_FLAG_TOSERVER, 0, DetectFileInspectGeneric, NULL);
-    DetectAppLayerInspectEngineRegister2(
-            "files", ALPROTO_FTPDATA, SIG_FLAG_TOCLIENT, 0, DetectFileInspectGeneric, NULL);
-
-    DetectAppLayerInspectEngineRegister2(
-            "files", ALPROTO_SMB, SIG_FLAG_TOSERVER, 0, DetectFileInspectGeneric, NULL);
-    DetectAppLayerInspectEngineRegister2(
-            "files", ALPROTO_SMB, SIG_FLAG_TOCLIENT, 0, DetectFileInspectGeneric, NULL);
-
-    //this is used by filestore
-    DetectAppLayerInspectEngineRegister2("files", ALPROTO_HTTP2, SIG_FLAG_TOSERVER,
-            HTTP2StateDataClient, DetectFileInspectGeneric, NULL);
-    DetectAppLayerInspectEngineRegister2("files", ALPROTO_HTTP2, SIG_FLAG_TOCLIENT,
-            HTTP2StateDataServer, DetectFileInspectGeneric, NULL);
-
     g_file_match_list_id = DetectBufferTypeGetByName("files");
 
-    AppProto protos_ts[] = { ALPROTO_HTTP1, ALPROTO_SMTP, ALPROTO_FTP, ALPROTO_FTPDATA, ALPROTO_SMB,
+    for (int i = 0; file_protos_ts[i].alproto != ALPROTO_UNKNOWN; i++) {
-        ALPROTO_NFS, 0 };
+        if (file_protos_ts[i].alproto == ALPROTO_HTTP2) {
-    AppProto protos_tc[] = { ALPROTO_HTTP1, ALPROTO_FTP, ALPROTO_FTPDATA, ALPROTO_SMB, ALPROTO_NFS,
+            // no filename on HTTP2 files
-        0 };
+            continue;
-
+        }
-    for (int i = 0; protos_ts[i] != 0; i++) {
+        DetectAppLayerInspectEngineRegister2("file.name", file_protos_ts[i].alproto,
-        DetectAppLayerInspectEngineRegister2("file.name", protos_ts[i],
+                SIG_FLAG_TOSERVER, file_protos_ts[i].progress, DetectEngineInspectFilename, NULL);
-                SIG_FLAG_TOSERVER, 0,
-                DetectEngineInspectFilename, NULL);
 
-        DetectAppLayerMpmRegister2("file.name", SIG_FLAG_TOSERVER, 2,
+        DetectAppLayerMpmRegister2("file.name", SIG_FLAG_TOSERVER, 2, PrefilterMpmFilenameRegister,
-                PrefilterMpmFilenameRegister, NULL, protos_ts[i],
+                NULL, file_protos_ts[i].alproto, file_protos_ts[i].progress);
-                0);
     }
-    for (int i = 0; protos_tc[i] != 0; i++) {
+    for (int i = 0; file_protos_tc[i].alproto != ALPROTO_UNKNOWN; i++) {
-        DetectAppLayerInspectEngineRegister2("file.name", protos_tc[i],
+        if (file_protos_tc[i].alproto == ALPROTO_HTTP2) {
-                SIG_FLAG_TOCLIENT, 0,
+            // no filename on HTTP2 files
-                DetectEngineInspectFilename, NULL);
+            continue;
-
+        }
-        DetectAppLayerMpmRegister2("file.name", SIG_FLAG_TOCLIENT, 2,
+        DetectAppLayerInspectEngineRegister2("file.name", file_protos_tc[i].alproto,
-                PrefilterMpmFilenameRegister, NULL, protos_tc[i],
+                SIG_FLAG_TOCLIENT, file_protos_tc[i].progress, DetectEngineInspectFilename, NULL);
-                0);
+
+        DetectAppLayerMpmRegister2("file.name", SIG_FLAG_TOCLIENT, 2, PrefilterMpmFilenameRegister,
+                NULL, file_protos_tc[i].alproto, file_protos_tc[i].progress);
     }
 
     DetectBufferTypeSetDescriptionByName("file.name", "file name");