Commit | Line | Data |
---|---|---|
4cbe7519 VJ |
1 | /* Copyright (C) 2007-2011 Open Information Security Foundation |
2 | * | |
3 | * You can copy, redistribute or modify this Program under the terms of | |
4 | * the GNU General Public License version 2 as published by the Free | |
5 | * Software Foundation. | |
6 | * | |
7 | * This program is distributed in the hope that it will be useful, | |
8 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
9 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
10 | * GNU General Public License for more details. | |
11 | * | |
12 | * You should have received a copy of the GNU General Public License | |
13 | * version 2 along with this program; if not, write to the Free Software | |
14 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA | |
15 | * 02110-1301, USA. | |
16 | */ | |
17 | ||
18 | /** | |
19 | * \file | |
20 | * | |
21 | * \author Victor Julien <victor@inliniac.net> | |
22 | * | |
23 | */ | |
24 | ||
25 | #ifndef __UTIL_FILE_H__ | |
26 | #define __UTIL_FILE_H__ | |
27 | ||
53ebe4c5 DS |
28 | #include "conf.h" |
29 | ||
e43ce0a9 VJ |
30 | #include "util-streaming-buffer.h" |
31 | ||
e4acbcbb JI |
32 | /* Hack: Pulling rust.h to get the SCSha256 causes all sorts of problems with |
33 | * header include orders, which is something we'll have to resolve as we provide | |
34 | * more functionality via Rust. But this lets me continue with replacing nss | |
35 | * without fighting the headers at this time. */ | |
36 | typedef struct SCSha256 SCSha256; /* incomplete type: this header only holds pointers to the hashing context */ | |
37 | #define SC_SHA256_LEN 32 /* SHA-256 digest size in bytes */ | |
38 | ||
39 | typedef struct SCSha1 SCSha1; /* incomplete type, used via pointer only */ | |
40 | #define SC_SHA1_LEN 20 /* SHA-1 digest size in bytes; SHA-1 is not collision-resistant, so treat the digest as a lookup key, not as proof of content identity */ | |
41 | ||
42 | typedef struct SCMd5 SCMd5; /* incomplete type, used via pointer only */ | |
43 | #define SC_MD5_LEN 16 /* MD5 digest size in bytes; MD5 is not collision-resistant, so treat the digest as a lookup key, not as proof of content identity */ | |
44 | ||
4426f3ff VJ |
45 | #define FILE_TRUNCATED BIT_U16(0) /**< first of the file flag bits (File.flags is a uint16_t). NOTE(review): presumably marks an incomplete file, cf. FILE_STATE_TRUNCATED -- confirm */ |
46 | #define FILE_NOMAGIC BIT_U16(1) | |
47 | #define FILE_NOMD5 BIT_U16(2) | |
48 | #define FILE_MD5 BIT_U16(3) | |
49 | #define FILE_NOSHA1 BIT_U16(4) | |
50 | #define FILE_SHA1 BIT_U16(5) | |
51 | #define FILE_NOSHA256 BIT_U16(6) | |
52 | #define FILE_SHA256 BIT_U16(7) | |
53 | #define FILE_LOGGED BIT_U16(8) | |
54 | #define FILE_NOSTORE BIT_U16(9) | |
55 | #define FILE_STORE BIT_U16(10) | |
56 | #define FILE_STORED BIT_U16(11) | |
57 | #define FILE_NOTRACK BIT_U16(12) /**< track size of file; NOTE(review): terse for a NOTRACK flag -- does it mean only the size is tracked? confirm */ | |
58 | #define FILE_USE_DETECT BIT_U16(13) /**< use content_inspected tracker: pruning then considers it next to content_stored, and the API user must keep it updated */ | |
58af3913 | 59 | #define FILE_HAS_GAPS BIT_U16(15) /**< bit 14 is not defined in this header. NOTE(review): presumably set when data is added via FileAppendGAPById; digests and stored data of such a file would then not represent the original content -- confirm how consumers treat md5/sha1/sha256 in that case */ |
4cbe7519 VJ |
60 | |
61 | typedef enum FileState_ { | |
62 | FILE_STATE_NONE = 0, /**< no state */ | |
63 | FILE_STATE_OPENED, /**< flow file is opened */ | |
64 | FILE_STATE_CLOSED, /**< flow file is completed, | |
65 | there will be no more data. */ | |
66 | FILE_STATE_TRUNCATED, /**< flow file is not complete, but | |
67 | there will be no more data. */ | |
4cbe7519 VJ |
68 | FILE_STATE_ERROR, /**< file is in an error state */ |
69 | FILE_STATE_MAX | |
70 | } FileState; | |
71 | ||
4cbe7519 | 72 | typedef struct File_ { /* one tracked file; files are linked through `next`, and FileContainer keeps head/tail pointers to File */
8f71333e | 73 | uint16_t flags; /**< presumably the FILE_* flag bits defined with BIT_U16 -- confirm */
914f7fa7 | 74 | uint16_t name_len; /**< length of name in bytes */
ce08a43b | 75 | FileState state;
e43ce0a9 | 76 | StreamingBuffer *sb;
d4d18e31 | 77 | uint64_t txid; /**< tx this file is part of */
b82e71b9 | 78 | uint32_t file_track_id; /**< id used by protocol parser */
944ab48b | 79 | uint32_t file_store_id; /**< id used in store file name file.<id> */
775e6745 EL |
80 | int fd; /**< file descriptor for filestore, not |
81 | open if equal to -1 */ | |
4cbe7519 | 82 | uint8_t *name; /**< filename bytes; the FileOpenFileWithId note says the filename is not NUL-terminated, so bound every read by name_len (TODO confirm the stored copy follows the same rule) */
810e43f3 | 83 | #ifdef HAVE_MAGIC
4cbe7519 | 84 | char *magic;
810e43f3 | 85 | #endif
4cbe7519 | 86 | struct File_ *next; /**< next File in the list */
e4acbcbb JI |
87 | SCMd5 *md5_ctx;
88 | uint8_t md5[SC_MD5_LEN]; /**< digest buffer; NOTE(review): presumably only meaningful once FILE_MD5 is set -- confirm */ | |
89 | SCSha1 *sha1_ctx; | |
90 | uint8_t sha1[SC_SHA1_LEN]; /**< digest buffer; NOTE(review): presumably only meaningful once FILE_SHA1 is set -- confirm */ | |
91 | SCSha256 *sha256_ctx; | |
92 | uint8_t sha256[SC_SHA256_LEN]; /**< digest buffer; NOTE(review): presumably only meaningful once FILE_SHA256 is set -- confirm */ | |
77358a41 VJ |
93 | uint64_t content_inspected; /**< used in pruning if FILE_USE_DETECT |
94 | * flag is set */ | |
e43ce0a9 | 95 | uint64_t content_stored; /**< tracker the pruning code considers, per the FileOpenFileWithId doc */
fbc2dbac | 96 | uint64_t size;
4ac9cd2c VJ |
97 | uint32_t inspect_window; /**< presumably set via FileSetInspectSizes() -- confirm */
98 | uint32_t inspect_min_size; /**< presumably set via FileSetInspectSizes() -- confirm */ | |
bef190f7 PA |
99 | uint64_t start; /**< presumably the start offset given to FileSetRange() -- confirm */
100 | uint64_t end; /**< presumably the end offset given to FileSetRange(); NOTE(review): confirm whether it is inclusive */ | |
1378f376 | 101 |
102 | uint32_t *sid; /* signature id of a rule that triggered the filestore event */ | |
103 | uint32_t sid_cnt; /* presumably the number of entries used in sid -- confirm */ | |
104 | uint32_t sid_max; /* presumably the number of entries allocated for sid -- confirm */ | |
4cbe7519 VJ |
105 | } File; |
106 | ||
107 | typedef struct FileContainer_ { | |
108 | File *head; | |
109 | File *tail; | |
110 | } FileContainer; | |
111 | ||
ab1200fb | 112 | FileContainer *FileContainerAlloc(void); |
4cbe7519 VJ |
113 | void FileContainerFree(FileContainer *); |
114 | ||
115 | void FileContainerRecycle(FileContainer *); | |
116 | ||
117 | void FileContainerAdd(FileContainer *, File *); | |
118 | ||
119 | /** | |
120 | * \brief Open a new File | |
121 | * | |
122 | * \param ffc flow container | |
e43ce0a9 | 123 | * \param sbcfg buffer config
4cbe7519 VJ |
124 | * \param name filename bytes (not NUL-terminated; length is name_len) |
125 | * \param name_len filename length in bytes | |
126 | * \param data initial data | |
127 | * \param data_len initial data len | |
128 | * \param flags open flags | |
129 | * \param track_id id for this file (NOTE(review): presumably the protocol parser's id kept in File.file_track_id -- confirm) | |
130 | * \retval ff flowfile object (NOTE(review): stale -- the prototype returns int; document the actual return codes) | |
131 | * | |
132 | * \note name is a byte array of name_len bytes, not a C string: it is not NUL-terminated, so it must never be handed to string functions without its length. | |
e43ce0a9 VJ |
133 | * |
134 | * If flags contains the FILE_USE_DETECT bit, the pruning code will | |
135 | * consider not just the content_stored tracker, but also content_inspected. | |
136 | * It's the responsibility of the API user to make sure this tracker is | |
137 | * properly updated. | |
4cbe7519 | 138 | */
45c5030f | 139 | int FileOpenFileWithId(FileContainer *, const StreamingBufferConfig *,
c4c93872 VJ |
140 | uint32_t track_id, const uint8_t *name, uint16_t name_len,
141 | const uint8_t *data, uint32_t data_len, uint16_t flags); | |
e43ce0a9 | 142 | |
4cbe7519 VJ |
143 | /** |
144 | * \brief Close a File | |
145 | * | |
146 | * \param ffc the container | |
147 | * \param data final data if any | |
148 | * \param data_len data len if any | |
149 | * \param flags flags | |
150 | * | |
151 | * \retval 0 ok | |
152 | * \retval -1 error | |
153 | */ | |
e3703ee1 | 154 | int FileCloseFile(FileContainer *, const uint8_t *data, uint32_t data_len, |
a2ceb980 | 155 | uint16_t flags); |
c4c93872 VJ |
156 | int FileCloseFileById(FileContainer *, uint32_t track_id, |
157 | const uint8_t *data, uint32_t data_len, uint16_t flags); | |
2e8fd612 VJ |
158 | int FileCloseFilePtr(File *ff, const uint8_t *data, |
159 | uint32_t data_len, uint16_t flags); | |
4cbe7519 VJ |
160 | |
161 | /** | |
162 | * \brief Store a chunk of file data in the flow. The open "flowfile" | |
163 | * will be used. | |
164 | * | |
165 | * \param ffc the container | |
166 | * \param data data chunk | |
167 | * \param data_len data chunk len | |
168 | * | |
169 | * \retval 0 ok | |
170 | * \retval -1 error | |
171 | */ | |
e3703ee1 | 172 | int FileAppendData(FileContainer *, const uint8_t *data, uint32_t data_len); |
c4c93872 VJ |
173 | int FileAppendDataById(FileContainer *, uint32_t track_id, |
174 | const uint8_t *data, uint32_t data_len); | |
58af3913 VJ |
175 | int FileAppendGAPById(FileContainer *ffc, uint32_t track_id, |
176 | const uint8_t *data, uint32_t data_len); | |
4cbe7519 | 177 | |
f302f354 VJ |
178 | void FileSetInspectSizes(File *file, const uint32_t win, const uint32_t min); |
179 | ||
bef190f7 PA |
180 | /** |
181 | * \brief Sets the offset range for a file. | |
182 | * | |
183 | * \param ffc the container | |
184 | * \param start start offset | |
185 | * \param end end offset | |
186 | * | |
187 | * \retval 0 ok | |
188 | * \retval -1 error | |
189 | */ | |
190 | int FileSetRange(FileContainer *, uint64_t start, uint64_t end); | |
191 | ||
4cbe7519 VJ |
192 | /** |
193 | * \brief Tag a file for storing | |
194 | * | |
195 | * \param ff The file to store | |
196 | */ | |
197 | int FileStore(File *); | |
198 | ||
199 | /** | |
200 | * \brief Set the TX id for a file | |
201 | * | |
202 | * \param ff The file whose TX id is set | |
203 | * \param txid the tx id | |
204 | */ | |
d4d18e31 | 205 | int FileSetTx(File *, uint64_t txid); |
71ddc43d | 206 | void FileContainerSetTx(FileContainer *ffc, uint64_t tx_id); |
4cbe7519 | 207 | |
4cbe7519 VJ |
208 | /** |
209 | * \brief disable file storing for a transaction | |
210 | * | |
211 | * \param f flow | |
212 | * \param tx_id transaction id | |
213 | */ | |
d4d18e31 | 214 | void FileDisableStoringForTransaction(Flow *f, uint8_t direction, uint64_t tx_id); |
4cbe7519 | 215 | |
006cd5ae | 216 | void FlowFileDisableStoringForTransaction(struct Flow_ *f, uint64_t tx_id); |
4cbe7519 VJ |
217 | void FilePrune(FileContainer *ffc); |
218 | ||
559747e3 TD |
219 | void FileForceFilestoreEnable(void); |
220 | int FileForceFilestore(void); | |
3f214b50 GL |
221 | void FileReassemblyDepthEnable(uint32_t size); |
222 | uint32_t FileReassemblyDepth(void); | |
4cbe7519 VJ |
223 | |
224 | void FileForceMagicEnable(void); | |
225 | int FileForceMagic(void); | |
226 | ||
69b3df96 VJ |
227 | void FileForceMd5Enable(void); |
228 | int FileForceMd5(void); | |
229 | ||
a6d928e2 DS |
230 | void FileForceSha1Enable(void); |
231 | int FileForceSha1(void); | |
232 | ||
89eb935f DS |
233 | void FileForceSha256Enable(void); |
234 | int FileForceSha256(void); | |
235 | ||
500e8da6 VJ |
236 | void FileUpdateFlowFileFlags(Flow *f, uint16_t set_file_flags, uint8_t direction); |
237 | ||
53ebe4c5 DS |
238 | void FileForceHashParseCfg(ConfNode *); |
239 | ||
c9e93ec5 VJ |
240 | void FileForceTrackingEnable(void); |
241 | ||
9878eca0 | 242 | void FileStoreAllFiles(FileContainer *); |
006cd5ae VJ |
243 | void FileStoreAllFilesForTx(FileContainer *, uint64_t); |
244 | void FileStoreFileById(FileContainer *fc, uint32_t); | |
9878eca0 | 245 | |
869109a6 VJ |
246 | void FileTruncateAllOpenFiles(FileContainer *); |
247 | ||
569cc5d2 EL |
248 | uint64_t FileDataSize(const File *file); |
249 | uint64_t FileTrackedSize(const File *file); | |
e43ce0a9 | 250 | |
4426f3ff VJ |
251 | uint16_t FileFlowToFlags(const Flow *flow, uint8_t direction); |
252 | ||
4cbe7519 | 253 | #endif /* __UTIL_FILE_H__ */ |