[people/ms/suricata.git] / src / util-file.h

/* Copyright (C) 2007-2011 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \file
 *
 * \author Victor Julien <victor@inliniac.net>
 *
 */

#ifndef __UTIL_FILE_H__
#define __UTIL_FILE_H__

#include "conf.h"

#include "util-streaming-buffer.h"

/* Hack: Pulling rust.h to get the SCSha256 causes all sorts of problems with
 *   header include orders, which is something we'll have to resolve as we provide
 *   more functionality via Rust. But this lets me continue with replacing nss
 *   without fighting the headers at this time. */
typedef struct SCSha256 SCSha256;
#define SC_SHA256_LEN 32

typedef struct SCSha1 SCSha1;
#define SC_SHA1_LEN 20

typedef struct SCMd5 SCMd5;
#define SC_MD5_LEN 16

#define FILE_TRUNCATED  BIT_U16(0)
#define FILE_NOMAGIC    BIT_U16(1)
#define FILE_NOMD5      BIT_U16(2)
#define FILE_MD5        BIT_U16(3)
#define FILE_NOSHA1     BIT_U16(4)
#define FILE_SHA1       BIT_U16(5)
#define FILE_NOSHA256   BIT_U16(6)
#define FILE_SHA256     BIT_U16(7)
#define FILE_LOGGED     BIT_U16(8)
#define FILE_NOSTORE    BIT_U16(9)
#define FILE_STORE      BIT_U16(10)
#define FILE_STORED     BIT_U16(11)
#define FILE_NOTRACK    BIT_U16(12) /**< track size of file */
#define FILE_USE_DETECT BIT_U16(13) /**< use content_inspected tracker */
#define FILE_HAS_GAPS   BIT_U16(15)

typedef enum FileState_ {
    FILE_STATE_NONE = 0,    /**< no state */
    FILE_STATE_OPENED,      /**< flow file is opened */
    FILE_STATE_CLOSED,      /**< flow file is completed,
                                     there will be no more data. */
    FILE_STATE_TRUNCATED,   /**< flow file is not complete, but
                                     there will be no more data. */
    FILE_STATE_ERROR,       /**< file is in an error state */
    FILE_STATE_MAX
} FileState;

typedef struct File_ {
    uint16_t flags;
    uint16_t name_len;
    FileState state;
    StreamingBuffer *sb;
    uint64_t txid;                  /**< tx this file is part of */
    uint32_t file_track_id;         /**< id used by protocol parser */
    uint32_t file_store_id;         /**< id used in store file name file.<id> */
    int fd;                         /**< file descriptor for filestore, not
                                        open if equal to -1 */
    uint8_t *name;
#ifdef HAVE_MAGIC
    char *magic;
#endif
    struct File_ *next;
    SCMd5 *md5_ctx;
    uint8_t md5[SC_MD5_LEN];
    SCSha1 *sha1_ctx;
    uint8_t sha1[SC_SHA1_LEN];
    SCSha256 *sha256_ctx;
    uint8_t sha256[SC_SHA256_LEN];
    uint64_t content_inspected;     /**< used in pruning if FILE_USE_DETECT
                                     *   flag is set */
    uint64_t content_stored;
    uint64_t size;
    uint32_t inspect_window;
    uint32_t inspect_min_size;
    uint64_t start;
    uint64_t end;

    uint32_t *sid; /* signature id of a rule that triggered the filestore event */
    uint32_t sid_cnt;
    uint32_t sid_max;
} File;

typedef struct FileContainer_ {
    File *head;
    File *tail;
} FileContainer;

FileContainer *FileContainerAlloc(void);
void FileContainerFree(FileContainer *);

void FileContainerRecycle(FileContainer *);

void FileContainerAdd(FileContainer *, File *);

/**
 *  \brief Open a new File
 *
 *  \param ffc flow container
 *  \param sbcfg buffer config
 *  \param name filename character array
 *  \param name_len filename len
 *  \param data initial data
 *  \param data_len initial data len
 *  \param flags open flags
 *
 *  \retval ff flowfile object
 *
 *  \note filename is not a string, so it's not nul terminated.
 *
 *  If flags contains the FILE_USE_DETECT bit, the pruning code will
 *  consider not just the content_stored tracker, but also content_inspected.
 *  It's the responsibility of the API user to make sure this tracker is
 *  properly updated.
 */
int FileOpenFileWithId(FileContainer *, const StreamingBufferConfig *,
        uint32_t track_id, const uint8_t *name, uint16_t name_len,
        const uint8_t *data, uint32_t data_len, uint16_t flags);

/**
 *  \brief Close a File
 *
 *  \param ffc the container
 *  \param data final data if any
 *  \param data_len data len if any
 *  \param flags flags
 *
 *  \retval 0 ok
 *  \retval -1 error
 */
int FileCloseFile(FileContainer *, const uint8_t *data, uint32_t data_len,
        uint16_t flags);
int FileCloseFileById(FileContainer *, uint32_t track_id,
        const uint8_t *data, uint32_t data_len, uint16_t flags);
int FileCloseFilePtr(File *ff, const uint8_t *data,
        uint32_t data_len, uint16_t flags);

/**
 *  \brief Store a chunk of file data in the flow. The open "flowfile"
 *         will be used.
 *
 *  \param ffc the container
 *  \param data data chunk
 *  \param data_len data chunk len
 *
 *  \retval 0 ok
 *  \retval -1 error
 */
int FileAppendData(FileContainer *, const uint8_t *data, uint32_t data_len);
int FileAppendDataById(FileContainer *, uint32_t track_id,
        const uint8_t *data, uint32_t data_len);
int FileAppendGAPById(FileContainer *ffc, uint32_t track_id,
        const uint8_t *data, uint32_t data_len);

void FileSetInspectSizes(File *file, const uint32_t win, const uint32_t min);

/**
 *  \brief Sets the offset range for a file.
 *
 *  \param ffc the container
 *  \param start start offset
 *  \param end end offset
 *
 *  \retval 0 ok
 *  \retval -1 error
 */
int FileSetRange(FileContainer *, uint64_t start, uint64_t end);

/**
 *  \brief Tag a file for storing
 *
 *  \param ff The file to store
 */
int FileStore(File *);

/**
 *  \brief Set the TX id for a file
 *
 *  \param ff The file to store
 *  \param txid the tx id
 */
int FileSetTx(File *, uint64_t txid);
void FileContainerSetTx(FileContainer *ffc, uint64_t tx_id);

/**
 *  \brief disable file storing for a transaction
 *
 *  \param f flow
 *  \param tx_id transaction id
 */
void FileDisableStoringForTransaction(Flow *f, uint8_t direction, uint64_t tx_id);

void FlowFileDisableStoringForTransaction(struct Flow_ *f, uint64_t tx_id);
void FilePrune(FileContainer *ffc);

void FileForceFilestoreEnable(void);
int FileForceFilestore(void);
void FileReassemblyDepthEnable(uint32_t size);
uint32_t FileReassemblyDepth(void);

void FileForceMagicEnable(void);
int FileForceMagic(void);

void FileForceMd5Enable(void);
int FileForceMd5(void);

void FileForceSha1Enable(void);
int FileForceSha1(void);

void FileForceSha256Enable(void);
int FileForceSha256(void);

void FileUpdateFlowFileFlags(Flow *f, uint16_t set_file_flags, uint8_t direction);

void FileForceHashParseCfg(ConfNode *);

void FileForceTrackingEnable(void);

void FileStoreAllFiles(FileContainer *);
void FileStoreAllFilesForTx(FileContainer *, uint64_t);
void FileStoreFileById(FileContainer *fc, uint32_t);

void FileTruncateAllOpenFiles(FileContainer *);

uint64_t FileDataSize(const File *file);
uint64_t FileTrackedSize(const File *file);

uint16_t FileFlowToFlags(const Flow *flow, uint8_t direction);

#endif /* __UTIL_FILE_H__ */
Commit	Line	Data
4cbe7519 VJ	1	/* Copyright (C) 2007-2011 Open Information Security Foundation
	2	*
	3	* You can copy, redistribute or modify this Program under the terms of
	4	* the GNU General Public License version 2 as published by the Free
	5	* Software Foundation.
	6	*
	7	* This program is distributed in the hope that it will be useful,
	8	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	9	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	10	* GNU General Public License for more details.
	11	*
	12	* You should have received a copy of the GNU General Public License
	13	* version 2 along with this program; if not, write to the Free Software
	14	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
	15	* 02110-1301, USA.
	16	*/
	17
	18	/**
	19	* \file
	20	*
	21	* \author Victor Julien <victor@inliniac.net>
	22	*
	23	*/
	24
	25	#ifndef __UTIL_FILE_H__
	26	#define __UTIL_FILE_H__
	27
53ebe4c5 DS	28	#include "conf.h"
53ebe4c5 DS	29
e43ce0a9 VJ	30	#include "util-streaming-buffer.h"
e43ce0a9 VJ	31
e4acbcbb JI	32	/* Hack: Pulling rust.h to get the SCSha256 causes all sorts of problems with
	33	* header include orders, which is something we'll have to resolve as we provide
	34	* more functionality via Rust. But this lets me continue with replacing nss
	35	* without fighting the headers at this time. */
	36	typedef struct SCSha256 SCSha256;
	37	#define SC_SHA256_LEN 32
	38
	39	typedef struct SCSha1 SCSha1;
	40	#define SC_SHA1_LEN 20
	41
	42	typedef struct SCMd5 SCMd5;
	43	#define SC_MD5_LEN 16
	44
4426f3ff VJ	45	#define FILE_TRUNCATED BIT_U16(0)
	46	#define FILE_NOMAGIC BIT_U16(1)
	47	#define FILE_NOMD5 BIT_U16(2)
	48	#define FILE_MD5 BIT_U16(3)
	49	#define FILE_NOSHA1 BIT_U16(4)
	50	#define FILE_SHA1 BIT_U16(5)
	51	#define FILE_NOSHA256 BIT_U16(6)
	52	#define FILE_SHA256 BIT_U16(7)
	53	#define FILE_LOGGED BIT_U16(8)
	54	#define FILE_NOSTORE BIT_U16(9)
	55	#define FILE_STORE BIT_U16(10)
	56	#define FILE_STORED BIT_U16(11)
	57	#define FILE_NOTRACK BIT_U16(12) /*< track size of file /
	58	#define FILE_USE_DETECT BIT_U16(13) /*< use content_inspected tracker /
58af3913	59	#define FILE_HAS_GAPS BIT_U16(15)
4cbe7519 VJ	60
	61	typedef enum FileState_ {
	62	FILE_STATE_NONE = 0, /*< no state /
	63	FILE_STATE_OPENED, /*< flow file is opened /
	64	FILE_STATE_CLOSED, /**< flow file is completed,
	65	there will be no more data. */
	66	FILE_STATE_TRUNCATED, /**< flow file is not complete, but
	67	there will be no more data. */
4cbe7519 VJ	68	FILE_STATE_ERROR, /*< file is in an error state /
	69	FILE_STATE_MAX
	70	} FileState;
	71
4cbe7519	72	typedef struct File_ {
8f71333e	73	uint16_t flags;
914f7fa7	74	uint16_t name_len;
ce08a43b	75	FileState state;
e43ce0a9	76	StreamingBuffer *sb;
d4d18e31	77	uint64_t txid; /*< tx this file is part of /
b82e71b9	78	uint32_t file_track_id; /*< id used by protocol parser /
944ab48b	79	uint32_t file_store_id; /*< id used in store file name file.<id> /
775e6745 EL	80	int fd; /**< file descriptor for filestore, not
775e6745 EL	81	open if equal to -1 */
4cbe7519	82	uint8_t *name;
810e43f3	83	#ifdef HAVE_MAGIC
4cbe7519	84	char *magic;
810e43f3	85	#endif
4cbe7519	86	struct File_ *next;
e4acbcbb JI	87	SCMd5 *md5_ctx;
	88	uint8_t md5[SC_MD5_LEN];
	89	SCSha1 *sha1_ctx;
	90	uint8_t sha1[SC_SHA1_LEN];
	91	SCSha256 *sha256_ctx;
	92	uint8_t sha256[SC_SHA256_LEN];
77358a41 VJ	93	uint64_t content_inspected; /**< used in pruning if FILE_USE_DETECT
77358a41 VJ	94	* flag is set */
e43ce0a9	95	uint64_t content_stored;
fbc2dbac	96	uint64_t size;
4ac9cd2c VJ	97	uint32_t inspect_window;
4ac9cd2c VJ	98	uint32_t inspect_min_size;
bef190f7 PA	99	uint64_t start;
bef190f7 PA	100	uint64_t end;
1378f376	101
	102	uint32_t sid; / signature id of a rule that triggered the filestore event */
	103	uint32_t sid_cnt;
	104	uint32_t sid_max;
4cbe7519 VJ	105	} File;
	106
	107	typedef struct FileContainer_ {
	108	File *head;
	109	File *tail;
	110	} FileContainer;
	111
ab1200fb	112	FileContainer *FileContainerAlloc(void);
4cbe7519 VJ	113	void FileContainerFree(FileContainer *);
	114
	115	void FileContainerRecycle(FileContainer *);
	116
	117	void FileContainerAdd(FileContainer , File );
	118
	119	/**
	120	* \brief Open a new File
	121	*
	122	* \param ffc flow container
e43ce0a9	123	* \param sbcfg buffer config
4cbe7519 VJ	124	* \param name filename character array
	125	* \param name_len filename len
	126	* \param data initial data
	127	* \param data_len initial data len
	128	* \param flags open flags
	129	*
	130	* \retval ff flowfile object
	131	*
	132	* \note filename is not a string, so it's not nul terminated.
e43ce0a9 VJ	133	*
	134	* If flags contains the FILE_USE_DETECT bit, the pruning code will
	135	* consider not just the content_stored tracker, but also content_inspected.
	136	* It's the responsibility of the API user to make sure this tracker is
	137	* properly updated.
4cbe7519	138	*/
45c5030f	139	int FileOpenFileWithId(FileContainer , const StreamingBufferConfig ,
c4c93872 VJ	140	uint32_t track_id, const uint8_t *name, uint16_t name_len,
c4c93872 VJ	141	const uint8_t *data, uint32_t data_len, uint16_t flags);
e43ce0a9	142
4cbe7519 VJ	143	/**
	144	* \brief Close a File
	145	*
	146	* \param ffc the container
	147	* \param data final data if any
	148	* \param data_len data len if any
	149	* \param flags flags
	150	*
	151	* \retval 0 ok
	152	* \retval -1 error
	153	*/
e3703ee1	154	int FileCloseFile(FileContainer , const uint8_t data, uint32_t data_len,
a2ceb980	155	uint16_t flags);
c4c93872 VJ	156	int FileCloseFileById(FileContainer *, uint32_t track_id,
c4c93872 VJ	157	const uint8_t *data, uint32_t data_len, uint16_t flags);
2e8fd612 VJ	158	int FileCloseFilePtr(File ff, const uint8_t data,
2e8fd612 VJ	159	uint32_t data_len, uint16_t flags);
4cbe7519 VJ	160
	161	/**
	162	* \brief Store a chunk of file data in the flow. The open "flowfile"
	163	* will be used.
	164	*
	165	* \param ffc the container
	166	* \param data data chunk
	167	* \param data_len data chunk len
	168	*
	169	* \retval 0 ok
	170	* \retval -1 error
	171	*/
e3703ee1	172	int FileAppendData(FileContainer , const uint8_t data, uint32_t data_len);
c4c93872 VJ	173	int FileAppendDataById(FileContainer *, uint32_t track_id,
c4c93872 VJ	174	const uint8_t *data, uint32_t data_len);
58af3913 VJ	175	int FileAppendGAPById(FileContainer *ffc, uint32_t track_id,
58af3913 VJ	176	const uint8_t *data, uint32_t data_len);
4cbe7519	177
f302f354 VJ	178	void FileSetInspectSizes(File *file, const uint32_t win, const uint32_t min);
f302f354 VJ	179
bef190f7 PA	180	/**
	181	* \brief Sets the offset range for a file.
	182	*
	183	* \param ffc the container
	184	* \param start start offset
	185	* \param end end offset
	186	*
	187	* \retval 0 ok
	188	* \retval -1 error
	189	*/
	190	int FileSetRange(FileContainer *, uint64_t start, uint64_t end);
	191
4cbe7519 VJ	192	/**
	193	* \brief Tag a file for storing
	194	*
	195	* \param ff The file to store
	196	*/
	197	int FileStore(File *);
	198
	199	/**
	200	* \brief Set the TX id for a file
	201	*
	202	* \param ff The file to store
	203	* \param txid the tx id
	204	*/
d4d18e31	205	int FileSetTx(File *, uint64_t txid);
71ddc43d	206	void FileContainerSetTx(FileContainer *ffc, uint64_t tx_id);
4cbe7519	207
4cbe7519 VJ	208	/**
	209	* \brief disable file storing for a transaction
	210	*
	211	* \param f flow
	212	* \param tx_id transaction id
	213	*/
d4d18e31	214	void FileDisableStoringForTransaction(Flow *f, uint8_t direction, uint64_t tx_id);
4cbe7519	215
006cd5ae	216	void FlowFileDisableStoringForTransaction(struct Flow_ *f, uint64_t tx_id);
4cbe7519 VJ	217	void FilePrune(FileContainer *ffc);
4cbe7519 VJ	218
559747e3 TD	219	void FileForceFilestoreEnable(void);
559747e3 TD	220	int FileForceFilestore(void);
3f214b50 GL	221	void FileReassemblyDepthEnable(uint32_t size);
3f214b50 GL	222	uint32_t FileReassemblyDepth(void);
4cbe7519 VJ	223
	224	void FileForceMagicEnable(void);
	225	int FileForceMagic(void);
	226
69b3df96 VJ	227	void FileForceMd5Enable(void);
	228	int FileForceMd5(void);
	229
a6d928e2 DS	230	void FileForceSha1Enable(void);
	231	int FileForceSha1(void);
	232
89eb935f DS	233	void FileForceSha256Enable(void);
	234	int FileForceSha256(void);
	235
500e8da6 VJ	236	void FileUpdateFlowFileFlags(Flow *f, uint16_t set_file_flags, uint8_t direction);
500e8da6 VJ	237
53ebe4c5 DS	238	void FileForceHashParseCfg(ConfNode *);
53ebe4c5 DS	239
c9e93ec5 VJ	240	void FileForceTrackingEnable(void);
c9e93ec5 VJ	241
9878eca0	242	void FileStoreAllFiles(FileContainer *);
006cd5ae VJ	243	void FileStoreAllFilesForTx(FileContainer *, uint64_t);
006cd5ae VJ	244	void FileStoreFileById(FileContainer *fc, uint32_t);
9878eca0	245
869109a6 VJ	246	void FileTruncateAllOpenFiles(FileContainer *);
869109a6 VJ	247
569cc5d2 EL	248	uint64_t FileDataSize(const File *file);
569cc5d2 EL	249	uint64_t FileTrackedSize(const File *file);
e43ce0a9	250
4426f3ff VJ	251	uint16_t FileFlowToFlags(const Flow *flow, uint8_t direction);
4426f3ff VJ	252
4cbe7519	253	#endif /* __UTIL_FILE_H__ */