file_capture.cc
file_cache.cc
file_cache.h
+ file_cache_share.cc
+ file_cache_share.h
file_config.cc
file_config.h
file_flows.cc
file_service.cc
file_stats.cc
file_stats.h
- file_cache_share.cc
- file_cache_share.h
)
install (FILES ${FILE_API_INCLUDES}
#include "main/thread_config.h"
#include "packet_io/active.h"
#include "packet_io/packet_tracer.h"
-#include "time/packet_time.h"
#include "pub_sub/file_events.h"
+#include "time/packet_time.h"
#include "file_flows.h"
#include "file_module.h"
#include "file_service.h"
#include "file_stats.h"
-#include "file_cache_share.h"
#define DEFAULT_FILE_LOOKUP_TIMEOUT_CACHED_ITEM 3600 // 1 hour
return node->file;
}
-FileContext* FileCache::add(const FileHashKey& hashKey, int64_t timeout, bool &cache_full, int64_t& cache_expire, FileInspect* ins)
+FileContext* FileCache::add(const FileHashKey& hashKey, int64_t timeout, bool &cache_full, int64_t& cache_expire, bool cache_sync)
{
FileNode new_node;
/*
if (!file)
{
- if (ins)
- new_node.file = new FileContext(ins);
- else
- new_node.file = new FileContext;
-
+ new_node.file = new FileContext;
int ret = fileHash->insert((void*)&hashKey, &new_node);
cache_expire = new_node.cache_expire_time.tv_sec;
PacketTracer::log("add:Insert failed in file cache, returning\n");
cache_full = true;
}
- if (!ins)
+
+ if (!cache_sync)
FILE_DEBUG(file_trace, DEFAULT_TRACE_OPTION_ID, TRACE_CRITICAL_LEVEL, GET_CURRENT_PACKET,
"add:Insert failed in file cache, returning\n");
file_counts.cache_add_fails++;
}
else
{
- if (!ins)
+ if (!cache_sync)
FILE_DEBUG(file_trace, DEFAULT_TRACE_OPTION_ID, TRACE_CRITICAL_LEVEL, GET_CURRENT_PACKET,
"add:file already found in file cache, returning\n");
return file;
void set_block_timeout(int64_t);
void set_lookup_timeout(int64_t);
void set_max_files(int64_t);
- snort::FileContext* add(const FileHashKey&, int64_t timeout, bool &cache_full, int64_t& cache_expire, FileInspect* ins = nullptr);
+ snort::FileContext* add(const FileHashKey&, int64_t timeout, bool &cache_full, int64_t& cache_expire, bool cache_sync = false);
snort::FileContext* get_file(snort::Flow*, uint64_t file_id, bool to_create, bool using_cache_entry);
FileVerdict cached_verdict_lookup(snort::Packet*, snort::FileInfo*,
snort::FilePolicyBase*,const uint8_t* current_data, uint32_t current_data_len);
bool apply_verdict(snort::Packet*, snort::FileContext*, FileVerdict, bool resume,
snort::FilePolicyBase*);
-
private:
snort::FileContext* find(const FileHashKey&, int64_t, int64_t& cache_expire);
//--------------------------------------------------------------------------
// file_cache_share.cc author Shilpa Nagpal <shinagpa@cisco.com>
-
+#ifdef HAVE_CONFIG_H
#include "config.h"
+#endif
#include "file_cache_share.h"
#include "file_service.h"
FileHashKey key = fe.get_hashkey();
FileInfo file = fe.get_file_ctx();
- LogMessage("File Cache Sharing: Received event with file_id %lu\n", key.file_id);
-
FileCache* file_cache = FileService::get_file_cache();
if (file_cache)
{
bool cache_full = false;
int64_t cache_expire = 0;
- FileContext* file_got = file_cache->add(key, timeout, cache_full, cache_expire, ins);
+ FileContext* file_got = file_cache->add(key, timeout, cache_full, cache_expire, true);
if (file_got)
{
*((FileInfo*)(file_got)) = file;
}
}
-bool serialize_file_event(snort::DataEvent* event, char*& buffer, uint16_t* len)
+bool serialize_file_event(DataEvent* event, char*& buffer, uint16_t* len)
{
if (!event)
return false;
- snort::FileMPEvent* file_event = static_cast<snort::FileMPEvent*>(event);
+ FileMPEvent* file_event = static_cast<FileMPEvent*>(event);
uint16_t event_buffer_len = file_event->get_data_len();
if (event_buffer_len == 0)
return false;
-
+
buffer = new char[event_buffer_len];
if (!buffer)
return false;
- file_event->serialize(buffer, len);
+ *len = event_buffer_len;
+ file_event->serialize(buffer, *len);
return true;
}
-bool deserialize_file_event(const char* buffer, uint16_t len, snort::DataEvent*& event)
+bool deserialize_file_event(const char* buffer, uint16_t len, DataEvent*& event)
{
if (!buffer || len == 0)
return false;
- snort::FileMPEvent* file_event = new snort::FileMPEvent();
+ FileMPEvent* file_event = new FileMPEvent();
if (!file_event)
return false;
#include "framework/mp_data_bus.h"
#include "pub_sub/file_events.h"
+namespace snort
+{
class FileCacheShare : public snort::DataHandler
{
public:
- FileCacheShare(FileInspect* fi) : DataHandler(FILE_ID_NAME) { ins = fi; }
+ FileCacheShare() : DataHandler(FILE_ID_NAME) {}
void handle(snort::DataEvent&, snort::Flow*) override;
-private:
- FileInspect* ins;
};
-
+}
bool serialize_file_event(snort::DataEvent* event, char*& buffer, uint16_t* len);
bool deserialize_file_event(const char* buffer, uint16_t len, snort::DataEvent*& event);
FileCache* file_cache = FileService::get_file_cache();
assert(file_cache);
context = file_cache->get_file(flow, file_id, false, true);
+ if (context)
+ {
+ FileConfig *fc = get_file_config(SnortConfig::get_conf());
+
+ if (!context->get_config())
+ context->set_config(fc);
+ }
FILE_DEBUG(file_trace, DEFAULT_TRACE_OPTION_ID, TRACE_DEBUG_LEVEL, GET_CURRENT_PACKET,
"get_file_context:trying to get context from cache\n");
}
#include "log/messages.h"
#include "file_cache.h"
+#include "file_cache_share.h"
#include "file_config.h"
#include "file_flows.h"
#include "file_module.h"
#include "file_service.h"
-#include "file_cache_share.h"
using namespace snort;
FileService::set_max_file_depth(sc);
- if(sc->mp_dbus)
+ if (sc->mp_dbus)
{
MPSerializeFunc serialize_func = serialize_file_event;
MPDeserializeFunc deserialize_func = deserialize_file_event;
MPDataBus::register_event_helpers(file_pub_key, FileMPEvents::FILE_SHARE_SYNC, serialize_func, deserialize_func);
- MPDataBus::subscribe(file_pub_key, FileMPEvents::FILE_SHARE_SYNC, new FileCacheShare(this));
+ MPDataBus::subscribe(file_pub_key, FileMPEvents::FILE_SHARE_SYNC, new FileCacheShare());
}
return true;
}
}
}
-void FileInfo::serialize(char* buffer, uint16_t* len)
+void FileInfo::serialize(char* buffer, uint16_t buffer_len)
{
- int offset = *len;
-
+ uint16_t offset = 0;
auto write_bool = [&](bool val) {
memcpy(buffer + offset, &val, sizeof(val));
offset += sizeof(val);
auto write_string = [&](const std::string& str, bool is_set) {
write_bool(is_set);
- if (is_set)
+ if (is_set && offset < buffer_len)
{
uint32_t len = static_cast<uint32_t>(str.length());
memcpy(buffer + offset, &len, sizeof(len));
offset += len;
}
};
+
+ if (sha256)
+ is_sha256_set = true;
- memcpy(buffer + offset,(uint16_t *) sha256, SHA256_HASH_SIZE);
- offset += SHA256_HASH_SIZE;
- memcpy(buffer + offset, &verdict, sizeof(verdict));
+ memcpy(buffer, &is_sha256_set, sizeof(is_sha256_set));
+ offset += sizeof(is_sha256_set);
+
+ if (is_sha256_set && sha256 && offset < buffer_len)
+ {
+ memcpy(buffer + offset,(uint16_t *) sha256, SHA256_HASH_SIZE);
+ offset += SHA256_HASH_SIZE;
+ }
+
+ memcpy(buffer + offset, &verdict, sizeof(verdict));
offset += sizeof(verdict);
memcpy(buffer + offset, &file_size, sizeof(file_size));
offset += sizeof(file_size);
write_bool(file_signature_enabled);
write_bool(file_capture_enabled);
write_bool(is_partial);
-
- *len = offset;
}
-void FileInfo::deserialize(const char* buffer, uint16_t& offset)
+void FileInfo::deserialize(const char* buffer, uint16_t buffer_len)
{
+ uint16_t offset = 0;
auto read_bool = [&](bool& val) {
memcpy(&val, buffer + offset, sizeof(val));
offset += sizeof(val);
auto read_string = [&](std::string& str, bool& is_set) {
read_bool(is_set);
- if (is_set)
+ if (is_set && offset < buffer_len)
{
uint32_t len = 0;
memcpy(&len, buffer + offset, sizeof(len));
}
};
- if (!sha256)
- sha256 = new uint8_t[SHA256_HASH_SIZE];
- memcpy(sha256, (const uint8_t *)(buffer + offset), SHA256_HASH_SIZE);
- offset += SHA256_HASH_SIZE;
+ memcpy(&is_sha256_set, buffer + offset, sizeof(is_sha256_set));
+ offset += sizeof(is_sha256_set);
+
+ if (is_sha256_set && offset < buffer_len)
+ {
+ if (!sha256)
+ sha256 = new uint8_t[SHA256_HASH_SIZE];
+ memcpy(sha256, (const uint8_t *)(buffer + offset), SHA256_HASH_SIZE);
+ offset += SHA256_HASH_SIZE;
+ }
memcpy(&verdict, buffer + offset, sizeof(verdict));
offset += sizeof(verdict);
memcpy(&file_size, buffer + offset, sizeof(file_size));
return user_file_data;
}
-FileContext::FileContext (FileInspect* ins)
-{
- file_type_context = nullptr;
- file_signature_context = nullptr;
- file_capture = nullptr;
- file_segments = nullptr;
- inspector = ins;
- ins->add_global_ref();
- config = ins->config;
-}
-
FileContext::FileContext ()
{
file_type_context = nullptr;
file_signature_context = nullptr;
file_capture = nullptr;
file_segments = nullptr;
- inspector = (FileInspect*)InspectorManager::acquire_file_inspector();
- config = inspector->config;
+ if (SnortConfig::get_conf())
+ {
+ inspector = (FileInspect*)InspectorManager::acquire_file_inspector();
+ config = inspector->config;
+ }
+ else
+ {
+ inspector = nullptr;
+ config = nullptr;
+ }
}
FileContext::~FileContext ()
stop_file_capture();
delete file_segments;
- InspectorManager::release(inspector);
+
+ if (inspector)
+ InspectorManager::release(inspector);
}
/* stop file type identification */
void set_partial_flag(bool partial);
bool is_partial_download() const;
- void serialize(char* buffer, uint16_t* offset);
- void deserialize(const char* buffer, uint16_t& offset);
+ void serialize(char* buffer, uint16_t buffer_len);
+ void deserialize(const char* buffer, uint16_t buffer_len);
protected:
std::string file_name;
FileDirection direction = FILE_DOWNLOAD;
uint32_t file_type_id = SNORT_FILE_TYPE_CONTINUE;
uint8_t* sha256 = nullptr;
+ bool is_sha256_set = false;
uint64_t file_id = 0;
FileCapture* file_capture = nullptr;
bool file_type_enabled = false;
// Configuration functions
void remove_segments();
void reset();
+ void set_config(FileConfig* fc) { config = fc; }
+ FileConfig* get_config() { return config; }
private:
uint64_t processed_bytes = 0;
void* file_type_context;
eve_process_event.h
expect_events.h
external_event_ids.h
+ file_events.h
+ file_events_ids.h
finalize_packet_event.h
ftp_events.h
http_event_ids.h
ssh_events.h
ssl_events.h
dns_events.h
- file_events.h
- file_events_ids.h
)
add_library( pub_sub OBJECT
#ifndef FILE_MP_EVENTS_H
#define FILE_MP_EVENTS_H
-#include "framework/mp_data_bus.h"
-#include "file_events_ids.h"
#include "file_api/file_cache.h"
+#include "file_events_ids.h"
+#include "framework/mp_data_bus.h"
#include "hash/hashes.h"
namespace snort
class SO_PUBLIC FileMPEvent : public snort::DataEvent
{
- public:
+public:
FileMPEvent(const FileHashKey& key, int64_t tm, FileInfo& file) : timeout(tm), hashkey(key), file_ctx(file)
{
- len = sizeof(timeout) + sizeof(hashkey.sip) + sizeof(hashkey.sgroup) +
- sizeof(hashkey.dip) + sizeof(hashkey.dgroup) +
- sizeof(hashkey.file_id) + sizeof(hashkey.asid) + sizeof(hashkey.padding) +
- sizeof(file) + SHA256_HASH_SIZE;
+ len = sizeof(timeout) + sizeof(hashkey.sip) + sizeof(hashkey.sgroup)
+ + sizeof(hashkey.dip) + sizeof(hashkey.dgroup)
+ + sizeof(hashkey.file_id) + sizeof(hashkey.asid) + sizeof(hashkey.padding)
+ + sizeof(file) + SHA256_HASH_SIZE;
}
FileMPEvent() : hashkey()
{
- timeout = 0;
+ timeout = 0;
len = 0;
}
int64_t get_timeout()
{
- return timeout;
+ return timeout;
}
FileInfo get_file_ctx()
return len;
}
- void deserialize(const char* d, uint16_t len)
+ void deserialize(const char* buffer, uint16_t len)
{
uint16_t offset = 0;
- memcpy(&timeout, d, sizeof(timeout));
+ memcpy(&timeout, buffer, sizeof(timeout));
offset += sizeof(timeout);
- memcpy(&hashkey.sip, d + offset, sizeof(hashkey.sip));
+ memcpy(&hashkey.sip, buffer + offset, sizeof(hashkey.sip));
offset += sizeof(hashkey.sip);
- memcpy(&hashkey.sgroup, d + offset, sizeof(hashkey.sgroup));
+ memcpy(&hashkey.sgroup, buffer + offset, sizeof(hashkey.sgroup));
offset += sizeof(hashkey.sgroup);
- memcpy(&hashkey.dip, d + offset, sizeof(hashkey.dip));
+ memcpy(&hashkey.dip, buffer + offset, sizeof(hashkey.dip));
offset += sizeof(hashkey.dip);
- memcpy(&hashkey.dgroup, d + offset, sizeof(hashkey.dgroup));
+ memcpy(&hashkey.dgroup, buffer + offset, sizeof(hashkey.dgroup));
offset += sizeof(hashkey.dgroup);
- memcpy(&hashkey.file_id, d + offset, sizeof(hashkey.file_id));
+ memcpy(&hashkey.file_id, buffer + offset, sizeof(hashkey.file_id));
offset += sizeof(hashkey.file_id);
- memcpy(&hashkey.asid, d + offset, sizeof(hashkey.asid));
+ memcpy(&hashkey.asid, buffer + offset, sizeof(hashkey.asid));
offset += sizeof(hashkey.asid);
- memcpy(&hashkey.padding, d + offset, sizeof(hashkey.padding));
+ memcpy(&hashkey.padding, buffer + offset, sizeof(hashkey.padding));
offset += sizeof(hashkey.padding);
- file_ctx.deserialize(d, offset);
+ if (offset < len)
+ file_ctx.deserialize(buffer + offset, len - offset);
this->len = len;
}
- void serialize(char* buffer, uint16_t* len)
+ void serialize(char* buffer, uint16_t len)
{
uint16_t offset = 0;
memcpy(buffer, &timeout, sizeof(timeout));
offset += sizeof(hashkey.asid);
memcpy(buffer + offset, &hashkey.padding, sizeof(hashkey.padding));
offset += sizeof(hashkey.padding);
- file_ctx.serialize(buffer, &offset);
- *len = offset;
+ if (offset < len)
+ file_ctx.serialize(buffer + offset, len - offset);
}
- private:
- int64_t timeout;
- FileHashKey hashkey;
- FileInfo file_ctx;
- uint16_t len;
+private:
+ int64_t timeout;
+ FileHashKey hashkey;
+ FileInfo file_ctx;
+ uint16_t len;
};
}
{
struct FileMPEvents
-{ enum : unsigned {
-
- FILE_SHARE = 0,
- FILE_SHARE_SYNC,
- num_ids
-}; };
+{
+ enum : unsigned {
+ FILE_SHARE = 0,
+ FILE_SHARE_SYNC,
+ num_ids
+ };
+};
const PubKey file_pub_key { "file_mp_events", FileMPEvents::num_ids };
projects / thirdparty / snort3.git / commitdiff
