bool trace_type = false;
bool trace_signature = false;
bool trace_stream = false;
+ int64_t verdict_delay = 0;
private:
FileIdentifier fileIdentifier;
#include "file_cache.h"
#include "file_config.h"
+#include "file_enforcer.h"
#include "file_lib.h"
#include "file_service.h"
unsigned FileFlows::file_flow_data_id = 0;
+void FileFlows::handle_retransmit (Packet*)
+{
+ if (file_policy == nullptr)
+ return;
+
+ FileContext* file = get_current_file_context();
+ if ((file == nullptr) or (file->verdict != FILE_VERDICT_PENDING))
+ return;
+
+ FileVerdict verdict = file_policy->signature_lookup(flow, file);
+ FileEnforcer* file_enforcer = FileService::get_file_enforcer();
+ if (file_enforcer)
+ file_enforcer->apply_verdict(flow, file, verdict, false,file_policy);
+ file->log_file_event(flow, file_policy);
+}
+
FileFlows* FileFlows::get_file_flows(Flow* flow)
{
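Review bot: The verdict returned by signature_lookup can itself be FILE_VERDICT_PENDING (the policy lookup on this page returns it while verdict_delay is still counting down), and handle_retransmit then hands that pending verdict straight to apply_verdict and log_file_event; whether apply_verdict treats PENDING as a no-op is not visible in this hunk, so either guard it, `if (verdict == FILE_VERDICT_PENDING) return;`, or add a comment stating that apply_verdict is expected to cope with a still-pending verdict. A short header comment would also help a reader, e.g. `// A retransmitted packet re-runs the signature lookup for a file whose verdict is still pending, so a delayed verdict can be enforced on the retransmit.` Minor style: `false,file_policy` is missing the space after the comma.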
static void init()
{ file_flow_data_id = FlowData::create_flow_data_id(); }
+ void handle_retransmit(Packet*) override;
+
// Factory method to get file flows
static FileFlows* get_file_flows(Flow*);
static FilePolicyBase* get_file_policy(Flow*);
FileVerdict FileContext::file_signature_lookup(Flow* flow)
{
- if (get_file_sig_sha256() && is_file_signature_enabled())
+ if (get_file_sig_sha256())
{
FilePolicyBase* policy = FileFlows::get_file_policy(flow);
{
if (get_file_sig_sha256())
{
- //Check file type based on file policy
verdict = policy->signature_lookup(flow, this);
if ( verdict != FILE_VERDICT_UNKNOWN || final_lookup )
{
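Review bot: The signature lookup is now attempted whenever a SHA256 is present, without the is_file_signature_enabled() gate, and nothing in the hunk records why; if policy->signature_lookup does not check signature processing itself, files on flows with signature processing disabled will now be looked up. Add a one-line comment at the new condition, e.g. `// intentionally not gated on is_file_signature_enabled(): <reason>`, with the actual reason filled in. The inner `if (get_file_sig_sha256())` below repeats the outer check and looks droppable, unless it belongs to a different hunk (the rendering has lost the hunk boundaries). file_signature_lookup's body continues outside the hunk.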
{ "trace_stream", Parameter::PT_BOOL, nullptr, "false",
"enable runtime dump of file data" },
+ { "verdict_delay", Parameter::PT_INT, "0:", "0",
+ "number of queries to return final verdict" },
+
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
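Review bot: The help text "number of queries to return final verdict" does not say what happens during those queries; from the policy change on this page, lookups answer FILE_VERDICT_PENDING until the count is exhausted, so the string should state that, e.g. `"number of signature lookups to answer with a pending verdict before the final verdict is returned"`. Since the same string is what users see in the option dump, naming it as a test/debug knob there would also set expectations. The parameter table continues outside the hunk.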
else if ( v.is("trace_stream") )
fc->trace_stream = v.get_bool();
+ else if ( v.is("verdict_delay") )
+ {
+ fc->verdict_delay = v.get_long();
+ fp.set_verdict_delay(fc->verdict_delay);
+ }
+
else if ( v.is("file_rules") )
return true;
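Review bot: The option value is stored twice, in fc->verdict_delay and in the policy through fp.set_verdict_delay(), and the FileConfig copy is not read anywhere in the visible hunks; either drop the config copy or comment which one is authoritative, e.g. `// fc keeps the configured value; the live countdown is the policy's copy`. If the config copy is kept for config dumps or a show command (not visible here), say so in the same comment. The enclosing set() function starts and ends outside the hunk.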
auto search = file_shas.find(sha);
if (search != file_shas.end())
- return search->second;
+ {
+ if (verdict_delay > 0)
+ {
+ verdict_delay--;
+ return FILE_VERDICT_PENDING;
+ }
+ else
+ return search->second;
+ }
}
return FILE_VERDICT_UNKNOWN;
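Review bot: verdict_delay is a single counter on the policy object, so the pending verdict is returned for the first verdict_delay lookups across every file and flow that shares this policy, not per file, and once it reaches zero it is never restored; if that is the intended behaviour for a test knob it should be stated where the counter is decremented, `// test knob: one global countdown per policy, consumed by the first N lookups, not reset per file`. If the policy object is shared between packet threads (not visible in this hunk), the unsynchronized `verdict_delay--` is also a data race and would need an atomic or a per-thread copy. The enclosing function starts outside the hunk.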
void set_file_signature(bool enabled);
void set_file_capture(bool enabled);
void load();
+ void set_verdict_delay(int64_t delay) { verdict_delay = delay; }
private:
FileRule& match_file_rule(Flow*, FileInfo* file);
bool type_enabled = false;
bool signature_enabled = false;
bool capture_enabled = false;
+ int64_t verdict_delay = 0;
+
};
#endif