Merge pull request #1077 in SNORT/snort3 from file_log to master
authorHui Cao (huica) <huica@cisco.com>
Thu, 30 Nov 2017 21:13:49 +0000 (16:13 -0500)
committerHui Cao (huica) <huica@cisco.com>
Thu, 30 Nov 2017 21:13:49 +0000 (16:13 -0500)
Squashed commit of the following:

commit d63f4e2f48c8dbd92496ccb99e8c0a9a39f9cc56
Author: huica <huica@cisco.com>
Date:   Wed Nov 29 15:31:37 2017 -0500

    File policy: add support for file event logging

src/file_api/file_api.h
src/file_api/file_enforcer.cc
src/file_api/file_flows.cc
src/file_api/file_lib.cc
src/file_api/file_lib.h
src/file_api/file_policy.cc

index 5d151142d1687f96ebd13af3e550e176fc8ffc33..aa1ec565225753bfa0995e612b03e3e02a3f5446 100644 (file)
 #define     FILE_ALL_ON                          0xFFFFFFFF
 #define     FILE_ALL_OFF                         0x00000000
 
-#define     FILE_RESUME_BLOCK                    0x01
-#define     FILE_RESUME_LOG                      0x02
+enum FileAction
+{
+    FILE_ACTION_DEFAULT = 0,
+    FILE_RESUME_BLOCK,
+    FILE_RESUME_LOG
+};
 
 #define UTF_16_LE_BOM "\xFF\xFE"
 #define UTF_16_LE_BOM_LEN 2
@@ -131,7 +135,7 @@ public:
     virtual FileVerdict signature_lookup(Flow*, FileInfo*)
     { return FILE_VERDICT_UNKNOWN; }
 
-    virtual void log_file_action(Flow*, int) { }
+    virtual void log_file_action(Flow*, FileInfo*, FileAction) { }
 
 };
 
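Review bot: Changing the virtual `log_file_action` from `(Flow*, int)` to `(Flow*, FileInfo*, FileAction)` while the base keeps a no-op default body means any FilePolicyBase subclass that still overrides the old signature silently stops being called instead of failing to compile; I would confirm every override in the tree is marked `override` so the compiler catches the mismatch. Because `FileAction` is a plain `enum` it still converts implicitly to `int`, so an old `int`-taking override remains a valid but unrelated overload; `enum class FileAction` would close that hole if no derived code relies on the integer values. The new `FILE_ACTION_DEFAULT` enumerator is only explained by its callers, so it deserves a comment on the enum: `FILE_ACTION_DEFAULT = 0, // reported from FileContext::log_file_event; FILE_RESUME_* are reported by FileEnforcer::apply_verdict when resume is set`.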
index db5205620105b6331f4bf985d8e6ec83b0d9f2bd..aae7048d33b61005d6ff8d5f6a231ff6aeec3b60 100644 (file)
@@ -168,7 +168,7 @@ bool FileEnforcer::apply_verdict(Flow* flow, FileInfo* file, FileVerdict verdict
     if (verdict == FILE_VERDICT_LOG)
     {
         if (resume)
-            policy->log_file_action(flow, FILE_RESUME_LOG);
+            policy->log_file_action(flow, file, FILE_RESUME_LOG);
     }
     else if (verdict == FILE_VERDICT_BLOCK)
     {
@@ -176,7 +176,7 @@ bool FileEnforcer::apply_verdict(Flow* flow, FileInfo* file, FileVerdict verdict
         Active::set_delayed_action(Active::ACT_BLOCK, true);
         store_verdict(flow, file);
         if (resume)
-            policy->log_file_action(flow, FILE_RESUME_BLOCK);
+            policy->log_file_action(flow, file, FILE_RESUME_BLOCK);
         return true;
     }
     else if (verdict == FILE_VERDICT_REJECT)
@@ -185,7 +185,7 @@ bool FileEnforcer::apply_verdict(Flow* flow, FileInfo* file, FileVerdict verdict
         Active::set_delayed_action(Active::ACT_RESET, true);
         store_verdict(flow, file);
         if (resume)
-            policy->log_file_action(flow, FILE_RESUME_BLOCK);
+            policy->log_file_action(flow, file, FILE_RESUME_BLOCK);
         return true;
     }
     else if (verdict == FILE_VERDICT_PENDING)
@@ -193,7 +193,7 @@ bool FileEnforcer::apply_verdict(Flow* flow, FileInfo* file, FileVerdict verdict
         /*Take the cached verdict*/
         Active::set_delayed_action(Active::ACT_DROP, true);
         if (resume)
-            policy->log_file_action(flow, FILE_RESUME_BLOCK);
+            policy->log_file_action(flow, file, FILE_RESUME_BLOCK);
         return true;
     }
 
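Review bot: `policy->log_file_action(flow, file, ...)` is dereferenced in every verdict branch with no null check, whereas `FileContext::log_file_event` in this same commit guards the identical callback with `if (policy and log_needed)`, so the two sites disagree on whether `policy` may be null. If it can be null, each branch needs `if (resume and policy) policy->log_file_action(flow, file, FILE_RESUME_BLOCK);`; if it cannot, the precondition should be stated on apply_verdict, e.g. `// precondition: policy != nullptr`, so the guard elsewhere is not mistaken for a contract. The four `if (resume) policy->log_file_action(...)` statements are otherwise identical and could be one local helper, `auto report = [&](FileAction a) { if (resume) policy->log_file_action(flow, file, a); };`, called per branch. apply_verdict begins before the first hunk and continues past the last one.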
index e5b4ace63497b0647d13557c385cfc01970abae7..e325441590de72a40e5a1da3d5980f6b52fdbd6a 100644 (file)
@@ -233,7 +233,7 @@ void FileFlows::set_file_name(const uint8_t* fname, uint32_t name_size)
         if (fname and name_size)
             context->set_file_name((const char*)fname, name_size);
 
-        context->log_file_event(flow);
+        context->log_file_event(flow, file_policy);
     }
 }
 
index 46aa29a91a795b44da076d0e5d43b040d92ceea5..1b4d403278cfaa3217dcd6a4b90f41824247848e 100644 (file)
@@ -301,11 +301,13 @@ inline void FileContext::finalize_file_type()
     file_type_context = nullptr;
 }
 
-void FileContext::log_file_event(Flow* flow)
+void FileContext::log_file_event(Flow* flow, FilePolicyBase* policy)
 {
     // wait for file name is set to log file event
     if ( is_file_name_set() )
     {
+        bool log_needed = true;
+
         switch (verdict)
         {
         case FILE_VERDICT_LOG:
@@ -322,8 +324,13 @@ void FileContext::log_file_event(Flow* flow)
             DataBus::publish("file_event", (const uint8_t*)"RESET", 5, flow);
             break;
         default:
+            log_needed = false;
             break;
         }
+
+        if (policy and log_needed)
+            policy->log_file_action(flow, this, FILE_ACTION_DEFAULT);
+
         if ( config->trace_type )
             print(std::cout);
     }
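Review bot: `log_needed` starts as `true` and is only cleared in the `default:` arm, so any verdict case added to the switch later is forwarded to the policy whether or not that was intended, and a reader has to scan the whole switch (whose middle arms fall outside this hunk) to learn which verdicts are reported; initializing it to `false` and setting `log_needed = true` inside the handled arms keeps the decision next to each case. The `if (policy and log_needed)` guard also tolerates a null `policy`, yet `finish_signature_lookup` below already calls `policy->signature_lookup(flow, this)` before reaching `log_file_event(flow, policy)`, so only the `set_file_name` caller in file_flows.cc can actually exercise that null path — worth a comment on the guard saying which caller may pass `nullptr`, or removing it if none do. The policy callback always receives `FILE_ACTION_DEFAULT`, so the implementation presumably has to read the verdict back from the `FileInfo` it is handed; a one-line comment such as `// action is DEFAULT here; the verdict itself is carried by the FileInfo argument` would make that contract explicit (confirm FileInfo exposes it).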
@@ -350,7 +357,7 @@ void FileContext::finish_signature_lookup(Flow* flow, bool final_lookup, FilePol
         FileVerdict verdict = policy->signature_lookup(flow, this);
         if ( verdict != FILE_VERDICT_UNKNOWN || final_lookup )
         {
-            log_file_event(flow);
+            log_file_event(flow, policy);
             config_file_signature(false);
             file_stats->signatures_processed[get_file_type()][get_file_direction()]++;
         }
@@ -440,7 +447,7 @@ bool FileContext::process(Flow* flow, const uint8_t* file_data, int data_size,
                     file_enforcer->apply_verdict(flow, this, v, false, policy);
             }
 
-            log_file_event(flow);
+            log_file_event(flow, policy);
         }
     }
 
index 05673dfa66d6144590b2297d296c074fb1a7fe0d..8f05361b855d139c650a7a4d960a0eb0438c77f2 100644 (file)
@@ -114,7 +114,7 @@ public:
     void update_file_size(int data_size, FilePosition position);
     void stop_file_capture();
     FileCaptureState process_file_capture(const uint8_t* file_data, int data_size, FilePosition);
-    void log_file_event(Flow*);
+    void log_file_event(Flow*, FilePolicyBase*);
     FileVerdict file_signature_lookup(Flow*);
 
     void set_signature_state(bool gen_sig);
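Review bot: The new `FilePolicyBase*` parameter on `log_file_event` carries no comment saying whether `nullptr` is accepted, which the implementation in file_lib.cc tolerates via `if (policy and log_needed)`, so a caller reading only this header cannot tell. Suggest a declaration comment: `// Publish the file verdict on the DataBus and, when policy is non-null, report it via policy->log_file_action(); no-op until the file name has been set.` The enclosing class declaration starts and ends outside this hunk.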
index 156256684a84e17c4dddccfb2a92cc5b1456b66f..6443e6d7d48c07775803957830e692f3a48e06b5 100644 (file)
@@ -149,7 +149,7 @@ void FilePolicy::policy_check(Flow*, FileInfo* file)
     file->config_file_capture(capture_enabled);
 }
 
-FileVerdict FilePolicy::type_lookup(Flow* flow, FileInfo* file)
+FileVerdict FilePolicy::type_lookup(Flow*, FileInfo* file)
 {
     FileRule rule = match_file_rule(nullptr, file);
     file->config_file_signature(rule.use.signature_enabled);