From: Hui Cao (huica)
Date: Wed, 13 Dec 2017 18:40:37 +0000 (-0500)
Subject: Merge pull request #1084 in SNORT/snort3 from file_pending to master
X-Git-Tag: 3.0.0-241~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9ba09bbaa64ef24416dc798a7a6e778b61ae1bc9;p=thirdparty%2Fsnort3.git
Merge pull request #1084 in SNORT/snort3 from file_pending to master
Squashed commit of the following:
commit d469965dd4064a5a3d96154e9e60ddd7819c0c97
Author: huica
Date: Thu Dec 7 12:56:00 2017 -0500
File api: support file verdict delay during signature lookup
---
diff --git a/src/file_api/file_config.h b/src/file_api/file_config.h
index 17a0b71be..5d18c0b31 100644
--- a/src/file_api/file_config.h
+++ b/src/file_api/file_config.h
@@ -68,6 +68,7 @@ public:
     bool trace_type = false;
     bool trace_signature = false;
     bool trace_stream = false;
+    int64_t verdict_delay = 0;
 private:
     FileIdentifier fileIdentifier;
diff --git a/src/file_api/file_flows.cc b/src/file_api/file_flows.cc
index e32544159..8bb97daa0 100644
--- a/src/file_api/file_flows.cc
+++ b/src/file_api/file_flows.cc
@@ -35,11 +35,28 @@
 #include "file_cache.h"
 #include "file_config.h"
+#include "file_enforcer.h"
 #include "file_lib.h"
 #include "file_service.h"
 unsigned FileFlows::file_flow_data_id = 0;
+void FileFlows::handle_retransmit (Packet*)
+{
+    if (file_policy == nullptr)
+        return;
+
+    FileContext* file = get_current_file_context();
+    if ((file == nullptr) or (file->verdict != FILE_VERDICT_PENDING))
+        return;
+
+    FileVerdict verdict = file_policy->signature_lookup(flow, file);
+    FileEnforcer* file_enforcer = FileService::get_file_enforcer();
+    if (file_enforcer)
+        file_enforcer->apply_verdict(flow, file, verdict, false,file_policy);
+    file->log_file_event(flow, file_policy);
+}
+
 FileFlows* FileFlows::get_file_flows(Flow* flow)
 {
diff --git a/src/file_api/file_flows.h b/src/file_api/file_flows.h
index 7e651e466..c1720a74e 100644
--- a/src/file_api/file_flows.h
+++ b/src/file_api/file_flows.h
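Review bot: In the new FileFlows::handle_retransmit, apply_verdict and log_file_event run regardless of what signature_lookup returned, so while FilePolicy::match_file_signature keeps answering FILE_VERDICT_PENDING every retransmitted packet applies a pending verdict and logs a file event again; whether that yields duplicate events depends on apply_verdict and log_file_event, which are outside this hunk. Unless apply_verdict is meant to act on a pending verdict, a guard after the lookup, `if (verdict == FILE_VERDICT_PENDING) return;`, would limit the retransmit path to the call that actually resolves the verdict. A one-line comment above the definition, e.g. `// Retransmit seen while a file verdict is still pending: retry the signature lookup and enforce/log the result.`, would document why the override exists. Minor style: `handle_retransmit (Packet*)` has a space before the parameter list and `false,file_policy` lacks one after the comma, unlike the surrounding code.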
@@ -52,6 +52,8 @@ public:
     static void init() { file_flow_data_id = FlowData::create_flow_data_id(); }
+    void handle_retransmit(Packet*) override;
+
     // Factory method to get file flows
     static FileFlows* get_file_flows(Flow*);
     static FilePolicyBase* get_file_policy(Flow*);
diff --git a/src/file_api/file_lib.cc b/src/file_api/file_lib.cc
index 963c17716..6a5a069c9 100644
--- a/src/file_api/file_lib.cc
+++ b/src/file_api/file_lib.cc
@@ -338,7 +338,7 @@ void FileContext::log_file_event(Flow* flow, FilePolicyBase* policy)
 FileVerdict FileContext::file_signature_lookup(Flow* flow)
 {
-    if (get_file_sig_sha256() && is_file_signature_enabled())
+    if (get_file_sig_sha256())
     {
         FilePolicyBase* policy = FileFlows::get_file_policy(flow);
@@ -353,7 +353,6 @@ void FileContext::finish_signature_lookup(Flow* flow, bool final_lookup, FilePol
 {
     if (get_file_sig_sha256())
     {
-        //Check file type based on file policy
         verdict = policy->signature_lookup(flow, this);
         if ( verdict != FILE_VERDICT_UNKNOWN || final_lookup )
         {
diff --git a/src/file_api/file_module.cc b/src/file_api/file_module.cc
index 00f5b9ac1..5678a2244 100644
--- a/src/file_api/file_module.cc
+++ b/src/file_api/file_module.cc
@@ -174,6 +174,9 @@ static const Parameter file_id_params[] =
     { "trace_stream", Parameter::PT_BOOL, nullptr, "false",
       "enable runtime dump of file data" },
+    { "verdict_delay", Parameter::PT_INT, "0:", "0",
+      "number of queries to return final verdict" },
+
     { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
 };
@@ -275,6 +278,12 @@ bool FileIdModule::set(const char*, Value& v, SnortConfig*)
     else if ( v.is("trace_stream") )
         fc->trace_stream = v.get_bool();
+    else if ( v.is("verdict_delay") )
+    {
+        fc->verdict_delay = v.get_long();
+        fp.set_verdict_delay(fc->verdict_delay);
+    }
+
     else if ( v.is("file_rules") )
         return true;
diff --git a/src/file_api/file_policy.cc b/src/file_api/file_policy.cc
index 557cee8b4..ff4c8f919 100644
--- a/src/file_api/file_policy.cc
+++ b/src/file_api/file_policy.cc
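Review bot: Dropping `is_file_signature_enabled()` from FileContext::file_signature_lookup means the policy's signature_lookup is now consulted whenever a SHA256 is present, even for a context where signature processing was disabled, and neither the hunk nor the commit message says why. It may be intentional alignment with finish_signature_lookup below, which already gates only on get_file_sig_sha256(), but a policy-level enforcement check disappearing silently is the kind of change a reader will question later. If the enabled flag is now honoured elsewhere, presumably inside the policy's own signature_lookup, a comment on the condition, e.g. `// signature enable/disable is enforced by the policy's signature_lookup, not here`, would record that; otherwise the check should stay. The function body continues outside the hunk.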
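Review bot: The help text for the new `verdict_delay` parameter, "number of queries to return final verdict", does not say what is delayed or that the count is not per file; as a knob that makes a known-bad signature match report FILE_VERDICT_PENDING instead of its configured verdict it deserves a precise description. Something like `"number of matching signature lookups that report a pending verdict before the configured verdict is returned (test/debug aid)"` would tell an operator what they are enabling. The "(test/debug aid)" part is an inference from the behaviour visible in file_policy.cc and should be confirmed with the author.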
@@ -135,7 +135,15 @@ FileVerdict FilePolicy::match_file_signature(Flow*, FileInfo* file)
         auto search = file_shas.find(sha);
         if (search != file_shas.end())
-            return search->second;
+        {
+            if (verdict_delay > 0)
+            {
+                verdict_delay--;
+                return FILE_VERDICT_PENDING;
+            }
+            else
+                return search->second;
+        }
     }
     return FILE_VERDICT_UNKNOWN;
diff --git a/src/file_api/file_policy.h b/src/file_api/file_policy.h
index cad51ec2d..c25399bc1 100644
--- a/src/file_api/file_policy.h
+++ b/src/file_api/file_policy.h
@@ -71,6 +71,7 @@ public:
     void set_file_signature(bool enabled);
     void set_file_capture(bool enabled);
     void load();
+    void set_verdict_delay(int64_t delay) { verdict_delay = delay; }
 private:
     FileRule& match_file_rule(Flow*, FileInfo* file);
@@ -80,6 +81,8 @@ private:
     bool type_enabled = false;
     bool signature_enabled = false;
     bool capture_enabled = false;
+    int64_t verdict_delay = 0;
+
 };
 #endif
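Review bot: `verdict_delay` is a single counter on the FilePolicy object (added in file_policy.h), decremented in match_file_signature on every SHA match, so the delay is shared across all files and flows that this policy serves: the first N matching lookups anywhere return FILE_VERDICT_PENDING and after that the knob is exhausted for the lifetime of the policy, rather than each file being delayed N times. If the policy is consulted from more than one packet thread the unsynchronized `verdict_delay--` is also a data race, though the threading model is not visible from this diff. If this is a test hook to exercise the pending path that is acceptable, but it should be stated above the branch, e.g. `// verdict_delay is a policy-wide test knob: the first N matching lookups are reported as pending, then the stored verdict is returned`, so nobody mistakes it for a per-file setting. The `else` after the `return` is redundant; `return search->second;` can follow the if block directly.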