From: Hui Cao (huica)
Date: Thu, 30 Nov 2017 21:13:49 +0000 (-0500)
Subject: Merge pull request #1077 in SNORT/snort3 from file_log to master
X-Git-Tag: 3.0.0-241~9
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fe0c0d5fa56203325916e944cbabd2c7d81c0163;p=thirdparty%2Fsnort3.git

Merge pull request #1077 in SNORT/snort3 from file_log to master

Squashed commit of the following:

commit d63f4e2f48c8dbd92496ccb99e8c0a9a39f9cc56
Author: huica
Date: Wed Nov 29 15:31:37 2017 -0500

File policy: add support for file event logging
---
diff --git a/src/file_api/file_api.h b/src/file_api/file_api.h
index 5d151142d..aa1ec5652 100644
--- a/src/file_api/file_api.h
+++ b/src/file_api/file_api.h
@@ -37,8 +37,12 @@
 #define FILE_ALL_ON 0xFFFFFFFF
 #define FILE_ALL_OFF 0x00000000
 
-#define FILE_RESUME_BLOCK 0x01
-#define FILE_RESUME_LOG 0x02
+enum FileAction
+{
+ FILE_ACTION_DEFAULT = 0,
+ FILE_RESUME_BLOCK,
+ FILE_RESUME_LOG
+};
 
 #define UTF_16_LE_BOM "\xFF\xFE"
 #define UTF_16_LE_BOM_LEN 2
@@ -131,7 +135,7 @@ public:
 virtual FileVerdict signature_lookup(Flow*, FileInfo*) { return FILE_VERDICT_UNKNOWN; }
- virtual void log_file_action(Flow*, int) { }
+ virtual void log_file_action(Flow*, FileInfo*, FileAction) { }
 };
diff --git a/src/file_api/file_enforcer.cc b/src/file_api/file_enforcer.cc
index db5205620..aae7048d3 100644
--- a/src/file_api/file_enforcer.cc
+++ b/src/file_api/file_enforcer.cc
@@ -168,7 +168,7 @@ bool FileEnforcer::apply_verdict(Flow* flow, FileInfo* file, FileVerdict verdict
 if (verdict == FILE_VERDICT_LOG)
 {
 if (resume)
- policy->log_file_action(flow, FILE_RESUME_LOG);
+ policy->log_file_action(flow, file, FILE_RESUME_LOG);
 }
 else if (verdict == FILE_VERDICT_BLOCK)
 {
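Review bot: The new `FileAction` enumerators carry no documentation, and `FILE_ACTION_DEFAULT` is not self-explanatory: in this diff it is passed only from `FileContext::log_file_event`, while `FILE_RESUME_BLOCK`/`FILE_RESUME_LOG` are passed from `FileEnforcer::apply_verdict` only when `resume` is true. A comment per enumerator would spare the next reader a grep, e.g. `FILE_ACTION_DEFAULT = 0, // verdict reported when it is first applied to a file (FileContext::log_file_event)`, `FILE_RESUME_BLOCK, // stored block, reset or drop action re-applied to a resumed file (FileEnforcer::apply_verdict)`, `FILE_RESUME_LOG, // stored log verdict re-applied to a resumed file`. The replaced macros were bit-style constants (0x01, 0x02); the enumerators keep those values, but a combination such as `FILE_RESUME_BLOCK | FILE_RESUME_LOG` is no longer a valid `FileAction`, so it is worth confirming no caller OR-ed them. An `enum class` would also keep these names out of the global namespace, at the cost of qualifying the existing uses.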
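Review bot: Changing the virtual `log_file_action` from `(Flow*, int)` to `(Flow*, FileInfo*, FileAction)` silently disconnects any `FilePolicyBase` subclass that still overrides the old form without `override`: its method becomes an unrelated overload that is never called, and no diagnostic is raised. No override with the new signature appears in this diff; if one lives in a file outside it, it should be declared `override` so future signature changes are caught at compile time. The new `FileInfo*` parameter is also undocumented — the callers here pass `this` from `FileContext::log_file_event` and `file` from `FileEnforcer::apply_verdict` — so a contract comment on the declaration would help implementers, e.g. `// Invoked when a verdict is applied to the file described by FileInfo; FileAction tells whether this is the initial verdict or one re-applied to a resumed file.`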
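Review bot: `policy->log_file_action(flow, file, FILE_RESUME_LOG)` dereferences `policy` unguarded, while the new code in `FileContext::log_file_event` (file_lib.cc) guards the equivalent call with `if (policy and log_needed)`. `apply_verdict` begins before this hunk, so an earlier null check may exist; if it does not, the four resume branches can crash on a null policy, and if it does, the guard in `log_file_event` is the inconsistent one. The same pattern is in the `@@ -176`, `@@ -185` and `@@ -193` hunks of this file. Where a guard is needed, `if (resume and policy)` at each site is the minimal change.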
@@ -176,7 +176,7 @@ bool FileEnforcer::apply_verdict(Flow* flow, FileInfo* file, FileVerdict verdict
 Active::set_delayed_action(Active::ACT_BLOCK, true);
 store_verdict(flow, file);
 if (resume)
- policy->log_file_action(flow, FILE_RESUME_BLOCK);
+ policy->log_file_action(flow, file, FILE_RESUME_BLOCK);
 return true;
 }
 else if (verdict == FILE_VERDICT_REJECT)
@@ -185,7 +185,7 @@ bool FileEnforcer::apply_verdict(Flow* flow, FileInfo* file, FileVerdict verdict
 Active::set_delayed_action(Active::ACT_RESET, true);
 store_verdict(flow, file);
 if (resume)
- policy->log_file_action(flow, FILE_RESUME_BLOCK);
+ policy->log_file_action(flow, file, FILE_RESUME_BLOCK);
 return true;
 }
 else if (verdict == FILE_VERDICT_PENDING)
@@ -193,7 +193,7 @@ bool FileEnforcer::apply_verdict(Flow* flow, FileInfo* file, FileVerdict verdict
 /*Take the cached verdict*/
 Active::set_delayed_action(Active::ACT_DROP, true);
 if (resume)
- policy->log_file_action(flow, FILE_RESUME_BLOCK);
+ policy->log_file_action(flow, file, FILE_RESUME_BLOCK);
 return true;
 }
 
diff --git a/src/file_api/file_flows.cc b/src/file_api/file_flows.cc
index e5b4ace63..e32544159 100644
--- a/src/file_api/file_flows.cc
+++ b/src/file_api/file_flows.cc
@@ -233,7 +233,7 @@ void FileFlows::set_file_name(const uint8_t* fname, uint32_t name_size)
 if (fname and name_size)
 context->set_file_name((const char*)fname, name_size);
 
- context->log_file_event(flow);
+ context->log_file_event(flow, file_policy);
 }
 }
diff --git a/src/file_api/file_lib.cc b/src/file_api/file_lib.cc
index 46aa29a91..1b4d40327 100644
--- a/src/file_api/file_lib.cc
+++ b/src/file_api/file_lib.cc
@@ -301,11 +301,13 @@ inline void FileContext::finalize_file_type()
 file_type_context = nullptr;
 }
 
-void FileContext::log_file_event(Flow* flow)
+void FileContext::log_file_event(Flow* flow, FilePolicyBase* policy)
 {
 // wait for file name is set to log file event
 if ( is_file_name_set() )
 {
+ bool log_needed = true;
+
 switch (verdict)
 {
 case FILE_VERDICT_LOG:
@@ -322,8 +324,13 @@ void FileContext::log_file_event(Flow* flow)
 DataBus::publish("file_event", (const uint8_t*)"RESET", 5, flow);
 break;
 default:
+ log_needed = false;
 break;
 }
+
+ if (policy and log_needed)
+ policy->log_file_action(flow, this, FILE_ACTION_DEFAULT);
+
 if ( config->trace_type )
 print(std::cout);
 }
@@ -350,7 +357,7 @@ void FileContext::finish_signature_lookup(Flow* flow, bool final_lookup, FilePol
 FileVerdict verdict = policy->signature_lookup(flow, this);
 if ( verdict != FILE_VERDICT_UNKNOWN || final_lookup )
 {
- log_file_event(flow);
+ log_file_event(flow, policy);
 config_file_signature(false);
 file_stats->signatures_processed[get_file_type()][get_file_direction()]++;
 }
@@ -440,7 +447,7 @@ bool FileContext::process(Flow* flow, const uint8_t* file_data, int data_size,
 file_enforcer->apply_verdict(flow, this, v, false, policy);
 }
 
- log_file_event(flow);
+ log_file_event(flow, policy);
 }
 }
diff --git a/src/file_api/file_lib.h b/src/file_api/file_lib.h
index 05673dfa6..8f05361b8 100644
--- a/src/file_api/file_lib.h
+++ b/src/file_api/file_lib.h
@@ -114,7 +114,7 @@ public:
 void update_file_size(int data_size, FilePosition position);
 void stop_file_capture();
 FileCaptureState process_file_capture(const uint8_t* file_data, int data_size, FilePosition);
- void log_file_event(Flow*);
+ void log_file_event(Flow*, FilePolicyBase*);
 FileVerdict file_signature_lookup(Flow*);
 void set_signature_state(bool gen_sig);
diff --git a/src/file_api/file_policy.cc b/src/file_api/file_policy.cc
index 156256684..6443e6d7d 100644
--- a/src/file_api/file_policy.cc
+++ b/src/file_api/file_policy.cc
@@ -149,7 +149,7 @@ void FilePolicy::policy_check(Flow*, FileInfo* file)
 file->config_file_capture(capture_enabled);
 }
 
-FileVerdict FilePolicy::type_lookup(Flow* flow, FileInfo* file)
+FileVerdict FilePolicy::type_lookup(Flow*, FileInfo* file)
 {
 FileRule rule = match_file_rule(nullptr, file);
 file->config_file_signature(rule.use.signature_enabled);
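Review bot: The policy callback added here passes `FILE_ACTION_DEFAULT` for every verdict that reaches a `case` label, so the callback cannot tell from the action which verdict fired and must read it back from the `FileInfo` it receives; neither this function nor the declaration in `file_lib.h` says so. `log_file_event` is also invoked from three places in this diff (`FileFlows::set_file_name`, `finish_signature_lookup` and `process`), so the policy can be notified more than once for the same file whenever more than one of those paths runs after the name is set — the DataBus publish already behaved this way, but a policy that counts calls as distinct events would need deduplication or a once-only flag here. A comment on the declaration would capture the contract, e.g. `// Publishes the current verdict on the DataBus once the file name is known and, if policy is non-null, reports it via policy->log_file_action(FILE_ACTION_DEFAULT); verdicts that fall into the switch's default branch are not reported.` The function starts in the previous hunk (`@@ -301`).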