Pull request #3305: http_inspect, mime: VBA macro decompression for HTTP MIME file...
authorPranav Bhalerao (prbhaler) <prbhaler@cisco.com>
Tue, 22 Mar 2022 05:22:22 +0000 (05:22 +0000)
committerPranav Bhalerao (prbhaler) <prbhaler@cisco.com>
Tue, 22 Mar 2022 05:22:22 +0000 (05:22 +0000)
Merge in SNORT/snort3 from ~AMARNAYA/snort3:vba_upload to master

Squashed commit of the following:

commit e03395379f228c35acfbbe8e1777e415182e1140
Author: Amarnath Nayak <amarnaya@cisco.com>
Date:   Tue Feb 8 16:55:17 2022 +0000

    http_inspect, mime: VBA macro decompression for HTTP MIME file uploads

src/mime/file_mime_decode.cc
src/mime/file_mime_decode.h
src/mime/file_mime_process.cc
src/mime/file_mime_process.h
src/service_inspectors/http_inspect/http_msg_body.cc

index 43b4a5cfc5068a72e9a40a8adee21e3db8b08b21..7d388777be608a3eed67a77cb967e6dc98254192 100644 (file)
@@ -232,6 +232,13 @@ void MimeDecode::clear_decomp_vba_data()
     decompressed_vba_data.reset();
 }
 
+const BufferData& MimeDecode::_get_ole_buf()
+{
+    if (ole_data.length() <= 0)
+        return BufferData::buffer_null;
+    return ole_data;
+}
+
 void MimeDecode::file_decomp_reset()
 {
     if ( fd_state == nullptr )
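Review bot: The leading underscore in `_get_ole_buf` (line 28, and its declaration in the file_mime_decode.h hunk) reads as a private/internal marker, yet the method sits under `public:` and is called from MimeSession, while the sibling accessor `get_decomp_vba_data` carries no prefix; `get_ole_buf` would match the class's own naming, and underscore-prefixed names are best avoided since they are reserved at global scope. The function returns a reference to the member `ole_data`, so the header or definition should state the aliasing contract, e.g. `// OLE payload collected by this decoder, or buffer_null when empty; the reference aliases storage owned by this MimeDecode and must not outlive it.` The comparison `ole_data.length() <= 0` is fine if length() is signed; if it is unsigned the `< 0` half is dead and `== 0` says what is meant.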
index 3851c693c3a1cb5dbe537fb61e6d0f3964241d20..3095bff9692c21de0cfd8bbae7651423cc6b706e 100644 (file)
@@ -82,6 +82,7 @@ public:
 
     DecodeResult decompress_data(const uint8_t* buf_in, uint32_t size_in,
                                  const uint8_t*& buf_out, uint32_t& size_out);
+    const BufferData& _get_ole_buf();
     const BufferData& get_decomp_vba_data();
     void clear_decomp_vba_data();
 
index d5cdd86a50b2ab0d824492996e0e469ea31909d7..6e29cf22b137eda713f510dcdaf3a55feb839437 100644 (file)
@@ -706,6 +706,14 @@ void MimeSession::set_mime_stats(MimeStats* stats)
     mime_stats = stats;
 }
 
+const BufferData& MimeSession::get_ole_buf()
+{
+    if (!decode_state)
+        return BufferData::buffer_null;
+
+    return decode_state->_get_ole_buf();
+}
+
 const BufferData& MimeSession::get_vba_inspect_buf()
 {
     if (!decode_state)
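Review bot: `MimeSession::get_ole_buf` forwards the decoder's reference unchanged, so a caller that keeps it across a `decode_state` reset or teardown would be left dangling; the null guard matches `get_vba_inspect_buf` below, but neither accessor documents that the result borrows decoder-owned storage. A one-line comment on the declaration in file_mime_process.h would make the contract explicit: `// Borrowed view of the decoder's OLE data; valid only while decode_state is alive - copy if retained.`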
index 94ddd2ce1afc0175599e1488bbac24f8c263047b..616a947e400b07e133657257eede69c7961192d2 100644 (file)
@@ -73,6 +73,7 @@ public:
     MailLogState* get_log_state();
     void set_mime_stats(MimeStats*);
 
+    const BufferData& get_ole_buf();
     const BufferData& get_vba_inspect_buf();
 
 protected:
index 2c7e3156eb12ae344dda1c6783f87f9806ea8806..dd44d0460632106ae8c3d27d4c44ebae8e3d7dba 100644 (file)
@@ -26,6 +26,7 @@
 #include "decompress/file_olefile.h"
 #include "file_api/file_flows.h"
 #include "file_api/file_service.h"
+#include "helpers/buffer_data.h"
 #include "pub_sub/http_request_body_event.h"
 
 #include "http_api.h"
@@ -482,7 +483,11 @@ void HttpMsgBody::do_file_processing(const Field& file_data)
                 (section_end - ptr), true, SNORT_FILE_POSITION_UNKNOWN);
             ptr++;
         }
-
+        
+        const BufferData& vba_buf = session_data->mime_state[source_id]->get_ole_buf();
+        if (vba_buf.data_ptr())
+            ole_data.set(vba_buf.length(), vba_buf.data_ptr());
+        
         session_data->file_octets[source_id] += file_data.length();
     }
 }
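Review bot: `ole_data.set(vba_buf.length(), vba_buf.data_ptr())` on line 89 appears to store the decoder's pointer into the HttpMsgBody field rather than copy it (assuming this `set` overload does not take ownership), so `ole_data` now aliases storage owned by `session_data->mime_state[source_id]`; if that decoder state is reset or freed before the body is inspected, the field dangles, so either confirm the lifetime or copy the bytes here. `mime_state[source_id]` is dereferenced without a null check, which is presumably guaranteed by the enclosing branch of `do_file_processing` (the function starts outside the hunk); a short comment naming that guarantee would help the next reader. Lines 86 and 90 replace a bare blank line with lines of trailing whitespace; keep the blank line empty. The local `vba_buf` holds the OLE container rather than the decompressed VBA stream that `get_vba_inspect_buf` returns, so `ole_buf` would be the accurate name.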