detect/file: Filehandler registration logic
authorJeff Lucovsky <jlucovsky@oisf.net>
Mon, 10 Jul 2023 14:39:02 +0000 (10:39 -0400)
committerVictor Julien <vjulien@oisf.net>
Fri, 14 Jul 2023 15:56:23 +0000 (17:56 +0200)
Add file handler registration functions for consolidated file handling.

Issue: 4145

src/detect-engine-register.c
src/detect-parse.c
src/detect-parse.h

index 6fa45042a5de785f3425e87f06429fa9c707edfd..df6e4a738ffcb2a8527e0f0c248bef878d4fec63 100644 (file)
@@ -447,6 +447,14 @@ int SigTableList(const char *keyword)
     return TM_ECODE_DONE;
 }
 
+static void DetectFileHandlerRegister(void)
+{
+    for (int i = 0; i < DETECT_TBLSIZE; i++) {
+        if (filehandler_table[i].name)
+            DetectFileRegisterFileProtocols(&filehandler_table[i]);
+    }
+}
+
 void SigTableSetup(void)
 {
     memset(sigmatch_table, 0, sizeof(sigmatch_table));
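Review bot: DetectFileHandlerRegister() has no comment stating its contract, and it relies on two things the code does not make visible: a slot counts as registered only when `name` is non-NULL, and every keyword's Register function must already have filled its `filehandler_table` slot before the call added in the second hunk, just ahead of `DetectBufferTypeCloseRegistration()`. I would add above the function `/* Register the common file protocols for every filehandler_table slot a keyword has filled in; must run after all keyword Register calls and before DetectBufferTypeCloseRegistration(). */`. SigTableSetup() also clears `sigmatch_table` with memset on its first line but leaves `filehandler_table` untouched, so if setup can run more than once in a process the two tables are treated differently; a matching `memset(filehandler_table, 0, sizeof(filehandler_table));` would keep them consistent. SigTableSetup's body continues outside the hunk.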
@@ -689,6 +697,8 @@ void SigTableSetup(void)
     DetectTransformUrlDecodeRegister();
     DetectTransformXorRegister();
 
+    DetectFileHandlerRegister();
+
     /* close keyword registration */
     DetectBufferTypeCloseRegistration();
 }
index 152a821c56d28a0350ddb1ec150eee2dc3a7ffe8..2e109c3ecb2b7afe373302ff37a660e15260e8a0 100644 (file)
 #include "action-globals.h"
 #include "util-validate.h"
 
+/* Table with all filehandler registrations */
+DetectFileHandlerTableElmt filehandler_table[DETECT_TBLSIZE];
+
+void DetectFileRegisterFileProtocols(DetectFileHandlerTableElmt *reg)
+{
+    // file protocols with common file handling
+    typedef struct {
+        AppProto al_proto;
+        int direction;
+        int to_client_progress;
+        int to_server_progress;
+    } DetectFileHandlerProtocol_t;
+    static DetectFileHandlerProtocol_t al_protocols[] = {
+        { .al_proto = ALPROTO_NFS, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT },
+        { .al_proto = ALPROTO_SMB, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT },
+        { .al_proto = ALPROTO_FTP, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT },
+        { .al_proto = ALPROTO_FTPDATA, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT },
+        { .al_proto = ALPROTO_HTTP1,
+                .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT,
+                .to_client_progress = HTP_RESPONSE_BODY,
+                .to_server_progress = HTP_REQUEST_BODY },
+        { .al_proto = ALPROTO_HTTP2,
+                .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT,
+                .to_client_progress = HTTP2StateDataServer,
+                .to_server_progress = HTTP2StateDataClient },
+        { .al_proto = ALPROTO_SMTP, .direction = SIG_FLAG_TOSERVER }
+    };
+
+    for (size_t i = 0; i < ARRAY_SIZE(al_protocols); i++) {
+        int direction = al_protocols[i].direction == 0
+                                ? (int)(SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT)
+                                : al_protocols[i].direction;
+
+        if (direction & SIG_FLAG_TOCLIENT) {
+            DetectAppLayerMpmRegister2(reg->name, SIG_FLAG_TOCLIENT, reg->priority,
+                    reg->PrefilterFn, reg->GetData, al_protocols[i].al_proto,
+                    al_protocols[i].to_client_progress);
+            DetectAppLayerInspectEngineRegister2(reg->name, al_protocols[i].al_proto,
+                    SIG_FLAG_TOCLIENT, al_protocols[i].to_client_progress, reg->Callback,
+                    reg->GetData);
+        }
+        if (direction & SIG_FLAG_TOSERVER) {
+            DetectAppLayerMpmRegister2(reg->name, SIG_FLAG_TOSERVER, reg->priority,
+                    reg->PrefilterFn, reg->GetData, al_protocols[i].al_proto,
+                    al_protocols[i].to_server_progress);
+            DetectAppLayerInspectEngineRegister2(reg->name, al_protocols[i].al_proto,
+                    SIG_FLAG_TOSERVER, al_protocols[i].to_server_progress, reg->Callback,
+                    reg->GetData);
+        }
+    }
+}
+
 /* Table with all SigMatch registrations */
 SigTableElmt sigmatch_table[DETECT_TBLSIZE];
 
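Review bot: `reg->PrefilterFn`, `reg->Callback` and `reg->GetData` are forwarded to `DetectAppLayerMpmRegister2()` and `DetectAppLayerInspectEngineRegister2()` without any check, while the caller only tests `name`. Unless those register functions reject NULL themselves (not visible here), a keyword that sets `name` but leaves a callback unset would get a NULL inspect callback registered for all seven listed protocols, and the problem would surface only when file traffic is inspected. Since util-validate.h is already included in this file, a guard at the top such as `DEBUG_VALIDATE_BUG_ON(reg == NULL || reg->Callback == NULL || reg->GetData == NULL);` would catch this during setup in validation builds. Separately, `al_protocols` is never written and could be `static const`, and the `direction == 0` fallback cannot be reached with the entries listed, so it deserves a one-line comment or removal.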
@@ -82,6 +134,9 @@ static void SigMatchTransferSigMatchAcrossLists(SigMatch *sm,
         SigMatch **src_sm_list, SigMatch **src_sm_list_tail,
         SigMatch **dst_sm_list, SigMatch **dst_sm_list_tail);
 
+/**
+ * \brief Registration table for file handlers
+ */
 /**
  * \brief We use this as data to the hash table DetectEngineCtx->dup_sig_hash_table.
  */
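Review bot: The added `\brief Registration table for file handlers` comment is not attached to anything: it is immediately followed by the existing Doxygen block for the duplicate-signature hash data, so it documents nothing at this position. The table it describes, `filehandler_table`, is defined earlier in this file and already carries `/* Table with all filehandler registrations */`. I would drop these three lines, or move the text to that definition as its Doxygen comment. The declaration that the second comment documents lies outside the hunk.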
index 75d4b7ef85a6edf983650e2aa62f15957e1aeb07..33a2d515f0d28d71516c08018308ac37e8a6cee6 100644 (file)
 #define __DETECT_PARSE_H__
 
 #include "detect.h"
+#include "detect-engine-mpm.h"
+
+/* File handler registration */
+#define MAX_DETECT_ALPROTO_CNT 10
+typedef struct DetectFileHandlerTableElmt_ {
+    const char *name;
+    int priority;
+    PrefilterRegisterFunc PrefilterFn;
+    InspectEngineFuncPtr2 Callback;
+    InspectionBufferGetDataPtr GetData;
+    int al_protocols[MAX_DETECT_ALPROTO_CNT];
+    int tx_progress;
+    int progress;
+} DetectFileHandlerTableElmt;
+void DetectFileRegisterFileProtocols(DetectFileHandlerTableElmt *entry);
+
+/* File registration table */
+extern DetectFileHandlerTableElmt filehandler_table[DETECT_TBLSIZE];
 
 /** Flags to indicate if the Signature parsing must be done
 *   switching the source and dest (for ip addresses and ports)
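Review bot: `DetectFileHandlerTableElmt` is added without field documentation, and three of its members, `al_protocols[MAX_DETECT_ALPROTO_CNT]`, `tx_progress` and `progress`, are not read by `DetectFileRegisterFileProtocols()` in this commit, which takes protocols and progress values from its own local table instead. Either document them as reserved for a later change or leave them out until they are used, so a keyword author does not fill them in expecting an effect on which protocols or progress states are inspected. I would add a `/** ... */` block on the struct saying which members a keyword must set (`name`, `priority`, `PrefilterFn`, `Callback`, `GetData`) and how a slot in `filehandler_table` is chosen, which the visible code does not state. The prototype names its parameter `entry` while the definition uses `reg`; one name for both would read better.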
@@ -104,4 +122,3 @@ int SC_Pcre2SubstringGet(pcre2_match_data *match_data, uint32_t number, PCRE2_UC
         PCRE2_SIZE *bufflen);
 
 #endif /* __DETECT_PARSE_H__ */
-