detect/file.data: support ftp and ftp-data

author Victor Julien <victor@inliniac.net>

Mon, 11 Jan 2021 14:28:30 +0000 (15:28 +0100)

committer Victor Julien <victor@inliniac.net>

Tue, 12 Jan 2021 17:29:09 +0000 (18:29 +0100)
author Victor Julien <victor@inliniac.net>
Mon, 11 Jan 2021 14:28:30 +0000 (15:28 +0100)
committer Victor Julien <victor@inliniac.net>
Tue, 12 Jan 2021 17:29:09 +0000 (18:29 +0100)
diff --git a/src/detect-file-data.c b/src/detect-file-data.c

index d34f5260b9be6082a504138fa01f319546d42080..cc39cb91817ef592fb52ce208cc359e1dde411e0 100644 (file)
--- a/src/detect-file-data.c
+++ b/src/detect-file-data.c
@@ -115,6 +115,14 @@ void DetectFiledataRegister(void)
      DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOCLIENT, 2,
              PrefilterMpmFiledataRegister, NULL,
              ALPROTO_HTTP2, HTTP2StateDataServer);
+    DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOSERVER, 2, PrefilterMpmFiledataRegister,
+            NULL, ALPROTO_FTPDATA, 0);
+    DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOCLIENT, 2, PrefilterMpmFiledataRegister,
+            NULL, ALPROTO_FTPDATA, 0);
+    DetectAppLayerMpmRegister2(
+            "file_data", SIG_FLAG_TOSERVER, 2, PrefilterMpmFiledataRegister, NULL, ALPROTO_FTP, 0);
+    DetectAppLayerMpmRegister2(
+            "file_data", SIG_FLAG_TOCLIENT, 2, PrefilterMpmFiledataRegister, NULL, ALPROTO_FTP, 0);
  
      DetectAppLayerInspectEngineRegister2("file_data", ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
              HTP_RESPONSE_BODY, DetectEngineInspectBufferHttpBody, HttpServerBodyGetDataCallback);
@@ -135,6 +143,14 @@ void DetectFiledataRegister(void)
      DetectAppLayerInspectEngineRegister2("file_data",
              ALPROTO_HTTP2, SIG_FLAG_TOCLIENT, HTTP2StateDataServer,
              DetectEngineInspectFiledata, NULL);
+    DetectAppLayerInspectEngineRegister2(
+            "file_data", ALPROTO_FTPDATA, SIG_FLAG_TOSERVER, 0, DetectEngineInspectFiledata, NULL);
+    DetectAppLayerInspectEngineRegister2(
+            "file_data", ALPROTO_FTPDATA, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectFiledata, NULL);
+    DetectAppLayerInspectEngineRegister2(
+            "file_data", ALPROTO_FTP, SIG_FLAG_TOSERVER, 0, DetectEngineInspectFiledata, NULL);
+    DetectAppLayerInspectEngineRegister2(
+            "file_data", ALPROTO_FTP, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectFiledata, NULL);
  
      DetectBufferTypeSetDescriptionByName("file_data",
              "http response body, smb files or smtp attachments data");
@@ -250,9 +266,10 @@ static int DetectFiledataSetup (DetectEngineCtx *de_ctx, Signature *s, const cha
      SCEnter();
  
      if (!DetectProtoContainsProto(&s->proto, IPPROTO_TCP) ||
-        (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP &&
-        s->alproto != ALPROTO_SMTP && s->alproto != ALPROTO_SMB &&
-        s->alproto != ALPROTO_HTTP2)) {
+            (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP &&
+                    s->alproto != ALPROTO_SMTP && s->alproto != ALPROTO_SMB &&
+                    s->alproto != ALPROTO_HTTP2 && s->alproto != ALPROTO_FTP &&
+                    s->alproto != ALPROTO_FTPDATA)) {
          SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
          return -1;
      }
author	Victor Julien <victor@inliniac.net>
	Mon, 11 Jan 2021 14:28:30 +0000 (15:28 +0100)
committer	Victor Julien <victor@inliniac.net>
	Tue, 12 Jan 2021 17:29:09 +0000 (18:29 +0100)