detect/filestore: use postmatch callback
authorVictor Julien <victor@inliniac.net>
Fri, 15 Mar 2019 20:41:49 +0000 (21:41 +0100)
committerVictor Julien <victor@inliniac.net>
Thu, 21 Mar 2019 18:19:04 +0000 (19:19 +0100)
src/detect-engine-register.h
src/detect-filestore.c
src/detect-filestore.h
src/detect.c

index a871ad41e4cca95f7c7022fb1af4a4b19a43b4f6..89d44bee6a53ef601c68e800b8df7d2209c97079 100644 (file)
@@ -178,6 +178,7 @@ enum {
     DETECT_FILE_NAME,
     DETECT_FILEEXT,
     DETECT_FILESTORE,
+    DETECT_FILESTORE_POSTMATCH,
     DETECT_FILEMAGIC,
     DETECT_FILEMD5,
     DETECT_FILESHA1,
index b2f84d911444555591029f2fec67890b53d9a87a..8d88e02159871fc831132099c81857734b38878e 100644 (file)
@@ -62,6 +62,8 @@ static pcre_extra *parse_regex_study;
 
 static int DetectFilestoreMatch (ThreadVars *, DetectEngineThreadCtx *,
         Flow *, uint8_t, File *, const Signature *, const SigMatchCtx *);
+static int DetectFilestorePostMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
+        Packet *p, const Signature *s, const SigMatchCtx *ctx);
 static int DetectFilestoreSetup (DetectEngineCtx *, Signature *, const char *);
 static void DetectFilestoreFree(void *);
 static void DetectFilestoreRegisterTests(void);
@@ -81,6 +83,10 @@ void DetectFilestoreRegister(void)
     sigmatch_table[DETECT_FILESTORE].RegisterTests = DetectFilestoreRegisterTests;
     sigmatch_table[DETECT_FILESTORE].flags = SIGMATCH_OPTIONAL_OPT;
 
+    sigmatch_table[DETECT_FILESTORE_POSTMATCH].name = "__filestore__postmatch__";
+    sigmatch_table[DETECT_FILESTORE_POSTMATCH].Match = DetectFilestorePostMatch;
+    sigmatch_table[DETECT_FILESTORE_POSTMATCH].Free  = DetectFilestoreFree;
+
     DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
 
     g_file_match_list_id = DetectBufferTypeRegister("files");
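Review bot: The new `DETECT_FILESTORE_POSTMATCH` entry sets `Free = DetectFilestoreFree`, but the setup hunk later in this file appends that entry with `sm->ctx = NULL`, so the callback is only safe if it, or its caller, tolerates a NULL context. DetectFilestoreFree's body is not visible in this diff, so either confirm that or leave `Free` unset for the internal entry. The entry also gets a `name` but no `Setup`, and nothing here marks it as internal; a comment such as `/* internal: appended by DetectFilestoreSetup, not a rule keyword */` above the three assignments would make that explicit. Whether the rule parser rejects a keyword that has no `Setup` cannot be seen from this page and is worth checking, since a rule that names it directly should fail to load.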
@@ -184,7 +190,8 @@ static int FilestorePostMatchWithOptions(Packet *p, Flow *f, const DetectFilesto
  *  When we are sure all parts of the signature matched, we run this function
  *  to finalize the filestore.
  */
-int DetectFilestorePostMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, const Signature *s)
+static int DetectFilestorePostMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
+        Packet *p, const Signature *s, const SigMatchCtx *ctx)
 {
     uint8_t flags = 0;
 
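Review bot: The added `ctx` parameter is not described in the doc comment above the function, and the setup hunk registers this entry with a NULL context, so the argument appears to be unused here. I would add a line to the comment such as `\param ctx unused, the post-match entry carries no context`, so nobody later dereferences it on the assumption that it mirrors `s->filestore_ctx`. The comment starts and the function body continues outside this hunk, so whether `ctx` is referenced further down could not be checked.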
@@ -216,14 +223,11 @@ int DetectFilestorePostMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Pack
 
     /* filestore for single files only */
     if (s->filestore_ctx == NULL) {
-        uint16_t u;
-        for (u = 0; u < det_ctx->filestore_cnt; u++) {
+        for (uint16_t u = 0; u < det_ctx->filestore_cnt; u++) {
             FileStoreFileById(ffc, det_ctx->filestore[u].file_id);
         }
     } else {
-        uint16_t u;
-
-        for (u = 0; u < det_ctx->filestore_cnt; u++) {
+        for (uint16_t u = 0; u < det_ctx->filestore_cnt; u++) {
             FilestorePostMatchWithOptions(p, p->flow, s->filestore_ctx, ffc,
                     det_ctx->filestore[u].file_id, det_ctx->filestore[u].tx_id);
         }
@@ -427,6 +431,14 @@ static int DetectFilestoreSetup (DetectEngineCtx *de_ctx, Signature *s, const ch
     SigMatchAppendSMToList(s, sm, g_file_match_list_id);
     s->filestore_ctx = (const DetectFilestoreData *)sm->ctx;
 
+    sm = SigMatchAlloc();
+    if (unlikely(sm == NULL))
+        goto error;
+    sm->type = DETECT_FILESTORE_POSTMATCH;
+    sm->ctx = NULL;
+    SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_POSTMATCH);
+
+
     s->flags |= SIG_FLAG_FILESTORE;
     return 0;
 
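Review bot: The `goto error` taken when the second `SigMatchAlloc()` fails runs after the first SigMatch has been appended to the signature and `s->filestore_ctx` already points at its context, so the `error:` label must not release anything the signature now owns. `sm` itself is NULL on that path, but if the label frees the filestore context, the result would be a double free or a dangling `filestore_ctx` when the signature is torn down. The label and the start of DetectFilestoreSetup are outside this hunk, so this needs checking against the full function. Separately, the second blank line before `s->flags |= SIG_FLAG_FILESTORE;` can go, and a comment such as `/* finalize the store from the post-match list, once the whole signature matched */` would explain why a second SigMatch is appended.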
index 09d2e25f18dae48e01012980279c60568cb22b9f..f394842fbd8bde409ff28446294265ac430cec58 100644 (file)
@@ -41,7 +41,4 @@ typedef struct DetectFilestoreData_ {
 /* prototypes */
 void DetectFilestoreRegister (void);
 
-int DetectFilestorePostMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
-        Packet *p, const Signature *);
-
 #endif /* __DETECT_FILESTORE_H__ */
index ea568a45173557bf5cbe62fe0c4216b8f00aa0ed..d1ecf9501da759a08a06126f6e56673b0c114dfa 100644 (file)
@@ -164,11 +164,6 @@ static void DetectRunPostMatch(ThreadVars *tv,
             smd++;
         }
     }
-
-    if (s->flags & SIG_FLAG_FILESTORE)
-        DetectFilestorePostMatch(tv, det_ctx, p, s);
-
-    return;
 }
 
 /**