Merge pull request #3076 in SNORT/snort3 from ~BRASTULT/snort3:decompress_depth to...
authorRuss Combs (rucombs) <rucombs@cisco.com>
Wed, 6 Oct 2021 12:33:25 +0000 (12:33 +0000)
committerRuss Combs (rucombs) <rucombs@cisco.com>
Wed, 6 Oct 2021 12:33:25 +0000 (12:33 +0000)
Squashed commit of the following:

commit d056c241b14ced1f3357bd7c35f9ae2aea69ec85
Author: Brandon Stultz <brastult@cisco.com>
Date:   Mon Sep 20 18:02:37 2021 -0400

    lua: fix Talos tweak snaplen

commit 3f4aa706fea3ea693f3a9b008d5e548a169519c7
Author: Brandon Stultz <brastult@cisco.com>
Date:   Fri Sep 17 14:02:13 2021 -0400

    file_api: add decompress_buffer_size

lua/talos.lua
src/file_api/file_module.cc
src/mime/decode_buffer.cc
src/mime/file_mime_config.cc
src/mime/file_mime_config.h
src/mime/file_mime_context_data.cc
src/mime/file_mime_context_data.h
src/mime/file_mime_decode.cc
src/service_inspectors/http_inspect/http_field.cc
src/service_inspectors/http_inspect/http_msg_body.cc

index a165fc4b33a875c21405e564c26d4ea312e99c09..afa0a8f86d6b106d0a2491636d500b51ea8c059d 100644 (file)
@@ -13,25 +13,14 @@ function file_exists(name)
     end
 end
 
-daq =
+snort =
 {
-    modules =
-    {
-        {
-            name = 'pcap',
-            mode = 'read-file'
-        },
-        {
-            name = 'dump',
-            variables = { 'output=none' }
-        },
-    },
-    snaplen = 65535
+    ['-Q'] = true,
+    ['-s'] = 65535,
+    ['--daq'] = 'dump',
+    ['--daq-var'] = 'output=none'
 }
 
-snort = { }
-snort['-Q'] = true
-
 if file_exists('local.rules') then
     snort['-R'] = 'local.rules'
 end
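Review bot: The rewritten `snort` table drops the pcap module entry and its `mode = 'read-file'` and configures only the dump DAQ via `--daq`; if this tweak is still meant to replay capture files, the reader is presumably supplied on the command line (`-r`), but nothing in the file says so any more. A one-line comment above the table, `-- pcap input is expected from the command line (-r); only the dump DAQ is configured here`, would keep that assumption visible, and it is worth confirming that a single `['--daq-var']` string is sufficient now that only one DAQ module is named.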
index 32925f0d09ba77edd5f3e47bef4d6c55ed6b128b..bb94996de0fbb6e6e8fe48e98b6a513db4beb6f3 100644 (file)
@@ -196,13 +196,16 @@ static const Parameter file_id_params[] =
       "Non-Encoded MIME attachment extraction depth (-1 no limit)" },
 
     { "decompress_pdf", Parameter::PT_BOOL, nullptr, "false",
-      "decompress pdf files in MIME attachments" },
+      "decompress pdf files" },
 
     { "decompress_swf", Parameter::PT_BOOL, nullptr, "false",
-      "decompress swf files in MIME attachments" },
+      "decompress swf files" },
 
     { "decompress_zip", Parameter::PT_BOOL, nullptr, "false",
-      "decompress zip files in MIME attachments" },
+      "decompress zip files" },
+
+    { "decompress_buffer_size", Parameter::PT_INT, "1024:max31", "100000",
+      "file decompression buffer size" },
 
     { "qp_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
       "Quoted Printable decoding depth (-1 no limit)" },
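Review bot: The help string for the new `decompress_buffer_size` parameter names neither the unit nor the fact that the value is now the size actually allocated for every decompression buffer (the MIME context buffer and, per this commit, each HTTP body decompression), so an operator raising it towards `max31` has no hint of the memory cost. Suggest `"file decompression output buffer size in bytes (allocated per decompression buffer)"`. The dropped "in MIME attachments" wording on the three decompress_* flags is consistent with the HTTP path now using the same config, so that part reads correctly.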
@@ -346,6 +349,9 @@ bool FileIdModule::set(const char*, Value& v, SnortConfig*)
     else if ( v.is("decompress_zip") )
         FileService::decode_conf.set_decompress_zip(v.get_bool());
 
+    else if ( v.is("decompress_buffer_size") )
+        FileService::decode_conf.set_decompress_buffer_size(v.get_uint32());
+
     else if (v.is("b64_decode_depth"))
     {
         int32_t value = v.get_int32();
index e0c89041659424402be0294a48e0dd622ecd59d1..f44ee018e74617442f4be8a0f62ddb0be0b7dc72 100644 (file)
@@ -24,6 +24,7 @@
 
 #include "decode_buffer.h"
 
+#include "file_mime_config.h"
 #include "utils/util.h"
 
 void DecodeBuffer::reset_saved()
@@ -93,8 +94,6 @@ uint32_t DecodeBuffer::get_encode_avail()
     }
 }
 
-#define MAX_DEPTH       65536
-
 DecodeBuffer::DecodeBuffer(int max_depth)
 {
     if (!max_depth)
index 1884c9501b7fb7cf06290540dedd0f128bb7c8f2..9036cf10ae90b672b5c7ba6b7037eea5716b0ca0 100644 (file)
@@ -111,6 +111,16 @@ bool DecodeConfig::is_decompress_zip() const
     return decompress_zip;
 }
 
+void DecodeConfig::set_decompress_buffer_size(uint32_t size)
+{
+    decompress_buffer_size = size;
+}
+
+uint32_t DecodeConfig::get_decompress_buffer_size() const
+{
+    return decompress_buffer_size;
+}
+
 int64_t DecodeConfig::get_file_depth() const
 {
     return file_depth;
@@ -161,5 +171,6 @@ void DecodeConfig::show(bool full) const
     ConfigLogger::log_flag("decompress_pdf", decompress_pdf);
     ConfigLogger::log_flag("decompress_swf", decompress_swf);
     ConfigLogger::log_flag("decompress_zip", decompress_zip);
+    ConfigLogger::log_value("decompress_buffer_size", decompress_buffer_size);
 }
 
index ad26160d0a53d96b6d65be292b5638c5b60adb75..189cc31347795bbc5a224050faf6bec3b1ec983f 100644 (file)
 /*These are temporary values*/
 #define DEFAULT_MIME_MEMCAP           838860
 #define DEFAULT_DEPTH                 1464
+#define DEFAULT_DECOMP                100000
 #define MAX_LOG_MEMCAP                104857600
 #define MIN_LOG_MEMCAP                3276
 #define MIN_MIME_MEM                  3276
-#define MAX_DEPTH                     65535
+#define MAX_DEPTH                     65536
 #define MIN_DEPTH                     (-1)
 
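Review bot: MAX_DEPTH changes from 65535 to 65536 so that the header value can replace the local `#define MAX_DEPTH 65536` removed from decode_buffer.cc and file_mime_context_data.cc, but every other user of the header's MAX_DEPTH silently gains one byte of range; the DecodeConfig depth handling outside this hunk (sync_all_depths and friends) should be checked against the `"-1:65535"` ranges that file_module.cc still declares for the decode depths. Since these macros are now shared by several translation units and were evidently colliding with local definitions, `inline constexpr uint32_t MAX_DEPTH = 65536;` and `inline constexpr uint32_t DEFAULT_DECOMP = 100000;` inside `namespace snort` would turn the next redefinition into a compile error instead of a silent macro override. The "These are temporary values" comment also predates the new constant and could say which of these still are.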
 namespace snort
@@ -62,6 +63,9 @@ public:
     void set_decompress_zip(bool);
     bool is_decompress_zip() const;
 
+    void set_decompress_buffer_size(uint32_t);
+    uint32_t get_decompress_buffer_size() const;
+
     int64_t get_file_depth() const;
     bool is_decoding_enabled() const;
     void sync_all_depths();
@@ -77,6 +81,7 @@ private:
     bool decompress_pdf = false;
     bool decompress_swf = false;
     bool decompress_zip = false;
+    uint32_t decompress_buffer_size = DEFAULT_DECOMP;
     int64_t file_depth = MIN_DEPTH;
     bool decode_enabled = true;
 };
index de835defffa517675be75504aec4570fbf6e8761..c78590f81ea411471895090dc939264852d366b0 100644 (file)
 #include "file_mime_context_data.h"
 
 #include "detection/detection_engine.h"
+#include "file_api/file_service.h"
 #include "utils/util.h"
 
 using namespace snort;
 
-#define MAX_DEPTH       65536
 unsigned MimeDecodeContextData::mime_ips_id = 0;
 
 MimeDecodeContextData::MimeDecodeContextData()
 {
     decode_buf = (uint8_t*)snort_alloc(MAX_DEPTH);
-    decompress_buf = (uint8_t*)snort_alloc(MAX_DEPTH);
+
+    decompress_buf_size = FileService::decode_conf.get_decompress_buffer_size();
+    decompress_buf = (uint8_t*)snort_alloc(decompress_buf_size);
 }
 
 MimeDecodeContextData::~MimeDecodeContextData()
@@ -62,3 +64,10 @@ uint8_t* MimeDecodeContextData::get_decompress_buf()
     return data->decompress_buf;
 }
 
+uint32_t MimeDecodeContextData::get_decompress_buf_size()
+{
+    MimeDecodeContextData* data = IpsContextData::get<MimeDecodeContextData>(mime_ips_id);
+
+    return data->decompress_buf_size;
+}
+
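Review bot: `get_decompress_buf_size` dereferences `data` from `IpsContextData::get` with no null check, mirroring the existing `get_decompress_buf`, so it is only safe if `init()` guarantees the context exists before either is called. The size is read from `decode_conf` in the constructor at the same moment the buffer is allocated, which is what keeps `Avail_Out` in `MimeDecode::decompress_data` consistent with the allocation even if the configured value later changes; that pairing is worth stating next to the member, e.g. `// captured with the allocation above; must never be read from decode_conf again for this buffer`. The destructor that releases `decompress_buf` is outside the hunk and should free it regardless of the configured size.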
index b6db3df80169cf4ea0f25e94eac28a19d6031444..646fe454eb324ba6a7544668a9332b43e4ae7e0c 100644 (file)
@@ -32,10 +32,13 @@ public:
 
     uint8_t* decode_buf = nullptr;
     uint8_t* decompress_buf = nullptr;
+    uint32_t decompress_buf_size = 0;
 
     static void init();
+
     static uint8_t* get_decode_buf();
     static uint8_t* get_decompress_buf();
+    static uint32_t get_decompress_buf_size();
 };
 
 #endif
index 4eca743a224720ea0c4d2218765b12c619d4ea7a..6efac62482174fd65c5e16fb645962646f95a7f0 100644 (file)
@@ -156,10 +156,11 @@ DecodeResult MimeDecode::decompress_data(const uint8_t* buf_in, uint32_t size_in
         return result;
 
     uint8_t* decompress_buf = MimeDecodeContextData::get_decompress_buf();
+    uint32_t decompress_buf_size = MimeDecodeContextData::get_decompress_buf_size();
     fd_state->Next_In = buf_in;
     fd_state->Avail_In = size_in;
     fd_state->Next_Out = decompress_buf;
-    fd_state->Avail_Out = MAX_DEPTH;
+    fd_state->Avail_Out = decompress_buf_size;
 
     const fd_status_t status = File_Decomp(fd_state);
 
index edad4c17e47fcc29faff06976bc6c2d6f8a5e460..c9761bd82d23b439b575e3c2636155a7c2f2381b 100644 (file)
@@ -56,7 +56,6 @@ void Field::set(int32_t length, const uint8_t* start, bool own_the_buffer_)
     assert(strt == nullptr);
     assert(start != nullptr);
     assert(length >= 0);
-    assert(length <= MAX_OCTETS);
     strt = start;
     len = length;
     own_the_buffer = own_the_buffer_;
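Review bot: Dropping `assert(length <= MAX_OCTETS)` removes the only bound on a `Field`'s length for every caller of `Field::set`, not just the decompression path that now produces up to `decompress_buffer_size` (`max31`) bytes; any downstream code that still sizes scratch buffers by `MAX_OCTETS`, or that narrows `len` into a smaller type, loses the debug check that kept it honest. If only decompressed output is meant to exceed the old limit, consider keeping the assert for the other callers or documenting the relaxed bound in place, e.g. `// length may exceed MAX_OCTETS: decompression output is bounded by decompress_buffer_size`. `Field::set` continues outside the hunk.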
index 1ec84a0feabdf4fa32be289025fbf822f5de3571..fc16227c36f32557c2f6da1cfbb147c2803c372e 100644 (file)
@@ -24,6 +24,7 @@
 #include "http_msg_body.h"
 
 #include "file_api/file_flows.h"
+#include "file_api/file_service.h"
 #include "pub_sub/http_request_body_event.h"
 
 #include "http_api.h"
@@ -248,13 +249,14 @@ void HttpMsgBody::do_file_decompression(const Field& input, Field& output)
         output.set(input);
         return;
     }
-    uint8_t* buffer = new uint8_t[MAX_OCTETS];
+    const uint32_t buffer_size = FileService::decode_conf.get_decompress_buffer_size();
+    uint8_t* buffer = new uint8_t[buffer_size];
     session_data->fd_alert_context.infractions = transaction->get_infractions(source_id);
     session_data->fd_alert_context.events = session_data->events[source_id];
     session_data->fd_state->Next_In = input.start();
     session_data->fd_state->Avail_In = (uint32_t)input.length();
     session_data->fd_state->Next_Out = buffer;
-    session_data->fd_state->Avail_Out = MAX_OCTETS;
+    session_data->fd_state->Avail_Out = buffer_size;
 
     const fd_status_t status = File_Decomp(session_data->fd_state);
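Review bot: `new uint8_t[buffer_size]` allocates the full configured size on every call regardless of `input.length()`, and the parameter range now permits up to `max31` bytes, so the worst-case heap use per decompressed body section is operator-controlled rather than the fixed `MAX_OCTETS` it replaces; concurrent sessions multiply that cost. Where the buffer is released is outside the hunk (presumably handed to `output` with `own_the_buffer`), so a comment on the allocation such as `// sized by decompress_buffer_size; ownership passes to output below` would let a reader verify the release path without chasing it. `do_file_decompression` begins and ends outside the hunk.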