move file_data to detection context
authorRuss Combs <rucombs@cisco.com>
Sun, 23 Oct 2016 21:39:20 +0000 (17:39 -0400)
committerRuss Combs <rucombs@cisco.com>
Wed, 18 Jan 2017 15:02:17 +0000 (10:02 -0500)
16 files changed:
extra/src/inspectors/http_server/hi_main.cc
src/codecs/root/cd_eth.cc
src/detection/detection_engine.cc
src/detection/detection_engine.h
src/detection/detection_util.h
src/detection/fp_detect.cc
src/detection/ips_context.h
src/ips_options/ips_file_data.cc
src/log/log_text.cc
src/main/snort.cc
src/mime/file_mime_process.cc
src/service_inspectors/dce_rpc/dce_smb2.cc
src/service_inspectors/dce_rpc/dce_smb_utils.cc
src/service_inspectors/ftp_telnet/ftp_data.cc
src/service_inspectors/http_inspect/http_msg_body.cc
src/stream/file/file_session.cc

index bdf50aab53090f024de037ade7510694138dddf2..fa66eca5d0531e85833887954b071d2e4323e4fa 100644 (file)
@@ -1072,7 +1072,7 @@ int HttpInspectMain(HTTPINSPECT_CONF* conf, Packet* p)
                 else
                 {
                     set_file_data((uint8_t*)session->server.response.body,
-                        (uint16_t)detect_data_size);
+                        (uint16_t)detect_data_size); 
                 }
 
                 FileFlows* file_flows = FileFlows::get_file_flows(p->flow);
@@ -1208,7 +1208,10 @@ int IsGzipData(Flow* flow)
     if (hsd == NULL)
         return -1;
 
-    if ((hsd->log_flags & HTTP_LOG_GZIP_DATA) && ( get_file_data().len > 0 ))
+    DataPointer file_data;
+    DetectionEngine::get_file_data(file_data);
+
+    if ((hsd->log_flags & HTTP_LOG_GZIP_DATA) && (file_data.len > 0 ))
         return 0;
     else
         return -1;
@@ -1218,10 +1221,11 @@ int GetHttpGzipData(Flow* flow, uint8_t** buf, uint32_t* len, uint32_t* type)
 {
     if (!IsGzipData(flow))
     {
-        DataPointer& gzip = get_file_data();
+        DataPointer file_data;
+        DetectionEngine::get_file_data(file_data);
 
-        *buf = gzip.data;
-        *len = gzip.len;
+        *buf = (uint8_t*)file_data.data;
+        *len = file_data.len;
         *type = EVENT_INFO_GZIP_DATA;
         return 1;
     }
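Review bot: `*buf = (uint8_t*)file_data.data;` reintroduces a const-removing C-style cast in the same commit that makes `DataPointer::data` const, and the same cast appears in GetHttpJSNormData (hunk at @@ -1251). Whether any caller writes through `*buf` is not visible here, but the out-parameter type is where to fix it: `int GetHttpGzipData(Flow* flow, const uint8_t** buf, uint32_t* len, uint32_t* type)` with `*buf = file_data.data;`. If the callback signature cannot change, spell it `*buf = const_cast<uint8_t*>(file_data.data);` so the const removal is explicit and greppable rather than hidden in a C cast.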
@@ -1241,7 +1245,10 @@ int IsJSNormData(Flow* flow)
     if (hsd == NULL)
         return -1;
 
-    if ((hsd->log_flags & HTTP_LOG_JSNORM_DATA) && ( get_file_data().len > 0 ))
+    DataPointer file_data;
+    DetectionEngine::get_file_data(file_data);
+
+    if ((hsd->log_flags & HTTP_LOG_JSNORM_DATA) && (file_data.len > 0 ))
         return 0;
     else
         return -1;
@@ -1251,10 +1258,11 @@ int GetHttpJSNormData(Flow* flow, uint8_t** buf, uint32_t* len, uint32_t* type)
 {
     if (!IsJSNormData(flow))
     {
-        DataPointer& js = get_file_data();
+        DataPointer file_data;
+        DetectionEngine::get_file_data(file_data);
 
-        *buf = js.data;
-        *len = js.len;
+        *buf = (uint8_t*)file_data.data;
+        *len = file_data.len;
         *type = EVENT_INFO_JSNORM_DATA;
         return 1;
     }
index e8d6dbfab24a9412fb24753dde823bc4905ef09d..c624798aee6756e7dfe3d4548b454f71a910d203 100644 (file)
@@ -27,6 +27,7 @@
 #include "codecs/codec_module.h"
 #include "framework/codec.h"
 #include "log/text_log.h"
+#include "main/snort_config.h"
 #include "protocols/eth.h"
 #include "protocols/packet_manager.h"
 
index db1c64237f0e19ef93765318d2d7d84d3bb27b8f..6eedf01d0493516baedbb65038e0ea00d5830712 100644 (file)
@@ -20,7 +20,6 @@
 
 #include "detection_engine.h"
 
-#include "detection/detection_engine.h"
 #include "events/sfeventq.h"
 #include "filters/sfthreshold.h"
 #include "framework/endianness.h"
@@ -37,6 +36,7 @@
 #include "utils/stats.h"
 
 #include "context_switcher.h"
+#include "detection_util.h"
 #include "detect.h"
 #include "fp_detect.h"
 #include "ips_context.h"
@@ -72,13 +72,13 @@ Packet* DetectionEngine::get_encode_packet()
 MpseStash* DetectionEngine::get_stash()
 { return Snort::get_switcher()->get_context()->stash; }
 
+// we need to stay in the current context until rebuild is successful
+// any events while rebuilding will be logged against the current packet
 Packet* DetectionEngine::set_packet()
 {
-    // we need to stay in the current context until rebuild is successful
-    // any events while rebuilding will be logged against the current packet
-    // FIXIT-H bypass the interrupt / complete
     ContextSwitcher* sw = Snort::get_switcher();
+
+    // FIXIT-H bypass the interrupt / complete
     const IpsContext* c = sw->interrupt();
     Packet* p = c->packet;
     sw->complete();
@@ -88,7 +88,6 @@ Packet* DetectionEngine::set_packet()
     p->pkt = c->buf;
 
     p->reset();
-
     return p;
 }
 
@@ -115,6 +114,35 @@ uint8_t* DetectionEngine::get_buffer(unsigned& max)
     return Snort::get_switcher()->get_context()->buf;
 }
 
+// similar to set_packet() because http_inspect does everything via the
+// splitter, ie before reassembly.  maybe that should change.  for now
+// we do it this way.
+void DetectionEngine::set_next_file_data(const DataPointer& dp)
+{
+    ContextSwitcher* sw = Snort::get_switcher();
+
+    // FIXIT-H bypass the interrupt / complete
+    IpsContext* c = sw->interrupt();
+    c->file_data = dp;
+    sw->complete();
+}
+
+void DetectionEngine::get_next_file_data(DataPointer& dp)
+{
+    ContextSwitcher* sw = Snort::get_switcher();
+
+    // FIXIT-H bypass the interrupt / complete
+    IpsContext* c = sw->interrupt();
+    dp = c->file_data;
+    sw->complete();
+}
+
+void DetectionEngine::set_file_data(const DataPointer& dp)
+{ Snort::get_switcher()->get_context()->file_data = dp; }
+
+void DetectionEngine::get_file_data(DataPointer& dp)
+{ dp = Snort::get_switcher()->get_context()->file_data; }
+
 void DetectionEngine::set_data(unsigned id, IpsContextData* p)
 { Snort::get_switcher()->get_context()->set_context_data(id, p); }
 
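Review bot: `set_file_data` and `set_next_file_data` store a non-owning pointer in the context, and nothing here bounds its lifetime: the buffer behind `dp.data` must outlive every `get_file_data()` reader up to the matching `clear_file_data()`, otherwise `fp_search` and `FileDataOption::eval` read memory that has been freed or reused. `set_next_file_data` is the riskier of the two because it writes into the context returned by `sw->interrupt()` rather than the current one, and this diff does not show what clears that context's `file_data` if the rebuild it was staged for never happens. A comment above `set_next_file_data` stating the rule, e.g. `// dp is non-owning; the producer must keep the buffer valid until the context's file_data is cleared`, plus a reset of `file_data` wherever a context is recycled, would make the contract explicit.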
index 12fd50cf8c50aead225a56e51280cd174acd0bfb..3cce494662403459ae259af458177eb760f97f5d 100644 (file)
 
 // DetectionEngine manages a detection context.  To detect a rebuilt
 // packet (PDU), first call set_packet().  If rebuild is successful,
-// then instantiate a new DetectionContext() to detect that packet.
+// then instantiate a new DetectionEngine to detect that packet.
 
 #include "actions/actions.h"
+#include "detection/detection_util.h"
 #include "main/snort_types.h"
 
+struct DataPointer;
+struct Packet;
+
 class IpsContext;
 class IpsContextData;
-struct Packet;
 
 class SO_PUBLIC DetectionEngine
 {
@@ -50,6 +53,12 @@ public:
     static void set_encode_packet(Packet*);
     static Packet* get_encode_packet();
 
+    static void set_next_file_data(const DataPointer&);
+    static void get_next_file_data(DataPointer&);
+
+    static void set_file_data(const DataPointer&);
+    static void get_file_data(DataPointer&);
+
     static class MpseStash* get_stash();
     static uint8_t* get_buffer(unsigned& max);
 
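Review bot: The four new accessors use out-parameters for a two-word trivially copyable struct; returning by value reads better and lets callers keep the result const: `static DataPointer get_file_data();` and `static DataPointer get_next_file_data();`, with the .cc bodies becoming `return Snort::get_switcher()->get_context()->file_data;`. Every call site in this commit currently needs the two-line `DataPointer file_data; DetectionEngine::get_file_data(file_data);` pattern, which the by-value form collapses to `const DataPointer file_data = DetectionEngine::get_file_data();`. The class body continues outside this hunk.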
@@ -86,5 +95,22 @@ private:
     static struct SF_EVENTQ* get_event_queue();
 };
 
+static inline void set_next_file_data(const uint8_t* p, unsigned n)
+{
+    DataPointer dp { p, n };
+    DetectionEngine::set_next_file_data(dp);
+}
+
+static inline void set_file_data(const uint8_t* p, unsigned n)
+{
+    DataPointer dp { p, n };
+    DetectionEngine::set_file_data(dp);
+}
+
+// FIXIT-H refactor detection resets
+// this should only be called by framework
+static inline void clear_file_data()
+{ set_file_data(nullptr, 0); }
+    
 #endif
 
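Review bot: The comment on `clear_file_data()` says it should only be called by framework, but this same commit calls it from `DCE2_FileDetect()` in dce_smb_utils.cc, so either the comment or the call is out of step. If inspectors that invoke `DetectionEngine::detect()` themselves are meant to reset afterwards, reword it to `// called by the framework after main_hook(), and by inspectors that call detect() directly`. Two smaller things in the same hunk: the helpers are `static inline` in a header, where plain `inline` is the conventional spelling, and the new line before `#endif` carries trailing whitespace. The added `struct DataPointer;` forward declaration at the top of this header is also redundant, since `detection/detection_util.h` is now included and these helpers need the complete type anyway.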
index 4ea132d46bfcbbb5efcdd5fa7a434c44b2e66cc7..29567e816e538ec75b961d92db1a90564bae90de 100644 (file)
@@ -31,7 +31,7 @@
 
 struct DataPointer
 {
-    uint8_t* data;
+    const uint8_t* data;
     unsigned len;
 };
 
@@ -41,8 +41,6 @@ struct DataBuffer
     unsigned len;
 };
 
-extern THREAD_LOCAL DataPointer g_file_data;
-
 #define SetDetectLimit(pktPtr, altLen) \
 { \
     pktPtr->alt_dsize = altLen; \
@@ -50,9 +48,6 @@ extern THREAD_LOCAL DataPointer g_file_data;
 
 #define IsLimitedDetect(pktPtr) (pktPtr->packet_flags & PKT_HTTP_DECODE)
 
-SO_PUBLIC DataPointer& get_file_data();
-SO_PUBLIC void set_file_data(uint8_t*, unsigned);
-
 // FIXIT-L event trace should be placed in its own files
 void EventTrace_Init();
 void EventTrace_Term();
@@ -64,8 +59,5 @@ inline int EventTrace_IsEnabled()
     return ( snort_conf->event_trace_max > 0 );
 }
 
-inline void DetectReset()
-{ set_file_data(nullptr, 0); }
-
 #endif
 
index 849ce3f9c7dccba96935252e68a8c257eff3dc80..31c10e1266ba7a8ad4910bf1ec3c989c9e47938a 100644 (file)
@@ -905,8 +905,10 @@ static int fp_search(
         {
             // FIXIT-M file data should be obtained from
             // inspector gadget as is done with SEARCH_BUFFER
-            if ( g_file_data.len )
-                SEARCH_DATA(g_file_data.data, g_file_data.len, pc.file_searches);
+            DataPointer file_data;
+            DetectionEngine::get_file_data(file_data);
+            if ( file_data.len )
+                SEARCH_DATA(file_data.data, file_data.len, pc.file_searches);
         }
     }
     return 0;
index 8ba9ecf8029b81711d78d94954759ce090c17c3d..9c1580a61f4001b4f7862f04b7c0144c130c2b8d 100644 (file)
@@ -36,6 +36,8 @@
 // required to get a decent decl of pkth
 #include "protocols/packet.h"
 
+#include "detection/detection_util.h"
+
 class SO_PUBLIC IpsContextData
 {
 public:
@@ -69,6 +71,8 @@ public:
     DAQ_PktHdr_t* pkth;
     uint8_t* buf;
 
+    DataPointer file_data;
+
     class MpseStash* stash;
     struct OtnxMatchData* otnx;
     uint64_t pkt_count;
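Review bot: `DataPointer file_data;` is added without an initializer, so unless IpsContext's constructor (outside this hunk) zeroes it, a context whose file data was never set reports indeterminate `len` and `data` from `get_file_data()`, and `fp_search` would then run SEARCH_DATA over a garbage pointer. A default member initializer makes the empty state explicit regardless of constructor order: `DataPointer file_data = { nullptr, 0 };`. The neighbouring raw-pointer members suggest the constructor does initialize its fields, so this may be belt-and-braces, but it costs nothing and removes the dependency on that convention.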
index ed9b99349fed45440adb3846e766867f02a4fa77..c79179b04cbbe0c6a360812b4b4c9f2395026574 100644 (file)
@@ -23,7 +23,7 @@
 #endif
 
 #include "detection/detection_defines.h"
-#include "detection/detection_util.h"
+#include "detection/detection_engine.h"
 #include "framework/cursor.h"
 #include "framework/ips_option.h"
 #include "framework/module.h"
@@ -53,7 +53,8 @@ int FileDataOption::eval(Cursor& c, Packet*)
 {
     Profile profile(fileDataPerfStats);
 
-    DataPointer& dp = get_file_data();
+    DataPointer dp;
+    DetectionEngine::get_file_data(dp);
 
     if ( !dp.data || !dp.len )
         return DETECTION_OPTION_NO_MATCH;
index f1f705868f2b405079d8e7e08dcb5451feb4a6fe..624692f8471ac92298826dce8fe20d61674dae24 100644 (file)
@@ -28,7 +28,7 @@
 
 #include <sfbpf_dlt.h>
 
-#include "detection/detection_util.h"
+#include "detection/detection_engine.h"
 #include "detection/signature.h"
 #include "events/event.h"
 #include "main/snort_config.h"
@@ -1183,10 +1183,10 @@ void LogXrefs(TextLog* log, const Event* e, bool doNewLine)
  * Returns: void function
  *--------------------------------------------------------------------
  */
-static void LogCharData(TextLog* log, const char* data, int len)
+static void LogCharData(TextLog* log, const uint8_t* data, int len)
 {
-    const char* pb = data;
-    const char* end = data + len;
+    const uint8_t* pb = data;
+    const uint8_t* end = data + len;
     int lineCount = 0;
 
     if ( !data )
@@ -1463,14 +1463,15 @@ void LogPayload(TextLog* log, Packet* p)
     {
         if (SnortConfig::output_char_data())
         {
-            LogCharData(log, (const char*)p->data, p->dsize);
+            LogCharData(log, p->data, p->dsize);
 
-            DataPointer& fdata = get_file_data();
+            DataPointer file_data;
+            DetectionEngine::get_file_data(file_data);
 
-            if ( fdata.len > 0 )
+            if ( file_data.len > 0 )
             {
                 TextLog_Print(log, "%s\n", "File data");
-                LogCharData(log, (const char*)fdata.data, fdata.len);
+                LogCharData(log, file_data.data, file_data.len);
             }
         }
         else
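Review bot: The `DataPointer file_data; DetectionEngine::get_file_data(file_data);` fetch is repeated in the `else` branch of the same function (hunk at @@ -1489), and both branches test `file_data.len > 0` on the same context value. Fetch it once above `if (SnortConfig::output_char_data())` and use it in both branches so the two logging paths cannot drift apart. LogPayload's body extends beyond this hunk.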
@@ -1489,10 +1490,13 @@ void LogPayload(TextLog* log, Packet* p)
             {
                 LogNetData(log, p->data, p->dsize, p);
 
-                if ( g_file_data.len > 0 )
+                DataPointer file_data;
+                DetectionEngine::get_file_data(file_data);
+
+                if ( file_data.len > 0 )
                 {
                     TextLog_Print(log, "%s\n", "File data");
-                    LogNetData(log, g_file_data.data, g_file_data.len, p);
+                    LogNetData(log, file_data.data, file_data.len, p);
                 }
             }
         }
index e22281c5d388bd70041f9b514bd77f3023cdfafa..b545413f2eacde3b3060a93b023279f875e606d5 100644 (file)
@@ -739,8 +739,7 @@ void Snort::inspect(Packet* p)
     DetectionEngine de;
     main_hook(p);
 
-    DetectReset();  // FIXIT-H context
-
+    clear_file_data();
     DetectionEngine::set_detects(save_detect);
 }
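Review bot: `clear_file_data()` is now spelled out at three call sites (here, in `process_packet` below, and in `DCE2_FileDetect`), which is exactly the manual reset the header's `FIXIT-H refactor detection resets` complains about. `Snort::inspect` already has a scoped `DetectionEngine de;` on the line above, so the natural home for the reset is that object's destructor (not visible in this diff); clearing `file_data` there would make the two calls in this file redundant and harder to forget. Until that refactor lands, keep the dropped `// FIXIT-H context` marker on the call so the intent survives.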
 
@@ -760,7 +759,7 @@ DAQ_Verdict Snort::process_packet(
 
     if ( !(p->packet_flags & PKT_IGNORE) )
     {
-        DetectReset();
+        clear_file_data();
         main_hook(p);
     }
 
index bfba6398f9071ab7b9f7060aae51e7c1cebced4d..38921491be5a93923e7b1eeb1ec456d28a9209e0 100644 (file)
@@ -26,7 +26,7 @@
 
 #include "file_mime_process.h"
 
-#include "detection/detection_util.h"
+#include "detection/detection_engine.h"
 #include "file_api/file_flows.h"
 #include "log/messages.h"
 #include "search_engines/search_tool.h"
@@ -527,7 +527,7 @@ const uint8_t* MimeSession::process_mime_data_paf(
     // FIXIT-L why is this being set?  we don't search file data until
     // we set it again below after decoding.  can it be deleted?
     if ( decode_conf && (!decode_conf->is_ignore_data()))
-        set_file_data((uint8_t*)start, (end - start));
+        set_file_data(start, (end - start));
 
     if (data_state == STATE_DATA_HEADER)
     {
index fb613edc77825a4e28938a13fbc8cc3eb66f6d3f..d57407310b7ebecd285a0abde0ede11eef1188d9 100644 (file)
@@ -273,7 +273,7 @@ static inline void DCE2_Smb2ProcessFileData(DCE2_SmbSsnData* ssd, const uint8_t*
 
     if (detection_size)
     {
-        set_file_data((uint8_t*)file_data,
+        set_file_data(file_data,
             (detection_size > UINT16_MAX) ? UINT16_MAX : (uint16_t)detection_size);
 
         DCE2_FileDetect();
index df5fa9468ceccbf03420c8f07f3cc42c1a4865e7..bf2f64b39f7793750e91d7bde39c442511359904 100644 (file)
@@ -1887,9 +1887,7 @@ void DCE2_SmbProcessFileData(DCE2_SmbSsnData* ssd,
         ((ftracker->ff_file_offset == ftracker->ff_bytes_processed) &&
         ((file_data_depth == 0) || (ftracker->ff_bytes_processed < (uint64_t)file_data_depth))))
     {
-        set_file_data((uint8_t*)data_ptr,
-            (data_len > UINT16_MAX) ? UINT16_MAX : (uint16_t)data_len);
-
+        set_file_data(data_ptr, (data_len > UINT16_MAX) ? UINT16_MAX : (uint16_t)data_len);
         DCE2_FileDetect();
     }
 
@@ -1993,7 +1991,7 @@ void DCE2_FileDetect()
     DetectionEngine::detect(top_pkt);
 
     // Reset file data pointer after detecting
-    set_file_data(nullptr, 0);
+    clear_file_data();
     dce2_detected = 1;
 }
 
index 9eaa1f81ea5329d2e843fceba872567c20d932b5..f3cb904f22e8b26e7b31322bd147faf6b6db4f9d 100644 (file)
@@ -23,7 +23,7 @@
 
 #include "ftp_data.h"
 
-#include "detection/detection_util.h"
+#include "detection/detection_engine.h"
 #include "file_api/file_flows.h"
 #include "file_api/file_service.h"
 #include "packet_io/active.h"
@@ -48,14 +48,12 @@ static THREAD_LOCAL SimpleStats fdstats;
 // implementation stuff
 //-------------------------------------------------------------------------
 
-// FIXIT-L seems like file_data should be const pointer.
-// Need to root this out and eliminate const-removing casts.
 static void FTPDataProcess(
     Packet* p, FTP_DATA_SESSION* data_ssn, uint8_t* file_data, uint16_t data_length)
 {
     int status;
 
-    set_file_data((uint8_t*)p->data, p->dsize);
+    set_file_data(p->data, p->dsize);
 
     if (data_ssn->packet_flags & FTPDATA_FLG_REST)
     {
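Review bot: The removed FIXIT-L about `file_data` needing to be a const pointer was only half addressed: the cast on `p->data` is gone, but the `uint8_t* file_data` parameter of FTPDataProcess that the note referred to is still non-const. Unless the body (which continues past this hunk) writes through it, change the signature to `Packet* p, FTP_DATA_SESSION* data_ssn, const uint8_t* file_data, uint16_t data_length`; otherwise keep the FIXIT so the remaining work is not lost with the comment.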
index 61ee1466a34d83fed9edf1c47adb4a0bd11d29ea..570e77858cdf620a4ccd5151c36af5cb384ea2fb 100644 (file)
@@ -53,8 +53,10 @@ void HttpMsgBody::analyze()
             js_norm_body.length() : session_data->detect_depth_remaining[source_id];
         detect_data.set(detect_length, js_norm_body.start());
         session_data->detect_depth_remaining[source_id] -= detect_length;
+
         // Always set file data. File processing will later set a new value in some cases.
-        set_file_data(const_cast<uint8_t*>(detect_data.start()), (unsigned)detect_data.length());
+        set_next_file_data(
+            const_cast<uint8_t*>(detect_data.start()), (unsigned)detect_data.length());
     }
 
     if (session_data->file_depth_remaining[source_id] > 0)
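Review bot: The `const_cast<uint8_t*>` in the new `set_next_file_data(...)` call is now unnecessary: the helper takes `const uint8_t*`, so `set_next_file_data(detect_data.start(), (unsigned)detect_data.length());` compiles without it, and the cast only hides the const-correctness this commit introduces. Dropping it also lets the call fit on one line again. The enclosing `analyze()` starts before this hunk.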
@@ -199,7 +201,9 @@ void HttpMsgBody::print_body_section(FILE* output)
     get_classic_buffer(HTTP_BUFFER_CLIENT_BODY, 0, 0).print(output,
         HttpApi::classic_buffer_names[HTTP_BUFFER_CLIENT_BODY-1]);
 
-    DataPointer& body = get_file_data();
+    DataPointer body;
+    DetectionEngine::get_next_file_data(body);
+
     if (body.len > 0)
     {
         Field(body.len, body.data).print(output, "file_data");
index 0a812e7eda5d7f772ed71956ba66e73d694e4fb7..2d4f169e4e602cd7f37df359b37c5b12700e8130 100644 (file)
@@ -23,7 +23,7 @@
 
 #include "file_session.h"
 
-#include "detection/detection_util.h"
+#include "detection/detection_engine.h"
 #include "file_api/file_flows.h"
 #include "packet_io/sfdaq.h"
 #include "profiler/profiler_defs.h"
@@ -84,7 +84,7 @@ int FileSession::process(Packet* p)
         if (file_name)
             file_flows->set_file_name((uint8_t*)file_name, strlen(file_name));
     }
-    set_file_data((uint8_t*)p->data, p->dsize);
+    set_file_data(p->data, p->dsize);
 
     return 0;
 }