File *file = files->head;
while (file) {
+ SCLogDebug("file %p, file->chunks_head %p", file, file->chunks_head);
if (file->chunks_head) {
uint32_t window = smtp_config.content_inspect_window;
if (file->chunks_head->stream_offset == 0)
if (tx && tx->de_state) {
SCLogDebug("DETECT_ENGINE_STATE_FLAG_FILE_TS_NEW set");
tx->de_state->dir_state[0].flags |= DETECT_ENGINE_STATE_FLAG_FILE_TS_NEW;
+ } else if (tx == NULL) {
+ SCLogDebug("DETECT_ENGINE_STATE_FLAG_FILE_TS_NEW NOT set, no TX");
+ } else if (tx->de_state == NULL) {
+ SCLogDebug("DETECT_ENGINE_STATE_FLAG_FILE_TS_NEW NOT set, no TX DESTATE");
}
}
File *file = ffc->head;
for (; file != NULL; file = file->next) {
SCLogDebug("file");
-
if (file->state == FILE_STATE_NONE) {
SCLogDebug("file state FILE_STATE_NONE");
continue;
}
}
+ if (r == DETECT_ENGINE_INSPECT_SIG_NO_MATCH && store_r == DETECT_ENGINE_INSPECT_SIG_MATCH) {
+ SCLogDebug("stored MATCH, current file NOMATCH");
+ SCReturnInt(DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES);
+ }
+
if (store_r == DETECT_ENGINE_INSPECT_SIG_MATCH)
r = DETECT_ENGINE_INSPECT_SIG_MATCH;
SCReturnInt(r);
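Review bot: The new early return decides "more files" from `r == DETECT_ENGINE_INSPECT_SIG_NO_MATCH` on the last file the loop looked at, not from any file's state. As far as these lines show, a transaction whose files are all closed can still return DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES whenever an earlier file matched and the last one did not. The loop body that sets `r` and `store_r` is outside the hunk, so this needs confirming there; if NO_MATCH can also mean "closed and did not match", track whether any file was still below `FILE_STATE_CLOSED` and return the new code only in that case. At minimum, add a comment above the check such as `/* an earlier file matched, the last one has not (yet): report the match but keep the tx open for further file inspection */`.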
} else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILESTORE) {
SCLogDebug("sid %u can't match on this transaction (filestore sig)", s->id);
r = DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILESTORE;
+ } else if (match == DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES) {
+ SCLogDebug("match with more files ahead");
+ r = match;
}
-
end:
SCReturnInt(r);
}
engine = engine->next;
total_matches++;
continue;
+ } else if (match == DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES) {
+ /* if the file engine matched, but indicated more
+ * files are still in progress, we don't set inspect
+ * flags as these would end inspection for this tx */
+ engine = engine->next;
+ total_matches++;
+ continue;
} else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH) {
inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
inspect_flags |= engine->inspect_flags;
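Review bot: This branch counts a match (`total_matches++`) but records no inspect flags, so the signature stays eligible for the same transaction and will presumably be evaluated again on later packets. A file that already matched could then raise the same alert more than once. The code that turns `total_matches` into an alert is outside the hunk, so a test with two files in one tx, the first matching and the second not, would settle whether the alert fires exactly once. The same seven lines are added again in the next hunk, and the comment in both places could state the cost, e.g. `/* the sig is re-inspected for this tx until the file engine stops returning MATCH_MORE_FILES */`.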
engine = engine->next;
total_matches++;
continue;
+ } else if (match == DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES) {
+ /* if the file engine matched, but indicated more
+ * files are still in progress, we don't set inspect
+ * flags as these would end inspection for this tx */
+ engine = engine->next;
+ total_matches++;
+ continue;
} else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH) {
inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
inspect_flags |= engine->inspect_flags;
#define DETECT_ENGINE_INSPECT_SIG_MATCH 1
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH 2
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILESTORE 3
+/** hack to work around a file inspection limitation. Since there can be
+ * multiple files in a TX and the detection engine really don't know
+ * about that, we have to give the file inspection engine a way to
+ * indicate that one of the files matched, but that there are still
+ * more files that have ongoing inspection. */
+#define DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES 4
/** number of DeStateStoreItem's in one DeStateStore object */
#define DE_STATE_CHUNK_SIZE 15
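Review bot: The comment on DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES explains why the value exists but not its contract: which engine may return it and what a caller must do with it. The visible hunks handle the new code in three places; any other caller that compares an inspect result only against `DETECT_ENGINE_INSPECT_SIG_MATCH`, if one exists outside this diff, would treat 4 as neither a match nor a can't-match, which in a detection engine means a silently dropped alert. Consider extending the comment with `Returned only by the file inspection engine; callers must count it as a match but must not store inspect flags for the tx.` The wording "really don't know" should read "doesn't know".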
}
}
+ SCLogDebug("file->state %d. Is >= FILE_STATE_CLOSED: %s", file->state, (file->state >= FILE_STATE_CLOSED) ? "yes" : "no");
+
/* file is done when state is closed+, logging/storing is done (if any) */
if (file->state >= FILE_STATE_CLOSED &&
(!RunModeOutputFileEnabled() || (file->flags & FILE_LOGGED)) &&
BUG_ON(file != ffc->head);
+ SCLogDebug("removing file %p", file);
+
File *file_next = file->next;
/* update head and tail */