#include "util-profiling.h"
#include "util-validate.h"
+FileAppProto file_protos_ts_static[] = {
+ { ALPROTO_HTTP1, HTP_REQUEST_BODY },
+ { ALPROTO_SMTP, 0 },
+ { ALPROTO_FTP, 0 },
+ { ALPROTO_FTPDATA, 0 },
+ { ALPROTO_SMB, 0 },
+ { ALPROTO_NFS, 0 },
+ { ALPROTO_HTTP2, HTTP2StateDataClient },
+ { ALPROTO_UNKNOWN, 0 },
+};
+
+FileAppProto file_protos_tc_static[] = {
+ { ALPROTO_HTTP1, HTP_RESPONSE_BODY },
+ { ALPROTO_FTP, 0 },
+ { ALPROTO_FTPDATA, 0 },
+ { ALPROTO_SMB, 0 },
+ { ALPROTO_NFS, 0 },
+ { ALPROTO_HTTP2, HTTP2StateDataServer },
+ { ALPROTO_UNKNOWN, 0 },
+};
+
+FileAppProto *file_protos_ts = file_protos_ts_static;
+FileAppProto *file_protos_tc = file_protos_tc_static;
/**
* \brief Inspect the file inspecting keywords.
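Review bot: `file_protos_ts_static` and `file_protos_tc_static` are defined without `static` or `const`, so despite the name both tables are exported, writable globals, and the `file_protos_ts` / `file_protos_tc` pointers can be retargeted from any translation unit. Every file keyword registration later in this change walks these tables, so a stray write changes which protocols get file inspection. If nothing outside this file is meant to replace them (not visible in this hunk), declare the arrays as `static const FileAppProto file_protos_ts_static[] = {` and the pointers as `const FileAppProto *file_protos_ts`, with the matching change to the extern declarations. Otherwise add a comment stating who may reassign the pointers and at what point during startup.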
const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
uint8_t flags, void *_alstate, void *tx, uint64_t tx_id);
+typedef struct FileAppProto {
+ AppProto alproto;
+ int progress;
+} FileAppProto;
+
+extern FileAppProto *file_protos_ts;
+extern FileAppProto *file_protos_tc;
+
#endif /* __DETECT_ENGINE_FILE_H__ */
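Review bot: The header exports `file_protos_ts` and `file_protos_tc` as bare pointers with no length, and nothing here documents that consumers stop at an entry whose `alproto` is `ALPROTO_UNKNOWN`. A table installed without that terminator would make every registration loop read past the end of the array. I would add a comment above the externs such as `/* arrays are terminated by an entry with alproto == ALPROTO_UNKNOWN */`. The `progress` field also needs one saying it is the value passed as the progress argument to `DetectAppLayerInspectEngineRegister2` and `DetectAppLayerMpmRegister2`.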
#include "detect-engine-state.h"
#include "detect-engine-prefilter.h"
#include "detect-engine-content-inspection.h"
+#include "detect-engine-file.h"
#include "detect-file-data.h"
#include "app-layer-parser.h"
#endif
sigmatch_table[DETECT_FILE_DATA].flags = SIGMATCH_NOOPT;
- DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOSERVER, 2,
- PrefilterMpmFiledataRegister, NULL,
- ALPROTO_SMTP, 0);
- DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOCLIENT, 2, PrefilterMpmHTTPFiledataRegister,
- NULL, ALPROTO_HTTP1, HTP_RESPONSE_BODY);
- DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOSERVER, 2, PrefilterMpmFiledataRegister,
- NULL, ALPROTO_HTTP1, HTP_REQUEST_BODY);
- DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOSERVER, 2,
- PrefilterMpmFiledataRegister, NULL,
- ALPROTO_SMB, 0);
- DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOCLIENT, 2,
- PrefilterMpmFiledataRegister, NULL,
- ALPROTO_SMB, 0);
- DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOSERVER, 2,
- PrefilterMpmFiledataRegister, NULL,
- ALPROTO_HTTP2, HTTP2StateDataClient);
- DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOCLIENT, 2,
- PrefilterMpmFiledataRegister, NULL,
- ALPROTO_HTTP2, HTTP2StateDataServer);
- DetectAppLayerMpmRegister2(
- "file_data", SIG_FLAG_TOSERVER, 2, PrefilterMpmFiledataRegister, NULL, ALPROTO_NFS, 0);
- DetectAppLayerMpmRegister2(
- "file_data", SIG_FLAG_TOCLIENT, 2, PrefilterMpmFiledataRegister, NULL, ALPROTO_NFS, 0);
- DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOSERVER, 2, PrefilterMpmFiledataRegister,
- NULL, ALPROTO_FTPDATA, 0);
- DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOCLIENT, 2, PrefilterMpmFiledataRegister,
- NULL, ALPROTO_FTPDATA, 0);
- DetectAppLayerMpmRegister2(
- "file_data", SIG_FLAG_TOSERVER, 2, PrefilterMpmFiledataRegister, NULL, ALPROTO_FTP, 0);
- DetectAppLayerMpmRegister2(
- "file_data", SIG_FLAG_TOCLIENT, 2, PrefilterMpmFiledataRegister, NULL, ALPROTO_FTP, 0);
-
- DetectAppLayerInspectEngineRegister2("file_data", ALPROTO_HTTP1, SIG_FLAG_TOCLIENT,
- HTP_RESPONSE_BODY, DetectEngineInspectBufferHttpBody, NULL);
- DetectAppLayerInspectEngineRegister2("file_data", ALPROTO_HTTP1, SIG_FLAG_TOSERVER,
- HTP_REQUEST_BODY, DetectEngineInspectFiledata, NULL);
- DetectAppLayerInspectEngineRegister2("file_data",
- ALPROTO_SMTP, SIG_FLAG_TOSERVER, 0,
- DetectEngineInspectFiledata, NULL);
+ for (int i = 0; file_protos_ts[i].alproto != ALPROTO_UNKNOWN; i++) {
+ DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOSERVER, 2, PrefilterMpmFiledataRegister,
+ NULL, file_protos_ts[i].alproto, file_protos_ts[i].progress);
+ DetectAppLayerInspectEngineRegister2("file_data", file_protos_ts[i].alproto,
+ SIG_FLAG_TOSERVER, file_protos_ts[i].progress, DetectEngineInspectFiledata, NULL);
+ }
+ for (int i = 0; file_protos_tc[i].alproto != ALPROTO_UNKNOWN; i++) {
+ if (file_protos_tc[i].alproto == ALPROTO_HTTP1) {
+ // special case for HTTP1
+ DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOCLIENT, 2,
+ PrefilterMpmHTTPFiledataRegister, NULL, ALPROTO_HTTP1, HTP_RESPONSE_BODY);
+ DetectAppLayerInspectEngineRegister2("file_data", ALPROTO_HTTP1, SIG_FLAG_TOCLIENT,
+ HTP_RESPONSE_BODY, DetectEngineInspectBufferHttpBody, NULL);
+ continue;
+ }
+ DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOCLIENT, 2, PrefilterMpmFiledataRegister,
+ NULL, file_protos_tc[i].alproto, file_protos_tc[i].progress);
+ DetectAppLayerInspectEngineRegister2("file_data", file_protos_tc[i].alproto,
+ SIG_FLAG_TOCLIENT, file_protos_tc[i].progress, DetectEngineInspectFiledata, NULL);
+ }
DetectBufferTypeRegisterSetupCallback("file_data",
DetectFiledataSetupCallback);
- DetectAppLayerInspectEngineRegister2("file_data",
- ALPROTO_SMB, SIG_FLAG_TOSERVER, 0,
- DetectEngineInspectFiledata, NULL);
- DetectAppLayerInspectEngineRegister2("file_data",
- ALPROTO_SMB, SIG_FLAG_TOCLIENT, 0,
- DetectEngineInspectFiledata, NULL);
- DetectAppLayerInspectEngineRegister2("file_data",
- ALPROTO_HTTP2, SIG_FLAG_TOSERVER, HTTP2StateDataClient,
- DetectEngineInspectFiledata, NULL);
- DetectAppLayerInspectEngineRegister2("file_data",
- ALPROTO_HTTP2, SIG_FLAG_TOCLIENT, HTTP2StateDataServer,
- DetectEngineInspectFiledata, NULL);
- DetectAppLayerInspectEngineRegister2(
- "file_data", ALPROTO_NFS, SIG_FLAG_TOSERVER, 0, DetectEngineInspectFiledata, NULL);
- DetectAppLayerInspectEngineRegister2(
- "file_data", ALPROTO_NFS, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectFiledata, NULL);
- DetectAppLayerInspectEngineRegister2(
- "file_data", ALPROTO_FTPDATA, SIG_FLAG_TOSERVER, 0, DetectEngineInspectFiledata, NULL);
- DetectAppLayerInspectEngineRegister2(
- "file_data", ALPROTO_FTPDATA, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectFiledata, NULL);
- DetectAppLayerInspectEngineRegister2(
- "file_data", ALPROTO_FTP, SIG_FLAG_TOSERVER, 0, DetectEngineInspectFiledata, NULL);
- DetectAppLayerInspectEngineRegister2(
- "file_data", ALPROTO_FTP, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectFiledata, NULL);
DetectBufferTypeSetDescriptionByName("file_data", "data from tracked files");
DetectBufferTypeSupportsMultiInstance("file_data");
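Review bot: The HTTP1 branch in the to-client loop ignores the table entry it just matched and hard-codes `ALPROTO_HTTP1, HTP_RESPONSE_BODY`, so a later edit to `file_protos_tc_static` would silently diverge from what file_data registers. Passing `file_protos_tc[i].alproto` and `file_protos_tc[i].progress` there keeps the table as the single source of truth. The comment `// special case for HTTP1` should also say why, for example `// HTTP1 responses use PrefilterMpmHTTPFiledataRegister and DetectEngineInspectBufferHttpBody instead of the generic file callbacks`. The enclosing registration function starts and ends outside this hunk.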
#include "detect-engine-mpm.h"
#include "detect-engine-prefilter.h"
#include "detect-engine-content-inspection.h"
+#include "detect-engine-file.h"
#include "flow.h"
#include "flow-var.h"
g_file_match_list_id = DetectBufferTypeRegister("files");
- AppProto protos_ts[] = { ALPROTO_HTTP1, ALPROTO_SMTP, ALPROTO_FTP, ALPROTO_SMB, ALPROTO_NFS,
- ALPROTO_HTTP2, 0 };
- AppProto protos_tc[] = { ALPROTO_HTTP1, ALPROTO_FTP, ALPROTO_SMB, ALPROTO_NFS, ALPROTO_HTTP2,
- 0 };
-
- for (int i = 0; protos_ts[i] != 0; i++) {
- DetectAppLayerInspectEngineRegister2("file.magic", protos_ts[i],
- SIG_FLAG_TOSERVER, 0,
- DetectEngineInspectFilemagic, NULL);
+ for (int i = 0; file_protos_ts[i].alproto != ALPROTO_UNKNOWN; i++) {
+ DetectAppLayerInspectEngineRegister2("file.magic", file_protos_ts[i].alproto,
+ SIG_FLAG_TOSERVER, file_protos_ts[i].progress, DetectEngineInspectFilemagic, NULL);
DetectAppLayerMpmRegister2("file.magic", SIG_FLAG_TOSERVER, 2,
- PrefilterMpmFilemagicRegister, NULL, protos_ts[i],
- 0);
+ PrefilterMpmFilemagicRegister, NULL, file_protos_ts[i].alproto,
+ file_protos_ts[i].progress);
}
- for (int i = 0; protos_tc[i] != 0; i++) {
- DetectAppLayerInspectEngineRegister2("file.magic", protos_tc[i],
- SIG_FLAG_TOCLIENT, 0,
- DetectEngineInspectFilemagic, NULL);
+ for (int i = 0; file_protos_tc[i].alproto != ALPROTO_UNKNOWN; i++) {
+ DetectAppLayerInspectEngineRegister2("file.magic", file_protos_tc[i].alproto,
+ SIG_FLAG_TOCLIENT, file_protos_tc[i].progress, DetectEngineInspectFilemagic, NULL);
DetectAppLayerMpmRegister2("file.magic", SIG_FLAG_TOCLIENT, 2,
- PrefilterMpmFilemagicRegister, NULL, protos_tc[i],
- 0);
+ PrefilterMpmFilemagicRegister, NULL, file_protos_tc[i].alproto,
+ file_protos_tc[i].progress);
}
DetectBufferTypeSetDescriptionByName("file.magic",
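Review bot: Switching to the shared tables changes behaviour that the code does not comment on: file.magic was registered at progress `0` for every protocol, and now HTTP1 and HTTP2 take the table's body-progress values and `ALPROTO_FTPDATA` is registered for the first time. The later hunks do the same, adding `ALPROTO_FTP` to the "files" engines and moving file.name on HTTP1 off progress `0`. Because this alters when and for which protocols file rules are evaluated, a short comment at the first loop would help, e.g. `/* progress comes from file_protos_*, so file keywords use the same tx progress as file_data */`. Whether that is the intent is inferred from the diff and should be confirmed. The enclosing function is not fully visible in this hunk.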
sigmatch_table[DETECT_FILE_NAME].Setup = DetectFilenameSetupSticky;
sigmatch_table[DETECT_FILE_NAME].flags = SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
- DetectAppLayerInspectEngineRegister2("files", ALPROTO_HTTP1, SIG_FLAG_TOSERVER,
- HTP_REQUEST_BODY, DetectFileInspectGeneric, NULL);
- DetectAppLayerInspectEngineRegister2("files", ALPROTO_HTTP1, SIG_FLAG_TOCLIENT,
- HTP_RESPONSE_BODY, DetectFileInspectGeneric, NULL);
-
- DetectAppLayerInspectEngineRegister2(
- "files", ALPROTO_SMTP, SIG_FLAG_TOSERVER, 0, DetectFileInspectGeneric, NULL);
-
- DetectAppLayerInspectEngineRegister2(
- "files", ALPROTO_NFS, SIG_FLAG_TOSERVER, 0, DetectFileInspectGeneric, NULL);
- DetectAppLayerInspectEngineRegister2(
- "files", ALPROTO_NFS, SIG_FLAG_TOCLIENT, 0, DetectFileInspectGeneric, NULL);
-
- DetectAppLayerInspectEngineRegister2(
- "files", ALPROTO_FTPDATA, SIG_FLAG_TOSERVER, 0, DetectFileInspectGeneric, NULL);
- DetectAppLayerInspectEngineRegister2(
- "files", ALPROTO_FTPDATA, SIG_FLAG_TOCLIENT, 0, DetectFileInspectGeneric, NULL);
-
- DetectAppLayerInspectEngineRegister2(
- "files", ALPROTO_SMB, SIG_FLAG_TOSERVER, 0, DetectFileInspectGeneric, NULL);
- DetectAppLayerInspectEngineRegister2(
- "files", ALPROTO_SMB, SIG_FLAG_TOCLIENT, 0, DetectFileInspectGeneric, NULL);
-
- //this is used by filestore
- DetectAppLayerInspectEngineRegister2("files", ALPROTO_HTTP2, SIG_FLAG_TOSERVER,
- HTTP2StateDataClient, DetectFileInspectGeneric, NULL);
- DetectAppLayerInspectEngineRegister2("files", ALPROTO_HTTP2, SIG_FLAG_TOCLIENT,
- HTTP2StateDataServer, DetectFileInspectGeneric, NULL);
-
+ // this is required by filestore, and filesize
+ for (int i = 0; file_protos_ts[i].alproto != ALPROTO_UNKNOWN; i++) {
+ DetectAppLayerInspectEngineRegister2("files", file_protos_ts[i].alproto, SIG_FLAG_TOSERVER,
+ file_protos_ts[i].progress, DetectFileInspectGeneric, NULL);
+ }
+ for (int i = 0; file_protos_tc[i].alproto != ALPROTO_UNKNOWN; i++) {
+ DetectAppLayerInspectEngineRegister2("files", file_protos_tc[i].alproto, SIG_FLAG_TOCLIENT,
+ file_protos_tc[i].progress, DetectFileInspectGeneric, NULL);
+ }
g_file_match_list_id = DetectBufferTypeGetByName("files");
- AppProto protos_ts[] = { ALPROTO_HTTP1, ALPROTO_SMTP, ALPROTO_FTP, ALPROTO_FTPDATA, ALPROTO_SMB,
- ALPROTO_NFS, 0 };
- AppProto protos_tc[] = { ALPROTO_HTTP1, ALPROTO_FTP, ALPROTO_FTPDATA, ALPROTO_SMB, ALPROTO_NFS,
- 0 };
-
- for (int i = 0; protos_ts[i] != 0; i++) {
- DetectAppLayerInspectEngineRegister2("file.name", protos_ts[i],
- SIG_FLAG_TOSERVER, 0,
- DetectEngineInspectFilename, NULL);
+ for (int i = 0; file_protos_ts[i].alproto != ALPROTO_UNKNOWN; i++) {
+ if (file_protos_ts[i].alproto == ALPROTO_HTTP2) {
+ // no filename on HTTP2 files
+ continue;
+ }
+ DetectAppLayerInspectEngineRegister2("file.name", file_protos_ts[i].alproto,
+ SIG_FLAG_TOSERVER, file_protos_ts[i].progress, DetectEngineInspectFilename, NULL);
- DetectAppLayerMpmRegister2("file.name", SIG_FLAG_TOSERVER, 2,
- PrefilterMpmFilenameRegister, NULL, protos_ts[i],
- 0);
+ DetectAppLayerMpmRegister2("file.name", SIG_FLAG_TOSERVER, 2, PrefilterMpmFilenameRegister,
+ NULL, file_protos_ts[i].alproto, file_protos_ts[i].progress);
}
- for (int i = 0; protos_tc[i] != 0; i++) {
- DetectAppLayerInspectEngineRegister2("file.name", protos_tc[i],
- SIG_FLAG_TOCLIENT, 0,
- DetectEngineInspectFilename, NULL);
-
- DetectAppLayerMpmRegister2("file.name", SIG_FLAG_TOCLIENT, 2,
- PrefilterMpmFilenameRegister, NULL, protos_tc[i],
- 0);
+ for (int i = 0; file_protos_tc[i].alproto != ALPROTO_UNKNOWN; i++) {
+ if (file_protos_tc[i].alproto == ALPROTO_HTTP2) {
+ // no filename on HTTP2 files
+ continue;
+ }
+ DetectAppLayerInspectEngineRegister2("file.name", file_protos_tc[i].alproto,
+ SIG_FLAG_TOCLIENT, file_protos_tc[i].progress, DetectEngineInspectFilename, NULL);
+
+ DetectAppLayerMpmRegister2("file.name", SIG_FLAG_TOCLIENT, 2, PrefilterMpmFilenameRegister,
+ NULL, file_protos_tc[i].alproto, file_protos_tc[i].progress);
}
DetectBufferTypeSetDescriptionByName("file.name", "file name");
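Review bot: The `ALPROTO_HTTP2` skip is written out twice, once per direction, and its comment `// no filename on HTTP2 files` does not spell out the consequence that file.name is never registered for HTTP2. Rules that rely on file.name presumably get no evaluation on HTTP2 transfers, so the comment should say so, e.g. `// HTTP2 files carry no filename: file.name is not registered here, so rules using it do not cover HTTP2`. If more keywords need per-protocol exclusions, a flag in `FileAppProto` would avoid repeating the check in each loop. The surrounding function is only partly visible in this hunk.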