#include "detect-engine-mpm.h"
#include "detect-engine-state.h"
#include "detect-engine-file.h"
+#include "detect-engine-prefilter.h"
+#include "detect-engine-content-inspection.h"
#include "flow.h"
#include "flow-var.h"
static int DetectFilenameMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *,
uint8_t, File *, const Signature *, const SigMatchCtx *);
static int DetectFilenameSetup (DetectEngineCtx *, Signature *, const char *);
+static int DetectFilenameSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str);
static void DetectFilenameRegisterTests(void);
static void DetectFilenameFree(void *);
static int g_file_match_list_id = 0;
+static int g_file_name_buffer_id = 0;
+
+static int PrefilterMpmFilenameRegister(DetectEngineCtx *de_ctx,
+ SigGroupHead *sgh, MpmCtx *mpm_ctx,
+ const DetectMpmAppLayerRegistery *mpm_reg, int list_id);
+static int DetectEngineInspectFilename(
+ DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
+ const DetectEngineAppInspectionEngine *engine,
+ const Signature *s,
+ Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
/**
* \brief Registration function for keyword: filename
sigmatch_table[DETECT_FILENAME].RegisterTests = DetectFilenameRegisterTests;
sigmatch_table[DETECT_FILENAME].flags = SIGMATCH_QUOTES_OPTIONAL|SIGMATCH_HANDLE_NEGATION;
+ sigmatch_table[DETECT_FILE_NAME].name = "file.name";
+ sigmatch_table[DETECT_FILE_NAME].desc = "sticky buffer to match on the file name";
+ sigmatch_table[DETECT_FILE_NAME].url = DOC_URL DOC_VERSION "/rules/file-keywords.html#filename";
+ sigmatch_table[DETECT_FILE_NAME].Setup = DetectFilenameSetupSticky;
+ sigmatch_table[DETECT_FILE_NAME].flags = SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
+
DetectAppLayerInspectEngineRegister("files",
ALPROTO_HTTP, SIG_FLAG_TOSERVER, HTP_REQUEST_BODY,
DetectFileInspectGeneric);
DetectAppLayerInspectEngineRegister("files",
ALPROTO_FTPDATA, SIG_FLAG_TOSERVER, 0,
DetectFileInspectGeneric);
-
DetectAppLayerInspectEngineRegister("files",
ALPROTO_FTPDATA, SIG_FLAG_TOCLIENT, 0,
DetectFileInspectGeneric);
g_file_match_list_id = DetectBufferTypeGetByName("files");
+ AppProto protos_ts[] = {
+ ALPROTO_HTTP, ALPROTO_SMTP, ALPROTO_FTP, ALPROTO_SMB, ALPROTO_NFS, 0 };
+ AppProto protos_tc[] = {
+ ALPROTO_HTTP, ALPROTO_FTP, ALPROTO_SMB, ALPROTO_NFS, 0 };
+
+ for (int i = 0; protos_ts[i] != 0; i++) {
+ DetectAppLayerInspectEngineRegister2("file.name", protos_ts[i],
+ SIG_FLAG_TOSERVER, 0,
+ DetectEngineInspectFilename, NULL);
+
+ DetectAppLayerMpmRegister2("file.name", SIG_FLAG_TOSERVER, 2,
+ PrefilterMpmFilenameRegister, NULL, protos_ts[i],
+ 0);
+ }
+ for (int i = 0; protos_tc[i] != 0; i++) {
+ DetectAppLayerInspectEngineRegister2("file.name", protos_tc[i],
+ SIG_FLAG_TOCLIENT, 0,
+ DetectEngineInspectFilename, NULL);
+
+ DetectAppLayerMpmRegister2("file.name", SIG_FLAG_TOCLIENT, 2,
+ PrefilterMpmFilenameRegister, NULL, protos_tc[i],
+ 0);
+ }
+
+ DetectBufferTypeSetDescriptionByName("file.name",
+ "http user agent");
+
+ g_file_name_buffer_id = DetectBufferTypeGetByName("file.name");
SCLogDebug("registering filename rule option");
return;
}
}
}
+/* file.name implementation */
+
+/**
+ * \brief this function setup the file.data keyword used in the rule
+ *
+ * \param de_ctx Pointer to the Detection Engine Context
+ * \param s Pointer to the Signature to which the current keyword belongs
+ * \param str Should hold an empty string always
+ *
+ * \retval 0 On success
+ */
+static int DetectFilenameSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
+{
+ if (DetectBufferSetActiveList(s, g_file_name_buffer_id) < 0)
+ return -1;
+ return 0;
+}
+
+static InspectionBuffer *FilenameGetDataCallback(DetectEngineThreadCtx *det_ctx,
+ const DetectEngineTransforms *transforms,
+ Flow *f, uint8_t flow_flags, File *cur_file,
+ int list_id, int local_file_id, bool first)
+{
+ SCEnter();
+
+ InspectionBufferMultipleForList *fb = InspectionBufferGetMulti(det_ctx, list_id);
+ InspectionBuffer *buffer = InspectionBufferMultipleForListGet(fb, local_file_id);
+ if (buffer == NULL)
+ return NULL;
+ if (!first && buffer->inspect != NULL)
+ return buffer;
+
+ const uint8_t *data = cur_file->name;
+ uint32_t data_len = cur_file->name_len;
+
+ InspectionBufferSetup(buffer, data, data_len);
+ InspectionBufferApplyTransforms(buffer, transforms);
+
+ SCReturnPtr(buffer, "InspectionBuffer");
+}
+
+static int DetectEngineInspectFilename(
+ DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
+ const DetectEngineAppInspectionEngine *engine,
+ const Signature *s,
+ Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
+{
+ int r = 0;
+
+ const DetectEngineTransforms *transforms = NULL;
+ if (!engine->mpm) {
+ transforms = engine->v2.transforms;
+ }
+
+ FileContainer *ffc = AppLayerParserGetFiles(f->proto, f->alproto,
+ f->alstate, flags);
+ if (ffc == NULL) {
+ return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
+ }
+
+ int local_file_id = 0;
+ File *file = ffc->head;
+ for (; file != NULL; file = file->next) {
+ if (file->txid != tx_id)
+ continue;
+
+ InspectionBuffer *buffer = FilenameGetDataCallback(det_ctx,
+ transforms, f, flags, file, engine->sm_list, local_file_id, false);
+ if (buffer == NULL)
+ continue;
+
+ det_ctx->buffer_offset = 0;
+ det_ctx->discontinue_matching = 0;
+ det_ctx->inspection_recursion_counter = 0;
+ int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
+ f,
+ (uint8_t *)buffer->inspect,
+ buffer->inspect_len,
+ buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE,
+ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
+ if (match == 1) {
+ r = 1;
+ break;
+ }
+ local_file_id++;
+ }
+
+ if (r == 1)
+ return DETECT_ENGINE_INSPECT_SIG_MATCH;
+ else
+ return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
+}
+
+typedef struct PrefilterMpmFilename {
+ int list_id;
+ const MpmCtx *mpm_ctx;
+ const DetectEngineTransforms *transforms;
+} PrefilterMpmFilename;
+
+/** \brief Filedata Filedata Mpm prefilter callback
+ *
+ * \param det_ctx detection engine thread ctx
+ * \param p packet to inspect
+ * \param f flow to inspect
+ * \param txv tx to inspect
+ * \param pectx inspection context
+ */
+static void PrefilterTxFilename(DetectEngineThreadCtx *det_ctx,
+ const void *pectx,
+ Packet *p, Flow *f, void *txv,
+ const uint64_t idx, const uint8_t flags)
+{
+ SCEnter();
+
+ const PrefilterMpmFilename *ctx = (const PrefilterMpmFilename *)pectx;
+ const MpmCtx *mpm_ctx = ctx->mpm_ctx;
+ const int list_id = ctx->list_id;
+
+ FileContainer *ffc = AppLayerParserGetFiles(f->proto, f->alproto,
+ f->alstate, flags);
+ int local_file_id = 0;
+ if (ffc != NULL) {
+ File *file = ffc->head;
+ for (; file != NULL; file = file->next) {
+ if (file->txid != idx)
+ continue;
+
+ InspectionBuffer *buffer = FilenameGetDataCallback(det_ctx,
+ ctx->transforms, f, flags, file, list_id, local_file_id, true);
+ if (buffer == NULL)
+ continue;
+
+ if (buffer->inspect_len >= mpm_ctx->minlen) {
+ (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
+ &det_ctx->mtcu, &det_ctx->pmq,
+ buffer->inspect, buffer->inspect_len);
+ }
+ }
+ }
+}
+
+static void PrefilterMpmFilenameFree(void *ptr)
+{
+ SCFree(ptr);
+}
+
+static int PrefilterMpmFilenameRegister(DetectEngineCtx *de_ctx,
+ SigGroupHead *sgh, MpmCtx *mpm_ctx,
+ const DetectMpmAppLayerRegistery *mpm_reg, int list_id)
+{
+ PrefilterMpmFilename *pectx = SCCalloc(1, sizeof(*pectx));
+ if (pectx == NULL)
+ return -1;
+ pectx->list_id = list_id;
+ pectx->mpm_ctx = mpm_ctx;
+ pectx->transforms = &mpm_reg->v2.transforms;
+
+ return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxFilename,
+ mpm_reg->v2.alproto, mpm_reg->v2.tx_min_progress,
+ pectx, PrefilterMpmFilenameFree, mpm_reg->pname);
+}
+
#ifdef UNITTESTS /* UNITTESTS */
+/**
+ * \test Test parser accepting valid rules and rejecting invalid rules
+ */
+static int DetectFilenameSignatureParseTest01(void)
+{
+ FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; file.name; content:\"abc\"; sid:1;)", true));
+ FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; file.name; content:\"abc\"; nocase; sid:1;)", true));
+ FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; file.name; content:\"abc\"; endswith; sid:1;)", true));
+ FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; file.name; content:\"abc\"; startswith; sid:1;)", true));
+ FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; file.name; content:\"abc\"; startswith; endswith; sid:1;)", true));
+ FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; file.name; bsize:10; sid:1;)", true));
+
+ FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; file.name; content:\"abc\"; rawbytes; sid:1;)", false));
+ FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_client; file.name; sid:1;)", false));
+ //FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_client; file.name; content:\"abc\"; sid:1;)", false));
+ PASS;
+}
/**
* \test DetectFilenameTestParse01
*/
void DetectFilenameRegisterTests(void)
{
#ifdef UNITTESTS /* UNITTESTS */
+ UtRegisterTest("DetectFilenameSignatureParseTest01", DetectFilenameSignatureParseTest01);
+
UtRegisterTest("DetectFilenameTestParse01", DetectFilenameTestParse01);
UtRegisterTest("DetectFilenameTestParse02", DetectFilenameTestParse02);
UtRegisterTest("DetectFilenameTestParse03", DetectFilenameTestParse03);