detect/files: fix file sigs state handling 3815/head
authorVictor Julien <victor@inliniac.net>
Tue, 23 Apr 2019 09:20:59 +0000 (11:20 +0200)
committerVictor Julien <victor@inliniac.net>
Wed, 24 Apr 2019 18:15:39 +0000 (20:15 +0200)
Make sure all file sig mismatches indicate this in their return
code, not just the ones with filestore enabled. This is needed
to tell the stateful detect engine that it is dealing with a file
sig, so it can make sure these are inspected correctly even if
there are possibly multiple files per tx.

src/detect-engine-file.c
src/detect-engine-state.h
src/detect-filename.c
src/detect.c

index 0b1fdead1188b83da7d8de9b85cbc944c3e620df..dee3c584e0430f12db0c13c3295733b13b933960 100644 (file)
@@ -147,7 +147,7 @@ static int DetectFileInspect(ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
                         FileMatch(tv, det_ctx, f, flags, file, s, smd->ctx);
                     KEYWORD_PROFILING_END(det_ctx, smd->type, (match > 0));
                     if (match == 0) {
-                        r = DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
+                        r = DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES;
                         break;
                     } else if (smd->is_last) {
                         r = DETECT_ENGINE_INSPECT_SIG_MATCH;
@@ -165,11 +165,6 @@ static int DetectFileInspect(ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
             if (r == DETECT_ENGINE_INSPECT_SIG_MATCH)
                 store_r = DETECT_ENGINE_INSPECT_SIG_MATCH;
 
-            /* if this is a filestore sig, and the sig can't match
-             * return 3 so we can distinguish */
-            if ((s->flags & SIG_FLAG_FILESTORE) && r == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH)
-                r = DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILESTORE;
-
             /* continue, this file may (or may not) be unable to match
              * maybe we have more that can :) */
         }
@@ -244,9 +239,9 @@ int DetectFileInspectGeneric(ThreadVars *tv,
     } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH) {
         SCLogDebug("sid %u can't match on this transaction", s->id);
         r = DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
-    } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILESTORE) {
-        SCLogDebug("sid %u can't match on this transaction (filestore sig)", s->id);
-        r = DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILESTORE;
+    } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES) {
+        SCLogDebug("sid %u can't match on this transaction (file sig)", s->id);
+        r = DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES;
     } else if (match == DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES) {
         SCLogDebug("match with more files ahead");
         r = match;
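Review bot: The `match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH` branch at the top of this hunk looks like it may no longer be reachable for file sigs: the first hunk turns the only visible `match == 0` result in DetectFileInspect into `DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES`, and the second hunk removes the FILESTORE remap, so plain CANT_MATCH would now have to come from a path of DetectFileInspect outside these hunks (for example its initial value of `r`, which is not shown). If that path exists, a one-line comment above the branch naming it, e.g. `/* plain CANT_MATCH: no file of this tx reached FileMatch; see DetectFileInspect */` adjusted to the real source, would keep the next reader from treating the branch as dead; if it does not, the branch can go. The two return values are mapped to different stateful handling in detect.c (`file_no_match` is only set for the FILES value), so which one a given mismatch produces matters for when the sig is re-inspected. DetectFileInspectGeneric continues outside this hunk.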
index 5a8e17af01339dc0d6e4069b1bc2c2ae21c41836..154f8bbaf30219f3eeee9bd9ce53164493d3f103 100644 (file)
 #define DETECT_ENGINE_INSPECT_SIG_NO_MATCH 0
 #define DETECT_ENGINE_INSPECT_SIG_MATCH 1
 #define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH 2
-#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILESTORE 3
+/** indicate that the file inspection portion of a sig didn't match.
+ *  This is used to handle state keeping as the detect engine is still
+ *  only marginally aware of files. */
+#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES 3
 /** hack to work around a file inspection limitation. Since there can be
  *  multiple files in a TX and the detection engine really don't know
  *  about that, we have to give the file inspection engine a way to
index 41c695fc2cf43542883f3bab5bbe45b61837e5b9..2b5fb90285a5a62ddad93a830044983402a873e2 100644 (file)
@@ -375,8 +375,6 @@ static int DetectEngineInspectFilename(
         const Signature *s,
         Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
 {
-    int r = 0;
-
     const DetectEngineTransforms *transforms = NULL;
     if (!engine->mpm) {
         transforms = engine->v2.transforms;
@@ -388,9 +386,9 @@ static int DetectEngineInspectFilename(
         return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
     }
 
+    int r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
     int local_file_id = 0;
-    File *file = ffc->head;
-    for (; file != NULL; file = file->next) {
+    for (File *file = ffc->head; file != NULL; file = file->next) {
         if (file->txid != tx_id)
             continue;
 
@@ -409,16 +407,13 @@ static int DetectEngineInspectFilename(
                                               buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE,
                                               DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
         if (match == 1) {
-            r = 1;
-            break;
+            return DETECT_ENGINE_INSPECT_SIG_MATCH;
+        } else {
+            r = DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES;
         }
         local_file_id++;
     }
-
-    if (r == 1)
-        return DETECT_ENGINE_INSPECT_SIG_MATCH;
-    else
-        return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILESTORE;
+    return r;
 }
 
 typedef struct PrefilterMpmFilename {
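Review bot: A transaction for which no file in `ffc` carries `tx_id` now returns `DETECT_ENGINE_INSPECT_SIG_NO_MATCH` (the `continue` two hunks up is the only path that leaves `r` at its initial value), whereas the old code returned CANT_MATCH_FILESTORE for every non-matching call; if this is intended so that the sig stays pending until the tx's files arrive, that deserves a comment on the `int r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;` line, e.g. `/* stays NO_MATCH when no file of this tx has been seen yet, so the sig is inspected again later */`, since the caller in detect.c treats the FILES value as a definite can't-match. The `} else {` after the `return DETECT_ENGINE_INSPECT_SIG_MATCH;` is redundant; `if (match == 1) return DETECT_ENGINE_INSPECT_SIG_MATCH;` followed by an unconditional `r = DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES;` reads the same and avoids the extra nesting.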
index 2280f766faf5258e35cdfe9cd28e57940d10e9d5..db49012120a13a70cae8ef9b2036fbb78fd337a1 100644 (file)
@@ -1231,7 +1231,7 @@ static bool DetectRunTxInspectRule(ThreadVars *tv,
             } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH) {
                 inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
                 inspect_flags |= BIT_U32(engine->id);
-            } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILESTORE) {
+            } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES) {
                 inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
                 inspect_flags |= BIT_U32(engine->id);
                 file_no_match = 1;