From: magenbluten
Date: Fri, 15 Feb 2019 14:31:41 +0000 (+0000)
Subject: filestore v2: print sid in json output
X-Git-Tag: suricata-5.0.0-beta1~195
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1378f376a141c6c7fb9b6b6a4f09aaacec6e877b;p=thirdparty%2Fsuricata.git
filestore v2: print sid in json output
---
diff --git a/src/detect-filestore.c b/src/detect-filestore.c
index 5c474927c5..b2f84d9114 100644
--- a/src/detect-filestore.c
+++ b/src/detect-filestore.c
@@ -264,8 +264,27 @@ static int DetectFilestoreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
      * matches. */
     if (file != NULL) {
         file_id = file->file_store_id;
+        if (file->sid != NULL && s->id > 0) {
+            if (file->sid_cnt >= file->sid_max) {
+                void *p = SCRealloc(file->sid, sizeof(uint32_t) * (file->sid_max + 8));
+                if (p == NULL) {
+                    SCFree(file->sid);
+                    file->sid = NULL;
+                    file->sid_cnt = 0;
+                    file->sid_max = 0;
+                    goto continue_after_realloc_fail;
+                } else {
+                    file->sid = p;
+                    file->sid_max += 8;
+                }
+            }
+            file->sid[file->sid_cnt] = s->id;
+            file->sid_cnt++;
+        }
     }
+continue_after_realloc_fail:
+
     det_ctx->filestore[det_ctx->filestore_cnt].file_id = file_id;
     det_ctx->filestore[det_ctx->filestore_cnt].tx_id = det_ctx->tx_id;
diff --git a/src/output-json-file.c b/src/output-json-file.c
index 18bd2adf7f..25b05d959c 100644
--- a/src/output-json-file.c
+++ b/src/output-json-file.c
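Review bot: The new block appends `s->id` to `file->sid` unconditionally, so if DetectFilestoreMatch can run more than once for the same signature and the same file (re-inspection as further file data arrives, which I cannot confirm from this hunk alone), the array accumulates duplicates and keeps growing in steps of 8 for the lifetime of the File, and the JSON `sid` list repeats entries. A membership check before the append bounds the array by the number of distinct matching rules: `for (uint32_t i = 0; i < file->sid_cnt; i++)` / `    if (file->sid[i] == s->id) goto continue_after_realloc_fail;` placed right after the `s->id > 0` test. As a point of style, the label is reached on the success path as well, so a neutral name such as `sid_done:` would describe it better than `continue_after_realloc_fail:`. DetectFilestoreMatch starts and ends outside the hunk.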
@@ -149,6 +149,18 @@ json_t *JsonBuildFileInfoRecord(const Packet *p, const File *ff,
     char filename_string[filename_size];
     BytesToStringBuffer(ff->name, ff->name_len, filename_string, filename_size);
     json_object_set_new(fjs, "filename", SCJsonString(filename_string));
+
+    json_t *sig_ids = json_array();
+    if (unlikely(sig_ids == NULL)) {
+        json_decref(js);
+        return NULL;
+    }
+
+    for (uint32_t i = 0; ff->sid != NULL && i < ff->sid_cnt; i++) {
+        json_array_append(sig_ids, json_integer(ff->sid[i]));
+    }
+    json_object_set_new(fjs, "sid", sig_ids);
+
 #ifdef HAVE_MAGIC
     if (ff->magic)
         json_object_set_new(fjs, "magic", json_string((char *)ff->magic));
diff --git a/src/util-file.c b/src/util-file.c
index 4c2581982a..d3fd235ab0 100644
--- a/src/util-file.c
+++ b/src/util-file.c
@@ -454,6 +454,13 @@ static File *FileAlloc(const uint8_t *name, uint16_t name_len)
     new->name_len = name_len;
     memcpy(new->name, name, name_len);
+    new->sid_cnt = 0;
+    new->sid_max = 8;
+    /* SCMalloc() is allowed to fail here because sid well be checked later on */
+    new->sid = SCMalloc(sizeof(uint32_t) * new->sid_max);
+    if (new->sid == NULL)
+        new->sid_max = 0;
+
     return new;
 }
@@ -464,6 +471,8 @@ static void FileFree(File *ff)
     if (ff->name != NULL)
         SCFree(ff->name);
+    if (ff->sid != NULL)
+        SCFree(ff->sid);
 #ifdef HAVE_MAGIC
     /* magic returned by libmagic is strdup'd by MagicLookup. */
     if (ff->magic != NULL)
diff --git a/src/util-file.h b/src/util-file.h
index 535e42ff17..4f67e73d3f 100644
--- a/src/util-file.h
+++ b/src/util-file.h
@@ -89,6 +89,10 @@ typedef struct File_ {
      * flag is set */
     uint64_t content_stored;
     uint64_t size;
+
+    uint32_t *sid; /* signature id of a rule that triggered the filestore event */
+    uint32_t sid_cnt;
+    uint32_t sid_max;
 } File;
 typedef struct FileContainer_ {
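Review bot: `json_array_append(sig_ids, json_integer(ff->sid[i]))` leaks one reference per element: json_array_append() takes its own reference on the stored value, while json_integer() hands back a new reference that nothing here releases, so every fileinfo record leaks a json integer per sid. The ownership-transferring variant matches the surrounding `json_object_set_new` calls: `json_array_append_new(sig_ids, json_integer(ff->sid[i]));`. On the `json_array()` failure path only `js` is dropped; if `fjs` has not yet been attached to `js` at this point (its creation is outside the hunk, so I cannot tell), `fjs` leaks there too. The `ff->sid != NULL` test belongs before the loop rather than in its condition, where it is re-evaluated each iteration. JsonBuildFileInfoRecord starts and ends outside the hunk.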
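Review bot: The comment on the new SCMalloc() call in FileAlloc has a typo ("well" for "will") and does not state the invariant the rest of the change relies on; suggested wording: `/* SCMalloc() may fail here: sid is then NULL and sid_max 0, and every user of sid checks for NULL before touching it */`. As a point of style, the initial capacity 8 here and the growth step 8 in DetectFilestoreMatch are separate literals that must stay in agreement; a single named constant in util-file.h (e.g. `FILE_SID_GROW`, a constructed name) would tie them together. FileAlloc starts outside the hunk.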
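Review bot: The comment on the new `sid` member in util-file.h describes a single id, but the field is a growable array with `sid_cnt` and `sid_max` left undocumented. Suggested comment for the three fields: `/* ids of the signatures that triggered the filestore event for this file: sid_cnt entries in use, sid_max allocated; NULL (with sid_max 0) when allocation failed */`. The `File_` struct starts outside the hunk.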