From: Jeff Lucovsky Date: Mon, 10 Jul 2023 14:39:02 +0000 (-0400) Subject: detect/file: Filehandler registration logic X-Git-Tag: suricata-7.0.0~15 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2fd0025edeb6be5747d2439571b4a68c34dfbbf9;p=thirdparty%2Fsuricata.git detect/file: Filehandler registration logic Add file handler registration functions for consolidated file handling. Issue: 4145
---
diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c
index 6fa45042a5..df6e4a738f 100644
--- a/src/detect-engine-register.c
+++ b/src/detect-engine-register.c
@@ -447,6 +447,14 @@ int SigTableList(const char *keyword)
 return TM_ECODE_DONE;
 }
+static void DetectFileHandlerRegister(void)
+{
+ for (int i = 0; i < DETECT_TBLSIZE; i++) {
+ if (filehandler_table[i].name)
+ DetectFileRegisterFileProtocols(&filehandler_table[i]);
+ }
+}
+
 void SigTableSetup(void)
 {
 memset(sigmatch_table, 0, sizeof(sigmatch_table));
@@ -689,6 +697,8 @@ void SigTableSetup(void)
 DetectTransformUrlDecodeRegister();
 DetectTransformXorRegister();
+ DetectFileHandlerRegister();
+
 /* close keyword registration */
 DetectBufferTypeCloseRegistration();
 }
diff --git a/src/detect-parse.c b/src/detect-parse.c
index 152a821c56..2e109c3ecb 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
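Review bot: `DetectFileHandlerRegister` carries no comment stating the ordering it depends on: it only registers slots whose `name` is already set, so any `filehandler_table` entry filled after the call placed at the end of `SigTableSetup` in the next hunk (presumably by the file keywords' own Register functions) would be silently skipped. A one-line header would make that contract explicit: `/* Register MPM/inspect engines for every populated filehandler_table slot; must run after all file keywords have filled the table and before DetectBufferTypeCloseRegistration(). */`. The unbraced `if` body inside the loop would also read more safely braced, matching the enclosing `for`.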
@@ -73,6 +73,58 @@
 #include "action-globals.h"
 #include "util-validate.h"
+/* Table with all filehandler registrations */
+DetectFileHandlerTableElmt filehandler_table[DETECT_TBLSIZE];
+
+void DetectFileRegisterFileProtocols(DetectFileHandlerTableElmt *reg)
+{
+ // file protocols with common file handling
+ typedef struct {
+ AppProto al_proto;
+ int direction;
+ int to_client_progress;
+ int to_server_progress;
+ } DetectFileHandlerProtocol_t;
+ static DetectFileHandlerProtocol_t al_protocols[] = {
+ { .al_proto = ALPROTO_NFS, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT },
+ { .al_proto = ALPROTO_SMB, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT },
+ { .al_proto = ALPROTO_FTP, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT },
+ { .al_proto = ALPROTO_FTPDATA, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT },
+ { .al_proto = ALPROTO_HTTP1,
+ .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT,
+ .to_client_progress = HTP_RESPONSE_BODY,
+ .to_server_progress = HTP_REQUEST_BODY },
+ { .al_proto = ALPROTO_HTTP2,
+ .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT,
+ .to_client_progress = HTTP2StateDataServer,
+ .to_server_progress = HTTP2StateDataClient },
+ { .al_proto = ALPROTO_SMTP, .direction = SIG_FLAG_TOSERVER }
+ };
+
+ for (size_t i = 0; i < ARRAY_SIZE(al_protocols); i++) {
+ int direction = al_protocols[i].direction == 0
+ ?
(int)(SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT)
+ : al_protocols[i].direction;
+
+ if (direction & SIG_FLAG_TOCLIENT) {
+ DetectAppLayerMpmRegister2(reg->name, SIG_FLAG_TOCLIENT, reg->priority,
+ reg->PrefilterFn, reg->GetData, al_protocols[i].al_proto,
+ al_protocols[i].to_client_progress);
+ DetectAppLayerInspectEngineRegister2(reg->name, al_protocols[i].al_proto,
+ SIG_FLAG_TOCLIENT, al_protocols[i].to_client_progress, reg->Callback,
+ reg->GetData);
+ }
+ if (direction & SIG_FLAG_TOSERVER) {
+ DetectAppLayerMpmRegister2(reg->name, SIG_FLAG_TOSERVER, reg->priority,
+ reg->PrefilterFn, reg->GetData, al_protocols[i].al_proto,
+ al_protocols[i].to_server_progress);
+ DetectAppLayerInspectEngineRegister2(reg->name, al_protocols[i].al_proto,
+ SIG_FLAG_TOSERVER, al_protocols[i].to_server_progress, reg->Callback,
+ reg->GetData);
+ }
+ }
+}
+
 /* Table with all SigMatch registrations */
 SigTableElmt sigmatch_table[DETECT_TBLSIZE];
@@ -82,6 +134,9 @@ static void SigMatchTransferSigMatchAcrossLists(SigMatch *sm,
 SigMatch **src_sm_list, SigMatch **src_sm_list_tail, SigMatch **dst_sm_list,
 SigMatch **dst_sm_list_tail);
+/**
+ * \brief Registration table for file handlers
+ */
 /**
 * \brief We use this as data to the hash table DetectEngineCtx->dup_sig_hash_table.
 */
diff --git a/src/detect-parse.h b/src/detect-parse.h
index 75d4b7ef85..33a2d515f0 100644
--- a/src/detect-parse.h
+++ b/src/detect-parse.h
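Review bot: `DetectFileRegisterFileProtocols` hands `reg->PrefilterFn`, `reg->Callback` and `reg->GetData` straight to `DetectAppLayerMpmRegister2` / `DetectAppLayerInspectEngineRegister2` without checking them, so a table entry that leaves one of them NULL is not rejected at startup but fails only when the engine is first run on traffic. With `util-validate.h` already included in this file, a `DEBUG_VALIDATE_BUG_ON(reg->Callback == NULL || reg->GetData == NULL);` at the top of the function would catch that at registration time. The function also never reads the `al_protocols`, `tx_progress` and `progress` members added to `DetectFileHandlerTableElmt` in the detect-parse.h hunk, using the static `al_protocols[]` table instead, so those fields are dead as of this commit; either drop them or document them as reserved. Since `reg` is only read, `const DetectFileHandlerTableElmt *reg` (mirrored in the header prototype) would state that, and a `\brief` comment on the function is missing.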
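Review bot: The added `/** \brief Registration table for file handlers */` block sits directly above the existing `/** \brief We use this as data to the hash table ... */` comment and is followed by no declaration of its own, so Doxygen attaches it to nothing and a reader takes it as describing the wrong object. The table it refers to is defined earlier in this file, in the previous hunk, under the plain `/* Table with all filehandler registrations */` comment; move the `\brief` there in place of that comment and drop these three lines here.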
@@ -25,6 +25,24 @@
 #define __DETECT_PARSE_H__
 #include "detect.h"
+#include "detect-engine-mpm.h"
+
+/* File handler registration */
+#define MAX_DETECT_ALPROTO_CNT 10
+typedef struct DetectFileHandlerTableElmt_ {
+ const char *name;
+ int priority;
+ PrefilterRegisterFunc PrefilterFn;
+ InspectEngineFuncPtr2 Callback;
+ InspectionBufferGetDataPtr GetData;
+ int al_protocols[MAX_DETECT_ALPROTO_CNT];
+ int tx_progress;
+ int progress;
+} DetectFileHandlerTableElmt;
+void DetectFileRegisterFileProtocols(DetectFileHandlerTableElmt *entry);
+
+/* File registration table */
+extern DetectFileHandlerTableElmt filehandler_table[DETECT_TBLSIZE];
 /** Flags to indicate if the Signature parsing must be done
 * switching the source and dest (for ip addresses and ports)
@@ -104,4 +122,3 @@ int SC_Pcre2SubstringGet(pcre2_match_data *match_data, uint32_t number, PCRE2_UC
 PCRE2_SIZE *bufflen);
 #endif /* __DETECT_PARSE_H__ */
-
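Review bot: The members of the new `DetectFileHandlerTableElmt` carry no documentation, so a registrant cannot tell what each field feeds; a one-line comment per member would fix that, e.g. `name` and `priority` as the values passed to `DetectAppLayerMpmRegister2`, and `PrefilterFn`/`Callback`/`GetData` as the engine callbacks forwarded to the MPM and inspect-engine registration, with the members that `DetectFileRegisterFileProtocols` does not yet read marked as reserved. The prototype names its parameter `entry` while the definition in detect-parse.c names it `reg`; keeping the names in step makes the header self-explanatory. `MAX_DETECT_ALPROTO_CNT` is a bare `#define` used only as an array bound, where an `enum` constant would stay debugger-visible, though this may be the header's existing convention.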