From: Victor Julien Date: Fri, 15 Mar 2019 20:41:49 +0000 (+0100) Subject: detect/filestore: use postmatch callback X-Git-Tag: suricata-5.0.0-beta1~129 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7497c633c426379788bee8796ca3cea48701197d;p=thirdparty%2Fsuricata.git detect/filestore: use postmatch callback --- diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h index a871ad41e4..89d44bee6a 100644 --- a/src/detect-engine-register.h +++ b/src/detect-engine-register.h @@ -178,6 +178,7 @@ enum { DETECT_FILE_NAME, DETECT_FILEEXT, DETECT_FILESTORE, + DETECT_FILESTORE_POSTMATCH, DETECT_FILEMAGIC, DETECT_FILEMD5, DETECT_FILESHA1, diff --git a/src/detect-filestore.c b/src/detect-filestore.c index b2f84d9114..8d88e02159 100644 --- a/src/detect-filestore.c +++ b/src/detect-filestore.c @@ -62,6 +62,8 @@ static pcre_extra *parse_regex_study; static int DetectFilestoreMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t, File *, const Signature *, const SigMatchCtx *); +static int DetectFilestorePostMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, + Packet *p, const Signature *s, const SigMatchCtx *ctx); static int DetectFilestoreSetup (DetectEngineCtx *, Signature *, const char *); static void DetectFilestoreFree(void *); static void DetectFilestoreRegisterTests(void); @@ -81,6 +83,10 @@ void DetectFilestoreRegister(void) sigmatch_table[DETECT_FILESTORE].RegisterTests = DetectFilestoreRegisterTests; sigmatch_table[DETECT_FILESTORE].flags = SIGMATCH_OPTIONAL_OPT; + sigmatch_table[DETECT_FILESTORE_POSTMATCH].name = "__filestore__postmatch__"; + sigmatch_table[DETECT_FILESTORE_POSTMATCH].Match = DetectFilestorePostMatch; + sigmatch_table[DETECT_FILESTORE_POSTMATCH].Free = DetectFilestoreFree; + DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); g_file_match_list_id = DetectBufferTypeRegister("files"); 
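Review bot: The `DETECT_FILESTORE_POSTMATCH` entry added in DetectFilestoreRegister (`@@ -81,6 +83,10 @@`) has no comment marking it as an internal table slot, and it sets `Free = DetectFilestoreFree` even though DetectFilestoreSetup in this same patch always gives that SigMatch `ctx = NULL`. I would add `/* internal post-match hook, appended by DetectFilestoreSetup; not a rule keyword, hence no Setup */` above the three assignments and drop the `.Free` line. That way nobody later hands this entry the `DetectFilestoreData` pointer that the DETECT_FILESTORE SigMatch already owns, which would free it twice. Whether the rule parser rejects a table entry that has a name but no Setup callback is not visible in this patch and should be confirmed, since `"__filestore__postmatch__"` is otherwise a valid-looking keyword string.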
@@ -184,7 +190,8 @@ static int FilestorePostMatchWithOptions(Packet *p, Flow *f, const DetectFilesto * When we are sure all parts of the signature matched, we run this function * to finalize the filestore. */ -int DetectFilestorePostMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, const Signature *s) +static int DetectFilestorePostMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, + Packet *p, const Signature *s, const SigMatchCtx *ctx) { uint8_t flags = 0; @@ -216,14 +223,11 @@ int DetectFilestorePostMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Pack /* filestore for single files only */ if (s->filestore_ctx == NULL) { - uint16_t u; - for (u = 0; u < det_ctx->filestore_cnt; u++) { + for (uint16_t u = 0; u < det_ctx->filestore_cnt; u++) { FileStoreFileById(ffc, det_ctx->filestore[u].file_id); } } else { - uint16_t u; - - for (u = 0; u < det_ctx->filestore_cnt; u++) { + for (uint16_t u = 0; u < det_ctx->filestore_cnt; u++) { FilestorePostMatchWithOptions(p, p->flow, s->filestore_ctx, ffc, det_ctx->filestore[u].file_id, det_ctx->filestore[u].tx_id); } @@ -427,6 +431,14 @@ static int DetectFilestoreSetup (DetectEngineCtx *de_ctx, Signature *s, const ch SigMatchAppendSMToList(s, sm, g_file_match_list_id); s->filestore_ctx = (const DetectFilestoreData *)sm->ctx; + sm = SigMatchAlloc(); + if (unlikely(sm == NULL)) + goto error; + sm->type = DETECT_FILESTORE_POSTMATCH; + sm->ctx = NULL; + SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_POSTMATCH); + + s->flags |= SIG_FLAG_FILESTORE; return 0; diff --git a/src/detect-filestore.h b/src/detect-filestore.h index 09d2e25f18..f394842fbd 100644 --- a/src/detect-filestore.h +++ b/src/detect-filestore.h @@ -41,7 +41,4 @@ typedef struct DetectFilestoreData_ { /* prototypes */ void DetectFilestoreRegister (void); -int DetectFilestorePostMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, - Packet *p, const Signature *); - #endif /* __DETECT_FILESTORE_H__ */ 
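Review bot: In the DetectFilestoreSetup hunk (`@@ -427,6 +431,14 @@`), a failure of the second `SigMatchAlloc()` jumps to `error` after the first SigMatch has already been appended to the signature and `s->filestore_ctx` points at its ctx. The `error:` label lies outside the hunk, so please confirm it releases only what `sm` points to at that moment (NULL on this path) and never the filestore data the signature now owns. Because detect.c no longer calls the post-match based on `SIG_FLAG_FILESTORE`, this append is the only thing that causes a matched file to be stored. A comment such as `/* run DetectFilestorePostMatch once the whole signature has matched */` before `sm = SigMatchAlloc();` would make that dependency visible. Any code that sets the flag without going through this function would silently stop storing files, which is worth checking before merge.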
diff --git a/src/detect.c b/src/detect.c
index ea568a4517..d1ecf9501d 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -164,11 +164,6 @@ static void DetectRunPostMatch(ThreadVars *tv,
 smd++;
 }
 }
-
- if (s->flags & SIG_FLAG_FILESTORE)
- DetectFilestorePostMatch(tv, det_ctx, p, s);
-
- return;
 }

 /**