From: Victor Julien Date: Wed, 20 Apr 2016 16:42:01 +0000 (+0200) Subject: http: flag destate about new files X-Git-Tag: suricata-3.1RC1~232 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=83e0529b2b7cf953c83a6fbf5c59279f02574caf;p=thirdparty%2Fsuricata.git http: flag destate about new files The stateful detection engine needs some assistance when inspecting transactions with multiple files. This patch flags the detect state (if any) about the availability of new files in http. For http it should only apply to multipart bodies although the flag is set for all files. --- diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c index a3db82b189..4e76c5feb2 100644 --- a/src/app-layer-htp.c +++ b/src/app-layer-htp.c @@ -1226,6 +1226,19 @@ static void HtpRequestBodyReassemble(HtpTxUserData *htud, *chunks_buffer_len = buf_len; } +static void FlagDetectStateNewFile(HtpTxUserData *tx, int dir) +{ + if (tx && tx->de_state) { + if (dir == STREAM_TOSERVER) { + SCLogDebug("DETECT_ENGINE_STATE_FLAG_FILE_TS_NEW set"); + tx->de_state->dir_state[0].flags |= DETECT_ENGINE_STATE_FLAG_FILE_TS_NEW; + } else if (STREAM_TOCLIENT) { + SCLogDebug("DETECT_ENGINE_STATE_FLAG_FILE_TC_NEW set"); + tx->de_state->dir_state[1].flags |= DETECT_ENGINE_STATE_FLAG_FILE_TC_NEW; + } + } +} + /** * \brief Setup boundary buffers */ @@ -1428,6 +1441,7 @@ int HtpRequestBodyHandleMultipart(HtpState *hstate, HtpTxUserData *htud, goto end; } } + FlagDetectStateNewFile(htud, STREAM_TOSERVER); htud->request_body.body_parsed += (header_end - chunks_buffer); htud->tsflags &= ~HTP_FILENAME_SET; @@ -1472,6 +1486,8 @@ int HtpRequestBodyHandleMultipart(HtpState *hstate, HtpTxUserData *htud, } else if (result == -2) { htud->tsflags |= HTP_DONTSTORE; } + FlagDetectStateNewFile(htud, STREAM_TOSERVER); + } else if (header_next - filedata > 2) { filedata_len = header_next - filedata - 2; SCLogDebug("filedata_len %u", filedata_len); 
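Review bot: In the new FlagDetectStateNewFile, the second branch `} else if (STREAM_TOCLIENT) {` tests the constant instead of `dir`. Assuming STREAM_TOCLIENT is a non-zero flag value, that branch is taken for every `dir` that is not exactly STREAM_TOSERVER; it should read `} else if (dir == STREAM_TOCLIENT) {`. The callers in this patch pass only the two plain constants, so the result is the same today. A later caller passing a combined flags value or a bad direction would silently set DETECT_ENGINE_STATE_FLAG_FILE_TC_NEW on `dir_state[1]`, and the detection engine would then see a new file in a direction that has none. A short comment on the function saying which array index belongs to which direction would also help, since `dir_state[0]` and `dir_state[1]` are bare numbers here.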
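Review bot: In the `-1472,6` hunk of HtpRequestBodyHandleMultipart, `FlagDetectStateNewFile(htud, STREAM_TOSERVER);` is placed after the `else if (result == -2)` branch, so the new-file flag is raised even when HTP_DONTSTORE has just been set. The POST, PUT and response hunks raise it only in the final `else`, that is, only when the file was opened successfully. If the multipart path should behave the same way, move the call into a success branch: `} else { FlagDetectStateNewFile(htud, STREAM_TOSERVER); }`. If flagging on every outcome is intended for multipart bodies, a one-line comment saying so would stop the two patterns from looking like an oversight. The function starts and ends outside the hunk, so how other `result` values are handled before this point is not visible; the blank line added after the call can be dropped.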
@@ -1488,6 +1504,7 @@ int HtpRequestBodyHandleMultipart(HtpState *hstate, HtpTxUserData *htud, goto end; } } + FlagDetectStateNewFile(htud, STREAM_TOSERVER); htud->tsflags &= ~HTP_FILENAME_SET; htud->request_body.body_parsed += (header_end - chunks_buffer); @@ -1568,6 +1585,7 @@ static int HtpRequestBodyHandlePOST(HtpState *hstate, HtpTxUserData *htud, } else if (result == -2) { htud->tsflags |= HTP_DONTSTORE; } else { + FlagDetectStateNewFile(htud, STREAM_TOSERVER); htud->tsflags |= HTP_FILENAME_SET; htud->tsflags &= ~HTP_DONTSTORE; } @@ -1621,6 +1639,7 @@ static int HtpRequestBodyHandlePUT(HtpState *hstate, HtpTxUserData *htud, } else if (result == -2) { htud->tsflags |= HTP_DONTSTORE; } else { + FlagDetectStateNewFile(htud, STREAM_TOSERVER); htud->tsflags |= HTP_FILENAME_SET; htud->tsflags &= ~HTP_DONTSTORE; } @@ -1688,6 +1707,7 @@ int HtpResponseBodyHandle(HtpState *hstate, HtpTxUserData *htud, } else if (result == -2) { htud->tcflags |= HTP_DONTSTORE; } else { + FlagDetectStateNewFile(htud, STREAM_TOCLIENT); htud->tcflags |= HTP_FILENAME_SET; htud->tcflags &= ~HTP_DONTSTORE; }