From: Victor Julien Date: Thu, 30 Aug 2012 08:02:02 +0000 (+0200) Subject: file: implement filesize keyword. #489. X-Git-Tag: suricata-1.4beta1~53 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8f71333e12803ccd7aa82ad12abb57ff98d890bb;p=thirdparty%2Fsuricata.git file: implement filesize keyword. #489. --- diff --git a/src/Makefile.am b/src/Makefile.am index 17becad4bc..00f5cb3503 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -170,6 +170,7 @@ detect-fileext.c detect-fileext.h \ detect-filestore.c detect-filestore.h \ detect-filemagic.c detect-filemagic.h \ detect-filemd5.c detect-filemd5.h \ +detect-filesize.c detect-filesize.h \ detect-http-stat-code.c detect-http-stat-code.h \ detect-ssl-version.c detect-ssl-version.h \ detect-ssl-state.c detect-ssl-state.h \ diff --git a/src/detect-engine-file.c b/src/detect-engine-file.c index 6925c1e304..251ee57fb3 100644 --- a/src/detect-engine-file.c +++ b/src/detect-engine-file.c @@ -126,6 +126,12 @@ static int DetectFileInspect(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, break; } + if (s->file_flags & FILE_SIG_NEED_SIZE && file->state < FILE_STATE_CLOSED) { + SCLogDebug("sig needs filesize, but state < FILE_STATE_CLOSED"); + r = 0; + break; + } + /* run the file match functions. */ for (sm = s->sm_lists[DETECT_SM_LIST_FILEMATCH]; sm != NULL; sm = sm->next) { SCLogDebug("sm %p, sm->next %p", sm, sm->next); diff --git a/src/detect-engine-siggroup.c b/src/detect-engine-siggroup.c index d42a6d69f7..8c833bd76b 100644 --- a/src/detect-engine-siggroup.c +++ b/src/detect-engine-siggroup.c @@ -1599,6 +1599,33 @@ void SigGroupHeadSetFilemagicFlag(DetectEngineCtx *de_ctx, SigGroupHead *sgh) { return; } +/** + * \brief Set the need size flag in the sgh. + * + * \param de_ctx detection engine ctx for the signatures + * \param sgh sig group head to set the flag in + */ +void SigGroupHeadSetFilesizeFlag(DetectEngineCtx *de_ctx, SigGroupHead *sgh) { + Signature *s = NULL; + uint32_t sig = 0; + + if (sgh == NULL) + return; + + for (sig = 0; sig < sgh->sig_cnt; sig++) { + s = sgh->match_array[sig]; + if (s == NULL) + continue; + + if (SignatureIsFilesizeInspecting(s)) { + sgh->flags |= SIG_GROUP_HEAD_HAVEFILESIZE; + break; + } + } + + return; +} + /** * \brief Set the need magic flag in the sgh. * diff --git a/src/detect-engine-siggroup.h b/src/detect-engine-siggroup.h index 588e761f84..ff44aaf288 100644 --- a/src/detect-engine-siggroup.h +++ b/src/detect-engine-siggroup.h @@ -89,5 +89,6 @@ int SigGroupHeadBuildHeadArray(DetectEngineCtx *, SigGroupHead *); void SigGroupHeadSetFilemagicFlag(DetectEngineCtx *, SigGroupHead *); void SigGroupHeadSetFilestoreCount(DetectEngineCtx *, SigGroupHead *); void SigGroupHeadSetFileMd5Flag(DetectEngineCtx *, SigGroupHead *); +void SigGroupHeadSetFilesizeFlag(DetectEngineCtx *, SigGroupHead *); #endif /* __DETECT_ENGINE_SIGGROUP_H__ */ diff --git a/src/detect-engine-state.c b/src/detect-engine-state.c index 3cdf0d7444..de7ae7de90 100644 --- a/src/detect-engine-state.c +++ b/src/detect-engine-state.c @@ -1770,7 +1770,7 @@ static int DeStateSigTest03(void) { goto end; } - if (file->store != 1) { + if (!(file->flags & FILE_STORE)) { printf("file is set to store, but sig didn't match: "); goto end; } @@ -1885,7 +1885,7 @@ static int DeStateSigTest04(void) { goto end; } - if (file->store == 1) { + if (file->flags & FILE_STORE) { printf("file is set to store, but sig didn't match: "); goto end; } @@ -2000,8 +2000,8 @@ static int DeStateSigTest05(void) { goto end; } - if (file->store != -1) { - printf("file is not set to \"no store\", but %d: ", file->store); + if (!(file->flags & FILE_NOSTORE)) { + printf("file is not set to \"no store\": "); goto end; } @@ -2115,8 +2115,8 @@ static int DeStateSigTest06(void) { goto end; } - if (file->store != -1) { - printf("file is not set to \"no store\", but %d: ", file->store); + if (!(file->flags & FILE_NOSTORE)) { + printf("file is not set to \"no store\": "); goto end; } @@ -2247,7 +2247,7 @@ static int DeStateSigTest07(void) { goto end; } - if (file->store == 1) { + if (file->flags & FILE_STORE) { printf("file is set to store, but sig didn't match: "); goto end; } diff --git a/src/detect-filesize.c b/src/detect-filesize.c new file mode 100644 index 0000000000..e40f20cfc7 --- /dev/null +++ b/src/detect-filesize.c @@ -0,0 +1,531 @@ +/* Copyright (C) 2007-2012 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Victor Julien + * + * Implements the filesize keyword + */ + +#include "suricata-common.h" +#include "app-layer-protos.h" +#include "app-layer-htp.h" +#include "util-unittest.h" +#include "util-unittest-helper.h" + +#include "detect.h" +#include "detect-parse.h" +#include "detect-engine-state.h" + +#include "detect-filesize.h" +#include "util-debug.h" +#include "util-byte.h" +#include "flow-util.h" +#include "stream-tcp.h" + +/** + * \brief Regex for parsing our filesize + */ +#define PARSE_REGEX "^(?:\\s*)(<|>)?(?:\\s*)([0-9]{1,23})(?:\\s*)(?:(<>)(?:\\s*)([0-9]{1,23}))?\\s*$" + +static pcre *parse_regex; +static pcre_extra *parse_regex_study; + +/*prototypes*/ +static int DetectFilesizeMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, + uint8_t flags, void *state, Signature *s, SigMatch *m); +static int DetectFilesizeSetup (DetectEngineCtx *, Signature *, char *); +static void DetectFilesizeFree (void *); +static void DetectFilesizeRegisterTests (void); + +/** + * \brief Registration function for filesize: keyword + */ + +void DetectFilesizeRegister(void) +{ + sigmatch_table[DETECT_FILESIZE].name = "filesize"; + sigmatch_table[DETECT_FILESIZE].alproto = ALPROTO_HTTP; + sigmatch_table[DETECT_FILESIZE].AppLayerMatch = DetectFilesizeMatch; + sigmatch_table[DETECT_FILESIZE].Setup = DetectFilesizeSetup; + sigmatch_table[DETECT_FILESIZE].Free = DetectFilesizeFree; + sigmatch_table[DETECT_FILESIZE].RegisterTests = DetectFilesizeRegisterTests; + sigmatch_table[DETECT_FILESIZE].flags |= SIGMATCH_PAYLOAD; /** XXX necessary? */ + + const char *eb; + int eo; + int opts = 0; + + parse_regex = pcre_compile(PARSE_REGEX, opts, &eb, &eo, NULL); + if (parse_regex == NULL) { + SCLogDebug("pcre compile of \"%s\" failed at offset %" PRId32 ": %s", + PARSE_REGEX, eo, eb); + goto error; + } + + parse_regex_study = pcre_study(parse_regex, 0, &eb); + if (eb != NULL) { + SCLogDebug("pcre study failed: %s", eb); + goto error; + } + return; + +error: + if (parse_regex != NULL) + SCFree(parse_regex); + if (parse_regex_study != NULL) + SCFree(parse_regex_study); + return; +} + +/** + * \brief This function is used to match filesize rule option. + * + * \param t thread local vars + * \param det_ctx pattern matcher thread local data + * \param f *LOCKED* flow + * \param flags direction flags + * \param file file being inspected + * \param s signature being inspected + * \param m sigmatch that we will cast into DetectFilesizeData + * + * \retval 0 no match + * \retval 1 match + */ +static int DetectFilesizeMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, + uint8_t flags, void *state, Signature *s, SigMatch *m) +{ + SCEnter(); + + DetectFilesizeData *fsd = m->ctx; + File *file = (File *)state; + int ret = 0; + SCLogDebug("file size %"PRIu64", check %"PRIu64, file->size, fsd->size1); + + if (file->state == FILE_STATE_CLOSED) { + switch (fsd->mode) { + case DETECT_FILESIZE_EQ: + if (file->size == fsd->size1) + ret = 1; + break; + case DETECT_FILESIZE_LT: + if (file->size < fsd->size1) + ret = 1; + break; + case DETECT_FILESIZE_GT: + if (file->size > fsd->size1) + ret = 1; + break; + case DETECT_FILESIZE_RA: + if (file->size > fsd->size1 && file->size < fsd->size2) + ret = 1; + break; + } + /* truncated, error: only see if what we have meets the GT condition */ + } else if (file->state > FILE_STATE_CLOSED) { + if (fsd->mode == DETECT_FILESIZE_GT && file->size > fsd->size1) + ret = 1; + } + SCReturnInt(ret); +} + +/** + * \brief parse filesize options + * + * \param str pointer to the user provided filesize + * + * \retval fsd pointer to DetectFilesizeData on success + * \retval NULL on failure + */ +static DetectFilesizeData *DetectFilesizeParse (char *str) +{ + + DetectFilesizeData *fsd = NULL; + char *arg1 = NULL; + char *arg2 = NULL; + char *arg3 = NULL; + char *arg4 = NULL; +#define MAX_SUBSTRINGS 30 + int ret = 0, res = 0; + int ov[MAX_SUBSTRINGS]; + + ret = pcre_exec(parse_regex, parse_regex_study, str, strlen(str), + 0, 0, ov, MAX_SUBSTRINGS); + if (ret < 3 || ret > 5) { + SCLogError(SC_ERR_PCRE_PARSE, "filesize option pcre parse error: \"%s\"", str); + goto error; + } + const char *str_ptr; + + SCLogDebug("ret %d", ret); + + res = pcre_get_substring((char *)str, ov, MAX_SUBSTRINGS, 1, &str_ptr); + if (res < 0) { + SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed"); + goto error; + } + arg1 = (char *) str_ptr; + SCLogDebug("Arg1 \"%s\"", arg1); + + res = pcre_get_substring((char *)str, ov, MAX_SUBSTRINGS, 2, &str_ptr); + if (res < 0) { + SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed"); + goto error; + } + arg2 = (char *) str_ptr; + SCLogDebug("Arg2 \"%s\"", arg2); + + if (ret > 3) { + res = pcre_get_substring((char *)str, ov, MAX_SUBSTRINGS, 3, &str_ptr); + if (res < 0) { + SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed"); + goto error; + } + arg3 = (char *) str_ptr; + SCLogDebug("Arg3 \"%s\"", arg3); + + if (ret > 4) { + res = pcre_get_substring((char *)str, ov, MAX_SUBSTRINGS, 4, &str_ptr); + if (res < 0) { + SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed"); + goto error; + } + arg4 = (char *) str_ptr; + SCLogDebug("Arg4 \"%s\"", arg4); + } + } + + fsd = SCMalloc(sizeof (DetectFilesizeData)); + if (fsd == NULL) + goto error; + memset(fsd, 0, sizeof(DetectFilesizeData)); + + if (arg1[0] == '<') + fsd->mode = DETECT_FILESIZE_LT; + else if (arg1[0] == '>') + fsd->mode = DETECT_FILESIZE_GT; + else + fsd->mode = DETECT_FILESIZE_EQ; + + if (arg3 != NULL && strcmp("<>", arg3) == 0) { + if (strlen(arg1) != 0) { + SCLogError(SC_ERR_INVALID_ARGUMENT,"Range specified but mode also set"); + goto error; + } + fsd->mode = DETECT_FILESIZE_RA; + } + + /** set the first value */ + if (ByteExtractStringUint64(&fsd->size1,10,strlen(arg2),arg2) <= 0){ + SCLogError(SC_ERR_INVALID_ARGUMENT,"Invalid size :\"%s\"",arg2); + goto error; + } + + /** set the second value if specified */ + if (arg4 != NULL && strlen(arg4) > 0) { + if (fsd->mode != DETECT_FILESIZE_RA) { + SCLogError(SC_ERR_INVALID_ARGUMENT,"Multiple filesize values specified" + " but mode is not range"); + goto error; + } + + if(ByteExtractStringUint64(&fsd->size2,10,strlen(arg4),arg4) <= 0) + { + SCLogError(SC_ERR_INVALID_ARGUMENT,"Invalid size :\"%s\"",arg4); + goto error; + } + + if (fsd->size2 <= fsd->size1){ + SCLogError(SC_ERR_INVALID_ARGUMENT,"filesize2:%"PRIu64" <= filesize:" + "%"PRIu64"",fsd->size2,fsd->size1); + goto error; + } + } + + pcre_free_substring(arg1); + pcre_free_substring(arg2); + if (arg3 != NULL) + pcre_free_substring(arg3); + if (arg4 != NULL) + pcre_free_substring(arg4); + return fsd; + +error: + if (fsd) + SCFree(fsd); + if (arg1 != NULL) + SCFree(arg1); + if (arg2 != NULL) + SCFree(arg2); + if (arg3 != NULL) + SCFree(arg3); + if (arg4 != NULL) + SCFree(arg4); + return NULL; +} + +/** + * \brief this function is used to parse filesize data into the current signature + * + * \param de_ctx pointer to the Detection Engine Context + * \param s pointer to the Current Signature + * \param str pointer to the user provided options + * + * \retval 0 on Success + * \retval -1 on Failure + */ +static int DetectFilesizeSetup (DetectEngineCtx *de_ctx, Signature *s, char *str) +{ + SCEnter(); + DetectFilesizeData *fsd = NULL; + SigMatch *sm = NULL; + + fsd = DetectFilesizeParse(str); + if (fsd == NULL) + goto error; + + sm = SigMatchAlloc(); + if (sm == NULL) + goto error; + + sm->type = DETECT_FILESIZE; + sm->ctx = (void *)fsd; + + SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_FILEMATCH); + + if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords."); + goto error; + } + + AppLayerHtpNeedFileInspection(); + + /** \todo remove this once we support more than http */ + s->alproto = ALPROTO_HTTP; + + s->file_flags |= (FILE_SIG_NEED_FILE|FILE_SIG_NEED_SIZE); + SCReturnInt(0); + +error: + if (fsd != NULL) + DetectFilesizeFree(fsd); + if (sm != NULL) + SCFree(sm); + SCReturnInt(-1); +} + +/** + * \brief this function will free memory associated with DetectFilesizeData + * + * \param ptr pointer to DetectFilesizeData + */ +static void DetectFilesizeFree(void *ptr) +{ + DetectFilesizeData *fsd = (DetectFilesizeData *)ptr; + SCFree(fsd); +} + +#ifdef UNITTESTS + +#include "stream.h" +#include "stream-tcp-private.h" +#include "stream-tcp-reassemble.h" +#include "detect-parse.h" +#include "detect-engine.h" +#include "detect-engine-mpm.h" +#include "app-layer-parser.h" + +/** \test Test the Filesize keyword setup */ +static int DetectFilesizeParseTest01(void) +{ + int ret = 0; + DetectFilesizeData *fsd = NULL; + + fsd = DetectFilesizeParse("10"); + if (fsd != NULL) { + if (fsd->size1 == 10 && fsd->mode == DETECT_FILESIZE_EQ) + ret = 1; + + DetectFilesizeFree(fsd); + } + return ret; +} + +/** \test Test the Filesize keyword setup */ +static int DetectFilesizeParseTest02(void) +{ + int ret = 0; + DetectFilesizeData *fsd = NULL; + + fsd = DetectFilesizeParse(" < 10 "); + if (fsd != NULL) { + if (fsd->size1 == 10 && fsd->mode == DETECT_FILESIZE_LT) + ret = 1; + + DetectFilesizeFree(fsd); + } + return ret; +} + +/** \test Test the Filesize keyword setup */ +static int DetectFilesizeParseTest03(void) +{ + int ret = 0; + DetectFilesizeData *fsd = NULL; + + fsd = DetectFilesizeParse(" > 10 "); + if (fsd != NULL) { + if (fsd->size1 == 10 && fsd->mode == DETECT_FILESIZE_GT) + ret = 1; + + DetectFilesizeFree(fsd); + } + return ret; +} + +/** \test Test the Filesize keyword setup */ +static int DetectFilesizeParseTest04(void) +{ + int ret = 0; + DetectFilesizeData *fsd = NULL; + + fsd = DetectFilesizeParse(" 5 <> 10 "); + if (fsd != NULL) { + if (fsd->size1 == 5 && fsd->size2 == 10 && + fsd->mode == DETECT_FILESIZE_RA) + ret = 1; + + DetectFilesizeFree(fsd); + } + return ret; +} + +/** \test Test the Filesize keyword setup */ +static int DetectFilesizeParseTest05(void) +{ + int ret = 0; + DetectFilesizeData *fsd = NULL; + + fsd = DetectFilesizeParse("5<>10"); + if (fsd != NULL) { + if (fsd->size1 == 5 && fsd->size2 == 10 && + fsd->mode == DETECT_FILESIZE_RA) + ret = 1; + + DetectFilesizeFree(fsd); + } + return ret; +} + +/** + * \brief this function is used to initialize the detection engine context and + * setup the signature with passed values. + * + */ + +static int DetectFilesizeInitTest(DetectEngineCtx **de_ctx, Signature **sig, + DetectFilesizeData **fsd, char *str) +{ + char fullstr[1024]; + int result = 0; + + *de_ctx = NULL; + *sig = NULL; + + if (snprintf(fullstr, 1024, "alert http any any -> any any (msg:\"Filesize " + "test\"; filesize:%s; sid:1;)", str) >= 1024) { + goto end; + } + + *de_ctx = DetectEngineCtxInit(); + if (*de_ctx == NULL) { + goto end; + } + + (*de_ctx)->flags |= DE_QUIET; + + (*de_ctx)->sig_list = SigInit(*de_ctx, fullstr); + if ((*de_ctx)->sig_list == NULL) { + goto end; + } + + *sig = (*de_ctx)->sig_list; + + *fsd = DetectFilesizeParse(str); + + result = 1; + +end: + return result; +} + +/** + * \test DetectFilesizeSetpTest01 is a test for setting up an valid filesize values + * with valid "<>" operator and include spaces arround the given values. + * In the test the values are setup with initializing the detection engine + * context and setting up the signature itself. + */ + +static int DetectFilesizeSetpTest01(void) { + + DetectFilesizeData *fsd = NULL; + uint8_t res = 0; + Signature *sig = NULL; + DetectEngineCtx *de_ctx = NULL; + + res = DetectFilesizeInitTest(&de_ctx, &sig, &fsd, "1 <> 2 "); + if (res == 0) { + goto end; + } + + if(fsd == NULL) + goto cleanup; + + if (fsd != NULL) { + if (fsd->size1 == 1 && fsd->size2 == 2 && + fsd->mode == DETECT_FILESIZE_RA) + res = 1; + } + +cleanup: + if (fsd) + SCFree(fsd); + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); +end: + return res; +} + +#endif /* UNITTESTS */ + +/** + * \brief this function registers unit tests for DetectFilesize + */ +void DetectFilesizeRegisterTests(void) +{ +#ifdef UNITTESTS + UtRegisterTest("DetectFilesizeParseTest01", DetectFilesizeParseTest01, 1); + UtRegisterTest("DetectFilesizeParseTest02", DetectFilesizeParseTest02, 1); + UtRegisterTest("DetectFilesizeParseTest03", DetectFilesizeParseTest03, 1); + UtRegisterTest("DetectFilesizeParseTest04", DetectFilesizeParseTest04, 1); + UtRegisterTest("DetectFilesizeParseTest05", DetectFilesizeParseTest05, 1); + UtRegisterTest("DetectFilesizeSetpTest01", DetectFilesizeSetpTest01, 1); +#endif /* UNITTESTS */ +} diff --git a/src/detect-filesize.h b/src/detect-filesize.h new file mode 100644 index 0000000000..cecb29f0e8 --- /dev/null +++ b/src/detect-filesize.h @@ -0,0 +1,42 @@ +/* Copyright (C) 2007-2012 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Victor Julien + */ + +#ifndef __DETECT_FILESIZE_H__ +#define __DETECT_FILESIZE_H__ + +#define DETECT_FILESIZE_LT 0 /**< "less than" operator */ +#define DETECT_FILESIZE_GT 1 /**< "greater than" operator */ +#define DETECT_FILESIZE_RA 2 /**< range operator */ +#define DETECT_FILESIZE_EQ 3 /**< equal operator */ + +typedef struct DetectFilesizeData_ { + uint64_t size1; /**< 1st value in the signature*/ + uint64_t size2; /**< 2nd value in the signature*/ + uint8_t mode; /**< operator used in the signature */ +} DetectFilesizeData; + +//int DetectFilesizeMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *, +// uint8_t, void *, Signature *, SigMatch *); +void DetectFilesizeRegister(void); + +#endif /* _DETECT_URILEN_H */ diff --git a/src/detect.c b/src/detect.c index 2971771f62..8e70d83520 100644 --- a/src/detect.c +++ b/src/detect.c @@ -97,6 +97,7 @@ #include "detect-filestore.h" #include "detect-filemagic.h" #include "detect-filemd5.h" +#include "detect-filesize.h" #include "detect-dsize.h" #include "detect-flowvar.h" #include "detect-flowint.h" @@ -1915,6 +1916,14 @@ end: SCLogDebug("disabling md5 for flow"); FileDisableMd5(p->flow, STREAM_TOSERVER); } + + /* see if this sgh requires us to consider filesize */ + if (p->flow->sgh_toserver == NULL || + !(p->flow->sgh_toserver->flags & SIG_GROUP_HEAD_HAVEFILESIZE)) + { + SCLogDebug("disabling filesize for flow"); + FileDisableFilesize(p->flow, STREAM_TOSERVER); + } } else if (p->flowflags & FLOW_PKT_TOCLIENT && !(p->flow->flags & FLOW_SGH_TOCLIENT)) { p->flow->sgh_toclient = det_ctx->sgh; p->flow->flags |= FLOW_SGH_TOCLIENT; @@ -1938,6 +1947,14 @@ end: SCLogDebug("disabling md5 for flow"); FileDisableMd5(p->flow, STREAM_TOCLIENT); } + + /* see if this sgh requires us to consider filesize */ + if (p->flow->sgh_toclient == NULL || + !(p->flow->sgh_toclient->flags & SIG_GROUP_HEAD_HAVEFILESIZE)) + { + SCLogDebug("disabling filesize for flow"); + FileDisableFilesize(p->flow, STREAM_TOCLIENT); + } } } @@ -2113,6 +2130,24 @@ int SignatureIsFileMd5Inspecting(Signature *s) { return 0; } +/** + * \brief Check if a signature contains the filesize keyword. + * + * \param s signature + * + * \retval 0 no + * \retval 1 yes + */ +int SignatureIsFilesizeInspecting(Signature *s) { + if (s == NULL) + return 0; + + if (s->file_flags & FILE_SIG_NEED_SIZE) + return 1; + + return 0; +} + /** \brief Test is a initialized signature is IP only * \param de_ctx detection engine ctx * \param s the signature @@ -4073,6 +4108,7 @@ int SigAddressPrepareStage4(DetectEngineCtx *de_ctx) { SigGroupHeadBuildHeadArray(de_ctx, sgh); SigGroupHeadSetFilemagicFlag(de_ctx, sgh); SigGroupHeadSetFileMd5Flag(de_ctx, sgh); + SigGroupHeadSetFilesizeFlag(de_ctx, sgh); SigGroupHeadSetFilestoreCount(de_ctx, sgh); SCLogDebug("filestore count %u", sgh->filestore_cnt); } @@ -4743,6 +4779,7 @@ void SigTableSetup(void) { DetectFilestoreRegister(); DetectFilemagicRegister(); DetectFileMd5Register(); + DetectFilesizeRegister(); DetectAppLayerEventRegister(); DetectHttpUARegister(); diff --git a/src/detect.h b/src/detect.h index cec3d87b71..2c883f7bf3 100644 --- a/src/detect.h +++ b/src/detect.h @@ -295,6 +295,7 @@ typedef struct DetectPort_ { #define FILE_SIG_NEED_MAGIC 0x08 /**< need the start of the file */ #define FILE_SIG_NEED_FILECONTENT 0x10 #define FILE_SIG_NEED_MD5 0x20 +#define FILE_SIG_NEED_SIZE 0x40 /* Detection Engine flags */ #define DE_QUIET 0x01 /**< DE is quiet (esp for unittests) */ @@ -845,6 +846,7 @@ typedef struct SigTableElmt_ { #define SIG_GROUP_HEAD_MPM_HSCD (1 << 17) #define SIG_GROUP_HEAD_MPM_HUAD (1 << 18) #define SIG_GROUP_HEAD_HAVEFILEMD5 (1 << 19) +#define SIG_GROUP_HEAD_HAVEFILESIZE (1 << 20) typedef struct SigGroupHeadInitData_ { /* list of content containers @@ -1047,6 +1049,7 @@ enum { DETECT_FILESTORE, DETECT_FILEMAGIC, DETECT_FILEMD5, + DETECT_FILESIZE, /* make sure this stays last */ DETECT_TBLSIZE, @@ -1084,6 +1087,7 @@ Signature *DetectGetTagSignature(void); int SignatureIsFilestoring(Signature *); int SignatureIsFilemagicInspecting(Signature *); int SignatureIsFileMd5Inspecting(Signature *); +int SignatureIsFilesizeInspecting(Signature *); #endif /* __DETECT_H__ */ diff --git a/src/flow.h b/src/flow.h index 70e5b026a8..5b030eed56 100644 --- a/src/flow.h +++ b/src/flow.h @@ -102,6 +102,10 @@ #define FLOW_FILE_NO_MD5_TS 0x10000000 #define FLOW_FILE_NO_MD5_TC 0x20000000 +/** no size tracking of files in this flow */ +#define FLOW_FILE_NO_SIZE_TS 0x40000000 +#define FLOW_FILE_NO_SIZE_TC 0x80000000 + #define FLOW_IS_IPV4(f) \ (((f)->flags & FLOW_IPV4) == FLOW_IPV4) #define FLOW_IS_IPV6(f) \ diff --git a/src/log-filestore.c b/src/log-filestore.c index 2649c31273..15c893ae89 100644 --- a/src/log-filestore.c +++ b/src/log-filestore.c @@ -305,8 +305,8 @@ static TmEcode LogFilestoreLogWrap(ThreadVars *tv, Packet *p, void *data, Packet continue; } - if (ff->store != 1) { - SCLogDebug("ff->store %d, so not 1", ff->store); + if (!(ff->flags & FILE_STORE)) { + SCLogDebug("ff FILE_STORE not set"); continue; } diff --git a/src/util-file.c b/src/util-file.c index 996c71ee1d..dc25167b34 100644 --- a/src/util-file.c +++ b/src/util-file.c @@ -94,9 +94,6 @@ static int FileAppendFileDataFilePtr(File *ff, FileData *ffd) { ff->chunks_tail = ffd; } - ff->size += ffd->len; - SCLogDebug("file size %"PRIu64, ff->size); - #ifdef DEBUG ff->chunks_cnt++; if (ff->chunks_cnt > ff->chunks_cnt_max) @@ -148,7 +145,7 @@ static void FilePruneFile(File *file) { while (fd != NULL) { SCLogDebug("fd %p", fd); - if (file->store == -1 || fd->stored == 1) { + if (file->flags & FILE_NOSTORE || fd->stored == 1) { file->chunks_head = fd->next; if (file->chunks_tail == fd) file->chunks_tail = fd->next; @@ -352,7 +349,7 @@ void FileContainerAdd(FileContainer *ffc, File *ff) { * \param ff The file to store */ int FileStore(File *ff) { - ff->store = 1; + ff->flags |= FILE_STORE; SCReturnInt(0); } @@ -384,8 +381,7 @@ static int FileStoreNoStoreCheck(File *ff) { SCReturnInt(0); } - - if (ff->store == -1) { + if (ff->flags & FILE_NOSTORE) { if (ff->state == FILE_STATE_OPENED && ff->size >= (uint64_t)FileMagicSize()) { @@ -416,23 +412,28 @@ int FileAppendData(FileContainer *ffc, uint8_t *data, uint32_t data_len) { } if (ffc->tail->state != FILE_STATE_OPENED) { - if (ffc->tail->store == -1) { + if (ffc->tail->flags & FILE_NOSTORE) { SCReturnInt(-2); } SCReturnInt(-1); } + ffc->tail->size += data_len; + SCLogDebug("file size is now %"PRIu64, ffc->tail->size); + if (FileStoreNoStoreCheck(ffc->tail) == 1) { #ifdef HAVE_NSS /* no storage but forced md5 */ - if (g_file_force_tracking || ffc->tail->md5_ctx) { + if (ffc->tail->md5_ctx) { if (ffc->tail->md5_ctx) HASH_Update(ffc->tail->md5_ctx, data, data_len); - ffc->tail->size += data_len; SCReturnInt(0); } #endif + if (g_file_force_tracking || (!(ffc->tail->flags & FILE_NOTRACK))) + SCReturnInt(0); + ffc->tail->state = FILE_STATE_TRUNCATED; SCLogDebug("flowfile state transitioned to FILE_STATE_TRUNCATED"); SCReturnInt(-2); @@ -482,9 +483,10 @@ File *FileOpenFile(FileContainer *ffc, uint8_t *name, } if (flags & FILE_STORE) { - ff->store = 1; + ff->flags |= FILE_STORE; } else if (flags & FILE_NOSTORE) { - ff->store = -1; + SCLogDebug("not storing this file"); + ff->flags |= FILE_NOSTORE; } if (flags & FILE_NOMAGIC) { SCLogDebug("not doing magic for this file"); @@ -511,6 +513,8 @@ File *FileOpenFile(FileContainer *ffc, uint8_t *name, if (data != NULL) { //PrintRawDataFp(stdout, data, data_len); + ff->size += data_len; + SCLogDebug("file size is now %"PRIu64, ff->size); FileData *ffd = FileDataAlloc(data, data_len); if (ffd == NULL) { @@ -542,16 +546,18 @@ static int FileCloseFilePtr(File *ff, uint8_t *data, SCReturnInt(-1); } + ff->size += data_len; + SCLogDebug("file size is now %"PRIu64, ff->size); + if (data != NULL) { //PrintRawDataFp(stdout, data, data_len); - if (ff->store == -1) { + if (ff->flags & FILE_NOSTORE) { #ifdef HAVE_NSS /* no storage but md5 */ if (ff->md5_ctx) HASH_Update(ff->md5_ctx, data, data_len); #endif - ff->size += data_len; } else { FileData *ffd = FileDataAlloc(data, data_len); if (ffd == NULL) { @@ -573,7 +579,8 @@ static int FileCloseFilePtr(File *ff, uint8_t *data, SCLogDebug("flowfile state transitioned to FILE_STATE_TRUNCATED"); if (flags & FILE_NOSTORE) { - ff->store = -1; + SCLogDebug("not storing this file"); + ff->flags |= FILE_NOSTORE; } } else { ff->state = FILE_STATE_CLOSED; @@ -639,8 +646,10 @@ void FileDisableStoring(Flow *f, uint8_t direction) { FileContainer *ffc = AppLayerGetFilesFromFlow(f, direction); if (ffc != NULL) { for (ptr = ffc->head; ptr != NULL; ptr = ptr->next) { - if (ptr->store == 0) { - ptr->store = -1; + /* if we're already storing, we'll continue */ + if (!(ptr->flags & FILE_STORE)) { + SCLogDebug("not storing this file"); + ptr->flags |= FILE_NOSTORE; } } } @@ -715,6 +724,37 @@ void FileDisableMd5(Flow *f, uint8_t direction) { SCReturn; } +/** + * \brief disable file size tracking for this flow + * + * \param f *LOCKED* flow + * \param direction flow direction + */ +void FileDisableFilesize(Flow *f, uint8_t direction) { + File *ptr = NULL; + + SCEnter(); + + DEBUG_ASSERT_FLOW_LOCKED(f); + + if (direction == STREAM_TOSERVER) + f->flags |= FLOW_FILE_NO_SIZE_TS; + else + f->flags |= FLOW_FILE_NO_SIZE_TC; + + FileContainer *ffc = AppLayerGetFilesFromFlow(f, direction); + if (ffc != NULL) { + for (ptr = ffc->head; ptr != NULL; ptr = ptr->next) { + SCLogDebug("disabling size tracking for file %p from direction %s", + ptr, direction == STREAM_TOSERVER ? "toserver":"toclient"); + ptr->flags |= FILE_NOTRACK; + } + } + + SCReturn; +} + + /** * \brief set no store flag, close file if needed * @@ -727,7 +767,8 @@ void FileDisableStoringForFile(File *ff) { SCReturn; } - ff->store = -1; + SCLogDebug("not storing this file"); + ff->flags |= FILE_NOSTORE; if (ff->state == FILE_STATE_OPENED && ff->size >= (uint64_t)FileMagicSize()) { (void)FileCloseFilePtr(ff, NULL, 0, @@ -753,7 +794,7 @@ void FileDisableStoringForTransaction(Flow *f, uint8_t direction, uint16_t tx_id if (ffc != NULL) { for (ptr = ffc->head; ptr != NULL; ptr = ptr->next) { if (ptr->txid == tx_id) { - if (ptr->store == 1) { + if (ptr->flags & FILE_STORE) { /* weird, already storing -- let it continue*/ SCLogDebug("file is already being stored"); } else { @@ -780,7 +821,7 @@ void FileStoreFileById(FileContainer *fc, uint16_t file_id) { if (fc != NULL) { for (ptr = fc->head; ptr != NULL; ptr = ptr->next) { if (ptr->file_id == file_id) { - ptr->store = 1; + ptr->flags |= FILE_STORE; } } } @@ -794,7 +835,7 @@ void FileStoreAllFilesForTx(FileContainer *fc, uint16_t tx_id) { if (fc != NULL) { for (ptr = fc->head; ptr != NULL; ptr = ptr->next) { if (ptr->txid == tx_id) { - ptr->store = 1; + ptr->flags |= FILE_STORE; } } } @@ -807,7 +848,7 @@ void FileStoreAllFiles(FileContainer *fc) { if (fc != NULL) { for (ptr = fc->head; ptr != NULL; ptr = ptr->next) { - ptr->store = 1; + ptr->flags |= FILE_STORE; } } } diff --git a/src/util-file.h b/src/util-file.h index 777e43acef..b0858450e8 100644 --- a/src/util-file.h +++ b/src/util-file.h @@ -29,14 +29,15 @@ #include #endif -#define FILE_TRUNCATED 0x01 -#define FILE_NOSTORE 0x02 -#define FILE_NOMAGIC 0x04 -#define FILE_STORE 0x08 -#define FILE_MD5 0x10 -#define FILE_LOGGED 0x20 -#define FILE_STORED 0x40 -#define FILE_NOMD5 0x80 +#define FILE_TRUNCATED 0x0001 +#define FILE_NOMAGIC 0x0002 +#define FILE_NOMD5 0x0004 +#define FILE_MD5 0x0008 +#define FILE_LOGGED 0x0010 +#define FILE_NOSTORE 0x0020 +#define FILE_STORE 0x0040 +#define FILE_STORED 0x0080 +#define FILE_NOTRACK 0x0100 /**< track size of file */ typedef enum FileState_ { FILE_STATE_NONE = 0, /**< no state */ @@ -58,8 +59,7 @@ typedef struct FileData_ { } FileData; typedef struct File_ { - uint8_t flags; - int8_t store; /**< need storing? 0: no, 1: yes, -1: won't */ + uint16_t flags; uint16_t txid; /**< tx this file is part of */ unsigned int file_id; uint8_t *name; @@ -156,6 +156,8 @@ int FileSetTx(File *, uint16_t txid); */ void FileDisableStoring(struct Flow_ *, uint8_t); +void FileDisableFilesize(Flow *f, uint8_t direction); + /** * \brief disable file storing for a transaction *