From: Victor Julien
Date: Sat, 5 Aug 2023 09:46:20 +0000 (+0200)
Subject: detect/file: correct registration for HTTP
X-Git-Tag: suricata-6.0.14~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9c90d0171759a810bba4d634de1da2f46ef36ecf;p=thirdparty%2Fsuricata.git
detect/file: correct registration for HTTP
Register file.name and file.magic at correct progress values. In HTTP1, the files are (part of) the body, so make sure the file detection logic only runs when the parser has started processing the body.
---
diff --git a/src/detect-filemagic.c b/src/detect-filemagic.c
index 2af09b48ef..607f650cd8 100644
--- a/src/detect-filemagic.c
+++ b/src/detect-filemagic.c
@@ -112,10 +112,19 @@ void DetectFilemagicRegister(void)
 sigmatch_table[DETECT_FILE_MAGIC].Setup = DetectFilemagicSetupSticky;
 sigmatch_table[DETECT_FILE_MAGIC].flags = SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
- AppProto protos_ts[] = {
- ALPROTO_HTTP, ALPROTO_SMTP, ALPROTO_FTP, ALPROTO_SMB, ALPROTO_NFS, ALPROTO_HTTP2, 0 };
- AppProto protos_tc[] = {
- ALPROTO_HTTP, ALPROTO_FTP, ALPROTO_SMB, ALPROTO_NFS, ALPROTO_HTTP2, 0 };
+ AppProto protos_ts[] = { ALPROTO_SMTP, ALPROTO_FTP, ALPROTO_SMB, ALPROTO_NFS, ALPROTO_HTTP2,
+ 0 };
+ AppProto protos_tc[] = { ALPROTO_FTP, ALPROTO_SMB, ALPROTO_NFS, ALPROTO_HTTP2, 0 };
+
+ DetectAppLayerInspectEngineRegister2("file.magic", ALPROTO_HTTP, SIG_FLAG_TOSERVER,
+ HTP_REQUEST_BODY, DetectEngineInspectFilemagic, NULL);
+ DetectAppLayerMpmRegister2("file.magic", SIG_FLAG_TOSERVER, 2, PrefilterMpmFilemagicRegister,
+ NULL, ALPROTO_HTTP, HTP_REQUEST_BODY);
+
+ DetectAppLayerInspectEngineRegister2("file.magic", ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
+ HTP_RESPONSE_BODY, DetectEngineInspectFilemagic, NULL);
+ DetectAppLayerMpmRegister2("file.magic", SIG_FLAG_TOCLIENT, 2, PrefilterMpmFilemagicRegister,
+ NULL, ALPROTO_HTTP, HTP_RESPONSE_BODY);
 for (int i = 0; protos_ts[i] != 0; i++) {
 DetectAppLayerInspectEngineRegister2("file.magic", protos_ts[i],
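Review bot: The four HTTP-only registrations added after the protos_tc array carry no comment explaining why ALPROTO_HTTP is pulled out of the protos_ts/protos_tc loop and pinned to HTP_REQUEST_BODY / HTP_RESPONSE_BODY, so a later reader has only the commit message to learn that the progress value is what this change is about. A short why-comment above the first DetectAppLayerInspectEngineRegister2 call would keep that with the code, e.g. `/* HTTP/1: files are (part of) the body, so inspect only once the parser has started on it (HTP_REQUEST_BODY / HTP_RESPONSE_BODY). */`. ALPROTO_HTTP2 stays in the loop, whose progress value is outside this hunk, so whether HTTP/2 transfers get an equivalent body-stage gate is not visible here and is worth confirming. DetectFilemagicRegister continues past the end of the hunk.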
diff --git a/src/detect-filename.c b/src/detect-filename.c
index 6cd111ceff..4848d22ed9 100644
--- a/src/detect-filename.c
+++ b/src/detect-filename.c
@@ -142,10 +142,19 @@ void DetectFilenameRegister(void)
 g_file_match_list_id = DetectBufferTypeGetByName("files");
- AppProto protos_ts[] = { ALPROTO_HTTP, ALPROTO_SMTP, ALPROTO_FTP, ALPROTO_FTPDATA, ALPROTO_SMB,
- ALPROTO_NFS, 0 };
- AppProto protos_tc[] = { ALPROTO_HTTP, ALPROTO_FTP, ALPROTO_FTPDATA, ALPROTO_SMB, ALPROTO_NFS,
+ AppProto protos_ts[] = { ALPROTO_SMTP, ALPROTO_FTP, ALPROTO_FTPDATA, ALPROTO_SMB, ALPROTO_NFS,
 0 };
+ AppProto protos_tc[] = { ALPROTO_FTP, ALPROTO_FTPDATA, ALPROTO_SMB, ALPROTO_NFS, 0 };
+
+ DetectAppLayerInspectEngineRegister2("file.name", ALPROTO_HTTP, SIG_FLAG_TOSERVER,
+ HTP_REQUEST_BODY, DetectEngineInspectFilename, NULL);
+ DetectAppLayerMpmRegister2("file.name", SIG_FLAG_TOSERVER, 2, PrefilterMpmFilenameRegister,
+ NULL, ALPROTO_HTTP, HTP_REQUEST_BODY);
+
+ DetectAppLayerInspectEngineRegister2("file.name", ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
+ HTP_RESPONSE_BODY, DetectEngineInspectFilename, NULL);
+ DetectAppLayerMpmRegister2("file.name", SIG_FLAG_TOCLIENT, 2, PrefilterMpmFilenameRegister,
+ NULL, ALPROTO_HTTP, HTP_RESPONSE_BODY);
 for (int i = 0; protos_ts[i] != 0; i++) {
 DetectAppLayerInspectEngineRegister2("file.name", protos_ts[i],
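Review bot: The new-side protocol lists here are asymmetric with the ones the same commit writes in detect-filemagic.c: file.name keeps ALPROTO_FTPDATA but has no ALPROTO_HTTP2, while file.magic has ALPROTO_HTTP2 but no ALPROTO_FTPDATA. If that is deliberate (for instance no filename is exposed for HTTP/2 on this branch), a one-line comment on the protos_ts array such as `/* HTTP2 intentionally absent: no file.name source for that parser */` would stop it from being "fixed" later; if it is an oversight, HTTP/2 transfers can be matched on file.magic but never on file.name. Either way it is not addressed by this commit and is worth a quick check. DetectFilenameRegister continues past the end of the hunk.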