From: Victor Julien
Date: Mon, 22 May 2017 20:38:52 +0000 (+0200)
Subject: detect/file: cleanups
X-Git-Tag: suricata-4.0.0-beta1~57
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a636d96b150fc09ebce198424c58a7fd0761a5e7;p=thirdparty%2Fsuricata.git

detect/file: cleanups

TX id is enfored in the engine, so the keywords don't need to.

Unify detect file engines.
---

diff --git a/src/detect-engine-file.c b/src/detect-engine-file.c
index fba9edcc02..26a5239305 100644
--- a/src/detect-engine-file.c
+++ b/src/detect-engine-file.c
@@ -70,8 +70,6 @@
 * \retval 1 match
 * \retval 2 can't match
 * \retval 3 can't match filestore signature
- *
- * \note flow is not locked at this time
 */
 static int DetectFileInspect(ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
 Flow *f, const Signature *s, const SigMatchData *smd,
@@ -213,52 +211,7 @@ static int DetectFileInspect(ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
 }
 
 /**
- * \brief Inspect the file inspecting keywords against the HTTP transactions.
- *
- * \param tv thread vars
- * \param det_ctx detection engine thread ctx
- * \param f flow
- * \param s signature to inspect
- * \param alstate state
- * \param flags direction flag
- *
- * \retval 0 no match
- * \retval 1 match
- * \retval 2 can't match
- * \retval 3 can't match filestore signature
- *
- * \note flow should be locked when this function's called.
- */
-int DetectFileInspectHttp(ThreadVars *tv,
- DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
- const Signature *s, const SigMatchData *smd,
- Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
-{
- int r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
- FileContainer *ffc;
- HtpState *htp_state = (HtpState *)alstate;
-
- if (flags & STREAM_TOCLIENT)
- ffc = htp_state->files_tc;
- else
- ffc = htp_state->files_ts;
-
- int match = DetectFileInspect(tv, det_ctx, f, s, smd, flags, ffc);
- if (match == DETECT_ENGINE_INSPECT_SIG_MATCH) {
- r = DETECT_ENGINE_INSPECT_SIG_MATCH;
- } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH) {
- SCLogDebug("sid %u can't match on this transaction", s->id);
- r = DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
- } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILESTORE) {
- SCLogDebug("sid %u can't match on this transaction (filestore sig)", s->id);
- r = DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILESTORE;
- }
-
- return r;
-}
-
-/**
- * \brief Inspect the file inspecting keywords against the SMTP transactions.
+ * \brief Inspect the file inspecting keywords against the state
 *
 * \param tv thread vars
 * \param det_ctx detection engine thread ctx
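Review bot: The surviving Doxygen block now heads DetectFileInspectGeneric (renamed in the following hunk), yet its `\param` list still documents only the old per-protocol arguments (`tv` and `det_ctx` visible here, the rest beyond the hunk); `de_ctx`, `tx` and `tx_id`, which are part of the inspect-engine signature and apparently unused by the new body, get no mention, and nothing tells the reader that tx filtering moved into the engine. Suggest adding `\param tx_id transaction id; tx scoping is done by the engine, this function does not filter on it` alongside the existing `\param` lines, with one-liners for `de_ctx` and `tx` noting they are unused. The comment block continues past the end of the hunk.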
@@ -274,27 +227,24 @@ int DetectFileInspectHttp(ThreadVars *tv,
 *
 * \note flow is not locked at this time
 */
-int DetectFileInspectSmtp(ThreadVars *tv,
+int DetectFileInspectGeneric(ThreadVars *tv,
 DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
 const Signature *s, const SigMatchData *smd,
 Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
 {
 SCEnter();
- int r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
- SMTPState *smtp_state = NULL;
- FileContainer *ffc;
 
- smtp_state = (SMTPState *)alstate;
- if (smtp_state == NULL) {
- SCLogDebug("no SMTP state");
- goto end;
+ if (alstate == NULL) {
+ SCReturnInt(DETECT_ENGINE_INSPECT_SIG_NO_MATCH);
 }
 
- if (flags & STREAM_TOSERVER)
- ffc = smtp_state->files_ts;
- else
- goto end;
+ const uint8_t direction = flags & (STREAM_TOSERVER|STREAM_TOCLIENT);
+ FileContainer *ffc = AppLayerParserGetFiles(f->proto, f->alproto, alstate, direction);
+ if (ffc == NULL || ffc->head == NULL) {
+ SCReturnInt(DETECT_ENGINE_INSPECT_SIG_NO_MATCH);
+ }
 
+ int r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
 int match = DetectFileInspect(tv, det_ctx, f, s, smd, flags, ffc);
 if (match == DETECT_ENGINE_INSPECT_SIG_MATCH) {
 r = DETECT_ENGINE_INSPECT_SIG_MATCH;
@@ -309,6 +259,5 @@ int DetectFileInspectSmtp(ThreadVars *tv,
 r = match;
 }
 
-end:
 SCReturnInt(r);
 }
diff --git a/src/detect-engine-file.h b/src/detect-engine-file.h
index 180b2edd29..839f202d56 100644
--- a/src/detect-engine-file.h
+++ b/src/detect-engine-file.h
@@ -34,4 +34,9 @@ int DetectFileInspectSmtp(ThreadVars *tv,
 const Signature *s, const SigMatchData *smd,
 Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id);
 
+int DetectFileInspectGeneric(ThreadVars *tv,
+ DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
+ const Signature *s, const SigMatchData *smd,
+ Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id);
+
 #endif /* __DETECT_ENGINE_FILE_H__ */
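Review bot: The new early return on `ffc == NULL || ffc->head == NULL` makes a missing files getter indistinguishable from "no files yet": if `AppLayerParserGetFiles` returns NULL because a protocol has nothing registered for this direction, every file keyword on that protocol quietly becomes NO_MATCH, and nothing in the hunk logs or tests that the HTTP path (which previously read `htp_state->files_tc`/`files_ts` directly) still resolves through the generic getter. A `SCLogDebug("no file container for proto %u/%u dir %u", f->proto, f->alproto, direction);` in that branch, plus a unit test that registers a file-keyword rule for HTTP and SMTP and exercises each direction, would make that silent detection loss visible. The same branch also stops `DetectFileInspect` from ever seeing an empty container, whereas the removed code passed `smtp_state->files_ts` (and the HTTP container) through unchecked; if `DetectFileInspect` had its own result codes for that case, confirm filestore signatures still get the same CANT_MATCH outcomes. `f` is dereferenced for `f->proto`/`f->alproto` without a check while `alstate` gets one; presumably the engine never passes a NULL flow, but a comment saying so would settle it.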
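Review bot: The header still declares `DetectFileInspectSmtp` (visible as this hunk's context) and, presumably on the lines just above, `DetectFileInspectHttp`, although both definitions are deleted from detect-engine-file.c in this same commit; the prototypes now advertise inspect engines that cannot be linked, and a later registration against either name would only fail at link time. Drop the two stale declarations in this hunk so the header matches the single `DetectFileInspectGeneric` entry point. The new declaration also carries no comment; a one-liner such as `/** Inspect file keywords against the tx files returned by AppLayerParserGetFiles(); tx scoping is done by the engine. */` would record why there is no per-protocol variant anymore.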
diff --git a/src/detect-file-hash-common.c b/src/detect-file-hash-common.c
index baa14818c3..c9f7ab2918 100644
--- a/src/detect-file-hash-common.c
+++ b/src/detect-file-hash-common.c
@@ -153,14 +153,6 @@ int DetectFileHashMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
 int ret = 0;
 DetectFileHashData *filehash = (DetectFileHashData *)m;
 
- if (file->txid < det_ctx->tx_id) {
- SCReturnInt(0);
- }
-
- if (file->txid > det_ctx->tx_id) {
- SCReturnInt(0);
- }
-
 if (file->state != FILE_STATE_CLOSED) {
 SCReturnInt(0);
 }
diff --git a/src/detect-fileext.c b/src/detect-fileext.c
index 73160a426b..223ebfc216 100644
--- a/src/detect-fileext.c
+++ b/src/detect-fileext.c
@@ -103,12 +103,6 @@ static int DetectFileextMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
 if (file->name == NULL)
 SCReturnInt(0);
 
- if (file->txid < det_ctx->tx_id)
- SCReturnInt(0);
-
- if (file->txid > det_ctx->tx_id)
- SCReturnInt(0);
-
 if (file->name_len <= fileext->len)
 SCReturnInt(0);
 
diff --git a/src/detect-filemagic.c b/src/detect-filemagic.c
index 8145add23b..09d19bb3ba 100644
--- a/src/detect-filemagic.c
+++ b/src/detect-filemagic.c
@@ -187,12 +187,6 @@ static int DetectFilemagicMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
 int ret = 0;
 DetectFilemagicData *filemagic = (DetectFilemagicData *)m;
 
- if (file->txid < det_ctx->tx_id)
- SCReturnInt(0);
-
- if (file->txid > det_ctx->tx_id)
- SCReturnInt(0);
-
 DetectFilemagicThreadData *tfilemagic = (DetectFilemagicThreadData *)DetectThreadCtxGetKeywordThreadCtx(det_ctx, filemagic->thread_ctx_id);
 if (tfilemagic == NULL) {
 SCReturnInt(0);
diff --git a/src/detect-filename.c b/src/detect-filename.c
index d67148d6f2..273328dec7 100644
--- a/src/detect-filename.c
+++ b/src/detect-filename.c
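Review bot: Dropping the `file->txid` checks leaves `DetectFileHashMatch` with no local guarantee that `file` belongs to `det_ctx->tx_id`; the same guard is removed in detect-fileext.c, detect-filemagic.c and detect-filename.c in this commit. The commit message says the engine now enforces the tx id, but none of these hunks show where (presumably the file loop in `DetectFileInspect` in detect-engine-file.c, which is outside the diff), so a later change to that loop would let a hash, extension, magic or name from one transaction's file satisfy a rule evaluated for another transaction, with nothing failing loudly. A short comment at each removal point, e.g. `/* no txid check: the engine only passes files of the current tx (see DetectFileInspect) */`, plus a test that pipelines two transactions where only the second carries the matching file, would pin the contract. The enclosing match functions begin before their hunks.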
@@ -75,14 +75,14 @@ void DetectFilenameRegister(void)
 DetectAppLayerInspectEngineRegister("files", ALPROTO_HTTP, SIG_FLAG_TOSERVER, HTP_REQUEST_BODY,
- DetectFileInspectHttp);
+ DetectFileInspectGeneric);
 DetectAppLayerInspectEngineRegister("files", ALPROTO_HTTP, SIG_FLAG_TOCLIENT, HTP_RESPONSE_BODY,
- DetectFileInspectHttp);
+ DetectFileInspectGeneric);
 DetectAppLayerInspectEngineRegister("files", ALPROTO_SMTP, SIG_FLAG_TOSERVER, 0,
- DetectFileInspectSmtp);
+ DetectFileInspectGeneric);
 
 g_file_match_list_id = DetectBufferTypeGetByName("files");
@@ -115,12 +115,6 @@ static int DetectFilenameMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
 if (file->name == NULL)
 SCReturnInt(0);
 
- if (file->txid < det_ctx->tx_id)
- SCReturnInt(0);
-
- if (file->txid > det_ctx->tx_id)
- SCReturnInt(0);
-
 if (BoyerMooreNocase(filename->name, filename->len, file->name, file->name_len, filename->bm_ctx) != NULL) {