From 26ba647d58c01efce2e38ac31194b884046c2084 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Thu, 7 May 2015 23:34:15 +0200 Subject: [PATCH] filedata: read inspected tracker settings from suricata.yaml --- src/app-layer-smtp.c | 52 ++++++++++++++++++++++++++----- src/app-layer-smtp.h | 9 ++++++ src/detect-engine-filedata-smtp.c | 11 +++---- suricata.yaml.in | 6 +++- 4 files changed, 62 insertions(+), 16 deletions(-) diff --git a/src/app-layer-smtp.c b/src/app-layer-smtp.c index 4bf3e4607e..e03cad8947 100644 --- a/src/app-layer-smtp.c +++ b/src/app-layer-smtp.c @@ -55,6 +55,14 @@ #include "conf.h" #include "util-mem.h" +#include "util-misc.h" + +/* content-limit default value */ +#define FILEDATA_CONTENT_LIMIT 1000 +/* content-inspect-min-size default value */ +#define FILEDATA_CONTENT_INSPECT_MIN_SIZE 1000 +/* content-inspect-window default value */ +#define FILEDATA_CONTENT_INSPECT_WINDOW 1000 #define SMTP_MAX_REQUEST_AND_REPLY_LINE_LENGTH 510 @@ -211,15 +219,8 @@ SCEnumCharMap smtp_reply_map[ ] = { { NULL, -1 }, }; -typedef struct SMTPConfig { - - int decode_mime; - MimeDecConfig mime_config; - -} SMTPConfig; - /* Create SMTP config structure */ -static SMTPConfig smtp_config = { 0, { 0, 0, 0, 0 } }; +SMTPConfig smtp_config = { 0, { 0, 0, 0, 0 }, 0, 0, 0}; /** * \brief Configure SMTP Mime Decoder by parsing out mime section of YAML @@ -232,6 +233,9 @@ static void SMTPConfigure(void) { SCEnter(); int ret = 0, val; intmax_t imval; + uint32_t content_limit = 0; + uint32_t content_inspect_min_size = 0; + uint32_t content_inspect_window = 0; ConfNode *config = ConfGetNode("app-layer.protocols.smtp.mime"); if (config != NULL) { 
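Review bot: The new initializer `SMTPConfig smtp_config = { 0, { 0, 0, 0, 0 }, 0, 0, 0};` in the @@ -211 hunk leaves content_limit, content_inspect_min_size and content_inspect_window at 0, whereas the FILECONTENT_* macros this patch removes from detect-engine-filedata-smtp.c gave all three the value 1000; combined with the early `return` in the @@ -265 hunk when the inspected-tracker section is absent, nothing ever restores those defaults. Initialise the struct from the FILEDATA_* defaults defined a few lines above instead: `SMTPConfig smtp_config = { 0, { 0, 0, 0, 0 }, FILEDATA_CONTENT_LIMIT, FILEDATA_CONTENT_INSPECT_MIN_SIZE, FILEDATA_CONTENT_INSPECT_WINDOW };`. Dropping `static` also turns smtp_config into a global with external linkage, so the comment above it should say that it is read from detect-engine-filedata-smtp.c rather than only "Create SMTP config structure".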
@@ -265,6 +269,38 @@ static void SMTPConfigure(void) { /* Pass mime config data to MimeDec API */ MimeDecSetConfig(&smtp_config.mime_config); + ConfNode *t = ConfGetNode("app-layer.protocols.smtp.inspected-tracker"); + ConfNode *p = NULL; + + if (t == NULL) + return; + + TAILQ_FOREACH(p, &t->head, next) { + if (strcasecmp("content-limit", p->name) == 0) { + if (ParseSizeStringU32(p->val, &content_limit) < 0) { + SCLogWarning(SC_ERR_SIZE_PARSE, "Error parsing content-limit " + "from conf file - %s. Killing engine", p->val); + content_limit = FILEDATA_CONTENT_LIMIT; + } + } + + if (strcasecmp("content-inspect-min-size", p->name) == 0) { + if (ParseSizeStringU32(p->val, &content_inspect_min_size) < 0) { + SCLogWarning(SC_ERR_SIZE_PARSE, "Error parsing content-inspect-min-size-limit " + "from conf file - %s. Killing engine", p->val); + content_inspect_min_size = FILEDATA_CONTENT_INSPECT_MIN_SIZE; + } + } + + if (strcasecmp("content-inspect-window", p->name) == 0) { + if (ParseSizeStringU32(p->val, &content_inspect_window) < 0) { + SCLogWarning(SC_ERR_SIZE_PARSE, "Error parsing content-inspect-window " + "from conf file - %s. Killing engine", p->val); + content_inspect_window = FILEDATA_CONTENT_INSPECT_WINDOW; + } + } + } + SCReturn; } diff --git a/src/app-layer-smtp.h b/src/app-layer-smtp.h index b11e335b1c..02090c61c0 100644 --- a/src/app-layer-smtp.h +++ b/src/app-layer-smtp.h @@ -68,6 +68,15 @@ typedef struct SMTPTransaction_ { TAILQ_ENTRY(SMTPTransaction_) next; } SMTPTransaction; +typedef struct SMTPConfig { + + int decode_mime; + MimeDecConfig mime_config; + uint32_t content_limit; + uint32_t content_inspect_min_size; + uint32_t content_inspect_window; +} SMTPConfig; + typedef struct SMTPState_ { SMTPTransaction *curr_tx; TAILQ_HEAD(, SMTPTransaction_) tx_list; /**< transaction list */ diff --git a/src/detect-engine-filedata-smtp.c b/src/detect-engine-filedata-smtp.c index 6f2bbbad62..f3687607f7 100644 --- a/src/detect-engine-filedata-smtp.c 
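Review bot: The values parsed into the three locals inside the TAILQ_FOREACH loop are never stored into smtp_config, so the settings read from suricata.yaml never reach the comparisons in detect-engine-filedata-smtp.c, which keep seeing the zero-initialised fields: a zero content_inspect_min_size means the deferral branch is never taken, and a zero content_inspect_window means every chunk before content_inspected is skipped, so no overlap is retained across chunk boundaries. Add `smtp_config.content_limit = content_limit;` after the content-limit branch and the equivalent two assignments for content_inspect_min_size and content_inspect_window. The warning text is also misleading: it says "Killing engine" while the code falls back to a default, and the second message names `content-inspect-min-size-limit` rather than the key being parsed; `"Error parsing content-inspect-min-size from conf file - %s. Using default"` would describe what happens. The bare `if (t == NULL) return;` also bypasses the `SCReturn` that pairs with the SCEnter() at the top of SMTPConfigure, which starts before this hunk.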
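Review bot: Moving the SMTPConfig typedef into app-layer-smtp.h makes the type visible, but the patch adds no `extern SMTPConfig smtp_config;` declaration here even though app-layer-smtp.c drops `static` from the definition and detect-engine-filedata-smtp.c now reads `smtp_config.content_limit` and the other two fields; unless that declaration already exists somewhere outside this patch, the detect-engine file will not link against a declared symbol. Add `extern SMTPConfig smtp_config;` after the typedef. The three new fields would also benefit from Doxygen comments stating their units and what 0 means, taken from the consumer's check, e.g. `uint32_t content_limit; /**< bytes; inspection is deferred only while content_len_so_far is below this, 0 disables the limit */`.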
+++ b/src/detect-engine-filedata-smtp.c @@ -53,9 +53,6 @@ #include "conf-yaml-loader.h" #define BUFFER_STEP 50 -#define FILECONTENT_CONTENT_LIMIT 1000 -#define FILECONTENT_INSPECT_MIN_SIZE 1000 -#define FILECONTENT_INSPECT_WINDOW 1000 static inline int SMTPCreateSpace(DetectEngineThreadCtx *det_ctx, uint16_t size) { @@ -137,9 +134,9 @@ static uint8_t *DetectEngineSMTPGetBufferForTX(uint64_t tx_id, goto end; } - if ((FILECONTENT_CONTENT_LIMIT == 0 || - curr_file->content_len_so_far < FILECONTENT_CONTENT_LIMIT) && - curr_file->content_len_so_far < FILECONTENT_INSPECT_MIN_SIZE && + if ((smtp_config.content_limit == 0 || + curr_file->content_len_so_far < smtp_config.content_limit) && + curr_file->content_len_so_far < smtp_config.content_inspect_min_size && !(flags & STREAM_EOF)) { SCLogDebug("we still haven't seen the entire content. " "Let's defer content inspection till we see the " @@ -154,7 +151,7 @@ static uint8_t *DetectEngineSMTPGetBufferForTX(uint64_t tx_id, /* see if we can filter out chunks */ if (curr_file->content_inspected > 0) { if (curr_chunk->stream_offset < curr_file->content_inspected) { - if ((curr_file->content_inspected - curr_chunk->stream_offset) > FILECONTENT_INSPECT_WINDOW) { + if ((curr_file->content_inspected - curr_chunk->stream_offset) > smtp_config.content_inspect_window) { curr_chunk = curr_chunk->next; continue; } else { diff --git a/suricata.yaml.in b/suricata.yaml.in index 8189cbede6..8d16815bee 100644 --- a/suricata.yaml.in +++ b/suricata.yaml.in @@ -1238,7 +1238,11 @@ app-layer: # Extract URLs and save in state data structure extract-urls: yes - + # Configure inspected-tracker for file_data keyword + inspected-tracker: + content-limit: 1000 + content-inspect-min-size: 1000 + content-inspect-window: 1000 imap: enabled: detection-only msn: -- 2.47.2
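Review bot: The condition in DetectEngineSMTPGetBufferForTX now depends on runtime configuration, and a reader cannot tell from the hunk that a zero content_limit is the "unlimited" case while a zero content_inspect_min_size makes the deferral branch unreachable if content_len_so_far is unsigned; a comment above the `if` would make that explicit, e.g. `/* defer inspection until content_inspect_min_size bytes are seen, unless content_limit (0 = unlimited) is reached or the stream ends */`. The same applies to the window check in the @@ -154 hunk, where a zero content_inspect_window drops every chunk that lies before content_inspected and so keeps no overlap for patterns spanning chunk boundaries. DetectEngineSMTPGetBufferForTX begins before these hunks.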
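Review bot: The new `inspected-tracker` comment only names the keyword; it does not say what the three values control, that they are parsed as sizes by ParseSizeStringU32, or that `content-limit: 0` disables the limit as the check in detect-engine-filedata-smtp.c treats it. Suggest expanding it to something like `# file_data inspection tracker: content-inspect-min-size is the amount buffered before inspection, content-limit caps it (0 = unlimited), content-inspect-window is the overlap re-inspected between passes`.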