From: Victor Julien Date: Wed, 29 Aug 2012 08:01:34 +0000 (+0200) Subject: Create separate detect API call (FileMatch) for file detection keywords. #531. X-Git-Tag: suricata-1.4beta1~55 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3849588c61a0fbad79dfab31cfa3fec200ad9467;p=thirdparty%2Fsuricata.git Create separate detect API call (FileMatch) for file detection keywords. #531. --- diff --git a/src/detect-engine-file.c b/src/detect-engine-file.c index cf5ab2a713..6925c1e304 100644 --- a/src/detect-engine-file.c +++ b/src/detect-engine-file.c @@ -130,9 +130,9 @@ static int DetectFileInspect(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, for (sm = s->sm_lists[DETECT_SM_LIST_FILEMATCH]; sm != NULL; sm = sm->next) { SCLogDebug("sm %p, sm->next %p", sm, sm->next); - if (sigmatch_table[sm->type].AppLayerMatch != NULL) { + if (sigmatch_table[sm->type].FileMatch != NULL) { match = sigmatch_table[sm->type]. - AppLayerMatch(tv, det_ctx, f, flags, (void *)file, s, sm); + FileMatch(tv, det_ctx, f, flags, file, s, sm); if (match == 0) { r = 2; break; @@ -167,7 +167,7 @@ static int DetectFileInspect(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, DetectFilestoreData *fd = sm->ctx; if (fd->scope > FILESTORE_SCOPE_DEFAULT) { match = sigmatch_table[sm->type]. - AppLayerMatch(tv, det_ctx, f, flags, NULL, s, sm); + FileMatch(tv, det_ctx, f, flags, /* no file */NULL, s, sm); if (match == 1) { r = 1; } diff --git a/src/detect-fileext.c b/src/detect-fileext.c index 2b874a5d76..6d724b3429 100644 --- a/src/detect-fileext.c +++ b/src/detect-fileext.c @@ -1,4 +1,4 @@ -/* Copyright (C) 2007-2011 Open Information Security Foundation +/* Copyright (C) 2007-2012 Open Information Security Foundation * * You can copy, redistribute or modify this Program under the terms of * the GNU General Public License version 2 as published by the Free 
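Review bot: In the `DETECT_SM_LIST_FILEMATCH` loop a sigmatch whose keyword registers no `FileMatch` (the non-NSS filemd5 build in detect-filemd5.c sets it to NULL) is silently skipped, and since `r` only drops to 2 on an explicit mismatch, such a keyword counts as matched for every file. That is only safe as long as the keyword's Setup refuses to put it in that list, which this hunk cannot show; an else branch such as `SCLogDebug("sm %p has no FileMatch, skipped", sm);` would at least make the case visible, or it could be treated as a programming error. DetectFileInspect starts and ends outside the hunk.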
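Review bot: The `/* no file */NULL` argument in the second hunk establishes that a `FileMatch` implementation may be called with a NULL file, yet of the five implementations in this commit only `DetectFilestoreMatch` tests `file != NULL`; the fileext, filemagic, filemd5 and filename functions dereference `file->name` or `file->txid` on entry. This call is presumably reachable only for a filestore sigmatch (the `sm->type` selection sits outside the hunk), so the contract should be stated where the pointer is defined: extend the `FileMatch` member comment in detect.h with `File *, /**< file being inspected, NULL only for filestore with scope > file */`. DetectFileInspect starts and ends outside the hunk.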
@@ -51,18 +51,18 @@ #include "stream-tcp.h" #include "detect-fileext.h" -int DetectFileextMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t, void *, Signature *, SigMatch *); +static int DetectFileextMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *, + uint8_t, File *, Signature *, SigMatch *); static int DetectFileextSetup (DetectEngineCtx *, Signature *, char *); -void DetectFileextRegisterTests(void); -void DetectFileextFree(void *); +static void DetectFileextRegisterTests(void); +static void DetectFileextFree(void *); /** * \brief Registration function for keyword: fileext */ void DetectFileextRegister(void) { sigmatch_table[DETECT_FILEEXT].name = "fileext"; - sigmatch_table[DETECT_FILEEXT].Match = NULL; - sigmatch_table[DETECT_FILEEXT].AppLayerMatch = DetectFileextMatch; + sigmatch_table[DETECT_FILEEXT].FileMatch = DetectFileextMatch; sigmatch_table[DETECT_FILEEXT].alproto = ALPROTO_HTTP; sigmatch_table[DETECT_FILEEXT].Setup = DetectFileextSetup; sigmatch_table[DETECT_FILEEXT].Free = DetectFileextFree; 
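Review bot: `DetectFileextMatch`, `DetectFileextRegisterTests` and `DetectFileextFree` become `static` here while detect-fileext.h is not part of the diff; if that header still declares any of them, the declarations are now stale and gcc rejects a static definition that follows a non-static declaration. The prototypes living in this file suggest the header only declares `DetectFileextRegister`, but that is worth confirming. The same check applies to the matching prototype hunks in detect-filemagic.c, detect-filemd5.c, detect-filename.c and detect-filestore.c.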
@@ -75,21 +75,24 @@ void DetectFileextRegister(void) { /** * \brief match the specified file extension * - * \param t pointer to thread vars - * \param det_ctx pointer to the pattern matcher thread - * \param p pointer to the current packet - * \param m pointer to the sigmatch that we will cast into DetectFileextData + * \param t thread local vars + * \param det_ctx pattern matcher thread local data + * \param f *LOCKED* flow + * \param flags direction flags + * \param file file being inspected + * \param s signature being inspected + * \param m sigmatch that we will cast into DetectFileextData * * \retval 0 no match * \retval 1 match */ -int DetectFileextMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m) +static int DetectFileextMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, + Flow *f, uint8_t flags, File *file, Signature *s, SigMatch *m) { SCEnter(); int ret = 0; DetectFileextData *fileext = (DetectFileextData *)m->ctx; - File *file = (File *)state; if (file->name == NULL) SCReturnInt(0); @@ -130,7 +133,7 @@ int DetectFileextMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, * \retval pointer to DetectFileextData on success * \retval NULL on failure */ -DetectFileextData *DetectFileextParse (char *str) +static DetectFileextData *DetectFileextParse (char *str) { DetectFileextData *fileext = NULL; @@ -224,7 +227,7 @@ error: * * \param fileext pointer to DetectFileextData */ -void DetectFileextFree(void *ptr) { +static void DetectFileextFree(void *ptr) { if (ptr != NULL) { DetectFileextData *fileext = (DetectFileextData *)ptr; if (fileext->ext != NULL) diff --git a/src/detect-filemagic.c b/src/detect-filemagic.c index d58e73f8bb..725a148e2b 100644 --- a/src/detect-filemagic.c +++ b/src/detect-filemagic.c 
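Review bot: `DetectFileextMatch` now takes `File *file` directly and reads `file->name` on its first statement without a NULL test, while the engine's second FileMatch call site in detect-engine-file.c passes NULL explicitly; the function relies on that call site never selecting this keyword. Either say so in the new doc block, `\param file file being inspected, never NULL`, or add a cheap guard ahead of the name test, `if (file == NULL) SCReturnInt(0);`. The same applies to the DetectFilemagicMatch, DetectFileMd5Match and DetectFilenameMatch hunks, which dereference `file->txid` or `file->name` the same way. The body of each function continues outside its hunk.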
@@ -1,4 +1,4 @@ -/* Copyright (C) 2007-2011 Open Information Security Foundation +/* Copyright (C) 2007-2012 Open Information Security Foundation * * You can copy, redistribute or modify this Program under the terms of * the GNU General Public License version 2 as published by the Free @@ -52,18 +52,18 @@ #include "detect-filemagic.h" -int DetectFilemagicMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t, void *, Signature *, SigMatch *); +static int DetectFilemagicMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *, + uint8_t, File *, Signature *, SigMatch *); static int DetectFilemagicSetup (DetectEngineCtx *, Signature *, char *); -void DetectFilemagicRegisterTests(void); -void DetectFilemagicFree(void *); +static void DetectFilemagicRegisterTests(void); +static void DetectFilemagicFree(void *); /** * \brief Registration function for keyword: filemagic */ void DetectFilemagicRegister(void) { sigmatch_table[DETECT_FILEMAGIC].name = "filemagic"; - sigmatch_table[DETECT_FILEMAGIC].Match = NULL; - sigmatch_table[DETECT_FILEMAGIC].AppLayerMatch = DetectFilemagicMatch; + sigmatch_table[DETECT_FILEMAGIC].FileMatch = DetectFilemagicMatch; sigmatch_table[DETECT_FILEMAGIC].alproto = ALPROTO_HTTP; sigmatch_table[DETECT_FILEMAGIC].Setup = DetectFilemagicSetup; sigmatch_table[DETECT_FILEMAGIC].Free = DetectFilemagicFree; 
@@ -127,22 +127,24 @@ int FilemagicLookup(File *file) { /** * \brief match the specified filemagic * - * \param t pointer to thread vars - * \param det_ctx pointer to the pattern matcher thread - * \param p pointer to the current packet - * \param m pointer to the sigmatch that we will cast into DetectFilemagicData + * \param t thread local vars + * \param det_ctx pattern matcher thread local data + * \param f *LOCKED* flow + * \param flags direction flags + * \param file file being inspected + * \param s signature being inspected + * \param m sigmatch that we will cast into DetectFilemagicData * * \retval 0 no match * \retval 1 match */ -int DetectFilemagicMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m) +static int DetectFilemagicMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, + Flow *f, uint8_t flags, File *file, Signature *s, SigMatch *m) { SCEnter(); int ret = 0; DetectFilemagicData *filemagic = (DetectFilemagicData *)m->ctx; - File *file = (File *)state; - if (file->txid < det_ctx->tx_id) SCReturnInt(0); @@ -191,7 +193,7 @@ int DetectFilemagicMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f * \retval filemagic pointer to DetectFilemagicData on success * \retval NULL on failure */ -DetectFilemagicData *DetectFilemagicParse (char *str) +static DetectFilemagicData *DetectFilemagicParse (char *str) { DetectFilemagicData *filemagic = NULL; @@ -291,7 +293,7 @@ error: * * \param filemagic pointer to DetectFilemagicData */ -void DetectFilemagicFree(void *ptr) { +static void DetectFilemagicFree(void *ptr) { if (ptr != NULL) { DetectFilemagicData *filemagic = (DetectFilemagicData *)ptr; if (filemagic->bm_ctx != NULL) { diff --git a/src/detect-filemd5.c b/src/detect-filemd5.c index afc184fb64..6ceece9b9e 100644 --- a/src/detect-filemd5.c +++ b/src/detect-filemd5.c 
@@ -66,8 +66,7 @@ static int DetectFileMd5SetupNoSupport (DetectEngineCtx *a, Signature *b, char * */ void DetectFileMd5Register(void) { sigmatch_table[DETECT_FILEMD5].name = "filemd5"; - sigmatch_table[DETECT_FILEMD5].Match = NULL; - sigmatch_table[DETECT_FILEMD5].AppLayerMatch = NULL; + sigmatch_table[DETECT_FILEMD5].FileMatch = NULL; sigmatch_table[DETECT_FILEMD5].alproto = ALPROTO_HTTP; sigmatch_table[DETECT_FILEMD5].Setup = DetectFileMd5SetupNoSupport; sigmatch_table[DETECT_FILEMD5].Free = NULL; @@ -79,18 +78,18 @@ void DetectFileMd5Register(void) { #else /* HAVE_NSS */ -int DetectFileMd5Match (ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t, void *, Signature *, SigMatch *); +static int DetectFileMd5Match (ThreadVars *, DetectEngineThreadCtx *, + Flow *, uint8_t, File *, Signature *, SigMatch *); static int DetectFileMd5Setup (DetectEngineCtx *, Signature *, char *); -void DetectFileMd5RegisterTests(void); -void DetectFileMd5Free(void *); +static void DetectFileMd5RegisterTests(void); +static void DetectFileMd5Free(void *); /** * \brief Registration function for keyword: filemd5 */ void DetectFileMd5Register(void) { sigmatch_table[DETECT_FILEMD5].name = "filemd5"; - sigmatch_table[DETECT_FILEMD5].Match = NULL; - sigmatch_table[DETECT_FILEMD5].AppLayerMatch = DetectFileMd5Match; + sigmatch_table[DETECT_FILEMD5].FileMatch = DetectFileMd5Match; sigmatch_table[DETECT_FILEMD5].alproto = ALPROTO_HTTP; sigmatch_table[DETECT_FILEMD5].Setup = DetectFileMd5Setup; sigmatch_table[DETECT_FILEMD5].Free = DetectFileMd5Free; 
@@ -158,22 +157,24 @@ static int MD5MatchLookupString(ROHashTable *hash, char *string) { /** * \brief match the specified filemd5 * - * \param t pointer to thread vars - * \param det_ctx pointer to the pattern matcher thread - * \param p pointer to the current packet - * \param m pointer to the sigmatch that we will cast into DetectFileMd5Data + * \param t thread local vars + * \param det_ctx pattern matcher thread local data + * \param f *LOCKED* flow + * \param flags direction flags + * \param file file being inspected + * \param s signature being inspected + * \param m sigmatch that we will cast into DetectFileMd5Data * * \retval 0 no match * \retval 1 match */ -int DetectFileMd5Match (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m) +static int DetectFileMd5Match (ThreadVars *t, DetectEngineThreadCtx *det_ctx, + Flow *f, uint8_t flags, File *file, Signature *s, SigMatch *m) { SCEnter(); int ret = 0; DetectFileMd5Data *filemd5 = (DetectFileMd5Data *)m->ctx; - File *file = (File *)state; - if (file->txid < det_ctx->tx_id) { SCReturnInt(0); } @@ -211,7 +212,7 @@ int DetectFileMd5Match (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, * \retval filemd5 pointer to DetectFileMd5Data on success * \retval NULL on failure */ -DetectFileMd5Data *DetectFileMd5Parse (char *str) +static DetectFileMd5Data *DetectFileMd5Parse (char *str) { DetectFileMd5Data *filemd5 = NULL; @@ -341,7 +342,7 @@ error: * * \param filemd5 pointer to DetectFileMd5Data */ -void DetectFileMd5Free(void *ptr) { +static void DetectFileMd5Free(void *ptr) { if (ptr != NULL) { DetectFileMd5Data *filemd5 = (DetectFileMd5Data *)ptr; if (filemd5->hash != NULL) diff --git a/src/detect-filename.c b/src/detect-filename.c index 5c9e6759fd..16275388ec 100644 --- a/src/detect-filename.c +++ b/src/detect-filename.c 
@@ -1,4 +1,4 @@ -/* Copyright (C) 2007-2011 Open Information Security Foundation +/* Copyright (C) 2007-2012 Open Information Security Foundation * * You can copy, redistribute or modify this Program under the terms of * the GNU General Public License version 2 as published by the Free @@ -50,18 +50,18 @@ #include "detect-filename.h" -int DetectFilenameMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t, void *, Signature *, SigMatch *); +static int DetectFilenameMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *, + uint8_t, File *, Signature *, SigMatch *); static int DetectFilenameSetup (DetectEngineCtx *, Signature *, char *); -void DetectFilenameRegisterTests(void); -void DetectFilenameFree(void *); +static void DetectFilenameRegisterTests(void); +static void DetectFilenameFree(void *); /** * \brief Registration function for keyword: filename */ void DetectFilenameRegister(void) { sigmatch_table[DETECT_FILENAME].name = "filename"; - sigmatch_table[DETECT_FILENAME].Match = NULL; - sigmatch_table[DETECT_FILENAME].AppLayerMatch = DetectFilenameMatch; + sigmatch_table[DETECT_FILENAME].FileMatch = DetectFilenameMatch; sigmatch_table[DETECT_FILENAME].alproto = ALPROTO_HTTP; sigmatch_table[DETECT_FILENAME].Setup = DetectFilenameSetup; sigmatch_table[DETECT_FILENAME].Free = DetectFilenameFree; 
@@ -74,21 +74,24 @@ void DetectFilenameRegister(void) { /** * \brief match the specified filename * - * \param t pointer to thread vars - * \param det_ctx pointer to the pattern matcher thread - * \param p pointer to the current packet - * \param m pointer to the sigmatch that we will cast into DetectFilenameData + * \param t thread local vars + * \param det_ctx pattern matcher thread local data + * \param f *LOCKED* flow + * \param flags direction flags + * \param file file being inspected + * \param s signature being inspected + * \param m sigmatch that we will cast into DetectFilenameData * * \retval 0 no match * \retval 1 match */ -int DetectFilenameMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m) +static int DetectFilenameMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, + Flow *f, uint8_t flags, File *file, Signature *s, SigMatch *m) { SCEnter(); int ret = 0; DetectFilenameData *filename = m->ctx; - File *file = (File *)state; if (file->name == NULL) SCReturnInt(0); @@ -133,7 +136,7 @@ int DetectFilenameMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, * \retval filename pointer to DetectFilenameData on success * \retval NULL on failure */ -DetectFilenameData *DetectFilenameParse (char *str) +static DetectFilenameData *DetectFilenameParse (char *str) { DetectFilenameData *filename = NULL; @@ -232,7 +235,7 @@ error: * * \param filename pointer to DetectFilenameData */ -void DetectFilenameFree(void *ptr) { +static void DetectFilenameFree(void *ptr) { if (ptr != NULL) { DetectFilenameData *filename = (DetectFilenameData *)ptr; if (filename->bm_ctx != NULL) { diff --git a/src/detect-filestore.c b/src/detect-filestore.c index be811e6434..d39cf08eae 100644 --- a/src/detect-filestore.c +++ b/src/detect-filestore.c 
@@ -1,4 +1,4 @@ -/* Copyright (C) 2007-2011 Open Information Security Foundation +/* Copyright (C) 2007-2012 Open Information Security Foundation * * You can copy, redistribute or modify this Program under the terms of * the GNU General Public License version 2 as published by the Free @@ -20,6 +20,7 @@ * * \author Victor Julien * + * Implements the filestore keyword */ #include "suricata-common.h" @@ -57,7 +58,8 @@ static pcre *parse_regex; static pcre_extra *parse_regex_study; -int DetectFilestoreMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t, void *, Signature *, SigMatch *); +static int DetectFilestoreMatch (ThreadVars *, DetectEngineThreadCtx *, + Flow *, uint8_t, File *, Signature *, SigMatch *); static int DetectFilestoreSetup (DetectEngineCtx *, Signature *, char *); static void DetectFilestoreFree(void *); @@ -66,8 +68,7 @@ static void DetectFilestoreFree(void *); */ void DetectFilestoreRegister(void) { sigmatch_table[DETECT_FILESTORE].name = "filestore"; - sigmatch_table[DETECT_FILESTORE].Match = NULL; - sigmatch_table[DETECT_FILESTORE].AppLayerMatch = DetectFilestoreMatch; + sigmatch_table[DETECT_FILESTORE].FileMatch = DetectFilestoreMatch; sigmatch_table[DETECT_FILESTORE].alproto = ALPROTO_HTTP; sigmatch_table[DETECT_FILESTORE].Setup = DetectFilestoreSetup; sigmatch_table[DETECT_FILESTORE].Free = DetectFilestoreFree; @@ -187,6 +188,10 @@ static int FilestorePostMatchWithOptions(Packet *p, Flow *f, DetectFilestoreData /** * \brief post-match function for filestore * + * \param t thread local vars + * \param det_ctx pattern matcher thread local data + * \param p packet + * * The match function for filestore records store candidates in the det_ctx. * When we are sure all parts of the signature matched, we run this function * to finalize the filestore. 
@@ -240,10 +245,13 @@ int DetectFilestorePostMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Pack /** * \brief match the specified filestore * - * \param t pointer to thread vars - * \param det_ctx pointer to the pattern matcher thread - * \param p pointer to the current packet - * \param m pointer to the sigmatch that we will cast into DetectFilestoreData + * \param t thread local vars + * \param det_ctx pattern matcher thread local data + * \param f *LOCKED* flow + * \param flags direction flags + * \param file file being inspected + * \param s signature being inspected + * \param m sigmatch that we will cast into DetectFilestoreData * * \retval 0 no match * \retval 1 match @@ -251,8 +259,8 @@ int DetectFilestorePostMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Pack * \todo when we start supporting more protocols, the logic in this function * needs to be put behind a api. */ -int DetectFilestoreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, - uint8_t flags, void *state, Signature *s, SigMatch *m) +static int DetectFilestoreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, + uint8_t flags, File *file, Signature *s, SigMatch *m) { uint16_t file_id = 0; @@ -264,7 +272,6 @@ int DetectFilestoreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f /* file can be NULL when a rule with filestore scope > file * matches. */ - File *file = (File *)state; if (file != NULL) { file_id = file->file_id; } diff --git a/src/detect.h b/src/detect.h index dbb692d473..cec3d87b71 100644 --- a/src/detect.h +++ b/src/detect.h @@ -38,6 +38,7 @@ #include "util-debug.h" #include "util-error.h" #include "util-radix-tree.h" +#include "util-file.h" #include "detect-mark.h" 
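Review bot: The new `\param file file being inspected` line on `DetectFilestoreMatch` is copied from the other keywords, but this is the one implementation where `file` may be NULL, as the body comment above the `if (file != NULL)` test says; the parameter doc should carry that, `\param file file being inspected, NULL when the rule's filestore scope is wider than a single file`. Without it a reader of the doc block assumes the same non-NULL contract as fileext and filename. DetectFilestoreMatch continues outside the hunk.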
@@ -795,13 +796,22 @@ typedef struct DetectionEngineThreadCtx_ { #endif } DetectEngineThreadCtx; -/** \brief element in sigmatch type table. */ +/** \brief element in sigmatch type table. + * \note FileMatch pointer below takes a locked flow, AppLayerMatch an unlocked flow + */ typedef struct SigTableElmt_ { /** Packet match function pointer */ int (*Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *); /** AppLayer match function pointer */ int (*AppLayerMatch)(ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, Signature *, SigMatch *); + + /** File match function pointer */ + int (*FileMatch)(ThreadVars *, /**< thread local vars */ + DetectEngineThreadCtx *, + Flow *, /**< *LOCKED* flow */ + uint8_t flags, File *, Signature *, SigMatch *); + /** app layer proto from app-layer-protos.h this match applies to */ uint16_t alproto;