/* Copyright (C) 2007-2011 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */
/**
 * \file
 *
 * \author Victor Julien <victor@inliniac.net>
 *
 * Declarations for the "filestore" detection keyword: the direction and
 * scope constants that select which files of a flow get marked for
 * storage, the struct holding the parsed keyword options, and the
 * keyword's registration and post-match entry points.
 */
#ifndef __DETECT_FILESTORE_H__
#define __DETECT_FILESTORE_H__
/* Direction option of the filestore keyword (filestore:<direction>,<scope>;):
 * which side's files a match marks for storage.  Presumably the values of
 * DetectFilestoreData.direction. */
#define FILESTORE_DIR_DEFAULT 0 /* no option given: same direction as the rule match */

#define FILESTORE_DIR_TOSERVER 1 /* "request" / "to_server": files sent by the client */

#define FILESTORE_DIR_TOCLIENT 2 /* "response" / "to_client": files sent by the server */

#define FILESTORE_DIR_BOTH 3 /* "both": files in either direction */


/* Scope option of the filestore keyword: how many files one match marks.
 * Presumably the values of DetectFilestoreData.scope.
 * NOTE(review): the wider scopes mark every file of the transaction or of
 * the whole flow, not only the file being inspected, so one suspicious
 * request can cause many files to be written to disk.  Rules using them
 * should be paired with file size / count limits configured elsewhere --
 * confirm how these scopes are applied in detect-filestore.c. */
#define FILESTORE_SCOPE_DEFAULT 0 /* no option given: only the file currently inspected */

#define FILESTORE_SCOPE_TX 1 /* "tx": all files of the current transaction */

#define FILESTORE_SCOPE_SSN 2 /* "ssn" / "flow": all files of the session/flow */
/**
 * \brief Parsed options of one "filestore" keyword instance.
 *
 * Both fields are small enumerated values; the FILESTORE_DIR_* and
 * FILESTORE_SCOPE_* macros above are the intended contents (by name --
 * the parser lives in detect-filestore.c).
 */
typedef struct DetectFilestoreData_ {
    int16_t direction; /**< FILESTORE_DIR_*: which side's files to store; 0 = rule's own direction */
    int16_t scope;     /**< FILESTORE_SCOPE_*: how many files one match marks; 0 = inspected file only */
} DetectFilestoreData;
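/* prototypes */

/**
 * \brief Register the "filestore" keyword with the detection engine.
 */
void DetectFilestoreRegister (void);

/**
 * \brief Post-match hook of the filestore keyword.
 *
 * Runs after signature \a s has matched on packet \a p; presumably marks
 * the file(s) selected by the signature's DetectFilestoreData (direction
 * and scope) for storage -- see detect-filestore.c for the exact rules.
 *
 * \param t       thread vars of the calling detection thread
 * \param det_ctx detection engine thread context
 * \param p       packet on which the signature matched
 * \param s       signature that matched
 *
 * \return int status of the hook; value semantics are defined by the
 *         implementation in detect-filestore.c
 */
int DetectFilestorePostMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s);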
#endif /* __DETECT_FILESTORE_H__ */