|
|
|
|
/* Copyright (C) 2007-2012 Open Information Security Foundation
|
|
|
|
|
*
|
|
|
|
|
* You can copy, redistribute or modify this Program under the terms of
|
|
|
|
|
* the GNU General Public License version 2 as published by the Free
|
|
|
|
|
* Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* version 2 along with this program; if not, write to the Free Software
|
|
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
|
|
|
|
* 02110-1301, USA.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \file
|
|
|
|
|
*
|
|
|
|
|
* \author Victor Julien <victor@inliniac.net>
|
|
|
|
|
*
|
|
|
|
|
* Implements the filestore keyword
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include "suricata-common.h"
|
|
|
|
|
#include "threads.h"
|
|
|
|
|
#include "debug.h"
|
|
|
|
|
#include "decode.h"
|
|
|
|
|
|
|
|
|
|
#include "detect.h"
|
|
|
|
|
#include "detect-parse.h"
|
|
|
|
|
|
|
|
|
|
#include "detect-engine.h"
|
|
|
|
|
#include "detect-engine-mpm.h"
|
|
|
|
|
#include "detect-engine-state.h"
|
|
|
|
|
|
|
|
|
|
#include "flow.h"
|
|
|
|
|
#include "flow-var.h"
|
|
|
|
|
#include "flow-util.h"
|
|
|
|
|
|
|
|
|
|
#include "util-debug.h"
|
|
|
|
|
#include "util-spm-bm.h"
|
|
|
|
|
#include "util-unittest.h"
|
|
|
|
|
#include "util-unittest-helper.h"
|
|
|
|
|
|
|
|
|
|
#include "app-layer.h"
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
#include "app-layer-parser.h"
|
|
|
|
|
|
|
|
|
|
#include "stream-tcp.h"
|
|
|
|
|
|
|
|
|
|
#include "detect-filestore.h"
|
|
|
|
|
|
file handling: expand filestore keyword
Filestore keyword by default (... filestore; ... ) marks only the file in the
same direction as the rule match for storing. This makes sense when inspecting
individual files (filemagic, filename, etc) but not so much when looking at
suspicious file requests, where the actual file is in the response.
The filestore keyword now takes 2 optional options:
filestore:<direction>,<scope>;
By default the direction is "same as rule match", and scope is "currently
inspected file".
For direction the following values are possible: "request" and "to_server",
"response" and "to_client", "both".
For scope the following values are possible: "tx" for all files in the current
HTTP/1.1 transation, "ssn" and "flow" for all files in the session/flow.
For the above case, where a suspious request should lead to a response file
download, this would work:
alert http ... content:"/suspicious/"; http_uri; filestore:response; ...
14 years ago
|
|
|
/**
|
|
|
|
|
* \brief Regex for parsing our flow options
|
|
|
|
|
*/
|
|
|
|
|
#define PARSE_REGEX "^\\s*([A-z_]+)\\s*(?:,\\s*([A-z_]+))?\\s*(?:,\\s*([A-z_]+))?\\s*$"
|
|
|
|
|
|
|
|
|
|
static pcre *parse_regex;
|
|
|
|
|
static pcre_extra *parse_regex_study;
|
|
|
|
|
|
|
|
|
|
static int DetectFilestoreMatch (ThreadVars *, DetectEngineThreadCtx *,
|
|
|
|
|
Flow *, uint8_t, File *, Signature *, SigMatch *);
|
|
|
|
|
static int DetectFilestoreSetup (DetectEngineCtx *, Signature *, char *);
|
|
|
|
|
static void DetectFilestoreFree(void *);
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief Registration function for keyword: filestore
|
|
|
|
|
*/
|
|
|
|
|
void DetectFilestoreRegister(void)
|
|
|
|
|
{
|
|
|
|
|
sigmatch_table[DETECT_FILESTORE].name = "filestore";
|
|
|
|
|
sigmatch_table[DETECT_FILESTORE].desc = "stores files to disk if the rule matched";
|
|
|
|
|
sigmatch_table[DETECT_FILESTORE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File-keywords#filestore";
|
|
|
|
|
sigmatch_table[DETECT_FILESTORE].FileMatch = DetectFilestoreMatch;
|
|
|
|
|
sigmatch_table[DETECT_FILESTORE].alproto = ALPROTO_HTTP;
|
|
|
|
|
sigmatch_table[DETECT_FILESTORE].Setup = DetectFilestoreSetup;
|
|
|
|
|
sigmatch_table[DETECT_FILESTORE].Free = DetectFilestoreFree;
|
|
|
|
|
sigmatch_table[DETECT_FILESTORE].RegisterTests = NULL;
|
|
|
|
|
sigmatch_table[DETECT_FILESTORE].flags = SIGMATCH_NOOPT;
|
|
|
|
|
|
file handling: expand filestore keyword
Filestore keyword by default (... filestore; ... ) marks only the file in the
same direction as the rule match for storing. This makes sense when inspecting
individual files (filemagic, filename, etc) but not so much when looking at
suspicious file requests, where the actual file is in the response.
The filestore keyword now takes 2 optional options:
filestore:<direction>,<scope>;
By default the direction is "same as rule match", and scope is "currently
inspected file".
For direction the following values are possible: "request" and "to_server",
"response" and "to_client", "both".
For scope the following values are possible: "tx" for all files in the current
HTTP/1.1 transation, "ssn" and "flow" for all files in the session/flow.
For the above case, where a suspious request should lead to a response file
download, this would work:
alert http ... content:"/suspicious/"; http_uri; filestore:response; ...
14 years ago
|
|
|
const char *eb;
|
|
|
|
|
int eo;
|
|
|
|
|
int opts = 0;
|
|
|
|
|
|
|
|
|
|
parse_regex = pcre_compile(PARSE_REGEX, opts, &eb, &eo, NULL);
|
|
|
|
|
if(parse_regex == NULL)
|
|
|
|
|
{
|
|
|
|
|
SCLogError(SC_ERR_PCRE_COMPILE, "pcre compile of \"%s\" failed at offset %" PRId32 ": %s", PARSE_REGEX, eo, eb);
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
parse_regex_study = pcre_study(parse_regex, 0, &eb);
|
|
|
|
|
if(eb != NULL)
|
|
|
|
|
{
|
|
|
|
|
SCLogError(SC_ERR_PCRE_STUDY, "pcre study failed: %s", eb);
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
|
|
|
|
SCLogDebug("registering filestore rule option");
|
|
|
|
|
return;
|
file handling: expand filestore keyword
Filestore keyword by default (... filestore; ... ) marks only the file in the
same direction as the rule match for storing. This makes sense when inspecting
individual files (filemagic, filename, etc) but not so much when looking at
suspicious file requests, where the actual file is in the response.
The filestore keyword now takes 2 optional options:
filestore:<direction>,<scope>;
By default the direction is "same as rule match", and scope is "currently
inspected file".
For direction the following values are possible: "request" and "to_server",
"response" and "to_client", "both".
For scope the following values are possible: "tx" for all files in the current
HTTP/1.1 transation, "ssn" and "flow" for all files in the session/flow.
For the above case, where a suspious request should lead to a response file
download, this would work:
alert http ... content:"/suspicious/"; http_uri; filestore:response; ...
14 years ago
|
|
|
error:
|
|
|
|
|
/* XXX */
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief apply the post match filestore with options
|
|
|
|
|
*/
|
|
|
|
|
static int FilestorePostMatchWithOptions(Packet *p, Flow *f, DetectFilestoreData *filestore, FileContainer *fc,
|
|
|
|
|
uint16_t file_id, uint16_t tx_id)
|
|
|
|
|
{
|
|
|
|
|
if (filestore == NULL) {
|
|
|
|
|
SCReturnInt(0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int this_file = 0;
|
|
|
|
|
int this_tx = 0;
|
|
|
|
|
int this_flow = 0;
|
|
|
|
|
int rule_dir = 0;
|
|
|
|
|
int toserver_dir = 0;
|
|
|
|
|
int toclient_dir = 0;
|
|
|
|
|
|
|
|
|
|
switch (filestore->direction) {
|
|
|
|
|
case FILESTORE_DIR_DEFAULT:
|
|
|
|
|
rule_dir = 1;
|
|
|
|
|
break;
|
|
|
|
|
case FILESTORE_DIR_BOTH:
|
|
|
|
|
toserver_dir = 1;
|
|
|
|
|
toclient_dir = 1;
|
|
|
|
|
break;
|
|
|
|
|
case FILESTORE_DIR_TOSERVER:
|
|
|
|
|
toserver_dir = 1;
|
|
|
|
|
break;
|
|
|
|
|
case FILESTORE_DIR_TOCLIENT:
|
|
|
|
|
toclient_dir = 1;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
switch (filestore->scope) {
|
|
|
|
|
case FILESTORE_SCOPE_DEFAULT:
|
|
|
|
|
if (rule_dir) {
|
|
|
|
|
this_file = 1;
|
|
|
|
|
} else if ((p->flowflags & FLOW_PKT_TOCLIENT) && toclient_dir) {
|
|
|
|
|
this_file = 1;
|
|
|
|
|
} else if ((p->flowflags & FLOW_PKT_TOSERVER) && toserver_dir) {
|
|
|
|
|
this_file = 1;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case FILESTORE_SCOPE_TX:
|
|
|
|
|
this_tx = 1;
|
|
|
|
|
break;
|
|
|
|
|
case FILESTORE_SCOPE_SSN:
|
|
|
|
|
this_flow = 1;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (this_file) {
|
|
|
|
|
FileStoreFileById(fc, file_id);
|
|
|
|
|
} else if (this_tx) {
|
|
|
|
|
/* flag tx all files will be stored */
|
|
|
|
|
if (f->alproto == ALPROTO_HTTP && f->alstate != NULL) {
|
|
|
|
|
HtpState *htp_state = f->alstate;
|
|
|
|
|
if (toserver_dir) {
|
|
|
|
|
htp_state->flags |= HTP_FLAG_STORE_FILES_TX_TS;
|
|
|
|
|
FileStoreAllFilesForTx(htp_state->files_ts, tx_id);
|
|
|
|
|
}
|
|
|
|
|
if (toclient_dir) {
|
|
|
|
|
htp_state->flags |= HTP_FLAG_STORE_FILES_TX_TC;
|
|
|
|
|
FileStoreAllFilesForTx(htp_state->files_tc, tx_id);
|
|
|
|
|
}
|
|
|
|
|
htp_state->store_tx_id = tx_id;
|
|
|
|
|
}
|
|
|
|
|
} else if (this_flow) {
|
|
|
|
|
/* flag flow all files will be stored */
|
|
|
|
|
if (f->alproto == ALPROTO_HTTP && f->alstate != NULL) {
|
|
|
|
|
HtpState *htp_state = f->alstate;
|
|
|
|
|
if (toserver_dir) {
|
|
|
|
|
htp_state->flags |= HTP_FLAG_STORE_FILES_TS;
|
|
|
|
|
FileStoreAllFiles(htp_state->files_ts);
|
|
|
|
|
}
|
|
|
|
|
if (toclient_dir) {
|
|
|
|
|
htp_state->flags |= HTP_FLAG_STORE_FILES_TC;
|
|
|
|
|
FileStoreAllFiles(htp_state->files_tc);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
FileStoreFileById(fc, file_id);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SCReturnInt(0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief post-match function for filestore
|
|
|
|
|
*
|
|
|
|
|
* \param t thread local vars
|
|
|
|
|
* \param det_ctx pattern matcher thread local data
|
|
|
|
|
* \param p packet
|
|
|
|
|
*
|
|
|
|
|
* The match function for filestore records store candidates in the det_ctx.
|
|
|
|
|
* When we are sure all parts of the signature matched, we run this function
|
|
|
|
|
* to finalize the filestore.
|
|
|
|
|
*/
|
|
|
|
|
int DetectFilestorePostMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s)
|
|
|
|
|
{
|
|
|
|
|
uint8_t flags = 0;
|
|
|
|
|
|
|
|
|
|
SCEnter();
|
|
|
|
|
|
|
|
|
|
if (det_ctx->filestore_cnt == 0) {
|
|
|
|
|
SCReturnInt(0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (s->filestore_sm == NULL || p->flow == NULL) {
|
|
|
|
|
#ifndef DEBUG
|
|
|
|
|
SCReturnInt(0);
|
|
|
|
|
#else
|
|
|
|
|
BUG_ON(1);
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (p->flowflags & FLOW_PKT_TOCLIENT)
|
|
|
|
|
flags |= STREAM_TOCLIENT;
|
|
|
|
|
else
|
|
|
|
|
flags |= STREAM_TOSERVER;
|
|
|
|
|
|
|
|
|
|
FLOWLOCK_WRLOCK(p->flow);
|
|
|
|
|
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
FileContainer *ffc = AppLayerParserGetFiles(p->flow->proto, p->flow->alproto,
|
|
|
|
|
p->flow->alstate, flags);
|
|
|
|
|
|
|
|
|
|
/* filestore for single files only */
|
|
|
|
|
if (s->filestore_sm->ctx == NULL) {
|
|
|
|
|
uint16_t u;
|
|
|
|
|
for (u = 0; u < det_ctx->filestore_cnt; u++) {
|
|
|
|
|
FileStoreFileById(ffc, det_ctx->filestore[u].file_id);
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
DetectFilestoreData *filestore = s->filestore_sm->ctx;
|
|
|
|
|
uint16_t u;
|
|
|
|
|
|
|
|
|
|
for (u = 0; u < det_ctx->filestore_cnt; u++) {
|
|
|
|
|
FilestorePostMatchWithOptions(p, p->flow, filestore, ffc,
|
|
|
|
|
det_ctx->filestore[u].file_id, det_ctx->filestore[u].tx_id);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
FLOWLOCK_UNLOCK(p->flow);
|
|
|
|
|
SCReturnInt(0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief match the specified filestore
|
|
|
|
|
*
|
|
|
|
|
* \param t thread local vars
|
|
|
|
|
* \param det_ctx pattern matcher thread local data
|
|
|
|
|
* \param f *LOCKED* flow
|
|
|
|
|
* \param flags direction flags
|
|
|
|
|
* \param file file being inspected
|
|
|
|
|
* \param s signature being inspected
|
|
|
|
|
* \param m sigmatch that we will cast into DetectFilestoreData
|
|
|
|
|
*
|
|
|
|
|
* \retval 0 no match
|
|
|
|
|
* \retval 1 match
|
file handling: expand filestore keyword
Filestore keyword by default (... filestore; ... ) marks only the file in the
same direction as the rule match for storing. This makes sense when inspecting
individual files (filemagic, filename, etc) but not so much when looking at
suspicious file requests, where the actual file is in the response.
The filestore keyword now takes 2 optional options:
filestore:<direction>,<scope>;
By default the direction is "same as rule match", and scope is "currently
inspected file".
For direction the following values are possible: "request" and "to_server",
"response" and "to_client", "both".
For scope the following values are possible: "tx" for all files in the current
HTTP/1.1 transation, "ssn" and "flow" for all files in the session/flow.
For the above case, where a suspious request should lead to a response file
download, this would work:
alert http ... content:"/suspicious/"; http_uri; filestore:response; ...
14 years ago
|
|
|
*
|
|
|
|
|
* \todo when we start supporting more protocols, the logic in this function
|
|
|
|
|
* needs to be put behind a api.
|
|
|
|
|
*/
|
|
|
|
|
static int DetectFilestoreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
|
|
|
|
|
uint8_t flags, File *file, Signature *s, SigMatch *m)
|
|
|
|
|
{
|
|
|
|
|
uint16_t file_id = 0;
|
|
|
|
|
|
|
|
|
|
SCEnter();
|
|
|
|
|
|
|
|
|
|
if (det_ctx->filestore_cnt >= DETECT_FILESTORE_MAX) {
|
|
|
|
|
SCReturnInt(1);
|
|
|
|
|
}
|
file handling: expand filestore keyword
Filestore keyword by default (... filestore; ... ) marks only the file in the
same direction as the rule match for storing. This makes sense when inspecting
individual files (filemagic, filename, etc) but not so much when looking at
suspicious file requests, where the actual file is in the response.
The filestore keyword now takes 2 optional options:
filestore:<direction>,<scope>;
By default the direction is "same as rule match", and scope is "currently
inspected file".
For direction the following values are possible: "request" and "to_server",
"response" and "to_client", "both".
For scope the following values are possible: "tx" for all files in the current
HTTP/1.1 transation, "ssn" and "flow" for all files in the session/flow.
For the above case, where a suspious request should lead to a response file
download, this would work:
alert http ... content:"/suspicious/"; http_uri; filestore:response; ...
14 years ago
|
|
|
|
|
|
|
|
/* file can be NULL when a rule with filestore scope > file
|
|
|
|
|
* matches. */
|
|
|
|
|
if (file != NULL) {
|
|
|
|
|
file_id = file->file_id;
|
|
|
|
|
}
|
file handling: expand filestore keyword
Filestore keyword by default (... filestore; ... ) marks only the file in the
same direction as the rule match for storing. This makes sense when inspecting
individual files (filemagic, filename, etc) but not so much when looking at
suspicious file requests, where the actual file is in the response.
The filestore keyword now takes 2 optional options:
filestore:<direction>,<scope>;
By default the direction is "same as rule match", and scope is "currently
inspected file".
For direction the following values are possible: "request" and "to_server",
"response" and "to_client", "both".
For scope the following values are possible: "tx" for all files in the current
HTTP/1.1 transation, "ssn" and "flow" for all files in the session/flow.
For the above case, where a suspious request should lead to a response file
download, this would work:
alert http ... content:"/suspicious/"; http_uri; filestore:response; ...
14 years ago
|
|
|
|
|
|
|
|
det_ctx->filestore[det_ctx->filestore_cnt].file_id = file_id;
|
|
|
|
|
det_ctx->filestore[det_ctx->filestore_cnt].tx_id = det_ctx->tx_id;
|
file handling: expand filestore keyword
Filestore keyword by default (... filestore; ... ) marks only the file in the
same direction as the rule match for storing. This makes sense when inspecting
individual files (filemagic, filename, etc) but not so much when looking at
suspicious file requests, where the actual file is in the response.
The filestore keyword now takes 2 optional options:
filestore:<direction>,<scope>;
By default the direction is "same as rule match", and scope is "currently
inspected file".
For direction the following values are possible: "request" and "to_server",
"response" and "to_client", "both".
For scope the following values are possible: "tx" for all files in the current
HTTP/1.1 transation, "ssn" and "flow" for all files in the session/flow.
For the above case, where a suspious request should lead to a response file
download, this would work:
alert http ... content:"/suspicious/"; http_uri; filestore:response; ...
14 years ago
|
|
|
|
|
|
|
|
SCLogDebug("%u, file %u, tx %"PRIu64, det_ctx->filestore_cnt,
|
|
|
|
|
det_ctx->filestore[det_ctx->filestore_cnt].file_id,
|
|
|
|
|
det_ctx->filestore[det_ctx->filestore_cnt].tx_id);
|
|
|
|
|
|
|
|
|
|
det_ctx->filestore_cnt++;
|
|
|
|
|
SCReturnInt(1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief this function is used to parse filestore options
|
|
|
|
|
* \brief into the current signature
|
|
|
|
|
*
|
|
|
|
|
* \param de_ctx pointer to the Detection Engine Context
|
|
|
|
|
* \param s pointer to the Current Signature
|
|
|
|
|
* \param str pointer to the user provided "filestore" option
|
|
|
|
|
*
|
|
|
|
|
* \retval 0 on Success
|
|
|
|
|
* \retval -1 on Failure
|
|
|
|
|
*/
|
|
|
|
|
static int DetectFilestoreSetup (DetectEngineCtx *de_ctx, Signature *s, char *str)
|
|
|
|
|
{
|
file handling: expand filestore keyword
Filestore keyword by default (... filestore; ... ) marks only the file in the
same direction as the rule match for storing. This makes sense when inspecting
individual files (filemagic, filename, etc) but not so much when looking at
suspicious file requests, where the actual file is in the response.
The filestore keyword now takes 2 optional options:
filestore:<direction>,<scope>;
By default the direction is "same as rule match", and scope is "currently
inspected file".
For direction the following values are possible: "request" and "to_server",
"response" and "to_client", "both".
For scope the following values are possible: "tx" for all files in the current
HTTP/1.1 transation, "ssn" and "flow" for all files in the session/flow.
For the above case, where a suspious request should lead to a response file
download, this would work:
alert http ... content:"/suspicious/"; http_uri; filestore:response; ...
14 years ago
|
|
|
SCEnter();
|
|
|
|
|
|
|
|
|
|
DetectFilestoreData *fd = NULL;
|
|
|
|
|
SigMatch *sm = NULL;
|
file handling: expand filestore keyword
Filestore keyword by default (... filestore; ... ) marks only the file in the
same direction as the rule match for storing. This makes sense when inspecting
individual files (filemagic, filename, etc) but not so much when looking at
suspicious file requests, where the actual file is in the response.
The filestore keyword now takes 2 optional options:
filestore:<direction>,<scope>;
By default the direction is "same as rule match", and scope is "currently
inspected file".
For direction the following values are possible: "request" and "to_server",
"response" and "to_client", "both".
For scope the following values are possible: "tx" for all files in the current
HTTP/1.1 transation, "ssn" and "flow" for all files in the session/flow.
For the above case, where a suspious request should lead to a response file
download, this would work:
alert http ... content:"/suspicious/"; http_uri; filestore:response; ...
14 years ago
|
|
|
char *args[3] = {NULL,NULL,NULL};
|
|
|
|
|
#define MAX_SUBSTRINGS 30
|
|
|
|
|
int ret = 0, res = 0;
|
|
|
|
|
int ov[MAX_SUBSTRINGS];
|
|
|
|
|
|
|
|
|
|
sm = SigMatchAlloc();
|
|
|
|
|
if (sm == NULL)
|
|
|
|
|
goto error;
|
|
|
|
|
|
|
|
|
|
sm->type = DETECT_FILESTORE;
|
file handling: expand filestore keyword
Filestore keyword by default (... filestore; ... ) marks only the file in the
same direction as the rule match for storing. This makes sense when inspecting
individual files (filemagic, filename, etc) but not so much when looking at
suspicious file requests, where the actual file is in the response.
The filestore keyword now takes 2 optional options:
filestore:<direction>,<scope>;
By default the direction is "same as rule match", and scope is "currently
inspected file".
For direction the following values are possible: "request" and "to_server",
"response" and "to_client", "both".
For scope the following values are possible: "tx" for all files in the current
HTTP/1.1 transation, "ssn" and "flow" for all files in the session/flow.
For the above case, where a suspious request should lead to a response file
download, this would work:
alert http ... content:"/suspicious/"; http_uri; filestore:response; ...
14 years ago
|
|
|
|
|
|
|
|
if (str != NULL && strlen(str) > 0) {
|
|
|
|
|
SCLogDebug("str %s", str);
|
|
|
|
|
|
|
|
|
|
ret = pcre_exec(parse_regex, parse_regex_study, str, strlen(str), 0, 0, ov, MAX_SUBSTRINGS);
|
|
|
|
|
if (ret < 1 || ret > 4) {
|
|
|
|
|
SCLogError(SC_ERR_PCRE_MATCH, "parse error, ret %" PRId32 ", string %s", ret, str);
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ret > 1) {
|
|
|
|
|
const char *str_ptr;
|
|
|
|
|
res = pcre_get_substring((char *)str, ov, MAX_SUBSTRINGS, 1, &str_ptr);
|
|
|
|
|
if (res < 0) {
|
|
|
|
|
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
|
|
|
|
args[0] = (char *)str_ptr;
|
|
|
|
|
|
|
|
|
|
if (ret > 2) {
|
|
|
|
|
res = pcre_get_substring((char *)str, ov, MAX_SUBSTRINGS, 2, &str_ptr);
|
|
|
|
|
if (res < 0) {
|
|
|
|
|
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
|
|
|
|
args[1] = (char *)str_ptr;
|
|
|
|
|
}
|
|
|
|
|
if (ret > 3) {
|
|
|
|
|
res = pcre_get_substring((char *)str, ov, MAX_SUBSTRINGS, 3, &str_ptr);
|
|
|
|
|
if (res < 0) {
|
|
|
|
|
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
|
|
|
|
args[2] = (char *)str_ptr;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fd = SCMalloc(sizeof(DetectFilestoreData));
|
|
|
|
|
if (unlikely(fd == NULL))
|
file handling: expand filestore keyword
Filestore keyword by default (... filestore; ... ) marks only the file in the
same direction as the rule match for storing. This makes sense when inspecting
individual files (filemagic, filename, etc) but not so much when looking at
suspicious file requests, where the actual file is in the response.
The filestore keyword now takes 2 optional options:
filestore:<direction>,<scope>;
By default the direction is "same as rule match", and scope is "currently
inspected file".
For direction the following values are possible: "request" and "to_server",
"response" and "to_client", "both".
For scope the following values are possible: "tx" for all files in the current
HTTP/1.1 transation, "ssn" and "flow" for all files in the session/flow.
For the above case, where a suspious request should lead to a response file
download, this would work:
alert http ... content:"/suspicious/"; http_uri; filestore:response; ...
14 years ago
|
|
|
goto error;
|
|
|
|
|
memset(fd, 0x00, sizeof(DetectFilestoreData));
|
|
|
|
|
|
|
|
|
|
if (args[0] != NULL) {
|
|
|
|
|
SCLogDebug("first arg %s", args[0]);
|
|
|
|
|
|
|
|
|
|
if (strcasecmp(args[0], "request") == 0 ||
|
|
|
|
|
strcasecmp(args[0], "to_server") == 0)
|
|
|
|
|
{
|
|
|
|
|
fd->direction = FILESTORE_DIR_TOSERVER;
|
|
|
|
|
fd->scope = FILESTORE_SCOPE_TX;
|
|
|
|
|
}
|
|
|
|
|
else if (strcasecmp(args[0], "response") == 0 ||
|
|
|
|
|
strcasecmp(args[0], "to_client") == 0)
|
|
|
|
|
{
|
|
|
|
|
fd->direction = FILESTORE_DIR_TOCLIENT;
|
|
|
|
|
fd->scope = FILESTORE_SCOPE_TX;
|
|
|
|
|
}
|
|
|
|
|
else if (strcasecmp(args[0], "both") == 0)
|
|
|
|
|
{
|
|
|
|
|
fd->direction = FILESTORE_DIR_BOTH;
|
|
|
|
|
fd->scope = FILESTORE_SCOPE_TX;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
fd->direction = FILESTORE_DIR_DEFAULT;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (args[1] != NULL) {
|
|
|
|
|
SCLogDebug("second arg %s", args[1]);
|
|
|
|
|
|
|
|
|
|
if (strcasecmp(args[1], "file") == 0)
|
|
|
|
|
{
|
|
|
|
|
fd->scope = FILESTORE_SCOPE_DEFAULT;
|
|
|
|
|
} else if (strcasecmp(args[1], "tx") == 0)
|
|
|
|
|
{
|
|
|
|
|
fd->scope = FILESTORE_SCOPE_TX;
|
|
|
|
|
} else if (strcasecmp(args[1], "ssn") == 0 ||
|
|
|
|
|
strcasecmp(args[1], "flow") == 0)
|
|
|
|
|
{
|
|
|
|
|
fd->scope = FILESTORE_SCOPE_SSN;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
if (fd->scope == 0)
|
|
|
|
|
fd->scope = FILESTORE_SCOPE_DEFAULT;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sm->ctx = fd;
|
|
|
|
|
} else {
|
|
|
|
|
sm->ctx = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_FILEMATCH);
|
|
|
|
|
s->filestore_sm = sm;
|
|
|
|
|
|
|
|
|
|
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
|
|
|
|
|
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
AppLayerHtpNeedFileInspection();
|
|
|
|
|
|
|
|
|
|
s->alproto = ALPROTO_HTTP;
|
|
|
|
|
|
|
|
|
|
s->flags |= SIG_FLAG_FILESTORE;
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
error:
|
|
|
|
|
if (sm != NULL)
|
|
|
|
|
SCFree(sm);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void DetectFilestoreFree(void *ptr)
|
|
|
|
|
{
|
|
|
|
|
if (ptr != NULL) {
|
|
|
|
|
SCFree(ptr);
|
|
|
|
|
}
|
|
|
|
|
}
|
