|
|
|
|
/* Copyright (C) 2007-2011 Open Information Security Foundation
|
|
|
|
|
*
|
|
|
|
|
* You can copy, redistribute or modify this Program under the terms of
|
|
|
|
|
* the GNU General Public License version 2 as published by the Free
|
|
|
|
|
* Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* version 2 along with this program; if not, write to the Free Software
|
|
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
|
|
|
|
* 02110-1301, USA.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \file
|
|
|
|
|
*
|
|
|
|
|
* \author Victor Julien <victor@inliniac.net>
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#ifndef __UTIL_FILE_H__
|
|
|
|
|
#define __UTIL_FILE_H__
|
|
|
|
|
|
|
|
|
|
#ifdef HAVE_NSS
|
|
|
|
|
#include <sechash.h>
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#include "util-streaming-buffer.h"
|
|
|
|
|
|
|
|
|
|
#define FILE_TRUNCATED 0x0001
|
|
|
|
|
#define FILE_NOMAGIC 0x0002
|
|
|
|
|
#define FILE_NOMD5 0x0004
|
|
|
|
|
#define FILE_MD5 0x0008
|
|
|
|
|
#define FILE_LOGGED 0x0010
|
|
|
|
|
#define FILE_NOSTORE 0x0020
|
|
|
|
|
#define FILE_STORE 0x0040
|
|
|
|
|
#define FILE_STORED 0x0080
|
|
|
|
|
#define FILE_NOTRACK 0x0100 /**< track size of file */
|
|
|
|
|
#define FILE_USE_DETECT 0x0200 /**< use content_inspected tracker */
|
|
|
|
|
|
|
|
|
|
typedef enum FileState_ {
|
|
|
|
|
FILE_STATE_NONE = 0, /**< no state */
|
|
|
|
|
FILE_STATE_OPENED, /**< flow file is opened */
|
|
|
|
|
FILE_STATE_CLOSED, /**< flow file is completed,
|
|
|
|
|
there will be no more data. */
|
|
|
|
|
FILE_STATE_TRUNCATED, /**< flow file is not complete, but
|
|
|
|
|
there will be no more data. */
|
|
|
|
|
FILE_STATE_ERROR, /**< file is in an error state */
|
|
|
|
|
FILE_STATE_MAX
|
|
|
|
|
} FileState;
|
|
|
|
|
|
|
|
|
|
typedef struct File_ {
|
|
|
|
|
uint16_t flags;
|
|
|
|
|
uint16_t name_len;
|
|
|
|
|
int16_t state;
|
|
|
|
|
StreamingBuffer *sb;
|
|
|
|
|
uint64_t txid; /**< tx this file is part of */
|
|
|
|
|
uint32_t file_id;
|
|
|
|
|
uint8_t *name;
|
|
|
|
|
char *magic;
|
|
|
|
|
struct File_ *next;
|
|
|
|
|
#ifdef HAVE_NSS
|
|
|
|
|
HASHContext *md5_ctx;
|
|
|
|
|
uint8_t md5[MD5_LENGTH];
|
|
|
|
|
#endif
|
|
|
|
|
uint64_t content_inspected; /**< used in pruning if FILE_USE_DETECT
|
|
|
|
|
* flag is set */
|
|
|
|
|
uint64_t content_stored;
|
|
|
|
|
} File;
|
|
|
|
|
|
|
|
|
|
typedef struct FileContainer_ {
|
|
|
|
|
File *head;
|
|
|
|
|
File *tail;
|
|
|
|
|
} FileContainer;
|
|
|
|
|
|
|
|
|
|
FileContainer *FileContainerAlloc();
|
|
|
|
|
void FileContainerFree(FileContainer *);
|
|
|
|
|
|
|
|
|
|
void FileContainerRecycle(FileContainer *);
|
|
|
|
|
|
|
|
|
|
void FileContainerAdd(FileContainer *, File *);
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief Open a new File
|
|
|
|
|
*
|
|
|
|
|
* \param ffc flow container
|
|
|
|
|
* \param sbcfg buffer config
|
|
|
|
|
* \param name filename character array
|
|
|
|
|
* \param name_len filename len
|
|
|
|
|
* \param data initial data
|
|
|
|
|
* \param data_len initial data len
|
|
|
|
|
* \param flags open flags
|
|
|
|
|
*
|
|
|
|
|
* \retval ff flowfile object
|
|
|
|
|
*
|
|
|
|
|
* \note filename is not a string, so it's not nul terminated.
|
|
|
|
|
*
|
|
|
|
|
* If flags contains the FILE_USE_DETECT bit, the pruning code will
|
|
|
|
|
* consider not just the content_stored tracker, but also content_inspected.
|
|
|
|
|
* It's the responsibility of the API user to make sure this tracker is
|
|
|
|
|
* properly updated.
|
|
|
|
|
*/
|
|
|
|
|
File *FileOpenFile(FileContainer *, const StreamingBufferConfig *,
|
|
|
|
|
const uint8_t *name, uint16_t name_len,
|
|
|
|
|
const uint8_t *data, uint32_t data_len, uint16_t flags);
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief Close a File
|
|
|
|
|
*
|
|
|
|
|
* \param ffc the container
|
|
|
|
|
* \param data final data if any
|
|
|
|
|
* \param data_len data len if any
|
|
|
|
|
* \param flags flags
|
|
|
|
|
*
|
|
|
|
|
* \retval 0 ok
|
|
|
|
|
* \retval -1 error
|
|
|
|
|
*/
|
|
|
|
|
int FileCloseFile(FileContainer *, const uint8_t *data, uint32_t data_len,
|
|
|
|
|
uint16_t flags);
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief Store a chunk of file data in the flow. The open "flowfile"
|
|
|
|
|
* will be used.
|
|
|
|
|
*
|
|
|
|
|
* \param ffc the container
|
|
|
|
|
* \param data data chunk
|
|
|
|
|
* \param data_len data chunk len
|
|
|
|
|
*
|
|
|
|
|
* \retval 0 ok
|
|
|
|
|
* \retval -1 error
|
|
|
|
|
*/
|
|
|
|
|
int FileAppendData(FileContainer *, const uint8_t *data, uint32_t data_len);
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief Tag a file for storing
|
|
|
|
|
*
|
|
|
|
|
* \param ff The file to store
|
|
|
|
|
*/
|
|
|
|
|
int FileStore(File *);
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief Set the TX id for a file
|
|
|
|
|
*
|
|
|
|
|
* \param ff The file to store
|
|
|
|
|
* \param txid the tx id
|
|
|
|
|
*/
|
|
|
|
|
int FileSetTx(File *, uint64_t txid);
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief disable file storage for a flow
|
|
|
|
|
*
|
|
|
|
|
* \param f *LOCKED* flow
|
|
|
|
|
*/
|
|
|
|
|
void FileDisableStoring(struct Flow_ *, uint8_t);
|
|
|
|
|
|
|
|
|
|
void FileDisableFilesize(Flow *f, uint8_t direction);
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief disable file storing for a transaction
|
|
|
|
|
*
|
|
|
|
|
* \param f flow
|
|
|
|
|
* \param tx_id transaction id
|
|
|
|
|
*/
|
|
|
|
|
void FileDisableStoringForTransaction(Flow *f, uint8_t direction, uint64_t tx_id);
|
|
|
|
|
|
|
|
|
|
void FlowFileDisableStoringForTransaction(struct Flow_ *f, uint64_t tx_id);
|
|
|
|
|
void FilePrune(FileContainer *ffc);
|
|
|
|
|
|
|
|
|
|
void FileForceFilestoreEnable(void);
|
|
|
|
|
int FileForceFilestore(void);
|
|
|
|
|
|
|
|
|
|
void FileDisableMagic(Flow *f, uint8_t);
|
|
|
|
|
void FileForceMagicEnable(void);
|
|
|
|
|
int FileForceMagic(void);
|
|
|
|
|
|
|
|
|
|
void FileDisableMd5(Flow *f, uint8_t);
|
|
|
|
|
void FileForceMd5Enable(void);
|
|
|
|
|
int FileForceMd5(void);
|
|
|
|
|
|
|
|
|
|
void FileForceTrackingEnable(void);
|
|
|
|
|
|
file handling: expand filestore keyword
Filestore keyword by default (... filestore; ... ) marks only the file in the
same direction as the rule match for storing. This makes sense when inspecting
individual files (filemagic, filename, etc) but not so much when looking at
suspicious file requests, where the actual file is in the response.
The filestore keyword now takes 2 optional options:
filestore:<direction>,<scope>;
By default the direction is "same as rule match", and scope is "currently
inspected file".
For direction the following values are possible: "request" and "to_server",
"response" and "to_client", "both".
For scope the following values are possible: "tx" for all files in the current
HTTP/1.1 transation, "ssn" and "flow" for all files in the session/flow.
For the above case, where a suspious request should lead to a response file
download, this would work:
alert http ... content:"/suspicious/"; http_uri; filestore:response; ...
14 years ago
|
|
|
void FileStoreAllFiles(FileContainer *);
|
|
|
|
|
void FileStoreAllFilesForTx(FileContainer *, uint64_t);
|
|
|
|
|
void FileStoreFileById(FileContainer *fc, uint32_t);
|
file handling: expand filestore keyword
Filestore keyword by default (... filestore; ... ) marks only the file in the
same direction as the rule match for storing. This makes sense when inspecting
individual files (filemagic, filename, etc) but not so much when looking at
suspicious file requests, where the actual file is in the response.
The filestore keyword now takes 2 optional options:
filestore:<direction>,<scope>;
By default the direction is "same as rule match", and scope is "currently
inspected file".
For direction the following values are possible: "request" and "to_server",
"response" and "to_client", "both".
For scope the following values are possible: "tx" for all files in the current
HTTP/1.1 transation, "ssn" and "flow" for all files in the session/flow.
For the above case, where a suspious request should lead to a response file
download, this would work:
alert http ... content:"/suspicious/"; http_uri; filestore:response; ...
14 years ago
|
|
|
|
|
|
|
|
void FileTruncateAllOpenFiles(FileContainer *);
|
|
|
|
|
|
|
|
|
|
uint64_t FileSize(const File *file);
|
|
|
|
|
|
|
|
|
|
#endif /* __UTIL_FILE_H__ */
|
