file magic: don't disable inspecting magic for both directions if files in only one direction don't need magic.

14 years ago · 22349f863b
parent ba4613aef1
commit 22349f863b
3 changed files with 40 additions and 13 deletions
--- a/src/app-layer-htp-file.c
+++ b/src/app-layer-htp-file.c
@ -106,6 +106,15 @@ int HTPFileOpen(HtpState *s, uint8_t *filename, uint16_t filename_len,
                (s->flags & HTP_FLAG_STORE_FILES_TX_TS && txid == s->store_tx_id)) {
            flags |= FILE_STORE;
        }
+
+        if (s->f->flags & FLOW_FILE_NO_MAGIC_TC) {
+            SCLogDebug("no magic for this flow in toclient direction, so none for this file");
+            flags |= FILE_NOMAGIC;
+        }
+
+        if (!(flags & FILE_STORE) && s->f->flags & FLOW_FILE_NO_STORE_TC) {
+            flags |= FILE_NOSTORE;
+        }
    } else {
        if (s->files_ts == NULL) {
            s->files_ts = FileContainerAlloc();
@ -122,6 +131,14 @@ int HTPFileOpen(HtpState *s, uint8_t *filename, uint16_t filename_len,
                (s->flags & HTP_FLAG_STORE_FILES_TX_TC && txid == s->store_tx_id)) {
            flags |= FILE_STORE;
        }
+        if (s->f->flags & FLOW_FILE_NO_MAGIC_TS) {
+            SCLogDebug("no magic for this flow in toserver direction, so none for this file");
+            flags |= FILE_NOMAGIC;
+        }
+
+        if (!(flags & FILE_STORE) && s->f->flags & FLOW_FILE_NO_STORE_TS) {
+            flags |= FILE_NOSTORE;
+        }
    }

    /* if the previous file is in the same txid, we reset the file part of the
@ -149,13 +166,6 @@ int HTPFileOpen(HtpState *s, uint8_t *filename, uint16_t filename_len,
        }
    }

-    if (!(flags & FILE_STORE) && s->f->flags & FLOW_FILE_NO_STORE) {
-        flags |= FILE_NOSTORE;
-    }
-    if (s->f->flags & FLOW_FILE_NO_MAGIC) {
-        flags |= FILE_NOMAGIC;
-    }
-
    if (FileOpenFile(files, filename, filename_len,
                data, data_len, flags) == NULL)
    {
--- a/src/flow.h
+++ b/src/flow.h
@ -42,7 +42,11 @@
 /** At least on packet from the destination address was seen */
 #define FLOW_TO_DST_SEEN                  0x00000002

-// vacany 3x
+// vacany 1x
+
+/** no magic on files in this flow */
+#define FLOW_FILE_NO_MAGIC_TS             0x00000008
+#define FLOW_FILE_NO_MAGIC_TC             0x00000010

 /** Flow was inspected against IP-Only sigs in the toserver direction */
 #define FLOW_TOSERVER_IPONLY_SET          0x00000020
@ -86,9 +90,8 @@
 #define FLOW_TC_PM_PP_ALPROTO_DETECT_DONE 0x00400000
 #define FLOW_TIMEOUT_REASSEMBLY_DONE      0x00800000
 /** even if the flow has files, don't store 'm */
-#define FLOW_FILE_NO_STORE                0x01000000
-/** no magic on files in this flow */
-#define FLOW_FILE_NO_MAGIC                0x02000000
+#define FLOW_FILE_NO_STORE_TS             0x01000000
+#define FLOW_FILE_NO_STORE_TC             0x02000000

 /** flow is ipv4 */
 #define FLOW_IPV4                         0x04000000
--- a/src/util-file.c
+++ b/src/util-file.c
@ -27,6 +27,7 @@
 #include "suricata.h"
 #include "debug.h"
 #include "flow.h"
+#include "stream.h"
 #include "util-hash.h"
 #include "util-debug.h"
 #include "util-memcmp.h"
@ -126,6 +127,10 @@ static void FilePruneFile(File *file) {
        /* need magic but haven't set it yet, bail out */
        if (file->magic == NULL)
            SCReturn;
+        else
+            SCLogDebug("file->magic %s", file->magic);
+    } else {
+        SCLogDebug("file->flags & FILE_NOMAGIC == true");
    }

    /* okay, we now know we can prune */
@ -471,6 +476,7 @@ File *FileOpenFile(FileContainer *ffc, uint8_t *name,
        ff->store = -1;
    }
    if (flags & FILE_NOMAGIC) {
+        SCLogDebug("no doing magic for this file");
        ff->flags |= FILE_NOMAGIC;
    }

@ -592,7 +598,10 @@ void FileDisableStoring(Flow *f, uint8_t direction) {

    DEBUG_ASSERT_FLOW_LOCKED(f);

-    f->flags |= FLOW_FILE_NO_STORE;
+    if (direction == STREAM_TOSERVER)
+        f->flags |= FLOW_FILE_NO_STORE_TS;
+    else
+        f->flags |= FLOW_FILE_NO_STORE_TC;

    FileContainer *ffc = AppLayerGetFilesFromFlow(f, direction);
    if (ffc != NULL) {
@ -618,11 +627,16 @@ void FileDisableMagic(Flow *f, uint8_t direction) {

    DEBUG_ASSERT_FLOW_LOCKED(f);

-    f->flags |= FLOW_FILE_NO_MAGIC;
+    if (direction == STREAM_TOSERVER)
+        f->flags |= FLOW_FILE_NO_MAGIC_TS;
+    else
+        f->flags |= FLOW_FILE_NO_MAGIC_TC;

    FileContainer *ffc = AppLayerGetFilesFromFlow(f, direction);
    if (ffc != NULL) {
        for (ptr = ffc->head; ptr != NULL; ptr = ptr->next) {
+            SCLogDebug("disabling magic for file %p from direction %s",
+                    ptr, direction == STREAM_TOSERVER ? "toserver":"toclient");
            ptr->flags |= FILE_NOMAGIC;
        }
    }