file magic: don't disable inspecting magic for both directions if files in only one direction don't need magic.

remotes/origin/HEAD
Victor Julien 14 years ago
parent ba4613aef1
commit 22349f863b

@ -106,6 +106,15 @@ int HTPFileOpen(HtpState *s, uint8_t *filename, uint16_t filename_len,
(s->flags & HTP_FLAG_STORE_FILES_TX_TS && txid == s->store_tx_id)) { (s->flags & HTP_FLAG_STORE_FILES_TX_TS && txid == s->store_tx_id)) {
flags |= FILE_STORE; flags |= FILE_STORE;
} }
if (s->f->flags & FLOW_FILE_NO_MAGIC_TC) {
SCLogDebug("no magic for this flow in toclient direction, so none for this file");
flags |= FILE_NOMAGIC;
}
if (!(flags & FILE_STORE) && s->f->flags & FLOW_FILE_NO_STORE_TC) {
flags |= FILE_NOSTORE;
}
} else { } else {
if (s->files_ts == NULL) { if (s->files_ts == NULL) {
s->files_ts = FileContainerAlloc(); s->files_ts = FileContainerAlloc();
@ -122,6 +131,14 @@ int HTPFileOpen(HtpState *s, uint8_t *filename, uint16_t filename_len,
(s->flags & HTP_FLAG_STORE_FILES_TX_TC && txid == s->store_tx_id)) { (s->flags & HTP_FLAG_STORE_FILES_TX_TC && txid == s->store_tx_id)) {
flags |= FILE_STORE; flags |= FILE_STORE;
} }
if (s->f->flags & FLOW_FILE_NO_MAGIC_TS) {
SCLogDebug("no magic for this flow in toserver direction, so none for this file");
flags |= FILE_NOMAGIC;
}
if (!(flags & FILE_STORE) && s->f->flags & FLOW_FILE_NO_STORE_TS) {
flags |= FILE_NOSTORE;
}
} }
/* if the previous file is in the same txid, we reset the file part of the /* if the previous file is in the same txid, we reset the file part of the
@ -149,13 +166,6 @@ int HTPFileOpen(HtpState *s, uint8_t *filename, uint16_t filename_len,
} }
} }
if (!(flags & FILE_STORE) && s->f->flags & FLOW_FILE_NO_STORE) {
flags |= FILE_NOSTORE;
}
if (s->f->flags & FLOW_FILE_NO_MAGIC) {
flags |= FILE_NOMAGIC;
}
if (FileOpenFile(files, filename, filename_len, if (FileOpenFile(files, filename, filename_len,
data, data_len, flags) == NULL) data, data_len, flags) == NULL)
{ {
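Review bot: The new toclient block tests `FLOW_FILE_NO_MAGIC_TC` and `FLOW_FILE_NO_STORE_TC` directly under a context condition that tests `HTP_FLAG_STORE_FILES_TX_TS`, and the toserver block sits under `HTP_FLAG_STORE_FILES_TX_TC`, so the two flag families appear to carry opposite direction suffixes within the same branch. That may be intentional, but it cannot be confirmed from these hunks, and a mix-up here would silently skip magic inspection or storing for the wrong direction. If the intent is as the debug messages suggest, a short comment above each new block, e.g. `/* flow file flags are keyed on the direction the file travels in */`, would make the pairing explicit. The store tests would also read more safely with the mask parenthesized: `if (!(flags & FILE_STORE) && (s->f->flags & FLOW_FILE_NO_STORE_TC)) {`. HTPFileOpen starts and ends outside the hunks shown.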

@ -42,7 +42,11 @@
/** At least on packet from the destination address was seen */ /** At least on packet from the destination address was seen */
#define FLOW_TO_DST_SEEN 0x00000002 #define FLOW_TO_DST_SEEN 0x00000002
// vacany 3x // vacany 1x
/** no magic on files in this flow */
#define FLOW_FILE_NO_MAGIC_TS 0x00000008
#define FLOW_FILE_NO_MAGIC_TC 0x00000010
/** Flow was inspected against IP-Only sigs in the toserver direction */ /** Flow was inspected against IP-Only sigs in the toserver direction */
#define FLOW_TOSERVER_IPONLY_SET 0x00000020 #define FLOW_TOSERVER_IPONLY_SET 0x00000020
@ -86,9 +90,8 @@
#define FLOW_TC_PM_PP_ALPROTO_DETECT_DONE 0x00400000 #define FLOW_TC_PM_PP_ALPROTO_DETECT_DONE 0x00400000
#define FLOW_TIMEOUT_REASSEMBLY_DONE 0x00800000 #define FLOW_TIMEOUT_REASSEMBLY_DONE 0x00800000
/** even if the flow has files, don't store 'm */ /** even if the flow has files, don't store 'm */
#define FLOW_FILE_NO_STORE 0x01000000 #define FLOW_FILE_NO_STORE_TS 0x01000000
/** no magic on files in this flow */ #define FLOW_FILE_NO_STORE_TC 0x02000000
#define FLOW_FILE_NO_MAGIC 0x02000000
/** flow is ipv4 */ /** flow is ipv4 */
#define FLOW_IPV4 0x04000000 #define FLOW_IPV4 0x04000000
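Review bot: The doc comments no longer match the defines they sit above: `/** no magic on files in this flow */` now covers two direction-specific flags, and `FLOW_FILE_NO_STORE_TC` has no comment of its own. I would give each define its own line, e.g. `/** no magic on files in this flow, toserver direction */` and `/** even if the flow has files, don't store them, toclient direction */`. Because these bits switch file inspection and extraction off, the definition should say which direction each one suppresses.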

@ -27,6 +27,7 @@
#include "suricata.h" #include "suricata.h"
#include "debug.h" #include "debug.h"
#include "flow.h" #include "flow.h"
#include "stream.h"
#include "util-hash.h" #include "util-hash.h"
#include "util-debug.h" #include "util-debug.h"
#include "util-memcmp.h" #include "util-memcmp.h"
@ -126,6 +127,10 @@ static void FilePruneFile(File *file) {
/* need magic but haven't set it yet, bail out */ /* need magic but haven't set it yet, bail out */
if (file->magic == NULL) if (file->magic == NULL)
SCReturn; SCReturn;
else
SCLogDebug("file->magic %s", file->magic);
} else {
SCLogDebug("file->flags & FILE_NOMAGIC == true");
} }
/* okay, we now know we can prune */ /* okay, we now know we can prune */
@ -471,6 +476,7 @@ File *FileOpenFile(FileContainer *ffc, uint8_t *name,
ff->store = -1; ff->store = -1;
} }
if (flags & FILE_NOMAGIC) { if (flags & FILE_NOMAGIC) {
SCLogDebug("no doing magic for this file");
ff->flags |= FILE_NOMAGIC; ff->flags |= FILE_NOMAGIC;
} }
@ -592,7 +598,10 @@ void FileDisableStoring(Flow *f, uint8_t direction) {
DEBUG_ASSERT_FLOW_LOCKED(f); DEBUG_ASSERT_FLOW_LOCKED(f);
f->flags |= FLOW_FILE_NO_STORE; if (direction == STREAM_TOSERVER)
f->flags |= FLOW_FILE_NO_STORE_TS;
else
f->flags |= FLOW_FILE_NO_STORE_TC;
FileContainer *ffc = AppLayerGetFilesFromFlow(f, direction); FileContainer *ffc = AppLayerGetFilesFromFlow(f, direction);
if (ffc != NULL) { if (ffc != NULL) {
@ -618,11 +627,16 @@ void FileDisableMagic(Flow *f, uint8_t direction) {
DEBUG_ASSERT_FLOW_LOCKED(f); DEBUG_ASSERT_FLOW_LOCKED(f);
f->flags |= FLOW_FILE_NO_MAGIC; if (direction == STREAM_TOSERVER)
f->flags |= FLOW_FILE_NO_MAGIC_TS;
else
f->flags |= FLOW_FILE_NO_MAGIC_TC;
FileContainer *ffc = AppLayerGetFilesFromFlow(f, direction); FileContainer *ffc = AppLayerGetFilesFromFlow(f, direction);
if (ffc != NULL) { if (ffc != NULL) {
for (ptr = ffc->head; ptr != NULL; ptr = ptr->next) { for (ptr = ffc->head; ptr != NULL; ptr = ptr->next) {
SCLogDebug("disabling magic for file %p from direction %s",
ptr, direction == STREAM_TOSERVER ? "toserver":"toclient");
ptr->flags |= FILE_NOMAGIC; ptr->flags |= FILE_NOMAGIC;
} }
} }
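Review bot: In FileDisableStoring and FileDisableMagic the new test is `direction == STREAM_TOSERVER` with a bare `else`, so every other value of `direction` sets the toclient flag, including a value with extra bits set if any caller passes one. The same `direction` is then handed to `AppLayerGetFilesFromFlow`, so the flow flag and the container that gets walked could disagree, and magic or storing would be turned off for a direction nobody asked about. I would test the bit and make the second arm explicit: `if (direction & STREAM_TOSERVER)` followed by `else if (direction & STREAM_TOCLIENT)`. Separately, the unbraced `if`/`else` added around `SCReturn` in FilePruneFile would be safer with braces, since both arms appear to be macros. All three function bodies start or end outside the hunks shown.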
