mirror of https://github.com/OISF/suricata
				
				
				
			Implement filestore keyword, including a way for the stateful detection engine to conclude that a file will never have to be stored.
							parent
							
								
									3e7baa6810
								
							
						
					
					
						commit
						23e01d23d3
					
				| @ -0,0 +1,186 @@ | ||||
| /* Copyright (C) 2007-2011 Open Information Security Foundation
 | ||||
|  * | ||||
|  * You can copy, redistribute or modify this Program under the terms of | ||||
|  * the GNU General Public License version 2 as published by the Free | ||||
|  * Software Foundation. | ||||
|  * | ||||
|  * This program is distributed in the hope that it will be useful, | ||||
|  * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||||
|  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the | ||||
|  * GNU General Public License for more details. | ||||
|  * | ||||
|  * You should have received a copy of the GNU General Public License | ||||
|  * version 2 along with this program; if not, write to the Free Software | ||||
|  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA | ||||
|  * 02110-1301, USA. | ||||
|  */ | ||||
| 
 | ||||
| /**
 | ||||
|  * \file | ||||
|  * | ||||
|  * \author Victor Julien <victor@inliniac.net> | ||||
|  */ | ||||
| 
 | ||||
| #include "suricata-common.h" | ||||
| 
 | ||||
| #include "decode.h" | ||||
| 
 | ||||
| #include "detect.h" | ||||
| #include "detect-engine.h" | ||||
| #include "detect-parse.h" | ||||
| #include "detect-engine-state.h" | ||||
| 
 | ||||
| #include "detect-engine-uri.h" | ||||
| #include "detect-engine-hcbd.h" | ||||
| #include "detect-engine-hhd.h" | ||||
| #include "detect-engine-hrhd.h" | ||||
| #include "detect-engine-hmd.h" | ||||
| #include "detect-engine-hcd.h" | ||||
| #include "detect-engine-hrud.h" | ||||
| #include "detect-engine-dcepayload.h" | ||||
| 
 | ||||
| #include "stream-tcp.h" | ||||
| #include "stream-tcp-private.h" | ||||
| #include "stream-tcp-reassemble.h" | ||||
| 
 | ||||
| #include "app-layer-parser.h" | ||||
| #include "app-layer-protos.h" | ||||
| #include "app-layer-htp.h" | ||||
| #include "app-layer-smb.h" | ||||
| #include "app-layer-dcerpc-common.h" | ||||
| #include "app-layer-dcerpc.h" | ||||
| 
 | ||||
| #include "util-unittest.h" | ||||
| #include "util-unittest-helper.h" | ||||
| #include "util-profiling.h" | ||||
| 
 | ||||
| 
 | ||||
| /**
 | ||||
|  *  \brief Inspect the file inspecting keywords. | ||||
|  * | ||||
|  *  \param tv thread vars | ||||
|  *  \param det_ctx detection engine thread ctx | ||||
|  *  \param f flow | ||||
|  *  \param s signature to inspect | ||||
|  * | ||||
|  *  \retval 0 no match | ||||
|  *  \retval 1 match | ||||
|  *  \retval 2 can't match | ||||
|  *  \retval 3 can't match filestore signature | ||||
|  * | ||||
|  *  \note flow is not locked at this time | ||||
|  */ | ||||
| static int DetectFileInspect(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, Flow *f, Signature *s) { | ||||
|     SigMatch *sm = NULL; | ||||
|     int r = 0; | ||||
|     int match = 0; | ||||
| 
 | ||||
|     SCLogDebug("file inspection..."); | ||||
| 
 | ||||
|     SCMutexLock(&f->files_m); | ||||
|     if (f->files != NULL) { | ||||
|         FlowFile *file = f->files->head; | ||||
|         for (; file != NULL; file = file->next) { | ||||
|             SCLogDebug("file"); | ||||
| 
 | ||||
|             if (file->state == FLOWFILE_STATE_NONE) { | ||||
|                 SCLogDebug("file state FLOWFILE_STATE_NONE"); | ||||
|                 continue; | ||||
|             } | ||||
| 
 | ||||
|             if (file->txid < det_ctx->tx_id) { | ||||
|                 SCLogDebug("file->txid < det_ctx->tx_id == %u < %u", file->txid, det_ctx->tx_id); | ||||
|                 continue; | ||||
|             } | ||||
| 
 | ||||
|             if (file->txid > det_ctx->tx_id) { | ||||
|                 SCLogDebug("file->txid > det_ctx->tx_id == %u > %u", file->txid, det_ctx->tx_id); | ||||
|                 break; | ||||
|             } | ||||
| 
 | ||||
|             if (s->file_flags & FILE_SIG_NEED_FILENAME && file->name == NULL) { | ||||
|                 SCLogDebug("sig needs filename, but we don't have any"); | ||||
|                 r = 0; | ||||
|                 break; | ||||
|             } | ||||
| 
 | ||||
|             /* run the file match functions. */ | ||||
|             for (sm = s->sm_lists[DETECT_SM_LIST_FILEMATCH]; sm != NULL; sm = sm->next) { | ||||
|                 SCLogDebug("sm %p, sm->next %p", sm, sm->next); | ||||
| 
 | ||||
|                 if (sigmatch_table[sm->type].AppLayerMatch != NULL) { | ||||
|                     match = sigmatch_table[sm->type]. | ||||
|                         AppLayerMatch(tv, det_ctx, f, 0, (void *)file, s, sm); | ||||
|                     if (match == 0) { | ||||
|                         r = 2; | ||||
|                         break; | ||||
|                     } else if (sm->next == NULL) { | ||||
|                         r = 1; | ||||
|                         break; | ||||
|                     } | ||||
|                 } | ||||
|             } | ||||
| 
 | ||||
|             if (r == 1) | ||||
|                 break; | ||||
| 
 | ||||
|             /* if this is a filestore sig, and the sig can't match
 | ||||
|              * return 3 so we can distinguish */ | ||||
|             if (s->init_flags & SIG_FLAG_FILESTORE && r == 2) | ||||
|                 r = 3; | ||||
|         } | ||||
|     } | ||||
| 
 | ||||
|     SCMutexUnlock(&f->files_m); | ||||
|     SCReturnInt(r); | ||||
| } | ||||
| 
 | ||||
| int DetectFileInspectHttp(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, Flow *f, Signature *s, void *alstate) { | ||||
|     SCEnter(); | ||||
| 
 | ||||
|     int r = 0; | ||||
|     HtpState *htp_state = NULL; | ||||
|     size_t idx = 0; | ||||
|     size_t start_tx = 0; | ||||
|     size_t end_tx = 0; | ||||
|     int match = 0; | ||||
| 
 | ||||
|     htp_state = (HtpState *)alstate; | ||||
|     if (htp_state == NULL) { | ||||
|         SCLogDebug("no HTTP state"); | ||||
|         SCReturnInt(0); | ||||
|     } | ||||
| 
 | ||||
|     /* locking the flow, we will inspect the htp state */ | ||||
|     SCMutexLock(&f->m); | ||||
|     if (htp_state->connp != NULL && htp_state->connp->conn != NULL) | ||||
|     { | ||||
|         start_tx = AppLayerTransactionGetInspectId(f); | ||||
|         end_tx = list_size(htp_state->connp->conn->transactions); | ||||
| 
 | ||||
|     } | ||||
|     SCMutexUnlock(&f->m); | ||||
| 
 | ||||
|     for (idx = start_tx ; idx < end_tx; idx++) | ||||
|     { | ||||
|         /* inspect files for this transaction */ | ||||
|         det_ctx->tx_id = (uint16_t)idx; | ||||
| 
 | ||||
|         match = DetectFileInspect(tv, det_ctx, f, s); | ||||
|         if (match == 1) { | ||||
|             r = 1; | ||||
|         } else if (match == 2) { | ||||
|             if (r != 1) { | ||||
|                 SCLogDebug("sid %u can't match on this transaction", s->id); | ||||
|                 r = 2; | ||||
|             } | ||||
|         } else if (match == 3) { | ||||
|             if (r != 1) { | ||||
|                 SCLogDebug("sid %u can't match on this transaction (filestore sig)", s->id); | ||||
|                 r = 3; | ||||
|             } | ||||
|         } | ||||
|     } | ||||
| 
 | ||||
|     SCReturnInt(r); | ||||
| } | ||||
| @ -0,0 +1,29 @@ | ||||
| /* Copyright (C) 2007-2011 Open Information Security Foundation
 | ||||
|  * | ||||
|  * You can copy, redistribute or modify this Program under the terms of | ||||
|  * the GNU General Public License version 2 as published by the Free | ||||
|  * Software Foundation. | ||||
|  * | ||||
|  * This program is distributed in the hope that it will be useful, | ||||
|  * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||||
|  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the | ||||
|  * GNU General Public License for more details. | ||||
|  * | ||||
|  * You should have received a copy of the GNU General Public License | ||||
|  * version 2 along with this program; if not, write to the Free Software | ||||
|  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA | ||||
|  * 02110-1301, USA. | ||||
|  */ | ||||
| 
 | ||||
| /**
 | ||||
|  * \file | ||||
|  * | ||||
|  * \author Victor Julien <victor@inliniac.net> | ||||
|  */ | ||||
| 
 | ||||
| #ifndef __DETECT_ENGINE_FILE_H__ | ||||
| #define __DETECT_ENGINE_FILE_H__ | ||||
| 
 | ||||
| int DetectFileInspectHttp(ThreadVars *, DetectEngineThreadCtx *, Flow *, Signature *, void *); | ||||
| 
 | ||||
| #endif /* __DETECT_ENGINE_FILE_H__ */ | ||||
| @ -0,0 +1,131 @@ | ||||
| /* Copyright (C) 2007-2011 Open Information Security Foundation
 | ||||
|  * | ||||
|  * You can copy, redistribute or modify this Program under the terms of | ||||
|  * the GNU General Public License version 2 as published by the Free | ||||
|  * Software Foundation. | ||||
|  * | ||||
|  * This program is distributed in the hope that it will be useful, | ||||
|  * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||||
|  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the | ||||
|  * GNU General Public License for more details. | ||||
|  * | ||||
|  * You should have received a copy of the GNU General Public License | ||||
|  * version 2 along with this program; if not, write to the Free Software | ||||
|  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA | ||||
|  * 02110-1301, USA. | ||||
|  */ | ||||
| 
 | ||||
| /**
 | ||||
|  * \file | ||||
|  * | ||||
|  * \author Victor Julien <victor@inliniac.net> | ||||
|  * | ||||
|  */ | ||||
| 
 | ||||
| #include "suricata-common.h" | ||||
| #include "threads.h" | ||||
| #include "debug.h" | ||||
| #include "decode.h" | ||||
| 
 | ||||
| #include "detect.h" | ||||
| #include "detect-parse.h" | ||||
| 
 | ||||
| #include "detect-engine.h" | ||||
| #include "detect-engine-mpm.h" | ||||
| #include "detect-engine-state.h" | ||||
| 
 | ||||
| #include "flow.h" | ||||
| #include "flow-var.h" | ||||
| #include "flow-util.h" | ||||
| 
 | ||||
| #include "util-debug.h" | ||||
| #include "util-spm-bm.h" | ||||
| #include "util-unittest.h" | ||||
| #include "util-unittest-helper.h" | ||||
| 
 | ||||
| #include "app-layer.h" | ||||
| 
 | ||||
| #include "stream-tcp.h" | ||||
| 
 | ||||
| #include "detect-filestore.h" | ||||
| 
 | ||||
| int DetectFilestoreMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t, void *, Signature *, SigMatch *); | ||||
| static int DetectFilestoreSetup (DetectEngineCtx *, Signature *, char *); | ||||
| 
 | ||||
| /**
 | ||||
|  * \brief Registration function for keyword: filestore | ||||
|  */ | ||||
| void DetectFilestoreRegister(void) { | ||||
|     sigmatch_table[DETECT_FILESTORE].name = "filestore"; | ||||
|     sigmatch_table[DETECT_FILESTORE].Match = NULL; | ||||
|     sigmatch_table[DETECT_FILESTORE].AppLayerMatch = DetectFilestoreMatch; | ||||
|     sigmatch_table[DETECT_FILESTORE].alproto = ALPROTO_HTTP; | ||||
|     sigmatch_table[DETECT_FILESTORE].Setup = DetectFilestoreSetup; | ||||
|     sigmatch_table[DETECT_FILESTORE].Free  = NULL; | ||||
|     sigmatch_table[DETECT_FILESTORE].RegisterTests = NULL; | ||||
| 
 | ||||
| 	SCLogDebug("registering filestore rule option"); | ||||
|     return; | ||||
| } | ||||
| 
 | ||||
| /**
 | ||||
|  * \brief match the specified filestore | ||||
|  * | ||||
|  * \param t pointer to thread vars | ||||
|  * \param det_ctx pointer to the pattern matcher thread | ||||
|  * \param p pointer to the current packet | ||||
|  * \param m pointer to the sigmatch that we will cast into DetectFilestoreData | ||||
|  * | ||||
|  * \retval 0 no match | ||||
|  * \retval 1 match | ||||
|  */ | ||||
| int DetectFilestoreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, | ||||
|         uint8_t flags, void *state, Signature *s, SigMatch *m) | ||||
| { | ||||
|     SCEnter(); | ||||
|     FlowFile *file = (FlowFile *)state; | ||||
|     FlowFileStore(file); | ||||
|     SCReturnInt(1); | ||||
| } | ||||
| 
 | ||||
| /**
 | ||||
|  * \brief this function is used to parse filestore options | ||||
|  * \brief into the current signature | ||||
|  * | ||||
|  * \param de_ctx pointer to the Detection Engine Context | ||||
|  * \param s pointer to the Current Signature | ||||
|  * \param str pointer to the user provided "filestore" option | ||||
|  * | ||||
|  * \retval 0 on Success | ||||
|  * \retval -1 on Failure | ||||
|  */ | ||||
| static int DetectFilestoreSetup (DetectEngineCtx *de_ctx, Signature *s, char *str) | ||||
| { | ||||
|     SigMatch *sm = NULL; | ||||
| 
 | ||||
|     sm = SigMatchAlloc(); | ||||
|     if (sm == NULL) | ||||
|         goto error; | ||||
| 
 | ||||
|     sm->type = DETECT_FILESTORE; | ||||
|     sm->ctx = NULL; | ||||
| 
 | ||||
|     SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_FILEMATCH); | ||||
| 
 | ||||
|     if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { | ||||
|         SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords."); | ||||
|         goto error; | ||||
|     } | ||||
| 
 | ||||
|     AppLayerHtpNeedFileInspection(); | ||||
| 
 | ||||
|     s->alproto = ALPROTO_HTTP; | ||||
| 
 | ||||
|     s->init_flags |= SIG_FLAG_FILESTORE; | ||||
|     return 0; | ||||
| 
 | ||||
| error: | ||||
|     if (sm != NULL) | ||||
|         SCFree(sm); | ||||
|     return -1; | ||||
| } | ||||
| @ -0,0 +1,30 @@ | ||||
| /* Copyright (C) 2007-2011 Open Information Security Foundation
 | ||||
|  * | ||||
|  * You can copy, redistribute or modify this Program under the terms of | ||||
|  * the GNU General Public License version 2 as published by the Free | ||||
|  * Software Foundation. | ||||
|  * | ||||
|  * This program is distributed in the hope that it will be useful, | ||||
|  * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||||
|  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the | ||||
|  * GNU General Public License for more details. | ||||
|  * | ||||
|  * You should have received a copy of the GNU General Public License | ||||
|  * version 2 along with this program; if not, write to the Free Software | ||||
|  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA | ||||
|  * 02110-1301, USA. | ||||
|  */ | ||||
| 
 | ||||
| /**
 | ||||
|  * \file | ||||
|  * | ||||
|  * \author Victor Julien <victor@inliniac.net> | ||||
|  */ | ||||
| 
 | ||||
| #ifndef __DETECT_FILESTORE_H__ | ||||
| #define __DETECT_FILESTORE_H__ | ||||
| 
 | ||||
| /* prototypes */ | ||||
| void DetectFilestoreRegister (void); | ||||
| 
 | ||||
| #endif /* __DETECT_FILESTORE_H__ */ | ||||
					Loading…
					
					
				
		Reference in New Issue