filedata: read inspected tracker settings from suricata.yaml

10 years ago · 26ba647d58
parent 4b5848616f
commit 26ba647d58
4 changed files with 62 additions and 16 deletions
--- a/src/app-layer-smtp.c
+++ b/src/app-layer-smtp.c
@ -55,6 +55,14 @@
 #include "conf.h"

 #include "util-mem.h"
+#include "util-misc.h"
+
+/* content-limit default value */
+#define FILEDATA_CONTENT_LIMIT 1000
+/* content-inspect-min-size default value */
+#define FILEDATA_CONTENT_INSPECT_MIN_SIZE 1000
+/* content-inspect-window default value */
+#define FILEDATA_CONTENT_INSPECT_WINDOW 1000

 #define SMTP_MAX_REQUEST_AND_REPLY_LINE_LENGTH 510

@ -211,15 +219,8 @@ SCEnumCharMap smtp_reply_map[ ] = {
    {  NULL,  -1 },
 };

-typedef struct SMTPConfig {
-
-    int decode_mime;
-    MimeDecConfig mime_config;
-
-} SMTPConfig;
-
 /* Create SMTP config structure */
-static SMTPConfig smtp_config = { 0, { 0, 0, 0, 0 } };
+SMTPConfig smtp_config = { 0, { 0, 0, 0, 0 }, 0, 0, 0};

 /**
 * \brief Configure SMTP Mime Decoder by parsing out mime section of YAML
@ -232,6 +233,9 @@ static void SMTPConfigure(void) {
    SCEnter();
    int ret = 0, val;
    intmax_t imval;
+    uint32_t content_limit = 0;
+    uint32_t content_inspect_min_size = 0;
+    uint32_t content_inspect_window = 0;

    ConfNode *config = ConfGetNode("app-layer.protocols.smtp.mime");
    if (config != NULL) {
@ -265,6 +269,38 @@ static void SMTPConfigure(void) {
    /* Pass mime config data to MimeDec API */
    MimeDecSetConfig(&smtp_config.mime_config);

+    ConfNode *t = ConfGetNode("app-layer.protocols.smtp.inspected-tracker");
+    ConfNode *p = NULL;
+
+    if (t == NULL)
+        return;
+
+    TAILQ_FOREACH(p, &t->head, next) {
+        if (strcasecmp("content-limit", p->name) == 0) {
+            if (ParseSizeStringU32(p->val, &content_limit) < 0) {
+                SCLogWarning(SC_ERR_SIZE_PARSE, "Error parsing content-limit "
+                             "from conf file - %s. Killing engine", p->val);
+                content_limit = FILEDATA_CONTENT_LIMIT;
+            }
+        }
+
+        if (strcasecmp("content-inspect-min-size", p->name) == 0) {
+            if (ParseSizeStringU32(p->val, &content_inspect_min_size) < 0) {
+                SCLogWarning(SC_ERR_SIZE_PARSE, "Error parsing content-inspect-min-size-limit "
+                             "from conf file - %s. Killing engine", p->val);
+                content_inspect_min_size = FILEDATA_CONTENT_INSPECT_MIN_SIZE;
+            }
+        }
+
+        if (strcasecmp("content-inspect-window", p->name) == 0) {
+            if (ParseSizeStringU32(p->val, &content_inspect_window) < 0) {
+                SCLogWarning(SC_ERR_SIZE_PARSE, "Error parsing content-inspect-window "
+                             "from conf file - %s. Killing engine", p->val);
+                content_inspect_window = FILEDATA_CONTENT_INSPECT_WINDOW;
+            }
+        }
+    }
+
    SCReturn;
 }

--- a/src/app-layer-smtp.h
+++ b/src/app-layer-smtp.h
@ -68,6 +68,15 @@ typedef struct SMTPTransaction_ {
    TAILQ_ENTRY(SMTPTransaction_) next;
 } SMTPTransaction;

+typedef struct SMTPConfig {
+
+    int decode_mime;
+    MimeDecConfig mime_config;
+    uint32_t content_limit;
+    uint32_t content_inspect_min_size;
+    uint32_t content_inspect_window;
+} SMTPConfig;
+
 typedef struct SMTPState_ {
    SMTPTransaction *curr_tx;
    TAILQ_HEAD(, SMTPTransaction_) tx_list;  /**< transaction list */
--- a/src/detect-engine-filedata-smtp.c
+++ b/src/detect-engine-filedata-smtp.c
@ -53,9 +53,6 @@
 #include "conf-yaml-loader.h"

 #define BUFFER_STEP 50
-#define FILECONTENT_CONTENT_LIMIT 1000
-#define FILECONTENT_INSPECT_MIN_SIZE 1000
-#define FILECONTENT_INSPECT_WINDOW 1000

 static inline int SMTPCreateSpace(DetectEngineThreadCtx *det_ctx, uint16_t size)
 {
@ -137,9 +134,9 @@ static uint8_t *DetectEngineSMTPGetBufferForTX(uint64_t tx_id,
        goto end;
    }

-    if ((FILECONTENT_CONTENT_LIMIT == 0 ||
-         curr_file->content_len_so_far < FILECONTENT_CONTENT_LIMIT) &&
-        curr_file->content_len_so_far < FILECONTENT_INSPECT_MIN_SIZE &&
+    if ((smtp_config.content_limit == 0 ||
+         curr_file->content_len_so_far < smtp_config.content_limit) &&
+        curr_file->content_len_so_far < smtp_config.content_inspect_min_size &&
        !(flags & STREAM_EOF)) {
        SCLogDebug("we still haven't seen the entire content. "
                   "Let's defer content inspection till we see the "
@ -154,7 +151,7 @@ static uint8_t *DetectEngineSMTPGetBufferForTX(uint64_t tx_id,
            /* see if we can filter out chunks */
            if (curr_file->content_inspected > 0) {
                if (curr_chunk->stream_offset < curr_file->content_inspected) {
-                    if ((curr_file->content_inspected - curr_chunk->stream_offset) > FILECONTENT_INSPECT_WINDOW) {
+                    if ((curr_file->content_inspected - curr_chunk->stream_offset) > smtp_config.content_inspect_window) {
                        curr_chunk = curr_chunk->next;
                        continue;
                    } else {
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@ -1238,7 +1238,11 @@ app-layer:

        # Extract URLs and save in state data structure
        extract-urls: yes
-
+      # Configure inspected-tracker for file_data keyword
+      inspected-tracker:
+        content-limit: 1000
+        content-inspect-min-size: 1000
+        content-inspect-window: 1000
    imap:
      enabled: detection-only
    msn: