|
|
|
@ -115,6 +115,14 @@ void DetectFiledataRegister(void)
|
|
|
|
|
DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOCLIENT, 2,
|
|
|
|
|
PrefilterMpmFiledataRegister, NULL,
|
|
|
|
|
ALPROTO_HTTP2, HTTP2StateDataServer);
|
|
|
|
|
DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOSERVER, 2, PrefilterMpmFiledataRegister,
|
|
|
|
|
NULL, ALPROTO_FTPDATA, 0);
|
|
|
|
|
DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOCLIENT, 2, PrefilterMpmFiledataRegister,
|
|
|
|
|
NULL, ALPROTO_FTPDATA, 0);
|
|
|
|
|
DetectAppLayerMpmRegister2(
|
|
|
|
|
"file_data", SIG_FLAG_TOSERVER, 2, PrefilterMpmFiledataRegister, NULL, ALPROTO_FTP, 0);
|
|
|
|
|
DetectAppLayerMpmRegister2(
|
|
|
|
|
"file_data", SIG_FLAG_TOCLIENT, 2, PrefilterMpmFiledataRegister, NULL, ALPROTO_FTP, 0);
|
|
|
|
|
|
|
|
|
|
DetectAppLayerInspectEngineRegister2("file_data", ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
|
|
|
|
|
HTP_RESPONSE_BODY, DetectEngineInspectBufferHttpBody, HttpServerBodyGetDataCallback);
|
|
|
|
@ -135,6 +143,14 @@ void DetectFiledataRegister(void)
|
|
|
|
|
DetectAppLayerInspectEngineRegister2("file_data",
|
|
|
|
|
ALPROTO_HTTP2, SIG_FLAG_TOCLIENT, HTTP2StateDataServer,
|
|
|
|
|
DetectEngineInspectFiledata, NULL);
|
|
|
|
|
DetectAppLayerInspectEngineRegister2(
|
|
|
|
|
"file_data", ALPROTO_FTPDATA, SIG_FLAG_TOSERVER, 0, DetectEngineInspectFiledata, NULL);
|
|
|
|
|
DetectAppLayerInspectEngineRegister2(
|
|
|
|
|
"file_data", ALPROTO_FTPDATA, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectFiledata, NULL);
|
|
|
|
|
DetectAppLayerInspectEngineRegister2(
|
|
|
|
|
"file_data", ALPROTO_FTP, SIG_FLAG_TOSERVER, 0, DetectEngineInspectFiledata, NULL);
|
|
|
|
|
DetectAppLayerInspectEngineRegister2(
|
|
|
|
|
"file_data", ALPROTO_FTP, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectFiledata, NULL);
|
|
|
|
|
|
|
|
|
|
DetectBufferTypeSetDescriptionByName("file_data",
|
|
|
|
|
"http response body, smb files or smtp attachments data");
|
|
|
|
@ -250,9 +266,10 @@ static int DetectFiledataSetup (DetectEngineCtx *de_ctx, Signature *s, const cha
|
|
|
|
|
SCEnter();
|
|
|
|
|
|
|
|
|
|
if (!DetectProtoContainsProto(&s->proto, IPPROTO_TCP) ||
|
|
|
|
|
(s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP &&
|
|
|
|
|
s->alproto != ALPROTO_SMTP && s->alproto != ALPROTO_SMB &&
|
|
|
|
|
s->alproto != ALPROTO_HTTP2)) {
|
|
|
|
|
(s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP &&
|
|
|
|
|
s->alproto != ALPROTO_SMTP && s->alproto != ALPROTO_SMB &&
|
|
|
|
|
s->alproto != ALPROTO_HTTP2 && s->alproto != ALPROTO_FTP &&
|
|
|
|
|
s->alproto != ALPROTO_FTPDATA)) {
|
|
|
|
|
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
|
|
|
|
|
return -1;
|
|
|
|
|
}
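Review bot: The buffer description left as context at the end of the second hunk in DetectFiledataRegister still reads `"http response body, smb files or smtp attachments data"`, although this commit makes file_data valid for FTP and FTP-DATA in both directions. Rule writers who read that description will not learn that FTP transfers are now inspected, so I would change it to `"http response body, smb files, smtp attachments or ftp-data files"`. In DetectFiledataSetup the allowed-protocol chain now has to be kept in step by hand with those registrations, and a comment above the `if` such as `/* keep in sync with the file_data registrations in DetectFiledataRegister() */` would make that explicit. A protocol present in one list but missing from the other would presumably produce rules that load but never match, or rules that are rejected with only the generic "conflicting keywords" error. Both functions continue outside the hunks shown, so later direction handling in DetectFiledataSetup could not be checked here.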
|
|
|
|
|