From 4b5848616f903997674f57e1ed3e1af561d0ba95 Mon Sep 17 00:00:00 2001
From: Giuseppe Longo
Date: Tue, 10 Mar 2015 16:21:14 +0100
Subject: [PATCH] filedata: implement inspected tracker
---
 src/detect-engine-filedata-smtp.c | 46 +++++++++++++++++++++++++++++++
 src/util-file.c | 2 ++
 src/util-file.h | 2 ++
 3 files changed, 50 insertions(+)
diff --git a/src/detect-engine-filedata-smtp.c b/src/detect-engine-filedata-smtp.c
index c9eedd4df5..6f2bbbad62 100644
--- a/src/detect-engine-filedata-smtp.c
+++ b/src/detect-engine-filedata-smtp.c
@@ -53,6 +53,9 @@
 #include "conf-yaml-loader.h"
 #define BUFFER_STEP 50
+#define FILECONTENT_CONTENT_LIMIT 1000
+#define FILECONTENT_INSPECT_MIN_SIZE 1000
+#define FILECONTENT_INSPECT_WINDOW 1000
 static inline int SMTPCreateSpace(DetectEngineThreadCtx *det_ctx, uint16_t size)
 {
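Review bot: The three new limits are bare numbers with no comment, and the `FILECONTENT_CONTENT_LIMIT == 0` test later in this commit treats 0 as "no limit" without that being stated where the constant is defined. Suggest `#define FILECONTENT_CONTENT_LIMIT 1000 /* bytes of file content; 0 = no limit */` and a similar one-line unit comment on the other two. All three are compile-time constants, so they cannot be tuned without a rebuild; if that is deliberate, a comment saying so would save the next reader a search for a config option.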
@@ -122,10 +125,50 @@ static uint8_t *DetectEngineSMTPGetBufferForTX(uint64_t tx_id,
 index = (tx_id - det_ctx->smtp_start_tx_id);
 }
+ /* no new data */
+ if (curr_file->content_inspected == curr_file->content_len_so_far) {
+ SCLogDebug("no new data");
+ goto end;
+ }
+
+ curr_chunk = curr_file->chunks_head;
+ if (curr_chunk == NULL) {
+ SCLogDebug("no data chunks to inspect for this transaction");
+ goto end;
+ }
+
+ if ((FILECONTENT_CONTENT_LIMIT == 0 ||
+ curr_file->content_len_so_far < FILECONTENT_CONTENT_LIMIT) &&
+ curr_file->content_len_so_far < FILECONTENT_INSPECT_MIN_SIZE &&
+ !(flags & STREAM_EOF)) {
+ SCLogDebug("we still haven't seen the entire content. "
+ "Let's defer content inspection till we see the "
+ "entire content.");
+ goto end;
+ }
 if (curr_file != NULL) {
+ int first = 1;
 curr_chunk = curr_file->chunks_head;
 while (curr_chunk != NULL) {
 /* see if we can filter out chunks */
+ if (curr_file->content_inspected > 0) {
+ if (curr_chunk->stream_offset < curr_file->content_inspected) {
+ if ((curr_file->content_inspected - curr_chunk->stream_offset) > FILECONTENT_INSPECT_WINDOW) {
+ curr_chunk = curr_chunk->next;
+ continue;
+ } else {
+ /* include this one */
+ }
+ } else {
+ /* include this one */
+ }
+ }
+
+ if (first) {
+ det_ctx->smtp[index].offset = curr_chunk->stream_offset;
+ first = 0;
+ }
 /* see if we need to grow the buffer */
 if (det_ctx->smtp[index].buffer == NULL || (det_ctx->smtp[index].buffer_len + curr_chunk->len) > det_ctx->smtp[index].buffer_size) {
@@ -146,6 +189,9 @@ static uint8_t *DetectEngineSMTPGetBufferForTX(uint64_t tx_id,
 curr_chunk = curr_chunk->next;
 }
+
+ /* updat inspected tracker */
+ curr_file->content_inspected = curr_file->chunks_tail->stream_offset + curr_file->chunks_tail->len;
 }
 buffer = det_ctx->smtp[index].buffer;
diff --git a/src/util-file.c b/src/util-file.c
index de24261dad..bfb68e1e03 100644
--- a/src/util-file.c
+++ b/src/util-file.c
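Review bot: The three new early-exit checks read `curr_file->content_inspected`, `curr_file->content_len_so_far` and `curr_file->chunks_head` before control reaches the pre-existing `if (curr_file != NULL)` guard, so if `curr_file` can be NULL at this point — which that guard implies — the new code dereferences NULL; the start of DetectEngineSMTPGetBufferForTX, where `curr_file` is assigned, lies outside the hunk. A guard placed in front of the `/* no new data */` check, `if (curr_file == NULL) goto end;`, would cover all three reads and make the later `!= NULL` test redundant. A second point to confirm: `first` records `det_ctx->smtp[index].offset` from the first chunk that survives the window filter, but nothing in this hunk resets `buffer_len`, so on a later call for the same tx the buffer may already hold earlier chunks and `offset` would no longer describe its first byte. `flags` and `STREAM_EOF` are assumed to be the function's flags parameter and the stream EOF flag; neither is visible here.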
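Review bot: Typo in the new comment: `/* updat inspected tracker */` should read `/* update inspected tracker */`. It would also help to say what the value means for the next call, e.g. `/* update inspected tracker: everything up to the end of the tail chunk has now been offered to detection */`, since the window filter earlier in the function keys off it. The assignment sits inside the `if (curr_file != NULL)` block whose start is outside this hunk.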
@@ -97,9 +97,11 @@ static int FileAppendFileDataFilePtr(File *ff, FileData *ffd)
 if (ff->chunks_tail == NULL) {
 ff->chunks_head = ffd;
 ff->chunks_tail = ffd;
+ ff->content_len_so_far = ffd->len;
 } else {
 ff->chunks_tail->next = ffd;
 ff->chunks_tail = ffd;
+ ff->content_len_so_far += ffd->len;
 }
 #ifdef DEBUG
diff --git a/src/util-file.h b/src/util-file.h
index 18c1378434..9cfc3a8593 100644
--- a/src/util-file.h
+++ b/src/util-file.h
@@ -79,6 +79,8 @@ typedef struct File_ {
 uint64_t chunks_cnt;
 uint64_t chunks_cnt_max;
 #endif
+ uint64_t content_len_so_far;
+ uint64_t content_inspected;
 } File;
 typedef struct FileContainer_ {
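Review bot: `content_inspected` is never initialized anywhere in this patch, yet its first use in detect-engine-filedata-smtp.c compares it against `content_len_so_far`; unless the `File` object is zero-allocated where it is created (not visible here), that comparison reads an indeterminate value on the first inspection. Setting it explicitly at creation, `ff->content_inspected = 0;`, removes the dependence on the allocator, and with the struct known to be zeroed the two branches could share a single `ff->content_len_so_far += ffd->len;` after the if/else instead of an assignment in one arm and an accumulation in the other. FileAppendFileDataFilePtr continues outside the hunk.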
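Review bot: The two new `File` members carry no comment, and their contract — that util-file.c advances `content_len_so_far` on every appended chunk while the detection code advances `content_inspected` — is only discoverable by reading both files. Suggest `uint64_t content_len_so_far; /**< bytes appended as chunks so far */` and `uint64_t content_inspected; /**< end offset of the data already offered to detection */`. The `File_` struct continues outside the hunk.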