Initial on the fly MD5 calculation for extracted files using libnss.

Victor Julien 14 years ago
parent 2f7717a1a7
commit 69b3df96fb

@ -1013,6 +1013,63 @@ AC_CHECK_HEADER(pcap.h,,[AC_ERROR(pcap.h not found ...)])
fi
fi
#libnspr
AC_ARG_WITH(libnspr_includes,
[ --with-libnspr-includes=DIR libnspr include directory],
[with_libnspr_includes="$withval"],[with_libnspr_includes=no])
AC_ARG_WITH(libnspr_libraries,
[ --with-libnspr-libraries=DIR libnspr library directory],
[with_libnspr_libraries="$withval"],[with_libnspr_libraries="no"])
if test "$with_libnspr_includes" != "no"; then
CPPFLAGS="${CPPFLAGS} -I${with_libnspr_includes}"
fi
AC_CHECK_HEADER(nspr.h,,[AC_ERROR(nspr.h not found ...)])
if test "$with_libnspr_libraries" != "no"; then
LDFLAGS="${LDFLAGS} -L${with_libnspr_libraries}"
fi
MAGIC=""
AC_CHECK_LIB(nspr4, PR_GetCurrentThread,, NSPR="no")
if test "$NSPR" = "no"; then
echo
echo " ERROR! libnspr library not found, go get it"
echo " from Mozilla."
echo
exit 1
fi
#libnss
AC_ARG_WITH(libnss_includes,
[ --with-libnss-includes=DIR libnss include directory],
[with_libnss_includes="$withval"],[with_libnss_includes=no])
AC_ARG_WITH(libnss_libraries,
[ --with-libnss-libraries=DIR libnss library directory],
[with_libnss_libraries="$withval"],[with_libnss_libraries="no"])
if test "$with_libnss_includes" != "no"; then
CPPFLAGS="${CPPFLAGS} -I${with_libnss_includes}"
fi
AC_CHECK_HEADER(sechash.h,,[AC_ERROR(sechash.h not found ...)])
if test "$with_libnss_libraries" != "no"; then
LDFLAGS="${LDFLAGS} -L${with_libnss_libraries}"
fi
MAGIC=""
AC_CHECK_LIB(nss3, HASH_Begin,, NSS="no")
if test "$NSS" = "no"; then
echo
echo " ERROR! libnss library not found, go get it"
echo " from Mozilla."
echo
exit 1
fi
#libmagic
AC_ARG_WITH(libmagic_includes,
[ --with-libmagic-includes=DIR libmagic include directory],
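Review bot: `MAGIC=""` just before `AC_CHECK_LIB(nspr4, ...)` and again before `AC_CHECK_LIB(nss3, ...)` looks like a copy-paste leftover from the libmagic block that follows; neither check uses that variable, and clearing it here could interfere with the libmagic block, so both lines should be dropped. The header probe is `AC_CHECK_HEADER(sechash.h, ...)` while the util-file.h hunk of this commit includes `"nss/sechash.h"`, so a `--with-libnss-includes` directory that satisfies configure does not necessarily satisfy the compile; the two spellings need to agree (either probe `nss/sechash.h` here or include `<sechash.h>` in the header). Both libraries also become hard requirements with no `--with-libnss=no` path; if that is intended, a comment such as `# libnspr/libnss are mandatory: they provide the on-the-fly MD5 of extracted files` at the `#libnspr` block would make it explicit.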

@ -160,6 +160,14 @@ static void LogFileLogCloseMetaFile(File *ff) {
switch (ff->state) {
case FILE_STATE_CLOSED:
fprintf(fp, "STATE: CLOSED\n");
if (ff->flags & FILE_MD5) {
fprintf(fp, "MD5: ");
size_t x;
for (x = 0; x < sizeof(ff->md5); x++) {
fprintf(fp, "%02x", ff->md5[x]);
}
fprintf(fp, "\n");
}
break;
case FILE_STATE_TRUNCATED:
fprintf(fp, "STATE: TRUNCATED\n");
@ -472,6 +480,12 @@ static OutputCtx *LogFileLogInitCtx(ConfNode *conf)
SCLogInfo("forcing magic lookup for stored files");
}
const char *force_md5 = ConfNodeLookupChildValue(conf, "force-md5");
if (force_md5 != NULL && ConfValIsTrue(force_md5)) {
FileForceMd5Enable();
SCLogInfo("forcing md5 calculation for stored files");
}
const char *waldo = ConfNodeLookupChildValue(conf, "waldo");
if (waldo != NULL && strlen(waldo) > 0) {
if (PathIsAbsolute(waldo)) {
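Review bot: In the `FILE_STATE_CLOSED` case of `LogFileLogCloseMetaFile` the digest loop is correct, but nothing tells a reader why no `MD5:` line is written for `FILE_STATE_TRUNCATED`; a comment before `if (ff->flags & FILE_MD5) {` such as `/* FILE_MD5 is only set once the file is fully closed; a truncated file has no usable digest */` would document that the absence is deliberate. As a point of style, `size_t x;` can be folded into the loop header (`for (size_t x = 0; ...)`), which the file's C99 mixed declarations already permit. It is also worth a one-line note in the meta file format description that the MD5 is meant for identification and lookup of stored files, not as proof of content integrity, given MD5's known collision weakness. `LogFileLogCloseMetaFile` begins before this hunk.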

@ -28,6 +28,8 @@
#include <signal.h>
#include <pthread.h>
#include <nss.h>
#include "suricata.h"
#include "decode.h"
#include "detect.h"
@ -638,6 +640,9 @@ int main(int argc, char **argv)
SC_ATOMIC_INIT(engine_stage);
/* init NSS for md5 */
NSS_NoDB_Init(NULL);
/* initialize the logging subsys */
SCLogInitLogModule(NULL);
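Review bot: The return value of `NSS_NoDB_Init(NULL)` is discarded, so an NSS initialisation failure is invisible at start-up and only shows up later as `HASH_Create` returning NULL, which the util-file.c hunk treats as "no MD5 for this file" without any message; with `force-md5` configured that silently produces meta files with no digest. The call should be checked, `if (NSS_NoDB_Init(NULL) != SECSuccess) { /* log the failure; decide whether MD5 support is mandatory before continuing */ }`, and the comment `/* init NSS for md5 */` could say that it must precede any `HASH_Create` call. Placing it before `SCLogInitLogModule` also means a failure here cannot be reported through the normal log path, so consider moving it after the logging init. `main` continues outside this hunk, and I see no matching `NSS_Shutdown` in the commit; presumably it belongs on the shutdown path, worth confirming.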

@ -38,6 +38,11 @@
*/
static int g_file_force_magic = 0;
/** \brief switch to force md5 calculation on all files
* regardless of the rules.
*/
static int g_file_force_md5 = 0;
/* prototypes */
static void FileFree(File *);
static void FileDataFree(FileData *);
@ -46,10 +51,18 @@ void FileForceMagicEnable(void) {
g_file_force_magic = 1;
}
void FileForceMd5Enable(void) {
g_file_force_md5 = 1;
}
int FileForceMagic(void) {
return g_file_force_magic;
}
int FileForceMd5(void) {
return g_file_force_md5;
}
int FileMagicSize(void) {
/** \todo make this size configurable */
return 512;
@ -79,6 +92,8 @@ static int FileAppendFileDataFilePtr(File *ff, FileData *ffd) {
ff->chunks_cnt_max = ff->chunks_cnt;
#endif
if (ff->md5_ctx)
HASH_Update(ff->md5_ctx, ffd->data, ffd->len);
SCReturnInt(0);
}
@ -272,6 +287,12 @@ static File *FileAlloc(uint8_t *name, uint16_t name_len) {
new->name_len = name_len;
memcpy(new->name, name, name_len);
if (g_file_force_md5) {
new->md5_ctx = HASH_Create(HASH_AlgMD5);
if (new->md5_ctx != NULL) {
HASH_Begin(new->md5_ctx);
}
}
return new;
}
@ -296,6 +317,9 @@ static void FileFree(File *ff) {
}
}
if (ff->md5_ctx)
HASH_Destroy(ff->md5_ctx);
SCLogDebug("ff chunks_cnt %"PRIu64", chunks_cnt_max %"PRIu64,
ff->chunks_cnt, ff->chunks_cnt_max);
SCFree(ff);
@ -508,6 +532,12 @@ static int FileCloseFilePtr(File *ff, uint8_t *data,
} else {
ff->state = FILE_STATE_CLOSED;
SCLogDebug("flowfile state transitioned to FILE_STATE_CLOSED");
if (ff->md5_ctx) {
unsigned int len = 0;
HASH_End(ff->md5_ctx, ff->md5, &len, sizeof(ff->md5));
ff->flags |= FILE_MD5;
}
}
SCReturnInt(0);
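Review bot: In `FileCloseFilePtr` the `len` written by `HASH_End(ff->md5_ctx, ff->md5, &len, sizeof(ff->md5))` is never examined before `ff->flags |= FILE_MD5` is set, so a digest shorter than `sizeof(ff->md5)` would still be logged as the file's MD5; guard it with `if (len == sizeof(ff->md5)) { ff->flags |= FILE_MD5; }` and treat anything else as "no digest". In `FileAlloc` (hunk at +287) a NULL return from `HASH_Create` silently leaves `md5_ctx` unset, which then disables hashing for that file without a trace; at minimum an `SCLogDebug("HASH_Create failed, no md5 for this file")` in that branch, and ideally a warning, would keep a misconfigured NSS from going unnoticed when `force-md5` is on. The order in which the final `data` argument of `FileCloseFilePtr` is appended relative to this `HASH_End` is not visible in the hunk; if the last chunk is added after this point it would be missing from the digest, so please confirm. `FileCloseFilePtr` begins before this hunk.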

@ -25,10 +25,13 @@
#ifndef __UTIL_FILE_H__
#define __UTIL_FILE_H__
#include "nss/sechash.h"
#define FILE_TRUNCATED 0x01
#define FILE_NOSTORE 0x02
#define FILE_NOMAGIC 0x04
#define FILE_STORE 0x08
#define FILE_MD5 0x10
typedef enum FileState_ {
FILE_STATE_NONE = 0, /**< no state */
@ -63,6 +66,8 @@ typedef struct File_ {
FileData *chunks_head;
FileData *chunks_tail;
struct File_ *next;
HASHContext *md5_ctx;
uint8_t md5[MD5_LENGTH];
#ifdef DEBUG
uint64_t chunks_cnt;
uint64_t chunks_cnt_max;
@ -161,6 +166,9 @@ void FilePrune(FileContainer *ffc);
void FileForceMagicEnable(void);
int FileForceMagic(void);
void FileForceMd5Enable(void);
int FileForceMd5(void);
void FileStoreAllFiles(FileContainer *);
void FileStoreAllFilesForTx(FileContainer *, uint16_t);
void FileStoreFileById(FileContainer *fc, uint16_t);
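Review bot: `#include "nss/sechash.h"` in this public header makes every translation unit that includes util-file.h depend on the NSS headers, even though only util-file.c and the file logger touch `HASHContext`; if the type is only ever used through a pointer here, a forward declaration could keep the NSS include private to util-file.c, with `MD5_LENGTH` replaced by a project-local constant for the `md5` array (I believe `HASHContext` is a typedef of an NSS struct, so confirm the exact declaration against sechash.h). The new `FILE_MD5 0x10` flag is undocumented; a comment such as `/**< md5 in File::md5 is valid (set only when the file was fully closed) */` would tell callers when they may read the array, and it is also the right place to state that the digest is intended for identification of stored files and, MD5 being collision-prone, not as an integrity guarantee. The `struct File_` definition starts before and continues after the second hunk.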
