@ -62,6 +62,8 @@ static pcre_extra *parse_regex_study;
static int DetectFilestoreMatch (ThreadVars *, DetectEngineThreadCtx *,
Flow *, uint8_t, File *, const Signature *, const SigMatchCtx *);
static int DetectFilestorePostMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Packet *p, const Signature *s, const SigMatchCtx *ctx);
static int DetectFilestoreSetup (DetectEngineCtx *, Signature *, const char *);
static void DetectFilestoreFree(void *);
static void DetectFilestoreRegisterTests(void);
@ -81,6 +83,10 @@ void DetectFilestoreRegister(void)
sigmatch_table[DETECT_FILESTORE].RegisterTests = DetectFilestoreRegisterTests;
sigmatch_table[DETECT_FILESTORE].flags = SIGMATCH_OPTIONAL_OPT;
sigmatch_table[DETECT_FILESTORE_POSTMATCH].name = "__filestore__postmatch__";
sigmatch_table[DETECT_FILESTORE_POSTMATCH].Match = DetectFilestorePostMatch;
sigmatch_table[DETECT_FILESTORE_POSTMATCH].Free = DetectFilestoreFree;
DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
g_file_match_list_id = DetectBufferTypeRegister("files");
@ -184,7 +190,8 @@ static int FilestorePostMatchWithOptions(Packet *p, Flow *f, const DetectFilesto
* When we are sure all parts of the signature matched, we run this function
* to finalize the filestore.
*/
int DetectFilestorePostMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, const Signature *s)
static int DetectFilestorePostMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Packet *p, const Signature *s, const SigMatchCtx *ctx)
{
uint8_t flags = 0;
@ -216,14 +223,11 @@ int DetectFilestorePostMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Pack
/* filestore for single files only */
if (s->filestore_ctx == NULL) {
uint16_t u;
for (u = 0; u < det_ctx->filestore_cnt; u++) {
for (uint16_t u = 0; u < det_ctx->filestore_cnt; u++) {
FileStoreFileById(ffc, det_ctx->filestore[u].file_id);
}
} else {
uint16_t u;
for (u = 0; u < det_ctx->filestore_cnt; u++) {
for (uint16_t u = 0; u < det_ctx->filestore_cnt; u++) {
FilestorePostMatchWithOptions(p, p->flow, s->filestore_ctx, ffc,
det_ctx->filestore[u].file_id, det_ctx->filestore[u].tx_id);
}
@ -427,6 +431,14 @@ static int DetectFilestoreSetup (DetectEngineCtx *de_ctx, Signature *s, const ch
SigMatchAppendSMToList(s, sm, g_file_match_list_id);
s->filestore_ctx = (const DetectFilestoreData *)sm->ctx;
sm = SigMatchAlloc();
if (unlikely(sm == NULL))
goto error;
sm->type = DETECT_FILESTORE_POSTMATCH;
sm->ctx = NULL;
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_POSTMATCH);
s->flags |= SIG_FLAG_FILESTORE;
return 0;
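Review bot: In DetectFilestoreSetup, the new `goto error` for a failed second `SigMatchAlloc()` is reached after the first sigmatch has already been appended to `g_file_match_list_id` and `s->filestore_ctx` has been pointed at its ctx. The `error:` label is outside this hunk, so its cleanup cannot be checked here; if it releases the DetectFilestoreData, the signature would be left holding a dangling `filestore_ctx` and signature teardown could free it a second time. Allocating the post-match sigmatch before the first `SigMatchAppendSMToList()` call would keep the failure path from touching anything the signature already owns. Separately, `DetectFilestoreFree` is now registered as the `Free` callback for an entry whose ctx is always NULL, and its body is not shown, so it should be confirmed to tolerate NULL. A comment on `sm->ctx = NULL;` such as `/* no ctx: post-match reads s->filestore_ctx */` would also explain why the new `ctx` parameter of DetectFilestorePostMatch goes unused.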