smtp file_data: mpm prefilter engine

9 years ago · 7acdc66061
parent 0019a7bd9f
commit 7acdc66061
4 changed files with 39 additions and 72 deletions
--- a/src/detect-engine-filedata-smtp.c
+++ b/src/detect-engine-filedata-smtp.c
@ -1,4 +1,4 @@
-/* Copyright (C) 2015 Open Information Security Foundation
+/* Copyright (C) 2015-2016 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
@ -19,6 +19,7 @@
 /** \file
 *
 * \author Giuseppe Longo <giuseppelng@gmail.com>
+ * \author Victor Julien <victor@inliniac.net>
 *
 */

@ -32,6 +33,7 @@
 #include "detect-parse.h"
 #include "detect-engine-state.h"
 #include "detect-engine-content-inspection.h"
+#include "detect-engine-prefilter.h"

 #include "flow-util.h"
 #include "util-debug.h"
@ -233,64 +235,53 @@ void DetectEngineCleanSMTPBuffers(DetectEngineThreadCtx *det_ctx)
    return;
 }

-/**
- * \brief SMTP Filedata match -- searches for one pattern per signature.
+/** \brief SMTP Filedata Mpm prefilter callback
 *
- * \param det_ctx    Detection engine thread ctx.
- * \param buffer     Buffer to inspect.
- * \param buffer_len buffer length.
- * \param flags      Flags
+ *  \param det_ctx detection engine thread ctx
+ *  \param p packet to inspect
+ *  \param f flow to inspect
+ *  \param txv tx to inspect
+ *  \param pectx inspection context
 *
- *  \retval ret Number of matches.
+ *  \todo check files against actual tx
 */
-static inline uint32_t SMTPFiledataPatternSearch(DetectEngineThreadCtx *det_ctx,
-                              const uint8_t *buffer, const uint32_t buffer_len,
-                              const uint8_t flags)
+static void PrefilterTxSmtpFiledata(DetectEngineThreadCtx *det_ctx,
+        const void *pectx,
+        Packet *p, Flow *f, void *txv,
+        const uint64_t idx, const uint8_t flags)
 {
    SCEnter();

-    uint32_t ret = 0;
-
-    DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
-    DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_smtp_filedata_ctx_ts == NULL);
-
-    if (buffer_len >= det_ctx->sgh->mpm_smtp_filedata_ctx_ts->minlen) {
-        ret = mpm_table[det_ctx->sgh->mpm_smtp_filedata_ctx_ts->mpm_type].
-            Search(det_ctx->sgh->mpm_smtp_filedata_ctx_ts, &det_ctx->mtcu,
-                    &det_ctx->pmq, buffer, buffer_len);
-    }
-
-    SCReturnUInt(ret);
-}
-
-int DetectEngineRunSMTPMpm(DetectEngineCtx *de_ctx,
-                           DetectEngineThreadCtx *det_ctx, Flow *f,
-                           SMTPState *smtp_state, uint8_t flags,
-                           void *tx, uint64_t idx)
-{
+    const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
+    SMTPState *smtp_state = f->alstate;
    FileContainer *ffc = smtp_state->files_ts;
-    uint32_t cnt = 0;
-    uint32_t buffer_len = 0;
-    uint32_t stream_start_offset = 0;
-    const uint8_t *buffer = NULL;
-
    if (ffc != NULL) {
        File *file = ffc->head;
        for (; file != NULL; file = file->next) {
-            buffer = DetectEngineSMTPGetBufferForTX(idx,
-                                                    de_ctx, det_ctx,
+            uint32_t buffer_len = 0;
+            uint32_t stream_start_offset = 0;
+
+            const uint8_t *buffer = DetectEngineSMTPGetBufferForTX(idx,
+                                                    NULL, det_ctx,
                                                    f, file,
                                                    flags,
                                                    &buffer_len,
                                                    &stream_start_offset);
-            if (buffer_len == 0)
-                goto end;
-
-            cnt += SMTPFiledataPatternSearch(det_ctx, (uint8_t *)buffer, buffer_len, flags);
+            if (buffer != NULL && buffer_len >= mpm_ctx->minlen) {
+                (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
+                        &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
+            }
        }
    }
-end:
-    return cnt;
+}
+
+int PrefilterTxSmtpFiledataRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx)
+{
+    SCEnter();
+
+    return PrefilterAppendTxEngine(sgh, PrefilterTxSmtpFiledata,
+        ALPROTO_SMTP, 0,
+        mpm_ctx, NULL);
 }

 #ifdef UNITTESTS
--- a/src/detect-engine-filedata-smtp.h
+++ b/src/detect-engine-filedata-smtp.h
@ -25,6 +25,8 @@

 #include "app-layer-smtp.h"

+int PrefilterTxSmtpFiledataRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx);
+
 int DetectEngineInspectSMTPFiledata(ThreadVars *tv,
                                    DetectEngineCtx *de_ctx,
                                    DetectEngineThreadCtx *det_ctx,
@ -33,11 +35,6 @@ int DetectEngineInspectSMTPFiledata(ThreadVars *tv,
                                    void *tx, uint64_t tx_id);
 void DetectEngineCleanSMTPBuffers(DetectEngineThreadCtx *det_ctx);

-int DetectEngineRunSMTPMpm(DetectEngineCtx *de_ctx,
-                           DetectEngineThreadCtx *det_ctx, Flow *f,
-                           SMTPState *smtp_state, uint8_t flags,
-                           void *tx, uint64_t idx);
-
 void DetectEngineSMTPFiledataRegisterTests(void);

 #endif /* __DETECT_ENGINE_FILEDATA_SMTP_H__ */
--- a/src/detect-engine-mpm.c
+++ b/src/detect-engine-mpm.c
@ -63,6 +63,7 @@
 #include "detect-engine-hcbd.h"
 #include "detect-engine-hsbd.h"
 #include "detect-engine-dns.h"
+#include "detect-engine-filedata-smtp.h"

 #include "stream.h"

@ -116,7 +117,8 @@ AppLayerMpms app_mpms[] = {
    { "http_method", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HMDMATCH,
        SIG_GROUP_HEAD_MPM_HMD, PrefilterTxMethodRegister, 7},

-    { "file_data", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_FILEDATA, SIG_GROUP_HEAD_MPM_FD_SMTP, NULL, 8}, /* smtp */
+    { "file_data", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_FILEDATA,
+        SIG_GROUP_HEAD_MPM_FD_SMTP, PrefilterTxSmtpFiledataRegister, 8}, /* smtp */
    { "file_data", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_FILEDATA,
        SIG_GROUP_HEAD_MPM_HSBD, PrefilterTxHttpResponseBodyRegister, 9}, /* http server body */

--- a/src/detect.c
+++ b/src/detect.c
@ -902,29 +902,6 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
                    PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_TLSSUBJECT);
                }
            }
-        } else if (alproto == ALPROTO_SMTP && has_state) {
-            if (p->flowflags & FLOW_PKT_TOSERVER) {
-                if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_FD_SMTP) {
-                    void *alstate = FlowGetAppState(p->flow);
-                    if (alstate == NULL) {
-                        SCLogDebug("no alstate");
-                        return;
-                    }
-
-                    SMTPState *smtp_state = (SMTPState *)alstate;
-                    uint64_t idx = AppLayerParserGetTransactionInspectId(p->flow->alparser, flags);
-                    uint64_t total_txs = AppLayerParserGetTxCnt(p->flow->proto, alproto, alstate);
-                    for (; idx < total_txs; idx++) {
-                        void *tx = AppLayerParserGetTx(p->flow->proto, alproto, alstate, idx);
-                        if (tx == NULL)
-                            continue;
-
-                        PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_FD_SMTP);
-                        DetectEngineRunSMTPMpm(de_ctx, det_ctx, p->flow, smtp_state, flags, tx, idx);
-                        PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_FD_SMTP);
-                    }
-                }
-            }
        }
    } else {
        SCLogDebug("NOT p->flowflags & FLOW_PKT_ESTABLISHED");