file inspect: stateful inspection split

Split stateful detection of the files in an HTTP state between toserver
and toclient inspection.
remotes/origin/master-1.2.x
Victor Julien 14 years ago
parent d59ca75e46
commit 96d20098b0

@ -96,14 +96,6 @@ int HTPFileOpen(HtpState *s, uint8_t *filename, uint16_t filename_len,
}
}
/* if the previous file is in the same txid, we
* reset the file part of the stateful detection
* engine. */
if (s->files_tc && s->files_tc->tail && s->files_tc->tail->txid == txid) {
SCLogDebug("new file in same tx, resetting de_state");
DeStateResetFileInspection(s->f);
}
files = s->files_tc;
} else {
if (s->files_ts == NULL) {
@ -114,17 +106,17 @@ int HTPFileOpen(HtpState *s, uint8_t *filename, uint16_t filename_len,
}
}
/* if the previous file is in the same txid, we
* reset the file part of the stateful detection
* engine. */
if (s->files_ts && s->files_ts->tail && s->files_ts->tail->txid == txid) {
SCLogDebug("new file in same tx, resetting de_state");
DeStateResetFileInspection(s->f);
}
files = s->files_ts;
}
/* if the previous file is in the same txid, we
* reset the file part of the stateful detection
* engine. */
if (files != NULL && files->tail != NULL && files->tail->txid == txid) {
SCLogDebug("new file in same tx, resetting de_state");
DeStateResetFileInspection(s->f, direction);
}
if (s->f->flags & FLOW_FILE_NO_STORE) {
flags |= FILE_NOSTORE;
}

@ -465,11 +465,11 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
SCLogDebug("inspecting http raw uri");
}
if (s->sm_lists[DETECT_SM_LIST_FILEMATCH] != NULL) {
inspect_flags |= DE_STATE_FLAG_FILE_INSPECT;
inspect_flags |= DE_STATE_FLAG_FILE_TS_INSPECT;
match = DetectFileInspectHttp(tv, det_ctx, f, s, alstate, flags);
if (match == 1) {
match_flags |= DE_STATE_FLAG_FILE_MATCH;
match_flags |= DE_STATE_FLAG_FILE_TS_MATCH;
} else if (match == 2) {
match_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
} else if (match == 3) {
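Review bot: The toserver block in this hunk and the toclient block in the next one (-518) are now identical except for the TS/TC suffix on the inspect and match bits, and the same pair recurs in DeStateDetectContinueDetection at -789 and -844; four hand-kept copies is how one direction silently diverges, and the toclient copy already carries an `SCLogDebug("match %d", match);` line the toserver one lacks. A small static helper that takes the direction's inspect bit and match bit as parameters and returns the updated flags would reduce each site to one call. DeStateDetectStartDetection begins and ends outside the hunk.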
@ -518,12 +518,12 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
inspect_flags |= DE_STATE_FLAG_HRUD_INSPECT;
}
if (s->sm_lists[DETECT_SM_LIST_FILEMATCH] != NULL) {
inspect_flags |= DE_STATE_FLAG_FILE_INSPECT;
inspect_flags |= DE_STATE_FLAG_FILE_TC_INSPECT;
match = DetectFileInspectHttp(tv, det_ctx, f, s, alstate, flags);
SCLogDebug("match %d", match);
if (match == 1) {
match_flags |= DE_STATE_FLAG_FILE_MATCH;
match_flags |= DE_STATE_FLAG_FILE_TC_MATCH;
} else if (match == 2) {
match_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
} else if (match == 3) {
@ -670,9 +670,18 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
/* if we already fully matched previously, detect that here */
if (item->flags & DE_STATE_FLAG_FULL_MATCH) {
if (item->flags & DE_STATE_FLAG_FILE_INSPECT && f->de_state->flags & DE_STATE_FILE_NEW) {
if (flags & STREAM_TOSERVER &&
item->flags & DE_STATE_FLAG_FILE_TS_INSPECT &&
f->de_state->flags & DE_STATE_FILE_TS_NEW)
{
/* new file, fall through */
item->flags &= ~DE_STATE_FLAG_FILE_TS_INSPECT;
} else if (flags & STREAM_TOCLIENT &&
item->flags & DE_STATE_FLAG_FILE_TC_INSPECT &&
f->de_state->flags & DE_STATE_FILE_TC_NEW)
{
/* new file, fall through */
item->flags &= ~DE_STATE_FLAG_FILE_INSPECT;
item->flags &= ~DE_STATE_FLAG_FILE_TC_INSPECT;
} else {
det_ctx->de_state_sig_array[item->sid] = DE_STATE_MATCH_FULL;
SCLogDebug("full match state");
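Review bot: The `/* new file, fall through */` comments on the new TS and TC branches leave the key mechanism unstated: `item->flags &= ~DE_STATE_FLAG_FILE_TS_INSPECT;` also drops DE_STATE_FLAG_FILE_TS_MATCH, because the header hunk defines the INSPECT macro as an alias of the MATCH bit, and that cleared match bit is what makes the later `if (!(item->flags & DE_STATE_FLAG_FILE_TS_MATCH))` re-run the file inspection. Suggest `/* new toserver file: clearing FILE_TS_INSPECT also clears FILE_TS_MATCH (same bit), so the file part is re-inspected below */` and the TC counterpart, here and in the DE_STATE_FLAG_SIG_CANT_MATCH block of the next hunk. DE_STATE_FLAG_FULL_MATCH itself stays set on the item while it falls through; that mirrors the pre-change code, so presumably intended, but it deserves a word in the same comment. DeStateDetectContinueDetection starts and ends outside the hunk.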
@ -682,10 +691,22 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
/* if we know for sure we can't ever match, detect that here */
if (item->flags & DE_STATE_FLAG_SIG_CANT_MATCH) {
if (item->flags & DE_STATE_FLAG_FILE_INSPECT && f->de_state->flags & DE_STATE_FILE_NEW) {
if (flags & STREAM_TOSERVER &&
item->flags & DE_STATE_FLAG_FILE_TS_INSPECT &&
f->de_state->flags & DE_STATE_FILE_TS_NEW) {
/* new file, fall through */
item->flags &= ~DE_STATE_FLAG_FILE_INSPECT;
item->flags &= ~DE_STATE_FLAG_FILE_TS_INSPECT;
item->flags &= ~DE_STATE_FLAG_SIG_CANT_MATCH;
} else if (flags & STREAM_TOCLIENT &&
item->flags & DE_STATE_FLAG_FILE_TC_INSPECT &&
f->de_state->flags & DE_STATE_FILE_TC_NEW) {
/* new file, fall through */
item->flags &= ~DE_STATE_FLAG_FILE_TC_INSPECT;
item->flags &= ~DE_STATE_FLAG_SIG_CANT_MATCH;
} else {
det_ctx->de_state_sig_array[item->sid] = DE_STATE_MATCH_NOMATCH;
continue;
@ -789,12 +810,12 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
}
if (s->sm_lists[DETECT_SM_LIST_FILEMATCH] != NULL) {
if (!(item->flags & DE_STATE_FLAG_FILE_MATCH)) {
inspect_flags |= DE_STATE_FLAG_FILE_INSPECT;
if (!(item->flags & DE_STATE_FLAG_FILE_TS_MATCH)) {
inspect_flags |= DE_STATE_FLAG_FILE_TS_INSPECT;
match = DetectFileInspectHttp(tv, det_ctx, f, s, alstate, flags);
if (match == 1) {
match_flags |= DE_STATE_FLAG_FILE_MATCH;
match_flags |= DE_STATE_FLAG_FILE_TS_MATCH;
} else if (match == 2) {
match_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
} else if (match == 3) {
@ -844,12 +865,12 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
inspect_flags |= DE_STATE_FLAG_HRUD_INSPECT;
}
if (s->sm_lists[DETECT_SM_LIST_FILEMATCH] != NULL) {
if (!(item->flags & DE_STATE_FLAG_FILE_MATCH)) {
inspect_flags |= DE_STATE_FLAG_FILE_INSPECT;
if (!(item->flags & DE_STATE_FLAG_FILE_TC_MATCH)) {
inspect_flags |= DE_STATE_FLAG_FILE_TC_INSPECT;
match = DetectFileInspectHttp(tv, det_ctx, f, s, alstate, flags);
if (match == 1) {
match_flags |= DE_STATE_FLAG_FILE_MATCH;
match_flags |= DE_STATE_FLAG_FILE_TC_MATCH;
} else if (match == 2) {
match_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
} else if (match == 3) {
@ -968,7 +989,11 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
}
end:
f->de_state->flags &= ~DE_STATE_FILE_NEW;
if (flags & STREAM_TOCLIENT)
f->de_state->flags &= ~DE_STATE_FILE_TC_NEW;
else
f->de_state->flags &= ~DE_STATE_FILE_TS_NEW;
SCMutexUnlock(&f->de_state_m);
SCReturnInt(0);
}
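Review bot: The `else` on the new line `f->de_state->flags &= ~DE_STATE_FILE_TS_NEW;` clears the toserver flag for any call whose `flags` lack STREAM_TOCLIENT, including one carrying neither direction bit, and DeStateResetFileInspection in the next hunk sets the flags by the same rule. If every caller passes exactly one direction this is harmless, but the asymmetry is invisible at the call sites; `else if (flags & STREAM_TOCLIENT == 0 && flags & STREAM_TOSERVER)` is overkill, but `else if (flags & STREAM_TOSERVER)` in both places, leaving the no-direction case untouched, would make the contract explicit at no cost. DeStateDetectContinueDetection starts outside the hunk.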
@ -992,14 +1017,17 @@ int DeStateRestartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngin
SCReturnInt(0);
}
void DeStateResetFileInspection(Flow *f) {
void DeStateResetFileInspection(Flow *f, uint8_t direction) {
if (f == NULL) {
SCReturn;
}
SCMutexLock(&f->de_state_m);
if (f->de_state != NULL) {
f->de_state->flags |= DE_STATE_FILE_NEW;
if (direction & STREAM_TOCLIENT)
f->de_state->flags |= DE_STATE_FILE_TC_NEW;
else
f->de_state->flags |= DE_STATE_FILE_TS_NEW;
}
SCMutexUnlock(&f->de_state_m);
}
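Review bot: DeStateResetFileInspection gained a `direction` parameter but has no doc comment saying what the function does or which values `direction` accepts, and the header prototype in the -139 hunk drops the parameter name entirely. Suggest a Doxygen block above the definition stating that it marks the flow's detection state as having a new file in one direction so the file part of stored signatures is re-inspected, that `f` may be NULL (handled by the early SCReturn), and that STREAM_TOCLIENT selects DE_STATE_FILE_TC_NEW while any other value selects DE_STATE_FILE_TS_NEW. The prototype should read `void DeStateResetFileInspection(Flow *f, uint8_t direction);` so the meaning of the second argument is visible to callers.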

@ -60,23 +60,26 @@
#define DE_STATE_FLAG_HMD_MATCH 0x0040 /**< hmd payload inspection part matched */
#define DE_STATE_FLAG_HCD_MATCH 0x0080 /**< hcd payload inspection part matched */
#define DE_STATE_FLAG_HRUD_MATCH 0x0100 /**< hrud payload inspection part matched */
#define DE_STATE_FLAG_FILE_MATCH 0x0200
#define DE_STATE_FLAG_FULL_MATCH 0x0400 /**< sig already fully matched */
#define DE_STATE_FLAG_SIG_CANT_MATCH 0x0800 /**< signature has no chance of matching */
#define DE_STATE_FLAG_URI_INSPECT DE_STATE_FLAG_URI_MATCH /**< uri part of the sig inspected */
#define DE_STATE_FLAG_DCE_INSPECT DE_STATE_FLAG_DCE_MATCH /**< dce payload inspection part inspected */
#define DE_STATE_FLAG_HCBD_INSPECT DE_STATE_FLAG_HCBD_MATCH /**< hcbd payload inspection part inspected */
#define DE_STATE_FLAG_HHD_INSPECT DE_STATE_FLAG_HHD_MATCH /**< hhd payload inspection part inspected */
#define DE_STATE_FLAG_HRHD_INSPECT DE_STATE_FLAG_HRHD_MATCH /**< hrhd payload inspection part inspected */
#define DE_STATE_FLAG_HMD_INSPECT DE_STATE_FLAG_HMD_MATCH /**< hmd payload inspection part inspected */
#define DE_STATE_FLAG_HCD_INSPECT DE_STATE_FLAG_HCD_MATCH /**< hcd payload inspection part inspected */
#define DE_STATE_FLAG_HRUD_INSPECT DE_STATE_FLAG_HRUD_MATCH /**< hrud payload inspection part inspected */
#define DE_STATE_FLAG_FILE_INSPECT DE_STATE_FLAG_FILE_MATCH
#define DE_STATE_FLAG_FILE_TC_MATCH 0x0200
#define DE_STATE_FLAG_FILE_TS_MATCH 0x0400
#define DE_STATE_FLAG_FULL_MATCH 0x0800 /**< sig already fully matched */
#define DE_STATE_FLAG_SIG_CANT_MATCH 0x1000 /**< signature has no chance of matching */
#define DE_STATE_FLAG_URI_INSPECT DE_STATE_FLAG_URI_MATCH /**< uri part of the sig inspected */
#define DE_STATE_FLAG_DCE_INSPECT DE_STATE_FLAG_DCE_MATCH /**< dce payload inspection part inspected */
#define DE_STATE_FLAG_HCBD_INSPECT DE_STATE_FLAG_HCBD_MATCH /**< hcbd payload inspection part inspected */
#define DE_STATE_FLAG_HHD_INSPECT DE_STATE_FLAG_HHD_MATCH /**< hhd payload inspection part inspected */
#define DE_STATE_FLAG_HRHD_INSPECT DE_STATE_FLAG_HRHD_MATCH /**< hrhd payload inspection part inspected */
#define DE_STATE_FLAG_HMD_INSPECT DE_STATE_FLAG_HMD_MATCH /**< hmd payload inspection part inspected */
#define DE_STATE_FLAG_HCD_INSPECT DE_STATE_FLAG_HCD_MATCH /**< hcd payload inspection part inspected */
#define DE_STATE_FLAG_HRUD_INSPECT DE_STATE_FLAG_HRUD_MATCH /**< hrud payload inspection part inspected */
#define DE_STATE_FLAG_FILE_TC_INSPECT DE_STATE_FLAG_FILE_TC_MATCH
#define DE_STATE_FLAG_FILE_TS_INSPECT DE_STATE_FLAG_FILE_TS_MATCH
/* state flags */
#define DE_STATE_FILE_STORE_DISABLED 0x0001
#define DE_STATE_FILE_NEW 0x0002
#define DE_STATE_FILE_TC_NEW 0x0002
#define DE_STATE_FILE_TS_NEW 0x0004
/** per signature detection engine state */
typedef enum {
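Review bot: The new definitions are the only entries in this block without a `/**< */` description: DE_STATE_FLAG_FILE_TC_MATCH and DE_STATE_FLAG_FILE_TS_MATCH, their INSPECT aliases, and DE_STATE_FILE_TC_NEW / DE_STATE_FILE_TS_NEW. Suggest `#define DE_STATE_FLAG_FILE_TC_MATCH 0x0200 /**< file part matched, toclient */` and `#define DE_STATE_FLAG_FILE_TS_MATCH 0x0400 /**< file part matched, toserver */`, with the two NEW flags described as "a new file was opened in this direction; the file part of stored sigs must be re-inspected". The renumbering pushes DE_STATE_FLAG_SIG_CANT_MATCH to 0x1000, which only fits if the field that stores these flags is at least 16 bits wide; that declaration is outside the hunk, so it is worth a glance. The alias `DE_STATE_FLAG_FILE_TS_INSPECT DE_STATE_FLAG_FILE_TS_MATCH` means clearing one bit clears both, which the .c side relies on; a one-line comment on the alias pair would make that dependency explicit.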
@ -139,7 +142,7 @@ int DeStateDetectContinueDetection(ThreadVars *, DetectEngineCtx *,
const char *DeStateMatchResultToString(DeStateMatchResult);
int DeStateUpdateInspectTransactionId(Flow *, char);
void DeStateResetFileInspection(Flow *f);
void DeStateResetFileInspection(Flow *f, uint8_t);
#endif /* __DETECT_ENGINE_STATE_H__ */
