diff --git a/src/app-layer-htp-file.c b/src/app-layer-htp-file.c
index b8a5646e63..bb16dd09c3 100644
--- a/src/app-layer-htp-file.c
+++ b/src/app-layer-htp-file.c
@@ -96,14 +96,6 @@ int HTPFileOpen(HtpState *s, uint8_t *filename, uint16_t filename_len,
 }
 }
- /* if the previous file is in the same txid, we
- * reset the file part of the stateful detection
- * engine. */
- if (s->files_tc && s->files_tc->tail && s->files_tc->tail->txid == txid) {
- SCLogDebug("new file in same tx, resetting de_state");
- DeStateResetFileInspection(s->f);
- }
-
 files = s->files_tc;
 } else {
 if (s->files_ts == NULL) {
@@ -114,17 +106,17 @@ int HTPFileOpen(HtpState *s, uint8_t *filename, uint16_t filename_len,
 }
 }
- /* if the previous file is in the same txid, we
- * reset the file part of the stateful detection
- * engine. */
- if (s->files_ts && s->files_ts->tail && s->files_ts->tail->txid == txid) {
- SCLogDebug("new file in same tx, resetting de_state");
- DeStateResetFileInspection(s->f);
- }
-
 files = s->files_ts;
 }
+ /* if the previous file is in the same txid, we
+ * reset the file part of the stateful detection
+ * engine. */
+ if (files != NULL && files->tail != NULL && files->tail->txid == txid) {
+ SCLogDebug("new file in same tx, resetting de_state");
+ DeStateResetFileInspection(s->f, direction);
+ }
+
 if (s->f->flags & FLOW_FILE_NO_STORE) {
 flags |= FILE_NOSTORE;
 }
diff --git a/src/detect-engine-state.c b/src/detect-engine-state.c
index b9b04a9d13..322c79e632 100644
--- a/src/detect-engine-state.c
+++ b/src/detect-engine-state.c
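Review bot: The consolidated reset now relies on `direction` carrying a STREAM_TOCLIENT bit for the to-client case, because DeStateResetFileInspection maps every other value to the to-server flag, and the hunk header cuts HTPFileOpen's parameter list before that argument, so its encoding cannot be confirmed here. If `direction` is the same value that selected `s->files_tc` versus `s->files_ts` above, the two dispatches agree, but that coupling is silent; a one-line comment at the call would pin it: `/* direction must be the STREAM_TO* value that selected files above */`. The added `files != NULL` guard is harmless but, if both branches either allocate their list or return before this point, it can never be false. HTPFileOpen starts and ends outside the hunk.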
@@ -465,11 +465,11 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
 SCLogDebug("inspecting http raw uri");
 }
 if (s->sm_lists[DETECT_SM_LIST_FILEMATCH] != NULL) {
- inspect_flags |= DE_STATE_FLAG_FILE_INSPECT;
+ inspect_flags |= DE_STATE_FLAG_FILE_TS_INSPECT;
 match = DetectFileInspectHttp(tv, det_ctx, f, s, alstate, flags);
 if (match == 1) {
- match_flags |= DE_STATE_FLAG_FILE_MATCH;
+ match_flags |= DE_STATE_FLAG_FILE_TS_MATCH;
 } else if (match == 2) {
 match_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
 } else if (match == 3) {
@@ -518,12 +518,12 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
 inspect_flags |= DE_STATE_FLAG_HRUD_INSPECT;
 }
 if (s->sm_lists[DETECT_SM_LIST_FILEMATCH] != NULL) {
- inspect_flags |= DE_STATE_FLAG_FILE_INSPECT;
+ inspect_flags |= DE_STATE_FLAG_FILE_TC_INSPECT;
 match = DetectFileInspectHttp(tv, det_ctx, f, s, alstate, flags);
 SCLogDebug("match %d", match);
 if (match == 1) {
- match_flags |= DE_STATE_FLAG_FILE_MATCH;
+ match_flags |= DE_STATE_FLAG_FILE_TC_MATCH;
 } else if (match == 2) {
 match_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
 } else if (match == 3) {
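Review bot: Neither hunk shows the `flags & STREAM_TOSERVER` / `STREAM_TOCLIENT` test that must enclose the sites at 465 and 518, yet the new code hard-codes the TS bits at the first and the TC bits at the second; if either block is ever reached for the opposite direction, the item carries the wrong FILE_*_INSPECT bit and the DE_STATE_FILE_*_NEW re-inspection in DeStateDetectContinueDetection will not fire for it. Since that pairing is now load-bearing, a one-line comment at each site would make it visible, e.g. `/* to-server branch: pairs with DE_STATE_FILE_TS_NEW in DeStateDetectContinueDetection */` at 465 and the to-client counterpart at 518. The same applies to the two matching hunks in DeStateDetectContinueDetection (old lines 789 and 844). DeStateDetectStartDetection starts and ends outside both hunks.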
@@ -670,9 +670,18 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
 /* if we already fully matched previously, detect that here */
 if (item->flags & DE_STATE_FLAG_FULL_MATCH) {
- if (item->flags & DE_STATE_FLAG_FILE_INSPECT && f->de_state->flags & DE_STATE_FILE_NEW) {
+ if (flags & STREAM_TOSERVER &&
+ item->flags & DE_STATE_FLAG_FILE_TS_INSPECT &&
+ f->de_state->flags & DE_STATE_FILE_TS_NEW)
+ {
+ /* new file, fall through */
+ item->flags &= ~DE_STATE_FLAG_FILE_TS_INSPECT;
+ } else if (flags & STREAM_TOCLIENT &&
+ item->flags & DE_STATE_FLAG_FILE_TC_INSPECT &&
+ f->de_state->flags & DE_STATE_FILE_TC_NEW)
+ {
 /* new file, fall through */
- item->flags &= ~DE_STATE_FLAG_FILE_INSPECT;
+ item->flags &= ~DE_STATE_FLAG_FILE_TC_INSPECT;
 } else {
 det_ctx->de_state_sig_array[item->sid] = DE_STATE_MATCH_FULL;
 SCLogDebug("full match state");
@@ -682,10 +691,22 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
 /* if we know for sure we can't ever match, detect that here */
 if (item->flags & DE_STATE_FLAG_SIG_CANT_MATCH) {
- if (item->flags & DE_STATE_FLAG_FILE_INSPECT && f->de_state->flags & DE_STATE_FILE_NEW) {
+ if (flags & STREAM_TOSERVER &&
+ item->flags & DE_STATE_FLAG_FILE_TS_INSPECT &&
+ f->de_state->flags & DE_STATE_FILE_TS_NEW) {
+
 /* new file, fall through */
- item->flags &= ~DE_STATE_FLAG_FILE_INSPECT;
+ item->flags &= ~DE_STATE_FLAG_FILE_TS_INSPECT;
 item->flags &= ~DE_STATE_FLAG_SIG_CANT_MATCH;
+
+ } else if (flags & STREAM_TOCLIENT &&
+ item->flags & DE_STATE_FLAG_FILE_TC_INSPECT &&
+ f->de_state->flags & DE_STATE_FILE_TC_NEW) {
+
+ /* new file, fall through */
+ item->flags &= ~DE_STATE_FLAG_FILE_TC_INSPECT;
+ item->flags &= ~DE_STATE_FLAG_SIG_CANT_MATCH;
+
 } else {
 det_ctx->de_state_sig_array[item->sid] = DE_STATE_MATCH_NOMATCH;
 continue;
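Review bot: The new conditions in both hunks mix `&` and `&&` with no parentheses (`flags & STREAM_TOSERVER && item->flags & DE_STATE_FLAG_FILE_TS_INSPECT && f->de_state->flags & DE_STATE_FILE_TS_NEW`); C precedence makes them correct, but this is the shape readers misparse first and that compiler parentheses warnings target, so wrap each bit test: `if ((flags & STREAM_TOSERVER) && (item->flags & DE_STATE_FLAG_FILE_TS_INSPECT) && (f->de_state->flags & DE_STATE_FILE_TS_NEW)) {` and likewise for the three sibling conditions. The two hunks also brace the same multi-line condition differently, `{` on its own line at 670 and on the condition line with blank padding at 691; pick one form for both. DeStateDetectContinueDetection starts and ends outside both hunks.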
@@ -789,12 +810,12 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
 }
 if (s->sm_lists[DETECT_SM_LIST_FILEMATCH] != NULL) {
- if (!(item->flags & DE_STATE_FLAG_FILE_MATCH)) {
- inspect_flags |= DE_STATE_FLAG_FILE_INSPECT;
+ if (!(item->flags & DE_STATE_FLAG_FILE_TS_MATCH)) {
+ inspect_flags |= DE_STATE_FLAG_FILE_TS_INSPECT;
 match = DetectFileInspectHttp(tv, det_ctx, f, s, alstate, flags);
 if (match == 1) {
- match_flags |= DE_STATE_FLAG_FILE_MATCH;
+ match_flags |= DE_STATE_FLAG_FILE_TS_MATCH;
 } else if (match == 2) {
 match_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
 } else if (match == 3) {
@@ -844,12 +865,12 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
 inspect_flags |= DE_STATE_FLAG_HRUD_INSPECT;
 }
 if (s->sm_lists[DETECT_SM_LIST_FILEMATCH] != NULL) {
- if (!(item->flags & DE_STATE_FLAG_FILE_MATCH)) {
- inspect_flags |= DE_STATE_FLAG_FILE_INSPECT;
+ if (!(item->flags & DE_STATE_FLAG_FILE_TC_MATCH)) {
+ inspect_flags |= DE_STATE_FLAG_FILE_TC_INSPECT;
 match = DetectFileInspectHttp(tv, det_ctx, f, s, alstate, flags);
 if (match == 1) {
- match_flags |= DE_STATE_FLAG_FILE_MATCH;
+ match_flags |= DE_STATE_FLAG_FILE_TC_MATCH;
 } else if (match == 2) {
 match_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
 } else if (match == 3) {
@@ -968,7 +989,11 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
 }
 end:
- f->de_state->flags &= ~DE_STATE_FILE_NEW;
+ if (flags & STREAM_TOCLIENT)
+ f->de_state->flags &= ~DE_STATE_FILE_TC_NEW;
+ else
+ f->de_state->flags &= ~DE_STATE_FILE_TS_NEW;
+
 SCMutexUnlock(&f->de_state_m);
 SCReturnInt(0);
 }
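Review bot: The `end:` epilogue in the 968 hunk dereferences `f->de_state` on both new branches, so if any `goto end` earlier in DeStateDetectContinueDetection can be taken while `f->de_state` is NULL (the prologue is outside this hunk, so I cannot confirm whether such a path exists) the clear faults while holding `de_state_m`; the pre-change line had the same exposure, but this hunk doubles the dereference sites and is the natural place to add the guard. A braced form covers both: `if (f->de_state != NULL) { f->de_state->flags &= ~((flags & STREAM_TOCLIENT) ? DE_STATE_FILE_TC_NEW : DE_STATE_FILE_TS_NEW); }`. Even without the guard, the bare `if`/`else` should be braced like every other conditional visible in this function. The function starts outside the hunk.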
@@ -992,14 +1017,17 @@ int DeStateRestartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngin
 SCReturnInt(0);
 }
-void DeStateResetFileInspection(Flow *f) {
+void DeStateResetFileInspection(Flow *f, uint8_t direction) {
 if (f == NULL) {
 SCReturn;
 }
 SCMutexLock(&f->de_state_m);
 if (f->de_state != NULL) {
- f->de_state->flags |= DE_STATE_FILE_NEW;
+ if (direction & STREAM_TOCLIENT)
+ f->de_state->flags |= DE_STATE_FILE_TC_NEW;
+ else
+ f->de_state->flags |= DE_STATE_FILE_TS_NEW;
 }
 SCMutexUnlock(&f->de_state_m);
 }
diff --git a/src/detect-engine-state.h b/src/detect-engine-state.h
index dfab9d19b7..71dd3c680f 100644
--- a/src/detect-engine-state.h
+++ b/src/detect-engine-state.h
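Review bot: The direction test treats every value without STREAM_TOCLIENT as to-server, so a caller passing 0 or some other direction encoding silently flags the to-server side, and nothing at the definition states that contract. Add a short doxygen header above the function saying that `direction` is expected to be STREAM_TOSERVER or STREAM_TOCLIENT and that any other value is treated as to-server, and brace the two single-statement branches: `if (direction & STREAM_TOCLIENT) { f->de_state->flags |= DE_STATE_FILE_TC_NEW; } else { f->de_state->flags |= DE_STATE_FILE_TS_NEW; }`. DeStateResetFileInspection is fully contained in the hunk.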
@@ -60,23 +60,26 @@
 #define DE_STATE_FLAG_HMD_MATCH 0x0040 /**< hmd payload inspection part matched */
 #define DE_STATE_FLAG_HCD_MATCH 0x0080 /**< hcd payload inspection part matched */
 #define DE_STATE_FLAG_HRUD_MATCH 0x0100 /**< hrud payload inspection part matched */
-#define DE_STATE_FLAG_FILE_MATCH 0x0200
-#define DE_STATE_FLAG_FULL_MATCH 0x0400 /**< sig already fully matched */
-#define DE_STATE_FLAG_SIG_CANT_MATCH 0x0800 /**< signature has no chance of matching */
-
-#define DE_STATE_FLAG_URI_INSPECT DE_STATE_FLAG_URI_MATCH /**< uri part of the sig inspected */
-#define DE_STATE_FLAG_DCE_INSPECT DE_STATE_FLAG_DCE_MATCH /**< dce payload inspection part inspected */
-#define DE_STATE_FLAG_HCBD_INSPECT DE_STATE_FLAG_HCBD_MATCH /**< hcbd payload inspection part inspected */
-#define DE_STATE_FLAG_HHD_INSPECT DE_STATE_FLAG_HHD_MATCH /**< hhd payload inspection part inspected */
-#define DE_STATE_FLAG_HRHD_INSPECT DE_STATE_FLAG_HRHD_MATCH /**< hrhd payload inspection part inspected */
-#define DE_STATE_FLAG_HMD_INSPECT DE_STATE_FLAG_HMD_MATCH /**< hmd payload inspection part inspected */
-#define DE_STATE_FLAG_HCD_INSPECT DE_STATE_FLAG_HCD_MATCH /**< hcd payload inspection part inspected */
-#define DE_STATE_FLAG_HRUD_INSPECT DE_STATE_FLAG_HRUD_MATCH /**< hrud payload inspection part inspected */
-#define DE_STATE_FLAG_FILE_INSPECT DE_STATE_FLAG_FILE_MATCH
+#define DE_STATE_FLAG_FILE_TC_MATCH 0x0200
+#define DE_STATE_FLAG_FILE_TS_MATCH 0x0400
+#define DE_STATE_FLAG_FULL_MATCH 0x0800 /**< sig already fully matched */
+#define DE_STATE_FLAG_SIG_CANT_MATCH 0x1000 /**< signature has no chance of matching */
+
+#define DE_STATE_FLAG_URI_INSPECT DE_STATE_FLAG_URI_MATCH /**< uri part of the sig inspected */
+#define DE_STATE_FLAG_DCE_INSPECT DE_STATE_FLAG_DCE_MATCH /**< dce payload inspection part inspected */
+#define DE_STATE_FLAG_HCBD_INSPECT DE_STATE_FLAG_HCBD_MATCH /**< hcbd payload inspection part inspected */
+#define DE_STATE_FLAG_HHD_INSPECT DE_STATE_FLAG_HHD_MATCH /**< hhd payload inspection part inspected */
+#define DE_STATE_FLAG_HRHD_INSPECT DE_STATE_FLAG_HRHD_MATCH /**< hrhd payload inspection part inspected */
+#define DE_STATE_FLAG_HMD_INSPECT DE_STATE_FLAG_HMD_MATCH /**< hmd payload inspection part inspected */
+#define DE_STATE_FLAG_HCD_INSPECT DE_STATE_FLAG_HCD_MATCH /**< hcd payload inspection part inspected */
+#define DE_STATE_FLAG_HRUD_INSPECT DE_STATE_FLAG_HRUD_MATCH /**< hrud payload inspection part inspected */
+#define DE_STATE_FLAG_FILE_TC_INSPECT DE_STATE_FLAG_FILE_TC_MATCH
+#define DE_STATE_FLAG_FILE_TS_INSPECT DE_STATE_FLAG_FILE_TS_MATCH
 /* state flags */
 #define DE_STATE_FILE_STORE_DISABLED 0x0001
-#define DE_STATE_FILE_NEW 0x0002
+#define DE_STATE_FILE_TC_NEW 0x0002
+#define DE_STATE_FILE_TS_NEW 0x0004
 /** per signature detection engine state */
 typedef enum {
@@ -139,7 +142,7 @@ int DeStateDetectContinueDetection(ThreadVars *, DetectEngineCtx *,
 const char *DeStateMatchResultToString(DeStateMatchResult);
 int DeStateUpdateInspectTransactionId(Flow *, char);
-void DeStateResetFileInspection(Flow *f);
+void DeStateResetFileInspection(Flow *f, uint8_t);
 #endif /* __DETECT_ENGINE_STATE_H__ */
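Review bot: `DE_STATE_FLAG_FILE_TC_MATCH`, `DE_STATE_FLAG_FILE_TS_MATCH`, the two FILE_*_INSPECT aliases and `DE_STATE_FILE_TC_NEW`/`DE_STATE_FILE_TS_NEW` are the only entries in these tables without the `/**< ... */` trailer every neighbour carries, and they are the ones a reader now most needs explained, e.g. `#define DE_STATE_FLAG_FILE_TC_MATCH 0x0200 /**< to-client file inspection part matched */` and `#define DE_STATE_FILE_TC_NEW 0x0002 /**< new to-client file, re-run file inspection */`. Renumbering `DE_STATE_FLAG_FULL_MATCH` to 0x0800 and `DE_STATE_FLAG_SIG_CANT_MATCH` to 0x1000 changes their encoding, which only matters if these bits are ever logged or persisted, and it pushes the table past twelve bits, so the field that stores them should be confirmed to be at least 16 bits wide; neither fact is visible in this hunk.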
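Review bot: The new prototype keeps the name of the first parameter but drops the second, `void DeStateResetFileInspection(Flow *f, uint8_t);`, and a bare `uint8_t` gives callers no hint that a STREAM_TOSERVER/STREAM_TOCLIENT value is expected. The surrounding declarations already mix named and unnamed parameters, but for a direction flag the name is the documentation, so keep it: `void DeStateResetFileInspection(Flow *f, uint8_t direction);`.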