diff --git a/src/Makefile.am b/src/Makefile.am index 2805699fe5..23f6dbe41e 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -164,6 +164,7 @@ detect-filename.c detect-filename.h \ detect-fileext.c detect-fileext.h \ detect-filestore.c detect-filestore.h \ detect-filemagic.c detect-filemagic.h \ +detect-filemd5.c detect-filemd5.h \ detect-http-stat-code.c detect-http-stat-code.h \ detect-ssl-version.c detect-ssl-version.h \ detect-ssl-state.c detect-ssl-state.h \ diff --git a/src/detect-engine-file.c b/src/detect-engine-file.c index ee7f3572eb..cc2f427387 100644 --- a/src/detect-engine-file.c +++ b/src/detect-engine-file.c @@ -120,6 +120,12 @@ static int DetectFileInspect(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, break; } + if (s->file_flags & FILE_SIG_NEED_FILEMD5 && (!(file->flags & FILE_MD5))) { + SCLogDebug("sig needs file md5, but we don't have any"); + r = 0; + break; + } + /* run the file match functions. */ for (sm = s->sm_lists[DETECT_SM_LIST_FILEMATCH]; sm != NULL; sm = sm->next) { SCLogDebug("sm %p, sm->next %p", sm, sm->next); diff --git a/src/detect-filemd5.c b/src/detect-filemd5.c new file mode 100644 index 0000000000..2ad97943e3 --- /dev/null +++ b/src/detect-filemd5.c @@ -0,0 +1,361 @@ +/* Copyright (C) 2007-2012 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Victor Julien + * + */ + +#include "suricata-common.h" +#include "threads.h" +#include "debug.h" +#include "decode.h" + +#include "detect.h" +#include "detect-parse.h" + +#include "detect-engine.h" +#include "detect-engine-mpm.h" +#include "detect-engine-state.h" + +#include "flow.h" +#include "flow-var.h" +#include "flow-util.h" + +#include "util-debug.h" +#include "util-spm-bm.h" +#include "util-print.h" + +#include "util-unittest.h" +#include "util-unittest-helper.h" + +#include "app-layer.h" + +#include "stream-tcp.h" + +#include "detect-filemd5.h" + +#include "queue.h" +#include "util-rohash.h" + +int DetectFileMd5Match (ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t, void *, Signature *, SigMatch *); +static int DetectFileMd5Setup (DetectEngineCtx *, Signature *, char *); +void DetectFileMd5RegisterTests(void); +void DetectFileMd5Free(void *); + +/** + * \brief Registration function for keyword: filemd5 + */ +void DetectFileMd5Register(void) { + sigmatch_table[DETECT_FILEMD5].name = "filemd5"; + sigmatch_table[DETECT_FILEMD5].Match = NULL; + sigmatch_table[DETECT_FILEMD5].AppLayerMatch = DetectFileMd5Match; + sigmatch_table[DETECT_FILEMD5].alproto = ALPROTO_HTTP; + sigmatch_table[DETECT_FILEMD5].Setup = DetectFileMd5Setup; + sigmatch_table[DETECT_FILEMD5].Free = DetectFileMd5Free; + sigmatch_table[DETECT_FILEMD5].RegisterTests = DetectFileMd5RegisterTests; + + SCLogDebug("registering filemd5 rule option"); + return; +} + +static int Md5ReadString(uint8_t *md5, char *str) { + if (strlen(str) != 32) { + SCLogError(SC_ERR_INVALID_MD5, "md5 string not 32 bytes"); + return -1; + } + + int i, x; + for (x = 0, i = 0; i < 32; i+=2, x++) { + char buf[3] = { 0, 0, 0}; + buf[0] = str[i]; + buf[1] = str[i+1]; + + long value = strtol(buf, NULL, 16); + if (value >= 0 && value <= 255) + md5[x] = (uint8_t)value; + else { + SCLogError(SC_ERR_INVALID_MD5, "md5 byte out of range %ld", value); + return -1; + } + } + + return 1; +} + +static int MD5LoadHash(ROHashTable *hash, char *string) { + uint8_t md5[16]; + + if (Md5ReadString(md5, string) == 1) { + if (ROHashInitQueueValue(hash, &md5, (uint16_t)sizeof(md5)) != 1) + return -1; + } + + return 1; +} + +static int MD5MatchLookupBuffer(ROHashTable *hash, uint8_t *buf, size_t buflen) { + void *ptr = ROHashLookup(hash, buf, (uint16_t)buflen); + if (ptr == NULL) + return 0; + else + return 1; +} + +static int MD5MatchLookupString(ROHashTable *hash, char *string) { + uint8_t md5[16]; + if (Md5ReadString(md5, string) == 1) { + void *ptr = ROHashLookup(hash, &md5, (uint16_t)sizeof(md5)); + if (ptr == NULL) + return 0; + else + return 1; + } + return 0; +} + +/** + * \brief match the specified filemd5 + * + * \param t pointer to thread vars + * \param det_ctx pointer to the pattern matcher thread + * \param p pointer to the current packet + * \param m pointer to the sigmatch that we will cast into DetectFileMd5Data + * + * \retval 0 no match + * \retval 1 match + */ +int DetectFileMd5Match (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m) +{ + SCEnter(); + int ret = 0; + DetectFileMd5Data *filemd5 = (DetectFileMd5Data *)m->ctx; + + File *file = (File *)state; + + if (file->txid < det_ctx->tx_id) { + SCReturnInt(0); + } + + if (file->txid > det_ctx->tx_id) { + SCReturnInt(0); + } + + if (file->state != FILE_STATE_CLOSED) { + SCReturnInt(0); + } + + if (file->flags & FILE_MD5) { + if (MD5MatchLookupBuffer(filemd5->hash, file->md5, sizeof(file->md5)) == 1) { + ret = 1; + } + } + + SCReturnInt(ret); +} + +/** + * \brief Parse the filemd5 keyword + * + * \param idstr Pointer to the user provided option + * + * \retval filemd5 pointer to DetectFileMd5Data on success + * \retval NULL on failure + */ +DetectFileMd5Data *DetectFileMd5Parse (char *str) +{ + DetectFileMd5Data *filemd5 = NULL; + + /* We have a correct filemd5 option */ + filemd5 = SCMalloc(sizeof(DetectFileMd5Data)); + if (filemd5 == NULL) + goto error; + + memset(filemd5, 0x00, sizeof(DetectFileMd5Data)); + + filemd5->hash = ROHashInit(18, 16); + if (filemd5->hash == NULL) { + goto error; + } + + /* get full filename */ + char *filename = DetectLoadCompleteSigPath(str); + if (filename == NULL) { + goto error; + } + + char line[8192] = ""; + FILE *fp = fopen(filename, "r"); + if (fp == NULL) { + SCLogError(SC_ERR_OPENING_RULE_FILE, "opening md5 file %s: %s", filename, strerror(errno)); + return NULL; + } + + while(fgets(line, (int)sizeof(line), fp) != NULL) { + size_t len = strlen(line); + + /* ignore comments and empty lines */ + if (line[0] == '\n' || line [0] == '\r' || line[0] == ' ' || line[0] == '#' || line[0] == '\t') + continue; + + while (isspace(line[--len])); + + /* Check if we have a trailing newline, and remove it */ + len = strlen(line); + if (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r')) { + line[len - 1] = '\0'; + } + + /* cut off longer lines */ + if (strlen(line) > 32) + line[32] = 0x00; + + if (MD5LoadHash(filemd5->hash, line) != 1) { + goto error; + } + } + fclose(fp); + fp = NULL; + + if (ROHashInitFinalize(filemd5->hash) != 1) { + goto error; + } + SCLogInfo("MD5 hash size %u bytes", ROHashMemorySize(filemd5->hash)); + + return filemd5; + +error: + if (filemd5 != NULL) + DetectFileMd5Free(filemd5); + return NULL; +} + +/** + * \brief this function is used to parse filemd5 options + * \brief into the current signature + * + * \param de_ctx pointer to the Detection Engine Context + * \param s pointer to the Current Signature + * \param str pointer to the user provided "filemd5" option + * + * \retval 0 on Success + * \retval -1 on Failure + */ +static int DetectFileMd5Setup (DetectEngineCtx *de_ctx, Signature *s, char *str) +{ + DetectFileMd5Data *filemd5 = NULL; + SigMatch *sm = NULL; + + filemd5 = DetectFileMd5Parse(str); + if (filemd5 == NULL) + goto error; + + /* Okay so far so good, lets get this into a SigMatch + * and put it in the Signature. */ + sm = SigMatchAlloc(); + if (sm == NULL) + goto error; + + sm->type = DETECT_FILEMD5; + sm->ctx = (void *)filemd5; + + SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_FILEMATCH); + + if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords."); + goto error; + } + + AppLayerHtpNeedFileInspection(); + + /** \todo remove this once we support more than http */ + s->alproto = ALPROTO_HTTP; + + s->file_flags |= (FILE_SIG_NEED_FILE|FILE_SIG_NEED_FILEMD5); + return 0; + +error: + if (filemd5 != NULL) + DetectFileMd5Free(filemd5); + if (sm != NULL) + SCFree(sm); + return -1; +} + +/** + * \brief this function will free memory associated with DetectFileMd5Data + * + * \param filemd5 pointer to DetectFileMd5Data + */ +void DetectFileMd5Free(void *ptr) { + if (ptr != NULL) { + DetectFileMd5Data *filemd5 = (DetectFileMd5Data *)ptr; + SCFree(filemd5); + } +} + +#ifdef UNITTESTS +static int MD5MatchTest01(void) { + ROHashTable *hash = ROHashInit(4, 16); + if (hash == NULL) { + return 0; + } + if (MD5LoadHash(hash, "d80f93a93dc5f3ee945704754d6e0a36") != 1) + return 0; + if (MD5LoadHash(hash, "92a49985b384f0d993a36e4c2d45e206") != 1) + return 0; + if (MD5LoadHash(hash, "11adeaacc8c309815f7bc3e33888f281") != 1) + return 0; + if (MD5LoadHash(hash, "22e10a8fe02344ade0bea8836a1714af") != 1) + return 0; + if (MD5LoadHash(hash, "c3db2cbf02c68f073afcaee5634677bc") != 1) + return 0; + if (MD5LoadHash(hash, "7ed095da259638f42402fb9e74287a17") != 1) + return 0; + + if (ROHashInitFinalize(hash) != 1) { + return 0; + } + + if (MD5MatchLookupString(hash, "d80f93a93dc5f3ee945704754d6e0a36") != 1) + return 0; + if (MD5MatchLookupString(hash, "92a49985b384f0d993a36e4c2d45e206") != 1) + return 0; + if (MD5MatchLookupString(hash, "11adeaacc8c309815f7bc3e33888f281") != 1) + return 0; + if (MD5MatchLookupString(hash, "22e10a8fe02344ade0bea8836a1714af") != 1) + return 0; + if (MD5MatchLookupString(hash, "c3db2cbf02c68f073afcaee5634677bc") != 1) + return 0; + if (MD5MatchLookupString(hash, "7ed095da259638f42402fb9e74287a17") != 1) + return 0; + /* shouldnt match */ + if (MD5MatchLookupString(hash, "33333333333333333333333333333333") == 1) + return 0; + + ROHashFree(hash); + return 1; +} +#endif + +void DetectFileMd5RegisterTests(void) { +#ifdef UNITTESTS + UtRegisterTest("MD5MatchTest01", MD5MatchTest01, 1); +#endif +} diff --git a/src/detect-filemd5.h b/src/detect-filemd5.h new file mode 100644 index 0000000000..3b69565bec --- /dev/null +++ b/src/detect-filemd5.h @@ -0,0 +1,36 @@ +/* Copyright (C) 2007-2012 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Victor Julien + */ + +#ifndef __DETECT_FILEMD5_H__ +#define __DETECT_FILEMD5_H__ + +#include "util-rohash.h" + +typedef struct DetectFileMd5Data { + ROHashTable *hash; +} DetectFileMd5Data; + +/* prototypes */ +void DetectFileMd5cRegister (void); + +#endif /* __DETECT_FILEMD5_H__ */ diff --git a/src/detect.c b/src/detect.c index 4a634fc7fd..cfb0310624 100644 --- a/src/detect.c +++ b/src/detect.c @@ -4529,6 +4529,7 @@ void SigTableSetup(void) { DetectFileextRegister(); DetectFilestoreRegister(); DetectFilemagicRegister(); + DetectFileMd5Register(); DetectAppLayerEventRegister(); uint8_t i = 0; diff --git a/src/detect.h b/src/detect.h index ed5b084e1a..5982774c23 100644 --- a/src/detect.h +++ b/src/detect.h @@ -289,6 +289,7 @@ typedef struct DetectPort_ { #define FILE_SIG_NEED_TYPE 0x04 #define FILE_SIG_NEED_MAGIC 0x08 /**< need the start of the file */ #define FILE_SIG_NEED_FILECONTENT 0x10 +#define FILE_SIG_NEED_FILEMD5 0x20 /* Detection Engine flags */ #define DE_QUIET 0x01 /**< DE is quiet (esp for unittests) */ @@ -1018,6 +1019,7 @@ enum { DETECT_FILEEXT, DETECT_FILESTORE, DETECT_FILEMAGIC, + DETECT_FILEMD5, /* make sure this stays last */ DETECT_TBLSIZE, @@ -1040,6 +1042,7 @@ int SigGroupBuild(DetectEngineCtx *); int SigGroupCleanup (DetectEngineCtx *de_ctx); void SigAddressPrepareBidirectionals (DetectEngineCtx *); +char *DetectLoadCompleteSigPath(char *sig_file); int SigLoadSignatures (DetectEngineCtx *, char *, int); void SigTableList(void); void SigTableSetup(void); diff --git a/src/util-error.c b/src/util-error.c index 9ef6a1a65c..3bda5d08ad 100644 --- a/src/util-error.c +++ b/src/util-error.c @@ -228,6 +228,7 @@ const char * SCErrorToString(SCError err) CASE_CODE (SC_ERR_FLOW_INIT); CASE_CODE (SC_ERR_HOST_INIT); CASE_CODE (SC_ERR_MEM_BUFFER_API); + CASE_CODE (SC_ERR_INVALID_MD5); default: return "UNKNOWN_ERROR"; diff --git a/src/util-error.h b/src/util-error.h index 6774f86289..e16f58107a 100644 --- a/src/util-error.h +++ b/src/util-error.h @@ -242,6 +242,7 @@ typedef enum { SC_ERR_FLOW_INIT, SC_ERR_HOST_INIT, SC_ERR_MEM_BUFFER_API, + SC_ERR_INVALID_MD5, } SCError; const char *SCErrorToString(SCError); diff --git a/src/util-rohash.c b/src/util-rohash.c index 706971bd88..008b597b4c 100644 --- a/src/util-rohash.c +++ b/src/util-rohash.c @@ -98,6 +98,11 @@ void ROHashFree(ROHashTable *table) { } } +uint32_t ROHashMemorySize(ROHashTable *table) { + return (uint32_t)(hashsize(table->hash_bits) * sizeof(ROHashTableOffsets) + + table->items * table->item_size + sizeof(ROHashTable)); +} + /** * \retval NULL not found * \retval ptr found diff --git a/src/util-rohash.h b/src/util-rohash.h index 5351b38922..720eace5f6 100644 --- a/src/util-rohash.h +++ b/src/util-rohash.h @@ -24,6 +24,8 @@ #ifndef __UTIL_ROHASH_H__ #define __UTIL_ROHASH_H__ +#include "queue.h" + typedef struct ROHashTable_ { uint8_t locked; uint8_t hash_bits; @@ -38,6 +40,7 @@ ROHashTable *ROHashInit(uint8_t hash_bits, uint16_t item_size); int ROHashInitFinalize(ROHashTable *table); void ROHashFree(ROHashTable *table); int ROHashInitQueueValue(ROHashTable *table, void *value, uint16_t size); +uint32_t ROHashMemorySize(ROHashTable *table); /* run time */ void *ROHashLookup(ROHashTable *table, void *data, uint16_t size);