Add filemd5 keyword that loads a list of md5's to match a file's md5 against.

src/Makefile.am

@@ -164,6 +164,7 @@ detect-filename.c detect-filename.h \
 detect-fileext.c detect-fileext.h \
 detect-filestore.c detect-filestore.h \
 detect-filemagic.c detect-filemagic.h \
+detect-filemd5.c detect-filemd5.h \
 detect-http-stat-code.c detect-http-stat-code.h \
 detect-ssl-version.c detect-ssl-version.h \
 detect-ssl-state.c detect-ssl-state.h \

src/detect-engine-file.c

@@ -120,6 +120,12 @@ static int DetectFileInspect(ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
                 break;
             }
 
+            if (s->file_flags & FILE_SIG_NEED_FILEMD5 && (!(file->flags & FILE_MD5))) {
+                SCLogDebug("sig needs file md5, but we don't have any");
+                r = 0;
+                break;
+            }
+
             /* run the file match functions. */
             for (sm = s->sm_lists[DETECT_SM_LIST_FILEMATCH]; sm != NULL; sm = sm->next) {
                 SCLogDebug("sm %p, sm->next %p", sm, sm->next);

src/detect-filemd5.c

@@ -0,0 +1,361 @@
+/* Copyright (C) 2007-2012 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Victor Julien <victor@inliniac.net>
+ *
+ */
+
+#include "suricata-common.h"
+#include "threads.h"
+#include "debug.h"
+#include "decode.h"
+
+#include "detect.h"
+#include "detect-parse.h"
+
+#include "detect-engine.h"
+#include "detect-engine-mpm.h"
+#include "detect-engine-state.h"
+
+#include "flow.h"
+#include "flow-var.h"
+#include "flow-util.h"
+
+#include "util-debug.h"
+#include "util-spm-bm.h"
+#include "util-print.h"
+
+#include "util-unittest.h"
+#include "util-unittest-helper.h"
+
+#include "app-layer.h"
+
+#include "stream-tcp.h"
+
+#include "detect-filemd5.h"
+
+#include "queue.h"
+#include "util-rohash.h"
+
+int DetectFileMd5Match (ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t, void *, Signature *, SigMatch *);
+static int DetectFileMd5Setup (DetectEngineCtx *, Signature *, char *);
+void DetectFileMd5RegisterTests(void);
+void DetectFileMd5Free(void *);
+
+/**
+ * \brief Registration function for keyword: filemd5
+ */
+void DetectFileMd5Register(void) {
+    sigmatch_table[DETECT_FILEMD5].name = "filemd5";
+    sigmatch_table[DETECT_FILEMD5].Match = NULL;
+    sigmatch_table[DETECT_FILEMD5].AppLayerMatch = DetectFileMd5Match;
+    sigmatch_table[DETECT_FILEMD5].alproto = ALPROTO_HTTP;
+    sigmatch_table[DETECT_FILEMD5].Setup = DetectFileMd5Setup;
+    sigmatch_table[DETECT_FILEMD5].Free  = DetectFileMd5Free;
+    sigmatch_table[DETECT_FILEMD5].RegisterTests = DetectFileMd5RegisterTests;
+
+	SCLogDebug("registering filemd5 rule option");
+    return;
+}
+
+static int Md5ReadString(uint8_t *md5, char *str) {
+    if (strlen(str) != 32) {
+        SCLogError(SC_ERR_INVALID_MD5, "md5 string not 32 bytes");
+        return -1;
+    }
+
+    int i, x;
+    for (x = 0, i = 0; i < 32; i+=2, x++) {
+        char buf[3] = { 0, 0, 0};
+        buf[0] = str[i];
+        buf[1] = str[i+1];
+
+        long value = strtol(buf, NULL, 16);
+        if (value >= 0 && value <= 255)
+            md5[x] = (uint8_t)value;
+        else {
+            SCLogError(SC_ERR_INVALID_MD5, "md5 byte out of range %ld", value);
+            return -1;
+        }
+    }
+
+    return 1;
+}
+
+static int MD5LoadHash(ROHashTable *hash, char *string) {
+    uint8_t md5[16];
+
+    if (Md5ReadString(md5, string) == 1) {
+        if (ROHashInitQueueValue(hash, &md5, (uint16_t)sizeof(md5)) != 1)
+            return -1;
+    }
+
+    return 1;
+}
+
+static int MD5MatchLookupBuffer(ROHashTable *hash, uint8_t *buf, size_t buflen) {
+    void *ptr = ROHashLookup(hash, buf, (uint16_t)buflen);
+    if (ptr == NULL)
+        return 0;
+    else
+        return 1;
+}
+
+static int MD5MatchLookupString(ROHashTable *hash, char *string) {
+    uint8_t md5[16];
+    if (Md5ReadString(md5, string) == 1) {
+        void *ptr = ROHashLookup(hash, &md5, (uint16_t)sizeof(md5));
+        if (ptr == NULL)
+            return 0;
+        else
+            return 1;
+    }
+    return 0;
+}
+
+/**
+ * \brief match the specified filemd5
+ *
+ * \param t pointer to thread vars
+ * \param det_ctx pointer to the pattern matcher thread
+ * \param p pointer to the current packet
+ * \param m pointer to the sigmatch that we will cast into DetectFileMd5Data
+ *
+ * \retval 0 no match
+ * \retval 1 match
+ */
+int DetectFileMd5Match (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m)
+{
+    SCEnter();
+    int ret = 0;
+    DetectFileMd5Data *filemd5 = (DetectFileMd5Data *)m->ctx;
+
+    File *file = (File *)state;
+
+    if (file->txid < det_ctx->tx_id) {
+        SCReturnInt(0);
+    }
+
+    if (file->txid > det_ctx->tx_id) {
+        SCReturnInt(0);
+    }
+
+    if (file->state != FILE_STATE_CLOSED) {
+        SCReturnInt(0);
+    }
+
+    if (file->flags & FILE_MD5) {
+        if (MD5MatchLookupBuffer(filemd5->hash, file->md5, sizeof(file->md5)) == 1) {
+            ret = 1;
+        }
+    }
+
+    SCReturnInt(ret);
+}
+
+/**
+ * \brief Parse the filemd5 keyword
+ *
+ * \param idstr Pointer to the user provided option
+ *
+ * \retval filemd5 pointer to DetectFileMd5Data on success
+ * \retval NULL on failure
+ */
+DetectFileMd5Data *DetectFileMd5Parse (char *str)
+{
+    DetectFileMd5Data *filemd5 = NULL;
+
+    /* We have a correct filemd5 option */
+    filemd5 = SCMalloc(sizeof(DetectFileMd5Data));
+    if (filemd5 == NULL)
+        goto error;
+
+    memset(filemd5, 0x00, sizeof(DetectFileMd5Data));
+
+    filemd5->hash = ROHashInit(18, 16);
+    if (filemd5->hash == NULL) {
+        goto error;
+    }
+
+    /* get full filename */
+    char *filename = DetectLoadCompleteSigPath(str);
+    if (filename == NULL) {
+        goto error;
+    }
+
+    char line[8192] = "";
+    FILE *fp = fopen(filename, "r");
+    if (fp == NULL) {
+        SCLogError(SC_ERR_OPENING_RULE_FILE, "opening md5 file %s: %s", filename, strerror(errno));
+        return NULL;
+    }
+
+    while(fgets(line, (int)sizeof(line), fp) != NULL) {
+        size_t len = strlen(line);
+
+        /* ignore comments and empty lines */
+        if (line[0] == '\n' || line [0] == '\r' || line[0] == ' ' || line[0] == '#' || line[0] == '\t')
+            continue;
+
+        while (isspace(line[--len]));
+
+        /* Check if we have a trailing newline, and remove it */
+        len = strlen(line);
+        if (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r')) {
+            line[len - 1] = '\0';
+        }
+
+        /* cut off longer lines */
+        if (strlen(line) > 32)
+            line[32] = 0x00;
+
+        if (MD5LoadHash(filemd5->hash, line) != 1) {
+            goto error;
+        }
+    }
+    fclose(fp);
+    fp = NULL;
+
+    if (ROHashInitFinalize(filemd5->hash) != 1) {
+        goto error;
+    }
+    SCLogInfo("MD5 hash size %u bytes", ROHashMemorySize(filemd5->hash));
+
+    return filemd5;
+
+error:
+    if (filemd5 != NULL)
+        DetectFileMd5Free(filemd5);
+    return NULL;
+}
+
+/**
+ * \brief this function is used to parse filemd5 options
+ * \brief into the current signature
+ *
+ * \param de_ctx pointer to the Detection Engine Context
+ * \param s pointer to the Current Signature
+ * \param str pointer to the user provided "filemd5" option
+ *
+ * \retval 0 on Success
+ * \retval -1 on Failure
+ */
+static int DetectFileMd5Setup (DetectEngineCtx *de_ctx, Signature *s, char *str)
+{
+    DetectFileMd5Data *filemd5 = NULL;
+    SigMatch *sm = NULL;
+
+    filemd5 = DetectFileMd5Parse(str);
+    if (filemd5 == NULL)
+        goto error;
+
+    /* Okay so far so good, lets get this into a SigMatch
+     * and put it in the Signature. */
+    sm = SigMatchAlloc();
+    if (sm == NULL)
+        goto error;
+
+    sm->type = DETECT_FILEMD5;
+    sm->ctx = (void *)filemd5;
+
+    SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_FILEMATCH);
+
+    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
+        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+        goto error;
+    }
+
+    AppLayerHtpNeedFileInspection();
+
+    /** \todo remove this once we support more than http */
+    s->alproto = ALPROTO_HTTP;
+
+    s->file_flags |= (FILE_SIG_NEED_FILE|FILE_SIG_NEED_FILEMD5);
+    return 0;
+
+error:
+    if (filemd5 != NULL)
+        DetectFileMd5Free(filemd5);
+    if (sm != NULL)
+        SCFree(sm);
+    return -1;
+}
+
+/**
+ * \brief this function will free memory associated with DetectFileMd5Data
+ *
+ * \param filemd5 pointer to DetectFileMd5Data
+ */
+void DetectFileMd5Free(void *ptr) {
+    if (ptr != NULL) {
+        DetectFileMd5Data *filemd5 = (DetectFileMd5Data *)ptr;
+        SCFree(filemd5);
+    }
+}
+
+#ifdef UNITTESTS
+static int MD5MatchTest01(void) {
+    ROHashTable *hash = ROHashInit(4, 16);
+    if (hash == NULL) {
+        return 0;
+    }
+    if (MD5LoadHash(hash, "d80f93a93dc5f3ee945704754d6e0a36") != 1)
+        return 0;
+    if (MD5LoadHash(hash, "92a49985b384f0d993a36e4c2d45e206") != 1)
+        return 0;
+    if (MD5LoadHash(hash, "11adeaacc8c309815f7bc3e33888f281") != 1)
+        return 0;
+    if (MD5LoadHash(hash, "22e10a8fe02344ade0bea8836a1714af") != 1)
+        return 0;
+    if (MD5LoadHash(hash, "c3db2cbf02c68f073afcaee5634677bc") != 1)
+        return 0;
+    if (MD5LoadHash(hash, "7ed095da259638f42402fb9e74287a17") != 1)
+        return 0;
+
+    if (ROHashInitFinalize(hash) != 1) {
+        return 0;
+    }
+
+    if (MD5MatchLookupString(hash, "d80f93a93dc5f3ee945704754d6e0a36") != 1)
+        return 0;
+    if (MD5MatchLookupString(hash, "92a49985b384f0d993a36e4c2d45e206") != 1)
+        return 0;
+    if (MD5MatchLookupString(hash, "11adeaacc8c309815f7bc3e33888f281") != 1)
+        return 0;
+    if (MD5MatchLookupString(hash, "22e10a8fe02344ade0bea8836a1714af") != 1)
+        return 0;
+    if (MD5MatchLookupString(hash, "c3db2cbf02c68f073afcaee5634677bc") != 1)
+        return 0;
+    if (MD5MatchLookupString(hash, "7ed095da259638f42402fb9e74287a17") != 1)
+        return 0;
+    /* shouldnt match */
+    if (MD5MatchLookupString(hash, "33333333333333333333333333333333") == 1)
+        return 0;
+
+    ROHashFree(hash);
+    return 1;
+}
+#endif
+
+void DetectFileMd5RegisterTests(void) {
+#ifdef UNITTESTS
+    UtRegisterTest("MD5MatchTest01", MD5MatchTest01, 1);
+#endif
+}

src/detect-filemd5.h

@@ -0,0 +1,36 @@
+/* Copyright (C) 2007-2012 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Victor Julien <victor@inliniac.net>
+ */
+
+#ifndef __DETECT_FILEMD5_H__
+#define __DETECT_FILEMD5_H__
+
+#include "util-rohash.h"
+
+typedef struct DetectFileMd5Data {
+    ROHashTable *hash;
+} DetectFileMd5Data;
+
+/* prototypes */
+void DetectFileMd5cRegister (void);
+
+#endif /* __DETECT_FILEMD5_H__ */

src/detect.c

@@ -4529,6 +4529,7 @@ void SigTableSetup(void) {
     DetectFileextRegister();
     DetectFilestoreRegister();
     DetectFilemagicRegister();
+    DetectFileMd5Register();
     DetectAppLayerEventRegister();
 
     uint8_t i = 0;

src/detect.h

@@ -289,6 +289,7 @@ typedef struct DetectPort_ {
 #define FILE_SIG_NEED_TYPE          0x04
 #define FILE_SIG_NEED_MAGIC         0x08    /**< need the start of the file */
 #define FILE_SIG_NEED_FILECONTENT   0x10
+#define FILE_SIG_NEED_FILEMD5       0x20
 
 /* Detection Engine flags */
 #define DE_QUIET           0x01     /**< DE is quiet (esp for unittests) */
@@ -1018,6 +1019,7 @@ enum {
     DETECT_FILEEXT,
     DETECT_FILESTORE,
     DETECT_FILEMAGIC,
+    DETECT_FILEMD5,
 
     /* make sure this stays last */
     DETECT_TBLSIZE,
@@ -1040,6 +1042,7 @@ int SigGroupBuild(DetectEngineCtx *);
 int SigGroupCleanup (DetectEngineCtx *de_ctx);
 void SigAddressPrepareBidirectionals (DetectEngineCtx *);
 
+char *DetectLoadCompleteSigPath(char *sig_file);
 int SigLoadSignatures (DetectEngineCtx *, char *, int);
 void SigTableList(void);
 void SigTableSetup(void);

src/util-error.c

@@ -228,6 +228,7 @@ const char * SCErrorToString(SCError err)
         CASE_CODE (SC_ERR_FLOW_INIT);
         CASE_CODE (SC_ERR_HOST_INIT);
         CASE_CODE (SC_ERR_MEM_BUFFER_API);
+        CASE_CODE (SC_ERR_INVALID_MD5);
 
         default:
             return "UNKNOWN_ERROR";

src/util-error.h

@@ -242,6 +242,7 @@ typedef enum {
     SC_ERR_FLOW_INIT,
     SC_ERR_HOST_INIT,
     SC_ERR_MEM_BUFFER_API,
+    SC_ERR_INVALID_MD5,
 } SCError;
 
 const char *SCErrorToString(SCError);

src/util-rohash.c

@@ -98,6 +98,11 @@ void ROHashFree(ROHashTable *table) {
     }
 }
 
+uint32_t ROHashMemorySize(ROHashTable *table) {
+    return (uint32_t)(hashsize(table->hash_bits) * sizeof(ROHashTableOffsets) +
+            table->items * table->item_size + sizeof(ROHashTable));
+}
+
 /**
  *  \retval NULL not found
  *  \retval ptr found

src/util-rohash.h

@@ -24,6 +24,8 @@
 #ifndef __UTIL_ROHASH_H__
 #define __UTIL_ROHASH_H__
 
+#include "queue.h"
+
 typedef struct ROHashTable_ {
     uint8_t locked;
     uint8_t hash_bits;
@@ -38,6 +40,7 @@ ROHashTable *ROHashInit(uint8_t hash_bits, uint16_t item_size);
 int ROHashInitFinalize(ROHashTable *table);
 void ROHashFree(ROHashTable *table);
 int ROHashInitQueueValue(ROHashTable *table, void *value, uint16_t size);
+uint32_t ROHashMemorySize(ROHashTable *table);
 
 /* run time */
 void *ROHashLookup(ROHashTable *table, void *data, uint16_t size);