detect/file: cleanups

TX id is enfored in the engine, so the keywords don't need to. Unify detect file engines.
8 years ago · a636d96b15
parent 2aad2d605d
commit a636d96b15
6 changed files with 18 additions and 90 deletions
--- a/src/detect-engine-file.c
+++ b/src/detect-engine-file.c
@ -70,8 +70,6 @@
 *  \retval 1 match
 *  \retval 2 can't match
 *  \retval 3 can't match filestore signature
- *
- *  \note flow is not locked at this time
 */
 static int DetectFileInspect(ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
        Flow *f, const Signature *s, const SigMatchData *smd,
@ -213,52 +211,7 @@ static int DetectFileInspect(ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
 }

 /**
- *  \brief Inspect the file inspecting keywords against the HTTP transactions.
- *
- *  \param tv thread vars
- *  \param det_ctx detection engine thread ctx
- *  \param f flow
- *  \param s signature to inspect
- *  \param alstate state
- *  \param flags direction flag
- *
- *  \retval 0 no match
- *  \retval 1 match
- *  \retval 2 can't match
- *  \retval 3 can't match filestore signature
- *
- *  \note flow should be locked when this function's called.
- */
-int DetectFileInspectHttp(ThreadVars *tv,
-        DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
-        const Signature *s, const SigMatchData *smd,
-        Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
-{
-    int r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
-    FileContainer *ffc;
-    HtpState *htp_state = (HtpState *)alstate;
-
-    if (flags & STREAM_TOCLIENT)
-        ffc = htp_state->files_tc;
-    else
-        ffc = htp_state->files_ts;
-
-    int match = DetectFileInspect(tv, det_ctx, f, s, smd, flags, ffc);
-    if (match == DETECT_ENGINE_INSPECT_SIG_MATCH) {
-        r = DETECT_ENGINE_INSPECT_SIG_MATCH;
-    } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH) {
-        SCLogDebug("sid %u can't match on this transaction", s->id);
-        r = DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
-    } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILESTORE) {
-        SCLogDebug("sid %u can't match on this transaction (filestore sig)", s->id);
-        r = DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILESTORE;
-    }
-
-    return r;
-}
-
-/**
- *  \brief Inspect the file inspecting keywords against the SMTP transactions.
+ *  \brief Inspect the file inspecting keywords against the state
 *
 *  \param tv thread vars
 *  \param det_ctx detection engine thread ctx
@ -274,27 +227,24 @@ int DetectFileInspectHttp(ThreadVars *tv,
 *
 *  \note flow is not locked at this time
 */
-int DetectFileInspectSmtp(ThreadVars *tv,
+int DetectFileInspectGeneric(ThreadVars *tv,
        DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
        const Signature *s, const SigMatchData *smd,
        Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
 {
    SCEnter();
-    int r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
-    SMTPState *smtp_state = NULL;
-    FileContainer *ffc;

-    smtp_state = (SMTPState *)alstate;
-    if (smtp_state == NULL) {
-        SCLogDebug("no SMTP state");
-        goto end;
+    if (alstate == NULL) {
+        SCReturnInt(DETECT_ENGINE_INSPECT_SIG_NO_MATCH);
    }

-    if (flags & STREAM_TOSERVER)
-        ffc = smtp_state->files_ts;
-    else
-        goto end;
+    const uint8_t direction = flags & (STREAM_TOSERVER|STREAM_TOCLIENT);
+    FileContainer *ffc = AppLayerParserGetFiles(f->proto, f->alproto, alstate, direction);
+    if (ffc == NULL || ffc->head == NULL) {
+        SCReturnInt(DETECT_ENGINE_INSPECT_SIG_NO_MATCH);
+    }

+    int r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
    int match = DetectFileInspect(tv, det_ctx, f, s, smd, flags, ffc);
    if (match == DETECT_ENGINE_INSPECT_SIG_MATCH) {
        r = DETECT_ENGINE_INSPECT_SIG_MATCH;
@ -309,6 +259,5 @@ int DetectFileInspectSmtp(ThreadVars *tv,
        r = match;
    }

-end:
    SCReturnInt(r);
 }
--- a/src/detect-engine-file.h
+++ b/src/detect-engine-file.h
@ -34,4 +34,9 @@ int DetectFileInspectSmtp(ThreadVars *tv,
        const Signature *s, const SigMatchData *smd,
        Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id);

+int DetectFileInspectGeneric(ThreadVars *tv,
+        DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
+        const Signature *s, const SigMatchData *smd,
+        Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id);
+
 #endif /* __DETECT_ENGINE_FILE_H__ */
--- a/src/detect-file-hash-common.c
+++ b/src/detect-file-hash-common.c
@ -153,14 +153,6 @@ int DetectFileHashMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
    int ret = 0;
    DetectFileHashData *filehash = (DetectFileHashData *)m;

-    if (file->txid < det_ctx->tx_id) {
-        SCReturnInt(0);
-    }
-
-    if (file->txid > det_ctx->tx_id) {
-        SCReturnInt(0);
-    }
-
    if (file->state != FILE_STATE_CLOSED) {
        SCReturnInt(0);
    }
--- a/src/detect-fileext.c
+++ b/src/detect-fileext.c
@ -103,12 +103,6 @@ static int DetectFileextMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
    if (file->name == NULL)
        SCReturnInt(0);

-    if (file->txid < det_ctx->tx_id)
-        SCReturnInt(0);
-
-    if (file->txid > det_ctx->tx_id)
-        SCReturnInt(0);
-
    if (file->name_len <= fileext->len)
        SCReturnInt(0);

--- a/src/detect-filemagic.c
+++ b/src/detect-filemagic.c
@ -187,12 +187,6 @@ static int DetectFilemagicMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
    int ret = 0;
    DetectFilemagicData *filemagic = (DetectFilemagicData *)m;

-    if (file->txid < det_ctx->tx_id)
-        SCReturnInt(0);
-
-    if (file->txid > det_ctx->tx_id)
-        SCReturnInt(0);
-
    DetectFilemagicThreadData *tfilemagic = (DetectFilemagicThreadData *)DetectThreadCtxGetKeywordThreadCtx(det_ctx, filemagic->thread_ctx_id);
    if (tfilemagic == NULL) {
        SCReturnInt(0);
--- a/src/detect-filename.c
+++ b/src/detect-filename.c
@ -75,14 +75,14 @@ void DetectFilenameRegister(void)

    DetectAppLayerInspectEngineRegister("files",
            ALPROTO_HTTP, SIG_FLAG_TOSERVER, HTP_REQUEST_BODY,
-            DetectFileInspectHttp);
+            DetectFileInspectGeneric);
    DetectAppLayerInspectEngineRegister("files",
            ALPROTO_HTTP, SIG_FLAG_TOCLIENT, HTP_RESPONSE_BODY,
-            DetectFileInspectHttp);
+            DetectFileInspectGeneric);

    DetectAppLayerInspectEngineRegister("files",
            ALPROTO_SMTP, SIG_FLAG_TOSERVER, 0,
-            DetectFileInspectSmtp);
+            DetectFileInspectGeneric);

    g_file_match_list_id = DetectBufferTypeGetByName("files");

@ -115,12 +115,6 @@ static int DetectFilenameMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
    if (file->name == NULL)
        SCReturnInt(0);

-    if (file->txid < det_ctx->tx_id)
-        SCReturnInt(0);
-
-    if (file->txid > det_ctx->tx_id)
-        SCReturnInt(0);
-
    if (BoyerMooreNocase(filename->name, filename->len, file->name,
                file->name_len, filename->bm_ctx) != NULL)
    {