files: use dynamic list

pull/2559/head
Victor Julien 8 years ago
parent e4bfdd53c2
commit b68343e372

@ -81,7 +81,6 @@ static int DetectFileInspect(ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
int match = 0;
int store_r = 0;
KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_FILEMATCH);
SCLogDebug("file inspection... %p", ffc);
if (ffc != NULL) {

@ -2808,9 +2808,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
case DETECT_SM_LIST_TMATCH:
return "tag";
case DETECT_SM_LIST_FILEMATCH:
return "file";
case DETECT_SM_LIST_BASE64_DATA:
return "base64_data";

@ -56,6 +56,7 @@ static int DetectFileextMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *,
static int DetectFileextSetup (DetectEngineCtx *, Signature *, char *);
static void DetectFileextRegisterTests(void);
static void DetectFileextFree(void *);
static int g_file_match_list_id = 0;
/**
* \brief Registration function for keyword: fileext
@ -70,6 +71,8 @@ void DetectFileextRegister(void)
sigmatch_table[DETECT_FILEEXT].Free = DetectFileextFree;
sigmatch_table[DETECT_FILEEXT].RegisterTests = DetectFileextRegisterTests;
g_file_match_list_id = DetectBufferTypeRegister("files");
SCLogDebug("registering fileext rule option");
return;
}
@ -208,7 +211,7 @@ static int DetectFileextSetup (DetectEngineCtx *de_ctx, Signature *s, char *str)
sm->type = DETECT_FILEEXT;
sm->ctx = (void *)fileext;
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_FILEMATCH);
SigMatchAppendSMToList(s, sm, g_file_match_list_id);
s->file_flags |= (FILE_SIG_NEED_FILE|FILE_SIG_NEED_FILENAME);
return 0;
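Review bot: In DetectFileextRegister the result of `DetectBufferTypeRegister("files")` is stored in `g_file_match_list_id` without a check, and DetectFileextSetup later passes it to `SigMatchAppendSMToList` as the list index. The registration function is not shown here, so whether it can return a negative value on failure needs confirming; if it can, a guard right after the call, such as `BUG_ON(g_file_match_list_id < 0);`, keeps a bad index away from the signature's list array. The static also starts at `0`, which looks like a valid list id, so a Setup call that ran before registration would silently put the match in the wrong list and the rule would never be evaluated against files; `static int g_file_match_list_id = -1;` would make that case detectable. The same pattern appears in the filemagic, filemd5, filesha1, filesha256, filesize and filestore sections, and both functions continue outside the visible hunks.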

@ -80,6 +80,7 @@ static int DetectFilemagicMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *,
static int DetectFilemagicSetup (DetectEngineCtx *, Signature *, char *);
static void DetectFilemagicRegisterTests(void);
static void DetectFilemagicFree(void *);
static int g_file_match_list_id = 0;
/**
* \brief Registration function for keyword: filemagic
@ -94,6 +95,8 @@ void DetectFilemagicRegister(void)
sigmatch_table[DETECT_FILEMAGIC].Free = DetectFilemagicFree;
sigmatch_table[DETECT_FILEMAGIC].RegisterTests = DetectFilemagicRegisterTests;
g_file_match_list_id = DetectBufferTypeRegister("files");
SCLogDebug("registering filemagic rule option");
return;
}
@ -377,7 +380,7 @@ static int DetectFilemagicSetup (DetectEngineCtx *de_ctx, Signature *s, char *st
sm->type = DETECT_FILEMAGIC;
sm->ctx = (void *)filemagic;
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_FILEMATCH);
SigMatchAppendSMToList(s, sm, g_file_match_list_id);
s->file_flags |= (FILE_SIG_NEED_FILE|FILE_SIG_NEED_MAGIC);
return 0;

@ -24,6 +24,7 @@
#include "suricata-common.h"
#include "detect-engine.h"
#include "util-detect-file-hash.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
@ -56,6 +57,8 @@ void DetectFileMd5Register(void)
#else /* HAVE_NSS */
static int g_file_match_list_id = 0;
static int DetectFileMd5Setup (DetectEngineCtx *, Signature *, char *);
static void DetectFileMd5RegisterTests(void);
@ -72,6 +75,8 @@ void DetectFileMd5Register(void)
sigmatch_table[DETECT_FILEMD5].Free = DetectFileHashFree;
sigmatch_table[DETECT_FILEMD5].RegisterTests = DetectFileMd5RegisterTests;
g_file_match_list_id = DetectBufferTypeRegister("files");
SCLogDebug("registering filemd5 rule option");
return;
}
@ -89,7 +94,7 @@ void DetectFileMd5Register(void)
*/
static int DetectFileMd5Setup (DetectEngineCtx *de_ctx, Signature *s, char *str)
{
return DetectFileHashSetup(de_ctx, s, str, DETECT_FILEMD5);
return DetectFileHashSetup(de_ctx, s, str, DETECT_FILEMD5, g_file_match_list_id);
}
#ifdef UNITTESTS

@ -57,6 +57,7 @@ static int DetectFilenameMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *,
static int DetectFilenameSetup (DetectEngineCtx *, Signature *, char *);
static void DetectFilenameRegisterTests(void);
static void DetectFilenameFree(void *);
static int g_file_match_list_id = 0;
/**
* \brief Registration function for keyword: filename
@ -71,17 +72,19 @@ void DetectFilenameRegister(void)
sigmatch_table[DETECT_FILENAME].Free = DetectFilenameFree;
sigmatch_table[DETECT_FILENAME].RegisterTests = DetectFilenameRegisterTests;
DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER,
DETECT_SM_LIST_FILEMATCH,
DetectAppLayerInspectEngineRegister2("files",
ALPROTO_HTTP, SIG_FLAG_TOSERVER,
DetectFileInspectHttp);
DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
DETECT_SM_LIST_FILEMATCH,
DetectAppLayerInspectEngineRegister2("files",
ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
DetectFileInspectHttp);
DetectAppLayerInspectEngineRegister(ALPROTO_SMTP, SIG_FLAG_TOSERVER,
DETECT_SM_LIST_FILEMATCH,
DetectAppLayerInspectEngineRegister2("files",
ALPROTO_SMTP, SIG_FLAG_TOSERVER,
DetectFileInspectSmtp);
g_file_match_list_id = DetectBufferTypeGetByName("files");
SCLogDebug("registering filename rule option");
return;
}
@ -225,7 +228,7 @@ static int DetectFilenameSetup (DetectEngineCtx *de_ctx, Signature *s, char *str
sm->type = DETECT_FILENAME;
sm->ctx = (void *)filename;
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_FILEMATCH);
SigMatchAppendSMToList(s, sm, g_file_match_list_id);
s->file_flags |= (FILE_SIG_NEED_FILE|FILE_SIG_NEED_FILENAME);
return 0;
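Review bot: DetectFilenameRegister gets its id from `DetectBufferTypeGetByName("files")`, while every other file keyword in this commit calls `DetectBufferTypeRegister("files")`. The lookup therefore seems to depend on the three `DetectAppLayerInspectEngineRegister2("files", ...)` calls above it having created the buffer type first, which is an inference because neither function is shown on this page. Either switch to `DetectBufferTypeRegister("files")` to match the sibling keywords, or keep the lookup and add a comment such as `/* "files" is created by the inspect engine registrations above; keep this call after them */`. DetectFilenameSetup continues outside the hunk.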

@ -25,6 +25,7 @@
#include "suricata-common.h"
#include "detect-engine.h"
#include "util-detect-file-hash.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
@ -59,6 +60,7 @@ void DetectFileSha1Register(void)
static int DetectFileSha1Setup (DetectEngineCtx *, Signature *, char *);
static void DetectFileSha1RegisterTests(void);
static int g_file_match_list_id = 0;
/**
* \brief Registration function for keyword: filesha1
@ -73,6 +75,8 @@ void DetectFileSha1Register(void)
sigmatch_table[DETECT_FILESHA1].Free = DetectFileHashFree;
sigmatch_table[DETECT_FILESHA1].RegisterTests = DetectFileSha1RegisterTests;
g_file_match_list_id = DetectBufferTypeRegister("files");
SCLogDebug("registering filesha1 rule option");
return;
}
@ -90,7 +94,7 @@ void DetectFileSha1Register(void)
*/
static int DetectFileSha1Setup (DetectEngineCtx *de_ctx, Signature *s, char *str)
{
return DetectFileHashSetup(de_ctx, s, str, DETECT_FILESHA1);
return DetectFileHashSetup(de_ctx, s, str, DETECT_FILESHA1, g_file_match_list_id);
}
#ifdef UNITTESTS

@ -25,6 +25,7 @@
#include "suricata-common.h"
#include "detect-engine.h"
#include "util-detect-file-hash.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
@ -59,6 +60,7 @@ void DetectFileSha256Register(void)
static int DetectFileSha256Setup (DetectEngineCtx *, Signature *, char *);
static void DetectFileSha256RegisterTests(void);
static int g_file_match_list_id = 0;
/**
* \brief Registration function for keyword: filesha256
@ -73,6 +75,8 @@ void DetectFileSha256Register(void)
sigmatch_table[DETECT_FILESHA256].Free = DetectFileHashFree;
sigmatch_table[DETECT_FILESHA256].RegisterTests = DetectFileSha256RegisterTests;
g_file_match_list_id = DetectBufferTypeRegister("files");
SCLogDebug("registering filesha256 rule option");
return;
}
@ -90,7 +94,7 @@ void DetectFileSha256Register(void)
*/
static int DetectFileSha256Setup (DetectEngineCtx *de_ctx, Signature *s, char *str)
{
return DetectFileHashSetup(de_ctx, s, str, DETECT_FILESHA256);
return DetectFileHashSetup(de_ctx, s, str, DETECT_FILESHA256, g_file_match_list_id);
}
#ifdef UNITTESTS

@ -31,6 +31,7 @@
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-state.h"
#include "detect-filesize.h"
@ -53,6 +54,7 @@ static int DetectFilesizeMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, F
static int DetectFilesizeSetup (DetectEngineCtx *, Signature *, char *);
static void DetectFilesizeFree (void *);
static void DetectFilesizeRegisterTests (void);
static int g_file_match_list_id = 0;
/**
* \brief Registration function for filesize: keyword
@ -70,6 +72,8 @@ void DetectFilesizeRegister(void)
sigmatch_table[DETECT_FILESIZE].flags |= SIGMATCH_PAYLOAD; /** XXX necessary? */
DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
g_file_match_list_id = DetectBufferTypeRegister("files");
}
/**
@ -286,7 +290,7 @@ static int DetectFilesizeSetup (DetectEngineCtx *de_ctx, Signature *s, char *str
sm->type = DETECT_FILESIZE;
sm->ctx = (SigMatchCtx *)fsd;
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_FILEMATCH);
SigMatchAppendSMToList(s, sm, g_file_match_list_id);
s->file_flags |= (FILE_SIG_NEED_FILE|FILE_SIG_NEED_SIZE);
SCReturnInt(0);

@ -64,6 +64,7 @@ static int DetectFilestoreMatch (ThreadVars *, DetectEngineThreadCtx *,
static int DetectFilestoreSetup (DetectEngineCtx *, Signature *, char *);
static void DetectFilestoreFree(void *);
static void DetectFilestoreRegisterTests(void);
static int g_file_match_list_id = 0;
/**
* \brief Registration function for keyword: filestore
@ -80,6 +81,8 @@ void DetectFilestoreRegister(void)
sigmatch_table[DETECT_FILESTORE].flags = SIGMATCH_OPTIONAL_OPT;
DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
g_file_match_list_id = DetectBufferTypeRegister("files");
}
/**
@ -401,7 +404,7 @@ static int DetectFilestoreSetup (DetectEngineCtx *de_ctx, Signature *s, char *st
AppLayerHtpNeedFileInspection();
}
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_FILEMATCH);
SigMatchAppendSMToList(s, sm, g_file_match_list_id);
s->filestore_ctx = (const DetectFilestoreData *)sm->ctx;
s->flags |= SIG_FLAG_FILESTORE;

@ -145,7 +145,6 @@ const char *DetectListToHumanString(int list)
CASE_CODE_STRING(DETECT_SM_LIST_AMATCH, "app-layer");
CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc");
CASE_CODE_STRING(DETECT_SM_LIST_TMATCH, "tag");
CASE_CODE_STRING(DETECT_SM_LIST_FILEMATCH, "file");
CASE_CODE_STRING(DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH, "template");
CASE_CODE_STRING(DETECT_SM_LIST_POSTMATCH, "postmatch");
CASE_CODE_STRING(DETECT_SM_LIST_SUPPRESS, "suppress");
@ -167,7 +166,6 @@ const char *DetectListToString(int list)
CASE_CODE(DETECT_SM_LIST_AMATCH);
CASE_CODE(DETECT_SM_LIST_DMATCH);
CASE_CODE(DETECT_SM_LIST_TMATCH);
CASE_CODE(DETECT_SM_LIST_FILEMATCH);
CASE_CODE(DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH);
CASE_CODE(DETECT_SM_LIST_POSTMATCH);
CASE_CODE(DETECT_SM_LIST_SUPPRESS);

@ -118,8 +118,6 @@ enum DetectSigmatchListEnum {
/* app event engine sm list */
DETECT_SM_LIST_APP_EVENT = DETECT_SM_LIST_BUILTIN_MAX,
DETECT_SM_LIST_FILEMATCH,
DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH,
DETECT_SM_LIST_MAX,

@ -303,7 +303,7 @@ error:
* \retval -1 on Failure
*/
int DetectFileHashSetup (DetectEngineCtx *de_ctx, Signature *s, char *str,
uint32_t type)
uint32_t type, int list)
{
DetectFileHashData *filehash = NULL;
SigMatch *sm = NULL;
@ -321,7 +321,7 @@ int DetectFileHashSetup (DetectEngineCtx *de_ctx, Signature *s, char *str,
sm->type = type;
sm->ctx = (void *)filehash;
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_FILEMATCH);
SigMatchAppendSMToList(s, sm, list);
s->file_flags |= FILE_SIG_NEED_FILE;
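Review bot: The new `list` parameter of DetectFileHashSetup is missing from the doxygen block, of which only the `\retval` tail is visible here; add a line such as `\param list id of the sigmatch list the keyword is appended to`. The value is a plain `int` passed unchecked to `SigMatchAppendSMToList(s, sm, list)`, so a negative id from any caller would be used as the list index. Failing early at the top of the function with `if (list < 0) return -1;` would be a cheap guard, placed before anything is allocated. The function body extends outside both hunks.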

@ -39,7 +39,7 @@ int LoadHashTable(ROHashTable *, char *, char *, int, uint32_t);
int DetectFileHashMatch(ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t,
File *, const Signature *, const SigMatchData *);
int DetectFileHashSetup(DetectEngineCtx *, Signature *, char *, uint32_t);
int DetectFileHashSetup(DetectEngineCtx *, Signature *, char *, uint32_t, int);
void DetectFileHashFree(void *);
#endif /* __UTIL_DETECT_FILE_HASH_H__ */
