mirror of https://github.com/OISF/suricata
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
195 lines
5.1 KiB
C
195 lines
5.1 KiB
C
/* Copyright (C) 2007-2011 Open Information Security Foundation
|
|
*
|
|
* You can copy, redistribute or modify this Program under the terms of
|
|
* the GNU General Public License version 2 as published by the Free
|
|
* Software Foundation.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* version 2 along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
|
* 02110-1301, USA.
|
|
*/
|
|
|
|
/**
|
|
* \file
|
|
*
|
|
* \author Victor Julien <victor@inliniac.net>
|
|
*
|
|
*/
|
|
|
|
#ifndef __UTIL_FILE_H__
|
|
#define __UTIL_FILE_H__
|
|
|
|
#ifdef HAVE_NSS
|
|
#include <sechash.h>
|
|
#endif
|
|
|
|
#include "util-streaming-buffer.h"
|
|
|
|
#define FILE_TRUNCATED 0x0001
|
|
#define FILE_NOMAGIC 0x0002
|
|
#define FILE_NOMD5 0x0004
|
|
#define FILE_MD5 0x0008
|
|
#define FILE_LOGGED 0x0010
|
|
#define FILE_NOSTORE 0x0020
|
|
#define FILE_STORE 0x0040
|
|
#define FILE_STORED 0x0080
|
|
#define FILE_NOTRACK 0x0100 /**< track size of file */
|
|
#define FILE_USE_DETECT 0x0200 /**< use content_inspected tracker */
|
|
|
|
typedef enum FileState_ {
|
|
FILE_STATE_NONE = 0, /**< no state */
|
|
FILE_STATE_OPENED, /**< flow file is opened */
|
|
FILE_STATE_CLOSED, /**< flow file is completed,
|
|
there will be no more data. */
|
|
FILE_STATE_TRUNCATED, /**< flow file is not complete, but
|
|
there will be no more data. */
|
|
FILE_STATE_ERROR, /**< file is in an error state */
|
|
FILE_STATE_MAX
|
|
} FileState;
|
|
|
|
typedef struct File_ {
|
|
uint16_t flags;
|
|
uint16_t name_len;
|
|
int16_t state;
|
|
StreamingBuffer *sb;
|
|
uint64_t txid; /**< tx this file is part of */
|
|
uint32_t file_id;
|
|
uint8_t *name;
|
|
char *magic;
|
|
struct File_ *next;
|
|
#ifdef HAVE_NSS
|
|
HASHContext *md5_ctx;
|
|
uint8_t md5[MD5_LENGTH];
|
|
#endif
|
|
uint64_t content_inspected; /**< used in pruning if FILE_USE_DETECT
|
|
* flag is set */
|
|
uint64_t content_stored;
|
|
} File;
|
|
|
|
typedef struct FileContainer_ {
|
|
File *head;
|
|
File *tail;
|
|
} FileContainer;
|
|
|
|
FileContainer *FileContainerAlloc();
|
|
void FileContainerFree(FileContainer *);
|
|
|
|
void FileContainerRecycle(FileContainer *);
|
|
|
|
void FileContainerAdd(FileContainer *, File *);
|
|
|
|
/**
|
|
* \brief Open a new File
|
|
*
|
|
* \param ffc flow container
|
|
* \param sbcfg buffer config
|
|
* \param name filename character array
|
|
* \param name_len filename len
|
|
* \param data initial data
|
|
* \param data_len initial data len
|
|
* \param flags open flags
|
|
*
|
|
* \retval ff flowfile object
|
|
*
|
|
* \note filename is not a string, so it's not nul terminated.
|
|
*
|
|
* If flags contains the FILE_USE_DETECT bit, the pruning code will
|
|
* consider not just the content_stored tracker, but also content_inspected.
|
|
* It's the responsibility of the API user to make sure this tracker is
|
|
* properly updated.
|
|
*/
|
|
File *FileOpenFile(FileContainer *, const StreamingBufferConfig *,
|
|
const uint8_t *name, uint16_t name_len,
|
|
const uint8_t *data, uint32_t data_len, uint16_t flags);
|
|
|
|
/**
|
|
* \brief Close a File
|
|
*
|
|
* \param ffc the container
|
|
* \param data final data if any
|
|
* \param data_len data len if any
|
|
* \param flags flags
|
|
*
|
|
* \retval 0 ok
|
|
* \retval -1 error
|
|
*/
|
|
int FileCloseFile(FileContainer *, const uint8_t *data, uint32_t data_len,
|
|
uint16_t flags);
|
|
|
|
/**
|
|
* \brief Store a chunk of file data in the flow. The open "flowfile"
|
|
* will be used.
|
|
*
|
|
* \param ffc the container
|
|
* \param data data chunk
|
|
* \param data_len data chunk len
|
|
*
|
|
* \retval 0 ok
|
|
* \retval -1 error
|
|
*/
|
|
int FileAppendData(FileContainer *, const uint8_t *data, uint32_t data_len);
|
|
|
|
/**
|
|
* \brief Tag a file for storing
|
|
*
|
|
* \param ff The file to store
|
|
*/
|
|
int FileStore(File *);
|
|
|
|
/**
|
|
* \brief Set the TX id for a file
|
|
*
|
|
* \param ff The file to store
|
|
* \param txid the tx id
|
|
*/
|
|
int FileSetTx(File *, uint64_t txid);
|
|
|
|
/**
|
|
* \brief disable file storage for a flow
|
|
*
|
|
* \param f *LOCKED* flow
|
|
*/
|
|
void FileDisableStoring(struct Flow_ *, uint8_t);
|
|
|
|
void FileDisableFilesize(Flow *f, uint8_t direction);
|
|
|
|
/**
|
|
* \brief disable file storing for a transaction
|
|
*
|
|
* \param f flow
|
|
* \param tx_id transaction id
|
|
*/
|
|
void FileDisableStoringForTransaction(Flow *f, uint8_t direction, uint64_t tx_id);
|
|
|
|
void FlowFileDisableStoringForTransaction(struct Flow_ *f, uint64_t tx_id);
|
|
void FilePrune(FileContainer *ffc);
|
|
|
|
void FileForceFilestoreEnable(void);
|
|
int FileForceFilestore(void);
|
|
|
|
void FileDisableMagic(Flow *f, uint8_t);
|
|
void FileForceMagicEnable(void);
|
|
int FileForceMagic(void);
|
|
|
|
void FileDisableMd5(Flow *f, uint8_t);
|
|
void FileForceMd5Enable(void);
|
|
int FileForceMd5(void);
|
|
|
|
void FileForceTrackingEnable(void);
|
|
|
|
void FileStoreAllFiles(FileContainer *);
|
|
void FileStoreAllFilesForTx(FileContainer *, uint64_t);
|
|
void FileStoreFileById(FileContainer *fc, uint32_t);
|
|
|
|
void FileTruncateAllOpenFiles(FileContainer *);
|
|
|
|
uint64_t FileSize(const File *file);
|
|
|
|
#endif /* __UTIL_FILE_H__ */
|