suricata
detect-engine-file.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2011 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #include "suricata-common.h"
25 
26 #include "decode.h"
27 
28 #include "detect.h"
29 #include "detect-engine.h"
30 #include "detect-parse.h"
31 #include "detect-engine-state.h"
32 
33 #include "detect-filestore.h"
34 
36 #include "detect-engine-file.h"
37 
38 #include "stream-tcp.h"
39 #include "stream-tcp-private.h"
40 #include "stream-tcp-reassemble.h"
41 
42 #include "app-layer-parser.h"
43 #include "app-layer-protos.h"
44 #include "app-layer-htp.h"
46 #include "app-layer-dcerpc.h"
47 #include "app-layer-smtp.h"
48 
49 #include "util-unittest.h"
50 #include "util-unittest-helper.h"
51 #include "util-profiling.h"
52 #include "util-validate.h"
53 
54 
55 /**
56  * \brief Inspect the file inspecting keywords.
57  *
58  * \param tv thread vars
59  * \param det_ctx detection engine thread ctx
60  * \param f flow
61  * \param s signature to inspect
62  *
63  * \retval 0 no match
64  * \retval 1 match
65  * \retval 2 can't match
66  * \retval 3 can't match filestore signature
67  */
68 static int DetectFileInspect(ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
69  Flow *f, const Signature *s, const SigMatchData *smd,
70  uint8_t flags, FileContainer *ffc)
71 {
72  int r = 0;
73  int match = 0;
74  int store_r = 0;
75 
76  SCLogDebug("file inspection... %p", ffc);
77 
78  if (ffc != NULL) {
79  File *file = ffc->head;
80  for (; file != NULL; file = file->next) {
81  SCLogDebug("file");
82 
83  if (file->state == FILE_STATE_NONE) {
84  SCLogDebug("file state FILE_STATE_NONE");
85  continue;
86  }
87 
88  if (file->txid < det_ctx->tx_id) {
89  SCLogDebug("file->txid < det_ctx->tx_id == %"PRIu64" < %"PRIu64, file->txid, det_ctx->tx_id);
90  continue;
91  }
92 
93  if (file->txid > det_ctx->tx_id) {
94  SCLogDebug("file->txid > det_ctx->tx_id == %"PRIu64" > %"PRIu64, file->txid, det_ctx->tx_id);
95  break;
96  }
97 
98  if ((s->file_flags & FILE_SIG_NEED_FILENAME) && file->name == NULL) {
99  SCLogDebug("sig needs filename, but we don't have any");
101  continue;
102  }
103 
104  uint64_t file_size = FileDataSize(file);
105  if ((s->file_flags & FILE_SIG_NEED_MAGIC) && file_size == 0) {
106  SCLogDebug("sig needs file content, but we don't have any");
108  continue;
109  }
110 
111  if ((s->file_flags & FILE_SIG_NEED_FILECONTENT) && file_size == 0) {
112  SCLogDebug("sig needs file content, but we don't have any");
114  continue;
115  }
116 
117  if ((s->file_flags & FILE_SIG_NEED_MD5) && (!(file->flags & FILE_MD5))) {
118  SCLogDebug("sig needs file md5, but we don't have any");
120  continue;
121  }
122 
123  if ((s->file_flags & FILE_SIG_NEED_SHA1) && (!(file->flags & FILE_SHA1))) {
124  SCLogDebug("sig needs file sha1, but we don't have any");
126  continue;
127  }
128 
129  if ((s->file_flags & FILE_SIG_NEED_SHA256) && (!(file->flags & FILE_SHA256))) {
130  SCLogDebug("sig needs file sha256, but we don't have any");
132  continue;
133  }
134 
135  if ((s->file_flags & FILE_SIG_NEED_SIZE) && file->state < FILE_STATE_CLOSED) {
136  SCLogDebug("sig needs filesize, but state < FILE_STATE_CLOSED");
138  continue;
139  }
140 
141  /* run the file match functions. */
142  while (1) {
143  SCLogDebug("smd %p", smd);
144 
145  if (sigmatch_table[smd->type].FileMatch != NULL) {
147  match = sigmatch_table[smd->type].
148  FileMatch(det_ctx, f, flags, file, s, smd->ctx);
149  KEYWORD_PROFILING_END(det_ctx, smd->type, (match > 0));
150  if (match == 0) {
152  break;
153  } else if (smd->is_last) {
155  break;
156  }
157  }
158  if (smd->is_last)
159  break;
160  smd++;
161  }
162 
163  /* continue inspection for other files as we may want to store
164  * those as well. We'll return 1 (match) regardless of their
165  * results though */
168 
169  /* continue, this file may (or may not) be unable to match
170  * maybe we have more that can :) */
171  }
172  } else {
173  /* if we have a filestore sm with a scope > file (so tx, ssn) we
174  * run it here */
175  if (smd != NULL && smd->is_last && smd->type == DETECT_FILESTORE &&
176  smd->ctx != NULL)
177  {
179  if (fd->scope > FILESTORE_SCOPE_DEFAULT) {
181  match = sigmatch_table[smd->type].
182  FileMatch(det_ctx, f, flags, /* no file */NULL, s, smd->ctx);
183  KEYWORD_PROFILING_END(det_ctx, smd->type, (match > 0));
184 
185  if (match == 1) {
187  }
188  }
189  }
190  }
191 
193  SCLogDebug("stored MATCH, current file NOMATCH");
195  }
196 
197  if (store_r == DETECT_ENGINE_INSPECT_SIG_MATCH)
199  SCReturnInt(r);
200 }
201 
202 /**
203  * \brief Inspect the file inspecting keywords against the state
204  *
205  * \param tv thread vars
206  * \param det_ctx detection engine thread ctx
207  * \param f flow
208  * \param s signature to inspect
209  * \param alstate state
210  * \param flags direction flag
211  *
212  * \retval 0 no match
213  * \retval 1 match
214  * \retval 2 can't match
215  * \retval 3 can't match filestore signature
216  *
217  * \note flow is not locked at this time
218  */
221  const Signature *s, const SigMatchData *smd,
222  Flow *f, uint8_t flags, void *_alstate, void *tx, uint64_t tx_id)
223 {
224  SCEnter();
225  DEBUG_VALIDATE_BUG_ON(f->alstate != _alstate);
226 
227  const uint8_t direction = flags & (STREAM_TOSERVER|STREAM_TOCLIENT);
228  FileContainer *ffc = AppLayerParserGetFiles(f, direction);
229  if (ffc == NULL || ffc->head == NULL) {
231  }
232 
234  int match = DetectFileInspect(tv, det_ctx, f, s, smd, flags, ffc);
235  if (match == DETECT_ENGINE_INSPECT_SIG_MATCH) {
237  } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH) {
238  SCLogDebug("sid %u can't match on this transaction", s->id);
240  } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES) {
241  SCLogDebug("sid %u can't match on this transaction (file sig)", s->id);
243  } else if (match == DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES) {
244  SCLogDebug("match with more files ahead");
245  r = match;
246  }
247 
248  SCReturnInt(r);
249 }
app-layer-dcerpc.h
FileContainer_
Definition: util-file.h:100
detect-engine.h
DetectFileInspectGeneric
int DetectFileInspectGeneric(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, uint8_t flags, void *_alstate, void *tx, uint64_t tx_id)
Inspect the file inspecting keywords against the state.
Definition: detect-engine-file.c:219
FILE_SIG_NEED_SHA1
#define FILE_SIG_NEED_SHA1
Definition: detect.h:288
DetectFilestoreData_::scope
int16_t scope
Definition: detect-filestore.h:38
stream-tcp.h
FILE_SHA256
#define FILE_SHA256
Definition: util-file.h:43
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
DetectEngineThreadCtx_::tx_id
uint64_t tx_id
Definition: detect.h:1081
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:331
Flow_
Flow data structure.
Definition: flow.h:343
SigTableElmt_::FileMatch
int(* FileMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, File *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1186
File_::state
FileState state
Definition: util-file.h:66
DETECT_FILESTORE
@ DETECT_FILESTORE
Definition: detect-engine-register.h:184
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:766
AppLayerParserGetFiles
FileContainer * AppLayerParserGetFiles(const Flow *f, const uint8_t direction)
Definition: app-layer-parser.c:864
stream-tcp-reassemble.h
FILE_SIG_NEED_FILENAME
#define FILE_SIG_NEED_FILENAME
Definition: detect.h:284
SigMatchData_
Data needed for Match()
Definition: detect.h:328
KEYWORD_PROFILING_START
#define KEYWORD_PROFILING_START
Definition: util-profiling.h:69
util-unittest.h
util-unittest-helper.h
KEYWORD_PROFILING_END
#define KEYWORD_PROFILING_END(ctx, type, m)
Definition: util-profiling.h:83
FILE_SIG_NEED_MD5
#define FILE_SIG_NEED_MD5
Definition: detect.h:287
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES
Definition: detect-engine-state.h:44
app-layer-htp.h
decode.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1009
FILE_SIG_NEED_MAGIC
#define FILE_SIG_NEED_MAGIC
Definition: detect.h:285
detect-engine-file.h
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
FileContainer_::head
File * head
Definition: util-file.h:101
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:39
SigMatchData_::type
uint8_t type
Definition: detect.h:329
app-layer-parser.h
util-profiling.h
FILE_SIG_NEED_SHA256
#define FILE_SIG_NEED_SHA256
Definition: detect.h:289
app-layer-dcerpc-common.h
stream-tcp-private.h
File_::name
uint8_t * name
Definition: util-file.h:73
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
detect-filestore.h
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
Definition: detect-engine-state.h:40
FileDataSize
uint64_t FileDataSize(const File *file)
get the size of the file data
Definition: util-file.c:291
File_::flags
uint16_t flags
Definition: util-file.h:64
DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES
#define DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES
Definition: detect-engine-state.h:50
FILE_STATE_CLOSED
@ FILE_STATE_CLOSED
Definition: util-file.h:55
File_
Definition: util-file.h:63
flags
uint8_t flags
Definition: decode-gre.h:0
SigMatchData_::is_last
uint8_t is_last
Definition: detect.h:330
suricata-common.h
Signature_::file_flags
uint8_t file_flags
Definition: detect.h:541
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
File_::next
struct File_ * next
Definition: util-file.h:77
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
FILE_MD5
#define FILE_MD5
Definition: util-file.h:39
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:38
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
util-validate.h
DetectFilestoreData_
Definition: detect-filestore.h:36
Flow_::alstate
void * alstate
Definition: flow.h:454
Signature_::id
uint32_t id
Definition: detect.h:560
detect-parse.h
Signature_
Signature container.
Definition: detect.h:527
app-layer-protos.h
FILE_SHA1
#define FILE_SHA1
Definition: util-file.h:41
File_::txid
uint64_t txid
Definition: util-file.h:68
FILE_SIG_NEED_FILECONTENT
#define FILE_SIG_NEED_FILECONTENT
Definition: detect.h:286
FILESTORE_SCOPE_DEFAULT
#define FILESTORE_SCOPE_DEFAULT
Definition: detect-filestore.h:32
app-layer-smtp.h
detect-engine-dcepayload.h
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
FILE_SIG_NEED_SIZE
#define FILE_SIG_NEED_SIZE
Definition: detect.h:290
FILE_STATE_NONE
@ FILE_STATE_NONE
Definition: util-file.h:53