suricata
detect-engine-file.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2011 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #include "suricata-common.h"
25 
26 #include "decode.h"
27 
28 #include "detect.h"
29 #include "detect-engine.h"
30 #include "detect-parse.h"
31 #include "detect-engine-state.h"
32 
33 #include "detect-filestore.h"
34 
36 #include "detect-engine-file.h"
37 
38 #include "stream-tcp.h"
39 #include "stream-tcp-private.h"
40 #include "stream-tcp-reassemble.h"
41 
42 #include "app-layer-parser.h"
43 #include "app-layer-protos.h"
44 #include "app-layer-htp.h"
46 #include "app-layer-dcerpc.h"
47 #include "app-layer-smtp.h"
48 
49 #include "util-unittest.h"
50 #include "util-unittest-helper.h"
51 #include "util-profiling.h"
52 
53 
54 /**
55  * \brief Inspect the file inspecting keywords.
56  *
57  * \param tv thread vars
58  * \param det_ctx detection engine thread ctx
59  * \param f flow
60  * \param s signature to inspect
61  *
62  * \retval 0 no match
63  * \retval 1 match
64  * \retval 2 can't match
65  * \retval 3 can't match filestore signature
66  */
67 static int DetectFileInspect(ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
68  Flow *f, const Signature *s, const SigMatchData *smd,
69  uint8_t flags, FileContainer *ffc)
70 {
71  int r = 0;
72  int match = 0;
73  int store_r = 0;
74 
75  SCLogDebug("file inspection... %p", ffc);
76 
77  if (ffc != NULL) {
78  File *file = ffc->head;
79  for (; file != NULL; file = file->next) {
80  SCLogDebug("file");
81 
82  if (file->state == FILE_STATE_NONE) {
83  SCLogDebug("file state FILE_STATE_NONE");
84  continue;
85  }
86 
87  if (file->txid < det_ctx->tx_id) {
88  SCLogDebug("file->txid < det_ctx->tx_id == %"PRIu64" < %"PRIu64, file->txid, det_ctx->tx_id);
89  continue;
90  }
91 
92  if (file->txid > det_ctx->tx_id) {
93  SCLogDebug("file->txid > det_ctx->tx_id == %"PRIu64" > %"PRIu64, file->txid, det_ctx->tx_id);
94  break;
95  }
96 
97  if ((s->file_flags & FILE_SIG_NEED_FILENAME) && file->name == NULL) {
98  SCLogDebug("sig needs filename, but we don't have any");
100  continue;
101  }
102 
103  uint64_t file_size = FileDataSize(file);
104  if ((s->file_flags & FILE_SIG_NEED_MAGIC) && file_size == 0) {
105  SCLogDebug("sig needs file content, but we don't have any");
107  continue;
108  }
109 
110  if ((s->file_flags & FILE_SIG_NEED_FILECONTENT) && file_size == 0) {
111  SCLogDebug("sig needs file content, but we don't have any");
113  continue;
114  }
115 
116  if ((s->file_flags & FILE_SIG_NEED_MD5) && (!(file->flags & FILE_MD5))) {
117  SCLogDebug("sig needs file md5, but we don't have any");
119  continue;
120  }
121 
122  if ((s->file_flags & FILE_SIG_NEED_SHA1) && (!(file->flags & FILE_SHA1))) {
123  SCLogDebug("sig needs file sha1, but we don't have any");
125  continue;
126  }
127 
128  if ((s->file_flags & FILE_SIG_NEED_SHA256) && (!(file->flags & FILE_SHA256))) {
129  SCLogDebug("sig needs file sha256, but we don't have any");
131  continue;
132  }
133 
134  if ((s->file_flags & FILE_SIG_NEED_SIZE) && file->state < FILE_STATE_CLOSED) {
135  SCLogDebug("sig needs filesize, but state < FILE_STATE_CLOSED");
137  continue;
138  }
139 
140  /* run the file match functions. */
141  while (1) {
142  SCLogDebug("smd %p", smd);
143 
144  if (sigmatch_table[smd->type].FileMatch != NULL) {
146  match = sigmatch_table[smd->type].
147  FileMatch(tv, det_ctx, f, flags, file, s, smd->ctx);
148  KEYWORD_PROFILING_END(det_ctx, smd->type, (match > 0));
149  if (match == 0) {
151  break;
152  } else if (smd->is_last) {
154  break;
155  }
156  }
157  if (smd->is_last)
158  break;
159  smd++;
160  }
161 
162  /* continue inspection for other files as we may want to store
163  * those as well. We'll return 1 (match) regardless of their
164  * results though */
167 
168  /* continue, this file may (or may not) be unable to match
169  * maybe we have more that can :) */
170  }
171  } else {
172  /* if we have a filestore sm with a scope > file (so tx, ssn) we
173  * run it here */
174  if (smd != NULL && smd->is_last && smd->type == DETECT_FILESTORE &&
175  smd->ctx != NULL)
176  {
178  if (fd->scope > FILESTORE_SCOPE_DEFAULT) {
180  match = sigmatch_table[smd->type].
181  FileMatch(tv, det_ctx, f, flags, /* no file */NULL, s, smd->ctx);
182  KEYWORD_PROFILING_END(det_ctx, smd->type, (match > 0));
183 
184  if (match == 1) {
186  }
187  }
188  }
189  }
190 
192  SCLogDebug("stored MATCH, current file NOMATCH");
194  }
195 
196  if (store_r == DETECT_ENGINE_INSPECT_SIG_MATCH)
198  SCReturnInt(r);
199 }
200 
201 /**
202  * \brief Inspect the file inspecting keywords against the state
203  *
204  * \param tv thread vars
205  * \param det_ctx detection engine thread ctx
206  * \param f flow
207  * \param s signature to inspect
208  * \param alstate state
209  * \param flags direction flag
210  *
211  * \retval 0 no match
212  * \retval 1 match
213  * \retval 2 can't match
214  * \retval 3 can't match filestore signature
215  *
216  * \note flow is not locked at this time
217  */
219  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
220  const Signature *s, const SigMatchData *smd,
221  Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
222 {
223  SCEnter();
224 
225  if (alstate == NULL) {
227  }
228 
229  const uint8_t direction = flags & (STREAM_TOSERVER|STREAM_TOCLIENT);
230  FileContainer *ffc = AppLayerParserGetFiles(f->proto, f->alproto, alstate, direction);
231  if (ffc == NULL || ffc->head == NULL) {
233  }
234 
236  int match = DetectFileInspect(tv, det_ctx, f, s, smd, flags, ffc);
237  if (match == DETECT_ENGINE_INSPECT_SIG_MATCH) {
239  } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH) {
240  SCLogDebug("sid %u can't match on this transaction", s->id);
242  } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES) {
243  SCLogDebug("sid %u can't match on this transaction (file sig)", s->id);
245  } else if (match == DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES) {
246  SCLogDebug("match with more files ahead");
247  r = match;
248  }
249 
250  SCReturnInt(r);
251 }
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1431
uint16_t flags
#define SCLogDebug(...)
Definition: util-debug.h:335
#define KEYWORD_PROFILING_END(ctx, type, m)
uint8_t proto
Definition: flow.h:344
uint32_t id
Definition: detect.h:547
uint8_t is_last
Definition: detect.h:334
#define FILE_SHA256
Definition: util-file.h:43
uint64_t FileDataSize(const File *file)
get the size of the file data
Definition: util-file.c:277
#define FILE_SIG_NEED_FILENAME
Definition: detect.h:288
Data needed for Match()
Definition: detect.h:332
Signature container.
Definition: detect.h:514
struct File_ * next
Definition: util-file.h:79
int DetectFileInspectGeneric(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
Inspect the file inspecting keywords against the state.
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES
main detection engine ctx
Definition: detect.h:743
#define KEYWORD_PROFILING_START
int(* FileMatch)(ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t flags, File *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1161
uint16_t flags
Definition: util-file.h:65
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Data structures and function prototypes for keeping state for the detection engine.
#define FILE_SIG_NEED_MAGIC
Definition: detect.h:289
uint64_t txid
Definition: util-file.h:69
#define SCEnter(...)
Definition: util-debug.h:337
#define STREAM_TOCLIENT
Definition: stream.h:32
#define SCReturnInt(x)
Definition: util-debug.h:341
#define FILE_MD5
Definition: util-file.h:39
#define FILE_SIG_NEED_MD5
Definition: detect.h:291
#define FILE_SHA1
Definition: util-file.h:41
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
uint8_t type
Definition: detect.h:333
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES
uint16_t tx_id
#define FILE_SIG_NEED_SHA1
Definition: detect.h:292
#define FILE_SIG_NEED_FILECONTENT
Definition: detect.h:290
#define STREAM_TOSERVER
Definition: stream.h:31
#define FILE_SIG_NEED_SHA256
Definition: detect.h:293
FileState state
Definition: util-file.h:67
#define FILESTORE_SCOPE_DEFAULT
Per thread variable structure.
Definition: threadvars.h:57
AppProto alproto
application level protocol
Definition: flow.h:409
uint8_t file_flags
Definition: detect.h:528
FileContainer * AppLayerParserGetFiles(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t direction)
Flow data structure.
Definition: flow.h:325
uint8_t * name
Definition: util-file.h:75
SigMatchCtx * ctx
Definition: detect.h:335
#define FILE_SIG_NEED_SIZE
Definition: detect.h:294