suricata
detect-engine-file.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #include "suricata-common.h"
25 
26 #include "decode.h"
27 
28 #include "detect.h"
29 #include "detect-engine.h"
30 #include "detect-parse.h"
31 #include "detect-engine-state.h"
32 
33 #include "detect-filestore.h"
34 
36 #include "detect-engine-file.h"
37 
38 #include "stream-tcp.h"
39 #include "stream-tcp-private.h"
40 #include "stream-tcp-reassemble.h"
41 
42 #include "app-layer-parser.h"
43 #include "app-layer-protos.h"
44 #include "app-layer-htp.h"
45 #include "app-layer-smtp.h"
46 
47 #include "util-unittest.h"
48 #include "util-unittest-helper.h"
49 #include "util-profiling.h"
50 #include "util-validate.h"
51 
52 
53 /**
54  * \brief Inspect the file inspecting keywords.
55  *
56  * \param tv thread vars
57  * \param det_ctx detection engine thread ctx
58  * \param f flow
59  * \param s signature to inspect
60  *
61  * \retval 0 no match
62  * \retval 1 match
63  * \retval 2 can't match
64  * \retval 3 can't match filestore signature
65  */
66 static uint8_t DetectFileInspect(DetectEngineThreadCtx *det_ctx, Flow *f, const Signature *s,
67  const SigMatchData *smd, uint8_t flags, FileContainer *ffc)
68 {
69  uint8_t r = 0;
70  int match = 0;
71  int store_r = 0;
72 
73  SCLogDebug("file inspection... %p", ffc);
74 
75  for (File *file = ffc->head; file != NULL; file = file->next) {
76  SCLogDebug("file");
77 
78  if (file->state == FILE_STATE_NONE) {
79  SCLogDebug("file state FILE_STATE_NONE");
80  continue;
81  }
82 
83  if ((s->file_flags & FILE_SIG_NEED_FILENAME) && file->name == NULL) {
84  SCLogDebug("sig needs filename, but we don't have any");
86  continue;
87  }
88 
89  uint64_t file_size = FileDataSize(file);
90  if ((s->file_flags & FILE_SIG_NEED_MAGIC) && file_size == 0) {
91  SCLogDebug("sig needs file content, but we don't have any");
93  continue;
94  }
95 
96  if ((s->file_flags & FILE_SIG_NEED_FILECONTENT) && file_size == 0) {
97  SCLogDebug("sig needs file content, but we don't have any");
99  continue;
100  }
101 
102  if ((s->file_flags & FILE_SIG_NEED_MD5) && (!(file->flags & FILE_MD5))) {
103  SCLogDebug("sig needs file md5, but we don't have any");
105  continue;
106  }
107 
108  if ((s->file_flags & FILE_SIG_NEED_SHA1) && (!(file->flags & FILE_SHA1))) {
109  SCLogDebug("sig needs file sha1, but we don't have any");
111  continue;
112  }
113 
114  if ((s->file_flags & FILE_SIG_NEED_SHA256) && (!(file->flags & FILE_SHA256))) {
115  SCLogDebug("sig needs file sha256, but we don't have any");
117  continue;
118  }
119 
120  if ((s->file_flags & FILE_SIG_NEED_SIZE) && file->state < FILE_STATE_CLOSED) {
121  SCLogDebug("sig needs filesize, but state < FILE_STATE_CLOSED");
123  continue;
124  }
125 
126  /* run the file match functions. */
127  while (1) {
128  SCLogDebug("smd %p", smd);
129 
130  if (sigmatch_table[smd->type].FileMatch != NULL) {
132  match = sigmatch_table[smd->type].FileMatch(det_ctx, f, flags, file, s, smd->ctx);
133  KEYWORD_PROFILING_END(det_ctx, smd->type, (match > 0));
134  if (match == 0) {
136  break;
137  } else if (smd->is_last) {
139  break;
140  }
141  }
142  if (smd->is_last)
143  break;
144  smd++;
145  }
146 
147  /* continue inspection for other files as we may want to store
148  * those as well. We'll return 1 (match) regardless of their
149  * results though */
152 
153  /* continue, this file may (or may not) be unable to match
154  * maybe we have more that can :) */
155  }
156 
158  SCLogDebug("stored MATCH, current file NOMATCH");
160  }
161 
162  if (store_r == DETECT_ENGINE_INSPECT_SIG_MATCH)
164  SCReturnInt(r);
165 }
166 
167 /**
168  * \brief Inspect the file inspecting keywords against the state
169  *
170  * \param det_ctx detection engine thread ctx
171  * \param f flow
172  * \param s signature to inspect
173  * \param alstate state
174  * \param flags direction flag
175  *
176  * \retval 0 no match
177  * \retval 1 match
178  * \retval 2 can't match
179  * \retval 3 can't match filestore signature
180  *
181  * \note flow is not locked at this time
182  */
184  const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
185  uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
186 {
187  SCEnter();
188  DEBUG_VALIDATE_BUG_ON(f->alstate != alstate);
189 
190  const uint8_t direction = flags & (STREAM_TOSERVER|STREAM_TOCLIENT);
191  AppLayerGetFileState files = AppLayerParserGetTxFiles(f, alstate, tx, direction);
192  FileContainer *ffc = files.fc;
193  SCLogDebug("tx %p tx_id %" PRIu64 " ffc %p ffc->head %p sid %u", tx, tx_id, ffc,
194  ffc ? ffc->head : NULL, s->id);
195  if (ffc == NULL) {
197  } else if (ffc->head == NULL) {
199  }
200 
202  uint8_t match = DetectFileInspect(det_ctx, f, s, engine->smd, flags, ffc);
203  if (match == DETECT_ENGINE_INSPECT_SIG_MATCH) {
205  } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH) {
206  SCLogDebug("sid %u can't match on this transaction", s->id);
208  } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES) {
209  SCLogDebug("sid %u can't match on this transaction (file sig)", s->id);
211  } else if (match == DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES) {
212  SCLogDebug("match with more files ahead");
213  r = match;
214  }
215 
216  SCReturnInt(r);
217 }
DetectEngineAppInspectionEngine_
Definition: detect.h:418
FileContainer_
Definition: util-file.h:113
detect-engine.h
FILE_SIG_NEED_SHA1
#define FILE_SIG_NEED_SHA1
Definition: detect.h:310
stream-tcp.h
FILE_SHA256
#define FILE_SHA256
Definition: util-file.h:52
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:353
Flow_
Flow data structure.
Definition: flow.h:343
SigTableElmt_::FileMatch
int(* FileMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, File *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1244
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:827
stream-tcp-reassemble.h
FILE_SIG_NEED_FILENAME
#define FILE_SIG_NEED_FILENAME
Definition: detect.h:306
SigMatchData_
Data needed for Match()
Definition: detect.h:350
KEYWORD_PROFILING_START
#define KEYWORD_PROFILING_START
Definition: util-profiling.h:50
SigMatchData_::type
uint16_t type
Definition: detect.h:351
util-unittest.h
util-unittest-helper.h
KEYWORD_PROFILING_END
#define KEYWORD_PROFILING_END(ctx, type, m)
Definition: util-profiling.h:64
FILE_SIG_NEED_MD5
#define FILE_SIG_NEED_MD5
Definition: detect.h:309
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES
Definition: detect-engine-state.h:44
app-layer-htp.h
decode.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1058
FILE_SIG_NEED_MAGIC
#define FILE_SIG_NEED_MAGIC
Definition: detect.h:307
detect-engine-file.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
FileContainer_::head
File * head
Definition: util-file.h:114
detect.h
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:39
app-layer-parser.h
util-profiling.h
FILE_SIG_NEED_SHA256
#define FILE_SIG_NEED_SHA256
Definition: detect.h:311
stream-tcp-private.h
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
detect-filestore.h
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
Definition: detect-engine-state.h:40
FileDataSize
uint64_t FileDataSize(const File *file)
get the size of the file data
Definition: util-file.c:323
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:435
DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES
#define DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES
Definition: detect-engine-state.h:50
FILE_STATE_CLOSED
@ FILE_STATE_CLOSED
Definition: util-file.h:71
File_
Definition: util-file.h:79
flags
uint8_t flags
Definition: decode-gre.h:0
SigMatchData_::is_last
uint8_t is_last
Definition: detect.h:352
suricata-common.h
Signature_::file_flags
uint8_t file_flags
Definition: detect.h:598
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:77
File_::next
struct File_ * next
Definition: util-file.h:92
FILE_MD5
#define FILE_MD5
Definition: util-file.h:48
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:38
util-validate.h
Flow_::alstate
void * alstate
Definition: flow.h:468
Signature_::id
uint32_t id
Definition: detect.h:617
DetectFileInspectGeneric
uint8_t DetectFileInspectGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
Inspect the file inspecting keywords against the state.
Definition: detect-engine-file.c:183
detect-parse.h
Signature_
Signature container.
Definition: detect.h:582
app-layer-protos.h
FILE_SHA1
#define FILE_SHA1
Definition: util-file.h:50
FILE_SIG_NEED_FILECONTENT
#define FILE_SIG_NEED_FILECONTENT
Definition: detect.h:308
AppLayerParserGetTxFiles
AppLayerGetFileState AppLayerParserGetTxFiles(const Flow *f, void *state, void *tx, const uint8_t direction)
Definition: app-layer-parser.c:890
app-layer-smtp.h
detect-engine-dcepayload.h
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:104
FILE_SIG_NEED_SIZE
#define FILE_SIG_NEED_SIZE
Definition: detect.h:312
FILE_STATE_NONE
@ FILE_STATE_NONE
Definition: util-file.h:69