suricata
detect-file-data.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  */
24 
25 #include "suricata-common.h"
26 #include "threads.h"
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 
32 #include "detect-engine.h"
33 #include "detect-engine-mpm.h"
34 #include "detect-engine-state.h"
37 #include "detect-file-data.h"
38 
39 #include "app-layer-parser.h"
40 #include "app-layer-htp.h"
41 #include "app-layer-smtp.h"
42 
43 #include "flow.h"
44 #include "flow-var.h"
45 #include "flow-util.h"
46 
47 #include "util-debug.h"
48 #include "util-spm-bm.h"
49 #include "util-unittest.h"
50 #include "util-unittest-helper.h"
52 #include "util-profiling.h"
53 
54 static int DetectFiledataSetup (DetectEngineCtx *, Signature *, const char *);
55 #ifdef UNITTESTS
56 static void DetectFiledataRegisterTests(void);
57 #endif
58 static void DetectFiledataSetupCallback(const DetectEngineCtx *de_ctx,
59  Signature *s);
60 static int g_file_data_buffer_id = 0;
61 
62 static inline HtpBody *GetResponseBody(htp_tx_t *tx);
63 
64 /* HTTP */
65 static int PrefilterMpmHTTPFiledataRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
66  MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id);
67 
68 /* file API */
69 static uint8_t DetectEngineInspectFiledata(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
70  const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags,
71  void *alstate, void *txv, uint64_t tx_id);
73  SigGroupHead *sgh, MpmCtx *mpm_ctx,
74  const DetectBufferMpmRegistery *mpm_reg, int list_id);
75 
76 static uint8_t DetectEngineInspectBufferHttpBody(DetectEngineCtx *de_ctx,
78  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
79 
80 /**
81  * \brief Registration function for keyword: file_data
82  */
84 {
85  sigmatch_table[DETECT_FILE_DATA].name = "file.data";
86  sigmatch_table[DETECT_FILE_DATA].alias = "file_data";
87  sigmatch_table[DETECT_FILE_DATA].desc = "make content keywords match on file data";
88  sigmatch_table[DETECT_FILE_DATA].url = "/rules/http-keywords.html#file-data";
89  sigmatch_table[DETECT_FILE_DATA].Setup = DetectFiledataSetup;
90 #ifdef UNITTESTS
92 #endif
94 
97  ALPROTO_SMTP, 0);
98  DetectAppLayerMpmRegister2("file_data", SIG_FLAG_TOCLIENT, 2, PrefilterMpmHTTPFiledataRegister,
99  NULL, ALPROTO_HTTP1, HTP_RESPONSE_BODY);
101  NULL, ALPROTO_HTTP1, HTP_REQUEST_BODY);
104  ALPROTO_SMB, 0);
107  ALPROTO_SMB, 0);
110  ALPROTO_HTTP2, HTTP2StateDataClient);
113  ALPROTO_HTTP2, HTTP2StateDataServer);
115  "file_data", SIG_FLAG_TOSERVER, 2, PrefilterMpmFiledataRegister, NULL, ALPROTO_NFS, 0);
117  "file_data", SIG_FLAG_TOCLIENT, 2, PrefilterMpmFiledataRegister, NULL, ALPROTO_NFS, 0);
119  NULL, ALPROTO_FTPDATA, 0);
121  NULL, ALPROTO_FTPDATA, 0);
123  "file_data", SIG_FLAG_TOSERVER, 2, PrefilterMpmFiledataRegister, NULL, ALPROTO_FTP, 0);
125  "file_data", SIG_FLAG_TOCLIENT, 2, PrefilterMpmFiledataRegister, NULL, ALPROTO_FTP, 0);
126 
128  HTP_RESPONSE_BODY, DetectEngineInspectBufferHttpBody, NULL);
130  HTP_REQUEST_BODY, DetectEngineInspectFiledata, NULL);
133  DetectEngineInspectFiledata, NULL);
135  DetectFiledataSetupCallback);
138  DetectEngineInspectFiledata, NULL);
141  DetectEngineInspectFiledata, NULL);
143  ALPROTO_HTTP2, SIG_FLAG_TOSERVER, HTTP2StateDataClient,
144  DetectEngineInspectFiledata, NULL);
146  ALPROTO_HTTP2, SIG_FLAG_TOCLIENT, HTTP2StateDataServer,
147  DetectEngineInspectFiledata, NULL);
149  "file_data", ALPROTO_NFS, SIG_FLAG_TOSERVER, 0, DetectEngineInspectFiledata, NULL);
151  "file_data", ALPROTO_NFS, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectFiledata, NULL);
153  "file_data", ALPROTO_FTPDATA, SIG_FLAG_TOSERVER, 0, DetectEngineInspectFiledata, NULL);
155  "file_data", ALPROTO_FTPDATA, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectFiledata, NULL);
157  "file_data", ALPROTO_FTP, SIG_FLAG_TOSERVER, 0, DetectEngineInspectFiledata, NULL);
159  "file_data", ALPROTO_FTP, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectFiledata, NULL);
160 
161  DetectBufferTypeSetDescriptionByName("file_data", "data from tracked files");
162 
163  g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
164 }
165 
166 static void SetupDetectEngineConfig(DetectEngineCtx *de_ctx) {
168  return;
169 
170  /* initialize default */
171  for (int i = 0; i < (int)ALPROTO_MAX; i++) {
175  }
176 
177  /* add protocol specific settings here */
178 
179  /* SMTP */
183 
185 }
186 
187 /**
188  * \brief this function is used to parse filedata options
189  * \brief into the current signature
190  *
191  * \param de_ctx pointer to the Detection Engine Context
192  * \param s pointer to the Current Signature
193  * \param str pointer to the user provided "filestore" option
194  *
195  * \retval 0 on Success
196  * \retval -1 on Failure
197  */
198 static int DetectFiledataSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
199 {
200  SCEnter();
201 
202  if (!DetectProtoContainsProto(&s->proto, IPPROTO_TCP) ||
203  (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP1 &&
204  s->alproto != ALPROTO_SMTP && s->alproto != ALPROTO_SMB &&
205  s->alproto != ALPROTO_HTTP2 && s->alproto != ALPROTO_FTP &&
206  s->alproto != ALPROTO_FTPDATA && s->alproto != ALPROTO_HTTP &&
207  s->alproto != ALPROTO_NFS)) {
208  SCLogError("rule contains conflicting keywords.");
209  return -1;
210  }
211 
213  !(s->flags & SIG_FLAG_TOSERVER) && (s->flags & SIG_FLAG_TOCLIENT)) {
214  SCLogError("Can't use file_data with "
215  "flow:to_client or flow:from_server with smtp.");
216  return -1;
217  }
218 
219  if (DetectBufferSetActiveList(s, DetectBufferTypeGetByName("file_data")) < 0)
220  return -1;
221 
223  SetupDetectEngineConfig(de_ctx);
224  return 0;
225 }
226 
227 static void DetectFiledataSetupCallback(const DetectEngineCtx *de_ctx,
228  Signature *s)
229 {
230  if (s->alproto == ALPROTO_HTTP1 || s->alproto == ALPROTO_UNKNOWN ||
231  s->alproto == ALPROTO_HTTP) {
233  }
234 
235  /* server body needs to be inspected in sync with stream if possible */
237 
238  SCLogDebug("callback invoked by %u", s->id);
239 }
240 
241 /* common */
242 
243 typedef struct PrefilterMpmFiledata {
244  int list_id;
246  const MpmCtx *mpm_ctx;
249 
250 static void PrefilterMpmFiledataFree(void *ptr)
251 {
252  SCFree(ptr);
253 }
254 
255 /* HTTP based detection */
256 
257 static inline HtpBody *GetResponseBody(htp_tx_t *tx)
258 {
259  HtpTxUserData *htud = (HtpTxUserData *)htp_tx_get_user_data(tx);
260  if (htud == NULL) {
261  SCLogDebug("no htud");
262  return NULL;
263  }
264 
265  return &htud->response_body;
266 }
267 
268 static inline InspectionBuffer *HttpServerBodyXformsGetDataCallback(DetectEngineThreadCtx *det_ctx,
269  const DetectEngineTransforms *transforms, const int list_id, InspectionBuffer *base_buffer)
270 {
271  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
272  if (buffer->inspect != NULL)
273  return buffer;
274 
275  InspectionBufferSetup(det_ctx, list_id, buffer, base_buffer->inspect, base_buffer->inspect_len);
276  buffer->inspect_offset = base_buffer->inspect_offset;
277  InspectionBufferApplyTransforms(buffer, transforms);
278  SCLogDebug("xformed buffer %p size %u", buffer, buffer->inspect_len);
279  SCReturnPtr(buffer, "InspectionBuffer");
280 }
281 
282 static InspectionBuffer *HttpServerBodyGetDataCallback(DetectEngineThreadCtx *det_ctx,
283  const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv,
284  const int list_id, const int base_id)
285 {
286  SCEnter();
287 
288  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, base_id);
289  if (base_id != list_id && buffer->inspect != NULL)
290  return HttpServerBodyXformsGetDataCallback(det_ctx, transforms, list_id, buffer);
291  else if (buffer->inspect != NULL)
292  return buffer;
293 
294  htp_tx_t *tx = txv;
295  HtpState *htp_state = f->alstate;
296  const uint8_t flags = flow_flags;
297 
298  HtpBody *body = GetResponseBody(tx);
299  if (body == NULL) {
300  return NULL;
301  }
302 
303  /* no new data */
304  if (body->body_inspected == body->content_len_so_far) {
305  SCLogDebug("no new data");
306  return NULL;
307  }
308 
309  HtpBodyChunk *cur = body->first;
310  if (cur == NULL) {
311  SCLogDebug("No http chunks to inspect for this transaction");
312  return NULL;
313  }
314 
315  SCLogDebug("response.body_limit %u response_body.content_len_so_far %" PRIu64
316  ", response.inspect_min_size %" PRIu32 ", EOF %s, progress > body? %s",
317  htp_state->cfg->response.body_limit, body->content_len_so_far,
318  htp_state->cfg->response.inspect_min_size, flags & STREAM_EOF ? "true" : "false",
320  HTP_RESPONSE_BODY)
321  ? "true"
322  : "false");
323 
324  if (!htp_state->cfg->http_body_inline) {
325  /* inspect the body if the transfer is complete or we have hit
326  * our body size limit */
327  if ((htp_state->cfg->response.body_limit == 0 ||
328  body->content_len_so_far < htp_state->cfg->response.body_limit) &&
329  body->content_len_so_far < htp_state->cfg->response.inspect_min_size &&
330  !(AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP1, tx, flags) >
331  HTP_RESPONSE_BODY) &&
332  !(flags & STREAM_EOF)) {
333  SCLogDebug("we still haven't seen the entire response body. "
334  "Let's defer body inspection till we see the "
335  "entire body.");
336  return NULL;
337  }
338  }
339 
340  /* get the inspect buffer
341  *
342  * make sure that we have at least the configured inspect_win size.
343  * If we have more, take at least 1/4 of the inspect win size before
344  * the new data.
345  */
346  uint64_t offset = 0;
347  if (body->body_inspected > htp_state->cfg->response.inspect_min_size) {
349  uint64_t inspect_win = body->content_len_so_far - body->body_inspected;
350  SCLogDebug("inspect_win %"PRIu64, inspect_win);
351  if (inspect_win < htp_state->cfg->response.inspect_window) {
352  uint64_t inspect_short = htp_state->cfg->response.inspect_window - inspect_win;
353  if (body->body_inspected < inspect_short)
354  offset = 0;
355  else
356  offset = body->body_inspected - inspect_short;
357  } else {
358  offset = body->body_inspected - (htp_state->cfg->response.inspect_window / 4);
359  }
360  }
361 
362  const uint8_t *data;
363  uint32_t data_len;
364 
366  &data, &data_len, offset);
367  InspectionBufferSetup(det_ctx, base_id, buffer, data, data_len);
368  buffer->inspect_offset = offset;
369  body->body_inspected = body->content_len_so_far;
370  SCLogDebug("body->body_inspected now: %" PRIu64, body->body_inspected);
371 
372  /* built-in 'transformation' */
373  if (htp_state->cfg->swf_decompression_enabled) {
374  int swf_file_type = FileIsSwfFile(data, data_len);
375  if (swf_file_type == FILE_SWF_ZLIB_COMPRESSION ||
376  swf_file_type == FILE_SWF_LZMA_COMPRESSION)
377  {
378  (void)FileSwfDecompression(data, data_len,
379  det_ctx,
380  buffer,
381  htp_state->cfg->swf_compression_type,
382  htp_state->cfg->swf_decompress_depth,
383  htp_state->cfg->swf_compress_depth);
384  }
385  }
386 
387  if (base_id != list_id) {
388  buffer = HttpServerBodyXformsGetDataCallback(det_ctx, transforms, list_id, buffer);
389  }
390  SCReturnPtr(buffer, "InspectionBuffer");
391 }
392 
393 static uint8_t DetectEngineInspectBufferHttpBody(DetectEngineCtx *de_ctx,
395  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
396 {
397  bool eof =
398  (AppLayerParserGetStateProgress(f->proto, f->alproto, txv, flags) > engine->progress);
399  const InspectionBuffer *buffer = HttpServerBodyGetDataCallback(
400  det_ctx, engine->v2.transforms, f, flags, txv, engine->sm_list, engine->sm_list_base);
401  if (buffer == NULL || buffer->inspect == NULL) {
403  }
404 
405  const uint32_t data_len = buffer->inspect_len;
406  const uint8_t *data = buffer->inspect;
407  const uint64_t offset = buffer->inspect_offset;
408 
409  uint8_t ci_flags = eof ? DETECT_CI_FLAGS_END : 0;
410  ci_flags |= (offset == 0 ? DETECT_CI_FLAGS_START : 0);
411  ci_flags |= buffer->flags;
412 
413  det_ctx->discontinue_matching = 0;
414  det_ctx->buffer_offset = 0;
415  det_ctx->inspection_recursion_counter = 0;
416 
417  /* Inspect all the uricontents fetched on each
418  * transaction at the app layer */
419  int r = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, (uint8_t *)data,
421  if (r == 1) {
423  }
424 
425  if (flags & STREAM_TOSERVER) {
426  if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP1, txv, flags) >
427  HTP_REQUEST_BODY)
429  } else {
430  if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP1, txv, flags) >
431  HTP_RESPONSE_BODY)
433  }
435 }
436 
437 /** \brief Filedata Filedata Mpm prefilter callback
438  *
439  * \param det_ctx detection engine thread ctx
440  * \param pectx inspection context
441  * \param p packet to inspect
442  * \param f flow to inspect
443  * \param txv tx to inspect
444  * \param idx transaction id
445  * \param flags STREAM_* flags including direction
446  */
447 static void PrefilterTxHTTPFiledata(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
448  Flow *f, void *txv, const uint64_t idx, const AppLayerTxData *_txd, const uint8_t flags)
449 {
450  SCEnter();
451 
452  const PrefilterMpmFiledata *ctx = (const PrefilterMpmFiledata *)pectx;
453  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
454  const int list_id = ctx->list_id;
455 
456  InspectionBuffer *buffer = HttpServerBodyGetDataCallback(
457  det_ctx, ctx->transforms, f, flags, txv, list_id, ctx->base_list_id);
458  if (buffer == NULL)
459  return;
460 
461  if (buffer->inspect_len >= mpm_ctx->minlen) {
462  (void)mpm_table[mpm_ctx->mpm_type].Search(
463  mpm_ctx, &det_ctx->mtcu, &det_ctx->pmq, buffer->inspect, buffer->inspect_len);
464  PREFILTER_PROFILING_ADD_BYTES(det_ctx, buffer->inspect_len);
465  }
466 }
467 
468 static int PrefilterMpmHTTPFiledataRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
469  MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)
470 {
471  PrefilterMpmFiledata *pectx = SCCalloc(1, sizeof(*pectx));
472  if (pectx == NULL)
473  return -1;
474  pectx->list_id = list_id;
475  pectx->base_list_id = mpm_reg->sm_list_base;
476  SCLogDebug("list_id %d base_list_id %d", list_id, pectx->base_list_id);
477  pectx->mpm_ctx = mpm_ctx;
478  pectx->transforms = &mpm_reg->transforms;
479 
480  return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxHTTPFiledata, mpm_reg->app_v2.alproto,
481  mpm_reg->app_v2.tx_min_progress, pectx, PrefilterMpmFiledataFree, mpm_reg->pname);
482 }
483 
484 /* file API based inspection */
485 
486 static inline InspectionBuffer *FiledataWithXformsGetDataCallback(DetectEngineThreadCtx *det_ctx,
487  const DetectEngineTransforms *transforms, const int list_id, int local_file_id,
488  InspectionBuffer *base_buffer)
489 {
490  InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, local_file_id);
491  if (buffer == NULL) {
492  SCLogDebug("list_id: %d: no buffer", list_id);
493  return NULL;
494  }
495  if (buffer->initialized) {
496  SCLogDebug("list_id: %d: returning %p", list_id, buffer);
497  return buffer;
498  }
499 
500  InspectionBufferSetupMulti(buffer, transforms, base_buffer->inspect, base_buffer->inspect_len);
501  buffer->inspect_offset = base_buffer->inspect_offset;
502  SCLogDebug("xformed buffer %p size %u", buffer, buffer->inspect_len);
503  SCReturnPtr(buffer, "InspectionBuffer");
504 }
505 
506 static InspectionBuffer *FiledataGetDataCallback(DetectEngineThreadCtx *det_ctx,
507  const DetectEngineTransforms *transforms, Flow *f, uint8_t flow_flags, File *cur_file,
508  const int list_id, const int base_id, int local_file_id)
509 {
510  SCEnter();
511  SCLogDebug("starting: list_id %d base_id %d", list_id, base_id);
512 
513  InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, base_id, local_file_id);
514  SCLogDebug("base: buffer %p", buffer);
515  if (buffer == NULL)
516  return NULL;
517  if (base_id != list_id && buffer->inspect != NULL) {
518  SCLogDebug("handle xform %s", (list_id != base_id) ? "true" : "false");
519  return FiledataWithXformsGetDataCallback(
520  det_ctx, transforms, list_id, local_file_id, buffer);
521  }
522  if (buffer->initialized) {
523  SCLogDebug("base_id: %d, not first: use %p", base_id, buffer);
524  return buffer;
525  }
526 
527  const uint64_t file_size = FileDataSize(cur_file);
528  const DetectEngineCtx *de_ctx = det_ctx->de_ctx;
529  const uint32_t content_limit = de_ctx->filedata_config[f->alproto].content_limit;
530  const uint32_t content_inspect_min_size = de_ctx->filedata_config[f->alproto].content_inspect_min_size;
531  // TODO this is unused, is that right?
532  //const uint32_t content_inspect_window = de_ctx->filedata_config[f->alproto].content_inspect_window;
533 
534  SCLogDebug("[list %d] content_limit %u, content_inspect_min_size %u", list_id, content_limit,
535  content_inspect_min_size);
536 
537  SCLogDebug("[list %d] file %p size %" PRIu64 ", state %d", list_id, cur_file, file_size,
538  cur_file->state);
539 
540  /* no new data */
541  if (cur_file->content_inspected == file_size) {
542  SCLogDebug("no new data");
543  return NULL;
544  }
545 
546  if (file_size == 0) {
547  SCLogDebug("no data to inspect for this transaction");
548  return NULL;
549  }
550 
551  if ((content_limit == 0 || file_size < content_limit) &&
552  file_size < content_inspect_min_size &&
553  !(flow_flags & STREAM_EOF) && !(cur_file->state > FILE_STATE_OPENED)) {
554  SCLogDebug("we still haven't seen the entire content. "
555  "Let's defer content inspection till we see the "
556  "entire content.");
557  return NULL;
558  }
559 
560  const uint8_t *data;
561  uint32_t data_len;
562 
564  &data, &data_len,
565  cur_file->content_inspected);
566  InspectionBufferSetupMulti(buffer, NULL, data, data_len);
567  SCLogDebug("[list %d] [before] buffer offset %" PRIu64 "; buffer len %" PRIu32
568  "; data_len %" PRIu32 "; file_size %" PRIu64,
569  list_id, buffer->inspect_offset, buffer->inspect_len, data_len, file_size);
570  buffer->inspect_offset = cur_file->content_inspected;
571 
572  /* update inspected tracker */
573  cur_file->content_inspected = buffer->inspect_len + buffer->inspect_offset;
574  SCLogDebug("content inspected: %" PRIu64, cur_file->content_inspected);
575 
576  /* get buffer for the list id if it is different from the base id */
577  if (list_id != base_id) {
578  SCLogDebug("regular %d has been set up: now handle xforms id %d", base_id, list_id);
579  InspectionBuffer *tbuffer = FiledataWithXformsGetDataCallback(
580  det_ctx, transforms, list_id, local_file_id, buffer);
581  SCReturnPtr(tbuffer, "InspectionBuffer");
582  } else {
583  SCLogDebug("regular buffer %p size %u", buffer, buffer->inspect_len);
584  SCReturnPtr(buffer, "InspectionBuffer");
585  }
586 }
587 
588 static uint8_t DetectEngineInspectFiledata(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
589  const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags,
590  void *alstate, void *txv, uint64_t tx_id)
591 {
592  int r = 0;
593  int match = 0;
594 
595  const DetectEngineTransforms *transforms = NULL;
596  if (!engine->mpm) {
597  transforms = engine->v2.transforms;
598  }
599 
600  AppLayerGetFileState files = AppLayerParserGetTxFiles(f, alstate, txv, flags);
601  FileContainer *ffc = files.fc;
602  if (ffc == NULL) {
604  }
605 
606  int local_file_id = 0;
607  File *file = ffc->head;
608  for (; file != NULL; file = file->next) {
609  InspectionBuffer *buffer = FiledataGetDataCallback(det_ctx, transforms, f, flags, file,
610  engine->sm_list, engine->sm_list_base, local_file_id);
611  if (buffer == NULL)
612  continue;
613 
614  bool eof = (file->state == FILE_STATE_CLOSED);
615  uint8_t ciflags = eof ? DETECT_CI_FLAGS_END : 0;
616  if (buffer->inspect_offset == 0)
617  ciflags |= DETECT_CI_FLAGS_START;
618 
619  det_ctx->buffer_offset = 0;
620  det_ctx->discontinue_matching = 0;
621  det_ctx->inspection_recursion_counter = 0;
622  match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
623  NULL, f,
624  (uint8_t *)buffer->inspect,
625  buffer->inspect_len,
626  buffer->inspect_offset, ciflags,
628  if (match == 1) {
629  r = 1;
630  break;
631  }
632  local_file_id++;
633  }
634 
635  if (r == 1)
637  else
639 }
640 
641 /** \brief Filedata Filedata Mpm prefilter callback
642  *
643  * \param det_ctx detection engine thread ctx
644  * \param pectx inspection context
645  * \param p packet to inspect
646  * \param f flow to inspect
647  * \param txv tx to inspect
648  * \param idx transaction id
649  * \param flags STREAM_* flags including direction
650  */
651 static void PrefilterTxFiledata(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
652  Flow *f, void *txv, const uint64_t idx, const AppLayerTxData *txd, const uint8_t flags)
653 {
654  SCEnter();
655 
656  if (!AppLayerParserHasFilesInDir(txd, flags))
657  return;
658 
659  const PrefilterMpmFiledata *ctx = (const PrefilterMpmFiledata *)pectx;
660  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
661  const int list_id = ctx->list_id;
662 
663  AppLayerGetFileState files = AppLayerParserGetTxFiles(f, f->alstate, txv, flags);
664  FileContainer *ffc = files.fc;
665  if (ffc != NULL) {
666  int local_file_id = 0;
667  for (File *file = ffc->head; file != NULL; file = file->next) {
668  InspectionBuffer *buffer = FiledataGetDataCallback(det_ctx, ctx->transforms, f, flags,
669  file, list_id, ctx->base_list_id, local_file_id);
670  if (buffer == NULL)
671  continue;
672 
673  if (buffer->inspect_len >= mpm_ctx->minlen) {
674  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
675  &det_ctx->mtcu, &det_ctx->pmq,
676  buffer->inspect, buffer->inspect_len);
677  PREFILTER_PROFILING_ADD_BYTES(det_ctx, buffer->inspect_len);
678  }
679  local_file_id++;
680  }
681  }
682 }
683 
685  SigGroupHead *sgh, MpmCtx *mpm_ctx,
686  const DetectBufferMpmRegistery *mpm_reg, int list_id)
687 {
688  PrefilterMpmFiledata *pectx = SCCalloc(1, sizeof(*pectx));
689  if (pectx == NULL)
690  return -1;
691  pectx->list_id = list_id;
692  pectx->base_list_id = mpm_reg->sm_list_base;
693  pectx->mpm_ctx = mpm_ctx;
694  pectx->transforms = &mpm_reg->transforms;
695 
696  return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxFiledata,
697  mpm_reg->app_v2.alproto, mpm_reg->app_v2.tx_min_progress,
698  pectx, PrefilterMpmFiledataFree, mpm_reg->pname);
699 }
700 
701 #ifdef UNITTESTS
702 #include "tests/detect-file-data.c"
703 #endif
HtpState_::cfg
const struct HTPCfgRec_ * cfg
Definition: app-layer-htp.h:252
SMTPConfig::content_limit
uint32_t content_limit
Definition: app-layer-smtp.h:98
DetectEngineAppInspectionEngine_
Definition: detect.h:390
SigTableElmt_::url
const char * url
Definition: detect.h:1241
DetectEngineAppInspectionEngine_::mpm
bool mpm
Definition: detect.h:394
FileContainer_
Definition: util-file.h:113
MpmCtx_::mpm_type
uint8_t mpm_type
Definition: util-mpm.h:90
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1053
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1240
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
Definition: detect-engine-content-inspection.h:36
DETECT_CI_FLAGS_START
#define DETECT_CI_FLAGS_START
Definition: detect-engine-content-inspection.h:39
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1238
InspectionBuffer::initialized
bool initialized
Definition: detect.h:341
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1395
HtpBody_::sb
StreamingBuffer * sb
Definition: app-layer-htp.h:188
SIG_FLAG_INIT_FLOW
#define SIG_FLAG_INIT_FLOW
Definition: detect.h:250
DetectEngineTransforms
Definition: detect.h:372
HTPCfgRec_::response
HTPCfgDir response
Definition: app-layer-htp.h:172
SIG_FLAG_INIT_NEED_FLUSH
#define SIG_FLAG_INIT_NEED_FLUSH
Definition: detect.h:255
Signature_::alproto
AppProto alproto
Definition: detect.h:544
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
SIG_FLAG_INIT_FILEDATA
#define SIG_FLAG_INIT_FILEDATA
Definition: detect.h:257
HTPCfgDir_::body_limit
uint32_t body_limit
Definition: app-layer-htp.h:149
Flow_::proto
uint8_t proto
Definition: flow.h:379
DetectBufferMpmRegistery_::transforms
DetectEngineTransforms transforms
Definition: detect.h:640
AppLayerParserGetStateProgress
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
Definition: app-layer-parser.c:1122
FILE_SWF_LZMA_COMPRESSION
@ FILE_SWF_LZMA_COMPRESSION
Definition: util-file-decompression.h:34
FileSwfDecompression
int FileSwfDecompression(const uint8_t *buffer, uint32_t buffer_len, DetectEngineThreadCtx *det_ctx, InspectionBuffer *out_buffer, int swf_type, uint32_t decompress_depth, uint32_t compress_depth)
This function decompresses a buffer with zlib/lzma algorithm.
Definition: util-file-decompression.c:71
InspectionBuffer
Definition: detect.h:337
threads.h
FILE_STATE_OPENED
@ FILE_STATE_OPENED
Definition: util-file.h:70
Flow_
Flow data structure.
Definition: flow.h:357
File_::state
FileState state
Definition: util-file.h:82
DetectBufferTypeRegisterSetupCallback
void DetectBufferTypeRegisterSetupCallback(const char *name, void(*SetupCallback)(const DetectEngineCtx *, Signature *))
Definition: detect-engine.c:1255
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1134
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1232
DetectBufferMpmRegistery_::app_v2
struct DetectBufferMpmRegistery_::@87::@89 app_v2
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:785
detect-file-data.h
DetectEngineAppInspectionEngine_::sm_list_base
uint16_t sm_list_base
Definition: detect.h:397
ALPROTO_FTP
@ ALPROTO_FTP
Definition: app-layer-protos.h:31
DetectBufferMpmRegistery_
one time registration of keywords at start up
Definition: detect.h:626
InspectionBuffer::flags
uint8_t flags
Definition: detect.h:342
FILEDATA_CONTENT_LIMIT
#define FILEDATA_CONTENT_LIMIT
Definition: app-layer-smtp.c:63
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:503
DetectEngineCtx_::filedata_config
struct DetectEngineCtx_::@92 filedata_config[ALPROTO_MAX]
HTPCfgRec_::swf_compress_depth
uint32_t swf_compress_depth
Definition: app-layer-htp.h:169
StreamingBufferGetDataAtOffset
int StreamingBufferGetDataAtOffset(const StreamingBuffer *sb, const uint8_t **data, uint32_t *data_len, uint64_t offset)
Definition: util-streaming-buffer.c:1587
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:229
ALPROTO_MAX
@ ALPROTO_MAX
Definition: app-layer-protos.h:75
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1223
PrefilterMpmFiledata
struct PrefilterMpmFiledata PrefilterMpmFiledata
DetectEngineCtx_::content_inspect_window
uint32_t content_inspect_window
Definition: detect.h:903
DetectEngineAppInspectionEngine_::v2
struct DetectEngineAppInspectionEngine_::@84 v2
detect-engine-prefilter.h
HTPCfgDir_::inspect_window
uint32_t inspect_window
Definition: app-layer-htp.h:151
DetectEngineThreadCtx_::mtcu
MpmThreadCtx mtcu
Definition: detect.h:1132
util-unittest.h
InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine.c:1364
HtpBody_::first
HtpBodyChunk * first
Definition: app-layer-htp.h:185
HtpState_
Definition: app-layer-htp.h:244
SMTPConfig::content_inspect_min_size
uint32_t content_inspect_min_size
Definition: app-layer-smtp.h:99
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1079
File_::sb
StreamingBuffer * sb
Definition: util-file.h:83
HtpBody_::content_len_so_far
uint64_t content_len_so_far
Definition: app-layer-htp.h:191
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition: detect.h:396
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES
Definition: detect-engine-state.h:44
PrefilterMpmFiledata::transforms
const DetectEngineTransforms * transforms
Definition: detect-file-data.c:247
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:228
app-layer-htp.h
decode.h
util-debug.h
HTPCfgRec_::http_body_inline
int http_body_inline
Definition: app-layer-htp.h:164
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1025
HTPCfgDir_::inspect_min_size
uint32_t inspect_min_size
Definition: app-layer-htp.h:150
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:32
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
FileContainer_::head
File * head
Definition: util-file.h:114
detect.h
PrefilterMpmFiledataRegister
int PrefilterMpmFiledataRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)
Definition: detect-file-data.c:684
HTPCfgRec_::swf_decompress_depth
uint32_t swf_decompress_depth
Definition: app-layer-htp.h:168
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:39
PrefilterMpmFiledata::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-file-data.c:246
DetectFiledataRegister
void DetectFiledataRegister(void)
Registration function for keyword: file_data.
Definition: detect-file-data.c:83
HTPCfgRec_::swf_decompression_enabled
int swf_decompression_enabled
Definition: app-layer-htp.h:166
FILEDATA_CONTENT_INSPECT_MIN_SIZE
#define FILEDATA_CONTENT_INSPECT_MIN_SIZE
Definition: app-layer-smtp.c:65
InspectionBuffer::inspect_offset
uint64_t inspect_offset
Definition: detect.h:339
app-layer-parser.h
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:99
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:289
smtp_config
SMTPConfig smtp_config
Definition: app-layer-smtp.c:245
util-profiling.h
PrefilterMpmFiledata::base_list_id
int base_list_id
Definition: detect-file-data.c:245
Signature_::flags
uint32_t flags
Definition: detect.h:541
Packet_
Definition: decode.h:428
DETECT_CI_FLAGS_END
#define DETECT_CI_FLAGS_END
Definition: detect-engine-content-inspection.h:40
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:224
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:611
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
FileIsSwfFile
int FileIsSwfFile(const uint8_t *buffer, uint32_t buffer_len)
Definition: util-file-decompression.c:41
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
AppLayerHtpEnableResponseBodyCallback
void AppLayerHtpEnableResponseBodyCallback(void)
Sets a flag that informs the HTP app layer that some module in the engine needs the http request body...
Definition: app-layer-htp.c:482
HTPCfgRec_::swf_compression_type
HtpSwfCompressType swf_compression_type
Definition: app-layer-htp.h:167
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:61
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:165
HtpTxUserData_::response_body
HtpBody response_body
Definition: app-layer-htp.h:223
DETECT_FILE_DATA
@ DETECT_FILE_DATA
Definition: detect-engine-register.h:179
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
Definition: detect-engine-state.h:40
FileDataSize
uint64_t FileDataSize(const File *file)
get the size of the file data
Definition: util-file.c:323
detect-engine-content-inspection.h
DetectEngineThreadCtx_::discontinue_matching
uint16_t discontinue_matching
Definition: detect.h:1092
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:407
DetectEngineContentInspection
uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
Run the actual payload match functions.
Definition: detect-engine-content-inspection.c:106
File_::content_inspected
uint64_t content_inspected
Definition: util-file.h:99
FILE_STATE_CLOSED
@ FILE_STATE_CLOSED
Definition: util-file.h:71
File_
Definition: util-file.h:79
DetectAppLayerMpmRegister2
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:89
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: detect.h:1303
PREFILTER_PROFILING_ADD_BYTES
#define PREFILTER_PROFILING_ADD_BYTES(det_ctx, bytes)
Definition: util-profiling.h:307
HtpBody_
Definition: app-layer-htp.h:184
DetectBufferMpmRegistery_::pname
char pname[32]
Definition: detect.h:628
flags
uint8_t flags
Definition: decode-gre.h:0
Signature_::proto
DetectProto proto
Definition: detect.h:558
SigTableElmt_::alias
const char * alias
Definition: detect.h:1239
suricata-common.h
FILE_SWF_ZLIB_COMPRESSION
@ FILE_SWF_ZLIB_COMPRESSION
Definition: util-file-decompression.h:33
InspectionBufferApplyTransforms
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
Definition: detect-engine.c:1550
HtpBodyChunk_
Definition: app-layer-htp.h:176
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
DetectEngineThreadCtx_::inspection_recursion_counter
int inspection_recursion_counter
Definition: detect.h:1111
File_::next
struct File_ * next
Definition: util-file.h:92
ALPROTO_FTPDATA
@ ALPROTO_FTPDATA
Definition: app-layer-protos.h:47
util-spm-bm.h
InspectionBufferSetupMulti
void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1431
PrefilterAppendTxEngine
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterTxFn PrefilterTxFunc, AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:270
HtpTxUserData_
Definition: app-layer-htp.h:207
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:38
DetectEngineAppInspectionEngine_::progress
int16_t progress
Definition: detect.h:398
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:340
DetectFiledataRegisterTests
void DetectFiledataRegisterTests(void)
Definition: detect-file-data.c:162
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:338
str
#define str(s)
Definition: suricata-common.h:280
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
InspectionBufferSetup
void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1446
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::alstate
void * alstate
Definition: flow.h:482
Signature_::id
uint32_t id
Definition: detect.h:574
DetectEngineCtx_::content_limit
uint32_t content_limit
Definition: detect.h:901
detect-parse.h
FILEDATA_CONTENT_INSPECT_WINDOW
#define FILEDATA_CONTENT_INSPECT_WINDOW
Definition: app-layer-smtp.c:67
Signature_
Signature container.
Definition: detect.h:540
DetectEngineAppInspectionEngine_::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:404
util-file-decompression.h
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:66
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:48
DetectEngineCtx_::filedata_config_initialized
bool filedata_config_initialized
Definition: detect.h:905
DetectEngineCtx_::content_inspect_min_size
uint32_t content_inspect_min_size
Definition: detect.h:902
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1159
InspectionBufferMultipleForListGet
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
Definition: detect-engine.c:1384
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:37
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1423
AppLayerParserGetTxFiles
AppLayerGetFileState AppLayerParserGetTxFiles(const Flow *f, void *state, void *tx, const uint8_t direction)
Definition: app-layer-parser.c:890
DetectBufferSetActiveList
int DetectBufferSetActiveList(Signature *s, const int list)
Definition: detect-engine.c:1293
app-layer-smtp.h
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:1176
PrefilterMpmFiledata
Definition: detect-file-data.c:243
MpmCtx_
Definition: util-mpm.h:88
flow.h
detect-file-data.c
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:456
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
PrefilterMpmFiledata::list_id
int list_id
Definition: detect-file-data.c:244
flow-var.h
SMTPConfig::content_inspect_window
uint32_t content_inspect_window
Definition: app-layer-smtp.h:100
ALPROTO_NFS
@ ALPROTO_NFS
Definition: app-layer-protos.h:45
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1230
HtpBody_::body_inspected
uint64_t body_inspected
Definition: app-layer-htp.h:195
DetectBufferMpmRegistery_::sm_list_base
int16_t sm_list_base
Definition: detect.h:631
DetectProtoContainsProto
int DetectProtoContainsProto(const DetectProto *dp, int proto)
see if a DetectProto contains a certain proto
Definition: detect-engine-proto.c:135