suricata
detect-file-data.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  */
24 
25 #include "suricata-common.h"
26 #include "threads.h"
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 
32 #include "detect-engine.h"
33 #include "detect-engine-buffer.h"
34 #include "detect-engine-mpm.h"
35 #include "detect-engine-state.h"
38 #include "detect-engine-file.h"
39 #include "detect-file-data.h"
40 
41 #include "app-layer.h"
42 #include "app-layer-parser.h"
43 #include "app-layer-htp.h"
44 #include "app-layer-smtp.h"
45 
46 #include "flow.h"
47 #include "flow-var.h"
48 #include "flow-util.h"
49 
50 #include "util-debug.h"
51 #include "util-spm-bm.h"
52 #include "util-unittest.h"
53 #include "util-unittest-helper.h"
55 #include "util-profiling.h"
56 
57 static int DetectFiledataSetup (DetectEngineCtx *, Signature *, const char *);
58 #ifdef UNITTESTS
59 static void DetectFiledataRegisterTests(void);
60 #endif
61 static void DetectFiledataSetupCallback(
62  const DetectEngineCtx *de_ctx, Signature *s, const DetectBufferType *map);
63 static int g_file_data_buffer_id = 0;
64 
65 /* file API */
67  const DetectBufferMpmRegistry *mpm_reg, int list_id);
68 
69 // file protocols with common file handling
70 typedef struct {
71  int direction;
73  uint8_t progress_ts;
74  uint8_t progress_tc;
76 
77 /* Table with all filehandler registrations */
79 
80 #define ALPROTO_WITHFILES_MAX 16
81 
82 // file protocols with common file handling
85  { .alproto = ALPROTO_SMB, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT },
86  { .alproto = ALPROTO_FTP, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT },
87  { .alproto = ALPROTO_FTPDATA, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT },
88  { .alproto = ALPROTO_HTTP1,
89  .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT,
90  .progress_tc = HTP_RESPONSE_PROGRESS_BODY,
91  .progress_ts = HTP_REQUEST_PROGRESS_BODY },
92  { .alproto = ALPROTO_HTTP2,
93  .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT,
94  .progress_tc = HTTP2ProgData,
95  .progress_ts = HTTP2ProgData },
96  { .alproto = ALPROTO_SMTP, .direction = SIG_FLAG_TOSERVER }, { .alproto = ALPROTO_UNKNOWN }
97 };
98 
100  AppProto alproto, int direction, uint8_t progress_tc, uint8_t progress_ts)
101 {
102  size_t i = 0;
103  while (i < ALPROTO_WITHFILES_MAX && al_protocols[i].alproto != ALPROTO_UNKNOWN) {
104  i++;
105  }
106  if (i == ALPROTO_WITHFILES_MAX) {
107  return;
108  }
109  al_protocols[i].alproto = alproto;
110  al_protocols[i].direction = direction;
111  al_protocols[i].progress_tc = progress_tc;
112  al_protocols[i].progress_ts = progress_ts;
113  if (i + 1 < ALPROTO_WITHFILES_MAX) {
115  }
116 }
117 
119 {
120  for (size_t i = 0; i < g_alproto_max; i++) {
121  if (al_protocols[i].alproto == ALPROTO_UNKNOWN) {
122  break;
123  }
124  int direction = al_protocols[i].direction == 0
126  : al_protocols[i].direction;
127 
128  if (direction & SIG_FLAG_TOCLIENT) {
133  }
134  if (direction & SIG_FLAG_TOSERVER) {
139  }
140  }
141 }
142 
143 /**
144  * \brief Registration function for keyword: file_data
145  */
147 {
148  sigmatch_table[DETECT_FILE_DATA].name = "file.data";
149  sigmatch_table[DETECT_FILE_DATA].alias = "file_data";
150  sigmatch_table[DETECT_FILE_DATA].desc = "make content keywords match on file data";
151  sigmatch_table[DETECT_FILE_DATA].url = "/rules/file-keywords.html#file-data";
152  sigmatch_table[DETECT_FILE_DATA].Setup = DetectFiledataSetup;
153 #ifdef UNITTESTS
155 #endif
158 
159  filehandler_table[DETECT_FILE_DATA].name = "file_data";
163 
164  DetectBufferTypeRegisterSetupCallback("file_data", DetectFiledataSetupCallback);
165 
166  DetectBufferTypeSetDescriptionByName("file_data", "data from tracked files");
168 
169  g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
170 }
171 
172 static void SetupDetectEngineConfig(DetectEngineCtx *de_ctx) {
173  if (de_ctx->filedata_config)
174  return;
175 
177  if (unlikely(de_ctx->filedata_config == NULL))
178  return;
179  /* initialize default */
180  for (AppProto i = 0; i < g_alproto_max; i++) {
183  }
184 
185  /* add protocol specific settings here */
186 
187  /* help scan-build understand the protocol specific logic is within the array bounds. */
189 
190  /* SMTP */
194 }
195 
196 /**
197  * \brief this function is used to parse filedata options
198  * \brief into the current signature
199  *
200  * \param de_ctx pointer to the Detection Engine Context
201  * \param s pointer to the Current Signature
202  * \param str pointer to the user provided "filestore" option
203  *
204  * \retval 0 on Success
205  * \retval -1 on Failure
206  */
207 static int DetectFiledataSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
208 {
209  SCEnter();
210 
211  if (s->alproto != ALPROTO_UNKNOWN && !AppLayerParserSupportsFiles(IPPROTO_TCP, s->alproto) &&
212  !AppLayerParserSupportsFiles(IPPROTO_UDP, s->alproto)) {
213  SCLogError("The 'file_data' keyword cannot be used with protocol %s",
215  return -1;
216  }
217 
219  !(s->flags & SIG_FLAG_TOSERVER) && (s->flags & SIG_FLAG_TOCLIENT)) {
220  SCLogError("The 'file-data' keyword cannot be used with SMTP flow:to_client or "
221  "flow:from_server.");
222  return -1;
223  }
224 
226  return -1;
227 
230  // we cannot use a transactional rule with a fast pattern to client and this
232  SCLogError("fast_pattern cannot be used on to_client keyword for "
233  "transactional rule with a streaming buffer to server %u",
234  s->id);
235  return -1;
236  }
238  }
239 
240  SetupDetectEngineConfig(de_ctx);
241  return 0;
242 }
243 
244 static void DetectFiledataSetupCallback(
245  const DetectEngineCtx *de_ctx, Signature *s, const DetectBufferType *map)
246 {
247  if (s->alproto == ALPROTO_HTTP1 || s->alproto == ALPROTO_UNKNOWN ||
248  s->alproto == ALPROTO_HTTP) {
250  }
251 
252  /* server body needs to be inspected in sync with stream if possible */
254 
255  SCLogDebug("callback invoked by %u", s->id);
256 }
257 
258 /* common */
259 
260 static void PrefilterMpmFiledataFree(void *ptr)
261 {
262  SCFree(ptr);
263 }
264 
265 /* file API based inspection */
266 
267 static inline InspectionBuffer *FiledataWithXformsGetDataCallback(DetectEngineThreadCtx *det_ctx,
268  const DetectEngineTransforms *transforms, const int list_id, int local_file_id,
269  InspectionBuffer *base_buffer)
270 {
271  InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, local_file_id);
272  if (buffer == NULL) {
273  SCLogDebug("list_id: %d: no buffer", list_id);
274  return NULL;
275  }
276  if (buffer->initialized) {
277  SCLogDebug("list_id: %d: returning %p", list_id, buffer);
278  return buffer;
279  }
280 
282  det_ctx, buffer, transforms, base_buffer->inspect, base_buffer->inspect_len);
283  buffer->inspect_offset = base_buffer->inspect_offset;
284  SCLogDebug("xformed buffer %p size %u", buffer, buffer->inspect_len);
285  SCReturnPtr(buffer, "InspectionBuffer");
286 }
287 
288 static InspectionBuffer *FiledataGetDataCallback(DetectEngineThreadCtx *det_ctx,
289  const DetectEngineTransforms *transforms, Flow *f, uint8_t flow_flags, File *cur_file,
290  const int list_id, const int base_id, int local_file_id, void *txv)
291 {
292  SCEnter();
293  SCLogDebug("starting: list_id %d base_id %d", list_id, base_id);
294 
295  InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, base_id, local_file_id);
296  SCLogDebug("base: buffer %p", buffer);
297  if (buffer == NULL)
298  return NULL;
299  if (base_id != list_id && buffer->inspect != NULL) {
300  SCLogDebug("handle xform %s", (list_id != base_id) ? "true" : "false");
301  return FiledataWithXformsGetDataCallback(
302  det_ctx, transforms, list_id, local_file_id, buffer);
303  }
304  if (buffer->initialized) {
305  SCLogDebug("base_id: %d, not first: use %p", base_id, buffer);
306  return buffer;
307  }
308 
309  const uint64_t file_size = FileDataSize(cur_file);
310  const DetectEngineCtx *de_ctx = det_ctx->de_ctx;
311  uint32_t content_limit = FILEDATA_CONTENT_LIMIT;
312  uint32_t content_inspect_min_size = FILEDATA_CONTENT_INSPECT_MIN_SIZE;
313  if (de_ctx->filedata_config) {
314  content_limit = de_ctx->filedata_config[f->alproto].content_limit;
315  content_inspect_min_size = de_ctx->filedata_config[f->alproto].content_inspect_min_size;
316  }
317 
318  SCLogDebug("[list %d] content_limit %u, content_inspect_min_size %u", list_id, content_limit,
319  content_inspect_min_size);
320 
321  SCLogDebug("[list %d] file %p size %" PRIu64 ", state %d", list_id, cur_file, file_size,
322  cur_file->state);
323 
324  /* no new data */
325  if (cur_file->content_inspected == file_size) {
326  SCLogDebug("no new data");
327  goto empty_return;
328  }
329 
330  if (file_size == 0) {
331  SCLogDebug("no data to inspect for this transaction");
332  goto empty_return;
333  }
334 
335  SCLogDebug("offset %" PRIu64, StreamingBufferGetOffset(cur_file->sb));
336  SCLogDebug("size %" PRIu64, cur_file->size);
337  SCLogDebug("content_inspected %" PRIu64, cur_file->content_inspected);
338  SCLogDebug("inspect_window %" PRIu32, cur_file->inspect_window);
339  SCLogDebug("inspect_min_size %" PRIu32, cur_file->inspect_min_size);
340 
341  bool ips = false;
342  uint64_t offset = 0;
343  if (f->alproto == ALPROTO_HTTP1) {
344 
345  htp_tx_t *tx = txv;
346  HtpState *htp_state = f->alstate;
347  ips = htp_state->cfg->http_body_inline;
348 
349  const bool body_done = AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP1, tx,
350  flow_flags) > HTP_RESPONSE_PROGRESS_BODY;
351 
352  SCLogDebug("response.body_limit %u file_size %" PRIu64
353  ", cur_file->inspect_min_size %" PRIu32 ", EOF %s, progress > body? %s",
354  htp_state->cfg->response.body_limit, file_size, cur_file->inspect_min_size,
355  flow_flags & STREAM_EOF ? "true" : "false", BOOL2STR(body_done));
356 
357  if (!htp_state->cfg->http_body_inline) {
358  /* inspect the body if the transfer is complete or we have hit
359  * our body size limit */
360  if ((htp_state->cfg->response.body_limit == 0 ||
361  file_size < htp_state->cfg->response.body_limit) &&
362  file_size < cur_file->inspect_min_size && !body_done &&
363  !(flow_flags & STREAM_EOF)) {
364  SCLogDebug("we still haven't seen the entire response body. "
365  "Let's defer body inspection till we see the "
366  "entire body.");
367  goto empty_return;
368  }
369  SCLogDebug("inline and we're continuing");
370  }
371 
372  bool force = (flow_flags & STREAM_EOF) || (cur_file->state > FILE_STATE_OPENED) ||
373  body_done || htp_state->cfg->http_body_inline;
374  /* get the inspect buffer
375  *
376  * make sure that we have at least the configured inspect_win size.
377  * If we have more, take at least 1/4 of the inspect win size before
378  * the new data.
379  */
380  if (cur_file->content_inspected == 0) {
381  if (!force && file_size < cur_file->inspect_min_size) {
382  SCLogDebug("skip as file_size %" PRIu64 " < inspect_min_size %u", file_size,
383  cur_file->inspect_min_size);
384  goto empty_return;
385  }
386  } else {
387  uint64_t new_data = file_size - cur_file->content_inspected;
388  DEBUG_VALIDATE_BUG_ON(new_data == 0);
389  if (new_data < cur_file->inspect_window) {
390  uint64_t inspect_short = cur_file->inspect_window - new_data;
391  if (cur_file->content_inspected < inspect_short) {
392  offset = 0;
393  SCLogDebug("offset %" PRIu64, offset);
394  } else {
395  offset = cur_file->content_inspected - inspect_short;
396  SCLogDebug("offset %" PRIu64, offset);
397  }
398  } else {
399  BUG_ON(cur_file->content_inspected == 0);
400  uint32_t margin = cur_file->inspect_window / 4;
401  if ((uint64_t)margin <= cur_file->content_inspected) {
402  offset = cur_file->content_inspected - (cur_file->inspect_window / 4);
403  } else {
404  offset = 0;
405  }
406  SCLogDebug("offset %" PRIu64 " (data from offset %" PRIu64 ")", offset,
407  file_size - offset);
408  }
409  }
410 
411  } else {
412  if ((content_limit == 0 || file_size < content_limit) &&
413  file_size < content_inspect_min_size && !(flow_flags & STREAM_EOF) &&
414  !(cur_file->state > FILE_STATE_OPENED)) {
415  SCLogDebug("we still haven't seen the entire content. "
416  "Let's defer content inspection till we see the "
417  "entire content. We've seen %ld and need at least %d",
418  file_size, content_inspect_min_size);
419  goto empty_return;
420  }
421  offset = cur_file->content_inspected;
422  }
423 
424  const uint8_t *data;
425  uint32_t data_len;
426 
427  SCLogDebug("Fetching data at offset: %ld", offset);
428  StreamingBufferGetDataAtOffset(cur_file->sb, &data, &data_len, offset);
429  SCLogDebug("data_len %u", data_len);
430  /* update inspected tracker */
431  buffer->inspect_offset = offset;
432 
433  if (ips && file_size < cur_file->inspect_min_size) {
434  // don't update content_inspected yet
435  } else {
436  SCLogDebug("content inspected: %" PRIu64, cur_file->content_inspected);
437  cur_file->content_inspected = MAX(cur_file->content_inspected, offset + data_len);
438  SCLogDebug("content inspected: %" PRIu64, cur_file->content_inspected);
439  }
440 
441  InspectionBufferSetupMulti(det_ctx, buffer, NULL, data, data_len);
442  SCLogDebug("[list %d] [before] buffer offset %" PRIu64 "; buffer len %" PRIu32
443  "; data_len %" PRIu32 "; file_size %" PRIu64,
444  list_id, buffer->inspect_offset, buffer->inspect_len, data_len, file_size);
445 
446  if (f->alproto == ALPROTO_HTTP1 && flow_flags & STREAM_TOCLIENT) {
447  HtpState *htp_state = f->alstate;
448  /* built-in 'transformation' */
449  if (htp_state->cfg->swf_decompression_enabled) {
450  int swf_file_type = FileIsSwfFile(data, data_len);
451  if (swf_file_type == FILE_SWF_ZLIB_COMPRESSION ||
452  swf_file_type == FILE_SWF_LZMA_COMPRESSION) {
453  SCLogDebug("decompressing ...");
454  (void)FileSwfDecompression(data, data_len, det_ctx, buffer,
455  htp_state->cfg->swf_compression_type, htp_state->cfg->swf_decompress_depth,
456  htp_state->cfg->swf_compress_depth);
457  SCLogDebug("uncompressed buffer %p size %u; buf: \"%s\"", buffer,
458  buffer->inspect_len, (char *)buffer->inspect);
459  }
460  }
461  }
462 
463  SCLogDebug("content inspected: %" PRIu64, cur_file->content_inspected);
464 
465  /* get buffer for the list id if it is different from the base id */
466  if (list_id != base_id) {
467  SCLogDebug("regular %d has been set up: now handle xforms id %d", base_id, list_id);
468  InspectionBuffer *tbuffer = FiledataWithXformsGetDataCallback(
469  det_ctx, transforms, list_id, local_file_id, buffer);
470  SCReturnPtr(tbuffer, "InspectionBuffer");
471  }
472  SCReturnPtr(buffer, "InspectionBuffer");
473 
474 empty_return:
476  return NULL;
477 }
478 
480  const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags,
481  void *alstate, void *txv, uint64_t tx_id)
482 {
483  const DetectEngineTransforms *transforms = NULL;
484  if (!engine->mpm) {
485  transforms = engine->v2.transforms;
486  }
487 
489  FileContainer *ffc = files.fc;
490  if (ffc == NULL) {
492  }
493  if (ffc->head == NULL) {
494  const bool eof = (AppLayerParserGetStateProgress(f->proto, f->alproto, txv, flags) >
495  engine->progress);
496  if (eof && engine->match_on_null) {
498  }
500  }
501 
502  int local_file_id = 0;
503  File *file = ffc->head;
504  for (; file != NULL; file = file->next) {
505  InspectionBuffer *buffer = FiledataGetDataCallback(det_ctx, transforms, f, flags, file,
506  engine->sm_list, engine->sm_list_base, local_file_id, txv);
507  if (buffer == NULL) {
508  local_file_id++;
509  continue;
510  }
511 
512  bool eof = (file->state == FILE_STATE_CLOSED);
513  uint8_t ciflags = eof ? DETECT_CI_FLAGS_END : 0;
514  if (buffer->inspect_offset == 0)
515  ciflags |= DETECT_CI_FLAGS_START;
516 
517  const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
518  buffer->inspect, buffer->inspect_len, buffer->inspect_offset, ciflags,
520  if (match) {
522  }
523  local_file_id++;
524  }
525 
527 }
528 
529 typedef struct PrefilterMpmFiledata {
530  int list_id;
532  const MpmCtx *mpm_ctx;
535 
536 /** \brief Filedata Filedata Mpm prefilter callback
537  *
538  * \param det_ctx detection engine thread ctx
539  * \param pectx inspection context
540  * \param p packet to inspect
541  * \param f flow to inspect
542  * \param txv tx to inspect
543  * \param idx transaction id
544  * \param flags STREAM_* flags including direction
545  */
546 static void PrefilterTxFiledata(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
547  Flow *f, void *txv, const uint64_t idx, const AppLayerTxData *txd, const uint8_t flags)
548 {
549  SCEnter();
550 
552  return;
553 
554  const PrefilterMpmFiledata *ctx = (const PrefilterMpmFiledata *)pectx;
555  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
556  const int list_id = ctx->list_id;
557 
559  FileContainer *ffc = files.fc;
560  if (ffc != NULL) {
561  int local_file_id = 0;
562  for (File *file = ffc->head; file != NULL; file = file->next) {
563  InspectionBuffer *buffer = FiledataGetDataCallback(det_ctx, ctx->transforms, f, flags,
564  file, list_id, ctx->base_list_id, local_file_id, txv);
565  if (buffer == NULL) {
566  local_file_id++;
567  continue;
568  }
569  SCLogDebug("[%" PRIu64 "] buffer size %u", PcapPacketCntGet(p), buffer->inspect_len);
570 
571  if (buffer->inspect_len >= mpm_ctx->minlen) {
572  uint32_t prev_rule_id_array_cnt = det_ctx->pmq.rule_id_array_cnt;
573  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx, &det_ctx->mtc, &det_ctx->pmq,
574  buffer->inspect, buffer->inspect_len);
575  PREFILTER_PROFILING_ADD_BYTES(det_ctx, buffer->inspect_len);
576 
577  if (det_ctx->pmq.rule_id_array_cnt > prev_rule_id_array_cnt) {
578  SCLogDebug(
579  "%u matches", det_ctx->pmq.rule_id_array_cnt - prev_rule_id_array_cnt);
580  }
581  }
582  local_file_id++;
583  }
584  }
585 }
586 
588  const DetectBufferMpmRegistry *mpm_reg, int list_id)
589 {
590  PrefilterMpmFiledata *pectx = SCCalloc(1, sizeof(*pectx));
591  if (pectx == NULL)
592  return -1;
593  pectx->list_id = list_id;
594  pectx->base_list_id = mpm_reg->sm_list_base;
595  pectx->mpm_ctx = mpm_ctx;
596  pectx->transforms = &mpm_reg->transforms;
597 
598  return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxFiledata,
599  mpm_reg->app_v2.alproto, mpm_reg->app_v2.tx_min_progress,
600  pectx, PrefilterMpmFiledataFree, mpm_reg->pname);
601 }
602 
603 #ifdef UNITTESTS
604 #include "tests/detect-file-data.c"
605 #endif
DETECT_TBLSIZE_STATIC
@ DETECT_TBLSIZE_STATIC
Definition: detect-engine-register.h:296
HtpState_::cfg
const struct HTPCfgRec_ * cfg
Definition: app-layer-htp.h:190
AppLayerParserHasFilesInDir
#define AppLayerParserHasFilesInDir(txd, direction)
check if tx (possibly) has files in this tx for the direction
Definition: app-layer-parser.h:336
SMTPConfig::content_limit
uint32_t content_limit
Definition: app-layer-smtp.h:107
DetectEngineAppInspectionEngine_
Definition: detect.h:416
SigTableElmt_::url
const char * url
Definition: detect.h:1512
DetectEngineAppInspectionEngine_::mpm
bool mpm
Definition: detect.h:420
FileContainer_
Definition: util-file.h:37
MpmCtx_::mpm_type
uint8_t mpm_type
Definition: util-mpm.h:99
DetectEngineAppInspectionEngine_::v2
struct DetectEngineAppInspectionEngine_::@82 v2
detect-engine.h
DetectBufferTypeRegisterSetupCallback
void DetectBufferTypeRegisterSetupCallback(const char *name, void(*SetupCallback)(const DetectEngineCtx *, Signature *, const DetectBufferType *))
Definition: detect-engine.c:1568
SigTableElmt_::desc
const char * desc
Definition: detect.h:1511
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
DETECT_CI_FLAGS_START
#define DETECT_CI_FLAGS_START
Definition: detect-engine-content-inspection.h:40
al_protocols
DetectFileHandlerProtocol al_protocols[ALPROTO_WITHFILES_MAX]
Definition: detect-file-data.c:83
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1509
InspectionBuffer::initialized
bool initialized
Definition: detect-engine-inspect-buffer.h:38
PrefilterRuleStore_::rule_id_array_cnt
uint32_t rule_id_array_cnt
Definition: util-prefilter.h:40
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1679
SIG_FLAG_INIT_FLOW
#define SIG_FLAG_INIT_FLOW
Definition: detect.h:291
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectEngineTransforms
Definition: detect.h:391
DetectBufferMpmRegistry_::sm_list_base
int16_t sm_list_base
Definition: detect.h:775
HTPCfgRec_::response
HTPCfgDir response
Definition: app-layer-htp.h:117
File_::inspect_min_size
uint32_t inspect_min_size
Definition: util-file.h:171
SIG_FLAG_INIT_NEED_FLUSH
#define SIG_FLAG_INIT_NEED_FLUSH
Definition: detect.h:297
SigTableElmt_::flags
uint32_t flags
Definition: detect.h:1500
File_::size
uint64_t size
Definition: util-file.h:169
PcapPacketCntGet
uint64_t PcapPacketCntGet(const Packet *p)
Definition: decode.c:1180
Signature_::alproto
AppProto alproto
Definition: detect.h:680
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:282
SIG_FLAG_INIT_FILEDATA
#define SIG_FLAG_INIT_FILEDATA
Definition: detect.h:300
DetectEngineCtx_::filedata_config
DetectFileDataCfg * filedata_config
Definition: detect.h:1086
HTPCfgDir_::body_limit
uint32_t body_limit
Definition: app-layer-htp.h:96
SIG_FLAG_INIT_TXDIR_FAST_TOCLIENT
#define SIG_FLAG_INIT_TXDIR_FAST_TOCLIENT
Definition: detect.h:306
DetectBufferMpmRegistry_::app_v2
struct DetectBufferMpmRegistry_::@90::@92 app_v2
Flow_::proto
uint8_t proto
Definition: flow.h:376
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:87
DetectFileDataCfg
Definition: detect.h:955
FileSwfDecompression
int FileSwfDecompression(const uint8_t *buffer, uint32_t buffer_len, DetectEngineThreadCtx *det_ctx, InspectionBuffer *out_buffer, int swf_type, uint32_t decompress_depth, uint32_t compress_depth)
This function decompresses a buffer with zlib/lzma algorithm.
Definition: util-file-decompression.c:71
InspectionBuffer
Definition: detect-engine-inspect-buffer.h:34
threads.h
FILE_STATE_OPENED
@ FILE_STATE_OPENED
Definition: util-file.h:137
Flow_
Flow data structure.
Definition: flow.h:354
File_::state
FileState state
Definition: util-file.h:149
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1399
ctx
struct Thresholds ctx
AppLayerParserSupportsFiles
bool AppLayerParserSupportsFiles(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1188
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:973
PrefilterMpmFiledataRegister
int PrefilterMpmFiledataRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
Definition: detect-file-data.c:587
DetectBufferTypeSupportsMultiInstance
void DetectBufferTypeSupportsMultiInstance(const char *name)
Definition: detect-engine.c:1333
SIG_FLAG_INIT_FORCE_TOCLIENT
#define SIG_FLAG_INIT_FORCE_TOCLIENT
Definition: detect.h:301
DetectBufferMpmRegistry_
one time registration of keywords at start up
Definition: detect.h:770
detect-file-data.h
DetectEngineAppInspectionEngine_::sm_list_base
uint16_t sm_list_base
Definition: detect.h:425
ALPROTO_FTP
@ ALPROTO_FTP
Definition: app-layer-protos.h:37
FILEDATA_CONTENT_LIMIT
#define FILEDATA_CONTENT_LIMIT
Definition: app-layer-smtp.c:59
SCDetectBufferSetActiveList
int SCDetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
Definition: detect-engine-buffer.c:29
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:612
DetectBufferType_
Definition: detect.h:449
p
Packet * p
Definition: fuzz_iprep.c:21
HTPCfgRec_::swf_compress_depth
uint32_t swf_compress_depth
Definition: app-layer-htp.h:114
StreamingBufferGetDataAtOffset
int StreamingBufferGetDataAtOffset(const StreamingBuffer *sb, const uint8_t **data, uint32_t *data_len, uint64_t offset)
Definition: util-streaming-buffer.c:1827
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:271
MAX
#define MAX(x, y)
Definition: suricata-common.h:420
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1491
PrefilterMpmFiledata
struct PrefilterMpmFiledata PrefilterMpmFiledata
DetectBufferMpmRegistry_::transforms
DetectEngineTransforms transforms
Definition: detect.h:783
detect-engine-prefilter.h
util-unittest.h
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, uint8_t progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
Definition: detect-engine.c:272
HtpState_
Definition: app-layer-htp.h:183
SMTPConfig::content_inspect_min_size
uint32_t content_inspect_min_size
Definition: app-layer-smtp.h:108
util-unittest-helper.h
AppLayerParserGetTxFiles
AppLayerGetFileState AppLayerParserGetTxFiles(const Flow *f, void *tx, const uint8_t direction)
Definition: app-layer-parser.c:890
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1383
File_::sb
StreamingBuffer * sb
Definition: util-file.h:150
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition: detect.h:424
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES
Definition: detect-engine-state.h:46
FILE_SWF_ZLIB_COMPRESSION
@ FILE_SWF_ZLIB_COMPRESSION
Definition: util-file-decompression.h:33
SIGMATCH_SUPPORT_DIR
#define SIGMATCH_SUPPORT_DIR
Definition: detect-engine-register.h:336
SIGMATCH_INFO_MULTI_BUFFER
#define SIGMATCH_INFO_MULTI_BUFFER
Definition: detect-engine-register.h:338
PrefilterMpmFiledata::transforms
const DetectEngineTransforms * transforms
Definition: detect-file-data.c:533
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:270
app-layer-htp.h
DetectFileDataCfg::content_inspect_min_size
uint32_t content_inspect_min_size
Definition: detect.h:957
decode.h
DetectBufferMpmRegistry_::pname
char pname[DETECT_PROFILE_NAME_LEN]
Definition: detect.h:772
util-debug.h
HTPCfgRec_::http_body_inline
int http_body_inline
Definition: app-layer-htp.h:109
AppLayerTxData
Definition: app-layer-parser.h:163
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:22
g_alproto_max
AppProto g_alproto_max
Definition: app-layer-protos.c:30
DetectEngineThreadCtx_
Definition: detect.h:1291
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:38
detect-engine-file.h
BOOL2STR
#define BOOL2STR(b)
Definition: util-debug.h:542
SCEnter
#define SCEnter(...)
Definition: util-debug.h:284
detect-engine-mpm.h
FileContainer_::head
File * head
Definition: util-file.h:38
detect.h
DetectFileHandlerProtocol::alproto
AppProto alproto
Definition: detect-file-data.c:72
HTPCfgRec_::swf_decompress_depth
uint32_t swf_decompress_depth
Definition: app-layer-htp.h:113
ALPROTO_WITHFILES_MAX
#define ALPROTO_WITHFILES_MAX
Definition: detect-file-data.c:80
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:41
PrefilterMpmFiledata::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-file-data.c:532
DetectFiledataRegister
void DetectFiledataRegister(void)
Registration function for keyword: file_data.
Definition: detect-file-data.c:146
HTPCfgRec_::swf_decompression_enabled
int swf_decompression_enabled
Definition: app-layer-htp.h:111
FILEDATA_CONTENT_INSPECT_MIN_SIZE
#define FILEDATA_CONTENT_INSPECT_MIN_SIZE
Definition: app-layer-smtp.c:61
InspectionBuffer::inspect_offset
uint64_t inspect_offset
Definition: detect-engine-inspect-buffer.h:36
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
Definition: detect-engine-content-inspection.h:36
app-layer-parser.h
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:108
DetectEngineContentInspection
bool DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, const uint32_t buffer_len, const uint64_t stream_start_offset, const uint8_t flags, const enum DetectContentInspectionType inspection_mode)
wrapper around DetectEngineContentInspectionInternal to return true/false only
Definition: detect-engine-content-inspection.c:751
AppLayerParserGetStateProgress
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *tx, uint8_t flags)
get the progress value for a tx/protocol
Definition: app-layer-parser.c:1104
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:325
smtp_config
SMTPConfig smtp_config
Definition: app-layer-smtp.c:293
DetectFileHandlerTableElmt_
Definition: detect-file-data.h:32
util-profiling.h
PrefilterMpmFiledata::base_list_id
int base_list_id
Definition: detect-file-data.c:531
Signature_::flags
uint32_t flags
Definition: detect.h:676
DetectFileHandlerProtocol::progress_tc
uint8_t progress_tc
Definition: detect-file-data.c:74
Packet_
Definition: decode.h:515
DETECT_CI_FLAGS_END
#define DETECT_CI_FLAGS_END
Definition: detect-engine-content-inspection.h:42
DetectEngineAppInspectionEngine_::match_on_null
bool match_on_null
Definition: detect.h:423
DetectFileRegisterProto
void DetectFileRegisterProto(AppProto alproto, int direction, uint8_t progress_tc, uint8_t progress_ts)
Definition: detect-file-data.c:99
DetectFileDataCfg::content_limit
uint32_t content_limit
Definition: detect.h:956
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:754
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:300
FileIsSwfFile
int FileIsSwfFile(const uint8_t *buffer, uint32_t buffer_len)
Definition: util-file-decompression.c:41
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
AppLayerHtpEnableResponseBodyCallback
void AppLayerHtpEnableResponseBodyCallback(void)
Sets a flag that informs the HTP app layer that some module in the engine needs the http request body...
Definition: app-layer-htp.c:559
DetectFileHandlerTableElmt_::priority
int priority
Definition: detect-file-data.h:34
HTPCfgRec_::swf_compression_type
HtpSwfCompressType swf_compression_type
Definition: app-layer-htp.h:112
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:69
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:186
DetectFileHandlerProtocol::direction
int direction
Definition: detect-file-data.c:71
DETECT_FILE_DATA
@ DETECT_FILE_DATA
Definition: detect-engine-register.h:202
DetectEngineThreadCtx_::mtc
MpmThreadCtx mtc
Definition: detect.h:1395
FileDataSize
uint64_t FileDataSize(const File *file)
get the size of the file data
Definition: util-file.c:308
DetectFileHandlerProtocol
Definition: detect-file-data.c:70
detect-engine-content-inspection.h
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:439
File_::content_inspected
uint64_t content_inspected
Definition: util-file.h:166
FILE_STATE_CLOSED
@ FILE_STATE_CLOSED
Definition: util-file.h:138
File_
Definition: util-file.h:146
PREFILTER_PROFILING_ADD_BYTES
#define PREFILTER_PROFILING_ADD_BYTES(det_ctx, bytes)
Definition: util-profiling.h:286
flags
uint8_t flags
Definition: decode-gre.h:0
SigTableElmt_::alias
const char * alias
Definition: detect.h:1510
AppLayerGetFileState
Definition: util-file.h:44
suricata-common.h
AppLayerGetFileState::fc
FileContainer * fc
Definition: util-file.h:45
SIGMATCH_OPTIONAL_OPT
#define SIGMATCH_OPTIONAL_OPT
Definition: detect-engine-register.h:313
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
File_::next
struct File_ * next
Definition: util-file.h:159
DetectAppLayerMpmRegister
void DetectAppLayerMpmRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionBufferGetDataPtr GetData, AppProto alproto, uint8_t tx_min_progress)
register an app layer keyword for mpm
Definition: detect-engine-mpm.c:152
ALPROTO_FTPDATA
@ ALPROTO_FTPDATA
Definition: app-layer-protos.h:53
detect-engine-buffer.h
DetectFileHandlerTableElmt_::PrefilterFn
PrefilterRegisterFunc PrefilterFn
Definition: detect-file-data.h:35
util-spm-bm.h
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:40
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SIG_FLAG_INIT_TXDIR_STREAMING_TOSERVER
#define SIG_FLAG_INIT_TXDIR_STREAMING_TOSERVER
Definition: detect.h:304
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect-engine-inspect-buffer.h:37
DetectFiledataRegisterTests
void DetectFiledataRegisterTests(void)
Definition: detect-file-data.c:64
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect-engine-inspect-buffer.h:35
str
#define str(s)
Definition: suricata-common.h:316
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:274
SCFree
#define SCFree(p)
Definition: util-mem.h:61
PrefilterAppendTxEngine
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterTxFn PrefilterTxFunc, AppProto alproto, int8_t tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:356
Flow_::alstate
void * alstate
Definition: flow.h:479
Signature_::id
uint32_t id
Definition: detect.h:720
detect-parse.h
Signature_
Signature container.
Definition: detect.h:675
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:1014
DetectEngineAppInspectionEngine_::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:436
util-file-decompression.h
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:77
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
File_::inspect_window
uint32_t inspect_window
Definition: util-file.h:170
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:47
DetectFileHandlerTableElmt_::Callback
InspectEngineFuncPtr Callback
Definition: detect-file-data.h:36
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1414
InspectionBufferSetupMultiEmpty
void InspectionBufferSetupMultiEmpty(InspectionBuffer *buffer)
setup the buffer empty
Definition: detect-engine-inspect-buffer.c:144
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:43
DetectFileHandlerTableElmt_::name
const char * name
Definition: detect-file-data.h:33
app-layer-smtp.h
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:1480
PrefilterMpmFiledata
Definition: detect-file-data.c:529
MpmCtx_
Definition: util-mpm.h:97
flow.h
detect-file-data.c
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
PrefilterMpmFiledata::list_id
int list_id
Definition: detect-file-data.c:530
DetectFileRegisterFileProtocols
void DetectFileRegisterFileProtocols(DetectFileHandlerTableElmt *reg)
Definition: detect-file-data.c:118
flow-var.h
DetectEngineInspectFiledata
uint8_t DetectEngineInspectFiledata(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Definition: detect-file-data.c:479
filehandler_table
DetectFileHandlerTableElmt filehandler_table[DETECT_TBLSIZE_STATIC]
Definition: detect-file-data.c:78
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:109
InspectionBufferSetupMulti
void InspectionBufferSetupMulti(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine-inspect-buffer.c:157
ALPROTO_NFS
@ ALPROTO_NFS
Definition: app-layer-protos.h:51
InspectionBufferMultipleForListGet
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
Definition: detect-engine-inspect-buffer.c:76
FILE_SWF_LZMA_COMPRESSION
@ FILE_SWF_LZMA_COMPRESSION
Definition: util-file-decompression.h:34
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1498
app-layer.h
DetectEngineAppInspectionEngine_::progress
uint8_t progress
Definition: detect.h:426
DetectFileHandlerProtocol::progress_ts
uint8_t progress_ts
Definition: detect-file-data.c:73