Go to the documentation of this file.
62 static int g_file_data_buffer_id = 0;
133 SCLogError(
"The 'file_data' keyword cannot be used with non-TCP protocols");
138 SCLogError(
"The 'file_data' keyword cannot be used with TCP protocol %s",
145 SCLogError(
"The 'file-data' keyword cannot be used with SMTP flow:to_client or "
146 "flow:from_server.");
154 SetupDetectEngineConfig(
de_ctx);
174 static void PrefilterMpmFiledataFree(
void *ptr)
186 if (buffer == NULL) {
187 SCLogDebug(
"list_id: %d: no buffer", list_id);
191 SCLogDebug(
"list_id: %d: returning %p", list_id, buffer);
203 const int list_id,
const int base_id,
int local_file_id,
void *txv)
206 SCLogDebug(
"starting: list_id %d base_id %d", list_id, base_id);
212 if (base_id != list_id && buffer->
inspect != NULL) {
213 SCLogDebug(
"handle xform %s", (list_id != base_id) ?
"true" :
"false");
214 return FiledataWithXformsGetDataCallback(
215 det_ctx, transforms, list_id, local_file_id, buffer);
218 SCLogDebug(
"base_id: %d, not first: use %p", base_id, buffer);
231 SCLogDebug(
"[list %d] content_limit %u, content_inspect_min_size %u", list_id, content_limit,
232 content_inspect_min_size);
234 SCLogDebug(
"[list %d] file %p size %" PRIu64
", state %d", list_id, cur_file, file_size,
243 if (file_size == 0) {
244 SCLogDebug(
"no data to inspect for this transaction");
248 SCLogDebug(
"offset %" PRIu64, StreamingBufferGetOffset(cur_file->
sb));
263 flow_flags) > HTP_RESPONSE_BODY;
265 SCLogDebug(
"response.body_limit %u file_size %" PRIu64
266 ", cur_file->inspect_min_size %" PRIu32
", EOF %s, progress > body? %s",
268 flow_flags & STREAM_EOF ?
"true" :
"false",
BOOL2STR(body_done));
274 file_size < htp_state->cfg->response.body_limit) &&
275 file_size < cur_file->inspect_min_size && !body_done &&
276 !(flow_flags & STREAM_EOF)) {
277 SCLogDebug(
"we still haven't seen the entire response body. "
278 "Let's defer body inspection till we see the "
294 if (!force && file_size < cur_file->inspect_min_size) {
295 SCLogDebug(
"skip as file_size %" PRIu64
" < inspect_min_size %u", file_size,
302 if (new_data < cur_file->inspect_window) {
314 if ((uint64_t)margin <= cur_file->content_inspected) {
325 if ((content_limit == 0 || file_size < content_limit) &&
326 file_size < content_inspect_min_size && !(flow_flags & STREAM_EOF) &&
328 SCLogDebug(
"we still haven't seen the entire content. "
329 "Let's defer content inspection till we see the "
330 "entire content. We've seen %ld and need at least %d",
331 file_size, content_inspect_min_size);
346 if (ips && file_size < cur_file->inspect_min_size) {
355 SCLogDebug(
"[list %d] [before] buffer offset %" PRIu64
"; buffer len %" PRIu32
356 "; data_len %" PRIu32
"; file_size %" PRIu64,
370 SCLogDebug(
"uncompressed buffer %p size %u; buf: \"%s\"", buffer,
379 if (list_id != base_id) {
380 SCLogDebug(
"regular %d has been set up: now handle xforms id %d", base_id, list_id);
382 det_ctx, transforms, list_id, local_file_id, buffer);
394 void *alstate,
void *txv, uint64_t tx_id)
407 int local_file_id = 0;
409 for (; file != NULL; file = file->
next) {
447 if (!AppLayerParserHasFilesInDir(txd,
flags))
452 const int list_id =
ctx->list_id;
457 int local_file_id = 0;
458 for (
File *file = ffc->
head; file != NULL; file = file->
next) {
460 file, list_id,
ctx->base_list_id, local_file_id, txv);
493 mpm_reg->
app_v2.alproto, mpm_reg->
app_v2.tx_min_progress,
494 pectx, PrefilterMpmFiledataFree, mpm_reg->
pname);
const struct HTPCfgRec_ * cfg
@ FILE_SWF_LZMA_COMPRESSION
SigTableElmt * sigmatch_table
#define DETECT_CI_FLAGS_START
uint32_t rule_id_array_cnt
Container for matching data for a signature group.
#define SIG_FLAG_INIT_FLOW
uint32_t inspect_min_size
#define SIG_FLAG_INIT_NEED_FLUSH
#define SIG_FLAG_INIT_FILEDATA
DetectFileDataCfg * filedata_config
int DetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
int FileSwfDecompression(const uint8_t *buffer, uint32_t buffer_len, DetectEngineThreadCtx *det_ctx, InspectionBuffer *out_buffer, int swf_type, uint32_t decompress_depth, uint32_t compress_depth)
This function decompresses a buffer with zlib/lzma algorithm.
void DetectBufferTypeRegisterSetupCallback(const char *name, void(*SetupCallback)(const DetectEngineCtx *, Signature *))
struct DetectBufferMpmRegistry_::@84::@86 app_v2
bool AppLayerParserSupportsFiles(uint8_t ipproto, AppProto alproto)
main detection engine ctx
int PrefilterMpmFiledataRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
void DetectBufferTypeSupportsMultiInstance(const char *name)
struct DetectEngineAppInspectionEngine_::@79 v2
one time registration of keywords at start up
#define FILEDATA_CONTENT_LIMIT
uint32_t swf_compress_depth
int StreamingBufferGetDataAtOffset(const StreamingBuffer *sb, const uint8_t **data, uint32_t *data_len, uint64_t offset)
#define SIG_FLAG_TOCLIENT
DetectFileHandlerTableElmt filehandler_table[DETECT_TBLSIZE_STATIC]
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
DetectEngineTransforms transforms
uint32_t content_inspect_min_size
AppLayerGetFileState AppLayerParserGetTxFiles(const Flow *f, void *tx, const uint8_t direction)
int DetectBufferTypeGetByName(const char *name)
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES
const DetectEngineTransforms * transforms
#define SIG_FLAG_TOSERVER
void InspectionBufferSetupMultiEmpty(InspectionBuffer *buffer)
setup the buffer empty
uint32_t content_inspect_min_size
uint32_t swf_decompress_depth
#define DETECT_ENGINE_INSPECT_SIG_MATCH
void DetectFiledataRegister(void)
Registration function for keyword: file_data.
int swf_decompression_enabled
#define FILEDATA_CONTENT_INSPECT_MIN_SIZE
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
#define DETECT_CI_FLAGS_END
SignatureInitData * init_data
#define SCReturnPtr(x, type)
int FileIsSwfFile(const uint8_t *buffer, uint32_t buffer_len)
Data structures and function prototypes for keeping state for the detection engine.
void AppLayerHtpEnableResponseBodyCallback(void)
Sets a flag that informs the HTP app layer that some module in the engine needs the http request body...
HtpSwfCompressType swf_compression_type
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
uint64_t FileDataSize(const File *file)
get the size of the file data
uint64_t content_inspected
struct AppLayerTxData AppLayerTxData
#define PREFILTER_PROFILING_ADD_BYTES(det_ctx, bytes)
PrefilterRegisterFunc PrefilterFn
void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterTxFn PrefilterTxFunc, AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
void DetectFiledataRegisterTests(void)
#define SCLogError(...)
Macro used to log ERROR messages.
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
const DetectEngineTransforms * transforms
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
InspectEngineFuncPtr Callback
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
@ FILE_SWF_ZLIB_COMPRESSION
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
bool DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, const uint32_t buffer_len, const uint32_t stream_start_offset, const uint8_t flags, const enum DetectContentInspectionType inspection_mode)
wrapper around DetectEngineContentInspectionInternal to return true/false only
AppProto alproto
application level protocol
uint8_t DetectEngineInspectFiledata(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
void(* RegisterTests)(void)
int DetectProtoContainsProto(const DetectProto *dp, int proto)
see if a DetectProto contains a certain proto