60 static int g_file_data_buffer_id = 0;
62 static inline HtpBody *GetResponseBody(htp_tx_t *tx);
69 static int DetectEngineInspectFiledata(
73 Flow *f, uint8_t
flags,
void *alstate,
void *txv, uint64_t tx_id);
128 HTP_RESPONSE_BODY, DetectEngineInspectBufferHttpBody, NULL);
131 DetectEngineInspectFiledata, NULL);
133 DetectFiledataSetupCallback);
136 DetectEngineInspectFiledata, NULL);
139 DetectEngineInspectFiledata, NULL);
142 DetectEngineInspectFiledata, NULL);
145 DetectEngineInspectFiledata, NULL);
160 "http response body, smb files or smtp attachments data");
165 #define FILEDATA_CONTENT_LIMIT 100000
166 #define FILEDATA_CONTENT_INSPECT_MIN_SIZE 32768
167 #define FILEDATA_CONTENT_INSPECT_WINDOW 4096
219 "flow:to_server or flow:from_client with http.");
226 "flow:to_client or flow:from_server with smtp.");
234 SetupDetectEngineConfig(
de_ctx);
261 static void PrefilterMpmFiledataFree(
void *ptr)
268 static inline HtpBody *GetResponseBody(htp_tx_t *tx)
295 const int list_id,
const int base_id)
300 if (base_id != list_id && buffer->
inspect != NULL)
301 return HttpServerBodyXformsGetDataCallback(det_ctx, transforms, list_id, buffer);
302 else if (buffer->
inspect != NULL)
307 const uint8_t
flags = flow_flags;
309 HtpBody *body = GetResponseBody(tx);
322 SCLogDebug(
"No http chunks to inspect for this transaction");
326 SCLogDebug(
"response.body_limit %u response_body.content_len_so_far %" PRIu64
327 ", response.inspect_min_size %" PRIu32
", EOF %s, progress > body? %s",
342 HTP_RESPONSE_BODY) &&
343 !(
flags & STREAM_EOF)) {
344 SCLogDebug(
"we still haven't seen the entire response body. "
345 "Let's defer body inspection till we see the "
361 SCLogDebug(
"inspect_win %"PRIu64, inspect_win);
362 if (inspect_win < htp_state->cfg->response.inspect_window) {
377 &data, &data_len,
offset);
398 if (base_id != list_id) {
399 buffer = HttpServerBodyXformsGetDataCallback(det_ctx, transforms, list_id, buffer);
412 if (buffer == NULL || buffer->
inspect == NULL) {
417 const uint8_t *data = buffer->
inspect;
422 ci_flags |= buffer->
flags;
436 if (
flags & STREAM_TOSERVER) {
459 Flow *f,
void *txv,
const uint64_t idx,
const uint8_t
flags)
465 const int list_id = ctx->
list_id;
491 mpm_reg->
app_v2.tx_min_progress, pectx, PrefilterMpmFiledataFree, mpm_reg->
pname);
501 if (buffer == NULL) {
502 SCLogDebug(
"list_id: %d: no buffer", list_id);
505 if (!first && buffer->
inspect != NULL) {
506 SCLogDebug(
"list_id: %d: returning %p", list_id, buffer);
518 const int list_id,
const int base_id,
int local_file_id,
bool first)
522 "starting: list_id %d base_id %d first %s", list_id, base_id, first ?
"true" :
"false");
528 if (base_id != list_id && buffer->
inspect != NULL) {
529 SCLogDebug(
"handle xform %s", (list_id != base_id) ?
"true" :
"false");
530 return FiledataWithXformsGetDataCallback(
531 det_ctx, transforms, list_id, local_file_id, buffer, first);
533 if (!first && buffer->
inspect != NULL) {
534 SCLogDebug(
"base_id: %d, not first: use %p", base_id, buffer);
545 SCLogDebug(
"[list %d] first: %d, content_limit %u, content_inspect_min_size %u", list_id,
546 first ? 1 : 0, content_limit, content_inspect_min_size);
548 SCLogDebug(
"[list %d] file %p size %" PRIu64
", state %d", list_id, cur_file, file_size,
557 if (file_size == 0) {
558 SCLogDebug(
"no data to inspect for this transaction");
562 if ((content_limit == 0 || file_size < content_limit) &&
563 file_size < content_inspect_min_size &&
565 SCLogDebug(
"we still haven't seen the entire content. "
566 "Let's defer content inspection till we see the "
578 SCLogDebug(
"[list %d] [before] buffer offset %" PRIu64
"; buffer len %" PRIu32
579 "; data_len %" PRIu32
"; file_size %" PRIu64,
588 if (list_id != base_id) {
589 SCLogDebug(
"regular %d has been set up: now handle xforms id %d", base_id, list_id);
591 det_ctx, transforms, list_id, local_file_id, buffer, first);
599 static int DetectEngineInspectFiledata(
603 Flow *f, uint8_t
flags,
void *alstate,
void *txv, uint64_t tx_id)
618 int local_file_id = 0;
620 for (; file != NULL; file = file->
next) {
621 if (file->
txid != tx_id)
669 const uint64_t idx,
const uint8_t
flags)
675 const int list_id = ctx->
list_id;
679 int local_file_id = 0;
680 for (
File *file = ffc->
head; file != NULL; file = file->
next) {
681 if (file->
txid != idx)
712 mpm_reg->
app_v2.alproto, mpm_reg->
app_v2.tx_min_progress,
713 pectx, PrefilterMpmFiledataFree, mpm_reg->
pname);
const struct HTPCfgRec_ * cfg
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
#define DETECT_CI_FLAGS_START
Container for matching data for a signature group.
#define SIG_FLAG_INIT_FLOW
#define SIG_FLAG_INIT_NEED_FLUSH
#define FILEDATA_CONTENT_LIMIT
#define SIG_FLAG_INIT_FILEDATA
#define FILEDATA_CONTENT_INSPECT_WINDOW
DetectEngineTransforms transforms
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
int FileSwfDecompression(const uint8_t *buffer, uint32_t buffer_len, DetectEngineThreadCtx *det_ctx, InspectionBuffer *out_buffer, int swf_type, uint32_t decompress_depth, uint32_t compress_depth)
This function decompresses a buffer with the zlib/lzma algorithm.
void DetectBufferTypeRegisterSetupCallback(const char *name, void(*SetupCallback)(const DetectEngineCtx *, Signature *))
struct DetectBufferMpmRegistery_::@87::@89 app_v2
main detection engine ctx
@ SC_ERR_INVALID_SIGNATURE
FileContainer * AppLayerParserGetFiles(const Flow *f, const uint8_t direction)
one-time registration of keywords at start-up
struct DetectEngineCtx_::@92 filedata_config[ALPROTO_MAX]
int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
Run the actual payload match functions.
uint32_t swf_compress_depth
int StreamingBufferGetDataAtOffset(const StreamingBuffer *sb, const uint8_t **data, uint32_t *data_len, uint64_t offset)
#define SIG_FLAG_TOCLIENT
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
struct PrefilterMpmFiledata PrefilterMpmFiledata
uint32_t content_inspect_window
struct DetectEngineAppInspectionEngine_::@84 v2
@ FILE_SWF_ZLIB_COMPRESSION
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
uint32_t content_inspect_min_size
int DetectBufferTypeGetByName(const char *name)
uint64_t content_len_so_far
const DetectEngineTransforms * transforms
#define SIG_FLAG_TOSERVER
uint32_t inspect_min_size
int PrefilterMpmFiledataRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)
uint32_t swf_decompress_depth
@ FILE_SWF_LZMA_COMPRESSION
#define DETECT_ENGINE_INSPECT_SIG_MATCH
void DetectFiledataRegister(void)
Registration function for keyword: file_data.
int swf_decompression_enabled
#define DETECT_CI_FLAGS_END
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register an inspect engine at start-up time
SignatureInitData * init_data
#define SCReturnPtr(x, type)
int FileIsSwfFile(const uint8_t *buffer, uint32_t buffer_len)
Data structures and function prototypes for keeping state for the detection engine.
void AppLayerHtpEnableResponseBodyCallback(void)
Sets a flag that informs the HTP app layer that some module in the engine needs the http request body...
HtpSwfCompressType swf_compression_type
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
uint64_t FileDataSize(const File *file)
get the size of the file data
uint16_t discontinue_matching
uint64_t content_inspected
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register an MPM engine
#define FILEDATA_CONTENT_INSPECT_MIN_SIZE
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
int inspection_recursion_counter
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
set up the buffer with our initial data
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
void DetectFiledataRegisterTests(void)
void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
set up the buffer with our initial data
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, void(*PrefilterTxFunc)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t idx, const uint8_t flags), AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
const DetectEngineTransforms * transforms
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
bool filedata_config_initialized
uint32_t content_inspect_min_size
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for an InspectionBufferMultipleForList get an InspectionBuffer
int DetectBufferSetActiveList(Signature *s, const int list)
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
AppProto alproto
application level protocol
uint32_t content_inspect_window
void(* RegisterTests)(void)
int DetectProtoContainsProto(const DetectProto *dp, int proto)
see if a DetectProto contains a certain proto
@ SC_ERR_CONFLICTING_RULE_KEYWORDS