suricata
detect-file-hash-common.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Duarte Silva <duarte.silva@serializing.me>
23  *
24  */
25 
26 #include "suricata-common.h"
27 
28 #include "detect.h"
29 #include "detect-parse.h"
30 
31 #include "detect-file-hash-common.h"
32 
33 #include "app-layer-htp.h"
34 
35 /**
36  * \brief Read the bytes of a hash from an hexadecimal string
37  *
38  * \param hash buffer to store the resulting bytes
39  * \param string hexadecimal string representing the hash
40  * \param filename file name from where the string was read
41  * \param line_no file line number from where the string was read
42  * \param expected_len the expected length of the string that was read
43  *
44  * \retval -1 the hexadecimal string is invalid
45  * \retval 1 the hexadecimal string was read successfully
46  */
47 int ReadHashString(uint8_t *hash, const char *string, const char *filename, int line_no,
48  uint16_t expected_len)
49 {
50  if (strlen(string) != expected_len) {
51  SCLogError("%s:%d hash string not %d characters", filename, line_no, expected_len);
52  return -1;
53  }
54 
55  int i, x;
56  for (x = 0, i = 0; i < expected_len; i+=2, x++) {
57  char buf[3] = { 0, 0, 0 };
58  buf[0] = string[i];
59  buf[1] = string[i+1];
60 
61  long value = strtol(buf, NULL, 16);
62  if (value >= 0 && value <= 255)
63  hash[x] = (uint8_t)value;
64  else {
65  SCLogError("%s:%d hash byte out of range %ld", filename, line_no, value);
66  return -1;
67  }
68  }
69 
70  return 1;
71 }
72 
73 /**
74  * \brief Store a hash into the hash table
75  *
76  * \param hash_table hash table that will hold the hash
77  * \param string hexadecimal string representing the hash
78  * \param filename file name from where the string was read
79  * \param line_no file line number from where the string was read
80  * \param type the hash algorithm
81  *
82  * \retval -1 failed to load the hash into the hash table
83  * \retval 1 successfully loaded the has into the hash table
84  */
85 int LoadHashTable(ROHashTable *hash_table, const char *string, const char *filename,
86  int line_no, uint32_t type)
87 {
88  /* allocate the maximum size a hash can have (in this case is SHA256, 32 bytes) */
89  uint8_t hash[32];
90  /* specify the actual size that should be read depending on the hash algorithm */
91  uint16_t size = 32;
92 
93  if (type == DETECT_FILEMD5) {
94  size = 16;
95  }
96  else if (type == DETECT_FILESHA1) {
97  size = 20;
98  }
99 
100  /* every byte represented with hexadecimal digits is two characters */
101  uint16_t expected_len = (size * 2);
102 
103  if (ReadHashString(hash, string, filename, line_no, expected_len) == 1) {
104  if (ROHashInitQueueValue(hash_table, &hash, size) != 1)
105  return -1;
106  }
107 
108  return 1;
109 }
110 
111 /**
112  * \brief Match a hash stored in a hash table
113  *
114  * \param hash_table hash table that will hold the hash
115  * \param hash buffer containing the bytes of the has
116  * \param hash_len length of the hash buffer
117  *
118  * \retval 0 didn't find the specified hash
119  * \retval 1 the hash matched a stored value
120  */
121 static int HashMatchHashTable(ROHashTable *hash_table, uint8_t *hash,
122  size_t hash_len)
123 {
124  void *ptr = ROHashLookup(hash_table, hash, (uint16_t)hash_len);
125  if (ptr == NULL)
126  return 0;
127  else
128  return 1;
129 }
130 
131 /**
132  * \brief Match the specified file hash
133  *
134  * \param det_ctx pattern matcher thread local data
135  * \param f *LOCKED* flow
136  * \param flags direction flags
137  * \param file file being inspected
138  * \param s signature being inspected
139  * \param m sigmatch that we will cast into DetectFileHashData
140  *
141  * \retval 0 no match
142  * \retval 1 match
143  */
144 int DetectFileHashMatch (DetectEngineThreadCtx *det_ctx,
145  Flow *f, uint8_t flags, File *file, const Signature *s, const SigMatchCtx *m)
146 {
147  SCEnter();
148  int ret = 0;
149  DetectFileHashData *filehash = (DetectFileHashData *)m;
150 
151  if (file->state != FILE_STATE_CLOSED) {
152  SCReturnInt(0);
153  }
154 
155  int match = -1;
156 
157  if (s->file_flags & FILE_SIG_NEED_MD5 && file->flags & FILE_MD5) {
158  match = HashMatchHashTable(filehash->hash, file->md5, sizeof(file->md5));
159  }
160  else if (s->file_flags & FILE_SIG_NEED_SHA1 && file->flags & FILE_SHA1) {
161  match = HashMatchHashTable(filehash->hash, file->sha1, sizeof(file->sha1));
162  }
163  else if (s->file_flags & FILE_SIG_NEED_SHA256 && file->flags & FILE_SHA256) {
164  match = HashMatchHashTable(filehash->hash, file->sha256, sizeof(file->sha256));
165  }
166 
167  if (match == 1) {
168  if (filehash->negated == 0)
169  ret = 1;
170  else
171  ret = 0;
172  }
173  else if (match == 0) {
174  if (filehash->negated == 0)
175  ret = 0;
176  else
177  ret = 1;
178  }
179 
180  SCReturnInt(ret);
181 }
182 
183 static const char *hexcodes = "ABCDEFabcdef0123456789";
184 
185 /**
186  * \brief Parse the filemd5, filesha1 or filesha256 keyword
187  *
188  * \param det_ctx pattern matcher thread local data
189  * \param str Pointer to the user provided option
190  * \param type the hash algorithm
191  *
192  * \retval hash pointer to DetectFileHashData on success
193  * \retval NULL on failure
194  */
195 static DetectFileHashData *DetectFileHashParse (const DetectEngineCtx *de_ctx,
196  const char *str, uint32_t type)
197 {
198  DetectFileHashData *filehash = NULL;
199  FILE *fp = NULL;
200  char *filename = NULL;
201  char *rule_filename = NULL;
202 
203  /* We have a correct hash algorithm option */
204  filehash = SCCalloc(1, sizeof(DetectFileHashData));
205  if (unlikely(filehash == NULL))
206  goto error;
207 
208  if (strlen(str) && str[0] == '!') {
209  filehash->negated = 1;
210  str++;
211  }
212 
213  if (type == DETECT_FILEMD5) {
214  filehash->hash = ROHashInit(18, 16);
215  }
216  else if (type == DETECT_FILESHA1) {
217  filehash->hash = ROHashInit(18, 20);
218  }
219  else if (type == DETECT_FILESHA256) {
220  filehash->hash = ROHashInit(18, 32);
221  }
222 
223  if (filehash->hash == NULL) {
224  goto error;
225  }
226 
227  /* get full filename */
228  filename = DetectLoadCompleteSigPath(de_ctx, str);
229  if (filename == NULL) {
230  goto error;
231  }
232 
233  rule_filename = SCStrdup(de_ctx->rule_file);
234  if (rule_filename == NULL) {
235  goto error;
236  }
237 
238  char line[8192] = "";
239  fp = fopen(filename, "r");
240  if (fp == NULL) {
241 #ifdef HAVE_LIBGEN_H
242  if (de_ctx->rule_file != NULL) {
243  char *dir = dirname(rule_filename);
244  if (dir != NULL) {
245  char path[PATH_MAX];
246  snprintf(path, sizeof(path), "%s/%s", dir, str);
247  fp = fopen(path, "r");
248  if (fp == NULL) {
249  SCLogError("opening hash file %s: %s", path, strerror(errno));
250  goto error;
251  }
252  }
253  }
254  if (fp == NULL) {
255 #endif
256  SCLogError("opening hash file %s: %s", filename, strerror(errno));
257  goto error;
258 #ifdef HAVE_LIBGEN_H
259  }
260 #endif
261  }
262 
263  int line_no = 0;
264  while(fgets(line, (int)sizeof(line), fp) != NULL) {
265  size_t valid = 0, len = strlen(line);
266  line_no++;
267 
268  while (strchr(hexcodes, line[valid]) != NULL && valid++ < len);
269 
270  /* lines that do not contain sequentially any valid character are ignored */
271  if (valid == 0)
272  continue;
273 
274  /* ignore anything after the sequence of valid characters */
275  line[valid] = '\0';
276 
277  if (LoadHashTable(filehash->hash, line, filename, line_no, type) != 1) {
278  goto error;
279  }
280  }
281  fclose(fp);
282  fp = NULL;
283 
284  if (ROHashInitFinalize(filehash->hash) != 1) {
285  goto error;
286  }
287  SCLogInfo("Hash hash table size %u bytes%s", ROHashMemorySize(filehash->hash), filehash->negated ? ", negated match" : "");
288 
289  SCFree(rule_filename);
290  SCFree(filename);
291  return filehash;
292 
293 error:
294  if (filehash != NULL)
295  DetectFileHashFree((DetectEngineCtx *) de_ctx, filehash);
296  if (fp != NULL)
297  fclose(fp);
298  if (filename != NULL)
299  SCFree(filename);
300  if (rule_filename != NULL) {
301  SCFree(rule_filename);
302  }
303  return NULL;
304 }
305 
306 /**
307  * \brief this function is used to parse filemd5, filesha1 and filesha256 options
308  * \brief into the current signature
309  *
310  * \param de_ctx pointer to the Detection Engine Context
311  * \param s pointer to the Current Signature
312  * \param str pointer to the user provided "filemd5", "filesha1" or "filesha256" option
313  * \param type type of file hash to setup
314  *
315  * \retval 0 on Success
316  * \retval -1 on Failure
317  */
318 int DetectFileHashSetup(
319  DetectEngineCtx *de_ctx, Signature *s, const char *str, uint16_t type, int list)
320 {
321  DetectFileHashData *filehash = NULL;
322 
323  filehash = DetectFileHashParse(de_ctx, str, type);
324  if (filehash == NULL)
325  goto error;
326 
327  /* Okay so far so good, lets get this into a SigMatch
328  * and put it in the Signature. */
329 
330  if (SCSigMatchAppendSMToList(de_ctx, s, type, (SigMatchCtx *)filehash, list) == NULL) {
331  goto error;
332  }
333 
334  s->file_flags |= FILE_SIG_NEED_FILE;
335 
336  // Setup the file flags depending on the hashing algorithm
337  if (type == DETECT_FILEMD5) {
338  s->file_flags |= FILE_SIG_NEED_MD5;
339  }
340  if (type == DETECT_FILESHA1) {
341  s->file_flags |= FILE_SIG_NEED_SHA1;
342  }
343  if (type == DETECT_FILESHA256) {
344  s->file_flags |= FILE_SIG_NEED_SHA256;
345  }
346  return 0;
347 
348 error:
349  if (filehash != NULL)
350  DetectFileHashFree(de_ctx, filehash);
351  return -1;
352 }
353 
354 /**
355  * \brief this function will free memory associated with DetectFileHashData
356  *
357  * \param filehash pointer to DetectFileHashData
358  */
359 void DetectFileHashFree(DetectEngineCtx *de_ctx, void *ptr)
360 {
361  if (ptr != NULL) {
362  DetectFileHashData *filehash = (DetectFileHashData *)ptr;
363  if (filehash->hash != NULL)
364  ROHashFree(filehash->hash);
365  SCFree(filehash);
366  }
367 }
len
uint8_t len
Definition: app-layer-dnp3.h:2
FILE_SIG_NEED_SHA1
#define FILE_SIG_NEED_SHA1
Definition: detect.h:325
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
FILE_SHA256
#define FILE_SHA256
Definition: util-file.h:52
Flow_
Flow data structure.
Definition: flow.h:356
File_::state
FileState state
Definition: util-file.h:82
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
ROHashTable_
Definition: util-rohash.h:27
m
SCMutex m
Definition: flow-hash.h:6
File_::sha1
uint8_t sha1[SC_SHA1_LEN]
Definition: util-file.h:96
DetectFileHashData_
Definition: detect-file-hash-common.h:31
DetectFileHashData_::hash
ROHashTable * hash
Definition: detect-file-hash-common.h:32
FILE_SIG_NEED_MD5
#define FILE_SIG_NEED_MD5
Definition: detect.h:324
ROHashInitFinalize
int ROHashInitFinalize(ROHashTable *table)
create final hash data structure
Definition: util-rohash.c:181
DetectFileHashFree
void DetectFileHashFree(DetectEngineCtx *de_ctx, void *ptr)
this function will free memory associated with DetectFileHashData
Definition: detect-file-hash-common.c:359
app-layer-htp.h
File_::md5
uint8_t md5[SC_MD5_LEN]
Definition: util-file.h:94
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectFileHashSetup
int DetectFileHashSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str, uint16_t type, int list)
this function is used to parse filemd5, filesha1 and filesha256 options
Definition: detect-file-hash-common.c:318
DetectEngineThreadCtx_
Definition: detect.h:1244
ROHashLookup
void * ROHashLookup(ROHashTable *table, void *data, uint16_t size)
Definition: util-rohash.c:113
SCEnter
#define SCEnter(...)
Definition: util-debug.h:277
DetectFileHashMatch
int DetectFileHashMatch(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, File *file, const Signature *s, const SigMatchCtx *m)
Match the specified file hash.
Definition: detect-file-hash-common.c:144
SCSigMatchAppendSMToList
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:388
detect.h
FILE_SIG_NEED_SHA256
#define FILE_SIG_NEED_SHA256
Definition: detect.h:326
ROHashMemorySize
uint32_t ROHashMemorySize(ROHashTable *table)
Definition: util-rohash.c:102
type
uint16_t type
Definition: decode-vlan.c:106
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:225
DETECT_FILESHA1
@ DETECT_FILESHA1
Definition: detect-engine-register.h:239
detect-file-hash-common.h
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:351
File_::flags
uint16_t flags
Definition: util-file.h:80
FILE_STATE_CLOSED
@ FILE_STATE_CLOSED
Definition: util-file.h:71
File_
Definition: util-file.h:79
DetectEngineCtx_::rule_file
const char * rule_file
Definition: detect.h:1024
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
Signature_::file_flags
uint8_t file_flags
Definition: detect.h:684
ROHashInit
ROHashTable * ROHashInit(uint8_t hash_bits, uint16_t item_size)
initialize a new rohash
Definition: util-rohash.c:64
FILE_MD5
#define FILE_MD5
Definition: util-file.h:48
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
ROHashInitQueueValue
int ROHashInitQueueValue(ROHashTable *table, void *value, uint16_t size)
Add a new value to the hash.
Definition: util-rohash.c:151
File_::sha256
uint8_t sha256[SC_SHA256_LEN]
Definition: util-file.h:98
DETECT_FILEMD5
@ DETECT_FILEMD5
Definition: detect-engine-register.h:238
str
#define str(s)
Definition: suricata-common.h:308
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:267
ROHashFree
void ROHashFree(ROHashTable *table)
Definition: util-rohash.c:91
LoadHashTable
int LoadHashTable(ROHashTable *hash_table, const char *string, const char *filename, int line_no, uint32_t type)
Store a hash into the hash table.
Definition: detect-file-hash-common.c:85
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:668
FILE_SHA1
#define FILE_SHA1
Definition: util-file.h:50
FILE_SIG_NEED_FILE
#define FILE_SIG_NEED_FILE
Definition: detect.h:320
DetectLoadCompleteSigPath
char * DetectLoadCompleteSigPath(const DetectEngineCtx *de_ctx, const char *sig_file)
Create the path if default-rule-path was specified.
Definition: detect-engine-loader.c:106
DetectFileHashData_::negated
int negated
Definition: detect-file-hash-common.h:33
ReadHashString
int ReadHashString(uint8_t *hash, const char *string, const char *filename, int line_no, uint16_t expected_len)
Read the bytes of a hash from an hexadecimal string.
Definition: detect-file-hash-common.c:47
DETECT_FILESHA256
@ DETECT_FILESHA256
Definition: detect-engine-register.h:240
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:281