suricata
detect-file-hash-common.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Duarte Silva <duarte.silva@serializing.me>
23  *
24  */
25 
26 #include "suricata-common.h"
27 
28 #include "detect.h"
29 #include "detect-parse.h"
30 
32 
33 #include "app-layer-htp.h"
34 
35 #ifdef HAVE_NSS
36 
37 /**
38  * \brief Read the bytes of a hash from an hexadecimal string
39  *
40  * \param hash buffer to store the resulting bytes
41  * \param string hexadecimal string representing the hash
42  * \param filename file name from where the string was read
43  * \param line_no file line number from where the string was read
44  * \param expected_len the expected length of the string that was read
45  *
46  * \retval -1 the hexadecimal string is invalid
47  * \retval 1 the hexadecimal string was read successfully
48  */
49 int ReadHashString(uint8_t *hash, const char *string, const char *filename, int line_no,
50  uint16_t expected_len)
51 {
52  if (strlen(string) != expected_len) {
53  SCLogError(SC_ERR_INVALID_HASH, "%s:%d hash string not %d characters",
54  filename, line_no, expected_len);
55  return -1;
56  }
57 
58  int i, x;
59  for (x = 0, i = 0; i < expected_len; i+=2, x++) {
60  char buf[3] = { 0, 0, 0 };
61  buf[0] = string[i];
62  buf[1] = string[i+1];
63 
64  long value = strtol(buf, NULL, 16);
65  if (value >= 0 && value <= 255)
66  hash[x] = (uint8_t)value;
67  else {
68  SCLogError(SC_ERR_INVALID_HASH, "%s:%d hash byte out of range %ld",
69  filename, line_no, value);
70  return -1;
71  }
72  }
73 
74  return 1;
75 }
76 
77 /**
78  * \brief Store a hash into the hash table
79  *
80  * \param hash_table hash table that will hold the hash
81  * \param string hexadecimal string representing the hash
82  * \param filename file name from where the string was read
83  * \param line_no file line number from where the string was read
84  * \param type the hash algorithm
85  *
86  * \retval -1 failed to load the hash into the hash table
87  * \retval 1 successfully loaded the has into the hash table
88  */
89 int LoadHashTable(ROHashTable *hash_table, const char *string, const char *filename,
90  int line_no, uint32_t type)
91 {
92  /* allocate the maximum size a hash can have (in this case is SHA256, 32 bytes) */
93  uint8_t hash[32];
94  /* specify the actual size that should be read depending on the hash algorithm */
95  uint16_t size = 32;
96 
97  if (type == DETECT_FILEMD5) {
98  size = 16;
99  }
100  else if (type == DETECT_FILESHA1) {
101  size = 20;
102  }
103 
104  /* every byte represented with hexadecimal digits is two characters */
105  uint16_t expected_len = (size * 2);
106 
107  if (ReadHashString(hash, string, filename, line_no, expected_len) == 1) {
108  if (ROHashInitQueueValue(hash_table, &hash, size) != 1)
109  return -1;
110  }
111 
112  return 1;
113 }
114 
115 /**
116  * \brief Match a hash stored in a hash table
117  *
118  * \param hash_table hash table that will hold the hash
119  * \param hash buffer containing the bytes of the has
120  * \param hash_len length of the hash buffer
121  *
122  * \retval 0 didn't find the specified hash
123  * \retval 1 the hash matched a stored value
124  */
125 static int HashMatchHashTable(ROHashTable *hash_table, uint8_t *hash,
126  size_t hash_len)
127 {
128  void *ptr = ROHashLookup(hash_table, hash, (uint16_t)hash_len);
129  if (ptr == NULL)
130  return 0;
131  else
132  return 1;
133 }
134 
135 /**
136  * \brief Match the specified file hash
137  *
138  * \param t thread local vars
139  * \param det_ctx pattern matcher thread local data
140  * \param f *LOCKED* flow
141  * \param flags direction flags
142  * \param file file being inspected
143  * \param s signature being inspected
144  * \param m sigmatch that we will cast into DetectFileHashData
145  *
146  * \retval 0 no match
147  * \retval 1 match
148  */
150  Flow *f, uint8_t flags, File *file, const Signature *s, const SigMatchCtx *m)
151 {
152  SCEnter();
153  int ret = 0;
154  DetectFileHashData *filehash = (DetectFileHashData *)m;
155 
156  if (file->state != FILE_STATE_CLOSED) {
157  SCReturnInt(0);
158  }
159 
160  int match = -1;
161 
162  if (s->file_flags & FILE_SIG_NEED_MD5 && file->flags & FILE_MD5) {
163  match = HashMatchHashTable(filehash->hash, file->md5, sizeof(file->md5));
164  }
165  else if (s->file_flags & FILE_SIG_NEED_SHA1 && file->flags & FILE_SHA1) {
166  match = HashMatchHashTable(filehash->hash, file->sha1, sizeof(file->sha1));
167  }
168  else if (s->file_flags & FILE_SIG_NEED_SHA256 && file->flags & FILE_SHA256) {
169  match = HashMatchHashTable(filehash->hash, file->sha256, sizeof(file->sha256));
170  }
171 
172  if (match == 1) {
173  if (filehash->negated == 0)
174  ret = 1;
175  else
176  ret = 0;
177  }
178  else if (match == 0) {
179  if (filehash->negated == 0)
180  ret = 0;
181  else
182  ret = 1;
183  }
184 
185  SCReturnInt(ret);
186 }
187 
188 static const char *hexcodes = "ABCDEFabcdef0123456789";
189 
190 /**
191  * \brief Parse the filemd5, filesha1 or filesha256 keyword
192  *
193  * \param det_ctx pattern matcher thread local data
194  * \param str Pointer to the user provided option
195  * \param type the hash algorithm
196  *
197  * \retval hash pointer to DetectFileHashData on success
198  * \retval NULL on failure
199  */
200 static DetectFileHashData *DetectFileHashParse (const DetectEngineCtx *de_ctx,
201  const char *str, uint32_t type)
202 {
203  DetectFileHashData *filehash = NULL;
204  FILE *fp = NULL;
205  char *filename = NULL;
206 
207  /* We have a correct hash algorithm option */
208  filehash = SCMalloc(sizeof(DetectFileHashData));
209  if (unlikely(filehash == NULL))
210  goto error;
211 
212  memset(filehash, 0x00, sizeof(DetectFileHashData));
213 
214  if (strlen(str) && str[0] == '!') {
215  filehash->negated = 1;
216  str++;
217  }
218 
219  if (type == DETECT_FILEMD5) {
220  filehash->hash = ROHashInit(18, 16);
221  }
222  else if (type == DETECT_FILESHA1) {
223  filehash->hash = ROHashInit(18, 20);
224  }
225  else if (type == DETECT_FILESHA256) {
226  filehash->hash = ROHashInit(18, 32);
227  }
228 
229  if (filehash->hash == NULL) {
230  goto error;
231  }
232 
233  /* get full filename */
234  filename = DetectLoadCompleteSigPath(de_ctx, str);
235  if (filename == NULL) {
236  goto error;
237  }
238 
239  char line[8192] = "";
240  fp = fopen(filename, "r");
241  if (fp == NULL) {
242 #ifdef HAVE_LIBGEN_H
243  if (de_ctx->rule_file != NULL) {
244  char *dir = dirname(de_ctx->rule_file);
245  if (dir != NULL) {
246  char path[PATH_MAX];
247  snprintf(path, sizeof(path), "%s/%s", dir, str);
248  fp = fopen(path, "r");
249  if (fp == NULL) {
251  "opening hash file %s: %s", path, strerror(errno));
252  goto error;
253  }
254  }
255  }
256  if (fp == NULL) {
257 #endif
258  SCLogError(SC_ERR_OPENING_RULE_FILE, "opening hash file %s: %s", filename, strerror(errno));
259  goto error;
260 #ifdef HAVE_LIBGEN_H
261  }
262 #endif
263  }
264 
265  int line_no = 0;
266  while(fgets(line, (int)sizeof(line), fp) != NULL) {
267  size_t valid = 0, len = strlen(line);
268  line_no++;
269 
270  while (strchr(hexcodes, line[valid]) != NULL && valid++ < len);
271 
272  /* lines that do not contain sequentially any valid character are ignored */
273  if (valid == 0)
274  continue;
275 
276  /* ignore anything after the sequence of valid characters */
277  line[valid] = '\0';
278 
279  if (LoadHashTable(filehash->hash, line, filename, line_no, type) != 1) {
280  goto error;
281  }
282  }
283  fclose(fp);
284  fp = NULL;
285 
286  if (ROHashInitFinalize(filehash->hash) != 1) {
287  goto error;
288  }
289  SCLogInfo("Hash hash table size %u bytes%s", ROHashMemorySize(filehash->hash), filehash->negated ? ", negated match" : "");
290 
291  SCFree(filename);
292  return filehash;
293 
294 error:
295  if (filehash != NULL)
296  DetectFileHashFree(filehash);
297  if (fp != NULL)
298  fclose(fp);
299  if (filename != NULL)
300  SCFree(filename);
301  return NULL;
302 }
303 
304 /**
305  * \brief this function is used to parse filemd5, filesha1 and filesha256 options
306  * \brief into the current signature
307  *
308  * \param de_ctx pointer to the Detection Engine Context
309  * \param s pointer to the Current Signature
310  * \param str pointer to the user provided "filemd5", "filesha1" or "filesha256" option
311  * \param type type of file hash to setup
312  *
313  * \retval 0 on Success
314  * \retval -1 on Failure
315  */
316 int DetectFileHashSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str,
317  uint32_t type, int list)
318 {
319  DetectFileHashData *filehash = NULL;
320  SigMatch *sm = NULL;
321 
322  filehash = DetectFileHashParse(de_ctx, str, type);
323  if (filehash == NULL)
324  goto error;
325 
326  /* Okay so far so good, lets get this into a SigMatch
327  * and put it in the Signature. */
328  sm = SigMatchAlloc();
329  if (sm == NULL)
330  goto error;
331 
332  sm->type = type;
333  sm->ctx = (void *)filehash;
334 
335  SigMatchAppendSMToList(s, sm, list);
336 
338 
339  // Setup the file flags depending on the hashing algorithm
340  if (type == DETECT_FILEMD5) {
342  }
343  if (type == DETECT_FILESHA1) {
345  }
346  if (type == DETECT_FILESHA256) {
348  }
349  return 0;
350 
351 error:
352  if (filehash != NULL)
353  DetectFileHashFree(filehash);
354  if (sm != NULL)
355  SCFree(sm);
356  return -1;
357 }
358 
359 /**
360  * \brief this function will free memory associated with DetectFileHashData
361  *
362  * \param filehash pointer to DetectFileHashData
363  */
364 void DetectFileHashFree(void *ptr)
365 {
366  if (ptr != NULL) {
367  DetectFileHashData *filehash = (DetectFileHashData *)ptr;
368  if (filehash->hash != NULL)
369  ROHashFree(filehash->hash);
370  SCFree(filehash);
371  }
372 }
373 
374 #endif /* HAVE_NSS */
uint16_t flags
#define unlikely(expr)
Definition: util-optimize.h:35
#define FILE_SHA256
Definition: util-file.h:43
uint32_t ROHashMemorySize(ROHashTable *table)
Definition: util-rohash.c:103
void DetectFileHashFree(void *)
Signature container.
Definition: detect.h:495
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:317
main detection engine ctx
Definition: detect.h:723
#define str(s)
void * ROHashLookup(ROHashTable *table, void *data, uint16_t size)
Definition: util-rohash.c:113
uint16_t flags
Definition: util-file.h:65
char * rule_file
Definition: detect.h:827
uint8_t type
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
ROHashTable * ROHashInit(uint8_t hash_bits, uint16_t item_size)
initialize a new rohash
Definition: util-rohash.c:64
#define SCEnter(...)
Definition: util-debug.h:337
int ReadHashString(uint8_t *, const char *, const char *, int, uint16_t)
uint8_t type
Definition: detect.h:323
#define SCReturnInt(x)
Definition: util-debug.h:341
#define FILE_MD5
Definition: util-file.h:39
#define FILE_SIG_NEED_MD5
Definition: detect.h:290
#define FILE_SIG_NEED_FILE
Definition: detect.h:286
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:288
char * DetectLoadCompleteSigPath(const DetectEngineCtx *de_ctx, const char *sig_file)
Create the path if default-rule-path was specified.
#define FILE_SHA1
Definition: util-file.h:41
SigMatchCtx * ctx
Definition: detect.h:325
#define SCMalloc(a)
Definition: util-mem.h:166
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:254
#define SCFree(a)
Definition: util-mem.h:228
int ROHashInitFinalize(ROHashTable *table)
create final hash data structure
Definition: util-rohash.c:183
void ROHashFree(ROHashTable *table)
Definition: util-rohash.c:92
#define FILE_SIG_NEED_SHA1
Definition: detect.h:291
int LoadHashTable(ROHashTable *, const char *, const char *, int, uint32_t)
#define FILE_SIG_NEED_SHA256
Definition: detect.h:292
FileState state
Definition: util-file.h:67
SCMutex m
Definition: flow-hash.h:105
int DetectFileHashSetup(DetectEngineCtx *, Signature *, const char *, uint32_t, int)
int DetectFileHashMatch(ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t, File *, const Signature *, const SigMatchCtx *)
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
int ROHashInitQueueValue(ROHashTable *table, void *value, uint16_t size)
Add a new value to the hash.
Definition: util-rohash.c:152
uint8_t len
Per thread variable structure.
Definition: threadvars.h:57
uint8_t file_flags
Definition: detect.h:509
Flow data structure.
Definition: flow.h:324
a single match condition for a signature
Definition: detect.h:322