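/**
 * \brief Regex for parsing the filestore keyword options.
 *
 * Accepts up to three comma-separated words with optional surrounding
 * whitespace. Each word is captured in its own group; groups 2 and 3 are
 * optional.
 *
 * The character class is written [A-Za-z_] rather than [A-z_]. The ASCII
 * range A-z also spans the punctuation between 'Z' and 'a' (left bracket,
 * backslash, right bracket, caret, backtick), so the looser class lets rule
 * text past the parser that can never be a valid option word. Every option
 * value compared in this file (request, to_server, response, to_client,
 * both, file, tx, ssn, flow) uses only letters and '_'.
 */
#define PARSE_REGEX "^\\s*([A-Za-z_]+)\\s*(?:,\\s*([A-Za-z_]+))?\\s*(?:,\\s*([A-Za-z_]+))?\\s*$"

/* Forward declaration; the definition appears near the end of this file. */
static void DetectFilestoreRegisterTests(void);

/* File-scope id, zero until assigned; the assignment is not visible in this
 * listing. NOTE(review): presumably the id of the file-match list this
 * keyword registers -- confirm against the registration code. */
static int g_file_match_list_id = 0;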
106 if (filestore == NULL) {
114 int toserver_dir = 0;
115 int toclient_dir = 0;
133 switch (filestore->
scope) {
153 }
else if (this_tx) {
167 }
else if (this_flow) {
223 flags |= STREAM_TOCLIENT;
225 flags |= STREAM_TOSERVER;
271 uint32_t file_id = 0;
283 if (file->
sid != NULL && s->
id > 0) {
291 goto continue_after_realloc_fail;
302 continue_after_realloc_fail:
330 static bool warn_not_configured =
false;
331 static uint32_t de_version = 0;
334 if (!warn_not_configured || (
de_ctx->
version != de_version)) {
336 SCLogDebug(
"reload-detected; re-checking feature presence; DE version now %"PRIu32,
341 "file-store output log which is not enabled. "
342 "Enable the output \"file-store\".");
344 warn_not_configured =
true;
350 char *args[3] = {NULL,NULL,NULL};
351 int ret = 0,
res = 0;
357 "filestore can't work with bypass keyword");
367 if (
str != NULL && strlen(
str) > 0) {
374 if (ret < 1 || ret > 4) {
380 pcre2len =
sizeof(str_0);
381 res = pcre2_substring_copy_bynumber(
382 parse_regex.
match, 1, (PCRE2_UCHAR8 *)str_0, &pcre2len);
387 args[0] = (
char *)str_0;
390 pcre2len =
sizeof(str_1);
391 res = pcre2_substring_copy_bynumber(
392 parse_regex.
match, 2, (PCRE2_UCHAR8 *)str_1, &pcre2len);
397 args[1] = (
char *)str_1;
400 pcre2len =
sizeof(str_2);
401 res = pcre2_substring_copy_bynumber(
402 parse_regex.
match, 3, (PCRE2_UCHAR8 *)str_2, &pcre2len);
407 args[2] = (
char *)str_2;
416 if (args[0] != NULL) {
419 if (strcasecmp(args[0],
"request") == 0 ||
420 strcasecmp(args[0],
"to_server") == 0)
425 else if (strcasecmp(args[0],
"response") == 0 ||
426 strcasecmp(args[0],
"to_client") == 0)
431 else if (strcasecmp(args[0],
"both") == 0)
440 if (args[1] != NULL) {
443 if (strcasecmp(args[1],
"file") == 0)
446 }
else if (strcasecmp(args[1],
"tx") == 0)
449 }
else if (strcasecmp(args[1],
"ssn") == 0 ||
450 strcasecmp(args[1],
"flow") == 0)
501 static int DetectFilestoreTest01(
void)
512 "(bypass; filestore; "
513 "content:\"message\"; http_host; "
522 void DetectFilestoreRegisterTests(
void)
void FileStoreAllFilesForTx(FileContainer *fc, uint64_t tx_id)
void AppLayerHtpNeedFileInspection(void)
Sets a flag that informs the HTP app layer that some module in the engine needs the http request file...
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
void(* Free)(DetectEngineCtx *, void *)
const struct DetectFilestoreData_ * filestore_ctx
void AppLayerParserSetStreamDepthFlag(uint8_t ipproto, AppProto alproto, void *state, uint64_t tx_id, uint8_t flags)
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define FILESTORE_DIR_DEFAULT
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
int(* FileMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, File *, const Signature *, const SigMatchCtx *)
main detection engine ctx
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx.
#define FLOW_PKT_TOSERVER
FileContainer * AppLayerParserGetFiles(const Flow *f, const uint8_t direction)
#define HTP_FLAG_STORE_FILES_TX_TC
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
void * FlowGetAppState(const Flow *f)
#define FILESTORE_SCOPE_TX
@ DETECT_SM_LIST_POSTMATCH
bool RequiresFeature(const char *feature_name)
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
#define DETECT_FILESTORE_MAX
struct DetectEngineThreadCtx_::@99 filestore[DETECT_FILESTORE_MAX]
#define FILESTORE_SCOPE_SSN
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
@ SC_ERR_PCRE_COPY_SUBSTRING
void FileStoreFileById(FileContainer *fc, uint32_t file_id)
flag a file with id "file_id" to be stored.
uint32_t FileReassemblyDepth(void)
#define FILESTORE_DIR_TOCLIENT
Data structures and function prototypes for keeping state for the detection engine.
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
#define FLOW_PKT_TOCLIENT
#define HTP_FLAG_STORE_FILES_TS
SigMatch * SigMatchAlloc(void)
#define HTP_FLAG_STORE_FILES_TX_TS
#define SCRealloc(ptr, sz)
Used to start a pointer to SigMatch context. Should never be dereferenced without casting to something...
#define FILESTORE_DIR_BOTH
#define FILESTORE_DIR_TOSERVER
void DetectFilestoreRegister(void)
Registration function for keyword: filestore.
#define FEATURE_OUTPUT_FILESTORE
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
int DetectBufferTypeRegister(const char *name)
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
#define SIGMATCH_OPTIONAL_OPT
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
#define PARSE_REGEX
Regex for parsing our filestore options (up to three comma-separated words).
void TcpSessionSetReassemblyDepth(TcpSession *ssn, uint32_t size)
a single match condition for a signature
DetectEngineCtx * DetectEngineCtxInit(void)
#define FILESTORE_SCOPE_DEFAULT
#define HTP_FLAG_STORE_FILES_TC
AppProto alproto
application level protocol
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
#define SIG_FLAG_FILESTORE
void(* RegisterTests)(void)
void FileStoreAllFiles(FileContainer *fc)
@ DETECT_FILESTORE_POSTMATCH
@ SC_ERR_CONFLICTING_RULE_KEYWORDS