suricata
util-file.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
23  *
24  */
25 
26 #include "suricata-common.h"
27 #include "suricata.h"
28 #include "flow.h"
29 #include "stream.h"
30 #include "stream-tcp.h"
31 #include "runmodes.h"
32 #include "util-hash.h"
33 #include "util-debug.h"
34 #include "util-memcmp.h"
35 #include "util-print.h"
36 #include "app-layer-parser.h"
37 #include "util-validate.h"
38 #include "rust.h"
39 
40 extern int g_detect_disabled;
41 
42 /** \brief mask of file flags we'll not set
43  * This mask is set based on global file settings and
44  * cannot be overridden by detection.
45  */
46 static uint16_t g_file_flow_mask = 0;
47 
48 /** \brief switch to force filestore on all files
49  * regardless of the rules.
50  */
51 static int g_file_force_filestore = 0;
52 
53 /** \brief switch to force magic checks on all files
54  * regardless of the rules.
55  */
56 static int g_file_force_magic = 0;
57 
58 /** \brief switch to force md5 calculation on all files
59  * regardless of the rules.
60  */
61 static int g_file_force_md5 = 0;
62 
63 /** \brief switch to force sha1 calculation on all files
64  * regardless of the rules.
65  */
66 static int g_file_force_sha1 = 0;
67 
68 /** \brief switch to force sha256 calculation on all files
69  * regardless of the rules.
70  */
71 static int g_file_force_sha256 = 0;
72 
73 /** \brief switch to force tracking off all files
74  * regardless of the rules.
75  */
76 static int g_file_force_tracking = 0;
77 
78 /** \brief switch to use g_file_store_reassembly_depth
79  * to reassembly files
80  */
81 static int g_file_store_enable = 0;
82 
83 /** \brief stream_config.reassembly_depth equivalent
84  * for files
85  */
86 static uint32_t g_file_store_reassembly_depth = 0;
87 
88 /* prototypes */
89 static void FileFree(File *, const StreamingBufferConfig *cfg);
90 static void FileEndSha256(File *ff);
91 
93 {
94  g_file_force_filestore = 1;
95  g_file_flow_mask |= (FLOWFILE_NO_STORE_TS|FLOWFILE_NO_STORE_TC);
96 }
97 
99 {
100  g_file_force_magic = 1;
101  g_file_flow_mask |= (FLOWFILE_NO_MAGIC_TS|FLOWFILE_NO_MAGIC_TC);
102 }
103 
105 {
106  g_file_force_md5 = 1;
107  g_file_flow_mask |= (FLOWFILE_NO_MD5_TS|FLOWFILE_NO_MD5_TC);
108 }
109 
111 {
112  g_file_force_sha1 = 1;
113  g_file_flow_mask |= (FLOWFILE_NO_SHA1_TS|FLOWFILE_NO_SHA1_TC);
114 }
115 
117 {
118  g_file_force_sha256 = 1;
119  g_file_flow_mask |= (FLOWFILE_NO_SHA256_TS|FLOWFILE_NO_SHA256_TC);
120 }
121 
123 {
124  return g_file_force_filestore;
125 }
126 
127 void FileReassemblyDepthEnable(uint32_t size)
128 {
129  g_file_store_enable = 1;
130  g_file_store_reassembly_depth = size;
131 }
132 
133 uint32_t FileReassemblyDepth(void)
134 {
135  if (g_file_store_enable == 1)
136  return g_file_store_reassembly_depth;
137  else
139 }
140 
141 int FileForceMagic(void)
142 {
143  return g_file_force_magic;
144 }
145 
146 int FileForceMd5(void)
147 {
148  return g_file_force_md5;
149 }
150 
151 int FileForceSha1(void)
152 {
153  return g_file_force_sha1;
154 }
155 
157 {
158  return g_file_force_sha256;
159 }
160 
162 {
163  g_file_force_tracking = 1;
164  g_file_flow_mask |= (FLOWFILE_NO_SIZE_TS|FLOWFILE_NO_SIZE_TC);
165 }
166 
167 /**
168  * \brief Function to parse forced file hashing configuration.
169  */
171 {
172  BUG_ON(conf == NULL);
173 
174  ConfNode *forcehash_node = NULL;
175 
176  /* legacy option */
177  const char *force_md5 = ConfNodeLookupChildValue(conf, "force-md5");
178  if (force_md5 != NULL) {
179  SCLogWarning("deprecated 'force-md5' option "
180  "found. Please use 'force-hash: [md5]' instead");
181 
182  if (ConfValIsTrue(force_md5)) {
183  if (g_disable_hashing) {
184  SCLogInfo(
185  "not forcing md5 calculation for logged files: hashing globally disabled");
186  } else {
188  SCLogInfo("forcing md5 calculation for logged files");
189  }
190  }
191  }
192 
193  if (conf != NULL)
194  forcehash_node = ConfNodeLookupChild(conf, "force-hash");
195 
196  if (forcehash_node != NULL) {
197  ConfNode *field = NULL;
198 
199  TAILQ_FOREACH(field, &forcehash_node->head, next) {
200  if (strcasecmp("md5", field->val) == 0) {
201  if (g_disable_hashing) {
202  SCLogInfo("not forcing md5 calculation for logged files: hashing globally "
203  "disabled");
204  } else {
206  SCLogConfig("forcing md5 calculation for logged or stored files");
207  }
208  }
209 
210  if (strcasecmp("sha1", field->val) == 0) {
211  if (g_disable_hashing) {
212  SCLogInfo("not forcing sha1 calculation for logged files: hashing globally "
213  "disabled");
214  } else {
216  SCLogConfig("forcing sha1 calculation for logged or stored files");
217  }
218  }
219 
220  if (strcasecmp("sha256", field->val) == 0) {
221  if (g_disable_hashing) {
222  SCLogInfo("not forcing sha256 calculation for logged files: hashing globally "
223  "disabled");
224  } else {
226  SCLogConfig("forcing sha256 calculation for logged or stored files");
227  }
228  }
229  }
230  }
231 }
232 
233 uint16_t FileFlowFlagsToFlags(const uint16_t flow_file_flags, uint8_t direction)
234 {
235  uint16_t flags = 0;
236 
237  if (direction == STREAM_TOSERVER) {
238  if ((flow_file_flags & (FLOWFILE_NO_STORE_TS | FLOWFILE_STORE_TS)) ==
240  flags |= FILE_NOSTORE;
241  } else if (flow_file_flags & FLOWFILE_STORE_TS) {
242  flags |= FILE_STORE;
243  }
244 
245  if (flow_file_flags & FLOWFILE_NO_MAGIC_TS) {
246  flags |= FILE_NOMAGIC;
247  }
248 
249  if (flow_file_flags & FLOWFILE_NO_MD5_TS) {
250  flags |= FILE_NOMD5;
251  }
252 
253  if (flow_file_flags & FLOWFILE_NO_SHA1_TS) {
254  flags |= FILE_NOSHA1;
255  }
256 
257  if (flow_file_flags & FLOWFILE_NO_SHA256_TS) {
258  flags |= FILE_NOSHA256;
259  }
260  } else {
261  if ((flow_file_flags & (FLOWFILE_NO_STORE_TC | FLOWFILE_STORE_TC)) ==
263  flags |= FILE_NOSTORE;
264  } else if (flow_file_flags & FLOWFILE_STORE_TC) {
265  flags |= FILE_STORE;
266  }
267 
268  if (flow_file_flags & FLOWFILE_NO_MAGIC_TC) {
269  flags |= FILE_NOMAGIC;
270  }
271 
272  if (flow_file_flags & FLOWFILE_NO_MD5_TC) {
273  flags |= FILE_NOMD5;
274  }
275 
276  if (flow_file_flags & FLOWFILE_NO_SHA1_TC) {
277  flags |= FILE_NOSHA1;
278  }
279 
280  if (flow_file_flags & FLOWFILE_NO_SHA256_TC) {
281  flags |= FILE_NOSHA256;
282  }
283  }
285 
286  SCLogDebug("direction %02x flags %02x", direction, flags);
287  return flags;
288 }
289 
290 uint16_t FileFlowToFlags(const Flow *flow, uint8_t direction)
291 {
292  return FileFlowFlagsToFlags(flow->file_flags, direction);
293 }
294 
295 void FileApplyTxFlags(const AppLayerTxData *txd, const uint8_t direction, File *file)
296 {
297  SCLogDebug("file flags %04x STORE %s NOSTORE %s", file->flags,
298  (file->flags & FILE_STORE) ? "true" : "false",
299  (file->flags & FILE_NOSTORE) ? "true" : "false");
300  uint16_t update_flags = FileFlowFlagsToFlags(txd->file_flags, direction);
302  (file->flags & (FILE_STORE | FILE_NOSTORE)) == (FILE_STORE | FILE_NOSTORE));
303  if (file->flags & FILE_STORE)
304  update_flags &= ~FILE_NOSTORE;
305 
306  file->flags |= update_flags;
307  SCLogDebug("file flags %04x STORE %s NOSTORE %s", file->flags,
308  (file->flags & FILE_STORE) ? "true" : "false",
309  (file->flags & FILE_NOSTORE) ? "true" : "false");
311  (file->flags & (FILE_STORE | FILE_NOSTORE)) == (FILE_STORE | FILE_NOSTORE));
312 }
313 
314 static int FileMagicSize(void)
315 {
316  /** \todo make this size configurable */
317  return 512;
318 }
319 
320 /**
321  * \brief get the size of the file data
322  *
323  * This doesn't reflect how much of the file we have in memory, just the
324  * total size of filedata so far.
325  */
326 uint64_t FileDataSize(const File *file)
327 {
328  if (file != NULL && file->sb != NULL) {
329  const uint64_t size = StreamingBufferGetConsecutiveDataRightEdge(file->sb);
330  SCLogDebug("returning %" PRIu64, size);
331  return size;
332  }
333  SCLogDebug("returning 0 (default)");
334  return 0;
335 }
336 
337 /**
338  * \brief get the size of the file
339  *
340  * This doesn't reflect how much of the file we have in memory, just the
341  * total size of file so far.
342  */
343 uint64_t FileTrackedSize(const File *file)
344 {
345  if (file != NULL) {
346  return file->size;
347  }
348  return 0;
349 }
350 
351 /** \brief test if file is ready to be pruned
352  *
353  * If a file is in the 'CLOSED' state, it means it has been processed
354  * completely by the pipeline in the correct direction. So we can
355  * prune it then.
356  *
357  * For other states, as well as for files we may not need to track
358  * until the close state, more specific checks are done.
359  *
360  * Also does house keeping within the file: move streaming buffer
361  * forward if possible.
362  *
363  * \retval 1 prune (free) this file
364  * \retval 0 file not ready to be freed
365  */
366 static int FilePruneFile(File *file, const StreamingBufferConfig *cfg)
367 {
368  SCEnter();
369 
370  /* file is done when state is closed+, logging/storing is done (if any) */
371  SCLogDebug("file->state %d. Is >= FILE_STATE_CLOSED: %s",
372  file->state, (file->state >= FILE_STATE_CLOSED) ? "yes" : "no");
373  if (file->state >= FILE_STATE_CLOSED) {
374  SCReturnInt(1);
375  }
376 
377 #ifdef HAVE_MAGIC
378  if (!(file->flags & FILE_NOMAGIC)) {
379  /* need magic but haven't set it yet, bail out */
380  if (file->magic == NULL)
381  SCReturnInt(0);
382  else
383  SCLogDebug("file->magic %s", file->magic);
384  } else {
385  SCLogDebug("file->flags & FILE_NOMAGIC == true");
386  }
387 #endif
388  uint64_t left_edge = FileDataSize(file);
389  if (file->flags & FILE_STORE) {
390  left_edge = MIN(left_edge,file->content_stored);
391  }
392 
393  if (!g_detect_disabled) {
394  left_edge = MIN(left_edge, file->content_inspected);
395  /* if file has inspect window and min size set, we
396  * do some house keeping here */
397  if (file->inspect_window != 0 && file->inspect_min_size != 0) {
398  const uint64_t file_offset = StreamingBufferGetOffset(file->sb);
399  uint32_t window = file->inspect_window;
400  if (file_offset == 0)
401  window = MAX(window, file->inspect_min_size);
402 
403  uint64_t file_size = FileDataSize(file);
404  uint64_t data_size = file_size - file_offset;
405 
406  SCLogDebug("window %"PRIu32", file_size %"PRIu64", data_size %"PRIu64,
407  window, file_size, data_size);
408 
409  if (data_size > (window * 3)) {
410  file->content_inspected = MAX(file->content_inspected, file->size - window);
411  SCLogDebug("file->content_inspected now %" PRIu64, file->content_inspected);
412  }
413 
414  if (left_edge > window)
415  left_edge -= window;
416  else
417  left_edge = 0;
418  }
419  }
420 
421  if (left_edge) {
422  SCLogDebug("sliding to %" PRIu64, left_edge);
423  StreamingBufferSlideToOffset(file->sb, cfg, left_edge);
424  }
425 
426  SCReturnInt(0);
427 }
428 
429 #ifdef DEBUG
430 #define P(file, flag) ((file)->flags & (flag)) ? "true" : "false"
431 void FilePrintFlags(const File *file)
432 {
433  SCLogDebug("file %p flags %04x "
434  "FILE_TRUNCATED %s "
435  "FILE_NOMAGIC %s "
436  "FILE_NOMD5 %s "
437  "FILE_MD5 %s "
438  "FILE_NOSHA1 %s "
439  "FILE_SHA1 %s "
440  "FILE_NOSHA256 %s "
441  "FILE_SHA256 %s "
442  "FILE_LOGGED %s "
443  "FILE_NOSTORE %s "
444  "FILE_STORE %s "
445  "FILE_STORED %s "
446  "FILE_NOTRACK %s "
447  "FILE_HAS_GAPS %s",
448  file, file->flags, P(file, FILE_TRUNCATED), P(file, FILE_NOMAGIC), P(file, FILE_NOMD5),
449  P(file, FILE_MD5), P(file, FILE_NOSHA1), P(file, FILE_SHA1), P(file, FILE_NOSHA256),
450  P(file, FILE_SHA256), P(file, FILE_LOGGED), P(file, FILE_NOSTORE), P(file, FILE_STORE),
451  P(file, FILE_STORED), P(file, FILE_NOTRACK), P(file, FILE_HAS_GAPS));
452 }
453 #undef P
454 #endif
455 
456 static void FilePrune(FileContainer *ffc, const StreamingBufferConfig *cfg)
457 {
458  SCEnter();
459  SCLogDebug("ffc %p head %p", ffc, ffc->head);
460  File *file = ffc->head;
461  File *prev = NULL;
462 
463  while (file) {
464 #ifdef DEBUG
465  FilePrintFlags(file);
466 #endif
467  if (FilePruneFile(file, cfg) == 0) {
468  prev = file;
469  file = file->next;
470  continue;
471  }
472 
473  SCLogDebug("removing file %p", file);
474 
475  File *file_next = file->next;
476 
477  if (prev)
478  prev->next = file_next;
479  /* update head and tail */
480  if (file == ffc->head)
481  ffc->head = file_next;
482  if (file == ffc->tail)
483  ffc->tail = prev;
484 
485  FileFree(file, cfg);
486  file = file_next;
487  }
488  SCReturn;
489 }
490 
491 /**
492  * \brief allocate a FileContainer
493  *
494  * \retval new newly allocated FileContainer
495  * \retval NULL error
496  */
498 {
499  FileContainer *new = SCCalloc(1, sizeof(FileContainer));
500  if (unlikely(new == NULL)) {
501  SCLogError("Error allocating mem");
502  return NULL;
503  }
504  new->head = new->tail = NULL;
505  return new;
506 }
507 
508 /**
509  * \brief Recycle a FileContainer
510  *
511  * \param ffc FileContainer
512  */
514 {
515  SCLogDebug("ffc %p", ffc);
516  if (ffc == NULL)
517  return;
518 
519  File *cur = ffc->head;
520  File *next = NULL;
521  for (;cur != NULL; cur = next) {
522  next = cur->next;
523  FileFree(cur, cfg);
524  }
525  ffc->head = ffc->tail = NULL;
526 }
527 
528 /**
529  * \brief Free a FileContainer
530  *
531  * \param ffc FileContainer
532  */
534 {
535  SCLogDebug("ffc %p", ffc);
536  if (ffc == NULL)
537  return;
538 
539  File *ptr = ffc->head;
540  File *next = NULL;
541  for (;ptr != NULL; ptr = next) {
542  next = ptr->next;
543  FileFree(ptr, cfg);
544  }
545  ffc->head = ffc->tail = NULL;
546  SCFree(ffc);
547 }
548 
549 /**
550  * \brief Alloc a new File
551  *
552  * \param name character array containing the name (not a string)
553  * \param name_len length in bytes of the name
554  *
555  * \retval new File object or NULL on error
556  */
557 static File *FileAlloc(const uint8_t *name, uint16_t name_len)
558 {
559  File *new = SCCalloc(1, sizeof(File));
560  if (unlikely(new == NULL)) {
561  SCLogError("Error allocating mem");
562  return NULL;
563  }
564 
565  new->name = SCMalloc(name_len);
566  if (new->name == NULL) {
567  SCFree(new);
568  return NULL;
569  }
570 
571  new->name_len = name_len;
572  memcpy(new->name, name, name_len);
573 
574  new->sid_cnt = 0;
575  new->sid_max = 8;
576  /* SCMalloc() is allowed to fail here because sid well be checked later on */
577  new->sid = SCMalloc(sizeof(uint32_t) * new->sid_max);
578  if (new->sid == NULL)
579  new->sid_max = 0;
580 
581  return new;
582 }
583 
584 static void FileFree(File *ff, const StreamingBufferConfig *sbcfg)
585 {
586  SCLogDebug("ff %p", ff);
587  if (ff == NULL)
588  return;
589 
590  if (ff->name != NULL)
591  SCFree(ff->name);
592  if (ff->sid != NULL)
593  SCFree(ff->sid);
594 #ifdef HAVE_MAGIC
595  /* magic returned by libmagic is strdup'd by MagicLookup. */
596  if (ff->magic != NULL)
597  SCFree(ff->magic);
598 #endif
599  if (ff->sb != NULL) {
600  StreamingBufferFree(ff->sb, sbcfg);
601  }
602 
603  if (ff->md5_ctx)
604  SCMd5Free(ff->md5_ctx);
605  if (ff->sha1_ctx)
606  SCSha1Free(ff->sha1_ctx);
607  if (ff->sha256_ctx)
608  SCSha256Free(ff->sha256_ctx);
609  SCFree(ff);
610 }
611 
613 {
614  SCLogDebug("ffc %p ff %p", ffc, ff);
615  if (ffc->head == NULL || ffc->tail == NULL) {
616  ffc->head = ffc->tail = ff;
617  } else {
618  ffc->tail->next = ff;
619  ffc->tail = ff;
620  }
621 }
622 
623 /**
624  * \brief Tag a file for storing
625  *
626  * \param ff The file to store
627  */
628 int FileStore(File *ff)
629 {
630  SCLogDebug("ff %p", ff);
631  ff->flags |= FILE_STORE;
632  SCReturnInt(0);
633 }
634 
635 /**
636  * \brief check if we have stored enough
637  *
638  * \param ff file
639  *
640  * \retval 0 limit not reached yet
641  * \retval 1 limit reached
642  */
643 static int FileStoreNoStoreCheck(File *ff)
644 {
645  SCEnter();
646 
647  if (ff == NULL) {
648  SCReturnInt(0);
649  }
650 
651  if (ff->flags & FILE_NOSTORE) {
652  if (ff->state == FILE_STATE_OPENED &&
653  FileDataSize(ff) >= (uint64_t)FileMagicSize())
654  {
655  SCReturnInt(1);
656  }
657  }
658 
659  SCReturnInt(0);
660 }
661 
662 static int AppendData(
663  const StreamingBufferConfig *sbcfg, File *file, const uint8_t *data, uint32_t data_len)
664 {
665  SCLogDebug("file %p data_len %u", file, data_len);
666  if (StreamingBufferAppendNoTrack(file->sb, sbcfg, data, data_len) != 0) {
667  SCLogDebug("file %p StreamingBufferAppendNoTrack failed", file);
668  SCReturnInt(-1);
669  }
670 
671  if (file->md5_ctx) {
672  SCMd5Update(file->md5_ctx, data, data_len);
673  }
674  if (file->sha1_ctx) {
675  SCSha1Update(file->sha1_ctx, data, data_len);
676  }
677  if (file->sha256_ctx) {
678  SCLogDebug("SHA256 file %p data %p data_len %u", file, data, data_len);
679  SCSha256Update(file->sha256_ctx, data, data_len);
680  } else {
681  SCLogDebug("NO SHA256 file %p data %p data_len %u", file, data, data_len);
682  }
683  SCReturnInt(0);
684 }
685 
686 /** \internal
687  * \brief Flags a file as having gaps
688  *
689  * \param ff the file
690  */
691 static void FileFlagGap(File *ff) {
692  ff->flags |= FILE_HAS_GAPS;
695 }
696 
697 /** \internal
698  * \brief Store/handle a chunk of file data in the File structure
699  *
700  * \param ff the file
701  * \param data data chunk
702  * \param data_len data chunk len
703  *
704  * \retval 0 ok
705  * \retval -1 error
706  * \retval -2 no store for this file
707  */
708 static int FileAppendDataDo(
709  const StreamingBufferConfig *sbcfg, File *ff, const uint8_t *data, uint32_t data_len)
710 {
711  SCEnter();
712 #ifdef DEBUG_VALIDATION
713  BUG_ON(ff == NULL);
714 #endif
715 
716  ff->size += data_len;
717  if (data == NULL) {
718  FileFlagGap(ff);
719  SCReturnInt(0);
720  }
721 
722  if (ff->state != FILE_STATE_OPENED) {
723  if (ff->flags & FILE_NOSTORE) {
724  SCReturnInt(-2);
725  }
726  SCReturnInt(-1);
727  }
728 
729  if (g_detect_disabled && FileStoreNoStoreCheck(ff) == 1) {
730  int hash_done = 0;
731  /* no storage but forced hashing */
732  if (ff->md5_ctx) {
733  SCMd5Update(ff->md5_ctx, data, data_len);
734  hash_done = 1;
735  }
736  if (ff->sha1_ctx) {
737  SCSha1Update(ff->sha1_ctx, data, data_len);
738  hash_done = 1;
739  }
740  if (ff->sha256_ctx) {
741  SCLogDebug("file %p data %p data_len %u", ff, data, data_len);
742  SCSha256Update(ff->sha256_ctx, data, data_len);
743  hash_done = 1;
744  }
745 
746  if (hash_done)
747  SCReturnInt(0);
748 
749  if (g_file_force_tracking || (!(ff->flags & FILE_NOTRACK)))
750  SCReturnInt(0);
751 
753  SCLogDebug("flowfile state transitioned to FILE_STATE_TRUNCATED");
754  SCReturnInt(-2);
755  }
756 
757  SCLogDebug("appending %"PRIu32" bytes", data_len);
758 
759  int r = AppendData(sbcfg, ff, data, data_len);
760  if (r != 0) {
761  ff->state = FILE_STATE_ERROR;
762  SCReturnInt(r);
763  }
764 
765  SCReturnInt(0);
766 }
767 
768 /**
769  * \brief Store/handle a chunk of file data in the File structure
770  * The last file in the FileContainer will be used.
771  *
772  * \param ffc FileContainer used to append to
773  * \param data data chunk
774  * \param data_len data chunk len
775  *
776  * \retval 0 ok
777  * \retval -1 error
778  * \retval -2 no store for this file
779  */
780 int FileAppendData(FileContainer *ffc, const StreamingBufferConfig *sbcfg, const uint8_t *data,
781  uint32_t data_len)
782 {
783  SCEnter();
784 
785  if (ffc == NULL || ffc->tail == NULL || data_len == 0 || sbcfg == NULL) {
786  SCReturnInt(-1);
787  }
788  int r = FileAppendDataDo(sbcfg, ffc->tail, data, data_len);
789  SCReturnInt(r);
790 }
791 
792 /**
793  * \brief Store/handle a chunk of file data in the File structure
794  * The file with 'track_id' in the FileContainer will be used.
795  *
796  * \param ffc FileContainer used to append to
797  * \param track_id id to lookup the file
798  * \param data data chunk
799  * \param data_len data chunk len
800  *
801  * \retval 0 ok
802  * \retval -1 error
803  * \retval -2 no store for this file
804  */
805 int FileAppendDataById(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id,
806  const uint8_t *data, uint32_t data_len)
807 {
808  SCEnter();
809 
810  if (ffc == NULL || ffc->tail == NULL || data == NULL || data_len == 0) {
811  SCReturnInt(-1);
812  }
813  File *ff = ffc->head;
814  for ( ; ff != NULL; ff = ff->next) {
815  if (track_id == ff->file_track_id) {
816  int r = FileAppendDataDo(sbcfg, ff, data, data_len);
817  SCReturnInt(r);
818  }
819  }
820  SCReturnInt(-1);
821 }
822 
823 /**
824  * \brief Store/handle a chunk of file data in the File structure
825  * The file with 'track_id' in the FileContainer will be used.
826  *
827  * \param ffc FileContainer used to append to
828  * \param track_id id to lookup the file
829  * \param data data chunk
830  * \param data_len data chunk len
831  *
832  * \retval 0 ok
833  * \retval -1 error
834  * \retval -2 no store for this file
835  */
836 int FileAppendGAPById(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id,
837  const uint8_t *data, uint32_t data_len)
838 {
839  SCEnter();
840 
841  if (ffc == NULL || ffc->tail == NULL || data == NULL || data_len == 0) {
842  SCReturnInt(-1);
843  }
844  File *ff = ffc->head;
845  for ( ; ff != NULL; ff = ff->next) {
846  if (track_id == ff->file_track_id) {
847  FileFlagGap(ff);
848  SCLogDebug("FILE_HAS_GAPS set");
849 
850  int r = FileAppendDataDo(sbcfg, ff, data, data_len);
851  SCReturnInt(r);
852  }
853  }
854  SCReturnInt(-1);
855 }
856 
857 void FileSetInspectSizes(File *file, const uint32_t win, const uint32_t min)
858 {
859  file->inspect_window = win;
860  file->inspect_min_size = min;
861 }
862 
863 /**
864  * \brief Sets the offset range for a file.
865  *
866  * \param ffc the container
867  * \param start start offset
868  * \param end end offset
869  *
870  * \retval 0 ok
871  * \retval -1 error
872  */
873 int FileSetRange(FileContainer *ffc, uint64_t start, uint64_t end)
874 {
875  SCEnter();
876 
877  if (ffc == NULL || ffc->tail == NULL) {
878  SCReturnInt(-1);
879  }
880  ffc->tail->start = start;
881  ffc->tail->end = end;
882  SCReturnInt(0);
883 }
884 
885 /**
886  * \brief Open a new File
887  *
888  * \param ffc flow container
889  * \param sbcfg buffer config
890  * \param name filename character array
891  * \param name_len filename len
892  * \param data initial data
893  * \param data_len initial data len
894  * \param flags open flags
895  *
896  * \retval ff flowfile object
897  *
898  * \note filename is not a string, so it's not nul terminated.
899  */
900 static File *FileOpenFile(FileContainer *ffc, const StreamingBufferConfig *sbcfg,
901  const uint8_t *name, uint16_t name_len,
902  const uint8_t *data, uint32_t data_len, uint16_t flags)
903 {
904  SCEnter();
905 
906  //PrintRawDataFp(stdout, name, name_len);
907 
908  File *ff = FileAlloc(name, name_len);
909  if (ff == NULL) {
910  SCReturnPtr(NULL, "File");
911  }
912 
913  ff->sb = StreamingBufferInit(sbcfg);
914  if (ff->sb == NULL) {
915  FileFree(ff, sbcfg);
916  SCReturnPtr(NULL, "File");
917  }
918  SCLogDebug("ff->sb %p", ff->sb);
919 
920  if (flags & FILE_STORE || g_file_force_filestore) {
921  FileStore(ff);
922  } else if (flags & FILE_NOSTORE) {
923  SCLogDebug("not storing this file");
924  ff->flags |= FILE_NOSTORE;
925  }
926  if (flags & FILE_NOMAGIC) {
927  SCLogDebug("not doing magic for this file");
928  ff->flags |= FILE_NOMAGIC;
929  }
930  if (flags & FILE_NOMD5) {
931  SCLogDebug("not doing md5 for this file");
932  ff->flags |= FILE_NOMD5;
933  }
934  if (flags & FILE_NOSHA1) {
935  SCLogDebug("not doing sha1 for this file");
936  ff->flags |= FILE_NOSHA1;
937  }
938  if (flags & FILE_NOSHA256) {
939  SCLogDebug("not doing sha256 for this file");
940  ff->flags |= FILE_NOSHA256;
941  }
942 
943  if (!(ff->flags & FILE_NOMD5) || g_file_force_md5) {
944  ff->md5_ctx = SCMd5New();
945  }
946  if (!(ff->flags & FILE_NOSHA1) || g_file_force_sha1) {
947  ff->sha1_ctx = SCSha1New();
948  }
949  if (!(ff->flags & FILE_NOSHA256) || g_file_force_sha256) {
950  ff->sha256_ctx = SCSha256New();
951  SCLogDebug("ff %p ff->sha256_ctx %p", ff, ff->sha256_ctx);
952  }
953 
954  ff->state = FILE_STATE_OPENED;
955  SCLogDebug("flowfile state transitioned to FILE_STATE_OPENED");
956 
957  ff->fd = -1;
958 
959  FileContainerAdd(ffc, ff);
960 
961  /* set default window and min inspection size */
963 
964  ff->size += data_len;
965  if (data != NULL) {
966  if (AppendData(sbcfg, ff, data, data_len) != 0) {
967  ff->state = FILE_STATE_ERROR;
968  SCReturnPtr(NULL, "File");
969  }
970  SCLogDebug("file size is now %"PRIu64, FileTrackedSize(ff));
971  } else if (data_len > 0) {
972  FileFlagGap(ff);
973  }
974 
975  SCReturnPtr(ff, "File");
976 }
977 
978 /**
979  * \retval 0 ok
980  * \retval -1 failed */
982  uint32_t track_id, const uint8_t *name, uint16_t name_len,
983  const uint8_t *data, uint32_t data_len, uint16_t flags)
984 {
985  SCLogDebug("ffc %p track_id %u", ffc, track_id);
986  File *ff = FileOpenFile(ffc, sbcfg, name, name_len, data, data_len, flags);
987  if (ff == NULL)
988  return -1;
989 
990  ff->file_track_id = track_id;
991  return 0;
992 }
993 
994 int FileCloseFilePtr(File *ff, const StreamingBufferConfig *sbcfg, const uint8_t *data,
995  uint32_t data_len, uint16_t flags)
996 {
997  SCEnter();
998 
999  if (ff == NULL) {
1000  SCReturnInt(-1);
1001  }
1002 
1003  if (ff->state != FILE_STATE_OPENED) {
1004  SCReturnInt(-1);
1005  }
1006 
1007  ff->size += data_len;
1008  if (data != NULL) {
1009  if (ff->flags & FILE_NOSTORE) {
1010  /* no storage but hashing */
1011  if (ff->md5_ctx)
1012  SCMd5Update(ff->md5_ctx, data, data_len);
1013  if (ff->sha1_ctx)
1014  SCSha1Update(ff->sha1_ctx, data, data_len);
1015  if (ff->sha256_ctx) {
1016  SCLogDebug("file %p data %p data_len %u", ff, data, data_len);
1017  SCSha256Update(ff->sha256_ctx, data, data_len);
1018  }
1019  } else {
1020  if (AppendData(sbcfg, ff, data, data_len) != 0) {
1021  ff->state = FILE_STATE_ERROR;
1022  SCReturnInt(-1);
1023  }
1024  }
1025  }
1026 
1027  if ((flags & FILE_TRUNCATED) || (ff->flags & FILE_HAS_GAPS)) {
1028  SCLogDebug("flags FILE_TRUNCATED %s", (flags & FILE_TRUNCATED) ? "true" : "false");
1029  SCLogDebug("ff->flags FILE_HAS_GAPS %s", (ff->flags & FILE_HAS_GAPS) ? "true" : "false");
1030 
1032  SCLogDebug("flowfile state transitioned to FILE_STATE_TRUNCATED");
1033 
1034  if (flags & FILE_NOSTORE) {
1035  SCLogDebug("not storing this file");
1036  ff->flags |= FILE_NOSTORE;
1037  } else {
1038  if (g_file_force_sha256 && ff->sha256_ctx) {
1039  SCLogDebug("file %p data %p data_len %u", ff, data, data_len);
1040  FileEndSha256(ff);
1041  }
1042  }
1043  } else {
1044  ff->state = FILE_STATE_CLOSED;
1045  SCLogDebug("flowfile state transitioned to FILE_STATE_CLOSED");
1046 
1047  if (ff->md5_ctx) {
1048  SCMd5Finalize(ff->md5_ctx, ff->md5, sizeof(ff->md5));
1049  ff->md5_ctx = NULL;
1050  ff->flags |= FILE_MD5;
1051  }
1052  if (ff->sha1_ctx) {
1053  SCSha1Finalize(ff->sha1_ctx, ff->sha1, sizeof(ff->sha1));
1054  ff->sha1_ctx = NULL;
1055  ff->flags |= FILE_SHA1;
1056  }
1057  if (ff->sha256_ctx) {
1058  SCLogDebug("file %p data %p data_len %u", ff, data, data_len);
1059  FileEndSha256(ff);
1060  }
1061  }
1062 
1063  SCReturnInt(0);
1064 }
1065 
1066 /**
1067  * \brief Close a File
1068  *
1069  * \param ffc the container
1070  * \param data final data if any
1071  * \param data_len data len if any
1072  * \param flags flags
1073  *
1074  * \retval 0 ok
1075  * \retval -1 error
1076  */
1077 int FileCloseFile(FileContainer *ffc, const StreamingBufferConfig *sbcfg, const uint8_t *data,
1078  uint32_t data_len, uint16_t flags)
1079 {
1080  SCEnter();
1081 
1082  if (ffc == NULL || ffc->tail == NULL) {
1083  SCReturnInt(-1);
1084  }
1085 
1086  if (FileCloseFilePtr(ffc->tail, sbcfg, data, data_len, flags) == -1) {
1087  SCReturnInt(-1);
1088  }
1089 
1090  SCReturnInt(0);
1091 }
1092 
1093 int FileCloseFileById(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id,
1094  const uint8_t *data, uint32_t data_len, uint16_t flags)
1095 {
1096  SCEnter();
1097 
1098  if (ffc == NULL || ffc->tail == NULL) {
1099  SCReturnInt(-1);
1100  }
1101 
1102  File *ff = ffc->head;
1103  for ( ; ff != NULL; ff = ff->next) {
1104  if (track_id == ff->file_track_id) {
1105  int r = FileCloseFilePtr(ff, sbcfg, data, data_len, flags);
1106  SCReturnInt(r);
1107  }
1108  }
1109  SCReturnInt(-1);
1110 }
1111 
1112 /** \brief set a flow's file flags
1113  * \param set_file_flags flags in both directions that are requested to set
1114  *
1115  * This function will ignore the flags for the irrelevant direction and
1116  * also mask the flags with the global settings.
1117  */
1118 void FileUpdateFlowFileFlags(Flow *f, uint16_t set_file_flags, uint8_t direction)
1119 {
1120  SCEnter();
1122 
1123  /* remove flags not in our direction and
1124  don't disable what is globally enabled */
1125  if (direction == STREAM_TOSERVER) {
1126  set_file_flags &= ~(FLOWFILE_NONE_TC|g_file_flow_mask);
1127  } else {
1128  set_file_flags &= ~(FLOWFILE_NONE_TS|g_file_flow_mask);
1129  }
1130  f->file_flags |= set_file_flags;
1131 
1132  SCLogDebug("f->file_flags %04x set_file_flags %04x g_file_flow_mask %04x",
1133  f->file_flags, set_file_flags, g_file_flow_mask);
1134 
1135  if (set_file_flags != 0 && f->alproto != ALPROTO_UNKNOWN && f->alstate != NULL) {
1136  AppLayerStateData *sd = AppLayerParserGetStateData(f->proto, f->alproto, f->alstate);
1137  if (sd != NULL) {
1138  if ((sd->file_flags & f->file_flags) != f->file_flags) {
1139  SCLogDebug("state data: updating file_flags %04x with flow file_flags %04x",
1140  sd->file_flags, f->file_flags);
1141  sd->file_flags |= f->file_flags;
1142  }
1143  }
1144  }
1145 }
1146 
1147 /**
1148  * \brief disable file storing for files in a transaction
1149  *
1150  * \param f *LOCKED* flow
1151  * \param direction flow direction
1152  * \param tx_id transaction id
1153  */
1154 void FileDisableStoringForTransaction(Flow *f, const uint8_t direction, void *tx, uint64_t tx_id)
1155 {
1156  if (g_file_force_filestore == 0) {
1158  if (txd != NULL) {
1159  if (direction & STREAM_TOSERVER) {
1160  txd->file_flags |= FLOWFILE_NO_STORE_TS;
1161  } else {
1162  txd->file_flags |= FLOWFILE_NO_STORE_TC;
1163  }
1164  }
1165  }
1166 }
1167 
1168 /**
1169  * \brief flag a file with id "file_id" to be stored.
1170  *
1171  * \param fc file store
1172  * \param file_id the file's id
1173  */
1174 void FileStoreFileById(FileContainer *fc, uint32_t file_id)
1175 {
1176  File *ptr = NULL;
1177 
1178  SCEnter();
1179 
1180  if (fc != NULL) {
1181  for (ptr = fc->head; ptr != NULL; ptr = ptr->next) {
1182  if (ptr->file_track_id == file_id) {
1183  FileStore(ptr);
1184  }
1185  }
1186  }
1187 }
1188 
1189 static void FileTruncateAllOpenFiles(FileContainer *fc, const StreamingBufferConfig *sbcfg)
1190 {
1191  File *ptr = NULL;
1192 
1193  SCEnter();
1194 
1195  if (fc != NULL) {
1196  for (ptr = fc->head; ptr != NULL; ptr = ptr->next) {
1197  if (ptr->state == FILE_STATE_OPENED) {
1198  FileCloseFilePtr(ptr, sbcfg, NULL, 0, FILE_TRUNCATED);
1199  }
1200  }
1201  }
1202 }
1203 
1204 void FilesPrune(FileContainer *fc, const StreamingBufferConfig *sbcfg, const bool trunc)
1205 {
1206  if (trunc) {
1207  FileTruncateAllOpenFiles(fc, sbcfg);
1208  }
1209  FilePrune(fc, sbcfg);
1210 }
1211 
1212 /**
1213  * \brief Finish the SHA256 calculation.
1214  */
1215 static void FileEndSha256(File *ff)
1216 {
1217  SCLogDebug("ff %p ff->size %" PRIu64, ff, ff->size);
1218  if (!(ff->flags & FILE_SHA256) && ff->sha256_ctx) {
1219  SCSha256Finalize(ff->sha256_ctx, ff->sha256, sizeof(ff->sha256));
1220  ff->sha256_ctx = NULL;
1221  ff->flags |= FILE_SHA256;
1222  }
1223 }
FLOWFILE_NO_MD5_TS
#define FLOWFILE_NO_MD5_TS
Definition: flow.h:130
FLOWFILE_NO_MD5_TC
#define FLOWFILE_NO_MD5_TC
Definition: flow.h:131
FILE_TRUNCATED
#define FILE_TRUNCATED
Definition: util-file.h:45
FileForceFilestore
int FileForceFilestore(void)
Definition: util-file.c:122
StreamingBufferSlideToOffset
void StreamingBufferSlideToOffset(StreamingBuffer *sb, const StreamingBufferConfig *cfg, uint64_t offset)
slide to absolute offset
Definition: util-streaming-buffer.c:1000
FileContainer_
Definition: util-file.h:113
FLOWFILE_NO_SIZE_TS
#define FLOWFILE_NO_SIZE_TS
Definition: flow.h:142
FLOWFILE_NO_SIZE_TC
#define FLOWFILE_NO_SIZE_TC
Definition: flow.h:143
FileContainerAdd
void FileContainerAdd(FileContainer *ffc, File *ff)
Definition: util-file.c:612
FileContainerAlloc
FileContainer * FileContainerAlloc(void)
allocate a FileContainer
Definition: util-file.c:497
FileReassemblyDepthEnable
void FileReassemblyDepthEnable(uint32_t size)
Definition: util-file.c:127
ConfNode_::val
char * val
Definition: conf.h:34
stream-tcp.h
FileForceTrackingEnable
void FileForceTrackingEnable(void)
Definition: util-file.c:161
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
FILE_SHA256
#define FILE_SHA256
Definition: util-file.h:52
File_::inspect_min_size
uint32_t inspect_min_size
Definition: util-file.h:104
FILE_NOSHA1
#define FILE_NOSHA1
Definition: util-file.h:49
File_::size
uint64_t size
Definition: util-file.h:102
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
FILE_NOTRACK
#define FILE_NOTRACK
Definition: util-file.h:57
StreamingBufferFree
void StreamingBufferFree(StreamingBuffer *sb, const StreamingBufferConfig *cfg)
Definition: util-streaming-buffer.c:295
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
FLOWFILE_NONE_TC
#define FLOWFILE_NONE_TC
Definition: flow.h:155
Flow_::proto
uint8_t proto
Definition: flow.h:372
FLOWFILE_NO_MAGIC_TS
#define FLOWFILE_NO_MAGIC_TS
Definition: flow.h:123
FLOWFILE_NONE_TS
#define FLOWFILE_NONE_TS
Definition: flow.h:149
FILE_STATE_OPENED
@ FILE_STATE_OPENED
Definition: util-file.h:70
FileContainerFree
void FileContainerFree(FileContainer *ffc, const StreamingBufferConfig *cfg)
Free a FileContainer.
Definition: util-file.c:533
TcpStreamCnf_::reassembly_depth
uint32_t reassembly_depth
Definition: stream-tcp.h:64
Flow_
Flow data structure.
Definition: flow.h:350
File_::state
FileState state
Definition: util-file.h:82
util-hash.h
FILE_STORE
#define FILE_STORE
Definition: util-file.h:55
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:252
rust.h
FileContainer_::tail
File * tail
Definition: util-file.h:115
MIN
#define MIN(x, y)
Definition: suricata-common.h:391
FileForceMagicEnable
void FileForceMagicEnable(void)
Definition: util-file.c:98
FILE_NOSHA256
#define FILE_NOSHA256
Definition: util-file.h:51
FileAppendGAPById
int FileAppendGAPById(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id, const uint8_t *data, uint32_t data_len)
Store/handle a chunk of file data in the File structure The file with 'track_id' in the FileContainer...
Definition: util-file.c:836
FILE_STATE_TRUNCATED
@ FILE_STATE_TRUNCATED
Definition: util-file.h:73
AppLayerParserGetStateData
AppLayerStateData * AppLayerParserGetStateData(uint8_t ipproto, AppProto alproto, void *state)
Definition: app-layer-parser.c:1202
FLOWFILE_STORE_TS
#define FLOWFILE_STORE_TS
Definition: flow.h:146
File_::sha1
uint8_t sha1[SC_SHA1_LEN]
Definition: util-file.h:96
stream_config
TcpStreamCnf stream_config
Definition: stream-tcp.c:115
MAX
#define MAX(x, y)
Definition: suricata-common.h:395
FileForceMd5Enable
void FileForceMd5Enable(void)
Definition: util-file.c:104
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:537
File_::sb
StreamingBuffer * sb
Definition: util-file.h:83
FileForceSha1Enable
void FileForceSha1Enable(void)
Definition: util-file.c:110
util-memcmp.h
FLOWFILE_NO_SHA1_TC
#define FLOWFILE_NO_SHA1_TC
Definition: flow.h:135
File_::md5
uint8_t md5[SC_MD5_LEN]
Definition: util-file.h:94
File_::file_track_id
uint32_t file_track_id
Definition: util-file.h:84
util-debug.h
FileForceMagic
int FileForceMagic(void)
Definition: util-file.c:141
StreamingBufferInit
StreamingBuffer * StreamingBufferInit(const StreamingBufferConfig *cfg)
Definition: util-streaming-buffer.c:249
File_::end
uint64_t end
Definition: util-file.h:106
g_detect_disabled
int g_detect_disabled
Definition: suricata.c:190
FileFlowToFlags
uint16_t FileFlowToFlags(const Flow *flow, uint8_t direction)
Definition: util-file.c:290
File_::fd
int fd
Definition: util-file.h:86
FLOWFILE_STORE_TC
#define FLOWFILE_STORE_TC
Definition: flow.h:147
FLOWFILE_NO_STORE_TS
#define FLOWFILE_NO_STORE_TS
Definition: flow.h:127
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
FileContainer_::head
File * head
Definition: util-file.h:114
FileStoreFileById
void FileStoreFileById(FileContainer *fc, uint32_t file_id)
flag a file with id "file_id" to be stored.
Definition: util-file.c:1174
FLOWFILE_NO_SHA256_TS
#define FLOWFILE_NO_SHA256_TS
Definition: flow.h:138
FileTrackedSize
uint64_t FileTrackedSize(const File *file)
get the size of the file
Definition: util-file.c:343
FILEDATA_CONTENT_INSPECT_MIN_SIZE
#define FILEDATA_CONTENT_INSPECT_MIN_SIZE
Definition: app-layer-smtp.c:65
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
app-layer-parser.h
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:300
FileUpdateFlowFileFlags
void FileUpdateFlowFileFlags(Flow *f, uint16_t set_file_flags, uint8_t direction)
set a flow's file flags
Definition: util-file.c:1118
FileReassemblyDepth
uint32_t FileReassemblyDepth(void)
Definition: util-file.c:133
SCReturn
#define SCReturn
Definition: util-debug.h:273
stream.h
File_::sha256_ctx
SCSha256 * sha256_ctx
Definition: util-file.h:97
DEBUG_ASSERT_FLOW_LOCKED
#define DEBUG_ASSERT_FLOW_LOCKED(f)
Definition: util-validate.h:100
FileForceMd5
int FileForceMd5(void)
Definition: util-file.c:146
FileOpenFileWithId
int FileOpenFileWithId(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id, const uint8_t *name, uint16_t name_len, const uint8_t *data, uint32_t data_len, uint16_t flags)
Open a new File.
Definition: util-file.c:981
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
File_::name
uint8_t * name
Definition: util-file.h:88
FileCloseFilePtr
int FileCloseFilePtr(File *ff, const StreamingBufferConfig *sbcfg, const uint8_t *data, uint32_t data_len, uint16_t flags)
Definition: util-file.c:994
FileAppendData
int FileAppendData(FileContainer *ffc, const StreamingBufferConfig *sbcfg, const uint8_t *data, uint32_t data_len)
Store/handle a chunk of file data in the File structure The last file in the FileContainer will be us...
Definition: util-file.c:780
File_::sid
uint32_t * sid
Definition: util-file.h:108
runmodes.h
FILE_NOMD5
#define FILE_NOMD5
Definition: util-file.h:47
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:224
FileDataSize
uint64_t FileDataSize(const File *file)
get the size of the file data
Definition: util-file.c:326
FileCloseFileById
int FileCloseFileById(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id, const uint8_t *data, uint32_t data_len, uint16_t flags)
Definition: util-file.c:1093
FileStore
int FileStore(File *ff)
Tag a file for storing.
Definition: util-file.c:628
FLOWFILE_NO_SHA256_TC
#define FLOWFILE_NO_SHA256_TC
Definition: flow.h:139
ConfNodeLookupChild
ConfNode * ConfNodeLookupChild(const ConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:786
FileDisableStoringForTransaction
void FileDisableStoringForTransaction(Flow *f, const uint8_t direction, void *tx, uint64_t tx_id)
disable file storing for files in a transaction
Definition: util-file.c:1154
File_::flags
uint16_t flags
Definition: util-file.h:80
File_::content_inspected
uint64_t content_inspected
Definition: util-file.h:99
FILE_STATE_CLOSED
@ FILE_STATE_CLOSED
Definition: util-file.h:71
File_
Definition: util-file.h:79
File_::content_stored
uint64_t content_stored
Definition: util-file.h:101
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: detect.h:1355
FLOWFILE_NO_MAGIC_TC
#define FLOWFILE_NO_MAGIC_TC
Definition: flow.h:124
flags
uint8_t flags
Definition: decode-gre.h:0
StreamingBufferAppendNoTrack
int StreamingBufferAppendNoTrack(StreamingBuffer *sb, const StreamingBufferConfig *cfg, const uint8_t *data, uint32_t data_len)
add data w/o tracking a segment
Definition: util-streaming-buffer.c:1106
suricata-common.h
FileForceFilestoreEnable
void FileForceFilestoreEnable(void)
Definition: util-file.c:92
FileForceSha256
int FileForceSha256(void)
Definition: util-file.c:156
FILE_STORED
#define FILE_STORED
Definition: util-file.h:56
File_::next
struct File_ * next
Definition: util-file.h:92
FileForceHashParseCfg
void FileForceHashParseCfg(ConfNode *conf)
Function to parse forced file hashing configuration.
Definition: util-file.c:170
FileSetInspectSizes
void FileSetInspectSizes(File *file, const uint32_t win, const uint32_t min)
Definition: util-file.c:857
FilesPrune
void FilesPrune(FileContainer *fc, const StreamingBufferConfig *sbcfg, const bool trunc)
Definition: util-file.c:1204
FILE_MD5
#define FILE_MD5
Definition: util-file.h:48
AppLayerParserGetTxData
AppLayerTxData * AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx)
Definition: app-layer-parser.c:1195
FileSetRange
int FileSetRange(FileContainer *ffc, uint64_t start, uint64_t end)
Sets the offset range for a file.
Definition: util-file.c:873
FLOWFILE_NO_STORE_TC
#define FLOWFILE_NO_STORE_TC
Definition: flow.h:128
File_::sha256
uint8_t sha256[SC_SHA256_LEN]
Definition: util-file.h:98
File_::start
uint64_t start
Definition: util-file.h:105
FilePrintFlags
#define FilePrintFlags(file)
Definition: util-file.h:250
util-validate.h
StreamingBufferConfig_
Definition: util-streaming-buffer.h:65
FileContainerRecycle
void FileContainerRecycle(FileContainer *ffc, const StreamingBufferConfig *cfg)
Recycle a FileContainer.
Definition: util-file.c:513
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
FLOWFILE_NO_SHA1_TS
#define FLOWFILE_NO_SHA1_TS
Definition: flow.h:134
FILE_LOGGED
#define FILE_LOGGED
Definition: util-file.h:53
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
FileForceSha1
int FileForceSha1(void)
Definition: util-file.c:151
FileCloseFile
int FileCloseFile(FileContainer *ffc, const StreamingBufferConfig *sbcfg, const uint8_t *data, uint32_t data_len, uint16_t flags)
Close a File.
Definition: util-file.c:1077
SCFree
#define SCFree(p)
Definition: util-mem.h:61
ConfNode_
Definition: conf.h:32
FileAppendDataById
int FileAppendDataById(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id, const uint8_t *data, uint32_t data_len)
Store/handle a chunk of file data in the File structure The file with 'track_id' in the FileContainer...
Definition: util-file.c:805
Flow_::alstate
void * alstate
Definition: flow.h:475
FILEDATA_CONTENT_INSPECT_WINDOW
#define FILEDATA_CONTENT_INSPECT_WINDOW
Definition: app-layer-smtp.c:67
File_::md5_ctx
SCMd5 * md5_ctx
Definition: util-file.h:93
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
File_::inspect_window
uint32_t inspect_window
Definition: util-file.h:103
FILE_SHA1
#define FILE_SHA1
Definition: util-file.h:50
suricata.h
FILE_NOSTORE
#define FILE_NOSTORE
Definition: util-file.h:54
FileForceSha256Enable
void FileForceSha256Enable(void)
Definition: util-file.c:116
FileFlowFlagsToFlags
uint16_t FileFlowFlagsToFlags(const uint16_t flow_file_flags, uint8_t direction)
Definition: util-file.c:233
flow.h
FILE_NOMAGIC
#define FILE_NOMAGIC
Definition: util-file.h:46
Flow_::file_flags
uint16_t file_flags
Definition: flow.h:422
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:449
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
FileApplyTxFlags
void FileApplyTxFlags(const AppLayerTxData *txd, const uint8_t direction, File *file)
Definition: util-file.c:295
FILE_STATE_ERROR
@ FILE_STATE_ERROR
Definition: util-file.h:75
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:103
FILE_HAS_GAPS
#define FILE_HAS_GAPS
Definition: util-file.h:59
File_::sha1_ctx
SCSha1 * sha1_ctx
Definition: util-file.h:95
g_disable_hashing
bool g_disable_hashing
Definition: suricata.c:214
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:814