suricata
util-file.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
23  *
24  */
25 
26 #include "suricata-common.h"
27 #include "suricata.h"
28 #include "flow.h"
29 #include "stream.h"
30 #include "stream-tcp.h"
31 #include "runmodes.h"
32 #include "util-hash.h"
33 #include "util-debug.h"
34 #include "util-memcmp.h"
35 #include "util-print.h"
36 #include "app-layer-parser.h"
37 #include "util-validate.h"
38 #include "rust.h"
39 
40 extern int g_detect_disabled;
41 
42 /** \brief mask of file flags we'll not set
43  * This mask is set based on global file settings and
44  * cannot be overridden by detection.
45  */
46 static uint16_t g_file_flow_mask = 0;
47 
48 /** \brief switch to force filestore on all files
49  * regardless of the rules.
50  */
51 static int g_file_force_filestore = 0;
52 
53 /** \brief switch to force magic checks on all files
54  * regardless of the rules.
55  */
56 static int g_file_force_magic = 0;
57 
58 /** \brief switch to force md5 calculation on all files
59  * regardless of the rules.
60  */
61 static int g_file_force_md5 = 0;
62 
63 /** \brief switch to force sha1 calculation on all files
64  * regardless of the rules.
65  */
66 static int g_file_force_sha1 = 0;
67 
68 /** \brief switch to force sha256 calculation on all files
69  * regardless of the rules.
70  */
71 static int g_file_force_sha256 = 0;
72 
73 /** \brief switch to force tracking off all files
74  * regardless of the rules.
75  */
76 static int g_file_force_tracking = 0;
77 
78 /** \brief switch to use g_file_store_reassembly_depth
79  * to reassembly files
80  */
81 static int g_file_store_enable = 0;
82 
83 /** \brief stream_config.reassembly_depth equivalent
84  * for files
85  */
86 static uint32_t g_file_store_reassembly_depth = 0;
87 
88 /* prototypes */
89 static void FileFree(File *, const StreamingBufferConfig *cfg);
90 static void FileEndSha256(File *ff);
91 
93 {
94  g_file_force_filestore = 1;
95  g_file_flow_mask |= (FLOWFILE_NO_STORE_TS|FLOWFILE_NO_STORE_TC);
96 }
97 
99 {
100  g_file_force_magic = 1;
101  g_file_flow_mask |= (FLOWFILE_NO_MAGIC_TS|FLOWFILE_NO_MAGIC_TC);
102 }
103 
105 {
106  g_file_force_md5 = 1;
107  g_file_flow_mask |= (FLOWFILE_NO_MD5_TS|FLOWFILE_NO_MD5_TC);
108 }
109 
111 {
112  g_file_force_sha1 = 1;
113  g_file_flow_mask |= (FLOWFILE_NO_SHA1_TS|FLOWFILE_NO_SHA1_TC);
114 }
115 
117 {
118  g_file_force_sha256 = 1;
119  g_file_flow_mask |= (FLOWFILE_NO_SHA256_TS|FLOWFILE_NO_SHA256_TC);
120 }
121 
123 {
124  return g_file_force_filestore;
125 }
126 
127 void FileReassemblyDepthEnable(uint32_t size)
128 {
129  g_file_store_enable = 1;
130  g_file_store_reassembly_depth = size;
131 }
132 
133 uint32_t FileReassemblyDepth(void)
134 {
135  if (g_file_store_enable == 1)
136  return g_file_store_reassembly_depth;
137  else
139 }
140 
141 int FileForceMagic(void)
142 {
143  return g_file_force_magic;
144 }
145 
146 int FileForceMd5(void)
147 {
148  return g_file_force_md5;
149 }
150 
151 int FileForceSha1(void)
152 {
153  return g_file_force_sha1;
154 }
155 
157 {
158  return g_file_force_sha256;
159 }
160 
162 {
163  g_file_force_tracking = 1;
164 }
165 
166 /**
167  * \brief Function to parse forced file hashing configuration.
168  */
170 {
171  BUG_ON(conf == NULL);
172 
173  SCConfNode *forcehash_node = NULL;
174 
175  if (conf != NULL)
176  forcehash_node = SCConfNodeLookupChild(conf, "force-hash");
177 
178  if (forcehash_node != NULL) {
179  SCConfNode *field = NULL;
180 
181  TAILQ_FOREACH(field, &forcehash_node->head, next) {
182  if (strcasecmp("md5", field->val) == 0) {
183  if (g_disable_hashing) {
184  SCLogInfo("not forcing md5 calculation for logged files: hashing globally "
185  "disabled");
186  } else {
188  SCLogConfig("forcing md5 calculation for logged or stored files");
189  }
190  }
191 
192  if (strcasecmp("sha1", field->val) == 0) {
193  if (g_disable_hashing) {
194  SCLogInfo("not forcing sha1 calculation for logged files: hashing globally "
195  "disabled");
196  } else {
198  SCLogConfig("forcing sha1 calculation for logged or stored files");
199  }
200  }
201 
202  if (strcasecmp("sha256", field->val) == 0) {
203  if (g_disable_hashing) {
204  SCLogInfo("not forcing sha256 calculation for logged files: hashing globally "
205  "disabled");
206  } else {
208  SCLogConfig("forcing sha256 calculation for logged or stored files");
209  }
210  }
211  }
212  }
213 }
214 
215 uint16_t FileFlowFlagsToFlags(const uint16_t flow_file_flags, uint8_t direction)
216 {
217  uint16_t flags = 0;
218 
219  if (direction == STREAM_TOSERVER) {
220  if ((flow_file_flags & (FLOWFILE_NO_STORE_TS | FLOWFILE_STORE_TS)) ==
222  flags |= FILE_NOSTORE;
223  } else if (flow_file_flags & FLOWFILE_STORE_TS) {
224  flags |= FILE_STORE;
225  }
226 
227  if (flow_file_flags & FLOWFILE_NO_MAGIC_TS) {
228  flags |= FILE_NOMAGIC;
229  }
230 
231  if (flow_file_flags & FLOWFILE_NO_MD5_TS) {
232  flags |= FILE_NOMD5;
233  }
234 
235  if (flow_file_flags & FLOWFILE_NO_SHA1_TS) {
236  flags |= FILE_NOSHA1;
237  }
238 
239  if (flow_file_flags & FLOWFILE_NO_SHA256_TS) {
240  flags |= FILE_NOSHA256;
241  }
242  } else {
243  if ((flow_file_flags & (FLOWFILE_NO_STORE_TC | FLOWFILE_STORE_TC)) ==
245  flags |= FILE_NOSTORE;
246  } else if (flow_file_flags & FLOWFILE_STORE_TC) {
247  flags |= FILE_STORE;
248  }
249 
250  if (flow_file_flags & FLOWFILE_NO_MAGIC_TC) {
251  flags |= FILE_NOMAGIC;
252  }
253 
254  if (flow_file_flags & FLOWFILE_NO_MD5_TC) {
255  flags |= FILE_NOMD5;
256  }
257 
258  if (flow_file_flags & FLOWFILE_NO_SHA1_TC) {
259  flags |= FILE_NOSHA1;
260  }
261 
262  if (flow_file_flags & FLOWFILE_NO_SHA256_TC) {
263  flags |= FILE_NOSHA256;
264  }
265  }
267 
268  SCLogDebug("direction %02x flags %02x", direction, flags);
269  return flags;
270 }
271 
272 uint16_t FileFlowToFlags(const Flow *flow, uint8_t direction)
273 {
274  return FileFlowFlagsToFlags(flow->file_flags, direction);
275 }
276 
277 void FileApplyTxFlags(const AppLayerTxData *txd, const uint8_t direction, File *file)
278 {
279  SCLogDebug("file flags %04x STORE %s NOSTORE %s", file->flags,
280  (file->flags & FILE_STORE) ? "true" : "false",
281  (file->flags & FILE_NOSTORE) ? "true" : "false");
282  uint16_t update_flags = FileFlowFlagsToFlags(txd->file_flags, direction);
284  (file->flags & (FILE_STORE | FILE_NOSTORE)) == (FILE_STORE | FILE_NOSTORE));
285  if (file->flags & FILE_STORE)
286  update_flags &= ~FILE_NOSTORE;
287 
288  file->flags |= update_flags;
289  SCLogDebug("file flags %04x STORE %s NOSTORE %s", file->flags,
290  (file->flags & FILE_STORE) ? "true" : "false",
291  (file->flags & FILE_NOSTORE) ? "true" : "false");
293  (file->flags & (FILE_STORE | FILE_NOSTORE)) == (FILE_STORE | FILE_NOSTORE));
294 }
295 
296 static int FileMagicSize(void)
297 {
298  /** \todo make this size configurable */
299  return 512;
300 }
301 
302 /**
303  * \brief get the size of the file data
304  *
305  * This doesn't reflect how much of the file we have in memory, just the
306  * total size of filedata so far.
307  */
308 uint64_t FileDataSize(const File *file)
309 {
310  if (file != NULL && file->sb != NULL) {
311  const uint64_t size = StreamingBufferGetConsecutiveDataRightEdge(file->sb);
312  SCLogDebug("returning %" PRIu64, size);
313  return size;
314  }
315  SCLogDebug("returning 0 (default)");
316  return 0;
317 }
318 
319 /**
320  * \brief get the size of the file
321  *
322  * This doesn't reflect how much of the file we have in memory, just the
323  * total size of file so far.
324  */
325 uint64_t FileTrackedSize(const File *file)
326 {
327  if (file != NULL) {
328  return file->size;
329  }
330  return 0;
331 }
332 
333 /** \brief test if file is ready to be pruned
334  *
335  * If a file is in the 'CLOSED' state, it means it has been processed
336  * completely by the pipeline in the correct direction. So we can
337  * prune it then.
338  *
339  * For other states, as well as for files we may not need to track
340  * until the close state, more specific checks are done.
341  *
342  * Also does house keeping within the file: move streaming buffer
343  * forward if possible.
344  *
345  * \retval 1 prune (free) this file
346  * \retval 0 file not ready to be freed
347  */
348 static int FilePruneFile(File *file, const StreamingBufferConfig *cfg)
349 {
350  SCEnter();
351 
352  /* file is done when state is closed+, logging/storing is done (if any) */
353  SCLogDebug("file->state %d. Is >= FILE_STATE_CLOSED: %s",
354  file->state, (file->state >= FILE_STATE_CLOSED) ? "yes" : "no");
355  if (file->state >= FILE_STATE_CLOSED) {
356  SCReturnInt(1);
357  }
358 
359 #ifdef HAVE_MAGIC
360  if (!(file->flags & FILE_NOMAGIC)) {
361  /* need magic but haven't set it yet, bail out */
362  if (file->magic == NULL)
363  SCReturnInt(0);
364  else
365  SCLogDebug("file->magic %s", file->magic);
366  } else {
367  SCLogDebug("file->flags & FILE_NOMAGIC == true");
368  }
369 #endif
370  uint64_t left_edge = FileDataSize(file);
371  if (file->flags & FILE_STORE) {
372  left_edge = MIN(left_edge,file->content_stored);
373  }
374 
375  if (!g_detect_disabled) {
376  left_edge = MIN(left_edge, file->content_inspected);
377  /* if file has inspect window and min size set, we
378  * do some house keeping here */
379  if (file->inspect_window != 0 && file->inspect_min_size != 0) {
380  const uint64_t file_offset = StreamingBufferGetOffset(file->sb);
381  uint32_t window = file->inspect_window;
382  if (file_offset == 0)
383  window = MAX(window, file->inspect_min_size);
384 
385  uint64_t file_size = FileDataSize(file);
386  uint64_t data_size = file_size - file_offset;
387 
388  SCLogDebug("window %"PRIu32", file_size %"PRIu64", data_size %"PRIu64,
389  window, file_size, data_size);
390 
391  if (data_size > (window * 3)) {
392  file->content_inspected = MAX(file->content_inspected, file->size - window);
393  SCLogDebug("file->content_inspected now %" PRIu64, file->content_inspected);
394  }
395 
396  if (left_edge > window)
397  left_edge -= window;
398  else
399  left_edge = 0;
400  }
401  }
402 
403  if (left_edge) {
404  SCLogDebug("sliding to %" PRIu64, left_edge);
405  StreamingBufferSlideToOffset(file->sb, cfg, left_edge);
406  }
407 
408  SCReturnInt(0);
409 }
410 
411 #ifdef DEBUG
412 #define P(file, flag) ((file)->flags & (flag)) ? "true" : "false"
413 void FilePrintFlags(const File *file)
414 {
415  SCLogDebug("file %p flags %04x "
416  "FILE_TRUNCATED %s "
417  "FILE_NOMAGIC %s "
418  "FILE_NOMD5 %s "
419  "FILE_MD5 %s "
420  "FILE_NOSHA1 %s "
421  "FILE_SHA1 %s "
422  "FILE_NOSHA256 %s "
423  "FILE_SHA256 %s "
424  "FILE_LOGGED %s "
425  "FILE_NOSTORE %s "
426  "FILE_STORE %s "
427  "FILE_STORED %s "
428  "FILE_NOTRACK %s "
429  "FILE_HAS_GAPS %s",
430  file, file->flags, P(file, FILE_TRUNCATED), P(file, FILE_NOMAGIC), P(file, FILE_NOMD5),
431  P(file, FILE_MD5), P(file, FILE_NOSHA1), P(file, FILE_SHA1), P(file, FILE_NOSHA256),
432  P(file, FILE_SHA256), P(file, FILE_LOGGED), P(file, FILE_NOSTORE), P(file, FILE_STORE),
433  P(file, FILE_STORED), P(file, FILE_NOTRACK), P(file, FILE_HAS_GAPS));
434 }
435 #undef P
436 #endif
437 
438 static void FilePrune(FileContainer *ffc, const StreamingBufferConfig *cfg)
439 {
440  SCEnter();
441  SCLogDebug("ffc %p head %p", ffc, ffc->head);
442  File *file = ffc->head;
443  File *prev = NULL;
444 
445  while (file) {
446 #ifdef DEBUG
447  FilePrintFlags(file);
448 #endif
449  if (FilePruneFile(file, cfg) == 0) {
450  prev = file;
451  file = file->next;
452  continue;
453  }
454 
455  SCLogDebug("removing file %p", file);
456 
457  File *file_next = file->next;
458 
459  if (prev)
460  prev->next = file_next;
461  /* update head and tail */
462  if (file == ffc->head)
463  ffc->head = file_next;
464  if (file == ffc->tail)
465  ffc->tail = prev;
466 
467  FileFree(file, cfg);
468  file = file_next;
469  }
470  SCReturn;
471 }
472 
473 /**
474  * \brief allocate a FileContainer
475  *
476  * \retval new newly allocated FileContainer
477  * \retval NULL error
478  */
480 {
481  FileContainer *new = SCCalloc(1, sizeof(FileContainer));
482  if (unlikely(new == NULL)) {
483  SCLogError("Error allocating mem");
484  return NULL;
485  }
486  new->head = new->tail = NULL;
487  return new;
488 }
489 
490 /**
491  * \brief Recycle a FileContainer
492  *
493  * \param ffc FileContainer
494  */
496 {
497  SCLogDebug("ffc %p", ffc);
498  if (ffc == NULL)
499  return;
500 
501  File *cur = ffc->head;
502  File *next = NULL;
503  for (;cur != NULL; cur = next) {
504  next = cur->next;
505  FileFree(cur, cfg);
506  }
507  ffc->head = ffc->tail = NULL;
508 }
509 
510 /**
511  * \brief Free a FileContainer
512  *
513  * \param ffc FileContainer
514  */
516 {
517  SCLogDebug("ffc %p", ffc);
518  if (ffc == NULL)
519  return;
520 
521  File *ptr = ffc->head;
522  File *next = NULL;
523  for (;ptr != NULL; ptr = next) {
524  next = ptr->next;
525  FileFree(ptr, cfg);
526  }
527  ffc->head = ffc->tail = NULL;
528  SCFree(ffc);
529 }
530 
531 /**
532  * \brief Alloc a new File
533  *
534  * \param name character array containing the name (not a string)
535  * \param name_len length in bytes of the name
536  *
537  * \retval new File object or NULL on error
538  */
539 static File *FileAlloc(const uint8_t *name, uint16_t name_len)
540 {
541  File *new = SCCalloc(1, sizeof(File));
542  if (unlikely(new == NULL)) {
543  SCLogError("Error allocating mem");
544  return NULL;
545  }
546 
547  new->name = SCMalloc(name_len);
548  if (new->name == NULL) {
549  SCFree(new);
550  return NULL;
551  }
552 
553  new->name_len = name_len;
554  memcpy(new->name, name, name_len);
555 
556  new->sid_cnt = 0;
557  new->sid_max = 8;
558  /* SCMalloc() is allowed to fail here because sid well be checked later on */
559  new->sid = SCMalloc(sizeof(uint32_t) * new->sid_max);
560  if (new->sid == NULL)
561  new->sid_max = 0;
562 
563  return new;
564 }
565 
566 static void FileFree(File *ff, const StreamingBufferConfig *sbcfg)
567 {
568  SCLogDebug("ff %p", ff);
569  if (ff == NULL)
570  return;
571 
572  if (ff->name != NULL)
573  SCFree(ff->name);
574  if (ff->sid != NULL)
575  SCFree(ff->sid);
576 #ifdef HAVE_MAGIC
577  /* magic returned by libmagic is strdup'd by MagicLookup. */
578  if (ff->magic != NULL)
579  SCFree(ff->magic);
580 #endif
581  if (ff->sb != NULL) {
582  StreamingBufferFree(ff->sb, sbcfg);
583  }
584 
585  if (ff->md5_ctx)
586  SCMd5Free(ff->md5_ctx);
587  if (ff->sha1_ctx)
588  SCSha1Free(ff->sha1_ctx);
589  if (ff->sha256_ctx)
590  SCSha256Free(ff->sha256_ctx);
591  SCFree(ff);
592 }
593 
595 {
596  SCLogDebug("ffc %p ff %p", ffc, ff);
597  if (ffc->head == NULL || ffc->tail == NULL) {
598  ffc->head = ffc->tail = ff;
599  } else {
600  ffc->tail->next = ff;
601  ffc->tail = ff;
602  }
603 }
604 
605 /**
606  * \brief Tag a file for storing
607  *
608  * \param ff The file to store
609  */
610 int FileStore(File *ff)
611 {
612  SCLogDebug("ff %p", ff);
613  ff->flags |= FILE_STORE;
614  SCReturnInt(0);
615 }
616 
617 /**
618  * \brief check if we have stored enough
619  *
620  * \param ff file
621  *
622  * \retval 0 limit not reached yet
623  * \retval 1 limit reached
624  */
625 static int FileStoreNoStoreCheck(File *ff)
626 {
627  SCEnter();
628 
629  if (ff == NULL) {
630  SCReturnInt(0);
631  }
632 
633  if (ff->flags & FILE_NOSTORE) {
634  if (ff->state == FILE_STATE_OPENED &&
635  FileDataSize(ff) >= (uint64_t)FileMagicSize())
636  {
637  SCReturnInt(1);
638  }
639  }
640 
641  SCReturnInt(0);
642 }
643 
644 static int AppendData(
645  const StreamingBufferConfig *sbcfg, File *file, const uint8_t *data, uint32_t data_len)
646 {
648  data_len > BIT_U32(26)); // 64MiB as a limit per chunk seems already excessive
649 
650  SCLogDebug("file %p data_len %u", file, data_len);
651  if (StreamingBufferAppendNoTrack(file->sb, sbcfg, data, data_len) != 0) {
652  SCLogDebug("file %p StreamingBufferAppendNoTrack failed", file);
653  SCReturnInt(-1);
654  }
655 
656  if (file->md5_ctx) {
657  SCMd5Update(file->md5_ctx, data, data_len);
658  }
659  if (file->sha1_ctx) {
660  SCSha1Update(file->sha1_ctx, data, data_len);
661  }
662  if (file->sha256_ctx) {
663  SCLogDebug("SHA256 file %p data %p data_len %u", file, data, data_len);
664  SCSha256Update(file->sha256_ctx, data, data_len);
665  } else {
666  SCLogDebug("NO SHA256 file %p data %p data_len %u", file, data, data_len);
667  }
668  SCReturnInt(0);
669 }
670 
671 /** \internal
672  * \brief Flags a file as having gaps
673  *
674  * \param ff the file
675  */
676 static void FileFlagGap(File *ff) {
677  ff->flags |= FILE_HAS_GAPS;
680 }
681 
682 /** \internal
683  * \brief Store/handle a chunk of file data in the File structure
684  *
685  * \param ff the file
686  * \param data data chunk
687  * \param data_len data chunk len
688  *
689  * \retval 0 ok
690  * \retval -1 error
691  * \retval -2 no store for this file
692  */
693 static int FileAppendDataDo(
694  const StreamingBufferConfig *sbcfg, File *ff, const uint8_t *data, uint32_t data_len)
695 {
696  SCEnter();
697 #ifdef DEBUG_VALIDATION
698  BUG_ON(ff == NULL);
699 #endif
700 
701  ff->size += data_len;
702  if (data == NULL) {
703  FileFlagGap(ff);
704  SCReturnInt(0);
705  }
706 
707  if (ff->state != FILE_STATE_OPENED) {
708  if (ff->flags & FILE_NOSTORE) {
709  SCReturnInt(-2);
710  }
711  SCReturnInt(-1);
712  }
713 
714  if (g_detect_disabled && FileStoreNoStoreCheck(ff) == 1) {
715  int hash_done = 0;
716  /* no storage but forced hashing */
717  if (ff->md5_ctx) {
718  SCMd5Update(ff->md5_ctx, data, data_len);
719  hash_done = 1;
720  }
721  if (ff->sha1_ctx) {
722  SCSha1Update(ff->sha1_ctx, data, data_len);
723  hash_done = 1;
724  }
725  if (ff->sha256_ctx) {
726  SCLogDebug("file %p data %p data_len %u", ff, data, data_len);
727  SCSha256Update(ff->sha256_ctx, data, data_len);
728  hash_done = 1;
729  }
730 
731  if (hash_done)
732  SCReturnInt(0);
733 
734  if (g_file_force_tracking || (!(ff->flags & FILE_NOTRACK)))
735  SCReturnInt(0);
736 
738  SCLogDebug("flowfile state transitioned to FILE_STATE_TRUNCATED");
739  SCReturnInt(-2);
740  }
741 
742  SCLogDebug("appending %"PRIu32" bytes", data_len);
743 
744  int r = AppendData(sbcfg, ff, data, data_len);
745  if (r != 0) {
746  ff->state = FILE_STATE_ERROR;
747  SCReturnInt(r);
748  }
749 
750  SCReturnInt(0);
751 }
752 
753 /**
754  * \brief Store/handle a chunk of file data in the File structure
755  * The last file in the FileContainer will be used.
756  *
757  * \param ffc FileContainer used to append to
758  * \param data data chunk
759  * \param data_len data chunk len
760  *
761  * \retval 0 ok
762  * \retval -1 error
763  * \retval -2 no store for this file
764  */
765 int FileAppendData(FileContainer *ffc, const StreamingBufferConfig *sbcfg, const uint8_t *data,
766  uint32_t data_len)
767 {
768  SCEnter();
769 
770  if (ffc == NULL || ffc->tail == NULL || data_len == 0 || sbcfg == NULL) {
771  SCReturnInt(-1);
772  }
773  int r = FileAppendDataDo(sbcfg, ffc->tail, data, data_len);
774  SCReturnInt(r);
775 }
776 
777 /**
778  * \brief Store/handle a chunk of file data in the File structure
779  * The file with 'track_id' in the FileContainer will be used.
780  *
781  * \param ffc FileContainer used to append to
782  * \param track_id id to lookup the file
783  * \param data data chunk
784  * \param data_len data chunk len
785  *
786  * \retval 0 ok
787  * \retval -1 error
788  * \retval -2 no store for this file
789  */
790 int FileAppendDataById(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id,
791  const uint8_t *data, uint32_t data_len)
792 {
793  SCEnter();
794 
795  if (ffc == NULL || ffc->tail == NULL || data == NULL || data_len == 0) {
796  SCReturnInt(-1);
797  }
798  File *ff = ffc->head;
799  for ( ; ff != NULL; ff = ff->next) {
800  if (track_id == ff->file_track_id) {
801  int r = FileAppendDataDo(sbcfg, ff, data, data_len);
802  SCReturnInt(r);
803  }
804  }
805  SCReturnInt(-1);
806 }
807 
808 /**
809  * \brief Store/handle a chunk of file data in the File structure
810  * The file with 'track_id' in the FileContainer will be used.
811  *
812  * \param ffc FileContainer used to append to
813  * \param track_id id to lookup the file
814  * \param data data chunk
815  * \param data_len data chunk len
816  *
817  * \retval 0 ok
818  * \retval -1 error
819  * \retval -2 no store for this file
820  */
821 int FileAppendGAPById(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id,
822  const uint8_t *data, uint32_t data_len)
823 {
824  SCEnter();
825 
826  if (ffc == NULL || ffc->tail == NULL || data == NULL || data_len == 0) {
827  SCReturnInt(-1);
828  }
829  File *ff = ffc->head;
830  for ( ; ff != NULL; ff = ff->next) {
831  if (track_id == ff->file_track_id) {
832  FileFlagGap(ff);
833  SCLogDebug("FILE_HAS_GAPS set");
834 
835  int r = FileAppendDataDo(sbcfg, ff, data, data_len);
836  SCReturnInt(r);
837  }
838  }
839  SCReturnInt(-1);
840 }
841 
842 void FileSetInspectSizes(File *file, const uint32_t win, const uint32_t min)
843 {
844  file->inspect_window = win;
845  file->inspect_min_size = min;
846 }
847 
848 /**
849  * \brief Sets the offset range for a file.
850  *
851  * \param ffc the container
852  * \param start start offset
853  * \param end end offset
854  *
855  * \retval 0 ok
856  * \retval -1 error
857  */
858 int FileSetRange(FileContainer *ffc, uint64_t start, uint64_t end)
859 {
860  SCEnter();
861 
862  if (ffc == NULL || ffc->tail == NULL) {
863  SCReturnInt(-1);
864  }
865  ffc->tail->start = start;
866  ffc->tail->end = end;
867  SCReturnInt(0);
868 }
869 
870 /**
871  * \brief Open a new File
872  *
873  * \param ffc flow container
874  * \param sbcfg buffer config
875  * \param name filename character array
876  * \param name_len filename len
877  * \param data initial data
878  * \param data_len initial data len
879  * \param flags open flags
880  *
881  * \retval ff flowfile object
882  *
883  * \note filename is not a string, so it's not nul terminated.
884  */
885 static File *FileOpenFile(FileContainer *ffc, const StreamingBufferConfig *sbcfg,
886  const uint8_t *name, uint16_t name_len,
887  const uint8_t *data, uint32_t data_len, uint16_t flags)
888 {
889  SCEnter();
890 
891  //PrintRawDataFp(stdout, name, name_len);
892 
893  File *ff = FileAlloc(name, name_len);
894  if (ff == NULL) {
895  SCReturnPtr(NULL, "File");
896  }
897 
898  ff->sb = StreamingBufferInit(sbcfg);
899  if (ff->sb == NULL) {
900  FileFree(ff, sbcfg);
901  SCReturnPtr(NULL, "File");
902  }
903  SCLogDebug("ff->sb %p", ff->sb);
904 
905  if (flags & FILE_STORE || g_file_force_filestore) {
906  FileStore(ff);
907  } else if (flags & FILE_NOSTORE) {
908  SCLogDebug("not storing this file");
909  ff->flags |= FILE_NOSTORE;
910  }
911  if (flags & FILE_NOMAGIC) {
912  SCLogDebug("not doing magic for this file");
913  ff->flags |= FILE_NOMAGIC;
914  }
915  if (flags & FILE_NOMD5) {
916  SCLogDebug("not doing md5 for this file");
917  ff->flags |= FILE_NOMD5;
918  }
919  if (flags & FILE_NOSHA1) {
920  SCLogDebug("not doing sha1 for this file");
921  ff->flags |= FILE_NOSHA1;
922  }
923  if (flags & FILE_NOSHA256) {
924  SCLogDebug("not doing sha256 for this file");
925  ff->flags |= FILE_NOSHA256;
926  }
927 
928  if (!(ff->flags & FILE_NOMD5) || g_file_force_md5) {
929  ff->md5_ctx = SCMd5New();
930  }
931  if (!(ff->flags & FILE_NOSHA1) || g_file_force_sha1) {
932  ff->sha1_ctx = SCSha1New();
933  }
934  if (!(ff->flags & FILE_NOSHA256) || g_file_force_sha256) {
935  ff->sha256_ctx = SCSha256New();
936  SCLogDebug("ff %p ff->sha256_ctx %p", ff, ff->sha256_ctx);
937  }
938 
939  ff->state = FILE_STATE_OPENED;
940  SCLogDebug("flowfile state transitioned to FILE_STATE_OPENED");
941 
942  ff->fd = -1;
943 
944  FileContainerAdd(ffc, ff);
945 
946  /* set default window and min inspection size */
948 
949  ff->size += data_len;
950  if (data != NULL) {
951  if (AppendData(sbcfg, ff, data, data_len) != 0) {
952  ff->state = FILE_STATE_ERROR;
953  SCReturnPtr(NULL, "File");
954  }
955  SCLogDebug("file size is now %"PRIu64, FileTrackedSize(ff));
956  } else if (data_len > 0) {
957  FileFlagGap(ff);
958  }
959 
960  SCReturnPtr(ff, "File");
961 }
962 
963 /**
964  * \retval 0 ok
965  * \retval -1 failed */
967  uint32_t track_id, const uint8_t *name, uint16_t name_len,
968  const uint8_t *data, uint32_t data_len, uint16_t flags)
969 {
970  SCLogDebug("ffc %p track_id %u", ffc, track_id);
971  File *ff = FileOpenFile(ffc, sbcfg, name, name_len, data, data_len, flags);
972  if (ff == NULL)
973  return -1;
974 
975  ff->file_track_id = track_id;
976  return 0;
977 }
978 
979 int FileCloseFilePtr(File *ff, const StreamingBufferConfig *sbcfg, const uint8_t *data,
980  uint32_t data_len, uint16_t flags)
981 {
982  SCEnter();
983 
984  if (ff == NULL) {
985  SCReturnInt(-1);
986  }
987 
988  if (ff->state != FILE_STATE_OPENED) {
989  SCReturnInt(-1);
990  }
991 
992  ff->size += data_len;
993  if (data != NULL) {
994  if (ff->flags & FILE_NOSTORE) {
995  /* no storage but hashing */
996  if (ff->md5_ctx)
997  SCMd5Update(ff->md5_ctx, data, data_len);
998  if (ff->sha1_ctx)
999  SCSha1Update(ff->sha1_ctx, data, data_len);
1000  if (ff->sha256_ctx) {
1001  SCLogDebug("file %p data %p data_len %u", ff, data, data_len);
1002  SCSha256Update(ff->sha256_ctx, data, data_len);
1003  }
1004  }
1005  if (AppendData(sbcfg, ff, data, data_len) != 0) {
1006  ff->state = FILE_STATE_ERROR;
1007  SCReturnInt(-1);
1008  }
1009  }
1010 
1011  if ((flags & FILE_TRUNCATED) || (ff->flags & FILE_HAS_GAPS)) {
1012  SCLogDebug("flags FILE_TRUNCATED %s", (flags & FILE_TRUNCATED) ? "true" : "false");
1013  SCLogDebug("ff->flags FILE_HAS_GAPS %s", (ff->flags & FILE_HAS_GAPS) ? "true" : "false");
1014 
1016  SCLogDebug("flowfile state transitioned to FILE_STATE_TRUNCATED");
1017 
1018  if (flags & FILE_NOSTORE) {
1019  SCLogDebug("not storing this file");
1020  ff->flags |= FILE_NOSTORE;
1021  } else {
1022  if (g_file_force_sha256 && ff->sha256_ctx) {
1023  SCLogDebug("file %p data %p data_len %u", ff, data, data_len);
1024  FileEndSha256(ff);
1025  }
1026  }
1027  } else {
1028  ff->state = FILE_STATE_CLOSED;
1029  SCLogDebug("flowfile state transitioned to FILE_STATE_CLOSED");
1030 
1031  if (ff->md5_ctx) {
1032  SCMd5Finalize(ff->md5_ctx, ff->md5, sizeof(ff->md5));
1033  ff->md5_ctx = NULL;
1034  ff->flags |= FILE_MD5;
1035  }
1036  if (ff->sha1_ctx) {
1037  SCSha1Finalize(ff->sha1_ctx, ff->sha1, sizeof(ff->sha1));
1038  ff->sha1_ctx = NULL;
1039  ff->flags |= FILE_SHA1;
1040  }
1041  if (ff->sha256_ctx) {
1042  SCLogDebug("file %p data %p data_len %u", ff, data, data_len);
1043  FileEndSha256(ff);
1044  }
1045  }
1046 
1047  SCReturnInt(0);
1048 }
1049 
1050 /**
1051  * \brief Close a File
1052  *
1053  * \param ffc the container
1054  * \param data final data if any
1055  * \param data_len data len if any
1056  * \param flags flags
1057  *
1058  * \retval 0 ok
1059  * \retval -1 error
1060  */
1061 int FileCloseFile(FileContainer *ffc, const StreamingBufferConfig *sbcfg, const uint8_t *data,
1062  uint32_t data_len, uint16_t flags)
1063 {
1064  SCEnter();
1065 
1066  if (ffc == NULL || ffc->tail == NULL) {
1067  SCReturnInt(-1);
1068  }
1069 
1070  if (FileCloseFilePtr(ffc->tail, sbcfg, data, data_len, flags) == -1) {
1071  SCReturnInt(-1);
1072  }
1073 
1074  SCReturnInt(0);
1075 }
1076 
1077 int FileCloseFileById(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id,
1078  const uint8_t *data, uint32_t data_len, uint16_t flags)
1079 {
1080  SCEnter();
1081 
1082  if (ffc == NULL || ffc->tail == NULL) {
1083  SCReturnInt(-1);
1084  }
1085 
1086  File *ff = ffc->head;
1087  for ( ; ff != NULL; ff = ff->next) {
1088  if (track_id == ff->file_track_id) {
1089  int r = FileCloseFilePtr(ff, sbcfg, data, data_len, flags);
1090  SCReturnInt(r);
1091  }
1092  }
1093  SCReturnInt(-1);
1094 }
1095 
1096 /** \brief set a flow's file flags
1097  * \param set_file_flags flags in both directions that are requested to set
1098  *
1099  * This function will ignore the flags for the irrelevant direction and
1100  * also mask the flags with the global settings.
1101  */
1102 void FileUpdateFlowFileFlags(Flow *f, uint16_t set_file_flags, uint8_t direction)
1103 {
1104  SCEnter();
1106 
1107  /* remove flags not in our direction and
1108  don't disable what is globally enabled */
1109  if (direction == STREAM_TOSERVER) {
1110  set_file_flags &= ~(FLOWFILE_NONE_TC|g_file_flow_mask);
1111  } else {
1112  set_file_flags &= ~(FLOWFILE_NONE_TS|g_file_flow_mask);
1113  }
1114  f->file_flags |= set_file_flags;
1115 
1116  SCLogDebug("f->file_flags %04x set_file_flags %04x g_file_flow_mask %04x",
1117  f->file_flags, set_file_flags, g_file_flow_mask);
1118 
1119  if (set_file_flags != 0 && f->alproto != ALPROTO_UNKNOWN && f->alstate != NULL) {
1121  if (sd != NULL) {
1122  if ((sd->file_flags & f->file_flags) != f->file_flags) {
1123  SCLogDebug("state data: updating file_flags %04x with flow file_flags %04x",
1124  sd->file_flags, f->file_flags);
1125  sd->file_flags |= f->file_flags;
1126  }
1127  }
1128  }
1129 }
1130 
1131 /**
1132  * \brief disable file storing for files in a transaction
1133  *
1134  * \param f *LOCKED* flow
1135  * \param direction flow direction
1136  * \param tx_id transaction id
1137  */
1138 void FileDisableStoringForTransaction(Flow *f, const uint8_t direction, void *tx, uint64_t tx_id)
1139 {
1140  if (g_file_force_filestore == 0) {
1142  if (direction & STREAM_TOSERVER) {
1143  txd->file_flags |= FLOWFILE_NO_STORE_TS;
1144  } else {
1145  txd->file_flags |= FLOWFILE_NO_STORE_TC;
1146  }
1147  }
1148 }
1149 
1150 /**
1151  * \brief flag a file with id "file_id" to be stored.
1152  *
1153  * \param fc file store
1154  * \param file_id the file's id
1155  */
1156 void FileStoreFileById(FileContainer *fc, uint32_t file_id)
1157 {
1158  File *ptr = NULL;
1159 
1160  SCEnter();
1161 
1162  if (fc != NULL) {
1163  for (ptr = fc->head; ptr != NULL; ptr = ptr->next) {
1164  if (ptr->file_track_id == file_id) {
1165  FileStore(ptr);
1166  }
1167  }
1168  }
1169 }
1170 
1171 static void FileTruncateAllOpenFiles(FileContainer *fc, const StreamingBufferConfig *sbcfg)
1172 {
1173  File *ptr = NULL;
1174 
1175  SCEnter();
1176 
1177  if (fc != NULL) {
1178  for (ptr = fc->head; ptr != NULL; ptr = ptr->next) {
1179  if (ptr->state == FILE_STATE_OPENED) {
1180  FileCloseFilePtr(ptr, sbcfg, NULL, 0, FILE_TRUNCATED);
1181  }
1182  }
1183  }
1184 }
1185 
1186 void FilesPrune(FileContainer *fc, const StreamingBufferConfig *sbcfg, const bool trunc)
1187 {
1188  if (trunc) {
1189  FileTruncateAllOpenFiles(fc, sbcfg);
1190  }
1191  FilePrune(fc, sbcfg);
1192 }
1193 
1194 /**
1195  * \brief Finish the SHA256 calculation.
1196  */
1197 static void FileEndSha256(File *ff)
1198 {
1199  SCLogDebug("ff %p ff->size %" PRIu64, ff, ff->size);
1200  if (!(ff->flags & FILE_SHA256) && ff->sha256_ctx) {
1201  SCSha256Finalize(ff->sha256_ctx, ff->sha256, sizeof(ff->sha256));
1202  ff->sha256_ctx = NULL;
1203  ff->flags |= FILE_SHA256;
1204  }
1205 }
FLOWFILE_NO_MD5_TS
#define FLOWFILE_NO_MD5_TS
Definition: flow.h:137
FLOWFILE_NO_MD5_TC
#define FLOWFILE_NO_MD5_TC
Definition: flow.h:138
FILE_TRUNCATED
#define FILE_TRUNCATED
Definition: util-file.h:45
FileForceFilestore
int FileForceFilestore(void)
Definition: util-file.c:122
StreamingBufferSlideToOffset
void StreamingBufferSlideToOffset(StreamingBuffer *sb, const StreamingBufferConfig *cfg, uint64_t offset)
slide to absolute offset
Definition: util-streaming-buffer.c:1022
FileContainer_
Definition: util-file.h:113
FileForceHashParseCfg
void FileForceHashParseCfg(SCConfNode *conf)
Function to parse forced file hashing configuration.
Definition: util-file.c:169
FileContainerAdd
void FileContainerAdd(FileContainer *ffc, File *ff)
Definition: util-file.c:594
FileContainerAlloc
FileContainer * FileContainerAlloc(void)
allocate a FileContainer
Definition: util-file.c:479
FileReassemblyDepthEnable
void FileReassemblyDepthEnable(uint32_t size)
Definition: util-file.c:127
stream-tcp.h
FileForceTrackingEnable
void FileForceTrackingEnable(void)
Definition: util-file.c:161
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
FILE_SHA256
#define FILE_SHA256
Definition: util-file.h:52
File_::inspect_min_size
uint32_t inspect_min_size
Definition: util-file.h:104
FILE_NOSHA1
#define FILE_NOSHA1
Definition: util-file.h:49
File_::size
uint64_t size
Definition: util-file.h:102
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:275
FILE_NOTRACK
#define FILE_NOTRACK
Definition: util-file.h:57
StreamingBufferFree
void StreamingBufferFree(StreamingBuffer *sb, const StreamingBufferConfig *cfg)
Definition: util-streaming-buffer.c:294
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
FLOWFILE_NONE_TC
#define FLOWFILE_NONE_TC
Definition: flow.h:157
Flow_::proto
uint8_t proto
Definition: flow.h:370
FLOWFILE_NO_MAGIC_TS
#define FLOWFILE_NO_MAGIC_TS
Definition: flow.h:130
FLOWFILE_NONE_TS
#define FLOWFILE_NONE_TS
Definition: flow.h:154
FILE_STATE_OPENED
@ FILE_STATE_OPENED
Definition: util-file.h:70
FileContainerFree
void FileContainerFree(FileContainer *ffc, const StreamingBufferConfig *cfg)
Free a FileContainer.
Definition: util-file.c:515
TcpStreamCnf_::reassembly_depth
uint32_t reassembly_depth
Definition: stream-tcp.h:75
Flow_
Flow data structure.
Definition: flow.h:348
File_::state
FileState state
Definition: util-file.h:82
util-hash.h
FILE_STORE
#define FILE_STORE
Definition: util-file.h:55
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:252
rust.h
FileContainer_::tail
File * tail
Definition: util-file.h:115
MIN
#define MIN(x, y)
Definition: suricata-common.h:408
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: app-layer-parser.h:42
FileForceMagicEnable
void FileForceMagicEnable(void)
Definition: util-file.c:98
FILE_NOSHA256
#define FILE_NOSHA256
Definition: util-file.h:51
FileAppendGAPById
int FileAppendGAPById(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id, const uint8_t *data, uint32_t data_len)
Store/handle a chunk of file data in the File structure The file with 'track_id' in the FileContainer...
Definition: util-file.c:821
FILE_STATE_TRUNCATED
@ FILE_STATE_TRUNCATED
Definition: util-file.h:73
AppLayerParserGetStateData
AppLayerStateData * AppLayerParserGetStateData(uint8_t ipproto, AppProto alproto, void *state)
Definition: app-layer-parser.c:1190
FLOWFILE_STORE_TS
#define FLOWFILE_STORE_TS
Definition: flow.h:151
File_::sha1
uint8_t sha1[SC_SHA1_LEN]
Definition: util-file.h:96
stream_config
TcpStreamCnf stream_config
Definition: stream-tcp.c:219
MAX
#define MAX(x, y)
Definition: suricata-common.h:412
FileForceMd5Enable
void FileForceMd5Enable(void)
Definition: util-file.c:104
File_::sb
StreamingBuffer * sb
Definition: util-file.h:83
FileForceSha1Enable
void FileForceSha1Enable(void)
Definition: util-file.c:110
util-memcmp.h
FLOWFILE_NO_SHA1_TC
#define FLOWFILE_NO_SHA1_TC
Definition: flow.h:142
File_::md5
uint8_t md5[SC_MD5_LEN]
Definition: util-file.h:94
File_::file_track_id
uint32_t file_track_id
Definition: util-file.h:84
util-debug.h
FileForceMagic
int FileForceMagic(void)
Definition: util-file.c:141
StreamingBufferInit
StreamingBuffer * StreamingBufferInit(const StreamingBufferConfig *cfg)
Definition: util-streaming-buffer.c:248
File_::end
uint64_t end
Definition: util-file.h:106
g_detect_disabled
int g_detect_disabled
Definition: suricata.c:186
FileFlowToFlags
uint16_t FileFlowToFlags(const Flow *flow, uint8_t direction)
Definition: util-file.c:272
File_::fd
int fd
Definition: util-file.h:86
FLOWFILE_STORE_TC
#define FLOWFILE_STORE_TC
Definition: flow.h:152
FLOWFILE_NO_STORE_TS
#define FLOWFILE_NO_STORE_TS
Definition: flow.h:134
BIT_U32
#define BIT_U32(n)
Definition: suricata-common.h:417
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:277
FileContainer_::head
File * head
Definition: util-file.h:114
FileStoreFileById
void FileStoreFileById(FileContainer *fc, uint32_t file_id)
flag a file with id "file_id" to be stored.
Definition: util-file.c:1156
FLOWFILE_NO_SHA256_TS
#define FLOWFILE_NO_SHA256_TS
Definition: flow.h:145
FileTrackedSize
uint64_t FileTrackedSize(const File *file)
get the size of the file
Definition: util-file.c:325
FILEDATA_CONTENT_INSPECT_MIN_SIZE
#define FILEDATA_CONTENT_INSPECT_MIN_SIZE
Definition: app-layer-smtp.c:61
app-layer-parser.h
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:317
FileUpdateFlowFileFlags
void FileUpdateFlowFileFlags(Flow *f, uint16_t set_file_flags, uint8_t direction)
set a flow's file flags
Definition: util-file.c:1102
FileReassemblyDepth
uint32_t FileReassemblyDepth(void)
Definition: util-file.c:133
SCReturn
#define SCReturn
Definition: util-debug.h:279
stream.h
File_::sha256_ctx
SCSha256 * sha256_ctx
Definition: util-file.h:97
DEBUG_ASSERT_FLOW_LOCKED
#define DEBUG_ASSERT_FLOW_LOCKED(f)
Definition: util-validate.h:99
FileForceMd5
int FileForceMd5(void)
Definition: util-file.c:146
FileOpenFileWithId
int FileOpenFileWithId(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id, const uint8_t *name, uint16_t name_len, const uint8_t *data, uint32_t data_len, uint16_t flags)
Open a new File.
Definition: util-file.c:966
name
const char * name
Definition: tm-threads.c:2163
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:293
File_::name
uint8_t * name
Definition: util-file.h:88
FileCloseFilePtr
int FileCloseFilePtr(File *ff, const StreamingBufferConfig *sbcfg, const uint8_t *data, uint32_t data_len, uint16_t flags)
Definition: util-file.c:979
FileAppendData
int FileAppendData(FileContainer *ffc, const StreamingBufferConfig *sbcfg, const uint8_t *data, uint32_t data_len)
Store/handle a chunk of file data in the File structure The last file in the FileContainer will be us...
Definition: util-file.c:765
File_::sid
uint32_t * sid
Definition: util-file.h:108
runmodes.h
FILE_NOMD5
#define FILE_NOMD5
Definition: util-file.h:47
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:225
FileDataSize
uint64_t FileDataSize(const File *file)
get the size of the file data
Definition: util-file.c:308
FileCloseFileById
int FileCloseFileById(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id, const uint8_t *data, uint32_t data_len, uint16_t flags)
Definition: util-file.c:1077
FileStore
int FileStore(File *ff)
Tag a file for storing.
Definition: util-file.c:610
FLOWFILE_NO_SHA256_TC
#define FLOWFILE_NO_SHA256_TC
Definition: flow.h:146
FileDisableStoringForTransaction
void FileDisableStoringForTransaction(Flow *f, const uint8_t direction, void *tx, uint64_t tx_id)
disable file storing for files in a transaction
Definition: util-file.c:1138
File_::flags
uint16_t flags
Definition: util-file.h:80
SCConfNodeLookupChild
SCConfNode * SCConfNodeLookupChild(const SCConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:796
File_::content_inspected
uint64_t content_inspected
Definition: util-file.h:99
FILE_STATE_CLOSED
@ FILE_STATE_CLOSED
Definition: util-file.h:71
File_
Definition: util-file.h:79
File_::content_stored
uint64_t content_stored
Definition: util-file.h:101
FLOWFILE_NO_MAGIC_TC
#define FLOWFILE_NO_MAGIC_TC
Definition: flow.h:131
flags
uint8_t flags
Definition: decode-gre.h:0
StreamingBufferAppendNoTrack
int StreamingBufferAppendNoTrack(StreamingBuffer *sb, const StreamingBufferConfig *cfg, const uint8_t *data, uint32_t data_len)
add data w/o tracking a segment
Definition: util-streaming-buffer.c:1144
suricata-common.h
FileForceFilestoreEnable
void FileForceFilestoreEnable(void)
Definition: util-file.c:92
FileForceSha256
int FileForceSha256(void)
Definition: util-file.c:156
FILE_STORED
#define FILE_STORED
Definition: util-file.h:56
File_::next
struct File_ * next
Definition: util-file.h:92
FileSetInspectSizes
void FileSetInspectSizes(File *file, const uint32_t win, const uint32_t min)
Definition: util-file.c:842
FilesPrune
void FilesPrune(FileContainer *fc, const StreamingBufferConfig *sbcfg, const bool trunc)
Definition: util-file.c:1186
FILE_MD5
#define FILE_MD5
Definition: util-file.h:48
AppLayerParserGetTxData
AppLayerTxData * AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx)
Definition: app-layer-parser.c:1183
FileSetRange
int FileSetRange(FileContainer *ffc, uint64_t start, uint64_t end)
Sets the offset range for a file.
Definition: util-file.c:858
FLOWFILE_NO_STORE_TC
#define FLOWFILE_NO_STORE_TC
Definition: flow.h:135
File_::sha256
uint8_t sha256[SC_SHA256_LEN]
Definition: util-file.h:98
File_::start
uint64_t start
Definition: util-file.h:105
AppLayerStateData
struct AppLayerStateData AppLayerStateData
Definition: app-layer-parser.h:44
FilePrintFlags
#define FilePrintFlags(file)
Definition: util-file.h:250
util-validate.h
StreamingBufferConfig_
Definition: util-streaming-buffer.h:65
FileContainerRecycle
void FileContainerRecycle(FileContainer *ffc, const StreamingBufferConfig *cfg)
Recycle a FileContainer.
Definition: util-file.c:495
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
FLOWFILE_NO_SHA1_TS
#define FLOWFILE_NO_SHA1_TS
Definition: flow.h:141
FILE_LOGGED
#define FILE_LOGGED
Definition: util-file.h:53
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:267
FileForceSha1
int FileForceSha1(void)
Definition: util-file.c:151
FileCloseFile
int FileCloseFile(FileContainer *ffc, const StreamingBufferConfig *sbcfg, const uint8_t *data, uint32_t data_len, uint16_t flags)
Close a File.
Definition: util-file.c:1061
SCFree
#define SCFree(p)
Definition: util-mem.h:61
FileAppendDataById
int FileAppendDataById(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id, const uint8_t *data, uint32_t data_len)
Store/handle a chunk of file data in the File structure The file with 'track_id' in the FileContainer...
Definition: util-file.c:790
Flow_::alstate
void * alstate
Definition: flow.h:471
FILEDATA_CONTENT_INSPECT_WINDOW
#define FILEDATA_CONTENT_INSPECT_WINDOW
Definition: app-layer-smtp.c:63
File_::md5_ctx
SCMd5 * md5_ctx
Definition: util-file.h:93
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
File_::inspect_window
uint32_t inspect_window
Definition: util-file.h:103
FILE_SHA1
#define FILE_SHA1
Definition: util-file.h:50
suricata.h
FILE_NOSTORE
#define FILE_NOSTORE
Definition: util-file.h:54
FileForceSha256Enable
void FileForceSha256Enable(void)
Definition: util-file.c:116
FileFlowFlagsToFlags
uint16_t FileFlowFlagsToFlags(const uint16_t flow_file_flags, uint8_t direction)
Definition: util-file.c:215
flow.h
FILE_NOMAGIC
#define FILE_NOMAGIC
Definition: util-file.h:46
Flow_::file_flags
uint16_t file_flags
Definition: flow.h:415
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:442
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:281
SCConfNode_
Definition: conf.h:37
FileApplyTxFlags
void FileApplyTxFlags(const AppLayerTxData *txd, const uint8_t direction, File *file)
Definition: util-file.c:277
SCConfNode_::val
char * val
Definition: conf.h:39
FILE_STATE_ERROR
@ FILE_STATE_ERROR
Definition: util-file.h:75
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
FILE_HAS_GAPS
#define FILE_HAS_GAPS
Definition: util-file.h:59
File_::sha1_ctx
SCSha1 * sha1_ctx
Definition: util-file.h:95
g_disable_hashing
bool g_disable_hashing
Definition: suricata.c:214