suricata
util-file.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
23  *
24  */
25 
26 #include "suricata-common.h"
27 #include "suricata.h"
28 #include "debug.h"
29 #include "flow.h"
30 #include "stream.h"
31 #include "stream-tcp.h"
32 #include "runmodes.h"
33 #include "util-hash.h"
34 #include "util-debug.h"
35 #include "util-memcmp.h"
36 #include "util-print.h"
37 #include "app-layer-parser.h"
38 #include "util-validate.h"
39 
40 extern int g_detect_disabled;
41 
42 /** \brief mask of file flags we'll not set
43  * This mask is set based on global file settings and
44  * cannot be overriden by detection.
45  */
46 static uint16_t g_file_flow_mask = 0;
47 
48 /** \brief switch to force filestore on all files
49  * regardless of the rules.
50  */
51 static int g_file_force_filestore = 0;
52 
53 /** \brief switch to force magic checks on all files
54  * regardless of the rules.
55  */
56 static int g_file_force_magic = 0;
57 
58 /** \brief switch to force md5 calculation on all files
59  * regardless of the rules.
60  */
61 static int g_file_force_md5 = 0;
62 
63 /** \brief switch to force sha1 calculation on all files
64  * regardless of the rules.
65  */
66 static int g_file_force_sha1 = 0;
67 
68 /** \brief switch to force sha256 calculation on all files
69  * regardless of the rules.
70  */
71 static int g_file_force_sha256 = 0;
72 
73 /** \brief switch to force tracking off all files
74  * regardless of the rules.
75  */
76 static int g_file_force_tracking = 0;
77 
78 /** \brief switch to use g_file_store_reassembly_depth
79  * to reassembly files
80  */
81 static int g_file_store_enable = 0;
82 
83 /** \brief stream_config.reassembly_depth equivalent
84  * for files
85  */
86 static uint32_t g_file_store_reassembly_depth = 0;
87 
88 /* prototypes */
89 static void FileFree(File *);
90 #ifdef HAVE_NSS
91 static void FileEndSha256(File *ff);
92 #endif
93 
95 {
96  g_file_force_filestore = 1;
97  g_file_flow_mask |= (FLOWFILE_NO_STORE_TS|FLOWFILE_NO_STORE_TC);
98 }
99 
101 {
102  g_file_force_magic = 1;
103  g_file_flow_mask |= (FLOWFILE_NO_MAGIC_TS|FLOWFILE_NO_MAGIC_TC);
104 }
105 
107 {
108  g_file_force_md5 = 1;
109  g_file_flow_mask |= (FLOWFILE_NO_MD5_TS|FLOWFILE_NO_MD5_TC);
110 }
111 
113 {
114  g_file_force_sha1 = 1;
115  g_file_flow_mask |= (FLOWFILE_NO_SHA1_TS|FLOWFILE_NO_SHA1_TC);
116 }
117 
119 {
120  g_file_force_sha256 = 1;
121  g_file_flow_mask |= (FLOWFILE_NO_SHA256_TS|FLOWFILE_NO_SHA256_TC);
122 }
123 
125 {
126  return g_file_force_filestore;
127 }
128 
129 void FileReassemblyDepthEnable(uint32_t size)
130 {
131  g_file_store_enable = 1;
132  g_file_store_reassembly_depth = size;
133 }
134 
135 uint32_t FileReassemblyDepth(void)
136 {
137  if (g_file_store_enable == 1)
138  return g_file_store_reassembly_depth;
139  else
141 }
142 
143 int FileForceMagic(void)
144 {
145  return g_file_force_magic;
146 }
147 
148 int FileForceMd5(void)
149 {
150  return g_file_force_md5;
151 }
152 
153 int FileForceSha1(void)
154 {
155  return g_file_force_sha1;
156 }
157 
159 {
160  return g_file_force_sha256;
161 }
162 
164 {
165  g_file_force_tracking = 1;
166  g_file_flow_mask |= (FLOWFILE_NO_SIZE_TS|FLOWFILE_NO_SIZE_TC);
167 }
168 
169 /**
170  * \brief Function to parse forced file hashing configuration.
171  */
173 {
174  BUG_ON(conf == NULL);
175 
176  ConfNode *forcehash_node = NULL;
177 
178  /* legacy option */
179  const char *force_md5 = ConfNodeLookupChildValue(conf, "force-md5");
180  if (force_md5 != NULL) {
181  SCLogWarning(SC_ERR_DEPRECATED_CONF, "deprecated 'force-md5' option "
182  "found. Please use 'force-hash: [md5]' instead");
183 
184  if (ConfValIsTrue(force_md5)) {
185 #ifdef HAVE_NSS
187  SCLogInfo("forcing md5 calculation for logged files");
188 #else
189  SCLogInfo("md5 calculation requires linking against libnss");
190 #endif
191  }
192  }
193 
194  if (conf != NULL)
195  forcehash_node = ConfNodeLookupChild(conf, "force-hash");
196 
197  if (forcehash_node != NULL) {
198  ConfNode *field = NULL;
199 
200  TAILQ_FOREACH(field, &forcehash_node->head, next) {
201  if (strcasecmp("md5", field->val) == 0) {
202 #ifdef HAVE_NSS
204  SCLogConfig("forcing md5 calculation for logged or stored files");
205 #else
206  SCLogInfo("md5 calculation requires linking against libnss");
207 #endif
208  }
209 
210  if (strcasecmp("sha1", field->val) == 0) {
211 #ifdef HAVE_NSS
213  SCLogConfig("forcing sha1 calculation for logged or stored files");
214 #else
215  SCLogInfo("sha1 calculation requires linking against libnss");
216 #endif
217  }
218 
219  if (strcasecmp("sha256", field->val) == 0) {
220 #ifdef HAVE_NSS
222  SCLogConfig("forcing sha256 calculation for logged or stored files");
223 #else
224  SCLogInfo("sha256 calculation requires linking against libnss");
225 #endif
226  }
227  }
228  }
229 }
230 
231 uint16_t FileFlowToFlags(const Flow *flow, uint8_t direction)
232 {
233  uint16_t flags = 0;
234 
235  if (direction == STREAM_TOSERVER) {
236  if (flow->file_flags & FLOWFILE_NO_STORE_TS) {
237  flags |= FILE_NOSTORE;
238  }
239 
240  if (flow->file_flags & FLOWFILE_NO_MAGIC_TS) {
241  flags |= FILE_NOMAGIC;
242  }
243 
244  if (flow->file_flags & FLOWFILE_NO_MD5_TS) {
245  flags |= FILE_NOMD5;
246  }
247 
248  if (flow->file_flags & FLOWFILE_NO_SHA1_TS) {
249  flags |= FILE_NOSHA1;
250  }
251 
252  if (flow->file_flags & FLOWFILE_NO_SHA256_TS) {
253  flags |= FILE_NOSHA256;
254  }
255  } else {
256  if (flow->file_flags & FLOWFILE_NO_STORE_TC) {
257  flags |= FILE_NOSTORE;
258  }
259 
260  if (flow->file_flags & FLOWFILE_NO_MAGIC_TC) {
261  flags |= FILE_NOMAGIC;
262  }
263 
264  if (flow->file_flags & FLOWFILE_NO_MD5_TC) {
265  flags |= FILE_NOMD5;
266  }
267 
268  if (flow->file_flags & FLOWFILE_NO_SHA1_TC) {
269  flags |= FILE_NOSHA1;
270  }
271 
272  if (flow->file_flags & FLOWFILE_NO_SHA256_TC) {
273  flags |= FILE_NOSHA256;
274  }
275  }
276  return flags;
277 }
278 
279 static int FileMagicSize(void)
280 {
281  /** \todo make this size configurable */
282  return 512;
283 }
284 
285 /**
286  * \brief get the size of the file data
287  *
288  * This doesn't reflect how much of the file we have in memory, just the
289  * total size of filedata so far.
290  */
291 uint64_t FileDataSize(const File *file)
292 {
293  if (file != NULL && file->sb != NULL) {
294  SCLogDebug("returning %"PRIu64,
295  file->sb->stream_offset + file->sb->buf_offset);
296  return file->sb->stream_offset + file->sb->buf_offset;
297  }
298  SCLogDebug("returning 0 (default)");
299  return 0;
300 }
301 
302 /**
303  * \brief get the size of the file
304  *
305  * This doesn't reflect how much of the file we have in memory, just the
306  * total size of file so far.
307  */
308 uint64_t FileTrackedSize(const File *file)
309 {
310  if (file != NULL) {
311  return file->size;
312  }
313  return 0;
314 }
315 
316 /** \brief test if file is ready to be pruned
317  *
318  * If a file is in the 'CLOSED' state, it means it has been processed
319  * completely by the pipeline in the correct direction. So we can
320  * prune it then.
321  *
322  * For other states, as well as for files we may not need to track
323  * until the close state, more specific checks are done.
324  *
325  * Also does house keeping within the file: move streaming buffer
326  * forward if possible.
327  *
328  * \retval 1 prune (free) this file
329  * \retval 0 file not ready to be freed
330  */
331 static int FilePruneFile(File *file)
332 {
333  SCEnter();
334 
335  /* file is done when state is closed+, logging/storing is done (if any) */
336  SCLogDebug("file->state %d. Is >= FILE_STATE_CLOSED: %s",
337  file->state, (file->state >= FILE_STATE_CLOSED) ? "yes" : "no");
338  if (file->state >= FILE_STATE_CLOSED) {
339  SCReturnInt(1);
340  }
341 
342 #ifdef HAVE_MAGIC
343  if (!(file->flags & FILE_NOMAGIC)) {
344  /* need magic but haven't set it yet, bail out */
345  if (file->magic == NULL)
346  SCReturnInt(0);
347  else
348  SCLogDebug("file->magic %s", file->magic);
349  } else {
350  SCLogDebug("file->flags & FILE_NOMAGIC == true");
351  }
352 #endif
353  uint64_t left_edge = FileDataSize(file);
354  if (file->flags & FILE_STORE) {
355  left_edge = MIN(left_edge,file->content_stored);
356  }
357  if (file->flags & FILE_USE_DETECT) {
358  left_edge = MIN(left_edge, file->content_inspected);
359 
360  /* if file has inspect window and min size set, we
361  * do some house keeping here */
362  if (file->inspect_window != 0 && file->inspect_min_size != 0) {
363  uint32_t window = file->inspect_window;
364  if (file->sb->stream_offset == 0)
365  window = MAX(window, file->inspect_min_size);
366 
367  uint64_t file_size = FileDataSize(file);
368  uint64_t data_size = file_size - file->sb->stream_offset;
369 
370  SCLogDebug("window %"PRIu32", file_size %"PRIu64", data_size %"PRIu64,
371  window, file_size, data_size);
372 
373  if (data_size > (window * 3)) {
374  left_edge = file_size - window;
375  SCLogDebug("file->content_inspected now %"PRIu64, left_edge);
376  file->content_inspected = left_edge;
377  }
378  }
379  }
380 
381  if (left_edge) {
382  StreamingBufferSlideToOffset(file->sb, left_edge);
383  }
384 
385  SCReturnInt(0);
386 }
387 
389 {
390  File *file = ffc->head;
391  File *prev = NULL;
392 
393  while (file) {
394  if (FilePruneFile(file) == 0) {
395  prev = file;
396  file = file->next;
397  continue;
398  }
399 
400  SCLogDebug("removing file %p", file);
401 
402  File *file_next = file->next;
403 
404  if (prev)
405  prev->next = file_next;
406  /* update head and tail */
407  if (file == ffc->head)
408  ffc->head = file_next;
409  if (file == ffc->tail)
410  ffc->tail = prev;
411 
412  FileFree(file);
413  file = file_next;
414  }
415 }
416 
417 /**
418  * \brief allocate a FileContainer
419  *
420  * \retval new newly allocated FileContainer
421  * \retval NULL error
422  */
424 {
425  FileContainer *new = SCMalloc(sizeof(FileContainer));
426  if (unlikely(new == NULL)) {
427  SCLogError(SC_ERR_MEM_ALLOC, "Error allocating mem");
428  return NULL;
429  }
430  memset(new, 0, sizeof(FileContainer));
431  new->head = new->tail = NULL;
432  return new;
433 }
434 
435 /**
436  * \brief Recycle a FileContainer
437  *
438  * \param ffc FileContainer
439  */
441 {
442  if (ffc == NULL)
443  return;
444 
445  File *cur = ffc->head;
446  File *next = NULL;
447  for (;cur != NULL; cur = next) {
448  next = cur->next;
449  FileFree(cur);
450  }
451  ffc->head = ffc->tail = NULL;
452 }
453 
454 /**
455  * \brief Free a FileContainer
456  *
457  * \param ffc FileContainer
458  */
460 {
461  if (ffc == NULL)
462  return;
463 
464  File *ptr = ffc->head;
465  File *next = NULL;
466  for (;ptr != NULL; ptr = next) {
467  next = ptr->next;
468  FileFree(ptr);
469  }
470  ffc->head = ffc->tail = NULL;
471  SCFree(ffc);
472 }
473 
474 /**
475  * \brief Alloc a new File
476  *
477  * \param name character array containing the name (not a string)
478  * \param name_len length in bytes of the name
479  *
480  * \retval new File object or NULL on error
481  */
482 static File *FileAlloc(const uint8_t *name, uint16_t name_len)
483 {
484  File *new = SCMalloc(sizeof(File));
485  if (unlikely(new == NULL)) {
486  SCLogError(SC_ERR_MEM_ALLOC, "Error allocating mem");
487  return NULL;
488  }
489  memset(new, 0, sizeof(File));
490 
491  new->name = SCMalloc(name_len);
492  if (new->name == NULL) {
493  SCFree(new);
494  return NULL;
495  }
496 
497  new->name_len = name_len;
498  memcpy(new->name, name, name_len);
499 
500  new->sid_cnt = 0;
501  new->sid_max = 8;
502  /* SCMalloc() is allowed to fail here because sid well be checked later on */
503  new->sid = SCMalloc(sizeof(uint32_t) * new->sid_max);
504  if (new->sid == NULL)
505  new->sid_max = 0;
506 
507  return new;
508 }
509 
510 static void FileFree(File *ff)
511 {
512  if (ff == NULL)
513  return;
514 
515  if (ff->name != NULL)
516  SCFree(ff->name);
517  if (ff->sid != NULL)
518  SCFree(ff->sid);
519 #ifdef HAVE_MAGIC
520  /* magic returned by libmagic is strdup'd by MagicLookup. */
521  if (ff->magic != NULL)
522  SCFree(ff->magic);
523 #endif
524  if (ff->sb != NULL) {
525  StreamingBufferFree(ff->sb);
526  }
527 
528 #ifdef HAVE_NSS
529  if (ff->md5_ctx)
530  HASH_Destroy(ff->md5_ctx);
531  if (ff->sha1_ctx)
532  HASH_Destroy(ff->sha1_ctx);
533  if (ff->sha256_ctx)
534  HASH_Destroy(ff->sha256_ctx);
535 #endif
536  SCFree(ff);
537 }
538 
540 {
541  if (ffc->head == NULL || ffc->tail == NULL) {
542  ffc->head = ffc->tail = ff;
543  } else {
544  ffc->tail->next = ff;
545  ffc->tail = ff;
546  }
547 }
548 
549 /**
550  * \brief Tag a file for storing
551  *
552  * \param ff The file to store
553  */
554 int FileStore(File *ff)
555 {
556  ff->flags |= FILE_STORE;
557  SCReturnInt(0);
558 }
559 
560 /**
561  * \brief Set the TX id for a file
562  *
563  * \param ff The file to store
564  * \param txid the tx id
565  */
566 int FileSetTx(File *ff, uint64_t txid)
567 {
568  SCLogDebug("ff %p txid %"PRIu64, ff, txid);
569  if (ff != NULL)
570  ff->txid = txid;
571  SCReturnInt(0);
572 }
573 
574 void FileContainerSetTx(FileContainer *ffc, uint64_t tx_id)
575 {
576  if (ffc && ffc->tail) {
577  (void)FileSetTx(ffc->tail, tx_id);
578  }
579 }
580 
581 /**
582  * \brief check if we have stored enough
583  *
584  * \param ff file
585  *
586  * \retval 0 limit not reached yet
587  * \retval 1 limit reached
588  */
589 static int FileStoreNoStoreCheck(File *ff)
590 {
591  SCEnter();
592 
593  if (ff == NULL) {
594  SCReturnInt(0);
595  }
596 
597  if (ff->flags & FILE_NOSTORE) {
598  if (ff->state == FILE_STATE_OPENED &&
599  FileDataSize(ff) >= (uint64_t)FileMagicSize())
600  {
601  SCReturnInt(1);
602  }
603  }
604 
605  SCReturnInt(0);
606 }
607 
608 static int AppendData(File *file, const uint8_t *data, uint32_t data_len)
609 {
610  if (StreamingBufferAppendNoTrack(file->sb, data, data_len) != 0) {
611  SCReturnInt(-1);
612  }
613 
614 #ifdef HAVE_NSS
615  if (file->md5_ctx) {
616  HASH_Update(file->md5_ctx, data, data_len);
617  }
618  if (file->sha1_ctx) {
619  HASH_Update(file->sha1_ctx, data, data_len);
620  }
621  if (file->sha256_ctx) {
622  HASH_Update(file->sha256_ctx, data, data_len);
623  }
624 #endif
625  SCReturnInt(0);
626 }
627 
628 /** \internal
629  * \brief Store/handle a chunk of file data in the File structure
630  *
631  * \param ff the file
632  * \param data data chunk
633  * \param data_len data chunk len
634  *
635  * \retval 0 ok
636  * \retval -1 error
637  * \retval -2 no store for this file
638  */
639 static int FileAppendDataDo(File *ff, const uint8_t *data, uint32_t data_len)
640 {
641  SCEnter();
642 #ifdef DEBUG_VALIDATION
643  BUG_ON(ff == NULL);
644 #endif
645 
646  ff->size += data_len;
647 
648  if (ff->state != FILE_STATE_OPENED) {
649  if (ff->flags & FILE_NOSTORE) {
650  SCReturnInt(-2);
651  }
652  SCReturnInt(-1);
653  }
654 
655  if ((ff->flags & FILE_USE_DETECT) == 0 &&
656  FileStoreNoStoreCheck(ff) == 1) {
657 #ifdef HAVE_NSS
658  int hash_done = 0;
659  /* no storage but forced hashing */
660  if (ff->md5_ctx) {
661  HASH_Update(ff->md5_ctx, data, data_len);
662  hash_done = 1;
663  }
664  if (ff->sha1_ctx) {
665  HASH_Update(ff->sha1_ctx, data, data_len);
666  hash_done = 1;
667  }
668  if (ff->sha256_ctx) {
669  HASH_Update(ff->sha256_ctx, data, data_len);
670  hash_done = 1;
671  }
672 
673  if (hash_done)
674  SCReturnInt(0);
675 #endif
676  if (g_file_force_tracking || (!(ff->flags & FILE_NOTRACK)))
677  SCReturnInt(0);
678 
680  SCLogDebug("flowfile state transitioned to FILE_STATE_TRUNCATED");
681  SCReturnInt(-2);
682  }
683 
684  SCLogDebug("appending %"PRIu32" bytes", data_len);
685 
686  int r = AppendData(ff, data, data_len);
687  if (r != 0) {
688  ff->state = FILE_STATE_ERROR;
689  SCReturnInt(r);
690  }
691 
692  SCReturnInt(0);
693 }
694 
695 /**
696  * \brief Store/handle a chunk of file data in the File structure
697  * The last file in the FileContainer will be used.
698  *
699  * \param ffc FileContainer used to append to
700  * \param data data chunk
701  * \param data_len data chunk len
702  *
703  * \retval 0 ok
704  * \retval -1 error
705  * \retval -2 no store for this file
706  */
707 int FileAppendData(FileContainer *ffc, const uint8_t *data, uint32_t data_len)
708 {
709  SCEnter();
710 
711  if (ffc == NULL || ffc->tail == NULL || data == NULL || data_len == 0) {
712  SCReturnInt(-1);
713  }
714  int r = FileAppendDataDo(ffc->tail, data, data_len);
715  SCReturnInt(r);
716 }
717 
718 /**
719  * \brief Store/handle a chunk of file data in the File structure
720  * The file with 'track_id' in the FileContainer will be used.
721  *
722  * \param ffc FileContainer used to append to
723  * \param track_id id to lookup the file
724  * \param data data chunk
725  * \param data_len data chunk len
726  *
727  * \retval 0 ok
728  * \retval -1 error
729  * \retval -2 no store for this file
730  */
731 int FileAppendDataById(FileContainer *ffc, uint32_t track_id,
732  const uint8_t *data, uint32_t data_len)
733 {
734  SCEnter();
735 
736  if (ffc == NULL || ffc->tail == NULL || data == NULL || data_len == 0) {
737  SCReturnInt(-1);
738  }
739  File *ff = ffc->head;
740  for ( ; ff != NULL; ff = ff->next) {
741  if (track_id == ff->file_track_id) {
742  int r = FileAppendDataDo(ff, data, data_len);
743  SCReturnInt(r);
744  }
745  }
746  SCReturnInt(-1);
747 }
748 
749 /**
750  * \brief Store/handle a chunk of file data in the File structure
751  * The file with 'track_id' in the FileContainer will be used.
752  *
753  * \param ffc FileContainer used to append to
754  * \param track_id id to lookup the file
755  * \param data data chunk
756  * \param data_len data chunk len
757  *
758  * \retval 0 ok
759  * \retval -1 error
760  * \retval -2 no store for this file
761  */
762 int FileAppendGAPById(FileContainer *ffc, uint32_t track_id,
763  const uint8_t *data, uint32_t data_len)
764 {
765  SCEnter();
766 
767  if (ffc == NULL || ffc->tail == NULL || data == NULL || data_len == 0) {
768  SCReturnInt(-1);
769  }
770  File *ff = ffc->head;
771  for ( ; ff != NULL; ff = ff->next) {
772  if (track_id == ff->file_track_id) {
773  ff->flags |= FILE_HAS_GAPS;
776  SCLogDebug("FILE_HAS_GAPS set");
777 
778  int r = FileAppendDataDo(ff, data, data_len);
779  SCReturnInt(r);
780  }
781  }
782  SCReturnInt(-1);
783 }
784 
785 void FileSetInspectSizes(File *file, const uint32_t win, const uint32_t min)
786 {
787  file->inspect_window = win;
788  file->inspect_min_size = min;
789 }
790 
791 /**
792  * \brief Sets the offset range for a file.
793  *
794  * \param ffc the container
795  * \param start start offset
796  * \param end end offset
797  *
798  * \retval 0 ok
799  * \retval -1 error
800  */
801 int FileSetRange(FileContainer *ffc, uint64_t start, uint64_t end)
802 {
803  SCEnter();
804 
805  if (ffc == NULL || ffc->tail == NULL) {
806  SCReturnInt(-1);
807  }
808  ffc->tail->start = start;
809  ffc->tail->end = end;
810  SCReturnInt(0);
811 }
812 
813 /**
814  * \brief Open a new File
815  *
816  * \param ffc flow container
817  * \param sbcfg buffer config
818  * \param name filename character array
819  * \param name_len filename len
820  * \param data initial data
821  * \param data_len initial data len
822  * \param flags open flags
823  *
824  * \retval ff flowfile object
825  *
826  * \note filename is not a string, so it's not nul terminated.
827  */
828 static File *FileOpenFile(FileContainer *ffc, const StreamingBufferConfig *sbcfg,
829  const uint8_t *name, uint16_t name_len,
830  const uint8_t *data, uint32_t data_len, uint16_t flags)
831 {
832  SCEnter();
833 
834  //PrintRawDataFp(stdout, name, name_len);
835 
836  File *ff = FileAlloc(name, name_len);
837  if (ff == NULL) {
838  SCReturnPtr(NULL, "File");
839  }
840 
841  ff->sb = StreamingBufferInit(sbcfg);
842  if (ff->sb == NULL) {
843  FileFree(ff);
844  SCReturnPtr(NULL, "File");
845  }
846  SCLogDebug("ff->sb %p", ff->sb);
847 
848  if (flags & FILE_STORE || g_file_force_filestore) {
849  FileStore(ff);
850  } else if (flags & FILE_NOSTORE) {
851  SCLogDebug("not storing this file");
852  ff->flags |= FILE_NOSTORE;
853  }
854  if (flags & FILE_NOMAGIC) {
855  SCLogDebug("not doing magic for this file");
856  ff->flags |= FILE_NOMAGIC;
857  }
858  if (flags & FILE_NOMD5) {
859  SCLogDebug("not doing md5 for this file");
860  ff->flags |= FILE_NOMD5;
861  }
862  if (flags & FILE_NOSHA1) {
863  SCLogDebug("not doing sha1 for this file");
864  ff->flags |= FILE_NOSHA1;
865  }
866  if (flags & FILE_NOSHA256) {
867  SCLogDebug("not doing sha256 for this file");
868  ff->flags |= FILE_NOSHA256;
869  }
871  SCLogDebug("considering content_inspect tracker when pruning");
872  ff->flags |= FILE_USE_DETECT;
873  }
874 
875 #ifdef HAVE_NSS
876  if (!(ff->flags & FILE_NOMD5) || g_file_force_md5) {
877  ff->md5_ctx = HASH_Create(HASH_AlgMD5);
878  if (ff->md5_ctx != NULL) {
879  HASH_Begin(ff->md5_ctx);
880  }
881  }
882  if (!(ff->flags & FILE_NOSHA1) || g_file_force_sha1) {
883  ff->sha1_ctx = HASH_Create(HASH_AlgSHA1);
884  if (ff->sha1_ctx != NULL) {
885  HASH_Begin(ff->sha1_ctx);
886  }
887  }
888  if (!(ff->flags & FILE_NOSHA256) || g_file_force_sha256) {
889  ff->sha256_ctx = HASH_Create(HASH_AlgSHA256);
890  if (ff->sha256_ctx != NULL) {
891  HASH_Begin(ff->sha256_ctx);
892  }
893  }
894 #endif
895 
896  ff->state = FILE_STATE_OPENED;
897  SCLogDebug("flowfile state transitioned to FILE_STATE_OPENED");
898 
899  ff->fd = -1;
900 
901  FileContainerAdd(ffc, ff);
902 
903  if (data != NULL) {
904  ff->size += data_len;
905  if (AppendData(ff, data, data_len) != 0) {
906  ff->state = FILE_STATE_ERROR;
907  SCReturnPtr(NULL, "File");
908  }
909  SCLogDebug("file size is now %"PRIu64, FileTrackedSize(ff));
910  }
911 
912  SCReturnPtr(ff, "File");
913 }
914 
915 /**
916  * \retval 0 ok
917  * \retval -1 failed */
919  uint32_t track_id, const uint8_t *name, uint16_t name_len,
920  const uint8_t *data, uint32_t data_len, uint16_t flags)
921 {
922  File *ff = FileOpenFile(ffc, sbcfg, name, name_len, data, data_len, flags);
923  if (ff == NULL)
924  return -1;
925 
926  ff->file_track_id = track_id;
927  return 0;
928 }
929 
930 int FileCloseFilePtr(File *ff, const uint8_t *data,
931  uint32_t data_len, uint16_t flags)
932 {
933  SCEnter();
934 
935  if (ff == NULL) {
936  SCReturnInt(-1);
937  }
938 
939  if (ff->state != FILE_STATE_OPENED) {
940  SCReturnInt(-1);
941  }
942 
943  if (data != NULL) {
944  ff->size += data_len;
945  if (ff->flags & FILE_NOSTORE) {
946 #ifdef HAVE_NSS
947  /* no storage but hashing */
948  if (ff->md5_ctx)
949  HASH_Update(ff->md5_ctx, data, data_len);
950  if (ff->sha1_ctx)
951  HASH_Update(ff->sha1_ctx, data, data_len);
952  if (ff->sha256_ctx)
953  HASH_Update(ff->sha256_ctx, data, data_len);
954 #endif
955  } else {
956  if (AppendData(ff, data, data_len) != 0) {
957  ff->state = FILE_STATE_ERROR;
958  SCReturnInt(-1);
959  }
960  }
961  }
962 
963  if ((flags & FILE_TRUNCATED) || (ff->flags & FILE_HAS_GAPS)) {
965  SCLogDebug("flowfile state transitioned to FILE_STATE_TRUNCATED");
966 
967  if (flags & FILE_NOSTORE) {
968  SCLogDebug("not storing this file");
969  ff->flags |= FILE_NOSTORE;
970  } else {
971 #ifdef HAVE_NSS
972  if (g_file_force_sha256 && ff->sha256_ctx) {
973  FileEndSha256(ff);
974  }
975 #endif
976  }
977  } else {
978  ff->state = FILE_STATE_CLOSED;
979  SCLogDebug("flowfile state transitioned to FILE_STATE_CLOSED");
980 
981 #ifdef HAVE_NSS
982  if (ff->md5_ctx) {
983  unsigned int len = 0;
984  HASH_End(ff->md5_ctx, ff->md5, &len, sizeof(ff->md5));
985  ff->flags |= FILE_MD5;
986  }
987  if (ff->sha1_ctx) {
988  unsigned int len = 0;
989  HASH_End(ff->sha1_ctx, ff->sha1, &len, sizeof(ff->sha1));
990  ff->flags |= FILE_SHA1;
991  }
992  if (ff->sha256_ctx) {
993  FileEndSha256(ff);
994  }
995 #endif
996  }
997 
998  SCReturnInt(0);
999 }
1000 
1001 /**
1002  * \brief Close a File
1003  *
1004  * \param ffc the container
1005  * \param data final data if any
1006  * \param data_len data len if any
1007  * \param flags flags
1008  *
1009  * \retval 0 ok
1010  * \retval -1 error
1011  */
1012 int FileCloseFile(FileContainer *ffc, const uint8_t *data,
1013  uint32_t data_len, uint16_t flags)
1014 {
1015  SCEnter();
1016 
1017  if (ffc == NULL || ffc->tail == NULL) {
1018  SCReturnInt(-1);
1019  }
1020 
1021  if (FileCloseFilePtr(ffc->tail, data, data_len, flags) == -1) {
1022  SCReturnInt(-1);
1023  }
1024 
1025  SCReturnInt(0);
1026 }
1027 
1028 int FileCloseFileById(FileContainer *ffc, uint32_t track_id,
1029  const uint8_t *data, uint32_t data_len, uint16_t flags)
1030 {
1031  SCEnter();
1032 
1033  if (ffc == NULL || ffc->tail == NULL) {
1034  SCReturnInt(-1);
1035  }
1036 
1037  File *ff = ffc->head;
1038  for ( ; ff != NULL; ff = ff->next) {
1039  if (track_id == ff->file_track_id) {
1040  int r = FileCloseFilePtr(ff, data, data_len, flags);
1041  SCReturnInt(r);
1042  }
1043  }
1044  SCReturnInt(-1);
1045 }
1046 
1047 /** \brief set a flow's file flags
1048  * \param set_file_flags flags in both directions that are requested to set
1049  *
1050  * This function will ignore the flags for the irrelevant direction and
1051  * also mask the flags with the global settings.
1052  */
1053 void FileUpdateFlowFileFlags(Flow *f, uint16_t set_file_flags, uint8_t direction)
1054 {
1055  SCEnter();
1057 
1058  /* remove flags not in our direction and
1059  don't disable what is globally enabled */
1060  if (direction == STREAM_TOSERVER) {
1061  set_file_flags &= ~(FLOWFILE_NONE_TC|g_file_flow_mask);
1062  } else {
1063  set_file_flags &= ~(FLOWFILE_NONE_TS|g_file_flow_mask);
1064  }
1065  f->file_flags |= set_file_flags;
1066 
1067  SCLogDebug("f->file_flags %04x set_file_flags %04x g_file_flow_mask %04x",
1068  f->file_flags, set_file_flags, g_file_flow_mask);
1069 
1070  if (set_file_flags != 0 && f->alproto != ALPROTO_UNKNOWN && f->alstate != NULL) {
1071  uint16_t per_file_flags = 0;
1072 #ifdef HAVE_MAGIC
1073  if (set_file_flags & (FLOWFILE_NO_MAGIC_TS|FLOWFILE_NO_MAGIC_TC))
1074  per_file_flags |= FILE_NOMAGIC;
1075 #endif
1076 #ifdef HAVE_NSS
1077  if (set_file_flags & (FLOWFILE_NO_MD5_TS|FLOWFILE_NO_MD5_TC))
1078  per_file_flags |= FILE_NOMD5;
1079  if (set_file_flags & (FLOWFILE_NO_SHA1_TS|FLOWFILE_NO_SHA1_TC))
1080  per_file_flags |= FILE_NOSHA1;
1081  if (set_file_flags & (FLOWFILE_NO_SHA256_TS|FLOWFILE_NO_SHA256_TC))
1082  per_file_flags |= FILE_NOSHA256;
1083 #endif
1084  if (set_file_flags & (FLOWFILE_NO_SIZE_TS|FLOWFILE_NO_SIZE_TC))
1085  per_file_flags |= FILE_NOTRACK;
1086  if (set_file_flags & (FLOWFILE_NO_STORE_TS|FLOWFILE_NO_STORE_TC))
1087  per_file_flags |= FILE_NOSTORE;
1088 
1089  FileContainer *ffc = AppLayerParserGetFiles(f, direction);
1090  if (ffc != NULL) {
1091  for (File *ptr = ffc->head; ptr != NULL; ptr = ptr->next) {
1092  ptr->flags |= per_file_flags;
1093 
1094 #ifdef HAVE_NSS
1095  /* destroy any ctx we may have so far */
1096  if ((per_file_flags & FILE_NOSHA256) &&
1097  ptr->sha256_ctx != NULL)
1098  {
1099  HASH_Destroy(ptr->sha256_ctx);
1100  ptr->sha256_ctx = NULL;
1101  }
1102  if ((per_file_flags & FILE_NOSHA1) &&
1103  ptr->sha1_ctx != NULL)
1104  {
1105  HASH_Destroy(ptr->sha1_ctx);
1106  ptr->sha1_ctx = NULL;
1107  }
1108  if ((per_file_flags & FILE_NOMD5) &&
1109  ptr->md5_ctx != NULL)
1110  {
1111  HASH_Destroy(ptr->md5_ctx);
1112  ptr->md5_ctx = NULL;
1113  }
1114 #endif
1115  }
1116  }
1117  }
1118 }
1119 
1120 
1121 
1122 /**
1123  * \brief set no store flag, close file if needed
1124  *
1125  * \param ff file
1126  */
1127 static void FileDisableStoringForFile(File *ff)
1128 {
1129  SCEnter();
1130 
1131  if (ff == NULL) {
1132  SCReturn;
1133  }
1134 
1135  SCLogDebug("not storing this file");
1136  ff->flags |= FILE_NOSTORE;
1137 
1138  if (ff->state == FILE_STATE_OPENED && FileDataSize(ff) >= (uint64_t)FileMagicSize()) {
1139  if (g_file_force_md5 == 0 && g_file_force_sha1 == 0 && g_file_force_sha256 == 0
1140  && g_file_force_tracking == 0) {
1141  (void)FileCloseFilePtr(ff, NULL, 0,
1143  }
1144  }
1145 }
1146 
1147 /**
1148  * \brief disable file storing for files in a transaction
1149  *
1150  * \param f *LOCKED* flow
1151  * \param direction flow direction
1152  * \param tx_id transaction id
1153  */
1154 void FileDisableStoringForTransaction(Flow *f, uint8_t direction, uint64_t tx_id)
1155 {
1156  File *ptr = NULL;
1157 
1159 
1160  SCEnter();
1161 
1162  FileContainer *ffc = AppLayerParserGetFiles(f, direction);
1163  if (ffc != NULL) {
1164  for (ptr = ffc->head; ptr != NULL; ptr = ptr->next) {
1165  if (ptr->txid == tx_id) {
1166  if (ptr->flags & FILE_STORE) {
1167  /* weird, already storing -- let it continue*/
1168  SCLogDebug("file is already being stored");
1169  } else {
1170  FileDisableStoringForFile(ptr);
1171  }
1172  }
1173  }
1174  }
1175 
1176  SCReturn;
1177 }
1178 
1179 /**
1180  * \brief flag a file with id "file_id" to be stored.
1181  *
1182  * \param fc file store
1183  * \param file_id the file's id
1184  */
1185 void FileStoreFileById(FileContainer *fc, uint32_t file_id)
1186 {
1187  File *ptr = NULL;
1188 
1189  SCEnter();
1190 
1191  if (fc != NULL) {
1192  for (ptr = fc->head; ptr != NULL; ptr = ptr->next) {
1193  if (ptr->file_track_id == file_id) {
1194  FileStore(ptr);
1195  }
1196  }
1197  }
1198 }
1199 
1200 void FileStoreAllFilesForTx(FileContainer *fc, uint64_t tx_id)
1201 {
1202  File *ptr = NULL;
1203 
1204  SCEnter();
1205 
1206  if (fc != NULL) {
1207  for (ptr = fc->head; ptr != NULL; ptr = ptr->next) {
1208  if (ptr->txid == tx_id) {
1209  FileStore(ptr);
1210  }
1211  }
1212  }
1213 }
1214 
1216 {
1217  File *ptr = NULL;
1218 
1219  SCEnter();
1220 
1221  if (fc != NULL) {
1222  for (ptr = fc->head; ptr != NULL; ptr = ptr->next) {
1223  FileStore(ptr);
1224  }
1225  }
1226 }
1227 
1229 {
1230  File *ptr = NULL;
1231 
1232  SCEnter();
1233 
1234  if (fc != NULL) {
1235  for (ptr = fc->head; ptr != NULL; ptr = ptr->next) {
1236  if (ptr->state == FILE_STATE_OPENED) {
1237  FileCloseFilePtr(ptr, NULL, 0, FILE_TRUNCATED);
1238  }
1239  }
1240  }
1241 }
1242 
1243 /**
1244  * \brief Finish the SHA256 calculation.
1245  */
1246 #ifdef HAVE_NSS
1247 static void FileEndSha256(File *ff)
1248 {
1249  if (!(ff->flags & FILE_SHA256) && ff->sha256_ctx) {
1250  unsigned int len = 0;
1251  HASH_End(ff->sha256_ctx, ff->sha256, &len, sizeof(ff->sha256));
1252  ff->flags |= FILE_SHA256;
1253  }
1254 }
1255 #endif
FileStoreAllFilesForTx
void FileStoreAllFilesForTx(FileContainer *fc, uint64_t tx_id)
Definition: util-file.c:1200
FLOWFILE_NO_MD5_TS
#define FLOWFILE_NO_MD5_TS
Definition: flow.h:122
FLOWFILE_NO_MD5_TC
#define FLOWFILE_NO_MD5_TC
Definition: flow.h:123
FILE_TRUNCATED
#define FILE_TRUNCATED
Definition: util-file.h:36
FileForceFilestore
int FileForceFilestore(void)
Definition: util-file.c:124
StreamingBuffer_::stream_offset
uint64_t stream_offset
Definition: util-streaming-buffer.h:97
FileContainer_
Definition: util-file.h:100
FLOWFILE_NO_SIZE_TS
#define FLOWFILE_NO_SIZE_TS
Definition: flow.h:134
len
uint8_t len
Definition: app-layer-dnp3.h:4
FLOWFILE_NO_SIZE_TC
#define FLOWFILE_NO_SIZE_TC
Definition: flow.h:135
StreamingBuffer_::buf_offset
uint32_t buf_offset
Definition: util-streaming-buffer.h:101
StreamingBufferFree
void StreamingBufferFree(StreamingBuffer *sb)
Definition: util-streaming-buffer.c:145
SC_ERR_DEPRECATED_CONF
@ SC_ERR_DEPRECATED_CONF
Definition: util-error.h:307
FileContainerAdd
void FileContainerAdd(FileContainer *ffc, File *ff)
Definition: util-file.c:539
FileAppendGAPById
int FileAppendGAPById(FileContainer *ffc, uint32_t track_id, const uint8_t *data, uint32_t data_len)
Store/handle a chunk of file data in the File structure The file with 'track_id' in the FileContainer...
Definition: util-file.c:762
FileContainerAlloc
FileContainer * FileContainerAlloc(void)
allocate a FileContainer
Definition: util-file.c:423
FileReassemblyDepthEnable
void FileReassemblyDepthEnable(uint32_t size)
Definition: util-file.c:129
ConfNode_::val
char * val
Definition: conf.h:34
stream-tcp.h
FileForceTrackingEnable
void FileForceTrackingEnable(void)
Definition: util-file.c:163
SCFree
#define SCFree(a)
Definition: util-mem.h:322
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
FILE_SHA256
#define FILE_SHA256
Definition: util-file.h:43
StreamingBufferAppendNoTrack
int StreamingBufferAppendNoTrack(StreamingBuffer *sb, const uint8_t *data, uint32_t data_len)
add data w/o tracking a segment
Definition: util-streaming-buffer.c:619
File_::inspect_min_size
uint32_t inspect_min_size
Definition: util-file.h:91
FILE_NOSHA1
#define FILE_NOSHA1
Definition: util-file.h:40
File_::size
uint64_t size
Definition: util-file.h:89
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
FILE_NOTRACK
#define FILE_NOTRACK
Definition: util-file.h:48
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:2
FLOWFILE_NONE_TC
#define FLOWFILE_NONE_TC
Definition: flow.h:143
FLOWFILE_NO_MAGIC_TS
#define FLOWFILE_NO_MAGIC_TS
Definition: flow.h:115
FLOWFILE_NONE_TS
#define FLOWFILE_NONE_TS
Definition: flow.h:137
FILE_STATE_OPENED
@ FILE_STATE_OPENED
Definition: util-file.h:54
TcpStreamCnf_::reassembly_depth
uint32_t reassembly_depth
Definition: stream-tcp.h:60
Flow_
Flow data structure.
Definition: flow.h:342
File_::state
FileState state
Definition: util-file.h:66
util-hash.h
FILE_STORE
#define FILE_STORE
Definition: util-file.h:46
FileDisableStoringForTransaction
void FileDisableStoringForTransaction(Flow *f, uint8_t direction, uint64_t tx_id)
disable file storing for files in a transaction
Definition: util-file.c:1154
FileSetTx
int FileSetTx(File *ff, uint64_t txid)
Set the TX id for a file.
Definition: util-file.c:566
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:350
FileContainer_::tail
File * tail
Definition: util-file.h:102
MIN
#define MIN(x, y)
Definition: suricata-common.h:360
AppLayerParserGetFiles
FileContainer * AppLayerParserGetFiles(const Flow *f, const uint8_t direction)
Definition: app-layer-parser.c:874
FileForceMagicEnable
void FileForceMagicEnable(void)
Definition: util-file.c:100
FILE_NOSHA256
#define FILE_NOSHA256
Definition: util-file.h:42
FILE_STATE_TRUNCATED
@ FILE_STATE_TRUNCATED
Definition: util-file.h:57
MAX
#define MAX(x, y)
Definition: suricata-common.h:364
FileAppendData
int FileAppendData(FileContainer *ffc, const uint8_t *data, uint32_t data_len)
Store/handle a chunk of file data in the File structure The last file in the FileContainer will be us...
Definition: util-file.c:707
FileForceMd5Enable
void FileForceMd5Enable(void)
Definition: util-file.c:106
FileContainerSetTx
void FileContainerSetTx(FileContainer *ffc, uint64_t tx_id)
Definition: util-file.c:574
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:566
File_::sb
StreamingBuffer * sb
Definition: util-file.h:67
FileForceSha1Enable
void FileForceSha1Enable(void)
Definition: util-file.c:112
util-memcmp.h
FileCloseFilePtr
int FileCloseFilePtr(File *ff, const uint8_t *data, uint32_t data_len, uint16_t flags)
Definition: util-file.c:930
FLOWFILE_NO_SHA1_TC
#define FLOWFILE_NO_SHA1_TC
Definition: flow.h:127
FilePrune
void FilePrune(FileContainer *ffc)
Definition: util-file.c:388
File_::file_track_id
uint32_t file_track_id
Definition: util-file.h:69
util-debug.h
FileForceMagic
int FileForceMagic(void)
Definition: util-file.c:143
StreamingBufferInit
StreamingBuffer * StreamingBufferInit(const StreamingBufferConfig *cfg)
Definition: util-streaming-buffer.c:112
File_::end
uint64_t end
Definition: util-file.h:93
g_detect_disabled
int g_detect_disabled
Definition: suricata.c:215
FileFlowToFlags
uint16_t FileFlowToFlags(const Flow *flow, uint8_t direction)
Definition: util-file.c:231
File_::fd
int fd
Definition: util-file.h:71
FLOWFILE_NO_STORE_TS
#define FLOWFILE_NO_STORE_TS
Definition: flow.h:119
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
FileContainer_::head
File * head
Definition: util-file.h:101
FileStoreFileById
void FileStoreFileById(FileContainer *fc, uint32_t file_id)
flag a file with id "file_id" to be stored.
Definition: util-file.c:1185
FLOWFILE_NO_SHA256_TS
#define FLOWFILE_NO_SHA256_TS
Definition: flow.h:130
FileTrackedSize
uint64_t FileTrackedSize(const File *file)
get the size of the file
Definition: util-file.c:308
app-layer-parser.h
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:222
stream_config
TcpStreamCnf stream_config
Definition: stream-tcp.c:119
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:265
FileUpdateFlowFileFlags
void FileUpdateFlowFileFlags(Flow *f, uint16_t set_file_flags, uint8_t direction)
set a flow's file flags
Definition: util-file.c:1053
FileReassemblyDepth
uint32_t FileReassemblyDepth(void)
Definition: util-file.c:135
SCReturn
#define SCReturn
Definition: util-debug.h:339
stream.h
DEBUG_ASSERT_FLOW_LOCKED
#define DEBUG_ASSERT_FLOW_LOCKED(f)
Definition: util-validate.h:108
FileForceMd5
int FileForceMd5(void)
Definition: util-file.c:148
FileOpenFileWithId
int FileOpenFileWithId(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id, const uint8_t *name, uint16_t name_len, const uint8_t *data, uint32_t data_len, uint16_t flags)
Open a new File.
Definition: util-file.c:918
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:353
File_::name
uint8_t * name
Definition: util-file.h:73
File_::sid
uint32_t * sid
Definition: util-file.h:95
runmodes.h
FILE_NOMD5
#define FILE_NOMD5
Definition: util-file.h:38
FileAppendDataById
int FileAppendDataById(FileContainer *ffc, uint32_t track_id, const uint8_t *data, uint32_t data_len)
Store/handle a chunk of file data in the File structure The file with 'track_id' in the FileContainer...
Definition: util-file.c:731
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:254
FileDataSize
uint64_t FileDataSize(const File *file)
get the size of the file data
Definition: util-file.c:291
FileStore
int FileStore(File *ff)
Tag a file for storing.
Definition: util-file.c:554
FLOWFILE_NO_SHA256_TC
#define FLOWFILE_NO_SHA256_TC
Definition: flow.h:131
ConfNodeLookupChild
ConfNode * ConfNodeLookupChild(const ConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:815
File_::flags
uint16_t flags
Definition: util-file.h:64
File_::content_inspected
uint64_t content_inspected
Definition: util-file.h:86
FILE_STATE_CLOSED
@ FILE_STATE_CLOSED
Definition: util-file.h:55
File_
Definition: util-file.h:63
File_::content_stored
uint64_t content_stored
Definition: util-file.h:88
FLOWFILE_NO_MAGIC_TC
#define FLOWFILE_NO_MAGIC_TC
Definition: flow.h:116
flags
uint8_t flags
Definition: decode-gre.h:2
suricata-common.h
FileForceFilestoreEnable
void FileForceFilestoreEnable(void)
Definition: util-file.c:94
FileForceSha256
int FileForceSha256(void)
Definition: util-file.c:158
File_::next
struct File_ * next
Definition: util-file.h:77
FileForceHashParseCfg
void FileForceHashParseCfg(ConfNode *conf)
Function to parse forced file hashing configuration.
Definition: util-file.c:172
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
FileSetInspectSizes
void FileSetInspectSizes(File *file, const uint32_t win, const uint32_t min)
Definition: util-file.c:785
FILE_MD5
#define FILE_MD5
Definition: util-file.h:39
FileSetRange
int FileSetRange(FileContainer *ffc, uint64_t start, uint64_t end)
Sets the offset range for a file.
Definition: util-file.c:801
FLOWFILE_NO_STORE_TC
#define FLOWFILE_NO_STORE_TC
Definition: flow.h:120
File_::start
uint64_t start
Definition: util-file.h:92
util-validate.h
StreamingBufferConfig_
Definition: util-streaming-buffer.h:67
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
FLOWFILE_NO_SHA1_TS
#define FLOWFILE_NO_SHA1_TS
Definition: flow.h:126
StreamingBufferSlideToOffset
void StreamingBufferSlideToOffset(StreamingBuffer *sb, uint64_t offset)
slide to absolute offset
Definition: util-streaming-buffer.c:507
FileForceSha1
int FileForceSha1(void)
Definition: util-file.c:153
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:281
ConfNode_
Definition: conf.h:32
Flow_::alstate
void * alstate
Definition: flow.h:454
FileTruncateAllOpenFiles
void FileTruncateAllOpenFiles(FileContainer *fc)
Definition: util-file.c:1228
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
File_::inspect_window
uint32_t inspect_window
Definition: util-file.h:90
FILE_SHA1
#define FILE_SHA1
Definition: util-file.h:41
SC_ERR_MEM_ALLOC
@ SC_ERR_MEM_ALLOC
Definition: util-error.h:31
suricata.h
File_::txid
uint64_t txid
Definition: util-file.h:68
FILE_USE_DETECT
#define FILE_USE_DETECT
Definition: util-file.h:49
FILE_NOSTORE
#define FILE_NOSTORE
Definition: util-file.h:45
FileCloseFileById
int FileCloseFileById(FileContainer *ffc, uint32_t track_id, const uint8_t *data, uint32_t data_len, uint16_t flags)
Definition: util-file.c:1028
FileForceSha256Enable
void FileForceSha256Enable(void)
Definition: util-file.c:118
FileContainerFree
void FileContainerFree(FileContainer *ffc)
Free a FileContainer.
Definition: util-file.c:459
flow.h
FILE_NOMAGIC
#define FILE_NOMAGIC
Definition: util-file.h:37
FileContainerRecycle
void FileContainerRecycle(FileContainer *ffc)
Recycle a FileContainer.
Definition: util-file.c:440
Flow_::file_flags
uint16_t file_flags
Definition: flow.h:398
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:425
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:341
FILE_STATE_ERROR
@ FILE_STATE_ERROR
Definition: util-file.h:59
FileCloseFile
int FileCloseFile(FileContainer *ffc, const uint8_t *data, uint32_t data_len, uint16_t flags)
Close a File.
Definition: util-file.c:1012
debug.h
FILE_HAS_GAPS
#define FILE_HAS_GAPS
Definition: util-file.h:50
FileStoreAllFiles
void FileStoreAllFiles(FileContainer *fc)
Definition: util-file.c:1215
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:843