Go to the documentation of this file.
46 static uint16_t g_file_flow_mask = 0;
51 static int g_file_force_filestore = 0;
56 static int g_file_force_magic = 0;
61 static int g_file_force_md5 = 0;
66 static int g_file_force_sha1 = 0;
71 static int g_file_force_sha256 = 0;
76 static int g_file_force_tracking = 0;
81 static int g_file_store_enable = 0;
86 static uint32_t g_file_store_reassembly_depth = 0;
90 static void FileEndSha256(
File *ff);
94 g_file_force_filestore = 1;
100 g_file_force_magic = 1;
106 g_file_force_md5 = 1;
112 g_file_force_sha1 = 1;
118 g_file_force_sha256 = 1;
124 return g_file_force_filestore;
129 g_file_store_enable = 1;
130 g_file_store_reassembly_depth = size;
135 if (g_file_store_enable == 1)
136 return g_file_store_reassembly_depth;
143 return g_file_force_magic;
148 return g_file_force_md5;
153 return g_file_force_sha1;
158 return g_file_force_sha256;
163 g_file_force_tracking = 1;
179 if (forcehash_node != NULL) {
183 if (strcasecmp(
"md5", field->
val) == 0) {
185 SCLogInfo(
"not forcing md5 calculation for logged files: hashing globally "
189 SCLogConfig(
"forcing md5 calculation for logged or stored files");
193 if (strcasecmp(
"sha1", field->
val) == 0) {
195 SCLogInfo(
"not forcing sha1 calculation for logged files: hashing globally "
199 SCLogConfig(
"forcing sha1 calculation for logged or stored files");
203 if (strcasecmp(
"sha256", field->
val) == 0) {
205 SCLogInfo(
"not forcing sha256 calculation for logged files: hashing globally "
209 SCLogConfig(
"forcing sha256 calculation for logged or stored files");
220 if (direction == STREAM_TOSERVER) {
289 file->
flags |= update_flags;
297 static int FileMagicSize(
void)
311 if (file != NULL && file->
sb != NULL) {
312 const uint64_t size = StreamingBufferGetConsecutiveDataRightEdge(file->
sb);
354 SCLogDebug(
"file->state %d. Is >= FILE_STATE_CLOSED: %s",
363 if (file->magic == NULL)
368 SCLogDebug(
"file->flags & FILE_NOMAGIC == true");
381 const uint64_t file_offset = StreamingBufferGetOffset(file->
sb);
383 if (file_offset == 0)
387 uint64_t data_size = file_size - file_offset;
389 SCLogDebug(
"window %"PRIu32
", file_size %"PRIu64
", data_size %"PRIu64,
390 window, file_size, data_size);
392 if (data_size > (window * 3)) {
397 if (left_edge > window)
413 #define P(file, flag) ((file)->flags & (flag)) ? "true" : "false"
450 if (FilePruneFile(file, cfg) == 0) {
461 prev->
next = file_next;
463 if (file == ffc->
head)
464 ffc->
head = file_next;
465 if (file == ffc->
tail)
487 new->head =
new->tail = NULL;
504 for (;cur != NULL; cur =
next) {
524 for (;ptr != NULL; ptr =
next) {
540 static File *FileAlloc(
const uint8_t *
name, uint16_t name_len)
549 if (new->name == NULL) {
554 new->name_len = name_len;
555 memcpy(new->name,
name, name_len);
560 new->sid =
SCMalloc(
sizeof(uint32_t) * new->sid_max);
561 if (new->sid == NULL)
573 if (ff->
name != NULL)
579 if (ff->magic != NULL)
582 if (ff->
sb != NULL) {
598 if (ffc->
head == NULL || ffc->
tail == NULL) {
626 static int FileStoreNoStoreCheck(
File *ff)
645 static int AppendData(
651 SCLogDebug(
"file %p data_len %u", file, data_len);
653 SCLogDebug(
"file %p StreamingBufferAppendNoTrack failed", file);
658 SCMd5Update(file->
md5_ctx, data, data_len);
661 SCSha1Update(file->
sha1_ctx, data, data_len);
664 SCLogDebug(
"SHA256 file %p data %p data_len %u", file, data, data_len);
665 SCSha256Update(file->
sha256_ctx, data, data_len);
667 SCLogDebug(
"NO SHA256 file %p data %p data_len %u", file, data, data_len);
677 static void FileFlagGap(
File *ff) {
694 static int FileAppendDataDo(
698 #ifdef DEBUG_VALIDATION
702 ff->
size += data_len;
719 SCMd5Update(ff->
md5_ctx, data, data_len);
723 SCSha1Update(ff->
sha1_ctx, data, data_len);
727 SCLogDebug(
"file %p data %p data_len %u", ff, data, data_len);
728 SCSha256Update(ff->
sha256_ctx, data, data_len);
739 SCLogDebug(
"flowfile state transitioned to FILE_STATE_TRUNCATED");
743 SCLogDebug(
"appending %"PRIu32
" bytes", data_len);
745 int r = AppendData(sbcfg, ff, data, data_len);
771 if (ffc == NULL || ffc->
tail == NULL || data_len == 0 || sbcfg == NULL) {
774 int r = FileAppendDataDo(sbcfg, ffc->
tail, data, data_len);
792 const uint8_t *data, uint32_t data_len)
796 if (ffc == NULL || ffc->
tail == NULL || data == NULL || data_len == 0) {
800 for ( ; ff != NULL; ff = ff->
next) {
802 int r = FileAppendDataDo(sbcfg, ff, data, data_len);
823 const uint8_t *data, uint32_t data_len)
827 if (ffc == NULL || ffc->
tail == NULL || data == NULL || data_len == 0) {
831 for ( ; ff != NULL; ff = ff->
next) {
836 int r = FileAppendDataDo(sbcfg, ff, data, data_len);
863 if (ffc == NULL || ffc->
tail == NULL) {
887 const uint8_t *
name, uint16_t name_len,
888 const uint8_t *data, uint32_t data_len, uint16_t
flags)
894 File *ff = FileAlloc(
name, name_len);
900 if (ff->
sb == NULL) {
941 SCLogDebug(
"flowfile state transitioned to FILE_STATE_OPENED");
950 ff->
size += data_len;
952 if (AppendData(sbcfg, ff, data, data_len) != 0) {
957 }
else if (data_len > 0) {
968 uint32_t track_id,
const uint8_t *
name, uint16_t name_len,
969 const uint8_t *data, uint32_t data_len, uint16_t
flags)
971 SCLogDebug(
"ffc %p track_id %u", ffc, track_id);
972 File *ff = FileOpenFile(ffc, sbcfg,
name, name_len, data, data_len,
flags);
981 uint32_t data_len, uint16_t
flags)
993 ff->
size += data_len;
998 SCMd5Update(ff->
md5_ctx, data, data_len);
1000 SCSha1Update(ff->
sha1_ctx, data, data_len);
1002 SCLogDebug(
"file %p data %p data_len %u", ff, data, data_len);
1003 SCSha256Update(ff->
sha256_ctx, data, data_len);
1006 if (AppendData(sbcfg, ff, data, data_len) != 0) {
1017 SCLogDebug(
"flowfile state transitioned to FILE_STATE_TRUNCATED");
1024 SCLogDebug(
"file %p data %p data_len %u", ff, data, data_len);
1030 SCLogDebug(
"flowfile state transitioned to FILE_STATE_CLOSED");
1043 SCLogDebug(
"file %p data %p data_len %u", ff, data, data_len);
1063 uint32_t data_len, uint16_t
flags)
1067 if (ffc == NULL || ffc->
tail == NULL) {
1079 const uint8_t *data, uint32_t data_len, uint16_t
flags)
1083 if (ffc == NULL || ffc->
tail == NULL) {
1088 for ( ; ff != NULL; ff = ff->
next) {
1110 if (direction == STREAM_TOSERVER) {
1117 SCLogDebug(
"f->file_flags %04x set_file_flags %04x g_file_flow_mask %04x",
1118 f->
file_flags, set_file_flags, g_file_flow_mask);
1124 SCLogDebug(
"state data: updating file_flags %04x with flow file_flags %04x",
1141 if (g_file_force_filestore == 0) {
1143 if (direction & STREAM_TOSERVER) {
1164 for (ptr = fc->
head; ptr != NULL; ptr = ptr->
next) {
1179 for (ptr = fc->
head; ptr != NULL; ptr = ptr->
next) {
1190 FileTruncateAllOpenFiles(fc, sbcfg);
1192 FilePrune(fc, sbcfg);
1198 static void FileEndSha256(
File *ff)
#define FLOWFILE_NO_MD5_TS
#define FLOWFILE_NO_MD5_TC
int FileForceFilestore(void)
void StreamingBufferSlideToOffset(StreamingBuffer *sb, const StreamingBufferConfig *cfg, uint64_t offset)
slide to absolute offset
#define FLOWFILE_NO_SIZE_TS
#define FLOWFILE_NO_SIZE_TC
void FileForceHashParseCfg(SCConfNode *conf)
Function to parse forced file hashing configuration.
void FileContainerAdd(FileContainer *ffc, File *ff)
FileContainer * FileContainerAlloc(void)
allocate a FileContainer
void FileReassemblyDepthEnable(uint32_t size)
void FileForceTrackingEnable(void)
uint32_t inspect_min_size
void StreamingBufferFree(StreamingBuffer *sb, const StreamingBufferConfig *cfg)
struct HtpBodyChunk_ * next
#define FLOWFILE_NO_MAGIC_TS
void FileContainerFree(FileContainer *ffc, const StreamingBufferConfig *cfg)
Free a FileContainer.
uint32_t reassembly_depth
#define TAILQ_FOREACH(var, head, field)
void FileForceMagicEnable(void)
int FileAppendGAPById(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id, const uint8_t *data, uint32_t data_len)
Store/handle a chunk of file data in the File structure The file with 'track_id' in the FileContainer...
AppLayerStateData * AppLayerParserGetStateData(uint8_t ipproto, AppProto alproto, void *state)
#define FLOWFILE_STORE_TS
uint8_t sha1[SC_SHA1_LEN]
TcpStreamCnf stream_config
void FileForceMd5Enable(void)
void FileForceSha1Enable(void)
#define FLOWFILE_NO_SHA1_TC
StreamingBuffer * StreamingBufferInit(const StreamingBufferConfig *cfg)
uint16_t FileFlowToFlags(const Flow *flow, uint8_t direction)
#define FLOWFILE_STORE_TC
#define FLOWFILE_NO_STORE_TS
void FileStoreFileById(FileContainer *fc, uint32_t file_id)
flag a file with id "file_id" to be stored.
#define FLOWFILE_NO_SHA256_TS
uint64_t FileTrackedSize(const File *file)
get the size of the file
#define FILEDATA_CONTENT_INSPECT_MIN_SIZE
void FileUpdateFlowFileFlags(Flow *f, uint16_t set_file_flags, uint8_t direction)
set a flow's file flags
uint32_t FileReassemblyDepth(void)
#define DEBUG_ASSERT_FLOW_LOCKED(f)
int FileOpenFileWithId(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id, const uint8_t *name, uint16_t name_len, const uint8_t *data, uint32_t data_len, uint16_t flags)
Open a new File.
#define SCReturnPtr(x, type)
int FileCloseFilePtr(File *ff, const StreamingBufferConfig *sbcfg, const uint8_t *data, uint32_t data_len, uint16_t flags)
int FileAppendData(FileContainer *ffc, const StreamingBufferConfig *sbcfg, const uint8_t *data, uint32_t data_len)
Store/handle a chunk of file data in the File structure The last file in the FileContainer will be us...
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
uint64_t FileDataSize(const File *file)
get the size of the file data
int FileCloseFileById(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id, const uint8_t *data, uint32_t data_len, uint16_t flags)
int FileStore(File *ff)
Tag a file for storing.
#define FLOWFILE_NO_SHA256_TC
void FileDisableStoringForTransaction(Flow *f, const uint8_t direction, void *tx, uint64_t tx_id)
disable file storing for files in a transaction
SCConfNode * SCConfNodeLookupChild(const SCConfNode *node, const char *name)
Lookup a child configuration node by name.
uint64_t content_inspected
struct AppLayerTxData AppLayerTxData
#define FLOWFILE_NO_MAGIC_TC
int StreamingBufferAppendNoTrack(StreamingBuffer *sb, const StreamingBufferConfig *cfg, const uint8_t *data, uint32_t data_len)
add data w/o tracking a segment
void FileForceFilestoreEnable(void)
int FileForceSha256(void)
void FileSetInspectSizes(File *file, const uint32_t win, const uint32_t min)
void FilesPrune(FileContainer *fc, const StreamingBufferConfig *sbcfg, const bool trunc)
AppLayerTxData * AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx)
int FileSetRange(FileContainer *ffc, uint64_t start, uint64_t end)
Sets the offset range for a file.
#define FLOWFILE_NO_STORE_TC
uint8_t sha256[SC_SHA256_LEN]
#define FilePrintFlags(file)
void FileContainerRecycle(FileContainer *ffc, const StreamingBufferConfig *cfg)
Recycle a FileContainer.
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
#define FLOWFILE_NO_SHA1_TS
#define SCLogError(...)
Macro used to log ERROR messages.
int FileCloseFile(FileContainer *ffc, const StreamingBufferConfig *sbcfg, const uint8_t *data, uint32_t data_len, uint16_t flags)
Close a File.
int FileAppendDataById(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id, const uint8_t *data, uint32_t data_len)
Store/handle a chunk of file data in the File structure The file with 'track_id' in the FileContainer...
#define FILEDATA_CONTENT_INSPECT_WINDOW
void FileForceSha256Enable(void)
uint16_t FileFlowFlagsToFlags(const uint16_t flow_file_flags, uint8_t direction)
AppProto alproto
application level protocol
void FileApplyTxFlags(const AppLayerTxData *txd, const uint8_t direction, File *file)
#define DEBUG_VALIDATE_BUG_ON(exp)