suricata
util-file.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
23  *
24  */
25 
26 #include "suricata-common.h"
27 #include "suricata.h"
28 #include "flow.h"
29 #include "stream.h"
30 #include "stream-tcp.h"
31 #include "runmodes.h"
32 #include "util-hash.h"
33 #include "util-debug.h"
34 #include "util-memcmp.h"
35 #include "util-print.h"
36 #include "app-layer-parser.h"
37 #include "util-validate.h"
38 #include "rust.h"
39 
40 extern int g_detect_disabled;
41 
42 /** \brief mask of file flags we'll not set
43  * This mask is set based on global file settings and
44  * cannot be overridden by detection.
45  */
46 static uint16_t g_file_flow_mask = 0;
47 
48 /** \brief switch to force filestore on all files
49  * regardless of the rules.
50  */
51 static int g_file_force_filestore = 0;
52 
53 /** \brief switch to force magic checks on all files
54  * regardless of the rules.
55  */
56 static int g_file_force_magic = 0;
57 
58 /** \brief switch to force md5 calculation on all files
59  * regardless of the rules.
60  */
61 static int g_file_force_md5 = 0;
62 
63 /** \brief switch to force sha1 calculation on all files
64  * regardless of the rules.
65  */
66 static int g_file_force_sha1 = 0;
67 
68 /** \brief switch to force sha256 calculation on all files
69  * regardless of the rules.
70  */
71 static int g_file_force_sha256 = 0;
72 
73 /** \brief switch to force tracking off all files
74  * regardless of the rules.
75  */
76 static int g_file_force_tracking = 0;
77 
78 /** \brief switch to use g_file_store_reassembly_depth
79  * to reassembly files
80  */
81 static int g_file_store_enable = 0;
82 
83 /** \brief stream_config.reassembly_depth equivalent
84  * for files
85  */
86 static uint32_t g_file_store_reassembly_depth = 0;
87 
88 /* prototypes */
89 static void FileFree(File *, const StreamingBufferConfig *cfg);
90 static void FileEndSha256(File *ff);
91 
93 {
94  g_file_force_filestore = 1;
95  g_file_flow_mask |= (FLOWFILE_NO_STORE_TS|FLOWFILE_NO_STORE_TC);
96 }
97 
99 {
100  g_file_force_magic = 1;
101  g_file_flow_mask |= (FLOWFILE_NO_MAGIC_TS|FLOWFILE_NO_MAGIC_TC);
102 }
103 
105 {
106  g_file_force_md5 = 1;
107  g_file_flow_mask |= (FLOWFILE_NO_MD5_TS|FLOWFILE_NO_MD5_TC);
108 }
109 
111 {
112  g_file_force_sha1 = 1;
113  g_file_flow_mask |= (FLOWFILE_NO_SHA1_TS|FLOWFILE_NO_SHA1_TC);
114 }
115 
117 {
118  g_file_force_sha256 = 1;
119  g_file_flow_mask |= (FLOWFILE_NO_SHA256_TS|FLOWFILE_NO_SHA256_TC);
120 }
121 
123 {
124  return g_file_force_filestore;
125 }
126 
127 void FileReassemblyDepthEnable(uint32_t size)
128 {
129  g_file_store_enable = 1;
130  g_file_store_reassembly_depth = size;
131 }
132 
133 uint32_t FileReassemblyDepth(void)
134 {
135  if (g_file_store_enable == 1)
136  return g_file_store_reassembly_depth;
137  else
139 }
140 
141 int FileForceMagic(void)
142 {
143  return g_file_force_magic;
144 }
145 
146 int FileForceMd5(void)
147 {
148  return g_file_force_md5;
149 }
150 
151 int FileForceSha1(void)
152 {
153  return g_file_force_sha1;
154 }
155 
157 {
158  return g_file_force_sha256;
159 }
160 
162 {
163  g_file_force_tracking = 1;
164  g_file_flow_mask |= (FLOWFILE_NO_SIZE_TS|FLOWFILE_NO_SIZE_TC);
165 }
166 
167 /**
168  * \brief Function to parse forced file hashing configuration.
169  */
171 {
172  BUG_ON(conf == NULL);
173 
174  ConfNode *forcehash_node = NULL;
175 
176  /* legacy option */
177  const char *force_md5 = ConfNodeLookupChildValue(conf, "force-md5");
178  if (force_md5 != NULL) {
179  SCLogWarning("deprecated 'force-md5' option "
180  "found. Please use 'force-hash: [md5]' instead");
181 
182  if (ConfValIsTrue(force_md5)) {
183  if (g_disable_hashing) {
184  SCLogInfo(
185  "not forcing md5 calculation for logged files: hashing globally disabled");
186  } else {
188  SCLogInfo("forcing md5 calculation for logged files");
189  }
190  }
191  }
192 
193  if (conf != NULL)
194  forcehash_node = ConfNodeLookupChild(conf, "force-hash");
195 
196  if (forcehash_node != NULL) {
197  ConfNode *field = NULL;
198 
199  TAILQ_FOREACH(field, &forcehash_node->head, next) {
200  if (strcasecmp("md5", field->val) == 0) {
201  if (g_disable_hashing) {
202  SCLogInfo("not forcing md5 calculation for logged files: hashing globally "
203  "disabled");
204  } else {
206  SCLogConfig("forcing md5 calculation for logged or stored files");
207  }
208  }
209 
210  if (strcasecmp("sha1", field->val) == 0) {
211  if (g_disable_hashing) {
212  SCLogInfo("not forcing sha1 calculation for logged files: hashing globally "
213  "disabled");
214  } else {
216  SCLogConfig("forcing sha1 calculation for logged or stored files");
217  }
218  }
219 
220  if (strcasecmp("sha256", field->val) == 0) {
221  if (g_disable_hashing) {
222  SCLogInfo("not forcing sha256 calculation for logged files: hashing globally "
223  "disabled");
224  } else {
226  SCLogConfig("forcing sha256 calculation for logged or stored files");
227  }
228  }
229  }
230  }
231 }
232 
233 uint16_t FileFlowFlagsToFlags(const uint16_t flow_file_flags, uint8_t direction)
234 {
235  uint16_t flags = 0;
236 
237  if (direction == STREAM_TOSERVER) {
238  if ((flow_file_flags & (FLOWFILE_NO_STORE_TS | FLOWFILE_STORE_TS)) ==
240  flags |= FILE_NOSTORE;
241  } else if (flow_file_flags & FLOWFILE_STORE_TS) {
242  flags |= FILE_STORE;
243  }
244 
245  if (flow_file_flags & FLOWFILE_NO_MAGIC_TS) {
246  flags |= FILE_NOMAGIC;
247  }
248 
249  if (flow_file_flags & FLOWFILE_NO_MD5_TS) {
250  flags |= FILE_NOMD5;
251  }
252 
253  if (flow_file_flags & FLOWFILE_NO_SHA1_TS) {
254  flags |= FILE_NOSHA1;
255  }
256 
257  if (flow_file_flags & FLOWFILE_NO_SHA256_TS) {
258  flags |= FILE_NOSHA256;
259  }
260  } else {
261  if ((flow_file_flags & (FLOWFILE_NO_STORE_TC | FLOWFILE_STORE_TC)) ==
263  flags |= FILE_NOSTORE;
264  } else if (flow_file_flags & FLOWFILE_STORE_TC) {
265  flags |= FILE_STORE;
266  }
267 
268  if (flow_file_flags & FLOWFILE_NO_MAGIC_TC) {
269  flags |= FILE_NOMAGIC;
270  }
271 
272  if (flow_file_flags & FLOWFILE_NO_MD5_TC) {
273  flags |= FILE_NOMD5;
274  }
275 
276  if (flow_file_flags & FLOWFILE_NO_SHA1_TC) {
277  flags |= FILE_NOSHA1;
278  }
279 
280  if (flow_file_flags & FLOWFILE_NO_SHA256_TC) {
281  flags |= FILE_NOSHA256;
282  }
283  }
285 
286  SCLogDebug("direction %02x flags %02x", direction, flags);
287  return flags;
288 }
289 
290 uint16_t FileFlowToFlags(const Flow *flow, uint8_t direction)
291 {
292  return FileFlowFlagsToFlags(flow->file_flags, direction);
293 }
294 
295 void FileApplyTxFlags(const AppLayerTxData *txd, const uint8_t direction, File *file)
296 {
297  SCLogDebug("file flags %04x STORE %s NOSTORE %s", file->flags,
298  (file->flags & FILE_STORE) ? "true" : "false",
299  (file->flags & FILE_NOSTORE) ? "true" : "false");
300  uint16_t update_flags = FileFlowFlagsToFlags(txd->file_flags, direction);
302  (file->flags & (FILE_STORE | FILE_NOSTORE)) == (FILE_STORE | FILE_NOSTORE));
303  if (file->flags & FILE_STORE)
304  update_flags &= ~FILE_NOSTORE;
305 
306  file->flags |= update_flags;
307  SCLogDebug("file flags %04x STORE %s NOSTORE %s", file->flags,
308  (file->flags & FILE_STORE) ? "true" : "false",
309  (file->flags & FILE_NOSTORE) ? "true" : "false");
311  (file->flags & (FILE_STORE | FILE_NOSTORE)) == (FILE_STORE | FILE_NOSTORE));
312 }
313 
314 static int FileMagicSize(void)
315 {
316  /** \todo make this size configurable */
317  return 512;
318 }
319 
320 /**
321  * \brief get the size of the file data
322  *
323  * This doesn't reflect how much of the file we have in memory, just the
324  * total size of filedata so far.
325  */
326 uint64_t FileDataSize(const File *file)
327 {
328  if (file != NULL && file->sb != NULL) {
329  const uint64_t size = StreamingBufferGetConsecutiveDataRightEdge(file->sb);
330  SCLogDebug("returning %" PRIu64, size);
331  return size;
332  }
333  SCLogDebug("returning 0 (default)");
334  return 0;
335 }
336 
337 /**
338  * \brief get the size of the file
339  *
340  * This doesn't reflect how much of the file we have in memory, just the
341  * total size of file so far.
342  */
343 uint64_t FileTrackedSize(const File *file)
344 {
345  if (file != NULL) {
346  return file->size;
347  }
348  return 0;
349 }
350 
351 /** \brief test if file is ready to be pruned
352  *
353  * If a file is in the 'CLOSED' state, it means it has been processed
354  * completely by the pipeline in the correct direction. So we can
355  * prune it then.
356  *
357  * For other states, as well as for files we may not need to track
358  * until the close state, more specific checks are done.
359  *
360  * Also does house keeping within the file: move streaming buffer
361  * forward if possible.
362  *
363  * \retval 1 prune (free) this file
364  * \retval 0 file not ready to be freed
365  */
366 static int FilePruneFile(File *file, const StreamingBufferConfig *cfg)
367 {
368  SCEnter();
369 
370  /* file is done when state is closed+, logging/storing is done (if any) */
371  SCLogDebug("file->state %d. Is >= FILE_STATE_CLOSED: %s",
372  file->state, (file->state >= FILE_STATE_CLOSED) ? "yes" : "no");
373  if (file->state >= FILE_STATE_CLOSED) {
374  SCReturnInt(1);
375  }
376 
377 #ifdef HAVE_MAGIC
378  if (!(file->flags & FILE_NOMAGIC)) {
379  /* need magic but haven't set it yet, bail out */
380  if (file->magic == NULL)
381  SCReturnInt(0);
382  else
383  SCLogDebug("file->magic %s", file->magic);
384  } else {
385  SCLogDebug("file->flags & FILE_NOMAGIC == true");
386  }
387 #endif
388  uint64_t left_edge = FileDataSize(file);
389  if (file->flags & FILE_STORE) {
390  left_edge = MIN(left_edge,file->content_stored);
391  }
392 
393  if (!g_detect_disabled) {
394  left_edge = MIN(left_edge, file->content_inspected);
395  /* if file has inspect window and min size set, we
396  * do some house keeping here */
397  if (file->inspect_window != 0 && file->inspect_min_size != 0) {
398  const uint64_t file_offset = StreamingBufferGetOffset(file->sb);
399  uint32_t window = file->inspect_window;
400  if (file_offset == 0)
401  window = MAX(window, file->inspect_min_size);
402 
403  uint64_t file_size = FileDataSize(file);
404  uint64_t data_size = file_size - file_offset;
405 
406  SCLogDebug("window %"PRIu32", file_size %"PRIu64", data_size %"PRIu64,
407  window, file_size, data_size);
408 
409  if (data_size > (window * 3)) {
410  file->content_inspected = MAX(file->content_inspected, file->size - window);
411  SCLogDebug("file->content_inspected now %" PRIu64, file->content_inspected);
412  }
413 
414  if (left_edge > window)
415  left_edge -= window;
416  else
417  left_edge = 0;
418  }
419  }
420 
421  if (left_edge) {
422  SCLogDebug("sliding to %" PRIu64, left_edge);
423  StreamingBufferSlideToOffset(file->sb, cfg, left_edge);
424  }
425 
426  SCReturnInt(0);
427 }
428 
429 #ifdef DEBUG
430 #define P(file, flag) ((file)->flags & (flag)) ? "true" : "false"
431 void FilePrintFlags(const File *file)
432 {
433  SCLogDebug("file %p flags %04x "
434  "FILE_TRUNCATED %s "
435  "FILE_NOMAGIC %s "
436  "FILE_NOMD5 %s "
437  "FILE_MD5 %s "
438  "FILE_NOSHA1 %s "
439  "FILE_SHA1 %s "
440  "FILE_NOSHA256 %s "
441  "FILE_SHA256 %s "
442  "FILE_LOGGED %s "
443  "FILE_NOSTORE %s "
444  "FILE_STORE %s "
445  "FILE_STORED %s "
446  "FILE_NOTRACK %s "
447  "FILE_HAS_GAPS %s",
448  file, file->flags, P(file, FILE_TRUNCATED), P(file, FILE_NOMAGIC), P(file, FILE_NOMD5),
449  P(file, FILE_MD5), P(file, FILE_NOSHA1), P(file, FILE_SHA1), P(file, FILE_NOSHA256),
450  P(file, FILE_SHA256), P(file, FILE_LOGGED), P(file, FILE_NOSTORE), P(file, FILE_STORE),
451  P(file, FILE_STORED), P(file, FILE_NOTRACK), P(file, FILE_HAS_GAPS));
452 }
453 #undef P
454 #endif
455 
456 static void FilePrune(FileContainer *ffc, const StreamingBufferConfig *cfg)
457 {
458  SCEnter();
459  SCLogDebug("ffc %p head %p", ffc, ffc->head);
460  File *file = ffc->head;
461  File *prev = NULL;
462 
463  while (file) {
464 #ifdef DEBUG
465  FilePrintFlags(file);
466 #endif
467  if (FilePruneFile(file, cfg) == 0) {
468  prev = file;
469  file = file->next;
470  continue;
471  }
472 
473  SCLogDebug("removing file %p", file);
474 
475  File *file_next = file->next;
476 
477  if (prev)
478  prev->next = file_next;
479  /* update head and tail */
480  if (file == ffc->head)
481  ffc->head = file_next;
482  if (file == ffc->tail)
483  ffc->tail = prev;
484 
485  FileFree(file, cfg);
486  file = file_next;
487  }
488  SCReturn;
489 }
490 
491 /**
492  * \brief allocate a FileContainer
493  *
494  * \retval new newly allocated FileContainer
495  * \retval NULL error
496  */
498 {
499  FileContainer *new = SCCalloc(1, sizeof(FileContainer));
500  if (unlikely(new == NULL)) {
501  SCLogError("Error allocating mem");
502  return NULL;
503  }
504  new->head = new->tail = NULL;
505  return new;
506 }
507 
508 /**
509  * \brief Recycle a FileContainer
510  *
511  * \param ffc FileContainer
512  */
514 {
515  SCLogDebug("ffc %p", ffc);
516  if (ffc == NULL)
517  return;
518 
519  File *cur = ffc->head;
520  File *next = NULL;
521  for (;cur != NULL; cur = next) {
522  next = cur->next;
523  FileFree(cur, cfg);
524  }
525  ffc->head = ffc->tail = NULL;
526 }
527 
528 /**
529  * \brief Free a FileContainer
530  *
531  * \param ffc FileContainer
532  */
534 {
535  SCLogDebug("ffc %p", ffc);
536  if (ffc == NULL)
537  return;
538 
539  File *ptr = ffc->head;
540  File *next = NULL;
541  for (;ptr != NULL; ptr = next) {
542  next = ptr->next;
543  FileFree(ptr, cfg);
544  }
545  ffc->head = ffc->tail = NULL;
546  SCFree(ffc);
547 }
548 
549 /**
550  * \brief Alloc a new File
551  *
552  * \param name character array containing the name (not a string)
553  * \param name_len length in bytes of the name
554  *
555  * \retval new File object or NULL on error
556  */
557 static File *FileAlloc(const uint8_t *name, uint16_t name_len)
558 {
559  File *new = SCCalloc(1, sizeof(File));
560  if (unlikely(new == NULL)) {
561  SCLogError("Error allocating mem");
562  return NULL;
563  }
564 
565  new->name = SCMalloc(name_len);
566  if (new->name == NULL) {
567  SCFree(new);
568  return NULL;
569  }
570 
571  new->name_len = name_len;
572  memcpy(new->name, name, name_len);
573 
574  new->sid_cnt = 0;
575  new->sid_max = 8;
576  /* SCMalloc() is allowed to fail here because sid well be checked later on */
577  new->sid = SCMalloc(sizeof(uint32_t) * new->sid_max);
578  if (new->sid == NULL)
579  new->sid_max = 0;
580 
581  return new;
582 }
583 
584 static void FileFree(File *ff, const StreamingBufferConfig *sbcfg)
585 {
586  SCLogDebug("ff %p", ff);
587  if (ff == NULL)
588  return;
589 
590  if (ff->name != NULL)
591  SCFree(ff->name);
592  if (ff->sid != NULL)
593  SCFree(ff->sid);
594 #ifdef HAVE_MAGIC
595  /* magic returned by libmagic is strdup'd by MagicLookup. */
596  if (ff->magic != NULL)
597  SCFree(ff->magic);
598 #endif
599  if (ff->sb != NULL) {
600  StreamingBufferFree(ff->sb, sbcfg);
601  }
602 
603  if (ff->md5_ctx)
604  SCMd5Free(ff->md5_ctx);
605  if (ff->sha1_ctx)
606  SCSha1Free(ff->sha1_ctx);
607  if (ff->sha256_ctx)
608  SCSha256Free(ff->sha256_ctx);
609  SCFree(ff);
610 }
611 
613 {
614  SCLogDebug("ffc %p ff %p", ffc, ff);
615  if (ffc->head == NULL || ffc->tail == NULL) {
616  ffc->head = ffc->tail = ff;
617  } else {
618  ffc->tail->next = ff;
619  ffc->tail = ff;
620  }
621 }
622 
623 /**
624  * \brief Tag a file for storing
625  *
626  * \param ff The file to store
627  */
628 int FileStore(File *ff)
629 {
630  SCLogDebug("ff %p", ff);
631  ff->flags |= FILE_STORE;
632  SCReturnInt(0);
633 }
634 
635 /**
636  * \brief check if we have stored enough
637  *
638  * \param ff file
639  *
640  * \retval 0 limit not reached yet
641  * \retval 1 limit reached
642  */
643 static int FileStoreNoStoreCheck(File *ff)
644 {
645  SCEnter();
646 
647  if (ff == NULL) {
648  SCReturnInt(0);
649  }
650 
651  if (ff->flags & FILE_NOSTORE) {
652  if (ff->state == FILE_STATE_OPENED &&
653  FileDataSize(ff) >= (uint64_t)FileMagicSize())
654  {
655  SCReturnInt(1);
656  }
657  }
658 
659  SCReturnInt(0);
660 }
661 
662 static int AppendData(
663  const StreamingBufferConfig *sbcfg, File *file, const uint8_t *data, uint32_t data_len)
664 {
666  data_len > BIT_U32(26)); // 64MiB as a limit per chunk seems already excessive
667 
668  SCLogDebug("file %p data_len %u", file, data_len);
669  if (StreamingBufferAppendNoTrack(file->sb, sbcfg, data, data_len) != 0) {
670  SCLogDebug("file %p StreamingBufferAppendNoTrack failed", file);
671  SCReturnInt(-1);
672  }
673 
674  if (file->md5_ctx) {
675  SCMd5Update(file->md5_ctx, data, data_len);
676  }
677  if (file->sha1_ctx) {
678  SCSha1Update(file->sha1_ctx, data, data_len);
679  }
680  if (file->sha256_ctx) {
681  SCLogDebug("SHA256 file %p data %p data_len %u", file, data, data_len);
682  SCSha256Update(file->sha256_ctx, data, data_len);
683  } else {
684  SCLogDebug("NO SHA256 file %p data %p data_len %u", file, data, data_len);
685  }
686  SCReturnInt(0);
687 }
688 
689 /** \internal
690  * \brief Flags a file as having gaps
691  *
692  * \param ff the file
693  */
694 static void FileFlagGap(File *ff) {
695  ff->flags |= FILE_HAS_GAPS;
698 }
699 
700 /** \internal
701  * \brief Store/handle a chunk of file data in the File structure
702  *
703  * \param ff the file
704  * \param data data chunk
705  * \param data_len data chunk len
706  *
707  * \retval 0 ok
708  * \retval -1 error
709  * \retval -2 no store for this file
710  */
711 static int FileAppendDataDo(
712  const StreamingBufferConfig *sbcfg, File *ff, const uint8_t *data, uint32_t data_len)
713 {
714  SCEnter();
715 #ifdef DEBUG_VALIDATION
716  BUG_ON(ff == NULL);
717 #endif
718 
719  ff->size += data_len;
720  if (data == NULL) {
721  FileFlagGap(ff);
722  SCReturnInt(0);
723  }
724 
725  if (ff->state != FILE_STATE_OPENED) {
726  if (ff->flags & FILE_NOSTORE) {
727  SCReturnInt(-2);
728  }
729  SCReturnInt(-1);
730  }
731 
732  if (g_detect_disabled && FileStoreNoStoreCheck(ff) == 1) {
733  int hash_done = 0;
734  /* no storage but forced hashing */
735  if (ff->md5_ctx) {
736  SCMd5Update(ff->md5_ctx, data, data_len);
737  hash_done = 1;
738  }
739  if (ff->sha1_ctx) {
740  SCSha1Update(ff->sha1_ctx, data, data_len);
741  hash_done = 1;
742  }
743  if (ff->sha256_ctx) {
744  SCLogDebug("file %p data %p data_len %u", ff, data, data_len);
745  SCSha256Update(ff->sha256_ctx, data, data_len);
746  hash_done = 1;
747  }
748 
749  if (hash_done)
750  SCReturnInt(0);
751 
752  if (g_file_force_tracking || (!(ff->flags & FILE_NOTRACK)))
753  SCReturnInt(0);
754 
756  SCLogDebug("flowfile state transitioned to FILE_STATE_TRUNCATED");
757  SCReturnInt(-2);
758  }
759 
760  SCLogDebug("appending %"PRIu32" bytes", data_len);
761 
762  int r = AppendData(sbcfg, ff, data, data_len);
763  if (r != 0) {
764  ff->state = FILE_STATE_ERROR;
765  SCReturnInt(r);
766  }
767 
768  SCReturnInt(0);
769 }
770 
771 /**
772  * \brief Store/handle a chunk of file data in the File structure
773  * The last file in the FileContainer will be used.
774  *
775  * \param ffc FileContainer used to append to
776  * \param data data chunk
777  * \param data_len data chunk len
778  *
779  * \retval 0 ok
780  * \retval -1 error
781  * \retval -2 no store for this file
782  */
783 int FileAppendData(FileContainer *ffc, const StreamingBufferConfig *sbcfg, const uint8_t *data,
784  uint32_t data_len)
785 {
786  SCEnter();
787 
788  if (ffc == NULL || ffc->tail == NULL || data_len == 0 || sbcfg == NULL) {
789  SCReturnInt(-1);
790  }
791  int r = FileAppendDataDo(sbcfg, ffc->tail, data, data_len);
792  SCReturnInt(r);
793 }
794 
795 /**
796  * \brief Store/handle a chunk of file data in the File structure
797  * The file with 'track_id' in the FileContainer will be used.
798  *
799  * \param ffc FileContainer used to append to
800  * \param track_id id to lookup the file
801  * \param data data chunk
802  * \param data_len data chunk len
803  *
804  * \retval 0 ok
805  * \retval -1 error
806  * \retval -2 no store for this file
807  */
808 int FileAppendDataById(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id,
809  const uint8_t *data, uint32_t data_len)
810 {
811  SCEnter();
812 
813  if (ffc == NULL || ffc->tail == NULL || data == NULL || data_len == 0) {
814  SCReturnInt(-1);
815  }
816  File *ff = ffc->head;
817  for ( ; ff != NULL; ff = ff->next) {
818  if (track_id == ff->file_track_id) {
819  int r = FileAppendDataDo(sbcfg, ff, data, data_len);
820  SCReturnInt(r);
821  }
822  }
823  SCReturnInt(-1);
824 }
825 
826 /**
827  * \brief Store/handle a chunk of file data in the File structure
828  * The file with 'track_id' in the FileContainer will be used.
829  *
830  * \param ffc FileContainer used to append to
831  * \param track_id id to lookup the file
832  * \param data data chunk
833  * \param data_len data chunk len
834  *
835  * \retval 0 ok
836  * \retval -1 error
837  * \retval -2 no store for this file
838  */
839 int FileAppendGAPById(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id,
840  const uint8_t *data, uint32_t data_len)
841 {
842  SCEnter();
843 
844  if (ffc == NULL || ffc->tail == NULL || data == NULL || data_len == 0) {
845  SCReturnInt(-1);
846  }
847  File *ff = ffc->head;
848  for ( ; ff != NULL; ff = ff->next) {
849  if (track_id == ff->file_track_id) {
850  FileFlagGap(ff);
851  SCLogDebug("FILE_HAS_GAPS set");
852 
853  int r = FileAppendDataDo(sbcfg, ff, data, data_len);
854  SCReturnInt(r);
855  }
856  }
857  SCReturnInt(-1);
858 }
859 
860 void FileSetInspectSizes(File *file, const uint32_t win, const uint32_t min)
861 {
862  file->inspect_window = win;
863  file->inspect_min_size = min;
864 }
865 
866 /**
867  * \brief Sets the offset range for a file.
868  *
869  * \param ffc the container
870  * \param start start offset
871  * \param end end offset
872  *
873  * \retval 0 ok
874  * \retval -1 error
875  */
876 int FileSetRange(FileContainer *ffc, uint64_t start, uint64_t end)
877 {
878  SCEnter();
879 
880  if (ffc == NULL || ffc->tail == NULL) {
881  SCReturnInt(-1);
882  }
883  ffc->tail->start = start;
884  ffc->tail->end = end;
885  SCReturnInt(0);
886 }
887 
888 /**
889  * \brief Open a new File
890  *
891  * \param ffc flow container
892  * \param sbcfg buffer config
893  * \param name filename character array
894  * \param name_len filename len
895  * \param data initial data
896  * \param data_len initial data len
897  * \param flags open flags
898  *
899  * \retval ff flowfile object
900  *
901  * \note filename is not a string, so it's not nul terminated.
902  */
903 static File *FileOpenFile(FileContainer *ffc, const StreamingBufferConfig *sbcfg,
904  const uint8_t *name, uint16_t name_len,
905  const uint8_t *data, uint32_t data_len, uint16_t flags)
906 {
907  SCEnter();
908 
909  //PrintRawDataFp(stdout, name, name_len);
910 
911  File *ff = FileAlloc(name, name_len);
912  if (ff == NULL) {
913  SCReturnPtr(NULL, "File");
914  }
915 
916  ff->sb = StreamingBufferInit(sbcfg);
917  if (ff->sb == NULL) {
918  FileFree(ff, sbcfg);
919  SCReturnPtr(NULL, "File");
920  }
921  SCLogDebug("ff->sb %p", ff->sb);
922 
923  if (flags & FILE_STORE || g_file_force_filestore) {
924  FileStore(ff);
925  } else if (flags & FILE_NOSTORE) {
926  SCLogDebug("not storing this file");
927  ff->flags |= FILE_NOSTORE;
928  }
929  if (flags & FILE_NOMAGIC) {
930  SCLogDebug("not doing magic for this file");
931  ff->flags |= FILE_NOMAGIC;
932  }
933  if (flags & FILE_NOMD5) {
934  SCLogDebug("not doing md5 for this file");
935  ff->flags |= FILE_NOMD5;
936  }
937  if (flags & FILE_NOSHA1) {
938  SCLogDebug("not doing sha1 for this file");
939  ff->flags |= FILE_NOSHA1;
940  }
941  if (flags & FILE_NOSHA256) {
942  SCLogDebug("not doing sha256 for this file");
943  ff->flags |= FILE_NOSHA256;
944  }
945 
946  if (!(ff->flags & FILE_NOMD5) || g_file_force_md5) {
947  ff->md5_ctx = SCMd5New();
948  }
949  if (!(ff->flags & FILE_NOSHA1) || g_file_force_sha1) {
950  ff->sha1_ctx = SCSha1New();
951  }
952  if (!(ff->flags & FILE_NOSHA256) || g_file_force_sha256) {
953  ff->sha256_ctx = SCSha256New();
954  SCLogDebug("ff %p ff->sha256_ctx %p", ff, ff->sha256_ctx);
955  }
956 
957  ff->state = FILE_STATE_OPENED;
958  SCLogDebug("flowfile state transitioned to FILE_STATE_OPENED");
959 
960  ff->fd = -1;
961 
962  FileContainerAdd(ffc, ff);
963 
964  /* set default window and min inspection size */
966 
967  ff->size += data_len;
968  if (data != NULL) {
969  if (AppendData(sbcfg, ff, data, data_len) != 0) {
970  ff->state = FILE_STATE_ERROR;
971  SCReturnPtr(NULL, "File");
972  }
973  SCLogDebug("file size is now %"PRIu64, FileTrackedSize(ff));
974  } else if (data_len > 0) {
975  FileFlagGap(ff);
976  }
977 
978  SCReturnPtr(ff, "File");
979 }
980 
981 /**
982  * \retval 0 ok
983  * \retval -1 failed */
985  uint32_t track_id, const uint8_t *name, uint16_t name_len,
986  const uint8_t *data, uint32_t data_len, uint16_t flags)
987 {
988  SCLogDebug("ffc %p track_id %u", ffc, track_id);
989  File *ff = FileOpenFile(ffc, sbcfg, name, name_len, data, data_len, flags);
990  if (ff == NULL)
991  return -1;
992 
993  ff->file_track_id = track_id;
994  return 0;
995 }
996 
997 int FileCloseFilePtr(File *ff, const StreamingBufferConfig *sbcfg, const uint8_t *data,
998  uint32_t data_len, uint16_t flags)
999 {
1000  SCEnter();
1001 
1002  if (ff == NULL) {
1003  SCReturnInt(-1);
1004  }
1005 
1006  if (ff->state != FILE_STATE_OPENED) {
1007  SCReturnInt(-1);
1008  }
1009 
1010  ff->size += data_len;
1011  if (data != NULL) {
1012  if (ff->flags & FILE_NOSTORE) {
1013  /* no storage but hashing */
1014  if (ff->md5_ctx)
1015  SCMd5Update(ff->md5_ctx, data, data_len);
1016  if (ff->sha1_ctx)
1017  SCSha1Update(ff->sha1_ctx, data, data_len);
1018  if (ff->sha256_ctx) {
1019  SCLogDebug("file %p data %p data_len %u", ff, data, data_len);
1020  SCSha256Update(ff->sha256_ctx, data, data_len);
1021  }
1022  } else {
1023  if (AppendData(sbcfg, ff, data, data_len) != 0) {
1024  ff->state = FILE_STATE_ERROR;
1025  SCReturnInt(-1);
1026  }
1027  }
1028  }
1029 
1030  if ((flags & FILE_TRUNCATED) || (ff->flags & FILE_HAS_GAPS)) {
1031  SCLogDebug("flags FILE_TRUNCATED %s", (flags & FILE_TRUNCATED) ? "true" : "false");
1032  SCLogDebug("ff->flags FILE_HAS_GAPS %s", (ff->flags & FILE_HAS_GAPS) ? "true" : "false");
1033 
1035  SCLogDebug("flowfile state transitioned to FILE_STATE_TRUNCATED");
1036 
1037  if (flags & FILE_NOSTORE) {
1038  SCLogDebug("not storing this file");
1039  ff->flags |= FILE_NOSTORE;
1040  } else {
1041  if (g_file_force_sha256 && ff->sha256_ctx) {
1042  SCLogDebug("file %p data %p data_len %u", ff, data, data_len);
1043  FileEndSha256(ff);
1044  }
1045  }
1046  } else {
1047  ff->state = FILE_STATE_CLOSED;
1048  SCLogDebug("flowfile state transitioned to FILE_STATE_CLOSED");
1049 
1050  if (ff->md5_ctx) {
1051  SCMd5Finalize(ff->md5_ctx, ff->md5, sizeof(ff->md5));
1052  ff->md5_ctx = NULL;
1053  ff->flags |= FILE_MD5;
1054  }
1055  if (ff->sha1_ctx) {
1056  SCSha1Finalize(ff->sha1_ctx, ff->sha1, sizeof(ff->sha1));
1057  ff->sha1_ctx = NULL;
1058  ff->flags |= FILE_SHA1;
1059  }
1060  if (ff->sha256_ctx) {
1061  SCLogDebug("file %p data %p data_len %u", ff, data, data_len);
1062  FileEndSha256(ff);
1063  }
1064  }
1065 
1066  SCReturnInt(0);
1067 }
1068 
1069 /**
1070  * \brief Close a File
1071  *
1072  * \param ffc the container
1073  * \param data final data if any
1074  * \param data_len data len if any
1075  * \param flags flags
1076  *
1077  * \retval 0 ok
1078  * \retval -1 error
1079  */
1080 int FileCloseFile(FileContainer *ffc, const StreamingBufferConfig *sbcfg, const uint8_t *data,
1081  uint32_t data_len, uint16_t flags)
1082 {
1083  SCEnter();
1084 
1085  if (ffc == NULL || ffc->tail == NULL) {
1086  SCReturnInt(-1);
1087  }
1088 
1089  if (FileCloseFilePtr(ffc->tail, sbcfg, data, data_len, flags) == -1) {
1090  SCReturnInt(-1);
1091  }
1092 
1093  SCReturnInt(0);
1094 }
1095 
1096 int FileCloseFileById(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id,
1097  const uint8_t *data, uint32_t data_len, uint16_t flags)
1098 {
1099  SCEnter();
1100 
1101  if (ffc == NULL || ffc->tail == NULL) {
1102  SCReturnInt(-1);
1103  }
1104 
1105  File *ff = ffc->head;
1106  for ( ; ff != NULL; ff = ff->next) {
1107  if (track_id == ff->file_track_id) {
1108  int r = FileCloseFilePtr(ff, sbcfg, data, data_len, flags);
1109  SCReturnInt(r);
1110  }
1111  }
1112  SCReturnInt(-1);
1113 }
1114 
1115 /** \brief set a flow's file flags
1116  * \param set_file_flags flags in both directions that are requested to set
1117  *
1118  * This function will ignore the flags for the irrelevant direction and
1119  * also mask the flags with the global settings.
1120  */
1121 void FileUpdateFlowFileFlags(Flow *f, uint16_t set_file_flags, uint8_t direction)
1122 {
1123  SCEnter();
1125 
1126  /* remove flags not in our direction and
1127  don't disable what is globally enabled */
1128  if (direction == STREAM_TOSERVER) {
1129  set_file_flags &= ~(FLOWFILE_NONE_TC|g_file_flow_mask);
1130  } else {
1131  set_file_flags &= ~(FLOWFILE_NONE_TS|g_file_flow_mask);
1132  }
1133  f->file_flags |= set_file_flags;
1134 
1135  SCLogDebug("f->file_flags %04x set_file_flags %04x g_file_flow_mask %04x",
1136  f->file_flags, set_file_flags, g_file_flow_mask);
1137 
1138  if (set_file_flags != 0 && f->alproto != ALPROTO_UNKNOWN && f->alstate != NULL) {
1139  AppLayerStateData *sd = AppLayerParserGetStateData(f->proto, f->alproto, f->alstate);
1140  if (sd != NULL) {
1141  if ((sd->file_flags & f->file_flags) != f->file_flags) {
1142  SCLogDebug("state data: updating file_flags %04x with flow file_flags %04x",
1143  sd->file_flags, f->file_flags);
1144  sd->file_flags |= f->file_flags;
1145  }
1146  }
1147  }
1148 }
1149 
1150 /**
1151  * \brief disable file storing for files in a transaction
1152  *
1153  * \param f *LOCKED* flow
1154  * \param direction flow direction
1155  * \param tx_id transaction id
1156  */
1157 void FileDisableStoringForTransaction(Flow *f, const uint8_t direction, void *tx, uint64_t tx_id)
1158 {
1159  if (g_file_force_filestore == 0) {
1161  if (txd != NULL) {
1162  if (direction & STREAM_TOSERVER) {
1163  txd->file_flags |= FLOWFILE_NO_STORE_TS;
1164  } else {
1165  txd->file_flags |= FLOWFILE_NO_STORE_TC;
1166  }
1167  }
1168  }
1169 }
1170 
1171 /**
1172  * \brief flag a file with id "file_id" to be stored.
1173  *
1174  * \param fc file store
1175  * \param file_id the file's id
1176  */
1177 void FileStoreFileById(FileContainer *fc, uint32_t file_id)
1178 {
1179  File *ptr = NULL;
1180 
1181  SCEnter();
1182 
1183  if (fc != NULL) {
1184  for (ptr = fc->head; ptr != NULL; ptr = ptr->next) {
1185  if (ptr->file_track_id == file_id) {
1186  FileStore(ptr);
1187  }
1188  }
1189  }
1190 }
1191 
1192 static void FileTruncateAllOpenFiles(FileContainer *fc, const StreamingBufferConfig *sbcfg)
1193 {
1194  File *ptr = NULL;
1195 
1196  SCEnter();
1197 
1198  if (fc != NULL) {
1199  for (ptr = fc->head; ptr != NULL; ptr = ptr->next) {
1200  if (ptr->state == FILE_STATE_OPENED) {
1201  FileCloseFilePtr(ptr, sbcfg, NULL, 0, FILE_TRUNCATED);
1202  }
1203  }
1204  }
1205 }
1206 
1207 void FilesPrune(FileContainer *fc, const StreamingBufferConfig *sbcfg, const bool trunc)
1208 {
1209  if (trunc) {
1210  FileTruncateAllOpenFiles(fc, sbcfg);
1211  }
1212  FilePrune(fc, sbcfg);
1213 }
1214 
1215 /**
1216  * \brief Finish the SHA256 calculation.
1217  */
1218 static void FileEndSha256(File *ff)
1219 {
1220  SCLogDebug("ff %p ff->size %" PRIu64, ff, ff->size);
1221  if (!(ff->flags & FILE_SHA256) && ff->sha256_ctx) {
1222  SCSha256Finalize(ff->sha256_ctx, ff->sha256, sizeof(ff->sha256));
1223  ff->sha256_ctx = NULL;
1224  ff->flags |= FILE_SHA256;
1225  }
1226 }
FLOWFILE_NO_MD5_TS
#define FLOWFILE_NO_MD5_TS
Definition: flow.h:136
FLOWFILE_NO_MD5_TC
#define FLOWFILE_NO_MD5_TC
Definition: flow.h:137
FILE_TRUNCATED
#define FILE_TRUNCATED
Definition: util-file.h:45
FileForceFilestore
int FileForceFilestore(void)
Definition: util-file.c:122
StreamingBufferSlideToOffset
void StreamingBufferSlideToOffset(StreamingBuffer *sb, const StreamingBufferConfig *cfg, uint64_t offset)
slide to absolute offset
Definition: util-streaming-buffer.c:1009
FileContainer_
Definition: util-file.h:113
FLOWFILE_NO_SIZE_TS
#define FLOWFILE_NO_SIZE_TS
Definition: flow.h:148
FLOWFILE_NO_SIZE_TC
#define FLOWFILE_NO_SIZE_TC
Definition: flow.h:149
FileContainerAdd
void FileContainerAdd(FileContainer *ffc, File *ff)
Definition: util-file.c:612
FileContainerAlloc
FileContainer * FileContainerAlloc(void)
allocate a FileContainer
Definition: util-file.c:497
FileReassemblyDepthEnable
void FileReassemblyDepthEnable(uint32_t size)
Definition: util-file.c:127
ConfNode_::val
char * val
Definition: conf.h:34
stream-tcp.h
FileForceTrackingEnable
void FileForceTrackingEnable(void)
Definition: util-file.c:161
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
FILE_SHA256
#define FILE_SHA256
Definition: util-file.h:52
File_::inspect_min_size
uint32_t inspect_min_size
Definition: util-file.h:104
FILE_NOSHA1
#define FILE_NOSHA1
Definition: util-file.h:49
File_::size
uint64_t size
Definition: util-file.h:102
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
FILE_NOTRACK
#define FILE_NOTRACK
Definition: util-file.h:57
StreamingBufferFree
void StreamingBufferFree(StreamingBuffer *sb, const StreamingBufferConfig *cfg)
Definition: util-streaming-buffer.c:294
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
FLOWFILE_NONE_TC
#define FLOWFILE_NONE_TC
Definition: flow.h:161
Flow_::proto
uint8_t proto
Definition: flow.h:378
FLOWFILE_NO_MAGIC_TS
#define FLOWFILE_NO_MAGIC_TS
Definition: flow.h:129
FLOWFILE_NONE_TS
#define FLOWFILE_NONE_TS
Definition: flow.h:155
FILE_STATE_OPENED
@ FILE_STATE_OPENED
Definition: util-file.h:70
FileContainerFree
void FileContainerFree(FileContainer *ffc, const StreamingBufferConfig *cfg)
Free a FileContainer.
Definition: util-file.c:533
TcpStreamCnf_::reassembly_depth
uint32_t reassembly_depth
Definition: stream-tcp.h:75
Flow_
Flow data structure.
Definition: flow.h:356
File_::state
FileState state
Definition: util-file.h:82
util-hash.h
FILE_STORE
#define FILE_STORE
Definition: util-file.h:55
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:252
rust.h
FileContainer_::tail
File * tail
Definition: util-file.h:115
MIN
#define MIN(x, y)
Definition: suricata-common.h:391
FileForceMagicEnable
void FileForceMagicEnable(void)
Definition: util-file.c:98
FILE_NOSHA256
#define FILE_NOSHA256
Definition: util-file.h:51
FileAppendGAPById
int FileAppendGAPById(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id, const uint8_t *data, uint32_t data_len)
Store/handle a chunk of file data in the File structure The file with 'track_id' in the FileContainer...
Definition: util-file.c:839
FILE_STATE_TRUNCATED
@ FILE_STATE_TRUNCATED
Definition: util-file.h:73
AppLayerParserGetStateData
AppLayerStateData * AppLayerParserGetStateData(uint8_t ipproto, AppProto alproto, void *state)
Definition: app-layer-parser.c:1171
FLOWFILE_STORE_TS
#define FLOWFILE_STORE_TS
Definition: flow.h:152
File_::sha1
uint8_t sha1[SC_SHA1_LEN]
Definition: util-file.h:96
stream_config
TcpStreamCnf stream_config
Definition: stream-tcp.c:219
MAX
#define MAX(x, y)
Definition: suricata-common.h:395
FileForceMd5Enable
void FileForceMd5Enable(void)
Definition: util-file.c:104
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:536
File_::sb
StreamingBuffer * sb
Definition: util-file.h:83
FileForceSha1Enable
void FileForceSha1Enable(void)
Definition: util-file.c:110
util-memcmp.h
FLOWFILE_NO_SHA1_TC
#define FLOWFILE_NO_SHA1_TC
Definition: flow.h:141
File_::md5
uint8_t md5[SC_MD5_LEN]
Definition: util-file.h:94
File_::file_track_id
uint32_t file_track_id
Definition: util-file.h:84
util-debug.h
FileForceMagic
int FileForceMagic(void)
Definition: util-file.c:141
StreamingBufferInit
StreamingBuffer * StreamingBufferInit(const StreamingBufferConfig *cfg)
Definition: util-streaming-buffer.c:248
File_::end
uint64_t end
Definition: util-file.h:106
g_detect_disabled
int g_detect_disabled
Definition: suricata.c:183
FileFlowToFlags
uint16_t FileFlowToFlags(const Flow *flow, uint8_t direction)
Definition: util-file.c:290
File_::fd
int fd
Definition: util-file.h:86
FLOWFILE_STORE_TC
#define FLOWFILE_STORE_TC
Definition: flow.h:153
FLOWFILE_NO_STORE_TS
#define FLOWFILE_NO_STORE_TS
Definition: flow.h:133
BIT_U32
#define BIT_U32(n)
Definition: suricata-common.h:400
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
FileContainer_::head
File * head
Definition: util-file.h:114
FileStoreFileById
void FileStoreFileById(FileContainer *fc, uint32_t file_id)
flag a file with id "file_id" to be stored.
Definition: util-file.c:1177
FLOWFILE_NO_SHA256_TS
#define FLOWFILE_NO_SHA256_TS
Definition: flow.h:144
FileTrackedSize
uint64_t FileTrackedSize(const File *file)
get the size of the file
Definition: util-file.c:343
FILEDATA_CONTENT_INSPECT_MIN_SIZE
#define FILEDATA_CONTENT_INSPECT_MIN_SIZE
Definition: app-layer-smtp.c:60
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
app-layer-parser.h
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:300
FileUpdateFlowFileFlags
void FileUpdateFlowFileFlags(Flow *f, uint16_t set_file_flags, uint8_t direction)
set a flow's file flags
Definition: util-file.c:1121
FileReassemblyDepth
uint32_t FileReassemblyDepth(void)
Definition: util-file.c:133
SCReturn
#define SCReturn
Definition: util-debug.h:273
stream.h
File_::sha256_ctx
SCSha256 * sha256_ctx
Definition: util-file.h:97
DEBUG_ASSERT_FLOW_LOCKED
#define DEBUG_ASSERT_FLOW_LOCKED(f)
Definition: util-validate.h:99
FileForceMd5
int FileForceMd5(void)
Definition: util-file.c:146
FileOpenFileWithId
int FileOpenFileWithId(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id, const uint8_t *name, uint16_t name_len, const uint8_t *data, uint32_t data_len, uint16_t flags)
Open a new File.
Definition: util-file.c:984
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
File_::name
uint8_t * name
Definition: util-file.h:88
FileCloseFilePtr
int FileCloseFilePtr(File *ff, const StreamingBufferConfig *sbcfg, const uint8_t *data, uint32_t data_len, uint16_t flags)
Definition: util-file.c:997
FileAppendData
int FileAppendData(FileContainer *ffc, const StreamingBufferConfig *sbcfg, const uint8_t *data, uint32_t data_len)
Store/handle a chunk of file data in the File structure The last file in the FileContainer will be us...
Definition: util-file.c:783
File_::sid
uint32_t * sid
Definition: util-file.h:108
runmodes.h
FILE_NOMD5
#define FILE_NOMD5
Definition: util-file.h:47
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:224
FileDataSize
uint64_t FileDataSize(const File *file)
get the size of the file data
Definition: util-file.c:326
FileCloseFileById
int FileCloseFileById(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id, const uint8_t *data, uint32_t data_len, uint16_t flags)
Definition: util-file.c:1096
FileStore
int FileStore(File *ff)
Tag a file for storing.
Definition: util-file.c:628
FLOWFILE_NO_SHA256_TC
#define FLOWFILE_NO_SHA256_TC
Definition: flow.h:145
ConfNodeLookupChild
ConfNode * ConfNodeLookupChild(const ConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:781
FileDisableStoringForTransaction
void FileDisableStoringForTransaction(Flow *f, const uint8_t direction, void *tx, uint64_t tx_id)
disable file storing for files in a transaction
Definition: util-file.c:1157
File_::flags
uint16_t flags
Definition: util-file.h:80
File_::content_inspected
uint64_t content_inspected
Definition: util-file.h:99
FILE_STATE_CLOSED
@ FILE_STATE_CLOSED
Definition: util-file.h:71
File_
Definition: util-file.h:79
File_::content_stored
uint64_t content_stored
Definition: util-file.h:101
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: detect.h:1372
FLOWFILE_NO_MAGIC_TC
#define FLOWFILE_NO_MAGIC_TC
Definition: flow.h:130
flags
uint8_t flags
Definition: decode-gre.h:0
StreamingBufferAppendNoTrack
int StreamingBufferAppendNoTrack(StreamingBuffer *sb, const StreamingBufferConfig *cfg, const uint8_t *data, uint32_t data_len)
add data w/o tracking a segment
Definition: util-streaming-buffer.c:1130
suricata-common.h
FileForceFilestoreEnable
void FileForceFilestoreEnable(void)
Definition: util-file.c:92
FileForceSha256
int FileForceSha256(void)
Definition: util-file.c:156
FILE_STORED
#define FILE_STORED
Definition: util-file.h:56
File_::next
struct File_ * next
Definition: util-file.h:92
FileForceHashParseCfg
void FileForceHashParseCfg(ConfNode *conf)
Function to parse forced file hashing configuration.
Definition: util-file.c:170
FileSetInspectSizes
void FileSetInspectSizes(File *file, const uint32_t win, const uint32_t min)
Definition: util-file.c:860
FilesPrune
void FilesPrune(FileContainer *fc, const StreamingBufferConfig *sbcfg, const bool trunc)
Definition: util-file.c:1207
FILE_MD5
#define FILE_MD5
Definition: util-file.h:48
AppLayerParserGetTxData
AppLayerTxData * AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx)
Definition: app-layer-parser.c:1164
FileSetRange
int FileSetRange(FileContainer *ffc, uint64_t start, uint64_t end)
Sets the offset range for a file.
Definition: util-file.c:876
FLOWFILE_NO_STORE_TC
#define FLOWFILE_NO_STORE_TC
Definition: flow.h:134
File_::sha256
uint8_t sha256[SC_SHA256_LEN]
Definition: util-file.h:98
File_::start
uint64_t start
Definition: util-file.h:105
FilePrintFlags
#define FilePrintFlags(file)
Definition: util-file.h:250
util-validate.h
StreamingBufferConfig_
Definition: util-streaming-buffer.h:65
FileContainerRecycle
void FileContainerRecycle(FileContainer *ffc, const StreamingBufferConfig *cfg)
Recycle a FileContainer.
Definition: util-file.c:513
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
FLOWFILE_NO_SHA1_TS
#define FLOWFILE_NO_SHA1_TS
Definition: flow.h:140
FILE_LOGGED
#define FILE_LOGGED
Definition: util-file.h:53
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
FileForceSha1
int FileForceSha1(void)
Definition: util-file.c:151
FileCloseFile
int FileCloseFile(FileContainer *ffc, const StreamingBufferConfig *sbcfg, const uint8_t *data, uint32_t data_len, uint16_t flags)
Close a File.
Definition: util-file.c:1080
SCFree
#define SCFree(p)
Definition: util-mem.h:61
ConfNode_
Definition: conf.h:32
FileAppendDataById
int FileAppendDataById(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id, const uint8_t *data, uint32_t data_len)
Store/handle a chunk of file data in the File structure The file with 'track_id' in the FileContainer...
Definition: util-file.c:808
Flow_::alstate
void * alstate
Definition: flow.h:481
FILEDATA_CONTENT_INSPECT_WINDOW
#define FILEDATA_CONTENT_INSPECT_WINDOW
Definition: app-layer-smtp.c:62
File_::md5_ctx
SCMd5 * md5_ctx
Definition: util-file.h:93
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
File_::inspect_window
uint32_t inspect_window
Definition: util-file.h:103
FILE_SHA1
#define FILE_SHA1
Definition: util-file.h:50
suricata.h
FILE_NOSTORE
#define FILE_NOSTORE
Definition: util-file.h:54
FileForceSha256Enable
void FileForceSha256Enable(void)
Definition: util-file.c:116
FileFlowFlagsToFlags
uint16_t FileFlowFlagsToFlags(const uint16_t flow_file_flags, uint8_t direction)
Definition: util-file.c:233
flow.h
FILE_NOMAGIC
#define FILE_NOMAGIC
Definition: util-file.h:46
Flow_::file_flags
uint16_t file_flags
Definition: flow.h:428
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:455
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
FileApplyTxFlags
void FileApplyTxFlags(const AppLayerTxData *txd, const uint8_t direction, File *file)
Definition: util-file.c:295
FILE_STATE_ERROR
@ FILE_STATE_ERROR
Definition: util-file.h:75
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
FILE_HAS_GAPS
#define FILE_HAS_GAPS
Definition: util-file.h:59
File_::sha1_ctx
SCSha1 * sha1_ctx
Definition: util-file.h:95
g_disable_hashing
bool g_disable_hashing
Definition: suricata.c:207
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:809