suricata
util-file.h
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  */
24 
25 #ifndef SURICATA_UTIL_FILE_H
26 #define SURICATA_UTIL_FILE_H
27 
28 // only bindgen this function as struct File_ defined here in C
29 // uses some structrues from rust
30 uint16_t SCFileFlowFlagsToFlags(const uint16_t flow_file_flags, uint8_t direction);
31 
32 #include "conf.h"
33 #include "util-streaming-buffer.h"
34 
35 typedef struct File_ File;
36 
37 typedef struct FileContainer_ {
38  File *head;
39  File *tail;
40 } FileContainer;
41 
42 /**
43  * \brief Store a chunk of file data in the flow. The open "flowfile"
44  * will be used.
45  *
46  * \param ffc the container
47  * \param data data chunk
48  * \param data_len data chunk len
49  *
50  * \retval 0 ok
51  * \retval -1 error
52  */
53 int FileAppendData(FileContainer *, const StreamingBufferConfig *sbcfg, const uint8_t *data,
54  uint32_t data_len);
55 
56 #ifndef SURICATA_BINDGEN_H
57 
58 #include "flow.h"
59 
60 /* Hack: Pulling rust.h to get the SCSha256 causes all sorts of problems with
61  * header include orders, which is something we'll have to resolve as we provide
62  * more functionality via Rust. But this lets me continue with replacing nss
63  * without fighting the headers at this time. */
64 typedef struct SCSha256 SCSha256;
65 #define SC_SHA256_LEN 32
66 
67 typedef struct SCSha1 SCSha1;
68 #define SC_SHA1_LEN 20
69 
70 typedef struct SCMd5 SCMd5;
71 #define SC_MD5_LEN 16
72 
73 #define FILE_TRUNCATED BIT_U16(0)
74 #define FILE_NOMAGIC BIT_U16(1)
75 #define FILE_NOMD5 BIT_U16(2)
76 #define FILE_MD5 BIT_U16(3)
77 #define FILE_NOSHA1 BIT_U16(4)
78 #define FILE_SHA1 BIT_U16(5)
79 #define FILE_NOSHA256 BIT_U16(6)
80 #define FILE_SHA256 BIT_U16(7)
81 #define FILE_LOGGED BIT_U16(8)
82 #define FILE_NOSTORE BIT_U16(9)
83 #define FILE_STORE BIT_U16(10)
84 #define FILE_STORED BIT_U16(11)
85 #define FILE_NOTRACK BIT_U16(12) /**< track size of file */
86 #define FILE_USE_DETECT BIT_U16(13) /**< use content_inspected tracker */
87 #define FILE_HAS_GAPS BIT_U16(15)
88 
89 // to be used instead of PATH_MAX which depends on the OS
90 #define SC_FILENAME_MAX 4096
91 
92 #define FILEDATA_CONTENT_LIMIT 100000
93 #define FILEDATA_CONTENT_INSPECT_MIN_SIZE 32768
94 #define FILEDATA_CONTENT_INSPECT_WINDOW 4096
95 
96 typedef enum FileState_ {
97  FILE_STATE_NONE = 0, /**< no state */
98  FILE_STATE_OPENED, /**< flow file is opened */
99  FILE_STATE_CLOSED, /**< flow file is completed,
100  there will be no more data. */
101  FILE_STATE_TRUNCATED, /**< flow file is not complete, but
102  there will be no more data. */
103  FILE_STATE_ERROR, /**< file is in an error state */
104  FILE_STATE_MAX
105 } FileState;
106 
107 typedef struct File_ {
108  uint16_t flags;
109  uint16_t name_len;
110  FileState state;
111  StreamingBuffer *sb;
112  uint32_t file_track_id; /**< id used by protocol parser */
113  uint32_t file_store_id; /**< id used in store file name file.<id> */
114  int fd; /**< file descriptor for filestore, not
115  open if equal to -1 */
116  uint8_t *name;
117 #ifdef HAVE_MAGIC
118  char *magic;
119 #endif
120  struct File_ *next;
121  SCMd5 *md5_ctx;
122  uint8_t md5[SC_MD5_LEN];
123  SCSha1 *sha1_ctx;
124  uint8_t sha1[SC_SHA1_LEN];
125  SCSha256 *sha256_ctx;
126  uint8_t sha256[SC_SHA256_LEN];
127  uint64_t content_inspected; /**< used in pruning if FILE_USE_DETECT
128  * flag is set */
129  uint64_t content_stored;
130  uint64_t size;
131  uint32_t inspect_window;
132  uint32_t inspect_min_size;
133  uint64_t start;
134  uint64_t end;
135 
136  uint32_t *sid; /* signature id of a rule that triggered the filestore event */
137  uint32_t sid_cnt;
138  uint32_t sid_max;
139 } File;
140 
141 FileContainer *FileContainerAlloc(void);
142 void FileContainerFree(FileContainer *, const StreamingBufferConfig *cfg);
143 
144 void FileContainerRecycle(FileContainer *, const StreamingBufferConfig *cfg);
145 
146 void FileContainerAdd(FileContainer *, File *);
147 
148 /**
149  * \brief Open a new File
150  *
151  * \param ffc flow container
152  * \param sbcfg buffer config
153  * \param name filename character array
154  * \param name_len filename len
155  * \param data initial data
156  * \param data_len initial data len
157  * \param flags open flags
158  *
159  * \retval ff flowfile object
160  *
161  * \note filename is not a string, so it's not nul terminated.
162  *
163  * If flags contains the FILE_USE_DETECT bit, the pruning code will
164  * consider not just the content_stored tracker, but also content_inspected.
165  * It's the responsibility of the API user to make sure this tracker is
166  * properly updated.
167  */
168 int FileOpenFileWithId(FileContainer *, const StreamingBufferConfig *,
169  uint32_t track_id, const uint8_t *name, uint16_t name_len,
170  const uint8_t *data, uint32_t data_len, uint16_t flags);
171 
172 /**
173  * \brief Close a File
174  *
175  * \param ffc the container
176  * \param data final data if any
177  * \param data_len data len if any
178  * \param flags flags
179  *
180  * \retval 0 ok
181  * \retval -1 error
182  */
183 int FileCloseFile(FileContainer *, const StreamingBufferConfig *sbcfg, const uint8_t *data,
184  uint32_t data_len, uint16_t flags);
185 int FileCloseFileById(FileContainer *, const StreamingBufferConfig *sbcfg, uint32_t track_id,
186  const uint8_t *data, uint32_t data_len, uint16_t flags);
187 int FileCloseFilePtr(File *ff, const StreamingBufferConfig *sbcfg, const uint8_t *data,
188  uint32_t data_len, uint16_t flags);
189 
190 int FileAppendDataById(FileContainer *, const StreamingBufferConfig *sbcfg, uint32_t track_id,
191  const uint8_t *data, uint32_t data_len);
192 int FileAppendGAPById(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id,
193  const uint8_t *data, uint32_t data_len);
194 
195 void FileSetInspectSizes(File *file, const uint32_t win, const uint32_t min);
196 
197 /**
198  * \brief Sets the offset range for a file.
199  *
200  * \param ffc the container
201  * \param start start offset
202  * \param end end offset
203  *
204  * \retval 0 ok
205  * \retval -1 error
206  */
207 int FileSetRange(FileContainer *, uint64_t start, uint64_t end);
208 
209 /**
210  * \brief Tag a file for storing
211  *
212  * \param ff The file to store
213  */
214 int FileStore(File *);
215 
216 /**
217  * \brief disable file storing for a transaction
218  *
219  * \param f flow
220  * \param direction STREAM_TOSERVER or STREAM_TOCLIENT
221  * \param tx transaction pointer
222  * \param tx_id transaction id
223  */
224 void FileDisableStoringForTransaction(Flow *f, const uint8_t direction, void *tx, uint64_t tx_id);
225 
226 void FileForceFilestoreEnable(void);
227 int FileForceFilestore(void);
228 void FileReassemblyDepthEnable(uint32_t size);
229 uint32_t FileReassemblyDepth(void);
230 
231 void FileForceMagicEnable(void);
232 int FileForceMagic(void);
233 
234 void FileForceMd5Enable(void);
235 int FileForceMd5(void);
236 
237 void FileForceSha1Enable(void);
238 int FileForceSha1(void);
239 
240 void FileForceSha256Enable(void);
241 int FileForceSha256(void);
242 
243 void FileUpdateFlowFileFlags(Flow *f, uint16_t set_file_flags, uint8_t direction);
244 
245 void FileForceHashParseCfg(SCConfNode *);
246 
247 void FileForceTrackingEnable(void);
248 
249 void FileStoreFileById(FileContainer *fc, uint32_t);
250 
251 uint64_t FileDataSize(const File *file);
252 uint64_t FileTrackedSize(const File *file);
253 
254 uint16_t FileFlowToFlags(const Flow *flow, uint8_t direction);
255 
256 #ifdef DEBUG
257 void FilePrintFlags(const File *file);
258 #else
259 #define FilePrintFlags(file)
260 #endif
261 
262 void FilesPrune(FileContainer *fc, const StreamingBufferConfig *sbcfg, const bool trunc);
263 
264 #endif // SURICATA_BINDGEN_H
265 
266 #endif /* SURICATA_UTIL_FILE_H */
FileFlowToFlags
uint16_t FileFlowToFlags(const Flow *flow, uint8_t direction)
Definition: util-file.c:272
FileContainerRecycle
void FileContainerRecycle(FileContainer *, const StreamingBufferConfig *cfg)
Recycle a FileContainer.
Definition: util-file.c:495
SCSha1
struct SCSha1 SCSha1
Definition: util-file.h:67
FileForceMagicEnable
void FileForceMagicEnable(void)
Definition: util-file.c:98
FileCloseFile
int FileCloseFile(FileContainer *, const StreamingBufferConfig *sbcfg, const uint8_t *data, uint32_t data_len, uint16_t flags)
Close a File.
Definition: util-file.c:1061
FileContainer_
Definition: util-file.h:37
FileState_
FileState_
Definition: util-file.h:96
FileReassemblyDepth
uint32_t FileReassemblyDepth(void)
Definition: util-file.c:133
File_::inspect_min_size
uint32_t inspect_min_size
Definition: util-file.h:132
SCFileFlowFlagsToFlags
uint16_t SCFileFlowFlagsToFlags(const uint16_t flow_file_flags, uint8_t direction)
Definition: util-file.c:215
File_::size
uint64_t size
Definition: util-file.h:130
SC_SHA256_LEN
#define SC_SHA256_LEN
Definition: util-file.h:65
FileOpenFileWithId
int FileOpenFileWithId(FileContainer *, const StreamingBufferConfig *, uint32_t track_id, const uint8_t *name, uint16_t name_len, const uint8_t *data, uint32_t data_len, uint16_t flags)
Open a new File.
Definition: util-file.c:966
FILE_STATE_OPENED
@ FILE_STATE_OPENED
Definition: util-file.h:98
Flow_
Flow data structure.
Definition: flow.h:348
File_::state
FileState state
Definition: util-file.h:110
FileStore
int FileStore(File *)
Tag a file for storing.
Definition: util-file.c:610
SC_SHA1_LEN
#define SC_SHA1_LEN
Definition: util-file.h:68
File_::file_store_id
uint32_t file_store_id
Definition: util-file.h:113
FileForceSha1Enable
void FileForceSha1Enable(void)
Definition: util-file.c:110
FileReassemblyDepthEnable
void FileReassemblyDepthEnable(uint32_t size)
Definition: util-file.c:127
FileContainer_::tail
File * tail
Definition: util-file.h:39
FileContainer
struct FileContainer_ FileContainer
FILE_STATE_TRUNCATED
@ FILE_STATE_TRUNCATED
Definition: util-file.h:101
FileForceMagic
int FileForceMagic(void)
Definition: util-file.c:141
File_::sha1
uint8_t sha1[SC_SHA1_LEN]
Definition: util-file.h:124
SCSha256
struct SCSha256 SCSha256
Definition: util-file.h:64
FileCloseFileById
int FileCloseFileById(FileContainer *, const StreamingBufferConfig *sbcfg, uint32_t track_id, const uint8_t *data, uint32_t data_len, uint16_t flags)
Definition: util-file.c:1077
FileForceTrackingEnable
void FileForceTrackingEnable(void)
Definition: util-file.c:161
File_::sb
StreamingBuffer * sb
Definition: util-file.h:111
File_::name_len
uint16_t name_len
Definition: util-file.h:109
FileForceSha1
int FileForceSha1(void)
Definition: util-file.c:151
File_::md5
uint8_t md5[SC_MD5_LEN]
Definition: util-file.h:122
File_::file_track_id
uint32_t file_track_id
Definition: util-file.h:112
FileForceHashParseCfg
void FileForceHashParseCfg(SCConfNode *)
Function to parse forced file hashing configuration.
Definition: util-file.c:169
File_::end
uint64_t end
Definition: util-file.h:134
File_::fd
int fd
Definition: util-file.h:114
FileTrackedSize
uint64_t FileTrackedSize(const File *file)
get the size of the file
Definition: util-file.c:325
FileForceMd5Enable
void FileForceMd5Enable(void)
Definition: util-file.c:104
FileForceFilestore
int FileForceFilestore(void)
Definition: util-file.c:122
FileSetRange
int FileSetRange(FileContainer *, uint64_t start, uint64_t end)
Sets the offset range for a file.
Definition: util-file.c:858
File_::sid_max
uint32_t sid_max
Definition: util-file.h:138
FileContainer_::head
File * head
Definition: util-file.h:38
FileAppendGAPById
int FileAppendGAPById(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id, const uint8_t *data, uint32_t data_len)
Store/handle a chunk of file data in the File structure The file with 'track_id' in the FileContainer...
Definition: util-file.c:821
File_::sha256_ctx
SCSha256 * sha256_ctx
Definition: util-file.h:125
conf.h
name
const char * name
Definition: tm-threads.c:2163
FILE_STATE_MAX
@ FILE_STATE_MAX
Definition: util-file.h:104
File_::name
uint8_t * name
Definition: util-file.h:116
FileSetInspectSizes
void FileSetInspectSizes(File *file, const uint32_t win, const uint32_t min)
Definition: util-file.c:842
FileAppendData
int FileAppendData(FileContainer *, const StreamingBufferConfig *sbcfg, const uint8_t *data, uint32_t data_len)
Store a chunk of file data in the flow. The open "flowfile" will be used.
Definition: util-file.c:765
File_::sid
uint32_t * sid
Definition: util-file.h:136
File_::sid_cnt
uint32_t sid_cnt
Definition: util-file.h:137
StreamingBuffer_
Definition: util-streaming-buffer.h:108
FileForceFilestoreEnable
void FileForceFilestoreEnable(void)
Definition: util-file.c:92
File_::flags
uint16_t flags
Definition: util-file.h:108
File_::content_inspected
uint64_t content_inspected
Definition: util-file.h:127
FILE_STATE_CLOSED
@ FILE_STATE_CLOSED
Definition: util-file.h:99
File_
Definition: util-file.h:107
File_::content_stored
uint64_t content_stored
Definition: util-file.h:129
flags
uint8_t flags
Definition: decode-gre.h:0
util-streaming-buffer.h
FileForceMd5
int FileForceMd5(void)
Definition: util-file.c:146
File_::next
struct File_ * next
Definition: util-file.h:120
FileContainerFree
void FileContainerFree(FileContainer *, const StreamingBufferConfig *cfg)
Free a FileContainer.
Definition: util-file.c:515
FileContainerAdd
void FileContainerAdd(FileContainer *, File *)
Definition: util-file.c:594
File_::sha256
uint8_t sha256[SC_SHA256_LEN]
Definition: util-file.h:126
File_::start
uint64_t start
Definition: util-file.h:133
FilePrintFlags
#define FilePrintFlags(file)
Definition: util-file.h:259
FileDataSize
uint64_t FileDataSize(const File *file)
get the size of the file data
Definition: util-file.c:308
StreamingBufferConfig_
Definition: util-streaming-buffer.h:65
FilesPrune
void FilesPrune(FileContainer *fc, const StreamingBufferConfig *sbcfg, const bool trunc)
Definition: util-file.c:1186
FileForceSha256Enable
void FileForceSha256Enable(void)
Definition: util-file.c:116
FileDisableStoringForTransaction
void FileDisableStoringForTransaction(Flow *f, const uint8_t direction, void *tx, uint64_t tx_id)
disable file storing for a transaction
Definition: util-file.c:1138
File
struct File_ File
Definition: util-file.h:35
FileCloseFilePtr
int FileCloseFilePtr(File *ff, const StreamingBufferConfig *sbcfg, const uint8_t *data, uint32_t data_len, uint16_t flags)
Definition: util-file.c:979
File_::md5_ctx
SCMd5 * md5_ctx
Definition: util-file.h:121
FileForceSha256
int FileForceSha256(void)
Definition: util-file.c:156
File_::inspect_window
uint32_t inspect_window
Definition: util-file.h:131
FileContainerAlloc
FileContainer * FileContainerAlloc(void)
allocate a FileContainer
Definition: util-file.c:479
FileState
enum FileState_ FileState
FileAppendDataById
int FileAppendDataById(FileContainer *, const StreamingBufferConfig *sbcfg, uint32_t track_id, const uint8_t *data, uint32_t data_len)
Store/handle a chunk of file data in the File structure The file with 'track_id' in the FileContainer...
Definition: util-file.c:790
FileStoreFileById
void FileStoreFileById(FileContainer *fc, uint32_t)
flag a file with id "file_id" to be stored.
Definition: util-file.c:1156
SC_MD5_LEN
#define SC_MD5_LEN
Definition: util-file.h:71
flow.h
FileUpdateFlowFileFlags
void FileUpdateFlowFileFlags(Flow *f, uint16_t set_file_flags, uint8_t direction)
set a flow's file flags
Definition: util-file.c:1102
SCConfNode_
Definition: conf.h:37
FILE_STATE_ERROR
@ FILE_STATE_ERROR
Definition: util-file.h:103
SCMd5
struct SCMd5 SCMd5
Definition: util-file.h:70
FILE_STATE_NONE
@ FILE_STATE_NONE
Definition: util-file.h:97
File_::sha1_ctx
SCSha1 * sha1_ctx
Definition: util-file.h:123