suricata
util-file.h
Go to the documentation of this file.
1 /* Copyright (C) 2007-2011 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  */
24 
25 #ifndef __UTIL_FILE_H__
26 #define __UTIL_FILE_H__
27 
28 #ifdef HAVE_NSS
29 #include <sechash.h>
30 #endif
31 
32 #include "conf.h"
33 
34 #include "util-streaming-buffer.h"
35 
36 #define FILE_TRUNCATED BIT_U16(0)
37 #define FILE_NOMAGIC BIT_U16(1)
38 #define FILE_NOMD5 BIT_U16(2)
39 #define FILE_MD5 BIT_U16(3)
40 #define FILE_NOSHA1 BIT_U16(4)
41 #define FILE_SHA1 BIT_U16(5)
42 #define FILE_NOSHA256 BIT_U16(6)
43 #define FILE_SHA256 BIT_U16(7)
44 #define FILE_LOGGED BIT_U16(8)
45 #define FILE_NOSTORE BIT_U16(9)
46 #define FILE_STORE BIT_U16(10)
47 #define FILE_STORED BIT_U16(11)
48 #define FILE_NOTRACK BIT_U16(12) /**< track size of file */
49 #define FILE_USE_DETECT BIT_U16(13) /**< use content_inspected tracker */
50 #define FILE_HAS_GAPS BIT_U16(15)
51 
52 typedef enum FileState_ {
53  FILE_STATE_NONE = 0, /**< no state */
54  FILE_STATE_OPENED, /**< flow file is opened */
55  FILE_STATE_CLOSED, /**< flow file is completed,
56  there will be no more data. */
57  FILE_STATE_TRUNCATED, /**< flow file is not complete, but
58  there will be no more data. */
59  FILE_STATE_ERROR, /**< file is in an error state */
60  FILE_STATE_MAX
61 } FileState;
62 
63 typedef struct File_ {
64  uint16_t flags;
65  uint16_t name_len;
66  FileState state;
67  StreamingBuffer *sb;
68  uint64_t txid; /**< tx this file is part of */
69  uint32_t file_track_id; /**< id used by protocol parser */
70  uint32_t file_store_id; /**< id used in store file name file.<id> */
71  int fd; /**< file descriptor for filestore, not
72  open if equal to -1 */
73  uint8_t *name;
74 #ifdef HAVE_MAGIC
75  char *magic;
76 #endif
77  struct File_ *next;
78 #ifdef HAVE_NSS
79  HASHContext *md5_ctx;
80  uint8_t md5[MD5_LENGTH];
81  HASHContext *sha1_ctx;
82  uint8_t sha1[SHA1_LENGTH];
83  HASHContext *sha256_ctx;
84  uint8_t sha256[SHA256_LENGTH];
85 #endif
86  uint64_t content_inspected; /**< used in pruning if FILE_USE_DETECT
87  * flag is set */
88  uint64_t content_stored;
89  uint64_t size;
90  uint32_t inspect_window;
91  uint32_t inspect_min_size;
92  uint64_t start;
93  uint64_t end;
94 
95  uint32_t *sid; /* signature id of a rule that triggered the filestore event */
96  uint32_t sid_cnt;
97  uint32_t sid_max;
98 } File;
99 
100 typedef struct FileContainer_ {
101  File *head;
102  File *tail;
103 } FileContainer;
104 
105 FileContainer *FileContainerAlloc(void);
106 void FileContainerFree(FileContainer *);
107 
108 void FileContainerRecycle(FileContainer *);
109 
110 void FileContainerAdd(FileContainer *, File *);
111 
112 /**
113  * \brief Open a new File
114  *
115  * \param ffc flow container
116  * \param sbcfg buffer config
117  * \param name filename character array
118  * \param name_len filename len
119  * \param data initial data
120  * \param data_len initial data len
121  * \param flags open flags
122  *
123  * \retval ff flowfile object
124  *
125  * \note filename is not a string, so it's not nul terminated.
126  *
127  * If flags contains the FILE_USE_DETECT bit, the pruning code will
128  * consider not just the content_stored tracker, but also content_inspected.
129  * It's the responsibility of the API user to make sure this tracker is
130  * properly updated.
131  */
132 int FileOpenFileWithId(FileContainer *, const StreamingBufferConfig *,
133  uint32_t track_id, const uint8_t *name, uint16_t name_len,
134  const uint8_t *data, uint32_t data_len, uint16_t flags);
135 
136 /**
137  * \brief Close a File
138  *
139  * \param ffc the container
140  * \param data final data if any
141  * \param data_len data len if any
142  * \param flags flags
143  *
144  * \retval 0 ok
145  * \retval -1 error
146  */
147 int FileCloseFile(FileContainer *, const uint8_t *data, uint32_t data_len,
148  uint16_t flags);
149 int FileCloseFileById(FileContainer *, uint32_t track_id,
150  const uint8_t *data, uint32_t data_len, uint16_t flags);
151 int FileCloseFilePtr(File *ff, const uint8_t *data,
152  uint32_t data_len, uint16_t flags);
153 
154 /**
155  * \brief Store a chunk of file data in the flow. The open "flowfile"
156  * will be used.
157  *
158  * \param ffc the container
159  * \param data data chunk
160  * \param data_len data chunk len
161  *
162  * \retval 0 ok
163  * \retval -1 error
164  */
165 int FileAppendData(FileContainer *, const uint8_t *data, uint32_t data_len);
166 int FileAppendDataById(FileContainer *, uint32_t track_id,
167  const uint8_t *data, uint32_t data_len);
168 int FileAppendGAPById(FileContainer *ffc, uint32_t track_id,
169  const uint8_t *data, uint32_t data_len);
170 
171 void FileSetInspectSizes(File *file, const uint32_t win, const uint32_t min);
172 
173 /**
174  * \brief Sets the offset range for a file.
175  *
176  * \param ffc the container
177  * \param start start offset
178  * \param end end offset
179  *
180  * \retval 0 ok
181  * \retval -1 error
182  */
183 int FileSetRange(FileContainer *, uint64_t start, uint64_t end);
184 
185 /**
186  * \brief Tag a file for storing
187  *
188  * \param ff The file to store
189  */
190 int FileStore(File *);
191 
192 /**
193  * \brief Set the TX id for a file
194  *
195  * \param ff The file to store
196  * \param txid the tx id
197  */
198 int FileSetTx(File *, uint64_t txid);
199 void FileContainerSetTx(FileContainer *ffc, uint64_t tx_id);
200 
201 /**
202  * \brief disable file storing for a transaction
203  *
204  * \param f flow
205  * \param tx_id transaction id
206  */
207 void FileDisableStoringForTransaction(Flow *f, uint8_t direction, uint64_t tx_id);
208 
209 void FlowFileDisableStoringForTransaction(struct Flow_ *f, uint64_t tx_id);
210 void FilePrune(FileContainer *ffc);
211 
212 void FileForceFilestoreEnable(void);
213 int FileForceFilestore(void);
214 void FileReassemblyDepthEnable(uint32_t size);
215 uint32_t FileReassemblyDepth(void);
216 
217 void FileForceMagicEnable(void);
218 int FileForceMagic(void);
219 
220 void FileForceMd5Enable(void);
221 int FileForceMd5(void);
222 
223 void FileForceSha1Enable(void);
224 int FileForceSha1(void);
225 
226 void FileForceSha256Enable(void);
227 int FileForceSha256(void);
228 
229 void FileUpdateFlowFileFlags(Flow *f, uint16_t set_file_flags, uint8_t direction);
230 
231 void FileForceHashParseCfg(ConfNode *);
232 
233 void FileForceTrackingEnable(void);
234 
235 void FileStoreAllFiles(FileContainer *);
236 void FileStoreAllFilesForTx(FileContainer *, uint64_t);
237 void FileStoreFileById(FileContainer *fc, uint32_t);
238 
239 void FileTruncateAllOpenFiles(FileContainer *);
240 
241 uint64_t FileDataSize(const File *file);
242 uint64_t FileTrackedSize(const File *file);
243 
244 uint16_t FileFlowToFlags(const Flow *flow, uint8_t direction);
245 
246 #endif /* __UTIL_FILE_H__ */
FileFlowToFlags
uint16_t FileFlowToFlags(const Flow *flow, uint8_t direction)
Definition: util-file.c:231
FileForceMagicEnable
void FileForceMagicEnable(void)
Definition: util-file.c:100
FileContainer_
Definition: util-file.h:100
FileCloseFile
int FileCloseFile(FileContainer *, const uint8_t *data, uint32_t data_len, uint16_t flags)
Close a File.
Definition: util-file.c:1027
FileState_
FileState_
Definition: util-file.h:52
FileReassemblyDepth
uint32_t FileReassemblyDepth(void)
Definition: util-file.c:135
File_::inspect_min_size
uint32_t inspect_min_size
Definition: util-file.h:91
File_::size
uint64_t size
Definition: util-file.h:89
FileCloseFileById
int FileCloseFileById(FileContainer *, uint32_t track_id, const uint8_t *data, uint32_t data_len, uint16_t flags)
Definition: util-file.c:1043
FileDisableStoringForTransaction
void FileDisableStoringForTransaction(Flow *f, uint8_t direction, uint64_t tx_id)
disable file storing for a transaction
Definition: util-file.c:1169
FileOpenFileWithId
int FileOpenFileWithId(FileContainer *, const StreamingBufferConfig *, uint32_t track_id, const uint8_t *name, uint16_t name_len, const uint8_t *data, uint32_t data_len, uint16_t flags)
Open a new File.
Definition: util-file.c:933
FILE_STATE_OPENED
@ FILE_STATE_OPENED
Definition: util-file.h:54
Flow_
Flow data structure.
Definition: flow.h:347
File_::state
FileState state
Definition: util-file.h:66
FileStore
int FileStore(File *)
Tag a file for storing.
Definition: util-file.c:554
File_::file_store_id
uint32_t file_store_id
Definition: util-file.h:70
FileTruncateAllOpenFiles
void FileTruncateAllOpenFiles(FileContainer *)
Definition: util-file.c:1243
FileForceSha1Enable
void FileForceSha1Enable(void)
Definition: util-file.c:112
FileAppendData
int FileAppendData(FileContainer *, const uint8_t *data, uint32_t data_len)
Store a chunk of file data in the flow. The open "flowfile" will be used.
Definition: util-file.c:722
FileReassemblyDepthEnable
void FileReassemblyDepthEnable(uint32_t size)
Definition: util-file.c:129
FileContainer_::tail
File * tail
Definition: util-file.h:102
FileContainer
struct FileContainer_ FileContainer
FILE_STATE_TRUNCATED
@ FILE_STATE_TRUNCATED
Definition: util-file.h:57
FileForceMagic
int FileForceMagic(void)
Definition: util-file.c:143
SHA1_LENGTH
#define SHA1_LENGTH
Definition: util-crypt.h:45
FileForceTrackingEnable
void FileForceTrackingEnable(void)
Definition: util-file.c:163
File_::sb
StreamingBuffer * sb
Definition: util-file.h:67
File_::name_len
uint16_t name_len
Definition: util-file.h:65
FileForceSha1
int FileForceSha1(void)
Definition: util-file.c:153
File_::file_track_id
uint32_t file_track_id
Definition: util-file.h:69
File_::end
uint64_t end
Definition: util-file.h:93
File_::fd
int fd
Definition: util-file.h:71
FileTrackedSize
uint64_t FileTrackedSize(const File *file)
get the size of the file
Definition: util-file.c:308
FileContainerFree
void FileContainerFree(FileContainer *)
Free a FileContainer.
Definition: util-file.c:459
FileForceMd5Enable
void FileForceMd5Enable(void)
Definition: util-file.c:106
FileForceFilestore
int FileForceFilestore(void)
Definition: util-file.c:124
FileSetRange
int FileSetRange(FileContainer *, uint64_t start, uint64_t end)
Sets the offset range for a file.
Definition: util-file.c:814
FileContainerSetTx
void FileContainerSetTx(FileContainer *ffc, uint64_t tx_id)
Definition: util-file.c:574
File_::sid_max
uint32_t sid_max
Definition: util-file.h:97
FileContainer_::head
File * head
Definition: util-file.h:101
FileAppendDataById
int FileAppendDataById(FileContainer *, uint32_t track_id, const uint8_t *data, uint32_t data_len)
Store/handle a chunk of file data in the File structure The file with 'track_id' in the FileContainer...
Definition: util-file.c:746
FileAppendGAPById
int FileAppendGAPById(FileContainer *ffc, uint32_t track_id, const uint8_t *data, uint32_t data_len)
Store/handle a chunk of file data in the File structure The file with 'track_id' in the FileContainer...
Definition: util-file.c:777
FilePrune
void FilePrune(FileContainer *ffc)
Definition: util-file.c:388
conf.h
FILE_STATE_MAX
@ FILE_STATE_MAX
Definition: util-file.h:60
File_::name
uint8_t * name
Definition: util-file.h:73
FileSetInspectSizes
void FileSetInspectSizes(File *file, const uint32_t win, const uint32_t min)
Definition: util-file.c:798
File_::sid
uint32_t * sid
Definition: util-file.h:95
File_::sid_cnt
uint32_t sid_cnt
Definition: util-file.h:96
StreamingBuffer_
Definition: util-streaming-buffer.h:95
FileForceFilestoreEnable
void FileForceFilestoreEnable(void)
Definition: util-file.c:94
FileStoreAllFilesForTx
void FileStoreAllFilesForTx(FileContainer *, uint64_t)
Definition: util-file.c:1215
File_::flags
uint16_t flags
Definition: util-file.h:64
File_::content_inspected
uint64_t content_inspected
Definition: util-file.h:86
FILE_STATE_CLOSED
@ FILE_STATE_CLOSED
Definition: util-file.h:55
File_
Definition: util-file.h:63
File_::content_stored
uint64_t content_stored
Definition: util-file.h:88
flags
uint8_t flags
Definition: decode-gre.h:0
util-streaming-buffer.h
FileForceMd5
int FileForceMd5(void)
Definition: util-file.c:148
File_::next
struct File_ * next
Definition: util-file.h:77
FileStoreAllFiles
void FileStoreAllFiles(FileContainer *)
Definition: util-file.c:1230
FileContainerAdd
void FileContainerAdd(FileContainer *, File *)
Definition: util-file.c:539
File_::start
uint64_t start
Definition: util-file.h:92
FlowFileDisableStoringForTransaction
void FlowFileDisableStoringForTransaction(struct Flow_ *f, uint64_t tx_id)
FileDataSize
uint64_t FileDataSize(const File *file)
get the size of the file data
Definition: util-file.c:291
StreamingBufferConfig_
Definition: util-streaming-buffer.h:67
FileForceSha256Enable
void FileForceSha256Enable(void)
Definition: util-file.c:118
FileCloseFilePtr
int FileCloseFilePtr(File *ff, const uint8_t *data, uint32_t data_len, uint16_t flags)
Definition: util-file.c:945
FileSetTx
int FileSetTx(File *, uint64_t txid)
Set the TX id for a file.
Definition: util-file.c:566
ConfNode_
Definition: conf.h:32
File
struct File_ File
FileContainerRecycle
void FileContainerRecycle(FileContainer *)
Recycle a FileContainer.
Definition: util-file.c:440
FileForceSha256
int FileForceSha256(void)
Definition: util-file.c:158
File_::inspect_window
uint32_t inspect_window
Definition: util-file.h:90
FileForceHashParseCfg
void FileForceHashParseCfg(ConfNode *)
Function to parse forced file hashing configuration.
Definition: util-file.c:172
FileContainerAlloc
FileContainer * FileContainerAlloc(void)
allocate a FileContainer
Definition: util-file.c:423
FileState
enum FileState_ FileState
File_::txid
uint64_t txid
Definition: util-file.h:68
FileStoreFileById
void FileStoreFileById(FileContainer *fc, uint32_t)
flag a file with id "file_id" to be stored.
Definition: util-file.c:1200
FileUpdateFlowFileFlags
void FileUpdateFlowFileFlags(Flow *f, uint16_t set_file_flags, uint8_t direction)
set a flow's file flags
Definition: util-file.c:1068
FILE_STATE_ERROR
@ FILE_STATE_ERROR
Definition: util-file.h:59
FILE_STATE_NONE
@ FILE_STATE_NONE
Definition: util-file.h:53