util-file_8h_source.html

 /* Copyright (C) 2007-2011 Open Information Security Foundation
  *
  * You can copy, redistribute or modify this Program under the terms of
  * the GNU General Public License version 2 as published by the Free
  * Software Foundation.
  *
  * This program is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
  * version 2 along with this program; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  * 02110-1301, USA.
  */

 /**
  * \file
  *
  * \author Victor Julien <victor@inliniac.net>
  *
  */

 #ifndef __UTIL_FILE_H__
 #define __UTIL_FILE_H__

 #ifdef HAVE_NSS
 #include <sechash.h>
 #endif

 #include "conf.h"

 #include "util-streaming-buffer.h"

 #define FILE_TRUNCATED  BIT_U16(0)
 #define FILE_NOMAGIC    BIT_U16(1)
 #define FILE_NOMD5      BIT_U16(2)
 #define FILE_MD5        BIT_U16(3)
 #define FILE_NOSHA1     BIT_U16(4)
 #define FILE_SHA1       BIT_U16(5)
 #define FILE_NOSHA256   BIT_U16(6)
 #define FILE_SHA256     BIT_U16(7)
 #define FILE_LOGGED     BIT_U16(8)
 #define FILE_NOSTORE    BIT_U16(9)
 #define FILE_STORE      BIT_U16(10)
 #define FILE_STORED     BIT_U16(11)
 #define FILE_NOTRACK    BIT_U16(12) /**< track size of file */
 #define FILE_USE_DETECT BIT_U16(13) /**< use content_inspected tracker */
 #define FILE_HAS_GAPS   BIT_U16(15)

 typedef enum FileState_ {
     FILE_STATE_NONE = 0,    /**< no state */
     FILE_STATE_OPENED,      /**< flow file is opened */
     FILE_STATE_CLOSED,      /**< flow file is completed,
                                      there will be no more data. */
     FILE_STATE_TRUNCATED,   /**< flow file is not complete, but
                                      there will be no more data. */
     FILE_STATE_ERROR,       /**< file is in an error state */
     FILE_STATE_MAX
 } FileState;

 typedef struct File_ {
     uint16_t flags;
     uint16_t name_len;
     FileState state;
     StreamingBuffer *sb;
     uint64_t txid;                  /**< tx this file is part of */
     uint32_t file_track_id;         /**< id used by protocol parser */
     uint32_t file_store_id;         /**< id used in store file name file.<id> */
     int fd;                         /**< file descriptor for filestore, not
                                         open if equal to -1 */
     uint8_t *name;
 #ifdef HAVE_MAGIC
     char *magic;
 #endif
     struct File_ *next;
 #ifdef HAVE_NSS
     HASHContext *md5_ctx;
     uint8_t md5[MD5_LENGTH];
     HASHContext *sha1_ctx;
     uint8_t sha1[SHA1_LENGTH];
     HASHContext *sha256_ctx;
     uint8_t sha256[SHA256_LENGTH];
 #endif
     uint64_t content_inspected;     /**< used in pruning if FILE_USE_DETECT
                                      *   flag is set */
     uint64_t content_stored;
     uint64_t size;
     uint32_t inspect_window;
     uint32_t inspect_min_size;
     uint64_t start;
     uint64_t end;

     uint32_t *sid; /* signature id of a rule that triggered the filestore event */
     uint32_t sid_cnt;
     uint32_t sid_max;
 } File;

 typedef struct FileContainer_ {
     File *head;
     File *tail;
 } FileContainer;

 FileContainer *FileContainerAlloc(void);
 void FileContainerFree(FileContainer *);

 void FileContainerRecycle(FileContainer *);

 void FileContainerAdd(FileContainer *, File *);

 /**
  *  \brief Open a new File
  *
  *  \param ffc flow container
  *  \param sbcfg buffer config
  *  \param name filename character array
  *  \param name_len filename len
  *  \param data initial data
  *  \param data_len initial data len
  *  \param flags open flags
  *
  *  \retval ff flowfile object
  *
  *  \note filename is not a string, so it's not nul terminated.
  *
  *  If flags contains the FILE_USE_DETECT bit, the pruning code will
  *  consider not just the content_stored tracker, but also content_inspected.
  *  It's the responsibility of the API user to make sure this tracker is
  *  properly updated.
  */
 int FileOpenFileWithId(FileContainer *, const StreamingBufferConfig *,
         uint32_t track_id, const uint8_t *name, uint16_t name_len,
         const uint8_t *data, uint32_t data_len, uint16_t flags);

 /**
  *  \brief Close a File
  *
  *  \param ffc the container
  *  \param data final data if any
  *  \param data_len data len if any
  *  \param flags flags
  *
  *  \retval 0 ok
  *  \retval -1 error
  */
 int FileCloseFile(FileContainer *, const uint8_t *data, uint32_t data_len,
         uint16_t flags);
 int FileCloseFileById(FileContainer *, uint32_t track_id,
         const uint8_t *data, uint32_t data_len, uint16_t flags);
 int FileCloseFilePtr(File *ff, const uint8_t *data,
         uint32_t data_len, uint16_t flags);

 /**
  *  \brief Store a chunk of file data in the flow. The open "flowfile"
  *         will be used.
  *
  *  \param ffc the container
  *  \param data data chunk
  *  \param data_len data chunk len
  *
  *  \retval 0 ok
  *  \retval -1 error
  */
 int FileAppendData(FileContainer *, const uint8_t *data, uint32_t data_len);
 int FileAppendDataById(FileContainer *, uint32_t track_id,
         const uint8_t *data, uint32_t data_len);
 int FileAppendGAPById(FileContainer *ffc, uint32_t track_id,
         const uint8_t *data, uint32_t data_len);

 void FileSetInspectSizes(File *file, const uint32_t win, const uint32_t min);

 /**
  *  \brief Sets the offset range for a file.
  *
  *  \param ffc the container
  *  \param start start offset
  *  \param end end offset
  *
  *  \retval 0 ok
  *  \retval -1 error
  */
 int FileSetRange(FileContainer *, uint64_t start, uint64_t end);

 /**
  *  \brief Tag a file for storing
  *
  *  \param ff The file to store
  */
 int FileStore(File *);

 /**
  *  \brief Set the TX id for a file
  *
  *  \param ff The file to store
  *  \param txid the tx id
  */
 int FileSetTx(File *, uint64_t txid);
 void FileContainerSetTx(FileContainer *ffc, uint64_t tx_id);

 /**
  *  \brief disable file storage for a flow
  *
  *  \param f *LOCKED* flow
  */
 void FileDisableStoring(struct Flow_ *, uint8_t);

 void FileDisableFilesize(Flow *f, uint8_t direction);

 /**
  *  \brief disable file storing for a transaction
  *
  *  \param f flow
  *  \param tx_id transaction id
  */
 void FileDisableStoringForTransaction(Flow *f, uint8_t direction, uint64_t tx_id);

 void FlowFileDisableStoringForTransaction(struct Flow_ *f, uint64_t tx_id);
 void FilePrune(FileContainer *ffc);

 void FileForceFilestoreEnable(void);
 int FileForceFilestore(void);
 void FileReassemblyDepthEnable(uint32_t size);
 uint32_t FileReassemblyDepth(void);

 void FileDisableMagic(Flow *f, uint8_t);
 void FileForceMagicEnable(void);
 int FileForceMagic(void);

 void FileDisableMd5(Flow *f, uint8_t);
 void FileForceMd5Enable(void);
 int FileForceMd5(void);

 void FileDisableSha1(Flow *f, uint8_t);
 void FileForceSha1Enable(void);
 int FileForceSha1(void);

 void FileDisableSha256(Flow *f, uint8_t);
 void FileForceSha256Enable(void);
 int FileForceSha256(void);

 void FileForceHashParseCfg(ConfNode *);

 void FileForceTrackingEnable(void);

 void FileStoreAllFiles(FileContainer *);
 void FileStoreAllFilesForTx(FileContainer *, uint64_t);
 void FileStoreFileById(FileContainer *fc, uint32_t);

 void FileTruncateAllOpenFiles(FileContainer *);

 uint64_t FileDataSize(const File *file);
 uint64_t FileTrackedSize(const File *file);

 uint16_t FileFlowToFlags(const Flow *flow, uint8_t direction);

 #endif /* __UTIL_FILE_H__ */
FILE_STATE_CLOSED
Definition: util-file.h:55

FileOpenFileWithId
int FileOpenFileWithId(FileContainer *, const StreamingBufferConfig *, uint32_t track_id, const uint8_t *name, uint16_t name_len, const uint8_t *data, uint32_t data_len, uint16_t flags)
Open a new File.
Definition: util-file.c:906

FileForceMagic
int FileForceMagic(void)
Definition: util-file.c:132

FileContainerAdd
void FileContainerAdd(FileContainer *, File *)
Definition: util-file.c:527

FileForceSha256Enable
void FileForceSha256Enable(void)
Definition: util-file.c:108

FileForceTrackingEnable
void FileForceTrackingEnable(void)
Definition: util-file.c:152

FileStoreAllFiles
void FileStoreAllFiles(FileContainer *)
Definition: util-file.c:1340

StreamingBufferConfig_
Definition: util-streaming-buffer.h:67

File_::size
uint64_t size
Definition: util-file.h:89

FileContainer_
Definition: util-file.h:100

FilePrune
void FilePrune(FileContainer *ffc)
Definition: util-file.c:376

File_::sid_cnt
uint32_t sid_cnt
Definition: util-file.h:96

FileFlowToFlags
uint16_t FileFlowToFlags(const Flow *flow, uint8_t direction)
Definition: util-file.c:219

FileForceSha1
int FileForceSha1(void)
Definition: util-file.c:142

FileForceFilestore
int FileForceFilestore(void)
Definition: util-file.c:113

FileAppendGAPById
int FileAppendGAPById(FileContainer *ffc, uint32_t track_id, const uint8_t *data, uint32_t data_len)
Store/handle a chunk of file data in the File structure The file with &#39;track_id&#39; in the FileContainer...
Definition: util-file.c:750

FileDisableSha256
void FileDisableSha256(Flow *f, uint8_t)
disable file sha256 calc for this flow
Definition: util-file.c:1182

FileTruncateAllOpenFiles
void FileTruncateAllOpenFiles(FileContainer *)
Definition: util-file.c:1353

File_::content_inspected
uint64_t content_inspected
Definition: util-file.h:86

File_::fd
int fd
Definition: util-file.h:71

FileState_
FileState_
Definition: util-file.h:52

File_::next
struct File_ * next
Definition: util-file.h:77

FileContainerFree
void FileContainerFree(FileContainer *)
Free a FileContainer.
Definition: util-file.c:447

FileForceFilestoreEnable
void FileForceFilestoreEnable(void)
Definition: util-file.c:88

File
struct File_ File

FileSetRange
int FileSetRange(FileContainer *, uint64_t start, uint64_t end)
Sets the offset range for a file.
Definition: util-file.c:789

FileContainer
struct FileContainer_ FileContainer

File_::sb
StreamingBuffer * sb
Definition: util-file.h:67

File_::inspect_min_size
uint32_t inspect_min_size
Definition: util-file.h:91

FileContainerAlloc
FileContainer * FileContainerAlloc(void)
allocate a FileContainer
Definition: util-file.c:411

File_::start
uint64_t start
Definition: util-file.h:92

util-streaming-buffer.h

File_::flags
uint16_t flags
Definition: util-file.h:64

StreamingBuffer_
Definition: util-streaming-buffer.h:95

File_
Definition: util-file.h:63

FileContainerRecycle
void FileContainerRecycle(FileContainer *)
Recycle a FileContainer.
Definition: util-file.c:428

File_::end
uint64_t end
Definition: util-file.h:93

File_::sid
uint32_t * sid
Definition: util-file.h:95

FileForceMd5Enable
void FileForceMd5Enable(void)
Definition: util-file.c:98

FileContainer_::tail
File * tail
Definition: util-file.h:102

File_::sid_max
uint32_t sid_max
Definition: util-file.h:97

File_::txid
uint64_t txid
Definition: util-file.h:68

FileStoreAllFilesForTx
void FileStoreAllFilesForTx(FileContainer *, uint64_t)
Definition: util-file.c:1325

FileForceHashParseCfg
void FileForceHashParseCfg(ConfNode *)
Function to parse forced file hashing configuration.
Definition: util-file.c:160

File_::name_len
uint16_t name_len
Definition: util-file.h:65

FileStore
int FileStore(File *)
Tag a file for storing.
Definition: util-file.c:542

FileContainer_::head
File * head
Definition: util-file.h:101

FileDisableStoring
void FileDisableStoring(struct Flow_ *, uint8_t)
disable file storage for a flow
Definition: util-file.c:1041

FileCloseFilePtr
int FileCloseFilePtr(File *ff, const uint8_t *data, uint32_t data_len, uint16_t flags)
Definition: util-file.c:918

FileCloseFileById
int FileCloseFileById(FileContainer *, uint32_t track_id, const uint8_t *data, uint32_t data_len, uint16_t flags)
Definition: util-file.c:1016

FILE_STATE_ERROR
Definition: util-file.h:59

FileDisableFilesize
void FileDisableFilesize(Flow *f, uint8_t direction)
disable file size tracking for this flow
Definition: util-file.c:1221

FILE_STATE_MAX
Definition: util-file.h:60

File_::inspect_window
uint32_t inspect_window
Definition: util-file.h:90

FILE_STATE_NONE
Definition: util-file.h:53

FileTrackedSize
uint64_t FileTrackedSize(const File *file)
get the size of the file
Definition: util-file.c:296

ConfNode_
Definition: conf.h:32

FileAppendDataById
int FileAppendDataById(FileContainer *, uint32_t track_id, const uint8_t *data, uint32_t data_len)
Store/handle a chunk of file data in the File structure The file with &#39;track_id&#39; in the FileContainer...
Definition: util-file.c:719

FlowFileDisableStoringForTransaction
void FlowFileDisableStoringForTransaction(struct Flow_ *f, uint64_t tx_id)

FileDisableSha1
void FileDisableSha1(Flow *f, uint8_t)
disable file sha1 calc for this flow
Definition: util-file.c:1143

FileForceSha256
int FileForceSha256(void)
Definition: util-file.c:147

FileForceMagicEnable
void FileForceMagicEnable(void)
Definition: util-file.c:93

FileDisableMd5
void FileDisableMd5(Flow *f, uint8_t)
disable file md5 calc for this flow
Definition: util-file.c:1104

tx_id
uint16_t tx_id
Definition: app-layer-dns-common.h:268

FileForceSha1Enable
void FileForceSha1Enable(void)
Definition: util-file.c:103

FileReassemblyDepth
uint32_t FileReassemblyDepth(void)
Definition: util-file.c:124

FileDataSize
uint64_t FileDataSize(const File *file)
get the size of the file data
Definition: util-file.c:279

File_::state
FileState state
Definition: util-file.h:66

File_::file_store_id
uint32_t file_store_id
Definition: util-file.h:70

File_::content_stored
uint64_t content_stored
Definition: util-file.h:88

File_::file_track_id
uint32_t file_track_id
Definition: util-file.h:69

FileDisableStoringForTransaction
void FileDisableStoringForTransaction(Flow *f, uint8_t direction, uint64_t tx_id)
disable file storing for a transaction
Definition: util-file.c:1279

FileStoreFileById
void FileStoreFileById(FileContainer *fc, uint32_t)
flag a file with id "file_id" to be stored.
Definition: util-file.c:1310

FileContainerSetTx
void FileContainerSetTx(FileContainer *ffc, uint64_t tx_id)
Definition: util-file.c:562

FileDisableMagic
void FileDisableMagic(Flow *f, uint8_t)
disable file magic lookups for this flow
Definition: util-file.c:1073

FileAppendData
int FileAppendData(FileContainer *, const uint8_t *data, uint32_t data_len)
Store a chunk of file data in the flow. The open "flowfile" will be used.
Definition: util-file.c:695

FileReassemblyDepthEnable
void FileReassemblyDepthEnable(uint32_t size)
Definition: util-file.c:118

FILE_STATE_TRUNCATED
Definition: util-file.h:57

FILE_STATE_OPENED
Definition: util-file.h:54

FileForceMd5
int FileForceMd5(void)
Definition: util-file.c:137

FileCloseFile
int FileCloseFile(FileContainer *, const uint8_t *data, uint32_t data_len, uint16_t flags)
Close a File.
Definition: util-file.c:1000

FileState
enum FileState_ FileState

SHA1_LENGTH
#define SHA1_LENGTH
Definition: util-crypt.h:45

Flow_
Flow data structure.
Definition: flow.h:325

File_::name
uint8_t * name
Definition: util-file.h:73

FileSetInspectSizes
void FileSetInspectSizes(File *file, const uint32_t win, const uint32_t min)
Definition: util-file.c:773

conf.h

FileSetTx
int FileSetTx(File *, uint64_t txid)
Set the TX id for a file.
Definition: util-file.c:554