Adding upstream version 1:7.0.3.upstream/1%7.0.3

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 216 insertions, 0 deletions

diff --git a/src/detect-engine-file.c b/src/detect-engine-file.c
new file mode 100644
index 0000000..e7fd9e0
--- /dev/null
+++ b/src/detect-engine-file.c
@@ -0,0 +1,216 @@
+/* Copyright (C) 2007-2021 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Victor Julien <victor@inliniac.net>
+ */
+
+#include "suricata-common.h"
+
+#include "decode.h"
+
+#include "detect.h"
+#include "detect-engine.h"
+#include "detect-parse.h"
+#include "detect-engine-state.h"
+
+#include "detect-filestore.h"
+
+#include "detect-engine-dcepayload.h"
+#include "detect-engine-file.h"
+
+#include "stream-tcp.h"
+#include "stream-tcp-private.h"
+#include "stream-tcp-reassemble.h"
+
+#include "app-layer-parser.h"
+#include "app-layer-protos.h"
+#include "app-layer-htp.h"
+#include "app-layer-smtp.h"
+
+#include "util-unittest.h"
+#include "util-unittest-helper.h"
+#include "util-profiling.h"
+#include "util-validate.h"
+
+/**
+ *  \brief Inspect the file inspecting keywords.
+ *
+ *  \param tv thread vars
+ *  \param det_ctx detection engine thread ctx
+ *  \param f flow
+ *  \param s signature to inspect
+ *
+ *  \retval 0 no match
+ *  \retval 1 match
+ *  \retval 2 can't match
+ *  \retval 3 can't match filestore signature
+ */
+static uint8_t DetectFileInspect(DetectEngineThreadCtx *det_ctx, Flow *f, const Signature *s,
+        const SigMatchData *smd, uint8_t flags, FileContainer *ffc)
+{
+    uint8_t r = 0;
+    int match = 0;
+    int store_r = 0;
+
+    SCLogDebug("file inspection... %p", ffc);
+
+    for (File *file = ffc->head; file != NULL; file = file->next) {
+        SCLogDebug("file");
+
+        if (file->state == FILE_STATE_NONE) {
+            SCLogDebug("file state FILE_STATE_NONE");
+            continue;
+        }
+
+        if ((s->file_flags & FILE_SIG_NEED_FILENAME) && file->name == NULL) {
+            SCLogDebug("sig needs filename, but we don't have any");
+            r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
+            continue;
+        }
+
+        uint64_t file_size = FileDataSize(file);
+        if ((s->file_flags & FILE_SIG_NEED_MAGIC) && file_size == 0) {
+            SCLogDebug("sig needs file content, but we don't have any");
+            r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
+            continue;
+        }
+
+        if ((s->file_flags & FILE_SIG_NEED_FILECONTENT) && file_size == 0) {
+            SCLogDebug("sig needs file content, but we don't have any");
+            r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
+            continue;
+        }
+
+        if ((s->file_flags & FILE_SIG_NEED_MD5) && (!(file->flags & FILE_MD5))) {
+            SCLogDebug("sig needs file md5, but we don't have any");
+            r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
+            continue;
+        }
+
+        if ((s->file_flags & FILE_SIG_NEED_SHA1) && (!(file->flags & FILE_SHA1))) {
+            SCLogDebug("sig needs file sha1, but we don't have any");
+            r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
+            continue;
+        }
+
+        if ((s->file_flags & FILE_SIG_NEED_SHA256) && (!(file->flags & FILE_SHA256))) {
+            SCLogDebug("sig needs file sha256, but we don't have any");
+            r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
+            continue;
+        }
+
+        if ((s->file_flags & FILE_SIG_NEED_SIZE) && file->state < FILE_STATE_CLOSED) {
+            SCLogDebug("sig needs filesize, but state < FILE_STATE_CLOSED");
+            r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
+            continue;
+        }
+
+        /* run the file match functions. */
+        while (1) {
+            SCLogDebug("smd %p", smd);
+
+            if (sigmatch_table[smd->type].FileMatch != NULL) {
+                KEYWORD_PROFILING_START;
+                match = sigmatch_table[smd->type].FileMatch(det_ctx, f, flags, file, s, smd->ctx);
+                KEYWORD_PROFILING_END(det_ctx, smd->type, (match > 0));
+                if (match == 0) {
+                    r = DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES;
+                    break;
+                } else if (smd->is_last) {
+                    r = DETECT_ENGINE_INSPECT_SIG_MATCH;
+                    break;
+                }
+            }
+            if (smd->is_last)
+                break;
+            smd++;
+        }
+
+        /* continue inspection for other files as we may want to store
+         * those as well. We'll return 1 (match) regardless of their
+         * results though */
+        if (r == DETECT_ENGINE_INSPECT_SIG_MATCH)
+            store_r = DETECT_ENGINE_INSPECT_SIG_MATCH;
+
+        /* continue, this file may (or may not) be unable to match
+         * maybe we have more that can :) */
+    }
+
+    if (r == DETECT_ENGINE_INSPECT_SIG_NO_MATCH && store_r == DETECT_ENGINE_INSPECT_SIG_MATCH) {
+        SCLogDebug("stored MATCH, current file NOMATCH");
+        SCReturnInt(DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES);
+    }
+
+    if (store_r == DETECT_ENGINE_INSPECT_SIG_MATCH)
+        r = DETECT_ENGINE_INSPECT_SIG_MATCH;
+    SCReturnInt(r);
+}
+
+/**
+ *  \brief Inspect the file inspecting keywords against the state
+ *
+ *  \param det_ctx detection engine thread ctx
+ *  \param f flow
+ *  \param s signature to inspect
+ *  \param alstate state
+ *  \param flags direction flag
+ *
+ *  \retval 0 no match
+ *  \retval 1 match
+ *  \retval 2 can't match
+ *  \retval 3 can't match filestore signature
+ *
+ *  \note flow is not locked at this time
+ */
+uint8_t DetectFileInspectGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
+        const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
+        uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
+{
+    SCEnter();
+    DEBUG_VALIDATE_BUG_ON(f->alstate != alstate);
+
+    const uint8_t direction = flags & (STREAM_TOSERVER|STREAM_TOCLIENT);
+    AppLayerGetFileState files = AppLayerParserGetTxFiles(f, alstate, tx, direction);
+    FileContainer *ffc = files.fc;
+    SCLogDebug("tx %p tx_id %" PRIu64 " ffc %p ffc->head %p sid %u", tx, tx_id, ffc,
+            ffc ? ffc->head : NULL, s->id);
+    if (ffc == NULL) {
+        SCReturnInt(DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES);
+    } else if (ffc->head == NULL) {
+        SCReturnInt(DETECT_ENGINE_INSPECT_SIG_NO_MATCH);
+    }
+
+    uint8_t r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
+    uint8_t match = DetectFileInspect(det_ctx, f, s, engine->smd, flags, ffc);
+    if (match == DETECT_ENGINE_INSPECT_SIG_MATCH) {
+        r = DETECT_ENGINE_INSPECT_SIG_MATCH;
+    } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH) {
+        SCLogDebug("sid %u can't match on this transaction", s->id);
+        r = DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
+    } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES) {
+        SCLogDebug("sid %u can't match on this transaction (file sig)", s->id);
+        r = DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES;
+    } else if (match == DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES) {
+        SCLogDebug("match with more files ahead");
+        r = match;
+    }
+
+    SCReturnInt(r);
+}