1 files changed, 376 insertions, 0 deletions

diff --git a/src/detect-file-hash-common.c b/src/detect-file-hash-common.c
new file mode 100644
index 0000000..3d35c9d
--- /dev/null
+++ b/src/detect-file-hash-common.c
@@ -0,0 +1,376 @@
+/* Copyright (C) 2007-2016 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Victor Julien <victor@inliniac.net>
+ * \author Duarte Silva <duarte.silva@serializing.me>
+ *
+ */
+
+#include "suricata-common.h"
+
+#include "detect.h"
+#include "detect-parse.h"
+
+#include "detect-file-hash-common.h"
+
+#include "app-layer-htp.h"
+
+/**
+ * \brief Read the bytes of a hash from an hexadecimal string
+ *
+ * \param hash buffer to store the resulting bytes
+ * \param string hexadecimal string representing the hash
+ * \param filename file name from where the string was read
+ * \param line_no file line number from where the string was read
+ * \param expected_len the expected length of the string that was read
+ *
+ * \retval -1 the hexadecimal string is invalid
+ * \retval 1 the hexadecimal string was read successfully
+ */
+int ReadHashString(uint8_t *hash, const char *string, const char *filename, int line_no,
+        uint16_t expected_len)
+{
+    if (strlen(string) != expected_len) {
+        SCLogError("%s:%d hash string not %d characters", filename, line_no, expected_len);
+        return -1;
+    }
+
+    int i, x;
+    for (x = 0, i = 0; i < expected_len; i+=2, x++) {
+        char buf[3] = { 0, 0, 0 };
+        buf[0] = string[i];
+        buf[1] = string[i+1];
+
+        long value = strtol(buf, NULL, 16);
+        if (value >= 0 && value <= 255)
+            hash[x] = (uint8_t)value;
+        else {
+            SCLogError("%s:%d hash byte out of range %ld", filename, line_no, value);
+            return -1;
+        }
+    }
+
+    return 1;
+}
+
+/**
+ * \brief Store a hash into the hash table
+ *
+ * \param hash_table hash table that will hold the hash
+ * \param string hexadecimal string representing the hash
+ * \param filename file name from where the string was read
+ * \param line_no file line number from where the string was read
+ * \param type the hash algorithm
+ *
+ * \retval -1 failed to load the hash into the hash table
+ * \retval 1 successfully loaded the has into the hash table
+ */
+int LoadHashTable(ROHashTable *hash_table, const char *string, const char *filename,
+        int line_no, uint32_t type)
+{
+    /* allocate the maximum size a hash can have (in this case is SHA256, 32 bytes) */
+    uint8_t hash[32];
+    /* specify the actual size that should be read depending on the hash algorithm */
+    uint16_t size = 32;
+
+    if (type == DETECT_FILEMD5) {
+        size = 16;
+    }
+    else if (type == DETECT_FILESHA1) {
+        size = 20;
+    }
+
+    /* every byte represented with hexadecimal digits is two characters */
+    uint16_t expected_len = (size * 2);
+
+    if (ReadHashString(hash, string, filename, line_no, expected_len) == 1) {
+        if (ROHashInitQueueValue(hash_table, &hash, size) != 1)
+            return -1;
+    }
+
+    return 1;
+}
+
+/**
+ * \brief Match a hash stored in a hash table
+ *
+ * \param hash_table hash table that will hold the hash
+ * \param hash buffer containing the bytes of the has
+ * \param hash_len length of the hash buffer
+ *
+ * \retval 0 didn't find the specified hash
+ * \retval 1 the hash matched a stored value
+ */
+static int HashMatchHashTable(ROHashTable *hash_table, uint8_t *hash,
+        size_t hash_len)
+{
+    void *ptr = ROHashLookup(hash_table, hash, (uint16_t)hash_len);
+    if (ptr == NULL)
+        return 0;
+    else
+        return 1;
+}
+
+/**
+ * \brief Match the specified file hash
+ *
+ * \param det_ctx pattern matcher thread local data
+ * \param f *LOCKED* flow
+ * \param flags direction flags
+ * \param file file being inspected
+ * \param s signature being inspected
+ * \param m sigmatch that we will cast into DetectFileHashData
+ *
+ * \retval 0 no match
+ * \retval 1 match
+ */
+int DetectFileHashMatch (DetectEngineThreadCtx *det_ctx,
+        Flow *f, uint8_t flags, File *file, const Signature *s, const SigMatchCtx *m)
+{
+    SCEnter();
+    int ret = 0;
+    DetectFileHashData *filehash = (DetectFileHashData *)m;
+
+    if (file->state != FILE_STATE_CLOSED) {
+        SCReturnInt(0);
+    }
+
+    int match = -1;
+
+    if (s->file_flags & FILE_SIG_NEED_MD5 && file->flags & FILE_MD5) {
+        match = HashMatchHashTable(filehash->hash, file->md5, sizeof(file->md5));
+    }
+    else if (s->file_flags & FILE_SIG_NEED_SHA1 && file->flags & FILE_SHA1) {
+        match = HashMatchHashTable(filehash->hash, file->sha1, sizeof(file->sha1));
+    }
+    else if (s->file_flags & FILE_SIG_NEED_SHA256 && file->flags & FILE_SHA256) {
+        match = HashMatchHashTable(filehash->hash, file->sha256, sizeof(file->sha256));
+    }
+
+    if (match == 1) {
+        if (filehash->negated == 0)
+            ret = 1;
+        else
+            ret = 0;
+    }
+    else if (match == 0) {
+        if (filehash->negated == 0)
+            ret = 0;
+        else
+            ret = 1;
+    }
+
+    SCReturnInt(ret);
+}
+
+static const char *hexcodes = "ABCDEFabcdef0123456789";
+
+/**
+ * \brief Parse the filemd5, filesha1 or filesha256 keyword
+ *
+ * \param det_ctx pattern matcher thread local data
+ * \param str Pointer to the user provided option
+ * \param type the hash algorithm
+ *
+ * \retval hash pointer to DetectFileHashData on success
+ * \retval NULL on failure
+ */
+static DetectFileHashData *DetectFileHashParse (const DetectEngineCtx *de_ctx,
+        const char *str, uint32_t type)
+{
+    DetectFileHashData *filehash = NULL;
+    FILE *fp = NULL;
+    char *filename = NULL;
+    char *rule_filename = NULL;
+
+    /* We have a correct hash algorithm option */
+    filehash = SCMalloc(sizeof(DetectFileHashData));
+    if (unlikely(filehash == NULL))
+        goto error;
+
+    memset(filehash, 0x00, sizeof(DetectFileHashData));
+
+    if (strlen(str) && str[0] == '!') {
+        filehash->negated = 1;
+        str++;
+    }
+
+    if (type == DETECT_FILEMD5) {
+        filehash->hash = ROHashInit(18, 16);
+    }
+    else if (type == DETECT_FILESHA1) {
+        filehash->hash = ROHashInit(18, 20);
+    }
+    else if (type == DETECT_FILESHA256) {
+        filehash->hash = ROHashInit(18, 32);
+    }
+
+    if (filehash->hash == NULL) {
+        goto error;
+    }
+
+    /* get full filename */
+    filename = DetectLoadCompleteSigPath(de_ctx, str);
+    if (filename == NULL) {
+        goto error;
+    }
+
+    rule_filename = SCStrdup(de_ctx->rule_file);
+    if (rule_filename == NULL) {
+        goto error;
+    }
+
+    char line[8192] = "";
+    fp = fopen(filename, "r");
+    if (fp == NULL) {
+#ifdef HAVE_LIBGEN_H
+        if (de_ctx->rule_file != NULL) {
+            char *dir = dirname(rule_filename);
+            if (dir != NULL) {
+                char path[PATH_MAX];
+                snprintf(path, sizeof(path), "%s/%s", dir, str);
+                fp = fopen(path, "r");
+                if (fp == NULL) {
+                    SCLogError("opening hash file %s: %s", path, strerror(errno));
+                    goto error;
+                }
+            }
+        }
+        if (fp == NULL) {
+#endif
+            SCLogError("opening hash file %s: %s", filename, strerror(errno));
+            goto error;
+#ifdef HAVE_LIBGEN_H
+        }
+#endif
+    }
+
+    int line_no = 0;
+    while(fgets(line, (int)sizeof(line), fp) != NULL) {
+        size_t valid = 0, len = strlen(line);
+        line_no++;
+
+        while (strchr(hexcodes, line[valid]) != NULL && valid++ < len);
+
+        /* lines that do not contain sequentially any valid character are ignored */
+        if (valid == 0)
+            continue;
+
+        /* ignore anything after the sequence of valid characters */
+        line[valid] = '\0';
+
+        if (LoadHashTable(filehash->hash, line, filename, line_no, type) != 1) {
+            goto error;
+        }
+    }
+    fclose(fp);
+    fp = NULL;
+
+    if (ROHashInitFinalize(filehash->hash) != 1) {
+        goto error;
+    }
+    SCLogInfo("Hash hash table size %u bytes%s", ROHashMemorySize(filehash->hash), filehash->negated ? ", negated match" : "");
+
+    SCFree(rule_filename);
+    SCFree(filename);
+    return filehash;
+
+error:
+    if (filehash != NULL)
+        DetectFileHashFree((DetectEngineCtx *) de_ctx, filehash);
+    if (fp != NULL)
+        fclose(fp);
+    if (filename != NULL)
+        SCFree(filename);
+    if (rule_filename != NULL) {
+        SCFree(rule_filename);
+    }
+    return NULL;
+}
+
+/**
+ * \brief this function is used to parse filemd5, filesha1 and filesha256 options
+ * \brief into the current signature
+ *
+ * \param de_ctx pointer to the Detection Engine Context
+ * \param s pointer to the Current Signature
+ * \param str pointer to the user provided "filemd5", "filesha1" or "filesha256" option
+ * \param type type of file hash to setup
+ *
+ * \retval 0 on Success
+ * \retval -1 on Failure
+ */
+int DetectFileHashSetup(
+        DetectEngineCtx *de_ctx, Signature *s, const char *str, uint16_t type, int list)
+{
+    DetectFileHashData *filehash = NULL;
+    SigMatch *sm = NULL;
+
+    filehash = DetectFileHashParse(de_ctx, str, type);
+    if (filehash == NULL)
+        goto error;
+
+    /* Okay so far so good, lets get this into a SigMatch
+     * and put it in the Signature. */
+    sm = SigMatchAlloc();
+    if (sm == NULL)
+        goto error;
+
+    sm->type = type;
+    sm->ctx = (void *)filehash;
+
+    SigMatchAppendSMToList(s, sm, list);
+
+    s->file_flags |= FILE_SIG_NEED_FILE;
+
+    // Setup the file flags depending on the hashing algorithm
+    if (type == DETECT_FILEMD5) {
+        s->file_flags |= FILE_SIG_NEED_MD5;
+    }
+    if (type == DETECT_FILESHA1) {
+        s->file_flags |= FILE_SIG_NEED_SHA1;
+    }
+    if (type == DETECT_FILESHA256) {
+        s->file_flags |= FILE_SIG_NEED_SHA256;
+    }
+    return 0;
+
+error:
+    if (filehash != NULL)
+        DetectFileHashFree(de_ctx, filehash);
+    if (sm != NULL)
+        SCFree(sm);
+    return -1;
+}
+
+/**
+ * \brief this function will free memory associated with DetectFileHashData
+ *
+ * \param filehash pointer to DetectFileHashData
+ */
+void DetectFileHashFree(DetectEngineCtx *de_ctx, void *ptr)
+{
+    if (ptr != NULL) {
+        DetectFileHashData *filehash = (DetectFileHashData *)ptr;
+        if (filehash->hash != NULL)
+            ROHashFree(filehash->hash);
+        SCFree(filehash);
+    }
+}