detect/file: Filehandler registration logic
Add file handler registration functions for consolidated file handling.

Issue: 4145
jlucovsky authored and victorjulien committed Jul 14, 2023
1 parent f2e2576 commit 2fd0025
Showing 3 changed files with 83 additions and 1 deletion.
10 changes: 10 additions & 0 deletions src/detect-engine-register.c
Expand Up @@ -447,6 +447,14 @@ int SigTableList(const char *keyword)
return TM_ECODE_DONE;
}

static void DetectFileHandlerRegister(void)
{
for (int i = 0; i < DETECT_TBLSIZE; i++) {
if (filehandler_table[i].name)
DetectFileRegisterFileProtocols(&filehandler_table[i]);
}
}

void SigTableSetup(void)
{
memset(sigmatch_table, 0, sizeof(sigmatch_table));
Expand Down Expand Up @@ -689,6 +697,8 @@ void SigTableSetup(void)
DetectTransformUrlDecodeRegister();
DetectTransformXorRegister();

DetectFileHandlerRegister();

/* close keyword registration */
DetectBufferTypeCloseRegistration();
}
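Review bot: The `DetectFileHandlerRegister();` call in the second hunk is order-dependent and nothing in the code says so: the helper only acts on entries whose `name` is already set, so it presumably has to run after every keyword Register() call that fills `filehandler_table` (those calls are not part of this commit) and before `DetectBufferTypeCloseRegistration()`. I would add a comment above the call, e.g. `/* must stay after all keyword registration: walks the filehandler_table entries filled in above */`, so that a keyword added below it later does not silently lose file inspection on every protocol. `SigTableSetup` also clears `sigmatch_table` with `memset` but leaves `filehandler_table` untouched; if setup can run more than once in a process, clearing both would keep the two tables consistent. The body of `SigTableSetup` continues outside both hunks.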
55 changes: 55 additions & 0 deletions src/detect-parse.c
Expand Up @@ -73,6 +73,58 @@
#include "action-globals.h"
#include "util-validate.h"

/* Table with all filehandler registrations */
DetectFileHandlerTableElmt filehandler_table[DETECT_TBLSIZE];

void DetectFileRegisterFileProtocols(DetectFileHandlerTableElmt *reg)
{
// file protocols with common file handling
typedef struct {
AppProto al_proto;
int direction;
int to_client_progress;
int to_server_progress;
} DetectFileHandlerProtocol_t;
static DetectFileHandlerProtocol_t al_protocols[] = {
{ .al_proto = ALPROTO_NFS, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT },
{ .al_proto = ALPROTO_SMB, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT },
{ .al_proto = ALPROTO_FTP, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT },
{ .al_proto = ALPROTO_FTPDATA, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT },
{ .al_proto = ALPROTO_HTTP1,
.direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT,
.to_client_progress = HTP_RESPONSE_BODY,
.to_server_progress = HTP_REQUEST_BODY },
{ .al_proto = ALPROTO_HTTP2,
.direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT,
.to_client_progress = HTTP2StateDataServer,
.to_server_progress = HTTP2StateDataClient },
{ .al_proto = ALPROTO_SMTP, .direction = SIG_FLAG_TOSERVER }
};

for (size_t i = 0; i < ARRAY_SIZE(al_protocols); i++) {
int direction = al_protocols[i].direction == 0
? (int)(SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT)
: al_protocols[i].direction;

if (direction & SIG_FLAG_TOCLIENT) {
DetectAppLayerMpmRegister2(reg->name, SIG_FLAG_TOCLIENT, reg->priority,
reg->PrefilterFn, reg->GetData, al_protocols[i].al_proto,
al_protocols[i].to_client_progress);
DetectAppLayerInspectEngineRegister2(reg->name, al_protocols[i].al_proto,
SIG_FLAG_TOCLIENT, al_protocols[i].to_client_progress, reg->Callback,
reg->GetData);
}
if (direction & SIG_FLAG_TOSERVER) {
DetectAppLayerMpmRegister2(reg->name, SIG_FLAG_TOSERVER, reg->priority,
reg->PrefilterFn, reg->GetData, al_protocols[i].al_proto,
al_protocols[i].to_server_progress);
DetectAppLayerInspectEngineRegister2(reg->name, al_protocols[i].al_proto,
SIG_FLAG_TOSERVER, al_protocols[i].to_server_progress, reg->Callback,
reg->GetData);
}
}
}

/* Table with all SigMatch registrations */
SigTableElmt sigmatch_table[DETECT_TBLSIZE];

Expand All @@ -82,6 +134,9 @@ static void SigMatchTransferSigMatchAcrossLists(SigMatch *sm,
SigMatch **src_sm_list, SigMatch **src_sm_list_tail,
SigMatch **dst_sm_list, SigMatch **dst_sm_list_tail);

/**
* \brief Registration table for file handlers
*/
/**
* \brief We use this as data to the hash table DetectEngineCtx->dup_sig_hash_table.
*/
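Review bot: `DetectFileRegisterFileProtocols` hands `reg->PrefilterFn`, `reg->Callback` and `reg->GetData` straight to the registration calls, while the only gate in the caller is `filehandler_table[i].name`; an entry with a name but a missing callback would be registered for all seven protocols, and whether the `...Register2` functions reject NULL is not visible here. Since `util-validate.h` is already included, a check at the top such as `DEBUG_VALIDATE_BUG_ON(reg == NULL || reg->Callback == NULL || reg->GetData == NULL);` would surface that in validation builds at startup rather than during inspection. The local `al_protocols` table is never written and could be `static const`. In the second hunk, the added `\brief Registration table for file handlers` comment sits directly above another doc comment and documents nothing; it belongs on the `filehandler_table` definition.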
19 changes: 18 additions & 1 deletion src/detect-parse.h
Expand Up @@ -25,6 +25,24 @@
#define __DETECT_PARSE_H__

#include "detect.h"
#include "detect-engine-mpm.h"

/* File handler registration */
#define MAX_DETECT_ALPROTO_CNT 10
typedef struct DetectFileHandlerTableElmt_ {
const char *name;
int priority;
PrefilterRegisterFunc PrefilterFn;
InspectEngineFuncPtr2 Callback;
InspectionBufferGetDataPtr GetData;
int al_protocols[MAX_DETECT_ALPROTO_CNT];
int tx_progress;
int progress;
} DetectFileHandlerTableElmt;
void DetectFileRegisterFileProtocols(DetectFileHandlerTableElmt *entry);

/* File registration table */
extern DetectFileHandlerTableElmt filehandler_table[DETECT_TBLSIZE];

/** Flags to indicate if the Signature parsing must be done
* switching the source and dest (for ip addresses and ports)
Expand Down Expand Up @@ -104,4 +122,3 @@ int SC_Pcre2SubstringGet(pcre2_match_data *match_data, uint32_t number, PCRE2_UC
PCRE2_SIZE *bufflen);

#endif /* __DETECT_PARSE_H__ */
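Review bot: `DetectFileHandlerTableElmt` declares `al_protocols[MAX_DETECT_ALPROTO_CNT]`, `tx_progress` and `progress`, but the registration code in this commit reads only `name`, `priority`, `PrefilterFn`, `Callback` and `GetData`, and takes its protocol list from a hard-coded table in detect-parse.c. A keyword that fills `al_protocols` expecting to limit where it is inspected would still be registered for every file protocol, so either drop the three fields until they are used or mark them, e.g. `/* not yet consulted by DetectFileRegisterFileProtocols() */`. The struct has no per-field documentation; a short doc comment stating which members are mandatory would help keyword authors. The prototype names its parameter `entry` while the definition uses `reg`.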
