suricata.8.0.0/util-file_8h_source.html

/* Copyright (C) 2007-2021 Open Information Security Foundation

 *

 * You can copy, redistribute or modify this Program under the terms of

 * the GNU General Public License version 2 as published by the Free

 * Software Foundation.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * version 2 along with this program; if not, write to the Free Software

 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA

 * 02110-1301, USA.

 */


/**

 * \file

 *

 * \author Victor Julien <victor@inliniac.net>

 *

 */


#ifndef SURICATA_UTIL_FILE_H

#define SURICATA_UTIL_FILE_H


#include "conf.h"

#include "util-streaming-buffer.h"

#include "flow.h"


/* Hack: Pulling rust.h to get the SCSha256 causes all sorts of problems with

 *   header include orders, which is something we'll have to resolve as we provide

 *   more functionality via Rust. But this lets me continue with replacing nss

 *   without fighting the headers at this time. */

typedef struct SCSha256 SCSha256;

#define SC_SHA256_LEN 32


typedef struct SCSha1 SCSha1;

#define SC_SHA1_LEN 20


typedef struct SCMd5 SCMd5;

#define SC_MD5_LEN 16


#define FILE_TRUNCATED  BIT_U16(0)

#define FILE_NOMAGIC    BIT_U16(1)

#define FILE_NOMD5      BIT_U16(2)

#define FILE_MD5        BIT_U16(3)

#define FILE_NOSHA1     BIT_U16(4)

#define FILE_SHA1       BIT_U16(5)

#define FILE_NOSHA256   BIT_U16(6)

#define FILE_SHA256     BIT_U16(7)

#define FILE_LOGGED     BIT_U16(8)

#define FILE_NOSTORE    BIT_U16(9)

#define FILE_STORE      BIT_U16(10)

#define FILE_STORED     BIT_U16(11)

#define FILE_NOTRACK    BIT_U16(12) /**< track size of file */

#define FILE_USE_DETECT BIT_U16(13) /**< use content_inspected tracker */

#define FILE_HAS_GAPS   BIT_U16(15)


// to be used instead of PATH_MAX which depends on the OS

#define SC_FILENAME_MAX 4096


#define FILEDATA_CONTENT_LIMIT            100000

#define FILEDATA_CONTENT_INSPECT_MIN_SIZE 32768

#define FILEDATA_CONTENT_INSPECT_WINDOW   4096


typedef enum FileState_ {

    FILE_STATE_NONE = 0,    /**< no state */

    FILE_STATE_OPENED,      /**< flow file is opened */

    FILE_STATE_CLOSED,      /**< flow file is completed,

                                     there will be no more data. */

    FILE_STATE_TRUNCATED,   /**< flow file is not complete, but

                                     there will be no more data. */

    FILE_STATE_ERROR,       /**< file is in an error state */

    FILE_STATE_MAX

} FileState;


typedef struct File_ {

    uint16_t flags;

    uint16_t name_len;

    FileState state;

    StreamingBuffer *sb;

    uint32_t file_track_id;         /**< id used by protocol parser */

    uint32_t file_store_id;         /**< id used in store file name file.<id> */

    int fd;                         /**< file descriptor for filestore, not

                                        open if equal to -1 */

    uint8_t *name;

#ifdef HAVE_MAGIC

    char *magic;

#endif

    struct File_ *next;

    SCMd5 *md5_ctx;

    uint8_t md5[SC_MD5_LEN];

    SCSha1 *sha1_ctx;

    uint8_t sha1[SC_SHA1_LEN];

    SCSha256 *sha256_ctx;

    uint8_t sha256[SC_SHA256_LEN];

    uint64_t content_inspected;     /**< used in pruning if FILE_USE_DETECT

                                     *   flag is set */

    uint64_t content_stored;

    uint64_t size;

    uint32_t inspect_window;

    uint32_t inspect_min_size;

    uint64_t start;

    uint64_t end;


    uint32_t *sid; /* signature id of a rule that triggered the filestore event */

    uint32_t sid_cnt;

    uint32_t sid_max;

} File;


typedef struct FileContainer_ {

    File *head;

    File *tail;

} FileContainer;


FileContainer *FileContainerAlloc(void);

void FileContainerFree(FileContainer *, const StreamingBufferConfig *cfg);


void FileContainerRecycle(FileContainer *, const StreamingBufferConfig *cfg);


void FileContainerAdd(FileContainer *, File *);


/**

 *  \brief Open a new File

 *

 *  \param ffc flow container

 *  \param sbcfg buffer config

 *  \param name filename character array

 *  \param name_len filename len

 *  \param data initial data

 *  \param data_len initial data len

 *  \param flags open flags

 *

 *  \retval ff flowfile object

 *

 *  \note filename is not a string, so it's not nul terminated.

 *

 *  If flags contains the FILE_USE_DETECT bit, the pruning code will

 *  consider not just the content_stored tracker, but also content_inspected.

 *  It's the responsibility of the API user to make sure this tracker is

 *  properly updated.

 */

int FileOpenFileWithId(FileContainer *, const StreamingBufferConfig *,

        uint32_t track_id, const uint8_t *name, uint16_t name_len,

        const uint8_t *data, uint32_t data_len, uint16_t flags);


/**

 *  \brief Close a File

 *

 *  \param ffc the container

 *  \param data final data if any

 *  \param data_len data len if any

 *  \param flags flags

 *

 *  \retval 0 ok

 *  \retval -1 error

 */

int FileCloseFile(FileContainer *, const StreamingBufferConfig *sbcfg, const uint8_t *data,

        uint32_t data_len, uint16_t flags);

int FileCloseFileById(FileContainer *, const StreamingBufferConfig *sbcfg, uint32_t track_id,

        const uint8_t *data, uint32_t data_len, uint16_t flags);

int FileCloseFilePtr(File *ff, const StreamingBufferConfig *sbcfg, const uint8_t *data,

        uint32_t data_len, uint16_t flags);


/**

 *  \brief Store a chunk of file data in the flow. The open "flowfile"

 *         will be used.

 *

 *  \param ffc the container

 *  \param data data chunk

 *  \param data_len data chunk len

 *

 *  \retval 0 ok

 *  \retval -1 error

 */

int FileAppendData(FileContainer *, const StreamingBufferConfig *sbcfg, const uint8_t *data,

        uint32_t data_len);

int FileAppendDataById(FileContainer *, const StreamingBufferConfig *sbcfg, uint32_t track_id,

        const uint8_t *data, uint32_t data_len);

int FileAppendGAPById(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id,

        const uint8_t *data, uint32_t data_len);


void FileSetInspectSizes(File *file, const uint32_t win, const uint32_t min);


/**

 *  \brief Sets the offset range for a file.

 *

 *  \param ffc the container

 *  \param start start offset

 *  \param end end offset

 *

 *  \retval 0 ok

 *  \retval -1 error

 */

int FileSetRange(FileContainer *, uint64_t start, uint64_t end);


/**

 *  \brief Tag a file for storing

 *

 *  \param ff The file to store

 */

int FileStore(File *);


/**

 *  \brief disable file storing for a transaction

 *

 *  \param f flow

 *  \param direction STREAM_TOSERVER or STREAM_TOCLIENT

 *  \param tx transaction pointer

 *  \param tx_id transaction id

 */

void FileDisableStoringForTransaction(Flow *f, const uint8_t direction, void *tx, uint64_t tx_id);


void FileForceFilestoreEnable(void);

int FileForceFilestore(void);

void FileReassemblyDepthEnable(uint32_t size);

uint32_t FileReassemblyDepth(void);


void FileForceMagicEnable(void);

int FileForceMagic(void);


void FileForceMd5Enable(void);

int FileForceMd5(void);


void FileForceSha1Enable(void);

int FileForceSha1(void);


void FileForceSha256Enable(void);

int FileForceSha256(void);


void FileUpdateFlowFileFlags(Flow *f, uint16_t set_file_flags, uint8_t direction);


void FileForceHashParseCfg(SCConfNode *);


void FileForceTrackingEnable(void);


void FileStoreFileById(FileContainer *fc, uint32_t);


uint64_t FileDataSize(const File *file);

uint64_t FileTrackedSize(const File *file);


uint16_t FileFlowFlagsToFlags(const uint16_t flow_file_flags, uint8_t direction);

uint16_t FileFlowToFlags(const Flow *flow, uint8_t direction);


#ifdef DEBUG

void FilePrintFlags(const File *file);

#else

#define FilePrintFlags(file)

#endif


void FilesPrune(FileContainer *fc, const StreamingBufferConfig *sbcfg, const bool trunc);


#endif /* SURICATA_UTIL_FILE_H */

conf.h

flags
uint8_t flags
Definition decode-gre.h:0

flow.h

FileContainer_
Definition util-file.h:113

FileContainer_::tail
File * tail
Definition util-file.h:115

FileContainer_::head
File * head
Definition util-file.h:114

File_
Definition util-file.h:79

File_::name
uint8_t * name
Definition util-file.h:88

File_::name_len
uint16_t name_len
Definition util-file.h:81

File_::inspect_window
uint32_t inspect_window
Definition util-file.h:103

File_::sid_max
uint32_t sid_max
Definition util-file.h:110

File_::sb
StreamingBuffer * sb
Definition util-file.h:83

File_::size
uint64_t size
Definition util-file.h:102

File_::md5
uint8_t md5[SC_MD5_LEN]
Definition util-file.h:94

File_::end
uint64_t end
Definition util-file.h:106

File_::sid_cnt
uint32_t sid_cnt
Definition util-file.h:109

File_::flags
uint16_t flags
Definition util-file.h:80

File_::state
FileState state
Definition util-file.h:82

File_::sha256
uint8_t sha256[SC_SHA256_LEN]
Definition util-file.h:98

File_::md5_ctx
SCMd5 * md5_ctx
Definition util-file.h:93

File_::inspect_min_size
uint32_t inspect_min_size
Definition util-file.h:104

File_::sid
uint32_t * sid
Definition util-file.h:108

File_::sha1_ctx
SCSha1 * sha1_ctx
Definition util-file.h:95

File_::fd
int fd
Definition util-file.h:86

File_::next
struct File_ * next
Definition util-file.h:92

File_::sha256_ctx
SCSha256 * sha256_ctx
Definition util-file.h:97

File_::file_track_id
uint32_t file_track_id
Definition util-file.h:84

File_::sha1
uint8_t sha1[SC_SHA1_LEN]
Definition util-file.h:96

File_::content_stored
uint64_t content_stored
Definition util-file.h:101

File_::file_store_id
uint32_t file_store_id
Definition util-file.h:85

File_::content_inspected
uint64_t content_inspected
Definition util-file.h:99

File_::start
uint64_t start
Definition util-file.h:105

Flow_
Flow data structure.
Definition flow.h:356

SCConfNode_
Definition conf.h:37

StreamingBufferConfig_
Definition util-streaming-buffer.h:65

StreamingBuffer_
Definition util-streaming-buffer.h:108

name
const char * name
Definition tm-threads.c:2163

FilesPrune
void FilesPrune(FileContainer *fc, const StreamingBufferConfig *sbcfg, const bool trunc)
Definition util-file.c:1187

FileContainerAlloc
FileContainer * FileContainerAlloc(void)
allocate a FileContainer
Definition util-file.c:480

FileDataSize
uint64_t FileDataSize(const File *file)
get the size of the file data
Definition util-file.c:309

FileTrackedSize
uint64_t FileTrackedSize(const File *file)
get the size of the file
Definition util-file.c:326

FilePrintFlags
#define FilePrintFlags(file)
Definition util-file.h:250

FileForceSha256Enable
void FileForceSha256Enable(void)
Definition util-file.c:116

SCSha1
struct SCSha1 SCSha1
Definition util-file.h:39

File
struct File_ File

FileForceHashParseCfg
void FileForceHashParseCfg(SCConfNode *)
Function to parse forced file hashing configuration.
Definition util-file.c:170

FileForceFilestore
int FileForceFilestore(void)
Definition util-file.c:122

FileFlowFlagsToFlags
uint16_t FileFlowFlagsToFlags(const uint16_t flow_file_flags, uint8_t direction)
Definition util-file.c:216

FileDisableStoringForTransaction
void FileDisableStoringForTransaction(Flow *f, const uint8_t direction, void *tx, uint64_t tx_id)
disable file storing for a transaction
Definition util-file.c:1139

SC_SHA1_LEN
#define SC_SHA1_LEN
Definition util-file.h:40

FileCloseFilePtr
int FileCloseFilePtr(File *ff, const StreamingBufferConfig *sbcfg, const uint8_t *data, uint32_t data_len, uint16_t flags)
Definition util-file.c:980

FileAppendGAPById
int FileAppendGAPById(FileContainer *ffc, const StreamingBufferConfig *sbcfg, uint32_t track_id, const uint8_t *data, uint32_t data_len)
Store/handle a chunk of file data in the File structure The file with 'track_id' in the FileContainer...
Definition util-file.c:822

FileForceMagicEnable
void FileForceMagicEnable(void)
Definition util-file.c:98

FileCloseFileById
int FileCloseFileById(FileContainer *, const StreamingBufferConfig *sbcfg, uint32_t track_id, const uint8_t *data, uint32_t data_len, uint16_t flags)
Definition util-file.c:1078

FileForceSha256
int FileForceSha256(void)
Definition util-file.c:156

FileAppendData
int FileAppendData(FileContainer *, const StreamingBufferConfig *sbcfg, const uint8_t *data, uint32_t data_len)
Store a chunk of file data in the flow. The open "flowfile" will be used.
Definition util-file.c:766

FileCloseFile
int FileCloseFile(FileContainer *, const StreamingBufferConfig *sbcfg, const uint8_t *data, uint32_t data_len, uint16_t flags)
Close a File.
Definition util-file.c:1062

FileSetInspectSizes
void FileSetInspectSizes(File *file, const uint32_t win, const uint32_t min)
Definition util-file.c:843

FileContainerRecycle
void FileContainerRecycle(FileContainer *, const StreamingBufferConfig *cfg)
Recycle a FileContainer.
Definition util-file.c:496

FileReassemblyDepth
uint32_t FileReassemblyDepth(void)
Definition util-file.c:133

FileContainer
struct FileContainer_ FileContainer

FileForceMd5
int FileForceMd5(void)
Definition util-file.c:146

SCSha256
struct SCSha256 SCSha256
Definition util-file.h:36

FileReassemblyDepthEnable
void FileReassemblyDepthEnable(uint32_t size)
Definition util-file.c:127

FileContainerFree
void FileContainerFree(FileContainer *, const StreamingBufferConfig *cfg)
Free a FileContainer.
Definition util-file.c:516

FileForceFilestoreEnable
void FileForceFilestoreEnable(void)
Definition util-file.c:92

FileAppendDataById
int FileAppendDataById(FileContainer *, const StreamingBufferConfig *sbcfg, uint32_t track_id, const uint8_t *data, uint32_t data_len)
Store/handle a chunk of file data in the File structure The file with 'track_id' in the FileContainer...
Definition util-file.c:791

FileState
enum FileState_ FileState

SCMd5
struct SCMd5 SCMd5
Definition util-file.h:42

FileForceMagic
int FileForceMagic(void)
Definition util-file.c:141

FileFlowToFlags
uint16_t FileFlowToFlags(const Flow *flow, uint8_t direction)
Definition util-file.c:273

FileStoreFileById
void FileStoreFileById(FileContainer *fc, uint32_t)
flag a file with id "file_id" to be stored.
Definition util-file.c:1157

FileForceTrackingEnable
void FileForceTrackingEnable(void)
Definition util-file.c:161

FileContainerAdd
void FileContainerAdd(FileContainer *, File *)
Definition util-file.c:595

FileForceSha1
int FileForceSha1(void)
Definition util-file.c:151

FileSetRange
int FileSetRange(FileContainer *, uint64_t start, uint64_t end)
Sets the offset range for a file.
Definition util-file.c:859

FileForceSha1Enable
void FileForceSha1Enable(void)
Definition util-file.c:110

SC_MD5_LEN
#define SC_MD5_LEN
Definition util-file.h:43

FileState_
FileState_
Definition util-file.h:68

FILE_STATE_OPENED
@ FILE_STATE_OPENED
Definition util-file.h:70

FILE_STATE_TRUNCATED
@ FILE_STATE_TRUNCATED
Definition util-file.h:73

FILE_STATE_MAX
@ FILE_STATE_MAX
Definition util-file.h:76

FILE_STATE_ERROR
@ FILE_STATE_ERROR
Definition util-file.h:75

FILE_STATE_NONE
@ FILE_STATE_NONE
Definition util-file.h:69

FILE_STATE_CLOSED
@ FILE_STATE_CLOSED
Definition util-file.h:71

FileOpenFileWithId
int FileOpenFileWithId(FileContainer *, const StreamingBufferConfig *, uint32_t track_id, const uint8_t *name, uint16_t name_len, const uint8_t *data, uint32_t data_len, uint16_t flags)
Open a new File.
Definition util-file.c:967

FileUpdateFlowFileFlags
void FileUpdateFlowFileFlags(Flow *f, uint16_t set_file_flags, uint8_t direction)
set a flow's file flags
Definition util-file.c:1103

SC_SHA256_LEN
#define SC_SHA256_LEN
Definition util-file.h:37

FileStore
int FileStore(File *)
Tag a file for storing.
Definition util-file.c:611

FileForceMd5Enable
void FileForceMd5Enable(void)
Definition util-file.c:104

util-streaming-buffer.h