/** \internal
* \brief Get a flow from the hash directly.
*
* Called in conditions where the spare queue is empty and memcap is reached.
*
* Walks the hash until a flow can be freed. Timeouts are disregarded, use_cnt
* is adhered to. "flow_prune_idx" atomic int makes sure we don't start at the
* top each time since that would clear the top of the hash leading to longer
* and longer search times under high pressure (observed).
*
* \retval f flow or NULL
*/
static Flow *FlowGetUsedFlow(void)
{
uint32_t idx = SC_ATOMIC_GET(flow_prune_idx) % flow_config.hash_size;
uint32_t cnt = flow_config.hash_size;
while (cnt--) {
if (++idx >= flow_config.hash_size)
idx = 0;
FlowBucket *fb = &flow_hash[idx];
if (FBLOCK_TRYLOCK(fb) != 0)
continue;
Flow *f = fb->tail;
if (f == NULL) {
FBLOCK_UNLOCK(fb);
continue;
}
if (FLOWLOCK_TRYWRLOCK(f) != 0) {
FBLOCK_UNLOCK(fb);
continue;
}
/** never prune a flow that is used by a packet or stream msg
* we are currently processing in one of the threads */
if (SC_ATOMIC_GET(f->use_cnt) > 0) {
FBLOCK_UNLOCK(fb);
FLOWLOCK_UNLOCK(f);
continue;
}
/* remove from the hash */
if (f->hprev != NULL)
f->hprev->hnext = f->hnext;
if (f->hnext != NULL)
f->hnext->hprev = f->hprev;
if (fb->head == f)
fb->head = f->hnext;
if (fb->tail == f)
fb->tail = f->hprev;
f->hnext = NULL;
f->hprev = NULL;
f->fb = NULL;
FBLOCK_UNLOCK(fb);
FlowClearMemory(f, f->protomap);
FLOWLOCK_UNLOCK(f);
(void) SC_ATOMIC_ADD(flow_prune_idx, (flow_config.hash_size - cnt));
return f;
}
return NULL;
}
/**
* \test Test the deallocation of app layer parser memory on occurance of
* error in the parsing process.
*/
static int AppLayerParserTest01(void)
{
AppLayerParserBackupParserTable();
int result = 0;
Flow *f = NULL;
uint8_t testbuf[] = { 0x11 };
uint32_t testlen = sizeof(testbuf);
TcpSession ssn;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&ssn, 0, sizeof(ssn));
/* Register the Test protocol state and parser functions */
AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_TEST, STREAM_TOSERVER,
TestProtocolParser);
AppLayerParserRegisterStateFuncs(IPPROTO_TCP, ALPROTO_TEST,
TestProtocolStateAlloc, TestProtocolStateFree);
f = UTHBuildFlow(AF_INET, "1.2.3.4", "4.3.2.1", 20, 40);
if (f == NULL)
goto end;
f->protoctx = &ssn;
f->alproto = ALPROTO_TEST;
f->proto = IPPROTO_TCP;
StreamTcpInitConfig(TRUE);
FLOWLOCK_WRLOCK(f);
int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_TEST,
STREAM_TOSERVER | STREAM_EOF, testbuf,
testlen);
if (r != -1) {
printf("returned %" PRId32 ", expected -1: ", r);
FLOWLOCK_UNLOCK(f);
goto end;
}
FLOWLOCK_UNLOCK(f);
if (!(ssn.flags & STREAMTCP_FLAG_APP_LAYER_DISABLED)) {
printf("flag should have been set, but is not: ");
goto end;
}
result = 1;
end:
AppLayerParserRestoreParserTable();
StreamTcpFreeConfig(TRUE);
UTHFreeFlow(f);
return result;
}
/**
* \brief Check if we need to drop-log this packet
*
* \param tv Pointer the current thread variables
* \param p Pointer the packet which is tested
*
* \retval bool TRUE or FALSE
*/
static int LogDropCondition(ThreadVars *tv, const Packet *p)
{
if (!EngineModeIsIPS()) {
SCLogDebug("engine is not running in inline mode, so returning");
return FALSE;
}
if (PKT_IS_PSEUDOPKT(p)) {
SCLogDebug("drop log doesn't log pseudo packets");
return FALSE;
}
if (p->flow != NULL) {
int ret = FALSE;
FLOWLOCK_RDLOCK(p->flow);
if (p->flow->flags & FLOW_ACTION_DROP) {
if (PKT_IS_TOSERVER(p) && !(p->flow->flags & FLOW_TOSERVER_DROP_LOGGED))
ret = TRUE;
else if (PKT_IS_TOCLIENT(p) && !(p->flow->flags & FLOW_TOCLIENT_DROP_LOGGED))
ret = TRUE;
}
FLOWLOCK_UNLOCK(p->flow);
return ret;
} else if (PACKET_TEST_ACTION(p, ACTION_DROP)) {
return TRUE;
}
return FALSE;
}
static int JsonTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p) {
JsonTlsLogThread *aft = (JsonTlsLogThread *)thread_data;
MemBuffer *buffer = (MemBuffer *)aft->buffer;
OutputTlsCtx *tls_ctx = aft->tlslog_ctx;
if (unlikely(p->flow == NULL)) {
return 0;
}
/* check if we have TLS state or not */
FLOWLOCK_WRLOCK(p->flow);
uint16_t proto = FlowGetAppProtocol(p->flow);
if (proto != ALPROTO_TLS)
goto end;
SSLState *ssl_state = (SSLState *)FlowGetAppState(p->flow);
if (unlikely(ssl_state == NULL)) {
goto end;
}
if (ssl_state->server_connp.cert0_issuerdn == NULL || ssl_state->server_connp.cert0_subject == NULL)
goto end;
json_t *js = CreateJSONHeader((Packet *)p, 0, "tls");//TODO
if (unlikely(js == NULL))
goto end;
json_t *tjs = json_object();
if (tjs == NULL) {
free(js);
goto end;
}
/* reset */
MemBufferReset(buffer);
/* tls.subject */
json_object_set_new(tjs, "subject",
json_string(ssl_state->server_connp.cert0_subject));
/* tls.issuerdn */
json_object_set_new(tjs, "issuerdn",
json_string(ssl_state->server_connp.cert0_issuerdn));
if (tls_ctx->flags & LOG_TLS_EXTENDED) {
LogTlsLogExtendedJSON(tjs, ssl_state);
}
json_object_set_new(js, "tls", tjs);
OutputJSONBuffer(js, tls_ctx->file_ctx, buffer);
json_object_clear(js);
json_decref(js);
/* we only log the state once */
ssl_state->flags |= SSL_AL_FLAG_STATE_LOGGED;
end:
FLOWLOCK_UNLOCK(p->flow);
return 0;
}
/**
* \brief Search tags for src and dst. Update entries of the tag, remove if necessary
*
* \param de_ctx Detect context
* \param det_ctx Detect thread context
* \param p packet
*
*/
void TagHandlePacket(DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx, Packet *p)
{
/* If there's no tag, get out of here */
unsigned int current_tags = SC_ATOMIC_GET(num_tags);
if (current_tags == 0)
return;
/* First update and get session tags */
if (p->flow != NULL) {
FLOWLOCK_WRLOCK(p->flow);
TagHandlePacketFlow(p->flow, p);
FLOWLOCK_UNLOCK(p->flow);
}
Host *src = HostLookupHostFromHash(&p->src);
if (src) {
if (src->tag != NULL) {
TagHandlePacketHost(src,p);
}
HostRelease(src);
}
Host *dst = HostLookupHostFromHash(&p->dst);
if (dst) {
if (dst->tag != NULL) {
TagHandlePacketHost(dst,p);
}
HostRelease(dst);
}
}
static TmEcode OutputStreamingLog(ThreadVars *tv, Packet *p, void *thread_data, PacketQueue *pq, PacketQueue *postpq)
{
BUG_ON(thread_data == NULL);
BUG_ON(list == NULL);
OutputLoggerThreadData *op_thread_data = (OutputLoggerThreadData *)thread_data;
OutputStreamingLogger *logger = list;
OutputLoggerThreadStore *store = op_thread_data->store;
StreamerCallbackData streamer_cbdata = { logger, store, tv, p , 0};
BUG_ON(logger == NULL && store != NULL);
BUG_ON(logger != NULL && store == NULL);
BUG_ON(logger == NULL && store == NULL);
uint8_t flags = 0;
Flow * const f = p->flow;
/* no flow, no streaming */
if (f == NULL) {
SCReturnInt(TM_ECODE_OK);
}
if (p->flowflags & FLOW_PKT_TOCLIENT)
flags |= OUTPUT_STREAMING_FLAG_TOCLIENT;
else
flags |= OUTPUT_STREAMING_FLAG_TOSERVER;
FLOWLOCK_WRLOCK(f);
if (op_thread_data->loggers & (1<<STREAMING_TCP_DATA)) {
TcpSession *ssn = f->protoctx;
if (ssn) {
int close = (ssn->state >= TCP_CLOSED);
close |= ((p->flags & PKT_PSEUDO_STREAM_END) ? 1 : 0);
SCLogDebug("close ? %s", close ? "yes" : "no");
TcpStream *stream = flags & OUTPUT_STREAMING_FLAG_TOSERVER ? &ssn->client : &ssn->server;
streamer_cbdata.type = STREAMING_TCP_DATA;
StreamIterator(p->flow, stream, close, (void *)&streamer_cbdata, flags);
}
}
if (op_thread_data->loggers & (1<<STREAMING_HTTP_BODIES)) {
if (f->alproto == ALPROTO_HTTP && f->alstate != NULL) {
int close = 0;
TcpSession *ssn = f->protoctx;
if (ssn) {
close = (ssn->state >= TCP_CLOSED);
close |= ((p->flags & PKT_PSEUDO_STREAM_END) ? 1 : 0);
}
SCLogDebug("close ? %s", close ? "yes" : "no");
streamer_cbdata.type = STREAMING_HTTP_BODIES;
HttpBodyIterator(f, close, (void *)&streamer_cbdata, flags);
}
}
FLOWLOCK_UNLOCK(f);
return TM_ECODE_OK;
}
/**
* \brief Check if we need to drop-log this packet
*
* \param tv Pointer the current thread variables
* \param p Pointer the packet which is tested
*
* \retval bool TRUE or FALSE
*/
static int JsonDropLogCondition(ThreadVars *tv, const Packet *p)
{
if (!EngineModeIsIPS()) {
SCLogDebug("engine is not running in inline mode, so returning");
return FALSE;
}
if (PKT_IS_PSEUDOPKT(p)) {
SCLogDebug("drop log doesn't log pseudo packets");
return FALSE;
}
if (p->flow != NULL) {
int ret = FALSE;
/* for a flow that will be dropped fully, log just once per direction */
FLOWLOCK_RDLOCK(p->flow);
if (p->flow->flags & FLOW_ACTION_DROP) {
if (PKT_IS_TOSERVER(p) && !(p->flow->flags & FLOW_TOSERVER_DROP_LOGGED))
ret = TRUE;
else if (PKT_IS_TOCLIENT(p) && !(p->flow->flags & FLOW_TOCLIENT_DROP_LOGGED))
ret = TRUE;
}
FLOWLOCK_UNLOCK(p->flow);
/* if drop is caused by signature, log anyway */
if (p->alerts.drop.action != 0)
ret = TRUE;
return ret;
} else if (PACKET_TEST_ACTION(p, ACTION_DROP)) {
return TRUE;
}
return FALSE;
}
uint32_t UTHBuildPacketOfFlows(uint32_t start, uint32_t end, uint8_t dir)
{
uint32_t i = start;
uint8_t payload[] = "Payload";
for (; i < end; i++) {
Packet *p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
if (dir == 0) {
p->src.addr_data32[0] = i;
p->dst.addr_data32[0] = i + 1;
} else {
p->src.addr_data32[0] = i + 1;
p->dst.addr_data32[0] = i;
}
FlowHandlePacket(NULL, NULL, p);
if (p->flow != NULL) {
SC_ATOMIC_RESET(p->flow->use_cnt);
FLOWLOCK_UNLOCK(p->flow);
}
/* Now the queues shoul be updated */
UTHFreePacket(p);
}
return i;
}
/**
* \brief match the specified version on a tls session
*
* \param t pointer to thread vars
* \param det_ctx pointer to the pattern matcher thread
* \param p pointer to the current packet
* \param m pointer to the sigmatch that we will cast into DetectTlsVersionData
*
* \retval 0 no match
* \retval 1 match
*/
int DetectTlsVersionMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m)
{
SCEnter();
DetectTlsVersionData *tls_data = (DetectTlsVersionData *)m->ctx;
SSLState *ssl_state = (SSLState *)state;
if (ssl_state == NULL) {
SCLogDebug("no tls state, no match");
SCReturnInt(0);
}
int ret = 0;
FLOWLOCK_RDLOCK(f);
SCLogDebug("looking for tls_data->ver 0x%02X (flags 0x%02X)", tls_data->ver, flags);
if (flags & STREAM_TOCLIENT) {
SCLogDebug("server (toclient) version is 0x%02X", ssl_state->server_connp.version);
if (tls_data->ver == ssl_state->server_connp.version)
ret = 1;
} else if (flags & STREAM_TOSERVER) {
SCLogDebug("client (toserver) version is 0x%02X", ssl_state->client_connp.version);
if (tls_data->ver == ssl_state->client_connp.version)
ret = 1;
}
FLOWLOCK_UNLOCK(f);
SCReturnInt(ret);
}
static Flow *TcpReuseReplace(ThreadVars *tv, DecodeThreadVars *dtv,
FlowBucket *fb, Flow *old_f,
const uint32_t hash, const Packet *p)
{
/* tag flow as reused so future lookups won't find it */
old_f->flags |= FLOW_TCP_REUSED;
/* get some settings that we move over to the new flow */
FlowThreadId thread_id = old_f->thread_id;
/* since fb lock is still held this flow won't be found until we are done */
FLOWLOCK_UNLOCK(old_f);
/* Get a new flow. It will be either a locked flow or NULL */
Flow *f = FlowGetNew(tv, dtv, p);
if (f == NULL) {
return NULL;
}
/* flow is locked */
/* put at the start of the list */
f->hnext = fb->head;
fb->head->hprev = f;
fb->head = f;
/* initialize and return */
FlowInit(f, p);
f->flow_hash = hash;
f->fb = fb;
f->thread_id = thread_id;
return f;
}
/**
* \internal
* \brief Forces reassembly for flows that need it.
*
* When this function is called we're running in virtually dead engine,
* so locking the flows is not strictly required. The reasons it is still
* done are:
* - code consistency
* - silence complaining profilers
* - allow us to aggressively check using debug valdation assertions
* - be robust in case of future changes
* - locking overhead if neglectable when no other thread fights us
*
* \param q The queue to process flows from.
*/
static inline void FlowForceReassemblyForHash(void)
{
Flow *f;
TcpSession *ssn;
int client_ok = 0;
int server_ok = 0;
uint32_t idx = 0;
for (idx = 0; idx < flow_config.hash_size; idx++) {
FlowBucket *fb = &flow_hash[idx];
PacketPoolWaitForN(9);
FBLOCK_LOCK(fb);
/* get the topmost flow from the QUEUE */
f = fb->head;
/* we need to loop through all the flows in the queue */
while (f != NULL) {
PacketPoolWaitForN(3);
FLOWLOCK_WRLOCK(f);
/* Get the tcp session for the flow */
ssn = (TcpSession *)f->protoctx;
/* \todo Also skip flows that shouldn't be inspected */
if (ssn == NULL) {
FLOWLOCK_UNLOCK(f);
f = f->hnext;
continue;
}
if (FlowForceReassemblyNeedReassembly(f, &server_ok, &client_ok) == 1) {
FlowForceReassemblyForFlow(f, server_ok, client_ok);
}
FLOWLOCK_UNLOCK(f);
/* next flow in the queue */
f = f->hnext;
}
FBLOCK_UNLOCK(fb);
}
return;
}
/**
* \brief Do the http_method content inspection for a signature.
*
* \param de_ctx Detection engine context.
* \param det_ctx Detection engine thread context.
* \param s Signature to inspect.
* \param f Flow.
* \param flags App layer flags.
* \param state App layer state.
*
* \retval 0 No match.
* \retval 1 Match.
*/
int DetectEngineInspectHttpMethod(DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx,
Signature *s, Flow *f, uint8_t flags,
void *alstate)
{
SCEnter();
int r = 0;
HtpState *htp_state = NULL;
htp_tx_t *tx = NULL;
int idx;
FLOWLOCK_RDLOCK(f);
htp_state = (HtpState *)alstate;
if (htp_state == NULL) {
SCLogDebug("no HTTP state");
goto end;
}
if (htp_state->connp == NULL || htp_state->connp->conn == NULL) {
SCLogDebug("HTP state has no conn(p)");
goto end;
}
idx = AppLayerTransactionGetInspectId(f);
if (idx == -1) {
goto end;
}
int size = (int)list_size(htp_state->connp->conn->transactions);
for (; idx < size; idx++) {
tx = list_get(htp_state->connp->conn->transactions, idx);
if (tx == NULL || tx->request_method == NULL)
continue;
det_ctx->buffer_offset = 0;
det_ctx->discontinue_matching = 0;
det_ctx->inspection_recursion_counter = 0;
r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HMDMATCH],
f,
(uint8_t *)bstr_ptr(tx->request_method),
bstr_len(tx->request_method),
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HMD, NULL);
//r = DoInspectHttpMethod(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HMDMATCH],
//(uint8_t *)bstr_ptr(tx->request_method),
//bstr_len(tx->request_method));
if (r == 1) {
break;
}
}
end:
FLOWLOCK_UNLOCK(f);
SCReturnInt(r);
}
static TmEcode LogFileLogWrap(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq, int ipver)
{
SCEnter();
LogFileLogThread *aft = (LogFileLogThread *)data;
uint8_t flags = 0;
/* no flow, no htp state */
if (p->flow == NULL) {
SCReturnInt(TM_ECODE_OK);
}
if (p->flowflags & FLOW_PKT_TOCLIENT)
flags |= STREAM_TOCLIENT;
else
flags |= STREAM_TOSERVER;
int file_close = (p->flags & PKT_PSEUDO_STREAM_END) ? 1 : 0;
int file_trunc = 0;
FLOWLOCK_WRLOCK(p->flow);
file_trunc = StreamTcpReassembleDepthReached(p);
FileContainer *ffc = AppLayerParserGetFiles(IPPROTO_TCP, p->flow->alproto,
p->flow->alstate, flags);
SCLogDebug("ffc %p", ffc);
if (ffc != NULL) {
File *ff;
for (ff = ffc->head; ff != NULL; ff = ff->next) {
if (ff->flags & FILE_LOGGED)
continue;
if (FileForceMagic() && ff->magic == NULL) {
FilemagicGlobalLookup(ff);
}
SCLogDebug("ff %p", ff);
if (file_trunc && ff->state < FILE_STATE_CLOSED)
ff->state = FILE_STATE_TRUNCATED;
if (ff->state == FILE_STATE_CLOSED ||
ff->state == FILE_STATE_TRUNCATED || ff->state == FILE_STATE_ERROR ||
(file_close == 1 && ff->state < FILE_STATE_CLOSED))
{
LogFileWriteJsonRecord(aft, p, ff, ipver);
ff->flags |= FILE_LOGGED;
aft->file_cnt++;
}
}
FilePrune(ffc);
}
FLOWLOCK_UNLOCK(p->flow);
SCReturnInt(TM_ECODE_OK);
}
void FlowAlertSidUnset(Flow *f, uint32_t sid) {
FLOWLOCK_WRLOCK(f);
FlowAlertSid *fb = FlowAlertSidGet(f, sid);
if (fb != NULL) {
FlowAlertSidRemove(f, sid);
}
FLOWLOCK_UNLOCK(f);
}
void FlowBitUnset(Flow *f, uint16_t idx) {
FLOWLOCK_WRLOCK(f);
FlowBit *fb = FlowBitGet(f, idx);
if (fb != NULL) {
FlowBitRemove(f, idx);
}
FLOWLOCK_UNLOCK(f);
}
/**
* \test Test the deallocation of app layer parser memory on occurance of
* error in the parsing process for UDP.
*/
static int AppLayerParserTest02(void)
{
AppLayerParserBackupParserTable();
int result = 1;
Flow *f = NULL;
uint8_t testbuf[] = { 0x11 };
uint32_t testlen = sizeof(testbuf);
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
/* Register the Test protocol state and parser functions */
AppLayerParserRegisterParser(IPPROTO_UDP, ALPROTO_TEST, STREAM_TOSERVER,
TestProtocolParser);
AppLayerParserRegisterStateFuncs(IPPROTO_UDP, ALPROTO_TEST,
TestProtocolStateAlloc, TestProtocolStateFree);
f = UTHBuildFlow(AF_INET, "1.2.3.4", "4.3.2.1", 20, 40);
if (f == NULL)
goto end;
f->alproto = ALPROTO_TEST;
f->proto = IPPROTO_UDP;
f->protomap = FlowGetProtoMapping(f->proto);
StreamTcpInitConfig(TRUE);
FLOWLOCK_WRLOCK(f);
int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_TEST,
STREAM_TOSERVER | STREAM_EOF, testbuf,
testlen);
if (r != -1) {
printf("returned %" PRId32 ", expected -1: \n", r);
result = 0;
FLOWLOCK_UNLOCK(f);
goto end;
}
FLOWLOCK_UNLOCK(f);
end:
AppLayerParserRestoreParserTable();
StreamTcpFreeConfig(TRUE);
UTHFreeFlow(f);
return result;
}
void FlowBitSet(Flow *f, uint16_t idx) {
FLOWLOCK_WRLOCK(f);
FlowBit *fb = FlowBitGet(f, idx);
if (fb == NULL) {
FlowBitAdd(f, idx);
}
FLOWLOCK_UNLOCK(f);
}
void FlowAlertSidSet(Flow *f, uint32_t sid) {
FLOWLOCK_WRLOCK(f);
FlowAlertSid *fb = FlowAlertSidGet(f, sid);
if (fb == NULL) {
FlowAlertSidAdd(f, sid);
}
FLOWLOCK_UNLOCK(f);
}
int FlowBitIsnotset(Flow *f, uint16_t idx) {
int r = 0;
FLOWLOCK_RDLOCK(f);
FlowBit *fb = FlowBitGet(f, idx);
if (fb == NULL) {
r = 1;
}
FLOWLOCK_UNLOCK(f);
return r;
}
void FlowBitToggle(Flow *f, uint16_t idx) {
FLOWLOCK_WRLOCK(f);
FlowBit *fb = FlowBitGet(f, idx);
if (fb != NULL) {
FlowBitRemove(f, idx);
} else {
FlowBitAdd(f, idx);
}
FLOWLOCK_UNLOCK(f);
}
void FlowAlertSidToggle(Flow *f, uint32_t sid) {
FLOWLOCK_WRLOCK(f);
FlowAlertSid *fb = FlowAlertSidGet(f, sid);
if (fb != NULL) {
FlowAlertSidRemove(f, sid);
} else {
FlowAlertSidAdd(f, sid);
}
FLOWLOCK_UNLOCK(f);
}
/**
* \brief This function is used to match urilen rule option with the HTTP
* uricontent.
*
* \param t pointer to thread vars
* \param det_ctx pointer to the pattern matcher thread
* \param p pointer to the current packet
* \param m pointer to the sigmatch that we will cast into DetectUrilenData
*
* \retval 0 no match
* \retval 1 match
*/
int DetectUrilenMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
uint8_t flags, void *state, Signature *s, SigMatch *m)
{
SCEnter();
int ret = 0;
int idx = 0;
DetectUrilenData *urilend = (DetectUrilenData *) m->ctx;
HtpState *htp_state = (HtpState *)state;
if (htp_state == NULL) {
SCLogDebug("no HTP state, no need to match further");
SCReturnInt(ret);
}
FLOWLOCK_RDLOCK(f);
htp_tx_t *tx = NULL;
idx = AppLayerTransactionGetInspectId(f);
if (idx == -1) {
goto end;
}
int size = (int)list_size(htp_state->connp->conn->transactions);
for (; idx < size; idx++)
{
tx = list_get(htp_state->connp->conn->transactions, idx);
if (tx == NULL || tx->request_uri_normalized == NULL)
goto end;
switch (urilend->mode) {
case DETECT_URILEN_EQ:
if (bstr_len(tx->request_uri_normalized) == urilend->urilen1)
ret = 1;
break;
case DETECT_URILEN_LT:
if (bstr_len(tx->request_uri_normalized) < urilend->urilen1)
ret = 1;
break;
case DETECT_URILEN_GT:
if (bstr_len(tx->request_uri_normalized) > urilend->urilen1)
ret = 1;
break;
case DETECT_URILEN_RA:
if (bstr_len(tx->request_uri_normalized) > urilend->urilen1 &&
bstr_len(tx->request_uri_normalized) < urilend->urilen2)
ret = 1;
break;
}
}
end:
FLOWLOCK_UNLOCK(f);
SCReturnInt(ret);
}
int FlowAlertSidIsnotset(Flow *f, uint32_t sid) {
int r = 0;
FLOWLOCK_RDLOCK(f);
FlowAlertSid *fb = FlowAlertSidGet(f, sid);
if (fb == NULL) {
r = 1;
}
FLOWLOCK_UNLOCK(f);
return r;
}
/** \internal
* \brief Condition function for TLS logger
* \retval bool true or false -- log now?
*/
static int LogTlsCondition(ThreadVars *tv, const Packet *p)
{
if (p->flow == NULL) {
return FALSE;
}
if (!(PKT_IS_TCP(p))) {
return FALSE;
}
FLOWLOCK_RDLOCK(p->flow);
uint16_t proto = FlowGetAppProtocol(p->flow);
if (proto != ALPROTO_TLS)
goto dontlog;
SSLState *ssl_state = (SSLState *)FlowGetAppState(p->flow);
if (ssl_state == NULL) {
SCLogDebug("no tls state, so no request logging");
goto dontlog;
}
/* we only log the state once if we don't have to write
* the cert due to tls.store keyword. */
if (!(ssl_state->server_connp.cert_log_flag & SSL_TLS_LOG_PEM) &&
(ssl_state->flags & SSL_AL_FLAG_STATE_LOGGED))
goto dontlog;
if (ssl_state->server_connp.cert0_issuerdn == NULL ||
ssl_state->server_connp.cert0_subject == NULL)
goto dontlog;
/* todo: logic to log once */
FLOWLOCK_UNLOCK(p->flow);
return TRUE;
dontlog:
FLOWLOCK_UNLOCK(p->flow);
return FALSE;
}
int DetectAppLayerProtocolMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Flow *f, uint8_t flags, void *state,
Signature *s, SigMatch *m)
{
int r = 0;
DetectAppLayerProtocolData *data = (DetectAppLayerProtocolData *)m->ctx;
FLOWLOCK_RDLOCK(f);
r = (data->negated) ? (f->alproto != data->alproto) :
(f->alproto == data->alproto);
FLOWLOCK_UNLOCK(f);
return r;
}
/**
* \brief post-match function for filestore
*
* \param t thread local vars
* \param det_ctx pattern matcher thread local data
* \param p packet
*
* The match function for filestore records store candidates in the det_ctx.
* When we are sure all parts of the signature matched, we run this function
* to finalize the filestore.
*/
int DetectFilestorePostMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s)
{
uint8_t flags = 0;
SCEnter();
if (det_ctx->filestore_cnt == 0) {
SCReturnInt(0);
}
if (s->filestore_sm == NULL || p->flow == NULL) {
#ifndef DEBUG
SCReturnInt(0);
#else
BUG_ON(1);
#endif
}
if (p->flowflags & FLOW_PKT_TOCLIENT)
flags |= STREAM_TOCLIENT;
else
flags |= STREAM_TOSERVER;
if (det_ctx->flow_locked == 0)
FLOWLOCK_WRLOCK(p->flow);
FileContainer *ffc = AppLayerParserGetFiles(p->flow->proto, p->flow->alproto,
p->flow->alstate, flags);
/* filestore for single files only */
if (s->filestore_sm->ctx == NULL) {
uint16_t u;
for (u = 0; u < det_ctx->filestore_cnt; u++) {
FileStoreFileById(ffc, det_ctx->filestore[u].file_id);
}
} else {
DetectFilestoreData *filestore = (DetectFilestoreData *)s->filestore_sm->ctx;
uint16_t u;
for (u = 0; u < det_ctx->filestore_cnt; u++) {
FilestorePostMatchWithOptions(p, p->flow, filestore, ffc,
det_ctx->filestore[u].file_id, det_ctx->filestore[u].tx_id);
}
}
if (det_ctx->flow_locked == 0)
FLOWLOCK_UNLOCK(p->flow);
SCReturnInt(0);
}
/** \internal
* \brief Condition function for SSH logger
* \retval bool true or false -- log now?
*/
static int JsonSshCondition(ThreadVars *tv, const Packet *p)
{
if (p->flow == NULL) {
return FALSE;
}
if (!(PKT_IS_TCP(p))) {
return FALSE;
}
FLOWLOCK_RDLOCK(p->flow);
uint16_t proto = FlowGetAppProtocol(p->flow);
if (proto != ALPROTO_SSH)
goto dontlog;
SshState *ssh_state = (SshState *)FlowGetAppState(p->flow);
if (ssh_state == NULL) {
SCLogDebug("no ssh state, so no logging");
goto dontlog;
}
/* we only log the state once */
if (ssh_state->cli_hdr.flags & SSH_FLAG_STATE_LOGGED)
goto dontlog;
if (ssh_state->cli_hdr.software_version == NULL ||
ssh_state->srv_hdr.software_version == NULL)
goto dontlog;
/* todo: logic to log once */
FLOWLOCK_UNLOCK(p->flow);
return TRUE;
dontlog:
FLOWLOCK_UNLOCK(p->flow);
return FALSE;
}
int DetectEngineRunHttpUAMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags)
{
htp_tx_t *tx = NULL;
uint32_t cnt = 0;
int idx;
/* we need to lock because the buffers are not actually true buffers
* but are ones that point to a buffer given by libhtp */
FLOWLOCK_RDLOCK(f);
if (htp_state == NULL) {
SCLogDebug("no HTTP state");
goto end;
}
if (htp_state->connp == NULL || htp_state->connp->conn == NULL) {
SCLogDebug("HTP state has no conn(p)");
goto end;
}
idx = AppLayerTransactionGetInspectId(f);
if (idx == -1) {
goto end;
}
int size = (int)list_size(htp_state->connp->conn->transactions);
for (; idx < size; idx++) {
tx = list_get(htp_state->connp->conn->transactions, idx);
if (tx == NULL)
continue;
htp_header_t *h = (htp_header_t *)table_getc(tx->request_headers,
"User-Agent");
if (h == NULL) {
SCLogDebug("HTTP user agent header not present in this request");
continue;
}
cnt += HttpUAPatternSearch(det_ctx,
(uint8_t *)bstr_ptr(h->value),
bstr_len(h->value), flags);
}
end:
FLOWLOCK_UNLOCK(f);
return cnt;
}
/**
* \brief This function is used to add a tag to a session (type session)
* or update it if it's already installed. The number of times to
* allow an update is limited by DETECT_TAG_MATCH_LIMIT. This way
* repetitive matches to the same rule are limited of setting tags,
* to avoid DOS attacks
*
* \param p pointer to the current packet
* \param tde pointer to the new DetectTagDataEntry
*
* \retval 0 if the tde was added succesfuly
* \retval 1 if an entry of this sid/gid already exist and was updated
*/
int TagFlowAdd(Packet *p, DetectTagDataEntry *tde) {
uint8_t updated = 0;
uint16_t num_tags = 0;
DetectTagDataEntry *iter = NULL;
if (p->flow == NULL)
return 1;
FLOWLOCK_WRLOCK(p->flow);
if (p->flow->tag_list != NULL) {
iter = p->flow->tag_list;
/* First iterate installed entries searching a duplicated sid/gid */
for (; iter != NULL; iter = iter->next) {
num_tags++;
if (iter->sid == tde->sid && iter->gid == tde->gid) {
iter->cnt_match++;
/* If so, update data, unless the maximum MATCH limit is
* reached. This prevents possible DOS attacks */
if (iter->cnt_match < DETECT_TAG_MATCH_LIMIT) {
/* Reset time and counters */
iter->first_ts = iter->last_ts = tde->first_ts;
iter->packets = 0;
iter->bytes = 0;
}
updated = 1;
break;
}
}
}
/* If there was no entry of this rule, prepend the new tde */
if (updated == 0 && num_tags < DETECT_TAG_MAX_TAGS) {
DetectTagDataEntry *new_tde = DetectTagDataCopy(tde);
if (new_tde != NULL) {
new_tde->next = p->flow->tag_list;
p->flow->tag_list = new_tde;
(void) SC_ATOMIC_ADD(num_tags, 1);
}
} else if (num_tags == DETECT_TAG_MAX_TAGS) {
SCLogDebug("Max tags for sessions reached (%"PRIu16")", num_tags);
}
FLOWLOCK_UNLOCK(p->flow);
return updated;
}
static int DetectTlsStoreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m)
{
SCEnter();
SSLState *ssl_state = (SSLState *)state;
if (ssl_state == NULL) {
SCLogDebug("no tls state, no match");
SCReturnInt(1);
}
FLOWLOCK_WRLOCK(f);
if (s->flags & SIG_FLAG_TLSSTORE) {
ssl_state->server_connp.cert_log_flag |= SSL_TLS_LOG_PEM;
}
FLOWLOCK_UNLOCK(f);
SCReturnInt(1);
}
