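/**
 * \test Load six MD5 digests into a read-only hash table, finalize it, then
 *       check that every loaded digest is found and an unloaded one is not.
 *
 * Every exit after the table has been created goes through the single
 * cleanup label, so a failing step no longer leaks the table.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int MD5MatchTest01(void)
{
    int result = 0;

    ROHashTable *hash = ROHashInit(4, 16);
    if (hash == NULL) {
        return 0;
    }

    /* "file" and the trailing number sit in the filename / line-number
     * positions that DetectFileMd5Parse passes to MD5LoadHash */
    if (MD5LoadHash(hash, "d80f93a93dc5f3ee945704754d6e0a36", "file", 1) != 1) {
        goto end;
    }
    if (MD5LoadHash(hash, "92a49985b384f0d993a36e4c2d45e206", "file", 2) != 1) {
        goto end;
    }
    if (MD5LoadHash(hash, "11adeaacc8c309815f7bc3e33888f281", "file", 3) != 1) {
        goto end;
    }
    if (MD5LoadHash(hash, "22e10a8fe02344ade0bea8836a1714af", "file", 4) != 1) {
        goto end;
    }
    if (MD5LoadHash(hash, "c3db2cbf02c68f073afcaee5634677bc", "file", 5) != 1) {
        goto end;
    }
    if (MD5LoadHash(hash, "7ed095da259638f42402fb9e74287a17", "file", 6) != 1) {
        goto end;
    }

    if (ROHashInitFinalize(hash) != 1) {
        goto end;
    }

    if (MD5MatchLookupString(hash, "d80f93a93dc5f3ee945704754d6e0a36") != 1) {
        goto end;
    }
    if (MD5MatchLookupString(hash, "92a49985b384f0d993a36e4c2d45e206") != 1) {
        goto end;
    }
    if (MD5MatchLookupString(hash, "11adeaacc8c309815f7bc3e33888f281") != 1) {
        goto end;
    }
    if (MD5MatchLookupString(hash, "22e10a8fe02344ade0bea8836a1714af") != 1) {
        goto end;
    }
    if (MD5MatchLookupString(hash, "c3db2cbf02c68f073afcaee5634677bc") != 1) {
        goto end;
    }
    if (MD5MatchLookupString(hash, "7ed095da259638f42402fb9e74287a17") != 1) {
        goto end;
    }

    /* a digest that was never loaded must not match */
    if (MD5MatchLookupString(hash, "33333333333333333333333333333333") == 1) {
        goto end;
    }

    result = 1;

end:
    /* NOTE(review): assumes ROHashFree accepts a table whose load or
     * finalize step failed - confirm against the ROHash implementation */
    ROHashFree(hash);
    return result;
}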
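/**
 * \brief Parse the filemd5 keyword
 *
 * Opens the list file named by the option, loads one MD5 digest per line
 * into a read-only hash table and finalizes the table. Any line that
 * MD5LoadHash does not accept aborts the parse, so a damaged list is
 * rejected as a whole instead of being loaded in part.
 *
 * \param de_ctx detection engine context, used to resolve the list file path
 * \param str Pointer to the user provided option: a file name, with an
 *            optional leading '!' that marks the match as negated
 *
 * \retval filemd5 pointer to DetectFileMd5Data on success
 * \retval NULL on failure
 */
static DetectFileMd5Data *DetectFileMd5Parse (const DetectEngineCtx *de_ctx, char *str)
{
    DetectFileMd5Data *filemd5 = NULL;
    FILE *fp = NULL;
    char *filename = NULL;

    /* We have a correct filemd5 option */
    filemd5 = SCMalloc(sizeof(DetectFileMd5Data));
    if (unlikely(filemd5 == NULL)) {
        goto error;
    }

    memset(filemd5, 0x00, sizeof(DetectFileMd5Data));

    if (strlen(str) && str[0] == '!') {
        filemd5->negated = 1;
        str++;
    }

    filemd5->hash = ROHashInit(18, 16);
    if (filemd5->hash == NULL) {
        goto error;
    }

    /* get full filename */
    filename = DetectLoadCompleteSigPath(de_ctx, str);
    if (filename == NULL) {
        goto error;
    }

    char line[8192] = "";
    fp = fopen(filename, "r");
    if (fp == NULL) {
        SCLogError(SC_ERR_OPENING_RULE_FILE, "opening md5 file %s: %s", filename, strerror(errno));
        goto error;
    }

    /* NOTE(review): fgets hands back a physical line longer than 8191 bytes
     * in several pieces; each later piece is treated as a line of its own
     * and is counted in line_no. */
    int line_no = 0;
    while (fgets(line, (int)sizeof(line), fp) != NULL) {
        size_t len = strlen(line);
        line_no++;

        /* ignore comments and empty lines */
        if (line[0] == '\n' || line[0] == '\r' || line[0] == ' ' ||
            line[0] == '#' || line[0] == '\t') {
            continue;
        }

        /* Strip trailing whitespace, line terminator included. The index is
         * checked before it is used: a line that starts with a NUL byte has
         * len == 0, and a line holding only whitespace that the skip above
         * does not list (form feed, vertical tab) runs the index down to 0;
         * the former unguarded `line[--len]` read outside the buffer in both
         * cases. The cast keeps isspace() defined for bytes >= 0x80. */
        while (len > 0 && isspace((unsigned char)line[len - 1])) {
            line[--len] = '\0';
        }

        /* cut off longer lines: only the first 32 characters (the length of
         * an MD5 digest in hex) are passed on */
        if (len > 32) {
            line[32] = 0x00;
        }

        /* an empty or short string is left for MD5LoadHash to judge -
         * presumably rejected there; confirm */
        if (MD5LoadHash(filemd5->hash, line, filename, line_no) != 1) {
            goto error;
        }
    }
    fclose(fp);
    fp = NULL;

    if (ROHashInitFinalize(filemd5->hash) != 1) {
        goto error;
    }
    SCLogInfo("MD5 hash size %u bytes%s", ROHashMemorySize(filemd5->hash), filemd5->negated ? ", negated match" : "");

    SCFree(filename);
    return filemd5;

error:
    if (filemd5 != NULL) {
        DetectFileMd5Free(filemd5);
    }
    if (fp != NULL) {
        fclose(fp);
    }
    if (filename != NULL) {
        SCFree(filename);
    }
    return NULL;
}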
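/**
 * \brief Parse the filemd5, filesha1 or filesha256 keyword
 *
 * Opens the list file named by the option, takes the leading run of hex
 * characters from each line and loads it into a read-only hash table sized
 * for the selected algorithm. Any line that LoadHashTable does not accept
 * aborts the parse, so a damaged list is rejected as a whole.
 *
 * \param de_ctx detection engine context, used to resolve the list file path
 * \param str Pointer to the user provided option: a file name, with an
 *            optional leading '!' that marks the match as negated
 * \param type the hash algorithm
 *
 * \retval hash pointer to DetectFileHashData on success
 * \retval NULL on failure
 */
static DetectFileHashData *DetectFileHashParse (const DetectEngineCtx *de_ctx,
        char *str, uint32_t type)
{
    DetectFileHashData *filehash = NULL;
    FILE *fp = NULL;
    char *filename = NULL;

    /* We have a correct hash algorithm option */
    filehash = SCMalloc(sizeof(DetectFileHashData));
    if (unlikely(filehash == NULL)) {
        goto error;
    }

    memset(filehash, 0x00, sizeof(DetectFileHashData));

    if (strlen(str) && str[0] == '!') {
        filehash->negated = 1;
        str++;
    }

    /* the second argument equals the raw digest length in bytes of each
     * algorithm; an unknown type leaves hash NULL and fails just below */
    if (type == DETECT_FILEMD5) {
        filehash->hash = ROHashInit(18, 16);
    }
    else if (type == DETECT_FILESHA1) {
        filehash->hash = ROHashInit(18, 20);
    }
    else if (type == DETECT_FILESHA256) {
        filehash->hash = ROHashInit(18, 32);
    }

    if (filehash->hash == NULL) {
        goto error;
    }

    /* get full filename */
    filename = DetectLoadCompleteSigPath(de_ctx, str);
    if (filename == NULL) {
        goto error;
    }

    char line[8192] = "";
    fp = fopen(filename, "r");
    if (fp == NULL) {
        SCLogError(SC_ERR_OPENING_RULE_FILE, "opening hash file %s: %s", filename, strerror(errno));
        goto error;
    }

    /* NOTE(review): fgets hands back a physical line longer than 8191 bytes
     * in several pieces; each later piece is treated as a line of its own
     * and is counted in line_no. */
    int line_no = 0;
    while (fgets(line, (int)sizeof(line), fp) != NULL) {
        size_t valid = 0;
        const size_t len = strlen(line);
        line_no++;

        /* Count the leading run of hex characters. The bound is tested
         * first and valid advances only on a match: strchr() also matches
         * the terminating NUL of its search string, so the former
         * `strchr(...) != NULL && valid++ < len` form stepped valid to
         * len + 1 on a line made up of hex digits alone, and the store
         * below then landed one byte past the buffer when fgets had filled
         * it (8191 characters, no newline). */
        while (valid < len && strchr(hexcodes, line[valid]) != NULL) {
            valid++;
        }

        /* lines that do not contain sequentially any valid character are ignored;
         * with the bounded scan this also covers a line starting with NUL */
        if (valid == 0) {
            continue;
        }

        /* ignore anything after the sequence of valid characters */
        line[valid] = '\0';

        if (LoadHashTable(filehash->hash, line, filename, line_no, type) != 1) {
            goto error;
        }
    }
    fclose(fp);
    fp = NULL;

    if (ROHashInitFinalize(filehash->hash) != 1) {
        goto error;
    }
    SCLogInfo("Hash hash table size %u bytes%s", ROHashMemorySize(filehash->hash), filehash->negated ? ", negated match" : "");

    SCFree(filename);
    return filehash;

error:
    if (filehash != NULL) {
        DetectFileHashFree(filehash);
    }
    if (fp != NULL) {
        fclose(fp);
    }
    if (filename != NULL) {
        SCFree(filename);
    }
    return NULL;
}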