static const uint8_t *DetectEngineSMTPGetBufferForTX(uint64_t tx_id,
DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx,
Flow *f, File *curr_file,
uint8_t flags,
uint32_t *buffer_len,
uint32_t *stream_start_offset)
{
SCEnter();
int index = 0;
const uint8_t *buffer = NULL;
*buffer_len = 0;
*stream_start_offset = 0;
uint64_t file_size = FileDataSize(curr_file);
if (det_ctx->smtp_buffers_list_len == 0) {
if (SMTPCreateSpace(det_ctx, 1) < 0)
goto end;
index = 0;
if (det_ctx->smtp_buffers_list_len == 0) {
det_ctx->smtp_start_tx_id = tx_id;
}
det_ctx->smtp_buffers_list_len++;
} else {
if ((tx_id - det_ctx->smtp_start_tx_id) < det_ctx->smtp_buffers_list_len) {
if (det_ctx->smtp[(tx_id - det_ctx->smtp_start_tx_id)].buffer_len != 0) {
*buffer_len = det_ctx->smtp[(tx_id - det_ctx->smtp_start_tx_id)].buffer_len;
*stream_start_offset = det_ctx->smtp[(tx_id - det_ctx->smtp_start_tx_id)].offset;
buffer = det_ctx->smtp[(tx_id - det_ctx->smtp_start_tx_id)].buffer;
SCReturnPtr(buffer, "uint8_t");
}
} else {
if (SMTPCreateSpace(det_ctx, (tx_id - det_ctx->smtp_start_tx_id) + 1) < 0)
goto end;
if (det_ctx->smtp_buffers_list_len == 0) {
det_ctx->smtp_start_tx_id = tx_id;
}
det_ctx->smtp_buffers_list_len++;
}
index = (tx_id - det_ctx->smtp_start_tx_id);
}
SCLogDebug("smtp_config.content_limit %u, smtp_config.content_inspect_min_size %u",
smtp_config.content_limit, smtp_config.content_inspect_min_size);
SCLogDebug("file %p size %"PRIu64", state %d", curr_file, file_size, curr_file->state);
/* no new data */
if (curr_file->content_inspected == file_size) {
SCLogDebug("no new data");
goto end;
}
if (file_size == 0) {
SCLogDebug("no data to inspect for this transaction");
goto end;
}
if ((smtp_config.content_limit == 0 || file_size < smtp_config.content_limit) &&
file_size < smtp_config.content_inspect_min_size &&
!(flags & STREAM_EOF) && !(curr_file->state > FILE_STATE_OPENED)) {
SCLogDebug("we still haven't seen the entire content. "
"Let's defer content inspection till we see the "
"entire content.");
goto end;
}
StreamingBufferGetDataAtOffset(curr_file->sb,
&det_ctx->smtp[index].buffer, &det_ctx->smtp[index].buffer_len,
curr_file->content_inspected);
det_ctx->smtp[index].offset = curr_file->content_inspected;
/* updat inspected tracker */
curr_file->content_inspected = FileDataSize(curr_file);
SCLogDebug("content_inspected %"PRIu64", offset %"PRIu64,
curr_file->content_inspected, det_ctx->smtp[index].offset);
buffer = det_ctx->smtp[index].buffer;
*buffer_len = det_ctx->smtp[index].buffer_len;
*stream_start_offset = det_ctx->smtp[index].offset;
end:
SCLogDebug("buffer %p, len %u", buffer, *buffer_len);
SCReturnPtr(buffer, "uint8_t");
}
/**
* \brief Inspect the file inspecting keywords.
*
* \param tv thread vars
* \param det_ctx detection engine thread ctx
* \param f flow
* \param s signature to inspect
*
* \retval 0 no match
* \retval 1 match
* \retval 2 can't match
* \retval 3 can't match filestore signature
*/
static int DetectFileInspect(ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
Flow *f, const Signature *s, const SigMatchData *smd,
uint8_t flags, FileContainer *ffc)
{
int r = 0;
int match = 0;
int store_r = 0;
SCLogDebug("file inspection... %p", ffc);
if (ffc != NULL) {
File *file = ffc->head;
for (; file != NULL; file = file->next) {
SCLogDebug("file");
if (file->state == FILE_STATE_NONE) {
SCLogDebug("file state FILE_STATE_NONE");
continue;
}
if (file->txid < det_ctx->tx_id) {
SCLogDebug("file->txid < det_ctx->tx_id == %"PRIu64" < %"PRIu64, file->txid, det_ctx->tx_id);
continue;
}
if (file->txid > det_ctx->tx_id) {
SCLogDebug("file->txid > det_ctx->tx_id == %"PRIu64" > %"PRIu64, file->txid, det_ctx->tx_id);
break;
}
if ((s->file_flags & FILE_SIG_NEED_FILENAME) && file->name == NULL) {
SCLogDebug("sig needs filename, but we don't have any");
r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
continue;
}
uint64_t file_size = FileDataSize(file);
if ((s->file_flags & FILE_SIG_NEED_MAGIC) && file_size == 0) {
SCLogDebug("sig needs file content, but we don't have any");
r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
continue;
}
if ((s->file_flags & FILE_SIG_NEED_FILECONTENT) && file_size == 0) {
SCLogDebug("sig needs file content, but we don't have any");
r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
continue;
}
if ((s->file_flags & FILE_SIG_NEED_MD5) && (!(file->flags & FILE_MD5))) {
SCLogDebug("sig needs file md5, but we don't have any");
r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
continue;
}
if ((s->file_flags & FILE_SIG_NEED_SHA1) && (!(file->flags & FILE_SHA1))) {
SCLogDebug("sig needs file sha1, but we don't have any");
r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
continue;
}
if ((s->file_flags & FILE_SIG_NEED_SHA256) && (!(file->flags & FILE_SHA256))) {
SCLogDebug("sig needs file sha256, but we don't have any");
r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
continue;
}
if ((s->file_flags & FILE_SIG_NEED_SIZE) && file->state < FILE_STATE_CLOSED) {
SCLogDebug("sig needs filesize, but state < FILE_STATE_CLOSED");
r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
continue;
}
/* run the file match functions. */
while (1) {
SCLogDebug("smd %p", smd);
if (sigmatch_table[smd->type].FileMatch != NULL) {
KEYWORD_PROFILING_START;
match = sigmatch_table[smd->type].
FileMatch(tv, det_ctx, f, flags, file, s, smd->ctx);
KEYWORD_PROFILING_END(det_ctx, smd->type, (match > 0));
if (match == 0) {
r = DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES;
break;
} else if (smd->is_last) {
r = DETECT_ENGINE_INSPECT_SIG_MATCH;
break;
}
}
if (smd->is_last)
break;
smd++;
}
/* continue inspection for other files as we may want to store
* those as well. We'll return 1 (match) regardless of their
* results though */
if (r == DETECT_ENGINE_INSPECT_SIG_MATCH)
store_r = DETECT_ENGINE_INSPECT_SIG_MATCH;
/* continue, this file may (or may not) be unable to match
* maybe we have more that can :) */
}
} else {
/* if we have a filestore sm with a scope > file (so tx, ssn) we
* run it here */
if (smd != NULL && smd->is_last && smd->type == DETECT_FILESTORE &&
smd->ctx != NULL)
{
DetectFilestoreData *fd = (DetectFilestoreData *)smd->ctx;
if (fd->scope > FILESTORE_SCOPE_DEFAULT) {
KEYWORD_PROFILING_START;
match = sigmatch_table[smd->type].
FileMatch(tv, det_ctx, f, flags, /* no file */NULL, s, smd->ctx);
KEYWORD_PROFILING_END(det_ctx, smd->type, (match > 0));
if (match == 1) {
r = DETECT_ENGINE_INSPECT_SIG_MATCH;
}
}
}
}
if (r == DETECT_ENGINE_INSPECT_SIG_NO_MATCH && store_r == DETECT_ENGINE_INSPECT_SIG_MATCH) {
SCLogDebug("stored MATCH, current file NOMATCH");
SCReturnInt(DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES);
}
if (store_r == DETECT_ENGINE_INSPECT_SIG_MATCH)
r = DETECT_ENGINE_INSPECT_SIG_MATCH;
SCReturnInt(r);
}
