/**
 * \brief Run a signature's file-inspecting keywords against the files of a
 *        transaction, for any app-layer protocol that exposes its files via
 *        AppLayerParserGetFiles().
 *
 * \param tv      thread vars
 * \param de_ctx  detection engine ctx (not used by this function)
 * \param det_ctx detection engine thread ctx
 * \param s       signature to inspect
 * \param smd     sig match data (the file engine) to run
 * \param f       flow; only f->proto and f->alproto are read here
 * \param flags   direction flags; the STREAM_TOSERVER/STREAM_TOCLIENT bits
 *                select which file container is fetched
 * \param alstate app-layer state of the flow, may be NULL
 * \param tx      transaction (not used by this function)
 * \param tx_id   transaction id (not used by this function)
 *
 * \retval DETECT_ENGINE_INSPECT_SIG_NO_MATCH         no match; also returned
 *                                                    when there is no state or
 *                                                    no file in this direction
 * \retval DETECT_ENGINE_INSPECT_SIG_MATCH            match
 * \retval DETECT_ENGINE_INSPECT_SIG_CANT_MATCH       can't match on this tx
 * \retval DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES can't match (file sig)
 * \retval DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES match, more files ahead
 *
 * \note flow is not locked at this time
 */
int DetectFileInspectGeneric(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
        const Signature *s, const SigMatchData *smd, Flow *f, uint8_t flags, void *alstate,
        void *tx, uint64_t tx_id)
{
    SCEnter();

    if (alstate == NULL) {
        SCReturnInt(DETECT_ENGINE_INSPECT_SIG_NO_MATCH);
    }

    /* keep only the direction bits; the parser API is asked for one side */
    const uint8_t dir = flags & (STREAM_TOSERVER | STREAM_TOCLIENT);
    FileContainer *files = AppLayerParserGetFiles(f->proto, f->alproto, alstate, dir);
    if (files == NULL || files->head == NULL) {
        /* nothing to inspect in this direction */
        SCReturnInt(DETECT_ENGINE_INSPECT_SIG_NO_MATCH);
    }

    const int match = DetectFileInspect(tv, det_ctx, f, s, smd, flags, files);

    int result;
    switch (match) {
        case DETECT_ENGINE_INSPECT_SIG_MATCH:
            result = DETECT_ENGINE_INSPECT_SIG_MATCH;
            break;
        case DETECT_ENGINE_INSPECT_SIG_CANT_MATCH:
            SCLogDebug("sid %u can't match on this transaction", s->id);
            result = DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
            break;
        case DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES:
            SCLogDebug("sid %u can't match on this transaction (file sig)", s->id);
            result = DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES;
            break;
        case DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES:
            SCLogDebug("match with more files ahead");
            result = match;
            break;
        default:
            /* every other engine result is reported as a plain no match */
            result = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
            break;
    }

    SCReturnInt(result);
}
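/**
 * \brief Inspect the file inspecting keywords against the HTTP transactions.
 *
 * \param tv      thread vars
 * \param de_ctx  detection engine ctx (not used by this function)
 * \param det_ctx detection engine thread ctx
 * \param s       signature to inspect
 * \param f       flow
 * \param flags   direction flag; STREAM_TOCLIENT selects the to-client file
 *                container, anything else the to-server one
 * \param alstate HTTP state (HtpState) of the flow, may be NULL
 * \param tx      transaction (not used by this function)
 * \param tx_id   transaction id (not used by this function)
 *
 * \retval DETECT_ENGINE_INSPECT_SIG_NO_MATCH             no match; also when
 *                                                        there is no state
 * \retval DETECT_ENGINE_INSPECT_SIG_MATCH                match
 * \retval DETECT_ENGINE_INSPECT_SIG_CANT_MATCH           can't match on this tx
 * \retval DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILESTORE can't match filestore sig
 *
 * \note flow should be locked when this function's called.
 */
int DetectFileInspectHttp(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
        Signature *s, Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
{
    int r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
    HtpState *htp_state = (HtpState *)alstate;

    /* The generic and SMTP inspectors treat a missing app-layer state as
     * "no match"; do the same here rather than dereferencing NULL below. */
    if (htp_state == NULL) {
        SCLogDebug("no HTTP state");
        return r;
    }

    /* pick the file container for the direction being inspected; it may be
     * NULL when no file has been seen yet in that direction -- that case is
     * left to DetectFileInspect, as before */
    FileContainer *ffc = (flags & STREAM_TOCLIENT) ? htp_state->files_tc : htp_state->files_ts;

    int match = DetectFileInspect(tv, det_ctx, f, s, flags, ffc);
    if (match == DETECT_ENGINE_INSPECT_SIG_MATCH) {
        r = DETECT_ENGINE_INSPECT_SIG_MATCH;
    } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH) {
        SCLogDebug("sid %u can't match on this transaction", s->id);
        r = DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
    } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILESTORE) {
        SCLogDebug("sid %u can't match on this transaction (filestore sig)", s->id);
        r = DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILESTORE;
    }
    /* any other engine result stays a plain no match */

    return r;
}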
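/**
 * \brief Inspect the file inspecting keywords against the HTTP transactions.
 *
 * \param tv      thread vars
 * \param de_ctx  detection engine ctx (not used by this function)
 * \param det_ctx detection engine thread ctx; its tx_id is set to the
 *                transaction being inspected
 * \param s       signature to inspect
 * \param f       flow
 * \param flags   direction flag; STREAM_TOCLIENT selects the to-client file
 *                container, anything else the to-server one
 * \param alstate HTTP state (HtpState) of the flow, may be NULL
 * \param tx_id   id of the transaction to inspect
 *
 * \retval 0 no match; also when there is no HTTP state
 * \retval 1 match
 * \retval 2 can't match
 * \retval 3 can't match filestore signature
 *
 * \note flow should be locked when this function's called.
 */
int DetectFileInspectHttp(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
        Signature *s, Flow *f, uint8_t flags, void *alstate, int tx_id)
{
    int r = 0;
    HtpState *htp_state = (HtpState *)alstate;

    /* treat a missing app-layer state as "no match" instead of dereferencing
     * NULL below, matching how the other file inspectors behave */
    if (htp_state == NULL) {
        SCLogDebug("no HTTP state");
        return r;
    }

    /* file container for the direction being inspected; may be NULL when no
     * file has been seen yet in that direction -- left to DetectFileInspect */
    FileContainer *ffc = (flags & STREAM_TOCLIENT) ? htp_state->files_tc : htp_state->files_ts;

    /* inspect files for this transaction.
     * NOTE(review): tx_id is an int but det_ctx->tx_id only holds 16 bits, so
     * ids above 65535 alias onto lower ones and could make file matches land
     * on the wrong transaction -- confirm the width of det_ctx->tx_id and the
     * maximum tx id the HTTP parser can hand out. */
    det_ctx->tx_id = (uint16_t)tx_id;

    /* DetectFileInspect returns a single code, so at most one branch below
     * applies; the former "if (r != 1)" re-checks were always true */
    int match = DetectFileInspect(tv, det_ctx, f, s, flags, ffc);
    if (match == 1) {
        r = 1;
    } else if (match == 2) {
        SCLogDebug("sid %u can't match on this transaction", s->id);
        r = 2;
    } else if (match == 3) {
        SCLogDebug("sid %u can't match on this transaction (filestore sig)", s->id);
        r = 3;
    }

    return r;
}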
/**
 * \brief Inspect the file inspecting keywords against the SMTP transactions.
 *
 * \param tv      thread vars
 * \param de_ctx  detection engine ctx (not used by this function)
 * \param det_ctx detection engine thread ctx
 * \param s       signature to inspect
 * \param f       flow
 * \param flags   direction flag; only STREAM_TOSERVER traffic is inspected,
 *                the other direction yields no match
 * \param alstate SMTP state (SMTPState) of the flow, may be NULL
 * \param tx      transaction (not used by this function)
 * \param tx_id   transaction id (not used by this function)
 *
 * \retval DETECT_ENGINE_INSPECT_SIG_NO_MATCH             no match; also when
 *                                                        there is no state or
 *                                                        the direction is not
 *                                                        to-server
 * \retval DETECT_ENGINE_INSPECT_SIG_MATCH                match
 * \retval DETECT_ENGINE_INSPECT_SIG_CANT_MATCH           can't match on this tx
 * \retval DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILESTORE can't match filestore sig
 * \retval DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES     match, more files ahead
 *
 * \note flow is not locked at this time
 */
int DetectFileInspectSmtp(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
        Signature *s, Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
{
    SCEnter();

    SMTPState *state = (SMTPState *)alstate;
    if (state == NULL) {
        SCLogDebug("no SMTP state");
        SCReturnInt(DETECT_ENGINE_INSPECT_SIG_NO_MATCH);
    }

    /* only the to-server file container exists for SMTP; nothing to do for
     * the other direction */
    if (!(flags & STREAM_TOSERVER)) {
        SCReturnInt(DETECT_ENGINE_INSPECT_SIG_NO_MATCH);
    }

    /* state->files_ts may be NULL if no file was seen yet; that case is left
     * to DetectFileInspect, as before */
    const int match = DetectFileInspect(tv, det_ctx, f, s, flags, state->files_ts);

    int result;
    switch (match) {
        case DETECT_ENGINE_INSPECT_SIG_MATCH:
            result = DETECT_ENGINE_INSPECT_SIG_MATCH;
            break;
        case DETECT_ENGINE_INSPECT_SIG_CANT_MATCH:
            SCLogDebug("sid %u can't match on this transaction", s->id);
            result = DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
            break;
        case DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILESTORE:
            SCLogDebug("sid %u can't match on this transaction (filestore sig)", s->id);
            result = DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILESTORE;
            break;
        case DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES:
            SCLogDebug("match with more files ahead");
            result = match;
            break;
        default:
            /* every other engine result is reported as a plain no match */
            result = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
            break;
    }

    SCReturnInt(result);
}