
Source code changes of the file "src/file-process/file_service.c" between
snort-2.9.16.1.tar.gz and snort-2.9.17.tar.gz

About: Snort is a network intrusion prevention and detection system (IDS/IPS) combining the benefits of signature, protocol and anomaly-based inspection.

file_service.c  (snort-2.9.16.1):file_service.c  (snort-2.9.17)
skipping to change at line 395 skipping to change at line 395
static void init_file_context(void *ssnptr, bool upload, FileContext *context) static void init_file_context(void *ssnptr, bool upload, FileContext *context)
{ {
context->file_type_enabled = cur_config.file_type_id_enabled; context->file_type_enabled = cur_config.file_type_id_enabled;
context->file_signature_enabled = cur_config.file_signature_enabled; context->file_signature_enabled = cur_config.file_signature_enabled;
context->file_capture_enabled = cur_config.file_capture_enabled; context->file_capture_enabled = cur_config.file_capture_enabled;
context->file_config = snort_conf->file_config; context->file_config = snort_conf->file_config;
context->file_config_version = file_config_version; context->file_config_version = file_config_version;
context->smb_unknown_file_size = false; context->smb_unknown_file_size = false;
context->partial_file = false; context->partial_file = false;
context->attached_file_entry = NULL;
file_direction_set(context,upload); file_direction_set(context,upload);
file_stats.files_total++; file_stats.files_total++;
#ifdef TARGET_BASED #ifdef TARGET_BASED
/* Check file policy to see whether we want to do either file type, file /* Check file policy to see whether we want to do either file type, file
* signature, or file capture * signature, or file capture
* Note: this happen only on the start of session*/ * Note: this happen only on the start of session*/
if (cur_config.file_policy_cb) if (cur_config.file_policy_cb)
{ {
uint32_t policy_flags = 0; uint32_t policy_flags = 0;
context->app_id = session_api->get_application_protocol_id(ssnptr); context->app_id = session_api->get_application_protocol_id(ssnptr);
skipping to change at line 517 skipping to change at line 518
{ {
FILE_ERROR("Failed to add event: no rtn"); FILE_ERROR("Failed to add event: no rtn");
return 0; return 0;
} }
rtn->type = type; rtn->type = type;
return SnortEventqAdd(gid, sid, 1, 0, 3, msg, otn); return SnortEventqAdd(gid, sid, 1, 0, 3, msg, otn);
} }
static inline void add_file_to_block(Packet *p, File_Verdict verdict, static inline void add_file_to_block(Packet *p, FileContext* context,
uint32_t file_type_id, uint8_t *signature) bool signature_available)
{ {
uint8_t *buf = NULL; uint8_t *buf = NULL;
uint32_t len = 0; uint32_t len = 0;
uint32_t type = 0; uint32_t type = 0;
uint32_t file_sig; uint32_t file_sig = 0;
uint8_t* signature = signature_available ? context->sha256 : NULL;
Packet *pkt = (Packet *)p; Packet *pkt = (Packet *)p;
FileConfig *file_config = (FileConfig *)(snort_conf->file_config); FileConfig *file_config = (FileConfig *)(snort_conf->file_config);
Active_ForceDropPacket(); Active_ForceDropPacket();
DisableAllDetect( p ); DisableAllDetect( p );
pkt->packet_flags |= PKT_FILE_EVENT_SET; pkt->packet_flags |= PKT_FILE_EVENT_SET;
/*Use URI as the identifier for file*/ /*Use URI as the identifier for file*/
if (GetHttpUriData(p->ssnptr, &buf, &len, &type)) if (GetHttpUriData(p->ssnptr, &buf, &len, &type))
{ {
file_sig = str_to_hash(buf, len); file_sig = str_to_hash(buf, len);
file_resume_block_add_file(p, file_sig, file_resume_block_add_file(p, file_sig,
(uint32_t)file_config->file_block_timeout, (uint32_t)file_config->file_block_timeout, context->verdict,
verdict, file_type_id, signature, 0, 0, true, 0); context->file_type_id, signature, 0, 0, true, 0);
} }
/*use the file name for smb2*/
else if(context->attached_file_entry && context->file_name_size > 0)
{
file_sig = str_to_hash(context->file_name, context->file_name_size);
file_resume_block_add_file(p, file_sig,
(uint32_t)file_config->file_block_timeout, context->verdict,
context->file_type_id, signature, 0, 0, true, 0);
/*We cant call file_entry_free directly as that will delete the context,
but we still may be using it.
So we are unlinking the context from the file entry. this way the cont
ext will not be deleted now,
but it will be deleted as part of tcp cleanup. As no context is linked
to the file entry now, it will
be set to do resume check. */
((FileEntry*)(context->attached_file_entry))->context = NULL;
context->attached_file_entry = NULL;
}
FILE_INFO("File blocked"); FILE_INFO("File blocked");
if (pkt_trace_enabled) if (pkt_trace_enabled)
addPktTraceData(VERDICT_REASON_FILE, snprintf(trace_line, MAX_TRACE_LINE , addPktTraceData(VERDICT_REASON_FILE, snprintf(trace_line, MAX_TRACE_LINE ,
"File Process: %s %s\n", getPktTraceActMsg(), (buf && len)? (char *) buf : "")); "File Process: %s %s\n", getPktTraceActMsg(), (buf && len)? (char *) buf : ""));
else addPktTraceData(VERDICT_REASON_FILE, 0); else addPktTraceData(VERDICT_REASON_FILE, 0);
} }
/* /*
* Check HTTP partial content header * Check HTTP partial content header
* Return: 1: partial content header * Return: 1: partial content header
* 0: not http partial content header * 0: not http partial content header
*/ */
static inline int check_http_partial_content(Packet *p) static inline int check_http_partial_content(Packet *p)
{ {
uint8_t *buf = NULL; uint8_t *buf = NULL;
uint32_t len = 0; uint32_t len = 0;
uint32_t type = 0; uint32_t type = 0;
uint32_t file_sig; uint32_t file_sig;
const HttpBuffer* hb = GetHttpBuffer(HTTP_BUFFER_STAT_CODE); const HttpBuffer* hb = GetHttpBuffer(HTTP_BUFFER_STAT_CODE);
bool partial_cont = isHttpRespPartialCont(p->ssnptr); uint8_t partial_cont = isHttpRespPartialCont(p->ssnptr);
int is_not_partial_ret_code = 0;
/*Not partial content, return*/ /* Not partial content, return */
if (hb) if (hb)
{ {
if (((hb->length != 3) || strncmp((const char*)hb->buf, "206", 3)) && !p if (hb->length != 3)
artial_cont) {
is_not_partial_ret_code = 1;
}
else
{
is_not_partial_ret_code = strncmp((const char*)hb->buf, "206", 3);
}
if (((is_not_partial_ret_code) && (partial_cont != PARTIAL_CONTENT)) ||
((!is_not_partial_ret_code) && (partial_cont == FULL_CONTENT)))
{
return 0; return 0;
}
} }
else if (!partial_cont) else if (partial_cont != PARTIAL_CONTENT)
{
return 0; return 0;
}
/*Use URI as the identifier for file*/ /*Use URI as the identifier for file*/
if (GetHttpUriData(p->ssnptr, &buf, &len, &type)) if (GetHttpUriData(p->ssnptr, &buf, &len, &type))
{ {
file_sig = str_to_hash(buf, len); file_sig = str_to_hash(buf, len);
file_resume_block_check(p, file_sig); file_resume_block_check(p, file_sig);
} }
FILE_DEBUG("HTTP partial content header found"); FILE_DEBUG("HTTP partial content header found");
return 1; return 1;
skipping to change at line 664 skipping to change at line 695
context->expires = (time_t)(file_config->file_lookup_timeout + p kt->pkth->ts.tv_sec); context->expires = (time_t)(file_config->file_lookup_timeout + p kt->pkth->ts.tv_sec);
if( !Active_DAQRetryPacket(pkt) ) if( !Active_DAQRetryPacket(pkt) )
Active_ForceDropPacket(); Active_ForceDropPacket();
if (pkt_trace_enabled) if (pkt_trace_enabled)
{ {
addPktTraceData(VERDICT_REASON_FILE, snprintf(trace_line, MAX_TR ACE_LINE, addPktTraceData(VERDICT_REASON_FILE, snprintf(trace_line, MAX_TR ACE_LINE,
"File Process: can't decide verdict and waiting, %s\n", getP ktTraceActMsg())); "File Process: can't decide verdict and waiting, %s\n", getP ktTraceActMsg()));
} }
else addPktTraceData(VERDICT_REASON_FILE, 0); else addPktTraceData(VERDICT_REASON_FILE, 0);
stream_api->set_event_handler(ssnptr, s_cb_id, SE_REXMIT); if (!context->suspend_block_verdict)
stream_api->set_event_handler(ssnptr, s_cb_id, SE_REXMIT);
save_to_pending_context(ssnptr); save_to_pending_context(ssnptr);
return; return;
} }
} }
else if ((verdict == FILE_VERDICT_BLOCK) || (verdict == FILE_VERDICT_REJECT) ) else if ((verdict == FILE_VERDICT_BLOCK) || (verdict == FILE_VERDICT_REJECT) )
{ {
if (!context->suspend_block_verdict) if (!context->suspend_block_verdict)
render_block_verdict(context, p); render_block_verdict(context, p);
context->file_signature_enabled = false; context->file_signature_enabled = false;
return; return;
skipping to change at line 724 skipping to change at line 757
{ {
context = get_current_file_context(pkt->ssnptr); context = get_current_file_context(pkt->ssnptr);
if (context == NULL) if (context == NULL)
return; return;
} }
if (context->verdict == FILE_VERDICT_BLOCK) if (context->verdict == FILE_VERDICT_BLOCK)
{ {
file_eventq_add(GENERATOR_FILE_SIGNATURE, FILE_SIGNATURE_SHA256, file_eventq_add(GENERATOR_FILE_SIGNATURE, FILE_SIGNATURE_SHA256,
FILE_SIGNATURE_SHA256_STR, RULE_TYPE__DROP); FILE_SIGNATURE_SHA256_STR, RULE_TYPE__DROP);
add_file_to_block(p, context->verdict, context->file_type_id, add_file_to_block(p, context, true);
context->sha256);
} }
else if (context->verdict == FILE_VERDICT_REJECT) else if (context->verdict == FILE_VERDICT_REJECT)
{ {
file_eventq_add(GENERATOR_FILE_SIGNATURE, FILE_SIGNATURE_SHA256, file_eventq_add(GENERATOR_FILE_SIGNATURE, FILE_SIGNATURE_SHA256,
FILE_SIGNATURE_SHA256_STR, RULE_TYPE__REJECT); FILE_SIGNATURE_SHA256_STR, RULE_TYPE__REJECT);
add_file_to_block(p, context->verdict, context->file_type_id, add_file_to_block(p, context, true);
context->sha256);
} }
finish_signature_lookup(context); finish_signature_lookup(context);
} }
static uint32_t get_file_type_id(void *ssnptr) static uint32_t get_file_type_id(void *ssnptr)
{ {
// NOTE: 'ssnptr' NULL checked in get_application_data // NOTE: 'ssnptr' NULL checked in get_application_data
FileContext *context = get_current_file_context(ssnptr); FileContext *context = get_current_file_context(ssnptr);
skipping to change at line 921 skipping to change at line 952
context->file_signature_enabled = false; context->file_signature_enabled = false;
pkt->packet_flags |= PKT_FILE_EVENT_SET; pkt->packet_flags |= PKT_FILE_EVENT_SET;
} }
else if (verdict == FILE_VERDICT_BLOCK) else if (verdict == FILE_VERDICT_BLOCK)
{ {
file_eventq_add(GENERATOR_FILE_TYPE, context->file_type_id, file_eventq_add(GENERATOR_FILE_TYPE, context->file_type_id,
file_type_name(context->file_config, context->file_type_id), file_type_name(context->file_config, context->file_type_id),
RULE_TYPE__DROP); RULE_TYPE__DROP);
updateFileSize(context, data_size, position); updateFileSize(context, data_size, position);
context->file_signature_enabled = false; context->file_signature_enabled = false;
add_file_to_block(p, verdict, context->file_type_id, NULL); add_file_to_block(p, context, false);
return 1; return 1;
} }
else if (verdict == FILE_VERDICT_REJECT) else if (verdict == FILE_VERDICT_REJECT)
{ {
file_eventq_add(GENERATOR_FILE_TYPE, context->file_type_id, file_eventq_add(GENERATOR_FILE_TYPE, context->file_type_id,
file_type_name(context->file_config, context->file_type_id), file_type_name(context->file_config, context->file_type_id),
RULE_TYPE__REJECT); RULE_TYPE__REJECT);
updateFileSize(context, data_size, position); updateFileSize(context, data_size, position);
context->file_signature_enabled = false; context->file_signature_enabled = false;
add_file_to_block(p, verdict, context->file_type_id, NULL); add_file_to_block(p, context, false);
return 1; return 1;
} }
else if (verdict == FILE_VERDICT_STOP) else if (verdict == FILE_VERDICT_STOP)
{ {
context->file_signature_enabled = false; context->file_signature_enabled = false;
} }
else if (verdict == FILE_VERDICT_STOP_CAPTURE) else if (verdict == FILE_VERDICT_STOP_CAPTURE)
{ {
file_capture_stop(context); file_capture_stop(context);
} }
skipping to change at line 1392 skipping to change at line 1423
static void file_signature_reset (void *ssnptr) static void file_signature_reset (void *ssnptr)
{ {
FileContext* context = NULL; FileContext* context = NULL;
FileSession *file_session = get_file_session (ssnptr); FileSession *file_session = get_file_session (ssnptr);
if (file_session) if (file_session)
context = file_session->main_context; context = file_session->main_context;
if (!context) if (!context)
{ {
FILE_ERROR("Faild to reset signature state: context not found."); LogMessage("Failed to reset signature state: context not found.\n");
return; return;
} }
if (context->file_state.sig_state == FILE_SIG_FLUSH) if (context->file_state.sig_state == FILE_SIG_FLUSH)
{ {
context->file_signature_enabled = true; context->file_signature_enabled = true;
context->file_state.sig_state = FILE_SIG_PROCESSING; context->file_state.sig_state = FILE_SIG_PROCESSING;
context->verdict = FILE_VERDICT_UNKNOWN; context->verdict = FILE_VERDICT_UNKNOWN;
if (context->sha256) if (context->sha256)
{ {
free(context->sha256); free(context->sha256);
context->sha256 = NULL; context->sha256 = NULL;
} }
} }
else
{
FILE_DEBUG("Did not reset signature state: current state %d",context->fi
le_state.sig_state);
}
return; return;
} }
static char* file_get_filetype (void *ssnptr) static char* file_get_filetype (void *ssnptr)
{ {
FileContext *context = get_current_file_context(ssnptr); FileContext *context = get_current_file_context(ssnptr);
if (!context) if (!context)
{ {
return NULL; return NULL;
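Review bot: In add_file_to_block, the packet-trace call after the new SMB2 `else if` branch still prints only `buf`, which is filled solely by GetHttpUriData, so a block keyed on `context->file_name` is presumably traced with an empty identifier. On that path the trace could fall back to the name the branch hashed, bounded by its length since nothing visible shows it is NUL-terminated: `"File Process: %s %.*s\n", getPktTraceActMsg(), (int)context->file_name_size, (char *)context->file_name`. The existing `%s` on `buf` likewise ignores `len` and relies on the URI buffer being NUL-terminated, which cannot be confirmed from this page. The same branch writes `((FileEntry*)(context->attached_file_entry))->context = NULL` through a cast with no visible check that the entry is still live; the comment gives the intent, but a line such as `/* entry is owned by the file cache and outlives this call; context is freed by TCP session cleanup */` (to be confirmed against the cache code) would make the lifetime reviewable.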
 End of changes. 18 change blocks. 
23 lines changed or deleted 51 lines changed or added
