detect/filestore: fix options handling and filestore impact

The filestore keyword had an influence on the signature matching when it should not. Also the options of filestore were not honored correctly. This patch updates the logic in filestore keyword handling to fix the problems. Tickets: 7356 7357
regit · Nov 1, 2024 · 7fb3307 · 7fb3307
1 parent 3a7eef8
commit 7fb3307
Show file tree

Hide file tree

Showing 2 changed files with 75 additions and 16 deletions.
diff --git a/src/detect-engine-file.c b/src/detect-engine-file.c
@@ -194,7 +194,15 @@ uint8_t DetectFileInspectGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
     if (ffc == NULL) {
         SCReturnInt(DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES);
     } else if (ffc->head == NULL) {
-        SCReturnInt(DETECT_ENGINE_INSPECT_SIG_NO_MATCH);
+        if (s->flags & SIG_FLAG_FILESTORE) {
+            if (s->filestore_ctx && (s->filestore_ctx->scope == FILESTORE_SCOPE_TX)) {
+                det_ctx->filestore[det_ctx->filestore_cnt].file_id = 0;
+                det_ctx->filestore[det_ctx->filestore_cnt].tx_id = det_ctx->tx_id;
+                det_ctx->filestore_cnt++;
+            }
+            SCReturnInt(DETECT_ENGINE_INSPECT_SIG_MATCH);
+        } else
+            SCReturnInt(DETECT_ENGINE_INSPECT_SIG_NO_MATCH);
     }
 
     uint8_t r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;

diff --git a/src/detect-filestore.c b/src/detect-filestore.c
@@ -98,6 +98,45 @@ void DetectFilestoreRegister(void)
     g_file_match_list_id = DetectBufferTypeRegister("files");
 }
 
+static void FilestoreTriggerFlowStorage(Flow *f, int toserver_dir, int toclient_dir)
+{
+    /* set in flow and AppLayerStateData */
+    AppLayerStateData *sd = AppLayerParserGetStateData(f->proto, f->alproto, f->alstate);
+    if (toclient_dir) {
+        f->file_flags |= FLOWFILE_STORE_TC;
+        if (sd != NULL) {
+            sd->file_flags |= FLOWFILE_STORE_TC;
+        }
+    }
+    if (toserver_dir) {
+        f->file_flags |= FLOWFILE_STORE_TS;
+        if (sd != NULL) {
+            sd->file_flags |= FLOWFILE_STORE_TS;
+        }
+    }
+    /* Start storage for all existing files attached to the flow in correct direction */
+    void *alstate = FlowGetAppState(f);
+    if (alstate != NULL) {
+        uint64_t total_txs = AppLayerParserGetTxCnt(f, alstate);
+        for (uint64_t tx_id = 0; tx_id < total_txs; tx_id++) {
+            void *txv = AppLayerParserGetTx(f->proto, f->alproto, alstate, tx_id);
+            DEBUG_VALIDATE_BUG_ON(txv == NULL);
+            if (txv != NULL) {
+                AppLayerTxData *txd = AppLayerParserGetTxData(f->proto, f->alproto, txv);
+                DEBUG_VALIDATE_BUG_ON(txd == NULL);
+                if (txd != NULL) {
+                    if (toclient_dir) {
+                        txd->file_flags |= FLOWFILE_STORE_TC;
+                    }
+                    if (toserver_dir) {
+                        txd->file_flags |= FLOWFILE_STORE_TS;
+                    }
+                }
+            }
+        }
+    }
+}
+
 /**
  *  \brief apply the post match filestore with options
  */
@@ -170,20 +209,7 @@ static int FilestorePostMatchWithOptions(Packet *p, Flow *f, const DetectFilesto
             }
         }
     } else if (this_flow) {
-        /* set in flow and AppLayerStateData */
-        AppLayerStateData *sd = AppLayerParserGetStateData(f->proto, f->alproto, f->alstate);
-        if (toclient_dir) {
-            f->file_flags |= FLOWFILE_STORE_TC;
-            if (sd != NULL) {
-                sd->file_flags |= FLOWFILE_STORE_TC;
-            }
-        }
-        if (toserver_dir) {
-            f->file_flags |= FLOWFILE_STORE_TS;
-            if (sd != NULL) {
-                sd->file_flags |= FLOWFILE_STORE_TS;
-            }
-        }
+        FilestoreTriggerFlowStorage(f, toserver_dir, toclient_dir);
     } else {
         FileStoreFileById(fc, file_id);
     }
@@ -207,11 +233,36 @@ static int DetectFilestorePostMatch(DetectEngineThreadCtx *det_ctx,
 {
     SCEnter();
 
+    if (p->flow == NULL) {
+#ifndef DEBUG
+        SCReturnInt(0);
+#else
+        BUG_ON(1);
+#endif
+    }
+
     if (det_ctx->filestore_cnt == 0) {
+        if (s->filestore_ctx && (s->filestore_ctx->scope == FILESTORE_SCOPE_SSN)) {
+            int toserver_dir = 0;
+            int toclient_dir = 0;
+            switch (s->filestore_ctx->direction) {
+                case FILESTORE_DIR_BOTH:
+                    toserver_dir = 1;
+                    toclient_dir = 1;
+                    break;
+                case FILESTORE_DIR_TOSERVER:
+                    toserver_dir = 1;
+                    break;
+                case FILESTORE_DIR_TOCLIENT:
+                    toclient_dir = 1;
+                    break;
+            }
+            FilestoreTriggerFlowStorage(p->flow, toserver_dir, toclient_dir);
+        }
         SCReturnInt(0);
     }
 
-    if ((s->filestore_ctx == NULL && !(s->flags & SIG_FLAG_FILESTORE)) || p->flow == NULL) {
+    if (s->filestore_ctx == NULL && !(s->flags & SIG_FLAG_FILESTORE)) {
 #ifndef DEBUG
         SCReturnInt(0);
 #else