/src/suricata7/src/detect-file-hash-common.c
Line | Count | Source |
1 | | /* Copyright (C) 2007-2016 Open Information Security Foundation |
2 | | * |
3 | | * You can copy, redistribute or modify this Program under the terms of |
4 | | * the GNU General Public License version 2 as published by the Free |
5 | | * Software Foundation. |
6 | | * |
7 | | * This program is distributed in the hope that it will be useful, |
8 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
9 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
10 | | * GNU General Public License for more details. |
11 | | * |
12 | | * You should have received a copy of the GNU General Public License |
13 | | * version 2 along with this program; if not, write to the Free Software |
14 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
15 | | * 02110-1301, USA. |
16 | | */ |
17 | | |
18 | | /** |
19 | | * \file |
20 | | * |
21 | | * \author Victor Julien <victor@inliniac.net> |
22 | | * \author Duarte Silva <duarte.silva@serializing.me> |
23 | | * |
24 | | */ |
25 | | |
26 | | #include "suricata-common.h" |
27 | | |
28 | | #include "detect.h" |
29 | | #include "detect-parse.h" |
30 | | |
31 | | #include "detect-file-hash-common.h" |
32 | | |
33 | | #include "app-layer-htp.h" |
34 | | |
35 | | /** |
36 | | * \brief Read the bytes of a hash from an hexadecimal string |
37 | | * |
38 | | * \param hash buffer to store the resulting bytes |
39 | | * \param string hexadecimal string representing the hash |
40 | | * \param filename file name from where the string was read |
41 | | * \param line_no file line number from where the string was read |
42 | | * \param expected_len the expected length of the string that was read |
43 | | * |
44 | | * \retval -1 the hexadecimal string is invalid |
45 | | * \retval 1 the hexadecimal string was read successfully |
46 | | */ |
47 | | int ReadHashString(uint8_t *hash, const char *string, const char *filename, int line_no, |
48 | | uint16_t expected_len) |
49 | 0 | { |
50 | 0 | if (strlen(string) != expected_len) { |
51 | 0 | SCLogError("%s:%d hash string not %d characters", filename, line_no, expected_len); |
52 | 0 | return -1; |
53 | 0 | } |
54 | | |
55 | 0 | int i, x; |
56 | 0 | for (x = 0, i = 0; i < expected_len; i+=2, x++) { |
57 | 0 | char buf[3] = { 0, 0, 0 }; |
58 | 0 | buf[0] = string[i]; |
59 | 0 | buf[1] = string[i+1]; |
60 | |
|
61 | 0 | long value = strtol(buf, NULL, 16); |
62 | 0 | if (value >= 0 && value <= 255) |
63 | 0 | hash[x] = (uint8_t)value; |
64 | 0 | else { |
65 | 0 | SCLogError("%s:%d hash byte out of range %ld", filename, line_no, value); |
66 | 0 | return -1; |
67 | 0 | } |
68 | 0 | } |
69 | | |
70 | 0 | return 1; |
71 | 0 | } |
72 | | |
73 | | /** |
74 | | * \brief Store a hash into the hash table |
75 | | * |
76 | | * \param hash_table hash table that will hold the hash |
77 | | * \param string hexadecimal string representing the hash |
78 | | * \param filename file name from where the string was read |
79 | | * \param line_no file line number from where the string was read |
80 | | * \param type the hash algorithm |
81 | | * |
82 | | * \retval -1 failed to load the hash into the hash table |
83 | | * \retval 1 successfully loaded the has into the hash table |
84 | | */ |
85 | | int LoadHashTable(ROHashTable *hash_table, const char *string, const char *filename, |
86 | | int line_no, uint32_t type) |
87 | 0 | { |
88 | | /* allocate the maximum size a hash can have (in this case is SHA256, 32 bytes) */ |
89 | 0 | uint8_t hash[32]; |
90 | | /* specify the actual size that should be read depending on the hash algorithm */ |
91 | 0 | uint16_t size = 32; |
92 | |
|
93 | 0 | if (type == DETECT_FILEMD5) { |
94 | 0 | size = 16; |
95 | 0 | } |
96 | 0 | else if (type == DETECT_FILESHA1) { |
97 | 0 | size = 20; |
98 | 0 | } |
99 | | |
100 | | /* every byte represented with hexadecimal digits is two characters */ |
101 | 0 | uint16_t expected_len = (size * 2); |
102 | |
|
103 | 0 | if (ReadHashString(hash, string, filename, line_no, expected_len) == 1) { |
104 | 0 | if (ROHashInitQueueValue(hash_table, &hash, size) != 1) |
105 | 0 | return -1; |
106 | 0 | } |
107 | | |
108 | 0 | return 1; |
109 | 0 | } |
110 | | |
111 | | /** |
112 | | * \brief Match a hash stored in a hash table |
113 | | * |
114 | | * \param hash_table hash table that will hold the hash |
115 | | * \param hash buffer containing the bytes of the has |
116 | | * \param hash_len length of the hash buffer |
117 | | * |
118 | | * \retval 0 didn't find the specified hash |
119 | | * \retval 1 the hash matched a stored value |
120 | | */ |
121 | | static int HashMatchHashTable(ROHashTable *hash_table, uint8_t *hash, |
122 | | size_t hash_len) |
123 | 0 | { |
124 | 0 | void *ptr = ROHashLookup(hash_table, hash, (uint16_t)hash_len); |
125 | 0 | if (ptr == NULL) |
126 | 0 | return 0; |
127 | 0 | else |
128 | 0 | return 1; |
129 | 0 | } |
130 | | |
131 | | /** |
132 | | * \brief Match the specified file hash |
133 | | * |
134 | | * \param det_ctx pattern matcher thread local data |
135 | | * \param f *LOCKED* flow |
136 | | * \param flags direction flags |
137 | | * \param file file being inspected |
138 | | * \param s signature being inspected |
139 | | * \param m sigmatch that we will cast into DetectFileHashData |
140 | | * |
141 | | * \retval 0 no match |
142 | | * \retval 1 match |
143 | | */ |
144 | | int DetectFileHashMatch (DetectEngineThreadCtx *det_ctx, |
145 | | Flow *f, uint8_t flags, File *file, const Signature *s, const SigMatchCtx *m) |
146 | 0 | { |
147 | 0 | SCEnter(); |
148 | 0 | int ret = 0; |
149 | 0 | DetectFileHashData *filehash = (DetectFileHashData *)m; |
150 | |
|
151 | 0 | if (file->state != FILE_STATE_CLOSED) { |
152 | 0 | SCReturnInt(0); |
153 | 0 | } |
154 | | |
155 | 0 | int match = -1; |
156 | |
|
157 | 0 | if (s->file_flags & FILE_SIG_NEED_MD5 && file->flags & FILE_MD5) { |
158 | 0 | match = HashMatchHashTable(filehash->hash, file->md5, sizeof(file->md5)); |
159 | 0 | } |
160 | 0 | else if (s->file_flags & FILE_SIG_NEED_SHA1 && file->flags & FILE_SHA1) { |
161 | 0 | match = HashMatchHashTable(filehash->hash, file->sha1, sizeof(file->sha1)); |
162 | 0 | } |
163 | 0 | else if (s->file_flags & FILE_SIG_NEED_SHA256 && file->flags & FILE_SHA256) { |
164 | 0 | match = HashMatchHashTable(filehash->hash, file->sha256, sizeof(file->sha256)); |
165 | 0 | } |
166 | |
|
167 | 0 | if (match == 1) { |
168 | 0 | if (filehash->negated == 0) |
169 | 0 | ret = 1; |
170 | 0 | else |
171 | 0 | ret = 0; |
172 | 0 | } |
173 | 0 | else if (match == 0) { |
174 | 0 | if (filehash->negated == 0) |
175 | 0 | ret = 0; |
176 | 0 | else |
177 | 0 | ret = 1; |
178 | 0 | } |
179 | |
|
180 | 0 | SCReturnInt(ret); |
181 | 0 | } |
182 | | |
183 | | static const char *hexcodes = "ABCDEFabcdef0123456789"; |
184 | | |
185 | | /** |
186 | | * \brief Parse the filemd5, filesha1 or filesha256 keyword |
187 | | * |
188 | | * \param det_ctx pattern matcher thread local data |
189 | | * \param str Pointer to the user provided option |
190 | | * \param type the hash algorithm |
191 | | * |
192 | | * \retval hash pointer to DetectFileHashData on success |
193 | | * \retval NULL on failure |
194 | | */ |
195 | | static DetectFileHashData *DetectFileHashParse (const DetectEngineCtx *de_ctx, |
196 | | const char *str, uint32_t type) |
197 | 832 | { |
198 | 832 | DetectFileHashData *filehash = NULL; |
199 | 832 | FILE *fp = NULL; |
200 | 832 | char *filename = NULL; |
201 | 832 | char *rule_filename = NULL; |
202 | | |
203 | | /* We have a correct hash algorithm option */ |
204 | 832 | filehash = SCMalloc(sizeof(DetectFileHashData)); |
205 | 832 | if (unlikely(filehash == NULL)) |
206 | 0 | goto error; |
207 | | |
208 | 832 | memset(filehash, 0x00, sizeof(DetectFileHashData)); |
209 | | |
210 | 832 | if (strlen(str) && str[0] == '!') { |
211 | 329 | filehash->negated = 1; |
212 | 329 | str++; |
213 | 329 | } |
214 | | |
215 | 832 | if (type == DETECT_FILEMD5) { |
216 | 373 | filehash->hash = ROHashInit(18, 16); |
217 | 373 | } |
218 | 459 | else if (type == DETECT_FILESHA1) { |
219 | 9 | filehash->hash = ROHashInit(18, 20); |
220 | 9 | } |
221 | 450 | else if (type == DETECT_FILESHA256) { |
222 | 450 | filehash->hash = ROHashInit(18, 32); |
223 | 450 | } |
224 | | |
225 | 832 | if (filehash->hash == NULL) { |
226 | 0 | goto error; |
227 | 0 | } |
228 | | |
229 | | /* get full filename */ |
230 | 832 | filename = DetectLoadCompleteSigPath(de_ctx, str); |
231 | 832 | if (filename == NULL) { |
232 | 0 | goto error; |
233 | 0 | } |
234 | | |
235 | 832 | rule_filename = SCStrdup(de_ctx->rule_file); |
236 | 832 | if (rule_filename == NULL) { |
237 | 0 | goto error; |
238 | 0 | } |
239 | | |
240 | 832 | char line[8192] = ""; |
241 | 832 | fp = fopen(filename, "r"); |
242 | 832 | if (fp == NULL) { |
243 | 831 | #ifdef HAVE_LIBGEN_H |
244 | 831 | if (de_ctx->rule_file != NULL) { |
245 | 831 | char *dir = dirname(rule_filename); |
246 | 831 | if (dir != NULL) { |
247 | 831 | char path[PATH_MAX]; |
248 | 831 | snprintf(path, sizeof(path), "%s/%s", dir, str); |
249 | 831 | fp = fopen(path, "r"); |
250 | 831 | if (fp == NULL) { |
251 | 816 | SCLogError("opening hash file %s: %s", path, strerror(errno)); |
252 | 816 | goto error; |
253 | 816 | } |
254 | 831 | } |
255 | 831 | } |
256 | 15 | if (fp == NULL) { |
257 | 0 | #endif |
258 | 0 | SCLogError("opening hash file %s: %s", filename, strerror(errno)); |
259 | 0 | goto error; |
260 | 0 | #ifdef HAVE_LIBGEN_H |
261 | 0 | } |
262 | 15 | #endif |
263 | 15 | } |
264 | | |
265 | 16 | int line_no = 0; |
266 | 16 | while(fgets(line, (int)sizeof(line), fp) != NULL) { |
267 | 0 | size_t valid = 0, len = strlen(line); |
268 | 0 | line_no++; |
269 | |
|
270 | 0 | while (strchr(hexcodes, line[valid]) != NULL && valid++ < len); |
271 | | |
272 | | /* lines that do not contain sequentially any valid character are ignored */ |
273 | 0 | if (valid == 0) |
274 | 0 | continue; |
275 | | |
276 | | /* ignore anything after the sequence of valid characters */ |
277 | 0 | line[valid] = '\0'; |
278 | |
|
279 | 0 | if (LoadHashTable(filehash->hash, line, filename, line_no, type) != 1) { |
280 | 0 | goto error; |
281 | 0 | } |
282 | 0 | } |
283 | 16 | fclose(fp); |
284 | 16 | fp = NULL; |
285 | | |
286 | 16 | if (ROHashInitFinalize(filehash->hash) != 1) { |
287 | 16 | goto error; |
288 | 16 | } |
289 | 0 | SCLogInfo("Hash hash table size %u bytes%s", ROHashMemorySize(filehash->hash), filehash->negated ? ", negated match" : ""); |
290 | |
|
291 | 0 | SCFree(rule_filename); |
292 | 0 | SCFree(filename); |
293 | 0 | return filehash; |
294 | | |
295 | 832 | error: |
296 | 832 | if (filehash != NULL) |
297 | 832 | DetectFileHashFree((DetectEngineCtx *) de_ctx, filehash); |
298 | 832 | if (fp != NULL) |
299 | 0 | fclose(fp); |
300 | 832 | if (filename != NULL) |
301 | 832 | SCFree(filename); |
302 | 832 | if (rule_filename != NULL) { |
303 | 832 | SCFree(rule_filename); |
304 | 832 | } |
305 | 832 | return NULL; |
306 | 16 | } |
307 | | |
308 | | /** |
309 | | * \brief this function is used to parse filemd5, filesha1 and filesha256 options |
310 | | * \brief into the current signature |
311 | | * |
312 | | * \param de_ctx pointer to the Detection Engine Context |
313 | | * \param s pointer to the Current Signature |
314 | | * \param str pointer to the user provided "filemd5", "filesha1" or "filesha256" option |
315 | | * \param type type of file hash to setup |
316 | | * |
317 | | * \retval 0 on Success |
318 | | * \retval -1 on Failure |
319 | | */ |
320 | | int DetectFileHashSetup( |
321 | | DetectEngineCtx *de_ctx, Signature *s, const char *str, uint16_t type, int list) |
322 | 832 | { |
323 | 832 | DetectFileHashData *filehash = NULL; |
324 | 832 | SigMatch *sm = NULL; |
325 | | |
326 | 832 | filehash = DetectFileHashParse(de_ctx, str, type); |
327 | 832 | if (filehash == NULL) |
328 | 832 | goto error; |
329 | | |
330 | | /* Okay so far so good, lets get this into a SigMatch |
331 | | * and put it in the Signature. */ |
332 | 0 | sm = SigMatchAlloc(); |
333 | 0 | if (sm == NULL) |
334 | 0 | goto error; |
335 | | |
336 | 0 | sm->type = type; |
337 | 0 | sm->ctx = (void *)filehash; |
338 | |
|
339 | 0 | SigMatchAppendSMToList(s, sm, list); |
340 | |
|
341 | 0 | s->file_flags |= FILE_SIG_NEED_FILE; |
342 | | |
343 | | // Setup the file flags depending on the hashing algorithm |
344 | 0 | if (type == DETECT_FILEMD5) { |
345 | 0 | s->file_flags |= FILE_SIG_NEED_MD5; |
346 | 0 | } |
347 | 0 | if (type == DETECT_FILESHA1) { |
348 | 0 | s->file_flags |= FILE_SIG_NEED_SHA1; |
349 | 0 | } |
350 | 0 | if (type == DETECT_FILESHA256) { |
351 | 0 | s->file_flags |= FILE_SIG_NEED_SHA256; |
352 | 0 | } |
353 | 0 | return 0; |
354 | | |
355 | 832 | error: |
356 | 832 | if (filehash != NULL) |
357 | 0 | DetectFileHashFree(de_ctx, filehash); |
358 | 832 | if (sm != NULL) |
359 | 0 | SCFree(sm); |
360 | 832 | return -1; |
361 | 0 | } |
362 | | |
363 | | /** |
364 | | * \brief this function will free memory associated with DetectFileHashData |
365 | | * |
366 | | * \param filehash pointer to DetectFileHashData |
367 | | */ |
368 | | void DetectFileHashFree(DetectEngineCtx *de_ctx, void *ptr) |
369 | 2.51k | { |
370 | 2.51k | if (ptr != NULL) { |
371 | 2.51k | DetectFileHashData *filehash = (DetectFileHashData *)ptr; |
372 | 2.51k | if (filehash->hash != NULL) |
373 | 2.51k | ROHashFree(filehash->hash); |
374 | 2.51k | SCFree(filehash); |
375 | 2.51k | } |
376 | 2.51k | } |