detect/file: correct registration for HTTP

Register file.name and file.magic at correct progress values. In HTTP1, the files are (part of) the body, so make sure the file detection logic only runs when the parser has started processing the body.
jmtaylor90 · Aug 8, 2023 · 9c90d01 · 9c90d01
1 parent 21c9874
commit 9c90d01
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 7 deletions.
diff --git a/src/detect-filemagic.c b/src/detect-filemagic.c
@@ -112,10 +112,19 @@ void DetectFilemagicRegister(void)
     sigmatch_table[DETECT_FILE_MAGIC].Setup = DetectFilemagicSetupSticky;
     sigmatch_table[DETECT_FILE_MAGIC].flags = SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
 
-    AppProto protos_ts[] = {
-        ALPROTO_HTTP, ALPROTO_SMTP, ALPROTO_FTP, ALPROTO_SMB, ALPROTO_NFS, ALPROTO_HTTP2, 0 };
-    AppProto protos_tc[] = {
-        ALPROTO_HTTP, ALPROTO_FTP, ALPROTO_SMB, ALPROTO_NFS, ALPROTO_HTTP2, 0 };
+    AppProto protos_ts[] = { ALPROTO_SMTP, ALPROTO_FTP, ALPROTO_SMB, ALPROTO_NFS, ALPROTO_HTTP2,
+        0 };
+    AppProto protos_tc[] = { ALPROTO_FTP, ALPROTO_SMB, ALPROTO_NFS, ALPROTO_HTTP2, 0 };
+
+    DetectAppLayerInspectEngineRegister2("file.magic", ALPROTO_HTTP, SIG_FLAG_TOSERVER,
+            HTP_REQUEST_BODY, DetectEngineInspectFilemagic, NULL);
+    DetectAppLayerMpmRegister2("file.magic", SIG_FLAG_TOSERVER, 2, PrefilterMpmFilemagicRegister,
+            NULL, ALPROTO_HTTP, HTP_REQUEST_BODY);
+
+    DetectAppLayerInspectEngineRegister2("file.magic", ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
+            HTP_RESPONSE_BODY, DetectEngineInspectFilemagic, NULL);
+    DetectAppLayerMpmRegister2("file.magic", SIG_FLAG_TOCLIENT, 2, PrefilterMpmFilemagicRegister,
+            NULL, ALPROTO_HTTP, HTP_RESPONSE_BODY);
 
     for (int i = 0; protos_ts[i] != 0; i++) {
         DetectAppLayerInspectEngineRegister2("file.magic", protos_ts[i],

diff --git a/src/detect-filename.c b/src/detect-filename.c
@@ -142,10 +142,19 @@ void DetectFilenameRegister(void)
 
     g_file_match_list_id = DetectBufferTypeGetByName("files");
 
-    AppProto protos_ts[] = { ALPROTO_HTTP, ALPROTO_SMTP, ALPROTO_FTP, ALPROTO_FTPDATA, ALPROTO_SMB,
-        ALPROTO_NFS, 0 };
-    AppProto protos_tc[] = { ALPROTO_HTTP, ALPROTO_FTP, ALPROTO_FTPDATA, ALPROTO_SMB, ALPROTO_NFS,
+    AppProto protos_ts[] = { ALPROTO_SMTP, ALPROTO_FTP, ALPROTO_FTPDATA, ALPROTO_SMB, ALPROTO_NFS,
         0 };
+    AppProto protos_tc[] = { ALPROTO_FTP, ALPROTO_FTPDATA, ALPROTO_SMB, ALPROTO_NFS, 0 };
+
+    DetectAppLayerInspectEngineRegister2("file.name", ALPROTO_HTTP, SIG_FLAG_TOSERVER,
+            HTP_REQUEST_BODY, DetectEngineInspectFilename, NULL);
+    DetectAppLayerMpmRegister2("file.name", SIG_FLAG_TOSERVER, 2, PrefilterMpmFilenameRegister,
+            NULL, ALPROTO_HTTP, HTP_REQUEST_BODY);
+
+    DetectAppLayerInspectEngineRegister2("file.name", ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
+            HTP_RESPONSE_BODY, DetectEngineInspectFilename, NULL);
+    DetectAppLayerMpmRegister2("file.name", SIG_FLAG_TOCLIENT, 2, PrefilterMpmFilenameRegister,
+            NULL, ALPROTO_HTTP, HTP_RESPONSE_BODY);
 
     for (int i = 0; protos_ts[i] != 0; i++) {
         DetectAppLayerInspectEngineRegister2("file.name", protos_ts[i],