detect/filestore: add some comments
regit committed Nov 28, 2024
1 parent 9bb0bb7 commit 5a1ba8c
Showing 2 changed files with 12 additions and 8 deletions.
7 changes: 7 additions & 0 deletions src/detect-engine-file.c
@@ -195,11 +195,18 @@ uint8_t DetectFileInspectGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
SCReturnInt(DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES);
} else if (ffc->head == NULL) {
if (s->flags & SIG_FLAG_FILESTORE) {
/* If the signature has filestore, we need to check if we are in
a scope of capture where we need to prepare the capture for
an upcoming file. */
if (s->filestore_ctx && (s->filestore_ctx->scope == FILESTORE_SCOPE_TX)) {
/* In scope TX, we need to prepare file storage for file that could
appear on the transaction so we store the transaction */
det_ctx->filestore[det_ctx->filestore_cnt].file_id = 0;
det_ctx->filestore[det_ctx->filestore_cnt].tx_id = det_ctx->tx_id;
det_ctx->filestore_cnt++;
}
/* Other scopes than TX are going to be handled in post match without
any setup needed here so we can just return a match for them. */
SCReturnInt(DETECT_ENGINE_INSPECT_SIG_MATCH);
} else
SCReturnInt(DETECT_ENGINE_INSPECT_SIG_NO_MATCH);
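Review bot: The write to `det_ctx->filestore[det_ctx->filestore_cnt]` in the FILESTORE_SCOPE_TX branch is followed by `det_ctx->filestore_cnt++` with no bound check visible in this hunk, and the new comments do not say where that bound is enforced. If `det_ctx->filestore` is a fixed-size array, enough filestore signatures reaching this branch for one packet could index past its end, so the three assignments should sit behind a check of `filestore_cnt` against the array's declared capacity. If a check already exists elsewhere, the new comment should name it, e.g. `/* filestore_cnt is bounded by <where the limit is enforced> */`. It would also help to state that `file_id = 0` is used because no file exists yet on the transaction, if that is the intent. DetectFileInspectGeneric starts and ends outside the hunk, so the surrounding guards are not visible here.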
13 changes: 5 additions & 8 deletions src/detect-filestore.c
@@ -100,7 +100,7 @@ void DetectFilestoreRegister(void)

static void FilestoreTriggerFlowStorage(Flow *f, int toserver_dir, int toclient_dir)
{
/* set in flow and AppLayerStateData */
/* set flags in Flow and AppLayerStateData */
AppLayerStateData *sd = AppLayerParserGetStateData(f->proto, f->alproto, f->alstate);
if (toclient_dir) {
f->file_flags |= FLOWFILE_STORE_TC;
@@ -233,15 +233,12 @@ static int DetectFilestorePostMatch(DetectEngineThreadCtx *det_ctx,
{
SCEnter();

if (p->flow == NULL) {
#ifndef DEBUG
SCReturnInt(0);
#else
BUG_ON(1);
#endif
}
DEBUG_VALIDATE_BUG_ON(p->flow == NULL);

if (det_ctx->filestore_cnt == 0) {
/* here we have no file but the signature is fully matched and
filestore option indicate we need to extract for file for the session
so we trigger flow storage. */
if (s->filestore_ctx && (s->filestore_ctx->scope == FILESTORE_SCOPE_SSN)) {
int toserver_dir = 0;
int toclient_dir = 0;
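Review bot: Replacing the `if (p->flow == NULL)` block with `DEBUG_VALIDATE_BUG_ON(p->flow == NULL);` at the top of DetectFilestorePostMatch appears to drop the non-debug early return (`SCReturnInt(0)`), which is a behaviour change that a commit titled "add some comments" does not announce. As far as I know that macro only checks in debug-validation builds, so in a production build a packet without a flow would continue into the rest of the function, which presumably passes or dereferences `p->flow` (the body continues outside the hunk). On a sensor that means a crash and lost inspection rather than a skipped match. Unless every caller guarantees a flow, keep the cheap guard after the assertion: `if (p->flow == NULL) { SCReturnInt(0); }`. If the guarantee does exist, state it in a comment next to the assertion and mention the removal in the commit message.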
