... | ... |
@@ -114,23 +114,22 @@ LTLIBRARIES = $(lib_LTLIBRARIES) $(noinst_LTLIBRARIES) |
114 | 114 |
@ENABLE_LLVM_FALSE@am__DEPENDENCIES_2 = libclamav_nocxx.la |
115 | 115 |
@ENABLE_LLVM_TRUE@am__DEPENDENCIES_2 = c++/libclamavcxx.la |
116 | 116 |
am__libclamav_la_SOURCES_DIST = clamav.h matcher-ac.c matcher-ac.h \ |
117 |
- matcher-bm.c matcher-bm.h matcher-md5.c matcher-md5.h \ |
|
118 |
- matcher-hash.c matcher-hash.h matcher.c matcher.h others.c \ |
|
119 |
- others.h readdb.c readdb.h cvd.c cvd.h dsig.c dsig.h \ |
|
120 |
- scanners.c scanners.h textdet.c textdet.h filetypes.c \ |
|
121 |
- filetypes.h filetypes_int.h rtf.c rtf.h blob.c blob.h mbox.c \ |
|
122 |
- mbox.h message.c message.h table.c table.h text.c text.h \ |
|
123 |
- ole2_extract.c ole2_extract.h vba_extract.c vba_extract.h \ |
|
124 |
- cltypes.h msexpand.c msexpand.h pe.c pe.h pe_icons.c \ |
|
125 |
- pe_icons.h disasm.c disasm.h disasm-common.h disasmpriv.h \ |
|
126 |
- upx.c upx.h htmlnorm.c htmlnorm.h chmunpack.c chmunpack.h \ |
|
127 |
- rebuildpe.c rebuildpe.h petite.c petite.h wwunpack.c \ |
|
128 |
- wwunpack.h unsp.c unsp.h aspack.c aspack.h packlibs.c \ |
|
129 |
- packlibs.h fsg.c fsg.h mew.c mew.h upack.c upack.h line.c \ |
|
130 |
- line.h untar.c untar.h unzip.c unzip.h inflate64.c inflate64.h \ |
|
131 |
- inffixed64.h inflate64_priv.h special.c special.h binhex.c \ |
|
132 |
- binhex.h is_tar.c is_tar.h tnef.c tnef.h autoit.c autoit.h \ |
|
133 |
- unarj.c unarj.h nsis/bzlib.c nsis/bzlib_private.h \ |
|
117 |
+ matcher-bm.c matcher-bm.h matcher-hash.c matcher-hash.h \ |
|
118 |
+ matcher.c matcher.h others.c others.h readdb.c readdb.h cvd.c \ |
|
119 |
+ cvd.h dsig.c dsig.h scanners.c scanners.h textdet.c textdet.h \ |
|
120 |
+ filetypes.c filetypes.h filetypes_int.h rtf.c rtf.h blob.c \ |
|
121 |
+ blob.h mbox.c mbox.h message.c message.h table.c table.h \ |
|
122 |
+ text.c text.h ole2_extract.c ole2_extract.h vba_extract.c \ |
|
123 |
+ vba_extract.h cltypes.h msexpand.c msexpand.h pe.c pe.h \ |
|
124 |
+ pe_icons.c pe_icons.h disasm.c disasm.h disasm-common.h \ |
|
125 |
+ disasmpriv.h upx.c upx.h htmlnorm.c htmlnorm.h chmunpack.c \ |
|
126 |
+ chmunpack.h rebuildpe.c rebuildpe.h petite.c petite.h \ |
|
127 |
+ wwunpack.c wwunpack.h unsp.c unsp.h aspack.c aspack.h \ |
|
128 |
+ packlibs.c packlibs.h fsg.c fsg.h mew.c mew.h upack.c upack.h \ |
|
129 |
+ line.c line.h untar.c untar.h unzip.c unzip.h inflate64.c \ |
|
130 |
+ inflate64.h inffixed64.h inflate64_priv.h special.c special.h \ |
|
131 |
+ binhex.c binhex.h is_tar.c is_tar.h tnef.c tnef.h autoit.c \ |
|
132 |
+ autoit.h unarj.c unarj.h nsis/bzlib.c nsis/bzlib_private.h \ |
|
134 | 133 |
nsis/nsis_bzlib.h nsis/nulsft.c nsis/nulsft.h nsis/infblock.c \ |
135 | 134 |
nsis/nsis_zconf.h nsis/nsis_zlib.h nsis/nsis_zutil.h pdf.c \ |
136 | 135 |
pdf.h spin.c spin.h yc.c yc.h elf.c elf.h execs.h sis.c sis.h \ |
... | ... |
@@ -162,13 +161,12 @@ am__libclamav_la_SOURCES_DIST = clamav.h matcher-ac.c matcher-ac.h \ |
162 | 162 |
bignum.c bignum_class.h |
163 | 163 |
@LINK_TOMMATH_FALSE@am__objects_1 = libclamav_la-bignum.lo |
164 | 164 |
am_libclamav_la_OBJECTS = libclamav_la-matcher-ac.lo \ |
165 |
- libclamav_la-matcher-bm.lo libclamav_la-matcher-md5.lo \ |
|
166 |
- libclamav_la-matcher-hash.lo libclamav_la-matcher.lo \ |
|
167 |
- libclamav_la-others.lo libclamav_la-readdb.lo \ |
|
168 |
- libclamav_la-cvd.lo libclamav_la-dsig.lo \ |
|
169 |
- libclamav_la-scanners.lo libclamav_la-textdet.lo \ |
|
170 |
- libclamav_la-filetypes.lo libclamav_la-rtf.lo \ |
|
171 |
- libclamav_la-blob.lo libclamav_la-mbox.lo \ |
|
165 |
+ libclamav_la-matcher-bm.lo libclamav_la-matcher-hash.lo \ |
|
166 |
+ libclamav_la-matcher.lo libclamav_la-others.lo \ |
|
167 |
+ libclamav_la-readdb.lo libclamav_la-cvd.lo \ |
|
168 |
+ libclamav_la-dsig.lo libclamav_la-scanners.lo \ |
|
169 |
+ libclamav_la-textdet.lo libclamav_la-filetypes.lo \ |
|
170 |
+ libclamav_la-rtf.lo libclamav_la-blob.lo libclamav_la-mbox.lo \ |
|
172 | 171 |
libclamav_la-message.lo libclamav_la-table.lo \ |
173 | 172 |
libclamav_la-text.lo libclamav_la-ole2_extract.lo \ |
174 | 173 |
libclamav_la-vba_extract.lo libclamav_la-msexpand.lo \ |
... | ... |
@@ -621,22 +619,22 @@ libclamav_la_LDFLAGS = @TH_SAFE@ -version-info @LIBCLAMAV_VERSION@ \ |
621 | 621 |
-no-undefined $(am__append_6) |
622 | 622 |
include_HEADERS = clamav.h |
623 | 623 |
libclamav_la_SOURCES = clamav.h matcher-ac.c matcher-ac.h matcher-bm.c \ |
624 |
- matcher-bm.h matcher-md5.c matcher-md5.h matcher-hash.c \ |
|
625 |
- matcher-hash.h matcher.c matcher.h others.c others.h readdb.c \ |
|
626 |
- readdb.h cvd.c cvd.h dsig.c dsig.h scanners.c scanners.h \ |
|
627 |
- textdet.c textdet.h filetypes.c filetypes.h filetypes_int.h \ |
|
628 |
- rtf.c rtf.h blob.c blob.h mbox.c mbox.h message.c message.h \ |
|
629 |
- table.c table.h text.c text.h ole2_extract.c ole2_extract.h \ |
|
630 |
- vba_extract.c vba_extract.h cltypes.h msexpand.c msexpand.h \ |
|
631 |
- pe.c pe.h pe_icons.c pe_icons.h disasm.c disasm.h \ |
|
632 |
- disasm-common.h disasmpriv.h upx.c upx.h htmlnorm.c htmlnorm.h \ |
|
633 |
- chmunpack.c chmunpack.h rebuildpe.c rebuildpe.h petite.c \ |
|
634 |
- petite.h wwunpack.c wwunpack.h unsp.c unsp.h aspack.c aspack.h \ |
|
635 |
- packlibs.c packlibs.h fsg.c fsg.h mew.c mew.h upack.c upack.h \ |
|
636 |
- line.c line.h untar.c untar.h unzip.c unzip.h inflate64.c \ |
|
637 |
- inflate64.h inffixed64.h inflate64_priv.h special.c special.h \ |
|
638 |
- binhex.c binhex.h is_tar.c is_tar.h tnef.c tnef.h autoit.c \ |
|
639 |
- autoit.h unarj.c unarj.h nsis/bzlib.c nsis/bzlib_private.h \ |
|
624 |
+ matcher-bm.h matcher-hash.c matcher-hash.h matcher.c matcher.h \ |
|
625 |
+ others.c others.h readdb.c readdb.h cvd.c cvd.h dsig.c dsig.h \ |
|
626 |
+ scanners.c scanners.h textdet.c textdet.h filetypes.c \ |
|
627 |
+ filetypes.h filetypes_int.h rtf.c rtf.h blob.c blob.h mbox.c \ |
|
628 |
+ mbox.h message.c message.h table.c table.h text.c text.h \ |
|
629 |
+ ole2_extract.c ole2_extract.h vba_extract.c vba_extract.h \ |
|
630 |
+ cltypes.h msexpand.c msexpand.h pe.c pe.h pe_icons.c \ |
|
631 |
+ pe_icons.h disasm.c disasm.h disasm-common.h disasmpriv.h \ |
|
632 |
+ upx.c upx.h htmlnorm.c htmlnorm.h chmunpack.c chmunpack.h \ |
|
633 |
+ rebuildpe.c rebuildpe.h petite.c petite.h wwunpack.c \ |
|
634 |
+ wwunpack.h unsp.c unsp.h aspack.c aspack.h packlibs.c \ |
|
635 |
+ packlibs.h fsg.c fsg.h mew.c mew.h upack.c upack.h line.c \ |
|
636 |
+ line.h untar.c untar.h unzip.c unzip.h inflate64.c inflate64.h \ |
|
637 |
+ inffixed64.h inflate64_priv.h special.c special.h binhex.c \ |
|
638 |
+ binhex.h is_tar.c is_tar.h tnef.c tnef.h autoit.c autoit.h \ |
|
639 |
+ unarj.c unarj.h nsis/bzlib.c nsis/bzlib_private.h \ |
|
640 | 640 |
nsis/nsis_bzlib.h nsis/nulsft.c nsis/nulsft.h nsis/infblock.c \ |
641 | 641 |
nsis/nsis_zconf.h nsis/nsis_zlib.h nsis/nsis_zutil.h pdf.c \ |
642 | 642 |
pdf.h spin.c spin.h yc.c yc.h elf.c elf.h execs.h sis.c sis.h \ |
... | ... |
@@ -840,7 +838,6 @@ distclean-compile: |
840 | 840 |
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-matcher-ac.Plo@am__quote@ |
841 | 841 |
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-matcher-bm.Plo@am__quote@ |
842 | 842 |
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-matcher-hash.Plo@am__quote@ |
843 |
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-matcher-md5.Plo@am__quote@ |
|
844 | 843 |
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-matcher.Plo@am__quote@ |
845 | 844 |
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-mbox.Plo@am__quote@ |
846 | 845 |
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-message.Plo@am__quote@ |
... | ... |
@@ -938,14 +935,6 @@ libclamav_la-matcher-bm.lo: matcher-bm.c |
938 | 938 |
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ |
939 | 939 |
@am__fastdepCC_FALSE@ $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -c -o libclamav_la-matcher-bm.lo `test -f 'matcher-bm.c' || echo '$(srcdir)/'`matcher-bm.c |
940 | 940 |
|
941 |
-libclamav_la-matcher-md5.lo: matcher-md5.c |
|
942 |
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -MT libclamav_la-matcher-md5.lo -MD -MP -MF $(DEPDIR)/libclamav_la-matcher-md5.Tpo -c -o libclamav_la-matcher-md5.lo `test -f 'matcher-md5.c' || echo '$(srcdir)/'`matcher-md5.c |
|
943 |
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libclamav_la-matcher-md5.Tpo $(DEPDIR)/libclamav_la-matcher-md5.Plo |
|
944 |
-@am__fastdepCC_FALSE@ $(AM_V_CC) @AM_BACKSLASH@ |
|
945 |
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='matcher-md5.c' object='libclamav_la-matcher-md5.lo' libtool=yes @AMDEPBACKSLASH@ |
|
946 |
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ |
|
947 |
-@am__fastdepCC_FALSE@ $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -c -o libclamav_la-matcher-md5.lo `test -f 'matcher-md5.c' || echo '$(srcdir)/'`matcher-md5.c |
|
948 |
- |
|
949 | 941 |
libclamav_la-matcher-hash.lo: matcher-hash.c |
950 | 942 |
@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -MT libclamav_la-matcher-hash.lo -MD -MP -MF $(DEPDIR)/libclamav_la-matcher-hash.Tpo -c -o libclamav_la-matcher-hash.lo `test -f 'matcher-hash.c' || echo '$(srcdir)/'`matcher-hash.c |
951 | 943 |
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libclamav_la-matcher-hash.Tpo $(DEPDIR)/libclamav_la-matcher-hash.Plo |
... | ... |
@@ -66,10 +66,9 @@ int hm_addhash(struct cli_matcher *root, const char *hash, uint32_t size, const |
66 | 66 |
|
67 | 67 |
hashlen /= 2; |
68 | 68 |
ht = &root->hm.sizehashes[type]; |
69 |
- if(!root->hm.htinint[type]) { |
|
69 |
+ if(!root->hm.sizehashes[type].capacity) { |
|
70 | 70 |
i = cli_htu32_init(ht, 64, root->mempool); |
71 | 71 |
if(i) return i; |
72 |
- root->hm.htinint[type] = 1; |
|
73 | 72 |
} |
74 | 73 |
|
75 | 74 |
item = cli_htu32_find(ht, size); |
... | ... |
@@ -99,6 +98,7 @@ int hm_addhash(struct cli_matcher *root, const char *hash, uint32_t size, const |
99 | 99 |
cli_errmsg("ht_add: failed to grow hash array to %u entries\n", szh->items); |
100 | 100 |
szh->items=0; |
101 | 101 |
mpool_free(root->mempool, szh->virusnames); |
102 |
+ szh->virusnames = NULL; |
|
102 | 103 |
return CL_EMEM; |
103 | 104 |
} |
104 | 105 |
|
... | ... |
@@ -107,6 +107,7 @@ int hm_addhash(struct cli_matcher *root, const char *hash, uint32_t size, const |
107 | 107 |
cli_errmsg("ht_add: failed to grow virusname array to %u entries\n", szh->items); |
108 | 108 |
szh->items=0; |
109 | 109 |
mpool_free(root->mempool, szh->hash_array); |
110 |
+ szh->hash_array = NULL; |
|
110 | 111 |
return CL_EMEM; |
111 | 112 |
} |
112 | 113 |
|
... | ... |
@@ -182,7 +183,7 @@ void hm_flush(struct cli_matcher *root) { |
182 | 182 |
struct cli_htu32 *ht = &root->hm.sizehashes[type]; |
183 | 183 |
const struct cli_htu32_element *item = NULL; |
184 | 184 |
|
185 |
- if(!root->hm.htinint[type]) |
|
185 |
+ if(!root->hm.sizehashes[type].capacity) |
|
186 | 186 |
continue; |
187 | 187 |
|
188 | 188 |
while((item = cli_htu32_next(ht, item))) { |
... | ... |
@@ -197,7 +198,7 @@ void hm_flush(struct cli_matcher *root) { |
197 | 197 |
|
198 | 198 |
|
199 | 199 |
int cli_hm_have_size(const struct cli_matcher *root, enum CLI_HASH_TYPE type, uint32_t size) { |
200 |
- return (size && size != 0xffffffff && root && root->hm.htinint[type] && cli_htu32_find(&root->hm.sizehashes[type], size)); |
|
200 |
+ return (size && size != 0xffffffff && root && root->hm.sizehashes[type].capacity && cli_htu32_find(&root->hm.sizehashes[type], size)); |
|
201 | 201 |
} |
202 | 202 |
|
203 | 203 |
int cli_hm_scan(const unsigned char *digest, uint32_t size, const char **virname, const struct cli_matcher *root, enum CLI_HASH_TYPE type) { |
... | ... |
@@ -206,7 +207,7 @@ int cli_hm_scan(const unsigned char *digest, uint32_t size, const char **virname |
206 | 206 |
struct cli_sz_hash *szh; |
207 | 207 |
size_t l, r; |
208 | 208 |
|
209 |
- if(!digest || !size || size == 0xffffffff || !root || !root->hm.htinint[type]) |
|
209 |
+ if(!digest || !size || size == 0xffffffff || !root || !root->hm.sizehashes[type].capacity) |
|
210 | 210 |
return CL_CLEAN; |
211 | 211 |
|
212 | 212 |
item = cli_htu32_find(&root->hm.sizehashes[type], size); |
... | ... |
@@ -236,3 +237,29 @@ int cli_hm_scan(const unsigned char *digest, uint32_t size, const char **virname |
236 | 236 |
} |
237 | 237 |
return CL_CLEAN; |
238 | 238 |
} |
239 |
+ |
|
240 |
+void hm_free(struct cli_matcher *root) { |
|
241 |
+ enum CLI_HASH_TYPE type; |
|
242 |
+ |
|
243 |
+ if(!root) |
|
244 |
+ return; |
|
245 |
+ |
|
246 |
+ for(type = CLI_HASH_MD5; type < CLI_HASH_AVAIL_TYPES; type++) { |
|
247 |
+ struct cli_htu32 *ht = &root->hm.sizehashes[type]; |
|
248 |
+ const struct cli_htu32_element *item = NULL; |
|
249 |
+ |
|
250 |
+ if(!root->hm.sizehashes[type].capacity) |
|
251 |
+ continue; |
|
252 |
+ |
|
253 |
+ while((item = cli_htu32_next(ht, item))) { |
|
254 |
+ struct cli_sz_hash *szh = (struct cli_sz_hash *)item->data.as_ptr; |
|
255 |
+ unsigned int keylen = hashlen[type]; |
|
256 |
+ |
|
257 |
+ mpool_free(root->mempool, szh->hash_array); |
|
258 |
+ mpool_free(root->mempool, szh->virusnames); |
|
259 |
+ mpool_free(root->mempool, szh); |
|
260 |
+ } |
|
261 |
+ cli_htu32_free(ht, root->mempool); |
|
262 |
+ } |
|
263 |
+} |
|
264 |
+ |
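Review bot: `hm_free` hands both `szh->hash_array` and `szh->virusnames` to `mpool_free` for every element, so each `CL_EMEM` path in `hm_addhash` has to leave both fields either valid or NULL. The added `szh->virusnames = NULL;` and `szh->hash_array = NULL;` clear only the pointer that path frees itself. The array whose grow failed is assigned above the visible hunks, so confirm it cannot be left pointing at released memory there; otherwise `hm_free` would free it a second time. Separately, `unsigned int keylen = hashlen[type];` in `hm_free` is never read and can be removed.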
... | ... |
@@ -38,7 +38,7 @@ enum CLI_HASH_TYPE { |
38 | 38 |
}; |
39 | 39 |
|
40 | 40 |
struct cli_sz_hash { |
41 |
- uint8_t *hash_array; /* FIXME: make 256 entries? */ |
|
41 |
+ uint8_t *hash_array; |
|
42 | 42 |
const char **virusnames; |
43 | 43 |
uint32_t items; |
44 | 44 |
}; |
... | ... |
@@ -46,7 +46,6 @@ struct cli_sz_hash { |
46 | 46 |
|
47 | 47 |
struct cli_hash_patt { |
48 | 48 |
struct cli_htu32 sizehashes[CLI_HASH_AVAIL_TYPES]; |
49 |
- int htinint[CLI_HASH_AVAIL_TYPES]; |
|
50 | 49 |
}; |
51 | 50 |
|
52 | 51 |
|
... | ... |
@@ -54,5 +53,6 @@ int hm_addhash(struct cli_matcher *root, const char *hash, uint32_t size, const |
54 | 54 |
void hm_flush(struct cli_matcher *root); |
55 | 55 |
int cli_hm_scan(const unsigned char *digest, uint32_t size, const char **virname, const struct cli_matcher *root, enum CLI_HASH_TYPE type); |
56 | 56 |
int cli_hm_have_size(const struct cli_matcher *root, enum CLI_HASH_TYPE type, uint32_t size); |
57 |
+void hm_free(struct cli_matcher *root); |
|
57 | 58 |
|
58 | 59 |
#endif |
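Review bot: With `htinint` removed, `sizehashes[type].capacity == 0` is the only marker for "table not initialised", and nothing in the header records that. A comment on the member such as `/* capacity == 0 means this table was never initialised; the containing cli_matcher must be zero-allocated */` would state the invariant that `hm_addhash`, `hm_flush`, `cli_hm_scan`, `cli_hm_have_size` and `hm_free` now depend on. The new `hm_free` prototype would also benefit from a line saying that it releases every per-size entry and the tables themselves, and whether `root` may still be scanned afterwards. That presumably depends on `cli_htu32_free` resetting `capacity`, which is not visible here.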
59 | 60 |
deleted file mode 100644 |
... | ... |
@@ -1,135 +0,0 @@ |
1 |
-/* |
|
2 |
- * Copyright (C) 2007-2010 Sourcefire, Inc. |
|
3 |
- * |
|
4 |
- * Authors: Tomasz Kojm |
|
5 |
- * |
|
6 |
- * This program is free software; you can redistribute it and/or modify |
|
7 |
- * it under the terms of the GNU General Public License version 2 as |
|
8 |
- * published by the Free Software Foundation. |
|
9 |
- * |
|
10 |
- * This program is distributed in the hope that it will be useful, |
|
11 |
- * but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
12 |
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
13 |
- * GNU General Public License for more details. |
|
14 |
- * |
|
15 |
- * You should have received a copy of the GNU General Public License |
|
16 |
- * along with this program; if not, write to the Free Software |
|
17 |
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, |
|
18 |
- * MA 02110-1301, USA. |
|
19 |
- */ |
|
20 |
- |
|
21 |
-#if HAVE_CONFIG_H |
|
22 |
-#include "clamav-config.h" |
|
23 |
-#endif |
|
24 |
- |
|
25 |
-#include <stdio.h> |
|
26 |
- |
|
27 |
-#include "clamav.h" |
|
28 |
-#include "memory.h" |
|
29 |
-#include "mpool.h" |
|
30 |
-#include "others.h" |
|
31 |
-#include "cltypes.h" |
|
32 |
-#include "matcher.h" |
|
33 |
-#include "matcher-md5.h" |
|
34 |
- |
|
35 |
-#define HASH(a,b,c) (211 * a + 37 * b + c) |
|
36 |
- |
|
37 |
-int cli_md5m_addpatt(struct cli_matcher *root, struct cli_md5m_patt *patt) |
|
38 |
-{ |
|
39 |
- unsigned int idx; |
|
40 |
- struct cli_md5m_patt *prev, *next = NULL; |
|
41 |
- |
|
42 |
- idx = HASH(patt->md5[0], patt->md5[1], patt->md5[2]); |
|
43 |
- prev = next = root->md5tab[idx]; |
|
44 |
- while(next) { |
|
45 |
- if(patt->md5[0] >= next->md5[0]) |
|
46 |
- break; |
|
47 |
- prev = next; |
|
48 |
- next = next->next; |
|
49 |
- } |
|
50 |
- |
|
51 |
- if(next == root->md5tab[idx]) { |
|
52 |
- patt->next = root->md5tab[idx]; |
|
53 |
- root->md5tab[idx] = patt; |
|
54 |
- } else { |
|
55 |
- patt->next = prev->next; |
|
56 |
- prev->next = patt; |
|
57 |
- } |
|
58 |
- |
|
59 |
- root->md5_patterns++; |
|
60 |
- return CL_SUCCESS; |
|
61 |
-} |
|
62 |
- |
|
63 |
-int cli_md5m_init(struct cli_matcher *root) |
|
64 |
-{ |
|
65 |
-#ifdef USE_MPOOL |
|
66 |
- if(!root->mempool) { |
|
67 |
- cli_errmsg("cli_md5m_init: mempool must be initialized\n"); |
|
68 |
- return CL_EMEM; |
|
69 |
- } |
|
70 |
-#endif |
|
71 |
- |
|
72 |
- if(!(root->md5tab = (struct cli_md5m_patt **) mpool_calloc(root->mempool, HASH(255, 255, 255) + 1, sizeof(struct cli_md5m_patt *)))) { |
|
73 |
- mpool_free(root->mempool, root->bm_shift); |
|
74 |
- return CL_EMEM; |
|
75 |
- } |
|
76 |
- |
|
77 |
- return CL_SUCCESS; |
|
78 |
-} |
|
79 |
- |
|
80 |
-void cli_md5m_free(struct cli_matcher *root) |
|
81 |
-{ |
|
82 |
- struct cli_md5m_patt *patt, *prev; |
|
83 |
- unsigned int i, size = HASH(255, 255, 255) + 1; |
|
84 |
- |
|
85 |
- if(root->md5tab) { |
|
86 |
- for(i = 0; i < size; i++) { |
|
87 |
- patt = root->md5tab[i]; |
|
88 |
- while(patt) { |
|
89 |
- prev = patt; |
|
90 |
- patt = patt->next; |
|
91 |
- if(prev->virname) |
|
92 |
- mpool_free(root->mempool, prev->virname); |
|
93 |
- mpool_free(root->mempool, prev); |
|
94 |
- } |
|
95 |
- } |
|
96 |
- mpool_free(root->mempool, root->md5tab); |
|
97 |
- } |
|
98 |
-} |
|
99 |
- |
|
100 |
-int cli_md5m_scan(const unsigned char *md5, uint32_t filesize, const char **virname, const struct cli_matcher *root) |
|
101 |
-{ |
|
102 |
- unsigned int pchain = 0, idx; |
|
103 |
- struct cli_md5m_patt *p; |
|
104 |
- |
|
105 |
- if(!root) |
|
106 |
- return CL_CLEAN; |
|
107 |
- |
|
108 |
- idx = HASH(md5[0], md5[1], md5[2]); |
|
109 |
- p = root->md5tab[idx]; |
|
110 |
- if(!p || (!p->next && p->filesize != filesize)) |
|
111 |
- return CL_CLEAN; |
|
112 |
- |
|
113 |
- while(p) { |
|
114 |
- if(p->md5[0] != md5[0]) { |
|
115 |
- if(pchain) |
|
116 |
- break; |
|
117 |
- p = p->next; |
|
118 |
- continue; |
|
119 |
- } else pchain = 1; |
|
120 |
- |
|
121 |
- if(p->filesize != filesize) { |
|
122 |
- p = p->next; |
|
123 |
- continue; |
|
124 |
- } |
|
125 |
- |
|
126 |
- if(!memcmp(p->md5, md5, 16)) { |
|
127 |
- if(virname) |
|
128 |
- *virname = p->virname; |
|
129 |
- return CL_VIRUS; |
|
130 |
- } |
|
131 |
- p = p->next; |
|
132 |
- } |
|
133 |
- |
|
134 |
- return CL_CLEAN; |
|
135 |
-} |
136 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,39 +0,0 @@ |
1 |
-/* |
|
2 |
- * Copyright (C) 2007-2010 Sourcefire, Inc. |
|
3 |
- * |
|
4 |
- * Authors: Tomasz Kojm |
|
5 |
- * |
|
6 |
- * This program is free software; you can redistribute it and/or modify |
|
7 |
- * it under the terms of the GNU General Public License version 2 as |
|
8 |
- * published by the Free Software Foundation. |
|
9 |
- * |
|
10 |
- * This program is distributed in the hope that it will be useful, |
|
11 |
- * but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
12 |
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
13 |
- * GNU General Public License for more details. |
|
14 |
- * |
|
15 |
- * You should have received a copy of the GNU General Public License |
|
16 |
- * along with this program; if not, write to the Free Software |
|
17 |
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, |
|
18 |
- * MA 02110-1301, USA. |
|
19 |
- */ |
|
20 |
- |
|
21 |
-#ifndef __MATCHER_MD5_H |
|
22 |
-#define __MATCHER_MD5_H |
|
23 |
- |
|
24 |
-#include "matcher.h" |
|
25 |
-#include "cltypes.h" |
|
26 |
- |
|
27 |
-struct cli_md5m_patt { |
|
28 |
- unsigned char md5[16]; |
|
29 |
- uint32_t filesize; |
|
30 |
- char *virname; |
|
31 |
- struct cli_md5m_patt *next; |
|
32 |
-}; |
|
33 |
- |
|
34 |
-int cli_md5m_addpatt(struct cli_matcher *root, struct cli_md5m_patt *patt); |
|
35 |
-int cli_md5m_init(struct cli_matcher *root); |
|
36 |
-int cli_md5m_scan(const unsigned char *md5, uint32_t filesize, const char **virname, const struct cli_matcher *root); |
|
37 |
-void cli_md5m_free(struct cli_matcher *root); |
|
38 |
- |
|
39 |
-#endif |
... | ... |
@@ -34,7 +34,6 @@ |
34 | 34 |
#include "others.h" |
35 | 35 |
#include "matcher-ac.h" |
36 | 36 |
#include "matcher-bm.h" |
37 |
-#include "matcher-md5.h" |
|
38 | 37 |
#include "md5.h" |
39 | 38 |
#include "filetypes.h" |
40 | 39 |
#include "matcher.h" |
... | ... |
@@ -383,11 +382,6 @@ int cli_checkfp(unsigned char *digest, size_t size, cli_ctx *ctx) |
383 | 383 |
unsigned int i; |
384 | 384 |
const char *virname; |
385 | 385 |
|
386 |
- if(ctx->engine->md5_fp && cli_md5m_scan(digest, size, &virname, ctx->engine->md5_fp) == CL_VIRUS) { |
|
387 |
- cli_dbgmsg("cli_checkfp(): Found false positive detection (fp sig: %s)\n", virname); |
|
388 |
- return CL_CLEAN; |
|
389 |
- } |
|
390 |
- |
|
391 | 386 |
if(ctx->engine->hm_fp && cli_hm_scan(digest, size, &virname, ctx->engine->hm_fp, CLI_HASH_MD5) == CL_VIRUS) { |
392 | 387 |
cli_dbgmsg("cli_checkfp(): Found false positive detection (fp sig: %s)\n", virname); |
393 | 388 |
return CL_CLEAN; |
... | ... |
@@ -651,7 +645,7 @@ int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli |
651 | 651 |
} |
652 | 652 |
} |
653 | 653 |
|
654 |
- if(!refhash && !ftonly && (ctx->engine->md5_hdb || ctx->engine->hm_hdb)) |
|
654 |
+ if(!refhash && !ftonly && ctx->engine->hm_hdb) |
|
655 | 655 |
cli_md5_init(&md5ctx); |
656 | 656 |
|
657 | 657 |
while(offset < map->len) { |
... | ... |
@@ -696,7 +690,7 @@ int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli |
696 | 696 |
type = ret; |
697 | 697 |
} |
698 | 698 |
|
699 |
- if(!refhash && (ctx->engine->md5_hdb || ctx->engine->hm_hdb)) |
|
699 |
+ if(!refhash && ctx->engine->hm_hdb) |
|
700 | 700 |
cli_md5_update(&md5ctx, buff + maxpatlen * (offset!=0), bytes - maxpatlen * (offset!=0)); |
701 | 701 |
} |
702 | 702 |
|
... | ... |
@@ -704,13 +698,11 @@ int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli |
704 | 704 |
offset += bytes - maxpatlen; |
705 | 705 |
} |
706 | 706 |
|
707 |
- if(!ftonly && (ctx->engine->md5_hdb || ctx->engine->hm_hdb)) { |
|
707 |
+ if(!ftonly && ctx->engine->hm_hdb) { |
|
708 | 708 |
if(!refhash) { |
709 | 709 |
cli_md5_final(digest, &md5ctx); |
710 | 710 |
refhash = digest; |
711 | 711 |
} |
712 |
- if(ctx->engine->md5_hdb && cli_md5m_scan(refhash, map->len, ctx->virname, ctx->engine->md5_hdb) == CL_VIRUS && cli_md5m_scan(refhash, map->len, NULL, ctx->engine->md5_fp) != CL_VIRUS) |
|
713 |
- ret = CL_VIRUS; |
|
714 | 712 |
if(ctx->engine->hm_hdb && cli_hm_scan(refhash, map->len, ctx->virname, ctx->engine->hm_hdb, CLI_HASH_MD5) == CL_VIRUS && cli_hm_scan(refhash, map->len, NULL, ctx->engine->hm_fp, CLI_HASH_MD5) != CL_VIRUS) |
715 | 713 |
ret = CL_VIRUS; |
716 | 714 |
} |
... | ... |
@@ -28,7 +28,6 @@ |
28 | 28 |
#include "others.h" |
29 | 29 |
#include "execs.h" |
30 | 30 |
#include "cltypes.h" |
31 |
-#include "md5.h" |
|
32 | 31 |
|
33 | 32 |
struct cli_target_info { |
34 | 33 |
off_t fsize; |
... | ... |
@@ -39,7 +38,6 @@ struct cli_target_info { |
39 | 39 |
#include "matcher-ac.h" |
40 | 40 |
#include "matcher-bm.h" |
41 | 41 |
#include "matcher-hash.h" |
42 |
-#include "hashtab.h" |
|
43 | 42 |
#include "fmap.h" |
44 | 43 |
#include "mpool.h" |
45 | 44 |
|
... | ... |
@@ -90,14 +88,10 @@ struct cli_matcher { |
90 | 90 |
/* Extended Boyer-Moore */ |
91 | 91 |
uint8_t *bm_shift; |
92 | 92 |
struct cli_bm_patt **bm_suffix, **bm_pattab; |
93 |
- struct cli_hashset md5_sizes_hs; |
|
94 | 93 |
uint32_t *soff, soff_len; /* for PE section sigs */ |
95 | 94 |
uint32_t bm_offmode, bm_patterns, bm_reloff_num, bm_absoff_num; |
96 | 95 |
|
97 |
- /* MD5 */ |
|
98 |
- struct cli_md5m_patt **md5tab; |
|
99 |
- uint32_t md5_patterns; |
|
100 |
- |
|
96 |
+ /* HASH */ |
|
101 | 97 |
struct cli_hash_patt hm; |
102 | 98 |
|
103 | 99 |
/* Extended Aho-Corasick */ |
... | ... |
@@ -208,16 +208,6 @@ struct cl_engine { |
208 | 208 |
/* Roots table */ |
209 | 209 |
struct cli_matcher **root; |
210 | 210 |
|
211 |
- /* B-M matcher for standard MD5 sigs */ |
|
212 |
- struct cli_matcher *md5_hdb; |
|
213 |
- |
|
214 |
- /* B-M matcher for MD5 sigs for PE sections */ |
|
215 |
- struct cli_matcher *md5_mdb; |
|
216 |
- |
|
217 |
- /* B-M matcher for whitelist db */ |
|
218 |
- struct cli_matcher *md5_fp; |
|
219 |
- |
|
220 |
- |
|
221 | 211 |
/* hash matcher for standard MD5 sigs */ |
222 | 212 |
struct cli_matcher *hm_hdb; |
223 | 213 |
/* hash matcher for MD5 sigs for PE sections */ |
... | ... |
@@ -54,7 +54,7 @@ |
54 | 54 |
#include "mew.h" |
55 | 55 |
#include "upack.h" |
56 | 56 |
#include "matcher.h" |
57 |
-#include "matcher-md5.h" |
|
57 |
+#include "matcher-hash.h" |
|
58 | 58 |
#include "disasm.h" |
59 | 59 |
#include "special.h" |
60 | 60 |
#include "ishield.h" |
... | ... |
@@ -1000,23 +1000,6 @@ int cli_scanpe(cli_ctx *ctx) |
1000 | 1000 |
if(SCAN_ALGO && (DCONF & PE_CONF_POLIPOS) && !*sname && exe_sections[i].vsz > 40000 && exe_sections[i].vsz < 70000 && exe_sections[i].chr == 0xe0000060) polipos = i; |
1001 | 1001 |
|
1002 | 1002 |
/* check MD5 section sigs */ |
1003 |
- md5_sect = ctx->engine->md5_mdb; |
|
1004 |
- if((DCONF & PE_CONF_MD5SECT) && md5_sect) { |
|
1005 |
- for(j = 0; j < md5_sect->soff_len && md5_sect->soff[j] <= exe_sections[i].rsz; j++) { |
|
1006 |
- if(md5_sect->soff[j] == exe_sections[i].rsz) { |
|
1007 |
- unsigned char md5_dig[16]; |
|
1008 |
- if(cli_md5sect(map, &exe_sections[i], md5_dig) && cli_md5m_scan(md5_dig, exe_sections[i].rsz, ctx->virname, ctx->engine->md5_mdb) == CL_VIRUS) { |
|
1009 |
- if(cli_md5m_scan(md5_dig, fsize, NULL, ctx->engine->md5_fp) != CL_VIRUS) { |
|
1010 |
- free(section_hdr); |
|
1011 |
- free(exe_sections); |
|
1012 |
- return CL_VIRUS; |
|
1013 |
- } |
|
1014 |
- } |
|
1015 |
- break; |
|
1016 |
- } |
|
1017 |
- } |
|
1018 |
- } |
|
1019 |
- |
|
1020 | 1003 |
md5_sect = ctx->engine->hm_mdb; |
1021 | 1004 |
if((DCONF & PE_CONF_MD5SECT) && md5_sect) { |
1022 | 1005 |
unsigned char md5_dig[16]; |
... | ... |
@@ -46,7 +46,6 @@ |
46 | 46 |
#endif |
47 | 47 |
#include "matcher-ac.h" |
48 | 48 |
#include "matcher-bm.h" |
49 |
-#include "matcher-md5.h" |
|
50 | 49 |
#include "matcher-hash.h" |
51 | 50 |
#include "matcher.h" |
52 | 51 |
#include "others.h" |
... | ... |
@@ -1861,171 +1860,6 @@ static int cli_loadign(FILE *fs, struct cl_engine *engine, unsigned int options, |
1861 | 1861 |
#define MD5_MDB 1 |
1862 | 1862 |
#define MD5_FP 2 |
1863 | 1863 |
|
1864 |
-static int cli_md5db_init(struct cl_engine *engine, unsigned int mode) |
|
1865 |
-{ |
|
1866 |
- struct cli_matcher *bm = NULL; |
|
1867 |
- int ret; |
|
1868 |
- |
|
1869 |
- |
|
1870 |
- if(mode == MD5_HDB) { |
|
1871 |
- bm = engine->md5_hdb = (struct cli_matcher *) mpool_calloc(engine->mempool, sizeof(struct cli_matcher), 1); |
|
1872 |
- } else if(mode == MD5_MDB) { |
|
1873 |
- bm = engine->md5_mdb = (struct cli_matcher *) mpool_calloc(engine->mempool, sizeof(struct cli_matcher), 1); |
|
1874 |
- } else { |
|
1875 |
- bm = engine->md5_fp = (struct cli_matcher *) mpool_calloc(engine->mempool, sizeof(struct cli_matcher), 1); |
|
1876 |
- } |
|
1877 |
- |
|
1878 |
- if(!bm) |
|
1879 |
- return CL_EMEM; |
|
1880 |
-#ifdef USE_MPOOL |
|
1881 |
- bm->mempool = engine->mempool; |
|
1882 |
-#endif |
|
1883 |
- if((ret = cli_md5m_init(bm))) { |
|
1884 |
- cli_errmsg("cli_md5db_init: Failed to initialize MD5 matcher\n"); |
|
1885 |
- return ret; |
|
1886 |
- } |
|
1887 |
- |
|
1888 |
- return CL_SUCCESS; |
|
1889 |
-} |
|
1890 |
- |
|
1891 |
-#define MD5_DB \ |
|
1892 |
- if(mode == MD5_HDB) \ |
|
1893 |
- db = engine->md5_hdb; \ |
|
1894 |
- else if(mode == MD5_MDB) \ |
|
1895 |
- db = engine->md5_mdb; \ |
|
1896 |
- else \ |
|
1897 |
- db = engine->md5_fp; |
|
1898 |
- |
|
1899 |
-#define MD5_TOKENS 3 |
|
1900 |
-static int cli_loadmd5(FILE *fs, struct cl_engine *engine, unsigned int *signo, unsigned int mode, unsigned int options, struct cli_dbio *dbio, const char *dbname) |
|
1901 |
-{ |
|
1902 |
- const char *tokens[MD5_TOKENS + 1]; |
|
1903 |
- char buffer[FILEBUFF], *buffer_cpy = NULL; |
|
1904 |
- const char *pt; |
|
1905 |
- unsigned char *md5; |
|
1906 |
- int ret = CL_SUCCESS; |
|
1907 |
- unsigned int size_field = 1, md5_field = 0, line = 0, sigs = 0, tokens_count; |
|
1908 |
- struct cli_md5m_patt *new; |
|
1909 |
- struct cli_matcher *db = NULL; |
|
1910 |
- |
|
1911 |
- |
|
1912 |
- if(mode == MD5_MDB) { |
|
1913 |
- size_field = 0; |
|
1914 |
- md5_field = 1; |
|
1915 |
- } |
|
1916 |
- |
|
1917 |
- if(engine->ignored) |
|
1918 |
- if(!(buffer_cpy = cli_malloc(FILEBUFF))) |
|
1919 |
- return CL_EMEM; |
|
1920 |
- |
|
1921 |
- while(cli_dbgets(buffer, FILEBUFF, fs, dbio)) { |
|
1922 |
- line++; |
|
1923 |
- cli_chomp(buffer); |
|
1924 |
- if(engine->ignored) |
|
1925 |
- strcpy(buffer_cpy, buffer); |
|
1926 |
- |
|
1927 |
- tokens_count = cli_strtokenize(buffer, ':', MD5_TOKENS + 1, tokens); |
|
1928 |
- if(tokens_count != MD5_TOKENS) { |
|
1929 |
- ret = CL_EMALFDB; |
|
1930 |
- break; |
|
1931 |
- } |
|
1932 |
- if(!cli_isnumber(tokens[size_field])) { |
|
1933 |
- cli_errmsg("cli_loadmd5: Invalid value for the size field\n"); |
|
1934 |
- ret = CL_EMALFDB; |
|
1935 |
- break; |
|
1936 |
- } |
|
1937 |
- |
|
1938 |
- pt = tokens[2]; /* virname */ |
|
1939 |
- if(engine->pua_cats && (options & CL_DB_PUA_MODE) && (options & (CL_DB_PUA_INCLUDE | CL_DB_PUA_EXCLUDE))) |
|
1940 |
- if(cli_chkpua(pt, engine->pua_cats, options)) |
|
1941 |
- continue; |
|
1942 |
- |
|
1943 |
- if(engine->ignored && cli_chkign(engine->ignored, pt, buffer_cpy)) |
|
1944 |
- continue; |
|
1945 |
- |
|
1946 |
- if(engine->cb_sigload) { |
|
1947 |
- const char *dot = strchr(dbname, '.'); |
|
1948 |
- if(!dot) |
|
1949 |
- dot = dbname; |
|
1950 |
- else |
|
1951 |
- dot++; |
|
1952 |
- if(engine->cb_sigload(dot, pt, engine->cb_sigload_ctx)) { |
|
1953 |
- cli_dbgmsg("cli_loadmd5: skipping %s due to callback\n", pt); |
|
1954 |
- continue; |
|
1955 |
- } |
|
1956 |
- } |
|
1957 |
- |
|
1958 |
- new = (struct cli_md5m_patt *) mpool_calloc(engine->mempool, 1, sizeof(struct cli_md5m_patt)); |
|
1959 |
- if(!new) { |
|
1960 |
- ret = CL_EMEM; |
|
1961 |
- break; |
|
1962 |
- } |
|
1963 |
- |
|
1964 |
- pt = tokens[md5_field]; /* md5 */ |
|
1965 |
- if(strlen(pt) != 32 || !(md5 = (unsigned char *) cli_mpool_hex2str(engine->mempool, pt))) { |
|
1966 |
- cli_errmsg("cli_loadmd5: Malformed MD5 string at line %u\n", line); |
|
1967 |
- mpool_free(engine->mempool, new); |
|
1968 |
- ret = CL_EMALFDB; |
|
1969 |
- break; |
|
1970 |
- } |
|
1971 |
- memcpy(new->md5, md5, 16); |
|
1972 |
- mpool_free(engine->mempool, md5); |
|
1973 |
- |
|
1974 |
- new->filesize = atoi(tokens[size_field]); |
|
1975 |
- |
|
1976 |
- new->virname = cli_mpool_virname(engine->mempool, tokens[2], options & CL_DB_OFFICIAL); |
|
1977 |
- if(!new->virname) { |
|
1978 |
- mpool_free(engine->mempool, new); |
|
1979 |
- ret = CL_EMALFDB; |
|
1980 |
- break; |
|
1981 |
- } |
|
1982 |
- |
|
1983 |
- MD5_DB; |
|
1984 |
- if(!db && (ret = cli_md5db_init(engine, mode))) { |
|
1985 |
- mpool_free(engine->mempool, new->virname); |
|
1986 |
- mpool_free(engine->mempool, new); |
|
1987 |
- break; |
|
1988 |
- } else { |
|
1989 |
- MD5_DB; |
|
1990 |
- } |
|
1991 |
- |
|
1992 |
- if((ret = cli_md5m_addpatt(db, new))) { |
|
1993 |
- cli_errmsg("cli_loadmd5: Error adding BM pattern\n"); |
|
1994 |
- mpool_free(engine->mempool, new->virname); |
|
1995 |
- mpool_free(engine->mempool, new); |
|
1996 |
- break; |
|
1997 |
- } |
|
1998 |
- |
|
1999 |
- if(mode == MD5_MDB) { /* section MD5 */ |
|
2000 |
- if(!db->md5_sizes_hs.capacity) { |
|
2001 |
- cli_hashset_init_pool(&db->md5_sizes_hs, 65536, 80, engine->mempool); |
|
2002 |
- } |
|
2003 |
- cli_hashset_addkey(&db->md5_sizes_hs, new->filesize); |
|
2004 |
- } |
|
2005 |
- |
|
2006 |
- sigs++; |
|
2007 |
- } |
|
2008 |
- if(engine->ignored) |
|
2009 |
- free(buffer_cpy); |
|
2010 |
- |
|
2011 |
- if(!line) { |
|
2012 |
- cli_errmsg("cli_loadmd5: Empty database file\n"); |
|
2013 |
- return CL_EMALFDB; |
|
2014 |
- } |
|
2015 |
- |
|
2016 |
- if(ret) { |
|
2017 |
- cli_errmsg("cli_loadmd5: Problem parsing database at line %u\n", line); |
|
2018 |
- return ret; |
|
2019 |
- } |
|
2020 |
- |
|
2021 |
- if(signo) |
|
2022 |
- *signo += sigs; |
|
2023 |
- |
|
2024 |
- return CL_SUCCESS; |
|
2025 |
-} |
|
2026 |
- |
|
2027 |
- |
|
2028 |
- |
|
2029 | 1864 |
#define MD5_TOKENS 3 |
2030 | 1865 |
static int cli_loadhash(FILE *fs, struct cl_engine *engine, unsigned int *signo, unsigned int mode, unsigned int options, struct cli_dbio *dbio, const char *dbname) |
2031 | 1866 |
{ |
... | ... |
@@ -2506,24 +2340,22 @@ int cli_load(const char *filename, struct cl_engine *engine, unsigned int *signo |
2506 | 2506 |
} else if(cli_strbcasestr(dbname, ".cld")) { |
2507 | 2507 |
ret = cli_cvdload(fs, engine, signo, options, 1, filename); |
2508 | 2508 |
|
2509 |
- } else if(cli_strbcasestr(dbname, ".hdb")) { |
|
2510 |
- ret = cli_loadmd5(fs, engine, signo, MD5_HDB, options, dbio, dbname); |
|
2511 |
- |
|
2512 |
- } else if(cli_strbcasestr(dbname, ".hdu")) { |
|
2509 |
+ } else if(cli_strbcasestr(dbname, ".hdb") || cli_strbcasestr(dbname, ".hsb")) { |
|
2510 |
+ ret = cli_loadhash(fs, engine, signo, MD5_HDB, options, dbio, dbname); |
|
2511 |
+ } else if(cli_strbcasestr(dbname, ".hdu") || cli_strbcasestr(dbname, ".hsu")) { |
|
2513 | 2512 |
if(options & CL_DB_PUA) |
2514 |
- ret = cli_loadmd5(fs, engine, signo, MD5_HDB, options | CL_DB_PUA_MODE, dbio, dbname); |
|
2513 |
+ ret = cli_loadhash(fs, engine, signo, MD5_HDB, options | CL_DB_PUA_MODE, dbio, dbname); |
|
2515 | 2514 |
else |
2516 | 2515 |
skipped = 1; |
2517 | 2516 |
|
2518 |
- } else if(cli_strbcasestr(dbname, ".fp")) { |
|
2519 |
- ret = cli_loadmd5(fs, engine, signo, MD5_FP, options, dbio, dbname); |
|
2520 |
- |
|
2521 |
- } else if(cli_strbcasestr(dbname, ".mdb")) { |
|
2522 |
- ret = cli_loadmd5(fs, engine, signo, MD5_MDB, options, dbio, dbname); |
|
2517 |
+ } else if(cli_strbcasestr(dbname, ".fp") || cli_strbcasestr(dbname, ".sfp")) { |
|
2518 |
+ ret = cli_loadhash(fs, engine, signo, MD5_FP, options, dbio, dbname); |
|
2519 |
+ } else if(cli_strbcasestr(dbname, ".mdb") || cli_strbcasestr(dbname, ".msb")) { |
|
2520 |
+ ret = cli_loadhash(fs, engine, signo, MD5_MDB, options, dbio, dbname); |
|
2523 | 2521 |
|
2524 |
- } else if(cli_strbcasestr(dbname, ".mdu")) { |
|
2522 |
+ } else if(cli_strbcasestr(dbname, ".mdu") || cli_strbcasestr(dbname, ".msu")) { |
|
2525 | 2523 |
if(options & CL_DB_PUA) |
2526 |
- ret = cli_loadmd5(fs, engine, signo, MD5_MDB, options | CL_DB_PUA_MODE, dbio, dbname); |
|
2524 |
+ ret = cli_loadhash(fs, engine, signo, MD5_MDB, options | CL_DB_PUA_MODE, dbio, dbname); |
|
2527 | 2525 |
else |
2528 | 2526 |
skipped = 1; |
2529 | 2527 |
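Review bot: The merged branches in cli_load still pass `MD5_HDB`, `MD5_FP` and `MD5_MDB` to cli_loadhash for the `.hsb`, `.hsu`, `.sfp`, `.msb` and `.msu` extensions, so the constant names no longer describe what the mode selects. With cli_loadmd5 removed, these values appear to choose the target table rather than the hash algorithm; a comment above the first branch would say so, for example `/* mode selects the target table (HDB/FP/MDB), not the hash algorithm */`. Renaming the constants would be cleaner, but it touches `#define MD5_TOKENS` and code outside this hunk. The body of cli_loadhash is not visible here, so it is worth confirming that it rejects a malformed digest line with `CL_EMALFDB` as the removed loader did. cli_load itself starts and ends outside the hunk.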
|
... | ... |
@@ -2585,24 +2417,6 @@ int cli_load(const char *filename, struct cl_engine *engine, unsigned int *signo |
2585 | 2585 |
|
2586 | 2586 |
} else if(cli_strbcasestr(dbname, ".cdb")) { |
2587 | 2587 |
ret = cli_loadcdb(fs, engine, signo, options, dbio); |
2588 |
- } else if(cli_strbcasestr(dbname, ".hsb")) { |
|
2589 |
- ret = cli_loadhash(fs, engine, signo, MD5_HDB, options, dbio, dbname); |
|
2590 |
- } else if(cli_strbcasestr(dbname, ".hsu")) { |
|
2591 |
- if(options & CL_DB_PUA) |
|
2592 |
- ret = cli_loadhash(fs, engine, signo, MD5_HDB, options | CL_DB_PUA_MODE, dbio, dbname); |
|
2593 |
- else |
|
2594 |
- skipped = 1; |
|
2595 |
- } else if(cli_strbcasestr(dbname, ".sfp")) { |
|
2596 |
- ret = cli_loadhash(fs, engine, signo, MD5_FP, options, dbio, dbname); |
|
2597 |
- |
|
2598 |
- } else if(cli_strbcasestr(dbname, ".msb")) { |
|
2599 |
- ret = cli_loadhash(fs, engine, signo, MD5_MDB, options, dbio, dbname); |
|
2600 |
- |
|
2601 |
- } else if(cli_strbcasestr(dbname, ".msu")) { |
|
2602 |
- if(options & CL_DB_PUA) |
|
2603 |
- ret = cli_loadhash(fs, engine, signo, MD5_MDB, options | CL_DB_PUA_MODE, dbio, dbname); |
|
2604 |
- else |
|
2605 |
- skipped = 1; |
|
2606 | 2588 |
} else { |
2607 | 2589 |
cli_dbgmsg("cli_load: unknown extension - assuming old database format\n"); |
2608 | 2590 |
ret = cli_loaddb(fs, engine, signo, options, dbio, dbname); |
... | ... |
@@ -3079,22 +2893,18 @@ int cl_engine_free(struct cl_engine *engine) |
3079 | 3079 |
mpool_free(engine->mempool, engine->root); |
3080 | 3080 |
} |
3081 | 3081 |
|
3082 |
- if((root = engine->md5_hdb)) { |
|
3083 |
- cli_md5m_free(root); |
|
3082 |
+ if((root = engine->hm_hdb)) { |
|
3083 |
+ hm_free(root); |
|
3084 | 3084 |
mpool_free(engine->mempool, root); |
3085 | 3085 |
} |
3086 | 3086 |
|
3087 |
- if((root = engine->md5_mdb)) { |
|
3088 |
- cli_md5m_free(root); |
|
3089 |
- mpool_free(engine->mempool, root->soff); |
|
3090 |
- if(root->md5_sizes_hs.capacity) { |
|
3091 |
- cli_hashset_destroy(&root->md5_sizes_hs); |
|
3092 |
- } |
|
3087 |
+ if((root = engine->hm_mdb)) { |
|
3088 |
+ hm_free(root); |
|
3093 | 3089 |
mpool_free(engine->mempool, root); |
3094 | 3090 |
} |
3095 | 3091 |
|
3096 |
- if((root = engine->md5_fp)) { |
|
3097 |
- cli_md5m_free(root); |
|
3092 |
+ if((root = engine->hm_fp)) { |
|
3093 |
+ hm_free(root); |
|
3098 | 3094 |
mpool_free(engine->mempool, root); |
3099 | 3095 |
} |
3100 | 3096 |
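Review bot: The `engine->hm_mdb` teardown now relies on `hm_free(root)` alone, where the old `md5_mdb` branch also released `root->soff` and destroyed `md5_sizes_hs`. hm_free is not visible in this hunk, so confirm it releases every table the new matcher allocates from `engine->mempool`; otherwise that memory would stay allocated after the engine is freed. A one-line comment on the first block would record the contract, for example `/* hm_free releases the matcher's internal tables; the struct itself is returned to the mempool below */`. The three blocks for `hm_hdb`, `hm_mdb` and `hm_fp` are now identical and could be folded into one small helper so they cannot drift apart again. cl_engine_free starts and ends outside the hunk.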
|
... | ... |
@@ -3179,29 +2989,6 @@ int cl_engine_free(struct cl_engine *engine) |
3179 | 3179 |
return CL_SUCCESS; |
3180 | 3180 |
} |
3181 | 3181 |
|
3182 |
-static void cli_md5db_build(struct cli_matcher* root) |
|
3183 |
-{ |
|
3184 |
- if(root && root->md5_sizes_hs.capacity) { |
|
3185 |
- /* TODO: use hashset directly, instead of the array when matching*/ |
|
3186 |
- cli_dbgmsg("Converting hashset to array: %u entries\n", root->md5_sizes_hs.count); |
|
3187 |
- |
|
3188 |
-#ifdef USE_MPOOL |
|
3189 |
- { |
|
3190 |
- uint32_t *mpoolht; |
|
3191 |
- unsigned int mpoolhtsz = root->md5_sizes_hs.count * sizeof(*mpoolht); |
|
3192 |
- root->soff = mpool_malloc(root->mempool, mpoolhtsz); |
|
3193 |
- root->soff_len = cli_hashset_toarray(&root->md5_sizes_hs, &mpoolht); |
|
3194 |
- memcpy(root->soff, mpoolht, mpoolhtsz); |
|
3195 |
- free(mpoolht); |
|
3196 |
- } |
|
3197 |
-#else |
|
3198 |
- root->soff_len = cli_hashset_toarray(&root->md5_sizes_hs, &root->soff); |
|
3199 |
-#endif |
|
3200 |
- cli_hashset_destroy(&root->md5_sizes_hs); |
|
3201 |
- cli_qsort(root->soff, root->soff_len, sizeof(uint32_t), NULL); |
|
3202 |
- } |
|
3203 |
-} |
|
3204 |
- |
|
3205 | 3182 |
int cl_engine_compile(struct cl_engine *engine) |
3206 | 3183 |
{ |
3207 | 3184 |
unsigned int i; |
... | ... |
@@ -3223,12 +3010,6 @@ int cl_engine_compile(struct cl_engine *engine) |
3223 | 3223 |
cli_dbgmsg("Matcher[%u]: %s: AC sigs: %u (reloff: %u, absoff: %u) BM sigs: %u (reloff: %u, absoff: %u) maxpatlen %u %s\n", i, cli_mtargets[i].name, root->ac_patterns, root->ac_reloff_num, root->ac_absoff_num, root->bm_patterns, root->bm_reloff_num, root->bm_absoff_num, root->maxpatlen, root->ac_only ? "(ac_only mode)" : ""); |
3224 | 3224 |
} |
3225 | 3225 |
} |
3226 |
- if(engine->md5_hdb) |
|
3227 |
- cli_dbgmsg("MD5 sigs (files): %u\n", engine->md5_hdb->md5_patterns); |
|
3228 |
- |
|
3229 |
- if(engine->md5_mdb) |
|
3230 |
- cli_dbgmsg("MD5 sigs (PE sections): %u\n", engine->md5_mdb->md5_patterns); |
|
3231 |
- |
|
3232 | 3226 |
if(engine->hm_hdb) |
3233 | 3227 |
hm_flush(engine->hm_hdb); |
3234 | 3228 |
|
... | ... |
@@ -3244,7 +3025,6 @@ int cl_engine_compile(struct cl_engine *engine) |
3244 | 3244 |
if((ret = cli_build_regex_list(engine->domainlist_matcher))) { |
3245 | 3245 |
return ret; |
3246 | 3246 |
} |
3247 |
- cli_md5db_build(engine->md5_mdb); |
|
3248 | 3247 |
if(engine->ignored) { |
3249 | 3248 |
cli_bm_free(engine->ignored); |
3250 | 3249 |
mpool_free(engine->mempool, engine->ignored); |