[people/ms/suricata.git] / src / app-layer-htp.h

/* Copyright (C) 2007-2011 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \defgroup httplayer HTTP layer support
 *
 * @{
 */

/**
 * \file
 *
 * \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
 * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
 *
 * This file provides a HTTP protocol support for the engine using HTP library.
 */

#ifndef __APP_LAYER_HTP_H__
#define __APP_LAYER_HTP_H__

#include "util-radix-tree.h"
#include "util-file.h"

#include <htp/htp.h>

/* default request body limit */
#define HTP_CONFIG_DEFAULT_REQUEST_BODY_LIMIT       4096U

/** a boundary should be smaller in size */
#define HTP_BOUNDARY_MAX                            200U

#define HTP_FLAG_STATE_OPEN         0x01    /**< Flag to indicate that HTTP
                                             connection is open */
#define HTP_FLAG_STATE_CLOSED       0x02    /**< Flag to indicate that HTTP
                                             connection is closed */
#define HTP_FLAG_STATE_DATA         0x04    /**< Flag to indicate that HTTP
                                             connection needs more data */
#define HTP_FLAG_STATE_ERROR        0x08    /**< Flag to indicate that an error
                                             has been occured on HTTP
                                             connection */
#define HTP_FLAG_NEW_BODY_SET       0x10    /**< Flag to indicate that HTTP
                                             has parsed a new body (for
                                             pcre) */
enum {
    HTP_BODY_NONE = 0,                  /**< Flag to indicate the current
                                             operation */
    HTP_BODY_REQUEST,                   /**< Flag to indicate that the
                                             current operation is a request */
    HTP_BODY_RESPONSE                   /**< Flag to indicate that the current
                                          * operation is a response */
};

enum {
    HTP_BODY_REQUEST_NONE = 0,
    HTP_BODY_REQUEST_MULTIPART,
    HTP_BODY_REQUEST_PUT,
};

#define HTP_PCRE_NONE           0x00    /**< No pcre executed yet */
#define HTP_PCRE_DONE           0x01    /**< Flag to indicate that pcre has
                                             done some inspection in the
                                             chunks */
#define HTP_PCRE_HAS_MATCH      0x02    /**< Flag to indicate that the chunks
                                             matched on some rule */

/** Struct used to hold chunks of a body on a request */
typedef struct HtpBodyChunk_ {
    uint8_t *data;              /**< Pointer to the data of the chunk */
    uint32_t len;               /**< Length of the chunk */
    uint32_t id;                /**< number of chunk of the current body */
    struct HtpBodyChunk_ *next; /**< Pointer to the next chunk */
    uint64_t stream_offset;
} HtpBodyChunk;

/** Struct used to hold all the chunks of a body on a request */
typedef struct HtpBody_ {
    HtpBodyChunk *first; /**< Pointer to the first chunk */
    HtpBodyChunk *last;  /**< Pointer to the last chunk */
    uint32_t nchunks;    /**< Number of chunks in the current operation */
    uint8_t operation;   /**< This flag indicate if it's a request
                              or a response */
    uint8_t type;

    /* pahole: padding: 3 */
} HtpBody;

#define HTP_BODY_COMPLETE       0x01    /**< body is complete or limit is reached,
                                             either way, this is it. */
#define HTP_CONTENTTYPE_SET     0x02    /**< We have the content type */
#define HTP_BOUNDARY_SET        0x04    /**< We have a boundary string */
#define HTP_BOUNDARY_OPEN       0x08    /**< We have a boundary string */
#define HTP_FILENAME_SET        0x10    /**< filename is registered in the flow */
#define HTP_DONTSTORE           0x20    /**< not storing this file */

#define HTP_TX_HAS_FILE             0x01
#define HTP_TX_HAS_FILENAME         0x02    /**< filename is known at this time */
#define HTP_TX_HAS_TYPE             0x04
#define HTP_TX_HAS_FILECONTENT      0x08    /**< file has content so we can do type detect */

#define HTP_RULE_NEED_FILE          HTP_TX_HAS_FILE
#define HTP_RULE_NEED_FILENAME      HTP_TX_HAS_FILENAME
#define HTP_RULE_NEED_TYPE          HTP_TX_HAS_TYPE
#define HTP_RULE_NEED_FILECONTENT   HTP_TX_HAS_FILECONTENT

/** Now the Body Chunks will be stored per transaction, at
  * the tx user data */
typedef struct SCHtpTxUserData_ {
    /* Body of the request (if any) */
    HtpBody body;

    /* Holds the length of the htp request body */
    uint64_t content_len;
    /* Holds the length of the htp request body seen so far */
    uint64_t content_len_so_far;

    uint64_t body_parsed;

    /** Holds the boundary identificator string if any (used on
     *  multipart/form-data only)
     */
    uint8_t *boundary;
    uint8_t boundary_len;

    uint8_t flags;
} SCHtpTxUserData;

typedef struct HtpState_ {

    htp_connp_t *connp;     /**< Connection parser structure for
                                 each connection */
    Flow *f;                /**< Needed to retrieve the original flow when usin HTPLib callbacks */
    uint8_t flags;
    uint16_t transaction_cnt;
    uint16_t transaction_done;
    uint32_t request_body_limit;
    FileContainer *files;
} HtpState;

void RegisterHTPParsers(void);
void HTPParserRegisterTests(void);
void HTPAtExitPrintStats(void);
void HTPFreeConfig(void);

htp_tx_t *HTPTransactionMain(const HtpState *);

int HTPCallbackRequestBodyData(htp_tx_data_t *);
int HtpTransactionGetLoggableId(Flow *);
void HtpBodyPrint(HtpBody *);
void HtpBodyFree(HtpBody *);
void AppLayerHtpRegisterExtraCallbacks(void);
/* To free the state from unittests using app-layer-htp */
void HTPStateFree(void *);
void AppLayerHtpEnableRequestBodyCallback(void);
void AppLayerHtpNeedFileInspection(void);
void AppLayerHtpPrintStats(void);

#endif	/* __APP_LAYER_HTP_H__ */

/**
 * @}
 */
Commit	Line	Data
a0ee6ade	1	/* Copyright (C) 2007-2011 Open Information Security Foundation
ce019275 WM	2	*
	3	* You can copy, redistribute or modify this Program under the terms of
	4	* the GNU General Public License version 2 as published by the Free
	5	* Software Foundation.
	6	*
	7	* This program is distributed in the hope that it will be useful,
	8	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	9	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	10	* GNU General Public License for more details.
0165b3f0	11	*
ce019275 WM	12	* You should have received a copy of the GNU General Public License
	13	* version 2 along with this program; if not, write to the Free Software
	14	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
	15	* 02110-1301, USA.
	16	*/
	17
60a99915 EL	18	/**
	19	* \defgroup httplayer HTTP layer support
	20	*
	21	* @{
	22	*/
	23
ce019275 WM	24	/**
ce019275 WM	25	* \file
0165b3f0	26	*
07f7ba55	27	* \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
0165b3f0	28	* \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
07f7ba55	29	*
ce019275	30	* This file provides a HTTP protocol support for the engine using HTP library.
07f7ba55 GS	31	*/
07f7ba55 GS	32
48248687 VJ	33	#ifndef __APP_LAYER_HTP_H__
48248687 VJ	34	#define __APP_LAYER_HTP_H__
07f7ba55	35
a9cdd2bb	36	#include "util-radix-tree.h"
e1022ee5	37	#include "util-file.h"
a9cdd2bb	38
07f7ba55 GS	39	#include <htp/htp.h>
07f7ba55 GS	40
6ebe7b7c	41	/* default request body limit */
a0ee6ade VJ	42	#define HTP_CONFIG_DEFAULT_REQUEST_BODY_LIMIT 4096U
	43
	44	/** a boundary should be smaller in size */
	45	#define HTP_BOUNDARY_MAX 200U
6ebe7b7c	46
50f7d0a8	47	#define HTP_FLAG_STATE_OPEN 0x01 /**< Flag to indicate that HTTP
0165b3f0	48	connection is open */
50f7d0a8	49	#define HTP_FLAG_STATE_CLOSED 0x02 /**< Flag to indicate that HTTP
0165b3f0	50	connection is closed */
50f7d0a8	51	#define HTP_FLAG_STATE_DATA 0x04 /**< Flag to indicate that HTTP
0165b3f0	52	connection needs more data */
50f7d0a8	53	#define HTP_FLAG_STATE_ERROR 0x08 /**< Flag to indicate that an error
0165b3f0 PR	54	has been occured on HTTP
0165b3f0 PR	55	connection */
50f7d0a8	56	#define HTP_FLAG_NEW_BODY_SET 0x10 /**< Flag to indicate that HTTP
0165b3f0 PR	57	has parsed a new body (for
0165b3f0 PR	58	pcre) */
0165b3f0	59	enum {
23e01d23	60	HTP_BODY_NONE = 0, /**< Flag to indicate the current
0165b3f0 PR	61	operation */
	62	HTP_BODY_REQUEST, /**< Flag to indicate that the
	63	current operation is a request */
	64	HTP_BODY_RESPONSE /**< Flag to indicate that the current
	65	* operation is a response */
	66	};
	67
23e01d23 VJ	68	enum {
	69	HTP_BODY_REQUEST_NONE = 0,
	70	HTP_BODY_REQUEST_MULTIPART,
	71	HTP_BODY_REQUEST_PUT,
	72	};
	73
0165b3f0 PR	74	#define HTP_PCRE_NONE 0x00 /*< No pcre executed yet /
	75	#define HTP_PCRE_DONE 0x01 /**< Flag to indicate that pcre has
	76	done some inspection in the
	77	chunks */
	78	#define HTP_PCRE_HAS_MATCH 0x02 /**< Flag to indicate that the chunks
	79	matched on some rule */
	80
	81	/** Struct used to hold chunks of a body on a request */
7a8cd61f	82	typedef struct HtpBodyChunk_ {
0165b3f0 PR	83	uint8_t data; /< Pointer to the data of the chunk /
0165b3f0 PR	84	uint32_t len; /*< Length of the chunk /
0165b3f0	85	uint32_t id; /*< number of chunk of the current body /
a0ee6ade VJ	86	struct HtpBodyChunk_ next; /< Pointer to the next chunk /
a0ee6ade VJ	87	uint64_t stream_offset;
7a8cd61f	88	} HtpBodyChunk;
0165b3f0 PR	89
0165b3f0 PR	90	/** Struct used to hold all the chunks of a body on a request */
7a8cd61f VJ	91	typedef struct HtpBody_ {
	92	HtpBodyChunk first; /< Pointer to the first chunk /
	93	HtpBodyChunk last; /< Pointer to the last chunk /
0165b3f0 PR	94	uint32_t nchunks; /*< Number of chunks in the current operation /
	95	uint8_t operation; /**< This flag indicate if it's a request
	96	or a response */
23e01d23	97	uint8_t type;
a0ee6ade VJ	98
a0ee6ade VJ	99	/* pahole: padding: 3 */
0165b3f0	100	} HtpBody;
fc2f7f29	101
a0ee6ade VJ	102	#define HTP_BODY_COMPLETE 0x01 /**< body is complete or limit is reached,
	103	either way, this is it. */
	104	#define HTP_CONTENTTYPE_SET 0x02 /*< We have the content type /
	105	#define HTP_BOUNDARY_SET 0x04 /*< We have a boundary string /
	106	#define HTP_BOUNDARY_OPEN 0x08 /*< We have a boundary string /
	107	#define HTP_FILENAME_SET 0x10 /*< filename is registered in the flow /
23e01d23 VJ	108	#define HTP_DONTSTORE 0x20 /*< not storing this file /
	109
	110	#define HTP_TX_HAS_FILE 0x01
	111	#define HTP_TX_HAS_FILENAME 0x02 /*< filename is known at this time /
	112	#define HTP_TX_HAS_TYPE 0x04
	113	#define HTP_TX_HAS_FILECONTENT 0x08 /*< file has content so we can do type detect /
	114
	115	#define HTP_RULE_NEED_FILE HTP_TX_HAS_FILE
	116	#define HTP_RULE_NEED_FILENAME HTP_TX_HAS_FILENAME
	117	#define HTP_RULE_NEED_TYPE HTP_TX_HAS_TYPE
	118	#define HTP_RULE_NEED_FILECONTENT HTP_TX_HAS_FILECONTENT
6ebe7b7c	119
06a65cb4 PR	120	/** Now the Body Chunks will be stored per transaction, at
	121	* the tx user data */
	122	typedef struct SCHtpTxUserData_ {
5c6a65dc AS	123	/* Body of the request (if any) */
5c6a65dc AS	124	HtpBody body;
a0ee6ade	125
5c6a65dc	126	/* Holds the length of the htp request body */
a0ee6ade	127	uint64_t content_len;
5c6a65dc	128	/* Holds the length of the htp request body seen so far */
a0ee6ade VJ	129	uint64_t content_len_so_far;
	130
	131	uint64_t body_parsed;
	132
	133	/** Holds the boundary identificator string if any (used on
	134	* multipart/form-data only)
	135	*/
6d60b3a7	136	uint8_t *boundary;
a0ee6ade	137	uint8_t boundary_len;
6d60b3a7	138
6ebe7b7c	139	uint8_t flags;
06a65cb4 PR	140	} SCHtpTxUserData;
06a65cb4 PR	141
07f7ba55	142	typedef struct HtpState_ {
07f7ba55	143
7a8cd61f VJ	144	htp_connp_t connp; /*< Connection parser structure for
7a8cd61f VJ	145	each connection */
6d60b3a7	146	Flow f; /< Needed to retrieve the original flow when usin HTPLib callbacks /
fc2f7f29	147	uint8_t flags;
70b32f73 VJ	148	uint16_t transaction_cnt;
70b32f73 VJ	149	uint16_t transaction_done;
6ebe7b7c	150	uint32_t request_body_limit;
e1022ee5	151	FileContainer *files;
07f7ba55 GS	152	} HtpState;
07f7ba55 GS	153
07f7ba55 GS	154	void RegisterHTPParsers(void);
07f7ba55 GS	155	void HTPParserRegisterTests(void);
fc2f7f29 GS	156	void HTPAtExitPrintStats(void);
fc2f7f29 GS	157	void HTPFreeConfig(void);
48248687	158
0165b3f0 PR	159	htp_tx_t HTPTransactionMain(const HtpState );
	160
	161	int HTPCallbackRequestBodyData(htp_tx_data_t *);
4e44073c	162	int HtpTransactionGetLoggableId(Flow *);
0165b3f0 PR	163	void HtpBodyPrint(HtpBody *);
	164	void HtpBodyFree(HtpBody *);
	165	void AppLayerHtpRegisterExtraCallbacks(void);
25a3a5c6 PR	166	/* To free the state from unittests using app-layer-htp */
25a3a5c6 PR	167	void HTPStateFree(void *);
97d49d8f	168	void AppLayerHtpEnableRequestBodyCallback(void);
6d60b3a7	169	void AppLayerHtpNeedFileInspection(void);
6fca55e0	170	void AppLayerHtpPrintStats(void);
0165b3f0	171
48248687	172	#endif /* __APP_LAYER_HTP_H__ */
07f7ba55	173
60a99915 EL	174	/**
	175	* @}
	176	*/