1 | /* Copyright (C) 2007-2017 Open Information Security Foundation |
2 | * | |
3 | * You can copy, redistribute or modify this Program under the terms of | |
4 | * the GNU General Public License version 2 as published by the Free | |
5 | * Software Foundation. | |
6 | * | |
7 | * This program is distributed in the hope that it will be useful, | |
8 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
9 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
10 | * GNU General Public License for more details. | |
11 | * | |
12 | * You should have received a copy of the GNU General Public License | |
13 | * version 2 along with this program; if not, write to the Free Software | |
14 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA | |
15 | * 02110-1301, USA. | |
16 | */ | |
17 | ||
18 | /** | |
19 | * \ingroup httplayer | |
20 | * | |
21 | * @{ | |
22 | */ | |
23 | ||
24 | ||
25 | /** | |
26 | * \file | |
27 | * | |
28 | * \author Victor Julien <victor@inliniac.net> | |
29 | * | |
30 | * Implements support for the http_protocol sticky buffer |
31 | */ | |
32 | ||
33 | #include "suricata-common.h" | |
34 | #include "threads.h" | |
35 | #include "decode.h" | |
36 | ||
37 | #include "detect.h" | |
38 | #include "detect-parse.h" | |
39 | #include "detect-engine.h" | |
40 | #include "detect-engine-mpm.h" | |
41 | #include "detect-engine-state.h" | |
42 | #include "detect-engine-prefilter.h" | |
43 | #include "detect-engine-content-inspection.h" | |
44 | #include "detect-content.h" | |
45 | #include "detect-pcre.h" | |
46 | #include "detect-http-header-common.h" | |
ab1200fb | 47 | #include "detect-http-protocol.h" |
48 | |
49 | #include "flow.h" | |
50 | #include "flow-var.h" | |
51 | #include "flow-util.h" | |
52 | ||
53 | #include "util-debug.h" | |
54 | #include "util-unittest.h" | |
55 | #include "util-unittest-helper.h" | |
56 | #include "util-spm.h" | |
57 | #include "util-print.h" | |
58 | ||
59 | #include "app-layer.h" | |
60 | #include "app-layer-parser.h" | |
61 | ||
62 | #include "app-layer-htp.h" | |
63 | #include "detect-http-header.h" | |
64 | #include "stream-tcp.h" | |
65 | ||
66 | #include "util-print.h" | |
67 | ||
/* Rule keyword spelling: "http.protocol" is the current name, "http_protocol"
 * is registered below as its alias so existing rules keep loading. */
#define KEYWORD_NAME "http.protocol"
#define KEYWORD_NAME_LEGACY "http_protocol"
/* Documentation anchor; registered below under the "/rules/" prefix. */
#define KEYWORD_DOC "http-keywords.html#http-protocol"
/* Name under which the sticky buffer is registered with the mpm and
 * inspection engines, and its human-readable description. */
#define BUFFER_NAME "http_protocol"
#define BUFFER_DESC "http protocol"
/* Buffer list id, resolved at the end of DetectHttpProtocolRegister() and
 * consumed by the keyword's Setup callback. */
static int g_buffer_id = 0;
74 | ||
/**
 * \brief Setup callback for the http.protocol / http_protocol sticky buffer.
 *
 * The keyword carries no option (it is registered with SIGMATCH_NOOPT), so
 * \a arg is ignored. The signature is first switched to this buffer's list
 * and then pinned to HTTP/1; the second step only runs if the first one
 * succeeded, and either failure rejects the rule.
 *
 * \param de_ctx detection engine context, unused here
 * \param s      signature being parsed
 * \param arg    keyword argument, ignored
 * \retval 0 on success
 * \retval -1 if the buffer list or the app-layer protocol could not be set
 */
static int DetectHttpProtocolSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
    /* short-circuit keeps the original order: list first, app proto second */
    if (DetectBufferSetActiveList(s, g_buffer_id) < 0 ||
            DetectSignatureSetAppProto(s, ALPROTO_HTTP1) < 0) {
        return -1;
    }
    return 0;
}
85 | ||
86 | static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, |
87 | const DetectEngineTransforms *transforms, Flow *_f, | |
88 | const uint8_t flow_flags, void *txv, const int list_id) | |
36535efa | 89 | { |
af9399f2 GL |
90 | InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); |
91 | if (buffer->inspect == NULL) { | |
92 | bstr *str = NULL; | |
93 | htp_tx_t *tx = (htp_tx_t *)txv; | |
94 | ||
95 | if (flow_flags & STREAM_TOSERVER) | |
96 | str = tx->request_protocol; | |
97 | else if (flow_flags & STREAM_TOCLIENT) | |
98 | str = tx->response_protocol; | |
99 | ||
100 | if (str == NULL) { | |
101 | SCLogDebug("HTTP protocol not set"); | |
102 | return NULL; | |
103 | } | |
104 | ||
105 | uint32_t data_len = bstr_size(str); | |
106 | uint8_t *data = bstr_ptr(str); | |
107 | if (data == NULL || data_len == 0) { | |
108 | SCLogDebug("HTTP protocol not present"); | |
109 | return NULL; | |
110 | } | |
111 | ||
13cebb18 | 112 | InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); |
af9399f2 | 113 | InspectionBufferApplyTransforms(buffer, transforms); |
36535efa | 114 | } |
36535efa | 115 | |
af9399f2 | 116 | return buffer; |
36535efa VJ |
117 | } |
118 | ||
/**
 * \brief Registers the keyword handlers for the "http.protocol" keyword.
 *
 * Fills the sigmatch table entry (name, legacy alias, description, doc URL,
 * Setup callback, sticky-buffer/no-option flags), then registers the buffer
 * with the mpm prefilter and the inspection engine for both directions, and
 * finally resolves the buffer list id used by DetectHttpProtocolSetup().
 * The order matters: g_buffer_id is looked up by name only after the
 * buffer has been registered.
 */
void DetectHttpProtocolRegister(void)
{
    sigmatch_table[DETECT_AL_HTTP_PROTOCOL].name = KEYWORD_NAME;
    sigmatch_table[DETECT_AL_HTTP_PROTOCOL].alias = KEYWORD_NAME_LEGACY;
    sigmatch_table[DETECT_AL_HTTP_PROTOCOL].desc = BUFFER_NAME " sticky buffer";
    sigmatch_table[DETECT_AL_HTTP_PROTOCOL].url = "/rules/" KEYWORD_DOC;
    sigmatch_table[DETECT_AL_HTTP_PROTOCOL].Setup = DetectHttpProtocolSetup;
    /* sticky buffer without an option, so Setup ignores its argument */
    sigmatch_table[DETECT_AL_HTTP_PROTOCOL].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;

    /* to-server data comes from the request line, to-client data from the
     * response line; HTP_REQUEST_LINE / HTP_RESPONSE_LINE presumably mark the
     * parser progress at which that line is available -- confirm in
     * app-layer-htp.h. The "2" argument's meaning is not visible here. */
    DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
            GetData, ALPROTO_HTTP1, HTP_REQUEST_LINE);
    DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
            GetData, ALPROTO_HTTP1, HTP_RESPONSE_LINE);
    DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_HTTP1, SIG_FLAG_TOSERVER,
            HTP_REQUEST_LINE, DetectEngineInspectBufferGeneric, GetData);
    DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_HTTP1, SIG_FLAG_TOCLIENT,
            HTP_RESPONSE_LINE, DetectEngineInspectBufferGeneric, GetData);

    DetectBufferTypeSetDescriptionByName(BUFFER_NAME,
            BUFFER_DESC);

    /* resolved last: the name is only known once registered above */
    g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
}