[people/ms/suricata.git] / src / detect-http-protocol.c

/* Copyright (C) 2007-2017 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \ingroup httplayer
 *
 * @{
 */


/**
 * \file
 *
 * \author Victor Julien <victor@inliniac.net>
 *
 * Implements support http_protocol sticky buffer
 */

#include "suricata-common.h"
#include "threads.h"
#include "decode.h"

#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
#include "detect-engine-state.h"
#include "detect-engine-prefilter.h"
#include "detect-engine-content-inspection.h"
#include "detect-content.h"
#include "detect-pcre.h"
#include "detect-http-header-common.h"
#include "detect-http-protocol.h"

#include "flow.h"
#include "flow-var.h"
#include "flow-util.h"

#include "util-debug.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "util-spm.h"
#include "util-print.h"

#include "app-layer.h"
#include "app-layer-parser.h"

#include "app-layer-htp.h"
#include "detect-http-header.h"
#include "stream-tcp.h"

#include "util-print.h"

#define KEYWORD_NAME "http.protocol"
#define KEYWORD_NAME_LEGACY "http_protocol"
#define KEYWORD_DOC "http-keywords.html#http-protocol"
#define BUFFER_NAME "http_protocol"
#define BUFFER_DESC "http protocol"
static int g_buffer_id = 0;

static int DetectHttpProtocolSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
    if (DetectBufferSetActiveList(s, g_buffer_id) < 0)
        return -1;

    if (DetectSignatureSetAppProto(s, ALPROTO_HTTP1) < 0)
        return -1;

    return 0;
}

static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f,
        const uint8_t flow_flags, void *txv, const int list_id)
{
    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
    if (buffer->inspect == NULL) {
        bstr *str = NULL;
        htp_tx_t *tx = (htp_tx_t *)txv;

        if (flow_flags & STREAM_TOSERVER)
            str = tx->request_protocol;
        else if (flow_flags & STREAM_TOCLIENT)
            str = tx->response_protocol;

        if (str == NULL) {
            SCLogDebug("HTTP protocol not set");
            return NULL;
        }

        uint32_t data_len = bstr_size(str);
        uint8_t *data = bstr_ptr(str);
        if (data == NULL || data_len == 0) {
            SCLogDebug("HTTP protocol not present");
            return NULL;
        }

        InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
        InspectionBufferApplyTransforms(buffer, transforms);
    }

    return buffer;
}

/**
 * \brief Registers the keyword handlers for the "http.protocol" keyword.
 */
void DetectHttpProtocolRegister(void)
{
    sigmatch_table[DETECT_AL_HTTP_PROTOCOL].name = KEYWORD_NAME;
    sigmatch_table[DETECT_AL_HTTP_PROTOCOL].alias = KEYWORD_NAME_LEGACY;
    sigmatch_table[DETECT_AL_HTTP_PROTOCOL].desc = BUFFER_NAME " sticky buffer";
    sigmatch_table[DETECT_AL_HTTP_PROTOCOL].url = "/rules/" KEYWORD_DOC;
    sigmatch_table[DETECT_AL_HTTP_PROTOCOL].Setup = DetectHttpProtocolSetup;
    sigmatch_table[DETECT_AL_HTTP_PROTOCOL].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;

    DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
            GetData, ALPROTO_HTTP1, HTP_REQUEST_LINE);
    DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
            GetData, ALPROTO_HTTP1, HTP_RESPONSE_LINE);
    DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_HTTP1, SIG_FLAG_TOSERVER,
            HTP_REQUEST_LINE, DetectEngineInspectBufferGeneric, GetData);
    DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_HTTP1, SIG_FLAG_TOCLIENT,
            HTP_RESPONSE_LINE, DetectEngineInspectBufferGeneric, GetData);

    DetectBufferTypeSetDescriptionByName(BUFFER_NAME,
            BUFFER_DESC);

    g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
}
Commit	Line	Data
36535efa VJ	1	/* Copyright (C) 2007-2017 Open Information Security Foundation
	2	*
	3	* You can copy, redistribute or modify this Program under the terms of
	4	* the GNU General Public License version 2 as published by the Free
	5	* Software Foundation.
	6	*
	7	* This program is distributed in the hope that it will be useful,
	8	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	9	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	10	* GNU General Public License for more details.
	11	*
	12	* You should have received a copy of the GNU General Public License
	13	* version 2 along with this program; if not, write to the Free Software
	14	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
	15	* 02110-1301, USA.
	16	*/
	17
	18	/**
	19	* \ingroup httplayer
	20	*
	21	* @{
	22	*/
	23
	24
	25	/**
	26	* \file
	27	*
	28	* \author Victor Julien <victor@inliniac.net>
	29	*
	30	* Implements support http_protocol sticky buffer
	31	*/
	32
	33	#include "suricata-common.h"
	34	#include "threads.h"
	35	#include "decode.h"
	36
	37	#include "detect.h"
	38	#include "detect-parse.h"
	39	#include "detect-engine.h"
	40	#include "detect-engine-mpm.h"
	41	#include "detect-engine-state.h"
	42	#include "detect-engine-prefilter.h"
	43	#include "detect-engine-content-inspection.h"
	44	#include "detect-content.h"
	45	#include "detect-pcre.h"
	46	#include "detect-http-header-common.h"
ab1200fb	47	#include "detect-http-protocol.h"
36535efa VJ	48
	49	#include "flow.h"
	50	#include "flow-var.h"
	51	#include "flow-util.h"
	52
	53	#include "util-debug.h"
	54	#include "util-unittest.h"
	55	#include "util-unittest-helper.h"
	56	#include "util-spm.h"
	57	#include "util-print.h"
	58
	59	#include "app-layer.h"
	60	#include "app-layer-parser.h"
	61
	62	#include "app-layer-htp.h"
	63	#include "detect-http-header.h"
	64	#include "stream-tcp.h"
	65
	66	#include "util-print.h"
	67
af9399f2 GL	68	#define KEYWORD_NAME "http.protocol"
af9399f2 GL	69	#define KEYWORD_NAME_LEGACY "http_protocol"
39183f7a	70	#define KEYWORD_DOC "http-keywords.html#http-protocol"
36535efa VJ	71	#define BUFFER_NAME "http_protocol"
	72	#define BUFFER_DESC "http protocol"
	73	static int g_buffer_id = 0;
	74
af9399f2	75	static int DetectHttpProtocolSetup(DetectEngineCtx de_ctx, Signature s, const char *arg)
36535efa	76	{
af9399f2 GL	77	if (DetectBufferSetActiveList(s, g_buffer_id) < 0)
af9399f2 GL	78	return -1;
36535efa	79
707f0272	80	if (DetectSignatureSetAppProto(s, ALPROTO_HTTP1) < 0)
af9399f2	81	return -1;
36535efa	82
af9399f2	83	return 0;
36535efa VJ	84	}
36535efa VJ	85
af9399f2 GL	86	static InspectionBuffer GetData(DetectEngineThreadCtx det_ctx,
	87	const DetectEngineTransforms transforms, Flow _f,
	88	const uint8_t flow_flags, void *txv, const int list_id)
36535efa	89	{
af9399f2 GL	90	InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
	91	if (buffer->inspect == NULL) {
	92	bstr *str = NULL;
	93	htp_tx_t tx = (htp_tx_t )txv;
	94
	95	if (flow_flags & STREAM_TOSERVER)
	96	str = tx->request_protocol;
	97	else if (flow_flags & STREAM_TOCLIENT)
	98	str = tx->response_protocol;
	99
	100	if (str == NULL) {
	101	SCLogDebug("HTTP protocol not set");
	102	return NULL;
	103	}
	104
	105	uint32_t data_len = bstr_size(str);
	106	uint8_t *data = bstr_ptr(str);
	107	if (data == NULL \|\| data_len == 0) {
	108	SCLogDebug("HTTP protocol not present");
	109	return NULL;
	110	}
	111
13cebb18	112	InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
af9399f2	113	InspectionBufferApplyTransforms(buffer, transforms);
36535efa	114	}
36535efa	115
af9399f2	116	return buffer;
36535efa VJ	117	}
36535efa VJ	118
36535efa	119	/**
af9399f2	120	* \brief Registers the keyword handlers for the "http.protocol" keyword.
36535efa VJ	121	*/
	122	void DetectHttpProtocolRegister(void)
	123	{
	124	sigmatch_table[DETECT_AL_HTTP_PROTOCOL].name = KEYWORD_NAME;
af9399f2	125	sigmatch_table[DETECT_AL_HTTP_PROTOCOL].alias = KEYWORD_NAME_LEGACY;
36535efa	126	sigmatch_table[DETECT_AL_HTTP_PROTOCOL].desc = BUFFER_NAME " sticky buffer";
26bcc975	127	sigmatch_table[DETECT_AL_HTTP_PROTOCOL].url = "/rules/" KEYWORD_DOC;
36535efa	128	sigmatch_table[DETECT_AL_HTTP_PROTOCOL].Setup = DetectHttpProtocolSetup;
af9399f2 GL	129	sigmatch_table[DETECT_AL_HTTP_PROTOCOL].flags \|= SIGMATCH_INFO_STICKY_BUFFER \| SIGMATCH_NOOPT;
af9399f2 GL	130
707f0272 PA	131	DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
	132	GetData, ALPROTO_HTTP1, HTP_REQUEST_LINE);
	133	DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
	134	GetData, ALPROTO_HTTP1, HTP_RESPONSE_LINE);
	135	DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_HTTP1, SIG_FLAG_TOSERVER,
	136	HTP_REQUEST_LINE, DetectEngineInspectBufferGeneric, GetData);
	137	DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_HTTP1, SIG_FLAG_TOCLIENT,
	138	HTP_RESPONSE_LINE, DetectEngineInspectBufferGeneric, GetData);
36535efa VJ	139
	140	DetectBufferTypeSetDescriptionByName(BUFFER_NAME,
	141	BUFFER_DESC);
	142
36535efa VJ	143	g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
36535efa VJ	144	}