http_host: dynamic buffer

author Victor Julien <victor@inliniac.net>

Fri, 9 Dec 2016 11:07:03 +0000 (12:07 +0100)

committer Victor Julien <victor@inliniac.net>

Thu, 16 Feb 2017 09:35:39 +0000 (10:35 +0100)
author Victor Julien <victor@inliniac.net>
Fri, 9 Dec 2016 11:07:03 +0000 (12:07 +0100)
committer Victor Julien <victor@inliniac.net>
Thu, 16 Feb 2017 09:35:39 +0000 (10:35 +0100)
diff --git a/src/detect-engine.c b/src/detect-engine.c

index 76fe02137df3a02d743914d794a02112ec66cced..3870cd165044e6497b609b9645aa898955bbb956 100644 (file)
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -2810,8 +2810,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
              return "http stat msg";
          case DETECT_SM_LIST_HSCDMATCH:
              return "http stat code";
-        case DETECT_SM_LIST_HHHDMATCH:
-            return "http host";
          case DETECT_SM_LIST_HRHHDMATCH:
              return "http raw host header";
          case DETECT_SM_LIST_APP_EVENT:
diff --git a/src/detect-fast-pattern.c b/src/detect-fast-pattern.c

index 2d8e701b3bc9a52382abb9618d013f9637991126..2cb1d8b39d2a0082dccbf9fbe1ddac7510868275 100644 (file)
--- a/src/detect-fast-pattern.c
+++ b/src/detect-fast-pattern.c
@@ -326,6 +326,7 @@ static int g_http_method_buffer_id = 0;
  static int g_http_uri_buffer_id = 0;
  static int g_http_ua_buffer_id = 0;
  static int g_http_cookie_buffer_id = 0;
+static int g_http_host_buffer_id = 0;
  
  /**
   * \test Checks if a fast_pattern is registered in a Signature
@@ -16410,7 +16411,7 @@ int DetectFastPatternTest589(void)
                                 "content:\"three\"; http_host; sid:1;)");
      if (de_ctx->sig_list == NULL)
          goto end;
-    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
+    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
      if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
          ud->flags & DETECT_CONTENT_NEGATED &&
          !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@@ -16448,7 +16449,7 @@ int DetectFastPatternTest590(void)
          goto end;
  
      result = 0;
-    sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH];
+    sm = de_ctx->sig_list->sm_lists[g_http_host_buffer_id];
      if (sm != NULL) {
          if ( (((DetectContentData *)sm->ctx)->flags &
                DETECT_CONTENT_FAST_PATTERN)) {
@@ -16485,7 +16486,7 @@ int DetectFastPatternTest591(void)
          goto end;
  
      result = 0;
-    sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH];
+    sm = de_ctx->sig_list->sm_lists[g_http_host_buffer_id];
      if (sm != NULL) {
          if ( (((DetectContentData *)sm->ctx)->flags &
                DETECT_CONTENT_FAST_PATTERN)) {
@@ -16516,7 +16517,7 @@ int DetectFastPatternTest592(void)
      if (de_ctx->sig_list == NULL)
          goto end;
  
-    sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH];
+    sm = de_ctx->sig_list->sm_lists[g_http_host_buffer_id];
      if (sm == NULL) {
          goto end;
      }
@@ -16552,7 +16553,7 @@ int DetectFastPatternTest593(void)
      if (de_ctx->sig_list == NULL)
          goto end;
  
-    sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH];
+    sm = de_ctx->sig_list->sm_lists[g_http_host_buffer_id];
      if (sm == NULL) {
          goto end;
      }
@@ -16797,7 +16798,7 @@ int DetectFastPatternTest603(void)
      if (de_ctx->sig_list == NULL)
          goto end;
  
-    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
+    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
      if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
          ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
          !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@@ -16829,7 +16830,7 @@ int DetectFastPatternTest604(void)
                                 "content:\"two\"; fast_pattern:only; http_host; sid:1;)");
      if (de_ctx->sig_list == NULL)
          goto end;
-    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
+    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
      if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
          ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
          !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@@ -16861,7 +16862,7 @@ int DetectFastPatternTest605(void)
                                 "content:\"two\"; fast_pattern:only; http_host; sid:1;)");
      if (de_ctx->sig_list == NULL)
          goto end;
-    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
+    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
      if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
          ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
          !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@@ -16893,7 +16894,7 @@ int DetectFastPatternTest606(void)
                                 "content:\"two\"; fast_pattern:only; http_host; sid:1;)");
      if (de_ctx->sig_list == NULL)
          goto end;
-    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
+    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
      if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
          ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
          !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@@ -16924,7 +16925,7 @@ int DetectFastPatternTest607(void)
                                 "content:\"two\"; http_host; sid:1;)");
      if (de_ctx->sig_list == NULL)
          goto end;
-    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
+    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
      if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
          ud->flags & DETECT_CONTENT_NEGATED &&
          !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@@ -17049,7 +17050,7 @@ int DetectFastPatternTest612(void)
                                 "content:\"three\"; http_host; sid:1;)");
      if (de_ctx->sig_list == NULL)
          goto end;
-    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
+    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
      if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
          !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
          ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@@ -17081,7 +17082,7 @@ int DetectFastPatternTest613(void)
                                 "content:\"three\"; http_host; distance:30; sid:1;)");
      if (de_ctx->sig_list == NULL)
          goto end;
-    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
+    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
      if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
          !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
          ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@@ -17113,7 +17114,7 @@ int DetectFastPatternTest614(void)
                                 "content:\"three\"; http_host; within:30; sid:1;)");
      if (de_ctx->sig_list == NULL)
          goto end;
-    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
+    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
      if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
          !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
          ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@@ -17145,7 +17146,7 @@ int DetectFastPatternTest615(void)
                                 "content:\"three\"; http_host; offset:30; sid:1;)");
      if (de_ctx->sig_list == NULL)
          goto end;
-    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
+    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
      if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
          !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
          ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@@ -17177,7 +17178,7 @@ int DetectFastPatternTest616(void)
                                 "content:\"three\"; http_host; depth:30; sid:1;)");
      if (de_ctx->sig_list == NULL)
          goto end;
-    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
+    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
      if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
          !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
          ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@@ -17209,7 +17210,7 @@ int DetectFastPatternTest617(void)
                                 "content:\"oneonethree\"; fast_pattern:3,4; http_host; sid:1;)");
      if (de_ctx->sig_list == NULL)
          goto end;
-    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
+    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
      if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
          !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
          ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@@ -17241,7 +17242,7 @@ int DetectFastPatternTest618(void)
                                 "content:\"oneonethree\"; fast_pattern:3,4; http_host; sid:1;)");
      if (de_ctx->sig_list == NULL)
          goto end;
-    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
+    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
      if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
          !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
          ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@@ -17273,7 +17274,7 @@ int DetectFastPatternTest619(void)
                                 "content:\"oneonethree\"; fast_pattern:3,4; http_host; sid:1;)");
      if (de_ctx->sig_list == NULL)
          goto end;
-    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
+    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
      if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
          !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
          ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@@ -17305,7 +17306,7 @@ int DetectFastPatternTest620(void)
                                 "content:\"oneonethree\"; fast_pattern:3,4; http_host; sid:1;)");
      if (de_ctx->sig_list == NULL)
          goto end;
-    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
+    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
      if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
          !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
          ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@@ -17412,7 +17413,7 @@ int DetectFastPatternTest624(void)
                                 "content:\"three\"; http_host; sid:1;)");
      if (de_ctx->sig_list == NULL)
          goto end;
-    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
+    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
      if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
          ud->flags & DETECT_CONTENT_NEGATED &&
          !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@@ -17541,7 +17542,7 @@ int DetectFastPatternTest629(void)
                                 "content:\"three\"; http_host; sid:1;)");
      if (de_ctx->sig_list == NULL)
          goto end;
-    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
+    DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
      if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
          ud->flags & DETECT_CONTENT_NEGATED &&
          !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@@ -18831,6 +18832,7 @@ void DetectFastPatternRegisterTests(void)
      g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
      g_http_ua_buffer_id = DetectBufferTypeGetByName("http_user_agent");
      g_http_cookie_buffer_id = DetectBufferTypeGetByName("http_cookie");
+    g_http_host_buffer_id = DetectBufferTypeGetByName("http_host");
  
      UtRegisterTest("DetectFastPatternTest01", DetectFastPatternTest01);
      UtRegisterTest("DetectFastPatternTest02", DetectFastPatternTest02);
diff --git a/src/detect-http-hh.c b/src/detect-http-hh.c

index fbe0db94353b946ee0708a8dc9d6645b79aea319..1abaf8a8c2e016f94d132b829ba835b398f5182e 100644 (file)
--- a/src/detect-http-hh.c
+++ b/src/detect-http-hh.c
@@ -59,9 +59,12 @@
  #include "detect-http-hh.h"
  #include "detect-engine-hhhd.h"
  
-int DetectHttpHHSetup(DetectEngineCtx *, Signature *, char *);
-void DetectHttpHHRegisterTests(void);
-void DetectHttpHHFree(void *);
+static int DetectHttpHHSetup(DetectEngineCtx *, Signature *, char *);
+static void DetectHttpHHRegisterTests(void);
+static void DetectHttpHHFree(void *);
+static void DetectHttpHostSetupCallback(Signature *s);
+static _Bool DetectHttpHostValidateCallback(const Signature *s);
+static int g_http_host_buffer_id = 0;
  
  /**
   * \brief Registers the keyword handlers for the "http_host" keyword.
@@ -79,15 +82,23 @@ void DetectHttpHHRegister(void)
      sigmatch_table[DETECT_AL_HTTP_HOST].flags |= SIGMATCH_NOOPT ;
      sigmatch_table[DETECT_AL_HTTP_HOST].flags |= SIGMATCH_PAYLOAD ;
  
-    DetectMpmAppLayerRegister("http_host", SIG_FLAG_TOSERVER,
-            DETECT_SM_LIST_HHHDMATCH, 2,
+    DetectAppLayerMpmRegister("http_host", SIG_FLAG_TOSERVER, 2,
              PrefilterTxHostnameRegister);
  
-    DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER,
-            DETECT_SM_LIST_HHHDMATCH,
+    DetectAppLayerInspectEngineRegister2("http_host",
+            ALPROTO_HTTP, SIG_FLAG_TOSERVER,
              DetectEngineInspectHttpHH);
  
-    return;
+    DetectBufferTypeSetDescriptionByName("http_host",
+            "http host header");
+
+    DetectBufferTypeRegisterSetupCallback("http_host",
+            DetectHttpHostSetupCallback);
+
+    DetectBufferTypeRegisterValidateCallback("http_host",
+            DetectHttpHostValidateCallback);
+
+    g_http_host_buffer_id = DetectBufferTypeGetByName("http_host");
  }
  
  /**
@@ -107,11 +118,50 @@ int DetectHttpHHSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
  {
      return DetectEngineContentModifierBufferSetup(de_ctx, s, arg,
                                                    DETECT_AL_HTTP_HOST,
-                                                  DETECT_SM_LIST_HHHDMATCH,
+                                                  g_http_host_buffer_id,
                                                    ALPROTO_HTTP,
                                                    NULL);
  }
  
+static void DetectHttpHostSetupCallback(Signature *s)
+{
+    SCLogDebug("callback invoked by %u", s->id);
+    s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
+}
+
+static _Bool DetectHttpHostValidateCallback(const Signature *s)
+{
+    const SigMatch *sm = s->init_data->smlists[g_http_host_buffer_id];
+    for ( ; sm != NULL; sm = sm->next) {
+        if (sm->type == DETECT_CONTENT) {
+            DetectContentData *cd = (DetectContentData *)sm->ctx;
+            if (cd->flags & DETECT_CONTENT_NOCASE) {
+                SCLogWarning(SC_ERR_INVALID_SIGNATURE, "http_host keyword "
+                        "specified along with \"nocase\". "
+                        "Since the hostname buffer we match against "
+                        "is actually lowercase.  So having a "
+                        "nocase is redundant.");
+            } else {
+                uint32_t u;
+                for (u = 0; u < cd->content_len; u++) {
+                    if (isupper(cd->content[u]))
+                        break;
+                }
+                if (u != cd->content_len) {
+                    SCLogWarning(SC_ERR_INVALID_SIGNATURE, "A pattern with "
+                            "uppercase chars detected for http_host.  "
+                            "Since the hostname buffer we match against "
+                            "is lowercase only, please specify a "
+                            "lowercase pattern.");
+                    return FALSE;
+                }
+            }
+        }
+    }
+
+    return TRUE;
+}
+
  /**
   * \brief The function to free the http_host data.
   *
@@ -280,6 +330,22 @@ static int DetectHttpHHTest05(void)
      return result;
  }
  
+/** \test invalid sig: uppercase content */
+static int DetectHttpHHTest05a(void)
+{
+    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+    FAIL_IF_NULL(de_ctx);
+    de_ctx->flags |= DE_QUIET;
+
+    Signature *s = DetectEngineAppendSig(de_ctx,
+            "alert tcp any any -> any any "
+            "(content:\"ABC\"; http_host; sid:1;)");
+    FAIL_IF_NOT_NULL(s);
+
+    DetectEngineCtxFree(de_ctx);
+    PASS;
+}
+
  /**
   *\test Test that the http_host content matches against a http request
   *      which holds the content.
@@ -1407,16 +1473,6 @@ end:
      return result;
  }
  
-
-
-
-
-
-
-
-
-
-
  int DetectHttpHHTest22(void)
  {
      DetectEngineCtx *de_ctx = NULL;
@@ -1439,15 +1495,15 @@ int DetectHttpHHTest22(void)
          goto end;
      }
  
-    if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL) {
-        printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL\n");
+    if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) {
+        printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n");
          goto end;
      }
  
      DetectContentData *cd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
      DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
-    DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
-    DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
+    DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
+    DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
      if (cd1->flags != 0 || memcmp(cd1->content, "one", cd1->content_len) != 0 ||
          cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
          hhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) ||
@@ -1494,15 +1550,15 @@ int DetectHttpHHTest23(void)
          goto end;
      }
  
-    if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL) {
-        printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL\n");
+    if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) {
+        printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n");
          goto end;
      }
  
      DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
      DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
-    DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
-    DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
+    DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
+    DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
      if (pd1->flags != 0 ||
          cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
          hhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) ||
@@ -1548,15 +1604,15 @@ int DetectHttpHHTest24(void)
          goto end;
      }
  
-    if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL) {
-        printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL\n");
+    if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) {
+        printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n");
          goto end;
      }
  
      DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
      DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
-    DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
-    DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
+    DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
+    DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
      if (pd1->flags != 0 ||
          cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
          hhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) ||
@@ -1603,15 +1659,15 @@ int DetectHttpHHTest25(void)
          goto end;
      }
  
-    if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL) {
-        printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL\n");
+    if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) {
+        printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n");
          goto end;
      }
  
      DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
      DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
-    DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
-    DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
+    DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
+    DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
      if (pd1->flags != DETECT_PCRE_RELATIVE_NEXT ||
          cd2->flags != DETECT_CONTENT_DISTANCE ||
          memcmp(cd2->content, "four", cd2->content_len) != 0 ||
@@ -1659,15 +1715,15 @@ int DetectHttpHHTest26(void)
          goto end;
      }
  
-    if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL) {
-        printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL\n");
+    if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) {
+        printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n");
          goto end;
      }
  
      DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
      DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
-    DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
-    DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
+    DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
+    DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
      if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
          cd2->flags != DETECT_CONTENT_DISTANCE ||
          memcmp(cd2->content, "four", cd2->content_len) != 0 ||
@@ -1742,15 +1798,15 @@ int DetectHttpHHTest28(void)
          goto end;
      }
  
-    if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL) {
-        printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL\n");
+    if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) {
+        printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n");
          goto end;
      }
  
      DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
      DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
-    DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
-    DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
+    DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
+    DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
      if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
          cd2->flags != DETECT_CONTENT_DISTANCE ||
          memcmp(cd2->content, "four", cd2->content_len) != 0 ||
@@ -1797,13 +1853,13 @@ int DetectHttpHHTest29(void)
          goto end;
      }
  
-    if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL) {
-        printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL\n");
+    if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) {
+        printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n");
          goto end;
      }
  
-    DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
-    DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
+    DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
+    DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
      if (hhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) ||
          memcmp(hhhd1->content, "one", hhhd1->content_len) != 0 ||
          hhhd2->flags != (DETECT_CONTENT_DISTANCE) ||
@@ -1841,13 +1897,13 @@ int DetectHttpHHTest30(void)
          goto end;
      }
  
-    if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL) {
-        printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL\n");
+    if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) {
+        printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n");
          goto end;
      }
  
-    DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
-    DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
+    DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
+    DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
      if (hhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) ||
          memcmp(hhhd1->content, "one", hhhd1->content_len) != 0 ||
          hhhd2->flags != (DETECT_CONTENT_WITHIN) ||
@@ -1957,21 +2013,21 @@ int DetectHttpHHTest34(void)
          goto end;
      }
  
-    if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL) {
-        printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL\n");
+    if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) {
+        printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n");
          goto end;
      }
  
-    if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH] == NULL ||
-        de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->type != DETECT_CONTENT ||
-        de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev == NULL ||
-        de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->type != DETECT_PCRE) {
+    if (de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id] == NULL ||
+        de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->type != DETECT_CONTENT ||
+        de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev == NULL ||
+        de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->type != DETECT_PCRE) {
  
          goto end;
      }
  
-    DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
-    DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
+    DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
+    DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
      if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
          hhhd2->flags != (DETECT_CONTENT_WITHIN) ||
          memcmp(hhhd2->content, "two", hhhd2->content_len) != 0) {
@@ -2008,21 +2064,21 @@ int DetectHttpHHTest35(void)
          goto end;
      }
  
-    if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL) {
-        printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL\n");
+    if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) {
+        printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n");
          goto end;
      }
  
-    if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH] == NULL ||
-        de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->type != DETECT_PCRE ||
-        de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev == NULL ||
-        de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->type != DETECT_CONTENT) {
+    if (de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id] == NULL ||
+        de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->type != DETECT_PCRE ||
+        de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev == NULL ||
+        de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->type != DETECT_CONTENT) {
  
          goto end;
      }
  
-    DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
-    DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
+    DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
+    DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
      if (pd2->flags != (DETECT_PCRE_RELATIVE) ||
          hhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) ||
          memcmp(hhhd1->content, "two", hhhd1->content_len) != 0) {
@@ -2059,21 +2115,21 @@ int DetectHttpHHTest36(void)
          goto end;
      }
  
-    if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL) {
-        printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL\n");
+    if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) {
+        printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n");
          goto end;
      }
  
-    if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH] == NULL ||
-        de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->type != DETECT_CONTENT ||
-        de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev == NULL ||
-        de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->type != DETECT_PCRE) {
+    if (de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id] == NULL ||
+        de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->type != DETECT_CONTENT ||
+        de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev == NULL ||
+        de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->type != DETECT_PCRE) {
  
          goto end;
      }
  
-    DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
-    DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
+    DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx;
+    DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx;
      if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
          hhhd2->flags != (DETECT_CONTENT_DISTANCE) ||
          memcmp(hhhd2->content, "two", hhhd2->content_len) != 0) {
@@ -2098,6 +2154,7 @@ void DetectHttpHHRegisterTests(void)
      UtRegisterTest("DetectHttpHHTest03", DetectHttpHHTest03);
      UtRegisterTest("DetectHttpHHTest04", DetectHttpHHTest04);
      UtRegisterTest("DetectHttpHHTest05", DetectHttpHHTest05);
+    UtRegisterTest("DetectHttpHHTest05a", DetectHttpHHTest05a);
      UtRegisterTest("DetectHttpHHTest06", DetectHttpHHTest06);
      UtRegisterTest("DetectHttpHHTest07", DetectHttpHHTest07);
      UtRegisterTest("DetectHttpHHTest08", DetectHttpHHTest08);
diff --git a/src/detect-parse.c b/src/detect-parse.c

index 4dd800b124be5d16ad1c2be3eff3a4d4f98599f3..ec9e4bce84208e6c6fdee996b5b3b838f1b1f26b 100644 (file)
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -147,7 +147,6 @@ const char *DetectListToHumanString(int list)
          CASE_CODE_STRING(DETECT_SM_LIST_HRHDMATCH, "http_raw_header");
          CASE_CODE_STRING(DETECT_SM_LIST_HSMDMATCH, "http_stat_msg");
          CASE_CODE_STRING(DETECT_SM_LIST_HSCDMATCH, "http_stat_code");
-        CASE_CODE_STRING(DETECT_SM_LIST_HHHDMATCH, "http_host");
          CASE_CODE_STRING(DETECT_SM_LIST_HRHHDMATCH, "http_raw_host");
          CASE_CODE_STRING(DETECT_SM_LIST_APP_EVENT, "app-layer-event");
          CASE_CODE_STRING(DETECT_SM_LIST_AMATCH, "app-layer");
@@ -185,7 +184,6 @@ const char *DetectListToString(int list)
          CASE_CODE(DETECT_SM_LIST_HRHDMATCH);
          CASE_CODE(DETECT_SM_LIST_HSMDMATCH);
          CASE_CODE(DETECT_SM_LIST_HSCDMATCH);
-        CASE_CODE(DETECT_SM_LIST_HHHDMATCH);
          CASE_CODE(DETECT_SM_LIST_HRHHDMATCH);
          CASE_CODE(DETECT_SM_LIST_APP_EVENT);
          CASE_CODE(DETECT_SM_LIST_AMATCH);
@@ -1391,7 +1389,6 @@ SigMatchData* SigMatchList2DataArray(SigMatch *head)
   */
  int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
  {
-    uint32_t u = 0;
      uint32_t sig_flags = 0;
      SigMatch *sm, *pm;
      const int nlists = DetectBufferTypeMaxId();
@@ -1478,35 +1475,6 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
          }
      }
  
-    if (s->init_data->smlists[DETECT_SM_LIST_HHHDMATCH] != NULL) {
-        for (sm = s->init_data->smlists[DETECT_SM_LIST_HHHDMATCH];
-             sm != NULL; sm = sm->next) {
-            if (sm->type == DETECT_CONTENT) {
-                DetectContentData *cd = (DetectContentData *)sm->ctx;
-                if (cd->flags & DETECT_CONTENT_NOCASE) {
-                    SCLogWarning(SC_ERR_INVALID_SIGNATURE, "http_host keyword "
-                                 "specified along with \"nocase\". "
-                                 "Since the hostname buffer we match against "
-                                 "is actually lowercase.  So having a "
-                                 "nocase is redundant.");
-                } else {
-                    for (u = 0; u < cd->content_len; u++) {
-                        if (isupper(cd->content[u]))
-                            break;
-                    }
-                    if (u != cd->content_len) {
-                        SCLogWarning(SC_ERR_INVALID_SIGNATURE, "A pattern with "
-                                     "uppercase chars detected for http_host.  "
-                                     "Since the hostname buffer we match against "
-                                     "is lowercase only, please specify a "
-                                     "lowercase pattern.");
-                        SCReturnInt(0);
-                    }
-                }
-            }
-        }
-    }
-
      //if (s->alproto != ALPROTO_UNKNOWN) {
      //    if (s->flags & SIG_FLAG_STATE_MATCH) {
      //        if (s->alproto == ALPROTO_DNS) {
@@ -1576,7 +1544,6 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
                  s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH] ||
                  s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH] ||
                  s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH] ||
-                s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH] ||
                  s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH])
          {
              SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature combines packet "
diff --git a/src/detect-pcre.c b/src/detect-pcre.c

index 13164d25decf75854eb0352a1bfb8e365b687b68..433c590c04d97c2230a20ddcc4f51f7b65ba2052 100644 (file)
--- a/src/detect-pcre.c
+++ b/src/detect-pcre.c
@@ -297,6 +297,7 @@ static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr,
  #define MAX_SUBSTRINGS 30
      int ret = 0, res = 0;
      int ov[MAX_SUBSTRINGS];
+    int check_host_header = 0;
  
      /* take the size of the whole input as buffer size for the regex we will
       * extract below. Add 1 to please Coverity's alloc_strlen test. */
@@ -413,13 +414,16 @@ static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr,
                      *sm_list = DetectPcreSetList(*sm_list, list);
                      break;
                  }
-                case 'W':
+                case 'W': {
                      if (pd->flags & DETECT_PCRE_RAWBYTES) {
                          SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'W' inconsistent with 'B'");
                          goto error;
                      }
-                    *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HHHDMATCH);
+                    int list = DetectBufferTypeGetByName("http_host");
+                    *sm_list = DetectPcreSetList(*sm_list, list);
+                    check_host_header = 1;
                      break;
+                }
                  case 'Z':
                      if (pd->flags & DETECT_PCRE_RAWBYTES) {
                          SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'Z' inconsistent with 'B'");
@@ -493,7 +497,7 @@ static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr,
      SCLogDebug("DetectPcreParse: \"%s\"", re);
  
      /* host header */
-    if (*sm_list == DETECT_SM_LIST_HHHDMATCH) {
+    if (check_host_header) {
          if (pd->flags & DETECT_PCRE_CASELESS) {
              SCLogWarning(SC_ERR_INVALID_SIGNATURE, "http host pcre(\"W\") "
                           "specified along with \"i(caseless)\" modifier.  "
@@ -679,7 +683,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
          parsed_sm_list == DETECT_SM_LIST_HRHDMATCH ||
          parsed_sm_list == DETECT_SM_LIST_HSMDMATCH ||
          parsed_sm_list == DETECT_SM_LIST_HSCDMATCH ||
-        parsed_sm_list == DETECT_SM_LIST_HHHDMATCH ||
          parsed_sm_list == DETECT_SM_LIST_HRHHDMATCH)
      {
          if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
@@ -713,7 +716,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
              case DETECT_SM_LIST_HRUDMATCH:
              case DETECT_SM_LIST_HHDMATCH:
              case DETECT_SM_LIST_HRHDMATCH:
-            case DETECT_SM_LIST_HHHDMATCH:
              case DETECT_SM_LIST_HRHHDMATCH:
              case DETECT_SM_LIST_HSMDMATCH:
              case DETECT_SM_LIST_HSCDMATCH:
diff --git a/src/detect.c b/src/detect.c

index 1846fe11494ccb0f64ec2efd71f6f553c5d2a4f2..2f39e7a259540a12796d3d15b9b721918bc31e6b 100644 (file)
--- a/src/detect.c
+++ b/src/detect.c
@@ -1930,9 +1930,6 @@ int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s)
      if (s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL)
          return 0;
  
-    if (s->init_data->smlists[DETECT_SM_LIST_HHHDMATCH] != NULL)
-        return 0;
-
      if (s->init_data->smlists[DETECT_SM_LIST_HRHHDMATCH] != NULL)
          return 0;
  
@@ -2026,9 +2023,6 @@ static int SignatureIsPDOnly(const Signature *s)
      if (s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL)
          return 0;
  
-    if (s->init_data->smlists[DETECT_SM_LIST_HHHDMATCH] != NULL)
-        return 0;
-
      if (s->init_data->smlists[DETECT_SM_LIST_HRHHDMATCH] != NULL)
          return 0;
  
@@ -2138,7 +2132,6 @@ static int SignatureIsDEOnly(DetectEngineCtx *de_ctx, const Signature *s)
          s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL ||
          s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL ||
          s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL ||
-        s->init_data->smlists[DETECT_SM_LIST_HHHDMATCH] != NULL ||
          s->init_data->smlists[DETECT_SM_LIST_HRHHDMATCH] != NULL)
      {
          SCReturnInt(0);
@@ -2322,11 +2315,6 @@ static int SignatureCreateMask(Signature *s)
          SCLogDebug("sig requires http app state");
      }
  
-    if (s->init_data->smlists[DETECT_SM_LIST_HHHDMATCH] != NULL) {
-        s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
-        SCLogDebug("sig requires http app state");
-    }
-
      if (s->init_data->smlists[DETECT_SM_LIST_HRHHDMATCH] != NULL) {
          s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
          SCLogDebug("sig requires http app state");
diff --git a/src/detect.h b/src/detect.h

index 4683aee0f99ef7059d9f679f89858e4e6304568d..a50d0935fd996d3e4c7a75350055ef61ffc1f69a 100644 (file)
--- a/src/detect.h
+++ b/src/detect.h
@@ -127,8 +127,6 @@ enum DetectSigmatchListEnum {
      DETECT_SM_LIST_HSMDMATCH,
      /* list for http_stat_code keyword and the ones relative to it */
      DETECT_SM_LIST_HSCDMATCH,
-    /* list for http_host keyword and the ones relative to it */
-    DETECT_SM_LIST_HHHDMATCH,
      /* list for http_raw_host keyword and the ones relative to it */
      DETECT_SM_LIST_HRHHDMATCH,
      /* app event engine sm list */
author	Victor Julien <victor@inliniac.net>
	Fri, 9 Dec 2016 11:07:03 +0000 (12:07 +0100)
committer	Victor Julien <victor@inliniac.net>
	Thu, 16 Feb 2017 09:35:39 +0000 (10:35 +0100)
src/detect-engine.c		patch \| blob \| blame \| history
src/detect-fast-pattern.c		patch \| blob \| blame \| history
src/detect-http-hh.c		patch \| blob \| blame \| history
src/detect-parse.c		patch \| blob \| blame \| history
src/detect-pcre.c		patch \| blob \| blame \| history
src/detect.c		patch \| blob \| blame \| history
src/detect.h		patch \| blob \| blame \| history