alert http any any -> any any (msg:"HTTP with xor"; http.uri; \
xor:"0d0ac8ff"; content:"password="; sid:1;)
+header_lowercase
+----------------
+
+This transform is meant for HTTP/1 HTTP/2 header names normalization.
+It lowercases the header names, while keeping untouched the header values.
+
+The implementation uses a state machine :
+- it lowercases until it finds ``:```
+- it does not change until it finds a new line and switch back to first state
+
+This example alerts for both HTTP/1 and HTTP/2 with a authorization header
+Example::
+
+ alert http any any -> any any (msg:"HTTP authorization"; http.header_names; \
+ header_lowercase; content:"authorization:"; sid:1;)
detect-transform-casechange.h \
detect-transform-compress-whitespace.h \
detect-transform-dotprefix.h \
+ detect-transform-header-lowercase.h \
detect-transform-md5.h \
detect-transform-pcrexform.h \
detect-transform-sha1.h \
detect-transform-casechange.c \
detect-transform-compress-whitespace.c \
detect-transform-dotprefix.c \
+ detect-transform-header-lowercase.c \
detect-transform-md5.c \
detect-transform-pcrexform.c \
detect-transform-sha1.c \
#include "detect-transform-urldecode.h"
#include "detect-transform-xor.h"
#include "detect-transform-casechange.h"
+#include "detect-transform-header-lowercase.h"
#include "util-rule-vars.h"
DetectTransformXorRegister();
DetectTransformToLowerRegister();
DetectTransformToUpperRegister();
+ DetectTransformHeaderLowercaseRegister();
DetectFileHandlerRegister();
DETECT_TRANSFORM_XOR,
DETECT_TRANSFORM_TOLOWER,
DETECT_TRANSFORM_TOUPPER,
+ DETECT_TRANSFORM_HEADER_LOWERCASE,
DETECT_AL_IKE_EXCH_TYPE,
DETECT_AL_IKE_SPI_INITIATOR,
--- /dev/null
+/* Copyright (C) 2023 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Philippe Antoine <contact@catenacyber.fr>
+ *
+ * Implements the header_lowercase transform keyword with option support
+ */
+
+#include "suricata-common.h"
+#include "detect.h"
+#include "detect-engine.h"
+#include "detect-parse.h"
+#include "detect-transform-header-lowercase.h"
+
+/**
+ * \internal
+ * \brief Apply the header_lowercase keyword to the last pattern match
+ * \param det_ctx detection engine ctx
+ * \param s signature
+ * \param optstr options string
+ * \retval 0 ok
+ * \retval -1 failure
+ */
+static int DetectTransformHeaderLowercaseSetup(
+ DetectEngineCtx *de_ctx, Signature *s, const char *optstr)
+{
+ SCEnter();
+ int r = DetectSignatureAddTransform(s, DETECT_TRANSFORM_HEADER_LOWERCASE, NULL);
+ SCReturnInt(r);
+}
+
+static void DetectTransformHeaderLowercase(InspectionBuffer *buffer, void *options)
+{
+ const uint8_t *input = buffer->inspect;
+ const uint32_t input_len = buffer->inspect_len;
+ if (input_len == 0) {
+ return;
+ }
+ uint8_t output[input_len];
+
+ // state 0 is header name, 1 is header value
+ int state = 0;
+ for (uint32_t i = 0; i < input_len; i++) {
+ if (state == 0) {
+ if (input[i] == ':') {
+ output[i] = input[i];
+ state = 1;
+ } else {
+ output[i] = u8_tolower(input[i]);
+ }
+ } else {
+ output[i] = input[i];
+ if (input[i] == '\n') {
+ state = 0;
+ }
+ }
+ }
+ InspectionBufferCopy(buffer, output, input_len);
+}
+
+void DetectTransformHeaderLowercaseRegister(void)
+{
+ sigmatch_table[DETECT_TRANSFORM_HEADER_LOWERCASE].name = "header_lowercase";
+ sigmatch_table[DETECT_TRANSFORM_HEADER_LOWERCASE].desc =
+ "modify buffer via lowercaseing header names";
+ sigmatch_table[DETECT_TRANSFORM_HEADER_LOWERCASE].url =
+ "/rules/transforms.html#header_lowercase";
+ sigmatch_table[DETECT_TRANSFORM_HEADER_LOWERCASE].Transform = DetectTransformHeaderLowercase;
+ sigmatch_table[DETECT_TRANSFORM_HEADER_LOWERCASE].Setup = DetectTransformHeaderLowercaseSetup;
+ sigmatch_table[DETECT_TRANSFORM_HEADER_LOWERCASE].flags |= SIGMATCH_NOOPT;
+}
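Review bot: In DetectTransformHeaderLowercase, `uint8_t output[input_len];` is a variable-length array on the stack sized by `buffer->inspect_len`, which comes from the inspected traffic. Nothing in this file caps that length, so a detection thread's stack use scales with the header block a peer sends; whether an upstream limit bounds it is not visible here. Because the transform never changes the length, I would drop the VLA and lowercase into storage owned by the inspection buffer (or a heap buffer with a checked allocation), and at minimum record the assumed bound at the declaration, e.g. `/* input_len is traffic-derived; relies on the caller's buffer size limit */`. The state machine also returns to the name state on every `'\n'`, so a line with no `':'` (for example a folded continuation line, if the keyword is used on a buffer other than `http.header_names`) is lowercased in full, which the keyword documentation should state. The Setup doc comment names `det_ctx` while the parameter is `de_ctx`, and the file header says "with option support" although the keyword is registered with `SIGMATCH_NOOPT`.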
--- /dev/null
+/* Copyright (C) 2023 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Philippe Antoine <contact@catenacyber.fr>
+ */
+
+#ifndef __DETECT_TRANSFORM_HEADER_LOWERCASE_H__
+#define __DETECT_TRANSFORM_HEADER_LOWERCASE_H__
+
+/* prototypes */
+void DetectTransformHeaderLowercaseRegister(void);
+
+#endif /* __DETECT_TRANSFORM_HEADER_LOWERCASE_H__ */