http body inspection: force body inspection on stream eof.

diff --git a/src/detect-engine-hcbd.c b/src/detect-engine-hcbd.c
index 50d0d0f01f81d840c5ff37c34015ed81ee033271..75106135d22b5b04fa8b58fba1b097bf354c5458 100644 (file)
--- a/src/detect-engine-hcbd.c
+++ b/src/detect-engine-hcbd.c
@@ -70,7 +70,7 @@
  * \warning Make sure flow is locked -- flow is modified, WRITE lock needed
  */
 static void DetectEngineBufferHttpClientBodies(DetectEngineCtx *de_ctx,
-        DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state)
+        DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state, uint8_t flags)
 {
     int idx = 0;
     htp_tx_t *tx = NULL;
@@ -169,6 +169,10 @@ static void DetectEngineBufferHttpClientBodies(DetectEngineCtx *de_ctx,
             }
         }
 
+        if (flags & STREAM_EOF) {
+            htud->flags |= HTP_REQ_BODY_COMPLETE;
+        }
+
         /* inspect the body if the transfer is complete or we have hit
          * our body size limit */
         if (htud->request_body.content_len_so_far < BODY_MINIMAL_SIZE &&
@@ -232,7 +236,7 @@ int DetectEngineRunHttpClientBodyMpm(DetectEngineCtx *de_ctx,
     uint32_t cnt = 0;
 
     FLOWLOCK_WRLOCK(f);
-    DetectEngineBufferHttpClientBodies(de_ctx, det_ctx, f, htp_state);
+    DetectEngineBufferHttpClientBodies(de_ctx, det_ctx, f, htp_state, flags);
     FLOWLOCK_UNLOCK(f);
 
     if (det_ctx->hcbd != NULL && det_ctx->hcbd_buffers_list_len) {
@@ -273,7 +277,7 @@ int DetectEngineInspectHttpClientBody(DetectEngineCtx *de_ctx,
     int i = 0;
 
     FLOWLOCK_WRLOCK(f);
-    DetectEngineBufferHttpClientBodies(de_ctx, det_ctx, f, alstate);
+    DetectEngineBufferHttpClientBodies(de_ctx, det_ctx, f, alstate, flags);
     FLOWLOCK_UNLOCK(f);
 
     if (det_ctx->hcbd != NULL && det_ctx->hcbd_buffers_list_len) {

diff --git a/src/detect-engine-hsbd.c b/src/detect-engine-hsbd.c
index ec9c4464b9771cb1ef6af5907071bd715f325c69..0e2670ac33bd4931894fa9b359463aad8e9ad91e 100644 (file)
--- a/src/detect-engine-hsbd.c
+++ b/src/detect-engine-hsbd.c
@@ -71,7 +71,7 @@
  * \warning Make sure flow is locked. Flow is modified, WRITE lock needed.
  */
 static void DetectEngineBufferHttpServerBodies(DetectEngineCtx *de_ctx,
-        DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state)
+        DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state, uint8_t flags)
 {
     int idx = 0;
     htp_tx_t *tx = NULL;
@@ -163,6 +163,10 @@ static void DetectEngineBufferHttpServerBodies(DetectEngineCtx *de_ctx,
             }
         }
 
+        if (flags & STREAM_EOF) {
+            htud->flags |= HTP_RES_BODY_COMPLETE;
+        }
+
         /* inspect the body if the transfer is complete or we have hit
          * our body size limit */
         if (htud->response_body.content_len_so_far < BODY_MINIMAL_SIZE &&
@@ -228,7 +232,7 @@ int DetectEngineRunHttpServerBodyMpm(DetectEngineCtx *de_ctx,
     uint32_t cnt = 0;
 
     FLOWLOCK_WRLOCK(f);
-    DetectEngineBufferHttpServerBodies(de_ctx, det_ctx, f, htp_state);
+    DetectEngineBufferHttpServerBodies(de_ctx, det_ctx, f, htp_state, flags);
     FLOWLOCK_UNLOCK(f);
 
     if (det_ctx->hsbd != NULL && det_ctx->hsbd_buffers_list_len) {
@@ -269,7 +273,7 @@ int DetectEngineInspectHttpServerBody(DetectEngineCtx *de_ctx,
     int i = 0;
 
     FLOWLOCK_WRLOCK(f);
-    DetectEngineBufferHttpServerBodies(de_ctx, det_ctx, f, alstate);
+    DetectEngineBufferHttpServerBodies(de_ctx, det_ctx, f, alstate, flags);
     FLOWLOCK_UNLOCK(f);
 
     if (det_ctx->hsbd != NULL && det_ctx->hsbd_buffers_list_len) {

diff --git a/src/detect-http-server-body.c b/src/detect-http-server-body.c
index 32e1e435b08ccaa41e67a5df6087069b434c2ff6..3982426345d4358c78e81ec57ac24f30a077750e 100644 (file)
--- a/src/detect-http-server-body.c
+++ b/src/detect-http-server-body.c
@@ -584,7 +584,7 @@ static int DetectHttpServerBodyTest07(void)
     SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
 
     if ((PacketAlertCheck(p1, 1))) {
-        printf("sid 1 matched on chunk2 but should have: ");
+        printf("sid 1 matched on chunk2 but shouldn't have: ");
         goto end;
     }