Additionally, it performs normalization of JavaScript identifiers making a
substitution of unique names with unified names representation: a0 -> z9999.
The identifiers are variables and function names.
-The normalized data is available through the script_data rule option.
+The normalized data is available through the js_data rule option.
This is currently experimental and still under development.
===== js_norm_identifier_depth
===== trace.module.http_inspect.js_dump
-Script data dump and verbosity levels:
+JavaScript data dump and verbosity levels:
-1. script_data buffer as it is passed to detection.
+1. js_data buffer as it is passed to detection.
2. Current script in normalized form.
described above under gzip, normalize_utf, decompress_pdf, decompress_swf, and
normalize_javascript.
-===== script_data
+===== js_data
-The script_data contains normalized JavaScript text collected from the whole PDU
+The js_data contains normalized JavaScript text collected from the whole PDU
(inline or external scripts). It requires the Enhanced Normalizer enabled:
http_inspect = { js_normalization_depth = N },
js_normalization_depth option is described above.
-Despite what script_data has, file_data still contains the whole HTTP body
+Despite what js_data has, file_data still contains the whole HTTP body
with an original JavaScript in it.
==== Timing issues and combining rule options
context = Analyzer::get_switcher()->interrupt();
context->file_data = DataPointer(nullptr, 0);
- context->script_data = DataPointer(nullptr, 0);
+ context->js_data = DataPointer(nullptr, 0);
reset();
}
DataPointer& DetectionEngine::get_file_data(IpsContext* c)
{ return c->file_data; }
-void DetectionEngine::set_script_data(const DataPointer& dp)
-{ Analyzer::get_switcher()->get_context()->script_data = dp; }
+void DetectionEngine::set_js_data(const DataPointer& dp)
+{ Analyzer::get_switcher()->get_context()->js_data = dp; }
-DataPointer& DetectionEngine::get_script_data(IpsContext* c)
-{ return c->script_data; }
+DataPointer& DetectionEngine::get_js_data(IpsContext* c)
+{ return c->js_data; }
void DetectionEngine::set_data(unsigned id, IpsContextData* p)
{ Analyzer::get_switcher()->get_context()->set_context_data(id, p); }
static void set_file_data(const DataPointer& dp);
static DataPointer& get_file_data(IpsContext*);
- static void set_script_data(const DataPointer& dp);
- static DataPointer& get_script_data(IpsContext*);
+ static void set_js_data(const DataPointer& dp);
+ static DataPointer& get_js_data(IpsContext*);
static uint8_t* get_buffer(unsigned& max);
static struct DataBuffer& get_alt_buffer(Packet*);
static inline void clear_file_data()
{ set_file_data(nullptr, 0); }
-static inline void set_script_data(const uint8_t* data, unsigned len)
+static inline void set_js_data(const uint8_t* data, unsigned len)
{
DataPointer dp { data, len };
- DetectionEngine::set_script_data(dp);
+ DetectionEngine::set_js_data(dp);
}
-static inline void clear_script_data()
-{ set_script_data(nullptr, 0); }
+static inline void clear_js_data()
+{ set_js_data(nullptr, 0); }
} // namespace snort
#endif
if ( MpseGroup* so = port_group->mpsegrp[PM_TYPE_SCRIPT] )
{
- // FIXIT-M script data should be obtained from
+ // FIXIT-M js data should be obtained from
// inspector gadget as is done with search_buffer
- DataPointer script_data = p->context->script_data;
+ DataPointer js_data = p->context->js_data;
- if ( script_data.len )
+ if ( js_data.len )
{
debug_logf(detection_trace, TRACE_FP_SEARCH, p,
"%" PRIu64 " fp search %s[%d]\n", p->context->packet_number,
- pm_type_strings[PM_TYPE_SCRIPT], script_data.len);
+ pm_type_strings[PM_TYPE_SCRIPT], js_data.len);
- batch_search(so, p, script_data.data, script_data.len, pc.script_searches);
+ batch_search(so, p, js_data.data, js_data.len, pc.script_searches);
}
}
continue;
}
- if ( !strcmp(s, "script_data") )
+ if ( !strcmp(s, "js_data") )
{
script = true;
continue;
}
if ( otn->sigInfo.services.empty() and script )
{
- ParseWarning(WARN_RULES, "%u:%u:%u has no service with script_data",
+ ParseWarning(WARN_RULES, "%u:%u:%u has no service with js_data",
otn->sigInfo.gid, otn->sigInfo.sid, otn->sigInfo.rev);
add_service_to_otn(sc, otn, "http");
}
SF_EVENTQ* equeue;
DataPointer file_data = DataPointer(nullptr, 0);
- DataPointer script_data = DataPointer(nullptr, 0);
+ DataPointer js_data = DataPointer(nullptr, 0);
DataBuffer alt_data = {};
uint64_t context_num;
ips_rem.cc
ips_rev.cc
ips_rpc.cc
- ips_script_data.cc
+ ips_js_data.cc
ips_seq.cc
ips_sid.cc
ips_soid.cc
ips_pkt_data.cc
ips_reference.cc
ips_replace.cc
- ips_script_data.cc
+ ips_js_data.cc
ips_service.cc
ips_so.cc
)
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// ips_script_data.cc author Serhii Vlasiuk <svlasiuk@cisco.com>
+// ips_js_data.cc author Serhii Vlasiuk <svlasiuk@cisco.com>
#ifdef HAVE_CONFIG_H
#include "config.h"
using namespace snort;
-#define s_name "script_data"
+#define s_name "js_data"
#define s_help \
- "rule option to set detection cursor to normalized script data"
+ "rule option to set detection cursor to normalized JavaScript data"
static THREAD_LOCAL ProfileStats scriptDataPerfStats;
{
RuleProfile profile(scriptDataPerfStats);
- DataPointer dp = DetectionEngine::get_script_data(p->context);
+ DataPointer dp = DetectionEngine::get_js_data(p->context);
if ( !dp.data or !dp.len )
return NO_MATCH;
delete m;
}
-static IpsOption* script_data_ctor(Module*, OptTreeNode*)
+static IpsOption* js_data_ctor(Module*, OptTreeNode*)
{
return new ScriptDataOption;
}
-static void script_data_dtor(IpsOption* p)
+static void js_data_dtor(IpsOption* p)
{
delete p;
}
-static const IpsApi script_data_api =
+static const IpsApi js_data_api =
{
{
PT_IPS_OPTION,
nullptr,
nullptr,
nullptr,
- script_data_ctor,
- script_data_dtor,
+ js_data_ctor,
+ js_data_dtor,
nullptr
};
#ifdef BUILDING_SO
SO_PUBLIC const BaseApi* snort_plugins[] =
#else
-const BaseApi* ips_script_data[] =
+const BaseApi* ips_js_data[] =
#endif
{
- &script_data_api.base,
+ &js_data_api.base,
nullptr
};
extern const BaseApi* ips_pkt_data;
extern const BaseApi* ips_reference;
extern const BaseApi* ips_replace;
-extern const BaseApi* ips_script_data;
+extern const BaseApi* ips_js_data;
extern const BaseApi* ips_service;
extern const BaseApi* ips_sha256;
extern const BaseApi* ips_sha512;
ips_pkt_data,
ips_reference,
ips_replace,
- ips_script_data,
+ ips_js_data,
ips_service,
ips_sha256,
ips_sha512,
if ( !(p->packet_flags & PKT_IGNORE) )
{
clear_file_data();
- clear_script_data();
+ clear_js_data();
// return incomplete status if the main hook indicates not all work was done
if (!main_hook(p))
return false;
void DetectionEngine::reset() { }
void DetectionEngine::wait_for_context() { }
void DetectionEngine::set_file_data(const DataPointer&) { }
-void DetectionEngine::set_script_data(const DataPointer&) { }
+void DetectionEngine::set_js_data(const DataPointer&) { }
void DetectionEngine::clear_replacement() { }
void DetectionEngine::disable_all(Packet*) { }
unsigned get_instance_id() { return 0; }
5. Parser states (debug build only)
6. Input stream states (debug build only)
-* trace.module.http_inspect.js_dump dumps script data from processing layers.
+* trace.module.http_inspect.js_dump dumps JavaScript data from processing layers.
+
Verbosity levels:
+
-1. script_data buffer as it is being passed to detection (available in release build)
+1. js_data buffer as it is being passed to detection (available in release build)
2. Current normalized script (available in release build)
3. Payload passed to Normalizer (available in release build)
4. Temporary buffer (debug build only)
output.set(dst - buffer, (const uint8_t*)buffer, true);
trace_logf(1, http_trace, TRACE_JS_DUMP, nullptr,
- "script_data[%zu]: %.*s\n", dst - buffer, static_cast<int>(dst - buffer), buffer);
+ "js_data[%zu]: %.*s\n", dst - buffer, static_cast<int>(dst - buffer), buffer);
}
}
output.set(dst - buffer, (const uint8_t*)buffer, true);
trace_logf(1, http_trace, TRACE_JS_DUMP, nullptr,
- "script_data[%zu]: %.*s\n", dst - buffer, static_cast<int>(dst - buffer), buffer);
+ "js_data[%zu]: %.*s\n", dst - buffer, static_cast<int>(dst - buffer), buffer);
}
}
if ( norm_length > 0 )
{
- set_script_data(enhanced_js_norm_body.start(), (unsigned int)norm_length);
+ set_js_data(enhanced_js_norm_body.start(), (unsigned int)norm_length);
if (partial_detect)
return;
projects / thirdparty / snort3.git / commitdiff
