fprintf(fp_engine_analysis_FD, "http header content\n");
else if (list_type == DETECT_SM_LIST_HRHDMATCH)
fprintf(fp_engine_analysis_FD, "http raw header content\n");
- else if (list_type == DETECT_SM_LIST_HCDMATCH)
- fprintf(fp_engine_analysis_FD, "http cookie content\n");
else if (list_type == DETECT_SM_LIST_HCBDMATCH)
fprintf(fp_engine_analysis_FD, "http client body content\n");
else if (list_type == DETECT_SM_LIST_HSCDMATCH)
fprintf(rule_engine_analysis_FD, "http header content");
else if (list_type == DETECT_SM_LIST_HRHDMATCH)
fprintf(rule_engine_analysis_FD, "http raw header content");
- else if (list_type == DETECT_SM_LIST_HCDMATCH)
- fprintf(rule_engine_analysis_FD, "http cookie content");
else if (list_type == DETECT_SM_LIST_HCBDMATCH)
fprintf(rule_engine_analysis_FD, "http client body content");
else if (list_type == DETECT_SM_LIST_HSCDMATCH)
const int httpmethod_id = DetectBufferTypeGetByName("http_method");
const int httpuri_id = DetectBufferTypeGetByName("http_uri");
const int httpuseragent_id = DetectBufferTypeGetByName("http_user_agent");
+ const int httpcookie_id = DetectBufferTypeGetByName("http_cookie");
if (s->init_data->init_flags & SIG_FLAG_INIT_BIDIREC) {
rule_bidirectional = 1;
norm_http_buf += 1;
http_header_buf += 1;
}
- else if (list_id == DETECT_SM_LIST_HCDMATCH) {
+ else if (list_id == httpcookie_id) {
rule_pcre_http += 1;
norm_http_buf += 1;
http_cookie_buf += 1;
if (list_id == httpuri_id
|| list_id == DETECT_SM_LIST_HHDMATCH
- || list_id == DETECT_SM_LIST_HCDMATCH) {
+ || list_id == httpcookie_id) {
rule_content_http += 1;
norm_http_buf += 1;
DetectContentData *cd = (DetectContentData *)sm->ctx;
else if (list_id == DETECT_SM_LIST_HHDMATCH) {
http_header_buf += 1;
}
- else if (list_id == DETECT_SM_LIST_HCDMATCH) {
+ else if (list_id == httpcookie_id) {
http_cookie_buf += 1;
}
}
return "http host";
case DETECT_SM_LIST_HRHHDMATCH:
return "http raw host header";
- case DETECT_SM_LIST_HCDMATCH:
- return "http cookie";
case DETECT_SM_LIST_APP_EVENT:
return "app layer events";
static int g_http_method_buffer_id = 0;
static int g_http_uri_buffer_id = 0;
static int g_http_ua_buffer_id = 0;
+static int g_http_cookie_buffer_id = 0;
/**
* \test Checks if a fast_pattern is registered in a Signature
"content:\"three\"; http_cookie; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
goto end;
result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_cookie_buffer_id];
if (sm != NULL) {
if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) {
goto end;
result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_cookie_buffer_id];
if (sm != NULL) {
if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) {
goto end;
result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_cookie_buffer_id];
DetectContentData *ud = (DetectContentData *)sm->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
goto end;
result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_cookie_buffer_id];
DetectContentData *ud = (DetectContentData *)sm->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
"(content:\"one\"; http_cookie; content:\"two\"; http_cookie; within:30; content:\"two\"; fast_pattern:only; http_cookie; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
"(content:\"one\"; http_cookie; content:\"two\"; http_cookie; offset:30; content:\"two\"; fast_pattern:only; http_cookie; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
"(content:\"one\"; http_cookie; content:\"two\"; http_cookie; depth:30; content:\"two\"; fast_pattern:only; http_cookie; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
"(content:!\"one\"; fast_pattern; http_cookie; content:\"two\"; http_cookie; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
"(content:\"one\"; http_cookie; content:\"oneonetwo\"; fast_pattern:3,4; http_cookie; content:\"three\"; http_cookie; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(content:\"one\"; http_cookie; content:\"oneonetwo\"; fast_pattern:3,4; http_cookie; content:\"three\"; http_cookie; distance:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(content:\"one\"; http_cookie; content:\"oneonetwo\"; fast_pattern:3,4; http_cookie; content:\"three\"; http_cookie; within:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(content:\"one\"; http_cookie; content:\"oneonetwo\"; fast_pattern:3,4; http_cookie; content:\"three\"; http_cookie; offset:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(content:\"one\"; http_cookie; content:\"oneonetwo\"; fast_pattern:3,4; http_cookie; content:\"three\"; http_cookie; depth:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(content:\"one\"; http_cookie; content:\"two\"; http_cookie; distance:10; content:\"oneonethree\"; fast_pattern:3,4; http_cookie; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(content:\"one\"; http_cookie; content:\"two\"; http_cookie; within:10; content:\"oneonethree\"; fast_pattern:3,4; http_cookie; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(content:\"one\"; http_cookie; content:\"two\"; http_cookie; offset:10; content:\"oneonethree\"; fast_pattern:3,4; http_cookie; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(content:\"one\"; http_cookie; content:\"two\"; http_cookie; depth:10; content:\"oneonethree\"; fast_pattern:3,4; http_cookie; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(content:\"one\"; http_cookie; content:!\"oneonetwo\"; fast_pattern:3,4; http_cookie; content:\"three\"; http_cookie; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
"(content:\"one\"; http_cookie; content:!\"oneonetwo\"; fast_pattern:3,4; http_cookie; content:\"three\"; http_cookie; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
g_http_method_buffer_id = DetectBufferTypeGetByName("http_method");
g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
g_http_ua_buffer_id = DetectBufferTypeGetByName("http_user_agent");
+ g_http_cookie_buffer_id = DetectBufferTypeGetByName("http_cookie");
UtRegisterTest("DetectFastPatternTest01", DetectFastPatternTest01);
UtRegisterTest("DetectFastPatternTest02", DetectFastPatternTest02);
#include "stream-tcp.h"
static int DetectHttpCookieSetup (DetectEngineCtx *, Signature *, char *);
-void DetectHttpCookieRegisterTests(void);
-void DetectHttpCookieFree(void *);
+static void DetectHttpCookieRegisterTests(void);
+static void DetectHttpCookieFree(void *);
+static void DetectHttpCookieSetupCallback(Signature *s);
+static int g_http_cookie_buffer_id = 0;
/**
* \brief Registration function for keyword: http_cookie
sigmatch_table[DETECT_AL_HTTP_COOKIE].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_AL_HTTP_COOKIE].flags |= SIGMATCH_PAYLOAD;
- DetectMpmAppLayerRegister("http_cookie", SIG_FLAG_TOSERVER,
- DETECT_SM_LIST_HCDMATCH, 2,
+ DetectAppLayerMpmRegister("http_cookie", SIG_FLAG_TOSERVER, 2,
PrefilterTxRequestCookieRegister);
- DetectMpmAppLayerRegister("http_cookie", SIG_FLAG_TOCLIENT,
- DETECT_SM_LIST_HCDMATCH, 2,
+ DetectAppLayerMpmRegister("http_cookie", SIG_FLAG_TOCLIENT, 2,
PrefilterTxResponseCookieRegister);
- DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER,
- DETECT_SM_LIST_HCDMATCH,
+ DetectAppLayerInspectEngineRegister2("http_cookie",
+ ALPROTO_HTTP, SIG_FLAG_TOSERVER,
DetectEngineInspectHttpCookie);
- DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
- DETECT_SM_LIST_HCDMATCH,
+ DetectAppLayerInspectEngineRegister2("http_cookie",
+ ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
DetectEngineInspectHttpCookie);
+
+ DetectBufferTypeSetDescriptionByName("http_cookie",
+ "http cookie header");
+
+ DetectBufferTypeRegisterSetupCallback("http_cookie",
+ DetectHttpCookieSetupCallback);
+
+ g_http_cookie_buffer_id = DetectBufferTypeGetByName("http_cookie");
}
/**
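Review bot: `g_http_cookie_buffer_id` is assigned from `DetectBufferTypeGetByName("http_cookie")` on the last line of the registration function and is never checked. DetectHttpCookieSetup then passes it to `DetectEngineContentModifierBufferSetup` as the target list, and the detect-lua and pcre `case 'C'` hunks repeat the same lookup and feed the result straight into `SigMatchAppendSMToList` / `DetectPcreSetList`. Assuming a failed lookup yields a negative id (the function body is not part of this diff), a guard right after the assignment would turn a registration-order or spelling mistake into an immediate failure instead of a bad list index: `BUG_ON(g_http_cookie_buffer_id < 0);`. The registration function begins above this hunk.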
{
return DetectEngineContentModifierBufferSetup(de_ctx, s, str,
DETECT_AL_HTTP_COOKIE,
- DETECT_SM_LIST_HCDMATCH,
+ g_http_cookie_buffer_id,
ALPROTO_HTTP,
NULL);
}
+static void DetectHttpCookieSetupCallback(Signature *s)
+{
+ SCLogDebug("callback invoked by %u", s->id);
+ s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
+}
+
+
/******************************** UNITESTS **********************************/
#ifdef UNITTESTS
+#include "detect-isdataat.h"
#include "stream-tcp-reassemble.h"
static int g_http_uri_buffer_id = 0;
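Review bot: `DetectHttpCookieSetupCallback` carries over only the `SIG_MASK_REQUIRE_HTTP_STATE` bit from the per-list code this commit deletes. The other deleted tests on `smlists[DETECT_SM_LIST_HCDMATCH]` (two `return 0` guards and one entry in a `!= NULL ||` chain, further down the diff) have no visible counterpart for the dynamic id, so how a rule whose only content sits in http_cookie is classified now depends on generic handling of registered buffers that is not shown here; a unit test for that case would pin it. The callback also lacks the `/** \brief ... */` header used elsewhere in the file, e.g. `/** \brief setup callback for http_cookie: marks the signature as requiring HTTP state */`, and one of the two blank lines added after it can go.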
}
result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_cookie_buffer_id];
if (sm == NULL) {
printf("no sigmatch(es): ");
goto end;
Signature *s = de_ctx->sig_list;
- BUG_ON(s->sm_lists[DETECT_SM_LIST_HCDMATCH] == NULL);
+ BUG_ON(s->sm_lists[g_http_cookie_buffer_id] == NULL);
- if (s->sm_lists[DETECT_SM_LIST_HCDMATCH]->type != DETECT_CONTENT)
+ if (s->sm_lists[g_http_cookie_buffer_id]->type != DETECT_CONTENT)
goto end;
if (s->sm_lists[g_http_uri_buffer_id] == NULL) {
return result;
}
+static int DetectHttpCookieIsdataatParseTest(void)
+{
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ FAIL_IF_NULL(de_ctx);
+ de_ctx->flags |= DE_QUIET;
+
+ Signature *s = DetectEngineAppendSig(de_ctx,
+ "alert tcp any any -> any any ("
+ "content:\"one\"; http_cookie; "
+ "isdataat:!4,relative; sid:1;)");
+ FAIL_IF_NULL(s);
+
+ SigMatch *sm = s->init_data->smlists_tail[g_http_cookie_buffer_id];
+ FAIL_IF_NULL(sm);
+ FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
+
+ DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
+ FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
+ FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
+ FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
+
+ DetectEngineCtxFree(de_ctx);
+ PASS;
+}
+
#endif /* UNITTESTS */
/**
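Review bot: `DetectHttpCookieIsdataatParseTest` is added without the `\test` header that the other unit tests in this diff carry. Something like `/** \test isdataat:!4,relative after a http_cookie content is stored in the http_cookie list with the relative and negated flags set and rawbytes clear */` above the function would record what the three flag assertions are checking. This matters more here than usual because the test was moved out of detect-isdataat.c, where its old name and position gave that context.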
UtRegisterTest("DetectHttpCookieSigTest07", DetectHttpCookieSigTest07);
UtRegisterTest("DetectHttpCookieSigTest08", DetectHttpCookieSigTest08);
UtRegisterTest("DetectHttpCookieSigTest09", DetectHttpCookieSigTest09);
+ UtRegisterTest("DetectHttpCookieIsdataatParseTest",
+ DetectHttpCookieIsdataatParseTest);
#endif /* UNITTESTS */
}
return result;
}
-int DetectIsdataatTestParse13(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
- Signature *s = NULL;
- DetectIsdataatData *data = NULL;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing bytejump_body\"; "
- "content:\"one\"; http_cookie; "
- "isdataat:!4,relative; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- goto end;
- }
-
- s = de_ctx->sig_list;
- if (s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH] == NULL) {
- goto end;
- }
-
- result = 1;
-
- result &= (s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->type == DETECT_ISDATAAT);
- data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->ctx;
- if ( !(data->flags & ISDATAAT_RELATIVE) ||
- (data->flags & ISDATAAT_RAWBYTES) ||
- !(data->flags & ISDATAAT_NEGATED) ) {
- result = 0;
- goto end;
- }
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
/**
* \test dns_query with isdataat relative to it
*/
UtRegisterTest("DetectIsdataatTestParse09", DetectIsdataatTestParse09);
UtRegisterTest("DetectIsdataatTestParse10", DetectIsdataatTestParse10);
UtRegisterTest("DetectIsdataatTestParse11", DetectIsdataatTestParse11);
- UtRegisterTest("DetectIsdataatTestParse13", DetectIsdataatTestParse13);
UtRegisterTest("DetectIsdataatTestParse16", DetectIsdataatTestParse16);
UtRegisterTest("DetectIsdataatTestPacket01", DetectIsdataatTestPacket01);
SigMatchAppendSMToList(s, sm, list);
} else if (lua->flags & DATATYPE_HTTP_URI_RAW)
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRUDMATCH);
- else if (lua->flags & DATATYPE_HTTP_REQUEST_COOKIE)
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HCDMATCH);
- else if (lua->flags & DATATYPE_HTTP_REQUEST_UA) {
+ else if (lua->flags & DATATYPE_HTTP_REQUEST_COOKIE ||
+ lua->flags & DATATYPE_HTTP_RESPONSE_COOKIE)
+ {
+ int list = DetectBufferTypeGetByName("http_cookie");
+ SigMatchAppendSMToList(s, sm, list);
+ } else if (lua->flags & DATATYPE_HTTP_REQUEST_UA) {
int list = DetectBufferTypeGetByName("http_user_agent");
SigMatchAppendSMToList(s, sm, list);
} else if (lua->flags & (DATATYPE_HTTP_REQUEST_HEADERS|DATATYPE_HTTP_RESPONSE_HEADERS))
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HHDMATCH);
else if (lua->flags & (DATATYPE_HTTP_REQUEST_HEADERS_RAW|DATATYPE_HTTP_RESPONSE_HEADERS_RAW))
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRHDMATCH);
- else if (lua->flags & DATATYPE_HTTP_RESPONSE_COOKIE)
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HCDMATCH);
else {
int list = DetectBufferTypeGetByName("http_request_line");
SigMatchAppendSMToList(s, sm, list);
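Review bot: Merging the two cookie branches moves the `DATATYPE_HTTP_RESPONSE_COOKIE` test ahead of the user-agent, header and raw-header branches, where it used to come after them. If a script can set more than one of these flags (not visible in this hunk), the match is now appended to the http_cookie list rather than the list it landed in before, which presumably changes the buffer the script is evaluated against. If that is intended it deserves a line in the commit message. The condition would also match its neighbours better as `else if (lua->flags & (DATATYPE_HTTP_REQUEST_COOKIE|DATATYPE_HTTP_RESPONSE_COOKIE)) {`. The if/else chain starts and ends outside the hunk.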
CASE_CODE_STRING(DETECT_SM_LIST_HSCDMATCH, "http_stat_code");
CASE_CODE_STRING(DETECT_SM_LIST_HHHDMATCH, "http_host");
CASE_CODE_STRING(DETECT_SM_LIST_HRHHDMATCH, "http_raw_host");
- CASE_CODE_STRING(DETECT_SM_LIST_HCDMATCH, "http_cookie");
CASE_CODE_STRING(DETECT_SM_LIST_APP_EVENT, "app-layer-event");
CASE_CODE_STRING(DETECT_SM_LIST_AMATCH, "app-layer");
CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc");
CASE_CODE(DETECT_SM_LIST_HSCDMATCH);
CASE_CODE(DETECT_SM_LIST_HHHDMATCH);
CASE_CODE(DETECT_SM_LIST_HRHHDMATCH);
- CASE_CODE(DETECT_SM_LIST_HCDMATCH);
CASE_CODE(DETECT_SM_LIST_APP_EVENT);
CASE_CODE(DETECT_SM_LIST_AMATCH);
CASE_CODE(DETECT_SM_LIST_DMATCH);
s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH] ||
- s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH])
{
*sm_list = DetectPcreSetList(*sm_list, list);
break;
}
- case 'C': /* snort's option */
+ case 'C': { /* snort's option */
if (pd->flags & DETECT_PCRE_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'C' inconsistent with 'B'");
goto error;
}
- *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HCDMATCH);
+ int list = DetectBufferTypeGetByName("http_cookie");
+ *sm_list = DetectPcreSetList(*sm_list, list);
break;
+ }
case 'P':
/* snort's option (http request body inspection) */
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HCBDMATCH);
parsed_sm_list == DETECT_SM_LIST_HSMDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HSCDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HHHDMATCH ||
- parsed_sm_list == DETECT_SM_LIST_HRHHDMATCH ||
-// parsed_sm_list == DETECT_SM_LIST_HMDMATCH ||
- parsed_sm_list == DETECT_SM_LIST_HCDMATCH)
+ parsed_sm_list == DETECT_SM_LIST_HRHHDMATCH)
{
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
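Review bot: With `case 'C'` now resolving to a dynamically registered id, removing `DETECT_SM_LIST_HCDMATCH` from this condition means a `/C` pcre no longer reaches the `s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP` conflict check in the visible lines. The following hunk likewise drops it from the switch that sets `SIG_FLAG_APPLAYER` and `s->alproto = ALPROTO_HTTP`. Unless a branch outside these hunks handles registered buffer ids, a cookie pcre on a non-HTTP rule would be accepted rather than rejected with `SC_ERR_CONFLICTING_RULE_KEYWORDS`, and the signature would not be pinned to HTTP. Keeping the cookie list in the condition by id, e.g. `|| parsed_sm_list == DetectBufferTypeGetByName("http_cookie")`, plus a parse test for a `/C` pcre on a non-HTTP rule, would preserve the old validation.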
case DETECT_SM_LIST_HRHHDMATCH:
case DETECT_SM_LIST_HSMDMATCH:
case DETECT_SM_LIST_HSCDMATCH:
- case DETECT_SM_LIST_HCDMATCH:
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
sm_list = parsed_sm_list;
if (s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL)
return 0;
- if (s->init_data->smlists[DETECT_SM_LIST_HCDMATCH] != NULL)
- return 0;
-
if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL)
return 0;
- if (s->init_data->smlists[DETECT_SM_LIST_HCDMATCH] != NULL)
- return 0;
-
if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL)
return 0;
s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL ||
- s->init_data->smlists[DETECT_SM_LIST_HCDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL ||
SCLogDebug("sig requires http app state");
}
- if (s->init_data->smlists[DETECT_SM_LIST_HCDMATCH] != NULL) {
- s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
- SCLogDebug("sig requires http app state");
- }
-
if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL) {
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
SCLogDebug("sig requires http app state");
DETECT_SM_LIST_HHHDMATCH,
/* list for http_raw_host keyword and the ones relative to it */
DETECT_SM_LIST_HRHHDMATCH,
- /* list for http_cookie keyword and the ones relative to it */
- DETECT_SM_LIST_HCDMATCH,
/* app event engine sm list */
DETECT_SM_LIST_APP_EVENT,