int list_type = SigMatchListSMBelongsTo(s, mpm_sm);
if (list_type == DETECT_SM_LIST_PMATCH)
fprintf(fp_engine_analysis_FD, "content\n");
- else if (list_type == DETECT_SM_LIST_HRUDMATCH)
- fprintf(fp_engine_analysis_FD, "http raw uri content\n");
else {
const char *desc = DetectBufferTypeGetDescriptionById(list_type);
const char *name = DetectBufferTypeGetNameById(list_type);
fprintf(rule_engine_analysis_FD, "%s",
payload ? (stream ? "payload and reassembled stream" : "payload") : "reassembled stream");
}
- else if (list_type == DETECT_SM_LIST_HRUDMATCH)
- fprintf(rule_engine_analysis_FD, "http raw uri content");
else if (list_type == DETECT_SM_LIST_DNSQUERYNAME_MATCH)
fprintf(rule_engine_analysis_FD, "dns query name content");
else if (list_type == DETECT_SM_LIST_TLSSNI_MATCH)
const int httpheader_id = DetectBufferTypeGetByName("http_header");
const int httprawheader_id = DetectBufferTypeGetByName("http_raw_header");
const int httpclientbody_id = DetectBufferTypeGetByName("http_client_body");
+ const int httprawuri_id = DetectBufferTypeGetByName("http_raw_uri");
if (s->init_data->init_flags & SIG_FLAG_INIT_BIDIREC) {
rule_bidirectional = 1;
raw_http_buf += 1;
http_method_buf += 1;
}
- else if (list_id == DETECT_SM_LIST_HRUDMATCH) {
+ else if (list_id == httprawuri_id) {
rule_pcre_http += 1;
raw_http_buf += 1;
http_raw_uri_buf += 1;
raw_http_buf += 1;
http_raw_header_buf += 1;
}
- else if (list_id == DETECT_SM_LIST_HRUDMATCH) {
+ else if (list_id == httprawuri_id) {
rule_content_http += 1;
raw_http_buf += 1;
http_raw_uri_buf += 1;
case DETECT_SM_LIST_PMATCH:
return "packet/stream payload";
- case DETECT_SM_LIST_HRUDMATCH:
- return "http raw uri";
case DETECT_SM_LIST_APP_EVENT:
return "app layer events";
static int g_http_raw_header_buffer_id = 0;
static int g_http_header_buffer_id = 0;
static int g_http_client_body_buffer_id = 0;
+static int g_http_raw_uri_buffer_id = 0;
/**
* \test Checks if a fast_pattern is registered in a Signature
"content:\"three\"; http_raw_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
goto end;
result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id];
if (sm != NULL) {
if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) {
goto end;
result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id];
if (sm != NULL) {
if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) {
goto end;
result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id];
DetectContentData *ud = (DetectContentData *)sm->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
goto end;
result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id];
DetectContentData *ud = (DetectContentData *)sm->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
"content:\"two\"; fast_pattern:only; http_raw_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
"content:\"two\"; fast_pattern:only; http_raw_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
"content:\"two\"; fast_pattern:only; http_raw_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
"content:\"two\"; http_raw_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
"content:\"three\"; http_raw_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"content:\"three\"; http_raw_uri; distance:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"content:\"three\"; http_raw_uri; within:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"content:\"three\"; http_raw_uri; offset:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"content:\"three\"; http_raw_uri; depth:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"content:\"oneonethree\"; fast_pattern:3,4; http_raw_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"content:\"oneonethree\"; fast_pattern:3,4; http_raw_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"content:\"oneonethree\"; fast_pattern:3,4; http_raw_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"content:\"oneonethree\"; fast_pattern:3,4; http_raw_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"content:\"three\"; http_raw_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
"content:\"three\"; http_raw_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
g_http_header_buffer_id = DetectBufferTypeGetByName("http_header");
g_http_raw_header_buffer_id = DetectBufferTypeGetByName("http_raw_header");
g_http_client_body_buffer_id = DetectBufferTypeGetByName("http_client_body");
+ g_http_raw_uri_buffer_id = DetectBufferTypeGetByName("http_raw_uri");
UtRegisterTest("DetectFastPatternTest01", DetectFastPatternTest01);
UtRegisterTest("DetectFastPatternTest02", DetectFastPatternTest02);
static int DetectHttpRawUriSetup(DetectEngineCtx *, Signature *, char *);
static void DetectHttpRawUriRegisterTests(void);
+static void DetectHttpRawUriSetupCallback(Signature *s);
+static int g_http_raw_uri_buffer_id = 0;
/**
* \brief Registration function for keyword http_raw_uri.
sigmatch_table[DETECT_AL_HTTP_RAW_URI].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_AL_HTTP_RAW_URI].flags |= SIGMATCH_PAYLOAD;
- DetectMpmAppLayerRegister("http_raw_uri", SIG_FLAG_TOSERVER,
- DETECT_SM_LIST_HRUDMATCH, 2,
+ DetectAppLayerMpmRegister("http_raw_uri", SIG_FLAG_TOSERVER, 2,
PrefilterTxRawUriRegister);
- DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER,
- DETECT_SM_LIST_HRUDMATCH,
+ DetectAppLayerInspectEngineRegister2("http_raw_uri",
+ ALPROTO_HTTP, SIG_FLAG_TOSERVER,
DetectEngineInspectHttpRawUri);
- return;
+ DetectBufferTypeSetDescriptionByName("http_raw_uri",
+ "raw http uri");
+
+ DetectBufferTypeRegisterSetupCallback("http_raw_uri",
+ DetectHttpRawUriSetupCallback);
+
+ g_http_raw_uri_buffer_id = DetectBufferTypeGetByName("http_raw_uri");
}
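Review bot: Registering the inspect engine with `SIG_FLAG_TOSERVER` here does not by itself reject a rule that pairs `http_raw_uri` with `flow:to_client`, and this commit deletes the explicit load-time check for that from the signature validation code, along with the check against combining packet-only keywords with this list. Unless the generic validation for dynamic buffers (not visible in this diff) covers both cases, such a rule would load without error and never alert, which is a silent detection gap. Please confirm where those two rejections now happen and add a unit test that expects such a signature to fail to load. A short comment above the `DetectBufferTypeRegisterSetupCallback` call, e.g. `/* per-signature setup: marks the rule as requiring HTTP state */`, would also help the next reader.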
/**
{
return DetectEngineContentModifierBufferSetup(de_ctx, s, arg,
DETECT_AL_HTTP_RAW_URI,
- DETECT_SM_LIST_HRUDMATCH,
+ g_http_raw_uri_buffer_id,
ALPROTO_HTTP,
NULL);
}
+static void DetectHttpRawUriSetupCallback(Signature *s)
+{
+ SCLogDebug("callback invoked by %u", s->id);
+ s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
+}
/******************************** UNITESTS **********************************/
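Review bot: `DetectHttpRawUriSetupCallback` is added without the `/** \brief ... */` header that the registration function in this file carries. I would add `/** \brief Setup callback for the http_raw_uri buffer; flags the signature as requiring HTTP state. \param s signature that uses the buffer */`. The comment should also say that this takes over the `SIG_MASK_REQUIRE_HTTP_STATE` assignment this commit removes from the mask-building code. As far as the diff shows, the callback is now the only place that bit is set for this buffer.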
goto end;
}
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id];
if (sm == NULL) {
printf("no sigmatch(es): ");
goto end;
printf("sig failed to parse\n");
goto end;
}
- if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH] == NULL)
+ if (s->sm_lists[g_http_raw_uri_buffer_id] == NULL)
goto end;
- if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH]->type != DETECT_CONTENT) {
+ if (s->sm_lists[g_http_raw_uri_buffer_id]->type != DETECT_CONTENT) {
printf("wrong type\n");
goto end;
}
char *str = "we are testing http_raw_uri keyword";
int uricomp = memcmp((const char *)
- ((DetectContentData*)s->sm_lists[DETECT_SM_LIST_HRUDMATCH]->ctx)->content,
+ ((DetectContentData*)s->sm_lists[g_http_raw_uri_buffer_id]->ctx)->content,
str,
strlen(str) - 1);
- int urilen = ((DetectContentData*)s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx)->content_len;
+ int urilen = ((DetectContentData*)s->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx)->content_len;
if (uricomp != 0 ||
urilen != strlen("we are testing http_raw_uri keyword")) {
printf("sig failed to parse, content not setup properly\n");
goto end;
}
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH] == NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH] == NULL\n");
+ if (de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL\n");
goto end;
}
DetectContentData *ud1 =
- (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx;
+ (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
DetectContentData *ud2 =
- (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx;
+ (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(ud1->content, "one", ud1->content_len) != 0 ||
ud2->flags != DETECT_CONTENT_DISTANCE ||
goto end;
}
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH] == NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH] == NULL\n");
+ if (de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL\n");
goto end;
}
DetectContentData *ud1 =
- (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx;
+ (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
DetectContentData *ud2 =
- (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx;
+ (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(ud1->content, "one", ud1->content_len) != 0 ||
ud2->flags != DETECT_CONTENT_WITHIN ||
goto end;
}
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH] == NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH] == NULL\n");
+ if (de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL\n");
goto end;
}
DetectContentData *ud1 =
- (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx;
+ (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
DetectContentData *ud2 =
- (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx;
+ (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(ud1->content, "one", ud1->content_len) != 0 ||
ud2->flags != DETECT_CONTENT_DISTANCE ||
goto end;
}
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH] == NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH] == NULL\n");
+ if (de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL\n");
goto end;
}
DetectContentData *ud1 =
- (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx;
+ (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
DetectContentData *ud2 =
- (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx;
+ (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(ud1->content, "one", ud1->content_len) != 0 ||
ud2->flags != DETECT_CONTENT_WITHIN ||
} else if (lua->flags & DATATYPE_HTTP_URI) {
int list = DetectBufferTypeGetByName("http_uri");
SigMatchAppendSMToList(s, sm, list);
- } else if (lua->flags & DATATYPE_HTTP_URI_RAW)
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRUDMATCH);
- else if (lua->flags & DATATYPE_HTTP_REQUEST_COOKIE ||
+ } else if (lua->flags & DATATYPE_HTTP_URI_RAW) {
+ int list = DetectBufferTypeGetByName("http_raw_uri");
+ SigMatchAppendSMToList(s, sm, list);
+ } else if (lua->flags & DATATYPE_HTTP_REQUEST_COOKIE ||
lua->flags & DATATYPE_HTTP_RESPONSE_COOKIE)
{
int list = DetectBufferTypeGetByName("http_cookie");
switch (list) {
CASE_CODE_STRING(DETECT_SM_LIST_MATCH, "packet");
CASE_CODE_STRING(DETECT_SM_LIST_PMATCH, "payload");
- CASE_CODE_STRING(DETECT_SM_LIST_HRUDMATCH, "http_raw_uri");
CASE_CODE_STRING(DETECT_SM_LIST_APP_EVENT, "app-layer-event");
CASE_CODE_STRING(DETECT_SM_LIST_AMATCH, "app-layer");
CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc");
switch (list) {
CASE_CODE(DETECT_SM_LIST_MATCH);
CASE_CODE(DETECT_SM_LIST_PMATCH);
- CASE_CODE(DETECT_SM_LIST_HRUDMATCH);
CASE_CODE(DETECT_SM_LIST_APP_EVENT);
CASE_CODE(DETECT_SM_LIST_AMATCH);
CASE_CODE(DETECT_SM_LIST_DMATCH);
SCReturnInt(0);
}
- for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH]; sm != NULL; sm = sm->next) {
- if (sm->type == DETECT_FLOW) {
- DetectFlowData *fd = (DetectFlowData *)sm->ctx;
- if (fd == NULL)
- continue;
-
- if (fd->flags & FLOW_PKT_TOCLIENT) {
- /* check for request + from_server/to_client */
- if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use uricontent "
- "/http_uri , raw_uri, http_client_body, "
- "http_method, http_user_agent keywords "
- "with flow:to_client or flow:from_server");
- SCReturnInt(0);
- }
- }
- }
- }
#if 0 // TODO figure out why this is even necessary
if ((s->init_data->smlists[DETECT_SM_LIST_FILEDATA] != NULL && s->alproto == ALPROTO_SMTP) ||
s->init_data->smlists[DETECT_SM_LIST_UMATCH] != NULL ||
SCReturnInt(0);
}
}
-
- if (s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH])
- {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature combines packet "
- "specific matches (like dsize, flags, ttl) with stream / "
- "state matching by matching on app layer proto (like using "
- "http_* keywords).");
- SCReturnInt(0);
- }
}
for (sm = s->init_data->smlists[DETECT_SM_LIST_AMATCH]; sm != NULL; sm = sm->next) {
int list = DetectBufferTypeGetByName("http_header");
*sm_list = DetectPcreSetList(*sm_list, list);
break;
- } case 'I': /* snort's option */
+ } case 'I': { /* snort's option */
if (pd->flags & DETECT_PCRE_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'I' inconsistent with 'B'");
goto error;
}
- *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HRUDMATCH);
+ int list = DetectBufferTypeGetByName("http_raw_uri");
+ *sm_list = DetectPcreSetList(*sm_list, list);
break;
+ }
case 'D': { /* snort's option */
int list = DetectBufferTypeGetByName("http_raw_header");
*sm_list = DetectPcreSetList(*sm_list, list);
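Review bot: The `I` modifier now resolves to a dynamic list id, but later in this file the commit deletes the `parsed_sm_list == DETECT_SM_LIST_HRUDMATCH` block that rejected a conflicting `s->alproto` and a sticky `file_data`/`dce_stub_data` list, and the switch case that set `s->alproto = ALPROTO_HTTP` and `SIG_FLAG_APPLAYER`. If the remaining setup code does not apply the same checks to dynamic ids (the rest of that function is outside the visible hunks), a rule for another protocol using `/I` would be accepted and evaluated against a buffer it can never see. Please confirm the generic path covers this, or keep the guard keyed on the looked-up id, e.g. `if (parsed_sm_list == DetectBufferTypeGetByName("http_raw_uri")) {` in front of the two rejections. A unit test that loads a non-HTTP rule with `/I` and expects a parse error would pin the behaviour.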
if (DetectPcreParseCapture(regexstr, de_ctx, pd) < 0)
goto error;
- if (parsed_sm_list == DETECT_SM_LIST_HRUDMATCH)
- {
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
- "Conflicting alprotos detected for this rule. Http "
- "pcre modifier found along with a different protocol "
- "for the rule.");
- goto error;
- }
- if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "pcre found with http "
- "modifier set, with file_data/dce_stub_data sticky "
- "option set.");
- goto error;
- }
- }
-
int sm_list = -1;
if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
s->flags |= SIG_FLAG_APPLAYER;
sm_list = s->init_data->list;
} else {
switch(parsed_sm_list) {
- case DETECT_SM_LIST_HRUDMATCH:
- s->flags |= SIG_FLAG_APPLAYER;
- s->alproto = ALPROTO_HTTP;
- sm_list = parsed_sm_list;
- break;
case DETECT_SM_LIST_NOTSET:
sm_list = DETECT_SM_LIST_PMATCH;
break;
void DetectUrilenRegisterTests (void);
static int g_http_uri_buffer_id = 0;
+static int g_http_raw_uri_buffer_id = 0;
/**
* \brief Registration function for urilen: keyword
DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
g_http_uri_buffer_id = DetectBufferTypeRegister("http_uri");
+ g_http_raw_uri_buffer_id = DetectBufferTypeRegister("http_raw_uri");
}
/**
sm->ctx = (void *)urilend;
if (urilend->raw_buffer)
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRUDMATCH);
+ SigMatchAppendSMToList(s, sm, g_http_raw_uri_buffer_id);
else
SigMatchAppendSMToList(s, sm, g_http_uri_buffer_id);
if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL)
return 0;
- if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL)
- return 0;
-
if (s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL)
return 0;
- if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL)
- return 0;
-
if (s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL)
return 0;
SCReturnInt(0);
}
- if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL ||
- s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL ||
- s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL)
+ if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL ||
+ s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL)
{
SCReturnInt(0);
}
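Review bot: Dropping the `DETECT_SM_LIST_HRUDMATCH` term from this condition, and the matching `return 0` checks removed in the two hunks above, means a rule whose only content sits on the raw-URI list no longer fails these early-outs through an explicit test. If the enclosing functions (they start outside the hunks) sort signatures into a cheaper inspection class, they need another check that sees dynamic buffer lists; otherwise such a rule could be misclassified and its `http_raw_uri` match never evaluated. Please confirm that check exists in each of the three functions. If it does not, add a term such as `s->init_data->smlists[DetectBufferTypeGetByName("http_raw_uri")] != NULL` next to the remaining ones.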
SCLogDebug("sig requires dce state");
}
- if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL) {
- s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
- SCLogDebug("sig requires http app state");
- }
-
SigMatch *sm;
for (sm = s->init_data->smlists[DETECT_SM_LIST_AMATCH] ; sm != NULL; sm = sm->next) {
switch(sm->type) {
DETECT_SM_LIST_BUILTIN_MAX,
- /* list for http_raw_uri keyword and the ones relative to it */
- DETECT_SM_LIST_HRUDMATCH = DETECT_SM_LIST_BUILTIN_MAX,
/* app event engine sm list */
- DETECT_SM_LIST_APP_EVENT,
+ DETECT_SM_LIST_APP_EVENT = DETECT_SM_LIST_BUILTIN_MAX,
DETECT_SM_LIST_FILEMATCH,