detect: implement http {location,server} sticky buffer
authorJeff Lucovsky <jeff@lucovsky.org>
Wed, 27 Feb 2019 23:53:10 +0000 (18:53 -0500)
committerVictor Julien <victor@inliniac.net>
Fri, 22 Mar 2019 12:12:25 +0000 (13:12 +0100)
This implements inspection of the Server and Location buffer as a
content sticky buffer.

src/Makefile.am
src/detect-engine-register.h
src/detect-http-headers.c
src/detect-http-location.c [new file with mode: 0644]
src/detect-http-location.h [new file with mode: 0644]
src/detect-http-server.c [new file with mode: 0644]
src/detect-http-server.h [new file with mode: 0644]

index 28eb33f4456e7a0b349eda9254e53c8ec811279b..85486cf1faff0d0031a2aaf637e685ee50943f9d 100644 (file)
@@ -179,12 +179,14 @@ detect-http-headers.c detect-http-headers.h detect-http-headers-stub.h \
 detect-http-header-common.c detect-http-header-common.h \
 detect-http-header-names.c detect-http-header-names.h \
 detect-http-hh.c detect-http-hh.h \
+detect-http-location.c detect-http-location.h \
 detect-http-method.c detect-http-method.h \
 detect-http-protocol.c detect-http-protocol.h \
 detect-http-raw-header.c detect-http-raw-header.h \
 detect-http-referer.c detect-http-referer.h \
 detect-http-request-line.c detect-http-request-line.h \
 detect-http-response-line.c detect-http-response-line.h \
+detect-http-server.c detect-http-server.h \
 detect-http-server-body.c detect-http-server-body.h \
 detect-http-start.c detect-http-start.h \
 detect-http-stat-code.c detect-http-stat-code.h \
index 89d44bee6a53ef601c68e800b8df7d2209c97079..b788d52ae36d094d4ee7823c339da8fdd4d5db5a 100644 (file)
@@ -131,6 +131,8 @@ enum {
     DETECT_AL_HTTP_HEADER_CONNECTION,
     DETECT_AL_HTTP_HEADER_CONTENT_LEN,
     DETECT_AL_HTTP_HEADER_CONTENT_TYPE,
+    DETECT_AL_HTTP_HEADER_LOCATION,
+    DETECT_AL_HTTP_HEADER_SERVER,
     DETECT_AL_HTTP_HEADER_REFERER,
     DETECT_AL_HTTP_RAW_HEADER,
     DETECT_HTTP_RAW_HEADER,
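Review bot: `DETECT_AL_HTTP_HEADER_LOCATION` and `DETECT_AL_HTTP_HEADER_SERVER` are inserted ahead of `DETECT_AL_HTTP_HEADER_REFERER`, which breaks the alphabetical run the visible neighbours follow (CONNECTION, CONTENT_LEN, CONTENT_TYPE, REFERER). Placing `DETECT_AL_HTTP_HEADER_SERVER,` after the REFERER entry would keep the group sorted. The register calls added to DetectHttpHeadersRegister() in detect-http-headers.c come in the opposite order (Server, then Location) from the enum and the includes; using one order in all three places makes the additions easier to audit. The enum body continues outside the hunk.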
index 8bcef4b5bf128d5ea39bb8cec89c81beab0b002f..f9e8580606bb33f376e7d6995d1605ebd75e9851 100644 (file)
@@ -21,6 +21,8 @@
 #include "detect-http-connection.h"
 #include "detect-http-content-len.h"
 #include "detect-http-content-type.h"
+#include "detect-http-location.h"
+#include "detect-http-server.h"
 #include "detect-http-referer.h"
 #include "detect-http-headers.h"
 
@@ -33,5 +35,7 @@ void DetectHttpHeadersRegister(void)
     RegisterHttpHeadersConnection();
     RegisterHttpHeadersContentLen();
     RegisterHttpHeadersContentType();
+    RegisterHttpHeadersServer();
+    RegisterHttpHeadersLocation();
 }
 
diff --git a/src/detect-http-location.c b/src/detect-http-location.c
new file mode 100644 (file)
index 0000000..bd4eb15
--- /dev/null
@@ -0,0 +1,50 @@
+/* Copyright (C) 2007-2019 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \ingroup httplayer
+ *
+ * @{
+ */
+
+
+/**
+ * \file
+ *
+ * \author Jeff Lucovsky <jeff@lucovsky.org>
+ *
+ * Implements http.location sticky buffer
+ *
+ * "Location" is an HTTP response-header field used to redirect the recipient to
+ * a location other than the Request-URI for request completion.
+ */
+
+#define KEYWORD_NAME "http.location"
+#define KEYWORD_DOC "http-keywords.html#http-location"
+#define BUFFER_NAME "http.location"
+#define BUFFER_DESC "http location header"
+#define HEADER_NAME "Location"
+#define KEYWORD_ID DETECT_AL_HTTP_HEADER_LOCATION
+#define KEYWORD_TOCLIENT 1
+
+#include "detect-http-headers-stub.h"
+#include "detect-http-location.h"
+
+void RegisterHttpHeadersLocation(void)
+{
+    DetectHttpHeadersRegisterStub();
+}
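Review bot: The file comment in detect-http-location.c does not state which direction the buffer is inspected in, although `#define KEYWORD_TOCLIENT 1` with no `KEYWORD_TOSERVER` appears to select response-only inspection in detect-http-headers-stub.h (the stub is outside this diff, so this is inferred). A line such as `* Inspected in the to_client direction only.` in the `\file` block would tell rule writers that a to_server rule using `http.location` will not match; the same applies to detect-http-server.c. Both new .c files also open a Doxygen group with `@{`, and no closing `@}` is visible in either 50-line file. `KEYWORD_DOC` names the anchors `http-keywords.html#http-location` and `#http-server`, but the commit's file list shows no documentation or test file, so the link targets should be confirmed, as should the behaviour for repeated or empty header values.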
diff --git a/src/detect-http-location.h b/src/detect-http-location.h
new file mode 100644 (file)
index 0000000..de55a70
--- /dev/null
@@ -0,0 +1,23 @@
+/* Copyright (C) 2007-2019 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#ifndef __DETECT_HTTP_LOCATION_H__
+#define __DETECT_HTTP_LOCATION_H__
+
+void RegisterHttpHeadersLocation(void);
+
+#endif /* __DETECT_HTTP_LOCATION_H__ */
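Review bot: The include guard `__DETECT_HTTP_LOCATION_H__` contains a double underscore, a form C reserves for the implementation; `#ifndef DETECT_HTTP_LOCATION_H` / `#define DETECT_HTTP_LOCATION_H` avoids that. The same holds for `__DETECT_HTTP_SERVER_H__` in detect-http-server.h. If the rest of the tree uses this guard form, keeping it for consistency is a reasonable choice. Either way, the prototype would benefit from a one-line comment such as `/* Registers the http.location keyword and sticky buffer (response direction). */`, with the direction confirmed against the stub header.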
diff --git a/src/detect-http-server.c b/src/detect-http-server.c
new file mode 100644 (file)
index 0000000..d0d5984
--- /dev/null
@@ -0,0 +1,50 @@
+/* Copyright (C) 2007-2019 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \ingroup httplayer
+ *
+ * @{
+ */
+
+
+/**
+ * \file
+ *
+ * \author Jeff Lucovsky <jeff@lucovsky.org>
+ *
+ * Implements http.server sticky buffer
+ *
+ * "Server" is an HTTP response-header field containing information about the software
+ * used by the origin server to handle the request.
+ */
+
+#define KEYWORD_NAME "http.server"
+#define KEYWORD_DOC "http-keywords.html#http-server"
+#define BUFFER_NAME "http.server"
+#define BUFFER_DESC "http server header"
+#define HEADER_NAME "Server"
+#define KEYWORD_ID DETECT_AL_HTTP_HEADER_SERVER
+#define KEYWORD_TOCLIENT 1
+
+#include "detect-http-headers-stub.h"
+#include "detect-http-server.h"
+
+void RegisterHttpHeadersServer(void)
+{
+    DetectHttpHeadersRegisterStub();
+}
diff --git a/src/detect-http-server.h b/src/detect-http-server.h
new file mode 100644 (file)
index 0000000..c741372
--- /dev/null
@@ -0,0 +1,23 @@
+/* Copyright (C) 2007-2019 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#ifndef __DETECT_HTTP_SERVER_H__
+#define __DETECT_HTTP_SERVER_H__
+
+void RegisterHttpHeadersServer(void);
+
+#endif /* __DETECT_HTTP_SERVER_H__ */