DETECT_AL_HTTP_CLIENT_BODY,
DETECT_AL_HTTP_SERVER_BODY,
DETECT_AL_HTTP_HEADER,
+ DETECT_HTTP_HEADER,
DETECT_AL_HTTP_HEADER_NAMES,
DETECT_AL_HTTP_HEADER_ACCEPT,
DETECT_AL_HTTP_HEADER_ACCEPT_LANG,
ALPROTO_HTTP);
}
+/**
+ * \brief this function setup the http.header keyword used in the rule
+ *
+ * \param de_ctx Pointer to the Detection Engine Context
+ * \param s Pointer to the Signature to which the current keyword belongs
+ * \param str Should hold an empty string always
+ *
+ * \retval 0 On success
+ */
+static int DetectHttpHeaderSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
+{
+ if (DetectBufferSetActiveList(s, g_http_header_buffer_id) < 0)
+ return -1;
+ if (DetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)
+ return -1;
+ return 0;
+}
+
/**
* \brief Registers the keyword handlers for the "http_header" keyword.
*/
void DetectHttpHeaderRegister(void)
{
+ /* http_header content modifier */
sigmatch_table[DETECT_AL_HTTP_HEADER].name = "http_header";
sigmatch_table[DETECT_AL_HTTP_HEADER].desc = "content modifier to match only on the HTTP header-buffer";
sigmatch_table[DETECT_AL_HTTP_HEADER].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-header-and-http-raw-header";
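Review bot: The doc comment on `DetectHttpHeaderSetupSticky` lists only `\retval 0 On success`, but both guarded calls return -1, so the failure path is undocumented; add `\retval -1 On failure`. `de_ctx` and `str` are never read in the body, and `\param str Should hold an empty string always` describes a condition the function itself does not check. It appears to rely on the `SIGMATCH_NOOPT` flag set at registration, which is worth stating in the comment so a later change to the flags does not silently drop that guarantee. The brief would also read better as `\brief Set up the http.header sticky buffer for a rule`.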
sigmatch_table[DETECT_AL_HTTP_HEADER].RegisterTests = DetectHttpHeaderRegisterTests;
#endif
sigmatch_table[DETECT_AL_HTTP_HEADER].flags |= SIGMATCH_NOOPT ;
+ sigmatch_table[DETECT_AL_HTTP_HEADER].flags |= SIGMATCH_INFO_CONTENT_MODIFIER;
+ sigmatch_table[DETECT_AL_HTTP_HEADER].alternative = DETECT_HTTP_HEADER;
+
+ /* http.header sticky buffer */
+ sigmatch_table[DETECT_HTTP_HEADER].name = "http.header";
+ sigmatch_table[DETECT_HTTP_HEADER].desc = "sticky buffer to match on the normalized HTTP header-buffer";
+ sigmatch_table[DETECT_HTTP_HEADER].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-header";
+ sigmatch_table[DETECT_HTTP_HEADER].Setup = DetectHttpHeaderSetupSticky;
+ sigmatch_table[DETECT_HTTP_HEADER].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_HTTP_HEADER].flags |= SIGMATCH_INFO_STICKY_BUFFER;
DetectAppLayerInspectEngineRegister2("http_header", ALPROTO_HTTP,
SIG_FLAG_TOSERVER, HTP_REQUEST_HEADERS,
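Review bot: The `url` for the new `http.header` entry points at the anchor `#http-header`, while the legacy `http_header` entry uses `#http-header-and-http-raw-header`. Unless the documentation page gains that anchor in the same change, the link will not land on a section, so confirm it exists. The section comment could also say that the sticky buffer selects the same buffer id as the legacy modifier, e.g. `/* http.header sticky buffer; uses g_http_header_buffer_id like http_header */`, since that is what the setup function does. The body of `DetectHttpHeaderRegister` continues past this hunk.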
PASS;
}
+/**
+ * \test Test parser accepting valid rules and rejecting invalid rules
+ */
+static int DetectHttpHeaderParserTest02(void)
+{
+ FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; sid:1;)", true));
+ FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; nocase; sid:1;)", true));
+ FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; endswith; sid:1;)", true));
+ FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; startswith; sid:1;)", true));
+ FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; startswith; endswith; sid:1;)", true));
+ FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; bsize:10; sid:1;)", true));
+
+ FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; rawbytes; sid:1;)", false));
+ FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (http.header; sid:1;)", false));
+ FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (http.header; content:\"abc\"; sid:1;)", false));
+ PASS;
+}
+
/**
* \test Test that a signature containting a http_header is correctly parsed
* and the keyword is registered.
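Review bot: The `alert tcp` rejection case in `DetectHttpHeaderParserTest02` changes two things at once: the rule protocol and the absence of any `content` after `http.header`. A pass therefore does not show which condition the parser rejected, and a short comment such as `/* rejected: sticky buffer with no following match */` (or whichever reason is intended) would pin the expectation. The test also has no case for the keyword given a value, which is the contract implied by `SIGMATCH_NOOPT`. Consider adding `FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header:abc; content:\"abc\"; sid:1;)", false));`, assuming the parser rejects options on NOOPT keywords as expected.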
void DetectHttpHeaderRegisterTests(void)
{
UtRegisterTest("DetectHttpHeaderParserTest01", DetectHttpHeaderParserTest01);
+ UtRegisterTest("DetectHttpHeaderParserTest02", DetectHttpHeaderParserTest02);
+
UtRegisterTest("DetectHttpHeaderTest01", DetectHttpHeaderTest01);
UtRegisterTest("DetectHttpHeaderTest06", DetectHttpHeaderTest06);
UtRegisterTest("DetectHttpHeaderTest07", DetectHttpHeaderTest07);