here is intended to conflict with the technical language of the HTTP RFCs
and the implementation follows the RFCs.
-===== http_header, http_raw_header, and http_raw_header_complete
+===== http_header and http_raw_header
These cover all the header lines except the first one. You may specify an
individual header by name using the field option as shown in this earlier
With http_header the individual header value is normalized in a way that is
appropriate for that header.
-Specifying an individual header is not available for http_raw_header_complete, use
-http_raw_header instead.
-
-If you don't specify a header you get all of the headers. http_raw_header_complete
-includes cookie headers Cookie and Set-Cookie. http_header and http_raw_header don't.
-http_raw_header and http_raw_header_complete include the unmodified header names
-and values as they appeared in the original message. http_header is the same except
-percent encodings are removed and paths are simplified exactly as if the headers
-were a URI.
+If you don't specify a header you get all of the headers. http_raw_header
+includes the unmodified header names and values as they appeared in the
+original message. http_header is the same except percent encodings and cookies
+are removed and paths are simplified exactly as if the headers were a URI.
In most cases specifying individual headers creates a more efficient and
accurate rule. It is recommended that new rules be written using individual
"http_raw_body",
"http_raw_cookie",
"http_raw_header",
- "http_raw_header_complete",
"http_raw_request",
"http_raw_status",
"http_raw_trailer",
extern const BaseApi* ips_http_raw_body;
extern const BaseApi* ips_http_raw_cookie;
extern const BaseApi* ips_http_raw_header;
-extern const BaseApi* ips_http_raw_header_complete;
extern const BaseApi* ips_http_raw_request;
extern const BaseApi* ips_http_raw_status;
extern const BaseApi* ips_http_raw_trailer;
ips_http_raw_body,
ips_http_raw_cookie,
ips_http_raw_header,
- ips_http_raw_header_complete,
ips_http_raw_request,
ips_http_raw_status,
ips_http_raw_trailer,
// This enum must remain synchronized with HttpApi::classic_buffer_names[]
enum HTTP_BUFFER { HTTP_BUFFER_CLIENT_BODY = 1, HTTP_BUFFER_COOKIE, HTTP_BUFFER_HEADER,
HTTP_BUFFER_METHOD, HTTP_BUFFER_PARAM, HTTP_BUFFER_RAW_BODY, HTTP_BUFFER_RAW_COOKIE,
- HTTP_BUFFER_RAW_HEADER, HTTP_BUFFER_RAW_HEADER_COMPLETE, HTTP_BUFFER_RAW_REQUEST, HTTP_BUFFER_RAW_STATUS,
+ HTTP_BUFFER_RAW_HEADER, HTTP_BUFFER_RAW_REQUEST, HTTP_BUFFER_RAW_STATUS,
HTTP_BUFFER_RAW_TRAILER, HTTP_BUFFER_RAW_URI, HTTP_BUFFER_STAT_CODE, HTTP_BUFFER_STAT_MSG,
HTTP_BUFFER_TRAILER, HTTP_BUFFER_TRUE_IP, HTTP_BUFFER_URI, HTTP_BUFFER_VERSION,
HTTP_BUFFER_MAX };
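Review bot: Removing `HTTP_BUFFER_RAW_HEADER_COMPLETE` from the middle of the enum renumbers every later enumerator, and only the comment above keeps `HttpApi::classic_buffer_names[]` aligned with it. The print code elsewhere in this commit indexes that array with `HTTP_BUFFER_*-1`, so a future mismatch would attach the wrong name to a buffer without any compile error. A compile-time check beside the array definition would catch this, e.g. `static_assert(std::size(HttpApi::classic_buffer_names) == HTTP_BUFFER_MAX - 1, "classic_buffer_names out of sync with HTTP_BUFFER");`. The array's declaration is not visible here, so the expected count may need adjusting for a terminating entry.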
public:
void analyze() override;
- const Field& get_classic_raw_header();
const Field& get_classic_raw_cookie();
const Field& get_classic_norm_header();
const Field& get_classic_norm_cookie();
void parse_header_lines();
void create_norm_head_list();
void derive_header_name_id(int index);
+ const Field& get_classic_raw_header();
Field classic_raw_header; // raw headers with cookies spliced out
Field classic_norm_header; // URI normalization applied
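Review bot: The member comment `// raw headers with cookies spliced out` and the name `get_classic_raw_header()` no longer describe what the `http_raw_header` rule option returns, since that path now hands back `msg_text`. A later maintainer could reasonably wire this accessor back in as the rule buffer. Because the declaration is moved away from the public accessors here, document what it is still for, e.g. `// cookie-free raw headers; NOT the http_raw_header rule buffer (that is msg_text)`. It presumably only feeds the normalized header now, but its remaining callers are not visible in this hunk. The class declaration starts and ends outside the hunk.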
HttpApi::classic_buffer_names[HTTP_BUFFER_RAW_COOKIE-1]);
get_classic_buffer(HTTP_BUFFER_RAW_HEADER, 0, 0).print(output,
HttpApi::classic_buffer_names[HTTP_BUFFER_RAW_HEADER-1]);
- get_classic_buffer(HTTP_BUFFER_RAW_HEADER_COMPLETE, 0, 0).print(output,
- HttpApi::classic_buffer_names[HTTP_BUFFER_RAW_HEADER_COMPLETE-1]);
HttpMsgSection::print_section_wrapup(output);
}
#endif
if (head == nullptr)
return Field::FIELD_NULL;
if (buf.sub_id == 0)
- return head->get_classic_raw_header();
+ return head->msg_text;
return head->get_all_header_values_raw((HeaderId)buf.sub_id);
}
- case HTTP_BUFFER_RAW_HEADER_COMPLETE:
- {
- return (header[buffer_side] != nullptr) ? header[buffer_side]->msg_text :
- Field::FIELD_NULL;
- }
case HTTP_BUFFER_RAW_REQUEST:
{
return (request != nullptr) ? request->msg_text : Field::FIELD_NULL;
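Review bot: `return head->msg_text;` changes what every existing `http_raw_header` rule without a field argument inspects, because the buffer now includes the Cookie and Set-Cookie lines that `get_classic_raw_header()` used to splice out. Rules written against the old buffer can start alerting on cookie content. Rules that depend on positions within the buffer may also stop lining up, although that cannot be confirmed from this hunk. The change deserves a release note and an explicit sentence in the option's documentation that cookies are now included, not just the removal of `http_raw_header_complete`. At minimum add a comment on the new line, e.g. `// no field: whole header section as received, Cookie/Set-Cookie included`. The enclosing function begins outside the hunk.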
case HTTP_BUFFER_PARAM:
case HTTP_BUFFER_RAW_COOKIE:
case HTTP_BUFFER_RAW_HEADER:
- case HTTP_BUFFER_RAW_HEADER_COMPLETE:
case HTTP_BUFFER_RAW_REQUEST:
case HTTP_BUFFER_RAW_URI:
case HTTP_BUFFER_TRUE_IP:
nullptr
};
-//-------------------------------------------------------------------------
-// http_raw_header_complete
-//-------------------------------------------------------------------------
-
-static const Parameter http_raw_header_complete_params[] =
-{
- { "request", Parameter::PT_IMPLIED, nullptr, nullptr,
- "match against the headers from the request message even when examining the response" },
- { "with_header", Parameter::PT_IMPLIED, nullptr, nullptr,
- "this rule is limited to examining HTTP message headers" },
- { "with_body", Parameter::PT_IMPLIED, nullptr, nullptr,
- "parts of this rule examine HTTP message body" },
- { "with_trailer", Parameter::PT_IMPLIED, nullptr, nullptr,
- "parts of this rule examine HTTP message trailers" },
- { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
-};
-
-#undef IPS_OPT
-#define IPS_OPT "http_raw_header_complete"
-#undef IPS_HELP
-#define IPS_HELP "rule option to set the detection cursor to the unnormalized headers including cookies"
-
-static Module* raw_header_complete_mod_ctor()
-{
- return new HttpCursorModule(IPS_OPT, IPS_HELP, HTTP_BUFFER_RAW_HEADER_COMPLETE,
- CAT_SET_OTHER, PSI_RAW_HEADER_COMPLETE, http_raw_header_complete_params);
-}
-
-static const IpsApi raw_header_complete_api =
-{
- {
- PT_IPS_OPTION,
- sizeof(IpsApi),
- IPSAPI_VERSION,
- 1,
- API_RESERVED,
- API_OPTIONS,
- IPS_OPT,
- IPS_HELP,
- raw_header_complete_mod_ctor,
- HttpCursorModule::mod_dtor
- },
- OPT_TYPE_DETECTION,
- 0, PROTO_BIT__TCP,
- nullptr,
- nullptr,
- nullptr,
- nullptr,
- HttpIpsOption::opt_ctor,
- HttpIpsOption::opt_dtor,
- nullptr
-};
-
//-------------------------------------------------------------------------
// http_raw_request
//-------------------------------------------------------------------------
const BaseApi* ips_http_raw_body = &raw_body_api.base;
const BaseApi* ips_http_raw_cookie = &raw_cookie_api.base;
const BaseApi* ips_http_raw_header = &raw_header_api.base;
-const BaseApi* ips_http_raw_header_complete = &raw_header_complete_api.base;
const BaseApi* ips_http_raw_request = &raw_request_api.base;
const BaseApi* ips_http_raw_status = &raw_status_api.base;
const BaseApi* ips_http_raw_trailer = &raw_trailer_api.base;
#include "http_enum.h"
enum PsIdx { PSI_CLIENT_BODY, PSI_COOKIE, PSI_HEADER, PSI_METHOD, PSI_PARAM,
- PSI_RAW_BODY, PSI_RAW_COOKIE, PSI_RAW_HEADER, PSI_RAW_HEADER_COMPLETE, PSI_RAW_REQUEST,
- PSI_RAW_STATUS, PSI_RAW_TRAILER, PSI_RAW_URI, PSI_STAT_CODE, PSI_STAT_MSG, PSI_TRAILER,
+ PSI_RAW_BODY, PSI_RAW_COOKIE, PSI_RAW_HEADER, PSI_RAW_REQUEST, PSI_RAW_STATUS,
+ PSI_RAW_TRAILER, PSI_RAW_URI, PSI_STAT_CODE, PSI_STAT_MSG, PSI_TRAILER,
PSI_TRUE_IP, PSI_URI, PSI_VERSION, PSI_MAX };
class HttpCursorModule : public snort::Module