detect: add http.response_body sticky buffer

author Victor Julien <victor@inliniac.net>

Sat, 15 Dec 2018 09:13:17 +0000 (10:13 +0100)

committer Victor Julien <victor@inliniac.net>

Tue, 29 Jan 2019 12:27:57 +0000 (13:27 +0100)
author Victor Julien <victor@inliniac.net>
Sat, 15 Dec 2018 09:13:17 +0000 (10:13 +0100)
committer Victor Julien <victor@inliniac.net>
Tue, 29 Jan 2019 12:27:57 +0000 (13:27 +0100)
diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h

index bf8eee114a3991a42ecd3fe83595d2c98c049ef6..3fa2e4ad0ca71fc873f020e840ff9565a9e37333 100644 (file)
--- a/src/detect-engine-register.h
+++ b/src/detect-engine-register.h
@@ -121,6 +121,7 @@ enum {
      DETECT_AL_HTTP_CLIENT_BODY,
      DETECT_HTTP_REQUEST_BODY,
      DETECT_AL_HTTP_SERVER_BODY,
+    DETECT_HTTP_RESPONSE_BODY,
      DETECT_AL_HTTP_HEADER,
      DETECT_HTTP_HEADER,
      DETECT_AL_HTTP_HEADER_NAMES,
diff --git a/src/detect-http-server-body.c b/src/detect-http-server-body.c

index 230565c2ce80b3d1a7249f588415ed24ff43a70c..bae9a11a70c7eb3b159c72416a5097393b757ddf 100644 (file)
--- a/src/detect-http-server-body.c
+++ b/src/detect-http-server-body.c
@@ -60,6 +60,7 @@
  #include "stream-tcp.h"
  
  static int DetectHttpServerBodySetup(DetectEngineCtx *, Signature *, const char *);
+static int DetectHttpServerBodySetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str);
  #ifdef UNITTESTS
  static void DetectHttpServerBodyRegisterTests(void);
  #endif
@@ -70,14 +71,25 @@ static int g_file_data_buffer_id = 0;
   */
  void DetectHttpServerBodyRegister(void)
  {
+    /* http_server_body content modifier */
      sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].name = "http_server_body";
-    sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].desc = "content modifier to match only on the HTTP response-body";
+    sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].desc = "content modifier to match on the HTTP response-body";
      sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-server-body";
      sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].Setup = DetectHttpServerBodySetup;
  #ifdef UNITTESTS
      sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].RegisterTests = DetectHttpServerBodyRegisterTests;
  #endif
      sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].flags |= SIGMATCH_NOOPT;
+    sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].flags |= SIGMATCH_INFO_CONTENT_MODIFIER;
+    sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].alternative = DETECT_HTTP_RESPONSE_BODY;
+
+    /* http.request_body sticky buffer */
+    sigmatch_table[DETECT_HTTP_RESPONSE_BODY].name = "http.response_body";
+    sigmatch_table[DETECT_HTTP_RESPONSE_BODY].desc = "sticky buffer to match the HTTP response body buffer";
+    sigmatch_table[DETECT_HTTP_RESPONSE_BODY].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-server-body";
+    sigmatch_table[DETECT_HTTP_RESPONSE_BODY].Setup = DetectHttpServerBodySetupSticky;
+    sigmatch_table[DETECT_HTTP_RESPONSE_BODY].flags |= SIGMATCH_NOOPT;
+    sigmatch_table[DETECT_HTTP_RESPONSE_BODY].flags |= SIGMATCH_INFO_STICKY_BUFFER;
  
      g_file_data_buffer_id = DetectBufferTypeRegister("file_data");
  }
@@ -103,6 +115,24 @@ int DetectHttpServerBodySetup(DetectEngineCtx *de_ctx, Signature *s, const char
                                                    ALPROTO_HTTP);
  }
  
+/**
+ * \brief this function setup the http.response_body keyword used in the rule
+ *
+ * \param de_ctx   Pointer to the Detection Engine Context
+ * \param s        Pointer to the Signature to which the current keyword belongs
+ * \param str      Should hold an empty string always
+ *
+ * \retval 0       On success
+ */
+static int DetectHttpServerBodySetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
+{
+    if (DetectBufferSetActiveList(s, g_file_data_buffer_id) < 0)
+        return -1;
+    if (DetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)
+        return -1;
+    return 0;
+}
+
  /************************************Unittests*********************************/
  
  #ifdef UNITTESTS
diff --git a/src/tests/detect-http-server-body.c b/src/tests/detect-http-server-body.c

index ae842edf0e0007ecfe93059ecbfaf66fb21bf58d..7ea6d018c2569442ca048b1fce638c52b26f4688 100644 (file)
--- a/src/tests/detect-http-server-body.c
+++ b/src/tests/detect-http-server-body.c
@@ -29,6 +29,40 @@
  #include "../flow.h"
  #include "../detect.h"
  
+/**
+ * \test Test parser accepting valid rules and rejecting invalid rules
+ */
+static int DetectHttpServerBodyParserTest01(void)
+{
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; http_server_body; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; nocase; http_server_body; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; endswith; http_server_body; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; startswith; http_server_body; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; startswith; endswith; http_server_body; sid:1;)", true));
+
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; rawbytes; http_server_body; sid:1;)", false));
+    FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_client; http_server_body; sid:1;)", false));
+    FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_client; content:\"abc\"; http_server_body; sid:1;)", false));
+    PASS;
+}
+
+/**
+ * \test Test parser accepting valid rules and rejecting invalid rules
+ */
+static int DetectHttpServerBodyParserTest02(void)
+{
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; nocase; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; endswith; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; startswith; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; startswith; endswith; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; bsize:10; sid:1;)", true));
+
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; rawbytes; sid:1;)", false));
+    FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_client; http.response_body; sid:1;)", false));
+    FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_client; http.response_body; content:\"abc\"; sid:1;)", false));
+    PASS;
+}
  struct TestSteps {
      const uint8_t *input;
      size_t input_size;      /**< if 0 strlen will be used */
@@ -9059,6 +9093,9 @@ end:
  
  void DetectHttpServerBodyRegisterTests(void)
  {
+    UtRegisterTest("DetectHttpServerBodyParserTest01", DetectHttpServerBodyParserTest01);
+    UtRegisterTest("DetectHttpServerBodyParserTest02", DetectHttpServerBodyParserTest02);
+
      UtRegisterTest("DetectHttpServerBodyTest01", DetectHttpServerBodyTest01);
      UtRegisterTest("DetectHttpServerBodyTest02", DetectHttpServerBodyTest02);
      UtRegisterTest("DetectHttpServerBodyTest03", DetectHttpServerBodyTest03);
author	Victor Julien <victor@inliniac.net>
	Sat, 15 Dec 2018 09:13:17 +0000 (10:13 +0100)
committer	Victor Julien <victor@inliniac.net>
	Tue, 29 Jan 2019 12:27:57 +0000 (13:27 +0100)
src/detect-engine-register.h		patch \| blob \| blame \| history
src/detect-http-server-body.c		patch \| blob \| blame \| history
src/tests/detect-http-server-body.c		patch \| blob \| blame \| history