detect: add http.cookie sticky buffer keyword

diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h
index e0a5d9d394467dd808bb42b107ab0a152a4c0a25..763e0c4bebf1912a3717af8ab3bbebcf0ca0eaad 100644 (file)
--- a/src/detect-engine-register.h
+++ b/src/detect-engine-register.h
@@ -112,6 +112,7 @@ enum {
     DETECT_AL_TLS_STORE,
 
     DETECT_AL_HTTP_COOKIE,
+    DETECT_HTTP_COOKIE,
     DETECT_AL_HTTP_METHOD,
     DETECT_HTTP_METHOD,
     DETECT_AL_HTTP_PROTOCOL,

diff --git a/src/detect-http-cookie.c b/src/detect-http-cookie.c
index f85609aae41fc50df6161c8a99063f80801b4d38..84030b0ddbb8dd79d30ca8a4d1f5a7690894b925 100644 (file)
--- a/src/detect-http-cookie.c
+++ b/src/detect-http-cookie.c
@@ -62,6 +62,7 @@
 #include "stream-tcp.h"
 
 static int DetectHttpCookieSetup (DetectEngineCtx *, Signature *, const char *);
+static int DetectHttpCookieSetupSticky (DetectEngineCtx *, Signature *, const char *);
 #ifdef UNITTESTS
 static void DetectHttpCookieRegisterTests(void);
 #endif
@@ -81,6 +82,7 @@ static InspectionBuffer *GetResponseData(DetectEngineThreadCtx *det_ctx,
  */
 void DetectHttpCookieRegister(void)
 {
+    /* http_cookie content modifier */
     sigmatch_table[DETECT_AL_HTTP_COOKIE].name = "http_cookie";
     sigmatch_table[DETECT_AL_HTTP_COOKIE].desc = "content modifier to match only on the HTTP cookie-buffer";
     sigmatch_table[DETECT_AL_HTTP_COOKIE].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-cookie";
@@ -89,6 +91,16 @@ void DetectHttpCookieRegister(void)
     sigmatch_table[DETECT_AL_HTTP_COOKIE].RegisterTests = DetectHttpCookieRegisterTests;
 #endif
     sigmatch_table[DETECT_AL_HTTP_COOKIE].flags |= SIGMATCH_NOOPT;
+    sigmatch_table[DETECT_AL_HTTP_COOKIE].flags |= SIGMATCH_INFO_CONTENT_MODIFIER;
+    sigmatch_table[DETECT_AL_HTTP_COOKIE].alternative = DETECT_HTTP_COOKIE;
+
+    /* http.cookie sticky buffer */
+    sigmatch_table[DETECT_HTTP_COOKIE].name = "http.cookie";
+    sigmatch_table[DETECT_HTTP_COOKIE].desc = "sticky buffer to match on the HTTP Cookie/Set-Cookie buffers";
+    sigmatch_table[DETECT_HTTP_COOKIE].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-cookie";
+    sigmatch_table[DETECT_HTTP_COOKIE].Setup = DetectHttpCookieSetupSticky;
+    sigmatch_table[DETECT_HTTP_COOKIE].flags |= SIGMATCH_NOOPT;
+    sigmatch_table[DETECT_HTTP_COOKIE].flags |= SIGMATCH_INFO_STICKY_BUFFER;
 
     DetectAppLayerInspectEngineRegister2("http_cookie", ALPROTO_HTTP,
             SIG_FLAG_TOSERVER, HTP_REQUEST_HEADERS,
@@ -129,6 +141,22 @@ static int DetectHttpCookieSetup(DetectEngineCtx *de_ctx, Signature *s, const ch
                                                   ALPROTO_HTTP);
 }
 
+/**
+ * \brief this function setup the http.user_agent keyword used in the rule
+ *
+ * \param de_ctx   Pointer to the Detection Engine Context
+ * \param s        Pointer to the Signature to which the current keyword belongs
+ * \param str      Should hold an empty string always
+ *
+ * \retval 0       On success
+ */
+static int DetectHttpCookieSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
+{
+    DetectBufferSetActiveList(s, g_http_cookie_buffer_id);
+    s->alproto = ALPROTO_HTTP;
+    return 0;
+}
+
 static InspectionBuffer *GetRequestData(DetectEngineThreadCtx *det_ctx,
         const DetectEngineTransforms *transforms, Flow *_f,
         const uint8_t _flow_flags, void *txv, const int list_id)