{
buffer_map[bufs[i]].push_back(svc);
if ( !strcmp(svc, "http") )
+ {
buffer_map[bufs[i]].push_back("http2");
+ buffer_map[bufs[i]].push_back("http3");
+ }
}
if ( !strcmp(svc, "http") )
{
buffer_map["file_data"].push_back("http");
buffer_map["file_data"].push_back("http2");
+ buffer_map["file_data"].push_back("http3");
}
}
flow_key.h
flow_stash.h
ha.h
+ session.h
stash_item.h
)
ha_module.cc
ha_module.h
prune_stats.h
- session.h
stash_item.h
)
#include "framework/data_bus.h"
#include "framework/decode_data.h"
#include "framework/inspector.h"
+#include "network_inspectors/appid/application_ids.h"
#include "protocols/layer.h"
#include "sfip/sf_ip.h"
#include "target_based/snort_protocols.h"
char ignore_direction;
};
+class SO_PUBLIC StreamFlowIntf
+{
+public:
+ virtual FlowData* get_stream_flow_data(const Flow* flow) = 0;
+ virtual void set_stream_flow_data(Flow* flow, FlowData* flow_data) = 0;
+ virtual void get_stream_id(const Flow* flow, int64_t& stream_id) = 0;
+ virtual AppId get_appid_from_stream(const Flow*) { return APP_ID_NONE; }
+};
+
// this struct is organized by member size for compactness
class SO_PUBLIC Flow
{
IpsContextChain context_chain;
FlowData* flow_data;
FlowStats flowstats;
+ StreamFlowIntf* stream_intf;
SfIp client_ip;
SfIp server_ip;
AppidChangeBits change_bits;
if ((asd->get_tp_appid_ctxt() or ThirdPartyAppIdContext::get_tp_reload_in_progress()) and
- !http_event->get_is_http2())
+ !http_event->get_is_httpx())
return;
if (appidDebug->is_enabled() and !is_debug_active)
appidDebug->activate(flow, asd, inspector.get_ctxt().config.log_all_sessions);
if (appidDebug->is_active())
- LogMessage("AppIdDbg %s Processing HTTP metadata from HTTP Inspector for stream %u\n",
- appidDebug->get_debug_session(), http_event->get_http2_stream_id());
+ LogMessage("AppIdDbg %s Processing HTTP metadata from HTTP Inspector for stream %" PRId64 "\n",
+ appidDebug->get_debug_session(), http_event->get_httpx_stream_id());
asd->set_session_flags(APPID_SESSION_HTTP_SESSION);
AppIdHttpSession* hsession;
- if (http_event->get_is_http2())
+ if (http_event->get_is_httpx())
{
if (direction == APP_ID_FROM_INITIATOR)
{
asd->delete_all_http_sessions();
asd->set_prev_http2_raw_packet(asd->session_packet_count);
}
- hsession = asd->create_http_session(http_event->get_http2_stream_id());
+ hsession = asd->create_http_session(http_event->get_httpx_stream_id());
}
else
{
- hsession = asd->get_matching_http_session(http_event->get_http2_stream_id());
+ hsession = asd->get_matching_http_session(http_event->get_httpx_stream_id());
if (!hsession)
- hsession = asd->create_http_session(http_event->get_http2_stream_id());
+ hsession = asd->create_http_session(http_event->get_httpx_stream_id());
}
}
else
if (header_length > 0)
hsession->set_field(MISC_VIA_FID, header_start, header_length, change_bits);
- if (http_event->get_is_http2())
+ if (http_event->get_is_httpx())
{
- asd->set_service_id(APP_ID_HTTP2, asd->get_odp_ctxt());
+ AppId http_app_id = flow->stream_intf->get_appid_from_stream(flow);
+ assert((http_app_id == APP_ID_HTTP2) || (http_app_id == APP_ID_HTTP3));
+ asd->set_service_id(http_app_id, asd->get_odp_ctxt());
}
hsession->process_http_packet(direction, change_bits,
else
asd->set_application_ids_service(APP_ID_HTTP2, change_bits);
- asd->publish_appid_event(change_bits, *p, http_event->get_is_http2(),
+ asd->publish_appid_event(change_bits, *p, http_event->get_is_httpx(),
asd->get_api().get_hsessions_size() - 1);
}
using namespace snort;
-AppIdHttpSession::AppIdHttpSession(AppIdSession& asd, uint32_t http2_stream_id)
- : asd(asd), http2_stream_id(http2_stream_id)
+AppIdHttpSession::AppIdHttpSession(AppIdSession& asd, int64_t stream_id)
+ : asd(asd), httpx_stream_id(stream_id)
{ }
AppIdHttpSession::~AppIdHttpSession()
return;
}
- if (http2_stream_id > 0)
- LogMessage("AppIdDbg %s stream %u: %s is %s\n", appidDebug->get_debug_session(),
- http2_stream_id, field_name.c_str(), field->c_str());
+ if (httpx_stream_id >= 0)
+ LogMessage("AppIdDbg %s stream %" PRId64 ": %s is %s\n", appidDebug->get_debug_session(),
+ httpx_stream_id, field_name.c_str(), field->c_str());
else
LogMessage("AppIdDbg %s %s is %s\n", appidDebug->get_debug_session(),
field_name.c_str(), field->c_str());
public:
typedef std::pair<uint16_t,uint16_t> pair_t;
- AppIdHttpSession(AppIdSession&, uint32_t);
+ AppIdHttpSession(AppIdSession&, int64_t);
virtual ~AppIdHttpSession();
ClientAppDescriptor client;
PayloadAppDescriptor payload;
const char* version = nullptr);
void set_referred_payload(AppId, AppidChangeBits&);
- uint32_t get_http2_stream_id() const
+ int64_t get_httpx_stream_id() const
{
- return http2_stream_id;
+ return httpx_stream_id;
}
void set_rcvd_full_req_body(bool req_full_body)
{
#if RESPONSE_CODE_PACKET_THRESHHOLD
unsigned response_code_packets = 0;
#endif
- uint32_t http2_stream_id = 0;
+ int64_t httpx_stream_id = -1;
bool is_payload_processed = false;
bool rcvd_full_req_body = false;
bool is_tunnel = false;
return nullptr;
}
-AppIdHttpSession* AppIdSession::create_http_session(uint32_t stream_id)
+AppIdHttpSession* AppIdSession::create_http_session(int64_t stream_id)
{
AppIdHttpSession* hsession = new AppIdHttpSession(*this, stream_id);
api.hsessions.push_back(hsession);
return hsession;
}
-AppIdHttpSession* AppIdSession::get_matching_http_session(uint32_t stream_id) const
+AppIdHttpSession* AppIdSession::get_matching_http_session(int64_t stream_id) const
{
for (uint32_t stream_index=0; stream_index < api.hsessions.size(); stream_index++)
{
- if(stream_id == api.hsessions[stream_index]->get_http2_stream_id())
+ if(stream_id == api.hsessions[stream_index]->get_httpx_stream_id())
return api.hsessions[stream_index];
}
return nullptr;
}
void AppIdSession::publish_appid_event(AppidChangeBits& change_bits, const Packet& p,
- bool is_http2, uint32_t http2_stream_index)
+ bool is_httpx, uint32_t httpx_stream_index)
{
if (!api.stored_in_stash)
{
if (change_bits.none())
return;
- AppidEvent app_event(change_bits, is_http2, http2_stream_index, api, p);
+ AppidEvent app_event(change_bits, is_httpx, httpx_stream_index, api, p);
DataBus::publish(APPID_EVENT_ANY_CHANGE, app_event, p.flow);
if (appidDebug->is_active())
{
std::string str;
change_bits_to_string(change_bits, str);
- if (is_http2)
- LogMessage("AppIdDbg %s Published event for changes: %s for HTTP2 stream index %u\n",
- appidDebug->get_debug_session(), str.c_str(), http2_stream_index);
+ if (is_httpx)
+ LogMessage("AppIdDbg %s Published event for changes: %s for HTTPX stream index %u\n",
+ appidDebug->get_debug_session(), str.c_str(), httpx_stream_index);
else
LogMessage("AppIdDbg %s Published event for changes: %s\n",
appidDebug->get_debug_session(), str.c_str());
void reset_session_data(AppidChangeBits& change_bits);
AppIdHttpSession* get_http_session(uint32_t stream_index = 0) const;
- AppIdHttpSession* create_http_session(uint32_t stream_id = 0);
- AppIdHttpSession* get_matching_http_session(uint32_t stream_id) const;
+ AppIdHttpSession* create_http_session(int64_t stream_id = -1);
+ AppIdHttpSession* get_matching_http_session(int64_t stream_id) const;
void delete_all_http_sessions();
AppIdDnsSession* create_dns_session();
AppidChangeBits& change_bits);
void set_tp_payload_app_id(const snort::Packet& p, AppidSessionDirection dir, AppId app_id,
AppidChangeBits& change_bits);
- void publish_appid_event(AppidChangeBits&, const snort::Packet&, bool is_http2 = false,
- uint32_t http2_stream_index = 0);
+ void publish_appid_event(AppidChangeBits&, const snort::Packet&, bool is_httpx = false,
+ uint32_t httpx_stream_index = 0);
bool need_to_delete_tp_conn(ThirdPartyAppIdContext*) const;
this->set_session_flags(APPID_SESSION_DISCOVER_APP);
}
AppIdSession::~AppIdSession() { delete &api; }
-AppIdHttpSession::AppIdHttpSession(AppIdSession& asd, uint32_t http2_stream_id)
- : asd(asd), http2_stream_id(http2_stream_id)
+AppIdHttpSession::AppIdHttpSession(AppIdSession& asd, int64_t http2_stream_id)
+ : asd(asd), httpx_stream_id(http2_stream_id)
{
for ( int i = 0; i < NUM_METADATA_FIELDS; i++)
meta_data[i] = nullptr;
return true;
}
-bool HttpEvent::get_is_http2() const
+bool HttpEvent::get_is_httpx() const
{
return false;
}
-uint32_t HttpEvent::get_http2_stream_id() const
+int64_t HttpEvent::get_httpx_stream_id() const
{
return 0;
}
typedef AppIdHttpSession::pair_t pair_t;
-AppIdHttpSession::AppIdHttpSession(AppIdSession& session, uint32_t http2_stream_id)
- : asd(session), http2_stream_id(http2_stream_id)
+AppIdHttpSession::AppIdHttpSession(AppIdSession& session, int64_t http2_stream_id)
+ : asd(session), httpx_stream_id(http2_stream_id)
{
for ( int i = 0; i < NUM_METADATA_FIELDS; i++)
meta_data[i] = nullptr;
return APPID_UT_ID;
}
-AppIdHttpSession* AppIdSession::create_http_session(uint32_t)
+AppIdHttpSession* AppIdSession::create_http_session(int64_t)
{
AppIdHttpSession* hsession = new MockAppIdHttpSession(*this);
AppidChangeBits change_bits;
return hsession;
}
-AppIdHttpSession* AppIdSession::get_matching_http_session(uint32_t stream_id) const
+AppIdHttpSession* AppIdSession::get_matching_http_session(int64_t stream_id) const
{
- for (uint32_t stream_index=0; stream_index < api.hsessions.size(); stream_index++)
+ for (uint64_t stream_index=0; stream_index < api.hsessions.size(); stream_index++)
{
- if (stream_id == api.hsessions[stream_index]->get_http2_stream_id())
+ if (stream_id == api.hsessions[stream_index]->get_httpx_stream_id())
return api.hsessions[stream_index];
}
return nullptr;
{
const AppIdHttpSession* hsession;
- if ( appid_event->get_is_http2() )
+ if ( appid_event->get_is_httpx() )
hsession = appid_session_api.get_http_session(
- appid_event->get_http2_stream_index());
+ appid_event->get_httpx_stream_index());
else
hsession = appid_session_api.get_http_session();
{
int ret;
IpsPolicy* p = get_ips_policy();
- DisallowCrossTableDuplicateVars(var, VAR_TYPE__IPVAR);
+ DisallowCrossTableDuplicateVars(var, VAR_TYPE__IPVAR);
// FIXIT-M: ip checked for duplicates twice: in the function above and in sfvt_add_str
if ((ret = sfvt_define(p->ip_vartable, var, value)) != SFIP_SUCCESS)
}
if ( !strcmp(svc_name, "http") )
+ {
add_service_to_otn(sc, otn, "http2");
+ add_service_to_otn(sc, otn, "http3");
+ }
SnortProtocolId svc_id = sc->proto_ref->add(svc_name);
{
const uint8_t* http_page = nullptr;
uint32_t http_page_len = 0;
- uint32_t stream_id = 0;
+ int64_t stream_id = 0;
};
class SO_PUBLIC PayloadInjector
class AppidEvent : public snort::DataEvent
{
public:
- AppidEvent(const AppidChangeBits& ac, bool is_http2, uint32_t http2_stream_index,
+ AppidEvent(const AppidChangeBits& ac, bool is_httpx, uint32_t httpx_stream_index,
const snort::AppIdSessionApi& api, const snort::Packet& p) :
- ac_bits(ac), is_http2(is_http2), http2_stream_index(http2_stream_index), api(api), p(p) {}
+ ac_bits(ac), is_httpx(is_httpx), httpx_stream_index(httpx_stream_index), api(api), p(p) {}
const AppidChangeBits& get_change_bitset() const
{ return ac_bits; }
- bool get_is_http2() const
- { return is_http2; }
+ bool get_is_httpx() const
+ { return is_httpx; }
- uint32_t get_http2_stream_index() const
- { return http2_stream_index; }
+ uint32_t get_httpx_stream_index() const
+ { return httpx_stream_index; }
const snort::AppIdSessionApi& get_appid_session_api() const
{ return api; }
private:
const AppidChangeBits& ac_bits;
- bool is_http2;
- uint32_t http2_stream_index;
+ bool is_httpx;
+ uint32_t httpx_stream_index;
const snort::AppIdSessionApi& api;
const snort::Packet& p;
};
return HttpMsgRequest::is_webdav(method);
}
-bool HttpEvent::get_is_http2() const
+bool HttpEvent::get_is_httpx() const
{
- return is_http2;
+ return is_httpx;
}
-uint32_t HttpEvent::get_http2_stream_id() const
+int64_t HttpEvent::get_httpx_stream_id() const
{
- return http2_stream_id;
+ return httpx_stream_id;
}
class SO_PUBLIC HttpEvent : public snort::DataEvent
{
public:
- HttpEvent(HttpMsgHeader* http_msg_header_, bool http2, uint32_t stream_id) :
- http_msg_header(http_msg_header_), is_http2(http2), http2_stream_id(stream_id) { }
+ HttpEvent(HttpMsgHeader* http_msg_header_, bool httpx, int64_t stream_id) :
+ http_msg_header(http_msg_header_), is_httpx(httpx), httpx_stream_id(stream_id) { }
const uint8_t* get_content_type(int32_t &length);
const uint8_t* get_x_working_with(int32_t &length);
int32_t get_response_code();
bool contains_webdav_method();
- bool get_is_http2() const;
- uint32_t get_http2_stream_id() const;
+ bool get_is_httpx() const;
+ int64_t get_httpx_stream_id() const;
private:
HttpMsgHeader* const http_msg_header;
- bool is_http2 = false;
- uint32_t http2_stream_id = 0;
+ bool is_httpx = false;
+ int64_t httpx_stream_id = -1;
const uint8_t* get_header(unsigned, uint64_t, int32_t&);
uint32_t HttpRequestBodyEvent::get_http2_stream_id() const
{
- return http_flow_data->get_h2_stream_id();
+ return http_flow_data->get_hx_stream_id();
}
TEST(pub_sub_http_event_test, http_traffic)
{
- uint32_t stream_id = 0;
+ int64_t stream_id = 0;
HttpEvent event(nullptr, false, stream_id);
- CHECK_FALSE(event.get_is_http2());
- CHECK(event.get_http2_stream_id() == stream_id);
+ CHECK_FALSE(event.get_is_httpx());
+ CHECK(event.get_httpx_stream_id() == stream_id);
}
-TEST(pub_sub_http_event_test, http2_traffic)
+TEST(pub_sub_http_event_test, httpx_traffic)
{
- uint32_t stream_id = 3;
+ int64_t stream_id = 3;
HttpEvent event(nullptr, true, stream_id);
- CHECK(event.get_is_http2());
- CHECK(event.get_http2_stream_id() == stream_id);
+ CHECK(event.get_is_httpx());
+ CHECK(event.get_httpx_stream_id() == stream_id);
}
TEST(pub_sub_http_event_test, no_true_ip_addr)
return mock().getData("pub_length").getIntValue();
}
-uint32_t HttpFlowData::get_h2_stream_id() const
+int64_t HttpFlowData::get_hx_stream_id() const
{
- return mock().getData("stream_id").getUnsignedIntValue();
+ return mock().getData("stream_id").getLongLongIntValue();
}
+set(HTTP2_INCLUDES
+ http2_huffman_state_machine.h
+ http2_varlen_int_decode.h
+ http2_varlen_int_decode_impl.h
+ http2_varlen_string_decode.h
+ http2_varlen_string_decode_impl.h
+)
set (FILE_LIST
+ ${HTTP2_INCLUDES}
http2_api.cc
http2_api.h
http2_data_frame.cc
http2_hpack.h
http2_hpack_dynamic_table.cc
http2_hpack_dynamic_table.h
- http2_varlen_int_decode.h
- http2_varlen_int_decode_impl.h
- http2_varlen_string_decode.h
- http2_varlen_string_decode_impl.h
http2_hpack_int_decode.h
http2_hpack_string_decode.h
http2_hpack_table.cc
http2_hpack_table.h
http2_huffman_state_machine.cc
- http2_huffman_state_machine.h
http2_inspect.cc
http2_inspect.h
http2_module.cc
#add_dynamic_module(http2_inspect inspectors ${FILE_LIST})
#endif(STATIC_INSPECTORS)
-
+install(FILES ${HTTP2_INCLUDES}
+ DESTINATION "${INCLUDE_INSTALL_PATH}/service_inspectors/http2_inspect"
+)
add_subdirectory ( test )
bool Http2DataCutter::check_http_state(Http2Stream* const stream)
{
HttpFlowData* const http_flow = stream->get_hi_flow_data();
- if ((http_flow->get_type_expected(source_id) != SEC_BODY_H2))
+ if ((http_flow->get_type_expected(source_id) != SEC_BODY_HX))
{
stream->set_state(source_id, STREAM_ERROR);
if (data_len > 0)
if ((data_bytes_read == data_len) && (frame_flags & FLAG_END_STREAM))
{
HttpFlowData* const hi_flow = stream->get_hi_flow_data();
- hi_flow->set_h2_body_state(source_id, H2_BODY_LAST_SEG);
+ hi_flow->set_hx_body_state(source_id, HX_BODY_LAST_SEG);
}
scan_result = session_data->hi_ss[source_id]->scan(session_data->flow, data + cur_data_offset, cur_data,
&http_flush_offset);
infractions[SRC_SERVER]) },
data_cutter { Http2DataCutter(this, SRC_CLIENT), Http2DataCutter(this, SRC_SERVER) }
{
+ static Http2FlowStreamIntf h2_stream;
if (hi != nullptr)
{
hi_ss[SRC_CLIENT] = hi->get_splitter(true);
if (Http2Module::get_peg_counts(PEG_MAX_CONCURRENT_SESSIONS) <
Http2Module::get_peg_counts(PEG_CONCURRENT_SESSIONS))
Http2Module::increment_peg_counts(PEG_MAX_CONCURRENT_SESSIONS);
+
+ flow->stream_intf = &h2_stream;
}
Http2FlowData::~Http2FlowData()
continuation_expected[SRC_SERVER];
}
+FlowData* Http2FlowStreamIntf::get_stream_flow_data(const Flow* flow)
+{
+ Http2FlowData* h2i_flow_data = nullptr;
+
+ h2i_flow_data = (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id);
+ assert(h2i_flow_data);
+
+ return h2i_flow_data->get_hi_flow_data();
+}
+
+void Http2FlowStreamIntf::set_stream_flow_data(Flow* flow, FlowData* flow_data)
+{
+ Http2FlowData* h2i_flow_data =
+ (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id);
+ assert(h2i_flow_data);
+ h2i_flow_data->set_hi_flow_data((HttpFlowData*)flow_data);
+}
+
+void Http2FlowStreamIntf::get_stream_id(const Flow* flow, int64_t& stream_id)
+{
+ Http2FlowData* h2i_flow_data = nullptr;
+
+ h2i_flow_data = (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id);
+ assert(h2i_flow_data);
+ stream_id = h2i_flow_data->get_processing_stream_id();
+}
+
+AppId Http2FlowStreamIntf::get_appid_from_stream(const Flow* flow)
+{
+ Http2FlowData* h2i_flow_data = nullptr;
+
+ h2i_flow_data = (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id);
+ assert(h2i_flow_data);
+
+ return APP_ID_HTTP2;
+}
// frame into the S2C direction of an HTTP/2 flow.
bool is_mid_frame() const;
- // Used by payload injection to determine whether we should inject S2C settings frame
+ // Used by payload injection to determine whether we should inject S2C settings frame
// before injecting payload
bool was_server_settings_received() const
{ return server_settings_frame_received; }
void delete_processing_stream();
};
+class Http2FlowStreamIntf : public snort::StreamFlowIntf
+{
+public:
+ snort::FlowData* get_stream_flow_data(const snort::Flow* flow) override;
+ void set_stream_flow_data(snort::Flow* flow, snort::FlowData* flow_data) override;
+ void get_stream_id(const snort::Flow* flow, int64_t& stream_id) override;
+ AppId get_appid_from_stream(const snort::Flow* flow) override;
+};
+
#endif
// if END_STREAM flag set on headers, tell http_inspect not to expect a message body
if (get_flags() & FLAG_END_STREAM)
- stream->get_hi_flow_data()->finish_h2_body(source_id, H2_BODY_NO_BODY, false);
+ stream->get_hi_flow_data()->finish_hx_body(source_id, HX_BODY_NO_BODY, false);
process_decoded_headers(http_flow, source_id, p);
}
{
// http_inspect is not yet expecting trailers. Flush empty buffer through scan, reassemble,
// and eval to prepare http_inspect for trailers.
- assert(http_flow->get_type_expected(source_id) == SEC_BODY_H2);
+ assert(http_flow->get_type_expected(source_id) == SEC_BODY_HX);
stream->finish_msg_body(source_id, valid_headers, true); // calls http_inspect scan()
unsigned copied;
HpackDynamicTable& get_dynamic_table() { return dynamic_table; }
const static uint8_t STATIC_MAX_INDEX = 61;
- const static uint8_t PSEUDO_HEADER_MAX_STATIC_INDEX = 14;
private:
const static HpackTableEntry static_table[STATIC_MAX_INDEX + 1];
HuffmanState state;
};
-extern const HuffmanEntry huffman_decode[][UINT8_MAX+1];
+SO_PUBLIC extern const HuffmanEntry huffman_decode[][UINT8_MAX+1];
#endif
// Push promise cannot have a message body
// FIXIT-E handle bad request lines and cases where a message body is implied
- stream->get_hi_flow_data()->finish_h2_body(SRC_CLIENT, H2_BODY_NO_BODY, false);
+ stream->get_hi_flow_data()->finish_hx_body(SRC_CLIENT, HX_BODY_NO_BODY, false);
process_decoded_headers(http_flow, SRC_CLIENT, p);
}
bool clear_partial_buffer)
{
uint32_t http_flush_offset = 0;
- const H2BodyState body_state = expect_trailers ?
- H2_BODY_COMPLETE_EXPECT_TRAILERS : H2_BODY_COMPLETE;
- get_hi_flow_data()->finish_h2_body(source_id, body_state, clear_partial_buffer);
+ const HXBodyState body_state = expect_trailers ?
+ HX_BODY_COMPLETE_EXPECT_TRAILERS : HX_BODY_COMPLETE;
+ get_hi_flow_data()->finish_hx_body(source_id, body_state, clear_partial_buffer);
if (clear_partial_buffer)
{
const StreamSplitter::Status scan_result = session_data->hi_ss[source_id]->scan(
(stream->get_state(source_id) >= STREAM_COMPLETE) ||
(stream->get_hi_flow_data() == nullptr) ||
(stream->get_hi_flow_data()->get_type_expected(source_id)
- != SEC_BODY_H2) ||
+ != SEC_BODY_HX) ||
(session_data->processing_partial_header &&
(stream->get_stream_id() == session_data->current_stream[source_id])))
{
#ifndef HTTP2_VARLEN_STRING_DECODE_IMPL_H
#define HTTP2_VARLEN_STRING_DECODE_IMPL_H
-
-#include "http2_enum.h"
#include "http2_huffman_state_machine.h"
#include "http2_varlen_string_decode.h"
http_common.h
http_inspect_base.h
http_stream_splitter_base.h
+ http_test_manager.h
)
set (FILE_LIST
${HTTP_INCLUDES}
http_msg_body_chunk.h
http_msg_body_cl.cc
http_msg_body_cl.h
- http_msg_body_h2.cc
- http_msg_body_h2.h
+ http_msg_body_hx.cc
+ http_msg_body_hx.h
http_msg_body_old.cc
http_msg_body_old.h
http_msg_trailer.cc
http_transaction.h
http_test_manager.cc
http_test_manager.h
+ http_enum.h
http_field.cc
http_stream_splitter_finish.cc
http_stream_splitter_reassemble.cc
5. Chunked message body (same but from a chunked body)
6. Old message body (same but from a body with no Content-Length header that runs to connection
close)
-7. HTTP/2 message body (same but content taken from an HTTP/2 Data frame)
+7. HTTP/X message body (same but content taken from an HTTP/2 or HTTP/3 Data frame)
8. Trailers (all header lines following a chunked body as a group)
Message sections are represented by message section objects that contain and process them. There
9. HttpMsgBodyCl : HttpMsgBody
10. HttpMsgBodyChunk : HttpMsgBody
11. HttpMsgBodyOld : HttpMsgBody
-12. HttpMsgBodyH2 : HttpMsgBody
+12. HttpMsgBodyHX : HttpMsgBody
An HttpTransaction is a container that keeps all the sections of a message together and associates
the request message with the response message. Transactions may be organized into pipelines when an
// Type of message section
enum SectionType { SEC_DISCARD = -19, SEC_ABORT = -18, SEC__NOT_COMPUTE=-14, SEC__NOT_PRESENT=-11,
SEC_REQUEST = 2, SEC_STATUS, SEC_HEADER, SEC_BODY_CL, SEC_BODY_CHUNK, SEC_TRAILER,
- SEC_BODY_OLD, SEC_BODY_H2 };
+ SEC_BODY_OLD, SEC_BODY_HX };
-enum H2BodyState { H2_BODY_NOT_COMPLETE, H2_BODY_LAST_SEG, H2_BODY_COMPLETE,
- H2_BODY_COMPLETE_EXPECT_TRAILERS, H2_BODY_NO_BODY };
+// Caters to all extended versions of HTTP, i.e. HTTP/2, HTTP/3
+enum HXBodyState { HX_BODY_NOT_COMPLETE, HX_BODY_LAST_SEG, HX_BODY_COMPLETE,
+ HX_BODY_COMPLETE_EXPECT_TRAILERS, HX_BODY_NO_BODY };
} // end namespace HttpCommon
using namespace HttpCommon;
ScanResult HttpStartCutter::cut(const uint8_t* buffer, uint32_t length,
- HttpInfractions* infractions, HttpEventGen* events, uint32_t, bool, H2BodyState)
+ HttpInfractions* infractions, HttpEventGen* events, uint32_t, bool, HXBodyState)
{
for (uint32_t k = 0; k < length; k++)
{
}
ScanResult HttpHeaderCutter::cut(const uint8_t* buffer, uint32_t length,
- HttpInfractions* infractions, HttpEventGen* events, uint32_t, bool, H2BodyState)
+ HttpInfractions* infractions, HttpEventGen* events, uint32_t, bool, HXBodyState)
{
// Header separators: leading \r\n, leading \n, leading \r\r\n, nonleading \r\n\r\n, nonleading
// \n\r\n, nonleading \r\r\n, nonleading \r\n\n, and nonleading \n\n. The separator itself
}
ScanResult HttpBodyClCutter::cut(const uint8_t* buffer, uint32_t length, HttpInfractions*,
- HttpEventGen*, uint32_t flow_target, bool stretch, H2BodyState)
+ HttpEventGen*, uint32_t flow_target, bool stretch, HXBodyState)
{
assert(remaining > octets_seen);
}
ScanResult HttpBodyOldCutter::cut(const uint8_t* buffer, uint32_t length, HttpInfractions*,
- HttpEventGen*, uint32_t flow_target, bool stretch, H2BodyState)
+ HttpEventGen*, uint32_t flow_target, bool stretch, HXBodyState)
{
if (flow_target == 0)
{
ScanResult HttpBodyChunkCutter::cut(const uint8_t* buffer, uint32_t length,
HttpInfractions* infractions, HttpEventGen* events, uint32_t flow_target, bool stretch,
- H2BodyState)
+ HXBodyState)
{
// Are we skipping through the rest of this chunked body to the trailers and the next message?
const bool discard_mode = (flow_target == 0);
return SCAN_NOT_FOUND;
}
-ScanResult HttpBodyH2Cutter::cut(const uint8_t* buffer, uint32_t length,
+ScanResult HttpBodyHXCutter::cut(const uint8_t* buffer, uint32_t length,
HttpInfractions* infractions, HttpEventGen* events, uint32_t flow_target, bool stretch,
- H2BodyState state)
+ HXBodyState state)
{
// If the headers included a content length header (expected length >= 0), check it against the
// actual message body length. Alert if it does not match at the end of the message body or if
events->create_event(EVENT_H2_DATA_OVERRUNS_CL);
expected_body_length = STAT_NOT_COMPUTE;
}
- else if (state != H2_BODY_NOT_COMPLETE and
+ else if (state != HX_BODY_NOT_COMPLETE and
((total_octets_scanned + length) < expected_body_length))
{
*infractions += INF_H2_DATA_UNDERRUNS_CL;
{
num_flush = length;
total_octets_scanned += length;
- if (state != H2_BODY_NOT_COMPLETE)
+ if (state != HX_BODY_NOT_COMPLETE)
return SCAN_DISCARD;
return SCAN_DISCARD_PIECE;
}
- if (state == H2_BODY_NOT_COMPLETE)
+ if (state == HX_BODY_NOT_COMPLETE)
{
if (octets_seen + length < flow_target)
{
return SCAN_FOUND_PIECE;
}
}
- else if (state == H2_BODY_LAST_SEG)
+ else if (state == HX_BODY_LAST_SEG)
{
const uint32_t adjusted_target = stretch ? MAX_SECTION_STRETCH + flow_target : flow_target;
if (octets_seen + length <= adjusted_target)
virtual ~HttpCutter() = default;
virtual HttpEnums::ScanResult cut(const uint8_t* buffer, uint32_t length,
HttpInfractions* infractions, HttpEventGen* events, uint32_t flow_target, bool stretch,
- HttpCommon::H2BodyState state) = 0;
+ HttpCommon::HXBodyState state) = 0;
uint32_t get_num_flush() const { return num_flush; }
uint32_t get_octets_seen() const { return octets_seen; }
uint32_t get_num_excess() const { return num_crlf; }
{
public:
HttpEnums::ScanResult cut(const uint8_t* buffer, uint32_t length,
- HttpInfractions* infractions, HttpEventGen* events, uint32_t, bool, HttpCommon::H2BodyState)
+ HttpInfractions* infractions, HttpEventGen* events, uint32_t, bool, HttpCommon::HXBodyState)
override;
protected:
{
public:
HttpEnums::ScanResult cut(const uint8_t* buffer, uint32_t length,
- HttpInfractions* infractions, HttpEventGen* events, uint32_t, bool, HttpCommon::H2BodyState)
+ HttpInfractions* infractions, HttpEventGen* events, uint32_t, bool, HttpCommon::HXBodyState)
override;
uint32_t get_num_head_lines() const override { return num_head_lines; }
remaining(expected_length)
{ assert(remaining > 0); }
HttpEnums::ScanResult cut(const uint8_t*, uint32_t length, HttpInfractions*, HttpEventGen*,
- uint32_t flow_target, bool stretch, HttpCommon::H2BodyState) override;
+ uint32_t flow_target, bool stretch, HttpCommon::HXBodyState) override;
private:
int64_t remaining;
HttpBodyCutter(accelerated_blocking, finder, compression)
{}
HttpEnums::ScanResult cut(const uint8_t*, uint32_t, HttpInfractions*, HttpEventGen*,
- uint32_t flow_target, bool stretch, HttpCommon::H2BodyState) override;
+ uint32_t flow_target, bool stretch, HttpCommon::HXBodyState) override;
};
class HttpBodyChunkCutter : public HttpBodyCutter
{}
HttpEnums::ScanResult cut(const uint8_t* buffer, uint32_t length,
HttpInfractions* infractions, HttpEventGen* events, uint32_t flow_target, bool stretch,
- HttpCommon::H2BodyState) override;
+ HttpCommon::HXBodyState) override;
bool get_is_broken_chunk() const override { return curr_state == HttpEnums::CHUNK_BAD; }
uint32_t get_num_good_chunks() const override { return num_good_chunks; }
void soft_reset() override { num_good_chunks = 0; HttpBodyCutter::soft_reset(); }
bool zero_chunk = true;
};
-class HttpBodyH2Cutter : public HttpBodyCutter
+class HttpBodyHXCutter : public HttpBodyCutter
{
public:
- HttpBodyH2Cutter(int64_t expected_length, bool accelerated_blocking, ScriptFinder* finder,
+ HttpBodyHXCutter(int64_t expected_length, bool accelerated_blocking, ScriptFinder* finder,
HttpEnums::CompressId compression) :
HttpBodyCutter(accelerated_blocking, finder, compression),
expected_body_length(expected_length)
{}
HttpEnums::ScanResult cut(const uint8_t* buffer, uint32_t length, HttpInfractions*,
- HttpEventGen*, uint32_t flow_target, bool stretch, HttpCommon::H2BodyState state) override;
+ HttpEventGen*, uint32_t flow_target, bool stretch, HttpCommon::HXBodyState state) override;
private:
int64_t expected_body_length;
uint32_t total_octets_scanned = 0;
// List of possible HTTP versions.
enum VersionId { VERS__PROBLEMATIC=-12, VERS__NOT_PRESENT=-11, VERS__OTHER=1,
- VERS_1_0, VERS_1_1, VERS_2_0, VERS_0_9, VERS__MIN = VERS__PROBLEMATIC,
+ VERS_1_0, VERS_1_1, VERS_2_0, VERS_3_0, VERS_0_9, VERS__MIN = VERS__PROBLEMATIC,
VERS__MAX = VERS_0_9};
// Every request method we have ever heard of
#include <cstdio>
#include <cassert>
+#include "main/snort_types.h"
+
#include "http_common.h"
-#include "http_enum.h"
// Individual pieces of the message found during parsing.
// Length values <= 0 are StatusCode values and imply that the start pointer is meaningless.
// Never use the start pointer without verifying that length > 0.
-class Field
+class SO_PUBLIC Field
{
public:
static const Field FIELD_NULL;
HttpFlowData::HttpFlowData(Flow* flow) : FlowData(inspector_id)
{
+ static HttpFlowStreamIntf h1_stream;
#ifdef REG_TEST
if (HttpTestManager::use_test_output(HttpTestManager::IN_HTTP))
{
HttpModule::get_peg_counts(PEG_CONCURRENT_SESSIONS))
HttpModule::increment_peg_counts(PEG_MAX_CONCURRENT_SESSIONS);
- Http2FlowData* h2i_flow_data = nullptr;
- if (Http2FlowData::inspector_id != 0)
- h2i_flow_data = (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id);
- if (h2i_flow_data != nullptr)
+ if (flow->stream_intf)
+ flow->stream_intf->get_stream_id(flow, hx_stream_id);
+
+ if (valid_hx_stream_id())
{
- for_http2 = true;
- h2_stream_id = h2i_flow_data->get_processing_stream_id();
+ for_httpx = true;
events[0]->suppress_event(HttpEnums::EVENT_LOSS_OF_SYNC);
events[1]->suppress_event(HttpEnums::EVENT_LOSS_OF_SYNC);
}
+ else
+ flow->stream_intf = &h1_stream;
}
HttpFlowData::~HttpFlowData()
if (!js_ident_ctx)
{
- js_ident_ctx = new JSIdentifierCtx(js_norm_param.js_identifier_depth,
+ js_ident_ctx = new JSIdentifierCtx(js_norm_param.js_identifier_depth,
js_norm_param.max_scope_depth, js_norm_param.ignored_ids, js_norm_param.ignored_props);
debug_logf(4, http_trace, TRACE_JS_PROC, nullptr,
return transaction[source_id]->get_infractions(source_id);
}
-void HttpFlowData::finish_h2_body(HttpCommon::SourceId source_id, HttpCommon::H2BodyState state,
+void HttpFlowData::finish_hx_body(HttpCommon::SourceId source_id, HttpCommon::HXBodyState state,
bool clear_partial_buffer)
{
- assert((h2_body_state[source_id] == H2_BODY_NOT_COMPLETE) ||
- (h2_body_state[source_id] == H2_BODY_LAST_SEG));
- h2_body_state[source_id] = state;
+ assert((hx_body_state[source_id] == HX_BODY_NOT_COMPLETE) ||
+ (hx_body_state[source_id] == HX_BODY_LAST_SEG));
+ hx_body_state[source_id] = state;
partial_flush[source_id] = false;
if (clear_partial_buffer)
{
}
}
-uint32_t HttpFlowData::get_h2_stream_id() const
+int64_t HttpFlowData::get_hx_stream_id() const
+{
+ return hx_stream_id;
+}
+
+bool HttpFlowData::valid_hx_stream_id() const
+{
+ return (hx_stream_id >= 0);
+}
+
+FlowData* HttpFlowStreamIntf::get_stream_flow_data(const Flow* flow)
{
- return h2_stream_id;
+ return (HttpFlowData*)flow->get_flow_data(HttpFlowData::inspector_id);
}
+void HttpFlowStreamIntf::set_stream_flow_data(Flow* flow, FlowData* flow_data)
+{
+ flow->set_flow_data(flow_data);
+}
+
+void HttpFlowStreamIntf::get_stream_id(const Flow*, int64_t& stream_id)
+{
+ // HTTP Flows by itself doesn't have any stream id, thus assigning -1 to
+ // indicate invalid value
+ stream_id = -1;
+}
+
+
#ifdef REG_TEST
void HttpFlowData::show(FILE* out_file) const
{
friend class HttpMsgBody;
friend class HttpMsgBodyChunk;
friend class HttpMsgBodyCl;
- friend class HttpMsgBodyH2;
+ friend class HttpMsgBodyHX;
friend class HttpMsgBodyOld;
friend class HttpQueryParser;
friend class HttpStreamSplitter;
HttpCommon::SectionType get_type_expected(HttpCommon::SourceId source_id) const
{ return type_expected[source_id]; }
- void finish_h2_body(HttpCommon::SourceId source_id, HttpCommon::H2BodyState state,
+ void finish_hx_body(HttpCommon::SourceId source_id, HttpCommon::HXBodyState state,
bool clear_partial_buffer);
- void set_h2_body_state(HttpCommon::SourceId source_id, HttpCommon::H2BodyState state)
- { h2_body_state[source_id] = state; }
+ void set_hx_body_state(HttpCommon::SourceId source_id, HttpCommon::HXBodyState state)
+ { hx_body_state[source_id] = state; }
- uint32_t get_h2_stream_id() const;
+ bool valid_hx_stream_id() const;
+ int64_t get_hx_stream_id() const;
+ bool is_for_httpx() const { return for_httpx; }
private:
// Convenience routines
bool cutover_on_clear = false;
bool ssl_search_abandoned = false;
- // *** HTTP/2 handling
- bool for_http2 = false;
- uint32_t h2_stream_id = 0;
- HttpCommon::H2BodyState h2_body_state[2] = { HttpCommon::H2_BODY_NOT_COMPLETE,
- HttpCommon::H2_BODY_NOT_COMPLETE };
+ // *** HTTP/X handling
+ bool for_httpx = false;
+ int64_t hx_stream_id = -1;
+ HttpCommon::HXBodyState hx_body_state[2] = { HttpCommon::HX_BODY_NOT_COMPLETE,
+ HttpCommon::HX_BODY_NOT_COMPLETE };
#ifdef REG_TEST
static uint64_t instance_count;
#endif
};
+class HttpFlowStreamIntf : public snort::StreamFlowIntf
+{
+public:
+ snort::FlowData* get_stream_flow_data(const snort::Flow* flow) override;
+ void set_stream_flow_data(snort::Flow* flow, snort::FlowData* flow_data) override;
+ void get_stream_id(const snort::Flow* flow, int64_t& stream_id) override;
+};
+
#endif
#include "http_msg_body.h"
#include "http_msg_body_chunk.h"
#include "http_msg_body_cl.h"
-#include "http_msg_body_h2.h"
+#include "http_msg_body_hx.h"
#include "http_msg_body_old.h"
#include "http_msg_header.h"
#include "http_msg_request.h"
return session_data->get_type_expected(source_id);
}
-void HttpInspect::finish_h2_body(snort::Flow* flow, HttpCommon::SourceId source_id, HttpCommon::H2BodyState state,
+void HttpInspect::finish_hx_body(snort::Flow* flow, HttpCommon::SourceId source_id, HttpCommon::HXBodyState state,
bool clear_partial_buffer) const
{
HttpFlowData* session_data = http_get_flow_data(flow);
- session_data->finish_h2_body(source_id, state, clear_partial_buffer);
+ session_data->finish_hx_body(source_id, state, clear_partial_buffer);
}
-void HttpInspect::set_h2_body_state(snort::Flow* flow, HttpCommon::SourceId source_id, HttpCommon::H2BodyState state) const
+void HttpInspect::set_hx_body_state(snort::Flow* flow, HttpCommon::SourceId source_id, HttpCommon::HXBodyState state) const
{
HttpFlowData* session_data = http_get_flow_data(flow);
- session_data->set_h2_body_state(source_id, state);
+ session_data->set_hx_body_state(source_id, state);
}
bool HttpInspect::get_fp_buf(InspectionBuffer::Type ibt, Packet* p, InspectionBuffer& b)
void HttpInspect::disable_detection(Packet* p)
{
HttpFlowData* session_data = http_get_flow_data(p->flow);
- if (!session_data->for_http2)
+ if (!session_data->for_httpx)
{
assert(p->context);
DetectionEngine::disable_all(p);
HttpFlowData* HttpInspect::http_get_flow_data(const Flow* flow)
{
- Http2FlowData* h2i_flow_data = nullptr;
- if (Http2FlowData::inspector_id != 0)
- h2i_flow_data = (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id);
- if (h2i_flow_data == nullptr)
- return (HttpFlowData*)flow->get_flow_data(HttpFlowData::inspector_id);
+ if (flow->stream_intf)
+ return (HttpFlowData*)flow->stream_intf->get_stream_flow_data(flow);
else
- return h2i_flow_data->get_hi_flow_data();
+ return nullptr;
}
void HttpInspect::http_set_flow_data(Flow* flow, HttpFlowData* flow_data)
{
- // for_http2 set in HttpFlowData constructor after checking for h2i_flow_data
- if (!flow_data->for_http2)
- flow->set_flow_data(flow_data);
- else
- {
- Http2FlowData* h2i_flow_data =
- (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id);
- assert(h2i_flow_data);
- h2i_flow_data->set_hi_flow_data(flow_data);
- }
+ flow->stream_intf->set_stream_flow_data(flow, flow_data);
}
void HttpInspect::eval(Packet* p)
return;
}
- if (!session_data->for_http2)
+ if (!session_data->for_httpx)
HttpModule::increment_peg_counts(PEG_TOTAL_BYTES, dsize);
session_data->octets_reassembled[source_id] = STAT_NOT_PRESENT;
process(data, dsize, p->flow, source_id, true, p);
// Detection was done in process()
- if (!session_data->for_http2)
+ if (!session_data->for_httpx)
disable_detection(p);
// If current transaction is complete then we are done with it. This is strictly a memory
current_section = new HttpMsgBodyChunk(
data, dsize, session_data, source_id, buf_owner, flow, params);
break;
- case SEC_BODY_H2:
- current_section = new HttpMsgBodyH2(
+ case SEC_BODY_HX:
+ current_section = new HttpMsgBodyHX(
data, dsize, session_data, source_id, buf_owner, flow, params);
break;
case SEC_TRAILER:
HttpEnums::VersionId http_get_version_id(snort::Packet* p,
const HttpBufferInfo& buffer_info) const;
HttpCommon::SectionType get_type_expected(snort::Flow* flow, HttpCommon::SourceId source_id) const override;
- void finish_h2_body(snort::Flow* flow, HttpCommon::SourceId source_id, HttpCommon::H2BodyState state,
+ void finish_hx_body(snort::Flow* flow, HttpCommon::SourceId source_id, HttpCommon::HXBodyState state,
bool clear_partial_buffer) const override;
- void set_h2_body_state(snort::Flow* flow, HttpCommon::SourceId source_id, HttpCommon::H2BodyState state) const override;
+ void set_hx_body_state(snort::Flow* flow, HttpCommon::SourceId source_id, HttpCommon::HXBodyState state) const override;
bool get_fp_buf(snort::InspectionBuffer::Type ibt, snort::Packet* p,
snort::InspectionBuffer& b) override;
bool configure(snort::SnortConfig*) override;
void show(const snort::SnortConfig*) const override;
void eval(snort::Packet* p) override;
- void eval(snort::Packet* p, HttpCommon::SourceId source_id, const uint8_t* data, uint16_t dsize);
+ void eval(snort::Packet* p, HttpCommon::SourceId source_id, const uint8_t* data, uint16_t dsize) override;
void clear(snort::Packet* p) override;
HttpStreamSplitter* get_splitter(bool is_client_to_server) override
{
public:
virtual ~HttpInspectBase() override = default;
-
+
virtual HttpCommon::SectionType get_type_expected(snort::Flow* flow, HttpCommon::SourceId source_id) const = 0;
- virtual void finish_h2_body(snort::Flow* flow, HttpCommon::SourceId source_id, HttpCommon::H2BodyState state,
+ virtual void finish_hx_body(snort::Flow* flow, HttpCommon::SourceId source_id, HttpCommon::HXBodyState state,
bool clear_partial_buffer) const = 0;
- virtual void set_h2_body_state(snort::Flow* flow, HttpCommon::SourceId source_id, HttpCommon::H2BodyState state) const = 0;
+ virtual void set_hx_body_state(snort::Flow* flow, HttpCommon::SourceId source_id, HttpCommon::HXBodyState state) const = 0;
+ virtual void eval(snort::Packet* p, HttpCommon::SourceId source_id, const uint8_t* data, uint16_t dsize) = 0;
+private:
+ using snort::Inspector::eval;
};
#endif
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// http_msg_body_h2.cc author Katura Harvey <katharve@cisco.com>
+// http_msg_body_hx.cc author Katura Harvey <katharve@cisco.com>
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
-#include "http_msg_body_h2.h"
+#include "http_msg_body_hx.h"
using namespace HttpCommon;
-void HttpMsgBodyH2::update_flow()
+void HttpMsgBodyHX::update_flow()
{
session_data->body_octets[source_id] = body_octets;
- if (session_data->h2_body_state[source_id] == H2_BODY_NOT_COMPLETE ||
- session_data->h2_body_state[source_id] == H2_BODY_LAST_SEG)
+ if (session_data->hx_body_state[source_id] == HX_BODY_NOT_COMPLETE ||
+ session_data->hx_body_state[source_id] == HX_BODY_LAST_SEG)
update_depth();
- else if (session_data->h2_body_state[source_id] == H2_BODY_COMPLETE_EXPECT_TRAILERS)
+ else if (session_data->hx_body_state[source_id] == HX_BODY_COMPLETE_EXPECT_TRAILERS)
session_data->trailer_prep(source_id);
}
#ifdef REG_TEST
-void HttpMsgBodyH2::print_section(FILE* output)
+void HttpMsgBodyHX::print_section(FILE* output)
{
print_body_section(output, "HTTP/2 body");
}
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// http_msg_body_h2.h author Katura Harvey <katharve@cisco.com>
+// http_msg_body_hx.h author Katura Harvey <katharve@cisco.com>
-#ifndef HTTP_MSG_BODY_H2_H
-#define HTTP_MSG_BODY_H2_H
+#ifndef HTTP_MSG_BODY_HX_H
+#define HTTP_MSG_BODY_HX_H
#include "http_common.h"
#include "http_msg_body.h"
//-------------------------------------------------------------------------
-// HttpMsgBodyH2 class
+// HttpMsgBodyHX class
//-------------------------------------------------------------------------
-class HttpMsgBodyH2 : public HttpMsgBody
+class HttpMsgBodyHX : public HttpMsgBody
{
public:
- HttpMsgBodyH2(const uint8_t* buffer, const uint16_t buf_size, HttpFlowData* session_data_,
+ HttpMsgBodyHX(const uint8_t* buffer, const uint16_t buf_size, HttpFlowData* session_data_,
HttpCommon::SourceId source_id_, bool buf_owner, snort::Flow* flow_,
const HttpParaList* params_)
: HttpMsgBody(buffer, buf_size, session_data_, source_id_, buf_owner, flow_, params_) {}
void HttpMsgHeader::publish()
{
- const uint32_t stream_id = session_data->get_h2_stream_id();
+ const int64_t stream_id = session_data->get_hx_stream_id();
- HttpEvent http_header_event(this, session_data->for_http2, stream_id);
+ HttpEvent http_header_event(this, session_data->for_httpx, stream_id);
const char* key = (source_id == SRC_CLIENT) ?
HTTP_REQUEST_HEADER_EVENT_KEY : HTTP_RESPONSE_HEADER_EVENT_KEY;
void HttpMsgHeader::gen_events()
{
if ((get_header_count(HEAD_CONTENT_LENGTH) > 0) &&
- (get_header_count(HEAD_TRANSFER_ENCODING) > 0) && !session_data->for_http2)
+ (get_header_count(HEAD_TRANSFER_ENCODING) > 0) && !session_data->for_httpx)
{
add_infraction(INF_BOTH_CL_AND_TE);
create_event(EVENT_BOTH_CL_AND_TE);
{
const int32_t upgrade = get_code_from_token_list(up_header.start(), up_header.length(),
consumed, upgrade_list);
- if ((upgrade == UP_H2C) || (upgrade == UP_H2) || (upgrade == UP_HTTP20))
+ if ((upgrade == UP_H2C) || (upgrade == UP_H2) || (upgrade == UP_HTTP20)) //FIXIT-E: Handle upgrade for h3
{
add_infraction(INF_UPGRADE_HEADER_HTTP2);
if (source_id == SRC_CLIENT)
}
if ((source_id == SRC_SERVER) && request && (request->get_method_id() == METH_CONNECT) &&
- !session_data->for_http2)
+ !session_data->for_httpx)
{
// Successful CONNECT responses (2XX) switch to tunneled traffic immediately following the
// header. Transfer-Encoding and Content-Length headers are not allowed in successful
const Field& te_header = get_header_value_norm(HEAD_TRANSFER_ENCODING);
- if (session_data->for_http2)
+ if (session_data->for_httpx)
{
// The only transfer-encoding header we should see for HTTP/2 traffic is "identity"
if (te_header.length() > 0)
create_event(EVENT_BAD_CONTENT_LENGTH);
}
}
- if (session_data->h2_body_state[source_id] == H2_BODY_NO_BODY)
+ if (session_data->hx_body_state[source_id] == HX_BODY_NO_BODY)
session_data->half_reset(source_id);
else
{
- session_data->type_expected[source_id] = SEC_BODY_H2;
+ session_data->type_expected[source_id] = SEC_BODY_HX;
prepare_body();
}
return;
// body
session_data->detect_depth_remaining[source_id] = INT64_MAX;
}
- if ((source_id == SRC_CLIENT) and params->publish_request_body and session_data->for_http2)
+ if ((source_id == SRC_CLIENT) and params->publish_request_body and session_data->for_httpx)
{
session_data->publish_octets[source_id] = 0;
session_data->publish_depth_remaining[source_id] = REQUEST_PUBLISH_DEPTH;
HttpModule::increment_peg_counts(PEG_REQUEST_BODY);
// Message bodies for CONNECT requests have no defined semantics
- if ((method_id == METH_CONNECT) && !session_data->for_http2)
+ if ((method_id == METH_CONNECT) && !session_data->for_httpx)
{
add_infraction(INF_CONNECT_REQUEST_BODY);
create_event(EVENT_CONNECT_REQUEST_BODY);
if (boundary_present(content_type))
{
// Generate the unique file id for multi file processing
- set_multi_file_processing_id(get_transaction_id(), session_data->get_h2_stream_id());
+ set_multi_file_processing_id(get_transaction_id(), session_data->get_hx_stream_id());
Packet* p = DetectionEngine::get_current_packet();
const Field& uri = request->get_uri_norm_classic();
}
// Generate the unique file id for multi file processing
- set_multi_file_processing_id(get_transaction_id(), session_data->get_h2_stream_id());
+ set_multi_file_processing_id(get_transaction_id(), session_data->get_hx_stream_id());
session_data->file_depth_remaining[source_id] = max_file_depth;
FileFlows* file_flows = FileFlows::get_file_flows(flow);
#include "http_msg_start.h"
+#include "service_inspectors/http2_inspect/http2_flow_data.h"
+
#include "http_enum.h"
using namespace HttpEnums;
}
else if ((version.start()[5] == '1') && (version.start()[7] == '1'))
{
- if (session_data->for_http2)
- version_id = VERS_2_0;
+ if (session_data->for_httpx)
+ {
+ const Http2FlowData* const h2i_flow_data =
+ (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id);
+
+ version_id = (h2i_flow_data) ? VERS_2_0 : VERS_3_0;
+ }
else
version_id = VERS_1_1;
}
source_id(is_client_to_server ? HttpCommon::SRC_CLIENT : HttpCommon::SRC_SERVER) {}
Status scan(snort::Packet* pkt, const uint8_t* data, uint32_t length, uint32_t not_used,
uint32_t* flush_offset) override;
- Status scan(snort::Flow* flow, const uint8_t* data, uint32_t length, uint32_t* flush_offset);
+ Status scan(snort::Flow* flow, const uint8_t* data, uint32_t length, uint32_t* flush_offset) override;
const snort::StreamBuffer reassemble(snort::Flow* flow, unsigned total, unsigned, const
uint8_t* data, unsigned len, uint32_t flags, unsigned& copied) override;
bool finish(snort::Flow* flow) override;
virtual ~HttpStreamSplitterBase() override = default;
virtual void prep_partial_flush(snort::Flow* flow, uint32_t num_flush) = 0;
-
+
+ virtual Status scan(snort::Flow* flow, const uint8_t* data, uint32_t length, uint32_t* flush_offset) = 0;
protected:
HttpStreamSplitterBase(bool c2s) : StreamSplitter(c2s) { }
+private:
+ using snort::StreamSplitter::scan;
};
#endif
(magic_length - header_bytes_processed) : length;
if (memcmp(data, gzip_magic + header_bytes_processed, magic_cmp_len))
- session_data->gzip_state[source_id] = GZIP_MAGIC_BAD;
+ session_data->gzip_state[source_id] = GZIP_MAGIC_BAD;
else if (header_bytes_processed + length >= magic_length)
session_data->gzip_state[source_id] = GZIP_MAGIC_GOOD;
header_bytes_processed += magic_cmp_len;
}
bool HttpStreamSplitter::gzip_header_check_done(HttpFlowData* session_data) const
-{
+{
return session_data->gzip_state[source_id] == HttpEnums::GZIP_MAGIC_BAD or
session_data->gzip_state[source_id] == HttpEnums::GZIP_FLAGS_PROCESSED;
}
if ((session_data->section_offset[source_id] == 0) &&
(session_data->octets_expected[source_id] != partial_raw_bytes + total))
{
- assert(!session_data->for_http2);
+ assert(!session_data->for_httpx);
assert(total == 0); // FIXIT-L this special exception for total of zero is needed for now
session_data->type_expected[source_id] = SEC_ABORT;
return { nullptr, 0 };
session_data->half_reset(source_id);
}
else if (session_data->type_expected[source_id] == SEC_BODY_CHUNK ||
- (session_data->type_expected[source_id] == SEC_BODY_H2 &&
- session_data->h2_body_state[source_id] == H2_BODY_COMPLETE_EXPECT_TRAILERS))
+ (session_data->type_expected[source_id] == SEC_BODY_HX &&
+ session_data->hx_body_state[source_id] == HX_BODY_COMPLETE_EXPECT_TRAILERS))
{
session_data->trailer_prep(source_id);
}
(session_data->section_type[source_id] == SEC_BODY_CHUNK) ||
(session_data->section_type[source_id] == SEC_BODY_CL) ||
(session_data->section_type[source_id] == SEC_BODY_OLD) ||
- (session_data->section_type[source_id] == SEC_BODY_H2);
+ (session_data->section_type[source_id] == SEC_BODY_HX);
uint8_t*& buffer = session_data->section_buffer[source_id];
if (buffer == nullptr)
session_data->accelerated_blocking[source_id],
my_inspector->script_finder,
session_data->compression[source_id]);
- case SEC_BODY_H2:
- return (HttpCutter*)new HttpBodyH2Cutter(
+ case SEC_BODY_HX:
+ return (HttpCutter*)new HttpBodyHXCutter(
session_data->data_length[source_id],
session_data->accelerated_blocking[source_id],
my_inspector->script_finder,
// This is the session state information we share with HttpInspect and store with stream. A
// session is defined by a TCP connection. Since scan() is the first to see a new TCP
// connection the new flow data object is created here.
- HttpFlowData* session_data = HttpInspect::http_get_flow_data(flow);
+ HttpFlowData* session_data = nullptr;
+ if (flow->stream_intf)
+ session_data = (HttpFlowData*)flow->stream_intf->get_stream_flow_data(flow);
if (session_data == nullptr)
{
// If the last request was a CONNECT and we have not yet seen the response, this is early C2S
// traffic. If there has been a pipeline overflow or underflow we cannot match requests to
// responses, so there is no attempt to track early C2S traffic.
- if ((source_id == SRC_CLIENT) && (type == SEC_REQUEST) && !session_data->for_http2 &&
+ if ((source_id == SRC_CLIENT) && (type == SEC_REQUEST) && !session_data->for_httpx &&
session_data->last_request_was_connect)
{
const uint64_t last_request_trans_num = session_data->expected_trans_num[SRC_CLIENT] - 1;
max_length, session_data->get_infractions(source_id), session_data->events[source_id],
session_data->section_size_target[source_id],
session_data->stretch_section_to_packet[source_id],
- session_data->h2_body_state[source_id]);
+ session_data->hx_body_state[source_id]);
switch (cut_result)
{
case SCAN_NOT_FOUND:
#include <sys/types.h>
#include <cstdio>
+#include <main/snort_types.h>
//-------------------------------------------------------------------------
// HttpTestManager class
//-------------------------------------------------------------------------
class HttpTestInput;
-class HttpTestManager
+class SO_PUBLIC HttpTestManager
{
public:
// Bitmap: 1, 2, 4, 8, ...
- enum INPUT_TYPE { IN_NONE = 0, IN_HTTP = 0x1, IN_HTTP2 = 0x2 };
+ enum INPUT_TYPE { IN_NONE = 0, IN_HTTP = 0x1, IN_HTTP2 = 0x2, IN_HTTP3 = 0x3 };
static bool use_test_input(INPUT_TYPE type) { return (type & test_input) != 0; }
static void activate_test_input(INPUT_TYPE type);
#include "log/messages.h"
#include "parser/parse_utils.h"
#include "protocols/packet.h"
-#include "service_inspectors/http2_inspect/http2_flow_data.h"
#include "http_common.h"
#include "http_enum.h"
if (!section_match)
return nullptr;
- const Http2FlowData* const h2i_flow_data =
- (Http2FlowData*)p->flow->get_flow_data(Http2FlowData::inspector_id);
+ assert(p->flow->stream_intf);
+ const HttpFlowData* const hi_flow_data =
+ (HttpFlowData*)p->flow->stream_intf->get_stream_flow_data(p->flow);
- const HttpInspect* const hi = (h2i_flow_data != nullptr) ?
+ const HttpInspect* const hi = (hi_flow_data->is_for_httpx()) ?
(HttpInspect*)(p->flow->assistant_gadget) : (HttpInspect*)(p->flow->gadget);
return hi;
{ "1.0", VERS_1_0 },
{ "1.1", VERS_1_1 },
{ "2.0", VERS_2_0 },
+ { "3.0", VERS_3_0 },
{ "0.9", VERS_0_9 }
};
fd_status_t File_Decomp_StopFree(fd_session_t*) { return File_Decomp_OK; }
uint32_t str_to_hash(const uint8_t *, size_t) { return 0; }
FlowData* Flow::get_flow_data(uint32_t) const { return nullptr; }
+int Flow::set_flow_data(FlowData*) { return 0;}
+Flow::Flow() { stream_intf = nullptr; }
+Flow::~Flow() = default;
}
unsigned Http2FlowData::inspector_id = 0;
TEST_GROUP(http_transaction_test)
{
- HttpFlowData* const flow_data = new HttpFlowData(nullptr);
+ Flow* const flow = new Flow();
+ HttpFlowData* const flow_data = new HttpFlowData(flow);
SectionType* const section_type = HttpUnitTestSetup::get_section_type(flow_data);
SectionType* const type_expected = HttpUnitTestSetup::get_type_expected(flow_data);
void teardown() override
{
delete flow_data;
+ delete flow;
}
};
+set(UDP_STREAM_INCLUDES
+ stream_udp.h
+ udp_ha.h
+ udp_module.h
+ udp_session.h
+)
add_library( stream_udp OBJECT
stream_udp.cc
- stream_udp.h
udp_ha.cc
- udp_ha.h
udp_module.cc
- udp_module.h
udp_session.cc
- udp_session.h
)
+
+install(FILES ${UDP_STREAM_INCLUDES}
+ DESTINATION "${INCLUDE_INSTALL_PATH}/stream/udp"
+)
\ No newline at end of file
#include <sys/time.h>
#include "flow/session.h"
+#include "main/snort_types.h"
-class UdpSession : public Session
+class SO_PUBLIC UdpSession : public Session
{
public:
UdpSession(snort::Flow*);
projects / thirdparty / snort3.git / commitdiff
