fprintf(fp_engine_analysis_FD, "http header content\n");
else if (list_type == DETECT_SM_LIST_HRHDMATCH)
fprintf(fp_engine_analysis_FD, "http raw header content\n");
- else if (list_type == DETECT_SM_LIST_HMDMATCH)
- fprintf(fp_engine_analysis_FD, "http method content\n");
else if (list_type == DETECT_SM_LIST_HCDMATCH)
fprintf(fp_engine_analysis_FD, "http cookie content\n");
else if (list_type == DETECT_SM_LIST_HCBDMATCH)
fprintf(rule_engine_analysis_FD, "http header content");
else if (list_type == DETECT_SM_LIST_HRHDMATCH)
fprintf(rule_engine_analysis_FD, "http raw header content");
- else if (list_type == DETECT_SM_LIST_HMDMATCH)
- fprintf(rule_engine_analysis_FD, "http method content");
else if (list_type == DETECT_SM_LIST_HCDMATCH)
fprintf(rule_engine_analysis_FD, "http cookie content");
else if (list_type == DETECT_SM_LIST_HCBDMATCH)
const int nlists = DetectBufferTypeMaxId();
const int filedata_id = DetectBufferTypeGetByName("file_data");
+ const int httpmethod_id = DetectBufferTypeGetByName("http_method");
if (s->init_data->init_flags & SIG_FLAG_INIT_BIDIREC) {
rule_bidirectional = 1;
raw_http_buf += 1;
http_raw_header_buf += 1;
}
- else if (list_id == DETECT_SM_LIST_HMDMATCH) {
+ else if (list_id == httpmethod_id) {
rule_pcre_http += 1;
raw_http_buf += 1;
http_method_buf += 1;
raw_http_buf += 1;
http_stat_code_buf += 1;
}
- else if (list_id == DETECT_SM_LIST_HMDMATCH) {
+ else if (list_id == httpmethod_id) {
rule_content_http += 1;
raw_http_buf += 1;
http_method_buf += 1;
return "http host";
case DETECT_SM_LIST_HRHHDMATCH:
return "http raw host header";
- case DETECT_SM_LIST_HMDMATCH:
- return "http method";
case DETECT_SM_LIST_HCDMATCH:
return "http cookie";
case DETECT_SM_LIST_HUADMATCH:
#ifdef UNITTESTS
static int g_file_data_buffer_id = 0;
+static int g_http_method_buffer_id = 0;
/**
* \test Checks if a fast_pattern is registered in a Signature
"content:\"three\"; http_method; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
goto end;
result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HMDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_method_buffer_id];
if (sm != NULL) {
if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) {
goto end;
result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HMDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_method_buffer_id];
if (sm != NULL) {
if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) {
goto end;
result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HMDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_method_buffer_id];
DetectContentData *ud = (DetectContentData *)sm->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
goto end;
result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HMDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_method_buffer_id];
DetectContentData *ud = (DetectContentData *)sm->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
"(content:\"one\"; http_method; content:\"two\"; http_method; within:30; content:\"two\"; fast_pattern:only; http_method; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
"(content:\"one\"; http_method; content:\"two\"; http_method; offset:30; content:\"two\"; fast_pattern:only; http_method; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
"(content:\"one\"; http_method; content:\"two\"; http_method; depth:30; content:\"two\"; fast_pattern:only; http_method; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
"(content:!\"one\"; fast_pattern; http_method; content:\"two\"; http_method; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
"(content:\"one\"; http_method; content:\"oneonetwo\"; fast_pattern:3,4; http_method; content:\"three\"; http_method; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(content:\"one\"; http_method; content:\"oneonetwo\"; fast_pattern:3,4; http_method; content:\"three\"; http_method; distance:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(content:\"one\"; http_method; content:\"oneonetwo\"; fast_pattern:3,4; http_method; content:\"three\"; http_method; within:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(content:\"one\"; http_method; content:\"oneonetwo\"; fast_pattern:3,4; http_method; content:\"three\"; http_method; offset:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(content:\"one\"; http_method; content:\"oneonetwo\"; fast_pattern:3,4; http_method; content:\"three\"; http_method; depth:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(content:\"one\"; http_method; content:\"two\"; http_method; distance:10; content:\"oneonethree\"; fast_pattern:3,4; http_method; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(content:\"one\"; http_method; content:\"two\"; http_method; within:10; content:\"oneonethree\"; fast_pattern:3,4; http_method; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(content:\"one\"; http_method; content:\"two\"; http_method; offset:10; content:\"oneonethree\"; fast_pattern:3,4; http_method; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(content:\"one\"; http_method; content:\"two\"; http_method; depth:10; content:\"oneonethree\"; fast_pattern:3,4; http_method; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(content:\"one\"; http_method; content:!\"oneonetwo\"; fast_pattern:3,4; http_method; content:\"three\"; http_method; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
"(content:\"one\"; http_method; content:!\"oneonetwo\"; fast_pattern:3,4; http_method; content:\"three\"; http_method; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
{
#ifdef UNITTESTS
g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
+ g_http_method_buffer_id = DetectBufferTypeGetByName("http_method");
UtRegisterTest("DetectFastPatternTest01", DetectFastPatternTest01);
UtRegisterTest("DetectFastPatternTest02", DetectFastPatternTest02);
#include "detect-engine-hmd.h"
#include "stream-tcp.h"
-
+static int g_http_method_buffer_id = 0;
static int DetectHttpMethodSetup(DetectEngineCtx *, Signature *, char *);
void DetectHttpMethodRegisterTests(void);
void DetectHttpMethodFree(void *);
+static void DetectHttpMethodSetupCallback(Signature *s);
+static _Bool DetectHttpMethodValidateCallback(const Signature *s);
/**
* \brief Registration function for keyword: http_method
sigmatch_table[DETECT_AL_HTTP_METHOD].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_AL_HTTP_METHOD].flags |= SIGMATCH_PAYLOAD;
- DetectMpmAppLayerRegister("http_method", SIG_FLAG_TOSERVER,
- DETECT_SM_LIST_HMDMATCH, 4,
+ DetectAppLayerMpmRegister("http_method", SIG_FLAG_TOSERVER, 4,
PrefilterTxMethodRegister);
- DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER,
- DETECT_SM_LIST_HMDMATCH,
+ DetectAppLayerInspectEngineRegister2("http_method",
+ ALPROTO_HTTP, SIG_FLAG_TOSERVER,
DetectEngineInspectHttpMethod);
+ DetectBufferTypeSetDescriptionByName("http_method",
+ "http request method");
+
+ DetectBufferTypeRegisterSetupCallback("http_method",
+ DetectHttpMethodSetupCallback);
+ DetectBufferTypeRegisterValidateCallback("http_method",
+ DetectHttpMethodValidateCallback);
+
+ g_http_method_buffer_id = DetectBufferTypeGetByName("http_method");
+
SCLogDebug("registering http_method rule option");
}
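Review bot: The result of `DetectBufferTypeGetByName("http_method")` is stored in `g_http_method_buffer_id` without a check, and that value is later used as a raw array index, for example `s->init_data->smlists[g_http_method_buffer_id]` in the validate callback and `sm_lists_tail[g_http_method_buffer_id]` in the fast-pattern unit tests. If the lookup can return a negative value on failure, rule loading would read outside the array. The static's initial value of 0 is itself an in-range index, so a missed assignment would silently inspect a different list instead of failing. I would declare it as `static int g_http_method_buffer_id = -1;` and follow the lookup with an `if (g_http_method_buffer_id < 0)` guard that aborts registration with an error. The registration function begins outside this hunk.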
{
return DetectEngineContentModifierBufferSetup(de_ctx, s, str,
DETECT_AL_HTTP_METHOD,
- DETECT_SM_LIST_HMDMATCH,
+ g_http_method_buffer_id,
ALPROTO_HTTP,
NULL);
}
SCFree(data);
}
+static void DetectHttpMethodSetupCallback(Signature *s)
+{
+ SCLogDebug("callback invoked by %u", s->id);
+ s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
+}
+
/**
* \retval 1 valid
* \retval 0 invalid
*/
-int DetectHttpMethodValidateRule(const Signature *s)
+static _Bool DetectHttpMethodValidateCallback(const Signature *s)
{
- if (s->alproto != ALPROTO_HTTP)
- return 1;
-
- if (s->init_data->smlists[DETECT_SM_LIST_HMDMATCH] != NULL) {
- const SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_HMDMATCH];
- for ( ; sm != NULL; sm = sm->next) {
- if (sm->type != DETECT_CONTENT)
- continue;
- const DetectContentData *cd = (const DetectContentData *)sm->ctx;
- if (cd->content && cd->content_len) {
- if (cd->content[cd->content_len-1] == 0x20) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with trailing space");
- return 0;
- } else if (cd->content[0] == 0x20) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with leading space");
- return 0;
- } else if (cd->content[cd->content_len-1] == 0x09) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with trailing tab");
- return 0;
- } else if (cd->content[0] == 0x09) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with leading tab");
- return 0;
- }
+ const SigMatch *sm = s->init_data->smlists[g_http_method_buffer_id];
+ for ( ; sm != NULL; sm = sm->next) {
+ if (sm->type != DETECT_CONTENT)
+ continue;
+ const DetectContentData *cd = (const DetectContentData *)sm->ctx;
+ if (cd->content && cd->content_len) {
+ if (cd->content[cd->content_len-1] == 0x20) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with trailing space");
+ return FALSE;
+ } else if (cd->content[0] == 0x20) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with leading space");
+ return FALSE;
+ } else if (cd->content[cd->content_len-1] == 0x09) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with trailing tab");
+ return FALSE;
+ } else if (cd->content[0] == 0x09) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with leading tab");
+ return FALSE;
}
}
}
- return 1;
+ return TRUE;
}
#ifdef UNITTESTS /* UNITTESTS */
+#include "detect-isdataat.h"
#include "stream-tcp-reassemble.h"
/** \test Check a signature with content */
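Review bot: `DetectHttpMethodSetupCallback` restores only the `s->mask |= SIG_MASK_REQUIRE_HTTP_STATE` part of the enum-keyed handling this commit deletes. The removed `DETECT_SM_LIST_HMDMATCH` entries also fed the branch that sets `s->flags |= SIG_FLAG_TOSERVER` and the condition in front of the `can't use uricontent ...` error, and neither callback here reproduces them. Unless the generic buffer code derives direction from the `SIG_FLAG_TOSERVER` passed at registration, an http_method rule with a conflicting flow direction could load and then never match, so that is worth confirming or adding to `DetectHttpMethodValidateCallback`. Separately, the doc comment above the validate callback still reads `\retval 1 valid` / `\retval 0 invalid` although the function now returns `TRUE`/`FALSE`; I would change it to `\retval TRUE valid` and `\retval FALSE invalid` and give the setup callback a one-line `\brief`.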
goto end;
}
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HMDMATCH] == NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HMDMATCH] == NULL: ");
+ if (de_ctx->sig_list->sm_lists[g_http_method_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_method_buffer_id] == NULL: ");
goto end;
}
- DetectContentData *hmd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx;
- DetectContentData *hmd2 = (DetectContentData *)de_ctx->sig_list->next->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx;
+ DetectContentData *hmd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->ctx;
+ DetectContentData *hmd2 = (DetectContentData *)de_ctx->sig_list->next->sm_lists_tail[g_http_method_buffer_id]->ctx;
if (!(hmd1->flags & DETECT_CONTENT_NOCASE)) {
printf("nocase flag not set on sig 1: ");
return result;
}
+static int DetectHttpMethodIsdataatParseTest(void)
+{
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ FAIL_IF_NULL(de_ctx);
+ de_ctx->flags |= DE_QUIET;
+
+ Signature *s = DetectEngineAppendSig(de_ctx,
+ "alert tcp any any -> any any ("
+ "content:\"one\"; http_method; "
+ "isdataat:!4,relative; sid:1;)");
+ FAIL_IF_NULL(s);
+
+ SigMatch *sm = s->init_data->smlists_tail[g_http_method_buffer_id];
+ FAIL_IF_NULL(sm);
+ FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
+
+ DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
+ FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
+ FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
+ FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
+
+ DetectEngineCtxFree(de_ctx);
+ PASS;
+}
+
#endif /* UNITTESTS */
/**
UtRegisterTest("DetectHttpMethodSigTest02", DetectHttpMethodSigTest02);
UtRegisterTest("DetectHttpMethodSigTest03", DetectHttpMethodSigTest03);
UtRegisterTest("DetectHttpMethodSigTest04", DetectHttpMethodSigTest04);
+
+ UtRegisterTest("DetectHttpMethodIsdataatParseTest",
+ DetectHttpMethodIsdataatParseTest);
#endif /* UNITTESTS */
}
/* prototypes */
void DetectHttpMethodRegister(void);
-int DetectHttpMethodDoMatch(DetectEngineThreadCtx *, Signature *, SigMatch *,
- Flow *, uint8_t, void *);
-int DetectHttpMethodValidateRule(const Signature *s);
#endif /* __DETECT_HTTP_METHOD_H__ */
return result;
}
-int DetectIsdataatTestParse12(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
- Signature *s = NULL;
- DetectIsdataatData *data = NULL;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing bytejump_body\"; "
- "content:\"one\"; http_method; "
- "isdataat:!4,relative; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- goto end;
- }
-
- s = de_ctx->sig_list;
- if (s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH] == NULL) {
- goto end;
- }
-
- result = 1;
-
- result &= (s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->type == DETECT_ISDATAAT);
- data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx;
- if ( !(data->flags & ISDATAAT_RELATIVE) ||
- (data->flags & ISDATAAT_RAWBYTES) ||
- !(data->flags & ISDATAAT_NEGATED) ) {
- result = 0;
- goto end;
- }
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
int DetectIsdataatTestParse13(void)
{
DetectEngineCtx *de_ctx = NULL;
UtRegisterTest("DetectIsdataatTestParse09", DetectIsdataatTestParse09);
UtRegisterTest("DetectIsdataatTestParse10", DetectIsdataatTestParse10);
UtRegisterTest("DetectIsdataatTestParse11", DetectIsdataatTestParse11);
- UtRegisterTest("DetectIsdataatTestParse12", DetectIsdataatTestParse12);
UtRegisterTest("DetectIsdataatTestParse13", DetectIsdataatTestParse13);
UtRegisterTest("DetectIsdataatTestParse16", DetectIsdataatTestParse16);
CASE_CODE_STRING(DETECT_SM_LIST_HSCDMATCH, "http_stat_code");
CASE_CODE_STRING(DETECT_SM_LIST_HHHDMATCH, "http_host");
CASE_CODE_STRING(DETECT_SM_LIST_HRHHDMATCH, "http_raw_host");
- CASE_CODE_STRING(DETECT_SM_LIST_HMDMATCH, "http_method");
CASE_CODE_STRING(DETECT_SM_LIST_HCDMATCH, "http_cookie");
CASE_CODE_STRING(DETECT_SM_LIST_HUADMATCH, "http_user_agent");
CASE_CODE_STRING(DETECT_SM_LIST_HTTP_RESLINEMATCH, "http_response_line");
CASE_CODE(DETECT_SM_LIST_HSCDMATCH);
CASE_CODE(DETECT_SM_LIST_HHHDMATCH);
CASE_CODE(DETECT_SM_LIST_HRHHDMATCH);
- CASE_CODE(DETECT_SM_LIST_HMDMATCH);
CASE_CODE(DETECT_SM_LIST_HCDMATCH);
CASE_CODE(DETECT_SM_LIST_HUADMATCH);
CASE_CODE(DETECT_SM_LIST_HTTP_RESLINEMATCH);
if (s->init_data->smlists[DETECT_SM_LIST_UMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL ||
- s->init_data->smlists[DETECT_SM_LIST_HMDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HUADMATCH] != NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use uricontent "
"/http_uri , raw_uri, http_client_body, "
s->init_data->smlists[DETECT_SM_LIST_UMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL ||
- s->init_data->smlists[DETECT_SM_LIST_HMDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HUADMATCH] != NULL) {
sig_flags |= SIG_FLAG_TOSERVER;
s->flags |= SIG_FLAG_TOSERVER;
}
}
- if (!DetectHttpMethodValidateRule(s))
- SCReturnInt(0);
-
//if (s->alproto != ALPROTO_UNKNOWN) {
// if (s->flags & SIG_FLAG_STATE_MATCH) {
// if (s->alproto == ALPROTO_DNS) {
s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH] ||
- s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH] ||
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'M' inconsistent with 'B'");
goto error;
}
- *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HMDMATCH);
+ int list = DetectBufferTypeGetByName("http_method");
+ *sm_list = DetectPcreSetList(*sm_list, list);
break;
case 'C': /* snort's option */
if (pd->flags & DETECT_PCRE_RAWBYTES) {
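Review bot: `int list = DetectBufferTypeGetByName("http_method");` is handed to `DetectPcreSetList` unchecked, so a failed lookup (presumably a negative id) would become the list id of the pcre; add `if (list < 0) goto error;` before the call. The declaration also sits directly in the switch body, so its scope runs on into `case 'C':` and a jump to that label skips the initialiser; wrapping the two added lines in `{ ... }` keeps the variable local to this case. The switch itself starts and ends outside the hunk.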
parsed_sm_list == DETECT_SM_LIST_HSCDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HHHDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HRHHDMATCH ||
- parsed_sm_list == DETECT_SM_LIST_HMDMATCH ||
+// parsed_sm_list == DETECT_SM_LIST_HMDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HCDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HUADMATCH)
{
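Review bot: Commenting out `parsed_sm_list == DETECT_SM_LIST_HMDMATCH ||` leaves dead code in the condition and means the guarded block no longer runs for a pcre that targets http_method, whose list id now comes from `DetectBufferTypeGetByName`. The block body is outside the hunk; if it is what binds the signature to HTTP (the way the later switch that drops `case DETECT_SM_LIST_HMDMATCH:` sets `s->flags |= SIG_FLAG_APPLAYER` and `s->alproto = ALPROTO_HTTP`), a rule whose only http_method match is a pcre would lose that binding. I would delete the commented line and, if the block is still required, test the dynamic id instead, e.g. `parsed_sm_list == DetectBufferTypeGetByName("http_method") ||`.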
case DETECT_SM_LIST_HSMDMATCH:
case DETECT_SM_LIST_HSCDMATCH:
case DETECT_SM_LIST_HCDMATCH:
- case DETECT_SM_LIST_HMDMATCH:
case DETECT_SM_LIST_HUADMATCH:
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
if (s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL)
return 0;
- if (s->init_data->smlists[DETECT_SM_LIST_HMDMATCH] != NULL)
- return 0;
-
if (s->init_data->smlists[DETECT_SM_LIST_HCDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL)
return 0;
- if (s->init_data->smlists[DETECT_SM_LIST_HMDMATCH] != NULL)
- return 0;
-
if (s->init_data->smlists[DETECT_SM_LIST_HCDMATCH] != NULL)
return 0;
s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL ||
- s->init_data->smlists[DETECT_SM_LIST_HMDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HCDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL ||
SCLogDebug("sig requires http app state");
}
- if (s->init_data->smlists[DETECT_SM_LIST_HMDMATCH] != NULL) {
- s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
- SCLogDebug("sig requires http app state");
- }
-
if (s->init_data->smlists[DETECT_SM_LIST_HCDMATCH] != NULL) {
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
SCLogDebug("sig requires http app state");
DETECT_SM_LIST_HHHDMATCH,
/* list for http_raw_host keyword and the ones relative to it */
DETECT_SM_LIST_HRHHDMATCH,
- /* list for http_method keyword and the ones relative to it */
- DETECT_SM_LIST_HMDMATCH,
/* list for http_cookie keyword and the ones relative to it */
DETECT_SM_LIST_HCDMATCH,
/* list for http_user_agent keyword and the ones relative to it */