Pull request #3852: http_inspect: rebuild start line
authorSteven Baigal (sbaigal) <sbaigal@cisco.com>
Tue, 23 May 2023 15:23:59 +0000 (15:23 +0000)
committerSteven Baigal (sbaigal) <sbaigal@cisco.com>
Tue, 23 May 2023 15:23:59 +0000 (15:23 +0000)
Merge in SNORT/snort3 from ~ADMAMOLE/snort3:fix_pkt_event to master

Squashed commit of the following:

commit b0461bdcef28d7c669ef1bd38ce11bd5d706f2db
Author: Adrian Mamolea <admamole@cisco.com>
Date:   Fri May 5 09:17:25 2023 -0400

    http_inspect: rebuild start line

src/detection/detect.cc
src/framework/inspector.h
src/service_inspectors/http_inspect/http_inspect.cc
src/service_inspectors/http_inspect/http_inspect.h

index 686e93e882848037bb47acbceefaae8d1a752599..a655cd4728209ca7b1d4be61ebee2d622e55ce43 100644 (file)
@@ -89,8 +89,31 @@ void CallLogFuncs(Packet* p, const OptTreeNode* otn, ListHead* head)
     DetectionEngine::set_check_tags(false);
     pc.log_pkts++;
 
+    const uint8_t* data = nullptr;
+    uint16_t dsize = 0;
+
+    if (p->flow && p->flow->gadget)
+        data = p->flow->gadget->adjust_log_packet(p, dsize);
+
+    uint16_t old_dsize = 0;
+    const uint8_t* old_data = nullptr;
+    if (data)
+    {
+        old_dsize = p->dsize;
+        old_data = p->data;
+        p->data = data;
+        p->dsize = dsize;
+    }
+
     OutputSet* idx = head ? head->LogList : nullptr;
     EventManager::call_loggers(idx, p, otn->sigInfo.message.c_str(), &event);
+
+    if (data)
+    {
+        p->data = old_data;
+        p->dsize = old_dsize;
+        delete[] data;
+    }
 }
 
 void CallAlertFuncs(Packet* p, const OptTreeNode* otn, ListHead* head)
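Review bot: The buffer returned by `adjust_log_packet` is held in a raw owning pointer and freed by hand at the bottom of CallLogFuncs, so if `EventManager::call_loggers` can exit early (an exception, if anything on the logger path throws, or a `return` added later between the swap and the restore) `p->data`/`p->dsize` stay pointing at the replacement buffer and it leaks. Holding it in a `std::unique_ptr<const uint8_t[]>` (needs `<memory>`) makes the ownership explicit, keeps the `delete[]`/`new[]` pairing out of this function, and lets the `delete[] data;` line go; the save/restore of `p->data`/`p->dsize` could likewise sit in a small scope guard so the two `if (data)` blocks cannot drift apart.
```cpp
    std::unique_ptr<const uint8_t[]> data;
    uint16_t dsize = 0;

    if (p->flow && p->flow->gadget)
        data.reset(p->flow->gadget->adjust_log_packet(p, dsize));

    uint16_t old_dsize = 0;
    const uint8_t* old_data = nullptr;
    if (data)
    {
        old_dsize = p->dsize;
        old_data = p->data;
        p->data = data.get();
        p->dsize = dsize;
    }
    // … unchanged: LogList lookup and call_loggers …
    if (data)
    {
        p->data = old_data;
        p->dsize = old_dsize;
    }
```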
index c65e00e2a53a826aebe20879af526be7e6fc37d5..41c2bbac42554a460ad0e1c6bdfaa0465d2f716b 100644 (file)
@@ -193,6 +193,9 @@ public:
     virtual void install_reload_handler(SnortConfig*)
     { }
 
+    virtual const uint8_t* adjust_log_packet(Packet*, uint16_t&)
+    { return nullptr; }
+
 public:
     static THREAD_LOCAL unsigned slot;
 
index 37373f57a459d8d393a717043f6d1443f5b35faf..ae4f3e6b3a5c5f5eb2fbf88608693b4dfb62bf2f 100755 (executable)
@@ -679,3 +679,58 @@ void HttpInspect::clear(Packet* p)
     }
 }
 
+const uint8_t* HttpInspect::adjust_log_packet(Packet* p, uint16_t& length)
+{
+    HttpMsgSection*  current_section = HttpContextData::get_snapshot(p);
+    if (current_section == nullptr ||
+        current_section->get_inspection_section() != PS_HEADER)
+        return nullptr;
+
+    HttpMsgSection* other_section = nullptr;
+    unsigned id;
+    if ((HttpMsgHeader*)current_section == current_section->get_header(SRC_CLIENT))
+    {
+        other_section = current_section->get_request();
+        id = HTTP_BUFFER_RAW_REQUEST;
+    }
+    else if ((HttpMsgHeader*)current_section == current_section->get_header(SRC_SERVER))
+    {
+        other_section = current_section->get_status();
+        id = HTTP_BUFFER_RAW_STATUS;
+    }
+    else
+        return nullptr;
+
+    const Field& start_line = other_section->get_classic_buffer(id, 0, 0);
+    if (start_line.length() > 0)
+    {
+        static const uint8_t END_HEADERS[] = "\r\n\r\n";
+        static const size_t END_HEADERS_LEN = 4;
+        static const uint8_t* END_START_LINE = END_HEADERS;
+        static const size_t END_START_LINE_LEN = 2;
+
+        const struct { const uint8_t* data; const size_t len; } frags[] =
+        {
+            { start_line.start(), (size_t) start_line.length() },
+            { END_START_LINE, END_START_LINE_LEN },
+            { p->data, p->dsize },
+            { END_HEADERS, END_HEADERS_LEN }
+        };
+        const uint frags_cnt = sizeof(frags)/sizeof(frags[0]);
+
+        uint8_t* data = new uint8_t[start_line.length() + END_START_LINE_LEN +
+                                    p->dsize + END_HEADERS_LEN];
+
+        uint8_t* dst = data;
+        for (uint i = 0; i < frags_cnt; i++)
+        {
+            memcpy(dst, frags[i].data, frags[i].len);
+            dst += frags[i].len;
+        }
+
+        length = dst - data;
+        return data;
+    }
+
+    return nullptr;
+}
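Review bot: `length = dst - data;` narrows a `ptrdiff_t` into the `uint16_t&` out-parameter, and the total `start_line.length() + 2 + p->dsize + 4` can exceed 65535 — `p->dsize` is itself a `uint16_t`, so a payload near the maximum already wraps once the start line and the two delimiters are prepended. The caller then logs a buffer of the wrapped size while the allocation is larger, so the logged record is silently truncated and no longer matches what was assembled. Compute the total once as `size_t`, return nullptr when it does not fit, and reuse it for both the allocation and the out-parameter; in the same pass the `(size_t)` C-style cast could become `static_cast<size_t>` and the non-standard `uint` a `size_t`/`unsigned`.
```cpp
        // … unchanged: END_* constants and frags[] …
        const size_t total = start_line.length() + END_START_LINE_LEN +
                             p->dsize + END_HEADERS_LEN;
        if (total > UINT16_MAX)
            return nullptr;

        uint8_t* data = new uint8_t[total];
        // … unchanged: frags copy loop …
        length = static_cast<uint16_t>(total);
        return data;
```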
index fb9a8343236f21ed6f7c6b3cf74eae720e16c3ec..3b7dd770af5bd11cf6cb36895ee9370ee48cb047 100644 (file)
@@ -91,6 +91,8 @@ public:
     unsigned get_pub_id()
     { return pub_id; }
 
+    const uint8_t* adjust_log_packet(snort::Packet* p, uint16_t& length) override;
+
 private:
     friend HttpApi;
     friend HttpStreamSplitter;