#include "flow-util.h"
#include "stream-tcp.h"
+static int g_http_header_buffer_id = 0;
+
static int DetectBase64TestDecodeParse(void)
{
int retval = 0;
}
/* Test that the http header list is not NULL. */
- if (s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH] == NULL) {
+ if (s->sm_lists_tail[g_http_header_buffer_id] == NULL) {
goto end;
}
static void DetectBase64DecodeRegisterTests(void)
{
#ifdef UNITTESTS
+ g_http_header_buffer_id = DetectBufferTypeGetByName("http_header");
+
UtRegisterTest("DetectBase64TestDecodeParse", DetectBase64TestDecodeParse);
UtRegisterTest("DetectBase64DecodeTestSetup", DetectBase64DecodeTestSetup);
UtRegisterTest("DetectBase64DecodeHttpHeaderTestSetup",
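Review bot: The result of `DetectBufferTypeGetByName("http_header")` is stored in `g_http_header_buffer_id` without any check, and DetectBase64TestDecodeParse then uses it directly as an array index in `s->sm_lists_tail[g_http_header_buffer_id]`. If the lookup can fail (it appears to signal an unknown name with a negative value; confirm against its definition), that index reads outside the array. The `= 0` initialiser also means a missed registration silently aliases whichever list has id 0. Assert right after the assignment with the project's usual macro, e.g. `BUG_ON(g_http_header_buffer_id < 0);`. The same unchecked assignment appears in the fast-pattern test registration and in the `http_header` keyword registration, where the id is passed to `DetectEngineContentModifierBufferSetup` for real rules; the registration function here continues beyond the hunk.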
fprintf(fp_engine_analysis_FD, "content\n");
else if (list_type == DETECT_SM_LIST_HRUDMATCH)
fprintf(fp_engine_analysis_FD, "http raw uri content\n");
- else if (list_type == DETECT_SM_LIST_HHDMATCH)
- fprintf(fp_engine_analysis_FD, "http header content\n");
- else if (list_type == DETECT_SM_LIST_HRHDMATCH)
- fprintf(fp_engine_analysis_FD, "http raw header content\n");
else if (list_type == DETECT_SM_LIST_HCBDMATCH)
fprintf(fp_engine_analysis_FD, "http client body content\n");
else {
}
else if (list_type == DETECT_SM_LIST_HRUDMATCH)
fprintf(rule_engine_analysis_FD, "http raw uri content");
- else if (list_type == DETECT_SM_LIST_HHDMATCH)
- fprintf(rule_engine_analysis_FD, "http header content");
- else if (list_type == DETECT_SM_LIST_HRHDMATCH)
- fprintf(rule_engine_analysis_FD, "http raw header content");
else if (list_type == DETECT_SM_LIST_HCBDMATCH)
fprintf(rule_engine_analysis_FD, "http client body content");
else if (list_type == DETECT_SM_LIST_DNSQUERYNAME_MATCH)
const int httpcookie_id = DetectBufferTypeGetByName("http_cookie");
const int httpstatcode_id = DetectBufferTypeGetByName("http_stat_code");
const int httpstatmsg_id = DetectBufferTypeGetByName("http_stat_msg");
+ const int httpheader_id = DetectBufferTypeGetByName("http_header");
+ const int httprawheader_id = DetectBufferTypeGetByName("http_raw_header");
if (s->init_data->init_flags & SIG_FLAG_INIT_BIDIREC) {
rule_bidirectional = 1;
norm_http_buf += 1;
http_uri_buf += 1;
}
- else if (list_id == DETECT_SM_LIST_HHDMATCH) {
+ else if (list_id == httpheader_id) {
rule_pcre_http += 1;
norm_http_buf += 1;
http_header_buf += 1;
http_server_body_buf += 1;
raw_http_buf += 1;
}
- else if (list_id == DETECT_SM_LIST_HRHDMATCH) {
+ else if (list_id == httprawheader_id) {
rule_pcre_http += 1;
raw_http_buf += 1;
http_raw_header_buf += 1;
else if (sm->type == DETECT_CONTENT) {
if (list_id == httpuri_id
- || list_id == DETECT_SM_LIST_HHDMATCH
+ || list_id == httpheader_id
|| list_id == httpcookie_id) {
rule_content_http += 1;
norm_http_buf += 1;
if (list_id == httpuri_id) {
http_uri_buf += 1;
}
- else if (list_id == DETECT_SM_LIST_HHDMATCH) {
+ else if (list_id == httpheader_id) {
http_header_buf += 1;
}
else if (list_id == httpcookie_id) {
raw_http_buf += 1;
http_server_body_buf += 1;
}
- else if (list_id == DETECT_SM_LIST_HRHDMATCH) {
+ else if (list_id == httprawheader_id) {
rule_content_http += 1;
raw_http_buf += 1;
http_raw_header_buf += 1;
return "http raw uri";
case DETECT_SM_LIST_HCBDMATCH:
return "http client body";
- case DETECT_SM_LIST_HHDMATCH:
- return "http headers";
- case DETECT_SM_LIST_HRHDMATCH:
- return "http raw headers";
case DETECT_SM_LIST_APP_EVENT:
return "app layer events";
static int g_http_raw_host_buffer_id = 0;
static int g_http_stat_code_buffer_id = 0;
static int g_http_stat_msg_buffer_id = 0;
+static int g_http_raw_header_buffer_id = 0;
+static int g_http_header_buffer_id = 0;
/**
* \test Checks if a fast_pattern is registered in a Signature
"content:\"three\"; http_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
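Review bot: `de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx` dereferences the tail entry and its `prev` with no NULL check. Now that the index is a runtime id rather than an enum constant, a wrong or unregistered id crashes the unit-test runner instead of failing the test. Fetch the tail first with `SigMatch *tail = de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id];` and bail out through the existing path with `if (tail == NULL || tail->prev == NULL) goto end;`. The same unchecked dereference repeats in the other fast-pattern tests updated by this commit, for both `g_http_header_buffer_id` and `g_http_raw_header_buffer_id`. The test body starts and ends outside this hunk.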
goto end;
result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_header_buffer_id];
if (sm != NULL) {
if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) {
goto end;
result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_header_buffer_id];
if (sm != NULL) {
if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) {
goto end;
result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_header_buffer_id];
DetectContentData *ud = (DetectContentData *)sm->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
goto end;
result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_header_buffer_id];
DetectContentData *ud = (DetectContentData *)sm->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
"(content:\"one\"; http_header; content:\"two\"; http_header; within:30; content:\"two\"; fast_pattern:only; http_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
"(content:\"one\"; http_header; content:\"two\"; http_header; offset:30; content:\"two\"; fast_pattern:only; http_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
"(content:\"one\"; http_header; content:\"two\"; http_header; depth:30; content:\"two\"; fast_pattern:only; http_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
"(content:!\"one\"; fast_pattern; http_header; content:\"two\"; http_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
"(content:\"one\"; http_header; content:\"oneonetwo\"; fast_pattern:3,4; http_header; content:\"three\"; http_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(content:\"one\"; http_header; content:\"oneonetwo\"; fast_pattern:3,4; http_header; content:\"three\"; http_header; distance:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(content:\"one\"; http_header; content:\"oneonetwo\"; fast_pattern:3,4; http_header; content:\"three\"; http_header; within:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(content:\"one\"; http_header; content:\"oneonetwo\"; fast_pattern:3,4; http_header; content:\"three\"; http_header; offset:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(content:\"one\"; http_header; content:\"oneonetwo\"; fast_pattern:3,4; http_header; content:\"three\"; http_header; depth:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(content:\"one\"; http_header; content:\"two\"; http_header; distance:10; content:\"oneonethree\"; fast_pattern:3,4; http_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(content:\"one\"; http_header; content:\"two\"; http_header; within:10; content:\"oneonethree\"; fast_pattern:3,4; http_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(content:\"one\"; http_header; content:\"two\"; http_header; offset:10; content:\"oneonethree\"; fast_pattern:3,4; http_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(content:\"one\"; http_header; content:\"two\"; http_header; depth:10; content:\"oneonethree\"; fast_pattern:3,4; http_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(content:\"one\"; http_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_header; content:\"three\"; http_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
"(content:\"one\"; http_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_header; content:\"three\"; http_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
"content:\"three\"; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
goto end;
result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id];
if (sm != NULL) {
if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) {
goto end;
result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id];
if (sm != NULL) {
if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) {
goto end;
result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id];
DetectContentData *ud = (DetectContentData *)sm->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
goto end;
result = 0;
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id];
DetectContentData *ud = (DetectContentData *)sm->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
"(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; within:30; content:\"two\"; fast_pattern:only; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
"(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; offset:30; content:\"two\"; fast_pattern:only; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
"(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; depth:30; content:\"two\"; fast_pattern:only; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
"(flow:to_server; content:!\"one\"; fast_pattern; http_raw_header; content:\"two\"; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
"(flow:to_server; content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(flow:to_server; content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; distance:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(flow:to_server; content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; within:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(flow:to_server; content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; offset:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(flow:to_server; content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; depth:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; distance:10; content:\"oneonethree\"; fast_pattern:3,4; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; within:10; content:\"oneonethree\"; fast_pattern:3,4; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; offset:10; content:\"oneonethree\"; fast_pattern:3,4; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; depth:10; content:\"oneonethree\"; fast_pattern:3,4; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
"(flow:to_server; content:\"one\"; http_raw_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
"(flow:to_server; content:\"one\"; http_raw_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
- DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx;
+ DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
g_http_raw_host_buffer_id = DetectBufferTypeGetByName("http_raw_host");
g_http_stat_code_buffer_id = DetectBufferTypeGetByName("http_stat_code");
g_http_stat_msg_buffer_id = DetectBufferTypeGetByName("http_stat_msg");
+ g_http_header_buffer_id = DetectBufferTypeGetByName("http_header");
+ g_http_raw_header_buffer_id = DetectBufferTypeGetByName("http_raw_header");
UtRegisterTest("DetectFastPatternTest01", DetectFastPatternTest01);
UtRegisterTest("DetectFastPatternTest02", DetectFastPatternTest02);
#include "detect-engine-hhd.h"
#include "stream-tcp.h"
-int DetectHttpHeaderSetup(DetectEngineCtx *, Signature *, char *);
-void DetectHttpHeaderRegisterTests(void);
-void DetectHttpHeaderFree(void *);
+static int DetectHttpHeaderSetup(DetectEngineCtx *, Signature *, char *);
+static void DetectHttpHeaderRegisterTests(void);
+static void DetectHttpHeaderFree(void *);
+static void DetectHttpHeaderSetupCallback(Signature *);
+static int g_http_header_buffer_id = 0;
/**
* \brief Registers the keyword handlers for the "http_header" keyword.
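Review bot: `DetectHttpHeaderRegisterTests` is now forward-declared `static`, but its definition, visible later on this page as `void DetectHttpHeaderRegisterTests(void)`, is left without the keyword. That compiles, because the definition inherits internal linkage from the earlier declaration, but anyone reading the definition alone will take it for an exported symbol. Add `static` to the definition as well, and check the definitions of `DetectHttpHeaderSetup` and `DetectHttpHeaderFree`, which lie outside the hunks shown. If the keyword's header still declares any of these functions, the `static` prototypes will conflict with it, so those declarations have to be removed in the same change (the header is not on this page). The http_raw_header file receives the same prototype change and needs the same check.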
sigmatch_table[DETECT_AL_HTTP_HEADER].flags |= SIGMATCH_NOOPT ;
sigmatch_table[DETECT_AL_HTTP_HEADER].flags |= SIGMATCH_PAYLOAD ;
- DetectMpmAppLayerRegister("http_header", SIG_FLAG_TOSERVER,
- DETECT_SM_LIST_HHDMATCH, 2,
+ DetectAppLayerMpmRegister("http_header", SIG_FLAG_TOSERVER, 2,
PrefilterTxHttpRequestHeadersRegister);
- DetectMpmAppLayerRegister("http_header", SIG_FLAG_TOCLIENT,
- DETECT_SM_LIST_HHDMATCH, 2,
+ DetectAppLayerMpmRegister("http_header", SIG_FLAG_TOCLIENT, 2,
PrefilterTxHttpResponseHeadersRegister);
- DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER,
- DETECT_SM_LIST_HHDMATCH,
+ DetectAppLayerInspectEngineRegister2("http_header",
+ ALPROTO_HTTP, SIG_FLAG_TOSERVER,
DetectEngineInspectHttpHeader);
- DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
- DETECT_SM_LIST_HHDMATCH,
+ DetectAppLayerInspectEngineRegister2("http_header",
+ ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
DetectEngineInspectHttpHeader);
- return;
+ DetectBufferTypeSetDescriptionByName("http_header",
+ "http headers");
+
+ DetectBufferTypeRegisterSetupCallback("http_header",
+ DetectHttpHeaderSetupCallback);
+
+ g_http_header_buffer_id = DetectBufferTypeGetByName("http_header");
}
/**
{
return DetectEngineContentModifierBufferSetup(de_ctx, s, arg,
DETECT_AL_HTTP_HEADER,
- DETECT_SM_LIST_HHDMATCH,
+ g_http_header_buffer_id,
ALPROTO_HTTP,
NULL);
}
+static void DetectHttpHeaderSetupCallback(Signature *s)
+{
+ SCLogDebug("callback invoked by %u", s->id);
+ s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
+}
+
/************************************Unittests*********************************/
#ifdef UNITTESTS
+#include "detect-isdataat.h"
#include "stream-tcp-reassemble.h"
/**
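Review bot: `DetectHttpHeaderSetupCallback` is added without a doc comment, although the registration function in this file carries a `/** \brief … */` header. Suggest `/** \brief Setup callback for the http_header buffer: flags the signature as requiring HTTP state (SIG_MASK_REQUIRE_HTTP_STATE). */` above it, plus a `\param s` line naming the signature being set up. Separately, `SCLogDebug("callback invoked by %u", s->id)` assumes `s->id` is an `unsigned int`; if the field is a `uint32_t`, `%"PRIu32"` is the matching specifier.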
goto end;
}
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_header_buffer_id];
if (sm != NULL) {
result &= (sm->type == DETECT_CONTENT);
result &= (sm->next == NULL);
goto end;
}
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL\n");
+ if (de_ctx->sig_list->sm_lists[g_http_header_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_header_buffer_id] == NULL\n");
goto end;
}
- DetectContentData *hhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx;
- DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx;
+ DetectContentData *hhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx;
+ DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->ctx;
if (hhd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(hhd1->content, "one", hhd1->content_len) != 0 ||
hhd2->flags != DETECT_CONTENT_DISTANCE ||
goto end;
}
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL\n");
+ if (de_ctx->sig_list->sm_lists[g_http_header_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_header_buffer_id] == NULL\n");
goto end;
}
- DetectContentData *hhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx;
- DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx;
+ DetectContentData *hhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx;
+ DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->ctx;
if (hhd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(hhd1->content, "one", hhd1->content_len) != 0 ||
hhd2->flags != DETECT_CONTENT_WITHIN ||
goto end;
}
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL\n");
+ if (de_ctx->sig_list->sm_lists[g_http_header_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_header_buffer_id] == NULL\n");
goto end;
}
- if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH] == NULL ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->type != DETECT_CONTENT ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev == NULL ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->type != DETECT_PCRE) {
+ if (de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id] == NULL ||
+ de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->type != DETECT_CONTENT ||
+ de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev == NULL ||
+ de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->type != DETECT_PCRE) {
goto end;
}
- DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx;
- DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx;
+ DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx;
+ DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
hhd2->flags != DETECT_CONTENT_WITHIN ||
memcmp(hhd2->content, "two", hhd2->content_len) != 0) {
goto end;
}
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL\n");
+ if (de_ctx->sig_list->sm_lists[g_http_header_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_header_buffer_id] == NULL\n");
goto end;
}
- if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH] == NULL ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->type != DETECT_PCRE ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev == NULL ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->type != DETECT_CONTENT) {
+ if (de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id] == NULL ||
+ de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->type != DETECT_PCRE ||
+ de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev == NULL ||
+ de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->type != DETECT_CONTENT) {
goto end;
}
- DetectContentData *hhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx;
- DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx;
+ DetectContentData *hhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx;
+ DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->ctx;
if (pd2->flags != (DETECT_PCRE_RELATIVE) ||
hhd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(hhd1->content, "two", hhd1->content_len) != 0) {
goto end;
}
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL\n");
+ if (de_ctx->sig_list->sm_lists[g_http_header_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_header_buffer_id] == NULL\n");
goto end;
}
- if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH] == NULL ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->type != DETECT_CONTENT ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev == NULL ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->type != DETECT_PCRE) {
+ if (de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id] == NULL ||
+ de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->type != DETECT_CONTENT ||
+ de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev == NULL ||
+ de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->type != DETECT_PCRE) {
goto end;
}
- DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx;
- DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx;
+ DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx;
+ DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
hhd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(hhd2->content, "two", hhd2->content_len) != 0) {
return result;
}
+static int DetectHttpHeaderIsdataatParseTest(void)
+{
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ FAIL_IF_NULL(de_ctx);
+ de_ctx->flags |= DE_QUIET;
+
+ Signature *s = DetectEngineAppendSig(de_ctx,
+ "alert tcp any any -> any any ("
+ "flow:to_server; "
+ "content:\"one\"; http_header; "
+ "isdataat:!4,relative; sid:1;)");
+ FAIL_IF_NULL(s);
+
+ SigMatch *sm = s->init_data->smlists_tail[g_http_header_buffer_id];
+ FAIL_IF_NULL(sm);
+ FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
+
+ DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
+ FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
+ FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
+ FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
+
+ DetectEngineCtxFree(de_ctx);
+ PASS;
+}
+
#endif /* UNITTESTS */
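Review bot: `DetectHttpHeaderIsdataatParseTest` is added without the `/** \test ... */` comment that other tests on this page carry, so its intent has to be read out of the rule string. I would put `/** \test isdataat relative to http_header content ends up on the http_header list, negated and without rawbytes */` above it, and the matching comment above `DetectHttpRawHeaderIsdataatParseTest` in the raw-header file. The rule here also gains `flow:to_server`, which the removed `DetectIsdataatTestParse10` did not have; if that is now required for the rule to load, the comment is the place to say so.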
void DetectHttpHeaderRegisterTests(void)
UtRegisterTest("DetectHttpHeaderTest28", DetectHttpHeaderTest28);
UtRegisterTest("DetectHttpHeaderTest29", DetectHttpHeaderTest29);
UtRegisterTest("DetectHttpHeaderTest30", DetectHttpHeaderTest30);
+
+ UtRegisterTest("DetectHttpHeaderIsdataatParseTest",
+ DetectHttpHeaderIsdataatParseTest);
+
#endif /* UNITTESTS */
return;
#include "detect-engine-hrhd.h"
#include "stream-tcp.h"
-int DetectHttpRawHeaderSetup(DetectEngineCtx *, Signature *, char *);
-void DetectHttpRawHeaderRegisterTests(void);
-void DetectHttpRawHeaderFree(void *);
+static int DetectHttpRawHeaderSetup(DetectEngineCtx *, Signature *, char *);
+static void DetectHttpRawHeaderRegisterTests(void);
+static void DetectHttpRawHeaderFree(void *);
+static _Bool DetectHttpRawHeaderValidateCallback(const Signature *s);
+static void DetectHttpRawHeaderSetupCallback(Signature *s);
+static int g_http_raw_header_buffer_id = 0;
/**
* \brief Registers the keyword handlers for the "http_raw_header" keyword.
sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].flags |= SIGMATCH_PAYLOAD;
- DetectMpmAppLayerRegister("http_raw_header", SIG_FLAG_TOSERVER,
- DETECT_SM_LIST_HRHDMATCH, 2,
+ DetectAppLayerMpmRegister("http_raw_header", SIG_FLAG_TOSERVER, 2,
PrefilterTxRequestHeadersRawRegister);
- DetectMpmAppLayerRegister("http_raw_header", SIG_FLAG_TOCLIENT,
- DETECT_SM_LIST_HRHDMATCH, 2,
+ DetectAppLayerMpmRegister("http_raw_header", SIG_FLAG_TOCLIENT, 2,
PrefilterTxResponseHeadersRawRegister);
- DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER,
- DETECT_SM_LIST_HRHDMATCH,
+ DetectAppLayerInspectEngineRegister2("http_raw_header",
+ ALPROTO_HTTP, SIG_FLAG_TOSERVER,
DetectEngineInspectHttpRawHeader);
- DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
- DETECT_SM_LIST_HRHDMATCH,
+ DetectAppLayerInspectEngineRegister2("http_raw_header",
+ ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
DetectEngineInspectHttpRawHeader);
- return;
+
+ DetectBufferTypeSetDescriptionByName("http_raw_header",
+ "raw http headers");
+
+ DetectBufferTypeRegisterValidateCallback("http_raw_header",
+ DetectHttpRawHeaderValidateCallback);
+ DetectBufferTypeRegisterSetupCallback("http_raw_header",
+ DetectHttpRawHeaderSetupCallback);
+
+ g_http_raw_header_buffer_id = DetectBufferTypeGetByName("http_raw_header");
}
{
return DetectEngineContentModifierBufferSetup(de_ctx, s, arg,
DETECT_AL_HTTP_RAW_HEADER,
- DETECT_SM_LIST_HRHDMATCH,
+ g_http_raw_header_buffer_id,
ALPROTO_HTTP,
NULL);
}
+static _Bool DetectHttpRawHeaderValidateCallback(const Signature *s)
+{
+ if ((s->flags & (SIG_FLAG_TOCLIENT|SIG_FLAG_TOSERVER)) == (SIG_FLAG_TOCLIENT|SIG_FLAG_TOSERVER)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE,"http_raw_header signature "
+ "without a flow direction. Use flow:to_server for "
+ "inspecting request headers or flow:to_client for "
+ "inspecting response headers.");
+ SCReturnInt(FALSE);
+ }
+ return TRUE;
+}
+
+static void DetectHttpRawHeaderSetupCallback(Signature *s)
+{
+ SCLogDebug("callback invoked by %u", s->id);
+ s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
+}
+
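Review bot: `DetectHttpRawHeaderValidateCallback` is declared `_Bool`, but its failure path exits through `SCReturnInt(FALSE)` while the success path uses a plain `return TRUE;`, and no `SCEnter()` is visible. I would make the two exits agree, for example `return FALSE;` after the `SCLogError` call. Unlike the block this replaces in the signature validation code, the callback does not test that the http_raw_header list is non-empty, so it depends on being invoked only for signatures that use this buffer. The caller is not visible here, so a one-line comment stating that precondition above the function would help.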
/************************************Unittests*********************************/
#ifdef UNITTESTS
+#include "detect-isdataat.h"
#include "stream-tcp-reassemble.h"
/**
goto end;
}
- sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH];
+ sm = de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id];
if (sm != NULL) {
result &= (sm->type == DETECT_CONTENT);
result &= (sm->next == NULL);
goto end;
}
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH] == NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH] == NULL\n");
+ if (de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL\n");
goto end;
}
- DetectContentData *hrhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx;
- DetectContentData *hrhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx;
+ DetectContentData *hrhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
+ DetectContentData *hrhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx;
if (hrhd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(hrhd1->content, "one", hrhd1->content_len) != 0 ||
hrhd2->flags != DETECT_CONTENT_DISTANCE ||
goto end;
}
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH] == NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH] == NULL\n");
+ if (de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL\n");
goto end;
}
- DetectContentData *hrhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx;
- DetectContentData *hrhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx;
+ DetectContentData *hrhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
+ DetectContentData *hrhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx;
if (hrhd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(hrhd1->content, "one", hrhd1->content_len) != 0 ||
hrhd2->flags != DETECT_CONTENT_WITHIN ||
goto end;
}
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH] == NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH] == NULL\n");
+ if (de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL\n");
goto end;
}
- if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH] == NULL ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->type != DETECT_CONTENT ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev == NULL ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->type != DETECT_PCRE) {
+ if (de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id] == NULL ||
+ de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->type != DETECT_CONTENT ||
+ de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev == NULL ||
+ de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->type != DETECT_PCRE) {
goto end;
}
- DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx;
- DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx;
+ DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
+ DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
hhd2->flags != DETECT_CONTENT_WITHIN ||
memcmp(hhd2->content, "two", hhd2->content_len) != 0) {
goto end;
}
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH] == NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH] == NULL\n");
+ if (de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL\n");
goto end;
}
- if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH] == NULL ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->type != DETECT_PCRE ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev == NULL ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->type != DETECT_CONTENT) {
+ if (de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id] == NULL ||
+ de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->type != DETECT_PCRE ||
+ de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev == NULL ||
+ de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->type != DETECT_CONTENT) {
goto end;
}
- DetectContentData *hhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx;
- DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx;
+ DetectContentData *hhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
+ DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx;
if (pd2->flags != (DETECT_PCRE_RELATIVE) ||
hhd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(hhd1->content, "two", hhd1->content_len) != 0) {
goto end;
}
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH] == NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH] == NULL\n");
+ if (de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL\n");
goto end;
}
- if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH] == NULL ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->type != DETECT_CONTENT ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev == NULL ||
- de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->type != DETECT_PCRE) {
+ if (de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id] == NULL ||
+ de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->type != DETECT_CONTENT ||
+ de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev == NULL ||
+ de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->type != DETECT_PCRE) {
goto end;
}
- DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx;
- DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx;
+ DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
+ DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
hhd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(hhd2->content, "two", hhd2->content_len) != 0) {
return result;
}
+static int DetectHttpRawHeaderIsdataatParseTest(void)
+{
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ FAIL_IF_NULL(de_ctx);
+ de_ctx->flags |= DE_QUIET;
+
+ Signature *s = DetectEngineAppendSig(de_ctx,
+ "alert tcp any any -> any any ("
+ "flow:to_server; "
+ "content:\"one\"; http_raw_header; "
+ "isdataat:!4,relative; sid:1;)");
+ FAIL_IF_NULL(s);
+
+ SigMatch *sm = s->init_data->smlists_tail[g_http_raw_header_buffer_id];
+ FAIL_IF_NULL(sm);
+ FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
+
+ DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
+ FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
+ FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
+ FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
+
+ DetectEngineCtxFree(de_ctx);
+ PASS;
+}
+
#endif /* UNITTESTS */
void DetectHttpRawHeaderRegisterTests(void)
UtRegisterTest("DetectHttpRawHeaderTest25", DetectHttpRawHeaderTest25);
UtRegisterTest("DetectHttpRawHeaderTest26", DetectHttpRawHeaderTest26);
UtRegisterTest("DetectHttpRawHeaderTest27", DetectHttpRawHeaderTest27);
+
+ UtRegisterTest("DetectHttpRawHeaderIsdataatParseTest",
+ DetectHttpRawHeaderIsdataatParseTest);
#endif /* UNITTESTS */
return;
return result;
}
-int DetectIsdataatTestParse10(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
- Signature *s = NULL;
- DetectIsdataatData *data = NULL;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing bytejump_body\"; "
- "content:\"one\"; http_header; "
- "isdataat:!4,relative; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- goto end;
- }
-
- s = de_ctx->sig_list;
- if (s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH] == NULL) {
- goto end;
- }
-
- result = 1;
-
- result &= (s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->type == DETECT_ISDATAAT);
- data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx;
- if ( !(data->flags & ISDATAAT_RELATIVE) ||
- (data->flags & ISDATAAT_RAWBYTES) ||
- !(data->flags & ISDATAAT_NEGATED) ) {
- result = 0;
- goto end;
- }
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-int DetectIsdataatTestParse11(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
- Signature *s = NULL;
- DetectIsdataatData *data = NULL;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing bytejump_body\"; "
- "flow:to_server; content:\"one\"; http_raw_header; "
- "isdataat:!4,relative; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- goto end;
- }
-
- s = de_ctx->sig_list;
- if (s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH] == NULL) {
- goto end;
- }
-
- result = 1;
-
- result &= (s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->type == DETECT_ISDATAAT);
- data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx;
- if ( !(data->flags & ISDATAAT_RELATIVE) ||
- (data->flags & ISDATAAT_RAWBYTES) ||
- !(data->flags & ISDATAAT_NEGATED) ) {
- result = 0;
- goto end;
- }
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
/**
* \test dns_query with isdataat relative to it
*/
UtRegisterTest("DetectIsdataatTestParse05", DetectIsdataatTestParse05);
UtRegisterTest("DetectIsdataatTestParse06", DetectIsdataatTestParse06);
UtRegisterTest("DetectIsdataatTestParse09", DetectIsdataatTestParse09);
- UtRegisterTest("DetectIsdataatTestParse10", DetectIsdataatTestParse10);
- UtRegisterTest("DetectIsdataatTestParse11", DetectIsdataatTestParse11);
UtRegisterTest("DetectIsdataatTestParse16", DetectIsdataatTestParse16);
UtRegisterTest("DetectIsdataatTestPacket01", DetectIsdataatTestPacket01);
} else if (lua->flags & DATATYPE_HTTP_REQUEST_UA) {
int list = DetectBufferTypeGetByName("http_user_agent");
SigMatchAppendSMToList(s, sm, list);
- } else if (lua->flags & (DATATYPE_HTTP_REQUEST_HEADERS|DATATYPE_HTTP_RESPONSE_HEADERS))
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HHDMATCH);
- else if (lua->flags & (DATATYPE_HTTP_REQUEST_HEADERS_RAW|DATATYPE_HTTP_RESPONSE_HEADERS_RAW))
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRHDMATCH);
- else {
+ } else if (lua->flags & (DATATYPE_HTTP_REQUEST_HEADERS|DATATYPE_HTTP_RESPONSE_HEADERS)) {
+ int list = DetectBufferTypeGetByName("http_header");
+ SigMatchAppendSMToList(s, sm, list);
+ } else if (lua->flags & (DATATYPE_HTTP_REQUEST_HEADERS_RAW|DATATYPE_HTTP_RESPONSE_HEADERS_RAW)) {
+ int list = DetectBufferTypeGetByName("http_raw_header");
+ SigMatchAppendSMToList(s, sm, list);
+ } else {
int list = DetectBufferTypeGetByName("http_request_line");
SigMatchAppendSMToList(s, sm, list);
}
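Review bot: The values returned by `DetectBufferTypeGetByName("http_header")` and `DetectBufferTypeGetByName("http_raw_header")` are passed straight to `SigMatchAppendSMToList` as the list index, with no check that the name resolved. The lookup's definition is not visible here; if it can return a negative value for an unregistered buffer, a guard of the form `if (list < 0)` that fails the keyword setup would keep a bad index out of the list arrays. The pcre `'H'` and `'D'` modifier cases further down use the same unchecked pattern, and the neighbouring `http_user_agent` and `http_request_line` branches already do so, so one small helper could cover all of them. The enclosing function starts and ends outside the hunk.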
CASE_CODE_STRING(DETECT_SM_LIST_PMATCH, "payload");
CASE_CODE_STRING(DETECT_SM_LIST_HRUDMATCH, "http_raw_uri");
CASE_CODE_STRING(DETECT_SM_LIST_HCBDMATCH, "http_client_body");
- CASE_CODE_STRING(DETECT_SM_LIST_HHDMATCH, "http_header");
- CASE_CODE_STRING(DETECT_SM_LIST_HRHDMATCH, "http_raw_header");
CASE_CODE_STRING(DETECT_SM_LIST_APP_EVENT, "app-layer-event");
CASE_CODE_STRING(DETECT_SM_LIST_AMATCH, "app-layer");
CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc");
CASE_CODE(DETECT_SM_LIST_PMATCH);
CASE_CODE(DETECT_SM_LIST_HRUDMATCH);
CASE_CODE(DETECT_SM_LIST_HCBDMATCH);
- CASE_CODE(DETECT_SM_LIST_HHDMATCH);
- CASE_CODE(DETECT_SM_LIST_HRHDMATCH);
CASE_CODE(DETECT_SM_LIST_APP_EVENT);
CASE_CODE(DETECT_SM_LIST_AMATCH);
CASE_CODE(DETECT_SM_LIST_DMATCH);
SCReturnInt(0);
}
- if (s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL) {
- if ((s->flags & (SIG_FLAG_TOCLIENT|SIG_FLAG_TOSERVER)) == (SIG_FLAG_TOCLIENT|SIG_FLAG_TOSERVER)) {
- SCLogError(SC_ERR_INVALID_SIGNATURE,"http_raw_header signature "
- "without a flow direction. Use flow:to_server for "
- "inspecting request headers or flow:to_client for "
- "inspecting response headers.");
- SCReturnInt(0);
- }
- }
-
//if (s->alproto != ALPROTO_UNKNOWN) {
// if (s->flags & SIG_FLAG_STATE_MATCH) {
// if (s->alproto == ALPROTO_DNS) {
}
if (s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH] ||
- s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH] ||
- s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH] ||
- s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH])
+ s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH])
{
SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature combines packet "
"specific matches (like dsize, flags, ttl) with stream / "
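Review bot: With `DETECT_SM_LIST_HHDMATCH` and `DETECT_SM_LIST_HRHDMATCH` dropped from this condition, a rule that mixes packet-specific keywords (dsize, flags, ttl) with http_header or http_raw_header content is no longer rejected by this check. Unless an equivalent test over the dynamically registered buffer lists exists outside the hunk, such rules would now load and might not inspect what the rule writer expects. I would confirm that, and if it is missing, extend the condition to the dynamic list ids. The later hunks that remove the same two lists from the `smlists[...] != NULL` early returns raise the same question for how a header-only rule is classified. The enclosing function starts and ends outside the hunk.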
*sm_list = DetectPcreSetList(*sm_list, list);
break;
}
- case 'H': /* snort's option */
+ case 'H': { /* snort's option */
if (pd->flags & DETECT_PCRE_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'H' inconsistent with 'B'");
goto error;
}
- *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HHDMATCH);
+ int list = DetectBufferTypeGetByName("http_header");
+ *sm_list = DetectPcreSetList(*sm_list, list);
break;
- case 'I': /* snort's option */
+ } case 'I': /* snort's option */
if (pd->flags & DETECT_PCRE_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'I' inconsistent with 'B'");
goto error;
}
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HRUDMATCH);
break;
- case 'D': /* snort's option */
- *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HRHDMATCH);
+ case 'D': { /* snort's option */
+ int list = DetectBufferTypeGetByName("http_raw_header");
+ *sm_list = DetectPcreSetList(*sm_list, list);
break;
+ }
case 'M': { /* snort's option */
if (pd->flags & DETECT_PCRE_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'M' inconsistent with 'B'");
goto error;
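Review bot: The closing brace of the new `case 'H': {` block shares a line with the next label (`} case 'I':`), while the `'D'` and `'M'` blocks close on a line of their own. I would put `}` on its own line before `case 'I': /* snort's option */` so the block ends are uniform and a later edit cannot misjudge where `'H'` stops. Both new blocks also resolve the list id by name for every parsed pcre; an id resolved once at registration, as the unit tests do with `g_http_header_buffer_id`, would avoid the repeated lookup. The switch continues outside the hunk.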
if (parsed_sm_list == DETECT_SM_LIST_HRUDMATCH ||
- parsed_sm_list == DETECT_SM_LIST_HCBDMATCH ||
- parsed_sm_list == DETECT_SM_LIST_HHDMATCH ||
- parsed_sm_list == DETECT_SM_LIST_HRHDMATCH)
+ parsed_sm_list == DETECT_SM_LIST_HCBDMATCH)
{
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
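Review bot: The `'H'` and `'D'` modifiers now produce a list id looked up at run time, so `parsed_sm_list` can no longer equal any constant left in this condition, and the `s->alproto` conflict check is skipped for them. The next hunk removes the same two cases from the switch that sets `SIG_FLAG_APPLAYER` and `s->alproto = ALPROTO_HTTP`. Unless the part of that switch outside the hunk handles registered buffer ids, a pcre using `/H` or `/D` would no longer tie the rule to HTTP or be refused on a non-HTTP rule. I would add the equivalent test for the dynamic ids here, or a comment naming where it is now done.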
break;
case DETECT_SM_LIST_HRUDMATCH:
- case DETECT_SM_LIST_HHDMATCH:
- case DETECT_SM_LIST_HRHDMATCH:
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
sm_list = parsed_sm_list;
#ifdef UNITTESTS /* UNITTESTS */
static int g_file_data_buffer_id = 0;
+static int g_http_header_buffer_id = 0;
/**
* \test DetectPcreParseTest01 make sure we don't allow invalid opts 7.
s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"User-Agent: \"; http_header; pcre:\"/(?P<flow_ua>.*)\\r\\n/HR\"; sid:1;)");
FAIL_IF(s == NULL);
- FAIL_IF(s->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL ||
- s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next == NULL ||
- s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next->type != DETECT_PCRE);
- DetectPcreData *pd = (DetectPcreData *)s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next->ctx;
+ FAIL_IF(s->sm_lists[g_http_header_buffer_id] == NULL ||
+ s->sm_lists[g_http_header_buffer_id]->next == NULL ||
+ s->sm_lists[g_http_header_buffer_id]->next->type != DETECT_PCRE);
+ DetectPcreData *pd = (DetectPcreData *)s->sm_lists[g_http_header_buffer_id]->next->ctx;
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"User-Agent: \"; http_header; pcre:\"/(?P<flow_ua>.*)\\r\\n/HR\"; priority:1; sid:1;)");
FAIL_IF(s == NULL);
- FAIL_IF(s->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL ||
- s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next == NULL ||
- s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next->type != DETECT_PCRE);
- DetectPcreData *pd1 = (DetectPcreData *)s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next->ctx;
+ FAIL_IF(s->sm_lists[g_http_header_buffer_id] == NULL ||
+ s->sm_lists[g_http_header_buffer_id]->next == NULL ||
+ s->sm_lists[g_http_header_buffer_id]->next->type != DETECT_PCRE);
+ DetectPcreData *pd1 = (DetectPcreData *)s->sm_lists[g_http_header_buffer_id]->next->ctx;
s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"Server: \"; http_header; pcre:\"/(?P<flow_ua>.*)\\r\\n/HR\"; priority:3; sid:2;)");
FAIL_IF(s == NULL);
- FAIL_IF(s->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL ||
- s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next == NULL ||
- s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next->type != DETECT_PCRE);
- DetectPcreData *pd2 = (DetectPcreData *)s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next->ctx;
+ FAIL_IF(s->sm_lists[g_http_header_buffer_id] == NULL ||
+ s->sm_lists[g_http_header_buffer_id]->next == NULL ||
+ s->sm_lists[g_http_header_buffer_id]->next->type != DETECT_PCRE);
+ DetectPcreData *pd2 = (DetectPcreData *)s->sm_lists[g_http_header_buffer_id]->next->ctx;
FAIL_IF(pd1->capidx != pd2->capidx);
s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"User-Agent: \"; http_header; pcre:\"/(?P<flow_ua>.*)\\r\\n/HR\"; content:\"xyz\"; http_header; priority:1; sid:1;)");
FAIL_IF(s == NULL);
- FAIL_IF(s->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL ||
- s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next == NULL ||
- s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next->type != DETECT_PCRE);
- DetectPcreData *pd1 = (DetectPcreData *)s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next->ctx;
+ FAIL_IF(s->sm_lists[g_http_header_buffer_id] == NULL ||
+ s->sm_lists[g_http_header_buffer_id]->next == NULL ||
+ s->sm_lists[g_http_header_buffer_id]->next->type != DETECT_PCRE);
+ DetectPcreData *pd1 = (DetectPcreData *)s->sm_lists[g_http_header_buffer_id]->next->ctx;
s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"Server: \"; http_header; pcre:\"/(?P<flow_ua>.*)\\r\\n/HR\"; content:\"xyz\"; http_header; priority:3; sid:2;)");
FAIL_IF(s == NULL);
- FAIL_IF(s->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL ||
- s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next == NULL ||
- s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next->type != DETECT_PCRE);
- DetectPcreData *pd2 = (DetectPcreData *)s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next->ctx;
+ FAIL_IF(s->sm_lists[g_http_header_buffer_id] == NULL ||
+ s->sm_lists[g_http_header_buffer_id]->next == NULL ||
+ s->sm_lists[g_http_header_buffer_id]->next->type != DETECT_PCRE);
+ DetectPcreData *pd2 = (DetectPcreData *)s->sm_lists[g_http_header_buffer_id]->next->ctx;
FAIL_IF(pd1->capidx != pd2->capidx);
{
#ifdef UNITTESTS /* UNITTESTS */
g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
+ g_http_header_buffer_id = DetectBufferTypeGetByName("http_header");
UtRegisterTest("DetectPcreParseTest01", DetectPcreParseTest01);
UtRegisterTest("DetectPcreParseTest02", DetectPcreParseTest02);
if (s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL)
return 0;
- if (s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL)
- return 0;
-
- if (s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL)
- return 0;
-
if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL)
return 0;
- if (s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL)
- return 0;
-
- if (s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL)
- return 0;
-
if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL ||
- s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL ||
- s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL)
{
SCReturnInt(0);
SCLogDebug("sig requires http app state");
}
- if (s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL) {
- s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
- SCLogDebug("sig requires http app state");
- }
-
- if (s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL) {
- s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
- SCLogDebug("sig requires http app state");
- }
-
if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL) {
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
SCLogDebug("sig requires http app state");
DETECT_SM_LIST_HRUDMATCH = DETECT_SM_LIST_BUILTIN_MAX,
/* list for http_client_body keyword and the ones relative to it */
DETECT_SM_LIST_HCBDMATCH,
- /* list for http_header keyword and the ones relative to it */
- DETECT_SM_LIST_HHDMATCH,
- /* list for http_raw_header keyword and the ones relative to it */
- DETECT_SM_LIST_HRHDMATCH,
/* app event engine sm list */
DETECT_SM_LIST_APP_EVENT,