return SCAN_NOT_FOUND;
}
-HttpBodyCutter::HttpBodyCutter(bool accelerated_blocking_, CompressId compression_)
- : accelerated_blocking(accelerated_blocking_), compression(compression_)
+HttpBodyCutter::HttpBodyCutter(bool accelerated_blocking_, ScriptFinder* finder_,
+ CompressId compression_)
+ : accelerated_blocking(accelerated_blocking_), compression(compression_), finder(finder_)
{
if (accelerated_blocking)
{
match_string = inspect_string;
match_string_upper = inspect_upper;
string_length = sizeof(inspect_string);
- HttpModule::get_script_finder(finder, handle);
}
}
if ( partial_match and find_partial(input_buf, input_length, true) )
return true;
- if ( finder->search(handle, input_buf, input_length) >= 0 )
+ if ( finder->search(input_buf, input_length) >= 0 )
return true;
uint32_t delta = input_length - string_length + 1;
#include <cassert>
#include <zlib.h>
-#include "helpers/literal_search.h"
-
#include "http_enum.h"
#include "http_event.h"
+#include "http_module.h"
//-------------------------------------------------------------------------
// HttpCutter class and subclasses
class HttpBodyCutter : public HttpCutter
{
public:
- HttpBodyCutter(bool accelerated_blocking_, HttpEnums::CompressId compression_);
+ HttpBodyCutter(bool accelerated_blocking_, ScriptFinder* finder,
+ HttpEnums::CompressId compression_);
~HttpBodyCutter() override;
void soft_reset() override { octets_seen = 0; }
HttpEnums::CompressId compression;
z_stream* compress_stream = nullptr;
bool decompress_failed = false;
- snort::LiteralSearch* finder = nullptr;
- snort::LiteralSearch::Handle* handle = nullptr;
+ ScriptFinder* const finder;
const uint8_t* match_string;
const uint8_t* match_string_upper;
uint8_t string_length;
public:
HttpBodyClCutter(int64_t expected_length,
bool accelerated_blocking,
+ ScriptFinder* finder,
HttpEnums::CompressId compression) :
- HttpBodyCutter(accelerated_blocking, compression), remaining(expected_length)
+ HttpBodyCutter(accelerated_blocking, finder, compression), remaining(expected_length)
{ assert(remaining > 0); }
HttpEnums::ScanResult cut(const uint8_t*, uint32_t length, HttpInfractions*, HttpEventGen*,
uint32_t flow_target, bool stretch, HttpEnums::H2BodyState) override;
class HttpBodyOldCutter : public HttpBodyCutter
{
public:
- HttpBodyOldCutter(bool accelerated_blocking, HttpEnums::CompressId compression) :
- HttpBodyCutter(accelerated_blocking, compression)
+ HttpBodyOldCutter(bool accelerated_blocking, ScriptFinder* finder,
+ HttpEnums::CompressId compression) :
+ HttpBodyCutter(accelerated_blocking, finder, compression)
{}
HttpEnums::ScanResult cut(const uint8_t*, uint32_t, HttpInfractions*, HttpEventGen*,
uint32_t flow_target, bool stretch, HttpEnums::H2BodyState) override;
class HttpBodyChunkCutter : public HttpBodyCutter
{
public:
- HttpBodyChunkCutter(bool accelerated_blocking, HttpEnums::CompressId compression) :
- HttpBodyCutter(accelerated_blocking, compression)
+ HttpBodyChunkCutter(bool accelerated_blocking, ScriptFinder* finder,
+ HttpEnums::CompressId compression) :
+ HttpBodyCutter(accelerated_blocking, finder, compression)
{}
HttpEnums::ScanResult cut(const uint8_t* buffer, uint32_t length,
HttpInfractions* infractions, HttpEventGen* events, uint32_t flow_target, bool stretch,
public:
HttpBodyH2Cutter(int64_t expected_length,
bool accelerated_blocking,
+ ScriptFinder* finder,
HttpEnums::CompressId compression) :
- HttpBodyCutter(accelerated_blocking, compression), expected_body_length(expected_length)
+ HttpBodyCutter(accelerated_blocking, finder, compression),
+ expected_body_length(expected_length)
{}
HttpEnums::ScanResult cut(const uint8_t* buffer, uint32_t length, HttpInfractions*,
HttpEventGen*, uint32_t flow_target, bool stretch, HttpEnums::H2BodyState state) override;
HttpTestManager::set_show_scan(params->show_scan);
}
#endif
+
+ if (params->script_detection)
+ {
+ script_finder = new ScriptFinder(params->script_detection_handle);
+ }
}
bool HttpInspect::configure(SnortConfig* )
//-------------------------------------------------------------------------
#include "framework/cursor.h"
+#include "helpers/literal_search.h"
#include "log/messages.h"
#include "http_buffer_info.h"
{
public:
HttpInspect(const HttpParaList* params_);
- ~HttpInspect() override { delete params; }
+ ~HttpInspect() override { delete params; delete script_finder; }
bool get_buf(snort::InspectionBuffer::Type ibt, snort::Packet* p,
snort::InspectionBuffer& b) override;
static void http_set_flow_data(snort::Flow* flow, HttpFlowData* flow_data);
const HttpParaList* const params;
+ snort::LiteralSearch::Handle* s_handle = nullptr;
+ ScriptFinder* script_finder = nullptr;
// Registrations for "extra data"
const uint32_t xtra_trueip_id;
#include "http_module.h"
-#include "helpers/literal_search.h"
#include "log/messages.h"
#include "http_enum.h"
using namespace snort;
using namespace HttpEnums;
-LiteralSearch::Handle* s_handle = nullptr;
-LiteralSearch* s_script = nullptr;
-
-HttpModule::HttpModule() : Module(HTTP_NAME, HTTP_HELP, http_params)
+HttpModule::HttpModule() : Module(HTTP_NAME, HTTP_HELP, http_params),
+ script_detection_handle(LiteralSearch::setup())
{
- s_handle = LiteralSearch::setup();
- s_script = LiteralSearch::instantiate(s_handle, (const uint8_t*)"</SCRIPT>", 9, true, true);
}
HttpModule::~HttpModule()
{
delete params;
- delete s_script;
- LiteralSearch::cleanup(s_handle);
-}
-
-void HttpModule::get_script_finder(LiteralSearch*& finder, LiteralSearch::Handle*& handle)
-{
- finder = s_script;
- handle = s_handle;
+ LiteralSearch::cleanup(script_detection_handle);
}
const Parameter HttpModule::http_params[] =
if ( params->js_norm_param.is_javascript_normalization )
params->js_norm_param.js_norm = new HttpJsNorm(params->uri_param);
- prepare_http_header_list(params);
+ params->script_detection_handle = script_detection_handle;
+ prepare_http_header_list(params);
return true;
}
bool decompress_swf = false;
bool decompress_zip = false;
bool script_detection = false;
+ snort::LiteralSearch::Handle* script_detection_handle = nullptr;
struct JsNormParam
{
#endif
};
+class ScriptFinder
+{
+public:
+ ScriptFinder(snort::LiteralSearch::Handle* h) : handle(h),
+ finder(snort::LiteralSearch::instantiate(h, (const uint8_t*)"</SCRIPT>", 9, true, true))
+ {}
+
+ ~ScriptFinder() { delete finder; }
+
+ int search(const uint8_t* buf, unsigned len) const
+ { return finder->search(handle, buf, len); }
+
+private:
+ snort::LiteralSearch::Handle* const handle;
+ const snort::LiteralSearch* const finder;
+};
+
class HttpModule : public snort::Module
{
public:
bool set(const char*, snort::Value&, snort::SnortConfig*) override;
unsigned get_gid() const override { return HttpEnums::HTTP_GID; }
const snort::RuleMap* get_rules() const override { return http_events; }
+
const HttpParaList* get_once_params()
{
HttpParaList* ret_val = params;
static PegCount get_peg_counts(HttpEnums::PEG_COUNT counter)
{ return peg_counts[counter]; }
- static void get_script_finder(snort::LiteralSearch*&, snort::LiteralSearch::Handle*&);
-
snort::ProfileStats* get_profile() const override;
static snort::ProfileStats& get_profile_stats()
static const PegInfo peg_names[];
static THREAD_LOCAL snort::ProfileStats http_profile;
static THREAD_LOCAL PegCount peg_counts[];
+ snort::LiteralSearch::Handle* const script_detection_handle;
};
#endif
return (HttpCutter*)new HttpBodyClCutter(
session_data->data_length[source_id],
session_data->accelerated_blocking[source_id],
+ my_inspector->script_finder,
session_data->compression[source_id]);
case SEC_BODY_CHUNK:
return (HttpCutter*)new HttpBodyChunkCutter(
session_data->accelerated_blocking[source_id],
+ my_inspector->script_finder,
session_data->compression[source_id]);
case SEC_BODY_OLD:
return (HttpCutter*)new HttpBodyOldCutter(
session_data->accelerated_blocking[source_id],
+ my_inspector->script_finder,
session_data->compression[source_id]);
case SEC_BODY_H2:
return (HttpCutter*)new HttpBodyH2Cutter(
session_data->data_length[source_id],
session_data->accelerated_blocking[source_id],
+ my_inspector->script_finder,
session_data->compression[source_id]);
default:
assert(false);