detect: validate http_method pattern
authorVictor Julien <victor@inliniac.net>
Fri, 9 Oct 2015 09:18:36 +0000 (11:18 +0200)
committerVictor Julien <victor@inliniac.net>
Mon, 4 Apr 2016 16:14:54 +0000 (18:14 +0200)
Leading and trailing spaces and tabs are invalid as these are not part
of the buffer as returned by libhtp.

src/detect-http-method.c
src/detect-http-method.h
src/detect-parse.c

index 4cc8a7873f7f152fcf5c9137c87f56330c6df9c5..6807648c6e7810dba9c2013511303da4737278f0 100644 (file)
@@ -118,6 +118,41 @@ void DetectHttpMethodFree(void *ptr)
     SCFree(data);
 }
 
+/**
+ *  \retval 1 valid
+ *  \retval 0 invalid
+ */
+int DetectHttpMethodValidateRule(const Signature *s)
+{
+    if (s->alproto != ALPROTO_HTTP)
+        return 1;
+
+    if (s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL) {
+        const SigMatch *sm = s->sm_lists[DETECT_SM_LIST_HMDMATCH];
+        for ( ; sm != NULL; sm = sm->next) {
+            if (sm->type != DETECT_CONTENT)
+                continue;
+            const DetectContentData *cd = (const DetectContentData *)sm->ctx;
+            if (cd->content && cd->content_len) {
+                if (cd->content[cd->content_len-1] == 0x20) {
+                    SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with trailing space");
+                    return 0;
+                } else if (cd->content[0] == 0x20) {
+                    SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with leading space");
+                    return 0;
+                } else if (cd->content[cd->content_len-1] == 0x09) {
+                    SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with trailing tab");
+                    return 0;
+                } else if (cd->content[0] == 0x09) {
+                    SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with leading tab");
+                    return 0;
+                }
+            }
+        }
+    }
+    return 1;
+}
+
 #ifdef UNITTESTS /* UNITTESTS */
 
 #include "stream-tcp-reassemble.h"
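Review bot: The doc comment on DetectHttpMethodValidateRule lists only the two return values and says nothing about what is checked or why, so the reason survives only in the commit message. I would add `\brief reject http_method patterns that begin or end with a space or tab; libhtp returns the method buffer without that whitespace, so such a pattern cannot match` and `\param s signature to validate`. It should also state that rules whose alproto is not ALPROTO_HTTP are accepted unchecked, since that early return is easy to miss. As a smaller style point, the outer `if (s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL)` is redundant because the `for` loop condition already handles an empty list.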
@@ -649,7 +684,7 @@ static int DetectHttpMethodSigTest03(void)
     s = de_ctx->sig_list = SigInit(de_ctx,
                                    "alert tcp any any -> any any "
                                    "(msg:\"Testing http_method\"; "
-                                   "content:\" \"; "
+                                   "content:\"GET\"; "
                                    "http_method; sid:1;)");
     if (s == NULL) {
         SCLogDebug("Bad signature");
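Review bot: No visible hunk adds a test that expects rejection. Swapping the whitespace pattern in DetectHttpMethodSigTest03 for `GET` keeps that test loading, but it leaves the new check in DetectHttpMethodValidateRule unexercised. A negative test should load a rule whose http_method pattern has a leading or trailing space or tab and assert that SigInit returns NULL, so a later refactor cannot quietly re-admit rules that load but never fire. The sketch below uses a constructed test name and still needs registering with the file's other unit tests; the body of DetectHttpMethodSigTest03 continues outside this hunk.

```c
/** \test http_method pattern with trailing space must be rejected at load */
static int DetectHttpMethodSigTestWhitespace(void)
{
    int result = 0;
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        return 0;
    de_ctx->flags |= DE_QUIET;

    Signature *s = SigInit(de_ctx,
                           "alert tcp any any -> any any "
                           "(msg:\"Testing http_method\"; "
                           "content:\"GET \"; "
                           "http_method; sid:1;)");
    if (s == NULL)
        result = 1;     /* refused by SigValidate, as intended */
    else
        SigFree(s);     /* unexpected: rule was accepted */

    DetectEngineCtxFree(de_ctx);
    return result;
}
```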
index 9e6dc4dd95efd9805f11072592b693d044e1c9b8..d1593aed7603827d12c678fbe523c8ece7e6ba36 100644 (file)
@@ -28,6 +28,7 @@
 void DetectHttpMethodRegister(void);
 int DetectHttpMethodDoMatch(DetectEngineThreadCtx *, Signature *, SigMatch *,
                             Flow *, uint8_t, void *);
+int DetectHttpMethodValidateRule(const Signature *s);
 
 #endif /* __DETECT_HTTP_METHOD_H__ */
 
index 4139b9b102fc0a43418bd1a1c40ae0ea89588665..c392ba3fd1b04c94e470d3fceeb5e8e953ef2455 100644 (file)
@@ -43,6 +43,7 @@
 #include "detect-engine-apt-event.h"
 #include "detect-lua.h"
 #include "detect-app-layer-event.h"
+#include "detect-http-method.h"
 
 #include "pkt-var.h"
 #include "host.h"
@@ -1206,6 +1207,9 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
         }
     }
 
+    if (!DetectHttpMethodValidateRule(s))
+        SCReturnInt(0);
+
     //if (s->alproto != ALPROTO_UNKNOWN) {
     //    if (s->flags & SIG_FLAG_STATE_MATCH) {
     //        if (s->alproto == ALPROTO_DNS) {