From: Anoop Saldanha
Date: Sun, 14 Oct 2012 10:49:53 +0000 (+0530)
Subject: Engine cleanup. Remove all old engine inspection and mpm functions.
X-Git-Tag: suricata-1.4beta3~75
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=10a6e6a3eb9fd4b17130e385062aa6bf3eb247b9;p=thirdparty%2Fsuricata.git
Engine cleanup. Remove all old engine inspection and mpm functions.
---
diff --git a/src/detect-engine-hcbd.c b/src/detect-engine-hcbd.c
index de326f21e5..9fd09ec88b 100644
--- a/src/detect-engine-hcbd.c
+++ b/src/detect-engine-hcbd.c
@@ -213,163 +213,6 @@ static uint8_t *DetectEngineHCBDGetBufferForTX(int tx_id, return buffer; } -/** - * \brief Helps buffer request bodies for different transactions and stores them - * away in detection code. - * - * \param de_ctx Detection Engine ctx. - * \param det_ctx Detection engine thread ctx. - * \param f Pointer to the flow. - * \param htp_state http state. - * - * \warning Make sure flow is locked -- flow is modified, WRITE lock needed - */ -static void DetectEngineBufferHttpClientBodies(DetectEngineCtx *de_ctx, - DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state, uint8_t flags) -{ - int idx = 0; - htp_tx_t *tx = NULL; - int i = 0; - - if (htp_state == NULL) { - SCLogDebug("no HTTP state"); - goto end; - } - - if (htp_state->connp == NULL || htp_state->connp->conn == NULL) { - SCLogDebug("HTP state has no conn(p)"); - goto end; - } - - /* get the transaction id */ - int tmp_idx = AppLayerTransactionGetInspectId(f); - /* error! get out of here */ - if (tmp_idx == -1) - goto end; - - /* let's get the transaction count. We need this to hold the client body - * buffer for each transaction */ - size_t txs = list_size(htp_state->connp->conn->transactions) - tmp_idx; - /* no transactions?! cool. 
get out of here */ - if (txs == 0) { - det_ctx->hcbd_buffers_list_len = 0; - goto end; - } else if (txs > det_ctx->hcbd_buffers_list_len) { - det_ctx->hcbd = SCRealloc(det_ctx->hcbd, txs * sizeof(HttpReassembledBody)); - if (det_ctx->hcbd == NULL) { - det_ctx->hcbd_buffers_list_len = 0; - goto end; - } - - memset(det_ctx->hcbd + det_ctx->hcbd_buffers_list_len, 0, - (txs - det_ctx->hcbd_buffers_list_len) * sizeof(HttpReassembledBody)); - det_ctx->hcbd_buffers_list_len = txs; - } - - idx = AppLayerTransactionGetInspectId(f); - if (idx == -1) { - goto end; - } - - int size = (int)list_size(htp_state->connp->conn->transactions); - for (; idx < size; idx++, i++) { - /* already set up */ - if (det_ctx->hcbd[i].buffer_len > 0) { - SCLogDebug("set up already"); - continue; - } - - tx = list_get(htp_state->connp->conn->transactions, idx); - if (tx == NULL) { - SCLogDebug("no tx"); - continue; - } - - HtpTxUserData *htud = (HtpTxUserData *)htp_tx_get_user_data(tx); - if (htud == NULL) { - SCLogDebug("no htud"); - continue; - } - - /* no new data */ - if (htud->request_body.body_inspected == htud->request_body.content_len_so_far) { - SCLogDebug("no new data"); - continue; - } - - HtpBodyChunk *cur = htud->request_body.first; - if (cur == NULL) { - SCLogDebug("No http chunks to inspect for this transacation"); - continue; - } - - /* irrespective of chunked encoding or not, we rely on the tx state - * to decide if we have seen the whole body or not */ - if ((htud->request_body.content_len_so_far > 0) && - tx->progress != TX_PROGRESS_REQ_BODY) { - /* final length of the body */ - htud->tsflags |= HTP_REQ_BODY_COMPLETE; - } - - if (flags & STREAM_EOF) { - htud->tsflags |= HTP_REQ_BODY_COMPLETE; - } - - /* inspect the body if the transfer is complete or we have hit - * our body size limit */ - if (htud->request_body.content_len_so_far < BODY_MINIMAL_SIZE && - !(htud->tsflags & HTP_REQ_BODY_COMPLETE)) { - SCLogDebug("we still haven't seen the entire request body. 
" - "Let's defer body inspection till we see the " - "entire body."); - continue; - } - - int first = 1; - while (cur != NULL) { - /* see if we can filter out chunks */ - if (htud->request_body.body_inspected > 0) { - if (cur->stream_offset < htud->request_body.body_inspected) { - if (htud->request_body.body_inspected - cur->stream_offset > BODY_SCAN_WINDOW) { - cur = cur->next; - continue; - } else { - /* include this one */ - } - } else { - /* include this one */ - } - } - - if (first) { - det_ctx->hcbd[i].offset = cur->stream_offset; - first = 0; - } - - /* see if we need to grow the buffer */ - if (det_ctx->hcbd[i].buffer == NULL || det_ctx->hcbd[i].buffer_len + cur->len > det_ctx->hcbd[i].buffer_size) { - det_ctx->hcbd[i].buffer_size += cur->len * 2; - - if ((det_ctx->hcbd[i].buffer = SCRealloc(det_ctx->hcbd[i].buffer, det_ctx->hcbd[i].buffer_size)) == NULL) { - goto end; - } - } - memcpy(det_ctx->hcbd[i].buffer + det_ctx->hcbd[i].buffer_len, cur->data, cur->len); - det_ctx->hcbd[i].buffer_len += cur->len; - - cur = cur->next; - } - - /* update inspected tracker */ - htud->request_body.body_inspected = - htud->request_body.last->stream_offset + - htud->request_body.last->len; - } /* for (idx = AppLayerTransactionGetInspectId(f); .. */ - -end: - return; -} - int DetectEngineRunHttpClientBodyMpmV2(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state, uint8_t flags) 
@@ -413,32 +256,6 @@ int DetectEngineRunHttpClientBodyMpmV2(DetectEngineCtx *de_ctx, return cnt; } -int DetectEngineRunHttpClientBodyMpm(DetectEngineCtx *de_ctx, - DetectEngineThreadCtx *det_ctx, Flow *f, - HtpState *htp_state, uint8_t flags) -{ - int i; - uint32_t cnt = 0; - - FLOWLOCK_WRLOCK(f); - DetectEngineBufferHttpClientBodies(de_ctx, det_ctx, f, htp_state, flags); - FLOWLOCK_UNLOCK(f); - - if (det_ctx->hcbd != NULL && det_ctx->hcbd_buffers_list_len) { - for (i = 0; i < det_ctx->hcbd_buffers_list_len; i++) { - if (det_ctx->hcbd[i].buffer_len == 0) - continue; - - cnt += HttpClientBodyPatternSearch(det_ctx, - det_ctx->hcbd[i].buffer, - det_ctx->hcbd[i].buffer_len, - flags); - } - } - - return cnt; -} - int DetectEngineInspectHttpClientBodyV2(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Signature *s, Flow *f, uint8_t flags, 
@@ -496,57 +313,6 @@ int DetectEngineInspectHttpClientBodyV2(DetectEngineCtx *de_ctx, return r; } -/** - * \brief Do the http_client_body content inspection for a signature. - * - * \param de_ctx Detection engine context. - * \param det_ctx Detection engine thread context. - * \param s Signature to inspect. - * \param f Flow. - * \param flags App layer flags. - * \param state App layer state. - * - * \retval 0 No match. - * \retval 1 Match. - */ -int DetectEngineInspectHttpClientBody(DetectEngineCtx *de_ctx, - DetectEngineThreadCtx *det_ctx, Signature *s, Flow *f, uint8_t flags, - void *alstate) -{ - SCEnter(); - int r = 0; - int i = 0; - - FLOWLOCK_WRLOCK(f); - DetectEngineBufferHttpClientBodies(de_ctx, det_ctx, f, alstate, flags); - FLOWLOCK_UNLOCK(f); - - if (det_ctx->hcbd != NULL && det_ctx->hcbd_buffers_list_len) { - for (i = 0; i < det_ctx->hcbd_buffers_list_len; i++) { - uint8_t *hcbd_buffer = det_ctx->hcbd[i].buffer; - uint32_t hcbd_buffer_len = det_ctx->hcbd[i].buffer_len; - - if (hcbd_buffer == NULL || hcbd_buffer_len == 0) - continue; - - det_ctx->buffer_offset = 0; - det_ctx->discontinue_matching = 0; - det_ctx->inspection_recursion_counter = 0; - - r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HCBDMATCH], - f, - hcbd_buffer, - hcbd_buffer_len, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_HCBD, NULL); - if (r == 1) { - break; - } - } - } - - SCReturnInt(r); -} - void DetectEngineCleanHCBDBuffersV2(DetectEngineThreadCtx *det_ctx) { if (det_ctx->hcbd_buffers_list_len > 0) { 
@@ -561,23 +327,6 @@ void DetectEngineCleanHCBDBuffersV2(DetectEngineThreadCtx *det_ctx) return; } -/** - * \brief Clean the hcbd buffers. - * - * \param det_ctx Pointer to the detection engine thread ctx. - */ -void DetectEngineCleanHCBDBuffers(DetectEngineThreadCtx *det_ctx) -{ - int i; - if (det_ctx->hcbd != NULL && det_ctx->hcbd_buffers_list_len) { - for (i = 0; i < det_ctx->hcbd_buffers_list_len; i++) { - det_ctx->hcbd[i].buffer_len = 0; - } - } - return; -} - - /***********************************Unittests**********************************/ #ifdef UNITTESTS
diff --git a/src/detect-engine-hcbd.h b/src/detect-engine-hcbd.h
index e8034feacb..d0c200613f 100644
--- a/src/detect-engine-hcbd.h
+++ b/src/detect-engine-hcbd.h
@@ -27,16 +27,6 @@ #include "app-layer-htp.h" -int DetectEngineRunHttpClientBodyMpm(DetectEngineCtx *, - DetectEngineThreadCtx *, Flow *f, - HtpState *, uint8_t); -int DetectEngineInspectHttpClientBody(DetectEngineCtx *, - DetectEngineThreadCtx *, Signature *, Flow *, uint8_t, void *); - -void DetectEngineCleanHCBDBuffers(DetectEngineThreadCtx *); -void DetectEngineHttpClientBodyRegisterTests(void); - - int DetectEngineRunHttpClientBodyMpmV2(DetectEngineCtx *, DetectEngineThreadCtx *, Flow *f, HtpState *, uint8_t);
@@ -46,6 +36,7 @@ int DetectEngineInspectHttpClientBodyV2(DetectEngineCtx *, uint8_t, void *); void DetectEngineCleanHCBDBuffersV2(DetectEngineThreadCtx *); +void DetectEngineHttpClientBodyRegisterTests(void); #endif /* __DETECT_ENGINE_HCBD_H__ */
diff --git a/src/detect-engine-hhd.c b/src/detect-engine-hhd.c
index e04e746a4b..2ee1b81f4c 100644
--- a/src/detect-engine-hhd.c
+++ b/src/detect-engine-hhd.c
@@ -173,133 +173,6 @@ static uint8_t *DetectEngineHHDGetBufferForTX(int tx_id, return headers_buffer; } -/** - * \brief Helps buffer http normalized headers from different transactions and - * stores them away in detection context. - * - * \param de_ctx Detection engine ctx. - * \param det_ctx Detection engine thread ctx. - * \param f Pointer to the locked flow. - * \param htp_state http state. - * - * \warning Make sure flow is locked. - */ -static void DetectEngineBufferHttpHeaders(DetectEngineThreadCtx *det_ctx, Flow *f, - HtpState *htp_state, uint8_t flags) -{ - int idx = 0; - htp_tx_t *tx = NULL; - int i = 0; - - if (htp_state == NULL) { - SCLogDebug("no HTTP state"); - goto end; - } - - if (htp_state->connp == NULL || htp_state->connp->conn == NULL) { - SCLogDebug("HTP state has no conn(p)"); - goto end; - } - - /* get the transaction id */ - int tmp_idx = AppLayerTransactionGetInspectId(f); - /* error! get out of here */ - if (tmp_idx == -1) - goto end; - - /* let's get the transaction count. We need this to hold the header - * buffer for each transaction */ - det_ctx->hhd_buffers_list_len = list_size(htp_state->connp->conn->transactions) - tmp_idx; - /* no transactions?! cool. get out of here */ - if (det_ctx->hhd_buffers_list_len == 0) - goto end; - - /* assign space to hold buffers. 
Each per transaction */ - det_ctx->hhd_buffers = SCMalloc(det_ctx->hhd_buffers_list_len * sizeof(uint8_t *)); - if (det_ctx->hhd_buffers == NULL) { - det_ctx->hhd_buffers_list_len = 0; - goto end; - } - memset(det_ctx->hhd_buffers, 0, det_ctx->hhd_buffers_list_len * sizeof(uint8_t *)); - - det_ctx->hhd_buffers_len = SCMalloc(det_ctx->hhd_buffers_list_len * sizeof(uint32_t)); - if (det_ctx->hhd_buffers_len == NULL) { - det_ctx->hhd_buffers_list_len = 0; - goto end; - } - memset(det_ctx->hhd_buffers_len, 0, det_ctx->hhd_buffers_list_len * sizeof(uint32_t)); - - idx = AppLayerTransactionGetInspectId(f); - if (idx == -1) { - det_ctx->hhd_buffers_list_len = 0; - goto end; - } - - int size = (int)list_size(htp_state->connp->conn->transactions); - for (; idx < size; idx++, i++) { - - tx = list_get(htp_state->connp->conn->transactions, idx); - if (tx == NULL) - continue; - - table_t *headers; - if (flags & STREAM_TOSERVER) { - headers = tx->request_headers; - } else { - headers = tx->response_headers; - } - - htp_header_t *h = NULL; - uint8_t *headers_buffer = NULL; - size_t headers_buffer_len = 0; - - table_iterator_reset(headers); - while (table_iterator_next(headers, (void **)&h) != NULL) { - size_t size1 = bstr_size(h->name); - size_t size2 = bstr_size(h->value); - - if (flags & STREAM_TOSERVER) { - if (size1 == 6 && - SCMemcmpLowercase("cookie", bstr_ptr(h->name), 6)) { - continue; - } - } else { - if (size1 == 10 && - SCMemcmpLowercase("set-cookie", bstr_ptr(h->name), 10) == 0) { - continue; - } - } - - /* the extra 4 bytes if for ": " and "\r\n" */ - headers_buffer = SCRealloc(headers_buffer, headers_buffer_len + size1 + size2 + 4); - if (headers_buffer == NULL) { - headers_buffer_len = 0; - continue; - } - - memcpy(headers_buffer + headers_buffer_len, bstr_ptr(h->name), size1); - headers_buffer_len += size1; - headers_buffer[headers_buffer_len] = ':'; - headers_buffer[headers_buffer_len + 1] = ' '; - headers_buffer_len += 2; - memcpy(headers_buffer + 
headers_buffer_len, bstr_ptr(h->value), size2); - headers_buffer_len += size2 + 2; - /* \r */ - headers_buffer[headers_buffer_len - 2] = '\r'; - /* \n */ - headers_buffer[headers_buffer_len - 1] = '\n'; - } - - /* store the buffers. We will need it for further inspection */ - det_ctx->hhd_buffers[i] = headers_buffer; - det_ctx->hhd_buffers_len[i] = headers_buffer_len; - - } /* for (idx = AppLayerTransactionGetInspectId(f); .. */ - -end: - return; -} - int DetectEngineRunHttpHeaderMpmV2(DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state, uint8_t flags) {
@@ -342,39 +215,6 @@ int DetectEngineRunHttpHeaderMpmV2(DetectEngineThreadCtx *det_ctx, Flow *f, return cnt; } -/** - * \brief run the mpm against the assembled http header buffer(s) - * \retval cnt Number of matches reported by the mpm algo. - */ -int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f, - HtpState *htp_state, uint8_t flags) -{ - int i; - uint32_t cnt = 0; - - if (det_ctx->hhd_buffers_list_len == 0) { - FLOWLOCK_RDLOCK(f); - DetectEngineBufferHttpHeaders(det_ctx, f, htp_state, flags); - FLOWLOCK_UNLOCK(f); - - for (i = 0; i < det_ctx->hhd_buffers_list_len; i++) { - cnt += HttpHeaderPatternSearch(det_ctx, - det_ctx->hhd_buffers[i], - det_ctx->hhd_buffers_len[i], - flags); - } - } else { - for (i = 0; i < det_ctx->hhd_buffers_list_len; i++) { - cnt += HttpHeaderPatternSearch(det_ctx, - det_ctx->hhd_buffers[i], - det_ctx->hhd_buffers_len[i], - flags); - } - } - - return cnt; -} - int DetectEngineInspectHttpHeaderV2(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Signature *s, Flow *f, uint8_t flags,
@@ -432,60 +272,6 @@ int DetectEngineInspectHttpHeaderV2(DetectEngineCtx *de_ctx, return r; } -/** - * \brief Do the http_header content inspection for a signature. - * - * \param de_ctx Detection engine context. - * \param det_ctx Detection engine thread context. - * \param s Signature to inspect. - * \param f Flow. - * \param flags App layer flags. - * \param state App layer state. - * - * \retval 0 No match. - * \retval 1 Match. - */ -int DetectEngineInspectHttpHeader(DetectEngineCtx *de_ctx, - DetectEngineThreadCtx *det_ctx, - Signature *s, Flow *f, uint8_t flags, - void *alstate) -{ - SCEnter(); - int r = 0; - int i = 0; - - if (det_ctx->hhd_buffers_list_len == 0) { - FLOWLOCK_RDLOCK(f); - DetectEngineBufferHttpHeaders(det_ctx, f, alstate, flags); - FLOWLOCK_UNLOCK(f); - } - - for (i = 0; i < det_ctx->hhd_buffers_list_len; i++) { - uint8_t *hhd_buffer = det_ctx->hhd_buffers[i]; - uint32_t hhd_buffer_len = det_ctx->hhd_buffers_len[i]; - - if (hhd_buffer == NULL) - continue; - - det_ctx->buffer_offset = 0; - det_ctx->discontinue_matching = 0; - det_ctx->inspection_recursion_counter = 0; - - r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HHDMATCH], - f, - hhd_buffer, - hhd_buffer_len, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_HHD, NULL); - //r = DoInspectHttpHeader(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HHDMATCH], - //hhd_buffer, hhd_buffer_len); - if (r == 1) { - break; - } - } - - SCReturnInt(r); -} - void DetectEngineCleanHHDBuffersV2(DetectEngineThreadCtx *det_ctx) { if (det_ctx->hhd_buffers_list_len != 0) { 
@@ -500,33 +286,6 @@ void DetectEngineCleanHHDBuffersV2(DetectEngineThreadCtx *det_ctx) return; } -/** - * \brief Clean the hhd buffers. - * - * \param det_ctx Pointer to the detection engine thread ctx. - */ -void DetectEngineCleanHHDBuffers(DetectEngineThreadCtx *det_ctx) -{ - if (det_ctx->hhd_buffers_list_len != 0) { - int i; - for (i = 0; i < det_ctx->hhd_buffers_list_len; i++) { - if (det_ctx->hhd_buffers[i] != NULL) - SCFree(det_ctx->hhd_buffers[i]); - } - } - if (det_ctx->hhd_buffers != NULL) { - SCFree(det_ctx->hhd_buffers); - det_ctx->hhd_buffers = NULL; - } - if (det_ctx->hhd_buffers_len != NULL) { - SCFree(det_ctx->hhd_buffers_len); - det_ctx->hhd_buffers_len = NULL; - } - det_ctx->hhd_buffers_list_len = 0; - - return; -} - /***********************************Unittests**********************************/ #ifdef UNITTESTS
diff --git a/src/detect-engine-hhd.h b/src/detect-engine-hhd.h
index b86c41bdad..738dc02bd9 100644
--- a/src/detect-engine-hhd.h
+++ b/src/detect-engine-hhd.h
@@ -25,13 +25,6 @@ #include "app-layer-htp.h" -int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *, Flow *, HtpState *, - uint8_t); -int DetectEngineInspectHttpHeader(DetectEngineCtx *, DetectEngineThreadCtx *, - Signature *, Flow *, uint8_t, void *); -void DetectEngineCleanHHDBuffers(DetectEngineThreadCtx *); -void DetectEngineHttpHeaderRegisterTests(void); - int DetectEngineInspectHttpHeaderV2(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Signature *s, Flow *f, uint8_t flags,
@@ -40,5 +33,6 @@ int DetectEngineRunHttpHeaderMpmV2(DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state, uint8_t flags); void DetectEngineCleanHHDBuffersV2(DetectEngineThreadCtx *det_ctx); -#endif /* __DETECT_ENGINE_HHD_H__ */ +void DetectEngineHttpHeaderRegisterTests(void); +#endif /* __DETECT_ENGINE_HHD_H__ */
diff --git a/src/detect-engine-hsbd.c b/src/detect-engine-hsbd.c
index 4c47e7546d..6f27e0e9d3 100644
--- a/src/detect-engine-hsbd.c
+++ b/src/detect-engine-hsbd.c
@@ -214,158 +214,6 @@ static uint8_t *DetectEngineHSBDGetBufferForTX(int tx_id, return buffer; } -/** - * \brief Helps buffer response bodies for different transactions and stores them - * away in detection code. - * - * \param de_ctx Detection Engine ctx. - * \param det_ctx Detection engine thread ctx. - * \param f Pointer to the flow. - * \param htp_state http state. - * - * \warning Make sure flow is locked. Flow is modified, WRITE lock needed. - */ -static void DetectEngineBufferHttpServerBodies(DetectEngineCtx *de_ctx, - DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state, uint8_t flags) -{ - int idx = 0; - htp_tx_t *tx = NULL; - int i = 0; - - if (htp_state == NULL) { - SCLogDebug("no HTTP state"); - goto end; - } - - if (htp_state->connp == NULL || htp_state->connp->conn == NULL) { - SCLogDebug("HTP state has no conn(p)"); - goto end; - } - - /* get the transaction id */ - int tmp_idx = AppLayerTransactionGetInspectId(f); - /* error! get out of here */ - if (tmp_idx == -1) - goto end; - - /* let's get the transaction count. We need this to hold the server body - * buffer for each transaction */ - size_t txs = list_size(htp_state->connp->conn->transactions) - tmp_idx; - /* no transactions?! cool. 
get out of here */ - if (txs == 0) { - det_ctx->hsbd_buffers_list_len = 0; - goto end; - } else if (txs > det_ctx->hsbd_buffers_list_len) { - det_ctx->hsbd = SCRealloc(det_ctx->hsbd, txs * sizeof(HttpReassembledBody)); - if (det_ctx->hsbd == NULL) { - det_ctx->hsbd_buffers_list_len = 0; - goto end; - } - - memset(det_ctx->hsbd + det_ctx->hsbd_buffers_list_len, 0, - (txs - det_ctx->hsbd_buffers_list_len) * sizeof(HttpReassembledBody)); - det_ctx->hsbd_buffers_list_len = txs; - } - - idx = AppLayerTransactionGetInspectId(f); - if (idx == -1) { - goto end; - } - - int size = (int)list_size(htp_state->connp->conn->transactions); - for (; idx < size; idx++, i++) { - /* already set up */ - if (det_ctx->hsbd[i].buffer_len > 0) - continue; - - tx = list_get(htp_state->connp->conn->transactions, idx); - if (tx == NULL) - continue; - - HtpTxUserData *htud = (HtpTxUserData *)htp_tx_get_user_data(tx); - if (htud == NULL) - continue; - - /* no new data */ - if (htud->response_body.body_inspected == htud->response_body.content_len_so_far) { - continue; - } - - HtpBodyChunk *cur = htud->response_body.first; - if (cur == NULL) { - SCLogDebug("No http chunks to inspect for this transacation"); - continue; - } - - /* irrespective of chunked encoding or not, we rely on the tx state - * to decide if we have seen the whole body or not */ - if ((htud->response_body.content_len_so_far > 0) && - tx->progress != TX_PROGRESS_RES_BODY) { - /* final length of the body */ - htud->tcflags |= HTP_RES_BODY_COMPLETE; - } - - if (flags & STREAM_EOF) { - htud->tcflags |= HTP_RES_BODY_COMPLETE; - } - - /* inspect the body if the transfer is complete or we have hit - * our body size limit */ - if (htud->response_body.content_len_so_far < BODY_MINIMAL_SIZE && - !(htud->tcflags & HTP_RES_BODY_COMPLETE)) { - SCLogDebug("we still haven't seen the entire response body. " - "Let's defer body inspection till we see the " - "entire body."); - continue; - } - - //SCLogInfo("now we inspect! 
%"PRIu64, htud->response_body.content_len_so_far); - - int first = 1; - while (cur != NULL) { - /* see if we can filter out chunks */ - if (htud->response_body.body_inspected > 0) { - if (cur->stream_offset < htud->response_body.body_inspected) { - if (htud->response_body.body_inspected - cur->stream_offset > BODY_SCAN_WINDOW) { - cur = cur->next; - continue; - } else { - /* include this one */ - } - } else { - /* include this one */ - } - } - - if (first) { - det_ctx->hsbd[i].offset = cur->stream_offset; - first = 0; - } - - /* see if we need to grow the buffer */ - if (det_ctx->hsbd[i].buffer == NULL || det_ctx->hsbd[i].buffer_len + cur->len > det_ctx->hsbd[i].buffer_size) { - det_ctx->hsbd[i].buffer_size += cur->len * 2; - - if ((det_ctx->hsbd[i].buffer = SCRealloc(det_ctx->hsbd[i].buffer, det_ctx->hsbd[i].buffer_size)) == NULL) { - goto end; - } - } - memcpy(det_ctx->hsbd[i].buffer + det_ctx->hsbd[i].buffer_len, cur->data, cur->len); - det_ctx->hsbd[i].buffer_len += cur->len; - - cur = cur->next; - } - - /* update inspected tracker */ - htud->response_body.body_inspected = - htud->response_body.last->stream_offset + - htud->response_body.last->len; - } /* for (idx = AppLayerTransactionGetInspectId(f); .. */ - -end: - return; -} - int DetectEngineRunHttpServerBodyMpmV2(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state, uint8_t flags) 
@@ -409,32 +257,6 @@ int DetectEngineRunHttpServerBodyMpmV2(DetectEngineCtx *de_ctx, return cnt; } -int DetectEngineRunHttpServerBodyMpm(DetectEngineCtx *de_ctx, - DetectEngineThreadCtx *det_ctx, Flow *f, - HtpState *htp_state, uint8_t flags) -{ - int i; - uint32_t cnt = 0; - - FLOWLOCK_WRLOCK(f); - DetectEngineBufferHttpServerBodies(de_ctx, det_ctx, f, htp_state, flags); - FLOWLOCK_UNLOCK(f); - - if (det_ctx->hsbd != NULL && det_ctx->hsbd_buffers_list_len) { - for (i = 0; i < det_ctx->hsbd_buffers_list_len; i++) { - if (det_ctx->hsbd[i].buffer_len == 0) - continue; - - cnt += HttpServerBodyPatternSearch(det_ctx, - det_ctx->hsbd[i].buffer, - det_ctx->hsbd[i].buffer_len, - flags); - } - } - - return cnt; -} - int DetectEngineInspectHttpServerBodyV2(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Signature *s, Flow *f, uint8_t flags, 
@@ -492,58 +314,6 @@ int DetectEngineInspectHttpServerBodyV2(DetectEngineCtx *de_ctx, return r; } - -/** - * \brief Do the http_server_body content inspection for a signature. - * - * \param de_ctx Detection engine context. - * \param det_ctx Detection engine thread context. - * \param s Signature to inspect. - * \param f Flow. - * \param flags App layer flags. - * \param state App layer state. - * - * \retval 0 No match. - * \retval 1 Match. - */ -int DetectEngineInspectHttpServerBody(DetectEngineCtx *de_ctx, - DetectEngineThreadCtx *det_ctx, Signature *s, Flow *f, uint8_t flags, - void *alstate) -{ - SCEnter(); - int r = 0; - int i = 0; - - FLOWLOCK_WRLOCK(f); - DetectEngineBufferHttpServerBodies(de_ctx, det_ctx, f, alstate, flags); - FLOWLOCK_UNLOCK(f); - - if (det_ctx->hsbd != NULL && det_ctx->hsbd_buffers_list_len) { - for (i = 0; i < det_ctx->hsbd_buffers_list_len; i++) { - uint8_t *hsbd_buffer = det_ctx->hsbd[i].buffer; - uint32_t hsbd_buffer_len = det_ctx->hsbd[i].buffer_len; - - if (hsbd_buffer == NULL || hsbd_buffer_len == 0) - continue; - - det_ctx->buffer_offset = 0; - det_ctx->discontinue_matching = 0; - det_ctx->inspection_recursion_counter = 0; - - r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HSBDMATCH], - f, - hsbd_buffer, - hsbd_buffer_len, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_HSBD, NULL); - if (r == 1) { - break; - } - } - } - - SCReturnInt(r); -} - void DetectEngineCleanHSBDBuffersV2(DetectEngineThreadCtx *det_ctx) { if (det_ctx->hsbd_buffers_list_len > 0) { 
@@ -558,23 +328,6 @@ void DetectEngineCleanHSBDBuffersV2(DetectEngineThreadCtx *det_ctx) return; } -/** - * \brief Clean the hsbd buffers. - * - * \param det_ctx Pointer to the detection engine thread ctx. - */ -void DetectEngineCleanHSBDBuffers(DetectEngineThreadCtx *det_ctx) -{ - int i; - if (det_ctx->hsbd != NULL && det_ctx->hsbd_buffers_list_len) { - for (i = 0; i < det_ctx->hsbd_buffers_list_len; i++) { - det_ctx->hsbd[i].buffer_len = 0; - } - } - return; -} - - /***********************************Unittests**********************************/ #ifdef UNITTESTS
diff --git a/src/detect-engine-hsbd.h b/src/detect-engine-hsbd.h
index b9760a6165..f1801f07de 100644
--- a/src/detect-engine-hsbd.h
+++ b/src/detect-engine-hsbd.h
@@ -27,15 +27,6 @@ #include "app-layer-htp.h" -int DetectEngineRunHttpServerBodyMpm(DetectEngineCtx *, - DetectEngineThreadCtx *, Flow *f, - HtpState *, uint8_t); -int DetectEngineInspectHttpServerBody(DetectEngineCtx *, - DetectEngineThreadCtx *, Signature *, Flow *, uint8_t, void *); - -void DetectEngineCleanHSBDBuffers(DetectEngineThreadCtx *); -void DetectEngineHttpServerBodyRegisterTests(void); - int DetectEngineRunHttpServerBodyMpmV2(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state, uint8_t flags);
@@ -45,5 +36,7 @@ int DetectEngineInspectHttpServerBodyV2(DetectEngineCtx *de_ctx, void *alstate); void DetectEngineCleanHSBDBuffersV2(DetectEngineThreadCtx *det_ctx); +void DetectEngineHttpServerBodyRegisterTests(void); + #endif /* __DETECT_ENGINE_HSBD_H__ */
diff --git a/src/detect-engine-state.c b/src/detect-engine-state.c
index 1d7134fb9c..7ea8486c21 100644
--- a/src/detect-engine-state.c
+++ b/src/detect-engine-state.c
@@ -428,8 +428,6 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, inspect_flags |= DE_STATE_FLAG_HCBD_INSPECT; if (DetectEngineInspectHttpClientBodyV2(de_ctx, det_ctx, s, f, flags, alstate) == 1) { - //if (DetectEngineInspectHttpClientBody(de_ctx, det_ctx, s, f, - //flags, alstate) == 1) { match_flags |= DE_STATE_FLAG_HCBD_MATCH; } SCLogDebug("inspecting http client body");
@@ -442,8 +440,6 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, inspect_flags |= DE_STATE_FLAG_HHD_INSPECT; if (DetectEngineInspectHttpHeaderV2(de_ctx, det_ctx, s, f, flags, alstate) == 1) { - //if (DetectEngineInspectHttpHeader(de_ctx, det_ctx, s, f, - //flags, alstate) == 1) { match_flags |= DE_STATE_FLAG_HHD_MATCH; } SCLogDebug("inspecting http header");
@@ -538,8 +534,6 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, inspect_flags |= DE_STATE_FLAG_HHD_INSPECT; if (DetectEngineInspectHttpHeaderV2(de_ctx, det_ctx, s, f, flags, alstate) == 1) { - //if (DetectEngineInspectHttpHeader(de_ctx, det_ctx, s, f, - //flags, alstate) == 1) { match_flags |= DE_STATE_FLAG_HHD_MATCH; } SCLogDebug("inspecting http header");
@@ -840,8 +834,6 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete if (DetectEngineInspectHttpClientBodyV2(de_ctx, det_ctx, s, f, flags, alstate) == 1) { - //if (DetectEngineInspectHttpClientBody(de_ctx, det_ctx, s, f, - // flags, alstate) == 1) { SCLogDebug("http client body matched"); match_flags |= DE_STATE_FLAG_HCBD_MATCH; }
@@ -860,8 +852,6 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete if (DetectEngineInspectHttpHeaderV2(de_ctx, det_ctx, s, f, flags, alstate) == 1) { - //if (DetectEngineInspectHttpHeader(de_ctx, det_ctx, s, f, - // flags, alstate) == 1) { SCLogDebug("http header matched"); match_flags |= DE_STATE_FLAG_HHD_MATCH; }
@@ -993,8 +983,6 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete inspect_flags |= DE_STATE_FLAG_HHD_INSPECT; if (DetectEngineInspectHttpHeaderV2(de_ctx, det_ctx, s, f, flags, alstate) == 1) { - //if (DetectEngineInspectHttpHeader(de_ctx, det_ctx, s, f, - //flags, alstate) == 1) { match_flags |= DE_STATE_FLAG_HHD_MATCH; } }
diff --git a/src/detect.c b/src/detect.c
index 9b8728518e..dfec2f4c77 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1262,7 +1262,6 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx, if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HCBD) { PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HCBD); DetectEngineRunHttpClientBodyMpmV2(de_ctx, det_ctx, p->flow, alstate, flags); - //DetectEngineRunHttpClientBodyMpm(de_ctx, det_ctx, p->flow, alstate, flags); PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HCBD); } if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HMD) {
@@ -1294,7 +1293,6 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx, } if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HHD) { PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HHD); - //DetectEngineRunHttpHeaderMpm(det_ctx, p->flow, alstate, flags); DetectEngineRunHttpHeaderMpmV2(det_ctx, p->flow, alstate, flags); PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HHD); }