From: Victor Julien Date: Fri, 9 Dec 2016 11:07:03 +0000 (+0100) Subject: http_host: dynamic buffer X-Git-Tag: suricata-4.0.0-beta1~389 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=296c275e23a6110216178cba6a67057a495a9aca;p=thirdparty%2Fsuricata.git http_host: dynamic buffer --- diff --git a/src/detect-engine.c b/src/detect-engine.c index 76fe02137d..3870cd1650 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -2810,8 +2810,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type) return "http stat msg"; case DETECT_SM_LIST_HSCDMATCH: return "http stat code"; - case DETECT_SM_LIST_HHHDMATCH: - return "http host"; case DETECT_SM_LIST_HRHHDMATCH: return "http raw host header"; case DETECT_SM_LIST_APP_EVENT: diff --git a/src/detect-fast-pattern.c b/src/detect-fast-pattern.c index 2d8e701b3b..2cb1d8b39d 100644 --- a/src/detect-fast-pattern.c +++ b/src/detect-fast-pattern.c @@ -326,6 +326,7 @@ static int g_http_method_buffer_id = 0; static int g_http_uri_buffer_id = 0; static int g_http_ua_buffer_id = 0; static int g_http_cookie_buffer_id = 0; +static int g_http_host_buffer_id = 0; /** * \test Checks if a fast_pattern is registered in a Signature @@ -16410,7 +16411,7 @@ int DetectFastPatternTest589(void) "content:\"three\"; http_host; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -16448,7 +16449,7 @@ int DetectFastPatternTest590(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_host_buffer_id]; if (sm != NULL) { if ( (((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN)) { @@ -16485,7 +16486,7 @@ int DetectFastPatternTest591(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_host_buffer_id]; if (sm != NULL) { if ( (((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN)) { @@ -16516,7 +16517,7 @@ int DetectFastPatternTest592(void) if (de_ctx->sig_list == NULL) goto end; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_host_buffer_id]; if (sm == NULL) { goto end; } @@ -16552,7 +16553,7 @@ int DetectFastPatternTest593(void) if (de_ctx->sig_list == NULL) goto end; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_host_buffer_id]; if (sm == NULL) { goto end; } @@ -16797,7 +16798,7 @@ int DetectFastPatternTest603(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -16829,7 +16830,7 @@ int DetectFastPatternTest604(void) "content:\"two\"; fast_pattern:only; http_host; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -16861,7 +16862,7 @@ int DetectFastPatternTest605(void) "content:\"two\"; fast_pattern:only; http_host; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -16893,7 +16894,7 @@ int DetectFastPatternTest606(void) "content:\"two\"; fast_pattern:only; http_host; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -16924,7 +16925,7 @@ int DetectFastPatternTest607(void) "content:\"two\"; http_host; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -17049,7 +17050,7 @@ int DetectFastPatternTest612(void) "content:\"three\"; http_host; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -17081,7 +17082,7 @@ int DetectFastPatternTest613(void) "content:\"three\"; http_host; distance:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -17113,7 +17114,7 @@ int DetectFastPatternTest614(void) "content:\"three\"; http_host; within:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -17145,7 +17146,7 @@ int DetectFastPatternTest615(void) "content:\"three\"; http_host; offset:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -17177,7 +17178,7 @@ int DetectFastPatternTest616(void) "content:\"three\"; http_host; depth:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -17209,7 +17210,7 @@ int DetectFastPatternTest617(void) "content:\"oneonethree\"; fast_pattern:3,4; http_host; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -17241,7 +17242,7 @@ int DetectFastPatternTest618(void) "content:\"oneonethree\"; fast_pattern:3,4; http_host; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -17273,7 +17274,7 @@ int DetectFastPatternTest619(void) "content:\"oneonethree\"; fast_pattern:3,4; http_host; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -17305,7 +17306,7 @@ int DetectFastPatternTest620(void) "content:\"oneonethree\"; fast_pattern:3,4; http_host; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -17412,7 +17413,7 @@ int DetectFastPatternTest624(void) "content:\"three\"; http_host; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -17541,7 +17542,7 @@ int DetectFastPatternTest629(void) "content:\"three\"; http_host; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -18831,6 +18832,7 @@ void DetectFastPatternRegisterTests(void) g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri"); g_http_ua_buffer_id = DetectBufferTypeGetByName("http_user_agent"); g_http_cookie_buffer_id = DetectBufferTypeGetByName("http_cookie"); + g_http_host_buffer_id = DetectBufferTypeGetByName("http_host"); UtRegisterTest("DetectFastPatternTest01", DetectFastPatternTest01); UtRegisterTest("DetectFastPatternTest02", DetectFastPatternTest02); diff --git a/src/detect-http-hh.c b/src/detect-http-hh.c index fbe0db9435..1abaf8a8c2 100644 --- a/src/detect-http-hh.c +++ b/src/detect-http-hh.c @@ -59,9 +59,12 @@ #include "detect-http-hh.h" #include "detect-engine-hhhd.h" -int DetectHttpHHSetup(DetectEngineCtx *, Signature *, char *); -void DetectHttpHHRegisterTests(void); -void DetectHttpHHFree(void *); +static int DetectHttpHHSetup(DetectEngineCtx *, Signature *, char *); +static void DetectHttpHHRegisterTests(void); +static void DetectHttpHHFree(void *); +static void DetectHttpHostSetupCallback(Signature *s); +static _Bool DetectHttpHostValidateCallback(const Signature *s); +static int g_http_host_buffer_id = 0; /** * \brief Registers the keyword handlers for the "http_host" keyword. @@ -79,15 +82,23 @@ void DetectHttpHHRegister(void) sigmatch_table[DETECT_AL_HTTP_HOST].flags |= SIGMATCH_NOOPT ; sigmatch_table[DETECT_AL_HTTP_HOST].flags |= SIGMATCH_PAYLOAD ; - DetectMpmAppLayerRegister("http_host", SIG_FLAG_TOSERVER, - DETECT_SM_LIST_HHHDMATCH, 2, + DetectAppLayerMpmRegister("http_host", SIG_FLAG_TOSERVER, 2, PrefilterTxHostnameRegister); - DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER, - DETECT_SM_LIST_HHHDMATCH, + DetectAppLayerInspectEngineRegister2("http_host", + ALPROTO_HTTP, SIG_FLAG_TOSERVER, DetectEngineInspectHttpHH); - return; + DetectBufferTypeSetDescriptionByName("http_host", + "http host header"); + + DetectBufferTypeRegisterSetupCallback("http_host", + DetectHttpHostSetupCallback); + + DetectBufferTypeRegisterValidateCallback("http_host", + DetectHttpHostValidateCallback); + + g_http_host_buffer_id = DetectBufferTypeGetByName("http_host"); } /** @@ -107,11 +118,50 @@ int DetectHttpHHSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { return DetectEngineContentModifierBufferSetup(de_ctx, s, arg, DETECT_AL_HTTP_HOST, - DETECT_SM_LIST_HHHDMATCH, + g_http_host_buffer_id, ALPROTO_HTTP, NULL); } +static void DetectHttpHostSetupCallback(Signature *s) +{ + SCLogDebug("callback invoked by %u", s->id); + s->mask |= SIG_MASK_REQUIRE_HTTP_STATE; +} + +static _Bool DetectHttpHostValidateCallback(const Signature *s) +{ + const SigMatch *sm = s->init_data->smlists[g_http_host_buffer_id]; + for ( ; sm != NULL; sm = sm->next) { + if (sm->type == DETECT_CONTENT) { + DetectContentData *cd = (DetectContentData *)sm->ctx; + if (cd->flags & DETECT_CONTENT_NOCASE) { + SCLogWarning(SC_ERR_INVALID_SIGNATURE, "http_host keyword " + "specified along with \"nocase\". " + "Since the hostname buffer we match against " + "is actually lowercase. So having a " + "nocase is redundant."); + } else { + uint32_t u; + for (u = 0; u < cd->content_len; u++) { + if (isupper(cd->content[u])) + break; + } + if (u != cd->content_len) { + SCLogWarning(SC_ERR_INVALID_SIGNATURE, "A pattern with " + "uppercase chars detected for http_host. " + "Since the hostname buffer we match against " + "is lowercase only, please specify a " + "lowercase pattern."); + return FALSE; + } + } + } + } + + return TRUE; +} + /** * \brief The function to free the http_host data. * @@ -280,6 +330,22 @@ static int DetectHttpHHTest05(void) return result; } +/** \test invalid sig: uppercase content */ +static int DetectHttpHHTest05a(void) +{ + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + FAIL_IF_NULL(de_ctx); + de_ctx->flags |= DE_QUIET; + + Signature *s = DetectEngineAppendSig(de_ctx, + "alert tcp any any -> any any " + "(content:\"ABC\"; http_host; sid:1;)"); + FAIL_IF_NOT_NULL(s); + + DetectEngineCtxFree(de_ctx); + PASS; +} + /** *\test Test that the http_host content matches against a http request * which holds the content. @@ -1407,16 +1473,6 @@ end: return result; } - - - - - - - - - - int DetectHttpHHTest22(void) { DetectEngineCtx *de_ctx = NULL; @@ -1439,15 +1495,15 @@ int DetectHttpHHTest22(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n"); goto end; } DetectContentData *cd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx; DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx; - DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx; - DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx; + DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx; + DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx; if (cd1->flags != 0 || memcmp(cd1->content, "one", cd1->content_len) != 0 || cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 || hhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) || @@ -1494,15 +1550,15 @@ int DetectHttpHHTest23(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n"); goto end; } DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx; DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx; - DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx; - DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx; + DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx; + DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx; if (pd1->flags != 0 || cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 || hhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) || @@ -1548,15 +1604,15 @@ int DetectHttpHHTest24(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n"); goto end; } DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx; DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx; - DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx; - DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx; + DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx; + DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx; if (pd1->flags != 0 || cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 || hhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) || @@ -1603,15 +1659,15 @@ int DetectHttpHHTest25(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n"); goto end; } DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx; DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx; - DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx; - DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx; + DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx; + DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx; if (pd1->flags != DETECT_PCRE_RELATIVE_NEXT || cd2->flags != DETECT_CONTENT_DISTANCE || memcmp(cd2->content, "four", cd2->content_len) != 0 || @@ -1659,15 +1715,15 @@ int DetectHttpHHTest26(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n"); goto end; } DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx; DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx; - DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx; - DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx; + DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx; + DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx; if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || cd2->flags != DETECT_CONTENT_DISTANCE || memcmp(cd2->content, "four", cd2->content_len) != 0 || @@ -1742,15 +1798,15 @@ int DetectHttpHHTest28(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n"); goto end; } DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx; DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx; - DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx; - DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx; + DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx; + DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx; if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || cd2->flags != DETECT_CONTENT_DISTANCE || memcmp(cd2->content, "four", cd2->content_len) != 0 || @@ -1797,13 +1853,13 @@ int DetectHttpHHTest29(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n"); goto end; } - DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx; - DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx; + DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx; + DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx; if (hhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) || memcmp(hhhd1->content, "one", hhhd1->content_len) != 0 || hhhd2->flags != (DETECT_CONTENT_DISTANCE) || @@ -1841,13 +1897,13 @@ int DetectHttpHHTest30(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n"); goto end; } - DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx; - DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx; + DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx; + DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx; if (hhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) || memcmp(hhhd1->content, "one", hhhd1->content_len) != 0 || hhhd2->flags != (DETECT_CONTENT_WITHIN) || @@ -1957,21 +2013,21 @@ int DetectHttpHHTest34(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n"); goto end; } - if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH] == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->type != DETECT_CONTENT || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->type != DETECT_PCRE) { + if (de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id] == NULL || + de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->type != DETECT_CONTENT || + de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev == NULL || + de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->type != DETECT_PCRE) { goto end; } - DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx; - DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx; + DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx; + DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx; if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || hhhd2->flags != (DETECT_CONTENT_WITHIN) || memcmp(hhhd2->content, "two", hhhd2->content_len) != 0) { @@ -2008,21 +2064,21 @@ int DetectHttpHHTest35(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n"); goto end; } - if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH] == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->type != DETECT_PCRE || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->type != DETECT_CONTENT) { + if (de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id] == NULL || + de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->type != DETECT_PCRE || + de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev == NULL || + de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->type != DETECT_CONTENT) { goto end; } - DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx; - DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx; + DetectContentData *hhhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx; + DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx; if (pd2->flags != (DETECT_PCRE_RELATIVE) || hhhd1->flags != (DETECT_CONTENT_RELATIVE_NEXT) || memcmp(hhhd1->content, "two", hhhd1->content_len) != 0) { @@ -2059,21 +2115,21 @@ int DetectHttpHHTest36(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_host_buffer_id] == NULL\n"); goto end; } - if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH] == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->type != DETECT_CONTENT || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->type != DETECT_PCRE) { + if (de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id] == NULL || + de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->type != DETECT_CONTENT || + de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev == NULL || + de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->type != DETECT_PCRE) { goto end; } - DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx; - DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx; + DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->prev->ctx; + DetectContentData *hhhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_host_buffer_id]->ctx; if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || hhhd2->flags != (DETECT_CONTENT_DISTANCE) || memcmp(hhhd2->content, "two", hhhd2->content_len) != 0) { @@ -2098,6 +2154,7 @@ void DetectHttpHHRegisterTests(void) UtRegisterTest("DetectHttpHHTest03", DetectHttpHHTest03); UtRegisterTest("DetectHttpHHTest04", DetectHttpHHTest04); UtRegisterTest("DetectHttpHHTest05", DetectHttpHHTest05); + UtRegisterTest("DetectHttpHHTest05a", DetectHttpHHTest05a); UtRegisterTest("DetectHttpHHTest06", DetectHttpHHTest06); UtRegisterTest("DetectHttpHHTest07", DetectHttpHHTest07); UtRegisterTest("DetectHttpHHTest08", DetectHttpHHTest08); diff --git a/src/detect-parse.c b/src/detect-parse.c index 4dd800b124..ec9e4bce84 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -147,7 +147,6 @@ const char *DetectListToHumanString(int list) CASE_CODE_STRING(DETECT_SM_LIST_HRHDMATCH, "http_raw_header"); CASE_CODE_STRING(DETECT_SM_LIST_HSMDMATCH, "http_stat_msg"); CASE_CODE_STRING(DETECT_SM_LIST_HSCDMATCH, "http_stat_code"); - CASE_CODE_STRING(DETECT_SM_LIST_HHHDMATCH, "http_host"); CASE_CODE_STRING(DETECT_SM_LIST_HRHHDMATCH, "http_raw_host"); CASE_CODE_STRING(DETECT_SM_LIST_APP_EVENT, "app-layer-event"); CASE_CODE_STRING(DETECT_SM_LIST_AMATCH, "app-layer"); @@ -185,7 +184,6 @@ const char *DetectListToString(int list) CASE_CODE(DETECT_SM_LIST_HRHDMATCH); CASE_CODE(DETECT_SM_LIST_HSMDMATCH); CASE_CODE(DETECT_SM_LIST_HSCDMATCH); - CASE_CODE(DETECT_SM_LIST_HHHDMATCH); CASE_CODE(DETECT_SM_LIST_HRHHDMATCH); CASE_CODE(DETECT_SM_LIST_APP_EVENT); CASE_CODE(DETECT_SM_LIST_AMATCH); @@ -1391,7 +1389,6 @@ SigMatchData* SigMatchList2DataArray(SigMatch *head) */ int SigValidate(DetectEngineCtx *de_ctx, Signature *s) { - uint32_t u = 0; uint32_t sig_flags = 0; SigMatch *sm, *pm; const int nlists = DetectBufferTypeMaxId(); @@ -1478,35 +1475,6 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s) } } - if (s->init_data->smlists[DETECT_SM_LIST_HHHDMATCH] != NULL) { - for (sm = s->init_data->smlists[DETECT_SM_LIST_HHHDMATCH]; - sm != NULL; sm = sm->next) { - if (sm->type == DETECT_CONTENT) { - DetectContentData *cd = (DetectContentData *)sm->ctx; - if (cd->flags & DETECT_CONTENT_NOCASE) { - SCLogWarning(SC_ERR_INVALID_SIGNATURE, "http_host keyword " - "specified along with \"nocase\". " - "Since the hostname buffer we match against " - "is actually lowercase. So having a " - "nocase is redundant."); - } else { - for (u = 0; u < cd->content_len; u++) { - if (isupper(cd->content[u])) - break; - } - if (u != cd->content_len) { - SCLogWarning(SC_ERR_INVALID_SIGNATURE, "A pattern with " - "uppercase chars detected for http_host. " - "Since the hostname buffer we match against " - "is lowercase only, please specify a " - "lowercase pattern."); - SCReturnInt(0); - } - } - } - } - } - //if (s->alproto != ALPROTO_UNKNOWN) { // if (s->flags & SIG_FLAG_STATE_MATCH) { // if (s->alproto == ALPROTO_DNS) { @@ -1576,7 +1544,6 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s) s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH] || s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH] || s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH] || - s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH] || s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]) { SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature combines packet " diff --git a/src/detect-pcre.c b/src/detect-pcre.c index 13164d25de..433c590c04 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c @@ -297,6 +297,7 @@ static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr, #define MAX_SUBSTRINGS 30 int ret = 0, res = 0; int ov[MAX_SUBSTRINGS]; + int check_host_header = 0; /* take the size of the whole input as buffer size for the regex we will * extract below. Add 1 to please Coverity's alloc_strlen test. */ @@ -413,13 +414,16 @@ static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr, *sm_list = DetectPcreSetList(*sm_list, list); break; } - case 'W': + case 'W': { if (pd->flags & DETECT_PCRE_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'W' inconsistent with 'B'"); goto error; } - *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HHHDMATCH); + int list = DetectBufferTypeGetByName("http_host"); + *sm_list = DetectPcreSetList(*sm_list, list); + check_host_header = 1; break; + } case 'Z': if (pd->flags & DETECT_PCRE_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'Z' inconsistent with 'B'"); @@ -493,7 +497,7 @@ static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr, SCLogDebug("DetectPcreParse: \"%s\"", re); /* host header */ - if (*sm_list == DETECT_SM_LIST_HHHDMATCH) { + if (check_host_header) { if (pd->flags & DETECT_PCRE_CASELESS) { SCLogWarning(SC_ERR_INVALID_SIGNATURE, "http host pcre(\"W\") " "specified along with \"i(caseless)\" modifier. " @@ -679,7 +683,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst parsed_sm_list == DETECT_SM_LIST_HRHDMATCH || parsed_sm_list == DETECT_SM_LIST_HSMDMATCH || parsed_sm_list == DETECT_SM_LIST_HSCDMATCH || - parsed_sm_list == DETECT_SM_LIST_HHHDMATCH || parsed_sm_list == DETECT_SM_LIST_HRHHDMATCH) { if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { @@ -713,7 +716,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst case DETECT_SM_LIST_HRUDMATCH: case DETECT_SM_LIST_HHDMATCH: case DETECT_SM_LIST_HRHDMATCH: - case DETECT_SM_LIST_HHHDMATCH: case DETECT_SM_LIST_HRHHDMATCH: case DETECT_SM_LIST_HSMDMATCH: case DETECT_SM_LIST_HSCDMATCH: diff --git a/src/detect.c b/src/detect.c index 1846fe1149..2f39e7a259 100644 --- a/src/detect.c +++ b/src/detect.c @@ -1930,9 +1930,6 @@ int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s) if (s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL) return 0; - if (s->init_data->smlists[DETECT_SM_LIST_HHHDMATCH] != NULL) - return 0; - if (s->init_data->smlists[DETECT_SM_LIST_HRHHDMATCH] != NULL) return 0; @@ -2026,9 +2023,6 @@ static int SignatureIsPDOnly(const Signature *s) if (s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL) return 0; - if (s->init_data->smlists[DETECT_SM_LIST_HHHDMATCH] != NULL) - return 0; - if (s->init_data->smlists[DETECT_SM_LIST_HRHHDMATCH] != NULL) return 0; @@ -2138,7 +2132,6 @@ static int SignatureIsDEOnly(DetectEngineCtx *de_ctx, const Signature *s) s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL || - s->init_data->smlists[DETECT_SM_LIST_HHHDMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HRHHDMATCH] != NULL) { SCReturnInt(0); @@ -2322,11 +2315,6 @@ static int SignatureCreateMask(Signature *s) SCLogDebug("sig requires http app state"); } - if (s->init_data->smlists[DETECT_SM_LIST_HHHDMATCH] != NULL) { - s->mask |= SIG_MASK_REQUIRE_HTTP_STATE; - SCLogDebug("sig requires http app state"); - } - if (s->init_data->smlists[DETECT_SM_LIST_HRHHDMATCH] != NULL) { s->mask |= SIG_MASK_REQUIRE_HTTP_STATE; SCLogDebug("sig requires http app state"); diff --git a/src/detect.h b/src/detect.h index 4683aee0f9..a50d0935fd 100644 --- a/src/detect.h +++ b/src/detect.h @@ -127,8 +127,6 @@ enum DetectSigmatchListEnum { DETECT_SM_LIST_HSMDMATCH, /* list for http_stat_code keyword and the ones relative to it */ DETECT_SM_LIST_HSCDMATCH, - /* list for http_host keyword and the ones relative to it */ - DETECT_SM_LIST_HHHDMATCH, /* list for http_raw_host keyword and the ones relative to it */ DETECT_SM_LIST_HRHHDMATCH, /* app event engine sm list */