From: Philippe Antoine
Date: Mon, 26 Apr 2021 12:39:24 +0000 (+0200)
Subject: http2: http.stat_code keyword now works for HTTP2
X-Git-Tag: suricata-6.0.3~22
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4be3d140847608155a5dd0c18d39fab24da22e44;p=thirdparty%2Fsuricata.git
http2: http.stat_code keyword now works for HTTP2
(cherry picked from commit 1e96272576cc6cd734f973e16594dbc1a1e383f6)
---
diff --git a/src/detect-http-stat-code.c b/src/detect-http-stat-code.c
index bd0405508e..9ad1d85c8f 100644
--- a/src/detect-http-stat-code.c
+++ b/src/detect-http-stat-code.c
@@ -72,6 +72,9 @@ static int g_http_stat_code_buffer_id = 0;
 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv, const int list_id);
+static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx,
+ const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
+ const int list_id);
 /** * \brief Registration function for keyword: http_stat_code
@@ -104,6 +107,12 @@ void DetectHttpStatCodeRegister (void)
 PrefilterGenericMpmRegister, GetData, ALPROTO_HTTP, HTP_RESPONSE_LINE);
+ DetectAppLayerInspectEngineRegister2("http_stat_code", ALPROTO_HTTP2, SIG_FLAG_TOCLIENT,
+ HTTP2StateDataServer, DetectEngineInspectBufferGeneric, GetData2);
+
+ DetectAppLayerMpmRegister2("http_stat_code", SIG_FLAG_TOCLIENT, 4, PrefilterGenericMpmRegister,
+ GetData2, ALPROTO_HTTP2, HTTP2StateDataServer);
+
 DetectBufferTypeSetDescriptionByName("http_stat_code", "http response status code");
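Review bot: Nothing in the diff shown here tests the two ALPROTO_HTTP2 registrations added in DetectHttpStatCodeRegister, so a mistake in the progress value `HTTP2StateDataServer` or in `GetData2` would surface only as `http.stat_code` rules that silently never match HTTP/2 responses. A test that loads a rule on this buffer and runs it against an HTTP/2 response would catch that; `tests/detect-http-stat-code.c` is already included under UNITTESTS, though such a test may live outside the file shown. A one-line comment above the new calls, for example `/* HTTP/2: same sticky buffer, filled from the HTTP/2 response status */`, would also explain why the name is registered a second time. The body of DetectHttpStatCodeRegister starts and ends outside this hunk.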
@@ -170,6 +179,29 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 return buffer;
 }
+static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx,
+ const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
+ const int list_id)
+{
+ SCEnter();
+
+ InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
+ if (buffer->inspect == NULL) {
+ uint32_t b_len = 0;
+ const uint8_t *b = NULL;
+
+ if (rs_http2_tx_get_status(txv, &b, &b_len) != 1)
+ return NULL;
+ if (b == NULL || b_len == 0)
+ return NULL;
+
+ InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
+ InspectionBufferApplyTransforms(buffer, transforms);
+ }
+
+ return buffer;
+}
+
 #ifdef UNITTESTS
 #include "tests/detect-http-stat-code.c"
 #endif /* UNITTESTS */
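Review bot: GetData2 has no doc comment, although its two early `return NULL;` paths decide what rule writers get for an HTTP/2 response without a usable status value. When `rs_http2_tx_get_status()` does not return 1, or hands back a NULL or zero-length value, no inspection buffer is set up, so presumably nothing on `http.stat_code` is evaluated for that transaction, negated matches included; that contract is worth writing down. I would add above the function `/** \brief Get the HTTP/2 response status as inspection buffer. \retval NULL if the tx has no status value. */`. The function also calls `SCEnter()` but leaves through plain `return`; either pair it with `SCReturnPtr(buffer, "InspectionBuffer");` (and the same for the NULL returns) or drop the `SCEnter()` so debug entry/exit logging stays balanced.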