From: Victor Julien
Date: Fri, 29 Jun 2012 11:02:34 +0000 (+0200)
Subject: http body inspection: force body inspection on stream eof.
X-Git-Tag: suricata-1.3rc1~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=59ec493f7c08e60861cc5d1ba45dcbddfabc846c;p=thirdparty%2Fsuricata.git

http body inspection: force body inspection on stream eof.
---
diff --git a/src/detect-engine-hcbd.c b/src/detect-engine-hcbd.c
index 50d0d0f01f..75106135d2 100644
--- a/src/detect-engine-hcbd.c
+++ b/src/detect-engine-hcbd.c
@@ -70,7 +70,7 @@
 * \warning Make sure flow is locked -- flow is modified, WRITE lock needed
 */
 static void DetectEngineBufferHttpClientBodies(DetectEngineCtx *de_ctx,
- DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state)
+ DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state, uint8_t flags)
 {
 int idx = 0;
 htp_tx_t *tx = NULL;
@@ -169,6 +169,10 @@ static void DetectEngineBufferHttpClientBodies(DetectEngineCtx *de_ctx,
 }
 }
 
+ if (flags & STREAM_EOF) {
+ htud->flags |= HTP_REQ_BODY_COMPLETE;
+ }
+
 /* inspect the body if the transfer is complete or we have hit
 * our body size limit */
 if (htud->request_body.content_len_so_far < BODY_MINIMAL_SIZE &&
@@ -232,7 +236,7 @@ int DetectEngineRunHttpClientBodyMpm(DetectEngineCtx *de_ctx,
 uint32_t cnt = 0;
 
 FLOWLOCK_WRLOCK(f);
- DetectEngineBufferHttpClientBodies(de_ctx, det_ctx, f, htp_state);
+ DetectEngineBufferHttpClientBodies(de_ctx, det_ctx, f, htp_state, flags);
 FLOWLOCK_UNLOCK(f);
 
 if (det_ctx->hcbd != NULL && det_ctx->hcbd_buffers_list_len) {
@@ -273,7 +277,7 @@ int DetectEngineInspectHttpClientBody(DetectEngineCtx *de_ctx,
 int i = 0;
 
 FLOWLOCK_WRLOCK(f);
- DetectEngineBufferHttpClientBodies(de_ctx, det_ctx, f, alstate);
+ DetectEngineBufferHttpClientBodies(de_ctx, det_ctx, f, alstate, flags);
 FLOWLOCK_UNLOCK(f);
 
 if (det_ctx->hcbd != NULL && det_ctx->hcbd_buffers_list_len) {
diff --git a/src/detect-engine-hsbd.c b/src/detect-engine-hsbd.c
index ec9c4464b9..0e2670ac33 100644
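Review bot: The new `uint8_t flags` parameter of DetectEngineBufferHttpClientBodies (hunk -70/+70) is not described in the doc comment whose tail, `\warning Make sure flow is locked ...`, is visible at the top of the hunk. The earlier lines of that comment are outside the hunk, so check whether the other parameters carry `\param` entries before choosing the form. I would add `* \param flags stream flags passed by the caller; STREAM_EOF forces inspection of an incomplete body`. The identical signature change to DetectEngineBufferHttpServerBodies in detect-engine-hsbd.c (hunk -71/+71) needs the same line.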
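Review bot: The added `if (flags & STREAM_EOF)` block (hunk -169/+169) marks a truncated request body as complete by writing `HTP_REQ_BODY_COMPLETE` into the per-transaction `htud->flags` from the detection path, and nothing in the code says why. I would put `/* stream ended: no more body data will arrive, so inspect what is buffered even if it is below BODY_MINIMAL_SIZE */` above the block, and the same above the `HTP_RES_BODY_COMPLETE` block in detect-engine-hsbd.c (hunk -163/+163). The enclosing function body starts and ends outside the hunk, so I cannot see who else reads that flag; if anything does, it will now treat an interrupted transfer as finished, and a local condition added to the size check below would avoid changing shared state. The commit also adds no unit test for a body shorter than BODY_MINIMAL_SIZE followed by STREAM_EOF; the only test change is the message fix in detect-http-server-body.c, so the forced-inspection path that closes this detection gap is not pinned by a regression test.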
--- a/src/detect-engine-hsbd.c
+++ b/src/detect-engine-hsbd.c
@@ -71,7 +71,7 @@
 * \warning Make sure flow is locked. Flow is modified, WRITE lock needed.
 */
 static void DetectEngineBufferHttpServerBodies(DetectEngineCtx *de_ctx,
- DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state)
+ DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state, uint8_t flags)
 {
 int idx = 0;
 htp_tx_t *tx = NULL;
@@ -163,6 +163,10 @@ static void DetectEngineBufferHttpServerBodies(DetectEngineCtx *de_ctx,
 }
 }
 
+ if (flags & STREAM_EOF) {
+ htud->flags |= HTP_RES_BODY_COMPLETE;
+ }
+
 /* inspect the body if the transfer is complete or we have hit
 * our body size limit */
 if (htud->response_body.content_len_so_far < BODY_MINIMAL_SIZE &&
@@ -228,7 +232,7 @@ int DetectEngineRunHttpServerBodyMpm(DetectEngineCtx *de_ctx,
 uint32_t cnt = 0;
 
 FLOWLOCK_WRLOCK(f);
- DetectEngineBufferHttpServerBodies(de_ctx, det_ctx, f, htp_state);
+ DetectEngineBufferHttpServerBodies(de_ctx, det_ctx, f, htp_state, flags);
 FLOWLOCK_UNLOCK(f);
 
 if (det_ctx->hsbd != NULL && det_ctx->hsbd_buffers_list_len) {
@@ -269,7 +273,7 @@ int DetectEngineInspectHttpServerBody(DetectEngineCtx *de_ctx,
 int i = 0;
 
 FLOWLOCK_WRLOCK(f);
- DetectEngineBufferHttpServerBodies(de_ctx, det_ctx, f, alstate);
+ DetectEngineBufferHttpServerBodies(de_ctx, det_ctx, f, alstate, flags);
 FLOWLOCK_UNLOCK(f);
 
 if (det_ctx->hsbd != NULL && det_ctx->hsbd_buffers_list_len) {
diff --git a/src/detect-http-server-body.c b/src/detect-http-server-body.c
index 32e1e435b0..3982426345 100644
--- a/src/detect-http-server-body.c
+++ b/src/detect-http-server-body.c
@@ -584,7 +584,7 @@ static int DetectHttpServerBodyTest07(void)
 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
 
 if ((PacketAlertCheck(p1, 1))) {
- printf("sid 1 matched on chunk2 but should have: ");
+ printf("sid 1 matched on chunk2 but shouldn't have: ");
 goto end;
 }