From: Mike Stepanek (mstepane) Date: Fri, 24 Sep 2021 10:42:11 +0000 (+0000) Subject: Merge pull request #3074 in SNORT/snort3 from ~VHORBATO/snort3:script_data_renaming... X-Git-Tag: 3.1.14.0~15 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=61ab6d348874a4b56d26affbf4c47a8e2e3043ba;p=thirdparty%2Fsnort3.git Merge pull request #3074 in SNORT/snort3 from ~VHORBATO/snort3:script_data_renaming to master Squashed commit of the following: commit b0d5e3b51f77e38937e040229cd92487c76499ad Author: Vitalii Date: Wed Sep 22 14:12:42 2021 +0300 ips_options: rename script_data buffer to js_data
---
diff --git a/doc/user/http_inspect.txt b/doc/user/http_inspect.txt
index 53a913b8a..994541056 100755
--- a/doc/user/http_inspect.txt
+++ b/doc/user/http_inspect.txt
@@ -165,7 +165,7 @@ operator, etc.) according to ECMAScript 5.1 standard.
 Additionally, it performs normalization of JavaScript identifiers making a substitution of unique names with unified names representation: a0 -> z9999. The identifiers are variables and function names.
-The normalized data is available through the script_data rule option.
+The normalized data is available through the js_data rule option.
 This is currently experimental and still under development.
 ===== js_norm_identifier_depth
@@ -356,9 +356,9 @@ Messages from script processing flow and their verbosity levels:
 ===== trace.module.http_inspect.js_dump
-Script data dump and verbosity levels:
+JavaScript data dump and verbosity levels:
-1. script_data buffer as it is passed to detection.
+1. js_data buffer as it is passed to detection.
 2. Current script in normalized form.
@@ -592,13 +592,13 @@ The file_data contains the normalized message body. This is the normalization
 described above under gzip, normalize_utf, decompress_pdf, decompress_swf, and normalize_javascript.
-===== script_data
+===== js_data
-The script_data contains normalized JavaScript text collected from the whole PDU
+The js_data contains normalized JavaScript text collected from the whole PDU
 (inline or external scripts). It requires the Enhanced Normalizer enabled: http_inspect = { js_normalization_depth = N }, js_normalization_depth option is described above.
-Despite what script_data has, file_data still contains the whole HTTP body
+Despite what js_data has, file_data still contains the whole HTTP body
 with an original JavaScript in it.
 ==== Timing issues and combining rule options
diff --git a/src/detection/detection_engine.cc b/src/detection/detection_engine.cc
index 1598582fb..4b5daca44 100644
--- a/src/detection/detection_engine.cc
+++ b/src/detection/detection_engine.cc
@@ -104,7 +104,7 @@ DetectionEngine::DetectionEngine()
 context = Analyzer::get_switcher()->interrupt();
 context->file_data = DataPointer(nullptr, 0);
- context->script_data = DataPointer(nullptr, 0);
+ context->js_data = DataPointer(nullptr, 0);
 reset();
 }
@@ -300,11 +300,11 @@ void DetectionEngine::set_file_data(const DataPointer& dp)
 DataPointer& DetectionEngine::get_file_data(IpsContext* c)
 { return c->file_data; }
-void DetectionEngine::set_script_data(const DataPointer& dp)
-{ Analyzer::get_switcher()->get_context()->script_data = dp; }
+void DetectionEngine::set_js_data(const DataPointer& dp)
+{ Analyzer::get_switcher()->get_context()->js_data = dp; }
-DataPointer& DetectionEngine::get_script_data(IpsContext* c)
-{ return c->script_data; }
+DataPointer& DetectionEngine::get_js_data(IpsContext* c)
+{ return c->js_data; }
 void DetectionEngine::set_data(unsigned id, IpsContextData* p)
 { Analyzer::get_switcher()->get_context()->set_context_data(id, p); }
diff --git a/src/detection/detection_engine.h b/src/detection/detection_engine.h
index 3129f9395..b3940d278 100644
--- a/src/detection/detection_engine.h
+++ b/src/detection/detection_engine.h
@@ -71,8 +71,8 @@ public:
 static void set_file_data(const DataPointer& dp);
 static DataPointer& get_file_data(IpsContext*);
- static void set_script_data(const DataPointer& dp);
- static DataPointer& get_script_data(IpsContext*);
+ static void set_js_data(const DataPointer& dp);
+ static DataPointer& get_js_data(IpsContext*);
 static uint8_t* get_buffer(unsigned& max);
 static struct DataBuffer& get_alt_buffer(Packet*);
@@ -133,14 +133,14 @@ static inline void set_file_data(const uint8_t* p, unsigned n)
 static inline void clear_file_data()
 { set_file_data(nullptr, 0); }
-static inline void set_script_data(const uint8_t* data, unsigned len)
+static inline void set_js_data(const uint8_t* data, unsigned len)
 {
 DataPointer dp { data, len };
- DetectionEngine::set_script_data(dp);
+ DetectionEngine::set_js_data(dp);
 }
-static inline void clear_script_data()
-{ set_script_data(nullptr, 0); }
+static inline void clear_js_data()
+{ set_js_data(nullptr, 0); }
 } // namespace snort
 #endif
diff --git a/src/detection/fp_detect.cc b/src/detection/fp_detect.cc
index fc24bbbb0..5b96e3a05 100644
--- a/src/detection/fp_detect.cc
+++ b/src/detection/fp_detect.cc
@@ -961,17 +961,17 @@ static int fp_search(PortGroup* port_group, Packet* p, bool srvc)
 if ( MpseGroup* so = port_group->mpsegrp[PM_TYPE_SCRIPT] )
 {
- // FIXIT-M script data should be obtained from
+ // FIXIT-M js data should be obtained from
 // inspector gadget as is done with search_buffer
- DataPointer script_data = p->context->script_data;
+ DataPointer js_data = p->context->js_data;
- if ( script_data.len )
+ if ( js_data.len )
 {
 debug_logf(detection_trace, TRACE_FP_SEARCH, p, "%" PRIu64 " fp search %s[%d]\n", p->context->packet_number,
- pm_type_strings[PM_TYPE_SCRIPT], script_data.len);
+ pm_type_strings[PM_TYPE_SCRIPT], js_data.len);
- batch_search(so, p, script_data.data, script_data.len, pc.script_searches);
+ batch_search(so, p, js_data.data, js_data.len, pc.script_searches);
 }
 }
diff --git a/src/detection/fp_utils.cc b/src/detection/fp_utils.cc
index 89a8bcb13..90989638a 100644
--- a/src/detection/fp_utils.cc
+++ b/src/detection/fp_utils.cc
@@ -250,7 +250,7 @@ void validate_services(SnortConfig* sc, OptTreeNode* otn)
 continue;
 }
- if ( !strcmp(s, "script_data") )
+ if ( !strcmp(s, "js_data") )
 {
 script = true;
 continue;
@@ -289,7 +289,7 @@ void validate_services(SnortConfig* sc, OptTreeNode* otn)
 }
 if ( otn->sigInfo.services.empty() and script )
 {
- ParseWarning(WARN_RULES, "%u:%u:%u has no service with script_data",
+ ParseWarning(WARN_RULES, "%u:%u:%u has no service with js_data",
 otn->sigInfo.gid, otn->sigInfo.sid, otn->sigInfo.rev);
 add_service_to_otn(sc, otn, "http");
 }
diff --git a/src/detection/ips_context.h b/src/detection/ips_context.h
index 2b04a928d..caa02bf3f 100644
--- a/src/detection/ips_context.h
+++ b/src/detection/ips_context.h
@@ -153,7 +153,7 @@ public:
 SF_EVENTQ* equeue;
 DataPointer file_data = DataPointer(nullptr, 0);
- DataPointer script_data = DataPointer(nullptr, 0);
+ DataPointer js_data = DataPointer(nullptr, 0);
 DataBuffer alt_data = {};
 uint64_t context_num;
diff --git a/src/ips_options/CMakeLists.txt b/src/ips_options/CMakeLists.txt
index bc482d8b0..1d4e81d1a 100644
--- a/src/ips_options/CMakeLists.txt
+++ b/src/ips_options/CMakeLists.txt
@@ -36,7 +36,7 @@ SET( PLUGIN_LIST
 ips_rem.cc
 ips_rev.cc
 ips_rpc.cc
- ips_script_data.cc
+ ips_js_data.cc
 ips_seq.cc
 ips_sid.cc
 ips_soid.cc
@@ -67,7 +67,7 @@ set (IPS_SOURCES
 ips_pkt_data.cc
 ips_reference.cc
 ips_replace.cc
- ips_script_data.cc
+ ips_js_data.cc
 ips_service.cc
 ips_so.cc
 )
diff --git a/src/ips_options/ips_script_data.cc b/src/ips_options/ips_js_data.cc
similarity index 86%
rename from src/ips_options/ips_script_data.cc
rename to src/ips_options/ips_js_data.cc
index 54be7820e..49955d38c 100644
--- a/src/ips_options/ips_script_data.cc
+++ b/src/ips_options/ips_js_data.cc
@@ -15,7 +15,7 @@
 // with this program; if not, write to the Free Software Foundation, Inc.,
 // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 //--------------------------------------------------------------------------
-// ips_script_data.cc author Serhii Vlasiuk
+// ips_js_data.cc author Serhii Vlasiuk
 #ifdef HAVE_CONFIG_H
 #include "config.h"
@@ -29,9 +29,9 @@ using namespace snort;
-#define s_name "script_data"
+#define s_name "js_data"
 #define s_help \
- "rule option to set detection cursor to normalized script data"
+ "rule option to set detection cursor to normalized JavaScript data"
 static THREAD_LOCAL ProfileStats scriptDataPerfStats;
@@ -50,7 +50,7 @@ IpsOption::EvalStatus ScriptDataOption::eval(Cursor& c, Packet* p)
 {
 RuleProfile profile(scriptDataPerfStats);
- DataPointer dp = DetectionEngine::get_script_data(p->context);
+ DataPointer dp = DetectionEngine::get_js_data(p->context);
 if ( !dp.data or !dp.len )
 return NO_MATCH;
@@ -90,17 +90,17 @@ static void mod_dtor(Module* m)
 delete m;
 }
-static IpsOption* script_data_ctor(Module*, OptTreeNode*)
+static IpsOption* js_data_ctor(Module*, OptTreeNode*)
 {
 return new ScriptDataOption;
 }
-static void script_data_dtor(IpsOption* p)
+static void js_data_dtor(IpsOption* p)
 {
 delete p;
 }
-static const IpsApi script_data_api =
+static const IpsApi js_data_api =
 {
 {
 PT_IPS_OPTION,
@@ -120,18 +120,18 @@ static const IpsApi script_data_api =
 nullptr,
 nullptr,
 nullptr,
- script_data_ctor,
- script_data_dtor,
+ js_data_ctor,
+ js_data_dtor,
 nullptr
 };
 #ifdef BUILDING_SO
 SO_PUBLIC const BaseApi* snort_plugins[] =
 #else
-const BaseApi* ips_script_data[] =
+const BaseApi* ips_js_data[] =
 #endif
 {
- &script_data_api.base,
+ &js_data_api.base,
 nullptr
 };
diff --git a/src/ips_options/ips_options.cc b/src/ips_options/ips_options.cc
index 2e6cd8877..b46344da8 100644
--- a/src/ips_options/ips_options.cc
+++ b/src/ips_options/ips_options.cc
@@ -39,7 +39,7 @@ extern const BaseApi* ips_metadata;
 extern const BaseApi* ips_pkt_data;
 extern const BaseApi* ips_reference;
 extern const BaseApi* ips_replace;
-extern const BaseApi* ips_script_data;
+extern const BaseApi* ips_js_data;
 extern const BaseApi* ips_service;
 extern const BaseApi* ips_sha256;
 extern const BaseApi* ips_sha512;
@@ -106,7 +106,7 @@ static const BaseApi* ips_options[] =
 ips_pkt_data,
 ips_reference,
 ips_replace,
- ips_script_data,
+ ips_js_data,
 ips_service,
 ips_sha256,
 ips_sha512,
diff --git a/src/main/analyzer.cc b/src/main/analyzer.cc
index 3ea25c509..95cbd243e 100644
--- a/src/main/analyzer.cc
+++ b/src/main/analyzer.cc
@@ -203,7 +203,7 @@ static bool process_packet(Packet* p)
 if ( !(p->packet_flags & PKT_IGNORE) )
 {
 clear_file_data();
- clear_script_data();
+ clear_js_data();
 // return incomplete status if the main hook indicates not all work was done
 if (!main_hook(p))
 return false;
diff --git a/src/main/test/stubs.h b/src/main/test/stubs.h
index 156393b6e..136c79944 100644
--- a/src/main/test/stubs.h
+++ b/src/main/test/stubs.h
@@ -163,7 +163,7 @@ void DetectionEngine::idle() { }
 void DetectionEngine::reset() { }
 void DetectionEngine::wait_for_context() { }
 void DetectionEngine::set_file_data(const DataPointer&) { }
-void DetectionEngine::set_script_data(const DataPointer&) { }
+void DetectionEngine::set_js_data(const DataPointer&) { }
 void DetectionEngine::clear_replacement() { }
 void DetectionEngine::disable_all(Packet*) { }
 unsigned get_instance_id() { return 0; }
diff --git a/src/service_inspectors/http_inspect/dev_notes.txt b/src/service_inspectors/http_inspect/dev_notes.txt
index f19f0a0d4..b21548bb4 100755
--- a/src/service_inspectors/http_inspect/dev_notes.txt
+++ b/src/service_inspectors/http_inspect/dev_notes.txt
@@ -427,11 +427,11 @@ Verbosity levels:
 5. Parser states (debug build only)
 6. Input stream states (debug build only)
-* trace.module.http_inspect.js_dump dumps script data from processing layers.
+* trace.module.http_inspect.js_dump dumps JavaScript data from processing layers.
+ Verbosity levels:
+
-1. script_data buffer as it is being passed to detection (available in release build)
+1. js_data buffer as it is being passed to detection (available in release build)
 2. Current normalized script (available in release build)
 3. Payload passed to Normalizer (available in release build)
 4. Temporary buffer (debug build only)
diff --git a/src/service_inspectors/http_inspect/http_js_norm.cc b/src/service_inspectors/http_inspect/http_js_norm.cc
index 3b110bdfa..b46465670 100644
--- a/src/service_inspectors/http_inspect/http_js_norm.cc
+++ b/src/service_inspectors/http_inspect/http_js_norm.cc
@@ -216,7 +216,7 @@ void HttpJsNorm::enhanced_external_normalize(const Field& input, Field& output,
 output.set(dst - buffer, (const uint8_t*)buffer, true);
 trace_logf(1, http_trace, TRACE_JS_DUMP, nullptr,
- "script_data[%zu]: %.*s\n", dst - buffer, static_cast(dst - buffer), buffer);
+ "js_data[%zu]: %.*s\n", dst - buffer, static_cast(dst - buffer), buffer);
 }
 }
@@ -357,7 +357,7 @@ void HttpJsNorm::enhanced_inline_normalize(const Field& input, Field& output,
 output.set(dst - buffer, (const uint8_t*)buffer, true);
 trace_logf(1, http_trace, TRACE_JS_DUMP, nullptr,
- "script_data[%zu]: %.*s\n", dst - buffer, static_cast(dst - buffer), buffer);
+ "js_data[%zu]: %.*s\n", dst - buffer, static_cast(dst - buffer), buffer);
 }
 }
diff --git a/src/service_inspectors/http_inspect/http_msg_body.cc b/src/service_inspectors/http_inspect/http_msg_body.cc
index 8443da2b6..1ec84a0fe 100644
--- a/src/service_inspectors/http_inspect/http_msg_body.cc
+++ b/src/service_inspectors/http_inspect/http_msg_body.cc
@@ -356,7 +356,7 @@ void HttpMsgBody::do_js_normalization(const Field& input, Field& output, bool pa
 if ( norm_length > 0 )
 {
- set_script_data(enhanced_js_norm_body.start(), (unsigned int)norm_length);
+ set_js_data(enhanced_js_norm_body.start(), (unsigned int)norm_length);
 if (partial_detect)
 return;