From: Victor Julien Date: Thu, 8 Dec 2016 08:19:34 +0000 (+0100) Subject: http_uri: dynamic buffer X-Git-Tag: suricata-4.0.0-beta1~393 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6346a074a7b828952e094b2efd54dc12a6149b2d;p=thirdparty%2Fsuricata.git http_uri: dynamic buffer Clean up tests --- diff --git a/src/detect-byte-extract.c b/src/detect-byte-extract.c index 64a512458f..1a7a0268cd 100644 --- a/src/detect-byte-extract.c +++ b/src/detect-byte-extract.c @@ -672,6 +672,7 @@ SigMatch *DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s) #ifdef UNITTESTS static int g_file_data_buffer_id = 0; +static int g_http_uri_buffer_id = 0; static int DetectByteExtractTest01(void) { @@ -1691,7 +1692,7 @@ static int DetectByteExtractTest37(void) goto end; } - sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; + sm = s->sm_lists[g_http_uri_buffer_id]; if (sm->type != DETECT_CONTENT) { result = 0; goto end; @@ -1804,7 +1805,7 @@ static int DetectByteExtractTest38(void) goto end; } - sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; + sm = s->sm_lists[g_http_uri_buffer_id]; if (sm->type != DETECT_CONTENT) { result = 0; goto end; @@ -1892,7 +1893,7 @@ static int DetectByteExtractTest39(void) goto end; } - sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; + sm = s->sm_lists[g_http_uri_buffer_id]; if (sm->type != DETECT_CONTENT) { result = 0; goto end; @@ -2005,7 +2006,7 @@ static int DetectByteExtractTest40(void) goto end; } - sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; + sm = s->sm_lists[g_http_uri_buffer_id]; if (sm->type != DETECT_CONTENT) { result = 0; goto end; @@ -2237,7 +2238,7 @@ static int DetectByteExtractTest42(void) if (sm->next != NULL) goto end; - sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; + sm = s->sm_lists[g_http_uri_buffer_id]; if (sm->type != DETECT_CONTENT) { result = 0; goto end; @@ -3776,7 +3777,7 @@ static int DetectByteExtractTest56(void) goto end; } - sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; + sm = s->sm_lists[g_http_uri_buffer_id]; if (sm->type != DETECT_CONTENT) { result = 0; goto end; @@ -3948,7 +3949,7 @@ static int DetectByteExtractTest57(void) if (sm->next != NULL) goto end; - sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; + sm = s->sm_lists[g_http_uri_buffer_id]; if (sm->type != DETECT_CONTENT) { result = 0; goto end; @@ -4411,12 +4412,12 @@ static int DetectByteExtractTest60(void) if (sm->next != NULL) goto end; - if (s->sm_lists_tail[DETECT_SM_LIST_UMATCH] == NULL) { + if (s->sm_lists_tail[g_http_uri_buffer_id] == NULL) { result = 0; goto end; } - sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; + sm = s->sm_lists[g_http_uri_buffer_id]; if (sm->type != DETECT_CONTENT) { result = 0; goto end; @@ -4541,12 +4542,12 @@ static int DetectByteExtractTest61(void) if (sm->next != NULL) goto end; - if (s->sm_lists_tail[DETECT_SM_LIST_UMATCH] == NULL) { + if (s->sm_lists_tail[g_http_uri_buffer_id] == NULL) { result = 0; goto end; } - sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; + sm = s->sm_lists[g_http_uri_buffer_id]; if (sm->type != DETECT_CONTENT) { result = 0; goto end; @@ -4731,6 +4732,7 @@ static void DetectByteExtractRegisterTests(void) { #ifdef UNITTESTS g_file_data_buffer_id = DetectBufferTypeGetByName("file_data"); + g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri"); UtRegisterTest("DetectByteExtractTest01", DetectByteExtractTest01); UtRegisterTest("DetectByteExtractTest02", DetectByteExtractTest02); diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c index 223a3b1c0f..19f153b03f 100644 --- a/src/detect-engine-analyzer.c +++ b/src/detect-engine-analyzer.c @@ -112,8 +112,6 @@ void EngineAnalysisFP(Signature *s, char *line) int list_type = SigMatchListSMBelongsTo(s, mpm_sm); if (list_type == DETECT_SM_LIST_PMATCH) fprintf(fp_engine_analysis_FD, "content\n"); - else if (list_type == DETECT_SM_LIST_UMATCH) - fprintf(fp_engine_analysis_FD, "http uri content\n"); else if (list_type == DETECT_SM_LIST_HRUDMATCH) fprintf(fp_engine_analysis_FD, "http raw uri content\n"); else if (list_type == DETECT_SM_LIST_HHDMATCH) @@ -464,8 +462,6 @@ static void EngineAnalysisRulesPrintFP(const Signature *s) fprintf(rule_engine_analysis_FD, "%s", payload ? (stream ? "payload and reassembled stream" : "payload") : "reassembled stream"); } - else if (list_type == DETECT_SM_LIST_UMATCH) - fprintf(rule_engine_analysis_FD, "http uri content"); else if (list_type == DETECT_SM_LIST_HRUDMATCH) fprintf(rule_engine_analysis_FD, "http raw uri content"); else if (list_type == DETECT_SM_LIST_HHDMATCH) @@ -583,6 +579,7 @@ void EngineAnalysisRules(const Signature *s, const char *line) const int nlists = DetectBufferTypeMaxId(); const int filedata_id = DetectBufferTypeGetByName("file_data"); const int httpmethod_id = DetectBufferTypeGetByName("http_method"); + const int httpuri_id = DetectBufferTypeGetByName("http_uri"); if (s->init_data->init_flags & SIG_FLAG_INIT_BIDIREC) { rule_bidirectional = 1; @@ -611,7 +608,7 @@ void EngineAnalysisRules(const Signature *s, const char *line) http_client_body_buf += 1; raw_http_buf += 1; } - else if (list_id == DETECT_SM_LIST_UMATCH) { + else if (list_id == httpuri_id) { rule_pcre_http += 1; norm_http_buf += 1; http_uri_buf += 1; @@ -667,7 +664,7 @@ void EngineAnalysisRules(const Signature *s, const char *line) } else if (sm->type == DETECT_CONTENT) { - if (list_id == DETECT_SM_LIST_UMATCH + if (list_id == httpuri_id || list_id == DETECT_SM_LIST_HHDMATCH || list_id == DETECT_SM_LIST_HCDMATCH) { rule_content_http += 1; @@ -677,7 +674,7 @@ void EngineAnalysisRules(const Signature *s, const char *line) warn_encoding_norm_http_buf += 1; rule_warning += 1; } - if (list_id == DETECT_SM_LIST_UMATCH) { + if (list_id == httpuri_id) { http_uri_buf += 1; } else if (list_id == DETECT_SM_LIST_HHDMATCH) { diff --git a/src/detect-engine.c b/src/detect-engine.c index 5bf07207f7..c9244e904f 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -2798,8 +2798,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type) case DETECT_SM_LIST_PMATCH: return "packet/stream payload"; - case DETECT_SM_LIST_UMATCH: - return "http uri"; case DETECT_SM_LIST_HRUDMATCH: return "http raw uri"; case DETECT_SM_LIST_HCBDMATCH: diff --git a/src/detect-fast-pattern.c b/src/detect-fast-pattern.c index 4179b5eac6..239c0bc8b1 100644 --- a/src/detect-fast-pattern.c +++ b/src/detect-fast-pattern.c @@ -323,6 +323,7 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a #ifdef UNITTESTS static int g_file_data_buffer_id = 0; static int g_http_method_buffer_id = 0; +static int g_http_uri_buffer_id = 0; /** * \test Checks if a fast_pattern is registered in a Signature @@ -1594,7 +1595,7 @@ int DetectFastPatternTest54(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_uri_buffer_id]; while (sm != NULL) { if (sm->type == DETECT_CONTENT) { if ( ((DetectContentData *)sm->ctx)->flags & @@ -1635,7 +1636,7 @@ int DetectFastPatternTest55(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_uri_buffer_id]; while (sm != NULL) { if (sm->type == DETECT_CONTENT) { if ( ((DetectContentData *)sm->ctx)->flags & @@ -1672,7 +1673,7 @@ int DetectFastPatternTest56(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_uri_buffer_id]; DetectContentData *ud = (DetectContentData *)sm->ctx; if (sm->type == DETECT_CONTENT) { if (ud->flags & DETECT_CONTENT_FAST_PATTERN && @@ -1708,7 +1709,7 @@ int DetectFastPatternTest57(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_uri_buffer_id]; DetectContentData *ud = (DetectContentData *)sm->ctx; if (sm->type == DETECT_CONTENT) { if (ud->flags & DETECT_CONTENT_FAST_PATTERN && @@ -1940,7 +1941,7 @@ int DetectFastPatternTest67(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -1970,7 +1971,7 @@ int DetectFastPatternTest68(void) "(uricontent:\"one\"; uricontent:\"two\"; within:30; uricontent:\"two\"; fast_pattern:only; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -2000,7 +2001,7 @@ int DetectFastPatternTest69(void) "(uricontent:\"one\"; uricontent:\"two\"; offset:30; uricontent:\"two\"; fast_pattern:only; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -2030,7 +2031,7 @@ int DetectFastPatternTest70(void) "(uricontent:\"one\"; uricontent:\"two\"; depth:30; uricontent:\"two\"; fast_pattern:only; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -2060,7 +2061,7 @@ int DetectFastPatternTest71(void) "(uricontent:!\"one\"; fast_pattern; uricontent:\"two\"; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -2179,7 +2180,7 @@ int DetectFastPatternTest76(void) "(uricontent:\"one\"; uricontent:\"oneonetwo\"; fast_pattern:3,4; uricontent:\"three\"; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -2209,7 +2210,7 @@ int DetectFastPatternTest77(void) "(uricontent:\"one\"; uricontent:\"oneonetwo\"; fast_pattern:3,4; uricontent:\"three\"; distance:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -2239,7 +2240,7 @@ int DetectFastPatternTest78(void) "(uricontent:\"one\"; uricontent:\"oneonetwo\"; fast_pattern:3,4; uricontent:\"three\"; within:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -2269,7 +2270,7 @@ int DetectFastPatternTest79(void) "(uricontent:\"one\"; uricontent:\"oneonetwo\"; fast_pattern:3,4; uricontent:\"three\"; offset:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -2299,7 +2300,7 @@ int DetectFastPatternTest80(void) "(uricontent:\"one\"; uricontent:\"oneonetwo\"; fast_pattern:3,4; uricontent:\"three\"; depth:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -2329,7 +2330,7 @@ int DetectFastPatternTest81(void) "(uricontent:\"one\"; uricontent:\"two\"; distance:10; uricontent:\"oneonethree\"; fast_pattern:3,4; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -2359,7 +2360,7 @@ int DetectFastPatternTest82(void) "(uricontent:\"one\"; uricontent:\"two\"; within:10; uricontent:\"oneonethree\"; fast_pattern:3,4; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -2389,7 +2390,7 @@ int DetectFastPatternTest83(void) "(uricontent:\"one\"; uricontent:\"two\"; offset:10; uricontent:\"oneonethree\"; fast_pattern:3,4; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -2419,7 +2420,7 @@ int DetectFastPatternTest84(void) "(uricontent:\"one\"; uricontent:\"two\"; depth:10; uricontent:\"oneonethree\"; fast_pattern:3,4; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -2518,7 +2519,7 @@ int DetectFastPatternTest88(void) "(uricontent:\"one\"; uricontent:!\"oneonetwo\"; fast_pattern:3,4; uricontent:\"three\"; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -2642,7 +2643,7 @@ int DetectFastPatternTest93(void) "(uricontent:\"one\"; content:!\"oneonetwo\"; fast_pattern:3,4; http_uri; uricontent:\"three\"; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -2680,7 +2681,7 @@ int DetectFastPatternTest94(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_uri_buffer_id]; while (sm != NULL) { if (sm->type == DETECT_CONTENT) { if ( ((DetectContentData *)sm->ctx)->flags & @@ -2721,7 +2722,7 @@ int DetectFastPatternTest95(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_uri_buffer_id]; while (sm != NULL) { if (sm->type == DETECT_CONTENT) { if ( ((DetectContentData *)sm->ctx)->flags & @@ -2758,7 +2759,7 @@ int DetectFastPatternTest96(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_uri_buffer_id]; DetectContentData *ud = (DetectContentData *)sm->ctx; if (sm->type == DETECT_CONTENT) { if (ud->flags & DETECT_CONTENT_FAST_PATTERN && @@ -2794,7 +2795,7 @@ int DetectFastPatternTest97(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_uri_buffer_id]; DetectContentData *ud = (DetectContentData *)sm->ctx; if (sm->type == DETECT_CONTENT) { if (ud->flags & DETECT_CONTENT_FAST_PATTERN && @@ -3026,7 +3027,7 @@ int DetectFastPatternTest107(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -3056,7 +3057,7 @@ int DetectFastPatternTest108(void) "(uricontent:\"one\"; uricontent:\"two\"; within:30; content:\"two\"; fast_pattern:only; http_uri; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -3086,7 +3087,7 @@ int DetectFastPatternTest109(void) "(uricontent:\"one\"; uricontent:\"two\"; offset:30; content:\"two\"; fast_pattern:only; http_uri; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -3116,7 +3117,7 @@ int DetectFastPatternTest110(void) "(uricontent:\"one\"; uricontent:\"two\"; depth:30; content:\"two\"; fast_pattern:only; http_uri; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -3146,7 +3147,7 @@ int DetectFastPatternTest111(void) "(content:!\"one\"; fast_pattern; http_uri; uricontent:\"two\"; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -3265,7 +3266,7 @@ int DetectFastPatternTest116(void) "(uricontent:\"one\"; content:\"oneonetwo\"; fast_pattern:3,4; http_uri; uricontent:\"three\"; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -3295,7 +3296,7 @@ int DetectFastPatternTest117(void) "(uricontent:\"one\"; content:\"oneonetwo\"; fast_pattern:3,4; http_uri; uricontent:\"three\"; distance:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -3325,7 +3326,7 @@ int DetectFastPatternTest118(void) "(uricontent:\"one\"; content:\"oneonetwo\"; fast_pattern:3,4; http_uri; uricontent:\"three\"; within:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -3355,7 +3356,7 @@ int DetectFastPatternTest119(void) "(uricontent:\"one\"; content:\"oneonetwo\"; fast_pattern:3,4; http_uri; uricontent:\"three\"; offset:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -3385,7 +3386,7 @@ int DetectFastPatternTest120(void) "(uricontent:\"one\"; content:\"oneonetwo\"; fast_pattern:3,4; http_uri; uricontent:\"three\"; depth:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -3415,7 +3416,7 @@ int DetectFastPatternTest121(void) "(uricontent:\"one\"; uricontent:\"two\"; distance:10; content:\"oneonethree\"; fast_pattern:3,4; http_uri; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -3445,7 +3446,7 @@ int DetectFastPatternTest122(void) "(uricontent:\"one\"; uricontent:\"two\"; within:10; content:\"oneonethree\"; fast_pattern:3,4; http_uri; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -3475,7 +3476,7 @@ int DetectFastPatternTest123(void) "(uricontent:\"one\"; uricontent:\"two\"; offset:10; content:\"oneonethree\"; fast_pattern:3,4; http_uri; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -3505,7 +3506,7 @@ int DetectFastPatternTest124(void) "(uricontent:\"one\"; uricontent:\"two\"; depth:10; content:\"oneonethree\"; fast_pattern:3,4; http_uri; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -3604,7 +3605,7 @@ int DetectFastPatternTest128(void) "(uricontent:\"one\"; content:!\"oneonetwo\"; fast_pattern:3,4; http_uri; uricontent:\"three\"; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -3723,7 +3724,7 @@ int DetectFastPatternTest133(void) "(uricontent:\"one\"; content:!\"oneonetwo\"; fast_pattern:3,4; http_uri; uricontent:\"three\"; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -18825,6 +18826,7 @@ void DetectFastPatternRegisterTests(void) #ifdef UNITTESTS g_file_data_buffer_id = DetectBufferTypeGetByName("file_data"); g_http_method_buffer_id = DetectBufferTypeGetByName("http_method"); + g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri"); UtRegisterTest("DetectFastPatternTest01", DetectFastPatternTest01); UtRegisterTest("DetectFastPatternTest02", DetectFastPatternTest02); diff --git a/src/detect-http-cookie.c b/src/detect-http-cookie.c index 104d39d9a7..2bb0e6d460 100644 --- a/src/detect-http-cookie.c +++ b/src/detect-http-cookie.c @@ -138,11 +138,13 @@ static int DetectHttpCookieSetup(DetectEngineCtx *de_ctx, Signature *s, char *st #include "stream-tcp-reassemble.h" +static int g_http_uri_buffer_id = 0; + /** * \test Checks if a http_cookie is registered in a Signature, if content is not * specified in the signature */ -int DetectHttpCookieTest01(void) +static int DetectHttpCookieTest01(void) { DetectEngineCtx *de_ctx = NULL; int result = 0; @@ -166,7 +168,7 @@ end: * \test Checks if a http_cookie is registered in a Signature, if some parameter * is specified with http_cookie in the signature */ -int DetectHttpCookieTest02(void) +static int DetectHttpCookieTest02(void) { DetectEngineCtx *de_ctx = NULL; int result = 0; @@ -190,7 +192,7 @@ end: /** * \test Checks if a http_cookie is registered in a Signature */ -int DetectHttpCookieTest03(void) +static int DetectHttpCookieTest03(void) { SigMatch *sm = NULL; DetectEngineCtx *de_ctx = NULL; @@ -237,7 +239,7 @@ end: * \test Checks if a http_cookie is registered in a Signature, when fast_pattern * is also specified in the signature (now it should) */ -int DetectHttpCookieTest04(void) +static int DetectHttpCookieTest04(void) { DetectEngineCtx *de_ctx = NULL; int result = 0; @@ -262,7 +264,7 @@ end: * \test Checks if a http_cookie is registered in a Signature, when rawbytes is * also specified in the signature */ -int DetectHttpCookieTest05(void) +static int DetectHttpCookieTest05(void) { DetectEngineCtx *de_ctx = NULL; int result = 0; @@ -287,7 +289,7 @@ int DetectHttpCookieTest05(void) * \test Checks if a http_cookie is registered in a Signature, when rawbytes is * also specified in the signature */ -int DetectHttpCookieTest06(void) +static int DetectHttpCookieTest06(void) { DetectEngineCtx *de_ctx = NULL; int result = 0; @@ -309,12 +311,12 @@ int DetectHttpCookieTest06(void) if (s->sm_lists[DETECT_SM_LIST_HCDMATCH]->type != DETECT_CONTENT) goto end; - if (s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL) { + if (s->sm_lists[g_http_uri_buffer_id] == NULL) { printf("expected another SigMatch, got NULL: "); goto end; } - if (s->sm_lists[DETECT_SM_LIST_UMATCH]->type != DETECT_CONTENT) { + if (s->sm_lists[g_http_uri_buffer_id]->type != DETECT_CONTENT) { goto end; } @@ -1279,6 +1281,8 @@ end: void DetectHttpCookieRegisterTests (void) { #ifdef UNITTESTS /* UNITTESTS */ + g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri"); + UtRegisterTest("DetectHttpCookieTest01", DetectHttpCookieTest01); UtRegisterTest("DetectHttpCookieTest02", DetectHttpCookieTest02); UtRegisterTest("DetectHttpCookieTest03", DetectHttpCookieTest03); diff --git a/src/detect-http-uri.c b/src/detect-http-uri.c index 11d8f2c3d0..1d6b102785 100644 --- a/src/detect-http-uri.c +++ b/src/detect-http-uri.c @@ -56,8 +56,10 @@ #include "detect-engine-uri.h" #include "stream-tcp.h" -int DetectHttpUriSetup (DetectEngineCtx *, Signature *, char *); -void DetectHttpUriRegisterTests(void); +static void DetectHttpUriRegisterTests(void); +static void DetectHttpUriSetupCallback(Signature *s); + +static int g_http_uri_buffer_id = 0; /** * \brief Registration function for keyword: http_uri @@ -76,13 +78,19 @@ void DetectHttpUriRegister (void) sigmatch_table[DETECT_AL_HTTP_URI].flags |= SIGMATCH_NOOPT; sigmatch_table[DETECT_AL_HTTP_URI].flags |= SIGMATCH_PAYLOAD; - DetectMpmAppLayerRegister("http_uri", SIG_FLAG_TOSERVER, - DETECT_SM_LIST_UMATCH, 2, + DetectAppLayerMpmRegister("http_uri", SIG_FLAG_TOSERVER, 2, PrefilterTxUriRegister); - DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER, - DETECT_SM_LIST_UMATCH, + DetectAppLayerInspectEngineRegister2("http_uri", ALPROTO_HTTP, SIG_FLAG_TOSERVER, DetectEngineInspectHttpUri); + + DetectBufferTypeSetDescriptionByName("http_uri", + "http request uri"); + + DetectBufferTypeRegisterSetupCallback("http_uri", + DetectHttpUriSetupCallback); + + g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri"); } @@ -101,23 +109,29 @@ int DetectHttpUriSetup(DetectEngineCtx *de_ctx, Signature *s, char *str) { return DetectEngineContentModifierBufferSetup(de_ctx, s, str, DETECT_AL_HTTP_URI, - DETECT_SM_LIST_UMATCH, + g_http_uri_buffer_id, ALPROTO_HTTP, NULL); } +static void DetectHttpUriSetupCallback(Signature *s) +{ + SCLogDebug("callback invoked by %u", s->id); + s->mask |= SIG_MASK_REQUIRE_HTTP_STATE; +} /******************************** UNITESTS **********************************/ #ifdef UNITTESTS +#include "detect-isdataat.h" #include "stream-tcp-reassemble.h" /** * \test Checks if a http_uri is registered in a Signature, if content is not * specified in the signature */ -int DetectHttpUriTest01(void) +static int DetectHttpUriTest01(void) { DetectEngineCtx *de_ctx = NULL; int result = 0; @@ -141,7 +155,7 @@ end: * \test Checks if a http_uri is registered in a Signature, if some parameter * is specified with http_uri in the signature */ -int DetectHttpUriTest02(void) +static int DetectHttpUriTest02(void) { DetectEngineCtx *de_ctx = NULL; int result = 0; @@ -165,7 +179,7 @@ end: /** * \test Checks if a http_uri is registered in a Signature */ -int DetectHttpUriTest03(void) +static int DetectHttpUriTest03(void) { SigMatch *sm = NULL; DetectEngineCtx *de_ctx = NULL; @@ -186,7 +200,7 @@ int DetectHttpUriTest03(void) goto end; } - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_uri_buffer_id]; if (sm == NULL) { printf("no sigmatch(es): "); goto end; @@ -212,7 +226,7 @@ end: * \test Checks if a http_uri is registered in a Signature, when rawbytes is * also specified in the signature */ -int DetectHttpUriTest04(void) +static int DetectHttpUriTest04(void) { DetectEngineCtx *de_ctx = NULL; int result = 0; @@ -237,7 +251,7 @@ int DetectHttpUriTest04(void) * \test Checks if a http_uri is successfully converted to a uricontent * */ -int DetectHttpUriTest05(void) +static int DetectHttpUriTest05(void) { DetectEngineCtx *de_ctx = NULL; Signature *s = NULL; @@ -254,16 +268,16 @@ int DetectHttpUriTest05(void) printf("sig failed to parse\n"); goto end; } - if (s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL) + if (s->sm_lists[g_http_uri_buffer_id] == NULL) goto end; - if (s->sm_lists[DETECT_SM_LIST_UMATCH]->type != DETECT_CONTENT) { + if (s->sm_lists[g_http_uri_buffer_id]->type != DETECT_CONTENT) { printf("wrong type\n"); goto end; } char *str = "we are testing http_uri keyword"; - int uricomp = memcmp((const char *)((DetectContentData*) s->sm_lists[DETECT_SM_LIST_UMATCH]->ctx)->content, str, strlen(str)-1); - int urilen = ((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx)->content_len; + int uricomp = memcmp((const char *)((DetectContentData*) s->sm_lists[g_http_uri_buffer_id]->ctx)->content, str, strlen(str)-1); + int urilen = ((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->content_len; if (uricomp != 0 || urilen != strlen("we are testing http_uri keyword")) { printf("sig failed to parse, content not setup properly\n"); @@ -277,7 +291,7 @@ end: return result; } -int DetectHttpUriTest12(void) +static int DetectHttpUriTest12(void) { DetectEngineCtx *de_ctx = NULL; int result = 0; @@ -299,13 +313,13 @@ int DetectHttpUriTest12(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n"); goto end; } - DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; - DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx; + DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx; if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT || memcmp(ud1->content, "one", ud1->content_len) != 0 || ud2->flags != DETECT_CONTENT_DISTANCE || @@ -321,7 +335,7 @@ int DetectHttpUriTest12(void) return result; } -int DetectHttpUriTest13(void) +static int DetectHttpUriTest13(void) { DetectEngineCtx *de_ctx = NULL; int result = 0; @@ -343,13 +357,13 @@ int DetectHttpUriTest13(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n"); goto end; } - DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; - DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx; + DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx; if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT || memcmp(ud1->content, "one", ud1->content_len) != 0 || ud2->flags != DETECT_CONTENT_WITHIN || @@ -365,7 +379,7 @@ int DetectHttpUriTest13(void) return result; } -int DetectHttpUriTest14(void) +static int DetectHttpUriTest14(void) { DetectEngineCtx *de_ctx = NULL; int result = 0; @@ -389,7 +403,7 @@ int DetectHttpUriTest14(void) return result; } -int DetectHttpUriTest15(void) +static int DetectHttpUriTest15(void) { DetectEngineCtx *de_ctx = NULL; int result = 0; @@ -405,12 +419,12 @@ int DetectHttpUriTest15(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n"); goto end; } - DetectContentData *cd = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + DetectContentData *cd = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx; if (memcmp(cd->content, "one", cd->content_len) != 0 || cd->flags != DETECT_CONTENT_WITHIN) { goto end; @@ -424,7 +438,7 @@ int DetectHttpUriTest15(void) return result; } -int DetectHttpUriTest16(void) +static int DetectHttpUriTest16(void) { DetectEngineCtx *de_ctx = NULL; int result = 0; @@ -448,7 +462,7 @@ int DetectHttpUriTest16(void) return result; } -int DetectHttpUriTest17(void) +static int DetectHttpUriTest17(void) { DetectEngineCtx *de_ctx = NULL; int result = 0; @@ -470,13 +484,13 @@ int DetectHttpUriTest17(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n"); goto end; } - DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; - DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx; + DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx; if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT || memcmp(ud1->content, "one", ud1->content_len) != 0 || ud2->flags != DETECT_CONTENT_DISTANCE || @@ -492,7 +506,7 @@ int DetectHttpUriTest17(void) return result; } -int DetectHttpUriTest18(void) +static int DetectHttpUriTest18(void) { DetectEngineCtx *de_ctx = NULL; int result = 0; @@ -514,13 +528,13 @@ int DetectHttpUriTest18(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n"); goto end; } - DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; - DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx; + DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx; if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT || memcmp(ud1->content, "one", ud1->content_len) != 0 || ud2->flags != DETECT_CONTENT_WITHIN || @@ -536,12 +550,37 @@ int DetectHttpUriTest18(void) return result; } +static int DetectHttpUriIsdataatParseTest(void) +{ + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + FAIL_IF_NULL(de_ctx); + de_ctx->flags |= DE_QUIET; + + Signature *s = DetectEngineAppendSig(de_ctx, + "alert tcp any any -> any any (" + "content:\"one\"; http_uri; " + "isdataat:!4,relative; sid:1;)"); + FAIL_IF_NULL(s); + + SigMatch *sm = s->init_data->smlists_tail[g_http_uri_buffer_id]; + FAIL_IF_NULL(sm); + FAIL_IF_NOT(sm->type == DETECT_ISDATAAT); + + DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx; + FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE); + FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED); + FAIL_IF(data->flags & ISDATAAT_RAWBYTES); + + DetectEngineCtxFree(de_ctx); + PASS; +} + #endif /* UNITTESTS */ /** * \brief Register the UNITTESTS for the http_uri keyword */ -void DetectHttpUriRegisterTests (void) +static void DetectHttpUriRegisterTests (void) { #ifdef UNITTESTS /* UNITTESTS */ UtRegisterTest("DetectHttpUriTest01", DetectHttpUriTest01); @@ -556,6 +595,9 @@ void DetectHttpUriRegisterTests (void) UtRegisterTest("DetectHttpUriTest16", DetectHttpUriTest16); UtRegisterTest("DetectHttpUriTest17", DetectHttpUriTest17); UtRegisterTest("DetectHttpUriTest18", DetectHttpUriTest18); + + UtRegisterTest("DetectHttpUriIsdataatParseTest", + DetectHttpUriIsdataatParseTest); #endif /* UNITTESTS */ } diff --git a/src/detect-http-uri.h b/src/detect-http-uri.h index cb327804ea..b55df07e33 100644 --- a/src/detect-http-uri.h +++ b/src/detect-http-uri.h @@ -25,10 +25,7 @@ #define _DETECT_HTTP_URI_H /* prototypes */ +int DetectHttpUriSetup (DetectEngineCtx *, Signature *, char *); void DetectHttpUriRegister (void); -int DetectHttpUriSetup(DetectEngineCtx *de_ctx, Signature *s, char *str); -int DetectHttpUriDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s, - SigMatch *sm, Flow *f, uint8_t flags, void *state); - #endif /* _DETECT_HTTP_URI_H */ diff --git a/src/detect-isdataat.c b/src/detect-isdataat.c index d2e01b35d3..5e99354713 100644 --- a/src/detect-isdataat.c +++ b/src/detect-isdataat.c @@ -516,94 +516,6 @@ int DetectIsdataatTestParse06(void) return result; } -int DetectIsdataatTestParse07(void) -{ - DetectEngineCtx *de_ctx = NULL; - int result = 0; - Signature *s = NULL; - DetectIsdataatData *data = NULL; - - de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto end; - - de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " - "(msg:\"Testing bytejump_body\"; " - "uricontent:\"one\"; " - "isdataat:!4,relative; sid:1;)"); - if (de_ctx->sig_list == NULL) { - goto end; - } - - s = de_ctx->sig_list; - if (s->sm_lists_tail[DETECT_SM_LIST_UMATCH] == NULL) { - goto end; - } - - result = 1; - - result &= (s->sm_lists_tail[DETECT_SM_LIST_UMATCH]->type == DETECT_ISDATAAT); - data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; - if ( !(data->flags & ISDATAAT_RELATIVE) || - (data->flags & ISDATAAT_RAWBYTES) || - !(data->flags & ISDATAAT_NEGATED) ) { - result = 0; - goto end; - } - - end: - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - - return result; -} - -int DetectIsdataatTestParse08(void) -{ - DetectEngineCtx *de_ctx = NULL; - int result = 0; - Signature *s = NULL; - DetectIsdataatData *data = NULL; - - de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto end; - - de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " - "(msg:\"Testing bytejump_body\"; " - "content:\"one\"; http_uri; " - "isdataat:!4,relative; sid:1;)"); - if (de_ctx->sig_list == NULL) { - goto end; - } - - s = de_ctx->sig_list; - if (s->sm_lists_tail[DETECT_SM_LIST_UMATCH] == NULL) { - goto end; - } - - result = 1; - - result &= (s->sm_lists_tail[DETECT_SM_LIST_UMATCH]->type == DETECT_ISDATAAT); - data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; - if ( !(data->flags & ISDATAAT_RELATIVE) || - (data->flags & ISDATAAT_RAWBYTES) || - !(data->flags & ISDATAAT_NEGATED) ) { - result = 0; - goto end; - } - - end: - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - - return result; -} - int DetectIsdataatTestParse09(void) { DetectEngineCtx *de_ctx = NULL; @@ -948,8 +860,6 @@ void DetectIsdataatRegisterTests(void) UtRegisterTest("DetectIsdataatTestParse04", DetectIsdataatTestParse04); UtRegisterTest("DetectIsdataatTestParse05", DetectIsdataatTestParse05); UtRegisterTest("DetectIsdataatTestParse06", DetectIsdataatTestParse06); - UtRegisterTest("DetectIsdataatTestParse07", DetectIsdataatTestParse07); - UtRegisterTest("DetectIsdataatTestParse08", DetectIsdataatTestParse08); UtRegisterTest("DetectIsdataatTestParse09", DetectIsdataatTestParse09); UtRegisterTest("DetectIsdataatTestParse10", DetectIsdataatTestParse10); UtRegisterTest("DetectIsdataatTestParse11", DetectIsdataatTestParse11); diff --git a/src/detect-lua.c b/src/detect-lua.c index 6a60482c3f..81d9668411 100644 --- a/src/detect-lua.c +++ b/src/detect-lua.c @@ -996,9 +996,10 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, char *str) SigMatchAppendSMToList(s, sm, list); } else if (lua->flags & DATATYPE_HTTP_REQUEST_BODY) SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HCBDMATCH); - else if (lua->flags & DATATYPE_HTTP_URI) - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_UMATCH); - else if (lua->flags & DATATYPE_HTTP_URI_RAW) + else if (lua->flags & DATATYPE_HTTP_URI) { + int list = DetectBufferTypeGetByName("http_uri"); + SigMatchAppendSMToList(s, sm, list); + } else if (lua->flags & DATATYPE_HTTP_URI_RAW) SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRUDMATCH); else if (lua->flags & DATATYPE_HTTP_REQUEST_COOKIE) SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HCDMATCH); diff --git a/src/detect-parse.c b/src/detect-parse.c index 7b8670b325..f2ba0413fd 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -141,7 +141,6 @@ const char *DetectListToHumanString(int list) switch (list) { CASE_CODE_STRING(DETECT_SM_LIST_MATCH, "packet"); CASE_CODE_STRING(DETECT_SM_LIST_PMATCH, "payload"); - CASE_CODE_STRING(DETECT_SM_LIST_UMATCH, "http_uri"); CASE_CODE_STRING(DETECT_SM_LIST_HRUDMATCH, "http_raw_uri"); CASE_CODE_STRING(DETECT_SM_LIST_HCBDMATCH, "http_client_body"); CASE_CODE_STRING(DETECT_SM_LIST_HHDMATCH, "http_header"); @@ -183,7 +182,6 @@ const char *DetectListToString(int list) switch (list) { CASE_CODE(DETECT_SM_LIST_MATCH); CASE_CODE(DETECT_SM_LIST_PMATCH); - CASE_CODE(DETECT_SM_LIST_UMATCH); CASE_CODE(DETECT_SM_LIST_HRUDMATCH); CASE_CODE(DETECT_SM_LIST_HCBDMATCH); CASE_CODE(DETECT_SM_LIST_HHDMATCH); @@ -1430,9 +1428,8 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s) continue; if (fd->flags & FLOW_PKT_TOCLIENT) { - /* check for uricontent + from_server/to_client */ - if (s->init_data->smlists[DETECT_SM_LIST_UMATCH] != NULL || - s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL || + /* check for request + from_server/to_client */ + if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HUADMATCH] != NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use uricontent " @@ -1580,8 +1577,7 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s) } } - if (s->init_data->smlists_tail[DETECT_SM_LIST_UMATCH] || - s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH] || + if (s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH] || s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH] || s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH] || s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH] || diff --git a/src/detect-pcre.c b/src/detect-pcre.c index c7477d8d92..515ec7096a 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c @@ -395,13 +395,15 @@ static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr, /* buffer selection */ - case 'U': /* snort's option */ + case 'U': { /* snort's option */ if (pd->flags & DETECT_PCRE_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'U' inconsistent with 'B'"); goto error; } - *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_UMATCH); + int list = DetectBufferTypeGetByName("http_uri"); + *sm_list = DetectPcreSetList(*sm_list, list); break; + } case 'V': if (pd->flags & DETECT_PCRE_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'V' inconsistent with 'B'"); @@ -440,7 +442,7 @@ static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr, case 'D': /* snort's option */ *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HRHDMATCH); break; - case 'M': /* snort's option */ + case 'M': { /* snort's option */ if (pd->flags & DETECT_PCRE_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'M' inconsistent with 'B'"); goto error; @@ -448,6 +450,7 @@ static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr, int list = DetectBufferTypeGetByName("http_method"); *sm_list = DetectPcreSetList(*sm_list, list); break; + } case 'C': /* snort's option */ if (pd->flags & DETECT_PCRE_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'C' inconsistent with 'B'"); @@ -666,8 +669,7 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst if (DetectPcreParseCapture(regexstr, de_ctx, pd) < 0) goto error; - if (parsed_sm_list == DETECT_SM_LIST_UMATCH || - parsed_sm_list == DETECT_SM_LIST_HRUDMATCH || + if (parsed_sm_list == DETECT_SM_LIST_HRUDMATCH || parsed_sm_list == DETECT_SM_LIST_HCBDMATCH || parsed_sm_list == DETECT_SM_LIST_HHDMATCH || parsed_sm_list == DETECT_SM_LIST_HRHDMATCH || @@ -707,7 +709,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst sm_list = parsed_sm_list; break; - case DETECT_SM_LIST_UMATCH: case DETECT_SM_LIST_HRUDMATCH: case DETECT_SM_LIST_HHDMATCH: case DETECT_SM_LIST_HRHDMATCH: diff --git a/src/detect-uricontent.c b/src/detect-uricontent.c index 4e66237129..719340e753 100644 --- a/src/detect-uricontent.c +++ b/src/detect-uricontent.c @@ -58,12 +58,10 @@ /* prototypes */ static int DetectUricontentSetup (DetectEngineCtx *, Signature *, char *); -void HttpUriRegisterTests(void); +static void DetectUricontentRegisterTests(void); +static void DetectUricontentFree(void *); -int DetectAppLayerUricontentMatch (ThreadVars *, DetectEngineThreadCtx *, - Flow *, uint8_t , void *, - Signature *, SigMatch *); -void DetectUricontentFree(void *); +static int g_http_uri_buffer_id = 0; /** * \brief Registration function for uricontent: keyword @@ -75,9 +73,11 @@ void DetectUricontentRegister (void) sigmatch_table[DETECT_URICONTENT].Match = NULL; sigmatch_table[DETECT_URICONTENT].Setup = DetectUricontentSetup; sigmatch_table[DETECT_URICONTENT].Free = DetectUricontentFree; - sigmatch_table[DETECT_URICONTENT].RegisterTests = HttpUriRegisterTests; + sigmatch_table[DETECT_URICONTENT].RegisterTests = DetectUricontentRegisterTests; sigmatch_table[DETECT_URICONTENT].flags |= SIGMATCH_PAYLOAD; + + g_http_uri_buffer_id = DetectBufferTypeRegister("http_uri"); } /** @@ -194,6 +194,7 @@ error: #ifdef UNITTESTS +#include "detect-isdataat.h" #include "stream-tcp-reassemble.h" /** \test Test case where path traversal has been sent as a path string in the @@ -499,8 +500,8 @@ int DetectUriSigTest01(void) "\" Test uricontent\"; content:\"me\"; uricontent:\"me\"; sid:1;)"); FAIL_IF_NULL(s); - BUG_ON(s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL); - FAIL_IF_NOT(de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]->type == DETECT_CONTENT); + BUG_ON(s->sm_lists[g_http_uri_buffer_id] == NULL); + FAIL_IF_NOT(de_ctx->sig_list->sm_lists[g_http_uri_buffer_id]->type == DETECT_CONTENT); DetectEngineCtxFree(de_ctx); PASS; @@ -777,7 +778,7 @@ static int DetectUriSigTest04(void) "\" Test uricontent\"; " "uricontent:\"foo\"; sid:1;)"); if (s == NULL || - s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL || + s->sm_lists[g_http_uri_buffer_id] == NULL || s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL || s->sm_lists[DETECT_SM_LIST_MATCH] != NULL) { @@ -789,7 +790,7 @@ static int DetectUriSigTest04(void) "\" Test uricontent and content\"; " "uricontent:\"foo\"; content:\"bar\";sid:1;)"); if (s == NULL || - s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL || + s->sm_lists[g_http_uri_buffer_id] == NULL || s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL || s->sm_lists[DETECT_SM_LIST_MATCH] != NULL) { @@ -802,7 +803,7 @@ static int DetectUriSigTest04(void) "uricontent:\"foo\"; content:\"bar\";" " depth:10; offset: 5; sid:1;)"); if (s == NULL || - s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL || + s->sm_lists[g_http_uri_buffer_id] == NULL || s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL || ((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth != 15 || ((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset != 5 || @@ -817,10 +818,10 @@ static int DetectUriSigTest04(void) "content:\"foo\"; uricontent:\"bar\";" " depth:10; offset: 5; sid:1;)"); if (s == NULL || - s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL || + s->sm_lists[g_http_uri_buffer_id] == NULL || s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL || - ((DetectContentData *)s->sm_lists[DETECT_SM_LIST_UMATCH]->ctx)->depth != 15 || - ((DetectContentData *)s->sm_lists[DETECT_SM_LIST_UMATCH]->ctx)->offset != 5 || + ((DetectContentData *)s->sm_lists[g_http_uri_buffer_id]->ctx)->depth != 15 || + ((DetectContentData *)s->sm_lists[g_http_uri_buffer_id]->ctx)->offset != 5 || s->sm_lists[DETECT_SM_LIST_MATCH] != NULL) { printf("sig 4 failed to parse: "); @@ -852,7 +853,7 @@ static int DetectUriSigTest04(void) "\"two_contents\"; within:30; sid:1;)"); if (s == NULL) { goto end; - } else if (s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL || + } else if (s->sm_lists[g_http_uri_buffer_id] == NULL || s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL || ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth != 15 || ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset != 5 || @@ -871,15 +872,15 @@ static int DetectUriSigTest04(void) "\"two_uricontents\"; within:30; sid:1;)"); if (s == NULL) { goto end; - } else if (s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL || + } else if (s->sm_lists[g_http_uri_buffer_id] == NULL || s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL || ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth != 15 || ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset != 5 || - ((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx)->within != 30 || + ((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->within != 30 || s->sm_lists[DETECT_SM_LIST_MATCH] != NULL) { printf("sig 8 failed to parse: "); - DetectUricontentPrint((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx); + DetectUricontentPrint((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx); goto end; } @@ -891,7 +892,7 @@ static int DetectUriSigTest04(void) if (s == NULL) { goto end; } else if ( - s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL || + s->sm_lists[g_http_uri_buffer_id] == NULL || s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL || ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth != 15 || ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset != 5 || @@ -911,15 +912,15 @@ static int DetectUriSigTest04(void) if (s == NULL) { goto end; } else if ( - s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL || + s->sm_lists[g_http_uri_buffer_id] == NULL || s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL || ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth != 15 || ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset != 5 || - ((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx)->distance != 30 || + ((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->distance != 30 || s->sm_lists[DETECT_SM_LIST_MATCH] != NULL) { printf("sig 10 failed to parse: "); - DetectUricontentPrint((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx); + DetectUricontentPrint((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx); goto end; } @@ -935,21 +936,21 @@ static int DetectUriSigTest04(void) goto end; } - if (s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL || s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) { - printf("umatch %p or pmatch %p: ", s->sm_lists[DETECT_SM_LIST_UMATCH], s->sm_lists[DETECT_SM_LIST_PMATCH]); + if (s->sm_lists[g_http_uri_buffer_id] == NULL || s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) { + printf("umatch %p or pmatch %p: ", s->sm_lists[g_http_uri_buffer_id], s->sm_lists[DETECT_SM_LIST_PMATCH]); goto end; } if ( ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth != 15 || ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset != 5 || - ((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx)->distance != 30 || - ((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx)->within != 60 || + ((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->distance != 30 || + ((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->within != 60 || ((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx)->distance != 45 || ((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx)->within != 70 || s->sm_lists[DETECT_SM_LIST_MATCH] != NULL) { printf("sig 10 failed to parse, content not setup properly: "); DetectContentPrint((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx); - DetectUricontentPrint((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx); + DetectUricontentPrint((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx); DetectContentPrint((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx); goto end; } @@ -1490,12 +1491,12 @@ int DetectUriSigTest12(void) goto end; } - if (s->sm_lists_tail[DETECT_SM_LIST_UMATCH] == NULL || s->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx == NULL) { + if (s->sm_lists_tail[g_http_uri_buffer_id] == NULL || s->sm_lists_tail[g_http_uri_buffer_id]->ctx == NULL) { printf("de_ctx->pmatch_tail == NULL && de_ctx->pmatch_tail->ctx == NULL: "); goto end; } - ud = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + ud = (DetectContentData *)s->sm_lists_tail[g_http_uri_buffer_id]->ctx; result = (strncmp("boo", (char *)ud->content, ud->content_len) == 0); end: @@ -1855,9 +1856,34 @@ int DetectUriContentParseTest24(void) return result; } +static int DetectUricontentIsdataatParseTest(void) +{ + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + FAIL_IF_NULL(de_ctx); + de_ctx->flags |= DE_QUIET; + + Signature *s = DetectEngineAppendSig(de_ctx, + "alert tcp any any -> any any (" + "uricontent:\"one\"; " + "isdataat:!4,relative; sid:1;)"); + FAIL_IF_NULL(s); + + SigMatch *sm = s->init_data->smlists_tail[g_http_uri_buffer_id]; + FAIL_IF_NULL(sm); + FAIL_IF_NOT(sm->type == DETECT_ISDATAAT); + + DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx; + FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE); + FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED); + FAIL_IF(data->flags & ISDATAAT_RAWBYTES); + + DetectEngineCtxFree(de_ctx); + PASS; +} + #endif /* UNITTESTS */ -void HttpUriRegisterTests(void) +static void DetectUricontentRegisterTests(void) { #ifdef UNITTESTS UtRegisterTest("HTTPUriTest01", HTTPUriTest01); @@ -1890,5 +1916,8 @@ void HttpUriRegisterTests(void) UtRegisterTest("DetectUriContentParseTest22", DetectUriContentParseTest22); UtRegisterTest("DetectUriContentParseTest23", DetectUriContentParseTest23); UtRegisterTest("DetectUriContentParseTest24", DetectUriContentParseTest24); + + UtRegisterTest("DetectUricontentIsdataatParseTest", + DetectUricontentIsdataatParseTest); #endif /* UNITTESTS */ } diff --git a/src/detect-urilen.c b/src/detect-urilen.c index 860bb92917..c853efc315 100644 --- a/src/detect-urilen.c +++ b/src/detect-urilen.c @@ -32,6 +32,7 @@ #include "detect.h" #include "detect-parse.h" +#include "detect-engine.h" #include "detect-engine-state.h" #include "detect-urilen.h" @@ -53,6 +54,8 @@ static int DetectUrilenSetup (DetectEngineCtx *, Signature *, char *); void DetectUrilenFree (void *); void DetectUrilenRegisterTests (void); +static int g_http_uri_buffer_id = 0; + /** * \brief Registration function for urilen: keyword */ @@ -70,6 +73,8 @@ void DetectUrilenRegister(void) sigmatch_table[DETECT_AL_URILEN].flags |= SIGMATCH_PAYLOAD; DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); + + g_http_uri_buffer_id = DetectBufferTypeRegister("http_uri"); } /** @@ -260,7 +265,7 @@ static int DetectUrilenSetup (DetectEngineCtx *de_ctx, Signature *s, char *urile if (urilend->raw_buffer) SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRUDMATCH); else - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_UMATCH); + SigMatchAppendSMToList(s, sm, g_http_uri_buffer_id); /* Flagged the signature as to inspect the app layer data */ s->flags |= SIG_FLAG_APPLAYER; diff --git a/src/detect.c b/src/detect.c index 321d21af17..b4247cc4df 100644 --- a/src/detect.c +++ b/src/detect.c @@ -1912,9 +1912,6 @@ int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s) if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL) return 0; - if (s->init_data->smlists[DETECT_SM_LIST_UMATCH] != NULL) - return 0; - if (s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL) return 0; @@ -2017,9 +2014,6 @@ static int SignatureIsPDOnly(const Signature *s) if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL) return 0; - if (s->init_data->smlists[DETECT_SM_LIST_UMATCH] != NULL) - return 0; - if (s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL) return 0; @@ -2149,7 +2143,6 @@ static int SignatureIsDEOnly(DetectEngineCtx *de_ctx, const Signature *s) } if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL || - s->init_data->smlists[DETECT_SM_LIST_UMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL || @@ -2313,11 +2306,6 @@ static int SignatureCreateMask(Signature *s) SCLogDebug("sig requires dce state"); } - if (s->init_data->smlists[DETECT_SM_LIST_UMATCH] != NULL) { - s->mask |= SIG_MASK_REQUIRE_HTTP_STATE; - SCLogDebug("sig requires http state"); - } - if (s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL) { s->mask |= SIG_MASK_REQUIRE_HTTP_STATE; SCLogDebug("sig requires http app state"); diff --git a/src/detect.h b/src/detect.h index 976d75b20d..bb51b6345a 100644 --- a/src/detect.h +++ b/src/detect.h @@ -115,10 +115,8 @@ enum DetectSigmatchListEnum { DETECT_SM_LIST_BUILTIN_MAX, - /* list for http_uri keyword and the ones relative to it */ - DETECT_SM_LIST_UMATCH = DETECT_SM_LIST_BUILTIN_MAX, /* list for http_raw_uri keyword and the ones relative to it */ - DETECT_SM_LIST_HRUDMATCH, + DETECT_SM_LIST_HRUDMATCH = DETECT_SM_LIST_BUILTIN_MAX, /* list for http_client_body keyword and the ones relative to it */ DETECT_SM_LIST_HCBDMATCH, /* list for http_header keyword and the ones relative to it */