From: Victor Julien Date: Thu, 8 Dec 2016 10:40:08 +0000 (+0100) Subject: http_cookie: dynamic buffer X-Git-Tag: suricata-4.0.0-beta1~390 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=67b7d9734e1c17eecaebd71ca3efc6b262bd1b95;p=thirdparty%2Fsuricata.git http_cookie: dynamic buffer --- diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c index af9b049c9a..5f1320589e 100644 --- a/src/detect-engine-analyzer.c +++ b/src/detect-engine-analyzer.c @@ -118,8 +118,6 @@ void EngineAnalysisFP(Signature *s, char *line) fprintf(fp_engine_analysis_FD, "http header content\n"); else if (list_type == DETECT_SM_LIST_HRHDMATCH) fprintf(fp_engine_analysis_FD, "http raw header content\n"); - else if (list_type == DETECT_SM_LIST_HCDMATCH) - fprintf(fp_engine_analysis_FD, "http cookie content\n"); else if (list_type == DETECT_SM_LIST_HCBDMATCH) fprintf(fp_engine_analysis_FD, "http client body content\n"); else if (list_type == DETECT_SM_LIST_HSCDMATCH) @@ -466,8 +464,6 @@ static void EngineAnalysisRulesPrintFP(const Signature *s) fprintf(rule_engine_analysis_FD, "http header content"); else if (list_type == DETECT_SM_LIST_HRHDMATCH) fprintf(rule_engine_analysis_FD, "http raw header content"); - else if (list_type == DETECT_SM_LIST_HCDMATCH) - fprintf(rule_engine_analysis_FD, "http cookie content"); else if (list_type == DETECT_SM_LIST_HCBDMATCH) fprintf(rule_engine_analysis_FD, "http client body content"); else if (list_type == DETECT_SM_LIST_HSCDMATCH) @@ -577,6 +573,7 @@ void EngineAnalysisRules(const Signature *s, const char *line) const int httpmethod_id = DetectBufferTypeGetByName("http_method"); const int httpuri_id = DetectBufferTypeGetByName("http_uri"); const int httpuseragent_id = DetectBufferTypeGetByName("http_user_agent"); + const int httpcookie_id = DetectBufferTypeGetByName("http_cookie"); if (s->init_data->init_flags & SIG_FLAG_INIT_BIDIREC) { rule_bidirectional = 1; 
@@ -615,7 +612,7 @@ void EngineAnalysisRules(const Signature *s, const char *line) norm_http_buf += 1; http_header_buf += 1; } - else if (list_id == DETECT_SM_LIST_HCDMATCH) { + else if (list_id == httpcookie_id) { rule_pcre_http += 1; norm_http_buf += 1; http_cookie_buf += 1; @@ -663,7 +660,7 @@ void EngineAnalysisRules(const Signature *s, const char *line) if (list_id == httpuri_id || list_id == DETECT_SM_LIST_HHDMATCH - || list_id == DETECT_SM_LIST_HCDMATCH) { + || list_id == httpcookie_id) { rule_content_http += 1; norm_http_buf += 1; DetectContentData *cd = (DetectContentData *)sm->ctx; @@ -677,7 +674,7 @@ void EngineAnalysisRules(const Signature *s, const char *line) else if (list_id == DETECT_SM_LIST_HHDMATCH) { http_header_buf += 1; } - else if (list_id == DETECT_SM_LIST_HCDMATCH) { + else if (list_id == httpcookie_id) { http_cookie_buf += 1; } } diff --git a/src/detect-engine.c b/src/detect-engine.c index 113ad1f692..76fe02137d 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -2814,8 +2814,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type) return "http host"; case DETECT_SM_LIST_HRHHDMATCH: return "http raw host header"; - case DETECT_SM_LIST_HCDMATCH: - return "http cookie"; case DETECT_SM_LIST_APP_EVENT: return "app layer events"; diff --git a/src/detect-fast-pattern.c b/src/detect-fast-pattern.c index 42589e13b3..2d8e701b3b 100644 --- a/src/detect-fast-pattern.c +++ b/src/detect-fast-pattern.c @@ -325,6 +325,7 @@ static int g_file_data_buffer_id = 0; static int g_http_method_buffer_id = 0; static int g_http_uri_buffer_id = 0; static int g_http_ua_buffer_id = 0; +static int g_http_cookie_buffer_id = 0; /** * \test Checks if a fast_pattern is registered in a Signature 
@@ -8277,7 +8278,7 @@ int DetectFastPatternTest302(void) "content:\"three\"; http_cookie; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -8315,7 +8316,7 @@ int DetectFastPatternTest303(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCDMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_cookie_buffer_id]; if (sm != NULL) { if ( ((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN) { @@ -8352,7 +8353,7 @@ int DetectFastPatternTest304(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCDMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_cookie_buffer_id]; if (sm != NULL) { if ( ((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN) { @@ -8384,7 +8385,7 @@ int DetectFastPatternTest305(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCDMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_cookie_buffer_id]; DetectContentData *ud = (DetectContentData *)sm->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && @@ -8418,7 +8419,7 @@ int DetectFastPatternTest306(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCDMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_cookie_buffer_id]; DetectContentData *ud = (DetectContentData *)sm->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && 
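Review bot: DetectFastPatternTest302 still dereferences `sm_lists_tail[g_http_cookie_buffer_id]->prev->ctx` without checking the tail or its `prev`, so a rule that leaves the http_cookie list empty or with a single entry crashes the unit-test run instead of failing the test. The slot index is now filled in at runtime by DetectFastPatternRegisterTests rather than being an enum constant, which makes an unexpectedly empty slot more plausible than before. I would fetch the tail first, `SigMatch *sm = de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]; if (sm == NULL || sm->prev == NULL) goto end;`, and cast `sm->prev->ctx` afterwards. The same applies to Test305 and Test306 (`sm->ctx` read without a check) and to the tail dereferences in Test316 through Test342; each test body continues outside its hunk.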
@@ -8648,7 +8649,7 @@ int DetectFastPatternTest316(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -8678,7 +8679,7 @@ int DetectFastPatternTest317(void) "(content:\"one\"; http_cookie; content:\"two\"; http_cookie; within:30; content:\"two\"; fast_pattern:only; http_cookie; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -8708,7 +8709,7 @@ int DetectFastPatternTest318(void) "(content:\"one\"; http_cookie; content:\"two\"; http_cookie; offset:30; content:\"two\"; fast_pattern:only; http_cookie; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && 
@@ -8738,7 +8739,7 @@ int DetectFastPatternTest319(void) "(content:\"one\"; http_cookie; content:\"two\"; http_cookie; depth:30; content:\"two\"; fast_pattern:only; http_cookie; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -8768,7 +8769,7 @@ int DetectFastPatternTest320(void) "(content:!\"one\"; fast_pattern; http_cookie; content:\"two\"; http_cookie; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -8887,7 +8888,7 @@ int DetectFastPatternTest325(void) "(content:\"one\"; http_cookie; content:\"oneonetwo\"; fast_pattern:3,4; http_cookie; content:\"three\"; http_cookie; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && 
@@ -8917,7 +8918,7 @@ int DetectFastPatternTest326(void) "(content:\"one\"; http_cookie; content:\"oneonetwo\"; fast_pattern:3,4; http_cookie; content:\"three\"; http_cookie; distance:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -8947,7 +8948,7 @@ int DetectFastPatternTest327(void) "(content:\"one\"; http_cookie; content:\"oneonetwo\"; fast_pattern:3,4; http_cookie; content:\"three\"; http_cookie; within:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -8977,7 +8978,7 @@ int DetectFastPatternTest328(void) "(content:\"one\"; http_cookie; content:\"oneonetwo\"; fast_pattern:3,4; http_cookie; content:\"three\"; http_cookie; offset:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && 
@@ -9007,7 +9008,7 @@ int DetectFastPatternTest329(void) "(content:\"one\"; http_cookie; content:\"oneonetwo\"; fast_pattern:3,4; http_cookie; content:\"three\"; http_cookie; depth:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -9037,7 +9038,7 @@ int DetectFastPatternTest330(void) "(content:\"one\"; http_cookie; content:\"two\"; http_cookie; distance:10; content:\"oneonethree\"; fast_pattern:3,4; http_cookie; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -9067,7 +9068,7 @@ int DetectFastPatternTest331(void) "(content:\"one\"; http_cookie; content:\"two\"; http_cookie; within:10; content:\"oneonethree\"; fast_pattern:3,4; http_cookie; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && 
@@ -9097,7 +9098,7 @@ int DetectFastPatternTest332(void) "(content:\"one\"; http_cookie; content:\"two\"; http_cookie; offset:10; content:\"oneonethree\"; fast_pattern:3,4; http_cookie; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -9127,7 +9128,7 @@ int DetectFastPatternTest333(void) "(content:\"one\"; http_cookie; content:\"two\"; http_cookie; depth:10; content:\"oneonethree\"; fast_pattern:3,4; http_cookie; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -9226,7 +9227,7 @@ int DetectFastPatternTest337(void) "(content:\"one\"; http_cookie; content:!\"oneonetwo\"; fast_pattern:3,4; http_cookie; content:\"three\"; http_cookie; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && 
@@ -9345,7 +9346,7 @@ int DetectFastPatternTest342(void) "(content:\"one\"; http_cookie; content:!\"oneonetwo\"; fast_pattern:3,4; http_cookie; content:\"three\"; http_cookie; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -18829,6 +18830,7 @@ void DetectFastPatternRegisterTests(void) g_http_method_buffer_id = DetectBufferTypeGetByName("http_method"); g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri"); g_http_ua_buffer_id = DetectBufferTypeGetByName("http_user_agent"); + g_http_cookie_buffer_id = DetectBufferTypeGetByName("http_cookie"); UtRegisterTest("DetectFastPatternTest01", DetectFastPatternTest01); UtRegisterTest("DetectFastPatternTest02", DetectFastPatternTest02); diff --git a/src/detect-http-cookie.c b/src/detect-http-cookie.c index 2bb0e6d460..56f38e7bf4 100644 --- a/src/detect-http-cookie.c +++ b/src/detect-http-cookie.c @@ -62,8 +62,10 @@ #include "stream-tcp.h" static int DetectHttpCookieSetup (DetectEngineCtx *, Signature *, char *); -void DetectHttpCookieRegisterTests(void); -void DetectHttpCookieFree(void *); +static void DetectHttpCookieRegisterTests(void); +static void DetectHttpCookieFree(void *); +static void DetectHttpCookieSetupCallback(Signature *s); +static int g_http_cookie_buffer_id = 0; /** * \brief Registration function for keyword: http_cookie 
@@ -82,19 +84,25 @@ void DetectHttpCookieRegister(void) sigmatch_table[DETECT_AL_HTTP_COOKIE].flags |= SIGMATCH_NOOPT; sigmatch_table[DETECT_AL_HTTP_COOKIE].flags |= SIGMATCH_PAYLOAD; - DetectMpmAppLayerRegister("http_cookie", SIG_FLAG_TOSERVER, - DETECT_SM_LIST_HCDMATCH, 2, + DetectAppLayerMpmRegister("http_cookie", SIG_FLAG_TOSERVER, 2, PrefilterTxRequestCookieRegister); - DetectMpmAppLayerRegister("http_cookie", SIG_FLAG_TOCLIENT, - DETECT_SM_LIST_HCDMATCH, 2, + DetectAppLayerMpmRegister("http_cookie", SIG_FLAG_TOCLIENT, 2, PrefilterTxResponseCookieRegister); - DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER, - DETECT_SM_LIST_HCDMATCH, + DetectAppLayerInspectEngineRegister2("http_cookie", + ALPROTO_HTTP, SIG_FLAG_TOSERVER, DetectEngineInspectHttpCookie); - DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOCLIENT, - DETECT_SM_LIST_HCDMATCH, + DetectAppLayerInspectEngineRegister2("http_cookie", + ALPROTO_HTTP, SIG_FLAG_TOCLIENT, DetectEngineInspectHttpCookie); + + DetectBufferTypeSetDescriptionByName("http_cookie", + "http cookie header"); + + DetectBufferTypeRegisterSetupCallback("http_cookie", + DetectHttpCookieSetupCallback); + + g_http_cookie_buffer_id = DetectBufferTypeGetByName("http_cookie"); } /** @@ -127,15 +135,23 @@ static int DetectHttpCookieSetup(DetectEngineCtx *de_ctx, Signature *s, char *st { return DetectEngineContentModifierBufferSetup(de_ctx, s, str, DETECT_AL_HTTP_COOKIE, - DETECT_SM_LIST_HCDMATCH, + g_http_cookie_buffer_id, ALPROTO_HTTP, NULL); } +static void DetectHttpCookieSetupCallback(Signature *s) +{ + SCLogDebug("callback invoked by %u", s->id); + s->mask |= SIG_MASK_REQUIRE_HTTP_STATE; +} + + /******************************** UNITESTS **********************************/ #ifdef UNITTESTS +#include "detect-isdataat.h" #include "stream-tcp-reassemble.h" static int g_http_uri_buffer_id = 0; 
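Review bot: `g_http_cookie_buffer_id` is stored at the end of DetectHttpCookieRegister (which starts above this hunk) without being validated, and DetectHttpCookieSetup in the next hunk passes it straight on as the list id. DetectBufferTypeGetByName is not shown on this page; if it reports an unknown name with a negative value (I believe it returns -1), a registration problem would turn into a negative list index during rule parsing. Failing fast at registration is cheap: `BUG_ON(g_http_cookie_buffer_id < 0);` right after the assignment. The fresh lookups added in DetectLuaSetup (detect-lua.c) and under pcre modifier `C` in DetectPcreParse (detect-pcre.c) use the result unchecked in the same way.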
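Review bot: DetectHttpCookieSetupCallback restores only the `SIG_MASK_REQUIRE_HTTP_STATE` bit that SignatureCreateMask used to set, while the same commit also drops the http_cookie list from SignatureIsIPOnly, SignatureIsPDOnly, SignatureIsDEOnly and SigValidate with no counterpart visible in this diff. If no generic dynamic-buffer check covers those paths, a rule whose only content match is in http_cookie could be classified differently than before, so that is worth confirming with a test. The callback also lacks the `\brief` header the file uses elsewhere; I would add `/** \brief buffer setup callback: http_cookie rules require HTTP app-layer state */` above it.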
@@ -213,7 +229,7 @@ static int DetectHttpCookieTest03(void) } result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCDMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_cookie_buffer_id]; if (sm == NULL) { printf("no sigmatch(es): "); goto end; @@ -306,9 +322,9 @@ static int DetectHttpCookieTest06(void) Signature *s = de_ctx->sig_list; - BUG_ON(s->sm_lists[DETECT_SM_LIST_HCDMATCH] == NULL); + BUG_ON(s->sm_lists[g_http_cookie_buffer_id] == NULL); - if (s->sm_lists[DETECT_SM_LIST_HCDMATCH]->type != DETECT_CONTENT) + if (s->sm_lists[g_http_cookie_buffer_id]->type != DETECT_CONTENT) goto end; if (s->sm_lists[g_http_uri_buffer_id] == NULL) { @@ -1273,6 +1289,31 @@ end: return result; } +static int DetectHttpCookieIsdataatParseTest(void) +{ + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + FAIL_IF_NULL(de_ctx); + de_ctx->flags |= DE_QUIET; + + Signature *s = DetectEngineAppendSig(de_ctx, + "alert tcp any any -> any any (" + "content:\"one\"; http_cookie; " + "isdataat:!4,relative; sid:1;)"); + FAIL_IF_NULL(s); + + SigMatch *sm = s->init_data->smlists_tail[g_http_cookie_buffer_id]; + FAIL_IF_NULL(sm); + FAIL_IF_NOT(sm->type == DETECT_ISDATAAT); + + DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx; + FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE); + FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED); + FAIL_IF(data->flags & ISDATAAT_RAWBYTES); + + DetectEngineCtxFree(de_ctx); + PASS; +} + #endif /* UNITTESTS */ /** @@ -1298,6 +1339,8 @@ void DetectHttpCookieRegisterTests (void) UtRegisterTest("DetectHttpCookieSigTest07", DetectHttpCookieSigTest07); UtRegisterTest("DetectHttpCookieSigTest08", DetectHttpCookieSigTest08); UtRegisterTest("DetectHttpCookieSigTest09", DetectHttpCookieSigTest09); + UtRegisterTest("DetectHttpCookieIsdataatParseTest", + DetectHttpCookieIsdataatParseTest); #endif /* UNITTESTS */ } diff --git a/src/detect-isdataat.c b/src/detect-isdataat.c index 5e99354713..3b9e087efb 100644 --- a/src/detect-isdataat.c +++ b/src/detect-isdataat.c 
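Review bot: DetectHttpCookieIsdataatParseTest is added without the `\test` comment used by neighbouring tests, so its intent (an `isdataat:!4,relative` following `http_cookie` content is attached to the http_cookie list) has to be read from the assertions. I would add `/** \test isdataat relative to http_cookie is stored in the http_cookie list: relative and negated, not rawbytes */` above the function. The early-exit `FAIL_IF` paths also skip `DetectEngineCtxFree(de_ctx)`; that is presumably accepted for a failing test, but the removed DetectIsdataatTestParse13 released the context on every path.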
@@ -648,50 +648,6 @@ int DetectIsdataatTestParse11(void) return result; } -int DetectIsdataatTestParse13(void) -{ - DetectEngineCtx *de_ctx = NULL; - int result = 0; - Signature *s = NULL; - DetectIsdataatData *data = NULL; - - de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto end; - - de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " - "(msg:\"Testing bytejump_body\"; " - "content:\"one\"; http_cookie; " - "isdataat:!4,relative; sid:1;)"); - if (de_ctx->sig_list == NULL) { - goto end; - } - - s = de_ctx->sig_list; - if (s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH] == NULL) { - goto end; - } - - result = 1; - - result &= (s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->type == DETECT_ISDATAAT); - data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->ctx; - if ( !(data->flags & ISDATAAT_RELATIVE) || - (data->flags & ISDATAAT_RAWBYTES) || - !(data->flags & ISDATAAT_NEGATED) ) { - result = 0; - goto end; - } - - end: - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - - return result; -} - /** * \test dns_query with isdataat relative to it */ @@ -863,7 +819,6 @@ void DetectIsdataatRegisterTests(void) UtRegisterTest("DetectIsdataatTestParse09", DetectIsdataatTestParse09); UtRegisterTest("DetectIsdataatTestParse10", DetectIsdataatTestParse10); UtRegisterTest("DetectIsdataatTestParse11", DetectIsdataatTestParse11); - UtRegisterTest("DetectIsdataatTestParse13", DetectIsdataatTestParse13); UtRegisterTest("DetectIsdataatTestParse16", DetectIsdataatTestParse16); UtRegisterTest("DetectIsdataatTestPacket01", DetectIsdataatTestPacket01); diff --git a/src/detect-lua.c b/src/detect-lua.c index 886dfd7f61..e349d66f6e 100644 --- a/src/detect-lua.c +++ b/src/detect-lua.c 
@@ -1001,17 +1001,18 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, char *str) SigMatchAppendSMToList(s, sm, list); } else if (lua->flags & DATATYPE_HTTP_URI_RAW) SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRUDMATCH); - else if (lua->flags & DATATYPE_HTTP_REQUEST_COOKIE) - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HCDMATCH); - else if (lua->flags & DATATYPE_HTTP_REQUEST_UA) { + else if (lua->flags & DATATYPE_HTTP_REQUEST_COOKIE || + lua->flags & DATATYPE_HTTP_RESPONSE_COOKIE) + { + int list = DetectBufferTypeGetByName("http_cookie"); + SigMatchAppendSMToList(s, sm, list); + } else if (lua->flags & DATATYPE_HTTP_REQUEST_UA) { int list = DetectBufferTypeGetByName("http_user_agent"); SigMatchAppendSMToList(s, sm, list); } else if (lua->flags & (DATATYPE_HTTP_REQUEST_HEADERS|DATATYPE_HTTP_RESPONSE_HEADERS)) SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HHDMATCH); else if (lua->flags & (DATATYPE_HTTP_REQUEST_HEADERS_RAW|DATATYPE_HTTP_RESPONSE_HEADERS_RAW)) SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRHDMATCH); - else if (lua->flags & DATATYPE_HTTP_RESPONSE_COOKIE) - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HCDMATCH); else { int list = DetectBufferTypeGetByName("http_request_line"); SigMatchAppendSMToList(s, sm, list); diff --git a/src/detect-parse.c b/src/detect-parse.c index 11735db18c..4dd800b124 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -149,7 +149,6 @@ const char *DetectListToHumanString(int list) CASE_CODE_STRING(DETECT_SM_LIST_HSCDMATCH, "http_stat_code"); CASE_CODE_STRING(DETECT_SM_LIST_HHHDMATCH, "http_host"); CASE_CODE_STRING(DETECT_SM_LIST_HRHHDMATCH, "http_raw_host"); - CASE_CODE_STRING(DETECT_SM_LIST_HCDMATCH, "http_cookie"); CASE_CODE_STRING(DETECT_SM_LIST_APP_EVENT, "app-layer-event"); CASE_CODE_STRING(DETECT_SM_LIST_AMATCH, "app-layer"); CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc"); 
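Review bot: Moving the `DATATYPE_HTTP_RESPONSE_COOKIE` test up into the request-cookie branch changes its precedence: it used to be evaluated after the request-UA and both header branches and is now evaluated before them. If `lua->flags` can carry more than one datatype bit (not visible in this hunk), a script that asks for response headers and the response cookie now lands in the http_cookie list instead of `DETECT_SM_LIST_HHDMATCH`. The condition would also read more like its neighbours as a single mask, `else if (lua->flags & (DATATYPE_HTTP_REQUEST_COOKIE|DATATYPE_HTTP_RESPONSE_COOKIE)) {`. DetectLuaSetup starts and ends outside the hunk.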
@@ -188,7 +187,6 @@ const char *DetectListToString(int list) CASE_CODE(DETECT_SM_LIST_HSCDMATCH); CASE_CODE(DETECT_SM_LIST_HHHDMATCH); CASE_CODE(DETECT_SM_LIST_HRHHDMATCH); - CASE_CODE(DETECT_SM_LIST_HCDMATCH); CASE_CODE(DETECT_SM_LIST_APP_EVENT); CASE_CODE(DETECT_SM_LIST_AMATCH); CASE_CODE(DETECT_SM_LIST_DMATCH); @@ -1578,7 +1576,6 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s) s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH] || s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH] || s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH] || - s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH] || s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH] || s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH]) { diff --git a/src/detect-pcre.c b/src/detect-pcre.c index 302983dc52..13164d25de 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c @@ -453,13 +453,15 @@ static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr, *sm_list = DetectPcreSetList(*sm_list, list); break; } - case 'C': /* snort's option */ + case 'C': { /* snort's option */ if (pd->flags & DETECT_PCRE_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'C' inconsistent with 'B'"); goto error; } - *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HCDMATCH); + int list = DetectBufferTypeGetByName("http_cookie"); + *sm_list = DetectPcreSetList(*sm_list, list); break; + } case 'P': /* snort's option (http request body inspection) */ *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HCBDMATCH); 
@@ -678,9 +680,7 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst parsed_sm_list == DETECT_SM_LIST_HSMDMATCH || parsed_sm_list == DETECT_SM_LIST_HSCDMATCH || parsed_sm_list == DETECT_SM_LIST_HHHDMATCH || - parsed_sm_list == DETECT_SM_LIST_HRHHDMATCH || -// parsed_sm_list == DETECT_SM_LIST_HMDMATCH || - parsed_sm_list == DETECT_SM_LIST_HCDMATCH) + parsed_sm_list == DETECT_SM_LIST_HRHHDMATCH) { if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. " @@ -717,7 +717,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst case DETECT_SM_LIST_HRHHDMATCH: case DETECT_SM_LIST_HSMDMATCH: case DETECT_SM_LIST_HSCDMATCH: - case DETECT_SM_LIST_HCDMATCH: s->flags |= SIG_FLAG_APPLAYER; s->alproto = ALPROTO_HTTP; sm_list = parsed_sm_list; diff --git a/src/detect.c b/src/detect.c index 1a53d399c4..1846fe1149 100644 --- a/src/detect.c +++ b/src/detect.c @@ -1921,9 +1921,6 @@ int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s) if (s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL) return 0; - if (s->init_data->smlists[DETECT_SM_LIST_HCDMATCH] != NULL) - return 0; - if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL) return 0; @@ -2020,9 +2017,6 @@ static int SignatureIsPDOnly(const Signature *s) if (s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL) return 0; - if (s->init_data->smlists[DETECT_SM_LIST_HCDMATCH] != NULL) - return 0; - if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL) return 0; 
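Review bot: With `DETECT_SM_LIST_HCDMATCH` removed from this condition, a pcre using the `C` modifier no longer reaches the `s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP` conflict check shown here, and the following hunk also removes its `case` from the switch that sets `SIG_FLAG_APPLAYER` and `s->alproto = ALPROTO_HTTP`. Nothing visible in the diff shows where the http_cookie id returned by DetectPcreParse gets the same treatment. If a generic dynamic-buffer path handles it, a short comment at this condition saying so would help; otherwise a `/C` pcre in a non-HTTP rule would be accepted. A parse test with a constructed rule such as `pcre:"/x/C"` pinned to another app-layer protocol would settle it; DetectPcreSetup continues outside the hunk.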
@@ -2141,7 +2135,6 @@ static int SignatureIsDEOnly(DetectEngineCtx *de_ctx, const Signature *s) s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL || - s->init_data->smlists[DETECT_SM_LIST_HCDMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL || @@ -2314,11 +2307,6 @@ static int SignatureCreateMask(Signature *s) SCLogDebug("sig requires http app state"); } - if (s->init_data->smlists[DETECT_SM_LIST_HCDMATCH] != NULL) { - s->mask |= SIG_MASK_REQUIRE_HTTP_STATE; - SCLogDebug("sig requires http app state"); - } - if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL) { s->mask |= SIG_MASK_REQUIRE_HTTP_STATE; SCLogDebug("sig requires http app state"); diff --git a/src/detect.h b/src/detect.h index e9190b539e..4683aee0f9 100644 --- a/src/detect.h +++ b/src/detect.h @@ -131,8 +131,6 @@ enum DetectSigmatchListEnum { DETECT_SM_LIST_HHHDMATCH, /* list for http_raw_host keyword and the ones relative to it */ DETECT_SM_LIST_HRHHDMATCH, - /* list for http_cookie keyword and the ones relative to it */ - DETECT_SM_LIST_HCDMATCH, /* app event engine sm list */ DETECT_SM_LIST_APP_EVENT,