From: Victor Julien Date: Fri, 9 Dec 2016 17:29:44 +0000 (+0100) Subject: http_raw_uri: dynamic buffer X-Git-Tag: suricata-4.0.0-beta1~383 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6f867c3c737dc510d671aaae4e86057a7c72f3f1;p=thirdparty%2Fsuricata.git http_raw_uri: dynamic buffer --- diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c index ec5504d500..68de322fb5 100644 --- a/src/detect-engine-analyzer.c +++ b/src/detect-engine-analyzer.c @@ -112,8 +112,6 @@ void EngineAnalysisFP(Signature *s, char *line) int list_type = SigMatchListSMBelongsTo(s, mpm_sm); if (list_type == DETECT_SM_LIST_PMATCH) fprintf(fp_engine_analysis_FD, "content\n"); - else if (list_type == DETECT_SM_LIST_HRUDMATCH) - fprintf(fp_engine_analysis_FD, "http raw uri content\n"); else { const char *desc = DetectBufferTypeGetDescriptionById(list_type); const char *name = DetectBufferTypeGetNameById(list_type); @@ -448,8 +446,6 @@ static void EngineAnalysisRulesPrintFP(const Signature *s) fprintf(rule_engine_analysis_FD, "%s", payload ? (stream ? "payload and reassembled stream" : "payload") : "reassembled stream"); } - else if (list_type == DETECT_SM_LIST_HRUDMATCH) - fprintf(rule_engine_analysis_FD, "http raw uri content"); else if (list_type == DETECT_SM_LIST_DNSQUERYNAME_MATCH) fprintf(rule_engine_analysis_FD, "dns query name content"); else if (list_type == DETECT_SM_LIST_TLSSNI_MATCH) @@ -559,6 +555,7 @@ void EngineAnalysisRules(const Signature *s, const char *line) const int httpheader_id = DetectBufferTypeGetByName("http_header"); const int httprawheader_id = DetectBufferTypeGetByName("http_raw_header"); const int httpclientbody_id = DetectBufferTypeGetByName("http_client_body"); + const int httprawuri_id = DetectBufferTypeGetByName("http_raw_uri"); if (s->init_data->init_flags & SIG_FLAG_INIT_BIDIREC) { rule_bidirectional = 1; 
@@ -617,7 +614,7 @@ void EngineAnalysisRules(const Signature *s, const char *line) raw_http_buf += 1; http_method_buf += 1; } - else if (list_id == DETECT_SM_LIST_HRUDMATCH) { + else if (list_id == httprawuri_id) { rule_pcre_http += 1; raw_http_buf += 1; http_raw_uri_buf += 1; @@ -678,7 +675,7 @@ void EngineAnalysisRules(const Signature *s, const char *line) raw_http_buf += 1; http_raw_header_buf += 1; } - else if (list_id == DETECT_SM_LIST_HRUDMATCH) { + else if (list_id == httprawuri_id) { rule_content_http += 1; raw_http_buf += 1; http_raw_uri_buf += 1; diff --git a/src/detect-engine.c b/src/detect-engine.c index 3ffcd8cc7c..3343448802 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -2798,8 +2798,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type) case DETECT_SM_LIST_PMATCH: return "packet/stream payload"; - case DETECT_SM_LIST_HRUDMATCH: - return "http raw uri"; case DETECT_SM_LIST_APP_EVENT: return "app layer events"; diff --git a/src/detect-fast-pattern.c b/src/detect-fast-pattern.c index cc42066b0f..c2ae8166e9 100644 --- a/src/detect-fast-pattern.c +++ b/src/detect-fast-pattern.c @@ -333,6 +333,7 @@ static int g_http_stat_msg_buffer_id = 0; static int g_http_raw_header_buffer_id = 0; static int g_http_header_buffer_id = 0; static int g_http_client_body_buffer_id = 0; +static int g_http_raw_uri_buffer_id = 0; /** * \test Checks if a fast_pattern is registered in a Signature @@ -9391,7 +9392,7 @@ int DetectFastPatternTest343(void) "content:\"three\"; http_raw_uri; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && 
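Review bot: In the DetectFastPatternTest343 hunk the new line dereferences `sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx` without checking either pointer. If the rule's content lands on a different list, or the id is still at its initial 0, the unit test crashes instead of reporting a failure. A guard ahead of the cast keeps this a clean test failure: `SigMatch *tail = de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id];` followed by `if (tail == NULL || tail->prev == NULL) goto end;`. The same unchecked dereference appears in the Test346, Test347, Test357–361, Test366–374, Test378 and Test383 hunks, whereas Test344 and Test345 already test `sm != NULL`. All of these test bodies start and end outside their hunks.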
@@ -9429,7 +9430,7 @@ int DetectFastPatternTest344(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id]; if (sm != NULL) { if ( ((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN) { @@ -9466,7 +9467,7 @@ int DetectFastPatternTest345(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id]; if (sm != NULL) { if ( ((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN) { @@ -9498,7 +9499,7 @@ int DetectFastPatternTest346(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id]; DetectContentData *ud = (DetectContentData *)sm->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && @@ -9532,7 +9533,7 @@ int DetectFastPatternTest347(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id]; DetectContentData *ud = (DetectContentData *)sm->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -9773,7 +9774,7 @@ int DetectFastPatternTest357(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && 
@@ -9805,7 +9806,7 @@ int DetectFastPatternTest358(void) "content:\"two\"; fast_pattern:only; http_raw_uri; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -9837,7 +9838,7 @@ int DetectFastPatternTest359(void) "content:\"two\"; fast_pattern:only; http_raw_uri; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -9869,7 +9870,7 @@ int DetectFastPatternTest360(void) "content:\"two\"; fast_pattern:only; http_raw_uri; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && 
@@ -9900,7 +9901,7 @@ int DetectFastPatternTest361(void) "content:\"two\"; http_raw_uri; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -10025,7 +10026,7 @@ int DetectFastPatternTest366(void) "content:\"three\"; http_raw_uri; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -10057,7 +10058,7 @@ int DetectFastPatternTest367(void) "content:\"three\"; http_raw_uri; distance:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && 
@@ -10089,7 +10090,7 @@ int DetectFastPatternTest368(void) "content:\"three\"; http_raw_uri; within:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -10121,7 +10122,7 @@ int DetectFastPatternTest369(void) "content:\"three\"; http_raw_uri; offset:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -10153,7 +10154,7 @@ int DetectFastPatternTest370(void) "content:\"three\"; http_raw_uri; depth:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && 
@@ -10185,7 +10186,7 @@ int DetectFastPatternTest371(void) "content:\"oneonethree\"; fast_pattern:3,4; http_raw_uri; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -10217,7 +10218,7 @@ int DetectFastPatternTest372(void) "content:\"oneonethree\"; fast_pattern:3,4; http_raw_uri; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -10249,7 +10250,7 @@ int DetectFastPatternTest373(void) "content:\"oneonethree\"; fast_pattern:3,4; http_raw_uri; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && 
@@ -10281,7 +10282,7 @@ int DetectFastPatternTest374(void) "content:\"oneonethree\"; fast_pattern:3,4; http_raw_uri; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -10388,7 +10389,7 @@ int DetectFastPatternTest378(void) "content:\"three\"; http_raw_uri; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -10517,7 +10518,7 @@ int DetectFastPatternTest383(void) "content:\"three\"; http_raw_uri; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && 
@@ -18845,6 +18846,7 @@ void DetectFastPatternRegisterTests(void) g_http_header_buffer_id = DetectBufferTypeGetByName("http_header"); g_http_raw_header_buffer_id = DetectBufferTypeGetByName("http_raw_header"); g_http_client_body_buffer_id = DetectBufferTypeGetByName("http_client_body"); + g_http_raw_uri_buffer_id = DetectBufferTypeGetByName("http_raw_uri"); UtRegisterTest("DetectFastPatternTest01", DetectFastPatternTest01); UtRegisterTest("DetectFastPatternTest02", DetectFastPatternTest02); diff --git a/src/detect-http-raw-uri.c b/src/detect-http-raw-uri.c index 2ef9a1a72f..3079f2e878 100644 --- a/src/detect-http-raw-uri.c +++ b/src/detect-http-raw-uri.c @@ -57,6 +57,8 @@ static int DetectHttpRawUriSetup(DetectEngineCtx *, Signature *, char *); static void DetectHttpRawUriRegisterTests(void); +static void DetectHttpRawUriSetupCallback(Signature *s); +static int g_http_raw_uri_buffer_id = 0; /** * \brief Registration function for keyword http_raw_uri. @@ -74,15 +76,20 @@ void DetectHttpRawUriRegister(void) sigmatch_table[DETECT_AL_HTTP_RAW_URI].flags |= SIGMATCH_NOOPT; sigmatch_table[DETECT_AL_HTTP_RAW_URI].flags |= SIGMATCH_PAYLOAD; - DetectMpmAppLayerRegister("http_raw_uri", SIG_FLAG_TOSERVER, - DETECT_SM_LIST_HRUDMATCH, 2, + DetectAppLayerMpmRegister("http_raw_uri", SIG_FLAG_TOSERVER, 2, PrefilterTxRawUriRegister); - DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER, - DETECT_SM_LIST_HRUDMATCH, + DetectAppLayerInspectEngineRegister2("http_raw_uri", + ALPROTO_HTTP, SIG_FLAG_TOSERVER, DetectEngineInspectHttpRawUri); - return; + DetectBufferTypeSetDescriptionByName("http_raw_uri", + "raw http uri"); + + DetectBufferTypeRegisterSetupCallback("http_raw_uri", + DetectHttpRawUriSetupCallback); + + g_http_raw_uri_buffer_id = DetectBufferTypeGetByName("http_raw_uri"); } /** 
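Review bot: At the end of DetectHttpRawUriRegister the result of `DetectBufferTypeGetByName("http_raw_uri")` is stored unchecked, then passed as the list id in DetectHttpRawUriSetup and used as an array index in the unit tests. If the lookup can fail (it presumably returns a negative value for an unknown name), that id would index outside the sigmatch list arrays. Adding `BUG_ON(g_http_raw_uri_buffer_id < 0);` right after the assignment would turn this into a startup failure. The `= 0` initialiser in the declaration hunk presumably aliases a valid built-in list until registration runs, so it deserves a comment such as `/* set in DetectHttpRawUriRegister(); not valid before registration */`. The same unchecked lookup feeds `SigMatchAppendSMToList` in the detect-lua.c hunk and `DetectPcreSetList` in the 'I' case of the detect-pcre.c hunk.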
@@ -99,11 +106,16 @@ static int DetectHttpRawUriSetup(DetectEngineCtx *de_ctx, Signature *s, char *ar { return DetectEngineContentModifierBufferSetup(de_ctx, s, arg, DETECT_AL_HTTP_RAW_URI, - DETECT_SM_LIST_HRUDMATCH, + g_http_raw_uri_buffer_id, ALPROTO_HTTP, NULL); } +static void DetectHttpRawUriSetupCallback(Signature *s) +{ + SCLogDebug("callback invoked by %u", s->id); + s->mask |= SIG_MASK_REQUIRE_HTTP_STATE; +} /******************************** UNITESTS **********************************/ @@ -184,7 +196,7 @@ int DetectHttpRawUriTest03(void) goto end; } - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id]; if (sm == NULL) { printf("no sigmatch(es): "); goto end; @@ -256,19 +268,19 @@ int DetectHttpRawUriTest05(void) printf("sig failed to parse\n"); goto end; } - if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH] == NULL) + if (s->sm_lists[g_http_raw_uri_buffer_id] == NULL) goto end; - if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH]->type != DETECT_CONTENT) { + if (s->sm_lists[g_http_raw_uri_buffer_id]->type != DETECT_CONTENT) { printf("wrong type\n"); goto end; } char *str = "we are testing http_raw_uri keyword"; int uricomp = memcmp((const char *) - ((DetectContentData*)s->sm_lists[DETECT_SM_LIST_HRUDMATCH]->ctx)->content, + ((DetectContentData*)s->sm_lists[g_http_raw_uri_buffer_id]->ctx)->content, str, strlen(str) - 1); - int urilen = ((DetectContentData*)s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx)->content_len; + int urilen = ((DetectContentData*)s->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx)->content_len; if (uricomp != 0 || urilen != strlen("we are testing http_raw_uri keyword")) { printf("sig failed to parse, content not setup properly\n"); 
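Review bot: DetectHttpRawUriSetupCallback carries over only the `SIG_MASK_REQUIRE_HTTP_STATE` bit that SignatureCreateMask used to set for this list. This commit also deletes two SigValidate rejections in detect-parse.c, and neither gets a counterpart here: http_raw_uri combined with `flow:to_client`/`from_server`, and http_raw_uri combined with packet-specific keywords. Unless generic dynamic-buffer validation outside this diff covers those cases, such a rule would now load and silently never match, which is a detection gap rather than a load-time error. If the generic path does cover them, say so at the callback, e.g. `/* direction and packet-keyword conflicts are rejected by <generic check, name to be filled in> */`; otherwise the conflict needs to be rejected again before the rule loads.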
@@ -306,15 +318,15 @@ int DetectHttpRawUriTest12(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL\n"); goto end; } DetectContentData *ud1 = - (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx; + (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx; DetectContentData *ud2 = - (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx; + (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx; if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT || memcmp(ud1->content, "one", ud1->content_len) != 0 || ud2->flags != DETECT_CONTENT_DISTANCE || @@ -353,15 +365,15 @@ int DetectHttpRawUriTest13(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL\n"); goto end; } DetectContentData *ud1 = - (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx; + (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx; DetectContentData *ud2 = - (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx; + (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx; if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT || memcmp(ud1->content, "one", ud1->content_len) != 0 || ud2->flags != DETECT_CONTENT_WITHIN || 
@@ -472,15 +484,15 @@ int DetectHttpRawUriTest17(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL\n"); goto end; } DetectContentData *ud1 = - (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx; + (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx; DetectContentData *ud2 = - (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx; + (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx; if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT || memcmp(ud1->content, "one", ud1->content_len) != 0 || ud2->flags != DETECT_CONTENT_DISTANCE || @@ -520,15 +532,15 @@ int DetectHttpRawUriTest18(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL\n"); goto end; } DetectContentData *ud1 = - (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx; + (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx; DetectContentData *ud2 = - (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx; + (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx; if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT || memcmp(ud1->content, "one", ud1->content_len) != 0 || ud2->flags != DETECT_CONTENT_WITHIN || diff --git a/src/detect-lua.c b/src/detect-lua.c index 618a8f9a77..3d59b5d61b 100644 --- a/src/detect-lua.c +++ b/src/detect-lua.c 
@@ -1000,9 +1000,10 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, char *str) } else if (lua->flags & DATATYPE_HTTP_URI) { int list = DetectBufferTypeGetByName("http_uri"); SigMatchAppendSMToList(s, sm, list); - } else if (lua->flags & DATATYPE_HTTP_URI_RAW) - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRUDMATCH); - else if (lua->flags & DATATYPE_HTTP_REQUEST_COOKIE || + } else if (lua->flags & DATATYPE_HTTP_URI_RAW) { + int list = DetectBufferTypeGetByName("http_raw_uri"); + SigMatchAppendSMToList(s, sm, list); + } else if (lua->flags & DATATYPE_HTTP_REQUEST_COOKIE || lua->flags & DATATYPE_HTTP_RESPONSE_COOKIE) { int list = DetectBufferTypeGetByName("http_cookie"); diff --git a/src/detect-parse.c b/src/detect-parse.c index dbfc317b00..5b8b939379 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -141,7 +141,6 @@ const char *DetectListToHumanString(int list) switch (list) { CASE_CODE_STRING(DETECT_SM_LIST_MATCH, "packet"); CASE_CODE_STRING(DETECT_SM_LIST_PMATCH, "payload"); - CASE_CODE_STRING(DETECT_SM_LIST_HRUDMATCH, "http_raw_uri"); CASE_CODE_STRING(DETECT_SM_LIST_APP_EVENT, "app-layer-event"); CASE_CODE_STRING(DETECT_SM_LIST_AMATCH, "app-layer"); CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc"); @@ -172,7 +171,6 @@ const char *DetectListToString(int list) switch (list) { CASE_CODE(DETECT_SM_LIST_MATCH); CASE_CODE(DETECT_SM_LIST_PMATCH); - CASE_CODE(DETECT_SM_LIST_HRUDMATCH); CASE_CODE(DETECT_SM_LIST_APP_EVENT); CASE_CODE(DETECT_SM_LIST_AMATCH); CASE_CODE(DETECT_SM_LIST_DMATCH); 
@@ -1400,24 +1398,6 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s) SCReturnInt(0); } - for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH]; sm != NULL; sm = sm->next) { - if (sm->type == DETECT_FLOW) { - DetectFlowData *fd = (DetectFlowData *)sm->ctx; - if (fd == NULL) - continue; - - if (fd->flags & FLOW_PKT_TOCLIENT) { - /* check for request + from_server/to_client */ - if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use uricontent " - "/http_uri , raw_uri, http_client_body, " - "http_method, http_user_agent keywords " - "with flow:to_client or flow:from_server"); - SCReturnInt(0); - } - } - } - } #if 0 // TODO figure out why this is even necessary if ((s->init_data->smlists[DETECT_SM_LIST_FILEDATA] != NULL && s->alproto == ALPROTO_SMTP) || s->init_data->smlists[DETECT_SM_LIST_UMATCH] != NULL || @@ -1505,15 +1485,6 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s) SCReturnInt(0); } } - - if (s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH]) - { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature combines packet " - "specific matches (like dsize, flags, ttl) with stream / " - "state matching by matching on app layer proto (like using " - "http_* keywords)."); - SCReturnInt(0); - } } for (sm = s->init_data->smlists[DETECT_SM_LIST_AMATCH]; sm != NULL; sm = sm->next) { diff --git a/src/detect-pcre.c b/src/detect-pcre.c index c57edd7cb7..29106304cc 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c 
@@ -441,13 +441,15 @@ static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr, int list = DetectBufferTypeGetByName("http_header"); *sm_list = DetectPcreSetList(*sm_list, list); break; - } case 'I': /* snort's option */ + } case 'I': { /* snort's option */ if (pd->flags & DETECT_PCRE_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'I' inconsistent with 'B'"); goto error; } - *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HRUDMATCH); + int list = DetectBufferTypeGetByName("http_raw_uri"); + *sm_list = DetectPcreSetList(*sm_list, list); break; + } case 'D': { /* snort's option */ int list = DetectBufferTypeGetByName("http_raw_header"); *sm_list = DetectPcreSetList(*sm_list, list); @@ -688,34 +690,12 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst if (DetectPcreParseCapture(regexstr, de_ctx, pd) < 0) goto error; - if (parsed_sm_list == DETECT_SM_LIST_HRUDMATCH) - { - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. " - "Conflicting alprotos detected for this rule. Http " - "pcre modifier found along with a different protocol " - "for the rule."); - goto error; - } - if (s->init_data->list != DETECT_SM_LIST_NOTSET) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "pcre found with http " - "modifier set, with file_data/dce_stub_data sticky " - "option set."); - goto error; - } - } - int sm_list = -1; if (s->init_data->list != DETECT_SM_LIST_NOTSET) { s->flags |= SIG_FLAG_APPLAYER; sm_list = s->init_data->list; } else { switch(parsed_sm_list) { - case DETECT_SM_LIST_HRUDMATCH: - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - sm_list = parsed_sm_list; - break; case DETECT_SM_LIST_NOTSET: sm_list = DETECT_SM_LIST_PMATCH; break; diff --git a/src/detect-urilen.c b/src/detect-urilen.c index c853efc315..02e29395ba 100644 --- a/src/detect-urilen.c +++ b/src/detect-urilen.c 
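Review bot: The 'I' case in DetectPcreParse now yields a dynamic list id, and the following hunk removes everything DetectPcreSetup did specifically for the raw-URI list. That covers the conflicting-alproto rejection, the sticky-buffer rejection, and setting `SIG_FLAG_APPLAYER` and `s->alproto = ALPROTO_HTTP`. The remaining switch is cut off by the hunk, so it is not visible whether another branch applies the same handling to dynamic ids. If none does, a pcre with the `I` modifier in a non-HTTP rule could be accepted and then never inspected against the intended buffer. Worth confirming, and if it is covered, recording it at the case with a comment such as `/* alproto and sticky-buffer conflicts for dynamic lists are handled in DetectPcreSetup */`.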
@@ -55,6 +55,7 @@ void DetectUrilenFree (void *); void DetectUrilenRegisterTests (void); static int g_http_uri_buffer_id = 0; +static int g_http_raw_uri_buffer_id = 0; /** * \brief Registration function for urilen: keyword @@ -75,6 +76,7 @@ void DetectUrilenRegister(void) DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); g_http_uri_buffer_id = DetectBufferTypeRegister("http_uri"); + g_http_raw_uri_buffer_id = DetectBufferTypeRegister("http_raw_uri"); } /** @@ -263,7 +265,7 @@ static int DetectUrilenSetup (DetectEngineCtx *de_ctx, Signature *s, char *urile sm->ctx = (void *)urilend; if (urilend->raw_buffer) - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRUDMATCH); + SigMatchAppendSMToList(s, sm, g_http_raw_uri_buffer_id); else SigMatchAppendSMToList(s, sm, g_http_uri_buffer_id); diff --git a/src/detect.c b/src/detect.c index 4e7c019fc9..9f755bf090 100644 --- a/src/detect.c +++ b/src/detect.c @@ -1912,9 +1912,6 @@ int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s) if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL) return 0; - if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL) - return 0; - if (s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL) return 0; @@ -1987,9 +1984,6 @@ static int SignatureIsPDOnly(const Signature *s) if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL) return 0; - if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL) - return 0; - if (s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL) return 0; @@ -2088,9 +2082,8 @@ static int SignatureIsDEOnly(DetectEngineCtx *de_ctx, const Signature *s) SCReturnInt(0); } - if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL || - s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL || - s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL) + if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL || + s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL) { SCReturnInt(0); } 
@@ -2243,11 +2236,6 @@ static int SignatureCreateMask(Signature *s) SCLogDebug("sig requires dce state"); } - if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL) { - s->mask |= SIG_MASK_REQUIRE_HTTP_STATE; - SCLogDebug("sig requires http app state"); - } - SigMatch *sm; for (sm = s->init_data->smlists[DETECT_SM_LIST_AMATCH] ; sm != NULL; sm = sm->next) { switch(sm->type) { diff --git a/src/detect.h b/src/detect.h index 5e6d1eb939..290c7d37ea 100644 --- a/src/detect.h +++ b/src/detect.h @@ -115,10 +115,8 @@ enum DetectSigmatchListEnum { DETECT_SM_LIST_BUILTIN_MAX, - /* list for http_raw_uri keyword and the ones relative to it */ - DETECT_SM_LIST_HRUDMATCH = DETECT_SM_LIST_BUILTIN_MAX, /* app event engine sm list */ - DETECT_SM_LIST_APP_EVENT, + DETECT_SM_LIST_APP_EVENT = DETECT_SM_LIST_BUILTIN_MAX, DETECT_SM_LIST_FILEMATCH,