From: Jeff Lucovsky Date: Wed, 27 Feb 2019 23:53:10 +0000 (-0500) Subject: detect: implement http {location,server} sticky buffer X-Git-Tag: suricata-5.0.0-beta1~113 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=81c1af0887bd400dd44398381b8804a8d82eb52c;p=thirdparty%2Fsuricata.git detect: implement http {location,server} sticky buffer This implements inspection of the Server and Location buffer as a content sticky buffer.
---
diff --git a/src/Makefile.am b/src/Makefile.am
index 28eb33f445..85486cf1fa 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -179,12 +179,14 @@ detect-http-headers.c detect-http-headers.h detect-http-headers-stub.h \
 detect-http-header-common.c detect-http-header-common.h \
 detect-http-header-names.c detect-http-header-names.h \
 detect-http-hh.c detect-http-hh.h \
+detect-http-location.c detect-http-location.h \
 detect-http-method.c detect-http-method.h \
 detect-http-protocol.c detect-http-protocol.h \
 detect-http-raw-header.c detect-http-raw-header.h \
 detect-http-referer.c detect-http-referer.h \
 detect-http-request-line.c detect-http-request-line.h \
 detect-http-response-line.c detect-http-response-line.h \
+detect-http-server.c detect-http-server.h \
 detect-http-server-body.c detect-http-server-body.h \
 detect-http-start.c detect-http-start.h \
 detect-http-stat-code.c detect-http-stat-code.h \
diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h
index 89d44bee6a..b788d52ae3 100644
--- a/src/detect-engine-register.h
+++ b/src/detect-engine-register.h
@@ -131,6 +131,8 @@ enum {
 DETECT_AL_HTTP_HEADER_CONNECTION,
 DETECT_AL_HTTP_HEADER_CONTENT_LEN,
 DETECT_AL_HTTP_HEADER_CONTENT_TYPE,
+ DETECT_AL_HTTP_HEADER_LOCATION,
+ DETECT_AL_HTTP_HEADER_SERVER,
 DETECT_AL_HTTP_HEADER_REFERER,
 DETECT_AL_HTTP_RAW_HEADER,
 DETECT_HTTP_RAW_HEADER,
diff --git a/src/detect-http-headers.c b/src/detect-http-headers.c
index 8bcef4b5bf..f9e8580606 100644
--- a/src/detect-http-headers.c
+++ b/src/detect-http-headers.c
@@ -21,6 +21,8 @@ #include "detect-http-connection.h" #include "detect-http-content-len.h" #include "detect-http-content-type.h" +#include "detect-http-location.h" +#include "detect-http-server.h" #include "detect-http-referer.h" #include "detect-http-headers.h" @@ -33,5 +35,7 @@ void DetectHttpHeadersRegister(void) RegisterHttpHeadersConnection(); RegisterHttpHeadersContentLen(); RegisterHttpHeadersContentType(); + RegisterHttpHeadersServer(); + RegisterHttpHeadersLocation(); } diff --git a/src/detect-http-location.c b/src/detect-http-location.c new file mode 100644 index 0000000000..bd4eb15dc9 --- /dev/null +++ b/src/detect-http-location.c 
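Review bot: In DetectHttpHeadersRegister() the new calls are added as `RegisterHttpHeadersServer();` followed by `RegisterHttpHeadersLocation();`, while the include list in the first hunk of this file and the enum in src/detect-engine-register.h both put Location before Server. Nothing visible here shows that registration order changes behaviour, but using one order everywhere (`RegisterHttpHeadersLocation();` then `RegisterHttpHeadersServer();`) makes it easier to confirm at a glance that every declared keyword ID is also registered. The function body starts outside the hunk.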
@@ -0,0 +1,50 @@
+/* Copyright (C) 2007-2019 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \ingroup httplayer
+ *
+ * @{
+ */
+
+
+/**
+ * \file
+ *
+ * \author Jeff Lucovsky
+ *
+ * Implements http.location sticky buffer
+ *
+ * "Location" is an HTTP response-header field used to redirect the recipient to
+ * a location other than the Request-URI for request completion.
+ */
+
+#define KEYWORD_NAME "http.location"
+#define KEYWORD_DOC "http-keywords.html#http-location"
+#define BUFFER_NAME "http.location"
+#define BUFFER_DESC "http location header"
+#define HEADER_NAME "Location"
+#define KEYWORD_ID DETECT_AL_HTTP_HEADER_LOCATION
+#define KEYWORD_TOCLIENT 1
+
+#include "detect-http-headers-stub.h"
+#include "detect-http-location.h"
+
+void RegisterHttpHeadersLocation(void)
+{
+ DetectHttpHeadersRegisterStub();
+}
diff --git a/src/detect-http-location.h b/src/detect-http-location.h
new file mode 100644
index 0000000000..de55a705c8
--- /dev/null
+++ b/src/detect-http-location.h
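Review bot: The Doxygen group opened by `\ingroup httplayer` and `@{` near the top of src/detect-http-location.c is never closed; the whole 50-line file is in this hunk and it contains no `@}`. Unless detect-http-headers-stub.h closes the group (not visible here), add `/** @} */` after the closing brace of RegisterHttpHeadersLocation() so later definitions are not pulled into the group by accident. src/detect-http-server.c has the same unclosed group and needs the same line after RegisterHttpHeadersServer().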
@@ -0,0 +1,23 @@
+/* Copyright (C) 2007-2019 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#ifndef __DETECT_HTTP_LOCATION_H__
+#define __DETECT_HTTP_LOCATION_H__
+
+void RegisterHttpHeadersLocation(void);
+
+#endif /* __DETECT_HTTP_LOCATION_H__ */
diff --git a/src/detect-http-server.c b/src/detect-http-server.c
new file mode 100644
index 0000000000..d0d598419a
--- /dev/null
+++ b/src/detect-http-server.c
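Review bot: The include guard `__DETECT_HTTP_LOCATION_H__` in src/detect-http-location.h uses a double-underscore identifier, which C reserves for the implementation. If the tree's conventions allow it, a non-reserved guard such as `#ifndef DETECT_HTTP_LOCATION_H` / `#define DETECT_HTTP_LOCATION_H` avoids any clash with compiler or libc macros. The same applies to `__DETECT_HTTP_SERVER_H__` in src/detect-http-server.h.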
@@ -0,0 +1,50 @@
+/* Copyright (C) 2007-2019 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \ingroup httplayer
+ *
+ * @{
+ */
+
+
+/**
+ * \file
+ *
+ * \author Jeff Lucovsky
+ *
+ * Implements http.server sticky buffer
+ *
+ * "Server" is an HTTP response-header field containing information about the software
+ * used by the origin server to handle the request.
+ */
+
+#define KEYWORD_NAME "http.server"
+#define KEYWORD_DOC "http-keywords.html#http-server"
+#define BUFFER_NAME "http.server"
+#define BUFFER_DESC "http server header"
+#define HEADER_NAME "Server"
+#define KEYWORD_ID DETECT_AL_HTTP_HEADER_SERVER
+#define KEYWORD_TOCLIENT 1
+
+#include "detect-http-headers-stub.h"
+#include "detect-http-server.h"
+
+void RegisterHttpHeadersServer(void)
+{
+ DetectHttpHeadersRegisterStub();
+}
diff --git a/src/detect-http-server.h b/src/detect-http-server.h
new file mode 100644
index 0000000000..c74137264c
--- /dev/null
+++ b/src/detect-http-server.h
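Review bot: `KEYWORD_DOC` in src/detect-http-server.c points at `http-keywords.html#http-server`, and src/detect-http-location.c at `http-keywords.html#http-location`, but no documentation file is among the files changed on this page, so those anchors may not resolve unless the docs land separately. Rule writers need that section to say what the buffer holds: both files define only `KEYWORD_TOCLIENT`, so presumably only response headers are inspected, and detect-http-headers-stub.h (not visible here) decides which value is matched when a response repeats the header. Until the docs exist, a file comment such as `/* Matches the value of the response "Server" header; repeated-header handling is defined in detect-http-headers-stub.h. */` would make the detection coverage explicit.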
@@ -0,0 +1,23 @@
+/* Copyright (C) 2007-2019 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#ifndef __DETECT_HTTP_SERVER_H__
+#define __DETECT_HTTP_SERVER_H__
+
+void RegisterHttpHeadersServer(void);
+
+#endif /* __DETECT_HTTP_SERVER_H__ */