From: Victor Julien
Date: Wed, 28 Nov 2018 09:04:54 +0000 (+0100)
Subject: detect: add http.header sticky buffer keyword
X-Git-Tag: suricata-5.0.0-beta1~254
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=85697671b89767c4ae4482453f36e0ef4cf2dfcd;p=thirdparty%2Fsuricata.git
detect: add http.header sticky buffer keyword
---
diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h
index 763e0c4beb..7acec2f211 100644
--- a/src/detect-engine-register.h
+++ b/src/detect-engine-register.h
@@ -121,6 +121,7 @@ enum {
     DETECT_AL_HTTP_CLIENT_BODY,
     DETECT_AL_HTTP_SERVER_BODY,
     DETECT_AL_HTTP_HEADER,
+    DETECT_HTTP_HEADER,
     DETECT_AL_HTTP_HEADER_NAMES,
     DETECT_AL_HTTP_HEADER_ACCEPT,
     DETECT_AL_HTTP_HEADER_ACCEPT_LANG,
diff --git a/src/detect-http-header.c b/src/detect-http-header.c
index b38f829593..9a00f64ccb 100644
--- a/src/detect-http-header.c
+++ b/src/detect-http-header.c
@@ -384,11 +384,30 @@ static int DetectHttpHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, const ch
             ALPROTO_HTTP);
 }
 
+/**
+ * \brief this function setup the http.header keyword used in the rule
+ *
+ * \param de_ctx Pointer to the Detection Engine Context
+ * \param s Pointer to the Signature to which the current keyword belongs
+ * \param str Should hold an empty string always
+ *
+ * \retval 0 On success
+ */
+static int DetectHttpHeaderSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
+{
+    if (DetectBufferSetActiveList(s, g_http_header_buffer_id) < 0)
+        return -1;
+    if (DetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)
+        return -1;
+    return 0;
+}
+
 /**
  * \brief Registers the keyword handlers for the "http_header" keyword.
  */
 void DetectHttpHeaderRegister(void)
 {
+    /* http_header content modifier */
     sigmatch_table[DETECT_AL_HTTP_HEADER].name = "http_header";
     sigmatch_table[DETECT_AL_HTTP_HEADER].desc = "content modifier to match only on the HTTP header-buffer";
     sigmatch_table[DETECT_AL_HTTP_HEADER].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-header-and-http-raw-header";
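Review bot: The header comment on DetectHttpHeaderSetupSticky documents only `\retval 0 On success`, but both guards in the body return -1, so the contract a caller sees is incomplete; add `\retval -1 On failure (buffer list could not be activated or app-layer protocol could not be set)`. The `str` parameter is described as "Should hold an empty string always" yet the function never reads it, so that line states a precondition this function does not enforce; if the parser enforces it (presumably via the SIGMATCH_NOOPT flag on the table entry set in the next hunk), the comment should say so instead. The `\brief` line also reads awkwardly; `\brief Sets up the http.header sticky buffer keyword for a rule` would match the neighbouring doc comments. DetectHttpHeaderRegister's body continues past the hunk.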
@@ -397,6 +416,16 @@ void DetectHttpHeaderRegister(void)
     sigmatch_table[DETECT_AL_HTTP_HEADER].RegisterTests = DetectHttpHeaderRegisterTests;
 #endif
     sigmatch_table[DETECT_AL_HTTP_HEADER].flags |= SIGMATCH_NOOPT ;
+    sigmatch_table[DETECT_AL_HTTP_HEADER].flags |= SIGMATCH_INFO_CONTENT_MODIFIER;
+    sigmatch_table[DETECT_AL_HTTP_HEADER].alternative = DETECT_HTTP_HEADER;
+
+    /* http.header sticky buffer */
+    sigmatch_table[DETECT_HTTP_HEADER].name = "http.header";
+    sigmatch_table[DETECT_HTTP_HEADER].desc = "sticky buffer to match on the normalized HTTP header-buffer";
+    sigmatch_table[DETECT_HTTP_HEADER].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-header";
+    sigmatch_table[DETECT_HTTP_HEADER].Setup = DetectHttpHeaderSetupSticky;
+    sigmatch_table[DETECT_HTTP_HEADER].flags |= SIGMATCH_NOOPT;
+    sigmatch_table[DETECT_HTTP_HEADER].flags |= SIGMATCH_INFO_STICKY_BUFFER;
 
     DetectAppLayerInspectEngineRegister2("http_header", ALPROTO_HTTP,
             SIG_FLAG_TOSERVER, HTP_REQUEST_HEADERS,
diff --git a/src/tests/detect-http-header.c b/src/tests/detect-http-header.c
index 2e07edc17b..9949513c9f 100644
--- a/src/tests/detect-http-header.c
+++ b/src/tests/detect-http-header.c
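Review bot: The two separate `flags |=` statements on the new DETECT_HTTP_HEADER entry can be one `sigmatch_table[DETECT_HTTP_HEADER].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;`, since the field is a bit mask, and the same applies to the NOOPT/INFO_CONTENT_MODIFIER pair on DETECT_AL_HTTP_HEADER just above it. The `.url` for the sticky buffer points at the `#http-header` anchor of http-keywords.html, but no documentation change is part of this diff, so that anchor should be confirmed to exist or the keyword's documentation link will dangle. The remainder of DetectHttpHeaderRegister, including the inspect-engine registration started here, runs past the hunk.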
@@ -66,6 +66,24 @@ static int DetectHttpHeaderParserTest01(void)
     PASS;
 }
 
+/**
+ * \test Test parser accepting valid rules and rejecting invalid rules
+ */
+static int DetectHttpHeaderParserTest02(void)
+{
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; nocase; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; endswith; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; startswith; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; startswith; endswith; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; bsize:10; sid:1;)", true));
+
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; rawbytes; sid:1;)", false));
+    FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (http.header; sid:1;)", false));
+    FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (http.header; content:\"abc\"; sid:1;)", false));
+    PASS;
+}
+
 /**
  * \test Test that a signature containting a http_header is correctly parsed
  * and the keyword is registered.
@@ -5045,6 +5063,8 @@ static int DetectEngineHttpHeaderTest35(void)
 void DetectHttpHeaderRegisterTests(void)
 {
     UtRegisterTest("DetectHttpHeaderParserTest01", DetectHttpHeaderParserTest01);
+    UtRegisterTest("DetectHttpHeaderParserTest02", DetectHttpHeaderParserTest02);
+
     UtRegisterTest("DetectHttpHeaderTest01", DetectHttpHeaderTest01);
     UtRegisterTest("DetectHttpHeaderTest06", DetectHttpHeaderTest06);
     UtRegisterTest("DetectHttpHeaderTest07", DetectHttpHeaderTest07);
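Review bot: DetectHttpHeaderParserTest02 has no negative case for the keyword being given an option value, which is the one input shape neither the valid nor the invalid list exercises; add `FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header:abc; content:\"abc\"; sid:1;)", false));` beside the other false cases. Whether that is rejected depends on the parser honouring SIGMATCH_NOOPT for a keyword that carries a value, which is not visible in this diff, so the test is where a gap there would surface. A positive case with a bare `http.header;` and no content keyword would also pin whether an empty sticky buffer parses; the tcp case uses that form but is expected to fail, presumably on the protocol rather than on the buffer.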