From: Tom Peters (thopeter) Date: Fri, 27 Aug 2021 17:59:08 +0000 (+0000) Subject: Merge pull request #3037 in SNORT/snort3 from ~MDAGON/snort3:w_cookies to master X-Git-Tag: 3.1.12.0~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b4ab782b3d614c607ae55cf371c6c5804641fe32;p=thirdparty%2Fsnort3.git Merge pull request #3037 in SNORT/snort3 from ~MDAGON/snort3:w_cookies to master Squashed commit of the following: commit 67af4c4f35b7c61a53ef9ac5e5653348420cd4ab Author: Maya Dagon Date: Mon Aug 23 09:53:15 2021 -0400 http_inspect: http_raw_header includes cookies --- diff --git a/doc/user/http_inspect.txt b/doc/user/http_inspect.txt index 721f19c1c..3f08584de 100755 --- a/doc/user/http_inspect.txt +++ b/doc/user/http_inspect.txt @@ -460,7 +460,7 @@ Note: this section uses informal language to explain some things. Nothing here is intended to conflict with the technical language of the HTTP RFCs and the implementation follows the RFCs. -===== http_header, http_raw_header, and http_raw_header_complete +===== http_header and http_raw_header These cover all the header lines except the first one. You may specify an individual header by name using the field option as shown in this earlier 
@@ -477,15 +477,10 @@ upper and lower case. With http_header the individual header value is normalized in a way that is appropriate for that header. -Specifying an individual header is not available for http_raw_header_complete, use -http_raw_header instead. - -If you don't specify a header you get all of the headers. http_raw_header_complete -includes cookie headers Cookie and Set-Cookie. http_header and http_raw_header don't. -http_raw_header and http_raw_header_complete include the unmodified header names -and values as they appeared in the original message. http_header is the same except -percent encodings are removed and paths are simplified exactly as if the headers -were a URI. +If you don't specify a header you get all of the headers. http_raw_header +includes the unmodified header names and values as they appeared in the +original message. http_header is the same except percent encodings and cookies +are removed and paths are simplified exactly as if the headers were a URI. In most cases specifying individual headers creates a more efficient and accurate rule. It is recommended that new rules be written using individual diff --git a/src/service_inspectors/http_inspect/http_api.cc b/src/service_inspectors/http_inspect/http_api.cc index fc9da8be5..9cae42e56 100644 --- a/src/service_inspectors/http_inspect/http_api.cc +++ b/src/service_inspectors/http_inspect/http_api.cc @@ -57,7 +57,6 @@ const char* HttpApi::classic_buffer_names[] = "http_raw_body", "http_raw_cookie", "http_raw_header", - "http_raw_header_complete", "http_raw_request", "http_raw_status", "http_raw_trailer", @@ -107,7 +106,6 @@ extern const BaseApi* ips_http_param; extern const BaseApi* ips_http_raw_body; extern const BaseApi* ips_http_raw_cookie; extern const BaseApi* ips_http_raw_header; -extern const BaseApi* ips_http_raw_header_complete; extern const BaseApi* ips_http_raw_request; extern const BaseApi* ips_http_raw_status; extern const BaseApi* ips_http_raw_trailer; 
@@ -134,7 +132,6 @@ const BaseApi* sin_http[] = ips_http_raw_body, ips_http_raw_cookie, ips_http_raw_header, - ips_http_raw_header_complete, ips_http_raw_request, ips_http_raw_status, ips_http_raw_trailer, diff --git a/src/service_inspectors/http_inspect/http_enum.h b/src/service_inspectors/http_inspect/http_enum.h index 34a010cc8..5dd0af5c6 100755 --- a/src/service_inspectors/http_inspect/http_enum.h +++ b/src/service_inspectors/http_inspect/http_enum.h @@ -51,7 +51,7 @@ enum DetectionStatus { DET_REACTIVATING = 1, DET_ON, DET_DEACTIVATING, DET_OFF } // This enum must remain synchronized with HttpApi::classic_buffer_names[] enum HTTP_BUFFER { HTTP_BUFFER_CLIENT_BODY = 1, HTTP_BUFFER_COOKIE, HTTP_BUFFER_HEADER, HTTP_BUFFER_METHOD, HTTP_BUFFER_PARAM, HTTP_BUFFER_RAW_BODY, HTTP_BUFFER_RAW_COOKIE, - HTTP_BUFFER_RAW_HEADER, HTTP_BUFFER_RAW_HEADER_COMPLETE, HTTP_BUFFER_RAW_REQUEST, HTTP_BUFFER_RAW_STATUS, + HTTP_BUFFER_RAW_HEADER, HTTP_BUFFER_RAW_REQUEST, HTTP_BUFFER_RAW_STATUS, HTTP_BUFFER_RAW_TRAILER, HTTP_BUFFER_RAW_URI, HTTP_BUFFER_STAT_CODE, HTTP_BUFFER_STAT_MSG, HTTP_BUFFER_TRAILER, HTTP_BUFFER_TRUE_IP, HTTP_BUFFER_URI, HTTP_BUFFER_VERSION, HTTP_BUFFER_MAX }; diff --git a/src/service_inspectors/http_inspect/http_msg_head_shared.h b/src/service_inspectors/http_inspect/http_msg_head_shared.h index f27502c0a..b51bd4d96 100755 --- a/src/service_inspectors/http_inspect/http_msg_head_shared.h +++ b/src/service_inspectors/http_inspect/http_msg_head_shared.h @@ -38,7 +38,6 @@ class HttpMsgHeadShared : public HttpMsgSection public: void analyze() override; - const Field& get_classic_raw_header(); const Field& get_classic_raw_cookie(); const Field& get_classic_norm_header(); const Field& get_classic_norm_cookie(); 
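Review bot: Removing HTTP_BUFFER_RAW_HEADER_COMPLETE renumbers every enumerator after it, and the only thing keeping this enum in step with HttpApi::classic_buffer_names[] (trimmed in the same commit in http_api.cc) is the `// This enum must remain synchronized` comment. The index arithmetic `classic_buffer_names[HTTP_BUFFER_RAW_HEADER-1]` visible in http_msg_header.cc silently reads the wrong name if the two ever drift again. Unless one already exists outside these hunks, add after the array definition in http_api.cc: `static_assert(sizeof(HttpApi::classic_buffer_names) / sizeof(HttpApi::classic_buffer_names[0]) == HTTP_BUFFER_MAX - 1, "classic_buffer_names must match enum HTTP_BUFFER");`.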
@@ -87,6 +86,7 @@ private: void parse_header_lines(); void create_norm_head_list(); void derive_header_name_id(int index); + const Field& get_classic_raw_header(); Field classic_raw_header; // raw headers with cookies spliced out Field classic_norm_header; // URI normalization applied diff --git a/src/service_inspectors/http_inspect/http_msg_header.cc b/src/service_inspectors/http_inspect/http_msg_header.cc index 58100ecf0..913be484d 100755 --- a/src/service_inspectors/http_inspect/http_msg_header.cc +++ b/src/service_inspectors/http_inspect/http_msg_header.cc @@ -700,8 +700,6 @@ void HttpMsgHeader::print_section(FILE* output) HttpApi::classic_buffer_names[HTTP_BUFFER_RAW_COOKIE-1]); get_classic_buffer(HTTP_BUFFER_RAW_HEADER, 0, 0).print(output, HttpApi::classic_buffer_names[HTTP_BUFFER_RAW_HEADER-1]); - get_classic_buffer(HTTP_BUFFER_RAW_HEADER_COMPLETE, 0, 0).print(output, - HttpApi::classic_buffer_names[HTTP_BUFFER_RAW_HEADER_COMPLETE-1]); HttpMsgSection::print_section_wrapup(output); } #endif diff --git a/src/service_inspectors/http_inspect/http_msg_section.cc b/src/service_inspectors/http_inspect/http_msg_section.cc index 1c7ae7741..0f6922f80 100644 --- a/src/service_inspectors/http_inspect/http_msg_section.cc +++ b/src/service_inspectors/http_inspect/http_msg_section.cc @@ -323,14 +323,9 @@ const Field& HttpMsgSection::get_classic_buffer(Cursor& c, const HttpBufferInfo& if (head == nullptr) return Field::FIELD_NULL; if (buf.sub_id == 0) - return head->get_classic_raw_header(); + return head->msg_text; return head->get_all_header_values_raw((HeaderId)buf.sub_id); } - case HTTP_BUFFER_RAW_HEADER_COMPLETE: - { - return (header[buffer_side] != nullptr) ? header[buffer_side]->msg_text : - Field::FIELD_NULL; - } case HTTP_BUFFER_RAW_REQUEST: { return (request != nullptr) ? request->msg_text : Field::FIELD_NULL; diff --git a/src/service_inspectors/http_inspect/ips_http.cc b/src/service_inspectors/http_inspect/ips_http.cc index 06ece90b8..9f54962cb 100644 
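Review bot: `return head->msg_text;` for sub_id == 0 now hands rules the entire unmodified header block, Cookie and Set-Cookie lines included, which is the intended behaviour change of this commit but is the opposite of what the nearby `classic_raw_header // raw headers with cookies spliced out` field suggests; a reader of this switch cannot tell that from the code. Add a line comment at the new return, e.g. `// whole raw header block, cookies included; http_header strips them (see http_inspect.txt)`. Because this changes what existing http_raw_header rules match against (a rule combining http_raw_header with http_raw_cookie may now see the cookie bytes in both buffers, and a negated content on http_raw_header may now fail), it deserves a ChangeLog/release-note entry, and none is part of the diff shown. get_classic_buffer begins and ends outside this hunk.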
--- a/src/service_inspectors/http_inspect/ips_http.cc
+++ b/src/service_inspectors/http_inspect/ips_http.cc
@@ -61,7 +61,6 @@ bool HttpCursorModule::begin(const char*, int, SnortConfig*)
 case HTTP_BUFFER_PARAM:
 case HTTP_BUFFER_RAW_COOKIE:
 case HTTP_BUFFER_RAW_HEADER:
- case HTTP_BUFFER_RAW_HEADER_COMPLETE:
 case HTTP_BUFFER_RAW_REQUEST:
 case HTTP_BUFFER_RAW_URI:
 case HTTP_BUFFER_TRUE_IP:
@@ -667,59 +666,6 @@ static const IpsApi raw_header_api = nullptr }; -//------------------------------------------------------------------------- -// http_raw_header_complete -//------------------------------------------------------------------------- - -static const Parameter http_raw_header_complete_params[] = -{ - { "request", Parameter::PT_IMPLIED, nullptr, nullptr, - "match against the headers from the request message even when examining the response" }, - { "with_header", Parameter::PT_IMPLIED, nullptr, nullptr, - "this rule is limited to examining HTTP message headers" }, - { "with_body", Parameter::PT_IMPLIED, nullptr, nullptr, - "parts of this rule examine HTTP message body" }, - { "with_trailer", Parameter::PT_IMPLIED, nullptr, nullptr, - "parts of this rule examine HTTP message trailers" }, - { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } -}; - -#undef IPS_OPT -#define IPS_OPT "http_raw_header_complete" -#undef IPS_HELP -#define IPS_HELP "rule option to set the detection cursor to the unnormalized headers including cookies" - -static Module* raw_header_complete_mod_ctor() -{ - return new HttpCursorModule(IPS_OPT, IPS_HELP, HTTP_BUFFER_RAW_HEADER_COMPLETE, - CAT_SET_OTHER, PSI_RAW_HEADER_COMPLETE, http_raw_header_complete_params); -} - -static const IpsApi raw_header_complete_api = -{ - { - PT_IPS_OPTION, - sizeof(IpsApi), - IPSAPI_VERSION, - 1, - API_RESERVED, - API_OPTIONS, - IPS_OPT, - IPS_HELP, - raw_header_complete_mod_ctor, - HttpCursorModule::mod_dtor - }, - OPT_TYPE_DETECTION, - 0, PROTO_BIT__TCP, - nullptr, - nullptr, - nullptr, - nullptr, - HttpIpsOption::opt_ctor, - HttpIpsOption::opt_dtor, - nullptr -}; - //------------------------------------------------------------------------- // http_raw_request //------------------------------------------------------------------------- 
@@ -1267,7 +1213,6 @@ const BaseApi* ips_http_param = ¶m_api.base; const BaseApi* ips_http_raw_body = &raw_body_api.base; const BaseApi* ips_http_raw_cookie = &raw_cookie_api.base; const BaseApi* ips_http_raw_header = &raw_header_api.base; -const BaseApi* ips_http_raw_header_complete = &raw_header_complete_api.base; const BaseApi* ips_http_raw_request = &raw_request_api.base; const BaseApi* ips_http_raw_status = &raw_status_api.base; const BaseApi* ips_http_raw_trailer = &raw_trailer_api.base; diff --git a/src/service_inspectors/http_inspect/ips_http.h b/src/service_inspectors/http_inspect/ips_http.h index 469e849bb..25d9d60c8 100644 --- a/src/service_inspectors/http_inspect/ips_http.h +++ b/src/service_inspectors/http_inspect/ips_http.h @@ -30,8 +30,8 @@ #include "http_enum.h" enum PsIdx { PSI_CLIENT_BODY, PSI_COOKIE, PSI_HEADER, PSI_METHOD, PSI_PARAM, - PSI_RAW_BODY, PSI_RAW_COOKIE, PSI_RAW_HEADER, PSI_RAW_HEADER_COMPLETE, PSI_RAW_REQUEST, - PSI_RAW_STATUS, PSI_RAW_TRAILER, PSI_RAW_URI, PSI_STAT_CODE, PSI_STAT_MSG, PSI_TRAILER, + PSI_RAW_BODY, PSI_RAW_COOKIE, PSI_RAW_HEADER, PSI_RAW_REQUEST, PSI_RAW_STATUS, + PSI_RAW_TRAILER, PSI_RAW_URI, PSI_STAT_CODE, PSI_STAT_MSG, PSI_TRAILER, PSI_TRUE_IP, PSI_URI, PSI_VERSION, PSI_MAX }; class HttpCursorModule : public snort::Module