From: Tom Peters (thopeter) Date: Fri, 20 May 2022 01:09:52 +0000 (+0000) Subject: Pull request #3411: http_inspect: added field for raw_body X-Git-Tag: 3.1.31.0~17 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b7b36014624cb2a95d1fd55478654da0c7eee8f1;p=thirdparty%2Fsnort3.git Pull request #3411: http_inspect: added field for raw_body Merge in SNORT/snort3 from ~ADMAMOLE/snort3:new_field_for_raw_body_w_depth to master Squashed commit of the following: commit ecfe918412a0ac3914b649f5f4eb8d8d57d88a62 Author: Adrian Mamolea Date: Wed May 4 15:59:54 2022 -0400 http_inspect: added field for raw_body
---
diff --git a/src/service_inspectors/http_inspect/http_msg_body.cc b/src/service_inspectors/http_inspect/http_msg_body.cc
index c45690bce..b3fb14de1 100644
--- a/src/service_inspectors/http_inspect/http_msg_body.cc
+++ b/src/service_inspectors/http_inspect/http_msg_body.cc
@@ -111,6 +111,15 @@ void HttpMsgBody::clean_partial(uint32_t& partial_inspected_octets, uint32_t& pa
 void HttpMsgBody::analyze()
 {
+ const int32_t raw_body_length =
+ (msg_text.length() <= session_data->detect_depth_remaining[source_id]) ?
+ msg_text.length() : session_data->detect_depth_remaining[source_id];
+
+ if (raw_body_length > 0)
+ raw_body.set(raw_body_length, msg_text.start());
+ else
+ raw_body.set(STAT_NO_SOURCE);
+
 uint32_t& partial_inspected_octets = session_data->partial_inspected_octets[source_id];
 // When there have been partial inspections we focus on the part of the message we have not
diff --git a/src/service_inspectors/http_inspect/http_msg_body.h b/src/service_inspectors/http_inspect/http_msg_body.h
index 96b871ee3..4241cdb82 100644
--- a/src/service_inspectors/http_inspect/http_msg_body.h
+++ b/src/service_inspectors/http_inspect/http_msg_body.h
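Review bot: In `HttpMsgBody::analyze()` (http_msg_body.cc) the new block has no comment saying that `raw_body` is a depth-capped view of `msg_text`, which matters because it is set to `STAT_NO_SOURCE` once `detect_depth_remaining[source_id]` is not positive, so rules that use the raw body buffer see nothing past the configured depth. I would add `// raw_body points into msg_text (not a copy) and is limited to the remaining detect depth; STAT_NO_SOURCE once the depth is exhausted` above the declaration, assuming `Field::set(length, start)` does not copy, which this hunk does not show. The type of `detect_depth_remaining` is also not visible here; if it is wider than `int32_t`, the ternary narrows implicitly and a `static_cast<int32_t>` on the result would make the intent explicit. `analyze()` continues past the end of the hunk, so whether the depth counter is decremented later in the same call cannot be checked from here.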
@@ -38,6 +38,7 @@ public:
 bool detection_required() const override { return (detect_data.length() > 0); }
 HttpMsgBody* get_body() override { return this; }
 const Field& get_classic_client_body();
+ const Field& get_raw_body() { return raw_body; }
 const Field& get_decomp_vba_data();
 const Field& get_norm_js_data();
 const Field& get_detect_data() { return detect_data; }
@@ -77,6 +78,7 @@ private:
 // In order of generation
 Field msg_text_new;
 Field decoded_body;
+ Field raw_body; // request_depth or response_depth applied
 Field decompressed_file_body;
 Field cumulative_data;
 Field js_norm_body;
diff --git a/src/service_inspectors/http_inspect/http_msg_section.cc b/src/service_inspectors/http_inspect/http_msg_section.cc
index 6f8c9f7b5..3522fd3d2 100644
--- a/src/service_inspectors/http_inspect/http_msg_section.cc
+++ b/src/service_inspectors/http_inspect/http_msg_section.cc
@@ -193,7 +193,7 @@ const Field& HttpMsgSection::get_classic_buffer(const HttpBufferInfo& buf)
 }
 case HTTP_BUFFER_RAW_BODY:
 {
- return (get_body() != nullptr) ? get_body()->msg_text : Field::FIELD_NULL;
+ return (get_body() != nullptr) ? get_body()->get_raw_body() : Field::FIELD_NULL;
 }
 case HTTP_BUFFER_RAW_HEADER:
 case HTTP_BUFFER_RAW_TRAILER:
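Review bot: In the `HTTP_BUFFER_RAW_BODY` case of `HttpMsgSection::get_classic_buffer()` (http_msg_section.cc) the returned field now depends on `HttpMsgBody::analyze()` having already filled `raw_body`, whereas `msg_text` was available as soon as the section existed. If any caller can reach this case before `analyze()` runs, it would get whatever a default-constructed `Field` holds instead of the body; the call order is not visible in this hunk, so that should be confirmed or covered by a test. A short comment on the case would help maintainers and rule writers, for example `// depth-limited raw body; see HttpMsgBody::analyze()`. A regression test with a body longer than the configured depth, asserting that the buffer ends at the depth, would pin the new behaviour. The function starts and ends outside the hunk.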