From: Victor Julien <victor@inliniac.net>
Date: Sat, 15 Dec 2018 09:13:17 +0000 (+0100)
Subject: detect: add http.response_body sticky buffer
X-Git-Tag: suricata-5.0.0-beta1~238
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ca8471387a2b041069423ffafffc176317cebb90;p=thirdparty%2Fsuricata.git

detect: add http.response_body sticky buffer

As a mirror of the http_server_body content modifier.
---

diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h
index bf8eee114a..3fa2e4ad0c 100644
--- a/src/detect-engine-register.h
+++ b/src/detect-engine-register.h
@@ -121,6 +121,7 @@ enum {
     DETECT_AL_HTTP_CLIENT_BODY,
     DETECT_HTTP_REQUEST_BODY,
     DETECT_AL_HTTP_SERVER_BODY,
+    DETECT_HTTP_RESPONSE_BODY,
     DETECT_AL_HTTP_HEADER,
     DETECT_HTTP_HEADER,
     DETECT_AL_HTTP_HEADER_NAMES,
diff --git a/src/detect-http-server-body.c b/src/detect-http-server-body.c
index 230565c2ce..bae9a11a70 100644
--- a/src/detect-http-server-body.c
+++ b/src/detect-http-server-body.c
@@ -60,6 +60,7 @@
 #include "stream-tcp.h"
 
 static int DetectHttpServerBodySetup(DetectEngineCtx *, Signature *, const char *);
+static int DetectHttpServerBodySetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str);
 #ifdef UNITTESTS
 static void DetectHttpServerBodyRegisterTests(void);
 #endif
@@ -70,14 +71,25 @@ static int g_file_data_buffer_id = 0;
  */
 void DetectHttpServerBodyRegister(void)
 {
+    /* http_server_body content modifier */
     sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].name = "http_server_body";
-    sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].desc = "content modifier to match only on the HTTP response-body";
+    sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].desc = "content modifier to match on the HTTP response-body";
     sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-server-body";
     sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].Setup = DetectHttpServerBodySetup;
 #ifdef UNITTESTS
     sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].RegisterTests = DetectHttpServerBodyRegisterTests;
 #endif
     sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].flags |= SIGMATCH_NOOPT;
+    sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].flags |= SIGMATCH_INFO_CONTENT_MODIFIER;
+    sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].alternative = DETECT_HTTP_RESPONSE_BODY;
+
+    /* http.request_body sticky buffer */
+    sigmatch_table[DETECT_HTTP_RESPONSE_BODY].name = "http.response_body";
+    sigmatch_table[DETECT_HTTP_RESPONSE_BODY].desc = "sticky buffer to match the HTTP response body buffer";
+    sigmatch_table[DETECT_HTTP_RESPONSE_BODY].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-server-body";
+    sigmatch_table[DETECT_HTTP_RESPONSE_BODY].Setup = DetectHttpServerBodySetupSticky;
+    sigmatch_table[DETECT_HTTP_RESPONSE_BODY].flags |= SIGMATCH_NOOPT;
+    sigmatch_table[DETECT_HTTP_RESPONSE_BODY].flags |= SIGMATCH_INFO_STICKY_BUFFER;
 
     g_file_data_buffer_id = DetectBufferTypeRegister("file_data");
 }
@@ -103,6 +115,24 @@ int DetectHttpServerBodySetup(DetectEngineCtx *de_ctx, Signature *s, const char
                                                   ALPROTO_HTTP);
 }
 
+/**
+ * \brief this function setup the http.response_body keyword used in the rule
+ *
+ * \param de_ctx   Pointer to the Detection Engine Context
+ * \param s        Pointer to the Signature to which the current keyword belongs
+ * \param str      Should hold an empty string always
+ *
+ * \retval 0       On success
+ */
+static int DetectHttpServerBodySetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
+{
+    if (DetectBufferSetActiveList(s, g_file_data_buffer_id) < 0)
+        return -1;
+    if (DetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)
+        return -1;
+    return 0;
+}
+
 /************************************Unittests*********************************/
 
 #ifdef UNITTESTS
diff --git a/src/tests/detect-http-server-body.c b/src/tests/detect-http-server-body.c
index ae842edf0e..7ea6d018c2 100644
--- a/src/tests/detect-http-server-body.c
+++ b/src/tests/detect-http-server-body.c
@@ -29,6 +29,40 @@
 #include "../flow.h"
 #include "../detect.h"
 
+/**
+ * \test Test parser accepting valid rules and rejecting invalid rules
+ */
+static int DetectHttpServerBodyParserTest01(void)
+{
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; http_server_body; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; nocase; http_server_body; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; endswith; http_server_body; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; startswith; http_server_body; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; startswith; endswith; http_server_body; sid:1;)", true));
+
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; rawbytes; http_server_body; sid:1;)", false));
+    FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_client; http_server_body; sid:1;)", false));
+    FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_client; content:\"abc\"; http_server_body; sid:1;)", false));
+    PASS;
+}
+
+/**
+ * \test Test parser accepting valid rules and rejecting invalid rules
+ */
+static int DetectHttpServerBodyParserTest02(void)
+{
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; nocase; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; endswith; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; startswith; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; startswith; endswith; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; bsize:10; sid:1;)", true));
+
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; rawbytes; sid:1;)", false));
+    FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_client; http.response_body; sid:1;)", false));
+    FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_client; http.response_body; content:\"abc\"; sid:1;)", false));
+    PASS;
+}
 struct TestSteps {
     const uint8_t *input;
     size_t input_size;      /**< if 0 strlen will be used */
@@ -9059,6 +9093,9 @@ end:
 
 void DetectHttpServerBodyRegisterTests(void)
 {
+    UtRegisterTest("DetectHttpServerBodyParserTest01", DetectHttpServerBodyParserTest01);
+    UtRegisterTest("DetectHttpServerBodyParserTest02", DetectHttpServerBodyParserTest02);
+
     UtRegisterTest("DetectHttpServerBodyTest01", DetectHttpServerBodyTest01);
     UtRegisterTest("DetectHttpServerBodyTest02", DetectHttpServerBodyTest02);
     UtRegisterTest("DetectHttpServerBodyTest03", DetectHttpServerBodyTest03);