From: Steven Baigal (sbaigal) Date: Tue, 23 May 2023 15:23:59 +0000 (+0000) Subject: Pull request #3852: http_inspect: rebuild start line X-Git-Tag: 3.1.63.0~7 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e774977340b0ecc9b0d3ad18484dc2e77e6fc416;p=thirdparty%2Fsnort3.git Pull request #3852: http_inspect: rebuild start line Merge in SNORT/snort3 from ~ADMAMOLE/snort3:fix_pkt_event to master Squashed commit of the following: commit b0461bdcef28d7c669ef1bd38ce11bd5d706f2db Author: Adrian Mamolea Date: Fri May 5 09:17:25 2023 -0400 http_inspect: rebuild start line
---
diff --git a/src/detection/detect.cc b/src/detection/detect.cc
index 686e93e88..a655cd472 100644
--- a/src/detection/detect.cc
+++ b/src/detection/detect.cc
@@ -89,8 +89,31 @@ void CallLogFuncs(Packet* p, const OptTreeNode* otn, ListHead* head)
 DetectionEngine::set_check_tags(false);
 pc.log_pkts++;
+ const uint8_t* data = nullptr;
+ uint16_t dsize = 0;
+
+ if (p->flow && p->flow->gadget)
+ data = p->flow->gadget->adjust_log_packet(p, dsize);
+
+ uint16_t old_dsize = 0;
+ const uint8_t* old_data = nullptr;
+ if (data)
+ {
+ old_dsize = p->dsize;
+ old_data = p->data;
+ p->data = data;
+ p->dsize = dsize;
+ }
+
 OutputSet* idx = head ? head->LogList : nullptr;
 EventManager::call_loggers(idx, p, otn->sigInfo.message.c_str(), &event);
+
+ if (data)
+ {
+ p->data = old_data;
+ p->dsize = old_dsize;
+ delete[] data;
+ }
 }
 void CallAlertFuncs(Packet* p, const OptTreeNode* otn, ListHead* head)
diff --git a/src/framework/inspector.h b/src/framework/inspector.h
index c65e00e2a..41c2bbac4 100644
--- a/src/framework/inspector.h
+++ b/src/framework/inspector.h
@@ -193,6 +193,9 @@ public:
 virtual void install_reload_handler(SnortConfig*) { }
+ virtual const uint8_t* adjust_log_packet(Packet*, uint16_t&)
+ { return nullptr; }
+
 public:
 static THREAD_LOCAL unsigned slot;
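Review bot: `delete[] data` at the end of the added block in CallLogFuncs fixes an ownership contract — every `adjust_log_packet` override must hand back either nullptr or a buffer allocated with `new uint8_t[]` — that neither this call site nor the base declaration in the inspector.h hunk states. A comment on the virtual in inspector.h, e.g. `// Returns a new[]-allocated buffer (freed by the caller with delete[]) to log in place of p->data, with its size in the out-param, or nullptr to log the packet unchanged`, would keep a future override from returning a pointer into inspector-owned storage that the caller then frees. While `data` is swapped in, `p->pkt` and `p->pkth` are left untouched, so a logger that reads the raw packet rather than `p->data`/`p->dsize` presumably still sees the original bytes; if that is intended, a one-line comment at the swap saying so would spare the next reader the question. CallLogFuncs starts before the hunk.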
diff --git a/src/service_inspectors/http_inspect/http_inspect.cc b/src/service_inspectors/http_inspect/http_inspect.cc
index 37373f57a..ae4f3e6b3 100755
--- a/src/service_inspectors/http_inspect/http_inspect.cc
+++ b/src/service_inspectors/http_inspect/http_inspect.cc
@@ -679,3 +679,58 @@ void HttpInspect::clear(Packet* p)
 }
 }
+const uint8_t* HttpInspect::adjust_log_packet(Packet* p, uint16_t& length)
+{
+ HttpMsgSection* current_section = HttpContextData::get_snapshot(p);
+ if (current_section == nullptr ||
+ current_section->get_inspection_section() != PS_HEADER)
+ return nullptr;
+
+ HttpMsgSection* other_section = nullptr;
+ unsigned id;
+ if ((HttpMsgHeader*)current_section == current_section->get_header(SRC_CLIENT))
+ {
+ other_section = current_section->get_request();
+ id = HTTP_BUFFER_RAW_REQUEST;
+ }
+ else if ((HttpMsgHeader*)current_section == current_section->get_header(SRC_SERVER))
+ {
+ other_section = current_section->get_status();
+ id = HTTP_BUFFER_RAW_STATUS;
+ }
+ else
+ return nullptr;
+
+ const Field& start_line = other_section->get_classic_buffer(id, 0, 0);
+ if (start_line.length() > 0)
+ {
+ static const uint8_t END_HEADERS[] = "\r\n\r\n";
+ static const size_t END_HEADERS_LEN = 4;
+ static const uint8_t* END_START_LINE = END_HEADERS;
+ static const size_t END_START_LINE_LEN = 2;
+
+ const struct { const uint8_t* data; const size_t len; } frags[] =
+ {
+ { start_line.start(), (size_t) start_line.length() },
+ { END_START_LINE, END_START_LINE_LEN },
+ { p->data, p->dsize },
+ { END_HEADERS, END_HEADERS_LEN }
+ };
+ const uint frags_cnt = sizeof(frags)/sizeof(frags[0]);
+
+ uint8_t* data = new uint8_t[start_line.length() + END_START_LINE_LEN +
+ p->dsize + END_HEADERS_LEN];
+
+ uint8_t* dst = data;
+ for (uint i = 0; i < frags_cnt; i++)
+ {
+ memcpy(dst, frags[i].data, frags[i].len);
+ dst += frags[i].len;
+ }
+
+ length = dst - data;
+ return data;
+ }
+
+ return nullptr;
+}
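Review bot: `length = dst - data;` narrows a pointer difference into the `uint16_t&` out-parameter with no range check, while the buffer it describes holds `start_line.length() + 2 + p->dsize + 4` bytes; when `p->dsize` is close to 65535 or the start line is long, the stored length wraps and the logged payload no longer matches what was assembled. Computing the total once as `size_t` and returning nullptr when it does not fit closes that, and the same total can then size the `new[]` instead of repeating the sum. `other_section` from `get_request()`/`get_status()` is dereferenced at `get_classic_buffer` without a null check; whether those can return nullptr for a header snapshot is not visible in the hunk, so I have left the guard marked for confirmation. The C-style casts `(HttpMsgHeader*)current_section` and `(size_t) start_line.length()` would read better as `static_cast`, and `uint` is not a standard type — `size_t` fits both the counter and the element count.
```cpp
    // NOTE(review): confirm get_request()/get_status() cannot return nullptr
    // for a header snapshot; if they can, this guard is required.
    if (other_section == nullptr)
        return nullptr;

    const Field& start_line = other_section->get_classic_buffer(id, 0, 0);
    if (start_line.length() > 0)
    {
        static const uint8_t END_HEADERS[] = "\r\n\r\n";
        static const size_t END_HEADERS_LEN = 4;
        static const uint8_t* END_START_LINE = END_HEADERS;
        static const size_t END_START_LINE_LEN = 2;

        // Size the rebuilt payload once; the caller stores the length in a
        // uint16_t, so refuse to build a log packet that would not fit in it.
        const size_t total = static_cast<size_t>(start_line.length())
            + END_START_LINE_LEN + p->dsize + END_HEADERS_LEN;
        if (total > UINT16_MAX)
            return nullptr;

        // … unchanged: frags[] table …
        const size_t frags_cnt = sizeof(frags)/sizeof(frags[0]);

        uint8_t* data = new uint8_t[total];
        uint8_t* dst = data;
        for (size_t i = 0; i < frags_cnt; i++)
        {
            memcpy(dst, frags[i].data, frags[i].len);
            dst += frags[i].len;
        }

        length = static_cast<uint16_t>(total);
        return data;
    }
```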
diff --git a/src/service_inspectors/http_inspect/http_inspect.h b/src/service_inspectors/http_inspect/http_inspect.h
index fb9a83432..3b7dd770a 100644
--- a/src/service_inspectors/http_inspect/http_inspect.h
+++ b/src/service_inspectors/http_inspect/http_inspect.h
@@ -91,6 +91,8 @@ public:
 unsigned get_pub_id() { return pub_id; }
+ const uint8_t* adjust_log_packet(snort::Packet* p, uint16_t& length) override;
+
 private:
 friend HttpApi;
 friend HttpStreamSplitter;