From: Victor Julien Date: Fri, 9 Dec 2016 14:27:51 +0000 (+0100) Subject: http_header / http_raw_header: dynamic buffers X-Git-Tag: suricata-4.0.0-beta1~385 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e7d5e845c799595faa6b3a25e59218a689144046;p=thirdparty%2Fsuricata.git http_header / http_raw_header: dynamic buffers --- diff --git a/src/detect-base64-decode.c b/src/detect-base64-decode.c index 83dfd64139..5bac625e0f 100644 --- a/src/detect-base64-decode.c +++ b/src/detect-base64-decode.c @@ -256,6 +256,8 @@ static void DetectBase64DecodeFree(void *ptr) #include "flow-util.h" #include "stream-tcp.h" +static int g_http_header_buffer_id = 0; + static int DetectBase64TestDecodeParse(void) { int retval = 0; @@ -411,7 +413,7 @@ static int DetectBase64DecodeHttpHeaderTestSetup(void) } /* Test that the http header list is not NULL. */ - if (s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH] == NULL) { + if (s->sm_lists_tail[g_http_header_buffer_id] == NULL) { goto end; } @@ -662,6 +664,8 @@ end: static void DetectBase64DecodeRegisterTests(void) { #ifdef UNITTESTS + g_http_header_buffer_id = DetectBufferTypeGetByName("http_header"); + UtRegisterTest("DetectBase64TestDecodeParse", DetectBase64TestDecodeParse); UtRegisterTest("DetectBase64DecodeTestSetup", DetectBase64DecodeTestSetup); UtRegisterTest("DetectBase64DecodeHttpHeaderTestSetup", diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c index 5de0ce168c..7990afc019 100644 --- a/src/detect-engine-analyzer.c +++ b/src/detect-engine-analyzer.c 
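Review bot: The id returned by `DetectBufferTypeGetByName("http_header")` is stored unchecked in `DetectBase64DecodeRegisterTests` and then used directly as the index in `s->sm_lists_tail[g_http_header_buffer_id]` inside `DetectBase64DecodeHttpHeaderTestSetup`. If the lookup fails (it appears to report an unknown name with a negative value, to be confirmed against its definition), the test reads outside the array instead of failing cleanly. The `= 0` default is presumably itself a valid list id, so a missed initialization would silently inspect a different list. Consider initializing the global to `-1` and guarding the use, e.g. `if (g_http_header_buffer_id < 0 || s->sm_lists_tail[g_http_header_buffer_id] == NULL) { goto end; }`. The same unchecked pattern recurs in `DetectFastPatternRegisterTests` and, on the rule-loading path, in `DetectHttpHeaderRegister`, whose id is passed to `DetectEngineContentModifierBufferSetup`; the enclosing functions extend beyond these hunks.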
@@ -114,10 +114,6 @@ void EngineAnalysisFP(Signature *s, char *line) fprintf(fp_engine_analysis_FD, "content\n"); else if (list_type == DETECT_SM_LIST_HRUDMATCH) fprintf(fp_engine_analysis_FD, "http raw uri content\n"); - else if (list_type == DETECT_SM_LIST_HHDMATCH) - fprintf(fp_engine_analysis_FD, "http header content\n"); - else if (list_type == DETECT_SM_LIST_HRHDMATCH) - fprintf(fp_engine_analysis_FD, "http raw header content\n"); else if (list_type == DETECT_SM_LIST_HCBDMATCH) fprintf(fp_engine_analysis_FD, "http client body content\n"); else { @@ -456,10 +452,6 @@ static void EngineAnalysisRulesPrintFP(const Signature *s) } else if (list_type == DETECT_SM_LIST_HRUDMATCH) fprintf(rule_engine_analysis_FD, "http raw uri content"); - else if (list_type == DETECT_SM_LIST_HHDMATCH) - fprintf(rule_engine_analysis_FD, "http header content"); - else if (list_type == DETECT_SM_LIST_HRHDMATCH) - fprintf(rule_engine_analysis_FD, "http raw header content"); else if (list_type == DETECT_SM_LIST_HCBDMATCH) fprintf(rule_engine_analysis_FD, "http client body content"); else if (list_type == DETECT_SM_LIST_DNSQUERYNAME_MATCH) @@ -568,6 +560,8 @@ void EngineAnalysisRules(const Signature *s, const char *line) const int httpcookie_id = DetectBufferTypeGetByName("http_cookie"); const int httpstatcode_id = DetectBufferTypeGetByName("http_stat_code"); const int httpstatmsg_id = DetectBufferTypeGetByName("http_stat_msg"); + const int httpheader_id = DetectBufferTypeGetByName("http_header"); + const int httprawheader_id = DetectBufferTypeGetByName("http_raw_header"); if (s->init_data->init_flags & SIG_FLAG_INIT_BIDIREC) { rule_bidirectional = 1; @@ -601,7 +595,7 @@ void EngineAnalysisRules(const Signature *s, const char *line) norm_http_buf += 1; http_uri_buf += 1; } - else if (list_id == DETECT_SM_LIST_HHDMATCH) { + else if (list_id == httpheader_id) { rule_pcre_http += 1; norm_http_buf += 1; http_header_buf += 1; 
@@ -616,7 +610,7 @@ void EngineAnalysisRules(const Signature *s, const char *line) http_server_body_buf += 1; raw_http_buf += 1; } - else if (list_id == DETECT_SM_LIST_HRHDMATCH) { + else if (list_id == httprawheader_id) { rule_pcre_http += 1; raw_http_buf += 1; http_raw_header_buf += 1; @@ -653,7 +647,7 @@ void EngineAnalysisRules(const Signature *s, const char *line) else if (sm->type == DETECT_CONTENT) { if (list_id == httpuri_id - || list_id == DETECT_SM_LIST_HHDMATCH + || list_id == httpheader_id || list_id == httpcookie_id) { rule_content_http += 1; norm_http_buf += 1; @@ -665,7 +659,7 @@ void EngineAnalysisRules(const Signature *s, const char *line) if (list_id == httpuri_id) { http_uri_buf += 1; } - else if (list_id == DETECT_SM_LIST_HHDMATCH) { + else if (list_id == httpheader_id) { http_header_buf += 1; } else if (list_id == httpcookie_id) { @@ -682,7 +676,7 @@ void EngineAnalysisRules(const Signature *s, const char *line) raw_http_buf += 1; http_server_body_buf += 1; } - else if (list_id == DETECT_SM_LIST_HRHDMATCH) { + else if (list_id == httprawheader_id) { rule_content_http += 1; raw_http_buf += 1; http_raw_header_buf += 1; diff --git a/src/detect-engine.c b/src/detect-engine.c index 381342e892..6b64f08cca 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -2802,10 +2802,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type) return "http raw uri"; case DETECT_SM_LIST_HCBDMATCH: return "http client body"; - case DETECT_SM_LIST_HHDMATCH: - return "http headers"; - case DETECT_SM_LIST_HRHDMATCH: - return "http raw headers"; case DETECT_SM_LIST_APP_EVENT: return "app layer events"; diff --git a/src/detect-fast-pattern.c b/src/detect-fast-pattern.c index e902f261b2..58925d51f6 100644 --- a/src/detect-fast-pattern.c +++ b/src/detect-fast-pattern.c 
@@ -330,6 +330,8 @@ static int g_http_host_buffer_id = 0; static int g_http_raw_host_buffer_id = 0; static int g_http_stat_code_buffer_id = 0; static int g_http_stat_msg_buffer_id = 0; +static int g_http_raw_header_buffer_id = 0; +static int g_http_header_buffer_id = 0; /** * \test Checks if a fast_pattern is registered in a Signature @@ -4964,7 +4966,7 @@ int DetectFastPatternTest179(void) "content:\"three\"; http_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -5002,7 +5004,7 @@ int DetectFastPatternTest180(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_header_buffer_id]; if (sm != NULL) { if ( ((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN) { @@ -5039,7 +5041,7 @@ int DetectFastPatternTest181(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_header_buffer_id]; if (sm != NULL) { if ( ((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN) { @@ -5071,7 +5073,7 @@ int DetectFastPatternTest182(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_header_buffer_id]; DetectContentData *ud = (DetectContentData *)sm->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && 
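Review bot: In `DetectFastPatternTest182` the list head is fetched with `sm = de_ctx->sig_list->sm_lists[g_http_header_buffer_id];` and immediately dereferenced as `sm->ctx`, whereas Test180 and Test181 in the neighbouring hunks guard it with `if (sm != NULL)`. With the index now resolved at run time rather than taken from an enum constant, an empty list would crash the unit-test binary instead of failing the test. Add `if (sm == NULL) goto end;` before the cast. The same applies to Test183, Test223 and Test224. The `sm_lists_tail[...]->prev->ctx` chains from Test179 onward would likewise benefit from checking the tail and `prev` first. The function bodies extend beyond these hunks.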
@@ -5105,7 +5107,7 @@ int DetectFastPatternTest183(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_header_buffer_id]; DetectContentData *ud = (DetectContentData *)sm->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -5335,7 +5337,7 @@ int DetectFastPatternTest193(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -5365,7 +5367,7 @@ int DetectFastPatternTest194(void) "(content:\"one\"; http_header; content:\"two\"; http_header; within:30; content:\"two\"; fast_pattern:only; http_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && 
@@ -5395,7 +5397,7 @@ int DetectFastPatternTest195(void) "(content:\"one\"; http_header; content:\"two\"; http_header; offset:30; content:\"two\"; fast_pattern:only; http_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -5425,7 +5427,7 @@ int DetectFastPatternTest196(void) "(content:\"one\"; http_header; content:\"two\"; http_header; depth:30; content:\"two\"; fast_pattern:only; http_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -5455,7 +5457,7 @@ int DetectFastPatternTest197(void) "(content:!\"one\"; fast_pattern; http_header; content:\"two\"; http_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && 
@@ -5574,7 +5576,7 @@ int DetectFastPatternTest202(void) "(content:\"one\"; http_header; content:\"oneonetwo\"; fast_pattern:3,4; http_header; content:\"three\"; http_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -5604,7 +5606,7 @@ int DetectFastPatternTest203(void) "(content:\"one\"; http_header; content:\"oneonetwo\"; fast_pattern:3,4; http_header; content:\"three\"; http_header; distance:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -5634,7 +5636,7 @@ int DetectFastPatternTest204(void) "(content:\"one\"; http_header; content:\"oneonetwo\"; fast_pattern:3,4; http_header; content:\"three\"; http_header; within:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && 
@@ -5664,7 +5666,7 @@ int DetectFastPatternTest205(void) "(content:\"one\"; http_header; content:\"oneonetwo\"; fast_pattern:3,4; http_header; content:\"three\"; http_header; offset:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -5694,7 +5696,7 @@ int DetectFastPatternTest206(void) "(content:\"one\"; http_header; content:\"oneonetwo\"; fast_pattern:3,4; http_header; content:\"three\"; http_header; depth:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -5724,7 +5726,7 @@ int DetectFastPatternTest207(void) "(content:\"one\"; http_header; content:\"two\"; http_header; distance:10; content:\"oneonethree\"; fast_pattern:3,4; http_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && 
@@ -5754,7 +5756,7 @@ int DetectFastPatternTest208(void) "(content:\"one\"; http_header; content:\"two\"; http_header; within:10; content:\"oneonethree\"; fast_pattern:3,4; http_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -5784,7 +5786,7 @@ int DetectFastPatternTest209(void) "(content:\"one\"; http_header; content:\"two\"; http_header; offset:10; content:\"oneonethree\"; fast_pattern:3,4; http_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -5814,7 +5816,7 @@ int DetectFastPatternTest210(void) "(content:\"one\"; http_header; content:\"two\"; http_header; depth:10; content:\"oneonethree\"; fast_pattern:3,4; http_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && 
@@ -5913,7 +5915,7 @@ int DetectFastPatternTest214(void) "(content:\"one\"; http_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_header; content:\"three\"; http_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -6032,7 +6034,7 @@ int DetectFastPatternTest219(void) "(content:\"one\"; http_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_header; content:\"three\"; http_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -6070,7 +6072,7 @@ int DetectFastPatternTest220(void) "content:\"three\"; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && 
@@ -6108,7 +6110,7 @@ int DetectFastPatternTest221(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id]; if (sm != NULL) { if ( ((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN) { @@ -6145,7 +6147,7 @@ int DetectFastPatternTest222(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id]; if (sm != NULL) { if ( ((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN) { @@ -6177,7 +6179,7 @@ int DetectFastPatternTest223(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id]; DetectContentData *ud = (DetectContentData *)sm->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && @@ -6211,7 +6213,7 @@ int DetectFastPatternTest224(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id]; DetectContentData *ud = (DetectContentData *)sm->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -6441,7 +6443,7 @@ int DetectFastPatternTest234(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && 
@@ -6471,7 +6473,7 @@ int DetectFastPatternTest235(void) "(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; within:30; content:\"two\"; fast_pattern:only; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -6501,7 +6503,7 @@ int DetectFastPatternTest236(void) "(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; offset:30; content:\"two\"; fast_pattern:only; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -6531,7 +6533,7 @@ int DetectFastPatternTest237(void) "(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; depth:30; content:\"two\"; fast_pattern:only; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && 
@@ -6561,7 +6563,7 @@ int DetectFastPatternTest238(void) "(flow:to_server; content:!\"one\"; fast_pattern; http_raw_header; content:\"two\"; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -6680,7 +6682,7 @@ int DetectFastPatternTest243(void) "(flow:to_server; content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -6710,7 +6712,7 @@ int DetectFastPatternTest244(void) "(flow:to_server; content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; distance:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && 
@@ -6740,7 +6742,7 @@ int DetectFastPatternTest245(void) "(flow:to_server; content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; within:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -6770,7 +6772,7 @@ int DetectFastPatternTest246(void) "(flow:to_server; content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; offset:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -6800,7 +6802,7 @@ int DetectFastPatternTest247(void) "(flow:to_server; content:\"one\"; http_raw_header; content:\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; depth:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && 
@@ -6830,7 +6832,7 @@ int DetectFastPatternTest248(void) "(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; distance:10; content:\"oneonethree\"; fast_pattern:3,4; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -6860,7 +6862,7 @@ int DetectFastPatternTest249(void) "(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; within:10; content:\"oneonethree\"; fast_pattern:3,4; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -6890,7 +6892,7 @@ int DetectFastPatternTest250(void) "(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; offset:10; content:\"oneonethree\"; fast_pattern:3,4; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && 
@@ -6920,7 +6922,7 @@ int DetectFastPatternTest251(void) "(flow:to_server; content:\"one\"; http_raw_header; content:\"two\"; http_raw_header; depth:10; content:\"oneonethree\"; fast_pattern:3,4; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -7019,7 +7021,7 @@ int DetectFastPatternTest255(void) "(flow:to_server; content:\"one\"; http_raw_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -7138,7 +7140,7 @@ int DetectFastPatternTest260(void) "(flow:to_server; content:\"one\"; http_raw_header; content:!\"oneonetwo\"; fast_pattern:3,4; http_raw_header; content:\"three\"; http_raw_header; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && 
@@ -18839,6 +18841,8 @@ void DetectFastPatternRegisterTests(void) g_http_raw_host_buffer_id = DetectBufferTypeGetByName("http_raw_host"); g_http_stat_code_buffer_id = DetectBufferTypeGetByName("http_stat_code"); g_http_stat_msg_buffer_id = DetectBufferTypeGetByName("http_stat_msg"); + g_http_header_buffer_id = DetectBufferTypeGetByName("http_header"); + g_http_raw_header_buffer_id = DetectBufferTypeGetByName("http_raw_header"); UtRegisterTest("DetectFastPatternTest01", DetectFastPatternTest01); UtRegisterTest("DetectFastPatternTest02", DetectFastPatternTest02); diff --git a/src/detect-http-header.c b/src/detect-http-header.c index a118249dcd..af1524f834 100644 --- a/src/detect-http-header.c +++ b/src/detect-http-header.c @@ -60,9 +60,11 @@ #include "detect-engine-hhd.h" #include "stream-tcp.h" -int DetectHttpHeaderSetup(DetectEngineCtx *, Signature *, char *); -void DetectHttpHeaderRegisterTests(void); -void DetectHttpHeaderFree(void *); +static int DetectHttpHeaderSetup(DetectEngineCtx *, Signature *, char *); +static void DetectHttpHeaderRegisterTests(void); +static void DetectHttpHeaderFree(void *); +static void DetectHttpHeaderSetupCallback(Signature *); +static int g_http_header_buffer_id = 0; /** * \brief Registers the keyword handlers for the "http_header" keyword. 
@@ -81,21 +83,25 @@ void DetectHttpHeaderRegister(void) sigmatch_table[DETECT_AL_HTTP_HEADER].flags |= SIGMATCH_NOOPT ; sigmatch_table[DETECT_AL_HTTP_HEADER].flags |= SIGMATCH_PAYLOAD ; - DetectMpmAppLayerRegister("http_header", SIG_FLAG_TOSERVER, - DETECT_SM_LIST_HHDMATCH, 2, + DetectAppLayerMpmRegister("http_header", SIG_FLAG_TOSERVER, 2, PrefilterTxHttpRequestHeadersRegister); - DetectMpmAppLayerRegister("http_header", SIG_FLAG_TOCLIENT, - DETECT_SM_LIST_HHDMATCH, 2, + DetectAppLayerMpmRegister("http_header", SIG_FLAG_TOCLIENT, 2, PrefilterTxHttpResponseHeadersRegister); - DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER, - DETECT_SM_LIST_HHDMATCH, + DetectAppLayerInspectEngineRegister2("http_header", + ALPROTO_HTTP, SIG_FLAG_TOSERVER, DetectEngineInspectHttpHeader); - DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOCLIENT, - DETECT_SM_LIST_HHDMATCH, + DetectAppLayerInspectEngineRegister2("http_header", + ALPROTO_HTTP, SIG_FLAG_TOCLIENT, DetectEngineInspectHttpHeader); - return; + DetectBufferTypeSetDescriptionByName("http_header", + "http headers"); + + DetectBufferTypeRegisterSetupCallback("http_header", + DetectHttpHeaderSetupCallback); + + g_http_header_buffer_id = DetectBufferTypeGetByName("http_header"); } /** @@ -133,15 +139,22 @@ int DetectHttpHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { return DetectEngineContentModifierBufferSetup(de_ctx, s, arg, DETECT_AL_HTTP_HEADER, - DETECT_SM_LIST_HHDMATCH, + g_http_header_buffer_id, ALPROTO_HTTP, NULL); } +static void DetectHttpHeaderSetupCallback(Signature *s) +{ + SCLogDebug("callback invoked by %u", s->id); + s->mask |= SIG_MASK_REQUIRE_HTTP_STATE; +} + /************************************Unittests*********************************/ #ifdef UNITTESTS +#include "detect-isdataat.h" #include "stream-tcp-reassemble.h" /** 
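Review bot: `DetectHttpHeaderSetupCallback` is added without a header comment, while the other functions in this file carry Doxygen `\brief` blocks. Nothing at the definition says when the callback runs or why it touches `s->mask`. Suggest adding `/** \brief Setup callback for the "http_header" buffer: flags the signature as requiring HTTP state. */` above it, and a one-line comment at the `DetectBufferTypeRegisterSetupCallback` call noting that this is where the requirement is now attached. It is not visible from this hunk whether `SIG_MASK_REQUIRE_HTTP_STATE` was previously set elsewhere for this list, which is worth stating in the comment if so.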
@@ -169,7 +182,7 @@ static int DetectHttpHeaderTest01(void) goto end; } - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_header_buffer_id]; if (sm != NULL) { result &= (sm->type == DETECT_CONTENT); result &= (sm->next == NULL); @@ -1258,13 +1271,13 @@ int DetectHttpHeaderTest20(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_header_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_header_buffer_id] == NULL\n"); goto end; } - DetectContentData *hhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx; - DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx; + DetectContentData *hhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx; + DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->ctx; if (hhd1->flags != DETECT_CONTENT_RELATIVE_NEXT || memcmp(hhd1->content, "one", hhd1->content_len) != 0 || hhd2->flags != DETECT_CONTENT_DISTANCE || 
@@ -1302,13 +1315,13 @@ int DetectHttpHeaderTest21(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_header_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_header_buffer_id] == NULL\n"); goto end; } - DetectContentData *hhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx; - DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx; + DetectContentData *hhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx; + DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->ctx; if (hhd1->flags != DETECT_CONTENT_RELATIVE_NEXT || memcmp(hhd1->content, "one", hhd1->content_len) != 0 || hhd2->flags != DETECT_CONTENT_WITHIN || 
@@ -1418,21 +1431,21 @@ int DetectHttpHeaderTest25(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_header_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_header_buffer_id] == NULL\n"); goto end; } - if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH] == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->type != DETECT_CONTENT || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->type != DETECT_PCRE) { + if (de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id] == NULL || + de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->type != DETECT_CONTENT || + de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev == NULL || + de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->type != DETECT_PCRE) { goto end; } - DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx; - DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx; + DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx; + DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->ctx; if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || hhd2->flags != DETECT_CONTENT_WITHIN || memcmp(hhd2->content, "two", hhd2->content_len) != 0) { 
@@ -1469,21 +1482,21 @@ int DetectHttpHeaderTest26(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_header_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_header_buffer_id] == NULL\n"); goto end; } - if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH] == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->type != DETECT_PCRE || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->type != DETECT_CONTENT) { + if (de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id] == NULL || + de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->type != DETECT_PCRE || + de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev == NULL || + de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->type != DETECT_CONTENT) { goto end; } - DetectContentData *hhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx; - DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx; + DetectContentData *hhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx; + DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->ctx; if (pd2->flags != (DETECT_PCRE_RELATIVE) || hhd1->flags != DETECT_CONTENT_RELATIVE_NEXT || memcmp(hhd1->content, "two", hhd1->content_len) != 0) { 
@@ -1520,21 +1533,21 @@ int DetectHttpHeaderTest27(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_header_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_header_buffer_id] == NULL\n"); goto end; } - if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH] == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->type != DETECT_CONTENT || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->type != DETECT_PCRE) { + if (de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id] == NULL || + de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->type != DETECT_CONTENT || + de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev == NULL || + de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->type != DETECT_PCRE) { goto end; } - DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->prev->ctx; - DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx; + DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->prev->ctx; + DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_header_buffer_id]->ctx; if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || hhd2->flags != DETECT_CONTENT_DISTANCE || memcmp(hhd2->content, "two", hhd2->content_len) != 0) { 
@@ -1813,6 +1826,32 @@ static int DetectHttpHeaderTest30(void) return result; } +static int DetectHttpHeaderIsdataatParseTest(void) +{ + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + FAIL_IF_NULL(de_ctx); + de_ctx->flags |= DE_QUIET; + + Signature *s = DetectEngineAppendSig(de_ctx, + "alert tcp any any -> any any (" + "flow:to_server; " + "content:\"one\"; http_header; " + "isdataat:!4,relative; sid:1;)"); + FAIL_IF_NULL(s); + + SigMatch *sm = s->init_data->smlists_tail[g_http_header_buffer_id]; + FAIL_IF_NULL(sm); + FAIL_IF_NOT(sm->type == DETECT_ISDATAAT); + + DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx; + FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE); + FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED); + FAIL_IF(data->flags & ISDATAAT_RAWBYTES); + + DetectEngineCtxFree(de_ctx); + PASS; +} + #endif /* UNITTESTS */ void DetectHttpHeaderRegisterTests(void) @@ -1842,6 +1881,10 @@ void DetectHttpHeaderRegisterTests(void) UtRegisterTest("DetectHttpHeaderTest28", DetectHttpHeaderTest28); UtRegisterTest("DetectHttpHeaderTest29", DetectHttpHeaderTest29); UtRegisterTest("DetectHttpHeaderTest30", DetectHttpHeaderTest30); + + UtRegisterTest("DetectHttpHeaderIsdataatParseTest", + DetectHttpHeaderIsdataatParseTest); + #endif /* UNITTESTS */ return; diff --git a/src/detect-http-raw-header.c b/src/detect-http-raw-header.c index 6f5c6ada7e..e7c122bcd3 100644 --- a/src/detect-http-raw-header.c +++ b/src/detect-http-raw-header.c 
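Review bot: DetectHttpHeaderIsdataatParseTest has no `\test` comment, and it is the replacement for DetectIsdataatTestParse10, which this commit deletes from src/detect-isdataat.c. I would add `/** \test isdataat relative to an http_header content is placed in the http_header list */` above it so the move is traceable. The test also dereferences `data` straight after the cast from `sm->ctx`; a `FAIL_IF_NULL(data);` before the flag checks would turn a missing context into a test failure instead of a crash. Both remarks apply to DetectHttpRawHeaderIsdataatParseTest in src/detect-http-raw-header.c as well.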
@@ -60,9 +60,12 @@ #include "detect-engine-hrhd.h" #include "stream-tcp.h" -int DetectHttpRawHeaderSetup(DetectEngineCtx *, Signature *, char *); -void DetectHttpRawHeaderRegisterTests(void); -void DetectHttpRawHeaderFree(void *); +static int DetectHttpRawHeaderSetup(DetectEngineCtx *, Signature *, char *); +static void DetectHttpRawHeaderRegisterTests(void); +static void DetectHttpRawHeaderFree(void *); +static _Bool DetectHttpRawHeaderValidateCallback(const Signature *s); +static void DetectHttpRawHeaderSetupCallback(Signature *s); +static int g_http_raw_header_buffer_id = 0; /** * \brief Registers the keyword handlers for the "http_raw_header" keyword. 
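Review bot: `static int g_http_raw_header_buffer_id = 0;` uses 0 as the not-yet-registered value, which is presumably also a valid list index, so any use before DetectHttpRawHeaderRegister has run would silently address a different match list instead of failing. Initialising it as `static int g_http_raw_header_buffer_id = -1;` gives assertions and checks a value to test against. The same initialiser is used for `g_http_header_buffer_id` in src/detect-pcre.c and, per the earlier hunks, in src/detect-http-header.c.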
@@ -79,20 +82,27 @@ void DetectHttpRawHeaderRegister(void) sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].flags |= SIGMATCH_NOOPT; sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].flags |= SIGMATCH_PAYLOAD; - DetectMpmAppLayerRegister("http_raw_header", SIG_FLAG_TOSERVER, - DETECT_SM_LIST_HRHDMATCH, 2, + DetectAppLayerMpmRegister("http_raw_header", SIG_FLAG_TOSERVER, 2, PrefilterTxRequestHeadersRawRegister); - DetectMpmAppLayerRegister("http_raw_header", SIG_FLAG_TOCLIENT, - DETECT_SM_LIST_HRHDMATCH, 2, + DetectAppLayerMpmRegister("http_raw_header", SIG_FLAG_TOCLIENT, 2, PrefilterTxResponseHeadersRawRegister); - DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER, - DETECT_SM_LIST_HRHDMATCH, + DetectAppLayerInspectEngineRegister2("http_raw_header", + ALPROTO_HTTP, SIG_FLAG_TOSERVER, DetectEngineInspectHttpRawHeader); - DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOCLIENT, - DETECT_SM_LIST_HRHDMATCH, + DetectAppLayerInspectEngineRegister2("http_raw_header", + ALPROTO_HTTP, SIG_FLAG_TOCLIENT, DetectEngineInspectHttpRawHeader); - return; + + DetectBufferTypeSetDescriptionByName("http_raw_header", + "raw http headers"); + + DetectBufferTypeRegisterValidateCallback("http_raw_header", + DetectHttpRawHeaderValidateCallback); + DetectBufferTypeRegisterSetupCallback("http_raw_header", + DetectHttpRawHeaderSetupCallback); + + g_http_raw_header_buffer_id = DetectBufferTypeGetByName("http_raw_header"); } 
@@ -131,15 +141,34 @@ int DetectHttpRawHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { return DetectEngineContentModifierBufferSetup(de_ctx, s, arg, DETECT_AL_HTTP_RAW_HEADER, - DETECT_SM_LIST_HRHDMATCH, + g_http_raw_header_buffer_id, ALPROTO_HTTP, NULL); } +static _Bool DetectHttpRawHeaderValidateCallback(const Signature *s) +{ + if ((s->flags & (SIG_FLAG_TOCLIENT|SIG_FLAG_TOSERVER)) == (SIG_FLAG_TOCLIENT|SIG_FLAG_TOSERVER)) { + SCLogError(SC_ERR_INVALID_SIGNATURE,"http_raw_header signature " + "without a flow direction. Use flow:to_server for " + "inspecting request headers or flow:to_client for " + "inspecting response headers."); + SCReturnInt(FALSE); + } + return TRUE; +} + +static void DetectHttpRawHeaderSetupCallback(Signature *s) +{ + SCLogDebug("callback invoked by %u", s->id); + s->mask |= SIG_MASK_REQUIRE_HTTP_STATE; +} + /************************************Unittests*********************************/ #ifdef UNITTESTS +#include "detect-isdataat.h" #include "stream-tcp-reassemble.h" /** @@ -167,7 +196,7 @@ static int DetectHttpRawHeaderTest01(void) goto end; } - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id]; if (sm != NULL) { result &= (sm->type == DETECT_CONTENT); result &= (sm->next == NULL); 
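Review bot: DetectHttpRawHeaderValidateCallback leaves through `SCReturnInt(FALSE);` on the error path but through a plain `return TRUE;` otherwise, and the function has no matching SCEnter. Since it returns `_Bool`, I would write `return FALSE;` on the error path so both exits look the same. A short comment above the condition, `/* both direction flags set: the rule gave no flow direction */`, would also explain why testing for both flags corresponds to the "without a flow direction" message.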
@@ -1256,13 +1285,13 @@ int DetectHttpRawHeaderTest20(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL\n"); goto end; } - DetectContentData *hrhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx; - DetectContentData *hrhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx; + DetectContentData *hrhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx; + DetectContentData *hrhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx; if (hrhd1->flags != DETECT_CONTENT_RELATIVE_NEXT || memcmp(hrhd1->content, "one", hrhd1->content_len) != 0 || hrhd2->flags != DETECT_CONTENT_DISTANCE || 
@@ -1300,13 +1329,13 @@ int DetectHttpRawHeaderTest21(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL\n"); goto end; } - DetectContentData *hrhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx; - DetectContentData *hrhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx; + DetectContentData *hrhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx; + DetectContentData *hrhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx; if (hrhd1->flags != DETECT_CONTENT_RELATIVE_NEXT || memcmp(hrhd1->content, "one", hrhd1->content_len) != 0 || hrhd2->flags != DETECT_CONTENT_WITHIN || 
@@ -1416,21 +1445,21 @@ int DetectHttpRawHeaderTest25(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL\n"); goto end; } - if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH] == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->type != DETECT_CONTENT || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->type != DETECT_PCRE) { + if (de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id] == NULL || + de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->type != DETECT_CONTENT || + de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev == NULL || + de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->type != DETECT_PCRE) { goto end; } - DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx; - DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx; + DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx; + DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx; if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || hhd2->flags != DETECT_CONTENT_WITHIN || memcmp(hhd2->content, "two", hhd2->content_len) != 0) { 
@@ -1467,21 +1496,21 @@ int DetectHttpRawHeaderTest26(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL\n"); goto end; } - if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH] == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->type != DETECT_PCRE || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->type != DETECT_CONTENT) { + if (de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id] == NULL || + de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->type != DETECT_PCRE || + de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev == NULL || + de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->type != DETECT_CONTENT) { goto end; } - DetectContentData *hhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx; - DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx; + DetectContentData *hhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx; + DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx; if (pd2->flags != (DETECT_PCRE_RELATIVE) || hhd1->flags != DETECT_CONTENT_RELATIVE_NEXT || memcmp(hhd1->content, "two", hhd1->content_len) != 0) { 
@@ -1518,21 +1547,21 @@ int DetectHttpRawHeaderTest27(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRHDMATCH] == NULL\n"); + if (de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL\n"); goto end; } - if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH] == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->type != DETECT_CONTENT || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev == NULL || - de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->type != DETECT_PCRE) { + if (de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id] == NULL || + de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->type != DETECT_CONTENT || + de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev == NULL || + de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->type != DETECT_PCRE) { goto end; } - DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->prev->ctx; - DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx; + DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx; + DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx; if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || hhd2->flags != DETECT_CONTENT_DISTANCE || memcmp(hhd2->content, "two", hhd2->content_len) != 0) { 
@@ -1547,6 +1576,32 @@ int DetectHttpRawHeaderTest27(void) return result; } +static int DetectHttpRawHeaderIsdataatParseTest(void) +{ + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + FAIL_IF_NULL(de_ctx); + de_ctx->flags |= DE_QUIET; + + Signature *s = DetectEngineAppendSig(de_ctx, + "alert tcp any any -> any any (" + "flow:to_server; " + "content:\"one\"; http_raw_header; " + "isdataat:!4,relative; sid:1;)"); + FAIL_IF_NULL(s); + + SigMatch *sm = s->init_data->smlists_tail[g_http_raw_header_buffer_id]; + FAIL_IF_NULL(sm); + FAIL_IF_NOT(sm->type == DETECT_ISDATAAT); + + DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx; + FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE); + FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED); + FAIL_IF(data->flags & ISDATAAT_RAWBYTES); + + DetectEngineCtxFree(de_ctx); + PASS; +} + #endif /* UNITTESTS */ void DetectHttpRawHeaderRegisterTests(void) @@ -1573,6 +1628,9 @@ void DetectHttpRawHeaderRegisterTests(void) UtRegisterTest("DetectHttpRawHeaderTest25", DetectHttpRawHeaderTest25); UtRegisterTest("DetectHttpRawHeaderTest26", DetectHttpRawHeaderTest26); UtRegisterTest("DetectHttpRawHeaderTest27", DetectHttpRawHeaderTest27); + + UtRegisterTest("DetectHttpRawHeaderIsdataatParseTest", + DetectHttpRawHeaderIsdataatParseTest); #endif /* UNITTESTS */ return; diff --git a/src/detect-isdataat.c b/src/detect-isdataat.c index 3b9e087efb..a5d28923dd 100644 --- a/src/detect-isdataat.c +++ b/src/detect-isdataat.c 
@@ -560,94 +560,6 @@ int DetectIsdataatTestParse09(void) return result; } -int DetectIsdataatTestParse10(void) -{ - DetectEngineCtx *de_ctx = NULL; - int result = 0; - Signature *s = NULL; - DetectIsdataatData *data = NULL; - - de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto end; - - de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " - "(msg:\"Testing bytejump_body\"; " - "content:\"one\"; http_header; " - "isdataat:!4,relative; sid:1;)"); - if (de_ctx->sig_list == NULL) { - goto end; - } - - s = de_ctx->sig_list; - if (s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH] == NULL) { - goto end; - } - - result = 1; - - result &= (s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->type == DETECT_ISDATAAT); - data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]->ctx; - if ( !(data->flags & ISDATAAT_RELATIVE) || - (data->flags & ISDATAAT_RAWBYTES) || - !(data->flags & ISDATAAT_NEGATED) ) { - result = 0; - goto end; - } - - end: - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - - return result; -} - -int DetectIsdataatTestParse11(void) -{ - DetectEngineCtx *de_ctx = NULL; - int result = 0; - Signature *s = NULL; - DetectIsdataatData *data = NULL; - - de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto end; - - de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " - "(msg:\"Testing bytejump_body\"; " - "flow:to_server; content:\"one\"; http_raw_header; " - "isdataat:!4,relative; sid:1;)"); - if (de_ctx->sig_list == NULL) { - goto end; - } - - s = de_ctx->sig_list; - if (s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH] == NULL) { - goto end; - } - - result = 1; - - result &= (s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->type == DETECT_ISDATAAT); - data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]->ctx; - if ( !(data->flags & ISDATAAT_RELATIVE) || - (data->flags & ISDATAAT_RAWBYTES) || - !(data->flags & 
ISDATAAT_NEGATED) ) { - result = 0; - goto end; - } - - end: - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - - return result; -} - /** * \test dns_query with isdataat relative to it */ @@ -817,8 +729,6 @@ void DetectIsdataatRegisterTests(void) UtRegisterTest("DetectIsdataatTestParse05", DetectIsdataatTestParse05); UtRegisterTest("DetectIsdataatTestParse06", DetectIsdataatTestParse06); UtRegisterTest("DetectIsdataatTestParse09", DetectIsdataatTestParse09); - UtRegisterTest("DetectIsdataatTestParse10", DetectIsdataatTestParse10); - UtRegisterTest("DetectIsdataatTestParse11", DetectIsdataatTestParse11); UtRegisterTest("DetectIsdataatTestParse16", DetectIsdataatTestParse16); UtRegisterTest("DetectIsdataatTestPacket01", DetectIsdataatTestPacket01); diff --git a/src/detect-lua.c b/src/detect-lua.c index e349d66f6e..652dea1e68 100644 --- a/src/detect-lua.c +++ b/src/detect-lua.c @@ -1009,11 +1009,13 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, char *str) } else if (lua->flags & DATATYPE_HTTP_REQUEST_UA) { int list = DetectBufferTypeGetByName("http_user_agent"); SigMatchAppendSMToList(s, sm, list); - } else if (lua->flags & (DATATYPE_HTTP_REQUEST_HEADERS|DATATYPE_HTTP_RESPONSE_HEADERS)) - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HHDMATCH); - else if (lua->flags & (DATATYPE_HTTP_REQUEST_HEADERS_RAW|DATATYPE_HTTP_RESPONSE_HEADERS_RAW)) - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRHDMATCH); - else { + } else if (lua->flags & (DATATYPE_HTTP_REQUEST_HEADERS|DATATYPE_HTTP_RESPONSE_HEADERS)) { + int list = DetectBufferTypeGetByName("http_header"); + SigMatchAppendSMToList(s, sm, list); + } else if (lua->flags & (DATATYPE_HTTP_REQUEST_HEADERS_RAW|DATATYPE_HTTP_RESPONSE_HEADERS_RAW)) { + int list = DetectBufferTypeGetByName("http_raw_header"); + SigMatchAppendSMToList(s, sm, list); + } else { int list = DetectBufferTypeGetByName("http_request_line"); SigMatchAppendSMToList(s, sm, list); } 
diff --git a/src/detect-parse.c b/src/detect-parse.c index 842679a376..513e79ad66 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -143,8 +143,6 @@ const char *DetectListToHumanString(int list) CASE_CODE_STRING(DETECT_SM_LIST_PMATCH, "payload"); CASE_CODE_STRING(DETECT_SM_LIST_HRUDMATCH, "http_raw_uri"); CASE_CODE_STRING(DETECT_SM_LIST_HCBDMATCH, "http_client_body"); - CASE_CODE_STRING(DETECT_SM_LIST_HHDMATCH, "http_header"); - CASE_CODE_STRING(DETECT_SM_LIST_HRHDMATCH, "http_raw_header"); CASE_CODE_STRING(DETECT_SM_LIST_APP_EVENT, "app-layer-event"); CASE_CODE_STRING(DETECT_SM_LIST_AMATCH, "app-layer"); CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc"); @@ -177,8 +175,6 @@ const char *DetectListToString(int list) CASE_CODE(DETECT_SM_LIST_PMATCH); CASE_CODE(DETECT_SM_LIST_HRUDMATCH); CASE_CODE(DETECT_SM_LIST_HCBDMATCH); - CASE_CODE(DETECT_SM_LIST_HHDMATCH); - CASE_CODE(DETECT_SM_LIST_HRHDMATCH); CASE_CODE(DETECT_SM_LIST_APP_EVENT); CASE_CODE(DETECT_SM_LIST_AMATCH); CASE_CODE(DETECT_SM_LIST_DMATCH); @@ -1450,16 +1446,6 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s) SCReturnInt(0); } - if (s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL) { - if ((s->flags & (SIG_FLAG_TOCLIENT|SIG_FLAG_TOSERVER)) == (SIG_FLAG_TOCLIENT|SIG_FLAG_TOSERVER)) { - SCLogError(SC_ERR_INVALID_SIGNATURE,"http_raw_header signature " - "without a flow direction. Use flow:to_server for " - "inspecting request headers or flow:to_client for " - "inspecting response headers."); - SCReturnInt(0); - } - } - //if (s->alproto != ALPROTO_UNKNOWN) { // if (s->flags & SIG_FLAG_STATE_MATCH) { // if (s->alproto == ALPROTO_DNS) { 
@@ -1524,9 +1510,7 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s) } if (s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH] || - s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH] || - s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH] || - s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH]) + s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH]) { SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature combines packet " "specific matches (like dsize, flags, ttl) with stream / " diff --git a/src/detect-pcre.c b/src/detect-pcre.c index d430193e55..59d2ee1bef 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c @@ -433,23 +433,26 @@ static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr, *sm_list = DetectPcreSetList(*sm_list, list); break; } - case 'H': /* snort's option */ + case 'H': { /* snort's option */ if (pd->flags & DETECT_PCRE_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'H' inconsistent with 'B'"); goto error; } - *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HHDMATCH); + int list = DetectBufferTypeGetByName("http_header"); + *sm_list = DetectPcreSetList(*sm_list, list); break; - case 'I': /* snort's option */ + } case 'I': /* snort's option */ if (pd->flags & DETECT_PCRE_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'I' inconsistent with 'B'"); goto error; } *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HRUDMATCH); break; - case 'D': /* snort's option */ - *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HRHDMATCH); + case 'D': { /* snort's option */ + int list = DetectBufferTypeGetByName("http_raw_header"); + *sm_list = DetectPcreSetList(*sm_list, list); break; + } case 'M': { /* snort's option */ if (pd->flags & DETECT_PCRE_RAWBYTES) { SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'M' inconsistent with 'B'"); 
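Review bot: The condition in SigValidate that rejects rules mixing packet-specific matches with stream or HTTP buffers no longer tests the http_header and http_raw_header lists, and the hunk shows no replacement for them. Unless a generic check over the dynamically registered buffers exists outside this hunk, a rule combining `dsize`, `flags` or `ttl` with `http_header` content would now load instead of being refused, and may not match the way its author expects. The same question applies to the list checks removed from SignatureIsIPOnly, SignatureIsPDOnly and SignatureIsDEOnly in src/detect.c. If the omission is intended, a comment on the condition, `/* dynamic buffers (http_header, http_raw_header) are not covered here */`, would keep the next reader from assuming they are.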
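Review bot: The new block for case 'H' in DetectPcreParse is closed on the label line of the next case, `} case 'I': /* snort's option */`, while the block added for case 'D' closes with `}` on its own line. I would put the closing brace of 'H' on its own line after `break;` and leave the `case 'I':` line untouched, which also keeps that line out of the diff. The switch starts and ends outside this hunk.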
@@ -684,9 +687,7 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst goto error; if (parsed_sm_list == DETECT_SM_LIST_HRUDMATCH || - parsed_sm_list == DETECT_SM_LIST_HCBDMATCH || - parsed_sm_list == DETECT_SM_LIST_HHDMATCH || - parsed_sm_list == DETECT_SM_LIST_HRHDMATCH) + parsed_sm_list == DETECT_SM_LIST_HCBDMATCH) { if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. " @@ -717,8 +718,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst break; case DETECT_SM_LIST_HRUDMATCH: - case DETECT_SM_LIST_HHDMATCH: - case DETECT_SM_LIST_HRHDMATCH: s->flags |= SIG_FLAG_APPLAYER; s->alproto = ALPROTO_HTTP; sm_list = parsed_sm_list; @@ -797,6 +796,7 @@ void DetectPcreFree(void *ptr) #ifdef UNITTESTS /* UNITTESTS */ static int g_file_data_buffer_id = 0; +static int g_http_header_buffer_id = 0; /** * \test DetectPcreParseTest01 make sure we don't allow invalid opts 7. @@ -3031,10 +3031,10 @@ static int DetectPcreFlowvarCapture01(void) s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"User-Agent: \"; http_header; pcre:\"/(?P.*)\\r\\n/HR\"; sid:1;)"); FAIL_IF(s == NULL); - FAIL_IF(s->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL || - s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next == NULL || - s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next->type != DETECT_PCRE); - DetectPcreData *pd = (DetectPcreData *)s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next->ctx; + FAIL_IF(s->sm_lists[g_http_header_buffer_id] == NULL || + s->sm_lists[g_http_header_buffer_id]->next == NULL || + s->sm_lists[g_http_header_buffer_id]->next->type != DETECT_PCRE); + DetectPcreData *pd = (DetectPcreData *)s->sm_lists[g_http_header_buffer_id]->next->ctx; SigGroupBuild(de_ctx); DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); 
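Review bot: With DETECT_SM_LIST_HHDMATCH and DETECT_SM_LIST_HRHDMATCH dropped from the conflict test here and from the `switch` in the following hunk, the visible code in DetectPcreSetup no longer rejects a pcre with the `H` or `D` modifier on a rule whose `s->alproto` is neither unknown nor HTTP, and no longer sets `s->flags |= SIG_FLAG_APPLAYER;` and `s->alproto = ALPROTO_HTTP;` for it. DetectPcreParse now returns the ids looked up for "http_header" and "http_raw_header" instead, and no branch in these hunks handles those ids. If the code outside the hunks does not already cover dynamic buffer ids, the conflict check and the alproto assignment need to compare `parsed_sm_list` against those two looked-up ids; otherwise such rules could load with the wrong protocol binding and miss traffic. The function body continues outside both hunks, so this needs confirming against the full file.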
@@ -3132,18 +3132,18 @@ static int DetectPcreFlowvarCapture02(void) s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"User-Agent: \"; http_header; pcre:\"/(?P.*)\\r\\n/HR\"; priority:1; sid:1;)"); FAIL_IF(s == NULL); - FAIL_IF(s->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL || - s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next == NULL || - s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next->type != DETECT_PCRE); - DetectPcreData *pd1 = (DetectPcreData *)s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next->ctx; + FAIL_IF(s->sm_lists[g_http_header_buffer_id] == NULL || + s->sm_lists[g_http_header_buffer_id]->next == NULL || + s->sm_lists[g_http_header_buffer_id]->next->type != DETECT_PCRE); + DetectPcreData *pd1 = (DetectPcreData *)s->sm_lists[g_http_header_buffer_id]->next->ctx; s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"Server: \"; http_header; pcre:\"/(?P.*)\\r\\n/HR\"; priority:3; sid:2;)"); FAIL_IF(s == NULL); - FAIL_IF(s->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL || - s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next == NULL || - s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next->type != DETECT_PCRE); - DetectPcreData *pd2 = (DetectPcreData *)s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next->ctx; + FAIL_IF(s->sm_lists[g_http_header_buffer_id] == NULL || + s->sm_lists[g_http_header_buffer_id]->next == NULL || + s->sm_lists[g_http_header_buffer_id]->next->type != DETECT_PCRE); + DetectPcreData *pd2 = (DetectPcreData *)s->sm_lists[g_http_header_buffer_id]->next->ctx; FAIL_IF(pd1->capidx != pd2->capidx); 
@@ -3248,18 +3248,18 @@ static int DetectPcreFlowvarCapture03(void) s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"User-Agent: \"; http_header; pcre:\"/(?P.*)\\r\\n/HR\"; content:\"xyz\"; http_header; priority:1; sid:1;)"); FAIL_IF(s == NULL); - FAIL_IF(s->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL || - s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next == NULL || - s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next->type != DETECT_PCRE); - DetectPcreData *pd1 = (DetectPcreData *)s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next->ctx; + FAIL_IF(s->sm_lists[g_http_header_buffer_id] == NULL || + s->sm_lists[g_http_header_buffer_id]->next == NULL || + s->sm_lists[g_http_header_buffer_id]->next->type != DETECT_PCRE); + DetectPcreData *pd1 = (DetectPcreData *)s->sm_lists[g_http_header_buffer_id]->next->ctx; s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"Server: \"; http_header; pcre:\"/(?P.*)\\r\\n/HR\"; content:\"xyz\"; http_header; priority:3; sid:2;)"); FAIL_IF(s == NULL); - FAIL_IF(s->sm_lists[DETECT_SM_LIST_HHDMATCH] == NULL || - s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next == NULL || - s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next->type != DETECT_PCRE); - DetectPcreData *pd2 = (DetectPcreData *)s->sm_lists[DETECT_SM_LIST_HHDMATCH]->next->ctx; + FAIL_IF(s->sm_lists[g_http_header_buffer_id] == NULL || + s->sm_lists[g_http_header_buffer_id]->next == NULL || + s->sm_lists[g_http_header_buffer_id]->next->type != DETECT_PCRE); + DetectPcreData *pd2 = (DetectPcreData *)s->sm_lists[g_http_header_buffer_id]->next->ctx; FAIL_IF(pd1->capidx != pd2->capidx); @@ -3338,6 +3338,7 @@ void DetectPcreRegisterTests(void) { #ifdef UNITTESTS /* UNITTESTS */ g_file_data_buffer_id = DetectBufferTypeGetByName("file_data"); + g_http_header_buffer_id = DetectBufferTypeGetByName("http_header"); UtRegisterTest("DetectPcreParseTest01", DetectPcreParseTest01); UtRegisterTest("DetectPcreParseTest02", DetectPcreParseTest02); 
diff --git a/src/detect.c b/src/detect.c index 5ab7af0c3d..b91192d91c 100644 --- a/src/detect.c +++ b/src/detect.c @@ -1915,12 +1915,6 @@ int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s) if (s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL) return 0; - if (s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL) - return 0; - - if (s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL) - return 0; - if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL) return 0; @@ -1999,12 +1993,6 @@ static int SignatureIsPDOnly(const Signature *s) if (s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL) return 0; - if (s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL) - return 0; - - if (s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL) - return 0; - if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL) return 0; @@ -2109,8 +2097,6 @@ static int SignatureIsDEOnly(DetectEngineCtx *de_ctx, const Signature *s) if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL || - s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL || - s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL) { SCReturnInt(0); @@ -2269,16 +2255,6 @@ static int SignatureCreateMask(Signature *s) SCLogDebug("sig requires http app state"); } - if (s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL) { - s->mask |= SIG_MASK_REQUIRE_HTTP_STATE; - SCLogDebug("sig requires http app state"); - } - - if (s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL) { - s->mask |= SIG_MASK_REQUIRE_HTTP_STATE; - SCLogDebug("sig requires http app state"); - } - if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL) { s->mask |= SIG_MASK_REQUIRE_HTTP_STATE; SCLogDebug("sig requires http app state"); diff --git a/src/detect.h b/src/detect.h index ce6a609b5e..1b634fb028 100644 
--- a/src/detect.h +++ b/src/detect.h @@ -119,10 +119,6 @@ enum DetectSigmatchListEnum { DETECT_SM_LIST_HRUDMATCH = DETECT_SM_LIST_BUILTIN_MAX, /* list for http_client_body keyword and the ones relative to it */ DETECT_SM_LIST_HCBDMATCH, - /* list for http_header keyword and the ones relative to it */ - DETECT_SM_LIST_HHDMATCH, - /* list for http_raw_header keyword and the ones relative to it */ - DETECT_SM_LIST_HRHDMATCH, /* app event engine sm list */ DETECT_SM_LIST_APP_EVENT,