From: Tom Peters (thopeter)
Date: Fri, 11 Jun 2021 20:18:17 +0000 (+0000)
Subject: Merge pull request #2939 in SNORT/snort3 from ~KATHARVE/snort3:httpevent_uri_host...
X-Git-Tag: 3.1.6.0~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ec4a54751209d0eefd49751e35f1ab319b6486fc;p=thirdparty%2Fsnort3.git
Merge pull request #2939 in SNORT/snort3 from ~KATHARVE/snort3:httpevent_uri_host to master
Squashed commit of the following:
commit 4de5aba60ebef55abb31bec0be889f3431bfd0f2
Author: Katura Harvey
Date: Thu Jun 10 15:04:13 2021 -0400
pub_sub: add get_uri_host() to HttpEvent
---
diff --git a/src/pub_sub/http_events.cc b/src/pub_sub/http_events.cc
index 627669293..2d859c168 100644
--- a/src/pub_sub/http_events.cc
+++ b/src/pub_sub/http_events.cc
@@ -28,13 +28,14 @@
 #include "service_inspectors/http_inspect/http_msg_header.h"
 #include "service_inspectors/http_inspect/http_msg_request.h"
+#include "service_inspectors/http_inspect/http_uri.h"
 using namespace snort;
 const uint8_t* HttpEvent::get_header(unsigned id, uint64_t sub_id, int32_t& length)
 {
 const Field& field = http_msg_header->get_classic_buffer(id, sub_id, 0);
- if(field.length() > 0)
+ if (field.length() > 0)
 {
 length = field.length();
 return field.start();
@@ -76,6 +77,27 @@ const uint8_t* HttpEvent::get_authority(int32_t& length)
 return get_header(HttpEnums::HTTP_BUFFER_HEADER, HttpEnums::HEAD_HOST, length);
 }
+const uint8_t* HttpEvent::get_uri_host(int32_t &length)
+{
+ const uint8_t* uri_host = get_header(HttpEnums::HTTP_BUFFER_URI, HttpEnums::UC_HOST, length);
+ if (length > 0)
+ return uri_host;
+
+ // If there is no authority in the URI parse the host from the Host header
+ const Field& host_header = http_msg_header->get_classic_buffer(HttpEnums::HTTP_BUFFER_HEADER,
+ HttpEnums::HEAD_HOST, length);
+ if (host_header.length() > 0)
+ {
+ length = HttpUri::find_host_len(host_header);
+ return host_header.start();
+ }
+ else
+ {
+ length = 0;
+ return nullptr;
+ }
+}
+
 const uint8_t* HttpEvent::get_location(int32_t& length)
 {
 return get_header(HttpEnums::HTTP_BUFFER_HEADER, HttpEnums::HEAD_LOCATION,
diff --git a/src/pub_sub/http_events.h b/src/pub_sub/http_events.h
index 021bbdf7b..6915da57e 100644
--- a/src/pub_sub/http_events.h
+++ b/src/pub_sub/http_events.h
@@ -43,6 +43,7 @@ public:
 const uint8_t* get_content_type(int32_t &length);
 const uint8_t* get_cookie(int32_t &length);
 const uint8_t* get_authority(int32_t &length);
+ const uint8_t* get_uri_host(int32_t &length);
 const uint8_t* get_location(int32_t &length);
 const uint8_t* get_referer(int32_t &length);
 const uint8_t* get_server(int32_t &length);
diff --git a/src/pub_sub/test/pub_sub_http_event_test.cc b/src/pub_sub/test/pub_sub_http_event_test.cc
index f7a1af787..af1141d04 100644
--- a/src/pub_sub/test/pub_sub_http_event_test.cc
+++ b/src/pub_sub/test/pub_sub_http_event_test.cc
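Review bot: In `get_uri_host`, the fallback lookup passes the out-parameter `length` as the third argument of `get_classic_buffer`, where `get_header` in the same file passes the literal `0`. The two only agree if `get_header` has left `length` at 0 on a miss (its else branch is outside the hunks shown), so I would write `get_classic_buffer(HttpEnums::HTTP_BUFFER_HEADER, HttpEnums::HEAD_HOST, 0)`. The function also deserves a comment saying that the returned host may come from the Host header rather than the request URI, because a subscriber that logs or matches on this value cannot otherwise tell which source it came from when the two disagree.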
@@ -25,9 +25,10 @@
 #include "pub_sub/http_events.h"
 #include "service_inspectors/http_inspect/http_common.h"
+#include "service_inspectors/http_inspect/http_field.h"
 #include "service_inspectors/http_inspect/http_msg_header.h"
 #include "service_inspectors/http_inspect/http_msg_section.h"
-#include "service_inspectors/http_inspect/http_field.h"
+#include "service_inspectors/http_inspect/http_uri.h"
 #include
 #include
@@ -55,6 +56,7 @@ const Field& HttpMsgHeader::get_true_ip_addr()
 Field *out = (Field*)mock().getData("output").getObjectPointer();
 return (*out);
 }
+int32_t HttpUri::find_host_len(const Field&) { return 0; }
 TEST_GROUP(pub_sub_http_event_test)
 {
diff --git a/src/service_inspectors/http_inspect/http_uri.cc b/src/service_inspectors/http_inspect/http_uri.cc
index 2507f01db..8b929d4c9 100644
--- a/src/service_inspectors/http_inspect/http_uri.cc
+++ b/src/service_inspectors/http_inspect/http_uri.cc
@@ -108,17 +108,9 @@ void HttpUri::parse_uri()
 }
 }
-void HttpUri::parse_authority()
+int32_t HttpUri::find_host_len(const Field& authority)
 {
- if (authority.length() <= 0)
- {
- host.set(STAT_NO_SOURCE);
- port.set(STAT_NO_SOURCE);
- return;
- }
-
 int32_t host_len = 0;
-
 // IPv6 addresses are surrounded by [] to protect embedded colons
 if (authority.start()[0] == '[')
 {
@@ -128,6 +120,20 @@ void HttpUri::parse_authority()
 for (; (host_len < authority.length()) && (authority.start()[host_len] != ':'); host_len++);
+
+ return host_len;
+}
+
+void HttpUri::parse_authority()
+{
+ if (authority.length() <= 0)
+ {
+ host.set(STAT_NO_SOURCE);
+ port.set(STAT_NO_SOURCE);
+ return;
+ }
+
+ int32_t host_len = find_host_len(authority);
 host.set(host_len, authority.start());
 if (host.length() < authority.length())
 {
diff --git a/src/service_inspectors/http_inspect/http_uri.h b/src/service_inspectors/http_inspect/http_uri.h
index d61c4cbe4..5c1bd91df 100644
--- a/src/service_inspectors/http_inspect/http_uri.h
+++ b/src/service_inspectors/http_inspect/http_uri.h
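Review bot: The stub `int32_t HttpUri::find_host_len(const Field&) { return 0; }` is the only test-side change for the new accessor in the hunks shown, and nothing here calls `get_uri_host`. With the stub fixed at 0, the Host-header fallback would return a non-null pointer with length 0, so a test of that path needs a stub that reports the mocked field's host length, or the real function linked in. I would add cases for a URI authority being present, a Host header with a port and no URI authority, and neither being present.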
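Review bot: `HttpUri::find_host_len` reads `authority.start()[0]` without a length check, because the `authority.length() <= 0` guard stayed behind in `parse_authority`, and http_uri.h now exposes the function as a public static. Both callers in this commit test the length before calling, but a later caller that passes an empty or absent Field would index a buffer that may not hold a single byte. I would open the function with `if (authority.length() <= 0) return 0;`, or at least state the precondition above the declaration, e.g. `// authority must have length() > 0`. The function body spans this hunk and the next one; the bracket-matching loop between them is not shown.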
@@ -60,6 +60,8 @@ public:
 const Field& get_norm_fragment() { return fragment_norm; }
 const Field& get_norm_classic() { return classic_norm; }
+ static int32_t find_host_len(const Field& authority);
+
 private:
 const Field uri;