From: Tom Peters (thopeter) Date: Fri, 9 Apr 2021 20:44:21 +0000 (+0000) Subject: Merge pull request #2835 in SNORT/snort3 from ~THOPETER/snort3:script_detection_reloa... X-Git-Tag: 3.1.4.0~15 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f6beaa633021e710f4be23fad9e47e9c23cdb134;p=thirdparty%2Fsnort3.git Merge pull request #2835 in SNORT/snort3 from ~THOPETER/snort3:script_detection_reload to master Squashed commit of the following: commit c47bbd6354de354dc2f297e4c32eeae407d03ff4 Author: russ Date: Thu Apr 1 23:30:47 2021 -0400 http_inspect: fix end of script match after reload --- diff --git a/src/service_inspectors/http_inspect/http_cutter.cc b/src/service_inspectors/http_inspect/http_cutter.cc index 67141ec34..5dbddca3d 100644 --- a/src/service_inspectors/http_inspect/http_cutter.cc +++ b/src/service_inspectors/http_inspect/http_cutter.cc @@ -278,8 +278,9 @@ ScanResult HttpHeaderCutter::cut(const uint8_t* buffer, uint32_t length, return SCAN_NOT_FOUND; } -HttpBodyCutter::HttpBodyCutter(bool accelerated_blocking_, CompressId compression_) - : accelerated_blocking(accelerated_blocking_), compression(compression_) +HttpBodyCutter::HttpBodyCutter(bool accelerated_blocking_, ScriptFinder* finder_, + CompressId compression_) + : accelerated_blocking(accelerated_blocking_), compression(compression_), finder(finder_) { if (accelerated_blocking) { @@ -306,7 +307,6 @@ HttpBodyCutter::HttpBodyCutter(bool accelerated_blocking_, CompressId compressio match_string = inspect_string; match_string_upper = inspect_upper; string_length = sizeof(inspect_string); - HttpModule::get_script_finder(finder, handle); } } 
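Review bot: The new constructor at -278 stores `finder_` without any check, and the `dangerous()` hunk at -903 then calls `finder->search(input_buf, input_length)` unconditionally, while the http_inspect.cc hunk only allocates a ScriptFinder when `params->script_detection` is set and leaves `script_finder` null otherwise. If accelerated blocking can be enabled with script detection off, a null finder reaches that call; if the two settings are tied together elsewhere, that invariant belongs in the constructor, e.g. `assert(!accelerated_blocking or finder != nullptr);` inside the `if (accelerated_blocking)` branch. A comment on the stored pointer, `// non-owning; null when script detection is disabled`, would tell the next reader which case holds.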
@@ -903,7 +903,7 @@ bool HttpBodyCutter::dangerous(const uint8_t* data, uint32_t length) if ( partial_match and find_partial(input_buf, input_length, true) ) return true; - if ( finder->search(handle, input_buf, input_length) >= 0 ) + if ( finder->search(input_buf, input_length) >= 0 ) return true; uint32_t delta = input_length - string_length + 1; diff --git a/src/service_inspectors/http_inspect/http_cutter.h b/src/service_inspectors/http_inspect/http_cutter.h index 3aaa9488b..3cf1100b3 100644 --- a/src/service_inspectors/http_inspect/http_cutter.h +++ b/src/service_inspectors/http_inspect/http_cutter.h @@ -23,10 +23,9 @@ #include #include -#include "helpers/literal_search.h" - #include "http_enum.h" #include "http_event.h" +#include "http_module.h" //------------------------------------------------------------------------- // HttpCutter class and subclasses @@ -102,7 +101,8 @@ private: class HttpBodyCutter : public HttpCutter { public: - HttpBodyCutter(bool accelerated_blocking_, HttpEnums::CompressId compression_); + HttpBodyCutter(bool accelerated_blocking_, ScriptFinder* finder, + HttpEnums::CompressId compression_); ~HttpBodyCutter() override; void soft_reset() override { octets_seen = 0; } @@ -118,8 +118,7 @@ private: HttpEnums::CompressId compression; z_stream* compress_stream = nullptr; bool decompress_failed = false; - snort::LiteralSearch* finder = nullptr; - snort::LiteralSearch::Handle* handle = nullptr; + ScriptFinder* const finder; const uint8_t* match_string; const uint8_t* match_string_upper; uint8_t string_length; 
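Review bot: The include change at -23 pulls all of http_module.h into http_cutter.h although the header only names `ScriptFinder` through a pointer (the constructor parameter and the `ScriptFinder* const finder` member). A forward declaration, `class ScriptFinder;`, in place of `#include "http_module.h"` keeps the cutter header independent of the module header; the include then moves to http_cutter.cc, the only place `finder->search` is called. This is a point of style, not correctness.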
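Review bot: `ScriptFinder* const finder;` at -118 replaces two pointers that were fetched from the module with one that the cutter neither allocates nor frees, but nothing in the hunk says who owns it or how long it lives. The http_inspect.h hunk shows `HttpInspect` deleting `script_finder` in its destructor, so the cutter must not outlive its inspector; a comment such as `// not owned: points at HttpInspect::script_finder, which must outlive this cutter` would record that. Since the pointer is read on every `dangerous()` call, the comment should also say that it is null when script detection is off, as the http_inspect.cc constructor hunk leaves it.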
@@ -130,8 +129,9 @@ class HttpBodyClCutter : public HttpBodyCutter public: HttpBodyClCutter(int64_t expected_length, bool accelerated_blocking, + ScriptFinder* finder, HttpEnums::CompressId compression) : - HttpBodyCutter(accelerated_blocking, compression), remaining(expected_length) + HttpBodyCutter(accelerated_blocking, finder, compression), remaining(expected_length) { assert(remaining > 0); } HttpEnums::ScanResult cut(const uint8_t*, uint32_t length, HttpInfractions*, HttpEventGen*, uint32_t flow_target, bool stretch, HttpEnums::H2BodyState) override; @@ -143,8 +143,9 @@ private: class HttpBodyOldCutter : public HttpBodyCutter { public: - HttpBodyOldCutter(bool accelerated_blocking, HttpEnums::CompressId compression) : - HttpBodyCutter(accelerated_blocking, compression) + HttpBodyOldCutter(bool accelerated_blocking, ScriptFinder* finder, + HttpEnums::CompressId compression) : + HttpBodyCutter(accelerated_blocking, finder, compression) {} HttpEnums::ScanResult cut(const uint8_t*, uint32_t, HttpInfractions*, HttpEventGen*, uint32_t flow_target, bool stretch, HttpEnums::H2BodyState) override; @@ -153,8 +154,9 @@ public: class HttpBodyChunkCutter : public HttpBodyCutter { public: - HttpBodyChunkCutter(bool accelerated_blocking, HttpEnums::CompressId compression) : - HttpBodyCutter(accelerated_blocking, compression) + HttpBodyChunkCutter(bool accelerated_blocking, ScriptFinder* finder, + HttpEnums::CompressId compression) : + HttpBodyCutter(accelerated_blocking, finder, compression) {} HttpEnums::ScanResult cut(const uint8_t* buffer, uint32_t length, HttpInfractions* infractions, HttpEventGen* events, uint32_t flow_target, bool stretch, 
@@ -181,8 +183,10 @@ class HttpBodyH2Cutter : public HttpBodyCutter public: HttpBodyH2Cutter(int64_t expected_length, bool accelerated_blocking, + ScriptFinder* finder, HttpEnums::CompressId compression) : - HttpBodyCutter(accelerated_blocking, compression), expected_body_length(expected_length) + HttpBodyCutter(accelerated_blocking, finder, compression), + expected_body_length(expected_length) {} HttpEnums::ScanResult cut(const uint8_t* buffer, uint32_t length, HttpInfractions*, HttpEventGen*, uint32_t flow_target, bool stretch, HttpEnums::H2BodyState state) override; diff --git a/src/service_inspectors/http_inspect/http_inspect.cc b/src/service_inspectors/http_inspect/http_inspect.cc index 6c6f6cf87..72f1f0ff9 100755 --- a/src/service_inspectors/http_inspect/http_inspect.cc +++ b/src/service_inspectors/http_inspect/http_inspect.cc @@ -124,6 +124,11 @@ HttpInspect::HttpInspect(const HttpParaList* params_) : HttpTestManager::set_show_scan(params->show_scan); } #endif + + if (params->script_detection) + { + script_finder = new ScriptFinder(params->script_detection_handle); + } } bool HttpInspect::configure(SnortConfig* ) diff --git a/src/service_inspectors/http_inspect/http_inspect.h b/src/service_inspectors/http_inspect/http_inspect.h index f4ea52a39..b61e742fe 100644 --- a/src/service_inspectors/http_inspect/http_inspect.h +++ b/src/service_inspectors/http_inspect/http_inspect.h @@ -25,6 +25,7 @@ //------------------------------------------------------------------------- #include "framework/cursor.h" +#include "helpers/literal_search.h" #include "log/messages.h" #include "http_buffer_info.h" @@ -41,7 +42,7 @@ class HttpInspect : public snort::Inspector { public: HttpInspect(const HttpParaList* params_); - ~HttpInspect() override { delete params; } + ~HttpInspect() override { delete params; delete script_finder; } bool get_buf(snort::InspectionBuffer::Type ibt, snort::Packet* p, snort::InspectionBuffer& b) override; 
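Review bot: `script_finder = new ScriptFinder(params->script_detection_handle);` at -124 introduces a raw owning pointer paired with a hand-written `delete script_finder` in the http_inspect.h destructor hunk at -41. Declaring the member as `std::unique_ptr<ScriptFinder> script_finder;` in the http_inspect.h member hunk at -84 (with `<memory>` included) would drop the destructor edit, make ownership explicit, and turn an accidental copy of HttpInspect from a double delete into a compile error; the splitter call sites would pass `my_inspector->script_finder.get()`. The branch also deserves a one-line comment, `// only built when script detection is configured; body cutters see nullptr otherwise`, since that null case is decided here but handled in the cutter.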
@@ -84,6 +85,8 @@ private: static void http_set_flow_data(snort::Flow* flow, HttpFlowData* flow_data); const HttpParaList* const params; + snort::LiteralSearch::Handle* s_handle = nullptr; + ScriptFinder* script_finder = nullptr; // Registrations for "extra data" const uint32_t xtra_trueip_id; diff --git a/src/service_inspectors/http_inspect/http_module.cc b/src/service_inspectors/http_inspect/http_module.cc index a1a19c5ae..d72377cd3 100755 --- a/src/service_inspectors/http_inspect/http_module.cc +++ b/src/service_inspectors/http_inspect/http_module.cc @@ -23,7 +23,6 @@ #include "http_module.h" -#include "helpers/literal_search.h" #include "log/messages.h" #include "http_enum.h" @@ -34,26 +33,15 @@ using namespace snort; using namespace HttpEnums; -LiteralSearch::Handle* s_handle = nullptr; -LiteralSearch* s_script = nullptr; - -HttpModule::HttpModule() : Module(HTTP_NAME, HTTP_HELP, http_params) +HttpModule::HttpModule() : Module(HTTP_NAME, HTTP_HELP, http_params), + script_detection_handle(LiteralSearch::setup()) { - s_handle = LiteralSearch::setup(); - s_script = LiteralSearch::instantiate(s_handle, (const uint8_t*)"", 9, true, true); } HttpModule::~HttpModule() { delete params; - delete s_script; - LiteralSearch::cleanup(s_handle); -} - -void HttpModule::get_script_finder(LiteralSearch*& finder, LiteralSearch::Handle*& handle) -{ - finder = s_script; - handle = s_handle; + LiteralSearch::cleanup(script_detection_handle); } const Parameter HttpModule::http_params[] = @@ -408,8 +396,9 @@ bool HttpModule::end(const char*, int, SnortConfig*) if ( params->js_norm_param.is_javascript_normalization ) params->js_norm_param.js_norm = new HttpJsNorm(params->uri_param); - prepare_http_header_list(params); + params->script_detection_handle = script_detection_handle; + prepare_http_header_list(params); return true; } diff --git a/src/service_inspectors/http_inspect/http_module.h b/src/service_inspectors/http_inspect/http_module.h index 4b968e832..d8318d6a2 100755 
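Review bot: The new member `snort::LiteralSearch::Handle* s_handle = nullptr;` at -85 is neither read nor written anywhere in this commit — the inspector passes `params->script_detection_handle` straight to `ScriptFinder` in http_inspect.cc — so it looks like a leftover from the removed module globals and should be dropped, together with the `helpers/literal_search.h` include at -25 if nothing else in the header needs it. If it is reserved for later use, a comment saying so would stop the next cleanup from removing it. I cannot see the rest of http_inspect.h, so a use outside the hunks is possible, but the diff gives no sign of one.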
--- a/src/service_inspectors/http_inspect/http_module.h +++ b/src/service_inspectors/http_inspect/http_module.h @@ -46,6 +46,7 @@ public: bool decompress_swf = false; bool decompress_zip = false; bool script_detection = false; + snort::LiteralSearch::Handle* script_detection_handle = nullptr; struct JsNormParam { @@ -109,6 +110,23 @@ public: #endif }; +class ScriptFinder +{ +public: + ScriptFinder(snort::LiteralSearch::Handle* h) : handle(h), + finder(snort::LiteralSearch::instantiate(h, (const uint8_t*)"", 9, true, true)) + {} + + ~ScriptFinder() { delete finder; } + + int search(const uint8_t* buf, unsigned len) const + { return finder->search(handle, buf, len); } + +private: + snort::LiteralSearch::Handle* const handle; + const snort::LiteralSearch* const finder; +}; + class HttpModule : public snort::Module { public: @@ -119,6 +137,7 @@ public: bool set(const char*, snort::Value&, snort::SnortConfig*) override; unsigned get_gid() const override { return HttpEnums::HTTP_GID; } const snort::RuleMap* get_rules() const override { return http_events; } + const HttpParaList* get_once_params() { HttpParaList* ret_val = params; @@ -137,8 +156,6 @@ public: static PegCount get_peg_counts(HttpEnums::PEG_COUNT counter) { return peg_counts[counter]; } - static void get_script_finder(snort::LiteralSearch*&, snort::LiteralSearch::Handle*&); - snort::ProfileStats* get_profile() const override; static snort::ProfileStats& get_profile_stats() @@ -166,6 +183,7 @@ private: static const PegInfo peg_names[]; static THREAD_LOCAL snort::ProfileStats http_profile; static THREAD_LOCAL PegCount peg_counts[]; + snort::LiteralSearch::Handle* const script_detection_handle; }; #endif diff --git a/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc b/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc index 5af828730..3b4992d92 100644 --- a/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc 
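Review bot: The handle created by `LiteralSearch::setup()` in the constructor initializer at -34 is now shared out twice — copied into `params->script_detection_handle` in `end()` at -396 and then captured by every `ScriptFinder` — yet it is released in `~HttpModule()` with no connection to those users. That ties the lifetime of each `HttpInspect`, and of every cutter it feeds, to the module instance that configured it; if a module can be destroyed while an inspector built from its params is still running, `ScriptFinder::search` would use a freed handle. A comment on the new `script_detection_handle` member, `// owned here; borrowed by HttpParaList and ScriptFinder, so this module must outlive every inspector it configures`, would document the assumption, and the same note belongs on the `HttpParaList` field added at http_module.h -46. Whether the framework guarantees that ordering is not visible from the diff.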
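Review bot: `ScriptFinder` at -110 owns the `LiteralSearch` it deletes in its destructor but does not suppress copying, so a copy or assignment would double-delete `finder`; add `ScriptFinder(const ScriptFinder&) = delete;` and `ScriptFinder& operator=(const ScriptFinder&) = delete;`, and make the single-argument constructor `explicit`. The pattern passed to `instantiate` also carries a hand-written length of 9 separate from the literal, which appears as `""` in this view — either the rendering dropped the tag text (presumably the end-of-script tag the subject refers to) or the two disagree; deriving the length from the literal, e.g. `sizeof(kEndScriptTag) - 1` on a named `static constexpr char` array, removes any chance of drift. A one-line comment on the class stating that it borrows `handle` from `HttpModule` and owns `finder` would complete the picture.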
+++ b/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc @@ -76,19 +76,23 @@ HttpCutter* HttpStreamSplitter::get_cutter(SectionType type, return (HttpCutter*)new HttpBodyClCutter( session_data->data_length[source_id], session_data->accelerated_blocking[source_id], + my_inspector->script_finder, session_data->compression[source_id]); case SEC_BODY_CHUNK: return (HttpCutter*)new HttpBodyChunkCutter( session_data->accelerated_blocking[source_id], + my_inspector->script_finder, session_data->compression[source_id]); case SEC_BODY_OLD: return (HttpCutter*)new HttpBodyOldCutter( session_data->accelerated_blocking[source_id], + my_inspector->script_finder, session_data->compression[source_id]); case SEC_BODY_H2: return (HttpCutter*)new HttpBodyH2Cutter( session_data->data_length[source_id], session_data->accelerated_blocking[source_id], + my_inspector->script_finder, session_data->compression[source_id]); default: assert(false);
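Review bot: All four body cutters at -76 now receive `my_inspector->script_finder`, a pointer owned by the inspector and freed in `~HttpInspect()`, so a cutter is only valid while that inspector instance lives. Cutters persist in the flow across packets, so this is safe only if the flow keeps its inspector alive through a reload; I expect the framework's inspector reference counting provides that, but it is not visible here and a dangling finder after reload is exactly the failure mode this commit addresses, so a comment at the first call site, `// script_finder is owned by my_inspector, which the flow holds a reference to`, would name the dependency. `script_finder` also sits under `private:` in the http_inspect.h hunk, so this access presumably relies on an existing friend declaration. get_cutter starts before the hunk and continues past it.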