From: Victor Julien
Date: Fri, 9 Oct 2015 09:18:36 +0000 (+0200)
Subject: detect: validate http_method pattern
X-Git-Tag: suricata-3.1RC1~384
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f720dfd21e72596e0dde9ad6dbe575e4949ad66d;p=thirdparty%2Fsuricata.git

detect: validate http_method pattern

Leading and trailing spaces and tabs are invalid as these are not part of the buffer as returned by libhtp.
---

diff --git a/src/detect-http-method.c b/src/detect-http-method.c
index 4cc8a7873f..6807648c6e 100644
--- a/src/detect-http-method.c
+++ b/src/detect-http-method.c
@@ -118,6 +118,41 @@ void DetectHttpMethodFree(void *ptr)
 SCFree(data);
 }
+/**
+ * \retval 1 valid
+ * \retval 0 invalid
+ */
+int DetectHttpMethodValidateRule(const Signature *s)
+{
+ if (s->alproto != ALPROTO_HTTP)
+ return 1;
+
+ if (s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL) {
+ const SigMatch *sm = s->sm_lists[DETECT_SM_LIST_HMDMATCH];
+ for ( ; sm != NULL; sm = sm->next) {
+ if (sm->type != DETECT_CONTENT)
+ continue;
+ const DetectContentData *cd = (const DetectContentData *)sm->ctx;
+ if (cd->content && cd->content_len) {
+ if (cd->content[cd->content_len-1] == 0x20) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with trailing space");
+ return 0;
+ } else if (cd->content[0] == 0x20) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with leading space");
+ return 0;
+ } else if (cd->content[cd->content_len-1] == 0x09) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with trailing tab");
+ return 0;
+ } else if (cd->content[0] == 0x09) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with leading tab");
+ return 0;
+ }
+ }
+ }
+ }
+ return 1;
+}
+
 #ifdef UNITTESTS /* UNITTESTS */
 #include "stream-tcp-reassemble.h"
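Review bot: The early `if (s->alproto != ALPROTO_HTTP) return 1;` in DetectHttpMethodValidateRule skips the whitespace check whenever alproto is not HTTP at validation time, even if DETECT_SM_LIST_HMDMATCH holds content. Whether the http_method keyword always sets alproto before SigValidate runs is not visible in this diff; if it does not, a rule with a padded pattern would still load and, going by the commit message, never match, leaving a silent detection gap. The `for` loop already does nothing on an empty list, so the gate and the outer `!= NULL` test can be dropped without changing the result for rules that do not use http_method. The header comment also lacks a purpose line, for example `\brief Reject http_method content patterns that begin or end with a space or tab; libhtp's method buffer does not contain them.`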
@@ -649,7 +684,7 @@ static int DetectHttpMethodSigTest03(void)
 s = de_ctx->sig_list = SigInit(de_ctx,
 "alert tcp any any -> any any "
 "(msg:\"Testing http_method\"; "
- "content:\" \"; "
+ "content:\"GET\"; "
 "http_method; sid:1;)");
 if (s == NULL) {
 SCLogDebug("Bad signature");
diff --git a/src/detect-http-method.h b/src/detect-http-method.h
index 9e6dc4dd95..d1593aed76 100644
--- a/src/detect-http-method.h
+++ b/src/detect-http-method.h
@@ -28,6 +28,7 @@ void DetectHttpMethodRegister(void);
 int DetectHttpMethodDoMatch(DetectEngineThreadCtx *, Signature *, SigMatch *, Flow *, uint8_t, void *);
+int DetectHttpMethodValidateRule(const Signature *s);
 #endif /* __DETECT_HTTP_METHOD_H__ */
diff --git a/src/detect-parse.c b/src/detect-parse.c
index 4139b9b102..c392ba3fd1 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -43,6 +43,7 @@
 #include "detect-engine-apt-event.h"
 #include "detect-lua.h"
 #include "detect-app-layer-event.h"
+#include "detect-http-method.h"
 #include "pkt-var.h"
 #include "host.h"
@@ -1206,6 +1207,9 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
 }
 }
+ if (!DetectHttpMethodValidateRule(s))
+ SCReturnInt(0);
+
 //if (s->alproto != ALPROTO_UNKNOWN) {
 // if (s->flags & SIG_FLAG_STATE_MATCH) {
 // if (s->alproto == ALPROTO_DNS) {
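Review bot: Nothing in this diff tests the new rejection path. In the DetectHttpMethodSigTest03 hunk the pattern changes from `" "` to `"GET"` so the rule keeps loading, but no visible test asserts that SigInit returns NULL for a pattern with a leading or trailing space or tab. A companion test per branch, for example a rule carrying `content:\" GET\"; http_method;` (constructed sample) that expects `s == NULL`, would pin all four error paths and catch a later regression that lets unmatchable rules load again. The body of DetectHttpMethodSigTest03 continues outside the hunk, so what the old single-space pattern was meant to exercise cannot be judged from here.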
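Review bot: The `if` added to SigValidate in detect-parse.c has an unbraced body that is a macro invocation. The definition of SCReturnInt is not part of this diff; if it expands to more than one statement, only the first would be guarded by the condition and the rest would run for every signature. Bracing it removes that dependency: `if (!DetectHttpMethodValidateRule(s)) { SCReturnInt(0); }`. SigValidate begins and ends outside the hunk.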