From 4bb19f776e9d06af2cfc78e021d236b9e2884abb Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 15 Oct 2024 21:05:19 +0200
Subject: [PATCH] detect/http: fix progress for headers keywords

Ticket: 7326 Having a lower progress than one where we actually can get occurences of the multibuffer made prefilter bail out too early, not having found a buffer in the multi-buffer that matiched the prefilter. For example, we registered http_request_header with progress 0 instad of progress HTP_REQUEST_HEADERS==2, and if the first packet had only the request line, we would consider that signatures with http_request_header as prefilter/fast_pattern could not match for this transaction, even if they in fact could have a later packet with matching headers. Hence, we got false negatives, if http.request_header or http.response_header was used as fast pattern, and if the request or response came in multiple packets, and the first of these packets did not have enough data (like only http request line), and the next packets did have the matching data. (cherry picked from commit cca59cdaa9dd896a92a2dd4f30a6ebd5ba2cd000)
---
 src/detect-http-header.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/detect-http-header.c b/src/detect-http-header.c
index cd36ea597c..3ca724fee0 100644
--- a/src/detect-http-header.c
+++ b/src/detect-http-header.c
@@ -810,10 +810,9 @@ void DetectHttpRequestHeaderRegister(void)
     DetectAppLayerInspectEngineRegister2("http_request_header", ALPROTO_HTTP2, SIG_FLAG_TOSERVER,
             HTTP2StateOpen, DetectEngineInspectHttp2Header, NULL);
     DetectAppLayerMpmRegister2("http_request_header", SIG_FLAG_TOSERVER, 2,
-            PrefilterMpmHttp1HeaderRegister, NULL, ALPROTO_HTTP1, 0);
+            PrefilterMpmHttp1HeaderRegister, NULL, ALPROTO_HTTP1, HTP_REQUEST_HEADERS);
     DetectAppLayerInspectEngineRegister2("http_request_header", ALPROTO_HTTP1, SIG_FLAG_TOSERVER,
             HTP_REQUEST_HEADERS, DetectEngineInspectHttp1Header, NULL);
-    DetectBufferTypeSetDescriptionByName("http_request_header", "HTTP header name and value");
     g_http_request_header_buffer_id = DetectBufferTypeGetByName("http_request_header");
     DetectBufferTypeSupportsMultiInstance("http_request_header");
@@ -847,7 +846,7 @@ void DetectHttpResponseHeaderRegister(void)
     DetectAppLayerInspectEngineRegister2("http_response_header", ALPROTO_HTTP2, SIG_FLAG_TOCLIENT,
             HTTP2StateOpen, DetectEngineInspectHttp2Header, NULL);
     DetectAppLayerMpmRegister2("http_response_header", SIG_FLAG_TOCLIENT, 2,
-            PrefilterMpmHttp1HeaderRegister, NULL, ALPROTO_HTTP1, 0);
+            PrefilterMpmHttp1HeaderRegister, NULL, ALPROTO_HTTP1, HTP_RESPONSE_HEADERS);
     DetectAppLayerInspectEngineRegister2("http_response_header", ALPROTO_HTTP1, SIG_FLAG_TOCLIENT,
             HTP_RESPONSE_HEADERS, DetectEngineInspectHttp1Header, NULL);
 
--
2.47.2
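Review bot: The progress value is now spelled out twice per keyword — once in DetectAppLayerMpmRegister2 and again in the DetectAppLayerInspectEngineRegister2 call directly below it — with nothing tying the two together, which is how the original `0` went unnoticed and produced the false negatives described in the message; a comment on the MPM line such as `/* must not be lower than the inspect engine's progress, or prefilter gives up before the headers are parsed (ticket 7326) */`, or a shared local like `const int progress = HTP_REQUEST_HEADERS;` passed to both calls, would keep them from drifting apart again. The same applies to the http_response_header hunk below with HTP_RESPONSE_HEADERS. The removal of `DetectBufferTypeSetDescriptionByName("http_request_header", "HTTP header name and value");` is not mentioned in the commit message; if it was a duplicate call that is fine, but it is worth confirming that a description is still registered for that buffer elsewhere, which this hunk cannot show. A regression test that delivers the request line and the headers in separate segments with http.request_header as fast_pattern would pin the behaviour this change restores. Both DetectHttpRequestHeaderRegister and DetectHttpResponseHeaderRegister start and end outside their hunks.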