From e34102d67aa53ab786987709a9a22b7c6a2a7c09 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Wed, 7 Dec 2016 18:02:37 +0100 Subject: [PATCH] http_method: make list dynamic --- src/detect-engine-analyzer.c | 9 +-- src/detect-engine.c | 2 - src/detect-fast-pattern.c | 44 +++++++------- src/detect-http-method.c | 111 ++++++++++++++++++++++++----------- src/detect-http-method.h | 3 - src/detect-isdataat.c | 45 -------------- src/detect-parse.c | 8 --- src/detect-pcre.c | 6 +- src/detect.c | 12 ---- src/detect.h | 2 - 10 files changed, 105 insertions(+), 137 deletions(-) diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c index a13f405282..223a3b1c0f 100644 --- a/src/detect-engine-analyzer.c +++ b/src/detect-engine-analyzer.c @@ -120,8 +120,6 @@ void EngineAnalysisFP(Signature *s, char *line) fprintf(fp_engine_analysis_FD, "http header content\n"); else if (list_type == DETECT_SM_LIST_HRHDMATCH) fprintf(fp_engine_analysis_FD, "http raw header content\n"); - else if (list_type == DETECT_SM_LIST_HMDMATCH) - fprintf(fp_engine_analysis_FD, "http method content\n"); else if (list_type == DETECT_SM_LIST_HCDMATCH) fprintf(fp_engine_analysis_FD, "http cookie content\n"); else if (list_type == DETECT_SM_LIST_HCBDMATCH) @@ -474,8 +472,6 @@ static void EngineAnalysisRulesPrintFP(const Signature *s) fprintf(rule_engine_analysis_FD, "http header content"); else if (list_type == DETECT_SM_LIST_HRHDMATCH) fprintf(rule_engine_analysis_FD, "http raw header content"); - else if (list_type == DETECT_SM_LIST_HMDMATCH) - fprintf(rule_engine_analysis_FD, "http method content"); else if (list_type == DETECT_SM_LIST_HCDMATCH) fprintf(rule_engine_analysis_FD, "http cookie content"); else if (list_type == DETECT_SM_LIST_HCBDMATCH) 
@@ -586,6 +582,7 @@ void EngineAnalysisRules(const Signature *s, const char *line) const int nlists = DetectBufferTypeMaxId(); const int filedata_id = DetectBufferTypeGetByName("file_data"); + const int httpmethod_id = DetectBufferTypeGetByName("http_method"); if (s->init_data->init_flags & SIG_FLAG_INIT_BIDIREC) { rule_bidirectional = 1; @@ -639,7 +636,7 @@ void EngineAnalysisRules(const Signature *s, const char *line) raw_http_buf += 1; http_raw_header_buf += 1; } - else if (list_id == DETECT_SM_LIST_HMDMATCH) { + else if (list_id == httpmethod_id) { rule_pcre_http += 1; raw_http_buf += 1; http_method_buf += 1; @@ -720,7 +717,7 @@ void EngineAnalysisRules(const Signature *s, const char *line) raw_http_buf += 1; http_stat_code_buf += 1; } - else if (list_id == DETECT_SM_LIST_HMDMATCH) { + else if (list_id == httpmethod_id) { rule_content_http += 1; raw_http_buf += 1; http_method_buf += 1; diff --git a/src/detect-engine.c b/src/detect-engine.c index cbaef3ed9e..5bf07207f7 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -2816,8 +2816,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type) return "http host"; case DETECT_SM_LIST_HRHHDMATCH: return "http raw host header"; - case DETECT_SM_LIST_HMDMATCH: - return "http method"; case DETECT_SM_LIST_HCDMATCH: return "http cookie"; case DETECT_SM_LIST_HUADMATCH: diff --git a/src/detect-fast-pattern.c b/src/detect-fast-pattern.c index e4d415c382..4179b5eac6 100644 --- a/src/detect-fast-pattern.c +++ b/src/detect-fast-pattern.c @@ -322,6 +322,7 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a #ifdef UNITTESTS static int g_file_data_buffer_id = 0; +static int g_http_method_buffer_id = 0; /** * \test Checks if a fast_pattern is registered in a Signature 
@@ -7168,7 +7169,7 @@ int DetectFastPatternTest261(void) "content:\"three\"; http_method; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -7206,7 +7207,7 @@ int DetectFastPatternTest262(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HMDMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_method_buffer_id]; if (sm != NULL) { if ( ((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN) { @@ -7243,7 +7244,7 @@ int DetectFastPatternTest263(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HMDMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_method_buffer_id]; if (sm != NULL) { if ( ((DetectContentData *)sm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN) { @@ -7275,7 +7276,7 @@ int DetectFastPatternTest264(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HMDMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_method_buffer_id]; DetectContentData *ud = (DetectContentData *)sm->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && @@ -7309,7 +7310,7 @@ int DetectFastPatternTest265(void) goto end; result = 0; - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HMDMATCH]; + sm = de_ctx->sig_list->sm_lists[g_http_method_buffer_id]; DetectContentData *ud = (DetectContentData *)sm->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && 
@@ -7539,7 +7540,7 @@ int DetectFastPatternTest275(void) if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -7569,7 +7570,7 @@ int DetectFastPatternTest276(void) "(content:\"one\"; http_method; content:\"two\"; http_method; within:30; content:\"two\"; fast_pattern:only; http_method; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -7599,7 +7600,7 @@ int DetectFastPatternTest277(void) "(content:\"one\"; http_method; content:\"two\"; http_method; offset:30; content:\"two\"; fast_pattern:only; http_method; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && 
@@ -7629,7 +7630,7 @@ int DetectFastPatternTest278(void) "(content:\"one\"; http_method; content:\"two\"; http_method; depth:30; content:\"two\"; fast_pattern:only; http_method; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && @@ -7659,7 +7660,7 @@ int DetectFastPatternTest279(void) "(content:!\"one\"; fast_pattern; http_method; content:\"two\"; http_method; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -7778,7 +7779,7 @@ int DetectFastPatternTest284(void) "(content:\"one\"; http_method; content:\"oneonetwo\"; fast_pattern:3,4; http_method; content:\"three\"; http_method; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && 
@@ -7808,7 +7809,7 @@ int DetectFastPatternTest285(void) "(content:\"one\"; http_method; content:\"oneonetwo\"; fast_pattern:3,4; http_method; content:\"three\"; http_method; distance:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -7838,7 +7839,7 @@ int DetectFastPatternTest286(void) "(content:\"one\"; http_method; content:\"oneonetwo\"; fast_pattern:3,4; http_method; content:\"three\"; http_method; within:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -7868,7 +7869,7 @@ int DetectFastPatternTest287(void) "(content:\"one\"; http_method; content:\"oneonetwo\"; fast_pattern:3,4; http_method; content:\"three\"; http_method; offset:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && 
@@ -7898,7 +7899,7 @@ int DetectFastPatternTest288(void) "(content:\"one\"; http_method; content:\"oneonetwo\"; fast_pattern:3,4; http_method; content:\"three\"; http_method; depth:30; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -7928,7 +7929,7 @@ int DetectFastPatternTest289(void) "(content:\"one\"; http_method; content:\"two\"; http_method; distance:10; content:\"oneonethree\"; fast_pattern:3,4; http_method; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -7958,7 +7959,7 @@ int DetectFastPatternTest290(void) "(content:\"one\"; http_method; content:\"two\"; http_method; within:10; content:\"oneonethree\"; fast_pattern:3,4; http_method; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && 
@@ -7988,7 +7989,7 @@ int DetectFastPatternTest291(void) "(content:\"one\"; http_method; content:\"two\"; http_method; offset:10; content:\"oneonethree\"; fast_pattern:3,4; http_method; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -8018,7 +8019,7 @@ int DetectFastPatternTest292(void) "(content:\"one\"; http_method; content:\"two\"; http_method; depth:10; content:\"oneonethree\"; fast_pattern:3,4; http_method; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && @@ -8117,7 +8118,7 @@ int DetectFastPatternTest296(void) "(content:\"one\"; http_method; content:!\"oneonetwo\"; fast_pattern:3,4; http_method; content:\"three\"; http_method; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && 
@@ -8236,7 +8237,7 @@ int DetectFastPatternTest301(void) "(content:\"one\"; http_method; content:!\"oneonetwo\"; fast_pattern:3,4; http_method; content:\"three\"; http_method; sid:1;)"); if (de_ctx->sig_list == NULL) goto end; - DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->prev->ctx; + DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->prev->ctx; if (ud->flags & DETECT_CONTENT_FAST_PATTERN && ud->flags & DETECT_CONTENT_NEGATED && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && @@ -18823,6 +18824,7 @@ void DetectFastPatternRegisterTests(void) { #ifdef UNITTESTS g_file_data_buffer_id = DetectBufferTypeGetByName("file_data"); + g_http_method_buffer_id = DetectBufferTypeGetByName("http_method"); UtRegisterTest("DetectFastPatternTest01", DetectFastPatternTest01); UtRegisterTest("DetectFastPatternTest02", DetectFastPatternTest02); diff --git a/src/detect-http-method.c b/src/detect-http-method.c index 5371b97b2e..af703c9a0f 100644 --- a/src/detect-http-method.c +++ b/src/detect-http-method.c @@ -60,10 +60,12 @@ #include "detect-engine-hmd.h" #include "stream-tcp.h" - +static int g_http_method_buffer_id = 0; static int DetectHttpMethodSetup(DetectEngineCtx *, Signature *, char *); void DetectHttpMethodRegisterTests(void); void DetectHttpMethodFree(void *); +static void DetectHttpMethodSetupCallback(Signature *s); +static _Bool DetectHttpMethodValidateCallback(const Signature *s); /** * \brief Registration function for keyword: http_method 
@@ -81,14 +83,23 @@ void DetectHttpMethodRegister(void) sigmatch_table[DETECT_AL_HTTP_METHOD].flags |= SIGMATCH_NOOPT; sigmatch_table[DETECT_AL_HTTP_METHOD].flags |= SIGMATCH_PAYLOAD; - DetectMpmAppLayerRegister("http_method", SIG_FLAG_TOSERVER, - DETECT_SM_LIST_HMDMATCH, 4, + DetectAppLayerMpmRegister("http_method", SIG_FLAG_TOSERVER, 4, PrefilterTxMethodRegister); - DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER, - DETECT_SM_LIST_HMDMATCH, + DetectAppLayerInspectEngineRegister2("http_method", + ALPROTO_HTTP, SIG_FLAG_TOSERVER, DetectEngineInspectHttpMethod); + DetectBufferTypeSetDescriptionByName("http_method", + "http request method"); + + DetectBufferTypeRegisterSetupCallback("http_method", + DetectHttpMethodSetupCallback); + DetectBufferTypeRegisterValidateCallback("http_method", + DetectHttpMethodValidateCallback); + + g_http_method_buffer_id = DetectBufferTypeGetByName("http_method"); + SCLogDebug("registering http_method rule option"); } @@ -107,7 +118,7 @@ static int DetectHttpMethodSetup(DetectEngineCtx *de_ctx, Signature *s, char *st { return DetectEngineContentModifierBufferSetup(de_ctx, s, str, DETECT_AL_HTTP_METHOD, - DETECT_SM_LIST_HMDMATCH, + g_http_method_buffer_id, ALPROTO_HTTP, NULL); } 
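Review bot: At the end of DetectHttpMethodRegister the result of `DetectBufferTypeGetByName("http_method")` is stored in `g_http_method_buffer_id` without a check, and the static starts at 0, which is itself a usable list index. The value is later used to index `s->init_data->smlists[]` in DetectHttpMethodValidateCallback and is passed to DetectEngineContentModifierBufferSetup, and detect-pcre.c does the same unchecked lookup for the 'M' modifier. If the lookup can return a negative value (not visible in this patch), that index becomes an out-of-bounds read while rules are loaded. I would add `BUG_ON(g_http_method_buffer_id < 0);` right after the assignment so a registration-order mistake fails loudly instead of aliasing another list.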
@@ -126,43 +137,45 @@ void DetectHttpMethodFree(void *ptr) SCFree(data); } +static void DetectHttpMethodSetupCallback(Signature *s) +{ + SCLogDebug("callback invoked by %u", s->id); + s->mask |= SIG_MASK_REQUIRE_HTTP_STATE; +} + /** * \retval 1 valid * \retval 0 invalid */ -int DetectHttpMethodValidateRule(const Signature *s) +static _Bool DetectHttpMethodValidateCallback(const Signature *s) { - if (s->alproto != ALPROTO_HTTP) - return 1; - - if (s->init_data->smlists[DETECT_SM_LIST_HMDMATCH] != NULL) { - const SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_HMDMATCH]; - for ( ; sm != NULL; sm = sm->next) { - if (sm->type != DETECT_CONTENT) - continue; - const DetectContentData *cd = (const DetectContentData *)sm->ctx; - if (cd->content && cd->content_len) { - if (cd->content[cd->content_len-1] == 0x20) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with trailing space"); - return 0; - } else if (cd->content[0] == 0x20) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with leading space"); - return 0; - } else if (cd->content[cd->content_len-1] == 0x09) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with trailing tab"); - return 0; - } else if (cd->content[0] == 0x09) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with leading tab"); - return 0; - } + const SigMatch *sm = s->init_data->smlists[g_http_method_buffer_id]; + for ( ; sm != NULL; sm = sm->next) { + if (sm->type != DETECT_CONTENT) + continue; + const DetectContentData *cd = (const DetectContentData *)sm->ctx; + if (cd->content && cd->content_len) { + if (cd->content[cd->content_len-1] == 0x20) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with trailing space"); + return FALSE; + } else if (cd->content[0] == 0x20) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with leading space"); + return FALSE; + } else if (cd->content[cd->content_len-1] == 0x09) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with 
trailing tab"); + return FALSE; + } else if (cd->content[0] == 0x09) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with leading tab"); + return FALSE; } } } - return 1; + return TRUE; } #ifdef UNITTESTS /* UNITTESTS */ +#include "detect-isdataat.h" #include "stream-tcp-reassemble.h" /** \test Check a signature with content */ @@ -330,13 +343,13 @@ static int DetectHttpMethodTest12(void) goto end; } - if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HMDMATCH] == NULL) { - printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HMDMATCH] == NULL: "); + if (de_ctx->sig_list->sm_lists[g_http_method_buffer_id] == NULL) { + printf("de_ctx->sig_list->sm_lists[g_http_method_buffer_id] == NULL: "); goto end; } - DetectContentData *hmd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx; - DetectContentData *hmd2 = (DetectContentData *)de_ctx->sig_list->next->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx; + DetectContentData *hmd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->ctx; + DetectContentData *hmd2 = (DetectContentData *)de_ctx->sig_list->next->sm_lists_tail[g_http_method_buffer_id]->ctx; if (!(hmd1->flags & DETECT_CONTENT_NOCASE)) { printf("nocase flag not set on sig 1: "); 
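Review bot: The doc comment above DetectHttpMethodValidateCallback still reads `\retval 1 valid` / `\retval 0 invalid`, but the function now returns `_Bool` TRUE/FALSE, and neither it nor the new DetectHttpMethodSetupCallback says what it is for. I would rewrite it as a `\brief` stating that content patterns in the http_method list with a leading or trailing space (0x20) or tab (0x09) are rejected, with `\retval TRUE` / `\retval FALSE`. The setup callback could get a one-line comment such as `/** \brief flag the signature as requiring HTTP state when the http_method buffer is used */`. The old early return for `s->alproto != ALPROTO_HTTP` is also gone; presumably the callback only runs for signatures that use this buffer, but the comment should say so.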
@@ -850,6 +863,31 @@ end: return result; } +static int DetectHttpMethodIsdataatParseTest(void) +{ + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + FAIL_IF_NULL(de_ctx); + de_ctx->flags |= DE_QUIET; + + Signature *s = DetectEngineAppendSig(de_ctx, + "alert tcp any any -> any any (" + "content:\"one\"; http_method; " + "isdataat:!4,relative; sid:1;)"); + FAIL_IF_NULL(s); + + SigMatch *sm = s->init_data->smlists_tail[g_http_method_buffer_id]; + FAIL_IF_NULL(sm); + FAIL_IF_NOT(sm->type == DETECT_ISDATAAT); + + DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx; + FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE); + FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED); + FAIL_IF(data->flags & ISDATAAT_RAWBYTES); + + DetectEngineCtxFree(de_ctx); + PASS; +} + #endif /* UNITTESTS */ /** @@ -873,6 +911,9 @@ void DetectHttpMethodRegisterTests(void) UtRegisterTest("DetectHttpMethodSigTest02", DetectHttpMethodSigTest02); UtRegisterTest("DetectHttpMethodSigTest03", DetectHttpMethodSigTest03); UtRegisterTest("DetectHttpMethodSigTest04", DetectHttpMethodSigTest04); + + UtRegisterTest("DetectHttpMethodIsdataatParseTest", + DetectHttpMethodIsdataatParseTest); #endif /* UNITTESTS */ } diff --git a/src/detect-http-method.h b/src/detect-http-method.h index d1593aed76..871177b587 100644 --- a/src/detect-http-method.h +++ b/src/detect-http-method.h @@ -26,9 +26,6 @@ /* prototypes */ void DetectHttpMethodRegister(void); -int DetectHttpMethodDoMatch(DetectEngineThreadCtx *, Signature *, SigMatch *, - Flow *, uint8_t, void *); -int DetectHttpMethodValidateRule(const Signature *s); #endif /* __DETECT_HTTP_METHOD_H__ */ diff --git a/src/detect-isdataat.c b/src/detect-isdataat.c index 407b0a6e70..d2e01b35d3 100644 --- a/src/detect-isdataat.c +++ b/src/detect-isdataat.c 
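Review bot: The added DetectHttpMethodIsdataatParseTest only covers a rule that must parse, so nothing in this commit asserts that the whitespace validation still rejects a bad rule. That check moved from a direct call in SigValidate to a callback registered by buffer name, so a wiring mistake would let unmatchable http_method patterns load silently. Tests outside this hunk may already cover it, but a small negative test next to the new one would pin the behaviour. It would also need a `UtRegisterTest` line in DetectHttpMethodRegisterTests.

```c
static int DetectHttpMethodTrailingSpaceTest(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);
    de_ctx->flags |= DE_QUIET;

    /* constructed sample rule: the pattern ends in 0x20, so the
     * validate callback is expected to reject the signature */
    Signature *s = DetectEngineAppendSig(de_ctx,
            "alert tcp any any -> any any ("
            "content:\"GET \"; http_method; sid:1;)");
    FAIL_IF(s != NULL);

    DetectEngineCtxFree(de_ctx);
    PASS;
}
```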
@@ -736,50 +736,6 @@ int DetectIsdataatTestParse11(void) return result; } -int DetectIsdataatTestParse12(void) -{ - DetectEngineCtx *de_ctx = NULL; - int result = 0; - Signature *s = NULL; - DetectIsdataatData *data = NULL; - - de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto end; - - de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " - "(msg:\"Testing bytejump_body\"; " - "content:\"one\"; http_method; " - "isdataat:!4,relative; sid:1;)"); - if (de_ctx->sig_list == NULL) { - goto end; - } - - s = de_ctx->sig_list; - if (s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH] == NULL) { - goto end; - } - - result = 1; - - result &= (s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->type == DETECT_ISDATAAT); - data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx; - if ( !(data->flags & ISDATAAT_RELATIVE) || - (data->flags & ISDATAAT_RAWBYTES) || - !(data->flags & ISDATAAT_NEGATED) ) { - result = 0; - goto end; - } - - end: - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - - return result; -} - int DetectIsdataatTestParse13(void) { DetectEngineCtx *de_ctx = NULL; @@ -997,7 +953,6 @@ void DetectIsdataatRegisterTests(void) UtRegisterTest("DetectIsdataatTestParse09", DetectIsdataatTestParse09); UtRegisterTest("DetectIsdataatTestParse10", DetectIsdataatTestParse10); UtRegisterTest("DetectIsdataatTestParse11", DetectIsdataatTestParse11); - UtRegisterTest("DetectIsdataatTestParse12", DetectIsdataatTestParse12); UtRegisterTest("DetectIsdataatTestParse13", DetectIsdataatTestParse13); UtRegisterTest("DetectIsdataatTestParse16", DetectIsdataatTestParse16); diff --git a/src/detect-parse.c b/src/detect-parse.c index 98c3bf1d14..7b8670b325 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c 
@@ -150,7 +150,6 @@ const char *DetectListToHumanString(int list) CASE_CODE_STRING(DETECT_SM_LIST_HSCDMATCH, "http_stat_code"); CASE_CODE_STRING(DETECT_SM_LIST_HHHDMATCH, "http_host"); CASE_CODE_STRING(DETECT_SM_LIST_HRHHDMATCH, "http_raw_host"); - CASE_CODE_STRING(DETECT_SM_LIST_HMDMATCH, "http_method"); CASE_CODE_STRING(DETECT_SM_LIST_HCDMATCH, "http_cookie"); CASE_CODE_STRING(DETECT_SM_LIST_HUADMATCH, "http_user_agent"); CASE_CODE_STRING(DETECT_SM_LIST_HTTP_RESLINEMATCH, "http_response_line"); @@ -193,7 +192,6 @@ const char *DetectListToString(int list) CASE_CODE(DETECT_SM_LIST_HSCDMATCH); CASE_CODE(DETECT_SM_LIST_HHHDMATCH); CASE_CODE(DETECT_SM_LIST_HRHHDMATCH); - CASE_CODE(DETECT_SM_LIST_HMDMATCH); CASE_CODE(DETECT_SM_LIST_HCDMATCH); CASE_CODE(DETECT_SM_LIST_HUADMATCH); CASE_CODE(DETECT_SM_LIST_HTTP_RESLINEMATCH); @@ -1436,7 +1434,6 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s) if (s->init_data->smlists[DETECT_SM_LIST_UMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL || - s->init_data->smlists[DETECT_SM_LIST_HMDMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HUADMATCH] != NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use uricontent " "/http_uri , raw_uri, http_client_body, " @@ -1461,7 +1458,6 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s) s->init_data->smlists[DETECT_SM_LIST_UMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL || - s->init_data->smlists[DETECT_SM_LIST_HMDMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HUADMATCH] != NULL) { sig_flags |= SIG_FLAG_TOSERVER; s->flags |= SIG_FLAG_TOSERVER; @@ -1521,9 +1517,6 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s) } } - if (!DetectHttpMethodValidateRule(s)) - SCReturnInt(0); - //if (s->alproto != ALPROTO_UNKNOWN) { // if (s->flags & SIG_FLAG_STATE_MATCH) { // if (s->alproto == ALPROTO_DNS) { 
@@ -1592,7 +1585,6 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s) s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH] || s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH] || s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH] || - s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH] || s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH] || s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH] || s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH] || diff --git a/src/detect-pcre.c b/src/detect-pcre.c index 6be08703aa..c7477d8d92 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c @@ -445,7 +445,8 @@ static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr, SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'M' inconsistent with 'B'"); goto error; } - *sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HMDMATCH); + int list = DetectBufferTypeGetByName("http_method"); + *sm_list = DetectPcreSetList(*sm_list, list); break; case 'C': /* snort's option */ if (pd->flags & DETECT_PCRE_RAWBYTES) { @@ -674,7 +675,7 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst parsed_sm_list == DETECT_SM_LIST_HSCDMATCH || parsed_sm_list == DETECT_SM_LIST_HHHDMATCH || parsed_sm_list == DETECT_SM_LIST_HRHHDMATCH || - parsed_sm_list == DETECT_SM_LIST_HMDMATCH || +// parsed_sm_list == DETECT_SM_LIST_HMDMATCH || parsed_sm_list == DETECT_SM_LIST_HCDMATCH || parsed_sm_list == DETECT_SM_LIST_HUADMATCH) { @@ -715,7 +716,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst case DETECT_SM_LIST_HSMDMATCH: case DETECT_SM_LIST_HSCDMATCH: case DETECT_SM_LIST_HCDMATCH: - case DETECT_SM_LIST_HMDMATCH: case DETECT_SM_LIST_HUADMATCH: s->flags |= SIG_FLAG_APPLAYER; s->alproto = ALPROTO_HTTP; diff --git a/src/detect.c b/src/detect.c index 11aecad951..321d21af17 100644 --- a/src/detect.c +++ b/src/detect.c 
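Review bot: In DetectPcreSetup the http_method comparison is commented out (`// parsed_sm_list == DETECT_SM_LIST_HMDMATCH ||`) rather than replaced, and the next hunk drops the matching `case` that sets `SIG_FLAG_APPLAYER` and `s->alproto = ALPROTO_HTTP`. The 'M' modifier now yields a runtime id, so a pcre on the method buffer appears to skip both branches. Unless that is handled outside these hunks, such a rule may no longer be tied to HTTP. The commented line also names an enum value this commit removes from detect.h; I would delete it and compare against the dynamic id, e.g. `parsed_sm_list == DetectBufferTypeGetByName("http_method") ||`. The switch needs an explicit `if` ahead of it, since a `case` label cannot take a runtime value. Both function bodies continue outside the hunks.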
@@ -1924,9 +1924,6 @@ int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s) if (s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL) return 0; - if (s->init_data->smlists[DETECT_SM_LIST_HMDMATCH] != NULL) - return 0; - if (s->init_data->smlists[DETECT_SM_LIST_HCDMATCH] != NULL) return 0; @@ -2032,9 +2029,6 @@ static int SignatureIsPDOnly(const Signature *s) if (s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL) return 0; - if (s->init_data->smlists[DETECT_SM_LIST_HMDMATCH] != NULL) - return 0; - if (s->init_data->smlists[DETECT_SM_LIST_HCDMATCH] != NULL) return 0; @@ -2160,7 +2154,6 @@ static int SignatureIsDEOnly(DetectEngineCtx *de_ctx, const Signature *s) s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL || - s->init_data->smlists[DETECT_SM_LIST_HMDMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HCDMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL || @@ -2340,11 +2333,6 @@ static int SignatureCreateMask(Signature *s) SCLogDebug("sig requires http app state"); } - if (s->init_data->smlists[DETECT_SM_LIST_HMDMATCH] != NULL) { - s->mask |= SIG_MASK_REQUIRE_HTTP_STATE; - SCLogDebug("sig requires http app state"); - } - if (s->init_data->smlists[DETECT_SM_LIST_HCDMATCH] != NULL) { s->mask |= SIG_MASK_REQUIRE_HTTP_STATE; SCLogDebug("sig requires http app state"); diff --git a/src/detect.h b/src/detect.h index 330b918f4b..976d75b20d 100644 --- a/src/detect.h +++ b/src/detect.h 
@@ -133,8 +133,6 @@ enum DetectSigmatchListEnum { DETECT_SM_LIST_HHHDMATCH, /* list for http_raw_host keyword and the ones relative to it */ DETECT_SM_LIST_HRHHDMATCH, - /* list for http_method keyword and the ones relative to it */ - DETECT_SM_LIST_HMDMATCH, /* list for http_cookie keyword and the ones relative to it */ DETECT_SM_LIST_HCDMATCH, /* list for http_user_agent keyword and the ones relative to it */ -- 2.47.2