return buffer;
}
-/**
- * \brief Helps buffer request bodies for different transactions and stores them
- * away in detection code.
- *
- * \param de_ctx Detection Engine ctx.
- * \param det_ctx Detection engine thread ctx.
- * \param f Pointer to the flow.
- * \param htp_state http state.
- *
- * \warning Make sure flow is locked -- flow is modified, WRITE lock needed
- */
-static void DetectEngineBufferHttpClientBodies(DetectEngineCtx *de_ctx,
- DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state, uint8_t flags)
-{
- int idx = 0;
- htp_tx_t *tx = NULL;
- int i = 0;
-
- if (htp_state == NULL) {
- SCLogDebug("no HTTP state");
- goto end;
- }
-
- if (htp_state->connp == NULL || htp_state->connp->conn == NULL) {
- SCLogDebug("HTP state has no conn(p)");
- goto end;
- }
-
- /* get the transaction id */
- int tmp_idx = AppLayerTransactionGetInspectId(f);
- /* error! get out of here */
- if (tmp_idx == -1)
- goto end;
-
- /* let's get the transaction count. We need this to hold the client body
- * buffer for each transaction */
- size_t txs = list_size(htp_state->connp->conn->transactions) - tmp_idx;
- /* no transactions?! cool. get out of here */
- if (txs == 0) {
- det_ctx->hcbd_buffers_list_len = 0;
- goto end;
- } else if (txs > det_ctx->hcbd_buffers_list_len) {
- det_ctx->hcbd = SCRealloc(det_ctx->hcbd, txs * sizeof(HttpReassembledBody));
- if (det_ctx->hcbd == NULL) {
- det_ctx->hcbd_buffers_list_len = 0;
- goto end;
- }
-
- memset(det_ctx->hcbd + det_ctx->hcbd_buffers_list_len, 0,
- (txs - det_ctx->hcbd_buffers_list_len) * sizeof(HttpReassembledBody));
- det_ctx->hcbd_buffers_list_len = txs;
- }
-
- idx = AppLayerTransactionGetInspectId(f);
- if (idx == -1) {
- goto end;
- }
-
- int size = (int)list_size(htp_state->connp->conn->transactions);
- for (; idx < size; idx++, i++) {
- /* already set up */
- if (det_ctx->hcbd[i].buffer_len > 0) {
- SCLogDebug("set up already");
- continue;
- }
-
- tx = list_get(htp_state->connp->conn->transactions, idx);
- if (tx == NULL) {
- SCLogDebug("no tx");
- continue;
- }
-
- HtpTxUserData *htud = (HtpTxUserData *)htp_tx_get_user_data(tx);
- if (htud == NULL) {
- SCLogDebug("no htud");
- continue;
- }
-
- /* no new data */
- if (htud->request_body.body_inspected == htud->request_body.content_len_so_far) {
- SCLogDebug("no new data");
- continue;
- }
-
- HtpBodyChunk *cur = htud->request_body.first;
- if (cur == NULL) {
- SCLogDebug("No http chunks to inspect for this transacation");
- continue;
- }
-
- /* irrespective of chunked encoding or not, we rely on the tx state
- * to decide if we have seen the whole body or not */
- if ((htud->request_body.content_len_so_far > 0) &&
- tx->progress != TX_PROGRESS_REQ_BODY) {
- /* final length of the body */
- htud->tsflags |= HTP_REQ_BODY_COMPLETE;
- }
-
- if (flags & STREAM_EOF) {
- htud->tsflags |= HTP_REQ_BODY_COMPLETE;
- }
-
- /* inspect the body if the transfer is complete or we have hit
- * our body size limit */
- if (htud->request_body.content_len_so_far < BODY_MINIMAL_SIZE &&
- !(htud->tsflags & HTP_REQ_BODY_COMPLETE)) {
- SCLogDebug("we still haven't seen the entire request body. "
- "Let's defer body inspection till we see the "
- "entire body.");
- continue;
- }
-
- int first = 1;
- while (cur != NULL) {
- /* see if we can filter out chunks */
- if (htud->request_body.body_inspected > 0) {
- if (cur->stream_offset < htud->request_body.body_inspected) {
- if (htud->request_body.body_inspected - cur->stream_offset > BODY_SCAN_WINDOW) {
- cur = cur->next;
- continue;
- } else {
- /* include this one */
- }
- } else {
- /* include this one */
- }
- }
-
- if (first) {
- det_ctx->hcbd[i].offset = cur->stream_offset;
- first = 0;
- }
-
- /* see if we need to grow the buffer */
- if (det_ctx->hcbd[i].buffer == NULL || det_ctx->hcbd[i].buffer_len + cur->len > det_ctx->hcbd[i].buffer_size) {
- det_ctx->hcbd[i].buffer_size += cur->len * 2;
-
- if ((det_ctx->hcbd[i].buffer = SCRealloc(det_ctx->hcbd[i].buffer, det_ctx->hcbd[i].buffer_size)) == NULL) {
- goto end;
- }
- }
- memcpy(det_ctx->hcbd[i].buffer + det_ctx->hcbd[i].buffer_len, cur->data, cur->len);
- det_ctx->hcbd[i].buffer_len += cur->len;
-
- cur = cur->next;
- }
-
- /* update inspected tracker */
- htud->request_body.body_inspected =
- htud->request_body.last->stream_offset +
- htud->request_body.last->len;
- } /* for (idx = AppLayerTransactionGetInspectId(f); .. */
-
-end:
- return;
-}
-
int DetectEngineRunHttpClientBodyMpmV2(DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags)
return cnt;
}
-int DetectEngineRunHttpClientBodyMpm(DetectEngineCtx *de_ctx,
- DetectEngineThreadCtx *det_ctx, Flow *f,
- HtpState *htp_state, uint8_t flags)
-{
- int i;
- uint32_t cnt = 0;
-
- FLOWLOCK_WRLOCK(f);
- DetectEngineBufferHttpClientBodies(de_ctx, det_ctx, f, htp_state, flags);
- FLOWLOCK_UNLOCK(f);
-
- if (det_ctx->hcbd != NULL && det_ctx->hcbd_buffers_list_len) {
- for (i = 0; i < det_ctx->hcbd_buffers_list_len; i++) {
- if (det_ctx->hcbd[i].buffer_len == 0)
- continue;
-
- cnt += HttpClientBodyPatternSearch(det_ctx,
- det_ctx->hcbd[i].buffer,
- det_ctx->hcbd[i].buffer_len,
- flags);
- }
- }
-
- return cnt;
-}
-
int DetectEngineInspectHttpClientBodyV2(DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx,
Signature *s, Flow *f, uint8_t flags,
return r;
}
-/**
- * \brief Do the http_client_body content inspection for a signature.
- *
- * \param de_ctx Detection engine context.
- * \param det_ctx Detection engine thread context.
- * \param s Signature to inspect.
- * \param f Flow.
- * \param flags App layer flags.
- * \param state App layer state.
- *
- * \retval 0 No match.
- * \retval 1 Match.
- */
-int DetectEngineInspectHttpClientBody(DetectEngineCtx *de_ctx,
- DetectEngineThreadCtx *det_ctx, Signature *s, Flow *f, uint8_t flags,
- void *alstate)
-{
- SCEnter();
- int r = 0;
- int i = 0;
-
- FLOWLOCK_WRLOCK(f);
- DetectEngineBufferHttpClientBodies(de_ctx, det_ctx, f, alstate, flags);
- FLOWLOCK_UNLOCK(f);
-
- if (det_ctx->hcbd != NULL && det_ctx->hcbd_buffers_list_len) {
- for (i = 0; i < det_ctx->hcbd_buffers_list_len; i++) {
- uint8_t *hcbd_buffer = det_ctx->hcbd[i].buffer;
- uint32_t hcbd_buffer_len = det_ctx->hcbd[i].buffer_len;
-
- if (hcbd_buffer == NULL || hcbd_buffer_len == 0)
- continue;
-
- det_ctx->buffer_offset = 0;
- det_ctx->discontinue_matching = 0;
- det_ctx->inspection_recursion_counter = 0;
-
- r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HCBDMATCH],
- f,
- hcbd_buffer,
- hcbd_buffer_len,
- DETECT_ENGINE_CONTENT_INSPECTION_MODE_HCBD, NULL);
- if (r == 1) {
- break;
- }
- }
- }
-
- SCReturnInt(r);
-}
-
void DetectEngineCleanHCBDBuffersV2(DetectEngineThreadCtx *det_ctx)
{
if (det_ctx->hcbd_buffers_list_len > 0) {
return;
}
-/**
- * \brief Clean the hcbd buffers.
- *
- * \param det_ctx Pointer to the detection engine thread ctx.
- */
-void DetectEngineCleanHCBDBuffers(DetectEngineThreadCtx *det_ctx)
-{
- int i;
- if (det_ctx->hcbd != NULL && det_ctx->hcbd_buffers_list_len) {
- for (i = 0; i < det_ctx->hcbd_buffers_list_len; i++) {
- det_ctx->hcbd[i].buffer_len = 0;
- }
- }
- return;
-}
-
-
/***********************************Unittests**********************************/
#ifdef UNITTESTS
#include "app-layer-htp.h"
-int DetectEngineRunHttpClientBodyMpm(DetectEngineCtx *,
- DetectEngineThreadCtx *, Flow *f,
- HtpState *, uint8_t);
-int DetectEngineInspectHttpClientBody(DetectEngineCtx *,
- DetectEngineThreadCtx *, Signature *, Flow *, uint8_t, void *);
-
-void DetectEngineCleanHCBDBuffers(DetectEngineThreadCtx *);
-void DetectEngineHttpClientBodyRegisterTests(void);
-
-
int DetectEngineRunHttpClientBodyMpmV2(DetectEngineCtx *,
DetectEngineThreadCtx *, Flow *f,
HtpState *, uint8_t);
uint8_t, void *);
void DetectEngineCleanHCBDBuffersV2(DetectEngineThreadCtx *);
+void DetectEngineHttpClientBodyRegisterTests(void);
#endif /* __DETECT_ENGINE_HCBD_H__ */
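Review bot: The V2 prototypes left in this header say nothing about flow locking, and the same is true of the matching declarations in the HHD and HSBD headers further down. The variants this commit deletes took the lock themselves (`FLOWLOCK_WRLOCK(f)` around body buffering, `FLOWLOCK_RDLOCK(f)` around header buffering), and their buffering helpers stated the requirement in a `\warning`. Whether the V2 bodies do the same is not visible in these hunks. I would add a one-line comment above each prototype, such as `/* takes the flow lock internally; caller must not hold it */` or its opposite, whichever matches the V2 implementation. These functions copy reassembled HTTP data from the network into per-thread buffers, so a caller guessing wrong about the lock is a real risk once the documented reference code is gone.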
return headers_buffer;
}
-/**
- * \brief Helps buffer http normalized headers from different transactions and
- * stores them away in detection context.
- *
- * \param de_ctx Detection engine ctx.
- * \param det_ctx Detection engine thread ctx.
- * \param f Pointer to the locked flow.
- * \param htp_state http state.
- *
- * \warning Make sure flow is locked.
- */
-static void DetectEngineBufferHttpHeaders(DetectEngineThreadCtx *det_ctx, Flow *f,
- HtpState *htp_state, uint8_t flags)
-{
- int idx = 0;
- htp_tx_t *tx = NULL;
- int i = 0;
-
- if (htp_state == NULL) {
- SCLogDebug("no HTTP state");
- goto end;
- }
-
- if (htp_state->connp == NULL || htp_state->connp->conn == NULL) {
- SCLogDebug("HTP state has no conn(p)");
- goto end;
- }
-
- /* get the transaction id */
- int tmp_idx = AppLayerTransactionGetInspectId(f);
- /* error! get out of here */
- if (tmp_idx == -1)
- goto end;
-
- /* let's get the transaction count. We need this to hold the header
- * buffer for each transaction */
- det_ctx->hhd_buffers_list_len = list_size(htp_state->connp->conn->transactions) - tmp_idx;
- /* no transactions?! cool. get out of here */
- if (det_ctx->hhd_buffers_list_len == 0)
- goto end;
-
- /* assign space to hold buffers. Each per transaction */
- det_ctx->hhd_buffers = SCMalloc(det_ctx->hhd_buffers_list_len * sizeof(uint8_t *));
- if (det_ctx->hhd_buffers == NULL) {
- det_ctx->hhd_buffers_list_len = 0;
- goto end;
- }
- memset(det_ctx->hhd_buffers, 0, det_ctx->hhd_buffers_list_len * sizeof(uint8_t *));
-
- det_ctx->hhd_buffers_len = SCMalloc(det_ctx->hhd_buffers_list_len * sizeof(uint32_t));
- if (det_ctx->hhd_buffers_len == NULL) {
- det_ctx->hhd_buffers_list_len = 0;
- goto end;
- }
- memset(det_ctx->hhd_buffers_len, 0, det_ctx->hhd_buffers_list_len * sizeof(uint32_t));
-
- idx = AppLayerTransactionGetInspectId(f);
- if (idx == -1) {
- det_ctx->hhd_buffers_list_len = 0;
- goto end;
- }
-
- int size = (int)list_size(htp_state->connp->conn->transactions);
- for (; idx < size; idx++, i++) {
-
- tx = list_get(htp_state->connp->conn->transactions, idx);
- if (tx == NULL)
- continue;
-
- table_t *headers;
- if (flags & STREAM_TOSERVER) {
- headers = tx->request_headers;
- } else {
- headers = tx->response_headers;
- }
-
- htp_header_t *h = NULL;
- uint8_t *headers_buffer = NULL;
- size_t headers_buffer_len = 0;
-
- table_iterator_reset(headers);
- while (table_iterator_next(headers, (void **)&h) != NULL) {
- size_t size1 = bstr_size(h->name);
- size_t size2 = bstr_size(h->value);
-
- if (flags & STREAM_TOSERVER) {
- if (size1 == 6 &&
- SCMemcmpLowercase("cookie", bstr_ptr(h->name), 6)) {
- continue;
- }
- } else {
- if (size1 == 10 &&
- SCMemcmpLowercase("set-cookie", bstr_ptr(h->name), 10) == 0) {
- continue;
- }
- }
-
- /* the extra 4 bytes if for ": " and "\r\n" */
- headers_buffer = SCRealloc(headers_buffer, headers_buffer_len + size1 + size2 + 4);
- if (headers_buffer == NULL) {
- headers_buffer_len = 0;
- continue;
- }
-
- memcpy(headers_buffer + headers_buffer_len, bstr_ptr(h->name), size1);
- headers_buffer_len += size1;
- headers_buffer[headers_buffer_len] = ':';
- headers_buffer[headers_buffer_len + 1] = ' ';
- headers_buffer_len += 2;
- memcpy(headers_buffer + headers_buffer_len, bstr_ptr(h->value), size2);
- headers_buffer_len += size2 + 2;
- /* \r */
- headers_buffer[headers_buffer_len - 2] = '\r';
- /* \n */
- headers_buffer[headers_buffer_len - 1] = '\n';
- }
-
- /* store the buffers. We will need it for further inspection */
- det_ctx->hhd_buffers[i] = headers_buffer;
- det_ctx->hhd_buffers_len[i] = headers_buffer_len;
-
- } /* for (idx = AppLayerTransactionGetInspectId(f); .. */
-
-end:
- return;
-}
-
int DetectEngineRunHttpHeaderMpmV2(DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags)
{
return cnt;
}
-/**
- * \brief run the mpm against the assembled http header buffer(s)
- * \retval cnt Number of matches reported by the mpm algo.
- */
-int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
- HtpState *htp_state, uint8_t flags)
-{
- int i;
- uint32_t cnt = 0;
-
- if (det_ctx->hhd_buffers_list_len == 0) {
- FLOWLOCK_RDLOCK(f);
- DetectEngineBufferHttpHeaders(det_ctx, f, htp_state, flags);
- FLOWLOCK_UNLOCK(f);
-
- for (i = 0; i < det_ctx->hhd_buffers_list_len; i++) {
- cnt += HttpHeaderPatternSearch(det_ctx,
- det_ctx->hhd_buffers[i],
- det_ctx->hhd_buffers_len[i],
- flags);
- }
- } else {
- for (i = 0; i < det_ctx->hhd_buffers_list_len; i++) {
- cnt += HttpHeaderPatternSearch(det_ctx,
- det_ctx->hhd_buffers[i],
- det_ctx->hhd_buffers_len[i],
- flags);
- }
- }
-
- return cnt;
-}
-
int DetectEngineInspectHttpHeaderV2(DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx,
Signature *s, Flow *f, uint8_t flags,
return r;
}
-/**
- * \brief Do the http_header content inspection for a signature.
- *
- * \param de_ctx Detection engine context.
- * \param det_ctx Detection engine thread context.
- * \param s Signature to inspect.
- * \param f Flow.
- * \param flags App layer flags.
- * \param state App layer state.
- *
- * \retval 0 No match.
- * \retval 1 Match.
- */
-int DetectEngineInspectHttpHeader(DetectEngineCtx *de_ctx,
- DetectEngineThreadCtx *det_ctx,
- Signature *s, Flow *f, uint8_t flags,
- void *alstate)
-{
- SCEnter();
- int r = 0;
- int i = 0;
-
- if (det_ctx->hhd_buffers_list_len == 0) {
- FLOWLOCK_RDLOCK(f);
- DetectEngineBufferHttpHeaders(det_ctx, f, alstate, flags);
- FLOWLOCK_UNLOCK(f);
- }
-
- for (i = 0; i < det_ctx->hhd_buffers_list_len; i++) {
- uint8_t *hhd_buffer = det_ctx->hhd_buffers[i];
- uint32_t hhd_buffer_len = det_ctx->hhd_buffers_len[i];
-
- if (hhd_buffer == NULL)
- continue;
-
- det_ctx->buffer_offset = 0;
- det_ctx->discontinue_matching = 0;
- det_ctx->inspection_recursion_counter = 0;
-
- r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HHDMATCH],
- f,
- hhd_buffer,
- hhd_buffer_len,
- DETECT_ENGINE_CONTENT_INSPECTION_MODE_HHD, NULL);
- //r = DoInspectHttpHeader(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HHDMATCH],
- //hhd_buffer, hhd_buffer_len);
- if (r == 1) {
- break;
- }
- }
-
- SCReturnInt(r);
-}
-
void DetectEngineCleanHHDBuffersV2(DetectEngineThreadCtx *det_ctx)
{
if (det_ctx->hhd_buffers_list_len != 0) {
return;
}
-/**
- * \brief Clean the hhd buffers.
- *
- * \param det_ctx Pointer to the detection engine thread ctx.
- */
-void DetectEngineCleanHHDBuffers(DetectEngineThreadCtx *det_ctx)
-{
- if (det_ctx->hhd_buffers_list_len != 0) {
- int i;
- for (i = 0; i < det_ctx->hhd_buffers_list_len; i++) {
- if (det_ctx->hhd_buffers[i] != NULL)
- SCFree(det_ctx->hhd_buffers[i]);
- }
- }
- if (det_ctx->hhd_buffers != NULL) {
- SCFree(det_ctx->hhd_buffers);
- det_ctx->hhd_buffers = NULL;
- }
- if (det_ctx->hhd_buffers_len != NULL) {
- SCFree(det_ctx->hhd_buffers_len);
- det_ctx->hhd_buffers_len = NULL;
- }
- det_ctx->hhd_buffers_list_len = 0;
-
- return;
-}
-
/***********************************Unittests**********************************/
#ifdef UNITTESTS
#include "app-layer-htp.h"
-int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *, Flow *, HtpState *,
- uint8_t);
-int DetectEngineInspectHttpHeader(DetectEngineCtx *, DetectEngineThreadCtx *,
- Signature *, Flow *, uint8_t, void *);
-void DetectEngineCleanHHDBuffers(DetectEngineThreadCtx *);
-void DetectEngineHttpHeaderRegisterTests(void);
-
int DetectEngineInspectHttpHeaderV2(DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx,
Signature *s, Flow *f, uint8_t flags,
HtpState *htp_state, uint8_t flags);
void DetectEngineCleanHHDBuffersV2(DetectEngineThreadCtx *det_ctx);
-#endif /* __DETECT_ENGINE_HHD_H__ */
+void DetectEngineHttpHeaderRegisterTests(void);
+#endif /* __DETECT_ENGINE_HHD_H__ */
return buffer;
}
-/**
- * \brief Helps buffer response bodies for different transactions and stores them
- * away in detection code.
- *
- * \param de_ctx Detection Engine ctx.
- * \param det_ctx Detection engine thread ctx.
- * \param f Pointer to the flow.
- * \param htp_state http state.
- *
- * \warning Make sure flow is locked. Flow is modified, WRITE lock needed.
- */
-static void DetectEngineBufferHttpServerBodies(DetectEngineCtx *de_ctx,
- DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state, uint8_t flags)
-{
- int idx = 0;
- htp_tx_t *tx = NULL;
- int i = 0;
-
- if (htp_state == NULL) {
- SCLogDebug("no HTTP state");
- goto end;
- }
-
- if (htp_state->connp == NULL || htp_state->connp->conn == NULL) {
- SCLogDebug("HTP state has no conn(p)");
- goto end;
- }
-
- /* get the transaction id */
- int tmp_idx = AppLayerTransactionGetInspectId(f);
- /* error! get out of here */
- if (tmp_idx == -1)
- goto end;
-
- /* let's get the transaction count. We need this to hold the server body
- * buffer for each transaction */
- size_t txs = list_size(htp_state->connp->conn->transactions) - tmp_idx;
- /* no transactions?! cool. get out of here */
- if (txs == 0) {
- det_ctx->hsbd_buffers_list_len = 0;
- goto end;
- } else if (txs > det_ctx->hsbd_buffers_list_len) {
- det_ctx->hsbd = SCRealloc(det_ctx->hsbd, txs * sizeof(HttpReassembledBody));
- if (det_ctx->hsbd == NULL) {
- det_ctx->hsbd_buffers_list_len = 0;
- goto end;
- }
-
- memset(det_ctx->hsbd + det_ctx->hsbd_buffers_list_len, 0,
- (txs - det_ctx->hsbd_buffers_list_len) * sizeof(HttpReassembledBody));
- det_ctx->hsbd_buffers_list_len = txs;
- }
-
- idx = AppLayerTransactionGetInspectId(f);
- if (idx == -1) {
- goto end;
- }
-
- int size = (int)list_size(htp_state->connp->conn->transactions);
- for (; idx < size; idx++, i++) {
- /* already set up */
- if (det_ctx->hsbd[i].buffer_len > 0)
- continue;
-
- tx = list_get(htp_state->connp->conn->transactions, idx);
- if (tx == NULL)
- continue;
-
- HtpTxUserData *htud = (HtpTxUserData *)htp_tx_get_user_data(tx);
- if (htud == NULL)
- continue;
-
- /* no new data */
- if (htud->response_body.body_inspected == htud->response_body.content_len_so_far) {
- continue;
- }
-
- HtpBodyChunk *cur = htud->response_body.first;
- if (cur == NULL) {
- SCLogDebug("No http chunks to inspect for this transacation");
- continue;
- }
-
- /* irrespective of chunked encoding or not, we rely on the tx state
- * to decide if we have seen the whole body or not */
- if ((htud->response_body.content_len_so_far > 0) &&
- tx->progress != TX_PROGRESS_RES_BODY) {
- /* final length of the body */
- htud->tcflags |= HTP_RES_BODY_COMPLETE;
- }
-
- if (flags & STREAM_EOF) {
- htud->tcflags |= HTP_RES_BODY_COMPLETE;
- }
-
- /* inspect the body if the transfer is complete or we have hit
- * our body size limit */
- if (htud->response_body.content_len_so_far < BODY_MINIMAL_SIZE &&
- !(htud->tcflags & HTP_RES_BODY_COMPLETE)) {
- SCLogDebug("we still haven't seen the entire response body. "
- "Let's defer body inspection till we see the "
- "entire body.");
- continue;
- }
-
- //SCLogInfo("now we inspect! %"PRIu64, htud->response_body.content_len_so_far);
-
- int first = 1;
- while (cur != NULL) {
- /* see if we can filter out chunks */
- if (htud->response_body.body_inspected > 0) {
- if (cur->stream_offset < htud->response_body.body_inspected) {
- if (htud->response_body.body_inspected - cur->stream_offset > BODY_SCAN_WINDOW) {
- cur = cur->next;
- continue;
- } else {
- /* include this one */
- }
- } else {
- /* include this one */
- }
- }
-
- if (first) {
- det_ctx->hsbd[i].offset = cur->stream_offset;
- first = 0;
- }
-
- /* see if we need to grow the buffer */
- if (det_ctx->hsbd[i].buffer == NULL || det_ctx->hsbd[i].buffer_len + cur->len > det_ctx->hsbd[i].buffer_size) {
- det_ctx->hsbd[i].buffer_size += cur->len * 2;
-
- if ((det_ctx->hsbd[i].buffer = SCRealloc(det_ctx->hsbd[i].buffer, det_ctx->hsbd[i].buffer_size)) == NULL) {
- goto end;
- }
- }
- memcpy(det_ctx->hsbd[i].buffer + det_ctx->hsbd[i].buffer_len, cur->data, cur->len);
- det_ctx->hsbd[i].buffer_len += cur->len;
-
- cur = cur->next;
- }
-
- /* update inspected tracker */
- htud->response_body.body_inspected =
- htud->response_body.last->stream_offset +
- htud->response_body.last->len;
- } /* for (idx = AppLayerTransactionGetInspectId(f); .. */
-
-end:
- return;
-}
-
int DetectEngineRunHttpServerBodyMpmV2(DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags)
return cnt;
}
-int DetectEngineRunHttpServerBodyMpm(DetectEngineCtx *de_ctx,
- DetectEngineThreadCtx *det_ctx, Flow *f,
- HtpState *htp_state, uint8_t flags)
-{
- int i;
- uint32_t cnt = 0;
-
- FLOWLOCK_WRLOCK(f);
- DetectEngineBufferHttpServerBodies(de_ctx, det_ctx, f, htp_state, flags);
- FLOWLOCK_UNLOCK(f);
-
- if (det_ctx->hsbd != NULL && det_ctx->hsbd_buffers_list_len) {
- for (i = 0; i < det_ctx->hsbd_buffers_list_len; i++) {
- if (det_ctx->hsbd[i].buffer_len == 0)
- continue;
-
- cnt += HttpServerBodyPatternSearch(det_ctx,
- det_ctx->hsbd[i].buffer,
- det_ctx->hsbd[i].buffer_len,
- flags);
- }
- }
-
- return cnt;
-}
-
int DetectEngineInspectHttpServerBodyV2(DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx,
Signature *s, Flow *f, uint8_t flags,
return r;
}
-
-/**
- * \brief Do the http_server_body content inspection for a signature.
- *
- * \param de_ctx Detection engine context.
- * \param det_ctx Detection engine thread context.
- * \param s Signature to inspect.
- * \param f Flow.
- * \param flags App layer flags.
- * \param state App layer state.
- *
- * \retval 0 No match.
- * \retval 1 Match.
- */
-int DetectEngineInspectHttpServerBody(DetectEngineCtx *de_ctx,
- DetectEngineThreadCtx *det_ctx, Signature *s, Flow *f, uint8_t flags,
- void *alstate)
-{
- SCEnter();
- int r = 0;
- int i = 0;
-
- FLOWLOCK_WRLOCK(f);
- DetectEngineBufferHttpServerBodies(de_ctx, det_ctx, f, alstate, flags);
- FLOWLOCK_UNLOCK(f);
-
- if (det_ctx->hsbd != NULL && det_ctx->hsbd_buffers_list_len) {
- for (i = 0; i < det_ctx->hsbd_buffers_list_len; i++) {
- uint8_t *hsbd_buffer = det_ctx->hsbd[i].buffer;
- uint32_t hsbd_buffer_len = det_ctx->hsbd[i].buffer_len;
-
- if (hsbd_buffer == NULL || hsbd_buffer_len == 0)
- continue;
-
- det_ctx->buffer_offset = 0;
- det_ctx->discontinue_matching = 0;
- det_ctx->inspection_recursion_counter = 0;
-
- r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HSBDMATCH],
- f,
- hsbd_buffer,
- hsbd_buffer_len,
- DETECT_ENGINE_CONTENT_INSPECTION_MODE_HSBD, NULL);
- if (r == 1) {
- break;
- }
- }
- }
-
- SCReturnInt(r);
-}
-
void DetectEngineCleanHSBDBuffersV2(DetectEngineThreadCtx *det_ctx)
{
if (det_ctx->hsbd_buffers_list_len > 0) {
return;
}
-/**
- * \brief Clean the hsbd buffers.
- *
- * \param det_ctx Pointer to the detection engine thread ctx.
- */
-void DetectEngineCleanHSBDBuffers(DetectEngineThreadCtx *det_ctx)
-{
- int i;
- if (det_ctx->hsbd != NULL && det_ctx->hsbd_buffers_list_len) {
- for (i = 0; i < det_ctx->hsbd_buffers_list_len; i++) {
- det_ctx->hsbd[i].buffer_len = 0;
- }
- }
- return;
-}
-
-
/***********************************Unittests**********************************/
#ifdef UNITTESTS
#include "app-layer-htp.h"
-int DetectEngineRunHttpServerBodyMpm(DetectEngineCtx *,
- DetectEngineThreadCtx *, Flow *f,
- HtpState *, uint8_t);
-int DetectEngineInspectHttpServerBody(DetectEngineCtx *,
- DetectEngineThreadCtx *, Signature *, Flow *, uint8_t, void *);
-
-void DetectEngineCleanHSBDBuffers(DetectEngineThreadCtx *);
-void DetectEngineHttpServerBodyRegisterTests(void);
-
int DetectEngineRunHttpServerBodyMpmV2(DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags);
void *alstate);
void DetectEngineCleanHSBDBuffersV2(DetectEngineThreadCtx *det_ctx);
+void DetectEngineHttpServerBodyRegisterTests(void);
+
#endif /* __DETECT_ENGINE_HSBD_H__ */
inspect_flags |= DE_STATE_FLAG_HCBD_INSPECT;
if (DetectEngineInspectHttpClientBodyV2(de_ctx, det_ctx, s, f,
flags, alstate) == 1) {
- //if (DetectEngineInspectHttpClientBody(de_ctx, det_ctx, s, f,
- //flags, alstate) == 1) {
match_flags |= DE_STATE_FLAG_HCBD_MATCH;
}
SCLogDebug("inspecting http client body");
inspect_flags |= DE_STATE_FLAG_HHD_INSPECT;
if (DetectEngineInspectHttpHeaderV2(de_ctx, det_ctx, s, f,
flags, alstate) == 1) {
- //if (DetectEngineInspectHttpHeader(de_ctx, det_ctx, s, f,
- //flags, alstate) == 1) {
match_flags |= DE_STATE_FLAG_HHD_MATCH;
}
SCLogDebug("inspecting http header");
inspect_flags |= DE_STATE_FLAG_HHD_INSPECT;
if (DetectEngineInspectHttpHeaderV2(de_ctx, det_ctx, s, f,
flags, alstate) == 1) {
- //if (DetectEngineInspectHttpHeader(de_ctx, det_ctx, s, f,
- //flags, alstate) == 1) {
match_flags |= DE_STATE_FLAG_HHD_MATCH;
}
SCLogDebug("inspecting http header");
if (DetectEngineInspectHttpClientBodyV2(de_ctx, det_ctx, s, f,
flags, alstate) == 1) {
- //if (DetectEngineInspectHttpClientBody(de_ctx, det_ctx, s, f,
- // flags, alstate) == 1) {
SCLogDebug("http client body matched");
match_flags |= DE_STATE_FLAG_HCBD_MATCH;
}
if (DetectEngineInspectHttpHeaderV2(de_ctx, det_ctx, s, f,
flags, alstate) == 1) {
- //if (DetectEngineInspectHttpHeader(de_ctx, det_ctx, s, f,
- // flags, alstate) == 1) {
SCLogDebug("http header matched");
match_flags |= DE_STATE_FLAG_HHD_MATCH;
}
inspect_flags |= DE_STATE_FLAG_HHD_INSPECT;
if (DetectEngineInspectHttpHeaderV2(de_ctx, det_ctx, s, f,
flags, alstate) == 1) {
- //if (DetectEngineInspectHttpHeader(de_ctx, det_ctx, s, f,
- //flags, alstate) == 1) {
match_flags |= DE_STATE_FLAG_HHD_MATCH;
}
}
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HCBD) {
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HCBD);
DetectEngineRunHttpClientBodyMpmV2(de_ctx, det_ctx, p->flow, alstate, flags);
- //DetectEngineRunHttpClientBodyMpm(de_ctx, det_ctx, p->flow, alstate, flags);
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HCBD);
}
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HMD) {
}
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HHD) {
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HHD);
- //DetectEngineRunHttpHeaderMpm(det_ctx, p->flow, alstate, flags);
DetectEngineRunHttpHeaderMpmV2(det_ctx, p->flow, alstate, flags);
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HHD);
}