From: maxtors
Date: Fri, 17 Apr 2015 08:03:24 +0000 (+0200)
Subject: Reworked pattern registration structure and feedback issues.
X-Git-Tag: suricata-2.1beta4~50
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3b26b07963df9ae8e67a0257fe8c0af1112caffb;p=thirdparty%2Fsuricata.git
Reworked pattern registration structure and feedback issues.
1) Reworked pattern registration for http methods and versions. Instead of being a manual and verbose action of adding one and one http method with N-amount if prefix spacings and the same for HTTP versions (eg. HTTP/1.1) i moved it all to be loop based actions reading values from char arrays. In the future all that is needed is to add new methods to the arrays and they will be added as a pattern. 2) Modified pattern registration after feedback. Changed variable used in snprintf for http method registration Should have been size of dest buffer at not another var (catsize) that i had created. Also removed this variable. Fixed a typo in the comment for registering http versions. TO_CIENT -> TO_CLIENT.
---
diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c
index 73b11ad0e7..af313587bb 100644
--- a/src/app-layer-htp.c
+++ b/src/app-layer-htp.c
@@ -2656,218 +2656,46 @@ static int HTPSetTxDetectState(void *vtx, DetectEngineState *s)
 static int HTPRegisterPatternsForProtocolDetection(void)
 {
- /* toserver */
-
- /* GET */
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "GET|20|", 4, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "GET|09|", 4, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
-
- /* PUT */
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "PUT|20|", 4, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "PUT|09|", 4, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
-
- /* POST */
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "POST|20|", 5, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "POST|09|", 5, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
-
- /* HEAD */
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "HEAD|20|", 5, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "HEAD|09|", 5, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
-
- /* TRACE */
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "TRACE|20|", 6, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "TRACE|09|", 6, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
-
- /* OPTIONS */
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "OPTIONS|20|", 8, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "OPTIONS|09|", 8, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
-
- /* CONNECT */
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "CONNECT|20|", 8, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "CONNECT|09|", 8, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
-
- /* DELETE */
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "DELETE|20|", 7, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "DELETE|09|", 7, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
-
- /* PATCH */
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "PATCH|20|", 6, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "PATCH|09|", 6, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
-
- /* WEBDAV METHODS (rfc4918) */
- /* PROPFIND */
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "PROPFIND|20|", 9, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "PROPFIND|09|", 9, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
-
- /* PROPPATCH */
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "PROPPATCH|20|", 10, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "PATCH|09|", 10, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
-
- /* MKCOL */
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "MKCOL|20|", 6, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "MKCOL|09|", 6, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
-
- /* COPY */
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "COPY|20|", 5, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "COPY|09|", 5, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
-
- /* MOVE */
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "MOVE|20|", 5, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "MOVE|09|", 5, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
-
- /* LOCK */
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "LOCK|20|", 5, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "LOCK|09|", 5, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
-
- /* UNLOCK */
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "UNLOCK|20|", 7, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
- }
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "UNLOCK|09|", 7, 0, STREAM_TOSERVER) < 0)
- {
- return -1;
+ char *methods[] = { "GET", "PUT", "POST", "HEAD", "TRACE", "OPTIONS",
+ "CONNECT", "DELETE", "PATCH", "PROPFIND", "PROPPATCH", "MKCOL",
+ "COPY", "MOVE", "LOCK", "UNLOCK", NULL};
+ char *spacings[] = { "|20|", "|09|", NULL };
+ char *versions[] = { "HTTP/0.9", "HTTP/1.0", "HTTP/1.1", NULL };
+
+ uint methods_pos;
+ uint spacings_pos;
+ uint versions_pos;
+ int register_result;
+ char method_buffer[32] = "";
+
+ // Loop through all the methods ands spacings and register the patterns
+ for (methods_pos = 0; methods[methods_pos]; methods_pos++) {
+ for (spacings_pos = 0; spacings[spacings_pos]; spacings_pos++) {
+
+ // Combine the method name and the spacing
+ snprintf(method_buffer, sizeof(method_buffer), "%s%s", methods[methods_pos], spacings[spacings_pos]);
+
+ // Register the new method+spacing pattern
+ // 3 is subtracted from the length since the spacing is hex typed as |xx|
+ // but the pattern matching should only be one char.
+ register_result = AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP,
+ ALPROTO_HTTP, method_buffer, strlen(method_buffer)-3, 0, STREAM_TOSERVER);
+ if (register_result < 0) {
+ return -1;
+ }
+ }
 }
- /* toclient */
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "HTTP/0.9", 8, 0, STREAM_TOCLIENT) < 0)
- {
- return -1;
- }
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "HTTP/1.0", 8, 0, STREAM_TOCLIENT) < 0)
- {
- return -1;
- }
- if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
- "HTTP/1.1", 8, 0, STREAM_TOCLIENT) < 0)
- {
- return -1;
+ // Loop through all the http verions patterns that are TO_CLIENT
+ for (versions_pos = 0; versions[versions_pos]; versions_pos++) {
+ register_result = AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP,
+ ALPROTO_HTTP, versions[versions_pos], strlen(versions[versions_pos]),
+ 0, STREAM_TOCLIENT);
+ if (register_result < 0) {
+ return -1;
+ }
 }
-
+
 return 0;
 }
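Review bot: The snprintf() into `method_buffer[32]` is unchecked, so a method later added to `methods[]` that does not fit would be silently truncated and registered with a depth of `strlen(method_buffer)-3` computed from the cut string, leaving that method unrecognised as HTTP with no error at startup. Capture the return value and fail registration on truncation, e.g. `int n = snprintf(method_buffer, sizeof(method_buffer), "%s%s", methods[methods_pos], spacings[spacings_pos]);` followed by `if (n < 0 || (size_t)n >= sizeof(method_buffer)) return -1;`. The `-3` also assumes every entry in `spacings[]` is exactly one `|xx|` hex byte, which deserves a comment next to the array so a literal spacing is not added by mistake. The same stack buffer is reused for every call, so this relies on AppLayerProtoDetectPMRegisterPatternCS() copying the pattern rather than keeping the pointer; that is not visible in this hunk and is worth confirming.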