From: Victor Julien
Date: Sun, 25 Nov 2018 11:05:24 +0000 (+0100)
Subject: detect/http: add http.uri.raw sticky buffer keyword
X-Git-Tag: suricata-5.0.0-beta1~282
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4e50df0f55f78e77f16d222175473b01f6235a02;p=thirdparty%2Fsuricata.git
detect/http: add http.uri.raw sticky buffer keyword
---
diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h
index 9cc563fa46..b3787a2b69 100644
--- a/src/detect-engine-register.h
+++ b/src/detect-engine-register.h
@@ -130,6 +130,7 @@ enum {
 DETECT_AL_HTTP_RAW_HEADER,
 DETECT_AL_HTTP_URI,
 DETECT_HTTP_URI,
+ DETECT_HTTP_URI_RAW,
 DETECT_AL_HTTP_RAW_URI,
 DETECT_AL_HTTP_STAT_MSG,
 DETECT_AL_HTTP_STAT_CODE,
diff --git a/src/detect-http-uri.c b/src/detect-http-uri.c
index 5b9041ae91..d7852b98f6 100644
--- a/src/detect-http-uri.c
+++ b/src/detect-http-uri.c
@@ -77,6 +77,7 @@ static InspectionBuffer *GetRawData(DetectEngineThreadCtx *det_ctx, const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv, const int list_id);
+static int DetectHttpRawUriSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str);
 static int g_http_raw_uri_buffer_id = 0;
 static int g_http_uri_buffer_id = 0;
@@ -130,6 +131,13 @@ void DetectHttpUriRegister (void)
 sigmatch_table[DETECT_AL_HTTP_RAW_URI].Setup = DetectHttpRawUriSetup;
 sigmatch_table[DETECT_AL_HTTP_RAW_URI].flags |= SIGMATCH_NOOPT;
+ /* http.uri.raw sticky buffer */
+ sigmatch_table[DETECT_HTTP_URI_RAW].name = "http.uri.raw";
+ sigmatch_table[DETECT_HTTP_URI_RAW].desc = "sticky buffer to match specifically and only on the raw HTTP URI buffer";
+ sigmatch_table[DETECT_HTTP_URI_RAW].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#http-uri";
+ sigmatch_table[DETECT_HTTP_URI_RAW].Setup = DetectHttpRawUriSetupSticky;
+ sigmatch_table[DETECT_HTTP_URI_RAW].flags |= SIGMATCH_NOOPT;
+
 DetectAppLayerInspectEngineRegister2("http_raw_uri", ALPROTO_HTTP, SIG_FLAG_TOSERVER, HTP_REQUEST_LINE, DetectEngineInspectBufferGeneric, GetRawData);
@@ -253,6 +261,22 @@ static void DetectHttpRawUriSetupCallback(const DetectEngineCtx *de_ctx,
 DetectUrilenApplyToContent(s, g_http_raw_uri_buffer_id);
 }
+/**
+ * \brief this function setup the http.uri.raw keyword used in the rule
+ *
+ * \param de_ctx Pointer to the Detection Engine Context
+ * \param s Pointer to the Signature to which the current keyword belongs
+ * \param str Should hold an empty string always
+ *
+ * \retval 0 On success
+ */
+static int DetectHttpRawUriSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
+{
+ DetectBufferSetActiveList(s, g_http_raw_uri_buffer_id);
+ s->alproto = ALPROTO_HTTP;
+ return 0;
+}
+
 static InspectionBuffer *GetRawData(DetectEngineThreadCtx *det_ctx, const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv, const int list_id)
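Review bot: The `url` assigned for the new entry, `DOC_URL DOC_VERSION "/rules/tls-keywords.html#http-uri"`, points at the TLS keywords page for an HTTP keyword, so the documentation link reported for `http.uri.raw` (for example in keyword listings and rule-load diagnostics) lands on the wrong page or a missing anchor. The user guide's HTTP keywords live under `rules/http-keywords.html`, so the line should become `sigmatch_table[DETECT_HTTP_URI_RAW].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-uri";` with the anchor verified against the built docs (`#http-uri` is my guess; the existing `DETECT_AL_HTTP_RAW_URI` entry's url is outside this hunk, so I cannot tell whether the path was copied from there or from a TLS entry). DetectHttpUriRegister starts before this hunk.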
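Review bot: DetectHttpRawUriSetupSticky discards the result of `DetectBufferSetActiveList(s, g_http_raw_uri_buffer_id)` and assigns `s->alproto = ALPROTO_HTTP` unconditionally, so a signature that already carries a conflicting buffer/transform state or a different app-layer protocol set by an earlier keyword is silently rewritten instead of failing to load, and the rule author ends up with a rule that matches something other than what was written. Both conflicts can be surfaced by checking return codes: DetectBufferSetActiveList returns an int in the detect-engine code, and the DetectSignatureSetAppProto helper covers the alproto case (confirm both signatures in this tree before relying on them). I would also fix the brief to `\brief sets up the http.uri.raw sticky buffer keyword` and add `\retval -1 on a conflicting buffer or app-layer protocol`. The unused `de_ctx` and `str` parameters are fine given SIGMATCH_NOOPT.
```c
static int DetectHttpRawUriSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
    if (DetectBufferSetActiveList(s, g_http_raw_uri_buffer_id) < 0)
        return -1;
    if (DetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)
        return -1;
    return 0;
}
```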