From: Anoop Saldanha Date: Sun, 14 Oct 2012 20:14:17 +0000 (+0530) Subject: New app inspection engine introduced. Moved existing inspecting engines to use it. X-Git-Tag: suricata-1.4beta3~73 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b99f9fe890d45c0a8da0baf121aba711f110440f;p=thirdparty%2Fsuricata.git New app inspection engine introduced. Moved existing inspecting engines to use it. --- diff --git a/src/app-layer-protos.h b/src/app-layer-protos.h index a022e3e1c7..2da4b7cc94 100644 --- a/src/app-layer-protos.h +++ b/src/app-layer-protos.h @@ -39,12 +39,12 @@ enum { ALPROTO_DCERPC, ALPROTO_DCERPC_UDP, ALPROTO_IRC, -#ifdef UNITTESTS - ALPROTO_TEST, -#endif /* UNITESTS */ /* used by the probing parser when alproto detection fails * permanently for that particular stream */ ALPROTO_FAILED, +#ifdef UNITTESTS + ALPROTO_TEST, +#endif /* UNITESTS */ /* keep last */ ALPROTO_MAX, }; diff --git a/src/detect-engine-file.c b/src/detect-engine-file.c index 43fd5bdf42..17bed6d3fe 100644 --- a/src/detect-engine-file.c +++ b/src/detect-engine-file.c @@ -201,70 +201,35 @@ static int DetectFileInspect(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, * \retval 2 can't match * \retval 3 can't match filestore signature * - * \note flow is not locked at this time + * \note flow should be locked when this function's called. */ int DetectFileInspectHttp(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Signature *s, Flow *f, uint8_t flags, void *alstate, int tx_id) { - SCEnter(); - int r = 0; - HtpState *htp_state = NULL; - int idx = 0; - int start_tx = 0; - int end_tx = 0; - int match = 0; FileContainer *ffc; - - /* locking the flow, we will inspect the htp state, files + we will set - * magic, so need a WRITE lock */ - FLOWLOCK_WRLOCK(f); - - htp_state = (HtpState *)alstate; - if (htp_state == NULL) { - SCLogDebug("no HTTP state"); - goto end; - } + HtpState *htp_state = (HtpState *)alstate; if (flags & STREAM_TOCLIENT) ffc = htp_state->files_tc; else ffc = htp_state->files_ts; - if (htp_state->connp != NULL && htp_state->connp->conn != NULL) - { - start_tx = AppLayerTransactionGetInspectId(f); - if (start_tx == -1) { - goto end; - } + /* inspect files for this transaction */ + det_ctx->tx_id = (uint16_t)tx_id; - /* tx cnt is incremented after request finishes, so we need to inspect - * response one before the lowest. */ - if ((flags & STREAM_TOCLIENT) && start_tx > 0) - start_tx--; - end_tx = (int)list_size(htp_state->connp->conn->transactions); - } - - for (idx = start_tx ; idx < end_tx; idx++) - { - /* inspect files for this transaction */ - det_ctx->tx_id = (uint16_t)idx; - - match = DetectFileInspect(tv, det_ctx, f, s, flags, ffc); - if (match == 1) { - r = 1; - } else if (match == 2) { - if (r != 1) { - SCLogDebug("sid %u can't match on this transaction", s->id); - r = 2; - } - } else if (match == 3) { - if (r != 1) { - SCLogDebug("sid %u can't match on this transaction (filestore sig)", s->id); - r = 3; - } + int match = DetectFileInspect(tv, det_ctx, f, s, flags, ffc); + if (match == 1) { + r = 1; + } else if (match == 2) { + if (r != 1) { + SCLogDebug("sid %u can't match on this transaction", s->id); + r = 2; + } + } else if (match == 3) { + if (r != 1) { + SCLogDebug("sid %u can't match on this transaction (filestore sig)", s->id); + r = 3; } } -end: - FLOWLOCK_UNLOCK(f); - SCReturnInt(r); + return r; } diff --git a/src/detect-engine-hcbd.c b/src/detect-engine-hcbd.c index 1b70206427..45861275fd 100644 --- a/src/detect-engine-hcbd.c +++ b/src/detect-engine-hcbd.c @@ -60,6 +60,27 @@ #define BUFFER_STEP 50 +static inline int HCBDCreateSpace(DetectEngineThreadCtx *det_ctx, uint16_t size) +{ + if (size > det_ctx->hcbd_buffers_size) { + det_ctx->hcbd = SCRealloc(det_ctx->hcbd, (det_ctx->hcbd_buffers_size + BUFFER_STEP) * sizeof(HttpReassembledBody)); + if (det_ctx->hcbd == NULL) { + det_ctx->hcbd_buffers_size = 0; + det_ctx->hcbd_buffers_list_len = 0; + return -1; + } + memset(det_ctx->hcbd + det_ctx->hcbd_buffers_size, 0, BUFFER_STEP * sizeof(HttpReassembledBody)); + det_ctx->hcbd_buffers_size += BUFFER_STEP; + + for (int i = det_ctx->hcbd_buffers_list_len; i < (size); i++) { + det_ctx->hcbd[i].buffer_len = 0; + det_ctx->hcbd[i].offset = 0; + } + } + + return 0; +} + static uint8_t *DetectEngineHCBDGetBufferForTX(int tx_id, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, @@ -67,29 +88,13 @@ static uint8_t *DetectEngineHCBDGetBufferForTX(int tx_id, uint8_t flags, uint32_t *buffer_len) { -#define HCBDCreateSpace(det_ctx, size) do { \ - if (size > det_ctx->hcbd_buffers_size) { \ - det_ctx->hcbd = SCRealloc(det_ctx->hcbd, (det_ctx->hcbd_buffers_size + BUFFER_STEP) * sizeof(HttpReassembledBody)); \ - if (det_ctx->hcbd == NULL) { \ - det_ctx->hcbd_buffers_size = 0; \ - det_ctx->hcbd_buffers_list_len = 0; \ - goto end; \ - } \ - memset(det_ctx->hcbd + det_ctx->hcbd_buffers_size, 0, BUFFER_STEP * sizeof(HttpReassembledBody)); \ - det_ctx->hcbd_buffers_size += BUFFER_STEP; \ - } \ - for (int i = det_ctx->hcbd_buffers_list_len; i < (size); i++) { \ - det_ctx->hcbd[i].buffer_len = 0; \ - det_ctx->hcbd[i].offset = 0; \ - } \ - } while (0) - int index = 0; uint8_t *buffer = NULL; *buffer_len = 0; if (det_ctx->hcbd_buffers_list_len == 0) { - HCBDCreateSpace(det_ctx, 1); + if (HCBDCreateSpace(det_ctx, 1) < 0) + goto end; index = 0; } else { if ((tx_id - det_ctx->hcbd_start_tx_id) < det_ctx->hcbd_buffers_list_len) { @@ -98,7 +103,8 @@ static uint8_t *DetectEngineHCBDGetBufferForTX(int tx_id, return det_ctx->hcbd[(tx_id - det_ctx->hcbd_start_tx_id)].buffer; } } else { - HCBDCreateSpace(det_ctx, (tx_id - det_ctx->hcbd_start_tx_id) + 1); + if (HCBDCreateSpace(det_ctx, (tx_id - det_ctx->hcbd_start_tx_id) + 1) < 0) + goto end; } index = (tx_id - det_ctx->hcbd_start_tx_id); } @@ -213,9 +219,9 @@ static uint8_t *DetectEngineHCBDGetBufferForTX(int tx_id, return buffer; } -int DetectEngineRunHttpClientBodyMpmV2(DetectEngineCtx *de_ctx, - DetectEngineThreadCtx *det_ctx, Flow *f, - HtpState *htp_state, uint8_t flags) +int DetectEngineRunHttpClientBodyMpm(DetectEngineCtx *de_ctx, + DetectEngineThreadCtx *det_ctx, Flow *f, + HtpState *htp_state, uint8_t flags) { uint32_t cnt = 0; @@ -256,65 +262,38 @@ int DetectEngineRunHttpClientBodyMpmV2(DetectEngineCtx *de_ctx, return cnt; } -int DetectEngineInspectHttpClientBodyV2(ThreadVars *tv, - DetectEngineCtx *de_ctx, - DetectEngineThreadCtx *det_ctx, - Signature *s, Flow *f, uint8_t flags, - void *alstate, int tx_id) +int DetectEngineInspectHttpClientBody(ThreadVars *tv, + DetectEngineCtx *de_ctx, + DetectEngineThreadCtx *det_ctx, + Signature *s, Flow *f, uint8_t flags, + void *alstate, int tx_id) { - int r = 0; - HtpState *htp_state = (HtpState *)alstate; - if (htp_state == NULL) { - SCLogDebug("no HTTP state"); - goto end; - } - - FLOWLOCK_WRLOCK(f); - - if (htp_state->connp == NULL || htp_state->connp->conn == NULL) { - SCLogDebug("HTP state has no conn(p)"); - goto end; - } - - /* get the transaction id */ - int idx = AppLayerTransactionGetInspectId(f); - /* error! get out of here */ - if (idx == -1) - goto end; - - int size = (int)list_size(htp_state->connp->conn->transactions); - for (; idx < size; idx++) { - det_ctx->buffer_offset = 0; - det_ctx->discontinue_matching = 0; - det_ctx->inspection_recursion_counter = 0; - - uint32_t buffer_len = 0; - uint8_t *buffer = DetectEngineHCBDGetBufferForTX(idx, - de_ctx, det_ctx, - f, htp_state, - flags, - &buffer_len); - if (buffer_len == 0) - continue; - - r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HCBDMATCH], + uint32_t buffer_len = 0; + uint8_t *buffer = DetectEngineHCBDGetBufferForTX(tx_id, + de_ctx, det_ctx, + f, htp_state, + flags, + &buffer_len); + if (buffer_len == 0) + return 0; + + det_ctx->buffer_offset = 0; + det_ctx->discontinue_matching = 0; + det_ctx->inspection_recursion_counter = 0; + int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HCBDMATCH], f, buffer, buffer_len, DETECT_ENGINE_CONTENT_INSPECTION_MODE_HCBD, NULL); - if (r == 1) { - break; - } - } + if (r == 1) + return 1; - end: - FLOWLOCK_UNLOCK(f); - return r; + return 0; } -void DetectEngineCleanHCBDBuffersV2(DetectEngineThreadCtx *det_ctx) +void DetectEngineCleanHCBDBuffers(DetectEngineThreadCtx *det_ctx) { if (det_ctx->hcbd_buffers_list_len > 0) { for (int i = 0; i < det_ctx->hcbd_buffers_list_len; i++) { diff --git a/src/detect-engine-hcbd.h b/src/detect-engine-hcbd.h index 438b7d441b..791f16df2f 100644 --- a/src/detect-engine-hcbd.h +++ b/src/detect-engine-hcbd.h @@ -27,15 +27,15 @@ #include "app-layer-htp.h" -int DetectEngineRunHttpClientBodyMpmV2(DetectEngineCtx *, - DetectEngineThreadCtx *, Flow *f, - HtpState *, uint8_t); -int DetectEngineInspectHttpClientBodyV2(ThreadVars *tv, - DetectEngineCtx *, - DetectEngineThreadCtx *, - Signature *, Flow *, - uint8_t, void *, int); -void DetectEngineCleanHCBDBuffersV2(DetectEngineThreadCtx *); +int DetectEngineRunHttpClientBodyMpm(DetectEngineCtx *, + DetectEngineThreadCtx *, Flow *f, + HtpState *, uint8_t); +int DetectEngineInspectHttpClientBody(ThreadVars *tv, + DetectEngineCtx *, + DetectEngineThreadCtx *, + Signature *, Flow *, + uint8_t, void *, int); +void DetectEngineCleanHCBDBuffers(DetectEngineThreadCtx *); void DetectEngineHttpClientBodyRegisterTests(void); diff --git a/src/detect-engine-hcd.c b/src/detect-engine-hcd.c index 8a94be7ad3..970119c8df 100644 --- a/src/detect-engine-hcd.c +++ b/src/detect-engine-hcd.c @@ -134,73 +134,40 @@ int DetectEngineInspectHttpCookie(ThreadVars *tv, Signature *s, Flow *f, uint8_t flags, void *alstate, int tx_id) { - SCEnter(); - int r = 0; - HtpState *htp_state = NULL; - htp_tx_t *tx = NULL; - int idx; - - FLOWLOCK_RDLOCK(f); - - htp_state = (HtpState *)alstate; - if (htp_state == NULL) { - SCLogDebug("no HTTP state"); - goto end; - } - - if (htp_state->connp == NULL || htp_state->connp->conn == NULL) { - SCLogDebug("HTP state has no conn(p)"); - goto end; - } - - idx = AppLayerTransactionGetInspectId(f); - if (idx == -1) { - goto end; - } - - int size = (int)list_size(htp_state->connp->conn->transactions); - for (; idx < size; idx++) { - tx = list_get(htp_state->connp->conn->transactions, idx); - if (tx == NULL) - continue; - - htp_header_t *h = NULL; - if (flags & STREAM_TOSERVER) { - h = (htp_header_t *)table_getc(tx->request_headers, - "Cookie"); - if (h == NULL) { - SCLogDebug("HTTP cookie header not present in this request"); - continue; - } - } else { - h = (htp_header_t *)table_getc(tx->response_headers, - "Set-Cookie"); - if (h == NULL) { - SCLogDebug("HTTP Set-Cookie header not present in this request"); - continue; - } + HtpState *htp_state = (HtpState *)alstate; + htp_tx_t *tx = list_get(htp_state->connp->conn->transactions, tx_id); + if (tx == NULL) + return 0; + + htp_header_t *h = NULL; + if (flags & STREAM_TOSERVER) { + h = (htp_header_t *)table_getc(tx->request_headers, + "Cookie"); + if (h == NULL) { + SCLogDebug("HTTP cookie header not present in this request"); + return 0; } + } else { + h = (htp_header_t *)table_getc(tx->response_headers, + "Set-Cookie"); + if (h == NULL) { + SCLogDebug("HTTP Set-Cookie header not present in this request"); + return 0; + } + } - det_ctx->buffer_offset = 0; - det_ctx->discontinue_matching = 0; - det_ctx->inspection_recursion_counter = 0; - - r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HCDMATCH], + det_ctx->buffer_offset = 0; + det_ctx->discontinue_matching = 0; + det_ctx->inspection_recursion_counter = 0; + int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HCDMATCH], f, (uint8_t *)bstr_ptr(h->value), bstr_len(h->value), DETECT_ENGINE_CONTENT_INSPECTION_MODE_HCD, NULL); - //r = DoInspectHttpCookie(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HCDMATCH], - //(uint8_t *)bstr_ptr(h->value), - //bstr_len(h->value)); - if (r == 1) { - break; - } - } + if (r == 1) + return 1; -end: - FLOWLOCK_UNLOCK(f); - SCReturnInt(r); + return 0; } /***********************************Unittests**********************************/ diff --git a/src/detect-engine-hhd.c b/src/detect-engine-hhd.c index 1f77ee98f2..651cde7823 100644 --- a/src/detect-engine-hhd.c +++ b/src/detect-engine-hhd.c @@ -58,6 +58,30 @@ #define BUFFER_STEP 50 +static inline int HHDCreateSpace(DetectEngineThreadCtx *det_ctx, uint16_t size) { + if (size > det_ctx->hhd_buffers_size) { + det_ctx->hhd_buffers = SCRealloc(det_ctx->hhd_buffers, (det_ctx->hhd_buffers_size + BUFFER_STEP) * sizeof(uint8_t *)); + if (det_ctx->hhd_buffers == NULL) { + det_ctx->hhd_buffers_size = 0; + det_ctx->hhd_buffers_list_len = 0; + return -1; + } + memset(det_ctx->hhd_buffers + det_ctx->hhd_buffers_size, 0, BUFFER_STEP * sizeof(uint8_t *)); + det_ctx->hhd_buffers_len = SCRealloc(det_ctx->hhd_buffers_len, (det_ctx->hhd_buffers_size + BUFFER_STEP) * sizeof(uint32_t)); + if (det_ctx->hhd_buffers_len == NULL) { + det_ctx->hhd_buffers_size = 0; + det_ctx->hhd_buffers_list_len = 0; + return -1; + } + memset(det_ctx->hhd_buffers_len + det_ctx->hhd_buffers_size, 0, BUFFER_STEP * sizeof(uint32_t)); + det_ctx->hhd_buffers_size += BUFFER_STEP; + } + memset(det_ctx->hhd_buffers_len + det_ctx->hhd_buffers_list_len, 0, (size - det_ctx->hhd_buffers_list_len) * sizeof(uint32_t)); + + return 0; +} + + static uint8_t *DetectEngineHHDGetBufferForTX(int tx_id, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, @@ -65,32 +89,12 @@ static uint8_t *DetectEngineHHDGetBufferForTX(int tx_id, uint8_t flags, uint32_t *buffer_len) { -#define HHDCreateSpace(det_ctx, size) do { \ - if (size > det_ctx->hhd_buffers_size) { \ - det_ctx->hhd_buffers = SCRealloc(det_ctx->hhd_buffers, (det_ctx->hhd_buffers_size + BUFFER_STEP) * sizeof(uint8_t *)); \ - if (det_ctx->hhd_buffers == NULL) { \ - det_ctx->hhd_buffers_size = 0; \ - det_ctx->hhd_buffers_list_len = 0; \ - goto end; \ - } \ - memset(det_ctx->hhd_buffers + det_ctx->hhd_buffers_size, 0, BUFFER_STEP * sizeof(uint8_t *)); \ - det_ctx->hhd_buffers_len = SCRealloc(det_ctx->hhd_buffers_len, (det_ctx->hhd_buffers_size + BUFFER_STEP) * sizeof(uint32_t)); \ - if (det_ctx->hhd_buffers_len == NULL) { \ - det_ctx->hhd_buffers_size = 0; \ - det_ctx->hhd_buffers_list_len = 0; \ - goto end; \ - } \ - memset(det_ctx->hhd_buffers_len + det_ctx->hhd_buffers_size, 0, BUFFER_STEP * sizeof(uint32_t)); \ - det_ctx->hhd_buffers_size += BUFFER_STEP; \ - } \ - memset(det_ctx->hhd_buffers_len + det_ctx->hhd_buffers_list_len, 0, (size - det_ctx->hhd_buffers_list_len) * sizeof(uint32_t)); \ - } while (0) - int index = 0; *buffer_len = 0; if (det_ctx->hhd_buffers_list_len == 0) { - HHDCreateSpace(det_ctx, 1); + if (HHDCreateSpace(det_ctx, 1) < 0) + goto end; index = 0; } else { if ((tx_id - det_ctx->hhd_start_tx_id) < det_ctx->hhd_buffers_list_len) { @@ -99,7 +103,8 @@ static uint8_t *DetectEngineHHDGetBufferForTX(int tx_id, return det_ctx->hhd_buffers[(tx_id - det_ctx->hhd_start_tx_id)]; } } else { - HHDCreateSpace(det_ctx, (tx_id - det_ctx->hhd_start_tx_id) + 1); + if (HHDCreateSpace(det_ctx, (tx_id - det_ctx->hhd_start_tx_id) + 1) < 0) + goto end; } index = (tx_id - det_ctx->hhd_start_tx_id); } @@ -173,8 +178,8 @@ static uint8_t *DetectEngineHHDGetBufferForTX(int tx_id, return headers_buffer; } -int DetectEngineRunHttpHeaderMpmV2(DetectEngineThreadCtx *det_ctx, Flow *f, - HtpState *htp_state, uint8_t flags) +int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f, + HtpState *htp_state, uint8_t flags) { uint32_t cnt = 0; @@ -215,65 +220,37 @@ int DetectEngineRunHttpHeaderMpmV2(DetectEngineThreadCtx *det_ctx, Flow *f, return cnt; } -int DetectEngineInspectHttpHeaderV2(ThreadVars *tv, - DetectEngineCtx *de_ctx, - DetectEngineThreadCtx *det_ctx, - Signature *s, Flow *f, uint8_t flags, - void *alstate, int tx_id) +int DetectEngineInspectHttpHeader(ThreadVars *tv, + DetectEngineCtx *de_ctx, + DetectEngineThreadCtx *det_ctx, + Signature *s, Flow *f, uint8_t flags, + void *alstate, int tx_id) { - int r = 0; - HtpState *htp_state = (HtpState *)alstate; - - if (htp_state == NULL) { - SCLogDebug("no HTTP state"); - goto end; - } - - FLOWLOCK_WRLOCK(f); - - if (htp_state->connp == NULL || htp_state->connp->conn == NULL) { - SCLogDebug("HTP state has no conn(p)"); - goto end; - } - - /* get the transaction id */ - int idx = AppLayerTransactionGetInspectId(f); - /* error! get out of here */ - if (idx == -1) - goto end; - - int size = (int)list_size(htp_state->connp->conn->transactions); - for (; idx < size; idx++) { - det_ctx->buffer_offset = 0; - det_ctx->discontinue_matching = 0; - det_ctx->inspection_recursion_counter = 0; - - uint32_t buffer_len = 0; - uint8_t *buffer = DetectEngineHHDGetBufferForTX(idx, - de_ctx, det_ctx, - f, htp_state, - flags, - &buffer_len); - if (buffer_len == 0) - continue; - - r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HHDMATCH], + uint32_t buffer_len = 0; + uint8_t *buffer = DetectEngineHHDGetBufferForTX(tx_id, + de_ctx, det_ctx, + f, htp_state, + flags, + &buffer_len); + if (buffer_len == 0) + return 0; + + det_ctx->buffer_offset = 0; + det_ctx->discontinue_matching = 0; + det_ctx->inspection_recursion_counter = 0; + int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HHDMATCH], f, buffer, buffer_len, DETECT_ENGINE_CONTENT_INSPECTION_MODE_HHD, NULL); - if (r == 1) { - break; - } - } + if (r == 1) + return 1; - end: - FLOWLOCK_UNLOCK(f); - return r; + return 0; } -void DetectEngineCleanHHDBuffersV2(DetectEngineThreadCtx *det_ctx) +void DetectEngineCleanHHDBuffers(DetectEngineThreadCtx *det_ctx) { if (det_ctx->hhd_buffers_list_len != 0) { int i; diff --git a/src/detect-engine-hhd.h b/src/detect-engine-hhd.h index 089fb1fe2b..fd248309e9 100644 --- a/src/detect-engine-hhd.h +++ b/src/detect-engine-hhd.h @@ -25,14 +25,14 @@ #include "app-layer-htp.h" -int DetectEngineInspectHttpHeaderV2(ThreadVars *tv, - DetectEngineCtx *de_ctx, - DetectEngineThreadCtx *det_ctx, - Signature *s, Flow *f, uint8_t flags, - void *alstate, int tx_id); -int DetectEngineRunHttpHeaderMpmV2(DetectEngineThreadCtx *det_ctx, Flow *f, - HtpState *htp_state, uint8_t flags); -void DetectEngineCleanHHDBuffersV2(DetectEngineThreadCtx *det_ctx); +int DetectEngineInspectHttpHeader(ThreadVars *tv, + DetectEngineCtx *de_ctx, + DetectEngineThreadCtx *det_ctx, + Signature *s, Flow *f, uint8_t flags, + void *alstate, int tx_id); +int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f, + HtpState *htp_state, uint8_t flags); +void DetectEngineCleanHHDBuffers(DetectEngineThreadCtx *det_ctx); void DetectEngineHttpHeaderRegisterTests(void); diff --git a/src/detect-engine-hmd.c b/src/detect-engine-hmd.c index 391d1d9065..f8d4bbc564 100644 --- a/src/detect-engine-hmd.c +++ b/src/detect-engine-hmd.c @@ -118,57 +118,23 @@ int DetectEngineInspectHttpMethod(ThreadVars *tv, Signature *s, Flow *f, uint8_t flags, void *alstate, int tx_id) { - SCEnter(); - int r = 0; - HtpState *htp_state = NULL; - htp_tx_t *tx = NULL; - int idx; - - FLOWLOCK_RDLOCK(f); - - htp_state = (HtpState *)alstate; - if (htp_state == NULL) { - SCLogDebug("no HTTP state"); - goto end; - } - - if (htp_state->connp == NULL || htp_state->connp->conn == NULL) { - SCLogDebug("HTP state has no conn(p)"); - goto end; - } - - idx = AppLayerTransactionGetInspectId(f); - if (idx == -1) { - goto end; - } - - int size = (int)list_size(htp_state->connp->conn->transactions); - for (; idx < size; idx++) { - - tx = list_get(htp_state->connp->conn->transactions, idx); - if (tx == NULL || tx->request_method == NULL) - continue; - - det_ctx->buffer_offset = 0; - det_ctx->discontinue_matching = 0; - det_ctx->inspection_recursion_counter = 0; - - r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HMDMATCH], + HtpState *htp_state = (HtpState *)alstate; + htp_tx_t *tx = list_get(htp_state->connp->conn->transactions, tx_id); + if (tx == NULL || tx->request_method == NULL) + return 0; + + det_ctx->buffer_offset = 0; + det_ctx->discontinue_matching = 0; + det_ctx->inspection_recursion_counter = 0; + int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HMDMATCH], f, (uint8_t *)bstr_ptr(tx->request_method), bstr_len(tx->request_method), DETECT_ENGINE_CONTENT_INSPECTION_MODE_HMD, NULL); - //r = DoInspectHttpMethod(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HMDMATCH], - //(uint8_t *)bstr_ptr(tx->request_method), - //bstr_len(tx->request_method)); - if (r == 1) { - break; - } - } + if (r == 1) + return 1; -end: - FLOWLOCK_UNLOCK(f); - SCReturnInt(r); + return 0; } /***********************************Unittests**********************************/ diff --git a/src/detect-engine-hrhd.c b/src/detect-engine-hrhd.c index 3b8a471a63..7608c5629a 100644 --- a/src/detect-engine-hrhd.c +++ b/src/detect-engine-hrhd.c @@ -133,67 +133,35 @@ int DetectEngineInspectHttpRawHeader(ThreadVars *tv, Signature *s, Flow *f, uint8_t flags, void *alstate, int tx_id) { - SCEnter(); - int r = 0; - HtpState *htp_state = NULL; - htp_tx_t *tx = NULL; - int idx; - - FLOWLOCK_RDLOCK(f); + HtpState *htp_state = (HtpState *)alstate; + htp_tx_t *tx = list_get(htp_state->connp->conn->transactions, tx_id); + if (tx == NULL) + return 0; - htp_state = (HtpState *)alstate; - if (htp_state == NULL) { - SCLogDebug("no HTTP state"); - goto end; - } - - if (htp_state->connp == NULL || htp_state->connp->conn == NULL) { - SCLogDebug("HTP state has no conn(p)"); - goto end; - } - - idx = AppLayerTransactionGetInspectId(f); - if (idx == -1) { - goto end; + bstr *raw_headers = NULL; + if (flags & STREAM_TOSERVER) { + raw_headers = htp_tx_get_request_headers_raw(tx); } - int size = (int)list_size(htp_state->connp->conn->transactions); - for (; idx < size; idx++) { - - tx = list_get(htp_state->connp->conn->transactions, idx); - if (tx == NULL) - continue; - - bstr *raw_headers = NULL; - if (flags & STREAM_TOSERVER) { - raw_headers = htp_tx_get_request_headers_raw(tx); - } #ifdef HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW - else { - raw_headers = htp_tx_get_response_headers_raw(tx); - } + else { + raw_headers = htp_tx_get_response_headers_raw(tx); + } #endif /* HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW */ - if (raw_headers == NULL) - continue; + if (raw_headers == NULL) + return 0; - det_ctx->buffer_offset = 0; - det_ctx->discontinue_matching = 0; - det_ctx->inspection_recursion_counter = 0; - r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HRHDMATCH], + det_ctx->buffer_offset = 0; + det_ctx->discontinue_matching = 0; + det_ctx->inspection_recursion_counter = 0; + int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HRHDMATCH], f, (uint8_t *)bstr_ptr(raw_headers), bstr_len(raw_headers), DETECT_ENGINE_CONTENT_INSPECTION_MODE_HRHD, NULL); - //r = DoInspectHttpRawHeader(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HRHDMATCH], - //(uint8_t *)bstr_ptr(raw_headers), - //bstr_len(raw_headers)); - if (r == 1) { - break; - } - } + if (r == 1) + return 1; -end: - FLOWLOCK_UNLOCK(f); - SCReturnInt(r); + return 0; } /***********************************Unittests**********************************/ diff --git a/src/detect-engine-hrud.c b/src/detect-engine-hrud.c index 52342a5c11..26a18d41b3 100644 --- a/src/detect-engine-hrud.c +++ b/src/detect-engine-hrud.c @@ -122,67 +122,25 @@ int DetectEngineInspectHttpRawUri(ThreadVars *tv, Signature *s, Flow *f, uint8_t flags, void *alstate, int tx_id) { - SCEnter(); - - int r = 0; - HtpState *htp_state = (HtpState *)alstate; - if (htp_state == NULL) { - SCLogDebug("no HTTP state"); - SCReturnInt(0); - } - - /* locking the flow, we will inspect the htp state */ - FLOWLOCK_RDLOCK(f); - - if (htp_state->connp == NULL || htp_state->connp->conn == NULL) { - SCLogDebug("HTP state has no conn(p)"); - goto end; - } - -#ifdef DEBUG - SigMatch *sm = s->sm_lists[DETECT_SM_LIST_HRUDMATCH]; - DetectContentData *co = (DetectContentData *)sm->ctx; - SCLogDebug("co->id %"PRIu32, co->id); -#endif - - int idx = AppLayerTransactionGetInspectId(f); - if (idx == -1) { - goto end; - } - - htp_tx_t *tx = NULL; - - int size = (int)list_size(htp_state->connp->conn->transactions); - for ( ; idx < size; idx++) - { - tx = list_get(htp_state->connp->conn->transactions, idx); - if (tx == NULL || tx->request_uri == NULL) - continue; - - det_ctx->discontinue_matching = 0; - det_ctx->buffer_offset = 0; - det_ctx->inspection_recursion_counter = 0; - - /* Inspect all the uricontents fetched on each - * transaction at the app layer */ - r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HRUDMATCH], + htp_tx_t *tx = list_get(htp_state->connp->conn->transactions, tx_id); + if (tx == NULL || tx->request_uri == NULL) + return 0; + + det_ctx->discontinue_matching = 0; + det_ctx->buffer_offset = 0; + det_ctx->inspection_recursion_counter = 0; + /* Inspect all the uricontents fetched on each + * transaction at the app layer */ + int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HRUDMATCH], f, (uint8_t *)bstr_ptr(tx->request_uri), bstr_len(tx->request_uri), DETECT_ENGINE_CONTENT_INSPECTION_MODE_HRUD, NULL); - //r = DoInspectHttpRawUri(de_ctx, det_ctx, s, - // s->sm_lists[DETECT_SM_LIST_HRUDMATCH], - // (uint8_t *)bstr_ptr(tx->request_uri), - // bstr_len(tx->request_uri)); - if (r == 1) { - goto end; - } - } + if (r == 1) + return 1; -end: - FLOWLOCK_UNLOCK(f); - SCReturnInt(r); + return 0; } /***********************************Unittests**********************************/ diff --git a/src/detect-engine-hsbd.c b/src/detect-engine-hsbd.c index 0df51cb99b..49b1f46882 100644 --- a/src/detect-engine-hsbd.c +++ b/src/detect-engine-hsbd.c @@ -61,6 +61,27 @@ #define BUFFER_STEP 50 +static inline int HSBDCreateSpace(DetectEngineThreadCtx *det_ctx, uint16_t size) +{ + if (size > det_ctx->hsbd_buffers_size) { + det_ctx->hsbd = SCRealloc(det_ctx->hsbd, (det_ctx->hsbd_buffers_size + BUFFER_STEP) * sizeof(HttpReassembledBody)); + if (det_ctx->hsbd == NULL) { + det_ctx->hsbd_buffers_size = 0; + det_ctx->hsbd_buffers_list_len = 0; + return -1; + } + memset(det_ctx->hsbd + det_ctx->hsbd_buffers_size, 0, BUFFER_STEP * sizeof(HttpReassembledBody)); + det_ctx->hsbd_buffers_size += BUFFER_STEP; + } + for (int i = det_ctx->hsbd_buffers_list_len; i < (size); i++) { + det_ctx->hsbd[i].buffer_len = 0; + det_ctx->hsbd[i].offset = 0; + } + + return 0; +} + + static uint8_t *DetectEngineHSBDGetBufferForTX(int tx_id, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, @@ -68,29 +89,13 @@ static uint8_t *DetectEngineHSBDGetBufferForTX(int tx_id, uint8_t flags, uint32_t *buffer_len) { -#define HSBDCreateSpace(det_ctx, size) do { \ - if (size > det_ctx->hsbd_buffers_size) { \ - det_ctx->hsbd = SCRealloc(det_ctx->hsbd, (det_ctx->hsbd_buffers_size + BUFFER_STEP) * sizeof(HttpReassembledBody)); \ - if (det_ctx->hsbd == NULL) { \ - det_ctx->hsbd_buffers_size = 0; \ - det_ctx->hsbd_buffers_list_len = 0; \ - goto end; \ - } \ - memset(det_ctx->hsbd + det_ctx->hsbd_buffers_size, 0, BUFFER_STEP * sizeof(HttpReassembledBody)); \ - det_ctx->hsbd_buffers_size += BUFFER_STEP; \ - } \ - for (int i = det_ctx->hsbd_buffers_list_len; i < (size); i++) { \ - det_ctx->hsbd[i].buffer_len = 0; \ - det_ctx->hsbd[i].offset = 0; \ - } \ - } while (0) - int index = 0; uint8_t *buffer = NULL; *buffer_len = 0; if (det_ctx->hsbd_buffers_list_len == 0) { - HSBDCreateSpace(det_ctx, 1); + if (HSBDCreateSpace(det_ctx, 1) < 0) + goto end; index = 0; } else { if ((tx_id - det_ctx->hsbd_start_tx_id) < det_ctx->hsbd_buffers_list_len) { @@ -99,7 +104,8 @@ static uint8_t *DetectEngineHSBDGetBufferForTX(int tx_id, return det_ctx->hsbd[(tx_id - det_ctx->hsbd_start_tx_id)].buffer; } } else { - HSBDCreateSpace(det_ctx, (tx_id - det_ctx->hsbd_start_tx_id) + 1); + if (HSBDCreateSpace(det_ctx, (tx_id - det_ctx->hsbd_start_tx_id) + 1) < 0) + goto end; } index = (tx_id - det_ctx->hsbd_start_tx_id); } @@ -214,9 +220,9 @@ static uint8_t *DetectEngineHSBDGetBufferForTX(int tx_id, return buffer; } -int DetectEngineRunHttpServerBodyMpmV2(DetectEngineCtx *de_ctx, - DetectEngineThreadCtx *det_ctx, Flow *f, - HtpState *htp_state, uint8_t flags) +int DetectEngineRunHttpServerBodyMpm(DetectEngineCtx *de_ctx, + DetectEngineThreadCtx *det_ctx, Flow *f, + HtpState *htp_state, uint8_t flags) { uint32_t cnt = 0; @@ -257,65 +263,37 @@ int DetectEngineRunHttpServerBodyMpmV2(DetectEngineCtx *de_ctx, return cnt; } -int DetectEngineInspectHttpServerBodyV2(ThreadVars *tv, - DetectEngineCtx *de_ctx, - DetectEngineThreadCtx *det_ctx, - Signature *s, Flow *f, uint8_t flags, - void *alstate, int tx_id) +int DetectEngineInspectHttpServerBody(ThreadVars *tv, + DetectEngineCtx *de_ctx, + DetectEngineThreadCtx *det_ctx, + Signature *s, Flow *f, uint8_t flags, + void *alstate, int tx_id) { - int r = 0; - HtpState *htp_state = (HtpState *)alstate; - - if (htp_state == NULL) { - SCLogDebug("no HTTP state"); - goto end; - } - - FLOWLOCK_WRLOCK(f); - - if (htp_state->connp == NULL || htp_state->connp->conn == NULL) { - SCLogDebug("HTP state has no conn(p)"); - goto end; - } - - /* get the transaction id */ - int idx = AppLayerTransactionGetInspectId(f); - /* error! get out of here */ - if (idx == -1) - goto end; - - int size = (int)list_size(htp_state->connp->conn->transactions); - for (; idx < size; idx++) { - det_ctx->buffer_offset = 0; - det_ctx->discontinue_matching = 0; - det_ctx->inspection_recursion_counter = 0; - - uint32_t buffer_len = 0; - uint8_t *buffer = DetectEngineHSBDGetBufferForTX(idx, - de_ctx, det_ctx, - f, htp_state, - flags, - &buffer_len); - if (buffer_len == 0) - continue; - - r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HSBDMATCH], + uint32_t buffer_len = 0; + uint8_t *buffer = DetectEngineHSBDGetBufferForTX(tx_id, + de_ctx, det_ctx, + f, htp_state, + flags, + &buffer_len); + if (buffer_len == 0) + return 0; + + det_ctx->buffer_offset = 0; + det_ctx->discontinue_matching = 0; + det_ctx->inspection_recursion_counter = 0; + int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HSBDMATCH], f, buffer, buffer_len, DETECT_ENGINE_CONTENT_INSPECTION_MODE_HSBD, NULL); - if (r == 1) { - break; - } - } + if (r == 1) + return 1; - end: - FLOWLOCK_UNLOCK(f); - return r; + return 0; } -void DetectEngineCleanHSBDBuffersV2(DetectEngineThreadCtx *det_ctx) +void DetectEngineCleanHSBDBuffers(DetectEngineThreadCtx *det_ctx) { if (det_ctx->hsbd_buffers_list_len > 0) { for (int i = 0; i < det_ctx->hsbd_buffers_list_len; i++) { diff --git a/src/detect-engine-hsbd.h b/src/detect-engine-hsbd.h index 22e3c20957..e83838a04d 100644 --- a/src/detect-engine-hsbd.h +++ b/src/detect-engine-hsbd.h @@ -27,15 +27,15 @@ #include "app-layer-htp.h" -int DetectEngineRunHttpServerBodyMpmV2(DetectEngineCtx *de_ctx, - DetectEngineThreadCtx *det_ctx, Flow *f, - HtpState *htp_state, uint8_t flags); -int DetectEngineInspectHttpServerBodyV2(ThreadVars *tv, - DetectEngineCtx *de_ctx, - DetectEngineThreadCtx *det_ctx, - Signature *s, Flow *f, uint8_t flags, - void *alstate, int tx_id); -void DetectEngineCleanHSBDBuffersV2(DetectEngineThreadCtx *det_ctx); +int DetectEngineRunHttpServerBodyMpm(DetectEngineCtx *de_ctx, + DetectEngineThreadCtx *det_ctx, Flow *f, + HtpState *htp_state, uint8_t flags); +int DetectEngineInspectHttpServerBody(ThreadVars *tv, + DetectEngineCtx *de_ctx, + DetectEngineThreadCtx *det_ctx, + Signature *s, Flow *f, uint8_t flags, + void *alstate, int tx_id); +void DetectEngineCleanHSBDBuffers(DetectEngineThreadCtx *det_ctx); void DetectEngineHttpServerBodyRegisterTests(void); diff --git a/src/detect-engine-hscd.c b/src/detect-engine-hscd.c index f82be47e5c..d66268fb58 100644 --- a/src/detect-engine-hscd.c +++ b/src/detect-engine-hscd.c @@ -119,62 +119,24 @@ int DetectEngineInspectHttpStatCode(ThreadVars *tv, Signature *s, Flow *f, uint8_t flags, void *alstate, int tx_id) { - SCEnter(); - - int r = 0; - HtpState *htp_state = (HtpState *)alstate; - if (htp_state == NULL) { - SCLogDebug("no HTTP state"); - SCReturnInt(0); - } - - /* locking the flow, we will inspect the htp state */ - FLOWLOCK_RDLOCK(f); - - if (htp_state->connp == NULL || htp_state->connp->conn == NULL) { - SCLogDebug("HTP state has no conn(p)"); - goto end; - } - -#ifdef DEBUG - SigMatch *sm = s->sm_lists[DETECT_SM_LIST_HSCDMATCH]; - DetectContentData *co = (DetectContentData *)sm->ctx; - SCLogDebug("co->id %"PRIu32, co->id); -#endif - - int idx = AppLayerTransactionGetInspectId(f); - if (idx == -1) { - goto end; - } - - htp_tx_t *tx = NULL; - - int size = (int)list_size(htp_state->connp->conn->transactions); - for ( ; idx < size; idx++) - { - tx = list_get(htp_state->connp->conn->transactions, idx); - if (tx == NULL || tx->response_status == NULL) - continue; - - det_ctx->discontinue_matching = 0; - det_ctx->buffer_offset = 0; - det_ctx->inspection_recursion_counter = 0; - - r = DetectEngineContentInspection(de_ctx, det_ctx, s, + htp_tx_t *tx = list_get(htp_state->connp->conn->transactions, tx_id); + if (tx == NULL || tx->response_status == NULL) + return 0; + + det_ctx->discontinue_matching = 0; + det_ctx->buffer_offset = 0; + det_ctx->inspection_recursion_counter = 0; + int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HSCDMATCH], f, (uint8_t *)bstr_ptr(tx->response_status), bstr_len(tx->response_status), DETECT_ENGINE_CONTENT_INSPECTION_MODE_HSCD, NULL); - if (r == 1) { - goto end; - } - } + if (r == 1) + return 1; -end: - FLOWLOCK_UNLOCK(f); - SCReturnInt(r); + return 0; } /***********************************Unittests**********************************/ diff --git a/src/detect-engine-hsmd.c b/src/detect-engine-hsmd.c index d937a6e8bb..e23948a0da 100644 --- a/src/detect-engine-hsmd.c +++ b/src/detect-engine-hsmd.c @@ -119,62 +119,24 @@ int DetectEngineInspectHttpStatMsg(ThreadVars *tv, Signature *s, Flow *f, uint8_t flags, void *alstate, int tx_id) { - SCEnter(); - - int r = 0; - HtpState *htp_state = (HtpState *)alstate; - if (htp_state == NULL) { - SCLogDebug("no HTTP state"); - SCReturnInt(0); - } - - /* locking the flow, we will inspect the htp state */ - FLOWLOCK_RDLOCK(f); - - if (htp_state->connp == NULL || htp_state->connp->conn == NULL) { - SCLogDebug("HTP state has no conn(p)"); - goto end; - } - -#ifdef DEBUG - SigMatch *sm = s->sm_lists[DETECT_SM_LIST_HSMDMATCH]; - DetectContentData *co = (DetectContentData *)sm->ctx; - SCLogDebug("co->id %"PRIu32, co->id); -#endif - - int idx = AppLayerTransactionGetInspectId(f); - if (idx == -1) { - goto end; - } - - htp_tx_t *tx = NULL; - - int size = (int)list_size(htp_state->connp->conn->transactions); - for ( ; idx < size; idx++) - { - tx = list_get(htp_state->connp->conn->transactions, idx); - if (tx == NULL || tx->response_message == NULL) - continue; - - det_ctx->discontinue_matching = 0; - det_ctx->buffer_offset = 0; - det_ctx->inspection_recursion_counter = 0; - - r = DetectEngineContentInspection(de_ctx, det_ctx, s, + htp_tx_t *tx = list_get(htp_state->connp->conn->transactions, tx_id); + if (tx == NULL || tx->response_message == NULL) + return 0; + + det_ctx->discontinue_matching = 0; + det_ctx->buffer_offset = 0; + det_ctx->inspection_recursion_counter = 0; + int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HSMDMATCH], f, (uint8_t *)bstr_ptr(tx->response_message), bstr_len(tx->response_message), DETECT_ENGINE_CONTENT_INSPECTION_MODE_HSMD, NULL); - if (r == 1) { - goto end; - } - } + if (r == 1) + return 1; -end: - FLOWLOCK_UNLOCK(f); - SCReturnInt(r); + return 0; } /***********************************Unittests**********************************/ diff --git a/src/detect-engine-hua.c b/src/detect-engine-hua.c index 9cee91303e..abe17023b0 100644 --- a/src/detect-engine-hua.c +++ b/src/detect-engine-hua.c @@ -125,61 +125,30 @@ int DetectEngineInspectHttpUA(ThreadVars *tv, Signature *s, Flow *f, uint8_t flags, void *alstate, int tx_id) { - SCEnter(); - - int r = 0; - HtpState *htp_state = NULL; - htp_tx_t *tx = NULL; - int idx; - - FLOWLOCK_RDLOCK(f); - - htp_state = (HtpState *)alstate; - if (htp_state == NULL) { - SCLogDebug("no HTTP state"); - goto end; - } - - if (htp_state->connp == NULL || htp_state->connp->conn == NULL) { - SCLogDebug("HTP state has no conn(p)"); - goto end; - } - - idx = AppLayerTransactionGetInspectId(f); - if (idx == -1) { - goto end; + HtpState *htp_state = (HtpState *)alstate; + htp_tx_t *tx = list_get(htp_state->connp->conn->transactions, tx_id); + if (tx == NULL) + return 0; + + htp_header_t *h = (htp_header_t *)table_getc(tx->request_headers, + "User-Agent"); + if (h == NULL) { + SCLogDebug("HTTP user agent header not present in this request"); + return 0; } - int size = (int)list_size(htp_state->connp->conn->transactions); - for (; idx < size; idx++) { - tx = list_get(htp_state->connp->conn->transactions, idx); - if (tx == NULL) - continue; - - htp_header_t *h = (htp_header_t *)table_getc(tx->request_headers, - "User-Agent"); - if (h == NULL) { - SCLogDebug("HTTP user agent header not present in this request"); - continue; - } - - det_ctx->buffer_offset = 0; - det_ctx->discontinue_matching = 0; - det_ctx->inspection_recursion_counter = 0; - - r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HUADMATCH], + det_ctx->buffer_offset = 0; + det_ctx->discontinue_matching = 0; + det_ctx->inspection_recursion_counter = 0; + int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HUADMATCH], f, (uint8_t *)bstr_ptr(h->value), bstr_len(h->value), DETECT_ENGINE_CONTENT_INSPECTION_MODE_HUAD, NULL); - if (r == 1) { - break; - } - } + if (r == 1) + return 1; -end: - FLOWLOCK_UNLOCK(f); - SCReturnInt(r); + return 0; } /***********************************Unittests**********************************/ diff --git a/src/detect-engine-state.c b/src/detect-engine-state.c index 16465b1d39..a6fc7a9948 100644 --- a/src/detect-engine-state.c +++ b/src/detect-engine-state.c @@ -409,198 +409,47 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, /* Check the uricontent, http client body, http header keywords here */ if (alproto == ALPROTO_HTTP) { - if (flags & STREAM_TOSERVER) { - if (s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_URI_INSPECT; + FLOWLOCK_WRLOCK(f); - SCLogDebug("inspecting uri"); - - if (DetectEngineInspectPacketUris(tv, de_ctx, det_ctx, s, f, - flags, alstate, 0) == 1) - { - SCLogDebug("uri matched"); - match_flags |= DE_STATE_FLAG_URI_MATCH; - } else { - SCLogDebug("uri inspected but no match"); - } - } - if (s->sm_lists[DETECT_SM_LIST_HCBDMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_HCBD_INSPECT; - if (DetectEngineInspectHttpClientBodyV2(tv, de_ctx, det_ctx, s, f, - flags, alstate, 0) == 1) { - match_flags |= DE_STATE_FLAG_HCBD_MATCH; - } - SCLogDebug("inspecting http client body"); - } - /* not inspecting in toserver direction */ - if (s->sm_lists[DETECT_SM_LIST_HSBDMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_HSBD_INSPECT; - } - if (s->sm_lists[DETECT_SM_LIST_HHDMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_HHD_INSPECT; - if (DetectEngineInspectHttpHeaderV2(tv, de_ctx, det_ctx, s, f, - flags, alstate, 0) == 1) { - match_flags |= DE_STATE_FLAG_HHD_MATCH; - } - SCLogDebug("inspecting http header"); - } - if (s->sm_lists[DETECT_SM_LIST_HRHDMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_HRHD_INSPECT; - if (DetectEngineInspectHttpRawHeader(tv, de_ctx, det_ctx, s, f, - flags, alstate, 0) == 1) { - match_flags |= DE_STATE_FLAG_HRHD_MATCH; - } - SCLogDebug("inspecting http raw header"); - } - if (s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_HMD_INSPECT; - if (DetectEngineInspectHttpMethod(tv, de_ctx, det_ctx, s, f, - flags, alstate, 0) == 1) { - match_flags |= DE_STATE_FLAG_HMD_MATCH; - } - SCLogDebug("inspecting http method"); - } - if (s->sm_lists[DETECT_SM_LIST_HCDMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_HCD_INSPECT; - if (DetectEngineInspectHttpCookie(tv, de_ctx, det_ctx, s, f, - flags, alstate, 0) == 1) { - match_flags |= DE_STATE_FLAG_HCD_MATCH; - } - SCLogDebug("inspecting http cookie"); - } - if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_HRUD_INSPECT; - if (DetectEngineInspectHttpRawUri(tv, de_ctx, det_ctx, s, f, - flags, alstate, 0) == 1) { - match_flags |= DE_STATE_FLAG_HRUD_MATCH; - } - SCLogDebug("inspecting http raw uri"); - } + HtpState *htp_state = (HtpState *)alstate; + if (htp_state->connp == NULL || htp_state->connp->conn == NULL) { + SCLogDebug("HTP state has no conn(p)"); + FLOWLOCK_UNLOCK(f); + SCReturnInt(0); + } - if (s->sm_lists[DETECT_SM_LIST_FILEMATCH] != NULL) { - SCLogDebug("file inspection"); - if (match_flags == inspect_flags) { - SCLogDebug("ready to inspect files"); - inspect_flags |= DE_STATE_FLAG_FILE_TS_INSPECT; + int tx_id = AppLayerTransactionGetInspectId(f); + if (tx_id == -1) { + FLOWLOCK_UNLOCK(f); + SCReturnInt(0); + } - match = DetectFileInspectHttp(tv, de_ctx, det_ctx, s, f, flags, alstate, 0); - if (match == 1) { - match_flags |= DE_STATE_FLAG_FILE_TS_MATCH; - } else if (match == 2) { - match_flags |= DE_STATE_FLAG_SIG_CANT_MATCH; - } else if (match == 3) { - match_flags |= DE_STATE_FLAG_SIG_CANT_MATCH; - file_no_match++; - } - } else { - SCLogDebug("skipping file inspection as we're not yet done with the other inspection"); - } - } - /* not inspecting in toserver direction */ - if (s->sm_lists[DETECT_SM_LIST_HSMDMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_HSMD_INSPECT; - } - /* not inspecting in toserver direction */ - if (s->sm_lists[DETECT_SM_LIST_HSCDMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_HSCD_INSPECT; - } - if (s->sm_lists[DETECT_SM_LIST_HUADMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_HUAD_INSPECT; - if (DetectEngineInspectHttpUA(tv, de_ctx, det_ctx, s, f, - flags, alstate, 0) == 1) { - match_flags |= DE_STATE_FLAG_HUAD_MATCH; - } - SCLogDebug("inspecting http cookie"); - } - } else if (flags & STREAM_TOCLIENT) { - /* For to client set the flags in inspect so it can't match - * if the sig requires something only the request has. The rest - * will be inspected in the opposite direction. */ - if (s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_URI_INSPECT; - } - if (s->sm_lists[DETECT_SM_LIST_HCBDMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_HCBD_INSPECT; - } - if (s->sm_lists[DETECT_SM_LIST_HSBDMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_HSBD_INSPECT; - if (DetectEngineInspectHttpServerBodyV2(tv, de_ctx, det_ctx, s, f, - flags, alstate, 0) == 1) { - match_flags |= DE_STATE_FLAG_HSBD_MATCH; - } - SCLogDebug("inspecting http server body"); - } - if (s->sm_lists[DETECT_SM_LIST_HHDMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_HHD_INSPECT; - if (DetectEngineInspectHttpHeaderV2(tv, de_ctx, det_ctx, s, f, - flags, alstate, 0) == 1) { - match_flags |= DE_STATE_FLAG_HHD_MATCH; - } - SCLogDebug("inspecting http header"); - } - if (s->sm_lists[DETECT_SM_LIST_HRHDMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_HRHD_INSPECT; - if (DetectEngineInspectHttpRawHeader(tv, de_ctx, det_ctx, s, f, - flags, alstate, 0) == 1) { - match_flags |= DE_STATE_FLAG_HRHD_MATCH; - } - SCLogDebug("inspecting http raw header"); - } - if (s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_HMD_INSPECT; - } - if (s->sm_lists[DETECT_SM_LIST_HCDMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_HCD_INSPECT; - if (DetectEngineInspectHttpCookie(tv, de_ctx, det_ctx, s, f, - flags, alstate, 0) == 1) { - match_flags |= DE_STATE_FLAG_HCD_MATCH; - } - SCLogDebug("inspecting http cookie"); - } - if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_HRUD_INSPECT; - } - if (s->sm_lists[DETECT_SM_LIST_FILEMATCH] != NULL) { - SCLogDebug("file inspection"); - if (match_flags == inspect_flags) { - SCLogDebug("ready to inspect files"); - - inspect_flags |= DE_STATE_FLAG_FILE_TC_INSPECT; - - match = DetectFileInspectHttp(tv, de_ctx, det_ctx, s, f, flags, alstate, 0); - SCLogDebug("match %d", match); - if (match == 1) { - match_flags |= DE_STATE_FLAG_FILE_TC_MATCH; - } else if (match == 2) { + int total_txs = (int)list_size(htp_state->connp->conn->transactions); + for ( ; tx_id < total_txs; tx_id++) { + DetectEngineAppInspectionEngine *engine = + app_inspection_engine[ALPROTO_HTTP][(flags & STREAM_TOSERVER) ? 0 : 1]; + while (engine != NULL) { + if (s->sm_lists[engine->sm_list] != NULL) { + inspect_flags |= engine->inspect_flags; + int r = engine->Callback(tv, de_ctx, det_ctx, s, f, + flags, alstate, tx_id); + if (r == 1) { + match_flags |= engine->match_flags; + } else if (r == 2) { match_flags |= DE_STATE_FLAG_SIG_CANT_MATCH; - } else if (match == 3) { + } else if (r == 3) { match_flags |= DE_STATE_FLAG_SIG_CANT_MATCH; file_no_match++; } - } else { - SCLogDebug("skipping file inspection as we're not yet done with the other inspection"); - } - } - if (s->sm_lists[DETECT_SM_LIST_HSMDMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_HSMD_INSPECT; - if (DetectEngineInspectHttpStatMsg(tv, de_ctx, det_ctx, s, f, - flags, alstate, 0) == 1) { - match_flags |= DE_STATE_FLAG_HSMD_MATCH; } - SCLogDebug("inspecting http stat msg"); - } - if (s->sm_lists[DETECT_SM_LIST_HSCDMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_HSCD_INSPECT; - if (DetectEngineInspectHttpStatCode(tv, de_ctx, det_ctx, s, f, - flags, alstate, 0) == 1) { - match_flags |= DE_STATE_FLAG_HSCD_MATCH; - } - SCLogDebug("inspecting http stat code"); - } - if (s->sm_lists[DETECT_SM_LIST_HUADMATCH] != NULL) { - inspect_flags |= DE_STATE_FLAG_HUAD_INSPECT; + engine = engine->next; } + if (inspect_flags == match_flags) + break; } + + FLOWLOCK_UNLOCK(f); + } else if (alproto == ALPROTO_DCERPC || alproto == ALPROTO_SMB || alproto == ALPROTO_SMB2) { if (s->sm_lists[DETECT_SM_LIST_DMATCH] != NULL) { inspect_flags |= DE_STATE_FLAG_DCE_INSPECT; @@ -809,266 +658,47 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete /* let's continue detection */ /* first, check uricontent */ - if (alproto == ALPROTO_HTTP && (flags & STREAM_TOSERVER)) { - if (s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL) { - if (!(item->flags & DE_STATE_FLAG_URI_MATCH)) { - SCLogDebug("inspecting uri"); - inspect_flags |= DE_STATE_FLAG_URI_INSPECT; - - if (DetectEngineInspectPacketUris(tv, de_ctx, det_ctx, s, - f, flags, alstate, 0) == 1) - { - SCLogDebug("uri matched"); - match_flags |= DE_STATE_FLAG_URI_MATCH; - } else { - SCLogDebug("uri inspected but no match"); - } - } else { - SCLogDebug("uri already inspected"); - } - } - if (s->sm_lists[DETECT_SM_LIST_HCBDMATCH] != NULL) { - if (!(item->flags & DE_STATE_FLAG_HCBD_MATCH)) { - SCLogDebug("inspecting http client body data"); - inspect_flags |= DE_STATE_FLAG_HCBD_INSPECT; - - if (DetectEngineInspectHttpClientBodyV2(tv, de_ctx, det_ctx, s, f, - flags, alstate, 0) == 1) { - SCLogDebug("http client body matched"); - match_flags |= DE_STATE_FLAG_HCBD_MATCH; - } - } - } - /* not inspecting in toserver direction */ - if (s->sm_lists[DETECT_SM_LIST_HSBDMATCH] != NULL) { - if (!(item->flags & DE_STATE_FLAG_HSBD_MATCH)) { - inspect_flags |= DE_STATE_FLAG_HSBD_INSPECT; - } - } - if (s->sm_lists[DETECT_SM_LIST_HHDMATCH] != NULL) { - if (!(item->flags & DE_STATE_FLAG_HHD_MATCH)) { - SCLogDebug("inspecting http header data"); - inspect_flags |= DE_STATE_FLAG_HHD_INSPECT; - - if (DetectEngineInspectHttpHeaderV2(tv, de_ctx, det_ctx, s, f, - flags, alstate, 0) == 1) { - SCLogDebug("http header matched"); - match_flags |= DE_STATE_FLAG_HHD_MATCH; - } - } - } - if (s->sm_lists[DETECT_SM_LIST_HRHDMATCH] != NULL) { - if (!(item->flags & DE_STATE_FLAG_HRHD_MATCH)) { - SCLogDebug("inspecting http raw header data"); - inspect_flags |= DE_STATE_FLAG_HRHD_INSPECT; - - if (DetectEngineInspectHttpRawHeader(tv, de_ctx, det_ctx, s, f, - flags, alstate, 0) == 1) { - SCLogDebug("http raw header matched"); - match_flags |= DE_STATE_FLAG_HRHD_MATCH; - } - } - } - if (s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL) { - if (!(item->flags & DE_STATE_FLAG_HMD_MATCH)) { - SCLogDebug("inspecting http method data"); - inspect_flags |= DE_STATE_FLAG_HMD_INSPECT; - - if (DetectEngineInspectHttpMethod(tv, de_ctx, det_ctx, s, f, - flags, alstate, 0) == 1) { - SCLogDebug("http method matched"); - match_flags |= DE_STATE_FLAG_HMD_MATCH; - } - } + if (alproto == ALPROTO_HTTP) { + FLOWLOCK_WRLOCK(f); + + HtpState *htp_state = (HtpState *)alstate; + if (htp_state->connp == NULL || htp_state->connp->conn == NULL) { + SCLogDebug("HTP state has no conn(p)"); + FLOWLOCK_UNLOCK(f); + SCReturnInt(0); } - if (s->sm_lists[DETECT_SM_LIST_HCDMATCH] != NULL) { - if (!(item->flags & DE_STATE_FLAG_HCD_MATCH)) { - SCLogDebug("inspecting http cookie data"); - inspect_flags |= DE_STATE_FLAG_HCD_INSPECT; - - if (DetectEngineInspectHttpCookie(tv, de_ctx, det_ctx, s, f, - flags, alstate, 0) == 1) { - SCLogDebug("http cookie matched"); - match_flags |= DE_STATE_FLAG_HCD_MATCH; - } - } - } - if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL) { - if (!(item->flags & DE_STATE_FLAG_HRUD_MATCH)) { - SCLogDebug("inspecting http raw uri data"); - inspect_flags |= DE_STATE_FLAG_HRUD_INSPECT; - - if (DetectEngineInspectHttpRawUri(tv, de_ctx, det_ctx, s, f, - flags, alstate, 0) == 1) { - SCLogDebug("http raw uri matched"); - match_flags |= DE_STATE_FLAG_HRUD_MATCH; - } - } - } - - if (s->sm_lists[DETECT_SM_LIST_FILEMATCH] != NULL) { - if (!(item->flags & DE_STATE_FLAG_FILE_TS_MATCH)) { - SCLogDebug("file inspection"); - if (match_flags == inspect_flags) { - SCLogDebug("ready to inspect files"); - - inspect_flags |= DE_STATE_FLAG_FILE_TS_INSPECT; - match = DetectFileInspectHttp(tv, de_ctx, det_ctx, s, f, flags, alstate, 0); - if (match == 1) { - match_flags |= DE_STATE_FLAG_FILE_TS_MATCH; - } else if (match == 2) { - match_flags |= DE_STATE_FLAG_SIG_CANT_MATCH; - } else if (match == 3) { - match_flags |= DE_STATE_FLAG_SIG_CANT_MATCH; - file_no_match++; - } - } else { - SCLogDebug("skipping file inspection as we're not yet done with the other inspection"); - } - } - } - /* not inspecting in toserver direction */ - if (s->sm_lists[DETECT_SM_LIST_HSMDMATCH] != NULL) { - if (!(item->flags & DE_STATE_FLAG_HSMD_MATCH)) { - inspect_flags |= DE_STATE_FLAG_HSMD_INSPECT; - } - } - /* not inspecting in toserver direction */ - if (s->sm_lists[DETECT_SM_LIST_HSCDMATCH] != NULL) { - if (!(item->flags & DE_STATE_FLAG_HSCD_MATCH)) { - inspect_flags |= DE_STATE_FLAG_HSCD_INSPECT; - } - } - if (s->sm_lists[DETECT_SM_LIST_HUADMATCH] != NULL) { - if (!(item->flags & DE_STATE_FLAG_HUAD_MATCH)) { - SCLogDebug("inspecting http user agent data"); - inspect_flags |= DE_STATE_FLAG_HUAD_INSPECT; - - if (DetectEngineInspectHttpUA(tv, de_ctx, det_ctx, s, f, - flags, alstate, 0) == 1) { - SCLogDebug("http user agent matched"); - match_flags |= DE_STATE_FLAG_HUAD_MATCH; - } - } - } - } else if (alproto == ALPROTO_HTTP && (flags & STREAM_TOCLIENT)) { - /* For to client set the flags in inspect so it can't match - * if the sig requires something only the request has. The rest - * will be inspected in the opposite direction. */ - if (s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL) { - if (!(item->flags & DE_STATE_FLAG_URI_MATCH)) { - inspect_flags |= DE_STATE_FLAG_URI_INSPECT; - } - } - if (s->sm_lists[DETECT_SM_LIST_HCBDMATCH] != NULL) { - if (!(item->flags & DE_STATE_FLAG_HCBD_MATCH)) { - inspect_flags |= DE_STATE_FLAG_HCBD_INSPECT; - } - } - if (s->sm_lists[DETECT_SM_LIST_HSBDMATCH] != NULL) { - if (!(item->flags & DE_STATE_FLAG_HSBD_MATCH)) { - SCLogDebug("inspecting http server body data"); - inspect_flags |= DE_STATE_FLAG_HSBD_INSPECT; - - if (DetectEngineInspectHttpServerBodyV2(tv, de_ctx, det_ctx, s, f, - flags, alstate, 0) == 1) { - SCLogDebug("http server body matched"); - match_flags |= DE_STATE_FLAG_HSBD_MATCH; - } - } - } - if (s->sm_lists[DETECT_SM_LIST_HHDMATCH] != NULL) { - if (!(item->flags & DE_STATE_FLAG_HHD_MATCH)) { - inspect_flags |= DE_STATE_FLAG_HHD_INSPECT; - if (DetectEngineInspectHttpHeaderV2(tv, de_ctx, det_ctx, s, f, - flags, alstate, 0) == 1) { - match_flags |= DE_STATE_FLAG_HHD_MATCH; - } - } - SCLogDebug("inspecting http header"); - } - if (s->sm_lists[DETECT_SM_LIST_HRHDMATCH] != NULL) { - if (!(item->flags & DE_STATE_FLAG_HRHD_MATCH)) { - inspect_flags |= DE_STATE_FLAG_HRHD_INSPECT; - if (DetectEngineInspectHttpRawHeader(tv, de_ctx, det_ctx, s, f, - flags, alstate, 0) == 1) { - match_flags |= DE_STATE_FLAG_HRHD_MATCH; - } - SCLogDebug("inspecting http raw header"); - } + int tx_id = AppLayerTransactionGetInspectId(f); + if (tx_id == -1) { + FLOWLOCK_UNLOCK(f); + SCReturnInt(0); } - if (s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL) { - if (!(item->flags & DE_STATE_FLAG_HMD_MATCH)) { - inspect_flags |= DE_STATE_FLAG_HMD_INSPECT; - } - } - if (s->sm_lists[DETECT_SM_LIST_HCDMATCH] != NULL) { - if (!(item->flags & DE_STATE_FLAG_HCD_MATCH)) { - inspect_flags |= DE_STATE_FLAG_HCD_INSPECT; - if (DetectEngineInspectHttpCookie(tv, de_ctx, det_ctx, s, f, - flags, alstate, 0) == 1) { - match_flags |= DE_STATE_FLAG_HCD_MATCH; - } - SCLogDebug("inspecting http cookie"); - } - } - if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL) { - if (!(item->flags & DE_STATE_FLAG_HRUD_MATCH)) { - inspect_flags |= DE_STATE_FLAG_HRUD_INSPECT; - } - } - if (s->sm_lists[DETECT_SM_LIST_FILEMATCH] != NULL) { - if (!(item->flags & DE_STATE_FLAG_FILE_TC_MATCH)) { - SCLogDebug("file inspection"); - if (match_flags == inspect_flags) { - SCLogDebug("ready to inspect files"); - - inspect_flags |= DE_STATE_FLAG_FILE_TC_INSPECT; - - match = DetectFileInspectHttp(tv, de_ctx, det_ctx, s, f, flags, alstate, 0); - if (match == 1) { - match_flags |= DE_STATE_FLAG_FILE_TC_MATCH; - } else if (match == 2) { + + int total_txs = (int)list_size(htp_state->connp->conn->transactions); + for ( ; tx_id < total_txs; tx_id++) { + DetectEngineAppInspectionEngine *engine = + app_inspection_engine[ALPROTO_HTTP][(flags & STREAM_TOSERVER) ? 0 : 1]; + while (engine != NULL) { + if (s->sm_lists[engine->sm_list] != NULL && !(item->flags & engine->match_flags)) { + inspect_flags |= engine->inspect_flags; + int r = engine->Callback(tv, de_ctx, det_ctx, s, f, + flags, alstate, tx_id); + if (r == 1) { + match_flags |= engine->match_flags; + } else if (r == 2) { match_flags |= DE_STATE_FLAG_SIG_CANT_MATCH; - } else if (match == 3) { + } else if (r == 3) { match_flags |= DE_STATE_FLAG_SIG_CANT_MATCH; file_no_match++; } - } else { - SCLogDebug("skipping file inspection as we're not yet done with the other inspection"); - } - } - } - if (s->sm_lists[DETECT_SM_LIST_HSMDMATCH] != NULL) { - if (!(item->flags & DE_STATE_FLAG_HSMD_MATCH)) { - SCLogDebug("inspecting http stat msg data"); - inspect_flags |= DE_STATE_FLAG_HSMD_INSPECT; - - if (DetectEngineInspectHttpStatMsg(tv, de_ctx, det_ctx, s, f, - flags, alstate, 0) == 1) { - SCLogDebug("http stat msg matched"); - match_flags |= DE_STATE_FLAG_HSMD_MATCH; } + engine = engine->next; } + if (inspect_flags == match_flags) + break; } - if (s->sm_lists[DETECT_SM_LIST_HSCDMATCH] != NULL) { - if (!(item->flags & DE_STATE_FLAG_HSCD_MATCH)) { - SCLogDebug("inspecting http stat code data"); - inspect_flags |= DE_STATE_FLAG_HSCD_INSPECT; - - if (DetectEngineInspectHttpStatCode(tv, de_ctx, det_ctx, s, f, - flags, alstate, 0) == 1) { - SCLogDebug("http stat code matched"); - match_flags |= DE_STATE_FLAG_HSCD_MATCH; - } - } - } - if (s->sm_lists[DETECT_SM_LIST_HUADMATCH] != NULL) { - if (!(item->flags & DE_STATE_FLAG_HUAD_MATCH)) { - inspect_flags |= DE_STATE_FLAG_HUAD_INSPECT; - } - } + + FLOWLOCK_UNLOCK(f); } else if (alproto == ALPROTO_DCERPC || alproto == ALPROTO_SMB || alproto == ALPROTO_SMB2) { if (s->sm_lists[DETECT_SM_LIST_DMATCH] != NULL) { diff --git a/src/detect-engine-uri.c b/src/detect-engine-uri.c index e7979282b3..9633fefad3 100644 --- a/src/detect-engine-uri.c +++ b/src/detect-engine-uri.c @@ -65,72 +65,31 @@ int DetectEngineInspectPacketUris(ThreadVars *tv, Signature *s, Flow *f, uint8_t flags, void *alstate, int tx_id) { - SCEnter(); - int r = 0; - HtpState *htp_state = NULL; + HtpState *htp_state = (HtpState *)alstate; - htp_state = (HtpState *)alstate; - if (htp_state == NULL) { - SCLogDebug("no HTTP state"); - SCReturnInt(0); - } - - /* locking the flow, we will inspect the htp state */ - FLOWLOCK_RDLOCK(f); + htp_tx_t *tx = list_get(htp_state->connp->conn->transactions, tx_id); + if (tx == NULL || tx->request_uri_normalized == NULL) + return 0; - if (htp_state->connp == NULL || htp_state->connp->conn == NULL) { - SCLogDebug("HTP state has no conn(p)"); - goto end; - } + det_ctx->discontinue_matching = 0; + det_ctx->buffer_offset = 0; + det_ctx->inspection_recursion_counter = 0; -#ifdef DEBUG - SigMatch *sm = s->sm_lists[DETECT_SM_LIST_UMATCH]; - DetectContentData *co = (DetectContentData *)sm->ctx; - SCLogDebug("co->id %"PRIu32, co->id); -#endif - - int idx = AppLayerTransactionGetInspectId(f); - if (idx == -1) { - goto end; - } + //PrintRawDataFp(stdout, (uint8_t *)bstr_ptr(tx->request_uri_normalized), + // bstr_len(tx->request_uri_normalized)); - htp_tx_t *tx = NULL; - - int size = (int)list_size(htp_state->connp->conn->transactions); - for ( ; idx < size; idx++) - { - tx = list_get(htp_state->connp->conn->transactions, idx); - if (tx == NULL || tx->request_uri_normalized == NULL) - continue; - - det_ctx->discontinue_matching = 0; - det_ctx->buffer_offset = 0; - det_ctx->inspection_recursion_counter = 0; - - //PrintRawDataFp(stdout, (uint8_t *)bstr_ptr(tx->request_uri_normalized), - // bstr_len(tx->request_uri_normalized)); - - /* Inspect all the uricontents fetched on each - * transaction at the app layer */ - r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_UMATCH], + /* Inspect all the uricontents fetched on each + * transaction at the app layer */ + int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_UMATCH], f, (uint8_t *)bstr_ptr(tx->request_uri_normalized), bstr_len(tx->request_uri_normalized), DETECT_ENGINE_CONTENT_INSPECTION_MODE_URI, NULL); - //r = DoInspectPacketUri(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_UMATCH], - //(uint8_t *)bstr_ptr(tx->request_uri_normalized), - //bstr_len(tx->request_uri_normalized)); - if (r == 1) { - break; - } + if (r == 1) { + return 1; } - if (r < 1) - r = 0; - -end: - FLOWLOCK_UNLOCK(f); - SCReturnInt(r); + return 0; } /***********************************Unittests**********************************/ diff --git a/src/detect-engine.c b/src/detect-engine.c index 826302933f..c91c5975ab 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -42,7 +42,21 @@ #include "detect-engine-iponly.h" #include "detect-engine-tag.h" +#include "detect-engine-uri.h" +#include "detect-engine-hcbd.h" +#include "detect-engine-hsbd.h" +#include "detect-engine-hhd.h" +#include "detect-engine-hrhd.h" +#include "detect-engine-hmd.h" +#include "detect-engine-hcd.h" +#include "detect-engine-hrud.h" +#include "detect-engine-hsmd.h" +#include "detect-engine-hscd.h" +#include "detect-engine-hua.h" +#include "detect-engine-file.h" + #include "detect-engine.h" +#include "detect-engine-state.h" #include "detect-byte-extract.h" #include "detect-content.h" @@ -64,6 +78,7 @@ #include "util-var-name.h" #include "tm-threads.h" +#include "runmodes.h" #ifdef PROFILING #include "util-profiling.h" @@ -77,6 +92,256 @@ static TmEcode DetectEngineThreadCtxInitForLiveRuleSwap(ThreadVars *, void *, vo static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *); +/* 2 - for each direction */ +DetectEngineAppInspectionEngine *app_inspection_engine[ALPROTO_MAX][2]; + +#if 0 + +static void DetectEnginePrintAppInspectionEngines(DetectEngineAppInspectionEngine *list[][2]) +{ + printf("\n"); + + uint16_t alproto = ALPROTO_UNKNOWN + 1; + for ( ; alproto < ALPROTO_MAX; alproto++) { + printf("alproto - %d\n", alproto); + int dir = 0; + for ( ; dir < 2; dir++) { + printf(" direction - %d\n", dir); + DetectEngineAppInspectionEngine *engine = list[alproto][dir]; + while (engine != NULL) { + printf(" engine->alproto - %"PRIu16"\n", engine->alproto); + printf(" engine->dir - %"PRIu16"\n", engine->dir); + printf(" engine->sm_list - %d\n", engine->sm_list); + printf(" engine->inspect_flags - %"PRIu32"\n", engine->inspect_flags); + printf(" engine->match_flags - %"PRIu32"\n", engine->match_flags); + printf("\n"); + + engine = engine->next; + } + } /* for ( ; dir < 2; dir++) */ + } /* for ( ; alproto < ALPROTO_MAX; alproto++) */ + + return; +} + +#endif + +void DetectEngineRegisterAppInspectionEngines(void) +{ + struct tmp_t { + uint16_t alproto; + int32_t sm_list; + uint32_t inspect_flags; + uint32_t match_flags; + uint16_t dir; + int (*Callback)(ThreadVars *tv, + DetectEngineCtx *de_ctx, + DetectEngineThreadCtx *det_ctx, + Signature *sig, Flow *f, + uint8_t flags, void *alstate, + int32_t tx_id); + + }; + + struct tmp_t data_toserver[] = { + { ALPROTO_HTTP, + DETECT_SM_LIST_UMATCH, + DE_STATE_FLAG_URI_INSPECT, + DE_STATE_FLAG_URI_MATCH, + 0, + DetectEngineInspectPacketUris }, + { ALPROTO_HTTP, + DETECT_SM_LIST_HCBDMATCH, + DE_STATE_FLAG_HCBD_INSPECT, + DE_STATE_FLAG_HCBD_MATCH, + 0, + DetectEngineInspectHttpClientBody }, + { ALPROTO_HTTP, + DETECT_SM_LIST_HHDMATCH, + DE_STATE_FLAG_HHD_INSPECT, + DE_STATE_FLAG_HHD_MATCH, + 0, + DetectEngineInspectHttpHeader }, + { ALPROTO_HTTP, + DETECT_SM_LIST_HRHDMATCH, + DE_STATE_FLAG_HRHD_INSPECT, + DE_STATE_FLAG_HRHD_MATCH, + 0, + DetectEngineInspectHttpRawHeader }, + { ALPROTO_HTTP, + DETECT_SM_LIST_HMDMATCH, + DE_STATE_FLAG_HMD_INSPECT, + DE_STATE_FLAG_HMD_MATCH, + 0, + DetectEngineInspectHttpMethod }, + { ALPROTO_HTTP, + DETECT_SM_LIST_HCDMATCH, + DE_STATE_FLAG_HCD_INSPECT, + DE_STATE_FLAG_HCD_MATCH, + 0, + DetectEngineInspectHttpCookie }, + { ALPROTO_HTTP, + DETECT_SM_LIST_HRUDMATCH, + DE_STATE_FLAG_HRUD_INSPECT, + DE_STATE_FLAG_HRUD_MATCH, + 0, + DetectEngineInspectHttpRawUri }, + { ALPROTO_HTTP, + DETECT_SM_LIST_FILEMATCH, + DE_STATE_FLAG_FILE_TS_INSPECT, + DE_STATE_FLAG_FILE_TS_MATCH, + 0, + DetectFileInspectHttp }, + { ALPROTO_HTTP, + DETECT_SM_LIST_HUADMATCH, + DE_STATE_FLAG_HUAD_INSPECT, + DE_STATE_FLAG_HUAD_MATCH, + 0, + DetectEngineInspectHttpUA }, + }; + + struct tmp_t data_toclient[] = { + { ALPROTO_HTTP, + DETECT_SM_LIST_HSBDMATCH, + DE_STATE_FLAG_HSBD_INSPECT, + DE_STATE_FLAG_HSBD_MATCH, + 1, + DetectEngineInspectHttpServerBody }, + { ALPROTO_HTTP, + DETECT_SM_LIST_HHDMATCH, + DE_STATE_FLAG_HHD_INSPECT, + DE_STATE_FLAG_HHD_MATCH, + 1, + DetectEngineInspectHttpHeader }, + { ALPROTO_HTTP, + DETECT_SM_LIST_HRHDMATCH, + DE_STATE_FLAG_HRHD_INSPECT, + DE_STATE_FLAG_HRHD_MATCH, + 1, + DetectEngineInspectHttpRawHeader }, + { ALPROTO_HTTP, + DETECT_SM_LIST_HCDMATCH, + DE_STATE_FLAG_HCD_INSPECT, + DE_STATE_FLAG_HCD_MATCH, + 1, + DetectEngineInspectHttpCookie }, + { ALPROTO_HTTP, + DETECT_SM_LIST_FILEMATCH, + DE_STATE_FLAG_FILE_TC_INSPECT, + DE_STATE_FLAG_FILE_TC_MATCH, + 1, + DetectFileInspectHttp }, + { ALPROTO_HTTP, + DETECT_SM_LIST_HSMDMATCH, + DE_STATE_FLAG_HSMD_INSPECT, + DE_STATE_FLAG_HSMD_MATCH, + 1, + DetectEngineInspectHttpStatMsg }, + { ALPROTO_HTTP, + DETECT_SM_LIST_HSCDMATCH, + DE_STATE_FLAG_HSCD_INSPECT, + DE_STATE_FLAG_HSCD_MATCH, + 1, + DetectEngineInspectHttpStatCode } + }; + + size_t i; + for (i = 0 ; i < sizeof(data_toserver) / sizeof(struct tmp_t); i++) { + DetectEngineRegisterAppInspectionEngine(data_toserver[i].alproto, + data_toserver[i].dir, + data_toserver[i].sm_list, + data_toserver[i].inspect_flags, + data_toserver[i].match_flags, + data_toserver[i].Callback, + app_inspection_engine); + } + + for (i = 0 ; i < sizeof(data_toclient) / sizeof(struct tmp_t); i++) { + DetectEngineRegisterAppInspectionEngine(data_toclient[i].alproto, + data_toclient[i].dir, + data_toclient[i].sm_list, + data_toclient[i].inspect_flags, + data_toclient[i].match_flags, + data_toclient[i].Callback, + app_inspection_engine); + } + +#if 0 + DetectEnginePrintAppInspectionEngines(app_inspection_engine); +#endif + + return; +} + +static void AppendAppInspectionEngine(DetectEngineAppInspectionEngine *engine, + DetectEngineAppInspectionEngine *list[][2]) +{ + /* append to the list */ + DetectEngineAppInspectionEngine *tmp = list[engine->alproto][engine->dir]; + DetectEngineAppInspectionEngine *insert = NULL; + while (tmp != NULL) { + if (tmp->dir == engine->dir && + (tmp->sm_list == engine->sm_list || + tmp->inspect_flags == engine->inspect_flags || + tmp->match_flags == engine->match_flags)) { + SCLogError(SC_ERR_DETECT_PREPARE, "App Inspection Engine already " + "registered for this direction(%"PRIu16") ||" + "sm_list(%d) || " + "[match(%"PRIu32")|inspect(%"PRIu32")]_flags", + tmp->dir, tmp->sm_list, tmp->inspect_flags, + tmp->match_flags); + exit(EXIT_FAILURE); + } + insert = tmp; + tmp = tmp->next; + } + if (insert == NULL) + list[engine->alproto][engine->dir] = engine; + else + insert->next = engine; + + return; +} + +void DetectEngineRegisterAppInspectionEngine(uint16_t alproto, + uint16_t dir, + int32_t sm_list, + uint32_t inspect_flags, + uint32_t match_flags, + int (*Callback)(ThreadVars *tv, + DetectEngineCtx *de_ctx, + DetectEngineThreadCtx *det_ctx, + Signature *sig, Flow *f, + uint8_t flags, void *alstate, + int32_t tx_id), + DetectEngineAppInspectionEngine *list[][2]) +{ + if ((list == NULL) || + (alproto <= ALPROTO_UNKNOWN && alproto >= ALPROTO_FAILED) || + (dir > 1) || + (sm_list < DETECT_SM_LIST_MATCH || sm_list >= DETECT_SM_LIST_MAX) || + (Callback == NULL)) { + SCLogError(SC_ERR_INVALID_ARGUMENTS, "Invalid arguments"); + exit(EXIT_FAILURE); + } + + DetectEngineAppInspectionEngine *new_engine = SCMalloc(sizeof(DetectEngineAppInspectionEngine)); + if (unlikely(new_engine == NULL)) { + exit(EXIT_FAILURE); + } + memset(new_engine, 0, sizeof(*new_engine)); + new_engine->alproto = alproto; + new_engine->dir = dir; + new_engine->sm_list = sm_list; + new_engine->inspect_flags = inspect_flags; + new_engine->match_flags = match_flags; + new_engine->Callback = Callback; + + AppendAppInspectionEngine(new_engine, list); + + return; +} + static void *DetectEngineLiveRuleSwap(void *arg) { SCEnter(); @@ -1183,6 +1448,309 @@ static int DetectEngineTest04(void) return result; } +int DummyTestAppInspectionEngine01(ThreadVars *tv, + DetectEngineCtx *de_ctx, + DetectEngineThreadCtx *det_ctx, + Signature *sig, + Flow *f, + uint8_t flags, + void *alstate, + int32_t tx_id) +{ + return 0; +} + +int DummyTestAppInspectionEngine02(ThreadVars *tv, + DetectEngineCtx *de_ctx, + DetectEngineThreadCtx *det_ctx, + Signature *sig, + Flow *f, + uint8_t flags, + void *alstate, + int32_t tx_id) +{ + return 0; +} + +int DetectEngineTest05(void) +{ + int result = 0; + + DetectEngineAppInspectionEngine *engine_list[ALPROTO_MAX][2]; + memset(engine_list, 0, sizeof(engine_list)); + + DetectEngineRegisterAppInspectionEngine(ALPROTO_HTTP, + 0 /* STREAM_TOSERVER */, + DETECT_SM_LIST_UMATCH, + DE_STATE_FLAG_URI_INSPECT, + DE_STATE_FLAG_URI_MATCH, + DummyTestAppInspectionEngine01, + engine_list); + + int alproto = ALPROTO_UNKNOWN + 1; + for ( ; alproto < ALPROTO_FAILED; alproto++) { + int dir = 0; + for ( ; dir < 2; dir++) { + if (alproto == ALPROTO_HTTP && dir == 0) { + if (engine_list[alproto][dir]->next != NULL) { + printf("more than one entry found\n"); + goto end; + } + + DetectEngineAppInspectionEngine *engine = engine_list[alproto][dir]; + + if (engine->alproto != alproto || + engine->dir != dir || + engine->sm_list != DETECT_SM_LIST_UMATCH || + engine->inspect_flags != DE_STATE_FLAG_URI_INSPECT || + engine->match_flags != DE_STATE_FLAG_URI_MATCH || + engine->Callback != DummyTestAppInspectionEngine01) { + printf("failed for http and dir(0-toserver)\n"); + goto end; + } + } /* if (alproto == ALPROTO_HTTP && dir == 0) */ + + if (alproto == ALPROTO_HTTP && dir == 1) { + if (engine_list[alproto][dir] != NULL) { + printf("failed for http and dir(1-toclient)\n"); + goto end; + } + } + + if (alproto != ALPROTO_HTTP && + engine_list[alproto][0] != NULL && + engine_list[alproto][1] != NULL) { + printf("failed for protocol %d\n", alproto); + goto end; + } + } /* for ( ; dir < 2 ..)*/ + } /* for ( ; alproto < ALPROTO_FAILED; ..) */ + + result = 1; + end: + return result; +} + +int DetectEngineTest06(void) +{ + int result = 0; + + DetectEngineAppInspectionEngine *engine_list[ALPROTO_MAX][2]; + memset(engine_list, 0, sizeof(engine_list)); + + DetectEngineRegisterAppInspectionEngine(ALPROTO_HTTP, + 0 /* STREAM_TOSERVER */, + DETECT_SM_LIST_UMATCH, + DE_STATE_FLAG_URI_INSPECT, + DE_STATE_FLAG_URI_MATCH, + DummyTestAppInspectionEngine01, + engine_list); + DetectEngineRegisterAppInspectionEngine(ALPROTO_HTTP, + 1 /* STREAM_TOCLIENT */, + DETECT_SM_LIST_UMATCH, + DE_STATE_FLAG_URI_INSPECT, + DE_STATE_FLAG_URI_MATCH, + DummyTestAppInspectionEngine02, + engine_list); + + int alproto = ALPROTO_UNKNOWN + 1; + for ( ; alproto < ALPROTO_FAILED; alproto++) { + int dir = 0; + for ( ; dir < 2; dir++) { + if (alproto == ALPROTO_HTTP && dir == 0) { + if (engine_list[alproto][dir]->next != NULL) { + printf("more than one entry found\n"); + goto end; + } + + DetectEngineAppInspectionEngine *engine = engine_list[alproto][dir]; + + if (engine->alproto != alproto || + engine->dir != dir || + engine->sm_list != DETECT_SM_LIST_UMATCH || + engine->inspect_flags != DE_STATE_FLAG_URI_INSPECT || + engine->match_flags != DE_STATE_FLAG_URI_MATCH || + engine->Callback != DummyTestAppInspectionEngine01) { + printf("failed for http and dir(0-toserver)\n"); + goto end; + } + } /* if (alproto == ALPROTO_HTTP && dir == 0) */ + + if (alproto == ALPROTO_HTTP && dir == 1) { + if (engine_list[alproto][dir]->next != NULL) { + printf("more than one entry found\n"); + goto end; + } + + DetectEngineAppInspectionEngine *engine = engine_list[alproto][dir]; + + if (engine->alproto != alproto || + engine->dir != dir || + engine->sm_list != DETECT_SM_LIST_UMATCH || + engine->inspect_flags != DE_STATE_FLAG_URI_INSPECT || + engine->match_flags != DE_STATE_FLAG_URI_MATCH || + engine->Callback != DummyTestAppInspectionEngine02) { + printf("failed for http and dir(0-toclient)\n"); + goto end; + } + } /* if (alproto == ALPROTO_HTTP && dir == 1) */ + + if (alproto != ALPROTO_HTTP && + engine_list[alproto][0] != NULL && + engine_list[alproto][1] != NULL) { + printf("failed for protocol %d\n", alproto); + goto end; + } + } /* for ( ; dir < 2 ..)*/ + } /* for ( ; alproto < ALPROTO_FAILED; ..) */ + + result = 1; + end: + return result; +} + +int DetectEngineTest07(void) +{ + int result = 0; + + DetectEngineAppInspectionEngine *engine_list[ALPROTO_MAX][2]; + memset(engine_list, 0, sizeof(engine_list)); + + struct test_data_t { + int32_t sm_list; + uint32_t inspect_flags; + uint32_t match_flags; + uint16_t dir; + int (*Callback)(ThreadVars *tv, + DetectEngineCtx *de_ctx, + DetectEngineThreadCtx *det_ctx, + Signature *sig, Flow *f, + uint8_t flags, void *alstate, + int32_t tx_id); + + }; + + struct test_data_t data[] = { + { DETECT_SM_LIST_UMATCH, + DE_STATE_FLAG_URI_INSPECT, + DE_STATE_FLAG_URI_MATCH, + 0, + DummyTestAppInspectionEngine01 }, + { DETECT_SM_LIST_HCBDMATCH, + DE_STATE_FLAG_HCBD_INSPECT, + DE_STATE_FLAG_HCBD_MATCH, + 0, + DummyTestAppInspectionEngine02 }, + { DETECT_SM_LIST_HSBDMATCH, + DE_STATE_FLAG_HSBD_INSPECT, + DE_STATE_FLAG_HSBD_MATCH, + 1, + DummyTestAppInspectionEngine02 }, + { DETECT_SM_LIST_HHDMATCH, + DE_STATE_FLAG_HHD_INSPECT, + DE_STATE_FLAG_HHD_MATCH, + 0, + DummyTestAppInspectionEngine01 }, + { DETECT_SM_LIST_HRHDMATCH, + DE_STATE_FLAG_HRHD_INSPECT, + DE_STATE_FLAG_HRHD_MATCH, + 0, + DummyTestAppInspectionEngine01 }, + { DETECT_SM_LIST_HMDMATCH, + DE_STATE_FLAG_HMD_INSPECT, + DE_STATE_FLAG_HMD_MATCH, + 0, + DummyTestAppInspectionEngine02 }, + { DETECT_SM_LIST_HCDMATCH, + DE_STATE_FLAG_HCD_INSPECT, + DE_STATE_FLAG_HCD_MATCH, + 0, + DummyTestAppInspectionEngine01 }, + { DETECT_SM_LIST_HRUDMATCH, + DE_STATE_FLAG_HRUD_INSPECT, + DE_STATE_FLAG_HRUD_MATCH, + 0, + DummyTestAppInspectionEngine01 }, + { DETECT_SM_LIST_FILEMATCH, + DE_STATE_FLAG_FILE_TS_INSPECT, + DE_STATE_FLAG_FILE_TS_MATCH, + 0, + DummyTestAppInspectionEngine02 }, + { DETECT_SM_LIST_FILEMATCH, + DE_STATE_FLAG_FILE_TC_INSPECT, + DE_STATE_FLAG_FILE_TC_MATCH, + 1, + DummyTestAppInspectionEngine02 }, + { DETECT_SM_LIST_HSMDMATCH, + DE_STATE_FLAG_HSMD_INSPECT, + DE_STATE_FLAG_HSMD_MATCH, + 0, + DummyTestAppInspectionEngine01 }, + { DETECT_SM_LIST_HSCDMATCH, + DE_STATE_FLAG_HSCD_INSPECT, + DE_STATE_FLAG_HSCD_MATCH, + 0, + DummyTestAppInspectionEngine01 }, + { DETECT_SM_LIST_HUADMATCH, + DE_STATE_FLAG_HUAD_INSPECT, + DE_STATE_FLAG_HUAD_MATCH, + 0, + DummyTestAppInspectionEngine02 }, + }; + + size_t i = 0; + for ( ; i < sizeof(data) / sizeof(struct test_data_t); i++) { + DetectEngineRegisterAppInspectionEngine(ALPROTO_HTTP, + data[i].dir /* STREAM_TOCLIENT */, + data[i].sm_list, + data[i].inspect_flags, + data[i].match_flags, + data[i].Callback, + engine_list); + } + +#if 0 + DetectEnginePrintAppInspectionEngines(engine_list); +#endif + + int alproto = ALPROTO_UNKNOWN + 1; + for ( ; alproto < ALPROTO_FAILED; alproto++) { + int dir = 0; + for ( ; dir < 2; dir++) { + if (alproto == ALPROTO_HTTP) { + DetectEngineAppInspectionEngine *engine = engine_list[alproto][dir]; + + size_t i = 0; + for ( ; i < (sizeof(data) / sizeof(struct test_data_t)); i++) { + if (data[i].dir != dir) + continue; + + if (engine->alproto != ALPROTO_HTTP || + engine->dir != data[i].dir || + engine->sm_list != data[i].sm_list || + engine->inspect_flags != data[i].inspect_flags || + engine->match_flags != data[i].match_flags || + engine->Callback != data[i].Callback) { + printf("failed for http\n"); + goto end; + } + engine = engine->next; + } + } else { + if (engine_list[alproto][0] != NULL && + engine_list[alproto][1] != NULL) { + printf("failed for protocol %d\n", alproto); + goto end; + } + } /* else */ + } /* for ( ; dir < 2; dir++) */ + } /* for ( ; alproto < ALPROTO_FAILED; ..) */ + + result = 1; + end: + return result; +} + #endif void DetectEngineRegisterTests() @@ -1193,6 +1761,9 @@ void DetectEngineRegisterTests() UtRegisterTest("DetectEngineTest02", DetectEngineTest02, 1); UtRegisterTest("DetectEngineTest03", DetectEngineTest03, 1); UtRegisterTest("DetectEngineTest04", DetectEngineTest04, 1); + UtRegisterTest("DetectEngineTest05", DetectEngineTest05, 1); + UtRegisterTest("DetectEngineTest06", DetectEngineTest06, 1); + UtRegisterTest("DetectEngineTest07", DetectEngineTest07, 1); #endif return; diff --git a/src/detect-engine.h b/src/detect-engine.h index 0ee76571e2..081fda13a8 100644 --- a/src/detect-engine.h +++ b/src/detect-engine.h @@ -27,7 +27,26 @@ #include "detect.h" #include "tm-threads.h" +typedef struct DetectEngineAppInspectionEngine_ { + uint16_t alproto; + uint16_t dir; + + int32_t sm_list; + uint32_t inspect_flags; + uint32_t match_flags; + + int (*Callback)(ThreadVars *tv, + DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, + Signature *sig, Flow *f, uint8_t flags, void *alstate, + int32_t tx_id); + + struct DetectEngineAppInspectionEngine_ *next; +} DetectEngineAppInspectionEngine; + +extern DetectEngineAppInspectionEngine *app_inspection_engine[ALPROTO_MAX][2]; + /* prototypes */ +void DetectEngineRegisterAppInspectionEngines(void); void DetectEngineSpawnLiveRuleSwapMgmtThread(void); DetectEngineCtx *DetectEngineCtxInit(void); DetectEngineCtx *DetectEngineGetGlobalDeCtx(void); @@ -41,5 +60,28 @@ TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *); void DetectEngineResetMaxSigId(DetectEngineCtx *); void DetectEngineRegisterTests(void); +/** + * \brief Registers an app inspection engine. + * + * \param alproto App layer protocol for which we will register the engine. + * \param direction The direction for the engine. 0 - toserver; 1- toclient. + * \param sm_list The SigMatch list against which the engine works. + * \param inspect_flags The inspection flags to be used by de_state + * against the engine. + * \param match_flags The match flags to be used by de_state in tandem with + * the inpsect_flags. + * \param Callback The engine callback. + */ +void DetectEngineRegisterAppInspectionEngine(uint16_t alproto, + uint16_t direction, + int32_t sm_list, + uint32_t inspect_flags, + uint32_t match_flags, + int (*Callback)(ThreadVars *tv, + DetectEngineCtx *de_ctx, + DetectEngineThreadCtx *det_ctx, + Signature *sig, Flow *f, + uint8_t flags, void *alstate, + int32_t tx_id), + DetectEngineAppInspectionEngine *list[][2]); #endif /* __DETECT_ENGINE_H__ */ - diff --git a/src/detect.c b/src/detect.c index dfec2f4c77..692f62fa11 100644 --- a/src/detect.c +++ b/src/detect.c @@ -1261,7 +1261,7 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx, } if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HCBD) { PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HCBD); - DetectEngineRunHttpClientBodyMpmV2(de_ctx, det_ctx, p->flow, alstate, flags); + DetectEngineRunHttpClientBodyMpm(de_ctx, det_ctx, p->flow, alstate, flags); PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HCBD); } if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HMD) { @@ -1277,7 +1277,7 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx, } else { /* implied FLOW_PKT_TOCLIENT */ if (p->flowflags & FLOW_PKT_TOCLIENT && det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HSBD) { PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HSBD); - DetectEngineRunHttpServerBodyMpmV2(de_ctx, det_ctx, p->flow, alstate, flags); + DetectEngineRunHttpServerBodyMpm(de_ctx, det_ctx, p->flow, alstate, flags); PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HSBD); } if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HSMD) { @@ -1293,7 +1293,7 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx, } if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HHD) { PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HHD); - DetectEngineRunHttpHeaderMpmV2(det_ctx, p->flow, alstate, flags); + DetectEngineRunHttpHeaderMpm(det_ctx, p->flow, alstate, flags); PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HHD); } if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HRHD) { @@ -1901,12 +1901,9 @@ end: /* cleanup pkt specific part of the patternmatcher */ PacketPatternCleanup(th_v, det_ctx); - //DetectEngineCleanHCBDBuffers(det_ctx); - DetectEngineCleanHCBDBuffersV2(det_ctx); - //DetectEngineCleanHSBDBuffers(det_ctx); - DetectEngineCleanHSBDBuffersV2(det_ctx); - //DetectEngineCleanHHDBuffers(det_ctx); - DetectEngineCleanHHDBuffersV2(det_ctx); + DetectEngineCleanHCBDBuffers(det_ctx); + DetectEngineCleanHSBDBuffers(det_ctx); + DetectEngineCleanHHDBuffers(det_ctx); /* store the found sgh (or NULL) in the flow to save us from looking it * up again for the next packet. Also return any stream chunk we processed diff --git a/src/suricata.c b/src/suricata.c index aeb2c2d2e5..1763faf60a 100644 --- a/src/suricata.c +++ b/src/suricata.c @@ -1520,6 +1520,8 @@ int main(int argc, char **argv) AppLayerHtpNeedFileInspection(); + DetectEngineRegisterAppInspectionEngines(); + if (rule_reload) { if (sig_file == NULL) UtilSignalHandlerSetup(SIGUSR2, SignalHandlerSigusr2Idle);