|
|
|
|
/* Copyright (C) 2007-2018 Open Information Security Foundation
|
|
|
|
|
*
|
|
|
|
|
* You can copy, redistribute or modify this Program under the terms of
|
|
|
|
|
* the GNU General Public License version 2 as published by the Free
|
|
|
|
|
* Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* version 2 along with this program; if not, write to the Free Software
|
|
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
|
|
|
|
* 02110-1301, USA.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \ingroup httplayer
|
|
|
|
|
*
|
|
|
|
|
* @{
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \file
|
|
|
|
|
*
|
|
|
|
|
* \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
|
|
|
|
|
*
|
|
|
|
|
* Implements support for http_raw_header keyword.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include "suricata-common.h"
|
|
|
|
|
#include "threads.h"
|
|
|
|
|
#include "decode.h"
|
|
|
|
|
|
|
|
|
|
#include "detect.h"
|
|
|
|
|
#include "detect-parse.h"
|
|
|
|
|
#include "detect-engine.h"
|
|
|
|
|
#include "detect-engine-mpm.h"
|
|
|
|
|
#include "detect-engine-prefilter.h"
|
|
|
|
|
#include "detect-content.h"
|
|
|
|
|
#include "detect-pcre.h"
|
|
|
|
|
|
|
|
|
|
#include "flow.h"
|
|
|
|
|
#include "flow-var.h"
|
|
|
|
|
#include "flow-util.h"
|
|
|
|
|
|
|
|
|
|
#include "util-debug.h"
|
|
|
|
|
#include "util-unittest.h"
|
|
|
|
|
#include "util-unittest-helper.h"
|
|
|
|
|
#include "util-spm.h"
|
|
|
|
|
#include "util-print.h"
|
|
|
|
|
|
|
|
|
|
#include "app-layer.h"
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
#include "app-layer-parser.h"
|
|
|
|
|
|
|
|
|
|
#include "app-layer-htp.h"
|
|
|
|
|
#include "detect-http-raw-header.h"
|
|
|
|
|
#include "detect-engine-hrhd.h"
|
|
|
|
|
#include "stream-tcp.h"
|
|
|
|
|
|
|
|
|
|
static int DetectHttpRawHeaderSetup(DetectEngineCtx *, Signature *, const char *);
|
|
|
|
|
static void DetectHttpRawHeaderRegisterTests(void);
|
|
|
|
|
static _Bool DetectHttpRawHeaderValidateCallback(const Signature *s, const char **sigerror);
|
|
|
|
|
static int g_http_raw_header_buffer_id = 0;
|
|
|
|
|
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
|
|
|
|
|
const DetectEngineTransforms *transforms, Flow *_f,
|
|
|
|
|
const uint8_t flow_flags, void *txv, const int list_id);
|
|
|
|
|
|
|
|
|
|
static int PrefilterMpmHttpHeaderRawRequestRegister(DetectEngineCtx *de_ctx,
|
|
|
|
|
SigGroupHead *sgh, MpmCtx *mpm_ctx,
|
|
|
|
|
const DetectMpmAppLayerRegistery *mpm_reg, int list_id);
|
|
|
|
|
static int PrefilterMpmHttpHeaderRawResponseRegister(DetectEngineCtx *de_ctx,
|
|
|
|
|
SigGroupHead *sgh, MpmCtx *mpm_ctx,
|
|
|
|
|
const DetectMpmAppLayerRegistery *mpm_reg, int list_id);
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief Registers the keyword handlers for the "http_raw_header" keyword.
|
|
|
|
|
*/
|
|
|
|
|
void DetectHttpRawHeaderRegister(void)
|
|
|
|
|
{
|
|
|
|
|
sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].name = "http_raw_header";
|
|
|
|
|
sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].Setup = DetectHttpRawHeaderSetup;
|
|
|
|
|
sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].RegisterTests = DetectHttpRawHeaderRegisterTests;
|
|
|
|
|
sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].flags |= SIGMATCH_NOOPT;
|
|
|
|
|
|
|
|
|
|
DetectAppLayerInspectEngineRegister2("http_raw_header", ALPROTO_HTTP,
|
|
|
|
|
SIG_FLAG_TOSERVER, HTP_REQUEST_HEADERS+1,
|
|
|
|
|
DetectEngineInspectBufferGeneric, GetData);
|
|
|
|
|
DetectAppLayerInspectEngineRegister2("http_raw_header", ALPROTO_HTTP,
|
|
|
|
|
SIG_FLAG_TOCLIENT, HTP_RESPONSE_HEADERS+1,
|
|
|
|
|
DetectEngineInspectBufferGeneric, GetData);
|
|
|
|
|
|
|
|
|
|
DetectAppLayerMpmRegister2("http_raw_header", SIG_FLAG_TOSERVER, 2,
|
|
|
|
|
PrefilterMpmHttpHeaderRawRequestRegister, NULL, ALPROTO_HTTP,
|
|
|
|
|
0); /* progress handled in register */
|
|
|
|
|
DetectAppLayerMpmRegister2("http_raw_header", SIG_FLAG_TOCLIENT, 2,
|
|
|
|
|
PrefilterMpmHttpHeaderRawResponseRegister, NULL, ALPROTO_HTTP,
|
|
|
|
|
0); /* progress handled in register */
|
|
|
|
|
|
|
|
|
|
DetectBufferTypeSetDescriptionByName("http_raw_header",
|
|
|
|
|
"raw http headers");
|
|
|
|
|
|
|
|
|
|
DetectBufferTypeRegisterValidateCallback("http_raw_header",
|
|
|
|
|
DetectHttpRawHeaderValidateCallback);
|
|
|
|
|
|
|
|
|
|
g_http_raw_header_buffer_id = DetectBufferTypeGetByName("http_raw_header");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief The setup function for the http_raw_header keyword for a signature.
|
|
|
|
|
*
|
|
|
|
|
* \param de_ctx Pointer to the detection engine context.
|
|
|
|
|
* \param s Pointer to signature for the current Signature being parsed
|
|
|
|
|
* from the rules.
|
|
|
|
|
* \param m Pointer to the head of the SigMatchs for the current rule
|
|
|
|
|
* being parsed.
|
|
|
|
|
* \param arg Pointer to the string holding the keyword value.
|
|
|
|
|
*
|
|
|
|
|
* \retval 0 On success.
|
|
|
|
|
* \retval -1 On failure.
|
|
|
|
|
*/
|
|
|
|
|
int DetectHttpRawHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
|
|
|
|
|
{
|
|
|
|
|
return DetectEngineContentModifierBufferSetup(de_ctx, s, arg,
|
|
|
|
|
DETECT_AL_HTTP_RAW_HEADER,
|
|
|
|
|
g_http_raw_header_buffer_id,
|
|
|
|
|
ALPROTO_HTTP);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static _Bool DetectHttpRawHeaderValidateCallback(const Signature *s, const char **sigerror)
|
|
|
|
|
{
|
|
|
|
|
if ((s->flags & (SIG_FLAG_TOCLIENT|SIG_FLAG_TOSERVER)) == (SIG_FLAG_TOCLIENT|SIG_FLAG_TOSERVER)) {
|
|
|
|
|
*sigerror = "http_raw_header signature "
|
|
|
|
|
"without a flow direction. Use flow:to_server for "
|
|
|
|
|
"inspecting request headers or flow:to_client for "
|
|
|
|
|
"inspecting response headers.";
|
|
|
|
|
|
|
|
|
|
SCLogError(SC_ERR_INVALID_SIGNATURE, "%s", *sigerror);
|
|
|
|
|
SCReturnInt(FALSE);
|
|
|
|
|
}
|
|
|
|
|
return TRUE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
|
|
|
|
|
const DetectEngineTransforms *transforms, Flow *_f,
|
|
|
|
|
const uint8_t flow_flags, void *txv, const int list_id)
|
|
|
|
|
{
|
|
|
|
|
InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
|
|
|
|
|
if (buffer->inspect == NULL) {
|
|
|
|
|
htp_tx_t *tx = (htp_tx_t *)txv;
|
|
|
|
|
|
|
|
|
|
HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
|
|
|
|
|
if (tx_ud == NULL)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
const bool ts = ((flow_flags & STREAM_TOSERVER) != 0);
|
|
|
|
|
const uint8_t *data = ts ?
|
|
|
|
|
tx_ud->request_headers_raw : tx_ud->response_headers_raw;
|
|
|
|
|
if (data == NULL)
|
|
|
|
|
return NULL;
|
|
|
|
|
const uint8_t data_len = ts ?
|
|
|
|
|
tx_ud->request_headers_raw_len : tx_ud->response_headers_raw_len;
|
|
|
|
|
|
|
|
|
|
InspectionBufferSetup(buffer, data, data_len);
|
|
|
|
|
InspectionBufferApplyTransforms(buffer, transforms);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return buffer;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
typedef struct PrefilterMpmHttpHeaderRawCtx {
|
|
|
|
|
int list_id;
|
|
|
|
|
const MpmCtx *mpm_ctx;
|
|
|
|
|
const DetectEngineTransforms *transforms;
|
|
|
|
|
} PrefilterMpmHttpHeaderRawCtx;
|
|
|
|
|
|
|
|
|
|
/** \brief Generic Mpm prefilter callback
|
|
|
|
|
*
|
|
|
|
|
* \param det_ctx detection engine thread ctx
|
|
|
|
|
* \param p packet to inspect
|
|
|
|
|
* \param f flow to inspect
|
|
|
|
|
* \param txv tx to inspect
|
|
|
|
|
* \param pectx inspection context
|
|
|
|
|
*/
|
|
|
|
|
static void PrefilterMpmHttpHeaderRaw(DetectEngineThreadCtx *det_ctx,
|
|
|
|
|
const void *pectx,
|
|
|
|
|
Packet *p, Flow *f, void *txv,
|
|
|
|
|
const uint64_t idx, const uint8_t flags)
|
|
|
|
|
{
|
|
|
|
|
SCEnter();
|
|
|
|
|
|
|
|
|
|
const PrefilterMpmHttpHeaderRawCtx *ctx = pectx;
|
|
|
|
|
const MpmCtx *mpm_ctx = ctx->mpm_ctx;
|
|
|
|
|
SCLogDebug("running on list %d", ctx->list_id);
|
|
|
|
|
|
|
|
|
|
const int list_id = ctx->list_id;
|
|
|
|
|
|
|
|
|
|
InspectionBuffer *buffer = GetData(det_ctx, ctx->transforms, f,
|
|
|
|
|
flags, txv, list_id);
|
|
|
|
|
if (buffer == NULL)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
const uint32_t data_len = buffer->inspect_len;
|
|
|
|
|
const uint8_t *data = buffer->inspect;
|
|
|
|
|
|
|
|
|
|
SCLogDebug("mpm'ing buffer:");
|
|
|
|
|
//PrintRawDataFp(stdout, data, data_len);
|
|
|
|
|
|
|
|
|
|
if (data != NULL && data_len >= mpm_ctx->minlen) {
|
|
|
|
|
(void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
|
|
|
|
|
&det_ctx->mtcu, &det_ctx->pmq, data, data_len);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void PrefilterMpmHttpTrailerRaw(DetectEngineThreadCtx *det_ctx,
|
|
|
|
|
const void *pectx,
|
|
|
|
|
Packet *p, Flow *f, void *txv,
|
|
|
|
|
const uint64_t idx, const uint8_t flags)
|
|
|
|
|
{
|
|
|
|
|
SCEnter();
|
|
|
|
|
|
|
|
|
|
htp_tx_t *tx = txv;
|
|
|
|
|
const HtpTxUserData *htud = (const HtpTxUserData *)htp_tx_get_user_data(tx);
|
|
|
|
|
/* if the request wasn't flagged as having a trailer, we skip */
|
|
|
|
|
if (htud && (
|
|
|
|
|
((flags & STREAM_TOSERVER) && !htud->request_has_trailers) ||
|
|
|
|
|
((flags & STREAM_TOCLIENT) && !htud->response_has_trailers))) {
|
|
|
|
|
SCReturn;
|
|
|
|
|
}
|
|
|
|
|
PrefilterMpmHttpHeaderRaw(det_ctx, pectx, p, f, txv, idx, flags);
|
|
|
|
|
SCReturn;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void PrefilterMpmHttpHeaderRawFree(void *ptr)
|
|
|
|
|
{
|
|
|
|
|
SCFree(ptr);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int PrefilterMpmHttpHeaderRawRequestRegister(DetectEngineCtx *de_ctx,
|
|
|
|
|
SigGroupHead *sgh, MpmCtx *mpm_ctx,
|
|
|
|
|
const DetectMpmAppLayerRegistery *mpm_reg, int list_id)
|
|
|
|
|
{
|
|
|
|
|
SCEnter();
|
|
|
|
|
|
|
|
|
|
/* header */
|
|
|
|
|
PrefilterMpmHttpHeaderRawCtx *pectx = SCCalloc(1, sizeof(*pectx));
|
|
|
|
|
if (pectx == NULL)
|
|
|
|
|
return -1;
|
|
|
|
|
pectx->list_id = list_id;
|
|
|
|
|
pectx->mpm_ctx = mpm_ctx;
|
|
|
|
|
pectx->transforms = &mpm_reg->v2.transforms;
|
|
|
|
|
|
|
|
|
|
int r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMpmHttpHeaderRaw,
|
|
|
|
|
mpm_reg->v2.alproto, HTP_REQUEST_HEADERS+1,
|
|
|
|
|
pectx, PrefilterMpmHttpHeaderRawFree, mpm_reg->pname);
|
|
|
|
|
if (r != 0) {
|
|
|
|
|
SCFree(pectx);
|
|
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* trailer */
|
|
|
|
|
pectx = SCCalloc(1, sizeof(*pectx));
|
|
|
|
|
if (pectx == NULL)
|
|
|
|
|
return -1;
|
|
|
|
|
pectx->list_id = list_id;
|
|
|
|
|
pectx->mpm_ctx = mpm_ctx;
|
|
|
|
|
pectx->transforms = &mpm_reg->v2.transforms;
|
|
|
|
|
|
|
|
|
|
r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMpmHttpTrailerRaw,
|
|
|
|
|
mpm_reg->v2.alproto, HTP_REQUEST_TRAILER+1,
|
|
|
|
|
pectx, PrefilterMpmHttpHeaderRawFree, mpm_reg->pname);
|
|
|
|
|
if (r != 0) {
|
|
|
|
|
SCFree(pectx);
|
|
|
|
|
}
|
|
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int PrefilterMpmHttpHeaderRawResponseRegister(DetectEngineCtx *de_ctx,
|
|
|
|
|
SigGroupHead *sgh, MpmCtx *mpm_ctx,
|
|
|
|
|
const DetectMpmAppLayerRegistery *mpm_reg, int list_id)
|
|
|
|
|
{
|
|
|
|
|
SCEnter();
|
|
|
|
|
|
|
|
|
|
/* header */
|
|
|
|
|
PrefilterMpmHttpHeaderRawCtx *pectx = SCCalloc(1, sizeof(*pectx));
|
|
|
|
|
if (pectx == NULL)
|
|
|
|
|
return -1;
|
|
|
|
|
pectx->list_id = list_id;
|
|
|
|
|
pectx->mpm_ctx = mpm_ctx;
|
|
|
|
|
pectx->transforms = &mpm_reg->v2.transforms;
|
|
|
|
|
|
|
|
|
|
int r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMpmHttpHeaderRaw,
|
|
|
|
|
mpm_reg->v2.alproto, HTP_RESPONSE_HEADERS,
|
|
|
|
|
pectx, PrefilterMpmHttpHeaderRawFree, mpm_reg->pname);
|
|
|
|
|
if (r != 0) {
|
|
|
|
|
SCFree(pectx);
|
|
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* trailer */
|
|
|
|
|
pectx = SCCalloc(1, sizeof(*pectx));
|
|
|
|
|
if (pectx == NULL)
|
|
|
|
|
return -1;
|
|
|
|
|
pectx->list_id = list_id;
|
|
|
|
|
pectx->mpm_ctx = mpm_ctx;
|
|
|
|
|
pectx->transforms = &mpm_reg->v2.transforms;
|
|
|
|
|
|
|
|
|
|
r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMpmHttpTrailerRaw,
|
|
|
|
|
mpm_reg->v2.alproto, HTP_RESPONSE_TRAILER,
|
|
|
|
|
pectx, PrefilterMpmHttpHeaderRawFree, mpm_reg->pname);
|
|
|
|
|
if (r != 0) {
|
|
|
|
|
SCFree(pectx);
|
|
|
|
|
}
|
|
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/************************************Unittests*********************************/
|
|
|
|
|
|
|
|
|
|
#ifdef UNITTESTS
|
|
|
|
|
|
|
|
|
|
#include "detect-isdataat.h"
|
|
|
|
|
#include "stream-tcp-reassemble.h"
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \test Test that a signature containting a http_header is correctly parsed
|
|
|
|
|
* and the keyword is registered.
|
|
|
|
|
*/
|
|
|
|
|
static int DetectHttpRawHeaderTest01(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
SigMatch *sm = NULL;
|
|
|
|
|
|
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
|
|
|
if (de_ctx == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(msg:\"Testing http_header\"; flow:to_server; "
|
|
|
|
|
"content:\"one\"; http_raw_header; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list != NULL) {
|
|
|
|
|
result = 1;
|
|
|
|
|
} else {
|
|
|
|
|
printf("Error parsing signature: ");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sm = de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id];
|
|
|
|
|
if (sm != NULL) {
|
|
|
|
|
result &= (sm->type == DETECT_CONTENT);
|
|
|
|
|
result &= (sm->next == NULL);
|
|
|
|
|
} else {
|
|
|
|
|
result = 0;
|
|
|
|
|
printf("Error updating content pattern to http_header pattern: ");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \test Test that a signature containing an valid http_header entry is
|
|
|
|
|
* parsed.
|
|
|
|
|
*/
|
|
|
|
|
static int DetectHttpRawHeaderTest02(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
|
|
|
if (de_ctx == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(msg:\"Testing http_header\"; flow:to_server; "
|
|
|
|
|
"content:\"one\"; http_raw_header:; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list != NULL)
|
|
|
|
|
result = 1;
|
|
|
|
|
else
|
|
|
|
|
printf("Error parsing signature: ");
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \test Test that an invalid signature containing no content but a http_header
|
|
|
|
|
* is invalidated.
|
|
|
|
|
*/
|
|
|
|
|
static int DetectHttpRawHeaderTest03(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
|
|
|
if (de_ctx == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(msg:\"Testing http_header\"; flow:to_server; "
|
|
|
|
|
"http_raw_header; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL)
|
|
|
|
|
result = 1;
|
|
|
|
|
else
|
|
|
|
|
printf("Error parsing signature: ");
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \test Test that an invalid signature containing a rawbytes along with a
|
|
|
|
|
* http_header is invalidated.
|
|
|
|
|
*/
|
|
|
|
|
static int DetectHttpRawHeaderTest04(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
|
|
|
if (de_ctx == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(msg:\"Testing http_header\"; flow:to_server; "
|
|
|
|
|
"content:\"one\"; rawbytes; http_raw_header; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL)
|
|
|
|
|
result = 1;
|
|
|
|
|
else
|
|
|
|
|
printf("Error parsing signature: ");
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \test Test that an invalid signature containing a rawbytes along with a
|
|
|
|
|
* http_header is invalidated.
|
|
|
|
|
*/
|
|
|
|
|
static int DetectHttpRawHeaderTest05(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
|
|
|
if (de_ctx == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(msg:\"Testing http_header\"; flow:to_server; "
|
|
|
|
|
"content:\"one\"; nocase; http_raw_header; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list != NULL)
|
|
|
|
|
result = 1;
|
|
|
|
|
else
|
|
|
|
|
printf("Error parsing signature: ");
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
*\test Test that the http_header content matches against a http request
|
|
|
|
|
* which holds the content.
|
|
|
|
|
*/
|
|
|
|
|
static int DetectHttpRawHeaderTest06(void)
|
|
|
|
|
{
|
|
|
|
|
TcpSession ssn;
|
|
|
|
|
Packet *p = NULL;
|
|
|
|
|
ThreadVars th_v;
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
DetectEngineThreadCtx *det_ctx = NULL;
|
|
|
|
|
HtpState *http_state = NULL;
|
|
|
|
|
Flow f;
|
|
|
|
|
uint8_t http_buf[] =
|
|
|
|
|
"GET /index.html HTTP/1.0\r\n"
|
|
|
|
|
"Host: www.openinfosecfoundation.org\r\n"
|
|
|
|
|
"User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
|
|
|
|
|
"Content-Type: text/html\r\n"
|
|
|
|
|
"Content-Length: 26\r\n"
|
|
|
|
|
"\r\n"
|
|
|
|
|
"This is dummy message body\r\n";
|
|
|
|
|
uint32_t http_len = sizeof(http_buf) - 1;
|
|
|
|
|
int result = 0;
|
|
|
|
|
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
|
|
|
|
|
|
|
|
|
|
memset(&th_v, 0, sizeof(th_v));
|
|
|
|
|
memset(&f, 0, sizeof(f));
|
|
|
|
|
memset(&ssn, 0, sizeof(ssn));
|
|
|
|
|
|
|
|
|
|
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
|
|
|
|
|
|
FLOW_INITIALIZE(&f);
|
|
|
|
|
f.protoctx = (void *)&ssn;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.proto = IPPROTO_TCP;
|
|
|
|
|
f.flags |= FLOW_IPV4;
|
|
|
|
|
p->flow = &f;
|
|
|
|
|
p->flowflags |= FLOW_PKT_TOSERVER;
|
|
|
|
|
p->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
|
|
|
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
|
|
|
f.alproto = ALPROTO_HTTP;
|
|
|
|
|
|
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
|
|
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
|
|
|
if (de_ctx == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
|
|
|
|
|
"(msg:\"http header test\"; flow:to_server; "
|
|
|
|
|
"content:\"Content-Type: text/html\"; http_raw_header; "
|
|
|
|
|
"sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
SigGroupBuild(de_ctx);
|
|
|
|
|
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
|
|
|
|
|
|
|
|
|
|
FLOWLOCK_WRLOCK(&f);
|
|
|
|
|
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
|
|
|
|
|
STREAM_TOSERVER, http_buf, http_len);
|
|
|
|
|
if (r != 0) {
|
|
|
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
|
|
|
result = 0;
|
|
|
|
|
FLOWLOCK_UNLOCK(&f);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
FLOWLOCK_UNLOCK(&f);
|
|
|
|
|
|
|
|
|
|
http_state = f.alstate;
|
|
|
|
|
if (http_state == NULL) {
|
|
|
|
|
printf("no http state: ");
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* do detect */
|
|
|
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
|
|
|
|
|
|
|
|
|
|
if (!(PacketAlertCheck(p, 1))) {
|
|
|
|
|
printf("sid 1 didn't match but should have: ");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
end:
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
if (alp_tctx != NULL)
|
|
|
|
|
AppLayerParserThreadCtxFree(alp_tctx);
|
|
|
|
|
if (de_ctx != NULL)
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
|
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
|
|
|
FLOW_DESTROY(&f);
|
|
|
|
|
UTHFreePackets(&p, 1);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
*\test Test that the http_header content matches against a http request
|
|
|
|
|
* which holds the content.
|
|
|
|
|
*/
|
|
|
|
|
static int DetectHttpRawHeaderTest07(void)
|
|
|
|
|
{
|
|
|
|
|
TcpSession ssn;
|
|
|
|
|
Packet *p1 = NULL;
|
|
|
|
|
Packet *p2 = NULL;
|
|
|
|
|
ThreadVars th_v;
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
DetectEngineThreadCtx *det_ctx = NULL;
|
|
|
|
|
HtpState *http_state = NULL;
|
|
|
|
|
Flow f;
|
|
|
|
|
uint8_t http1_buf[] =
|
|
|
|
|
"GET /index.html HTTP/1.0\r\n"
|
|
|
|
|
"Host: www.openinfosecfoundation.org\r\n"
|
|
|
|
|
"User-Agent: Mozi";
|
|
|
|
|
uint8_t http2_buf[] =
|
|
|
|
|
"lla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\nContent-Type: text/html\r\n"
|
|
|
|
|
"Content-Length: 67\r\n"
|
|
|
|
|
"\r\n"
|
|
|
|
|
"This is dummy message body1";
|
|
|
|
|
uint32_t http1_len = sizeof(http1_buf) - 1;
|
|
|
|
|
uint32_t http2_len = sizeof(http2_buf) - 1;
|
|
|
|
|
int result = 0;
|
|
|
|
|
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
|
|
|
|
|
|
|
|
|
|
memset(&th_v, 0, sizeof(th_v));
|
|
|
|
|
memset(&f, 0, sizeof(f));
|
|
|
|
|
memset(&ssn, 0, sizeof(ssn));
|
|
|
|
|
|
|
|
|
|
p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
|
p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
|
|
|
|
|
|
FLOW_INITIALIZE(&f);
|
|
|
|
|
f.protoctx = (void *)&ssn;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.proto = IPPROTO_TCP;
|
|
|
|
|
f.flags |= FLOW_IPV4;
|
|
|
|
|
p1->flow = &f;
|
|
|
|
|
p1->flowflags |= FLOW_PKT_TOSERVER;
|
|
|
|
|
p1->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
|
|
|
p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
|
|
|
p2->flow = &f;
|
|
|
|
|
p2->flowflags |= FLOW_PKT_TOSERVER;
|
|
|
|
|
p2->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
|
|
|
p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
|
|
|
f.alproto = ALPROTO_HTTP;
|
|
|
|
|
|
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
|
|
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
|
|
|
if (de_ctx == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
|
|
|
|
|
"(msg:\"http header test\"; flow:to_server; "
|
|
|
|
|
"content:\"Mozilla\"; http_raw_header; "
|
|
|
|
|
"sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
SigGroupBuild(de_ctx);
|
|
|
|
|
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
|
|
|
|
|
|
|
|
|
|
FLOWLOCK_WRLOCK(&f);
|
|
|
|
|
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
|
|
|
|
|
STREAM_TOSERVER, http1_buf, http1_len);
|
|
|
|
|
if (r != 0) {
|
|
|
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
|
|
|
result = 0;
|
|
|
|
|
FLOWLOCK_UNLOCK(&f);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
FLOWLOCK_UNLOCK(&f);
|
|
|
|
|
|
|
|
|
|
http_state = f.alstate;
|
|
|
|
|
if (http_state == NULL) {
|
|
|
|
|
printf("no http state: ");
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* do detect */
|
|
|
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
|
|
|
|
|
|
|
|
|
|
if ( (PacketAlertCheck(p1, 1))) {
|
|
|
|
|
printf("sid 1 matched but shouldn't have: ");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
FLOWLOCK_WRLOCK(&f);
|
|
|
|
|
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
|
|
|
|
|
STREAM_TOSERVER, http2_buf, http2_len);
|
|
|
|
|
if (r != 0) {
|
|
|
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
|
|
|
result = 0;
|
|
|
|
|
FLOWLOCK_UNLOCK(&f);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
FLOWLOCK_UNLOCK(&f);
|
|
|
|
|
|
|
|
|
|
/* do detect */
|
|
|
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
|
|
|
|
|
|
|
|
|
|
if (!(PacketAlertCheck(p2, 1))) {
|
|
|
|
|
printf("sid 1 didn't match but should have: ");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
end:
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
if (alp_tctx != NULL)
|
|
|
|
|
AppLayerParserThreadCtxFree(alp_tctx);
|
|
|
|
|
if (de_ctx != NULL)
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
|
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
|
|
|
FLOW_DESTROY(&f);
|
|
|
|
|
UTHFreePackets(&p1, 1);
|
|
|
|
|
UTHFreePackets(&p2, 1);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
*\test Test that the http_header content matches against a http request
|
|
|
|
|
* which holds the content.
|
|
|
|
|
*/
|
|
|
|
|
static int DetectHttpRawHeaderTest08(void)
|
|
|
|
|
{
|
|
|
|
|
TcpSession ssn;
|
|
|
|
|
Packet *p1 = NULL;
|
|
|
|
|
Packet *p2 = NULL;
|
|
|
|
|
ThreadVars th_v;
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
DetectEngineThreadCtx *det_ctx = NULL;
|
|
|
|
|
HtpState *http_state = NULL;
|
|
|
|
|
Flow f;
|
|
|
|
|
uint8_t http1_buf[] =
|
|
|
|
|
"GET /index.html HTTP/1.0\r\n"
|
|
|
|
|
"Host: www.openinfosecfoundation.org\r\n";
|
|
|
|
|
uint8_t http2_buf[] =
|
|
|
|
|
"User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
|
|
|
|
|
"Content-Type: text/html\r\n"
|
|
|
|
|
"Content-Length: 67\r\n"
|
|
|
|
|
"\r\n";
|
|
|
|
|
uint32_t http1_len = sizeof(http1_buf) - 1;
|
|
|
|
|
uint32_t http2_len = sizeof(http2_buf) - 1;
|
|
|
|
|
int result = 0;
|
|
|
|
|
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
|
|
|
|
|
|
|
|
|
|
memset(&th_v, 0, sizeof(th_v));
|
|
|
|
|
memset(&f, 0, sizeof(f));
|
|
|
|
|
memset(&ssn, 0, sizeof(ssn));
|
|
|
|
|
|
|
|
|
|
p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
|
p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
|
|
|
|
|
|
FLOW_INITIALIZE(&f);
|
|
|
|
|
f.protoctx = (void *)&ssn;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.proto = IPPROTO_TCP;
|
|
|
|
|
f.flags |= FLOW_IPV4;
|
|
|
|
|
p1->flow = &f;
|
|
|
|
|
p1->flowflags |= FLOW_PKT_TOSERVER;
|
|
|
|
|
p1->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
|
|
|
p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
|
|
|
p2->flow = &f;
|
|
|
|
|
p2->flowflags |= FLOW_PKT_TOSERVER;
|
|
|
|
|
p2->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
|
|
|
p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
|
|
|
f.alproto = ALPROTO_HTTP;
|
|
|
|
|
|
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
|
|
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
|
|
|
if (de_ctx == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
|
|
|
|
|
"(msg:\"http header test\"; flow:to_server; "
|
|
|
|
|
"content:\"Gecko/20091221 Firefox/3.5.7\"; http_raw_header; "
|
|
|
|
|
"sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
SigGroupBuild(de_ctx);
|
|
|
|
|
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
|
|
|
|
|
|
|
|
|
|
FLOWLOCK_WRLOCK(&f);
|
|
|
|
|
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
|
|
|
|
|
STREAM_TOSERVER, http1_buf, http1_len);
|
|
|
|
|
if (r != 0) {
|
|
|
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
|
|
|
result = 0;
|
|
|
|
|
FLOWLOCK_UNLOCK(&f);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
FLOWLOCK_UNLOCK(&f);
|
|
|
|
|
|
|
|
|
|
http_state = f.alstate;
|
|
|
|
|
if (http_state == NULL) {
|
|
|
|
|
printf("no http state: ");
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* do detect */
|
|
|
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
|
|
|
|
|
|
|
|
|
|
if ((PacketAlertCheck(p1, 1))) {
|
|
|
|
|
printf("sid 1 didn't match but should have: ");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
FLOWLOCK_WRLOCK(&f);
|
|
|
|
|
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
|
|
|
|
|
STREAM_TOSERVER, http2_buf, http2_len);
|
|
|
|
|
if (r != 0) {
|
|
|
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
|
|
|
result = 0;
|
|
|
|
|
FLOWLOCK_UNLOCK(&f);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
FLOWLOCK_UNLOCK(&f);
|
|
|
|
|
|
|
|
|
|
/* do detect */
|
|
|
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
|
|
|
|
|
|
|
|
|
|
if (!(PacketAlertCheck(p2, 1))) {
|
|
|
|
|
printf("sid 1 didn't match but should have: ");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
end:
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
if (alp_tctx != NULL)
|
|
|
|
|
AppLayerParserThreadCtxFree(alp_tctx);
|
|
|
|
|
if (de_ctx != NULL)
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
|
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
|
|
|
FLOW_DESTROY(&f);
|
|
|
|
|
UTHFreePackets(&p1, 1);
|
|
|
|
|
UTHFreePackets(&p2, 1);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
*\test Test that the http_header content matches against a http request
|
|
|
|
|
* which holds the content, against a cross boundary present pattern.
|
|
|
|
|
*/
|
|
|
|
|
static int DetectHttpRawHeaderTest09(void)
|
|
|
|
|
{
|
|
|
|
|
TcpSession ssn;
|
|
|
|
|
Packet *p1 = NULL;
|
|
|
|
|
Packet *p2 = NULL;
|
|
|
|
|
ThreadVars th_v;
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
DetectEngineThreadCtx *det_ctx = NULL;
|
|
|
|
|
HtpState *http_state = NULL;
|
|
|
|
|
Flow f;
|
|
|
|
|
uint8_t http1_buf[] =
|
|
|
|
|
"GET /index.html HTTP/1.0\r\n"
|
|
|
|
|
"Host: www.openinfosecfoundation.org\r\n"
|
|
|
|
|
"User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n";
|
|
|
|
|
uint8_t http2_buf[] =
|
|
|
|
|
"Content-Type: text/html\r\n"
|
|
|
|
|
"Content-Length: 67\r\n"
|
|
|
|
|
"\r\n"
|
|
|
|
|
"This is dummy body\r\n";
|
|
|
|
|
uint32_t http1_len = sizeof(http1_buf) - 1;
|
|
|
|
|
uint32_t http2_len = sizeof(http2_buf) - 1;
|
|
|
|
|
int result = 0;
|
|
|
|
|
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
|
|
|
|
|
|
|
|
|
|
memset(&th_v, 0, sizeof(th_v));
|
|
|
|
|
memset(&f, 0, sizeof(f));
|
|
|
|
|
memset(&ssn, 0, sizeof(ssn));
|
|
|
|
|
|
|
|
|
|
p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
|
p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
|
|
|
|
|
|
FLOW_INITIALIZE(&f);
|
|
|
|
|
f.protoctx = (void *)&ssn;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.proto = IPPROTO_TCP;
|
|
|
|
|
f.flags |= FLOW_IPV4;
|
|
|
|
|
p1->flow = &f;
|
|
|
|
|
p1->flowflags |= FLOW_PKT_TOSERVER;
|
|
|
|
|
p1->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
|
|
|
p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
|
|
|
p2->flow = &f;
|
|
|
|
|
p2->flowflags |= FLOW_PKT_TOSERVER;
|
|
|
|
|
p2->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
|
|
|
p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
|
|
|
f.alproto = ALPROTO_HTTP;
|
|
|
|
|
|
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
|
|
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
|
|
|
if (de_ctx == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
|
|
|
|
|
"(msg:\"http header test\"; flow:to_server; "
|
|
|
|
|
"content:\"Firefox/3.5.7|0D 0A|Content\"; http_raw_header; "
|
|
|
|
|
"sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
SigGroupBuild(de_ctx);
|
|
|
|
|
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
|
|
|
|
|
|
|
|
|
|
FLOWLOCK_WRLOCK(&f);
|
|
|
|
|
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
|
|
|
|
|
STREAM_TOSERVER, http1_buf, http1_len);
|
|
|
|
|
if (r != 0) {
|
|
|
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
|
|
|
result = 0;
|
|
|
|
|
FLOWLOCK_UNLOCK(&f);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
FLOWLOCK_UNLOCK(&f);
|
|
|
|
|
|
|
|
|
|
http_state = f.alstate;
|
|
|
|
|
if (http_state == NULL) {
|
|
|
|
|
printf("no http state: ");
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* do detect */
|
|
|
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
|
|
|
|
|
|
|
|
|
|
if ((PacketAlertCheck(p1, 1))) {
|
|
|
|
|
printf("sid 1 didn't match but should have: ");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
FLOWLOCK_WRLOCK(&f);
|
|
|
|
|
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
|
|
|
|
|
STREAM_TOSERVER, http2_buf, http2_len);
|
|
|
|
|
if (r != 0) {
|
|
|
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
|
|
|
result = 0;
|
|
|
|
|
FLOWLOCK_UNLOCK(&f);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
FLOWLOCK_UNLOCK(&f);
|
|
|
|
|
|
|
|
|
|
/* do detect */
|
|
|
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
|
|
|
|
|
|
|
|
|
|
if (!(PacketAlertCheck(p2, 1))) {
|
|
|
|
|
printf("sid 1 didn't match but should have: ");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
end:
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
if (alp_tctx != NULL)
|
|
|
|
|
AppLayerParserThreadCtxFree(alp_tctx);
|
|
|
|
|
if (de_ctx != NULL)
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
|
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
|
|
|
FLOW_DESTROY(&f);
|
|
|
|
|
UTHFreePackets(&p1, 1);
|
|
|
|
|
UTHFreePackets(&p2, 1);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
*\test Test that the http_header content matches against a http request
|
|
|
|
|
* against a case insensitive pattern.
|
|
|
|
|
*/
|
|
|
|
|
static int DetectHttpRawHeaderTest10(void)
|
|
|
|
|
{
|
|
|
|
|
TcpSession ssn;
|
|
|
|
|
Packet *p1 = NULL;
|
|
|
|
|
Packet *p2 = NULL;
|
|
|
|
|
ThreadVars th_v;
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
DetectEngineThreadCtx *det_ctx = NULL;
|
|
|
|
|
HtpState *http_state = NULL;
|
|
|
|
|
Flow f;
|
|
|
|
|
uint8_t http1_buf[] =
|
|
|
|
|
"GET /index.html HTTP/1.0\r\n"
|
|
|
|
|
"Host: www.openinfosecfoundation.org\r\n"
|
|
|
|
|
"User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n";
|
|
|
|
|
uint8_t http2_buf[] =
|
|
|
|
|
"Content-Type: text/html\r\n"
|
|
|
|
|
"Content-Length: 67\r\n"
|
|
|
|
|
"\r\n"
|
|
|
|
|
"This is dummy body";
|
|
|
|
|
uint32_t http1_len = sizeof(http1_buf) - 1;
|
|
|
|
|
uint32_t http2_len = sizeof(http2_buf) - 1;
|
|
|
|
|
int result = 0;
|
|
|
|
|
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
|
|
|
|
|
|
|
|
|
|
memset(&th_v, 0, sizeof(th_v));
|
|
|
|
|
memset(&f, 0, sizeof(f));
|
|
|
|
|
memset(&ssn, 0, sizeof(ssn));
|
|
|
|
|
|
|
|
|
|
p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
|
p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
|
|
|
|
|
|
FLOW_INITIALIZE(&f);
|
|
|
|
|
f.protoctx = (void *)&ssn;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.proto = IPPROTO_TCP;
|
|
|
|
|
f.flags |= FLOW_IPV4;
|
|
|
|
|
p1->flow = &f;
|
|
|
|
|
p1->flowflags |= FLOW_PKT_TOSERVER;
|
|
|
|
|
p1->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
|
|
|
p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
|
|
|
p2->flow = &f;
|
|
|
|
|
p2->flowflags |= FLOW_PKT_TOSERVER;
|
|
|
|
|
p2->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
|
|
|
p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
|
|
|
f.alproto = ALPROTO_HTTP;
|
|
|
|
|
|
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
|
|
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
|
|
|
if (de_ctx == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
|
|
|
|
|
"(msg:\"http header test\"; flow:to_server; "
|
|
|
|
|
"content:\"firefox/3.5.7|0D 0A|content\"; nocase; http_raw_header;"
|
|
|
|
|
"sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
SigGroupBuild(de_ctx);
|
|
|
|
|
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
|
|
|
|
|
|
|
|
|
|
FLOWLOCK_WRLOCK(&f);
|
|
|
|
|
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
|
|
|
|
|
STREAM_TOSERVER, http1_buf, http1_len);
|
|
|
|
|
if (r != 0) {
|
|
|
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
|
|
|
result = 0;
|
|
|
|
|
FLOWLOCK_UNLOCK(&f);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
FLOWLOCK_UNLOCK(&f);
|
|
|
|
|
|
|
|
|
|
http_state = f.alstate;
|
|
|
|
|
if (http_state == NULL) {
|
|
|
|
|
printf("no http state: ");
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* do detect */
|
|
|
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
|
|
|
|
|
|
|
|
|
|
if ((PacketAlertCheck(p1, 1))) {
|
|
|
|
|
printf("sid 1 didn't match but should have: ");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
FLOWLOCK_WRLOCK(&f);
|
|
|
|
|
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
|
|
|
|
|
STREAM_TOSERVER, http2_buf, http2_len);
|
|
|
|
|
if (r != 0) {
|
|
|
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
|
|
|
result = 0;
|
|
|
|
|
FLOWLOCK_UNLOCK(&f);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
FLOWLOCK_UNLOCK(&f);
|
|
|
|
|
|
|
|
|
|
/* do detect */
|
|
|
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
|
|
|
|
|
|
|
|
|
|
if (!(PacketAlertCheck(p2, 1))) {
|
|
|
|
|
printf("sid 1 didn't match but should have: ");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
end:
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
if (alp_tctx != NULL)
|
|
|
|
|
AppLayerParserThreadCtxFree(alp_tctx);
|
|
|
|
|
if (de_ctx != NULL)
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
|
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
|
|
|
FLOW_DESTROY(&f);
|
|
|
|
|
UTHFreePackets(&p1, 1);
|
|
|
|
|
UTHFreePackets(&p2, 1);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
*\test Test that the negated http_header content matches against a
|
|
|
|
|
* http request which doesn't hold the content.
|
|
|
|
|
*/
|
|
|
|
|
static int DetectHttpRawHeaderTest11(void)
|
|
|
|
|
{
|
|
|
|
|
TcpSession ssn;
|
|
|
|
|
Packet *p = NULL;
|
|
|
|
|
ThreadVars th_v;
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
DetectEngineThreadCtx *det_ctx = NULL;
|
|
|
|
|
HtpState *http_state = NULL;
|
|
|
|
|
Flow f;
|
|
|
|
|
uint8_t http_buf[] =
|
|
|
|
|
"GET /index.html HTTP/1.0\r\n"
|
|
|
|
|
"Host: www.openinfosecfoundation.org\r\n"
|
|
|
|
|
"User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
|
|
|
|
|
"Content-Type: text/html\r\n"
|
|
|
|
|
"Content-Length: 26\r\n"
|
|
|
|
|
"\r\n"
|
|
|
|
|
"This is dummy message body\r\n";
|
|
|
|
|
uint32_t http_len = sizeof(http_buf) - 1;
|
|
|
|
|
int result = 0;
|
|
|
|
|
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
|
|
|
|
|
|
|
|
|
|
memset(&th_v, 0, sizeof(th_v));
|
|
|
|
|
memset(&f, 0, sizeof(f));
|
|
|
|
|
memset(&ssn, 0, sizeof(ssn));
|
|
|
|
|
|
|
|
|
|
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
|
|
|
|
|
|
FLOW_INITIALIZE(&f);
|
|
|
|
|
f.protoctx = (void *)&ssn;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.proto = IPPROTO_TCP;
|
|
|
|
|
f.flags |= FLOW_IPV4;
|
|
|
|
|
p->flow = &f;
|
|
|
|
|
p->flowflags |= FLOW_PKT_TOSERVER;
|
|
|
|
|
p->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
|
|
|
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
|
|
|
f.alproto = ALPROTO_HTTP;
|
|
|
|
|
|
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
|
|
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
|
|
|
if (de_ctx == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
|
|
|
|
|
"(msg:\"http header test\"; flow:to_server; "
|
|
|
|
|
"content:!\"lalalalala\"; http_raw_header; "
|
|
|
|
|
"sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
SigGroupBuild(de_ctx);
|
|
|
|
|
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
|
|
|
|
|
|
|
|
|
|
FLOWLOCK_WRLOCK(&f);
|
|
|
|
|
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
|
|
|
|
|
STREAM_TOSERVER, http_buf, http_len);
|
|
|
|
|
if (r != 0) {
|
|
|
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
|
|
|
result = 0;
|
|
|
|
|
FLOWLOCK_UNLOCK(&f);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
FLOWLOCK_UNLOCK(&f);
|
|
|
|
|
|
|
|
|
|
http_state = f.alstate;
|
|
|
|
|
if (http_state == NULL) {
|
|
|
|
|
printf("no http state: ");
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* do detect */
|
|
|
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
|
|
|
|
|
|
|
|
|
|
if (!(PacketAlertCheck(p, 1))) {
|
|
|
|
|
printf("sid 1 didn't match but should have: ");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
end:
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
if (alp_tctx != NULL)
|
|
|
|
|
AppLayerParserThreadCtxFree(alp_tctx);
|
|
|
|
|
if (de_ctx != NULL)
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
|
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
|
|
|
FLOW_DESTROY(&f);
|
|
|
|
|
UTHFreePackets(&p, 1);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
*\test Negative test that the negated http_header content matches against a
|
|
|
|
|
* http request which holds hold the content.
|
|
|
|
|
*/
|
|
|
|
|
static int DetectHttpRawHeaderTest12(void)
|
|
|
|
|
{
|
|
|
|
|
TcpSession ssn;
|
|
|
|
|
Packet *p = NULL;
|
|
|
|
|
ThreadVars th_v;
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
DetectEngineThreadCtx *det_ctx = NULL;
|
|
|
|
|
HtpState *http_state = NULL;
|
|
|
|
|
Flow f;
|
|
|
|
|
uint8_t http_buf[] =
|
|
|
|
|
"GET /index.html HTTP/1.0\r\n"
|
|
|
|
|
"Host: www.openinfosecfoundation.org\r\n"
|
|
|
|
|
"User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
|
|
|
|
|
"Content-Type: text/html\r\n"
|
|
|
|
|
"Content-Length: 26\r\n"
|
|
|
|
|
"\r\n"
|
|
|
|
|
"This is dummy message body\r\n";
|
|
|
|
|
uint32_t http_len = sizeof(http_buf) - 1;
|
|
|
|
|
int result = 0;
|
|
|
|
|
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
|
|
|
|
|
|
|
|
|
|
memset(&th_v, 0, sizeof(th_v));
|
|
|
|
|
memset(&f, 0, sizeof(f));
|
|
|
|
|
memset(&ssn, 0, sizeof(ssn));
|
|
|
|
|
|
|
|
|
|
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
|
|
|
|
|
|
FLOW_INITIALIZE(&f);
|
|
|
|
|
f.protoctx = (void *)&ssn;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.proto = IPPROTO_TCP;
|
|
|
|
|
f.flags |= FLOW_IPV4;
|
|
|
|
|
p->flow = &f;
|
|
|
|
|
p->flowflags |= FLOW_PKT_TOSERVER;
|
|
|
|
|
p->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
|
|
|
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
|
|
|
f.alproto = ALPROTO_HTTP;
|
|
|
|
|
|
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
|
|
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
|
|
|
if (de_ctx == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
|
|
|
|
|
"(msg:\"http header test\"; flow:to_server; "
|
|
|
|
|
"content:!\"User-Agent: Mozilla/5.0 \"; http_raw_header; "
|
|
|
|
|
"sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
SigGroupBuild(de_ctx);
|
|
|
|
|
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
|
|
|
|
|
|
|
|
|
|
FLOWLOCK_WRLOCK(&f);
|
|
|
|
|
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
|
|
|
|
|
STREAM_TOSERVER, http_buf, http_len);
|
|
|
|
|
if (r != 0) {
|
|
|
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
|
|
|
result = 0;
|
|
|
|
|
FLOWLOCK_UNLOCK(&f);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
FLOWLOCK_UNLOCK(&f);
|
|
|
|
|
|
|
|
|
|
http_state = f.alstate;
|
|
|
|
|
if (http_state == NULL) {
|
|
|
|
|
printf("no http state: ");
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* do detect */
|
|
|
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
|
|
|
|
|
|
|
|
|
|
if ((PacketAlertCheck(p, 1))) {
|
|
|
|
|
printf("sid 1 didn't match but should have: ");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
end:
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
if (alp_tctx != NULL)
|
|
|
|
|
AppLayerParserThreadCtxFree(alp_tctx);
|
|
|
|
|
if (de_ctx != NULL)
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
|
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
|
|
|
FLOW_DESTROY(&f);
|
|
|
|
|
UTHFreePackets(&p, 1);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
*\test Test that the http_header content matches against a http request
|
|
|
|
|
* which holds the content.
|
|
|
|
|
*/
|
|
|
|
|
static int DetectHttpRawHeaderTest13(void)
|
|
|
|
|
{
|
|
|
|
|
TcpSession ssn;
|
|
|
|
|
Packet *p = NULL;
|
|
|
|
|
ThreadVars th_v;
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
DetectEngineThreadCtx *det_ctx = NULL;
|
|
|
|
|
HtpState *http_state = NULL;
|
|
|
|
|
Flow f;
|
|
|
|
|
uint8_t http_buf[] =
|
|
|
|
|
"GET /index.html HTTP/1.0\r\n"
|
|
|
|
|
"Host: www.openinfosecfoundation.org\r\n"
|
|
|
|
|
"User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
|
|
|
|
|
"Content-Type: text/html\r\n"
|
|
|
|
|
"Content-Length: 100\r\n"
|
|
|
|
|
"\r\n"
|
|
|
|
|
"longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\r\n";
|
|
|
|
|
uint32_t http_len = sizeof(http_buf) - 1;
|
|
|
|
|
int result = 0;
|
|
|
|
|
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
|
|
|
|
|
|
|
|
|
|
memset(&th_v, 0, sizeof(th_v));
|
|
|
|
|
memset(&f, 0, sizeof(f));
|
|
|
|
|
memset(&ssn, 0, sizeof(ssn));
|
|
|
|
|
|
|
|
|
|
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
|
|
|
|
|
|
|
|
|
|
FLOW_INITIALIZE(&f);
|
|
|
|
|
f.protoctx = (void *)&ssn;
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
f.proto = IPPROTO_TCP;
|
|
|
|
|
f.flags |= FLOW_IPV4;
|
|
|
|
|
|
|
|
|
|
p->flow = &f;
|
|
|
|
|
p->flowflags |= FLOW_PKT_TOSERVER;
|
|
|
|
|
p->flowflags |= FLOW_PKT_ESTABLISHED;
|
|
|
|
|
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
|
|
|
|
|
f.alproto = ALPROTO_HTTP;
|
|
|
|
|
|
|
|
|
|
StreamTcpInitConfig(TRUE);
|
|
|
|
|
|
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
|
|
|
if (de_ctx == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
|
|
|
|
|
"(msg:\"http header test\"; flow:to_server; "
|
|
|
|
|
"content:\"Host: www.openinfosecfoundation.org\"; http_raw_header; "
|
|
|
|
|
"sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
SigGroupBuild(de_ctx);
|
|
|
|
|
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
|
|
|
|
|
|
|
|
|
|
FLOWLOCK_WRLOCK(&f);
|
|
|
|
|
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
|
|
|
|
|
STREAM_TOSERVER, http_buf, http_len);
|
|
|
|
|
if (r != 0) {
|
|
|
|
|
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
|
|
|
|
|
result = 0;
|
|
|
|
|
FLOWLOCK_UNLOCK(&f);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
FLOWLOCK_UNLOCK(&f);
|
|
|
|
|
|
|
|
|
|
http_state = f.alstate;
|
|
|
|
|
if (http_state == NULL) {
|
|
|
|
|
printf("no http state: ");
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* do detect */
|
|
|
|
|
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
|
|
|
|
|
|
|
|
|
|
if (!(PacketAlertCheck(p, 1))) {
|
|
|
|
|
printf("sid 1 didn't match but should have: ");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
end:
|
App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].
Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
"dnsudp" in the rules. A user who previously wrote a rule like this -
"alert dnstcp....." or
"alert dnsudp....."
would now have to use,
alert dns (ipproto:tcp;) or
alert udp (app-layer-protocol:dns;) or
alert ip (ipproto:udp; app-layer-protocol:dns;)
The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0. This is
needed by unittests, which would try to clean the flow, and that would
call the api, AppLayerParserCleanupParserState(), which would try to
clean the app state, but the app layer now needs an ipproto to figure
out which api to internally call to clean the state, and if the ipproto
is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
|
|
|
|
|
|
|
|
if (alp_tctx != NULL)
|
|
|
|
|
AppLayerParserThreadCtxFree(alp_tctx);
|
|
|
|
|
if (de_ctx != NULL)
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
|
|
|
|
|
StreamTcpFreeConfig(TRUE);
|
|
|
|
|
FLOW_DESTROY(&f);
|
|
|
|
|
UTHFreePackets(&p, 1);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int DetectHttpRawHeaderTest20(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
|
|
|
|
|
"(flow:to_server; content:\"one\"; http_raw_header; "
|
|
|
|
|
"content:\"two\"; distance:0; http_raw_header; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DetectContentData *hrhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
|
|
|
|
|
DetectContentData *hrhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx;
|
|
|
|
|
if (hrhd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
|
|
|
|
|
memcmp(hrhd1->content, "one", hrhd1->content_len) != 0 ||
|
|
|
|
|
hrhd2->flags != DETECT_CONTENT_DISTANCE ||
|
|
|
|
|
memcmp(hrhd2->content, "two", hrhd1->content_len) != 0) {
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
SigCleanSignatures(de_ctx);
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int DetectHttpRawHeaderTest21(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
|
|
|
|
|
"(flow:to_server; content:\"one\"; http_raw_header; "
|
|
|
|
|
"content:\"two\"; within:5; http_raw_header; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DetectContentData *hrhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
|
|
|
|
|
DetectContentData *hrhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx;
|
|
|
|
|
if (hrhd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
|
|
|
|
|
memcmp(hrhd1->content, "one", hrhd1->content_len) != 0 ||
|
|
|
|
|
hrhd2->flags != DETECT_CONTENT_WITHIN ||
|
|
|
|
|
memcmp(hrhd2->content, "two", hrhd1->content_len) != 0) {
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
SigCleanSignatures(de_ctx);
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int DetectHttpRawHeaderTest22(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
|
|
|
|
|
"(flow:to_server; content:\"one\"; within:5; http_raw_header; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
SigCleanSignatures(de_ctx);
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int DetectHttpRawHeaderTest23(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
|
|
|
|
|
"(flow:to_server; content:\"one\"; http_raw_header; within:5; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
SigCleanSignatures(de_ctx);
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int DetectHttpRawHeaderTest24(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
|
|
|
|
|
"(flow:to_server; content:\"one\"; within:5; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
SigCleanSignatures(de_ctx);
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int DetectHttpRawHeaderTest25(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
|
|
|
|
|
"(flow:to_server; pcre:/one/D; "
|
|
|
|
|
"content:\"two\"; within:5; http_raw_header; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id] == NULL ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->type != DETECT_CONTENT ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev == NULL ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->type != DETECT_PCRE) {
|
|
|
|
|
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
|
|
|
|
|
DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx;
|
|
|
|
|
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
|
|
|
|
|
hhd2->flags != DETECT_CONTENT_WITHIN ||
|
|
|
|
|
memcmp(hhd2->content, "two", hhd2->content_len) != 0) {
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
SigCleanSignatures(de_ctx);
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int DetectHttpRawHeaderTest26(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
|
|
|
|
|
"(flow:to_server; content:\"two\"; http_raw_header; "
|
|
|
|
|
"pcre:/one/DR; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id] == NULL ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->type != DETECT_PCRE ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev == NULL ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->type != DETECT_CONTENT) {
|
|
|
|
|
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DetectContentData *hhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
|
|
|
|
|
DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx;
|
|
|
|
|
if (pd2->flags != (DETECT_PCRE_RELATIVE) ||
|
|
|
|
|
hhd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
|
|
|
|
|
memcmp(hhd1->content, "two", hhd1->content_len) != 0) {
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
SigCleanSignatures(de_ctx);
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int DetectHttpRawHeaderTest27(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
|
|
|
|
|
"(flow:to_server; pcre:/one/D; "
|
|
|
|
|
"content:\"two\"; distance:5; http_raw_header; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id] == NULL ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->type != DETECT_CONTENT ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev == NULL ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->type != DETECT_PCRE) {
|
|
|
|
|
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
|
|
|
|
|
DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx;
|
|
|
|
|
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
|
|
|
|
|
hhd2->flags != DETECT_CONTENT_DISTANCE ||
|
|
|
|
|
memcmp(hhd2->content, "two", hhd2->content_len) != 0) {
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
SigCleanSignatures(de_ctx);
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int DetectHttpRawHeaderIsdataatParseTest(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
|
|
|
|
|
FAIL_IF_NULL(de_ctx);
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
|
|
|
|
|
Signature *s = DetectEngineAppendSig(de_ctx,
|
|
|
|
|
"alert tcp any any -> any any ("
|
|
|
|
|
"flow:to_server; "
|
|
|
|
|
"content:\"one\"; http_raw_header; "
|
|
|
|
|
"isdataat:!4,relative; sid:1;)");
|
|
|
|
|
FAIL_IF_NULL(s);
|
|
|
|
|
|
|
|
|
|
SigMatch *sm = s->init_data->smlists_tail[g_http_raw_header_buffer_id];
|
|
|
|
|
FAIL_IF_NULL(sm);
|
|
|
|
|
FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
|
|
|
|
|
|
|
|
|
|
DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
|
|
|
|
|
FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
|
|
|
|
|
FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
|
|
|
|
|
FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
|
|
|
|
|
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
PASS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#endif /* UNITTESTS */
|
|
|
|
|
|
|
|
|
|
void DetectHttpRawHeaderRegisterTests(void)
|
|
|
|
|
{
|
|
|
|
|
#ifdef UNITTESTS
|
|
|
|
|
UtRegisterTest("DetectHttpRawHeaderTest01", DetectHttpRawHeaderTest01);
|
|
|
|
|
UtRegisterTest("DetectHttpRawHeaderTest02", DetectHttpRawHeaderTest02);
|
|
|
|
|
UtRegisterTest("DetectHttpRawHeaderTest03", DetectHttpRawHeaderTest03);
|
|
|
|
|
UtRegisterTest("DetectHttpRawHeaderTest04", DetectHttpRawHeaderTest04);
|
|
|
|
|
UtRegisterTest("DetectHttpRawHeaderTest05", DetectHttpRawHeaderTest05);
|
|
|
|
|
UtRegisterTest("DetectHttpRawHeaderTest06", DetectHttpRawHeaderTest06);
|
|
|
|
|
UtRegisterTest("DetectHttpRawHeaderTest07", DetectHttpRawHeaderTest07);
|
|
|
|
|
UtRegisterTest("DetectHttpRawHeaderTest08", DetectHttpRawHeaderTest08);
|
|
|
|
|
UtRegisterTest("DetectHttpRawHeaderTest09", DetectHttpRawHeaderTest09);
|
|
|
|
|
UtRegisterTest("DetectHttpRawHeaderTest10", DetectHttpRawHeaderTest10);
|
|
|
|
|
UtRegisterTest("DetectHttpRawHeaderTest11", DetectHttpRawHeaderTest11);
|
|
|
|
|
UtRegisterTest("DetectHttpRawHeaderTest12", DetectHttpRawHeaderTest12);
|
|
|
|
|
UtRegisterTest("DetectHttpRawHeaderTest13", DetectHttpRawHeaderTest13);
|
|
|
|
|
UtRegisterTest("DetectHttpRawHeaderTest20", DetectHttpRawHeaderTest20);
|
|
|
|
|
UtRegisterTest("DetectHttpRawHeaderTest21", DetectHttpRawHeaderTest21);
|
|
|
|
|
UtRegisterTest("DetectHttpRawHeaderTest22", DetectHttpRawHeaderTest22);
|
|
|
|
|
UtRegisterTest("DetectHttpRawHeaderTest23", DetectHttpRawHeaderTest23);
|
|
|
|
|
UtRegisterTest("DetectHttpRawHeaderTest24", DetectHttpRawHeaderTest24);
|
|
|
|
|
UtRegisterTest("DetectHttpRawHeaderTest25", DetectHttpRawHeaderTest25);
|
|
|
|
|
UtRegisterTest("DetectHttpRawHeaderTest26", DetectHttpRawHeaderTest26);
|
|
|
|
|
UtRegisterTest("DetectHttpRawHeaderTest27", DetectHttpRawHeaderTest27);
|
|
|
|
|
|
|
|
|
|
UtRegisterTest("DetectHttpRawHeaderIsdataatParseTest",
|
|
|
|
|
DetectHttpRawHeaderIsdataatParseTest);
|
|
|
|
|
#endif /* UNITTESTS */
|
|
|
|
|
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
/**
|
|
|
|
|
* @}
|
|
|
|
|
*/
|
