aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'e4ea38a8de'
${ noResults }
suricata/src/detect-http-method.c

873 lines
25 KiB
C
Raw Normal View History Unescape Escape

Import of GPLv2 Header 050410
15 years ago
/* Copyright (C) 2007-2010 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
Detection keyword cleanup
16 years ago
doc: create http support group This patch create an httplayer group and adds related files to it. It also fixes some typo in documentation string and format.
14 years ago
/**
* \ingroup httplayer
*
* @{
*/
Added http_method rule keyword.
16 years ago
/**
* \file
Import of GPLv2 Header 050410
15 years ago
*
Added http_method rule keyword.
16 years ago
* \author Brian Rectanus <brectanu@gmail.com>
Import of GPLv2 Header 050410
15 years ago
*
* Implements the http_method keyword
Added http_method rule keyword.
16 years ago
*/
#include "suricata-common.h"
#include "threads.h"
#include "debug.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
FLOW_DESTROY added to clean-up UT's that init flow
15 years ago
#include "detect-engine-state.h"
Added http_method rule keyword.
16 years ago
#include "detect-content.h"
fast pattern support for http_method. Also support relative modifiers
15 years ago
#include "detect-pcre.h"
Added http_method rule keyword.
16 years ago
#include "flow.h"
#include "flow-var.h"
properly init flows inside of unit-tests caused lock-up when falling back to using mutex locks
15 years ago
#include "flow-util.h"
Added http_method rule keyword.
16 years ago
#include "util-debug.h"
#include "util-unittest.h"
Fix unittests after ip_proto keyword change.
15 years ago
#include "util-unittest-helper.h"
Adding single pattern matcher algorithms. If you cannot store a context for the patterns, use SpmSearch() macro. Adding unittests and stats
16 years ago
#include "util-spm.h"
Added http_method rule keyword.
16 years ago
#include "app-layer.h"
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
#include "app-layer-parser.h"
Added http_method rule keyword.
16 years ago
#include "app-layer-htp.h"
#include "detect-http-method.h"
Stream engine memory handling update The stream engine memory handling needed updating as it didn't scale. Changes: - pools can now be initialized to size 0, meaning unlimited - stream engine uses a memcap setting. Sessions, segments and aldata is part of this, app layer state isn't. - memory is accounted using a global int that is spinlocked. - a counter for sessions that have not been picked up because of memcap was added. - all reassembly errors are converted to debug msgs.
16 years ago
#include "stream-tcp.h"
Added http_method rule keyword.
16 years ago
Detection keyword cleanup
16 years ago
static int DetectHttpMethodSetup(DetectEngineCtx *, Signature *, char *);
Added http_method rule keyword.
16 years ago
void DetectHttpMethodRegisterTests(void);
void DetectHttpMethodFree(void *);
/**
* \brief Registration function for keyword: http_method
*/
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
void DetectHttpMethodRegister(void)
{
Added http_method rule keyword.
16 years ago
sigmatch_table[DETECT_AL_HTTP_METHOD].name = "http_method";
Add documentation url in list-keyword output. The output of the list-keyword is modified to include the url to the keyword documentation when this is available. All documented keywords should have their link set. list-keyword can be used with an optional value: no option or short: display list of keywords csv: display a csv output on info an all keywords all: display a human readable output of keywords info $KWD: display the info about one keyword.
13 years ago
sigmatch_table[DETECT_AL_HTTP_METHOD].desc = "content modifier to match only on the HTTP method-buffer";
sigmatch_table[DETECT_AL_HTTP_METHOD].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#http_method";
Added http_method rule keyword.
16 years ago
sigmatch_table[DETECT_AL_HTTP_METHOD].Match = NULL;
fast pattern support for http_method. Also support relative modifiers
15 years ago
sigmatch_table[DETECT_AL_HTTP_METHOD].AppLayerMatch = NULL;
Added http_method rule keyword.
16 years ago
sigmatch_table[DETECT_AL_HTTP_METHOD].Setup = DetectHttpMethodSetup;
sigmatch_table[DETECT_AL_HTTP_METHOD].Free = DetectHttpMethodFree;
sigmatch_table[DETECT_AL_HTTP_METHOD].RegisterTests = DetectHttpMethodRegisterTests;
rule parser: set flag for optionless keywords If a keyword doesn't have an argument, it should set the SIGMATCH_NOOPT flag so the parser knows.
11 years ago
sigmatch_table[DETECT_AL_HTTP_METHOD].flags |= SIGMATCH_NOOPT;
Added http_method rule keyword.
16 years ago
sigmatch_table[DETECT_AL_HTTP_METHOD].flags |= SIGMATCH_PAYLOAD;
SCLogDebug("registering http_method rule option");
}
/**
fast pattern support for http_method. Also support relative modifiers
15 years ago
* \brief This function is used to add the parsed "http_method" option
* into the current signature.
Added http_method rule keyword.
16 years ago
*
fast pattern support for http_method. Also support relative modifiers
15 years ago
* \param de_ctx Pointer to the Detection Engine Context.
* \param s Pointer to the Current Signature.
* \param str Pointer to the user provided option string.
Added http_method rule keyword.
16 years ago
*
fast pattern support for http_method. Also support relative modifiers
15 years ago
* \retval 0 on Success.
* \retval -1 on Failure.
Added http_method rule keyword.
16 years ago
*/
Detection keyword cleanup
16 years ago
static int DetectHttpMethodSetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
Added http_method rule keyword.
16 years ago
{
http_* setup unified.
13 years ago
return DetectEngineContentModifierBufferSetup(de_ctx, s, str,
DETECT_AL_HTTP_METHOD,
Further customize content modifier buffer registration. Allow modifier setups functions to have CustomCallbacks to enable their internal conditions.
13 years ago
DETECT_SM_LIST_HMDMATCH,
ALPROTO_HTTP,
NULL);
Added http_method rule keyword.
16 years ago
}
/**
unifying content structure - http_method now uses DetectContentData
15 years ago
* \brief this function will free memory associated with DetectContentData
Added http_method rule keyword.
16 years ago
*
unifying content structure - http_method now uses DetectContentData
15 years ago
* \param id_d pointer to DetectContentData
Added http_method rule keyword.
16 years ago
*/
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
void DetectHttpMethodFree(void *ptr)
{
unifying content structure - http_method now uses DetectContentData
15 years ago
DetectContentData *data = (DetectContentData *)ptr;
Added http_method rule keyword.
16 years ago
Make sure http_cookie inspects all HTTP transactions. Clean up error messages. Get rid of unused code and dead comments.
15 years ago
if (data->content != NULL)
SCFree(data->content);
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
SCFree(data);
Added http_method rule keyword.
16 years ago
}
detect: validate http_method pattern Leading and trailing spaces and tabs are invalid as these are not part of the buffer as returned by libhtp.
10 years ago
/**
* \retval 1 valid
* \retval 0 invalid
*/
int DetectHttpMethodValidateRule(const Signature *s)
{
if (s->alproto != ALPROTO_HTTP)
return 1;
if (s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL) {
const SigMatch *sm = s->sm_lists[DETECT_SM_LIST_HMDMATCH];
for ( ; sm != NULL; sm = sm->next) {
if (sm->type != DETECT_CONTENT)
continue;
const DetectContentData *cd = (const DetectContentData *)sm->ctx;
if (cd->content && cd->content_len) {
if (cd->content[cd->content_len-1] == 0x20) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with trailing space");
return 0;
} else if (cd->content[0] == 0x20) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with leading space");
return 0;
} else if (cd->content[cd->content_len-1] == 0x09) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with trailing tab");
return 0;
} else if (cd->content[0] == 0x09) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with leading tab");
return 0;
}
}
}
}
return 1;
}
Added http_method rule keyword.
16 years ago
#ifdef UNITTESTS /* UNITTESTS */
#include "stream-tcp-reassemble.h"
/** \test Check a signature with content */
int DetectHttpMethodTest01(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"Testing http_method\"; "
"content:\"GET\"; "
"http_method; sid:1;)");
if (de_ctx->sig_list != NULL) {
result = 1;
First stage of detect engine redesign: equal patterns share id's, search phase no longer used, new match verification phase.
16 years ago
} else {
printf("sig parse failed: ");
Added http_method rule keyword.
16 years ago
}
end:
fast pattern support for http_method. Also support relative modifiers
15 years ago
if (de_ctx != NULL)
SigCleanSignatures(de_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
Added http_method rule keyword.
16 years ago
return result;
}
/** \test Check a signature without content (fail) */
int DetectHttpMethodTest02(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"Testing http_method\"; "
"http_method; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 1;
}
end:
fast pattern support for http_method. Also support relative modifiers
15 years ago
if (de_ctx != NULL)
SigCleanSignatures(de_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
Added http_method rule keyword.
16 years ago
return result;
}
/** \test Check a signature with parameter (fail) */
int DetectHttpMethodTest03(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"Testing http_method\"; "
"content:\"foobar\"; "
"http_method:\"GET\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 1;
}
end:
fast pattern support for http_method. Also support relative modifiers
15 years ago
if (de_ctx != NULL)
SigCleanSignatures(de_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
Added http_method rule keyword.
16 years ago
return result;
}
Fixing unittests for fast_pattern options compatibility
15 years ago
/** \test Check a signature with fast_pattern (should work) */
Added http_method rule keyword.
16 years ago
int DetectHttpMethodTest04(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"Testing http_method\"; "
"content:\"GET\"; "
"fast_pattern; "
"http_method; sid:1;)");
Fixing unittests for fast_pattern options compatibility
15 years ago
if (de_ctx->sig_list != NULL) {
Added http_method rule keyword.
16 years ago
result = 1;
}
end:
fast pattern support for http_method. Also support relative modifiers
15 years ago
if (de_ctx != NULL)
SigCleanSignatures(de_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
Added http_method rule keyword.
16 years ago
return result;
}
/** \test Check a signature with rawbytes (fail) */
int DetectHttpMethodTest05(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"Testing http_method\"; "
"content:\"GET\"; "
"rawbytes; "
"http_method; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 1;
}
end:
fast pattern support for http_method. Also support relative modifiers
15 years ago
if (de_ctx != NULL)
SigCleanSignatures(de_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
Added http_method rule keyword.
16 years ago
return result;
}
Fix http_method not inspecting all http transactions all the time. Fix proper nocase setting. Switch to pattern scanning only, no more numeric compares as it turned to be incompatible with how the keyword is used (nocase, etc).
15 years ago
/** \test setting the nocase flag */
static int DetectHttpMethodTest12(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
if (DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
fix parsing content keywords. We are more strict now. All content keywords need to be enclosed in double quotes. Better validation for sid, priority and rev keywords
14 years ago
"(content:\"one\"; http_method; nocase; sid:1;)") == NULL) {
Fix http_method not inspecting all http transactions all the time. Fix proper nocase setting. Switch to pattern scanning only, no more numeric compares as it turned to be incompatible with how the keyword is used (nocase, etc).
15 years ago
printf("DetectEngineAppend == NULL: ");
goto end;
}
if (DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
fix parsing content keywords. We are more strict now. All content keywords need to be enclosed in double quotes. Better validation for sid, priority and rev keywords
14 years ago
"(content:\"one\"; nocase; http_method; sid:2;)") == NULL) {
Fix http_method not inspecting all http transactions all the time. Fix proper nocase setting. Switch to pattern scanning only, no more numeric compares as it turned to be incompatible with how the keyword is used (nocase, etc).
15 years ago
printf("DetectEngineAppend == NULL: ");
goto end;
}
fast pattern support for http_method. Also support relative modifiers
15 years ago
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HMDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HMDMATCH] == NULL: ");
Fix http_method not inspecting all http transactions all the time. Fix proper nocase setting. Switch to pattern scanning only, no more numeric compares as it turned to be incompatible with how the keyword is used (nocase, etc).
15 years ago
goto end;
}
Change Match() function to take const SigMatchCtx* The Match functions don't need a pointer to the SigMatch object, just the context pointer contained inside, so pass the Context to the Match function rather than the SigMatch object. This allows for further optimization. Change SigMatch->ctx to have type SigMatchCtx* rather than void* for better type checking. This requires adding type casts when using or assigning it. The SigMatch contex should not be changed by the Match() funciton, so pass it as a const SigMatchCtx*.
11 years ago
DetectContentData *hmd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx;
DetectContentData *hmd2 = (DetectContentData *)de_ctx->sig_list->next->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx;
Fix http_method not inspecting all http transactions all the time. Fix proper nocase setting. Switch to pattern scanning only, no more numeric compares as it turned to be incompatible with how the keyword is used (nocase, etc).
15 years ago
unifying content structure - http_method now uses DetectContentData
15 years ago
if (!(hmd1->flags & DETECT_CONTENT_NOCASE)) {
Fix http_method not inspecting all http transactions all the time. Fix proper nocase setting. Switch to pattern scanning only, no more numeric compares as it turned to be incompatible with how the keyword is used (nocase, etc).
15 years ago
printf("nocase flag not set on sig 1: ");
goto end;
}
unifying content structure - http_method now uses DetectContentData
15 years ago
if (!(hmd2->flags & DETECT_CONTENT_NOCASE)) {
Fix http_method not inspecting all http transactions all the time. Fix proper nocase setting. Switch to pattern scanning only, no more numeric compares as it turned to be incompatible with how the keyword is used (nocase, etc).
15 years ago
printf("nocase flag not set on sig 2: ");
goto end;
}
result = 1;
end:
SigCleanSignatures(de_ctx);
DetectEngineCtxFree(de_ctx);
return result;
}
fixed relative handling for pcre cookie and method
14 years ago
/** \test Check a signature with method + within and pcre with /M (should work) */
int DetectHttpMethodTest13(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"Testing http_method\"; "
"pcre:\"/HE/M\"; "
"content:\"AD\"; "
"within:2; http_method; sid:1;)");
if (de_ctx->sig_list != NULL) {
result = 1;
}
end:
if (de_ctx != NULL)
SigCleanSignatures(de_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
/** \test Check a signature with method + within and pcre without /M (should fail) */
int DetectHttpMethodTest14(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"Testing http_method\"; "
"pcre:\"/HE/\"; "
"content:\"AD\"; "
"http_method; within:2; sid:1;)");
All http_http_method modified patterns now are DETECT_CONTENT and not DETECT_AL_HTTP_METHOD
14 years ago
if (de_ctx->sig_list != NULL) {
fixed relative handling for pcre cookie and method
14 years ago
result = 1;
}
end:
if (de_ctx != NULL)
SigCleanSignatures(de_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
/** \test Check a signature with method + within and pcre with /M (should work) */
int DetectHttpMethodTest15(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"Testing http_method\"; "
"pcre:\"/HE/M\"; "
"content:\"AD\"; "
"http_method; within:2; sid:1;)");
if (de_ctx->sig_list != NULL) {
result = 1;
}
end:
if (de_ctx != NULL)
SigCleanSignatures(de_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
Added http_method rule keyword.
16 years ago
/** \test Check a signature with an known request method */
static int DetectHttpMethodSigTest01(void)
{
int result = 0;
Flow f;
uint8_t httpbuf1[] = "GET / HTTP/1.0\r\n"
"Host: foo.bar.tld\r\n"
"\r\n";
uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
TcpSession ssn;
Fix unittests after ip_proto keyword change.
15 years ago
Packet *p = NULL;
Added http_method rule keyword.
16 years ago
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
HtpState *http_state = NULL;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
Added http_method rule keyword.
16 years ago
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
Fix unittests after ip_proto keyword change.
15 years ago
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
Added http_method rule keyword.
16 years ago
properly init flows inside of unit-tests caused lock-up when falling back to using mutex locks
15 years ago
FLOW_INITIALIZE(&f);
Added http_method rule keyword.
16 years ago
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
flow: shrink Flow datatype Introduce a separate FlowAddress structure for holding the ipv4 or ipv6 address that doesn't have the family in it like the Address structure. Instead, the family is stored in the flow as a flag: FLOW_IPV4 and FLOW_IPV6. Add macro's to check the family, copy the address, etc. Update many unittests to reflect these changes. Introduce unittest helper functions for creating and initializing a flow and freeing it again. On 64 bit this shrinks the flow with 8 bytes.
14 years ago
f.flags |= FLOW_IPV4;
Explicitly test for ipv6 in the htp personalities code. Update all affected unittests to set addr family to the flow.
15 years ago
Fix unittests after ip_proto keyword change.
15 years ago
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
Update all unittests
15 years ago
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
UDP support at AppLayer message handling
15 years ago
f.alproto = ALPROTO_HTTP;
Added http_method rule keyword.
16 years ago
Stream engine memory handling update The stream engine memory handling needed updating as it didn't scale. Changes: - pools can now be initialized to size 0, meaning unlimited - stream engine uses a memcap setting. Sessions, segments and aldata is part of this, app layer state isn't. - memory is accounted using a global int that is spinlocked. - a counter for sessions that have not been picked up because of memcap was added. - all reassembly errors are converted to debug msgs.
16 years ago
StreamTcpInitConfig(TRUE);
Added http_method rule keyword.
16 years ago
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"Testing http_method\"; "
"content:\"GET\"; "
"http_method; sid:1;)");
if (s == NULL) {
goto end;
}
s = s->next = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"Testing http_method\"; "
"content:\"POST\"; "
"http_method; sid:2;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
unittests: replace SCMutex* calls by FLOWLOCK_*
9 years ago
FLOWLOCK_WRLOCK(&f);
app-layer: add ThreadVars to AppLayerParserParse To be able to add a transaction counter we will need a ThreadVars in the AppLayerParserParse function. This function is massively used in unittests and this result in an long commit.
9 years ago
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
STREAM_TOSERVER, httpbuf1, httplen1);
Added http_method rule keyword.
16 years ago
if (r != 0) {
SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
unittests: replace SCMutex* calls by FLOWLOCK_*
9 years ago
FLOWLOCK_UNLOCK(&f);
Added http_method rule keyword.
16 years ago
goto end;
}
unittests: replace SCMutex* calls by FLOWLOCK_*
9 years ago
FLOWLOCK_UNLOCK(&f);
Added http_method rule keyword.
16 years ago
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
http_state = f.alstate;
Added http_method rule keyword.
16 years ago
if (http_state == NULL) {
SCLogDebug("no http state: ");
goto end;
}
Fix unittests after ip_proto keyword change.
15 years ago
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
Added http_method rule keyword.
16 years ago
Fix unittests after ip_proto keyword change.
15 years ago
if (!(PacketAlertCheck(p, 1))) {
Added http_method rule keyword.
16 years ago
goto end;
}
Fix unittests after ip_proto keyword change.
15 years ago
if (PacketAlertCheck(p, 2)) {
Added http_method rule keyword.
16 years ago
goto end;
}
result = 1;
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
Added http_method rule keyword.
16 years ago
if (de_ctx != NULL) SigGroupCleanup(de_ctx);
if (de_ctx != NULL) SigCleanSignatures(de_ctx);
if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
Stream engine memory handling update The stream engine memory handling needed updating as it didn't scale. Changes: - pools can now be initialized to size 0, meaning unlimited - stream engine uses a memcap setting. Sessions, segments and aldata is part of this, app layer state isn't. - memory is accounted using a global int that is spinlocked. - a counter for sessions that have not been picked up because of memcap was added. - all reassembly errors are converted to debug msgs.
16 years ago
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY added to clean-up UT's that init flow
15 years ago
FLOW_DESTROY(&f);
Fix unittests after ip_proto keyword change.
15 years ago
UTHFreePackets(&p, 1);
Added http_method rule keyword.
16 years ago
return result;
}
/** \test Check a signature with an unknown request method */
static int DetectHttpMethodSigTest02(void)
{
int result = 0;
Flow f;
uint8_t httpbuf1[] = "FOO / HTTP/1.0\r\n"
"Host: foo.bar.tld\r\n"
"\r\n";
uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
TcpSession ssn;
Fix unittests after ip_proto keyword change.
15 years ago
Packet *p = NULL;
Added http_method rule keyword.
16 years ago
Signature *s = NULL;
ThreadVars th_v;
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
DetectEngineThreadCtx *det_ctx = NULL;
HtpState *http_state = NULL;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
Added http_method rule keyword.
16 years ago
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
Fix unittests after ip_proto keyword change.
15 years ago
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
Added http_method rule keyword.
16 years ago
properly init flows inside of unit-tests caused lock-up when falling back to using mutex locks
15 years ago
FLOW_INITIALIZE(&f);
Added http_method rule keyword.
16 years ago
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
flow: shrink Flow datatype Introduce a separate FlowAddress structure for holding the ipv4 or ipv6 address that doesn't have the family in it like the Address structure. Instead, the family is stored in the flow as a flag: FLOW_IPV4 and FLOW_IPV6. Add macro's to check the family, copy the address, etc. Update many unittests to reflect these changes. Introduce unittest helper functions for creating and initializing a flow and freeing it again. On 64 bit this shrinks the flow with 8 bytes.
14 years ago
f.flags |= FLOW_IPV4;
Explicitly test for ipv6 in the htp personalities code. Update all affected unittests to set addr family to the flow.
15 years ago
Fix unittests after ip_proto keyword change.
15 years ago
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
Update all unittests
15 years ago
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
UDP support at AppLayer message handling
15 years ago
f.alproto = ALPROTO_HTTP;
Added http_method rule keyword.
16 years ago
Stream engine memory handling update The stream engine memory handling needed updating as it didn't scale. Changes: - pools can now be initialized to size 0, meaning unlimited - stream engine uses a memcap setting. Sessions, segments and aldata is part of this, app layer state isn't. - memory is accounted using a global int that is spinlocked. - a counter for sessions that have not been picked up because of memcap was added. - all reassembly errors are converted to debug msgs.
16 years ago
StreamTcpInitConfig(TRUE);
Added http_method rule keyword.
16 years ago
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"Testing http_method\"; "
"content:\"FOO\"; "
"http_method; sid:1;)");
if (s == NULL) {
goto end;
}
s = s->next = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"Testing http_method\"; "
"content:\"BAR\"; "
"http_method; sid:2;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
unittests: replace SCMutex* calls by FLOWLOCK_*
9 years ago
FLOWLOCK_WRLOCK(&f);
app-layer: add ThreadVars to AppLayerParserParse To be able to add a transaction counter we will need a ThreadVars in the AppLayerParserParse function. This function is massively used in unittests and this result in an long commit.
9 years ago
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
STREAM_TOSERVER, httpbuf1, httplen1);
Added http_method rule keyword.
16 years ago
if (r != 0) {
SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
unittests: replace SCMutex* calls by FLOWLOCK_*
9 years ago
FLOWLOCK_UNLOCK(&f);
Added http_method rule keyword.
16 years ago
goto end;
}
unittests: replace SCMutex* calls by FLOWLOCK_*
9 years ago
FLOWLOCK_UNLOCK(&f);
Added http_method rule keyword.
16 years ago
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
http_state = f.alstate;
Added http_method rule keyword.
16 years ago
if (http_state == NULL) {
SCLogDebug("no http state: ");
goto end;
}
Fix unittests after ip_proto keyword change.
15 years ago
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
Added http_method rule keyword.
16 years ago
Fix unittests after ip_proto keyword change.
15 years ago
if (!(PacketAlertCheck(p, 1))) {
Added http_method rule keyword.
16 years ago
goto end;
}
Fix unittests after ip_proto keyword change.
15 years ago
if (PacketAlertCheck(p, 2)) {
Added http_method rule keyword.
16 years ago
goto end;
}
result = 1;
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
Added http_method rule keyword.
16 years ago
if (de_ctx != NULL) SigGroupCleanup(de_ctx);
if (de_ctx != NULL) SigCleanSignatures(de_ctx);
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
if (det_ctx != NULL) DetectEngineThreadCtxDeinit(&th_v, (void *) det_ctx);
Added http_method rule keyword.
16 years ago
if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
Stream engine memory handling update The stream engine memory handling needed updating as it didn't scale. Changes: - pools can now be initialized to size 0, meaning unlimited - stream engine uses a memcap setting. Sessions, segments and aldata is part of this, app layer state isn't. - memory is accounted using a global int that is spinlocked. - a counter for sessions that have not been picked up because of memcap was added. - all reassembly errors are converted to debug msgs.
16 years ago
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY added to clean-up UT's that init flow
15 years ago
FLOW_DESTROY(&f);
Fix unittests after ip_proto keyword change.
15 years ago
UTHFreePackets(&p, 1);
Added http_method rule keyword.
16 years ago
return result;
}
/** \test Check a signature against an unparsable request */
static int DetectHttpMethodSigTest03(void)
{
int result = 0;
Flow f;
uint8_t httpbuf1[] = " ";
uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
TcpSession ssn;
Fix unittests after ip_proto keyword change.
15 years ago
Packet *p = NULL;
Added http_method rule keyword.
16 years ago
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
HtpState *http_state = NULL;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
Added http_method rule keyword.
16 years ago
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
Fix unittests after ip_proto keyword change.
15 years ago
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
Added http_method rule keyword.
16 years ago
properly init flows inside of unit-tests caused lock-up when falling back to using mutex locks
15 years ago
FLOW_INITIALIZE(&f);
Added http_method rule keyword.
16 years ago
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
flow: shrink Flow datatype Introduce a separate FlowAddress structure for holding the ipv4 or ipv6 address that doesn't have the family in it like the Address structure. Instead, the family is stored in the flow as a flag: FLOW_IPV4 and FLOW_IPV6. Add macro's to check the family, copy the address, etc. Update many unittests to reflect these changes. Introduce unittest helper functions for creating and initializing a flow and freeing it again. On 64 bit this shrinks the flow with 8 bytes.
14 years ago
f.flags |= FLOW_IPV4;
Explicitly test for ipv6 in the htp personalities code. Update all affected unittests to set addr family to the flow.
15 years ago
Fix unittests after ip_proto keyword change.
15 years ago
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
Update all unittests
15 years ago
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
UDP support at AppLayer message handling
15 years ago
f.alproto = ALPROTO_HTTP;
Added http_method rule keyword.
16 years ago
Stream engine memory handling update The stream engine memory handling needed updating as it didn't scale. Changes: - pools can now be initialized to size 0, meaning unlimited - stream engine uses a memcap setting. Sessions, segments and aldata is part of this, app layer state isn't. - memory is accounted using a global int that is spinlocked. - a counter for sessions that have not been picked up because of memcap was added. - all reassembly errors are converted to debug msgs.
16 years ago
StreamTcpInitConfig(TRUE);
Added http_method rule keyword.
16 years ago
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"Testing http_method\"; "
detect: validate http_method pattern Leading and trailing spaces and tabs are invalid as these are not part of the buffer as returned by libhtp.
10 years ago
"content:\"GET\"; "
Added http_method rule keyword.
16 years ago
"http_method; sid:1;)");
if (s == NULL) {
SCLogDebug("Bad signature");
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
unittests: replace SCMutex* calls by FLOWLOCK_*
9 years ago
FLOWLOCK_WRLOCK(&f);
app-layer: add ThreadVars to AppLayerParserParse To be able to add a transaction counter we will need a ThreadVars in the AppLayerParserParse function. This function is massively used in unittests and this result in an long commit.
9 years ago
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
STREAM_TOSERVER, httpbuf1, httplen1);
Added http_method rule keyword.
16 years ago
if (r != 0) {
SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
unittests: replace SCMutex* calls by FLOWLOCK_*
9 years ago
FLOWLOCK_UNLOCK(&f);
Fix 2 unittests
12 years ago
goto end;
Added http_method rule keyword.
16 years ago
}
unittests: replace SCMutex* calls by FLOWLOCK_*
9 years ago
FLOWLOCK_UNLOCK(&f);
Added http_method rule keyword.
16 years ago
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
http_state = f.alstate;
Added http_method rule keyword.
16 years ago
if (http_state == NULL) {
SCLogDebug("no http state: ");
goto end;
}
Fix unittests after ip_proto keyword change.
15 years ago
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
Added http_method rule keyword.
16 years ago
Fix unittests after ip_proto keyword change.
15 years ago
if (PacketAlertCheck(p, 1)) {
Added http_method rule keyword.
16 years ago
goto end;
}
result = 1;
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
Added http_method rule keyword.
16 years ago
if (de_ctx != NULL) SigGroupCleanup(de_ctx);
if (de_ctx != NULL) SigCleanSignatures(de_ctx);
if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
Stream engine memory handling update The stream engine memory handling needed updating as it didn't scale. Changes: - pools can now be initialized to size 0, meaning unlimited - stream engine uses a memcap setting. Sessions, segments and aldata is part of this, app layer state isn't. - memory is accounted using a global int that is spinlocked. - a counter for sessions that have not been picked up because of memcap was added. - all reassembly errors are converted to debug msgs.
16 years ago
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY added to clean-up UT's that init flow
15 years ago
FLOW_DESTROY(&f);
Fix unittests after ip_proto keyword change.
15 years ago
UTHFreePackets(&p, 1);
Added http_method rule keyword.
16 years ago
return result;
}
support for http_stat_code keyword has been added to detection module
15 years ago
/** \test Check a signature with an request method and negation of the same */
static int DetectHttpMethodSigTest04(void)
{
int result = 0;
Flow f;
uint8_t httpbuf1[] = "GET / HTTP/1.0\r\n"
"Host: foo.bar.tld\r\n"
"\r\n";
uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
TcpSession ssn;
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
HtpState *http_state = NULL;
Update tests to use AppLayerParserThreadCtx ptr instead of void. Fix a few bugs uncovered by this.
12 years ago
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
support for http_stat_code keyword has been added to detection module
15 years ago
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
f.proto = IPPROTO_TCP;
flow: shrink Flow datatype Introduce a separate FlowAddress structure for holding the ipv4 or ipv6 address that doesn't have the family in it like the Address structure. Instead, the family is stored in the flow as a flag: FLOW_IPV4 and FLOW_IPV6. Add macro's to check the family, copy the address, etc. Update many unittests to reflect these changes. Introduce unittest helper functions for creating and initializing a flow and freeing it again. On 64 bit this shrinks the flow with 8 bytes.
14 years ago
f.flags |= FLOW_IPV4;
support for http_stat_code keyword has been added to detection module
15 years ago
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
Update all unittests
15 years ago
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
support for http_stat_code keyword has been added to detection module
15 years ago
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,
Fix negated http_method not working properly, causing false positives.
15 years ago
"alert tcp any any -> any any (msg:\"Testing http_method\"; "
"content:\"GET\"; http_method; sid:1;)");
support for http_stat_code keyword has been added to detection module
15 years ago
if (s == NULL) {
goto end;
}
s = s->next = SigInit(de_ctx,
Fix negated http_method not working properly, causing false positives.
15 years ago
"alert tcp any any -> any any (msg:\"Testing http_method\"; "
"content:!\"GET\"; http_method; sid:2;)");
support for http_stat_code keyword has been added to detection module
15 years ago
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
unittests: replace SCMutex* calls by FLOWLOCK_*
9 years ago
FLOWLOCK_WRLOCK(&f);
app-layer: add ThreadVars to AppLayerParserParse To be able to add a transaction counter we will need a ThreadVars in the AppLayerParserParse function. This function is massively used in unittests and this result in an long commit.
9 years ago
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
STREAM_TOSERVER, httpbuf1, httplen1);
support for http_stat_code keyword has been added to detection module
15 years ago
if (r != 0) {
SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
unittests: replace SCMutex* calls by FLOWLOCK_*
9 years ago
FLOWLOCK_UNLOCK(&f);
support for http_stat_code keyword has been added to detection module
15 years ago
goto end;
}
unittests: replace SCMutex* calls by FLOWLOCK_*
9 years ago
FLOWLOCK_UNLOCK(&f);
support for http_stat_code keyword has been added to detection module
15 years ago
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
http_state = f.alstate;
support for http_stat_code keyword has been added to detection module
15 years ago
if (http_state == NULL) {
SCLogDebug("no http state: ");
goto end;
}
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (!(PacketAlertCheck(p, 1))) {
printf("sid 1 didn't match but should have: ");
goto end;
}
if (PacketAlertCheck(p, 2)) {
printf("sid 2 matched but shouldn't have: ");
goto end;
}
result = 1;
end:
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (alp_tctx != NULL)
app-layer: rename AppLayerThreadCtx funcs AppLayerParserGetCtxThread -> AppLayerParserThreadCtxAlloc AppLayerParserDestroyCtxThread -> AppLayerParserThreadCtxFree
12 years ago
AppLayerParserThreadCtxFree(alp_tctx);
Fix negated http_method not working properly, causing false positives.
15 years ago
if (de_ctx != NULL) {
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
}
if (det_ctx != NULL) {
DetectEngineThreadCtxDeinit(&th_v, (void *) det_ctx);
}
if (de_ctx != NULL) {
DetectEngineCtxFree(de_ctx);
}
support for http_stat_code keyword has been added to detection module
15 years ago
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePackets(&p, 1);
return result;
}
Added http_method rule keyword.
16 years ago
#endif /* UNITTESTS */
/**
* \brief this function registers unit tests for DetectHttpMethod
*/
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
void DetectHttpMethodRegisterTests(void)
{
Added http_method rule keyword.
16 years ago
#ifdef UNITTESTS /* UNITTESTS */
SCLogDebug("Registering tests for DetectHttpMethod...");
tests: no longer necessary to provide successful return code 1 pass, 0 is fail.
9 years ago
UtRegisterTest("DetectHttpMethodTest01", DetectHttpMethodTest01);
UtRegisterTest("DetectHttpMethodTest02", DetectHttpMethodTest02);
UtRegisterTest("DetectHttpMethodTest03", DetectHttpMethodTest03);
UtRegisterTest("DetectHttpMethodTest04", DetectHttpMethodTest04);
UtRegisterTest("DetectHttpMethodTest05", DetectHttpMethodTest05);
UtRegisterTest("DetectHttpMethodTest12 -- nocase flag",
DetectHttpMethodTest12);
UtRegisterTest("DetectHttpMethodTest13", DetectHttpMethodTest13);
UtRegisterTest("DetectHttpMethodTest14", DetectHttpMethodTest14);
UtRegisterTest("DetectHttpMethodTest15", DetectHttpMethodTest15);
UtRegisterTest("DetectHttpMethodSigTest01", DetectHttpMethodSigTest01);
UtRegisterTest("DetectHttpMethodSigTest02", DetectHttpMethodSigTest02);
UtRegisterTest("DetectHttpMethodSigTest03", DetectHttpMethodSigTest03);
UtRegisterTest("DetectHttpMethodSigTest04", DetectHttpMethodSigTest04);
Added http_method rule keyword.
16 years ago
#endif /* UNITTESTS */
}
doc: create http support group This patch create an httplayer group and adds related files to it. It also fixes some typo in documentation string and format.
14 years ago
/**
* @}
*/