uricontent new design

15 years ago · 0cb43d27e9
parent 356a8bf385
commit 0cb43d27e9
3 changed files with 59 additions and 27 deletions
--- a/src/detect-uricontent.c
+++ b/src/detect-uricontent.c
@ -494,7 +494,6 @@ int DoDetectAppLayerUricontentMatch (ThreadVars *tv, DetectEngineThreadCtx *det_

        }
        det_ctx->pmq.searchable = 0;
-        det_ctx->de_scanned_uri = TRUE;
    }
    return ret;
 }
@ -521,7 +520,6 @@ int DetectAppLayerUricontentMatch (ThreadVars *tv, DetectEngineThreadCtx *det_ct
    SCEnter();
    int ret = 0;
    int res = 0;
-    DetectUricontentData *co = (DetectUricontentData *)sm->ctx;
    /* if we don't have a uri, don't bother scanning */
    if (det_ctx->de_have_httpuri == FALSE) {
        SCLogDebug("We don't have uri");
@ -535,14 +533,14 @@ int DetectAppLayerUricontentMatch (ThreadVars *tv, DetectEngineThreadCtx *det_ct
        if (ssn == NULL) {
            SCLogDebug("no Tcp Session");
            det_ctx->de_have_httpuri = FALSE;
-            goto end;
+            goto unlock;
        }

        HtpState *htp_state = ssn->aldata[AlpGetStateIdx(ALPROTO_HTTP)];
        if (htp_state == NULL) {
            SCLogDebug("no HTTP state");
            det_ctx->de_have_httpuri = FALSE;
-            goto end;
+            goto unlock;
        }

        htp_tx_t *tx = NULL;
@ -555,28 +553,27 @@ int DetectAppLayerUricontentMatch (ThreadVars *tv, DetectEngineThreadCtx *det_ct
            ret = DoDetectAppLayerUricontentMatch(tv, det_ctx, (uint8_t *)
                    bstr_ptr(tx->request_uri_normalized),
                    bstr_len(tx->request_uri_normalized));
-
-            if (ret > 0 && det_ctx->mtcu.match[co->id].len > 0) {
-                SCLogDebug("Match has been found in the received request and "
-                        "given uricontent rule for s->id %"PRIu32"", s->id);
-                res = 1;
-            }
        }
-    } else if (det_ctx->mtcu.match[co->id].len > 0) {
-        SCLogDebug("We have app layer URI match");
+unlock:
+        SCMutexUnlock(&f->m);
+        det_ctx->de_scanned_uri = TRUE;
+        SCReturnInt(ret);
+    }
+
+    DetectUricontentData *co = (DetectUricontentData *)sm->ctx;
+    if (det_ctx->mtcu.match[co->id].len > 0) {
+        SCLogDebug("Match has been found in the received request and "
+                        "signature s->id %"PRIu32"", s->id);
        res = 1;
    } else {
        SCLogDebug("We don't have app layer URI match");
        res = 0;
    }

-end:
-    SCMutexUnlock(&f->m);
    SCReturnInt(res);
 }

 /*
- * TESTS
 * UNITTTESTS
 */

@ -1081,4 +1078,4 @@ void HttpUriRegisterTests(void) {
    UtRegisterTest("DetectUriSigTest02", DetectUriSigTest02, 1);
    UtRegisterTest("DetectUriSigTest03", DetectUriSigTest03, 1);
 #endif /* UNITTESTS */
-}
+}
--- a/src/detect-uricontent.h
+++ b/src/detect-uricontent.h
@ -26,6 +26,8 @@ typedef struct DetectUricontentData_ {
 void DetectUricontentRegister (void);
 uint32_t DetectUricontentMaxId(DetectEngineCtx *);
 void PktHttpUriFree(Packet *p);
+int DetectAppLayerUricontentMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *,
+                                   uint8_t , void *, Signature *, SigMatch *);

 #endif /* __DETECT_URICONTENT_H__ */

--- a/src/detect.c
+++ b/src/detect.c
@ -602,6 +602,16 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
        }
    }

+    /* If we have the uricontent multi pattern matcher signatures in
+       signature list, then scan the received HTTP uri in the packet against
+       them, if it hasn't been done so */
+    if (det_ctx->sgh->flags & SIG_GROUP_HAVEURICONTENT &&
+            det_ctx->de_scanned_uri == FALSE)
+    {
+        DetectAppLayerUricontentMatch(th_v, det_ctx, p->flow, flags,
+                alstate, NULL, NULL);
+    }
+
    /* inspect the sigs against the packet */
    for (idx = 0; idx < det_ctx->sgh->sig_cnt; idx++) {
    //for (idx = 0; idx < det_ctx->pmq.sig_id_array_cnt; idx++) {
@ -622,17 +632,8 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
         * have no matches */
        if (!(det_ctx->pmq.sig_bitarray[(sig / 8)] & (1<<(sig % 8))) &&
                (s->flags & SIG_FLAG_MPM) && !(s->flags & SIG_FLAG_MPM_NEGCONTENT)) {
-            /* If uri_ctx sigs are not scanned till now, we need to scan them
-               Once */
-            if (det_ctx->sgh->flags & SIG_GROUP_HAVEURICONTENT) {
-                if (det_ctx->de_scanned_uri == TRUE) {
-                    SCLogDebug("mpm sig without matches.");
-                    continue;
-                }
-            } else {
                SCLogDebug("mpm sig without matches.");
                continue;
-            }
        }

        //printf("idx %" PRIu32 ", det_ctx->pmq.sig_id_array_cnt %" PRIu32 ", s->id %" PRIu32 " (MPM? %s)\n", idx, det_ctx->pmq.sig_id_array_cnt, s->id, s->flags & SIG_FLAG_MPM ? "TRUE":"FALSE");
@ -3342,15 +3343,24 @@ static int SigTest07Real (int mpm_type) {
    Packet p;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx;
+    Flow f;
+    TcpSession ssn;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&p, 0, sizeof(p));
+    memset(&f, 0, sizeof(f));
+    memset(&ssn, 0, sizeof(ssn));
    p.src.family = AF_INET;
    p.dst.family = AF_INET;
    p.payload = buf;
    p.payload_len = buflen;
    p.proto = IPPROTO_TCP;
+    StreamL7DataPtrInit(&ssn,StreamL7GetStorageSize());
+    f.protoctx = (void *)&ssn;
+    p.flow = &f;
+    p.flowflags |= FLOW_PKT_TOSERVER;
+    ssn.alproto = ALPROTO_HTTP;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
@ -3375,6 +3385,13 @@ static int SigTest07Real (int mpm_type) {
    //PatternMatchPrepare(mpm_ctx, mpm_type);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);

+    int r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, buf, buflen);
+    if (r != 0) {
+        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+        result = 0;
+        goto end;
+    }
+
    SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
    if (PacketAlertCheck(&p, 1) && PacketAlertCheck(&p, 2))
        result = 0;
@ -3502,15 +3519,24 @@ static int SigTest09Real (int mpm_type) {
    Packet p;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx;
+    Flow f;
+    TcpSession ssn;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&p, 0, sizeof(p));
+    memset(&f, 0, sizeof(f));
+    memset(&ssn, 0, sizeof(ssn));
    p.src.family = AF_INET;
    p.dst.family = AF_INET;
    p.payload = buf;
    p.payload_len = buflen;
    p.proto = IPPROTO_TCP;
+    StreamL7DataPtrInit(&ssn,StreamL7GetStorageSize());
+    f.protoctx = (void *)&ssn;
+    p.flow = &f;
+    p.flowflags |= FLOW_PKT_TOSERVER;
+    ssn.alproto = ALPROTO_HTTP;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
@ -3535,11 +3561,18 @@ static int SigTest09Real (int mpm_type) {
    //PatternMatchPrepare(mpm_ctx, mpm_type);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);

+    int r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, buf, buflen);
+    if (r != 0) {
+        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+        result = 0;
+        goto end;
+    }
+
    SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
    if (PacketAlertCheck(&p, 1) && PacketAlertCheck(&p, 2))
-        result = 0;
-    else
        result = 1;
+    else
+        result = 0;

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);