From 0cb43d27e9a196e709930e4b586c7c15c83542b2 Mon Sep 17 00:00:00 2001 From: Gurvinder Singh Date: Tue, 26 Jan 2010 19:17:39 +0100 Subject: [PATCH] uricontent new design --- src/detect-uricontent.c | 29 ++++++++++------------ src/detect-uricontent.h | 2 ++ src/detect.c | 55 ++++++++++++++++++++++++++++++++--------- 3 files changed, 59 insertions(+), 27 deletions(-) diff --git a/src/detect-uricontent.c b/src/detect-uricontent.c index 5dda77c6b5..13d9ee120c 100644 --- a/src/detect-uricontent.c +++ b/src/detect-uricontent.c @@ -494,7 +494,6 @@ int DoDetectAppLayerUricontentMatch (ThreadVars *tv, DetectEngineThreadCtx *det_ } det_ctx->pmq.searchable = 0; - det_ctx->de_scanned_uri = TRUE; } return ret; } @@ -521,7 +520,6 @@ int DetectAppLayerUricontentMatch (ThreadVars *tv, DetectEngineThreadCtx *det_ct SCEnter(); int ret = 0; int res = 0; - DetectUricontentData *co = (DetectUricontentData *)sm->ctx; /* if we don't have a uri, don't bother scanning */ if (det_ctx->de_have_httpuri == FALSE) { SCLogDebug("We don't have uri"); @@ -535,14 +533,14 @@ int DetectAppLayerUricontentMatch (ThreadVars *tv, DetectEngineThreadCtx *det_ct if (ssn == NULL) { SCLogDebug("no Tcp Session"); det_ctx->de_have_httpuri = FALSE; - goto end; + goto unlock; } HtpState *htp_state = ssn->aldata[AlpGetStateIdx(ALPROTO_HTTP)]; if (htp_state == NULL) { SCLogDebug("no HTTP state"); det_ctx->de_have_httpuri = FALSE; - goto end; + goto unlock; } htp_tx_t *tx = NULL; 
@@ -555,28 +553,27 @@ int DetectAppLayerUricontentMatch (ThreadVars *tv, DetectEngineThreadCtx *det_ct ret = DoDetectAppLayerUricontentMatch(tv, det_ctx, (uint8_t *) bstr_ptr(tx->request_uri_normalized), bstr_len(tx->request_uri_normalized)); - - if (ret > 0 && det_ctx->mtcu.match[co->id].len > 0) { - SCLogDebug("Match has been found in the received request and " - "given uricontent rule for s->id %"PRIu32"", s->id); - res = 1; - } } - } else if (det_ctx->mtcu.match[co->id].len > 0) { - SCLogDebug("We have app layer URI match"); +unlock: + SCMutexUnlock(&f->m); + det_ctx->de_scanned_uri = TRUE; + SCReturnInt(ret); + } + + DetectUricontentData *co = (DetectUricontentData *)sm->ctx; + if (det_ctx->mtcu.match[co->id].len > 0) { + SCLogDebug("Match has been found in the received request and " + "signature s->id %"PRIu32"", s->id); res = 1; } else { SCLogDebug("We don't have app layer URI match"); res = 0; } -end: - SCMutexUnlock(&f->m); SCReturnInt(res); } /* - * TESTS * UNITTTESTS */ @@ -1081,4 +1078,4 @@ void HttpUriRegisterTests(void) { UtRegisterTest("DetectUriSigTest02", DetectUriSigTest02, 1); UtRegisterTest("DetectUriSigTest03", DetectUriSigTest03, 1); #endif /* UNITTESTS */ -} \ No newline at end of file +} diff --git a/src/detect-uricontent.h b/src/detect-uricontent.h index d45a7e4088..528971ce98 100644 --- a/src/detect-uricontent.h +++ b/src/detect-uricontent.h @@ -26,6 +26,8 @@ typedef struct DetectUricontentData_ { void DetectUricontentRegister (void); uint32_t DetectUricontentMaxId(DetectEngineCtx *); void PktHttpUriFree(Packet *p); +int DetectAppLayerUricontentMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *, + uint8_t , void *, Signature *, SigMatch *); #endif /* __DETECT_URICONTENT_H__ */ diff --git a/src/detect.c b/src/detect.c index 82bf68be29..5bf2667796 100644 --- a/src/detect.c +++ b/src/detect.c 
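Review bot: In the scan branch of DetectAppLayerUricontentMatch, the `SCReturnInt(ret);` after the `unlock:` label returns the result of the whole URI scan, not whether this signature's pattern (`co->id`) matched, which is what the removed `ret > 0 && det_ctx->mtcu.match[co->id].len > 0` test decided. If the function can still be reached as a per-signature match callback before the pre-scan in detect.c has run (for example in a group where SIG_GROUP_HAVEURICONTENT is not set), any URI hit would count as a match for that signature. The `sm->ctx` and `s->id` accesses below are also only safe for the NULL arguments of the pre-scan because of this early return. Making that explicit covers both cases: use `if (sm == NULL) SCReturnInt(ret);` in place of the unconditional return, so a real callback falls through to the `mtcu.match[co->id]` check. The function starts above this hunk, so the condition guarding the scan branch is not visible here.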
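Review bot: The exported prototype in detect-uricontent.h drops the parameter names and does not document the new calling convention, in which detect.c passes NULL for the Signature and SigMatch arguments to request a scan-only pass. Keeping the names, `Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *sm`, and adding a comment such as `/* s and sm may be NULL: scan the URI only, no per-signature check */` would tell other callers when NULL is allowed.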
@@ -602,6 +602,16 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh } } + /* If we have the uricontent multi pattern matcher signatures in + signature list, then scan the received HTTP uri in the packet against + them, if it hasn't been done so */ + if (det_ctx->sgh->flags & SIG_GROUP_HAVEURICONTENT && + det_ctx->de_scanned_uri == FALSE) + { + DetectAppLayerUricontentMatch(th_v, det_ctx, p->flow, flags, + alstate, NULL, NULL); + } + /* inspect the sigs against the packet */ for (idx = 0; idx < det_ctx->sgh->sig_cnt; idx++) { //for (idx = 0; idx < det_ctx->pmq.sig_id_array_cnt; idx++) { @@ -622,17 +632,8 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh * have no matches */ if (!(det_ctx->pmq.sig_bitarray[(sig / 8)] & (1<<(sig % 8))) && (s->flags & SIG_FLAG_MPM) && !(s->flags & SIG_FLAG_MPM_NEGCONTENT)) { - /* If uri_ctx sigs are not scanned till now, we need to scan them - Once */ - if (det_ctx->sgh->flags & SIG_GROUP_HAVEURICONTENT) { - if (det_ctx->de_scanned_uri == TRUE) { - SCLogDebug("mpm sig without matches."); - continue; - } - } else { SCLogDebug("mpm sig without matches."); continue; - } } //printf("idx %" PRIu32 ", det_ctx->pmq.sig_id_array_cnt %" PRIu32 ", s->id %" PRIu32 " (MPM? %s)\n", idx, det_ctx->pmq.sig_id_array_cnt, s->id, s->flags & SIG_FLAG_MPM ? "TRUE":"FALSE"); 
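Review bot: `p->flow` is passed to DetectAppLayerUricontentMatch without a NULL check, and the callee's scan branch takes the flow mutex (the `SCMutexUnlock(&f->m)` under `unlock:` in detect-uricontent.c). Whether a packet without a flow can reach this point with SIG_GROUP_HAVEURICONTENT set, and without the callee's `de_have_httpuri` check returning first, depends on code outside the hunk. If it can, that is a NULL dereference in the detection thread, so the guard is worth adding: `if (p->flow != NULL && (det_ctx->sgh->flags & SIG_GROUP_HAVEURICONTENT) && det_ctx->de_scanned_uri == FALSE)`. The return value is also discarded; a `(void)` cast or a short comment would show that this is intended.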
@@ -3342,15 +3343,24 @@ static int SigTest07Real (int mpm_type) { Packet p; ThreadVars th_v; DetectEngineThreadCtx *det_ctx; + Flow f; + TcpSession ssn; int result = 0; memset(&th_v, 0, sizeof(th_v)); memset(&p, 0, sizeof(p)); + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); p.src.family = AF_INET; p.dst.family = AF_INET; p.payload = buf; p.payload_len = buflen; p.proto = IPPROTO_TCP; + StreamL7DataPtrInit(&ssn,StreamL7GetStorageSize()); + f.protoctx = (void *)&ssn; + p.flow = &f; + p.flowflags |= FLOW_PKT_TOSERVER; + ssn.alproto = ALPROTO_HTTP; DetectEngineCtx *de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) { @@ -3375,6 +3385,13 @@ static int SigTest07Real (int mpm_type) { //PatternMatchPrepare(mpm_ctx, mpm_type); DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx); + int r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, buf, buflen); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + SigMatchSignatures(&th_v, de_ctx, det_ctx, &p); if (PacketAlertCheck(&p, 1) && PacketAlertCheck(&p, 2)) result = 0; @@ -3502,15 +3519,24 @@ static int SigTest09Real (int mpm_type) { Packet p; ThreadVars th_v; DetectEngineThreadCtx *det_ctx; + Flow f; + TcpSession ssn; int result = 0; memset(&th_v, 0, sizeof(th_v)); memset(&p, 0, sizeof(p)); + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); p.src.family = AF_INET; p.dst.family = AF_INET; p.payload = buf; p.payload_len = buflen; p.proto = IPPROTO_TCP; + StreamL7DataPtrInit(&ssn,StreamL7GetStorageSize()); + f.protoctx = (void *)&ssn; + p.flow = &f; + p.flowflags |= FLOW_PKT_TOSERVER; + ssn.alproto = ALPROTO_HTTP; DetectEngineCtx *de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) { 
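Review bot: The stack `Flow f` in SigTest07Real is only `memset` to zero, so its mutex `f.m` is never initialised, yet the URI scan that SigMatchSignatures now triggers unlocks `f->m` (and presumably locks it first). A zeroed mutex happens to work with some pthread implementations but is not guaranteed; `SCMutexInit(&f.m, NULL);` after the memset makes the test portable. `StreamL7DataPtrInit(&ssn, ...)` also has no matching release visible in this hunk, and the function's cleanup lies outside it, so check that the storage is freed on the `end` path. The same setup is added to SigTest09Real in the later hunk, and the same points apply there.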
@@ -3535,11 +3561,18 @@ static int SigTest09Real (int mpm_type) { //PatternMatchPrepare(mpm_ctx, mpm_type); DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx); + int r = AppLayerParse(&f, ALPROTO_HTTP, STREAM_TOSERVER, buf, buflen); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + SigMatchSignatures(&th_v, de_ctx, det_ctx, &p); if (PacketAlertCheck(&p, 1) && PacketAlertCheck(&p, 2)) - result = 0; - else result = 1; + else + result = 0; SigGroupCleanup(de_ctx); SigCleanSignatures(de_ctx);
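Review bot: The pass condition of SigTest09Real is inverted here, so the test now succeeds only when both sid 1 and sid 2 alert, and nothing in the hunk records why the expectation changed. A one-line comment above the check, for example `/* with the URI parsed by the app layer both signatures are expected to alert */` (wording to be confirmed by the author), would keep a later reader from taking it for a typo. `result = (PacketAlertCheck(&p, 1) && PacketAlertCheck(&p, 2));` expresses the same thing without the brace-less if/else. The `goto end` added above jumps to a label outside this hunk.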