detect: add http.request_body sticky buffer

Sticky buffer version of the http_client_body content modifier.
6 years ago · 2221dd9403
parent 64987f36fb
commit 2221dd9403
3 changed files with 68 additions and 0 deletions
--- a/src/detect-engine-register.h
+++ b/src/detect-engine-register.h
@ -119,6 +119,7 @@ enum {
    DETECT_AL_HTTP_START,
    DETECT_AL_URILEN,
    DETECT_AL_HTTP_CLIENT_BODY,
+    DETECT_HTTP_REQUEST_BODY,
    DETECT_AL_HTTP_SERVER_BODY,
    DETECT_AL_HTTP_HEADER,
    DETECT_HTTP_HEADER,
--- a/src/detect-http-client-body.c
+++ b/src/detect-http-client-body.c
@ -59,6 +59,7 @@
 #include "stream-tcp.h"

 static int DetectHttpClientBodySetup(DetectEngineCtx *, Signature *, const char *);
+static int DetectHttpClientBodySetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str);
 #ifdef UNITTESTS
 static void DetectHttpClientBodyRegisterTests(void);
 #endif
@ -77,6 +78,7 @@ static InspectionBuffer *HttpClientBodyGetDataCallback(
 */
 void DetectHttpClientBodyRegister(void)
 {
+    /* http_client_body content modifier */
    sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].name = "http_client_body";
    sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].desc = "content modifier to match only on HTTP request-body";
    sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-client-body";
@ -85,6 +87,16 @@ void DetectHttpClientBodyRegister(void)
    sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].RegisterTests = DetectHttpClientBodyRegisterTests;
 #endif
    sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].flags |= SIGMATCH_NOOPT ;
+    sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].flags |= SIGMATCH_INFO_CONTENT_MODIFIER;
+    sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].alternative = DETECT_HTTP_REQUEST_BODY;
+
+    /* http.request_body sticky buffer */
+    sigmatch_table[DETECT_HTTP_REQUEST_BODY].name = "http.request_body";
+    sigmatch_table[DETECT_HTTP_REQUEST_BODY].desc = "sticky buffer to match the HTTP request body buffer";
+    sigmatch_table[DETECT_HTTP_REQUEST_BODY].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-client-body";
+    sigmatch_table[DETECT_HTTP_REQUEST_BODY].Setup = DetectHttpClientBodySetupSticky;
+    sigmatch_table[DETECT_HTTP_REQUEST_BODY].flags |= SIGMATCH_NOOPT;
+    sigmatch_table[DETECT_HTTP_REQUEST_BODY].flags |= SIGMATCH_INFO_STICKY_BUFFER;

    DetectAppLayerInspectEngineRegister2("http_client_body", ALPROTO_HTTP,
            SIG_FLAG_TOSERVER, HTP_REQUEST_BODY,
@ -135,6 +147,24 @@ int DetectHttpClientBodySetup(DetectEngineCtx *de_ctx, Signature *s, const char
                                                  ALPROTO_HTTP);
 }

+/**
+ * \brief this function setup the http.request_body keyword used in the rule
+ *
+ * \param de_ctx   Pointer to the Detection Engine Context
+ * \param s        Pointer to the Signature to which the current keyword belongs
+ * \param str      Should hold an empty string always
+ *
+ * \retval 0       On success
+ */
+static int DetectHttpClientBodySetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
+{
+    if (DetectBufferSetActiveList(s, g_http_client_body_buffer_id) < 0)
+        return -1;
+    if (DetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)
+        return -1;
+    return 0;
+}
+
 static inline HtpBody *GetRequestBody(htp_tx_t *tx)
 {
    HtpTxUserData *htud = (HtpTxUserData *)htp_tx_get_user_data(tx);
--- a/src/tests/detect-http-client-body.c
+++ b/src/tests/detect-http-client-body.c
@ -69,6 +69,41 @@

 #ifdef UNITTESTS

+/**
+ * \test Test parser accepting valid rules and rejecting invalid rules
+ */
+static int DetectHttpClientBodyParserTest01(void)
+{
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; http_client_body; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; nocase; http_client_body; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; endswith; http_client_body; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; startswith; http_client_body; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; startswith; endswith; http_client_body; sid:1;)", true));
+
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; rawbytes; http_client_body; sid:1;)", false));
+    FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_server; http_client_body; sid:1;)", false));
+    FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_server; content:\"abc\"; http_client_body; sid:1;)", false));
+    PASS;
+}
+
+/**
+ * \test Test parser accepting valid rules and rejecting invalid rules
+ */
+static int DetectHttpClientBodyParserTest02(void)
+{
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; nocase; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; endswith; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; startswith; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; startswith; endswith; sid:1;)", true));
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.request_body; bsize:10; sid:1;)", true));
+
+    FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; rawbytes; sid:1;)", false));
+    FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_server; http.request_body; sid:1;)", false));
+    FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_server; http.request_body; content:\"abc\"; sid:1;)", false));
+    PASS;
+}
+
 struct TestSteps {
    const uint8_t *input;
    size_t input_size;      /**< if 0 strlen will be used */
@ -2996,6 +3031,8 @@ static int DetectHttpClientBodyIsdataatParseTest(void)

 void DetectHttpClientBodyRegisterTests(void)
 {
+    UtRegisterTest("DetectHttpClientBodyParserTest01", DetectHttpClientBodyParserTest01);
+    UtRegisterTest("DetectHttpClientBodyParserTest02", DetectHttpClientBodyParserTest02);
    UtRegisterTest("DetectHttpClientBodyTest01", DetectHttpClientBodyTest01);
    UtRegisterTest("DetectHttpClientBodyTest02", DetectHttpClientBodyTest02);
    UtRegisterTest("DetectHttpClientBodyTest03", DetectHttpClientBodyTest03);