From 2221dd94036781998e73a7e2c17c7c20aabff45e Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Fri, 14 Dec 2018 07:35:45 +0100 Subject: [PATCH] detect: add http.request_body sticky buffer Sticky buffer version of the http_client_body content modifier. --- src/detect-engine-register.h | 1 + src/detect-http-client-body.c | 30 +++++++++++++++++++++++ src/tests/detect-http-client-body.c | 37 +++++++++++++++++++++++++++++ 3 files changed, 68 insertions(+) diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h index 4077d9113a..bf8eee114a 100644 --- a/src/detect-engine-register.h +++ b/src/detect-engine-register.h @@ -119,6 +119,7 @@ enum { DETECT_AL_HTTP_START, DETECT_AL_URILEN, DETECT_AL_HTTP_CLIENT_BODY, + DETECT_HTTP_REQUEST_BODY, DETECT_AL_HTTP_SERVER_BODY, DETECT_AL_HTTP_HEADER, DETECT_HTTP_HEADER, diff --git a/src/detect-http-client-body.c b/src/detect-http-client-body.c index 6d451a7989..15a0e13269 100644 --- a/src/detect-http-client-body.c +++ b/src/detect-http-client-body.c @@ -59,6 +59,7 @@ #include "stream-tcp.h" static int DetectHttpClientBodySetup(DetectEngineCtx *, Signature *, const char *); +static int DetectHttpClientBodySetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str); #ifdef UNITTESTS static void DetectHttpClientBodyRegisterTests(void); #endif @@ -77,6 +78,7 @@ static InspectionBuffer *HttpClientBodyGetDataCallback( */ void DetectHttpClientBodyRegister(void) { + /* http_client_body content modifier */ sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].name = "http_client_body"; sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].desc = "content modifier to match only on HTTP request-body"; sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-client-body"; @@ -85,6 +87,16 @@ void DetectHttpClientBodyRegister(void) sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].RegisterTests = DetectHttpClientBodyRegisterTests; #endif sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].flags |= SIGMATCH_NOOPT ; + sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].flags |= SIGMATCH_INFO_CONTENT_MODIFIER; + sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].alternative = DETECT_HTTP_REQUEST_BODY; + + /* http.request_body sticky buffer */ + sigmatch_table[DETECT_HTTP_REQUEST_BODY].name = "http.request_body"; + sigmatch_table[DETECT_HTTP_REQUEST_BODY].desc = "sticky buffer to match the HTTP request body buffer"; + sigmatch_table[DETECT_HTTP_REQUEST_BODY].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-client-body"; + sigmatch_table[DETECT_HTTP_REQUEST_BODY].Setup = DetectHttpClientBodySetupSticky; + sigmatch_table[DETECT_HTTP_REQUEST_BODY].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_HTTP_REQUEST_BODY].flags |= SIGMATCH_INFO_STICKY_BUFFER; DetectAppLayerInspectEngineRegister2("http_client_body", ALPROTO_HTTP, SIG_FLAG_TOSERVER, HTP_REQUEST_BODY, @@ -135,6 +147,24 @@ int DetectHttpClientBodySetup(DetectEngineCtx *de_ctx, Signature *s, const char ALPROTO_HTTP); } +/** + * \brief this function setup the http.request_body keyword used in the rule + * + * \param de_ctx Pointer to the Detection Engine Context + * \param s Pointer to the Signature to which the current keyword belongs + * \param str Should hold an empty string always + * + * \retval 0 On success + */ +static int DetectHttpClientBodySetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str) +{ + if (DetectBufferSetActiveList(s, g_http_client_body_buffer_id) < 0) + return -1; + if (DetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0) + return -1; + return 0; +} + static inline HtpBody *GetRequestBody(htp_tx_t *tx) { HtpTxUserData *htud = (HtpTxUserData *)htp_tx_get_user_data(tx); diff --git a/src/tests/detect-http-client-body.c b/src/tests/detect-http-client-body.c index 845fb17f54..2532b4a7ab 100644 --- a/src/tests/detect-http-client-body.c +++ b/src/tests/detect-http-client-body.c @@ -69,6 +69,41 @@ #ifdef UNITTESTS +/** + * \test Test parser accepting valid rules and rejecting invalid rules + */ +static int DetectHttpClientBodyParserTest01(void) +{ + FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; http_client_body; sid:1;)", true)); + FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; nocase; http_client_body; sid:1;)", true)); + FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; endswith; http_client_body; sid:1;)", true)); + FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; startswith; http_client_body; sid:1;)", true)); + FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; startswith; endswith; http_client_body; sid:1;)", true)); + + FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; rawbytes; http_client_body; sid:1;)", false)); + FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_server; http_client_body; sid:1;)", false)); + FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_server; content:\"abc\"; http_client_body; sid:1;)", false)); + PASS; +} + +/** + * \test Test parser accepting valid rules and rejecting invalid rules + */ +static int DetectHttpClientBodyParserTest02(void) +{ + FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; sid:1;)", true)); + FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; nocase; sid:1;)", true)); + FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; endswith; sid:1;)", true)); + FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; startswith; sid:1;)", true)); + FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; startswith; endswith; sid:1;)", true)); + FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.request_body; bsize:10; sid:1;)", true)); + + FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; rawbytes; sid:1;)", false)); + FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_server; http.request_body; sid:1;)", false)); + FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_server; http.request_body; content:\"abc\"; sid:1;)", false)); + PASS; +} + struct TestSteps { const uint8_t *input; size_t input_size; /**< if 0 strlen will be used */ @@ -2996,6 +3031,8 @@ static int DetectHttpClientBodyIsdataatParseTest(void) void DetectHttpClientBodyRegisterTests(void) { + UtRegisterTest("DetectHttpClientBodyParserTest01", DetectHttpClientBodyParserTest01); + UtRegisterTest("DetectHttpClientBodyParserTest02", DetectHttpClientBodyParserTest02); UtRegisterTest("DetectHttpClientBodyTest01", DetectHttpClientBodyTest01); UtRegisterTest("DetectHttpClientBodyTest02", DetectHttpClientBodyTest02); UtRegisterTest("DetectHttpClientBodyTest03", DetectHttpClientBodyTest03);