aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

http: move body settings into per dir struct

Browse Source
pull/2091/head
Victor Julien 10 years ago
parent 6fb808fc1a
commit 24a2f51569
5 changed files with 55 additions and 60 deletions
Show Stats Download Patch File Download Diff File

8
src/app-layer-htp-body.c
Unescape Escape View File

@ -205,12 +205,12 @@ void HtpBodyPrune(HtpState *state, HtpBody *body, int direction)
}
/* get the configured inspect sizes. Default to response values */
uint32_t min_size = state->cfg->response_inspect_min_size;
uint32_t window = state->cfg->response_inspect_window;
uint32_t min_size = state->cfg->response.inspect_min_size;
uint32_t window = state->cfg->response.inspect_window;
if (direction == STREAM_TOSERVER) {
min_size = state->cfg->request_inspect_min_size;
window = state->cfg->request_inspect_window;
min_size = state->cfg->request.inspect_min_size;
window = state->cfg->request.inspect_window;
}
uint64_t max_window = ((min_size > window) ? min_size : window);

76
src/app-layer-htp.c
Unescape Escape View File

@ -1750,17 +1750,17 @@ int HTPCallbackRequestBodyData(htp_tx_data_t *d)
HtpBodyPrune(hstate, &tx_ud->request_body, STREAM_TOSERVER);
SCLogDebug("tx_ud->request_body.content_len_so_far %"PRIu64, tx_ud->request_body.content_len_so_far);
SCLogDebug("hstate->cfg->request_body_limit %u", hstate->cfg->request_body_limit);
SCLogDebug("hstate->cfg->request.body_limit %u", hstate->cfg->request.body_limit);
/* within limits, add the body chunk to the state. */
if (hstate->cfg->request_body_limit == 0 || tx_ud->request_body.content_len_so_far < hstate->cfg->request_body_limit)
if (hstate->cfg->request.body_limit == 0 || tx_ud->request_body.content_len_so_far < hstate->cfg->request.body_limit)
{
uint32_t len = (uint32_t)d->len;
if (hstate->cfg->request_body_limit > 0 &&
(tx_ud->request_body.content_len_so_far + len) > hstate->cfg->request_body_limit)
if (hstate->cfg->request.body_limit > 0 &&
(tx_ud->request_body.content_len_so_far + len) > hstate->cfg->request.body_limit)
{
len = hstate->cfg->request_body_limit - tx_ud->request_body.content_len_so_far;
len = hstate->cfg->request.body_limit - tx_ud->request_body.content_len_so_far;
BUG_ON(len > (uint32_t)d->len);
}
SCLogDebug("len %u", len);
@ -1846,17 +1846,17 @@ int HTPCallbackResponseBodyData(htp_tx_data_t *d)
HtpBodyPrune(hstate, &tx_ud->response_body, STREAM_TOCLIENT);
SCLogDebug("tx_ud->response_body.content_len_so_far %"PRIu64, tx_ud->response_body.content_len_so_far);
SCLogDebug("hstate->cfg->response_body_limit %u", hstate->cfg->response_body_limit);
SCLogDebug("hstate->cfg->response.body_limit %u", hstate->cfg->response.body_limit);
/* within limits, add the body chunk to the state. */
if (hstate->cfg->response_body_limit == 0 || tx_ud->response_body.content_len_so_far < hstate->cfg->response_body_limit)
if (hstate->cfg->response.body_limit == 0 || tx_ud->response_body.content_len_so_far < hstate->cfg->response.body_limit)
{
uint32_t len = (uint32_t)d->len;
if (hstate->cfg->response_body_limit > 0 &&
(tx_ud->response_body.content_len_so_far + len) > hstate->cfg->response_body_limit)
if (hstate->cfg->response.body_limit > 0 &&
(tx_ud->response_body.content_len_so_far + len) > hstate->cfg->response.body_limit)
{
len = hstate->cfg->response_body_limit - tx_ud->response_body.content_len_so_far;
len = hstate->cfg->response.body_limit - tx_ud->response_body.content_len_so_far;
BUG_ON(len > (uint32_t)d->len);
}
SCLogDebug("len %u", len);
@ -2124,12 +2124,12 @@ static int HTPCallbackResponseHeaderData(htp_tx_data_t *tx_data)
static void HTPConfigSetDefaultsPhase1(HTPCfgRec *cfg_prec)
{
cfg_prec->uri_include_all = FALSE;
cfg_prec->request_body_limit = HTP_CONFIG_DEFAULT_REQUEST_BODY_LIMIT;
cfg_prec->response_body_limit = HTP_CONFIG_DEFAULT_RESPONSE_BODY_LIMIT;
cfg_prec->request_inspect_min_size = HTP_CONFIG_DEFAULT_REQUEST_INSPECT_MIN_SIZE;
cfg_prec->request_inspect_window = HTP_CONFIG_DEFAULT_REQUEST_INSPECT_WINDOW;
cfg_prec->response_inspect_min_size = HTP_CONFIG_DEFAULT_RESPONSE_INSPECT_MIN_SIZE;
cfg_prec->response_inspect_window = HTP_CONFIG_DEFAULT_RESPONSE_INSPECT_WINDOW;
cfg_prec->request.body_limit = HTP_CONFIG_DEFAULT_REQUEST_BODY_LIMIT;
cfg_prec->response.body_limit = HTP_CONFIG_DEFAULT_RESPONSE_BODY_LIMIT;
cfg_prec->request.inspect_min_size = HTP_CONFIG_DEFAULT_REQUEST_INSPECT_MIN_SIZE;
cfg_prec->request.inspect_window = HTP_CONFIG_DEFAULT_REQUEST_INSPECT_WINDOW;
cfg_prec->response.inspect_min_size = HTP_CONFIG_DEFAULT_RESPONSE_INSPECT_MIN_SIZE;
cfg_prec->response.inspect_window = HTP_CONFIG_DEFAULT_RESPONSE_INSPECT_WINDOW;
#ifndef AFLFUZZ_NO_RANDOM
cfg_prec->randomize = HTP_CONFIG_DEFAULT_RANDOMIZE;
#else
@ -2178,40 +2178,40 @@ static void HTPConfigSetDefaultsPhase2(char *name, HTPCfgRec *cfg_prec)
if (cfg_prec->randomize) {
int rdrange = cfg_prec->randomize_range;
cfg_prec->request_inspect_min_size +=
(int) (cfg_prec->request_inspect_min_size *
cfg_prec->request.inspect_min_size +=
(int) (cfg_prec->request.inspect_min_size *
(random() * 1.0 / RAND_MAX - 0.5) * rdrange / 100);
cfg_prec->request_inspect_window +=
(int) (cfg_prec->request_inspect_window *
cfg_prec->request.inspect_window +=
(int) (cfg_prec->request.inspect_window *
(random() * 1.0 / RAND_MAX - 0.5) * rdrange / 100);
SCLogInfo("'%s' server has 'request-body-minimal-inspect-size' set to"
" %d and 'request-body-inspect-window' set to %d after"
" randomization.",
name,
cfg_prec->request_inspect_min_size,
cfg_prec->request_inspect_window);
cfg_prec->request.inspect_min_size,
cfg_prec->request.inspect_window);
cfg_prec->response_inspect_min_size +=
(int) (cfg_prec->response_inspect_min_size *
cfg_prec->response.inspect_min_size +=
(int) (cfg_prec->response.inspect_min_size *
(random() * 1.0 / RAND_MAX - 0.5) * rdrange / 100);
cfg_prec->response_inspect_window +=
(int) (cfg_prec->response_inspect_window *
cfg_prec->response.inspect_window +=
(int) (cfg_prec->response.inspect_window *
(random() * 1.0 / RAND_MAX - 0.5) * rdrange / 100);
SCLogInfo("'%s' server has 'response-body-minimal-inspect-size' set to"
" %d and 'response-body-inspect-window' set to %d after"
" randomization.",
name,
cfg_prec->response_inspect_min_size,
cfg_prec->response_inspect_window);
cfg_prec->response.inspect_min_size,
cfg_prec->response.inspect_window);
}
htp_config_register_request_line(cfg_prec->cfg, HTPCallbackRequestLine);
cfg_prec->request.sbcfg.flags = 0;
cfg_prec->request.sbcfg.buf_size = cfg_prec->request_inspect_window ?
cfg_prec->request_inspect_window : 256;
cfg_prec->request.sbcfg.buf_size = cfg_prec->request.inspect_window ?
cfg_prec->request.inspect_window : 256;
cfg_prec->request.sbcfg.buf_slide = 0;
cfg_prec->request.sbcfg.Malloc = HTPMalloc;
cfg_prec->request.sbcfg.Calloc = HTPCalloc;
@ -2219,8 +2219,8 @@ static void HTPConfigSetDefaultsPhase2(char *name, HTPCfgRec *cfg_prec)
cfg_prec->request.sbcfg.Free = HTPFree;
cfg_prec->response.sbcfg.flags = 0;
cfg_prec->response.sbcfg.buf_size = cfg_prec->response_inspect_window ?
cfg_prec->response_inspect_window : 256;
cfg_prec->response.sbcfg.buf_size = cfg_prec->response.inspect_window ?
cfg_prec->response.inspect_window : 256;
cfg_prec->response.sbcfg.buf_slide = 0;
cfg_prec->response.sbcfg.Malloc = HTPMalloc;
cfg_prec->response.sbcfg.Calloc = HTPCalloc;
@ -2295,28 +2295,28 @@ static void HTPConfigParseParameters(HTPCfgRec *cfg_prec, ConfNode *s,
} else if (strcasecmp("request-body-limit", p->name) == 0 ||
strcasecmp("request_body_limit", p->name) == 0) {
if (ParseSizeStringU32(p->val, &cfg_prec->request_body_limit) < 0) {
if (ParseSizeStringU32(p->val, &cfg_prec->request.body_limit) < 0) {
SCLogError(SC_ERR_SIZE_PARSE, "Error parsing request-body-limit "
"from conf file - %s. Killing engine", p->val);
exit(EXIT_FAILURE);
}
} else if (strcasecmp("response-body-limit", p->name) == 0) {
if (ParseSizeStringU32(p->val, &cfg_prec->response_body_limit) < 0) {
if (ParseSizeStringU32(p->val, &cfg_prec->response.body_limit) < 0) {
SCLogError(SC_ERR_SIZE_PARSE, "Error parsing response-body-limit "
"from conf file - %s. Killing engine", p->val);
exit(EXIT_FAILURE);
}
} else if (strcasecmp("request-body-minimal-inspect-size", p->name) == 0) {
if (ParseSizeStringU32(p->val, &cfg_prec->request_inspect_min_size) < 0) {
if (ParseSizeStringU32(p->val, &cfg_prec->request.inspect_min_size) < 0) {
SCLogError(SC_ERR_SIZE_PARSE, "Error parsing request-body-minimal-inspect-size "
"from conf file - %s. Killing engine", p->val);
exit(EXIT_FAILURE);
}
} else if (strcasecmp("request-body-inspect-window", p->name) == 0) {
if (ParseSizeStringU32(p->val, &cfg_prec->request_inspect_window) < 0) {
if (ParseSizeStringU32(p->val, &cfg_prec->request.inspect_window) < 0) {
SCLogError(SC_ERR_SIZE_PARSE, "Error parsing request-body-inspect-window "
"from conf file - %s. Killing engine", p->val);
exit(EXIT_FAILURE);
@ -2335,14 +2335,14 @@ static void HTPConfigParseParameters(HTPCfgRec *cfg_prec, ConfNode *s,
}
} else if (strcasecmp("response-body-minimal-inspect-size", p->name) == 0) {
if (ParseSizeStringU32(p->val, &cfg_prec->response_inspect_min_size) < 0) {
if (ParseSizeStringU32(p->val, &cfg_prec->response.inspect_min_size) < 0) {
SCLogError(SC_ERR_SIZE_PARSE, "Error parsing response-body-minimal-inspect-size "
"from conf file - %s. Killing engine", p->val);
exit(EXIT_FAILURE);
}
} else if (strcasecmp("response-body-inspect-window", p->name) == 0) {
if (ParseSizeStringU32(p->val, &cfg_prec->response_inspect_window) < 0) {
if (ParseSizeStringU32(p->val, &cfg_prec->response.inspect_window) < 0) {
SCLogError(SC_ERR_SIZE_PARSE, "Error parsing response-body-inspect-window "
"from conf file - %s. Killing engine", p->val);
exit(EXIT_FAILURE);

11
src/app-layer-htp.h
Unescape Escape View File

@ -141,6 +141,9 @@ enum {
matched on some rule */
typedef struct HTPCfgDir_ {
uint32_t body_limit;
uint32_t inspect_min_size;
uint32_t inspect_window;
StreamingBufferConfig sbcfg;
} HTPCfgDir;
@ -152,14 +155,6 @@ typedef struct HTPCfgRec_ {
int uri_include_all; /**< use all info in uri (bool) */
/** max size of the client body we inspect */
uint32_t request_body_limit;
uint32_t response_body_limit;
uint32_t request_inspect_min_size;
uint32_t request_inspect_window;
uint32_t response_inspect_min_size;
uint32_t response_inspect_window;
int randomize;
int randomize_range;
int http_body_inline;

6
src/detect-engine-hcbd.c
Unescape Escape View File

@ -159,9 +159,9 @@ static const uint8_t *DetectEngineHCBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_i
/* inspect the body if the transfer is complete or we have hit
* our body size limit */
if ((htp_state->cfg->request_body_limit == 0 ||
htud->request_body.content_len_so_far < htp_state->cfg->request_body_limit) &&
htud->request_body.content_len_so_far < htp_state->cfg->request_inspect_min_size &&
if ((htp_state->cfg->request.body_limit == 0 ||
htud->request_body.content_len_so_far < htp_state->cfg->request.body_limit) &&
htud->request_body.content_len_so_far < htp_state->cfg->request.inspect_min_size &&
!(AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) > HTP_REQUEST_BODY) &&
!(flags & STREAM_EOF)) {
SCLogDebug("we still haven't seen the entire request body. "

14
src/detect-engine-hsbd.c
Unescape Escape View File

@ -155,20 +155,20 @@ static const uint8_t *DetectEngineHSBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_i
goto end;
}
SCLogDebug("response_body_limit %u response_body.content_len_so_far %"PRIu64
", response_inspect_min_size %"PRIu32", EOF %s, progress > body? %s",
htp_state->cfg->response_body_limit,
SCLogDebug("response.body_limit %u response_body.content_len_so_far %"PRIu64
", response.inspect_min_size %"PRIu32", EOF %s, progress > body? %s",
htp_state->cfg->response.body_limit,
htud->response_body.content_len_so_far,
htp_state->cfg->response_inspect_min_size,
htp_state->cfg->response.inspect_min_size,
flags & STREAM_EOF ? "true" : "false",
(AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) > HTP_RESPONSE_BODY) ? "true" : "false");
if (!htp_state->cfg->http_body_inline) {
/* inspect the body if the transfer is complete or we have hit
* our body size limit */
if ((htp_state->cfg->response_body_limit == 0 ||
htud->response_body.content_len_so_far < htp_state->cfg->response_body_limit) &&
htud->response_body.content_len_so_far < htp_state->cfg->response_inspect_min_size &&
if ((htp_state->cfg->response.body_limit == 0 ||
htud->response_body.content_len_so_far < htp_state->cfg->response.body_limit) &&
htud->response_body.content_len_so_far < htp_state->cfg->response.inspect_min_size &&
!(AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) > HTP_RESPONSE_BODY) &&
!(flags & STREAM_EOF)) {
SCLogDebug("we still haven't seen the entire response body. "

Write Preview
Loading…
Cancel
Save