aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

http: move body settings into per dir struct

Browse Source
pull/2091/head
Victor Julien 10 years ago
parent 6fb808fc1a
commit 24a2f51569
5 changed files with 55 additions and 60 deletions
Show Stats Download Patch File Download Diff File

8
src/app-layer-htp-body.c
Unescape Escape View File

@ -205,12 +205,12 @@ void HtpBodyPrune(HtpState *state, HtpBody *body, int direction)
} }
/* get the configured inspect sizes. Default to response values */ /* get the configured inspect sizes. Default to response values */
uint32_t min_size = state->cfg->response_inspect_min_size; uint32_t min_size = state->cfg->response.inspect_min_size;
uint32_t window = state->cfg->response_inspect_window; uint32_t window = state->cfg->response.inspect_window;
if (direction == STREAM_TOSERVER) { if (direction == STREAM_TOSERVER) {
min_size = state->cfg->request_inspect_min_size; min_size = state->cfg->request.inspect_min_size;
window = state->cfg->request_inspect_window; window = state->cfg->request.inspect_window;
} }
uint64_t max_window = ((min_size > window) ? min_size : window); uint64_t max_window = ((min_size > window) ? min_size : window);

76
src/app-layer-htp.c
Unescape Escape View File

@ -1750,17 +1750,17 @@ int HTPCallbackRequestBodyData(htp_tx_data_t *d)
HtpBodyPrune(hstate, &tx_ud->request_body, STREAM_TOSERVER); HtpBodyPrune(hstate, &tx_ud->request_body, STREAM_TOSERVER);
SCLogDebug("tx_ud->request_body.content_len_so_far %"PRIu64, tx_ud->request_body.content_len_so_far); SCLogDebug("tx_ud->request_body.content_len_so_far %"PRIu64, tx_ud->request_body.content_len_so_far);
SCLogDebug("hstate->cfg->request_body_limit %u", hstate->cfg->request_body_limit); SCLogDebug("hstate->cfg->request.body_limit %u", hstate->cfg->request.body_limit);
/* within limits, add the body chunk to the state. */ /* within limits, add the body chunk to the state. */
if (hstate->cfg->request_body_limit == 0 || tx_ud->request_body.content_len_so_far < hstate->cfg->request_body_limit) if (hstate->cfg->request.body_limit == 0 || tx_ud->request_body.content_len_so_far < hstate->cfg->request.body_limit)
{ {
uint32_t len = (uint32_t)d->len; uint32_t len = (uint32_t)d->len;
if (hstate->cfg->request_body_limit > 0 && if (hstate->cfg->request.body_limit > 0 &&
(tx_ud->request_body.content_len_so_far + len) > hstate->cfg->request_body_limit) (tx_ud->request_body.content_len_so_far + len) > hstate->cfg->request.body_limit)
{ {
len = hstate->cfg->request_body_limit - tx_ud->request_body.content_len_so_far; len = hstate->cfg->request.body_limit - tx_ud->request_body.content_len_so_far;
BUG_ON(len > (uint32_t)d->len); BUG_ON(len > (uint32_t)d->len);
} }
SCLogDebug("len %u", len); SCLogDebug("len %u", len);
@ -1846,17 +1846,17 @@ int HTPCallbackResponseBodyData(htp_tx_data_t *d)
HtpBodyPrune(hstate, &tx_ud->response_body, STREAM_TOCLIENT); HtpBodyPrune(hstate, &tx_ud->response_body, STREAM_TOCLIENT);
SCLogDebug("tx_ud->response_body.content_len_so_far %"PRIu64, tx_ud->response_body.content_len_so_far); SCLogDebug("tx_ud->response_body.content_len_so_far %"PRIu64, tx_ud->response_body.content_len_so_far);
SCLogDebug("hstate->cfg->response_body_limit %u", hstate->cfg->response_body_limit); SCLogDebug("hstate->cfg->response.body_limit %u", hstate->cfg->response.body_limit);
/* within limits, add the body chunk to the state. */ /* within limits, add the body chunk to the state. */
if (hstate->cfg->response_body_limit == 0 || tx_ud->response_body.content_len_so_far < hstate->cfg->response_body_limit) if (hstate->cfg->response.body_limit == 0 || tx_ud->response_body.content_len_so_far < hstate->cfg->response.body_limit)
{ {
uint32_t len = (uint32_t)d->len; uint32_t len = (uint32_t)d->len;
if (hstate->cfg->response_body_limit > 0 && if (hstate->cfg->response.body_limit > 0 &&
(tx_ud->response_body.content_len_so_far + len) > hstate->cfg->response_body_limit) (tx_ud->response_body.content_len_so_far + len) > hstate->cfg->response.body_limit)
{ {
len = hstate->cfg->response_body_limit - tx_ud->response_body.content_len_so_far; len = hstate->cfg->response.body_limit - tx_ud->response_body.content_len_so_far;
BUG_ON(len > (uint32_t)d->len); BUG_ON(len > (uint32_t)d->len);
} }
SCLogDebug("len %u", len); SCLogDebug("len %u", len);
@ -2124,12 +2124,12 @@ static int HTPCallbackResponseHeaderData(htp_tx_data_t *tx_data)
static void HTPConfigSetDefaultsPhase1(HTPCfgRec *cfg_prec) static void HTPConfigSetDefaultsPhase1(HTPCfgRec *cfg_prec)
{ {
cfg_prec->uri_include_all = FALSE; cfg_prec->uri_include_all = FALSE;
cfg_prec->request_body_limit = HTP_CONFIG_DEFAULT_REQUEST_BODY_LIMIT; cfg_prec->request.body_limit = HTP_CONFIG_DEFAULT_REQUEST_BODY_LIMIT;
cfg_prec->response_body_limit = HTP_CONFIG_DEFAULT_RESPONSE_BODY_LIMIT; cfg_prec->response.body_limit = HTP_CONFIG_DEFAULT_RESPONSE_BODY_LIMIT;
cfg_prec->request_inspect_min_size = HTP_CONFIG_DEFAULT_REQUEST_INSPECT_MIN_SIZE; cfg_prec->request.inspect_min_size = HTP_CONFIG_DEFAULT_REQUEST_INSPECT_MIN_SIZE;
cfg_prec->request_inspect_window = HTP_CONFIG_DEFAULT_REQUEST_INSPECT_WINDOW; cfg_prec->request.inspect_window = HTP_CONFIG_DEFAULT_REQUEST_INSPECT_WINDOW;
cfg_prec->response_inspect_min_size = HTP_CONFIG_DEFAULT_RESPONSE_INSPECT_MIN_SIZE; cfg_prec->response.inspect_min_size = HTP_CONFIG_DEFAULT_RESPONSE_INSPECT_MIN_SIZE;
cfg_prec->response_inspect_window = HTP_CONFIG_DEFAULT_RESPONSE_INSPECT_WINDOW; cfg_prec->response.inspect_window = HTP_CONFIG_DEFAULT_RESPONSE_INSPECT_WINDOW;
#ifndef AFLFUZZ_NO_RANDOM #ifndef AFLFUZZ_NO_RANDOM
cfg_prec->randomize = HTP_CONFIG_DEFAULT_RANDOMIZE; cfg_prec->randomize = HTP_CONFIG_DEFAULT_RANDOMIZE;
#else #else
@ -2178,40 +2178,40 @@ static void HTPConfigSetDefaultsPhase2(char *name, HTPCfgRec *cfg_prec)
if (cfg_prec->randomize) { if (cfg_prec->randomize) {
int rdrange = cfg_prec->randomize_range; int rdrange = cfg_prec->randomize_range;
cfg_prec->request_inspect_min_size += cfg_prec->request.inspect_min_size +=
(int) (cfg_prec->request_inspect_min_size * (int) (cfg_prec->request.inspect_min_size *
(random() * 1.0 / RAND_MAX - 0.5) * rdrange / 100); (random() * 1.0 / RAND_MAX - 0.5) * rdrange / 100);
cfg_prec->request_inspect_window += cfg_prec->request.inspect_window +=
(int) (cfg_prec->request_inspect_window * (int) (cfg_prec->request.inspect_window *
(random() * 1.0 / RAND_MAX - 0.5) * rdrange / 100); (random() * 1.0 / RAND_MAX - 0.5) * rdrange / 100);
SCLogInfo("'%s' server has 'request-body-minimal-inspect-size' set to" SCLogInfo("'%s' server has 'request-body-minimal-inspect-size' set to"
" %d and 'request-body-inspect-window' set to %d after" " %d and 'request-body-inspect-window' set to %d after"
" randomization.", " randomization.",
name, name,
cfg_prec->request_inspect_min_size, cfg_prec->request.inspect_min_size,
cfg_prec->request_inspect_window); cfg_prec->request.inspect_window);
cfg_prec->response_inspect_min_size += cfg_prec->response.inspect_min_size +=
(int) (cfg_prec->response_inspect_min_size * (int) (cfg_prec->response.inspect_min_size *
(random() * 1.0 / RAND_MAX - 0.5) * rdrange / 100); (random() * 1.0 / RAND_MAX - 0.5) * rdrange / 100);
cfg_prec->response_inspect_window += cfg_prec->response.inspect_window +=
(int) (cfg_prec->response_inspect_window * (int) (cfg_prec->response.inspect_window *
(random() * 1.0 / RAND_MAX - 0.5) * rdrange / 100); (random() * 1.0 / RAND_MAX - 0.5) * rdrange / 100);
SCLogInfo("'%s' server has 'response-body-minimal-inspect-size' set to" SCLogInfo("'%s' server has 'response-body-minimal-inspect-size' set to"
" %d and 'response-body-inspect-window' set to %d after" " %d and 'response-body-inspect-window' set to %d after"
" randomization.", " randomization.",
name, name,
cfg_prec->response_inspect_min_size, cfg_prec->response.inspect_min_size,
cfg_prec->response_inspect_window); cfg_prec->response.inspect_window);
} }
htp_config_register_request_line(cfg_prec->cfg, HTPCallbackRequestLine); htp_config_register_request_line(cfg_prec->cfg, HTPCallbackRequestLine);
cfg_prec->request.sbcfg.flags = 0; cfg_prec->request.sbcfg.flags = 0;
cfg_prec->request.sbcfg.buf_size = cfg_prec->request_inspect_window ? cfg_prec->request.sbcfg.buf_size = cfg_prec->request.inspect_window ?
cfg_prec->request_inspect_window : 256; cfg_prec->request.inspect_window : 256;
cfg_prec->request.sbcfg.buf_slide = 0; cfg_prec->request.sbcfg.buf_slide = 0;
cfg_prec->request.sbcfg.Malloc = HTPMalloc; cfg_prec->request.sbcfg.Malloc = HTPMalloc;
cfg_prec->request.sbcfg.Calloc = HTPCalloc; cfg_prec->request.sbcfg.Calloc = HTPCalloc;
@ -2219,8 +2219,8 @@ static void HTPConfigSetDefaultsPhase2(char *name, HTPCfgRec *cfg_prec)
cfg_prec->request.sbcfg.Free = HTPFree; cfg_prec->request.sbcfg.Free = HTPFree;
cfg_prec->response.sbcfg.flags = 0; cfg_prec->response.sbcfg.flags = 0;
cfg_prec->response.sbcfg.buf_size = cfg_prec->response_inspect_window ? cfg_prec->response.sbcfg.buf_size = cfg_prec->response.inspect_window ?
cfg_prec->response_inspect_window : 256; cfg_prec->response.inspect_window : 256;
cfg_prec->response.sbcfg.buf_slide = 0; cfg_prec->response.sbcfg.buf_slide = 0;
cfg_prec->response.sbcfg.Malloc = HTPMalloc; cfg_prec->response.sbcfg.Malloc = HTPMalloc;
cfg_prec->response.sbcfg.Calloc = HTPCalloc; cfg_prec->response.sbcfg.Calloc = HTPCalloc;
@ -2295,28 +2295,28 @@ static void HTPConfigParseParameters(HTPCfgRec *cfg_prec, ConfNode *s,
} else if (strcasecmp("request-body-limit", p->name) == 0 || } else if (strcasecmp("request-body-limit", p->name) == 0 ||
strcasecmp("request_body_limit", p->name) == 0) { strcasecmp("request_body_limit", p->name) == 0) {
if (ParseSizeStringU32(p->val, &cfg_prec->request_body_limit) < 0) { if (ParseSizeStringU32(p->val, &cfg_prec->request.body_limit) < 0) {
SCLogError(SC_ERR_SIZE_PARSE, "Error parsing request-body-limit " SCLogError(SC_ERR_SIZE_PARSE, "Error parsing request-body-limit "
"from conf file - %s. Killing engine", p->val); "from conf file - %s. Killing engine", p->val);
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
} else if (strcasecmp("response-body-limit", p->name) == 0) { } else if (strcasecmp("response-body-limit", p->name) == 0) {
if (ParseSizeStringU32(p->val, &cfg_prec->response_body_limit) < 0) { if (ParseSizeStringU32(p->val, &cfg_prec->response.body_limit) < 0) {
SCLogError(SC_ERR_SIZE_PARSE, "Error parsing response-body-limit " SCLogError(SC_ERR_SIZE_PARSE, "Error parsing response-body-limit "
"from conf file - %s. Killing engine", p->val); "from conf file - %s. Killing engine", p->val);
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
} else if (strcasecmp("request-body-minimal-inspect-size", p->name) == 0) { } else if (strcasecmp("request-body-minimal-inspect-size", p->name) == 0) {
if (ParseSizeStringU32(p->val, &cfg_prec->request_inspect_min_size) < 0) { if (ParseSizeStringU32(p->val, &cfg_prec->request.inspect_min_size) < 0) {
SCLogError(SC_ERR_SIZE_PARSE, "Error parsing request-body-minimal-inspect-size " SCLogError(SC_ERR_SIZE_PARSE, "Error parsing request-body-minimal-inspect-size "
"from conf file - %s. Killing engine", p->val); "from conf file - %s. Killing engine", p->val);
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
} else if (strcasecmp("request-body-inspect-window", p->name) == 0) { } else if (strcasecmp("request-body-inspect-window", p->name) == 0) {
if (ParseSizeStringU32(p->val, &cfg_prec->request_inspect_window) < 0) { if (ParseSizeStringU32(p->val, &cfg_prec->request.inspect_window) < 0) {
SCLogError(SC_ERR_SIZE_PARSE, "Error parsing request-body-inspect-window " SCLogError(SC_ERR_SIZE_PARSE, "Error parsing request-body-inspect-window "
"from conf file - %s. Killing engine", p->val); "from conf file - %s. Killing engine", p->val);
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
@ -2335,14 +2335,14 @@ static void HTPConfigParseParameters(HTPCfgRec *cfg_prec, ConfNode *s,
} }
} else if (strcasecmp("response-body-minimal-inspect-size", p->name) == 0) { } else if (strcasecmp("response-body-minimal-inspect-size", p->name) == 0) {
if (ParseSizeStringU32(p->val, &cfg_prec->response_inspect_min_size) < 0) { if (ParseSizeStringU32(p->val, &cfg_prec->response.inspect_min_size) < 0) {
SCLogError(SC_ERR_SIZE_PARSE, "Error parsing response-body-minimal-inspect-size " SCLogError(SC_ERR_SIZE_PARSE, "Error parsing response-body-minimal-inspect-size "
"from conf file - %s. Killing engine", p->val); "from conf file - %s. Killing engine", p->val);
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
} else if (strcasecmp("response-body-inspect-window", p->name) == 0) { } else if (strcasecmp("response-body-inspect-window", p->name) == 0) {
if (ParseSizeStringU32(p->val, &cfg_prec->response_inspect_window) < 0) { if (ParseSizeStringU32(p->val, &cfg_prec->response.inspect_window) < 0) {
SCLogError(SC_ERR_SIZE_PARSE, "Error parsing response-body-inspect-window " SCLogError(SC_ERR_SIZE_PARSE, "Error parsing response-body-inspect-window "
"from conf file - %s. Killing engine", p->val); "from conf file - %s. Killing engine", p->val);
exit(EXIT_FAILURE); exit(EXIT_FAILURE);

11
src/app-layer-htp.h
Unescape Escape View File

@ -141,6 +141,9 @@ enum {
matched on some rule */ matched on some rule */
typedef struct HTPCfgDir_ { typedef struct HTPCfgDir_ {
uint32_t body_limit;
uint32_t inspect_min_size;
uint32_t inspect_window;
StreamingBufferConfig sbcfg; StreamingBufferConfig sbcfg;
} HTPCfgDir; } HTPCfgDir;
@ -152,14 +155,6 @@ typedef struct HTPCfgRec_ {
int uri_include_all; /**< use all info in uri (bool) */ int uri_include_all; /**< use all info in uri (bool) */
/** max size of the client body we inspect */ /** max size of the client body we inspect */
uint32_t request_body_limit;
uint32_t response_body_limit;
uint32_t request_inspect_min_size;
uint32_t request_inspect_window;
uint32_t response_inspect_min_size;
uint32_t response_inspect_window;
int randomize; int randomize;
int randomize_range; int randomize_range;
int http_body_inline; int http_body_inline;

6
src/detect-engine-hcbd.c
Unescape Escape View File

@ -159,9 +159,9 @@ static const uint8_t *DetectEngineHCBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_i
/* inspect the body if the transfer is complete or we have hit /* inspect the body if the transfer is complete or we have hit
* our body size limit */ * our body size limit */
if ((htp_state->cfg->request_body_limit == 0 || if ((htp_state->cfg->request.body_limit == 0 ||
htud->request_body.content_len_so_far < htp_state->cfg->request_body_limit) && htud->request_body.content_len_so_far < htp_state->cfg->request.body_limit) &&
htud->request_body.content_len_so_far < htp_state->cfg->request_inspect_min_size && htud->request_body.content_len_so_far < htp_state->cfg->request.inspect_min_size &&
!(AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) > HTP_REQUEST_BODY) && !(AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) > HTP_REQUEST_BODY) &&
!(flags & STREAM_EOF)) { !(flags & STREAM_EOF)) {
SCLogDebug("we still haven't seen the entire request body. " SCLogDebug("we still haven't seen the entire request body. "

14
src/detect-engine-hsbd.c
Unescape Escape View File

@ -155,20 +155,20 @@ static const uint8_t *DetectEngineHSBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_i
goto end; goto end;
} }
SCLogDebug("response_body_limit %u response_body.content_len_so_far %"PRIu64 SCLogDebug("response.body_limit %u response_body.content_len_so_far %"PRIu64
", response_inspect_min_size %"PRIu32", EOF %s, progress > body? %s", ", response.inspect_min_size %"PRIu32", EOF %s, progress > body? %s",
htp_state->cfg->response_body_limit, htp_state->cfg->response.body_limit,
htud->response_body.content_len_so_far, htud->response_body.content_len_so_far,
htp_state->cfg->response_inspect_min_size, htp_state->cfg->response.inspect_min_size,
flags & STREAM_EOF ? "true" : "false", flags & STREAM_EOF ? "true" : "false",
(AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) > HTP_RESPONSE_BODY) ? "true" : "false"); (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) > HTP_RESPONSE_BODY) ? "true" : "false");
if (!htp_state->cfg->http_body_inline) { if (!htp_state->cfg->http_body_inline) {
/* inspect the body if the transfer is complete or we have hit /* inspect the body if the transfer is complete or we have hit
* our body size limit */ * our body size limit */
if ((htp_state->cfg->response_body_limit == 0 || if ((htp_state->cfg->response.body_limit == 0 ||
htud->response_body.content_len_so_far < htp_state->cfg->response_body_limit) && htud->response_body.content_len_so_far < htp_state->cfg->response.body_limit) &&
htud->response_body.content_len_so_far < htp_state->cfg->response_inspect_min_size && htud->response_body.content_len_so_far < htp_state->cfg->response.inspect_min_size &&
!(AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) > HTP_RESPONSE_BODY) && !(AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) > HTP_RESPONSE_BODY) &&
!(flags & STREAM_EOF)) { !(flags & STREAM_EOF)) {
SCLogDebug("we still haven't seen the entire response body. " SCLogDebug("we still haven't seen the entire response body. "

Write Preview
Loading…
Cancel
Save