From 2c5703761110dedaa39e8fc35d2a2fdcd90527b1 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Sun, 25 Nov 2018 17:20:58 +0100
Subject: [PATCH] detect/http_raw_host: use inspect v2 api
---
 src/detect-engine-hrhhd.c | 107 --------------------------------------
 src/detect-http-hrh.c | 50 +++++++++++++++---
 2 files changed, 44 insertions(+), 113 deletions(-)
diff --git a/src/detect-engine-hrhhd.c b/src/detect-engine-hrhhd.c
index 564c7cd180..b5dda0a752 100644
--- a/src/detect-engine-hrhhd.c
+++ b/src/detect-engine-hrhhd.c
@@ -62,113 +62,6 @@
 #include "detect-engine-hrhhd.h"
 #include "util-validate.h"
-/** \brief HTTP Host (Raw) Mpm prefilter callback
- *
- * \param det_ctx detection engine thread ctx
- * \param p packet to inspect
- * \param f flow to inspect
- * \param txv tx to inspect
- * \param pectx inspection context
- */
-static void PrefilterTxHostnameRaw(DetectEngineThreadCtx *det_ctx,
- const void *pectx,
- Packet *p, Flow *f, void *txv,
- const uint64_t idx, const uint8_t flags)
-{
- SCEnter();
-
- const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
- htp_tx_t *tx = (htp_tx_t *)txv;
- const uint8_t *hname = NULL;
- uint32_t hname_len = 0;
-
- if (tx->parsed_uri == NULL || tx->parsed_uri->hostname == NULL) {
- if (tx->request_headers == NULL)
- return;
-
- htp_header_t *h = (htp_header_t *)htp_table_get_c(tx->request_headers,
- "Host");
- if (h == NULL || h->value == NULL)
- return;
-
- hname = (const uint8_t *)bstr_ptr(h->value);
- hname_len = bstr_len(h->value);
- } else {
- hname = (const uint8_t *)bstr_ptr(tx->parsed_uri->hostname);
- hname_len = bstr_len(tx->parsed_uri->hostname);
- }
-
- if (hname != NULL && hname_len >= mpm_ctx->minlen) {
- (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
- &det_ctx->mtcu, &det_ctx->pmq, hname, hname_len);
- }
-}
-
-int PrefilterTxHostnameRawRegister(DetectEngineCtx *de_ctx,
- SigGroupHead *sgh, MpmCtx *mpm_ctx)
-{
- SCEnter();
-
- return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxHostnameRaw,
- ALPROTO_HTTP, HTP_REQUEST_HEADERS,
- mpm_ctx, NULL, "http_raw_host");
-}
-
-/**
- * \brief Do the http_header content inspection for a signature.
- *
- * \param de_ctx Detection engine context.
- * \param det_ctx Detection engine thread context.
- * \param s Signature to inspect.
- * \param f Flow.
- * \param flags App layer flags.
- * \param state App layer state.
- *
- * \retval 0 No match.
- * \retval 1 Match.
- */
-int DetectEngineInspectHttpHRH(ThreadVars *tv,
- DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
- const Signature *s, const SigMatchData *smd,
- Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
-{
- uint8_t *hname;
- uint32_t hname_len;
- htp_tx_t *tx = (htp_tx_t *)txv;
- if (tx->parsed_uri == NULL || tx->parsed_uri->hostname == NULL) {
- htp_header_t *h = NULL;
- h = (htp_header_t *)htp_table_get_c(tx->request_headers, "Host");
- if (h == NULL) {
- SCLogDebug("HTTP host header not present in this request");
- goto end;
- }
- hname = (uint8_t *)bstr_ptr(h->value);
- hname_len = bstr_len(h->value);
- } else {
- hname = (uint8_t *)bstr_ptr(tx->parsed_uri->hostname);
- if (hname == NULL)
- goto end;
- hname_len = bstr_len(tx->parsed_uri->hostname);
- }
-
- det_ctx->buffer_offset = 0;
- det_ctx->discontinue_matching = 0;
- det_ctx->inspection_recursion_counter = 0;
- int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd,
- f,
- hname, hname_len,
- 0, DETECT_CI_FLAGS_SINGLE,
- DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
- if (r == 1)
- return DETECT_ENGINE_INSPECT_SIG_MATCH;
-
- end:
- if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) > HTP_REQUEST_HEADERS)
- return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
- else
- return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
-}
-
 /***********************************Unittests**********************************/
 #ifdef UNITTESTS
diff --git a/src/detect-http-hrh.c b/src/detect-http-hrh.c
index ba0c582e13..d2b8748a03 100644
--- a/src/detect-http-hrh.c
+++ b/src/detect-http-hrh.c
@@ -38,7 +38,7 @@
 #include "detect-parse.h"
 #include "detect-engine.h"
 #include "detect-engine-mpm.h"
-#include "detect-engine-state.h"
+#include "detect-engine-prefilter.h"
 #include "detect-content.h"
 #include "detect-pcre.h"
@@ -62,6 +62,9 @@ static int DetectHttpHRHSetup(DetectEngineCtx *, Signature *, const char *);
 static void DetectHttpHRHRegisterTests(void);
 static int g_http_raw_host_buffer_id = 0;
+static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
+ const DetectEngineTransforms *transforms, Flow *_f,
+ const uint8_t _flow_flags, void *txv, const int list_id);
 /**
 * \brief Registers the keyword handlers for the "http_raw_host" keyword.
@@ -76,12 +79,13 @@ void DetectHttpHRHRegister(void)
 #endif
 sigmatch_table[DETECT_AL_HTTP_RAW_HOST].flags |= SIGMATCH_NOOPT ;
- DetectAppLayerMpmRegister("http_raw_host", SIG_FLAG_TOSERVER, 2,
- PrefilterTxHostnameRawRegister);
+ DetectAppLayerInspectEngineRegister2("http_raw_host", ALPROTO_HTTP,
+ SIG_FLAG_TOSERVER, HTP_REQUEST_HEADERS,
+ DetectEngineInspectBufferGeneric, GetData);
- DetectAppLayerInspectEngineRegister("http_raw_host",
- ALPROTO_HTTP, SIG_FLAG_TOSERVER, HTP_REQUEST_HEADERS,
- DetectEngineInspectHttpHRH);
+ DetectAppLayerMpmRegister2("http_raw_host", SIG_FLAG_TOSERVER, 2,
+ PrefilterGenericMpmRegister, GetData, ALPROTO_HTTP,
+ HTP_REQUEST_HEADERS);
 DetectBufferTypeSetDescriptionByName("http_raw_host", "http raw host header");
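Review bot: In the `@@ -76,12 +79,13 @@` hunk, `PrefilterTxHostnameRawRegister` and `DetectEngineInspectHttpHRH` lose their call sites in `DetectHttpHRHRegister`, and their definitions are deleted from `src/detect-engine-hrhhd.c`. Both were non-static and the diffstat lists only the two `.c` files, so their prototypes, presumably in `detect-engine-hrhhd.h`, appear to be left behind. Dropping those declarations in the same commit keeps later code from compiling against symbols that no longer link. It is also worth confirming that `DetectEngineInspectBufferGeneric` reproduces the removed `end:` path, which returned `DETECT_ENGINE_INSPECT_SIG_CANT_MATCH` once progress passed `HTP_REQUEST_HEADERS`. That function is not visible in this patch, and the body of `DetectHttpHRHRegister` starts and ends outside the hunk.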
@@ -110,6 +114,40 @@ int DetectHttpHRHSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
 ALPROTO_HTTP);
 }
+static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
+ const DetectEngineTransforms *transforms, Flow *_f,
+ const uint8_t _flow_flags, void *txv, const int list_id)
+{
+ InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
+ if (buffer->inspect == NULL) {
+ htp_tx_t *tx = (htp_tx_t *)txv;
+
+ const uint8_t *data = NULL;
+ uint32_t data_len = 0;
+
+ if (tx->parsed_uri == NULL || tx->parsed_uri->hostname == NULL) {
+ if (tx->request_headers == NULL)
+ return NULL;
+
+ htp_header_t *h = (htp_header_t *)htp_table_get_c(tx->request_headers,
+ "Host");
+ if (h == NULL || h->value == NULL)
+ return NULL;
+
+ data = (const uint8_t *)bstr_ptr(h->value);
+ data_len = bstr_len(h->value);
+ } else {
+ data = (const uint8_t *)bstr_ptr(tx->parsed_uri->hostname);
+ data_len = bstr_len(tx->parsed_uri->hostname);
+ }
+
+ InspectionBufferSetup(buffer, data, data_len);
+ InspectionBufferApplyTransforms(buffer, transforms);
+ }
+
+ return buffer;
+}
+
 /************************************Unittests*********************************/
 #ifdef UNITTESTS
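Review bot: `data` reaches `InspectionBufferSetup()` without the NULL check the removed code had. `DetectEngineInspectHttpHRH` bailed out on `hname == NULL` in the URI-hostname branch, and the old prefilter required `hname != NULL` before searching. Whether `bstr_ptr()` can return NULL here, and how `InspectionBufferSetup()` treats a NULL pointer, is not visible in this patch, so adding `if (data == NULL) return NULL;` just before the setup call keeps the earlier behaviour explicit. `GetData` also has no doc comment, unlike the functions it replaces. A short `/** \brief ... */` block saying that the URI hostname takes precedence and the `Host` header is only a fallback would tell rule writers which value `http_raw_host` inspects when a request carries both.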