bug 389 - support http response header inspection + fix bug with stateful inspection for sigs that would have both request/response inspection

remotes/origin/master-1.2.x
Anoop Saldanha 14 years ago committed by Victor Julien
parent 7d07b5375e
commit 30247dce8c

@ -320,7 +320,7 @@ match:
* \warning Make sure flow is locked.
*/
static void DetectEngineBufferHttpHeaders(DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state)
HtpState *htp_state, uint8_t flags)
{
int idx = 0;
htp_tx_t *tx = NULL;
@ -374,12 +374,19 @@ static void DetectEngineBufferHttpHeaders(DetectEngineThreadCtx *det_ctx, Flow *
if (tx == NULL)
continue;
table_t *headers;
if (flags & STREAM_TOSERVER) {
headers = tx->request_headers;
} else {
headers = tx->response_headers;
}
htp_header_t *h = NULL;
uint8_t *headers_buffer = NULL;
size_t headers_buffer_len = 0;
table_iterator_reset(tx->request_headers);
while (table_iterator_next(tx->request_headers, (void **)&h) != NULL) {
table_iterator_reset(headers);
while (table_iterator_next(headers, (void **)&h) != NULL) {
size_t size1 = bstr_size(h->name);
size_t size2 = bstr_size(h->value);
@ -416,14 +423,15 @@ end:
* \brief run the mpm against the assembled http header buffer(s)
* \retval cnt Number of matches reported by the mpm algo.
*/
int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state)
int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags)
{
int i;
uint32_t cnt = 0;
if (det_ctx->hhd_buffers_list_len == 0) {
SCMutexLock(&f->m);
DetectEngineBufferHttpHeaders(det_ctx, f, htp_state);
DetectEngineBufferHttpHeaders(det_ctx, f, htp_state, flags);
SCMutexUnlock(&f->m);
}
@ -460,7 +468,7 @@ int DetectEngineInspectHttpHeader(DetectEngineCtx *de_ctx,
if (det_ctx->hhd_buffers_list_len == 0) {
SCMutexLock(&f->m);
DetectEngineBufferHttpHeaders(det_ctx, f, alstate);
DetectEngineBufferHttpHeaders(det_ctx, f, alstate, flags);
SCMutexUnlock(&f->m);
}
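Review bot: The `det_ctx->hhd_buffers_list_len == 0` guard in DetectEngineRunHttpHeaderMpm and DetectEngineInspectHttpHeader is not direction-aware, yet the buffers built by DetectEngineBufferHttpHeaders now depend on `flags`. If buffers assembled from `tx->request_headers` are still held in det_ctx when a to-client inspection runs, response-header signatures would be evaluated against request data and could miss. Whether DetectEngineCleanHHDBuffers always runs in between is not visible here. I would state that invariant above the guard, e.g. `/* hhd buffers are per-direction; they must be cleaned before the opposite direction is inspected */`. I would also add a `\param flags` line to the doc comment of DetectEngineBufferHttpHeaders, saying that any value without STREAM_TOSERVER selects `tx->response_headers`. The bodies of all three functions continue outside the hunks.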

@ -25,7 +25,8 @@
#include "app-layer-htp.h"
int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *, Flow *, HtpState *);
int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *, Flow *, HtpState *,
uint8_t);
int DetectEngineInspectHttpHeader(DetectEngineCtx *, DetectEngineThreadCtx *,
Signature *, Flow *, uint8_t, void *);
void DetectEngineCleanHHDBuffers(DetectEngineThreadCtx *);

@ -912,20 +912,24 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
}
}
if (s->sm_lists[DETECT_SM_LIST_HHDMATCH] != NULL) {
inspect_flags |= DE_STATE_FLAG_HHD_INSPECT;
if (DetectEngineInspectHttpHeader(de_ctx, det_ctx, s, f,
flags, alstate) == 1) {
match_flags |= DE_STATE_FLAG_HHD_MATCH;
if (!(item->flags & DE_STATE_FLAG_HHD_MATCH)) {
inspect_flags |= DE_STATE_FLAG_HHD_INSPECT;
if (DetectEngineInspectHttpHeader(de_ctx, det_ctx, s, f,
flags, alstate) == 1) {
match_flags |= DE_STATE_FLAG_HHD_MATCH;
}
}
SCLogDebug("inspecting http header");
}
if (s->sm_lists[DETECT_SM_LIST_HRHDMATCH] != NULL) {
inspect_flags |= DE_STATE_FLAG_HRHD_INSPECT;
if (DetectEngineInspectHttpRawHeader(de_ctx, det_ctx, s, f,
flags, alstate) == 1) {
match_flags |= DE_STATE_FLAG_HRHD_MATCH;
if (!(item->flags & DE_STATE_FLAG_HRHD_MATCH)) {
inspect_flags |= DE_STATE_FLAG_HRHD_INSPECT;
if (DetectEngineInspectHttpRawHeader(de_ctx, det_ctx, s, f,
flags, alstate) == 1) {
match_flags |= DE_STATE_FLAG_HRHD_MATCH;
}
SCLogDebug("inspecting http raw header");
}
SCLogDebug("inspecting http raw header");
}
if (s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL) {
if (!(item->flags & DE_STATE_FLAG_HMD_MATCH)) {
@ -933,12 +937,14 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
}
}
if (s->sm_lists[DETECT_SM_LIST_HCDMATCH] != NULL) {
inspect_flags |= DE_STATE_FLAG_HCD_INSPECT;
if (DetectEngineInspectHttpCookie(de_ctx, det_ctx, s, f,
flags, alstate) == 1) {
match_flags |= DE_STATE_FLAG_HCD_MATCH;
if (!(item->flags & DE_STATE_FLAG_HCD_MATCH)) {
inspect_flags |= DE_STATE_FLAG_HCD_INSPECT;
if (DetectEngineInspectHttpCookie(de_ctx, det_ctx, s, f,
flags, alstate) == 1) {
match_flags |= DE_STATE_FLAG_HCD_MATCH;
}
SCLogDebug("inspecting http cookie");
}
SCLogDebug("inspecting http cookie");
}
if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL) {
if (!(item->flags & DE_STATE_FLAG_HRUD_MATCH)) {
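Review bot: In the HHD block the `SCLogDebug("inspecting http header");` call appears to stay outside the new `if (!(item->flags & DE_STATE_FLAG_HHD_MATCH))` guard, while the HRHD and HCD blocks move their debug line inside it. As written, the HHD message would be logged even when inspection is skipped because the list already matched, which makes debug traces of stateful detection misleading. I would move it inside the guard, directly after the inner `if (DetectEngineInspectHttpHeader(...) == 1) { ... }`, so all three blocks read the same. DeStateDetectContinueDetection starts and ends outside these hunks.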

@ -1162,7 +1162,7 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
}
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HHD) {
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HHD);
DetectEngineRunHttpHeaderMpm(det_ctx, p->flow, alstate);
DetectEngineRunHttpHeaderMpm(det_ctx, p->flow, alstate, flags);
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HHD);
}
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HRHD) {
