bug 389 - support http response header inspection + fix bug with stateful inspection for sigs that would have both request/response inpection

remotes/origin/master-1.2.x
Anoop Saldanha 14 years ago committed by Victor Julien
parent 7d07b5375e
commit 30247dce8c

@ -320,7 +320,7 @@ match:
* \warning Make sure flow is locked. * \warning Make sure flow is locked.
*/ */
static void DetectEngineBufferHttpHeaders(DetectEngineThreadCtx *det_ctx, Flow *f, static void DetectEngineBufferHttpHeaders(DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state) HtpState *htp_state, uint8_t flags)
{ {
int idx = 0; int idx = 0;
htp_tx_t *tx = NULL; htp_tx_t *tx = NULL;
@ -374,12 +374,19 @@ static void DetectEngineBufferHttpHeaders(DetectEngineThreadCtx *det_ctx, Flow *
if (tx == NULL) if (tx == NULL)
continue; continue;
table_t *headers;
if (flags & STREAM_TOSERVER) {
headers = tx->request_headers;
} else {
headers = tx->response_headers;
}
htp_header_t *h = NULL; htp_header_t *h = NULL;
uint8_t *headers_buffer = NULL; uint8_t *headers_buffer = NULL;
size_t headers_buffer_len = 0; size_t headers_buffer_len = 0;
table_iterator_reset(tx->request_headers); table_iterator_reset(headers);
while (table_iterator_next(tx->request_headers, (void **)&h) != NULL) { while (table_iterator_next(headers, (void **)&h) != NULL) {
size_t size1 = bstr_size(h->name); size_t size1 = bstr_size(h->name);
size_t size2 = bstr_size(h->value); size_t size2 = bstr_size(h->value);
@ -416,14 +423,15 @@ end:
* \brief run the mpm against the assembled http header buffer(s) * \brief run the mpm against the assembled http header buffer(s)
* \retval cnt Number of matches reported by the mpm algo. * \retval cnt Number of matches reported by the mpm algo.
*/ */
int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state) int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags)
{ {
int i; int i;
uint32_t cnt = 0; uint32_t cnt = 0;
if (det_ctx->hhd_buffers_list_len == 0) { if (det_ctx->hhd_buffers_list_len == 0) {
SCMutexLock(&f->m); SCMutexLock(&f->m);
DetectEngineBufferHttpHeaders(det_ctx, f, htp_state); DetectEngineBufferHttpHeaders(det_ctx, f, htp_state, flags);
SCMutexUnlock(&f->m); SCMutexUnlock(&f->m);
} }
@ -460,7 +468,7 @@ int DetectEngineInspectHttpHeader(DetectEngineCtx *de_ctx,
if (det_ctx->hhd_buffers_list_len == 0) { if (det_ctx->hhd_buffers_list_len == 0) {
SCMutexLock(&f->m); SCMutexLock(&f->m);
DetectEngineBufferHttpHeaders(det_ctx, f, alstate); DetectEngineBufferHttpHeaders(det_ctx, f, alstate, flags);
SCMutexUnlock(&f->m); SCMutexUnlock(&f->m);
} }

@ -25,7 +25,8 @@
#include "app-layer-htp.h" #include "app-layer-htp.h"
int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *, Flow *, HtpState *); int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *, Flow *, HtpState *,
uint8_t);
int DetectEngineInspectHttpHeader(DetectEngineCtx *, DetectEngineThreadCtx *, int DetectEngineInspectHttpHeader(DetectEngineCtx *, DetectEngineThreadCtx *,
Signature *, Flow *, uint8_t, void *); Signature *, Flow *, uint8_t, void *);
void DetectEngineCleanHHDBuffers(DetectEngineThreadCtx *); void DetectEngineCleanHHDBuffers(DetectEngineThreadCtx *);

@ -912,14 +912,17 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
} }
} }
if (s->sm_lists[DETECT_SM_LIST_HHDMATCH] != NULL) { if (s->sm_lists[DETECT_SM_LIST_HHDMATCH] != NULL) {
if (!(item->flags & DE_STATE_FLAG_HHD_MATCH)) {
inspect_flags |= DE_STATE_FLAG_HHD_INSPECT; inspect_flags |= DE_STATE_FLAG_HHD_INSPECT;
if (DetectEngineInspectHttpHeader(de_ctx, det_ctx, s, f, if (DetectEngineInspectHttpHeader(de_ctx, det_ctx, s, f,
flags, alstate) == 1) { flags, alstate) == 1) {
match_flags |= DE_STATE_FLAG_HHD_MATCH; match_flags |= DE_STATE_FLAG_HHD_MATCH;
} }
}
SCLogDebug("inspecting http header"); SCLogDebug("inspecting http header");
} }
if (s->sm_lists[DETECT_SM_LIST_HRHDMATCH] != NULL) { if (s->sm_lists[DETECT_SM_LIST_HRHDMATCH] != NULL) {
if (!(item->flags & DE_STATE_FLAG_HRHD_MATCH)) {
inspect_flags |= DE_STATE_FLAG_HRHD_INSPECT; inspect_flags |= DE_STATE_FLAG_HRHD_INSPECT;
if (DetectEngineInspectHttpRawHeader(de_ctx, det_ctx, s, f, if (DetectEngineInspectHttpRawHeader(de_ctx, det_ctx, s, f,
flags, alstate) == 1) { flags, alstate) == 1) {
@ -927,12 +930,14 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
} }
SCLogDebug("inspecting http raw header"); SCLogDebug("inspecting http raw header");
} }
}
if (s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL) { if (s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL) {
if (!(item->flags & DE_STATE_FLAG_HMD_MATCH)) { if (!(item->flags & DE_STATE_FLAG_HMD_MATCH)) {
inspect_flags |= DE_STATE_FLAG_HMD_INSPECT; inspect_flags |= DE_STATE_FLAG_HMD_INSPECT;
} }
} }
if (s->sm_lists[DETECT_SM_LIST_HCDMATCH] != NULL) { if (s->sm_lists[DETECT_SM_LIST_HCDMATCH] != NULL) {
if (!(item->flags & DE_STATE_FLAG_HCD_MATCH)) {
inspect_flags |= DE_STATE_FLAG_HCD_INSPECT; inspect_flags |= DE_STATE_FLAG_HCD_INSPECT;
if (DetectEngineInspectHttpCookie(de_ctx, det_ctx, s, f, if (DetectEngineInspectHttpCookie(de_ctx, det_ctx, s, f,
flags, alstate) == 1) { flags, alstate) == 1) {
@ -940,6 +945,7 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
} }
SCLogDebug("inspecting http cookie"); SCLogDebug("inspecting http cookie");
} }
}
if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL) { if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL) {
if (!(item->flags & DE_STATE_FLAG_HRUD_MATCH)) { if (!(item->flags & DE_STATE_FLAG_HRUD_MATCH)) {
inspect_flags |= DE_STATE_FLAG_HRUD_INSPECT; inspect_flags |= DE_STATE_FLAG_HRUD_INSPECT;
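Review bot: In the HHDMATCH block the added closing brace appears to land before `SCLogDebug("inspecting http header");`, so that debug line now fires even when the new `DE_STATE_FLAG_HHD_MATCH` guard skips the inspection, whereas in the HRHDMATCH and HCDMATCH blocks the corresponding log call sits inside the new guard (the page's lost indentation makes this an inference from brace order, so please verify in the tree). Moving the brace below the log call makes the three blocks read alike and keeps the message truthful. DeStateDetectContinueDetection starts and ends outside these hunks.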

@ -1162,7 +1162,7 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
} }
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HHD) { if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HHD) {
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HHD); PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HHD);
DetectEngineRunHttpHeaderMpm(det_ctx, p->flow, alstate); DetectEngineRunHttpHeaderMpm(det_ctx, p->flow, alstate, flags);
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HHD); PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HHD);
} }
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HRHD) { if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HRHD) {
