bug 389 - support http response header inspection + fix bug with stateful inspection for sigs that would have both request/response inpection

14 years ago · 30247dce8c
parent 7d07b5375e
commit 30247dce8c
4 changed files with 37 additions and 22 deletions
--- a/src/detect-engine-hhd.c
+++ b/src/detect-engine-hhd.c
@ -320,7 +320,7 @@ match:
 * \warning Make sure flow is locked.
 */
 static void DetectEngineBufferHttpHeaders(DetectEngineThreadCtx *det_ctx, Flow *f,
-                                          HtpState *htp_state)
+                                          HtpState *htp_state, uint8_t flags)
 {
    int idx = 0;
    htp_tx_t *tx = NULL;
@ -374,12 +374,19 @@ static void DetectEngineBufferHttpHeaders(DetectEngineThreadCtx *det_ctx, Flow *
        if (tx == NULL)
            continue;

+        table_t *headers;
+        if (flags & STREAM_TOSERVER) {
+            headers = tx->request_headers;
+        } else {
+            headers = tx->response_headers;
+        }
+
        htp_header_t *h = NULL;
        uint8_t *headers_buffer = NULL;
        size_t headers_buffer_len = 0;

-        table_iterator_reset(tx->request_headers);
-        while (table_iterator_next(tx->request_headers, (void **)&h) != NULL) {
+        table_iterator_reset(headers);
+        while (table_iterator_next(headers, (void **)&h) != NULL) {
            size_t size1 = bstr_size(h->name);
            size_t size2 = bstr_size(h->value);

@ -416,14 +423,15 @@ end:
 *  \brief run the mpm against the assembled http header buffer(s)
 *  \retval cnt Number of matches reported by the mpm algo.
 */
-int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state)
+int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
+                                 HtpState *htp_state, uint8_t flags)
 {
    int i;
    uint32_t cnt = 0;

    if (det_ctx->hhd_buffers_list_len == 0) {
        SCMutexLock(&f->m);
-        DetectEngineBufferHttpHeaders(det_ctx, f, htp_state);
+        DetectEngineBufferHttpHeaders(det_ctx, f, htp_state, flags);
        SCMutexUnlock(&f->m);
    }

@ -460,7 +468,7 @@ int DetectEngineInspectHttpHeader(DetectEngineCtx *de_ctx,

    if (det_ctx->hhd_buffers_list_len == 0) {
        SCMutexLock(&f->m);
-        DetectEngineBufferHttpHeaders(det_ctx, f, alstate);
+        DetectEngineBufferHttpHeaders(det_ctx, f, alstate, flags);
        SCMutexUnlock(&f->m);
    }

--- a/src/detect-engine-hhd.h
+++ b/src/detect-engine-hhd.h
@ -25,7 +25,8 @@

 #include "app-layer-htp.h"

-int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *, Flow *, HtpState *);
+int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *, Flow *, HtpState *,
+                                 uint8_t);
 int DetectEngineInspectHttpHeader(DetectEngineCtx *, DetectEngineThreadCtx *,
                                  Signature *, Flow *, uint8_t, void *);
 void DetectEngineCleanHHDBuffers(DetectEngineThreadCtx *);
--- a/src/detect-engine-state.c
+++ b/src/detect-engine-state.c
@ -912,14 +912,17 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
                    }
                }
                if (s->sm_lists[DETECT_SM_LIST_HHDMATCH] != NULL) {
+                    if (!(item->flags & DE_STATE_FLAG_HHD_MATCH)) {
                        inspect_flags |= DE_STATE_FLAG_HHD_INSPECT;
                        if (DetectEngineInspectHttpHeader(de_ctx, det_ctx, s, f,
                                                          flags, alstate) == 1) {
                            match_flags |= DE_STATE_FLAG_HHD_MATCH;
                        }
+                    }
                    SCLogDebug("inspecting http header");
                }
                if (s->sm_lists[DETECT_SM_LIST_HRHDMATCH] != NULL) {
+                    if (!(item->flags & DE_STATE_FLAG_HRHD_MATCH)) {
                        inspect_flags |= DE_STATE_FLAG_HRHD_INSPECT;
                        if (DetectEngineInspectHttpRawHeader(de_ctx, det_ctx, s, f,
                                                             flags, alstate) == 1) {
@ -927,12 +930,14 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
                        }
                        SCLogDebug("inspecting http raw header");
                    }
+                }
                if (s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL) {
                    if (!(item->flags & DE_STATE_FLAG_HMD_MATCH)) {
                        inspect_flags |= DE_STATE_FLAG_HMD_INSPECT;
                    }
                }
                if (s->sm_lists[DETECT_SM_LIST_HCDMATCH] != NULL) {
+                    if (!(item->flags & DE_STATE_FLAG_HCD_MATCH)) {
                        inspect_flags |= DE_STATE_FLAG_HCD_INSPECT;
                        if (DetectEngineInspectHttpCookie(de_ctx, det_ctx, s, f,
                                                          flags, alstate) == 1) {
@ -940,6 +945,7 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
                        }
                        SCLogDebug("inspecting http cookie");
                    }
+                }
                if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL) {
                    if (!(item->flags & DE_STATE_FLAG_HRUD_MATCH)) {
                        inspect_flags |= DE_STATE_FLAG_HRUD_INSPECT;
--- a/src/detect.c
+++ b/src/detect.c
@ -1162,7 +1162,7 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
            }
            if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HHD) {
                PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HHD);
-                DetectEngineRunHttpHeaderMpm(det_ctx, p->flow, alstate);
+                DetectEngineRunHttpHeaderMpm(det_ctx, p->flow, alstate, flags);
                PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HHD);
            }
            if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HRHD) {