From 59c3c748c973ddfbde44f0f9ec62f3c90d0f5562 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Mon, 26 Nov 2018 12:23:42 +0100
Subject: [PATCH] detect: add http.stat_msg sticky buffer keyword

---
 src/detect-engine-register.h | 1 +
 src/detect-http-stat-msg.c | 25 +++++++++++++++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h
index 4ca936e395..dfe964b476 100644
--- a/src/detect-engine-register.h
+++ b/src/detect-engine-register.h
@@ -134,6 +134,7 @@ enum {
     DETECT_HTTP_URI_RAW,
     DETECT_AL_HTTP_RAW_URI,
     DETECT_AL_HTTP_STAT_MSG,
+    DETECT_HTTP_STAT_MSG,
     DETECT_AL_HTTP_STAT_CODE,
     DETECT_AL_HTTP_USER_AGENT,
     DETECT_HTTP_UA,
diff --git a/src/detect-http-stat-msg.c b/src/detect-http-stat-msg.c
index d76e5bc215..ee50203a2c 100644
--- a/src/detect-http-stat-msg.c
+++ b/src/detect-http-stat-msg.c
@@ -71,12 +71,14 @@ static int g_http_stat_msg_buffer_id = 0;
 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
         const DetectEngineTransforms *transforms, Flow *_f,
         const uint8_t _flow_flags, void *txv, const int list_id);
+static int DetectHttpStatMsgSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str);
 
 /**
  * \brief Registration function for keyword: http_stat_msg
  */
 void DetectHttpStatMsgRegister (void)
 {
+    /* http_stat_msg content modifier */
     sigmatch_table[DETECT_AL_HTTP_STAT_MSG].name = "http_stat_msg";
     sigmatch_table[DETECT_AL_HTTP_STAT_MSG].desc = "content modifier to match on HTTP stat-msg-buffer";
     sigmatch_table[DETECT_AL_HTTP_STAT_MSG].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-stat-msg";
@@ -86,6 +88,13 @@ void DetectHttpStatMsgRegister (void)
 #endif
     sigmatch_table[DETECT_AL_HTTP_STAT_MSG].flags |= SIGMATCH_NOOPT;
 
+    /* http.stat_msg sticky buffer */
+    sigmatch_table[DETECT_HTTP_STAT_MSG].name = "http.stat_msg";
+    sigmatch_table[DETECT_HTTP_STAT_MSG].desc = "sticky buffer to match on the HTTP response status message";
+    sigmatch_table[DETECT_HTTP_STAT_MSG].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http_stat-msg";
+    sigmatch_table[DETECT_HTTP_STAT_MSG].Setup = DetectHttpStatMsgSetupSticky;
+    sigmatch_table[DETECT_HTTP_STAT_MSG].flags |= SIGMATCH_NOOPT;
+
     DetectAppLayerInspectEngineRegister2("http_stat_msg", ALPROTO_HTTP,
             SIG_FLAG_TOCLIENT, HTP_RESPONSE_LINE,
             DetectEngineInspectBufferGeneric, GetData);
@@ -119,6 +128,22 @@ static int DetectHttpStatMsgSetup(DetectEngineCtx *de_ctx, Signature *s, const c
             ALPROTO_HTTP);
 }
 
+/**
+ * \brief this function setup the http.stat_msg keyword used in the rule
+ *
+ * \param de_ctx Pointer to the Detection Engine Context
+ * \param s Pointer to the Signature to which the current keyword belongs
+ * \param str Should hold an empty string always
+ *
+ * \retval 0 On success
+ */
+static int DetectHttpStatMsgSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
+{
+    DetectBufferSetActiveList(s, g_http_stat_msg_buffer_id);
+    s->alproto = ALPROTO_HTTP;
+    return 0;
+}
+
 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
         const DetectEngineTransforms *transforms, Flow *_f,
         const uint8_t _flow_flags, void *txv, const int list_id)
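Review bot: The documentation anchor on the new `.url` line, `#http_stat-msg`, mixes an underscore and a hyphen, whereas the existing http_stat_msg entry a few lines above in the same function uses `#http-stat-msg`; unless the docs really publish two differently spelled anchors, the new one looks like a typo and the keyword's help link would land on the wrong place. Suggested line: `sigmatch_table[DETECT_HTTP_STAT_MSG].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-stat-msg";`. The anchor cannot be checked from the patch alone, so confirm against the rendered http-keywords page before changing it. DetectHttpStatMsgRegister continues past the end of this hunk.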
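Review bot: DetectHttpStatMsgSetupSticky discards the result of DetectBufferSetActiveList, so if that call can report failure (elsewhere in the tree it appears to return an int; confirm) the signature would be accepted with the sticky buffer never activated and the keyword silently doing nothing. The usual shape is `if (DetectBufferSetActiveList(s, g_http_stat_msg_buffer_id) < 0) return -1;`, with a matching `\retval -1 On failure` line in the docblock. The docblock also says `str` "Should hold an empty string always", but the body never looks at `str` (nor at `de_ctx`), so either state that both are unused or drop the claim; and "this function setup the http.stat_msg keyword" reads better as "sets up the http.stat_msg sticky buffer keyword". The GetData definition that starts on the last line of this hunk continues outside it.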