aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

detect: http lists in engine

Browse Source
pull/2559/head
Victor Julien 9 years ago
parent 1ee32da2ca
commit 5a2e568385
18 changed files with 50 additions and 51 deletions
Show Stats Download Patch File Download Diff File

2
src/detect-engine-filedata-smtp.c
Unescape Escape View File

@ -201,7 +201,7 @@ int DetectEngineInspectSMTPFiledata(ThreadVars *tv,
det_ctx->buffer_offset = 0; det_ctx->buffer_offset = 0;
det_ctx->discontinue_matching = 0; det_ctx->discontinue_matching = 0;
det_ctx->inspection_recursion_counter = 0; det_ctx->inspection_recursion_counter = 0;
match = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_FILEDATA], match = DetectEngineContentInspection(de_ctx, det_ctx, s, sm,
f, f,
(uint8_t *)buffer, (uint8_t *)buffer,
buffer_len, buffer_len,

2
src/detect-engine-hcbd.c
Unescape Escape View File

@ -276,7 +276,7 @@ int DetectEngineInspectHttpClientBody(ThreadVars *tv,
det_ctx->buffer_offset = 0; det_ctx->buffer_offset = 0;
det_ctx->discontinue_matching = 0; det_ctx->discontinue_matching = 0;
det_ctx->inspection_recursion_counter = 0; det_ctx->inspection_recursion_counter = 0;
int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HCBDMATCH], int r = DetectEngineContentInspection(de_ctx, det_ctx, s, sm,
f, f,
(uint8_t *)buffer, (uint8_t *)buffer,
buffer_len, buffer_len,

2
src/detect-engine-hcd.c
Unescape Escape View File

@ -191,7 +191,7 @@ int DetectEngineInspectHttpCookie(ThreadVars *tv,
det_ctx->buffer_offset = 0; det_ctx->buffer_offset = 0;
det_ctx->discontinue_matching = 0; det_ctx->discontinue_matching = 0;
det_ctx->inspection_recursion_counter = 0; det_ctx->inspection_recursion_counter = 0;
int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HCDMATCH], int r = DetectEngineContentInspection(de_ctx, det_ctx, s, sm,
f, f,
(uint8_t *)bstr_ptr(h->value), (uint8_t *)bstr_ptr(h->value),
bstr_len(h->value), bstr_len(h->value),

7
src/detect-engine-hhd.c
Unescape Escape View File

@ -399,7 +399,7 @@ int DetectEngineInspectHttpHeader(ThreadVars *tv,
det_ctx->buffer_offset = 0; det_ctx->buffer_offset = 0;
det_ctx->discontinue_matching = 0; det_ctx->discontinue_matching = 0;
det_ctx->inspection_recursion_counter = 0; det_ctx->inspection_recursion_counter = 0;
int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HHDMATCH], int r = DetectEngineContentInspection(de_ctx, det_ctx, s, sm,
f, f,
buffer, buffer,
buffer_len, buffer_len,
@ -3200,10 +3200,7 @@ static int DetectEngineHttpHeaderTest28(void)
/* do detect */ /* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p2); SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
if (!PacketAlertCheck(p2, 1)) { FAIL_IF(!PacketAlertCheck(p2, 1));
printf("sid 1 didn't match but should have");
goto end;
}
result = 1; result = 1;

2
src/detect-engine-hhhd.c
Unescape Escape View File

@ -130,7 +130,7 @@ int DetectEngineInspectHttpHH(ThreadVars *tv,
det_ctx->buffer_offset = 0; det_ctx->buffer_offset = 0;
det_ctx->discontinue_matching = 0; det_ctx->discontinue_matching = 0;
det_ctx->inspection_recursion_counter = 0; det_ctx->inspection_recursion_counter = 0;
int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HHHDMATCH], int r = DetectEngineContentInspection(de_ctx, det_ctx, s, sm,
f, f,
hname, hname_len, hname, hname_len,
0, 0,

2
src/detect-engine-hmd.c
Unescape Escape View File

@ -127,7 +127,7 @@ int DetectEngineInspectHttpMethod(ThreadVars *tv,
det_ctx->buffer_offset = 0; det_ctx->buffer_offset = 0;
det_ctx->discontinue_matching = 0; det_ctx->discontinue_matching = 0;
det_ctx->inspection_recursion_counter = 0; det_ctx->inspection_recursion_counter = 0;
int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HMDMATCH], int r = DetectEngineContentInspection(de_ctx, det_ctx, s, sm,
f, f,
(uint8_t *)bstr_ptr(tx->request_method), (uint8_t *)bstr_ptr(tx->request_method),
bstr_len(tx->request_method), bstr_len(tx->request_method),

2
src/detect-engine-hrhd.c
Unescape Escape View File

@ -195,7 +195,7 @@ int DetectEngineInspectHttpRawHeader(ThreadVars *tv,
det_ctx->buffer_offset = 0; det_ctx->buffer_offset = 0;
det_ctx->discontinue_matching = 0; det_ctx->discontinue_matching = 0;
det_ctx->inspection_recursion_counter = 0; det_ctx->inspection_recursion_counter = 0;
int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HRHDMATCH], int r = DetectEngineContentInspection(de_ctx, det_ctx, s, sm,
f, f,
headers_raw, headers_raw,
headers_raw_len, headers_raw_len,

2
src/detect-engine-hrhhd.c
Unescape Escape View File

@ -153,7 +153,7 @@ int DetectEngineInspectHttpHRH(ThreadVars *tv,
det_ctx->buffer_offset = 0; det_ctx->buffer_offset = 0;
det_ctx->discontinue_matching = 0; det_ctx->discontinue_matching = 0;
det_ctx->inspection_recursion_counter = 0; det_ctx->inspection_recursion_counter = 0;
int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HRHHDMATCH], int r = DetectEngineContentInspection(de_ctx, det_ctx, s, sm,
f, f,
hname, hname_len, hname, hname_len,
0, 0,

2
src/detect-engine-hrud.c
Unescape Escape View File

@ -129,7 +129,7 @@ int DetectEngineInspectHttpRawUri(ThreadVars *tv,
det_ctx->inspection_recursion_counter = 0; det_ctx->inspection_recursion_counter = 0;
/* Inspect all the uricontents fetched on each /* Inspect all the uricontents fetched on each
* transaction at the app layer */ * transaction at the app layer */
int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HRUDMATCH], int r = DetectEngineContentInspection(de_ctx, det_ctx, s, sm,
f, f,
(uint8_t *)bstr_ptr(tx->request_uri), (uint8_t *)bstr_ptr(tx->request_uri),
bstr_len(tx->request_uri), bstr_len(tx->request_uri),

2
src/detect-engine-hsbd.c
Unescape Escape View File

@ -281,7 +281,7 @@ int DetectEngineInspectHttpServerBody(ThreadVars *tv,
det_ctx->buffer_offset = 0; det_ctx->buffer_offset = 0;
det_ctx->discontinue_matching = 0; det_ctx->discontinue_matching = 0;
det_ctx->inspection_recursion_counter = 0; det_ctx->inspection_recursion_counter = 0;
int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_FILEDATA], int r = DetectEngineContentInspection(de_ctx, det_ctx, s, sm,
f, f,
(uint8_t *)buffer, (uint8_t *)buffer,
buffer_len, buffer_len,

3
src/detect-engine-hscd.c
Unescape Escape View File

@ -126,8 +126,7 @@ int DetectEngineInspectHttpStatCode(ThreadVars *tv,
det_ctx->discontinue_matching = 0; det_ctx->discontinue_matching = 0;
det_ctx->buffer_offset = 0; det_ctx->buffer_offset = 0;
det_ctx->inspection_recursion_counter = 0; det_ctx->inspection_recursion_counter = 0;
int r = DetectEngineContentInspection(de_ctx, det_ctx, s, int r = DetectEngineContentInspection(de_ctx, det_ctx, s, sm,
s->sm_lists[DETECT_SM_LIST_HSCDMATCH],
f, f,
(uint8_t *)bstr_ptr(tx->response_status), (uint8_t *)bstr_ptr(tx->response_status),
bstr_len(tx->response_status), bstr_len(tx->response_status),

3
src/detect-engine-hsmd.c
Unescape Escape View File

@ -126,8 +126,7 @@ int DetectEngineInspectHttpStatMsg(ThreadVars *tv,
det_ctx->discontinue_matching = 0; det_ctx->discontinue_matching = 0;
det_ctx->buffer_offset = 0; det_ctx->buffer_offset = 0;
det_ctx->inspection_recursion_counter = 0; det_ctx->inspection_recursion_counter = 0;
int r = DetectEngineContentInspection(de_ctx, det_ctx, s, int r = DetectEngineContentInspection(de_ctx, det_ctx, s, sm,
s->sm_lists[DETECT_SM_LIST_HSMDMATCH],
f, f,
(uint8_t *)bstr_ptr(tx->response_message), (uint8_t *)bstr_ptr(tx->response_message),
bstr_len(tx->response_message), bstr_len(tx->response_message),

2
src/detect-engine-hua.c
Unescape Escape View File

@ -135,7 +135,7 @@ int DetectEngineInspectHttpUA(ThreadVars *tv,
det_ctx->buffer_offset = 0; det_ctx->buffer_offset = 0;
det_ctx->discontinue_matching = 0; det_ctx->discontinue_matching = 0;
det_ctx->inspection_recursion_counter = 0; det_ctx->inspection_recursion_counter = 0;
int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HUADMATCH], int r = DetectEngineContentInspection(de_ctx, det_ctx, s, sm,
f, f,
(uint8_t *)bstr_ptr(h->value), (uint8_t *)bstr_ptr(h->value),
bstr_len(h->value), bstr_len(h->value),

2
src/detect-engine-uri.c
Unescape Escape View File

@ -129,7 +129,7 @@ int DetectEngineInspectHttpUri(ThreadVars *tv,
/* Inspect all the uricontents fetched on each /* Inspect all the uricontents fetched on each
* transaction at the app layer */ * transaction at the app layer */
int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_UMATCH], int r = DetectEngineContentInspection(de_ctx, det_ctx, s, sm,
f, f,
bstr_ptr(tx_ud->request_uri_normalized), bstr_ptr(tx_ud->request_uri_normalized),
bstr_len(tx_ud->request_uri_normalized), bstr_len(tx_ud->request_uri_normalized),

25
src/detect-engine.c
Unescape Escape View File

@ -172,6 +172,31 @@ int DetectEngineAppInspectionEngine2Signature(Signature *s)
new_engine->sm_list = t->sm_list; new_engine->sm_list = t->sm_list;
new_engine->Callback = t->Callback; new_engine->Callback = t->Callback;
switch (new_engine->sm_list) {
case DETECT_SM_LIST_HMDMATCH:
case DETECT_SM_LIST_UMATCH:
case DETECT_SM_LIST_HRUDMATCH:
case DETECT_SM_LIST_HTTP_REQLINEMATCH:
case DETECT_SM_LIST_HTTP_RESLINEMATCH:
case DETECT_SM_LIST_HCBDMATCH:
case DETECT_SM_LIST_FILEDATA:
case DETECT_SM_LIST_HHDMATCH:
case DETECT_SM_LIST_HRHDMATCH:
case DETECT_SM_LIST_HSMDMATCH:
case DETECT_SM_LIST_HSCDMATCH:
case DETECT_SM_LIST_HHHDMATCH:
case DETECT_SM_LIST_HRHHDMATCH:
case DETECT_SM_LIST_HCDMATCH:
case DETECT_SM_LIST_HUADMATCH:
new_engine->sm = s->sm_lists[new_engine->sm_list];
s->sm_lists[new_engine->sm_list] = NULL;
s->sm_lists_tail[new_engine->sm_list] = NULL;
lists_used[t->sm_list] = 1;
break;
default:
break;
}
if (s->app_inspect == NULL) { if (s->app_inspect == NULL) {
s->app_inspect = new_engine; s->app_inspect = new_engine;
new_engine->id = DE_STATE_FLAG_BASE; /* id is used as flag in stateful detect */ new_engine->id = DE_STATE_FLAG_BASE; /* id is used as flag in stateful detect */

2
src/detect-http-request-line.c
Unescape Escape View File

@ -191,7 +191,7 @@ static int DetectEngineInspectHttpRequestLine(ThreadVars *tv,
/* Inspect all the uricontents fetched on each /* Inspect all the uricontents fetched on each
* transaction at the app layer */ * transaction at the app layer */
int r = DetectEngineContentInspection(de_ctx, det_ctx, int r = DetectEngineContentInspection(de_ctx, det_ctx,
s, s->sm_lists[DETECT_SM_LIST_HTTP_REQLINEMATCH], s, sm,
f, f,
bstr_ptr(tx->request_line), bstr_ptr(tx->request_line),
bstr_len(tx->request_line), bstr_len(tx->request_line),

2
src/detect-http-response-line.c
Unescape Escape View File

@ -194,7 +194,7 @@ int DetectEngineInspectHttpResponseLine(ThreadVars *tv,
#endif #endif
/* run the inspection against the buffer */ /* run the inspection against the buffer */
int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HTTP_RESLINEMATCH], int r = DetectEngineContentInspection(de_ctx, det_ctx, s, sm,
f, f,
bstr_ptr(tx->response_line), bstr_ptr(tx->response_line),
bstr_len(tx->response_line), bstr_len(tx->response_line),

37
src/detect-uricontent.c
Unescape Escape View File

@ -486,45 +486,24 @@ end:
*/ */
int DetectUriSigTest01(void) int DetectUriSigTest01(void)
{ {
SigMatch *sm = NULL;
int result = 0;
ThreadVars th_v; ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
Signature *s = NULL; Signature *s = NULL;
memset(&th_v, 0, sizeof(th_v)); memset(&th_v, 0, sizeof(th_v));
DetectEngineCtx *de_ctx = DetectEngineCtxInit(); DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) { FAIL_IF_NULL(de_ctx);
goto end;
}
de_ctx->flags |= DE_QUIET; de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:" s = DetectEngineAppendSig(de_ctx,"alert http any any -> any any (msg:"
"\" Test uricontent\"; " "\" Test uricontent\"; content:\"me\"; uricontent:\"me\"; sid:1;)");
"content:\"me\"; uricontent:\"me\"; sid:1;)"); FAIL_IF_NULL(s);
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
BUG_ON(de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL); BUG_ON(s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL);
FAIL_IF_NOT(de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]->type == DETECT_CONTENT);
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; DetectEngineCtxFree(de_ctx);
if (sm->type == DETECT_CONTENT) { PASS;
result = 1;
} else {
result = 0;
}
end:
if (de_ctx != NULL) SigGroupCleanup(de_ctx);
if (de_ctx != NULL) SigCleanSignatures(de_ctx);
if (det_ctx != NULL) DetectEngineThreadCtxDeinit(&th_v, det_ctx);
if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
return result;
} }
/** \test Check the signature working to alert when http_cookie is matched . */ /** \test Check the signature working to alert when http_cookie is matched . */

Write Preview
Loading…
Cancel
Save