mirror of https://github.com/OISF/suricata
http_header: common detection code
parent
5ee68ca2b2
commit
6279ec399e
@ -0,0 +1,206 @@
|
||||
/* Copyright (C) 2007-2017 Open Information Security Foundation
|
||||
*
|
||||
* You can copy, redistribute or modify this Program under the terms of
|
||||
* the GNU General Public License version 2 as published by the Free
|
||||
* Software Foundation.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* version 2 along with this program; if not, write to the Free Software
|
||||
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
||||
* 02110-1301, USA.
|
||||
*/
|
||||
|
||||
/**
|
||||
* \ingroup httplayer
|
||||
*
|
||||
* @{
|
||||
*/
|
||||
|
||||
#include "suricata-common.h"
|
||||
#include "threads.h"
|
||||
#include "decode.h"
|
||||
|
||||
#include "detect.h"
|
||||
#include "detect-parse.h"
|
||||
#include "detect-engine.h"
|
||||
#include "detect-engine-mpm.h"
|
||||
#include "detect-engine-state.h"
|
||||
#include "detect-engine-prefilter.h"
|
||||
#include "detect-engine-content-inspection.h"
|
||||
#include "detect-content.h"
|
||||
#include "detect-pcre.h"
|
||||
|
||||
#include "flow.h"
|
||||
#include "flow-var.h"
|
||||
#include "flow-util.h"
|
||||
|
||||
#include "util-debug.h"
|
||||
#include "util-unittest.h"
|
||||
#include "util-unittest-helper.h"
|
||||
#include "util-spm.h"
|
||||
#include "util-print.h"
|
||||
|
||||
#include "app-layer.h"
|
||||
#include "app-layer-parser.h"
|
||||
|
||||
#include "app-layer-htp.h"
|
||||
#include "detect-http-header.h"
|
||||
#include "stream-tcp.h"
|
||||
|
||||
#include "util-print.h"
|
||||
|
||||
#include "detect-http-header-common.h"
|
||||
|
||||
static inline int CreateSpace(HttpHeaderThreadData *td, uint64_t size);
|
||||
|
||||
void *HttpHeaderThreadDataInit(void *data)
|
||||
{
|
||||
HttpHeaderThreadData *td = SCCalloc(1, sizeof(*td));
|
||||
if (td != NULL) {
|
||||
if (data == NULL) {
|
||||
td->tx_step = 4;
|
||||
td->size_step = 512;
|
||||
} else {
|
||||
HttpHeaderThreadDataConfig *c = data;
|
||||
td->tx_step = c->tx_step;
|
||||
td->size_step = c->size_step;
|
||||
}
|
||||
|
||||
/* initialize minimal buffers */
|
||||
(void)CreateSpace(td, 1);
|
||||
int i;
|
||||
for (i = 0; i < td->buffers_size; i++) {
|
||||
(void)HttpHeaderExpandBuffer(td, &td->buffers[i], 1);
|
||||
}
|
||||
}
|
||||
return td;
|
||||
}
|
||||
|
||||
void HttpHeaderThreadDataFree(void *data)
|
||||
{
|
||||
HttpHeaderThreadData *hdrnames = data;
|
||||
|
||||
int i;
|
||||
for (i = 0; i < hdrnames->buffers_size; i++) {
|
||||
if (hdrnames->buffers[i].buffer)
|
||||
SCFree(hdrnames->buffers[i].buffer);
|
||||
if (hdrnames->buffers[i].size) {
|
||||
SCLogDebug("hdrnames->buffers[%d].size %u (%u)",
|
||||
i, hdrnames->buffers[i].size, hdrnames->buffers_size);
|
||||
}
|
||||
}
|
||||
SCFree(hdrnames->buffers);
|
||||
SCFree(hdrnames);
|
||||
}
|
||||
|
||||
static void Reset(HttpHeaderThreadData *hdrnames, uint64_t tick)
|
||||
{
|
||||
uint16_t i;
|
||||
for (i = 0; i < hdrnames->buffers_list_len; i++) {
|
||||
hdrnames->buffers[i].len = 0;
|
||||
}
|
||||
hdrnames->buffers_list_len = 0;
|
||||
hdrnames->start_tx_id = 0;
|
||||
hdrnames->tick = tick;
|
||||
}
|
||||
|
||||
static inline int CreateSpace(HttpHeaderThreadData *td, uint64_t size)
|
||||
{
|
||||
if (size >= SHRT_MAX)
|
||||
return -1;
|
||||
|
||||
if (size > td->buffers_size) {
|
||||
uint16_t extra = td->tx_step;
|
||||
while (td->buffers_size + extra < size) {
|
||||
extra += td->tx_step;
|
||||
}
|
||||
SCLogDebug("adding %u to the buffer", (uint)extra);
|
||||
|
||||
void *ptmp = SCRealloc(td->buffers,
|
||||
(td->buffers_size + extra) * sizeof(HttpHeaderBuffer));
|
||||
if (ptmp == NULL) {
|
||||
SCFree(td->buffers);
|
||||
td->buffers = NULL;
|
||||
td->buffers_size = 0;
|
||||
td->buffers_list_len = 0;
|
||||
return -1;
|
||||
}
|
||||
td->buffers = ptmp;
|
||||
memset(td->buffers + td->buffers_size, 0, extra * sizeof(HttpHeaderBuffer));
|
||||
td->buffers_size += extra;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
int HttpHeaderExpandBuffer(HttpHeaderThreadData *td,
|
||||
HttpHeaderBuffer *buf, uint32_t size)
|
||||
{
|
||||
size_t extra = td->size_step;
|
||||
while ((buf->size + extra) < (size + buf->len)) {
|
||||
extra += td->size_step;
|
||||
}
|
||||
SCLogDebug("adding %u to the buffer", (uint)extra);
|
||||
|
||||
uint8_t *new_buffer = SCRealloc(buf->buffer, buf->size + extra);
|
||||
if (unlikely(new_buffer == NULL)) {
|
||||
buf->len = 0;
|
||||
return -1;
|
||||
}
|
||||
buf->buffer = new_buffer;
|
||||
buf->size += extra;
|
||||
return 0;
|
||||
}
|
||||
|
||||
HttpHeaderBuffer *HttpHeaderGetBufferSpaceForTXID(DetectEngineThreadCtx *det_ctx,
|
||||
Flow *f, uint8_t flags, uint64_t tx_id, const int keyword_id,
|
||||
HttpHeaderThreadData **ret_hdr_td)
|
||||
{
|
||||
int index = 0;
|
||||
*ret_hdr_td = NULL;
|
||||
|
||||
HttpHeaderThreadData *hdr_td =
|
||||
DetectThreadCtxGetGlobalKeywordThreadCtx(det_ctx, keyword_id);
|
||||
if (hdr_td == NULL)
|
||||
return NULL;
|
||||
if (hdr_td->tick != det_ctx->ticker)
|
||||
Reset(hdr_td, det_ctx->ticker);
|
||||
*ret_hdr_td = hdr_td;
|
||||
|
||||
if (hdr_td->buffers_list_len == 0) {
|
||||
/* get the inspect id to use as a 'base id' */
|
||||
uint64_t base_inspect_id = AppLayerParserGetTransactionInspectId(f->alparser, flags);
|
||||
BUG_ON(base_inspect_id > tx_id);
|
||||
/* see how many space we need for the current tx_id */
|
||||
uint64_t txs = (tx_id - base_inspect_id) + 1;
|
||||
if (CreateSpace(hdr_td, txs) < 0)
|
||||
return NULL;
|
||||
|
||||
index = (tx_id - base_inspect_id);
|
||||
hdr_td->start_tx_id = base_inspect_id;
|
||||
hdr_td->buffers_list_len = txs;
|
||||
} else {
|
||||
/* tx fits in our current buffers */
|
||||
if ((tx_id - hdr_td->start_tx_id) < hdr_td->buffers_list_len) {
|
||||
/* if we previously reassembled, return that buffer */
|
||||
if (hdr_td->buffers[(tx_id - hdr_td->start_tx_id)].len != 0) {
|
||||
return &hdr_td->buffers[(tx_id - hdr_td->start_tx_id)];
|
||||
}
|
||||
/* otherwise fall through */
|
||||
} else {
|
||||
/* not enough space, lets expand */
|
||||
uint64_t txs = (tx_id - hdr_td->start_tx_id) + 1;
|
||||
if (CreateSpace(hdr_td, txs) < 0)
|
||||
return NULL;
|
||||
|
||||
hdr_td->buffers_list_len = txs;
|
||||
}
|
||||
index = (tx_id - hdr_td->start_tx_id);
|
||||
}
|
||||
HttpHeaderBuffer *buf = &hdr_td->buffers[index];
|
||||
return buf;
|
||||
}
|
@ -0,0 +1,58 @@
|
||||
/* Copyright (C) 2007-2017 Open Information Security Foundation
|
||||
*
|
||||
* You can copy, redistribute or modify this Program under the terms of
|
||||
* the GNU General Public License version 2 as published by the Free
|
||||
* Software Foundation.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* version 2 along with this program; if not, write to the Free Software
|
||||
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
||||
* 02110-1301, USA.
|
||||
*/
|
||||
|
||||
/**
|
||||
* \file
|
||||
*
|
||||
* \author Victor Julien <victor@inliniac.net>
|
||||
*/
|
||||
|
||||
#ifndef __DETECT_HTTP_HEADER_COMMON_H__
|
||||
#define __DETECT_HTTP_HEADER_COMMON_H__
|
||||
|
||||
typedef struct HttpHeaderBuffer_ {
|
||||
uint8_t *buffer;
|
||||
uint32_t size; /**< buffer size */
|
||||
uint32_t len; /**< part of buffer in use */
|
||||
} HttpHeaderBuffer;
|
||||
|
||||
typedef struct HttpHeaderThreadConfig_ {
|
||||
uint16_t tx_step;
|
||||
uint16_t size_step;
|
||||
} HttpHeaderThreadDataConfig;
|
||||
|
||||
typedef struct HttpHeaderThreadData_ {
|
||||
HttpHeaderBuffer *buffers; /**< array of buffers */
|
||||
uint16_t buffers_size; /**< number of buffers */
|
||||
uint16_t buffers_list_len;
|
||||
uint16_t size_step; /**< increase size of HttpHeaderBuffer::buffer with this */
|
||||
uint16_t tx_step; /**< increase number of txs with this */
|
||||
uint64_t start_tx_id;
|
||||
uint64_t tick;
|
||||
} HttpHeaderThreadData;
|
||||
|
||||
void *HttpHeaderThreadDataInit(void *data);
|
||||
void HttpHeaderThreadDataFree(void *data);
|
||||
|
||||
HttpHeaderBuffer *HttpHeaderGetBufferSpaceForTXID(DetectEngineThreadCtx *det_ctx,
|
||||
Flow *f, uint8_t flags, uint64_t tx_id, const int keyword_id,
|
||||
HttpHeaderThreadData **ret_hdr_td);
|
||||
|
||||
int HttpHeaderExpandBuffer(HttpHeaderThreadData *td,
|
||||
HttpHeaderBuffer *buf, uint32_t size);
|
||||
|
||||
#endif /* __DETECT_HTTP_HEADER_COMMON_H__ */
|
Loading…
Reference in New Issue