Fix issue with log-httplog where it logged uri's of previous packets because of a broken uri check.

17 years ago · 69162f9cd0
parent 05fd319f6c
commit 69162f9cd0
3 changed files with 9 additions and 6 deletions
--- a/src/detect-pcre.c
+++ b/src/detect-pcre.c
@ -116,7 +116,7 @@ int DetectPcreMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signat

                    p->http_uri.raw[pmt->pkt_cnt] = (u_int8_t *)str_ptr;
                    p->http_uri.raw_size[pmt->pkt_cnt] = ret;
-                    p->http_uri.cnt = pmt->pkt_cnt;
+                    p->http_uri.cnt = pmt->pkt_cnt + 1;
                } else {
                    FlowVarAdd(p->flow, pe->capname, (u_int8_t *)str_ptr, ret);
                }
--- a/src/detect-uricontent.c
+++ b/src/detect-uricontent.c
@ -245,7 +245,7 @@ int DetectUricontentMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p,

        /* scan all buffers we have */
        u_int8_t i;
-        for (i = 0; i <= p->http_uri.cnt; i++) {
+        for (i = 0; i < p->http_uri.cnt; i++) {
            //printf("p->http_uri.raw_size[%u] %u, %p, %s\n", i, p->http_uri.raw_size[i], p->http_uri.raw[i], p->http_uri.raw[i]);
            //printf("pmt->mcu %p\n", pmt->mcu);
            ret += pmt->mcu->Search(pmt->mcu, &pmt->mtcu, p->http_uri.raw[i], p->http_uri.raw_size[i]);
--- a/src/log-httplog.c
+++ b/src/log-httplog.c
@ -82,7 +82,7 @@ int LogHttplogIPv4(ThreadVars *tv, Packet *p, void *data)
    u_int16_t size;

    /* XXX add a better check for this */
-    if (p->http_uri.raw_size[0] == 0)
+    if (p->http_uri.cnt == 0)
        return 0;

    /* we need a lock */
@ -112,7 +112,7 @@ int LogHttplogIPv4(ThreadVars *tv, Packet *p, void *data)
    inet_ntop(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
    inet_ntop(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));

-    for (i = 0; i <= p->http_uri.cnt; i++) {
+    for (i = 0; i < p->http_uri.cnt; i++) {
        fprintf(aft->fp, "%s %s [**] %s [**] %s [**] %s:%u -> %s:%u\n",
            timebuf, hostname, p->http_uri.raw[i], ua, srcip, p->sp, dstip, p->dp);
        fflush(aft->fp);
@ -129,7 +129,7 @@ int LogHttplogIPv6(ThreadVars *tv, Packet *p, void *data)
    u_int16_t size;

    /* XXX add a better check for this */
-    if (p->http_uri.raw_size[0] == 0)
+    if (p->http_uri.cnt == 0)
        return 0;

    /* we need a lock */
@ -159,7 +159,7 @@ int LogHttplogIPv6(ThreadVars *tv, Packet *p, void *data)
    inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
    inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));

-    for (i = 0; i <= p->http_uri.cnt; i++) {
+    for (i = 0; i < p->http_uri.cnt; i++) {
        fprintf(aft->fp, "%s %s [**] %s [**] %s [**] %s:%u -> %s:%u\n",
            timebuf, hostname, p->http_uri.raw[i], ua, srcip, p->sp, dstip, p->dp);
        fflush(aft->fp);
@ -169,6 +169,9 @@ int LogHttplogIPv6(ThreadVars *tv, Packet *p, void *data)

 int LogHttplog (ThreadVars *tv, Packet *p, void *data)
 {
+    if (!(PKT_IS_TCP(p)))
+        return 0;
+
    if (PKT_IS_IPV4(p)) {
        return LogHttplogIPv4(tv, p, data);
    } else if (PKT_IS_IPV6(p)) {