http_raw_uri: dynamic buffer

pull/2559/head
Victor Julien 8 years ago
parent ee55aefa1c
commit 6f867c3c73

@ -112,8 +112,6 @@ void EngineAnalysisFP(Signature *s, char *line)
int list_type = SigMatchListSMBelongsTo(s, mpm_sm);
if (list_type == DETECT_SM_LIST_PMATCH)
fprintf(fp_engine_analysis_FD, "content\n");
else if (list_type == DETECT_SM_LIST_HRUDMATCH)
fprintf(fp_engine_analysis_FD, "http raw uri content\n");
else {
const char *desc = DetectBufferTypeGetDescriptionById(list_type);
const char *name = DetectBufferTypeGetNameById(list_type);
@ -448,8 +446,6 @@ static void EngineAnalysisRulesPrintFP(const Signature *s)
fprintf(rule_engine_analysis_FD, "%s",
payload ? (stream ? "payload and reassembled stream" : "payload") : "reassembled stream");
}
else if (list_type == DETECT_SM_LIST_HRUDMATCH)
fprintf(rule_engine_analysis_FD, "http raw uri content");
else if (list_type == DETECT_SM_LIST_DNSQUERYNAME_MATCH)
fprintf(rule_engine_analysis_FD, "dns query name content");
else if (list_type == DETECT_SM_LIST_TLSSNI_MATCH)
@ -559,6 +555,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
const int httpheader_id = DetectBufferTypeGetByName("http_header");
const int httprawheader_id = DetectBufferTypeGetByName("http_raw_header");
const int httpclientbody_id = DetectBufferTypeGetByName("http_client_body");
const int httprawuri_id = DetectBufferTypeGetByName("http_raw_uri");
if (s->init_data->init_flags & SIG_FLAG_INIT_BIDIREC) {
rule_bidirectional = 1;
@ -617,7 +614,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
raw_http_buf += 1;
http_method_buf += 1;
}
else if (list_id == DETECT_SM_LIST_HRUDMATCH) {
else if (list_id == httprawuri_id) {
rule_pcre_http += 1;
raw_http_buf += 1;
http_raw_uri_buf += 1;
@ -678,7 +675,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
raw_http_buf += 1;
http_raw_header_buf += 1;
}
else if (list_id == DETECT_SM_LIST_HRUDMATCH) {
else if (list_id == httprawuri_id) {
rule_content_http += 1;
raw_http_buf += 1;
http_raw_uri_buf += 1;
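Review bot: The `DETECT_SM_LIST_HRUDMATCH` branch is dropped from the `else if` chain in EngineAnalysisRulesPrintFP, but the hunk does not show what the chain's final branch prints for a dynamically registered list. EngineAnalysisFP visibly falls back to `DetectBufferTypeGetDescriptionById(list_type)`, so the same fallback is presumably intended here. If it is missing, the rule-analysis report would stop labelling `http_raw_uri` fast patterns, which matters to anyone using that report to audit rule coverage. Both functions continue outside the hunks.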

@ -2798,8 +2798,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
case DETECT_SM_LIST_PMATCH:
return "packet/stream payload";
case DETECT_SM_LIST_HRUDMATCH:
return "http raw uri";
case DETECT_SM_LIST_APP_EVENT:
return "app layer events";

@ -333,6 +333,7 @@ static int g_http_stat_msg_buffer_id = 0;
static int g_http_raw_header_buffer_id = 0;
static int g_http_header_buffer_id = 0;
static int g_http_client_body_buffer_id = 0;
static int g_http_raw_uri_buffer_id = 0;
/**
* \test Checks if a fast_pattern is registered in a Signature
@ -9391,7 +9392,7 @@ int DetectFastPatternTest343(void)
"content:\"three\"; http_raw_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -9429,7 +9430,7 @@ int DetectFastPatternTest344(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id];
if (sm != NULL) {
if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) {
@ -9466,7 +9467,7 @@ int DetectFastPatternTest345(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id];
if (sm != NULL) {
if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) {
@ -9498,7 +9499,7 @@ int DetectFastPatternTest346(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id];
DetectContentData *ud = (DetectContentData *)sm->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
@ -9532,7 +9533,7 @@ int DetectFastPatternTest347(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id];
DetectContentData *ud = (DetectContentData *)sm->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -9773,7 +9774,7 @@ int DetectFastPatternTest357(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -9805,7 +9806,7 @@ int DetectFastPatternTest358(void)
"content:\"two\"; fast_pattern:only; http_raw_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -9837,7 +9838,7 @@ int DetectFastPatternTest359(void)
"content:\"two\"; fast_pattern:only; http_raw_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -9869,7 +9870,7 @@ int DetectFastPatternTest360(void)
"content:\"two\"; fast_pattern:only; http_raw_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -9900,7 +9901,7 @@ int DetectFastPatternTest361(void)
"content:\"two\"; http_raw_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -10025,7 +10026,7 @@ int DetectFastPatternTest366(void)
"content:\"three\"; http_raw_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -10057,7 +10058,7 @@ int DetectFastPatternTest367(void)
"content:\"three\"; http_raw_uri; distance:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -10089,7 +10090,7 @@ int DetectFastPatternTest368(void)
"content:\"three\"; http_raw_uri; within:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -10121,7 +10122,7 @@ int DetectFastPatternTest369(void)
"content:\"three\"; http_raw_uri; offset:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -10153,7 +10154,7 @@ int DetectFastPatternTest370(void)
"content:\"three\"; http_raw_uri; depth:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -10185,7 +10186,7 @@ int DetectFastPatternTest371(void)
"content:\"oneonethree\"; fast_pattern:3,4; http_raw_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -10217,7 +10218,7 @@ int DetectFastPatternTest372(void)
"content:\"oneonethree\"; fast_pattern:3,4; http_raw_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -10249,7 +10250,7 @@ int DetectFastPatternTest373(void)
"content:\"oneonethree\"; fast_pattern:3,4; http_raw_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -10281,7 +10282,7 @@ int DetectFastPatternTest374(void)
"content:\"oneonethree\"; fast_pattern:3,4; http_raw_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -10388,7 +10389,7 @@ int DetectFastPatternTest378(void)
"content:\"three\"; http_raw_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -10517,7 +10518,7 @@ int DetectFastPatternTest383(void)
"content:\"three\"; http_raw_uri; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -18845,6 +18846,7 @@ void DetectFastPatternRegisterTests(void)
g_http_header_buffer_id = DetectBufferTypeGetByName("http_header");
g_http_raw_header_buffer_id = DetectBufferTypeGetByName("http_raw_header");
g_http_client_body_buffer_id = DetectBufferTypeGetByName("http_client_body");
g_http_raw_uri_buffer_id = DetectBufferTypeGetByName("http_raw_uri");
UtRegisterTest("DetectFastPatternTest01", DetectFastPatternTest01);
UtRegisterTest("DetectFastPatternTest02", DetectFastPatternTest02);
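Review bot: The tests now index `sm_lists_tail[g_http_raw_uri_buffer_id]` with an id resolved at run time and dereference the result (`->ctx`, `->prev->ctx`) without a NULL check, for example in DetectFastPatternTest343, 357 and 361. The variable starts at 0 and is only assigned in DetectFastPatternRegisterTests, so if the lookup fails or runs before the keyword is registered the tests read a different list, or an out-of-range slot if the lookup can return a negative value (its definition is not shown here), and crash instead of failing. A guard before the dereference would turn that into a clean failure: `if (g_http_raw_uri_buffer_id < 0 || de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id] == NULL) goto end;`. DetectFastPatternTest344 and 345 already check `sm != NULL`, so this also makes the tests consistent. The test bodies continue outside the hunks.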

@ -57,6 +57,8 @@
static int DetectHttpRawUriSetup(DetectEngineCtx *, Signature *, char *);
static void DetectHttpRawUriRegisterTests(void);
static void DetectHttpRawUriSetupCallback(Signature *s);
static int g_http_raw_uri_buffer_id = 0;
/**
* \brief Registration function for keyword http_raw_uri.
@ -74,15 +76,20 @@ void DetectHttpRawUriRegister(void)
sigmatch_table[DETECT_AL_HTTP_RAW_URI].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_AL_HTTP_RAW_URI].flags |= SIGMATCH_PAYLOAD;
DetectMpmAppLayerRegister("http_raw_uri", SIG_FLAG_TOSERVER,
DETECT_SM_LIST_HRUDMATCH, 2,
DetectAppLayerMpmRegister("http_raw_uri", SIG_FLAG_TOSERVER, 2,
PrefilterTxRawUriRegister);
DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER,
DETECT_SM_LIST_HRUDMATCH,
DetectAppLayerInspectEngineRegister2("http_raw_uri",
ALPROTO_HTTP, SIG_FLAG_TOSERVER,
DetectEngineInspectHttpRawUri);
return;
DetectBufferTypeSetDescriptionByName("http_raw_uri",
"raw http uri");
DetectBufferTypeRegisterSetupCallback("http_raw_uri",
DetectHttpRawUriSetupCallback);
g_http_raw_uri_buffer_id = DetectBufferTypeGetByName("http_raw_uri");
}
/**
@ -99,11 +106,16 @@ static int DetectHttpRawUriSetup(DetectEngineCtx *de_ctx, Signature *s, char *ar
{
return DetectEngineContentModifierBufferSetup(de_ctx, s, arg,
DETECT_AL_HTTP_RAW_URI,
DETECT_SM_LIST_HRUDMATCH,
g_http_raw_uri_buffer_id,
ALPROTO_HTTP,
NULL);
}
static void DetectHttpRawUriSetupCallback(Signature *s)
{
SCLogDebug("callback invoked by %u", s->id);
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
}
/******************************** UNITESTS **********************************/
@ -184,7 +196,7 @@ int DetectHttpRawUriTest03(void)
goto end;
}
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id];
if (sm == NULL) {
printf("no sigmatch(es): ");
goto end;
@ -256,19 +268,19 @@ int DetectHttpRawUriTest05(void)
printf("sig failed to parse\n");
goto end;
}
if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH] == NULL)
if (s->sm_lists[g_http_raw_uri_buffer_id] == NULL)
goto end;
if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH]->type != DETECT_CONTENT) {
if (s->sm_lists[g_http_raw_uri_buffer_id]->type != DETECT_CONTENT) {
printf("wrong type\n");
goto end;
}
char *str = "we are testing http_raw_uri keyword";
int uricomp = memcmp((const char *)
((DetectContentData*)s->sm_lists[DETECT_SM_LIST_HRUDMATCH]->ctx)->content,
((DetectContentData*)s->sm_lists[g_http_raw_uri_buffer_id]->ctx)->content,
str,
strlen(str) - 1);
int urilen = ((DetectContentData*)s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx)->content_len;
int urilen = ((DetectContentData*)s->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx)->content_len;
if (uricomp != 0 ||
urilen != strlen("we are testing http_raw_uri keyword")) {
printf("sig failed to parse, content not setup properly\n");
@ -306,15 +318,15 @@ int DetectHttpRawUriTest12(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL\n");
goto end;
}
DetectContentData *ud1 =
(DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx;
(DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
DetectContentData *ud2 =
(DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx;
(DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(ud1->content, "one", ud1->content_len) != 0 ||
ud2->flags != DETECT_CONTENT_DISTANCE ||
@ -353,15 +365,15 @@ int DetectHttpRawUriTest13(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL\n");
goto end;
}
DetectContentData *ud1 =
(DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx;
(DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
DetectContentData *ud2 =
(DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx;
(DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(ud1->content, "one", ud1->content_len) != 0 ||
ud2->flags != DETECT_CONTENT_WITHIN ||
@ -472,15 +484,15 @@ int DetectHttpRawUriTest17(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL\n");
goto end;
}
DetectContentData *ud1 =
(DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx;
(DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
DetectContentData *ud2 =
(DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx;
(DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(ud1->content, "one", ud1->content_len) != 0 ||
ud2->flags != DETECT_CONTENT_DISTANCE ||
@ -520,15 +532,15 @@ int DetectHttpRawUriTest18(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HRUDMATCH] == NULL\n");
if (de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_raw_uri_buffer_id] == NULL\n");
goto end;
}
DetectContentData *ud1 =
(DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->prev->ctx;
(DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->prev->ctx;
DetectContentData *ud2 =
(DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]->ctx;
(DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_uri_buffer_id]->ctx;
if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(ud1->content, "one", ud1->content_len) != 0 ||
ud2->flags != DETECT_CONTENT_WITHIN ||
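Review bot: In DetectHttpRawUriTest05 the `memcmp` on the parsed content runs before `content_len` is compared, and it covers `strlen(str) - 1` bytes, so a parse that produced a shorter buffer is read past its end and the last character of the expected string is never compared. Checking the length first and comparing the full string fixes both: `if (cd->content_len != strlen(str) || memcmp(cd->content, str, strlen(str)) != 0)`, with `cd` taken once from `s->sm_lists[g_http_raw_uri_buffer_id]->ctx`. The test also reads the content from `sm_lists` and the length from `sm_lists_tail`, which only agree while the list holds a single match. The test body starts and ends outside the hunk.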

@ -1000,9 +1000,10 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, char *str)
} else if (lua->flags & DATATYPE_HTTP_URI) {
int list = DetectBufferTypeGetByName("http_uri");
SigMatchAppendSMToList(s, sm, list);
} else if (lua->flags & DATATYPE_HTTP_URI_RAW)
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRUDMATCH);
else if (lua->flags & DATATYPE_HTTP_REQUEST_COOKIE ||
} else if (lua->flags & DATATYPE_HTTP_URI_RAW) {
int list = DetectBufferTypeGetByName("http_raw_uri");
SigMatchAppendSMToList(s, sm, list);
} else if (lua->flags & DATATYPE_HTTP_REQUEST_COOKIE ||
lua->flags & DATATYPE_HTTP_RESPONSE_COOKIE)
{
int list = DetectBufferTypeGetByName("http_cookie");
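Review bot: The id returned by `DetectBufferTypeGetByName("http_raw_uri")` in the new `DATATYPE_HTTP_URI_RAW` branch is handed to `SigMatchAppendSMToList` without being checked. If the lookup can fail with a negative value (its definition is not shown here), the match is appended to an invalid list while the rule is being loaded; a check such as `if (list < 0) goto error;`, using whatever failure path DetectLuaSetup already has, would reject the rule instead. The new 'I' case in DetectPcreParse passes an unchecked id to `DetectPcreSetList` in the same way, and its `goto error` path is visible there. The neighbouring `http_uri` and `http_cookie` branches follow the same pattern, so this may be better done for all of them at once. DetectLuaSetup continues outside the hunk.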

@ -141,7 +141,6 @@ const char *DetectListToHumanString(int list)
switch (list) {
CASE_CODE_STRING(DETECT_SM_LIST_MATCH, "packet");
CASE_CODE_STRING(DETECT_SM_LIST_PMATCH, "payload");
CASE_CODE_STRING(DETECT_SM_LIST_HRUDMATCH, "http_raw_uri");
CASE_CODE_STRING(DETECT_SM_LIST_APP_EVENT, "app-layer-event");
CASE_CODE_STRING(DETECT_SM_LIST_AMATCH, "app-layer");
CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc");
@ -172,7 +171,6 @@ const char *DetectListToString(int list)
switch (list) {
CASE_CODE(DETECT_SM_LIST_MATCH);
CASE_CODE(DETECT_SM_LIST_PMATCH);
CASE_CODE(DETECT_SM_LIST_HRUDMATCH);
CASE_CODE(DETECT_SM_LIST_APP_EVENT);
CASE_CODE(DETECT_SM_LIST_AMATCH);
CASE_CODE(DETECT_SM_LIST_DMATCH);
@ -1400,24 +1398,6 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
SCReturnInt(0);
}
for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH]; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_FLOW) {
DetectFlowData *fd = (DetectFlowData *)sm->ctx;
if (fd == NULL)
continue;
if (fd->flags & FLOW_PKT_TOCLIENT) {
/* check for request + from_server/to_client */
if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use uricontent "
"/http_uri , raw_uri, http_client_body, "
"http_method, http_user_agent keywords "
"with flow:to_client or flow:from_server");
SCReturnInt(0);
}
}
}
}
#if 0 // TODO figure out why this is even necessary
if ((s->init_data->smlists[DETECT_SM_LIST_FILEDATA] != NULL && s->alproto == ALPROTO_SMTP) ||
s->init_data->smlists[DETECT_SM_LIST_UMATCH] != NULL ||
@ -1505,15 +1485,6 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
SCReturnInt(0);
}
}
if (s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH])
{
SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature combines packet "
"specific matches (like dsize, flags, ttl) with stream / "
"state matching by matching on app layer proto (like using "
"http_* keywords).");
SCReturnInt(0);
}
}
for (sm = s->init_data->smlists[DETECT_SM_LIST_AMATCH]; sm != NULL; sm = sm->next) {

@ -441,13 +441,15 @@ static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr,
int list = DetectBufferTypeGetByName("http_header");
*sm_list = DetectPcreSetList(*sm_list, list);
break;
} case 'I': /* snort's option */
} case 'I': { /* snort's option */
if (pd->flags & DETECT_PCRE_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'I' inconsistent with 'B'");
goto error;
}
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HRUDMATCH);
int list = DetectBufferTypeGetByName("http_raw_uri");
*sm_list = DetectPcreSetList(*sm_list, list);
break;
}
case 'D': { /* snort's option */
int list = DetectBufferTypeGetByName("http_raw_header");
*sm_list = DetectPcreSetList(*sm_list, list);
@ -688,34 +690,12 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
if (DetectPcreParseCapture(regexstr, de_ctx, pd) < 0)
goto error;
if (parsed_sm_list == DETECT_SM_LIST_HRUDMATCH)
{
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
"Conflicting alprotos detected for this rule. Http "
"pcre modifier found along with a different protocol "
"for the rule.");
goto error;
}
if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "pcre found with http "
"modifier set, with file_data/dce_stub_data sticky "
"option set.");
goto error;
}
}
int sm_list = -1;
if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
s->flags |= SIG_FLAG_APPLAYER;
sm_list = s->init_data->list;
} else {
switch(parsed_sm_list) {
case DETECT_SM_LIST_HRUDMATCH:
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
sm_list = parsed_sm_list;
break;
case DETECT_SM_LIST_NOTSET:
sm_list = DETECT_SM_LIST_PMATCH;
break;
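Review bot: The removed `DETECT_SM_LIST_HRUDMATCH` handling in DetectPcreSetup rejected a `/I` pcre on a rule with a non-HTTP alproto or an active sticky buffer, and its `switch` case set `SIG_FLAG_APPLAYER` and `s->alproto = ALPROTO_HTTP`; the visible new code has no replacement for the dynamic `http_raw_uri` id. The remaining cases of the `switch` are outside the hunk, so a default branch may already cover registered buffer ids. If it does not, a `/I` rule could load with the wrong protocol binding and never inspect the raw URI. If it does, a comment at the `switch` such as `/* registered buffer ids (http_raw_uri, ...) are handled by the default case */` would make that checkable from this function alone.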

@ -55,6 +55,7 @@ void DetectUrilenFree (void *);
void DetectUrilenRegisterTests (void);
static int g_http_uri_buffer_id = 0;
static int g_http_raw_uri_buffer_id = 0;
/**
* \brief Registration function for urilen: keyword
@ -75,6 +76,7 @@ void DetectUrilenRegister(void)
DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
g_http_uri_buffer_id = DetectBufferTypeRegister("http_uri");
g_http_raw_uri_buffer_id = DetectBufferTypeRegister("http_raw_uri");
}
/**
@ -263,7 +265,7 @@ static int DetectUrilenSetup (DetectEngineCtx *de_ctx, Signature *s, char *urile
sm->ctx = (void *)urilend;
if (urilend->raw_buffer)
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRUDMATCH);
SigMatchAppendSMToList(s, sm, g_http_raw_uri_buffer_id);
else
SigMatchAppendSMToList(s, sm, g_http_uri_buffer_id);

@ -1912,9 +1912,6 @@ int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s)
if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL)
return 0;
@ -1987,9 +1984,6 @@ static int SignatureIsPDOnly(const Signature *s)
if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL)
return 0;
@ -2088,9 +2082,8 @@ static int SignatureIsDEOnly(DetectEngineCtx *de_ctx, const Signature *s)
SCReturnInt(0);
}
if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL)
if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL)
{
SCReturnInt(0);
}
@ -2243,11 +2236,6 @@ static int SignatureCreateMask(Signature *s)
SCLogDebug("sig requires dce state");
}
if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL) {
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
SCLogDebug("sig requires http app state");
}
SigMatch *sm;
for (sm = s->init_data->smlists[DETECT_SM_LIST_AMATCH] ; sm != NULL; sm = sm->next) {
switch(sm->type) {
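Review bot: SignatureIsIPOnly, SignatureIsPDOnly and SignatureIsDEOnly no longer test the raw URI list, and nothing in these hunks shows a replacement check for dynamically registered buffers. If those functions have no generic pass over the registered buffer lists, a signature whose only match is `http_raw_uri` content could be classified as IP-only or decoder-event-only and be evaluated without looking at the URI. The `SIG_MASK_REQUIRE_HTTP_STATE` assignment removed from SignatureCreateMask is a different case, since it is visibly re-established by DetectHttpRawUriSetupCallback elsewhere in this commit. All four functions continue outside the hunks.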

@ -115,10 +115,8 @@ enum DetectSigmatchListEnum {
DETECT_SM_LIST_BUILTIN_MAX,
/* list for http_raw_uri keyword and the ones relative to it */
DETECT_SM_LIST_HRUDMATCH = DETECT_SM_LIST_BUILTIN_MAX,
/* app event engine sm list */
DETECT_SM_LIST_APP_EVENT,
DETECT_SM_LIST_APP_EVENT = DETECT_SM_LIST_BUILTIN_MAX,
DETECT_SM_LIST_FILEMATCH,
