http_raw_uri: mpm prefilter engine

pull/2310/head
Victor Julien 10 years ago
parent 746a169127
commit 7a46364e42

@ -1,4 +1,4 @@
/* Copyright (C) 2007-2010 Open Information Security Foundation
/* Copyright (C) 2007-2016 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
@ -25,6 +25,7 @@
/** \file
*
* \author Anoop Saldanha <anoopsaldanha@gmail.com>
* \author Victor Julien <victor@inliniac.net>
*
* \brief Handle HTTP raw uri match
*/
@ -40,6 +41,7 @@
#include "detect-parse.h"
#include "detect-engine-state.h"
#include "detect-engine-content-inspection.h"
#include "detect-engine-prefilter.h"
#include "flow-util.h"
#include "util-debug.h"
@ -58,52 +60,42 @@
#include "util-validate.h"
/**
* \brief Http raw uri match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param uri Raw uri to inspect.
* \param uri_len Raw uri length.
/** \brief HTTP URI Raw Mpm prefilter callback
*
* \retval ret Number of matches.
* \param det_ctx detection engine thread ctx
* \param p packet to inspect
* \param f flow to inspect
* \param txv tx to inspect
* \param pectx inspection context
*/
static inline uint32_t HttpRawUriPatternSearch(DetectEngineThreadCtx *det_ctx,
const uint8_t *uri, const uint32_t uri_len)
static void PrefilterTxRawUri(DetectEngineThreadCtx *det_ctx,
const void *pectx,
Packet *p, Flow *f, void *txv,
const uint64_t idx, const uint8_t flags)
{
SCEnter();
uint32_t ret = 0;
const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
htp_tx_t *tx = (htp_tx_t *)txv;
DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrud_ctx_ts == NULL);
if (likely(tx->request_uri != NULL)) {
const uint32_t uri_len = bstr_len(tx->request_uri);
const uint8_t *uri = bstr_ptr(tx->request_uri);
if (uri_len >= det_ctx->sgh->mpm_hrud_ctx_ts->minlen) {
ret = mpm_table[det_ctx->sgh->mpm_hrud_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_hrud_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, uri, uri_len);
if (uri_len >= mpm_ctx->minlen) {
(void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
&det_ctx->mtcu, &det_ctx->pmq, uri, uri_len);
}
}
SCReturnUInt(ret);
}
/**
* \brief Run the mpm against raw http uris.
*
* \retval cnt Number of matches reported by the mpm algo.
*/
int DetectEngineRunHttpRawUriMpm(DetectEngineThreadCtx *det_ctx, void *txv)
int PrefilterTxRawUriRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx)
{
SCEnter();
htp_tx_t *tx = (htp_tx_t *)txv;
uint32_t cnt = 0;
if (tx->request_uri == NULL)
goto end;
cnt = HttpRawUriPatternSearch(det_ctx,
(const uint8_t *)bstr_ptr(tx->request_uri),
bstr_len(tx->request_uri));
end:
SCReturnInt(cnt);
return PrefilterAppendTxEngine(sgh, PrefilterTxRawUri,
ALPROTO_HTTP, HTP_REQUEST_LINE,
mpm_ctx, NULL);
}
/**
@ -2208,294 +2200,6 @@ end:
return result;
}
static int DetectEngineHttpRawUriTest17(void)
{
TcpSession ssn;
Packet *p1 = NULL;
ThreadVars th_v;
DetectEngineCtx *de_ctx = NULL;
DetectEngineThreadCtx *det_ctx = NULL;
Flow f;
uint8_t http1_buf[] = "This_is_dummy_body1";
uint32_t http1_len = sizeof(http1_buf) - 1;
int result = 0;
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.proto = IPPROTO_TCP;
f.flags |= FLOW_IPV4;
p1->flow = &f;
p1->flowflags |= FLOW_PKT_TOSERVER;
p1->flowflags |= FLOW_PKT_ESTABLISHED;
p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"content:\"body1\"; http_raw_uri; "
"content:\"bambu\"; http_raw_uri; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
/* start the search phase */
det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1);
uint32_t r = HttpRawUriPatternSearch(det_ctx, http1_buf, http1_len);
if (r != 1) {
printf("expected 1 result, got %"PRIu32": ", r);
goto end;
}
result = 1;
end:
if (de_ctx != NULL)
SigGroupCleanup(de_ctx);
if (de_ctx != NULL)
SigCleanSignatures(de_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePackets(&p1, 1);
return result;
}
static int DetectEngineHttpRawUriTest18(void)
{
TcpSession ssn;
Packet *p1 = NULL;
ThreadVars th_v;
DetectEngineCtx *de_ctx = NULL;
DetectEngineThreadCtx *det_ctx = NULL;
Flow f;
uint8_t http1_buf[] = "This_is_dummy_body1";
uint32_t http1_len = sizeof(http1_buf) - 1;
int result = 0;
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.proto = IPPROTO_TCP;
f.flags |= FLOW_IPV4;
p1->flow = &f;
p1->flowflags |= FLOW_PKT_TOSERVER;
p1->flowflags |= FLOW_PKT_ESTABLISHED;
p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"content:\"body1\"; http_raw_uri; "
"content:\"bambu\"; http_raw_uri; fast_pattern; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
/* start the search phase */
det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1);
uint32_t r = HttpRawUriPatternSearch(det_ctx, http1_buf, http1_len);
if (r != 0) {
printf("expected 0 result, got %"PRIu32": ", r);
goto end;
}
result = 1;
end:
if (de_ctx != NULL)
SigGroupCleanup(de_ctx);
if (de_ctx != NULL)
SigCleanSignatures(de_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePackets(&p1, 1);
return result;
}
static int DetectEngineHttpRawUriTest19(void)
{
TcpSession ssn;
Packet *p1 = NULL;
ThreadVars th_v;
DetectEngineCtx *de_ctx = NULL;
DetectEngineThreadCtx *det_ctx = NULL;
Flow f;
uint8_t http1_buf[] = "This_is_dummy_body1";
uint32_t http1_len = sizeof(http1_buf) - 1;
int result = 0;
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.proto = IPPROTO_TCP;
f.flags |= FLOW_IPV4;
p1->flow = &f;
p1->flowflags |= FLOW_PKT_TOSERVER;
p1->flowflags |= FLOW_PKT_ESTABLISHED;
p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"content:\"bambu\"; http_raw_uri; "
"content:\"is\"; http_raw_uri; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
/* start the search phase */
det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1);
uint32_t r = HttpRawUriPatternSearch(det_ctx, http1_buf, http1_len);
if (r != 0) {
printf("expected 0 result, got %"PRIu32": ", r);
goto end;
}
result = 1;
end:
if (de_ctx != NULL)
SigGroupCleanup(de_ctx);
if (de_ctx != NULL)
SigCleanSignatures(de_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePackets(&p1, 1);
return result;
}
static int DetectEngineHttpRawUriTest20(void)
{
TcpSession ssn;
Packet *p1 = NULL;
ThreadVars th_v;
DetectEngineCtx *de_ctx = NULL;
DetectEngineThreadCtx *det_ctx = NULL;
Flow f;
uint8_t http1_buf[] = "This_is_dummy_body1";
uint32_t http1_len = sizeof(http1_buf) - 1;
int result = 0;
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.proto = IPPROTO_TCP;
f.flags |= FLOW_IPV4;
p1->flow = &f;
p1->flowflags |= FLOW_PKT_TOSERVER;
p1->flowflags |= FLOW_PKT_ESTABLISHED;
p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"content:\"bambu\"; http_raw_uri; "
"content:\"is\"; http_raw_uri; fast_pattern; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
/* start the search phase */
det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1);
uint32_t r = HttpRawUriPatternSearch(det_ctx, http1_buf, http1_len);
if (r < 1) {
printf("expected result >= 1, got %"PRIu32": ", r);
goto end;
}
result = 1;
end:
if (de_ctx != NULL)
SigGroupCleanup(de_ctx);
if (de_ctx != NULL)
SigCleanSignatures(de_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePackets(&p1, 1);
return result;
}
static int DetectEngineHttpRawUriTest21(void)
{
TcpSession ssn;
@ -3762,14 +3466,6 @@ void DetectEngineHttpRawUriRegisterTests(void)
DetectEngineHttpRawUriTest15);
UtRegisterTest("DetectEngineHttpRawUriTest16",
DetectEngineHttpRawUriTest16);
UtRegisterTest("DetectEngineHttpRawUriTest17",
DetectEngineHttpRawUriTest17);
UtRegisterTest("DetectEngineHttpRawUriTest18",
DetectEngineHttpRawUriTest18);
UtRegisterTest("DetectEngineHttpRawUriTest19",
DetectEngineHttpRawUriTest19);
UtRegisterTest("DetectEngineHttpRawUriTest20",
DetectEngineHttpRawUriTest20);
UtRegisterTest("DetectEngineHttpRawUriTest21",
DetectEngineHttpRawUriTest21);
UtRegisterTest("DetectEngineHttpRawUriTest22",
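Review bot: In the `@ -58,52 +60,42 @@` hunk, `const MpmCtx *mpm_ctx = (MpmCtx *)pectx;` in PrefilterTxRawUri casts the `const` off `pectx` only to put it straight back; it should read `const MpmCtx *mpm_ctx = (const MpmCtx *)pectx;`. The removed `DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrud_ctx_ts == NULL)` has no counterpart in the new callback, which dereferences `mpm_ctx->minlen` unconditionally; a `DEBUG_VALIDATE_BUG_ON(mpm_ctx == NULL);` before the `likely()` check would keep that invariant visible. `bstr_len()` yields a `size_t` that is narrowed into `const uint32_t uri_len` before it is compared with `minlen` and handed to Search; this mirrors the old code, but a length that drives a pattern scan deserves either an explicit bound or a comment on why the request-line limits make the narrowing safe. The engine is registered at `HTP_REQUEST_LINE`, whereas the caller removed from detect.c gated on `tx_progress > HTP_REQUEST_LINE`; if PrefilterAppendTxEngine runs engines at `>=` progress, the scan now runs one state earlier and relies solely on the `tx->request_uri != NULL` guard, which is worth confirming is intended. Tests 17–20, which asserted the match count returned by HttpRawUriPatternSearch, are deleted without a replacement, and since the callback discards Search's result with `(void)`, equivalent coverage would have to inspect `det_ctx->pmq` instead.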

@ -26,7 +26,7 @@
#include "app-layer-htp.h"
int DetectEngineRunHttpRawUriMpm(DetectEngineThreadCtx *det_ctx, void *txv);
int PrefilterTxRawUriRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx);
int DetectEngineInspectHttpRawUri(ThreadVars *tv,
DetectEngineCtx *de_ctx,

@ -50,6 +50,7 @@
#include "detect-engine-payload.h"
#include "detect-engine-uri.h"
#include "detect-engine-hrud.h"
#include "detect-engine-hmd.h"
#include "detect-engine-dns.h"
@ -86,7 +87,8 @@ typedef struct AppLayerMpms_ {
AppLayerMpms app_mpms[] = {
{ "http_uri", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_UMATCH,
SIG_GROUP_HEAD_MPM_URI, PrefilterTxUriRegister, 0 },
{ "http_raw_uri", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HRUDMATCH, SIG_GROUP_HEAD_MPM_HRUD, NULL, 1 },
{ "http_raw_uri", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HRUDMATCH,
SIG_GROUP_HEAD_MPM_HRUD, PrefilterTxRawUriRegister, 1 },
{ "http_header", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HHDMATCH, SIG_GROUP_HEAD_MPM_HHD, NULL, 2},
{ "http_header", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_HHDMATCH, SIG_GROUP_HEAD_MPM_HHD, NULL, 3},

@ -902,14 +902,6 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
if (p->flowflags & FLOW_PKT_TOSERVER) {
tx_progress = AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags);
if (tx_progress > HTP_REQUEST_LINE) {
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HRUD) {
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HRUD);
DetectEngineRunHttpRawUriMpm(det_ctx, tx);
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HRUD);
}
}
if (tx_progress >= HTP_REQUEST_HEADERS) {
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HHHD) {
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HHHD);
