From 7a46364e429eb15c3420de8f5e1ec5c4e19c65b1 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 8 Jul 2016 13:07:52 +0200
Subject: [PATCH] http_raw_uri: mpm prefilter engine
---
 src/detect-engine-hrud.c | 356 +++------------------------------------
 src/detect-engine-hrud.h | 2 +-
 src/detect-engine-mpm.c | 4 +-
 src/detect.c | 8 -
 4 files changed, 30 insertions(+), 340 deletions(-)
diff --git a/src/detect-engine-hrud.c b/src/detect-engine-hrud.c
index 7084ad5892..5139b21a86 100644
--- a/src/detect-engine-hrud.c
+++ b/src/detect-engine-hrud.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2010 Open Information Security Foundation
+/* Copyright (C) 2007-2016 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
@@ -25,6 +25,7 @@
 /** \file
 *
 * \author Anoop Saldanha
+ * \author Victor Julien
 *
 * \brief Handle HTTP raw uri match
 */
@@ -40,6 +41,7 @@
 #include "detect-parse.h"
 #include "detect-engine-state.h"
 #include "detect-engine-content-inspection.h"
+#include "detect-engine-prefilter.h"
 #include "flow-util.h"
 #include "util-debug.h"
@@ -58,52 +60,42 @@ #include "util-validate.h" -/** - * \brief Http raw uri match -- searches for one pattern per signature. - * - * \param det_ctx Detection engine thread ctx. - * \param uri Raw uri to inspect. - * \param uri_len Raw uri length. +/** \brief HTTP URI Raw Mpm prefilter callback * - * \retval ret Number of matches. + * \param det_ctx detection engine thread ctx + * \param p packet to inspect + * \param f flow to inspect + * \param txv tx to inspect + * \param pectx inspection context */ -static inline uint32_t HttpRawUriPatternSearch(DetectEngineThreadCtx *det_ctx, - const uint8_t *uri, const uint32_t uri_len) +static void PrefilterTxRawUri(DetectEngineThreadCtx *det_ctx, + const void *pectx, + Packet *p, Flow *f, void *txv, + const uint64_t idx, const uint8_t flags) { SCEnter(); - uint32_t ret = 0; + const MpmCtx *mpm_ctx = (MpmCtx *)pectx; + htp_tx_t *tx = (htp_tx_t *)txv; - DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrud_ctx_ts == NULL); + if (likely(tx->request_uri != NULL)) { + const uint32_t uri_len = bstr_len(tx->request_uri); + const uint8_t *uri = bstr_ptr(tx->request_uri); - if (uri_len >= det_ctx->sgh->mpm_hrud_ctx_ts->minlen) { - ret = mpm_table[det_ctx->sgh->mpm_hrud_ctx_ts->mpm_type]. - Search(det_ctx->sgh->mpm_hrud_ctx_ts, &det_ctx->mtcu, - &det_ctx->pmq, uri, uri_len); + if (uri_len >= mpm_ctx->minlen) { + (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx, + &det_ctx->mtcu, &det_ctx->pmq, uri, uri_len); + } } - - SCReturnUInt(ret); } -/** - * \brief Run the mpm against raw http uris. - * - * \retval cnt Number of matches reported by the mpm algo. 
- */
-int DetectEngineRunHttpRawUriMpm(DetectEngineThreadCtx *det_ctx, void *txv)
+int PrefilterTxRawUriRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx)
 {
 SCEnter();
- htp_tx_t *tx = (htp_tx_t *)txv;
- uint32_t cnt = 0;
- if (tx->request_uri == NULL)
- goto end;
-
- cnt = HttpRawUriPatternSearch(det_ctx,
- (const uint8_t *)bstr_ptr(tx->request_uri),
- bstr_len(tx->request_uri));
-end:
- SCReturnInt(cnt);
+ return PrefilterAppendTxEngine(sgh, PrefilterTxRawUri,
+ ALPROTO_HTTP, HTP_REQUEST_LINE,
+ mpm_ctx, NULL);
 }
 /**
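Review bot: The new doc block on PrefilterTxRawUri lists det_ctx, p, f, txv and pectx but omits the idx and flags parameters the signature also takes; add ` * \param idx tx index (unused here)` and ` * \param flags (unused here)` so the callback contract is complete. `const MpmCtx *mpm_ctx = (MpmCtx *)pectx;` casts the const away only to put it straight back; `const MpmCtx *mpm_ctx = (const MpmCtx *)pectx;` says what is meant and keeps -Wcast-qual quiet. The `uri_len` handed to Search is the uint32_t from bstr_len; if the Search callback's length parameter is narrower — not visible in this hunk — a very long request URI would be silently truncated before matching and patterns past the cut would never be prefiltered, so the width is worth confirming. The call removed from detect.c (last hunk on this page) was gated on `tx_progress > HTP_REQUEST_LINE`, while the registration here passes `HTP_REQUEST_LINE`; whether PrefilterAppendTxEngine treats that argument as "at or after" should be confirmed so the raw URI is not inspected before the request line is complete.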
@@ -2208,294 +2200,6 @@ end: return result; } -static int DetectEngineHttpRawUriTest17(void) -{ - TcpSession ssn; - Packet *p1 = NULL; - ThreadVars th_v; - DetectEngineCtx *de_ctx = NULL; - DetectEngineThreadCtx *det_ctx = NULL; - Flow f; - uint8_t http1_buf[] = "This_is_dummy_body1"; - uint32_t http1_len = sizeof(http1_buf) - 1; - int result = 0; - - memset(&th_v, 0, sizeof(th_v)); - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.flags |= FLOW_IPV4; - - p1->flow = &f; - p1->flowflags |= FLOW_PKT_TOSERVER; - p1->flowflags |= FLOW_PKT_ESTABLISHED; - p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST; - f.alproto = ALPROTO_HTTP; - - StreamTcpInitConfig(TRUE); - - de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto end; - - de_ctx->flags |= DE_QUIET; - - de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http raw uri test\"; " - "content:\"body1\"; http_raw_uri; " - "content:\"bambu\"; http_raw_uri; " - "sid:1;)"); - if (de_ctx->sig_list == NULL) - goto end; - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - /* start the search phase */ - det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1); - uint32_t r = HttpRawUriPatternSearch(det_ctx, http1_buf, http1_len); - if (r != 1) { - printf("expected 1 result, got %"PRIu32": ", r); - goto end; - } - - result = 1; - -end: - if (de_ctx != NULL) - SigGroupCleanup(de_ctx); - if (de_ctx != NULL) - SigCleanSignatures(de_ctx); - if (de_ctx != NULL) - DetectEngineCtxFree(de_ctx); - - StreamTcpFreeConfig(TRUE); - FLOW_DESTROY(&f); - UTHFreePackets(&p1, 1); - return result; -} - -static int DetectEngineHttpRawUriTest18(void) -{ - TcpSession ssn; - Packet *p1 = NULL; - ThreadVars th_v; - DetectEngineCtx *de_ctx = NULL; - DetectEngineThreadCtx *det_ctx = NULL; - Flow f; - uint8_t http1_buf[] = 
"This_is_dummy_body1"; - uint32_t http1_len = sizeof(http1_buf) - 1; - int result = 0; - - memset(&th_v, 0, sizeof(th_v)); - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.flags |= FLOW_IPV4; - - p1->flow = &f; - p1->flowflags |= FLOW_PKT_TOSERVER; - p1->flowflags |= FLOW_PKT_ESTABLISHED; - p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST; - f.alproto = ALPROTO_HTTP; - - StreamTcpInitConfig(TRUE); - - de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto end; - - de_ctx->flags |= DE_QUIET; - - de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http raw uri test\"; " - "content:\"body1\"; http_raw_uri; " - "content:\"bambu\"; http_raw_uri; fast_pattern; " - "sid:1;)"); - if (de_ctx->sig_list == NULL) - goto end; - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - /* start the search phase */ - det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1); - uint32_t r = HttpRawUriPatternSearch(det_ctx, http1_buf, http1_len); - if (r != 0) { - printf("expected 0 result, got %"PRIu32": ", r); - goto end; - } - - result = 1; - -end: - if (de_ctx != NULL) - SigGroupCleanup(de_ctx); - if (de_ctx != NULL) - SigCleanSignatures(de_ctx); - if (de_ctx != NULL) - DetectEngineCtxFree(de_ctx); - - StreamTcpFreeConfig(TRUE); - FLOW_DESTROY(&f); - UTHFreePackets(&p1, 1); - return result; -} - -static int DetectEngineHttpRawUriTest19(void) -{ - TcpSession ssn; - Packet *p1 = NULL; - ThreadVars th_v; - DetectEngineCtx *de_ctx = NULL; - DetectEngineThreadCtx *det_ctx = NULL; - Flow f; - uint8_t http1_buf[] = "This_is_dummy_body1"; - uint32_t http1_len = sizeof(http1_buf) - 1; - int result = 0; - - memset(&th_v, 0, sizeof(th_v)); - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); - - FLOW_INITIALIZE(&f); - f.protoctx 
= (void *)&ssn; - f.proto = IPPROTO_TCP; - f.flags |= FLOW_IPV4; - - p1->flow = &f; - p1->flowflags |= FLOW_PKT_TOSERVER; - p1->flowflags |= FLOW_PKT_ESTABLISHED; - p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST; - f.alproto = ALPROTO_HTTP; - - StreamTcpInitConfig(TRUE); - - de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto end; - - de_ctx->flags |= DE_QUIET; - - de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " - "(msg:\"http raw uri test\"; " - "content:\"bambu\"; http_raw_uri; " - "content:\"is\"; http_raw_uri; " - "sid:1;)"); - if (de_ctx->sig_list == NULL) - goto end; - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - /* start the search phase */ - det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1); - uint32_t r = HttpRawUriPatternSearch(det_ctx, http1_buf, http1_len); - if (r != 0) { - printf("expected 0 result, got %"PRIu32": ", r); - goto end; - } - - result = 1; - -end: - if (de_ctx != NULL) - SigGroupCleanup(de_ctx); - if (de_ctx != NULL) - SigCleanSignatures(de_ctx); - if (de_ctx != NULL) - DetectEngineCtxFree(de_ctx); - - StreamTcpFreeConfig(TRUE); - FLOW_DESTROY(&f); - UTHFreePackets(&p1, 1); - return result; -} - -static int DetectEngineHttpRawUriTest20(void) -{ - TcpSession ssn; - Packet *p1 = NULL; - ThreadVars th_v; - DetectEngineCtx *de_ctx = NULL; - DetectEngineThreadCtx *det_ctx = NULL; - Flow f; - uint8_t http1_buf[] = "This_is_dummy_body1"; - uint32_t http1_len = sizeof(http1_buf) - 1; - int result = 0; - - memset(&th_v, 0, sizeof(th_v)); - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.flags |= FLOW_IPV4; - - p1->flow = &f; - p1->flowflags |= FLOW_PKT_TOSERVER; - p1->flowflags |= FLOW_PKT_ESTABLISHED; - p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST; - f.alproto = ALPROTO_HTTP; - - StreamTcpInitConfig(TRUE); - - de_ctx = 
DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http raw uri test\"; "
- "content:\"bambu\"; http_raw_uri; "
- "content:\"is\"; http_raw_uri; fast_pattern; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- /* start the search phase */
- det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p1);
- uint32_t r = HttpRawUriPatternSearch(det_ctx, http1_buf, http1_len);
- if (r < 1) {
- printf("expected result >= 1, got %"PRIu32": ", r);
- goto end;
- }
-
- result = 1;
-
-end:
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p1, 1);
- return result;
-}
-
 static int DetectEngineHttpRawUriTest21(void)
 {
 TcpSession ssn;
@@ -3762,14 +3466,6 @@ void DetectEngineHttpRawUriRegisterTests(void)
 DetectEngineHttpRawUriTest15);
 UtRegisterTest("DetectEngineHttpRawUriTest16",
 DetectEngineHttpRawUriTest16);
- UtRegisterTest("DetectEngineHttpRawUriTest17",
- DetectEngineHttpRawUriTest17);
- UtRegisterTest("DetectEngineHttpRawUriTest18",
- DetectEngineHttpRawUriTest18);
- UtRegisterTest("DetectEngineHttpRawUriTest19",
- DetectEngineHttpRawUriTest19);
- UtRegisterTest("DetectEngineHttpRawUriTest20",
- DetectEngineHttpRawUriTest20);
 UtRegisterTest("DetectEngineHttpRawUriTest21",
 DetectEngineHttpRawUriTest21);
 UtRegisterTest("DetectEngineHttpRawUriTest22",
diff --git a/src/detect-engine-hrud.h b/src/detect-engine-hrud.h
index e6f72d2461..9418b077ca 100644
--- a/src/detect-engine-hrud.h
+++ b/src/detect-engine-hrud.h
@@ -26,7 +26,7 @@
 #include "app-layer-htp.h"
-int DetectEngineRunHttpRawUriMpm(DetectEngineThreadCtx *det_ctx, void *txv);
+int PrefilterTxRawUriRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx);
 int DetectEngineInspectHttpRawUri(ThreadVars *tv, DetectEngineCtx *de_ctx,
diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c
index 6ad75e8624..9402e2099e 100644
--- a/src/detect-engine-mpm.c
+++ b/src/detect-engine-mpm.c
@@ -50,6 +50,7 @@
 #include "detect-engine-payload.h"
 #include "detect-engine-uri.h"
+#include "detect-engine-hrud.h"
 #include "detect-engine-hmd.h"
 #include "detect-engine-dns.h"
@@ -86,7 +87,8 @@ typedef struct AppLayerMpms_ {
 AppLayerMpms app_mpms[] = {
 { "http_uri", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_UMATCH, SIG_GROUP_HEAD_MPM_URI, PrefilterTxUriRegister, 0 },
-{ "http_raw_uri", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HRUDMATCH, SIG_GROUP_HEAD_MPM_HRUD, NULL, 1 },
+{ "http_raw_uri", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HRUDMATCH,
+ SIG_GROUP_HEAD_MPM_HRUD, PrefilterTxRawUriRegister, 1 },
 { "http_header", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HHDMATCH, SIG_GROUP_HEAD_MPM_HHD, NULL, 2},
 { "http_header", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_HHDMATCH, SIG_GROUP_HEAD_MPM_HHD, NULL, 3},
diff --git a/src/detect.c b/src/detect.c
index 57a023791f..0788c6fe55 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -902,14 +902,6 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
 if (p->flowflags & FLOW_PKT_TOSERVER) {
 tx_progress = AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags);
- if (tx_progress > HTP_REQUEST_LINE) {
- if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HRUD) {
- PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HRUD);
- DetectEngineRunHttpRawUriMpm(det_ctx, tx);
- PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HRUD);
- }
- }
-
 if (tx_progress >= HTP_REQUEST_HEADERS) {
 if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HHHD) {
 PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HHHD);