diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c index 81d474a6c5..bcd53cf6a1 100644 --- a/src/app-layer-htp.c +++ b/src/app-layer-htp.c @@ -303,14 +303,17 @@ static int HTPHandleResponseData(Flow *f, void *htp_state, void HtpBodyAppendChunk(HtpBody *body, uint8_t *data, uint32_t len) { SCEnter(); - BodyChunk *bd = NULL; + + HtpBodyChunk *bd = NULL; + if (body->nchunks == 0) { /* New chunk */ - bd = (BodyChunk *)SCMalloc(sizeof(BodyChunk)); + bd = (HtpBodyChunk *)SCMalloc(sizeof(HtpBodyChunk)); if (bd == NULL) { SCLogError(SC_ERR_MEM_ALLOC, "Fatal error, error allocationg memory"); exit(EXIT_FAILURE); } + bd->len = len; bd->data = data; body->first = body->last = bd; @@ -326,7 +329,12 @@ void HtpBodyAppendChunk(HtpBody *body, uint8_t *data, uint32_t len) body->last->len = len; bd = body->last; } else { - bd = (BodyChunk *)SCMalloc(sizeof(BodyChunk)); + bd = (HtpBodyChunk *)SCMalloc(sizeof(HtpBodyChunk)); + if (bd == NULL) { + SCLogError(SC_ERR_MEM_ALLOC, "Fatal error, error allocationg memory"); + exit(EXIT_FAILURE); + } + bd->len = len; bd->data = data; body->last->next = bd; @@ -353,7 +361,7 @@ void HtpBodyPrint(HtpBody *body) if (body->nchunks == 0) return; - BodyChunk *cur = NULL; + HtpBodyChunk *cur = NULL; SCLogDebug("--- Start body chunks at %p ---", body); for (cur = body->first; cur != NULL; cur = cur->next) { SCLogDebug("Body %p; Chunk id: %"PRIu32", data %p, len %"PRIu32"\n", @@ -372,6 +380,7 @@ void HtpBodyPrint(HtpBody *body) void HtpBodyFree(HtpBody *body) { SCEnter(); + if (body->nchunks == 0) return; @@ -380,8 +389,9 @@ void HtpBodyFree(HtpBody *body) (uint32_t)body->last->len); body->nchunks = 0; - BodyChunk *cur = NULL; - BodyChunk *prev = NULL; + HtpBodyChunk *cur = NULL; + HtpBodyChunk *prev = NULL; + prev = body->first; while (prev != NULL) { cur = prev->next; diff --git a/src/app-layer-htp.h b/src/app-layer-htp.h index 525e883d0f..a6b707708b 100644 --- a/src/app-layer-htp.h +++ b/src/app-layer-htp.h 
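Review bot: The allocation check added in the else branch of HtpBodyAppendChunk (second hunk) calls `exit(EXIT_FAILURE)` when SCMalloc fails, as the existing check in the first hunk does, so an out-of-memory condition while buffering an HTTP body stops the whole sensor. The number of chunks follows body data received from the network, so this path can be reached under traffic-driven memory pressure. Logging and returning without appending the chunk (`SCLogError(...); SCReturn;`) would keep the engine running at the cost of an incomplete body. The message also misspells "allocating" as `allocationg` in both places. The function body continues outside both hunks.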
@@ -48,17 +48,17 @@ enum { matched on some rule */ /** Struct used to hold chunks of a body on a request */ -typedef struct BodyChunk_ { +typedef struct HtpBodyChunk_ { uint8_t *data; /**< Pointer to the data of the chunk */ uint32_t len; /**< Length of the chunk */ - struct BodyChunk_ *next; /**< Pointer to the next chunk */ + struct HtpBodyChunk_ *next; /**< Pointer to the next chunk */ uint32_t id; /**< number of chunk of the current body */ -} BodyChunk; +} HtpBodyChunk; /** Struct used to hold all the chunks of a body on a request */ -typedef struct Body_ { - BodyChunk *first; /**< Pointer to the first chunk */ - BodyChunk *last; /**< Pointer to the last chunk */ +typedef struct HtpBody_ { + HtpBodyChunk *first; /**< Pointer to the first chunk */ + HtpBodyChunk *last; /**< Pointer to the last chunk */ uint32_t nchunks; /**< Number of chunks in the current operation */ uint8_t operation; /**< This flag indicate if it's a request or a response */ @@ -68,13 +68,12 @@ typedef struct Body_ { typedef struct HtpState_ { - htp_connp_t *connp; /**< Connection parser structure for - each connection */ + htp_connp_t *connp; /**< Connection parser structure for + each connection */ + HtpBody body; /**< Body of the request (if any) */ + size_t new_in_tx_index; /**< Index to indicate that after this we have + new requests to log */ uint8_t flags; - HtpBody body; /**< Body of the request (if any) */ - uint8_t new_in_tx_index; /**< Index to indicate that after this we have - new requests to log */ - } HtpState; htp_cfg_t *cfg; /**< Config structure for HTP library */ diff --git a/src/detect-depth.c b/src/detect-depth.c index 75e93069b5..c6d44d3220 100644 --- a/src/detect-depth.c +++ b/src/detect-depth.c 
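Review bot: `new_in_tx_index` is widened to `size_t` in the HtpState hunk, but any remaining loop that walks the transaction list from this field with a `uint8_t` counter would wrap at 256 and never reach the list size on a connection with more transactions. This commit converts the loops in detect-http-method.c, detect-urilen.c and log-httplog.c; other readers of the field are not visible in the diff and should be checked for the same counter type. A comment on the field such as `/* wide enough to index every transaction on the connection */` would record why the width matters.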
@@ -1,11 +1,15 @@ /* DEPTH part of the detection engine. */ #include "suricata-common.h" + #include "decode.h" + #include "detect.h" -#include "flow-var.h" #include "detect-content.h" -#include "detect-pcre.h" +#include "detect-uricontent.h" + +#include "flow-var.h" + #include "util-debug.h" static int DetectDepthSetup (DetectEngineCtx *, Signature *, char *); diff --git a/src/detect-distance.c b/src/detect-distance.c index 1ef19a961f..bbc6a6168c 100644 --- a/src/detect-distance.c +++ b/src/detect-distance.c @@ -1,12 +1,15 @@ /* DISTANCE part of the detection engine. */ #include "suricata-common.h" + #include "decode.h" + #include "detect.h" -#include "flow-var.h" #include "detect-content.h" #include "detect-uricontent.h" -#include "detect-pcre.h" + +#include "flow-var.h" + #include "util-debug.h" static int DetectDistanceSetup(DetectEngineCtx *, Signature *, char *); diff --git a/src/detect-engine-payload.c b/src/detect-engine-payload.c index f3db7535c9..9ca1754a69 100644 --- a/src/detect-engine-payload.c +++ b/src/detect-engine-payload.c @@ -1,18 +1,20 @@ +/* Copyright (c) 2010 Victor Julien */ + +/** \file + * \author Victor Julien + */ + #include "suricata-common.h" #include "suricata.h" #include "decode.h" #include "detect.h" - #include "detect-content.h" -#include "detect-uricontent.h" #include "detect-pcre.h" #include "detect-isdataat.h" #include "detect-bytetest.h" #include "detect-bytejump.h" -#include "detect-http-method.h" -#include "detect-http-cookie.h" #include "util-spm.h" #include "util-debug.h" 
@@ -22,14 +24,23 @@ #include "util-unittest-helper.h" /** \brief Run the actual payload match functions + * + * The follwing keywords are inspected: + * - content + * - isdaatat + * - pcre + * - bytejump + * - bytetest + * + * All keywords are evaluated against the payload with payload_len. + * + * For accounting the last match in relative matching the + * det_ctx->payload_offset int is used. * * \param de_ctx Detection engine context * \param det_ctx Detection engine thread context * \param s Signature to inspect * \param sm SigMatch to inspect - * \param f Flow - * \param flags app layer flags - * \param state App layer state * \param p Packet * \param payload ptr to the payload to inspect * \param payload_len length of the payload @@ -38,9 +49,8 @@ * \retval 1 match */ static inline int DoInspectPacketPayload(DetectEngineCtx *de_ctx, - DetectEngineThreadCtx *det_ctx, Signature *s, SigMatch *sm, Flow *f, - uint8_t flags, void *alstate, Packet *p, uint8_t *payload, - uint32_t payload_len) + DetectEngineThreadCtx *det_ctx, Signature *s, SigMatch *sm, + Packet *p, uint8_t *payload, uint32_t payload_len) { SCEnter(); @@ -78,9 +88,10 @@ static inline int DoInspectPacketPayload(DetectEngineCtx *de_ctx, depth = payload_len; if (cd->flags & DETECT_CONTENT_DISTANCE) { - /** \todo distance can be negative */ - - offset += cd->distance; + if (cd->distance < 0 && (uint32_t)(abs(cd->distance)) > offset) + offset = 0; + else + offset += cd->distance; SCLogDebug("cd->distance %"PRIi32", offset %"PRIu32", depth %"PRIu32, cd->distance, offset, depth); 
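Review bot: In the new negative-distance branch (third hunk), `abs(cd->distance)` is undefined when `cd->distance` is INT32_MIN, and the remaining path `offset += cd->distance` can still wrap the unsigned `offset` for a large positive distance. Comparing in a wider type avoids the first problem: `if (cd->distance < 0 && -(int64_t)cd->distance > (int64_t)offset)`. If the rule parser does not already bound `distance`, it should reject values the matcher cannot represent. The enclosing function starts and ends outside the hunk, so whether `offset` is later checked against `payload_len` is not visible here.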
@@ -179,8 +190,8 @@ static inline int DoInspectPacketPayload(DetectEngineCtx *de_ctx, /* see if the next payload keywords match. If not, we will * search for another occurence of this content and see - * if the others match then */ - int r = DoInspectPacketPayload(de_ctx,det_ctx,s,sm->next, f, flags, alstate, p, payload, payload_len); + * if the others match then until we run out of matches */ + int r = DoInspectPacketPayload(de_ctx,det_ctx,s,sm->next, p, payload, payload_len); if (r == 1) { SCReturnInt(1); } @@ -219,8 +230,7 @@ static inline int DoInspectPacketPayload(DetectEngineCtx *de_ctx, { SCLogDebug("inspecting pcre"); - /** \todo consider ptrs */ - int r = DetectPcreDoMatch(det_ctx, p, s, sm); + int r = DetectPcrePayloadMatch(det_ctx, p, s, sm); if (r == 1) { goto match; } @@ -243,6 +253,7 @@ static inline int DoInspectPacketPayload(DetectEngineCtx *de_ctx, goto match; } + /* we should never get here, but bail out just in case */ default: { BUG_ON(1); @@ -250,16 +261,19 @@ static inline int DoInspectPacketPayload(DetectEngineCtx *de_ctx, } SCReturnInt(0); + match: + /* this sigmatch matched, inspect the next one. If it was the last, + * the payload portion of the signature matched. */ if (sm->next != NULL) { - int r = DoInspectPacketPayload(de_ctx,det_ctx,s,sm->next, f, flags, alstate, p, payload, payload_len); + int r = DoInspectPacketPayload(de_ctx,det_ctx,s,sm->next, p, payload, payload_len); SCReturnInt(r); } else { SCReturnInt(1); } } -/** \brief Do the content inspection for a signature +/** \brief Do the content inspection & validation for a signature * * \param de_ctx Detection engine context * \param det_ctx Detection engine thread context 
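Review bot: The retry that the updated comment describes ("until we run out of matches") has no visible bound. Each further occurrence of this content leads to another recursive `DoInspectPacketPayload` call over the remaining sigmatches, so a payload that repeats the first pattern many times multiplies the inspection cost of a single packet. A per-inspection retry or recursion counter kept in the thread context and checked before the recursive call would cap that work. The surrounding search loop lies outside the hunk, so an existing limit cannot be ruled out from here.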
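Review bot: `DetectPcrePayloadMatch(det_ctx, p, s, sm)` in the pcre case is handed the packet, not the `payload` and `payload_len` this function was called with, and the commit deletes the `\todo consider ptrs` that tracked that gap. The new function header states that all keywords are evaluated against `payload` with `payload_len`; for pcre that holds only while every caller passes `p->payload`, and detect-pcre.c also derives `det_ctx->payload_offset` relative to `p->payload`. Either pass the buffer and length through, or keep a comment at the call such as `/* pcre inspects p->payload directly, not the payload argument */`.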
@@ -286,7 +300,7 @@ int DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx, det_ctx->payload_offset = 0; - r = DoInspectPacketPayload(de_ctx, det_ctx, s, s->pmatch, f, flags, alstate, p, p->payload, p->payload_len); + r = DoInspectPacketPayload(de_ctx, det_ctx, s, s->pmatch, p, p->payload, p->payload_len); if (r == 1) { SCReturnInt(1); } @@ -339,12 +353,34 @@ end: return result; } +/** \test Negative distance matching */ +static int PayloadTestSig03 (void) { + uint8_t *buf = (uint8_t *) + "abcaBcd"; + uint16_t buflen = strlen((char *)buf); + Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP); + int result = 0; + + char sig[] = "alert tcp any any -> any any (content:\"aBc\"; nocase; content:\"abca\"; distance:-10; within:1; sid:1;)"; + if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 0) { + result = 0; + goto end; + } + + result = 1; +end: + if (p != NULL) + UTHFreePacket(p); + return result; +} + #endif /* UNITTESTS */ void PayloadRegisterTests(void) { #ifdef UNITTESTS UtRegisterTest("PayloadTestSig01", PayloadTestSig01, 1); UtRegisterTest("PayloadTestSig02", PayloadTestSig02, 1); + UtRegisterTest("PayloadTestSig03", PayloadTestSig03, 1); #endif /* UNITTESTS */ } diff --git a/src/detect-http-cookie.c b/src/detect-http-cookie.c index 8dd417653b..7b8821ad6d 100644 --- a/src/detect-http-cookie.c +++ b/src/detect-http-cookie.c 
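Review bot: PayloadTestSig03 covers only the clamped case, where `distance:-10` reaches back past the start of the 7-byte buffer. A negative distance that stays inside the buffer takes the other branch of the new code and is untested, as is a negative-distance rule that must not match. Adding both cases would pin down the relative-offset arithmetic, so a later change cannot silently shift where the second content is searched.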
@@ -52,8 +52,24 @@ void DetectHttpCookieRegister (void) { sigmatch_table[DETECT_AL_HTTP_COOKIE].flags |= SIGMATCH_PAYLOAD; } -int DetectHttpCookieDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s, - SigMatch *sm, Flow *f, uint8_t flags, void *state) +/** + * \brief match the specified content in the signature with the received http + * cookie header in the http request. + * + * \param t pointer to thread vars + * \param det_ctx pointer to the pattern matcher thread + * \param f pointer to the current flow + * \param flags flags to indicate the direction of the received packet + * \param state pointer the app layer state, which will cast into HtpState + * \param s pointer to the current signature + * \param sm pointer to the sigmatch + * + * \retval 0 no match + * \retval 1 match + */ +int DetectHttpCookieMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, + Flow *f, uint8_t flags, void *state, Signature *s, + SigMatch *sm) { SCEnter(); @@ -117,29 +133,6 @@ end: SCReturnInt(ret); } -/** - * \brief match the specified content in the signature with the received http - * cookie header in the http request. - * - * \param t pointer to thread vars - * \param det_ctx pointer to the pattern matcher thread - * \param f pointer to the current flow - * \param flags flags to indicate the direction of the received packet - * \param state pointer the app layer state, which will cast into HtpState - * \param s pointer to the current signature - * \param m pointer to the sigmatch that we will cast into DetectContentData - * - * \retval 0 no match - * \retval 1 match - */ -int DetectHttpCookieMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, - Flow *f, uint8_t flags, void *state, Signature *s, - SigMatch *m) -{ - int r = DetectHttpCookieDoMatch(det_ctx, s, m, f, flags, state); - SCReturnInt(r); -} - /** * \brief this function setups the http_cookie modifier keyword used in the rule * 
diff --git a/src/detect-http-method.c b/src/detect-http-method.c index b65865662f..af88dd7976 100644 --- a/src/detect-http-method.c +++ b/src/detect-http-method.c @@ -53,9 +53,25 @@ void DetectHttpMethodRegister(void) { SCLogDebug("registering http_method rule option"); } -int DetectHttpMethodDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s, SigMatch *sm, Flow *f, uint8_t flags, void *state) { +/** + * \brief match the specified version on a tls session + * + * \param t pointer to thread vars + * \param det_ctx pointer to the pattern matcher thread + * \param f pointer to the current flow + * \param flags flags to indicate the direction of the received packet + * \param state pointer the app layer state, which will cast into HtpState + * \param sm pointer to the sigmatch + * + * \retval 0 no match + * \retval 1 match + */ +int DetectHttpMethodMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, + Flow *f, uint8_t flags, void *state, + Signature *s, SigMatch *sm) +{ SCEnter(); - uint8_t i; + size_t idx; DetectHttpMethodData *data = (DetectHttpMethodData *)sm->ctx; HtpState *hs = (HtpState *)state; htp_tx_t *tx = NULL; @@ -67,16 +83,15 @@ int DetectHttpMethodDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s, SigMat } SCMutexLock(&f->m); - for (i = hs->new_in_tx_index; i < list_size(hs->connp->conn->transactions); i++) + for ( idx = hs->new_in_tx_index; + idx < list_size(hs->connp->conn->transactions); idx++) { - tx = list_get(hs->connp->conn->transactions, i); + tx = list_get(hs->connp->conn->transactions, idx); if (tx == NULL) continue; - /* Compare the numeric methods if they are known, otherwise compare - * the raw values. - */ + * the raw values. */ if (data->method != M_UNKNOWN) { if (data->method == tx->request_method_number) { SCLogDebug("Matched numeric HTTP method values."); 
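Review bot: The doc comment now placed above DetectHttpMethodMatch still reads `match the specified version on a tls session`, which describes a different keyword, and it has no `\param s` entry although the function takes a Signature. Suggested wording: `\brief match the http_method keyword against the request method of each new transaction`, plus `\param s pointer to the current signature`.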
@@ -85,7 +100,6 @@ int DetectHttpMethodDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s, SigMat } else if (tx->request_method != NULL) { const uint8_t *meth_str = (const uint8_t *) bstr_ptr(tx->request_method); - if ((meth_str != NULL) && SpmSearch((uint8_t*) meth_str, bstr_size(tx->request_method), data->content, data->content_len) != NULL) @@ -101,27 +115,6 @@ int DetectHttpMethodDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s, SigMat SCReturnInt(ret); } -/** - * \brief match the specified version on a tls session - * - * \param t pointer to thread vars - * \param det_ctx pointer to the pattern matcher thread - * \param f pointer to the current flow - * \param flags flags to indicate the direction of the received packet - * \param state pointer the app layer state, which will cast into HtpState - * \param m pointer to the sigmatch cast into DetectHttpMethodData - * - * \retval 0 no match - * \retval 1 match - */ -int DetectHttpMethodMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, - Flow *f, uint8_t flags, void *state, - Signature *s, SigMatch *sm) -{ - int r = DetectHttpMethodDoMatch(det_ctx, s, sm, f, flags, state); - SCReturnInt(r); -} - /** * \brief this function is used to add the parsed "http_method" option * \brief into the current signature diff --git a/src/detect-offset.c b/src/detect-offset.c index b7490549d0..d8ecc77c90 100644 --- a/src/detect-offset.c +++ b/src/detect-offset.c @@ -3,11 +3,12 @@ #include "suricata-common.h" #include "decode.h" -#include "detect.h" -#include "flow-var.h" +#include "detect.h" #include "detect-content.h" -#include "detect-pcre.h" +#include "detect-uricontent.h" + +#include "flow-var.h" #include "util-debug.h" diff --git a/src/detect-pcre.c b/src/detect-pcre.c index 02cb880681..26d484fa49 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c 
@@ -167,7 +167,7 @@ int DetectPcreALDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s, SigMatch * int wspace[255]; int flags = PCRE_PARTIAL; - BodyChunk *cur = htp_state->body.first; + HtpBodyChunk *cur = htp_state->body.first; if (cur == NULL) { SCLogDebug("No body chunks to inspect"); goto unlock; @@ -239,7 +239,18 @@ int DetectPcreALMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, SCReturnInt(r); } -int DetectPcreDoMatch(DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, SigMatch *sm) { +/** + * \brief match a regex on a single payload' + * + * \param det_ctx thread detection ctx + * \param p packet + * \param s signature + * \param sm sig match to match against + * + * \retval 1: match + * \retval 0: no match + */ +int DetectPcrePayloadMatch(DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, SigMatch *sm) { SCEnter(); #define MAX_SUBSTRINGS 30 int ret = 0; 
@@ -269,24 +280,28 @@ int DetectPcreDoMatch(DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, S len = p->payload_len; } - //printf("DetectPcre: ptr %p, len %" PRIu32 "\n", ptr, len); - + /* run the actual pcre detection */ ret = pcre_exec(pe->re, pe->sd, (char *)ptr, len, 0, 0, ov, MAX_SUBSTRINGS); SCLogDebug("ret %d (negating %s)", ret, pe->negate ? "set" : "not set"); if (ret == PCRE_ERROR_NOMATCH) { if (pe->negate == 1) { - /* regex didn't match with negate option means we consider it a match */ + /* regex didn't match with negate option means we + * consider it a match */ ret = 1; } else { ret = 0; } } else if (ret >= 0) { if (pe->negate == 1) { - /* regex matched but we're negated, so not considering it a match */ + /* regex matched but we're negated, so not + * considering it a match */ ret = 0; } else { - /* regex matched and we're not negated, considering it a match */ + /* regex matched and we're not negated, + * considering it a match */ + + /* see if we need to do substring capturing. */ if (ret > 1 && pe->capidx != 0) { const char *str_ptr; ret = pcre_get_substring((char *)ptr, ov, MAX_SUBSTRINGS, 1, &str_ptr); @@ -298,6 +313,7 @@ int DetectPcreDoMatch(DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, S } } } + /* update offset for pcre RELATIVE */ det_ctx->payload_offset = (ptr+ov[1]) - p->payload; 
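Review bot: In the capture path that the new comment `see if we need to do substring capturing` introduces, `ret` is overwritten with the result of `pcre_get_substring()`, which is a negative error code on failure rather than zero. The test of that value sits between this hunk and the next and is not visible. If it is a plain truthiness check, a failed capture would hand a negative length to whatever stores the captured string, so it should read `if (ret > 0)`. A separate local for the substring length would also keep the match result and the capture length from sharing one variable.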
@@ -316,15 +332,20 @@ int DetectPcreDoMatch(DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, S * DetectPcreALMatch is used if we parse the option 'P' * * \param t pointer to the threadvars structure - * \param t pointer to the threadvars structure + * \param det_ctx thread detection ctx + * \param p packet + * \param s signature + * \param sm sig match to match against * - * \retval 1: match ; 0 No Match; -1: error + * \retval 1: match + * \retval 0: no match */ int DetectPcreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, SigMatch *sm) { SCEnter(); - SCReturnInt(DetectPcreDoMatch(det_ctx,p,s,sm)); + int r = DetectPcrePayloadMatch(det_ctx, p, s, sm); + SCReturnInt(r); } DetectPcreData *DetectPcreParse (char *regexstr) diff --git a/src/detect-pcre.h b/src/detect-pcre.h index ea5d97261b..e6e1a21cd6 100644 --- a/src/detect-pcre.h +++ b/src/detect-pcre.h @@ -1,21 +1,15 @@ #ifndef __DETECT_PCRE_H__ #define __DETECT_PCRE_H__ -#define DETECT_PCRE_DISTANCE 0x0001 -#define DETECT_PCRE_WITHIN 0x0002 -#define DETECT_PCRE_RELATIVE 0x0004 +#define DETECT_PCRE_RELATIVE 0x01 +#define DETECT_PCRE_RAWBYTES 0x02 +#define DETECT_PCRE_URI 0x04 -#define DETECT_PCRE_DISTANCE_NEXT 0x0008 -#define DETECT_PCRE_WITHIN_NEXT 0x0010 +#define DETECT_PCRE_CAPTURE_PKT 0x08 +#define DETECT_PCRE_CAPTURE_FLOW 0x10 +#define DETECT_PCRE_MATCH_LIMIT 0x20 -#define DETECT_PCRE_RAWBYTES 0x0020 -#define DETECT_PCRE_URI 0x0040 - -#define DETECT_PCRE_CAPTURE_PKT 0x0080 -#define DETECT_PCRE_CAPTURE_FLOW 0x0100 -#define DETECT_PCRE_MATCH_LIMIT 0x0200 - -#define DETECT_PCRE_HTTP_BODY_AL 0x0400 +#define DETECT_PCRE_HTTP_BODY_AL 0x40 typedef struct DetectPcreData_ { /* pcre options */ @@ -23,13 +17,7 @@ typedef struct DetectPcreData_ { pcre_extra *sd; int opts; - /* match position vars */ - uint16_t depth; - uint16_t offset; - int32_t within; - int32_t distance; - - uint16_t flags; + uint8_t flags; uint8_t negate; char *capname; 
@@ -37,8 +25,7 @@ typedef struct DetectPcreData_ { } DetectPcreData; /* prototypes */ -int DetectPcreDoMatch(DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *); -int DetectPcreALDoMatch(DetectEngineThreadCtx *, Signature *, SigMatch *, Flow *, uint8_t, void *); +int DetectPcrePayloadMatch(DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *); void DetectPcreRegister (void); #endif /* __DETECT_PCRE_H__ */ diff --git a/src/detect-urilen.c b/src/detect-urilen.c index ee4ab30c25..29406ee61d 100644 --- a/src/detect-urilen.c +++ b/src/detect-urilen.c @@ -89,7 +89,7 @@ int DetectUrilenMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, { SCEnter(); int ret = 0; - uint8_t i; + size_t idx = 0; DetectUrilenData *urilend = (DetectUrilenData *) m->ctx; HtpState *htp_state = (HtpState *)state; @@ -101,10 +101,10 @@ int DetectUrilenMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, SCMutexLock(&f->m); htp_tx_t *tx = NULL; - for (i = htp_state->new_in_tx_index; - i < list_size(htp_state->connp->conn->transactions); i++) + for (idx = htp_state->new_in_tx_index; + idx < list_size(htp_state->connp->conn->transactions); idx++) { - tx = list_get(htp_state->connp->conn->transactions, i); + tx = list_get(htp_state->connp->conn->transactions, idx); if (tx == NULL || tx->request_uri_normalized == NULL) goto end; diff --git a/src/detect-within.c b/src/detect-within.c index 7cb99897e1..6d4b7aeb2b 100644 --- a/src/detect-within.c +++ b/src/detect-within.c @@ -5,12 +5,15 @@ */ #include "suricata-common.h" + #include "decode.h" + #include "detect.h" -#include "flow-var.h" #include "detect-content.h" #include "detect-uricontent.h" -#include "detect-pcre.h" + +#include "flow-var.h" + #include "util-debug.h" static int DetectWithinSetup (DetectEngineCtx *, Signature *, char *); diff --git a/src/log-httplog.c b/src/log-httplog.c index 37369ba46a..b0f032fa9d 100644 --- a/src/log-httplog.c +++ b/src/log-httplog.c 
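Review bot: The prototype for DetectPcreALDoMatch is dropped from detect-pcre.h, but detect-pcre.c still defines it with external linkage; it appears as `int DetectPcreALDoMatch(` in that file's hunk context. If no other file calls it, mark the definition `static` so the symbol stays private and the compiler can report it if it becomes unused.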
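Review bot: Inside the converted loop in DetectUrilenMatch, `if (tx == NULL || tx->request_uri_normalized == NULL) goto end;` stops at the first transaction that has no normalized URI, whereas the loops in detect-http-method.c and log-httplog.c `continue` past a NULL `tx`. Later transactions on the same connection are then never checked against the urilen rule. Unless that is intended, use `continue` here so one incomplete transaction does not end inspection of the rest. The `end` label and the remainder of the loop body are outside the hunk.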
@@ -89,7 +89,7 @@ TmEcode LogHttpLogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq) SCEnter(); LogHttpLogThread *aft = (LogHttpLogThread *)data; char timebuf[64]; - uint8_t i = 0; + size_t idx = 0; /* no flow, no htp state */ if (p->flow == NULL) { @@ -135,10 +135,10 @@ TmEcode LogHttpLogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq) } SCMutexLock(&aft->file_ctx->fp_mutex); - for (i = htp_state->new_in_tx_index; - i < list_size(htp_state->connp->conn->transactions); i++) + for (idx = htp_state->new_in_tx_index; + idx < list_size(htp_state->connp->conn->transactions); idx++) { - tx = list_get(htp_state->connp->conn->transactions, i); + tx = list_get(htp_state->connp->conn->transactions, idx); if (tx == NULL) { SCLogDebug("tx is NULL not logging !!"); continue; @@ -181,12 +181,12 @@ TmEcode LogHttpLogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq) /* ip/tcp header info */ fprintf(aft->file_ctx->fp, " [**] %s:%" PRIu32 " -> %s:%" PRIu32 "\n", srcip, sp, dstip, dp); + + aft->uri_cnt ++; } fflush(aft->file_ctx->fp); SCMutexUnlock(&aft->file_ctx->fp_mutex); - aft->uri_cnt += list_size(htp_state->connp->conn->transactions) - - htp_state->new_in_tx_index; htp_state->flags &= ~HTP_FLAG_NEW_REQUEST; end: SCMutexUnlock(&p->flow->m); @@ -198,7 +198,7 @@ TmEcode LogHttpLogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq) SCEnter(); LogHttpLogThread *aft = (LogHttpLogThread *)data; char timebuf[64]; - uint8_t i = 0; + size_t idx = 0; /* no flow, no htp state */ if (p->flow == NULL) { 
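Review bot: The per-transaction counter is written `aft->uri_cnt ++;` in LogHttpLogIPv4 and `aft->uri_cnt++;` in LogHttpLogIPv6 (last hunk of the file); use the unspaced form in both. The two functions are near-copies that needed identical edits in this commit, so a shared helper that takes the address family would keep them from drifting apart. A short comment at the increment, for example `/* count only transactions actually written to the log */`, would record the change in meaning, since NULL `tx` entries are skipped before reaching it.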
@@ -244,10 +244,10 @@ TmEcode LogHttpLogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq) dp = p->sp; } SCMutexLock(&aft->file_ctx->fp_mutex); - for (i = htp_state->new_in_tx_index; - i < list_size(htp_state->connp->conn->transactions); i++) + for (idx = htp_state->new_in_tx_index; + idx < list_size(htp_state->connp->conn->transactions); idx++) { - tx = list_get(htp_state->connp->conn->transactions, i); + tx = list_get(htp_state->connp->conn->transactions, idx); if (tx == NULL) { SCLogDebug("tx is NULL not logging !!"); continue; @@ -290,12 +290,12 @@ TmEcode LogHttpLogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq) /* ip/tcp header info */ fprintf(aft->file_ctx->fp, " [**] %s:%" PRIu32 " -> %s:%" PRIu32 "\n", srcip, sp, dstip, dp); + + aft->uri_cnt++; } fflush(aft->file_ctx->fp); SCMutexUnlock(&aft->file_ctx->fp_mutex); - aft->uri_cnt += list_size(htp_state->connp->conn->transactions) - - htp_state->new_in_tx_index; htp_state->flags &= ~HTP_FLAG_NEW_REQUEST; end: SCMutexUnlock(&p->flow->m);