support for http_client_body keyword

src/Makefile.am

@@ -113,6 +113,7 @@ detect-dce-opnum.c detect-dce-opnum.h \
 detect-dce-stub-data.c detect-dce-stub-data.h \
 detect-urilen.c detect-urilen.h \
 detect-detection-filter.c detect-detection-filter.h \
+detect-http-client-body.c detect-http-client-body.h \
 util-print.c util-print.h \
 util-fmemopen.c util-fmemopen.h \
 util-cpu.c util-cpu.h \

src/app-layer-htp.c

@@ -38,7 +38,8 @@ static SCMutex htp_state_mem_lock = PTHREAD_MUTEX_INITIALIZER;
 static uint64_t htp_state_memuse = 0;
 static uint64_t htp_state_memcnt = 0;
 #endif
-extern uint8_t pcre_need_htp_request_body;
+
+static uint8_t need_htp_request_body = 0;
 
 /** \brief Function to allocates the HTTP state memory and also creates the HTTP
  *         connection parser to be used by the HTP library
@@ -118,6 +119,18 @@ void HTPStateFree(void *state)
     SCReturn;
 }
 
+/**
+ * \brief Sets a flag that informs the HTP app layer that some module in the
+ *        engine needs the http request body data.
+ */
+void AppLayerHtpEnableRequestBodyCallback(void)
+{
+    need_htp_request_body = 1;
+
+    return;
+}
+
+
 /**
  *  \brief  Function to convert the IP addresses in to the string
  *
@@ -553,13 +566,14 @@ void RegisterHTPParsers(void)
 }
 
 /**
- * \brief This function is called at the end of SigLoadSignatures
+ * \brief This function is called at the end of SigLoadSignatures.  This function
- * pcre_need_htp_request_body is a flag that indicates if we need
+ *        enables the htp layer to register a callback for the http request body.
- * to inspect the body of requests from a pcre keyword.
+ *        need_htp_request_body is a flag that informs the htp app layer that
+ *        a module in the engine needs the http request body.
  */
 void AppLayerHtpRegisterExtraCallbacks(void) {
     SCLogDebug("Registering extra htp callbacks");
-    if (pcre_need_htp_request_body == 1) {
+    if (need_htp_request_body == 1) {
         SCLogDebug("Registering callback htp_config_register_request_body_data on htp");
         htp_config_register_request_body_data(cfg, HTPCallbackRequestBodyData);
     } else {

src/app-layer-htp.h

@@ -91,6 +91,7 @@ void HtpBodyFree(HtpBody *);
 void AppLayerHtpRegisterExtraCallbacks(void);
 /* To free the state from unittests using app-layer-htp */
 void HTPStateFree(void *);
+void AppLayerHtpEnableRequestBodyCallback(void);
 
 #endif	/* __APP_LAYER_HTP_H__ */
 

src/detect-content.c

@@ -338,21 +338,42 @@ SigMatch *SigMatchGetLastPattern(Signature *s) {
 
     BUG_ON(s == NULL);
 
-    SigMatch *co_sm = DetectContentGetLastPattern(s->pmatch_tail);
+    SigMatch *co_sm = DetectContentFindPrevApplicableSM(s->pmatch_tail);
-    SigMatch *ur_sm = SigMatchGetLastSM(s->umatch_tail, DETECT_URICONTENT);
+    SigMatch *ur_sm = SigMatchGetLastSM(s->match_tail, DETECT_URICONTENT);
+    /* http client body SigMatch */
+    SigMatch *hcbd_sm = SigMatchGetLastSM(s->match_tail, DETECT_AL_HTTP_CLIENT_BODY);
     SigMatch *sm = NULL;
 
-    if (co_sm != NULL && ur_sm != NULL) {
+    if (co_sm != NULL && ur_sm != NULL && hcbd_sm != NULL) {
         BUG_ON(co_sm->idx == ur_sm->idx);
 
+        if (co_sm->idx > ur_sm->idx && ur_sm > hcbd_sm)
+            sm = co_sm;
+        else if (ur_sm->idx > co_sm->idx && co_sm > hcbd_sm)
+            sm = ur_sm;
+        else
+            sm = hcbd_sm;
+    } else if (co_sm != NULL && ur_sm != NULL) {
         if (co_sm->idx > ur_sm->idx)
             sm = co_sm;
         else
             sm = ur_sm;
+    } else if (co_sm != NULL && hcbd_sm != NULL) {
+        if (co_sm->idx > hcbd_sm->idx)
+            sm = co_sm;
+        else
+            sm = hcbd_sm;
+    } else if (ur_sm != NULL && hcbd_sm != NULL) {
+        if (ur_sm->idx > hcbd_sm->idx)
+            sm = ur_sm;
+        else
+            sm = hcbd_sm;
     } else if (co_sm != NULL) {
         sm = co_sm;
     } else if (ur_sm != NULL) {
         sm = ur_sm;
+    } else if (hcbd_sm != NULL) {
+        sm = hcbd_sm;
     }
 
     SCReturnPtr(sm, "SigMatch");

src/detect-http-client-body.h

@@ -0,0 +1,21 @@
+/**
+ * Copyright (c) 2010 Open Information Security Foundation.
+ *
+ * \author Anoop Saldanha <poonaatsoc@gmail.com>
+ */
+
+#ifndef __DETECT_HTTP_CLIENT_BODY_H__
+#define __DETECT_HTTP_CLIENT_BODY_H__
+
+#define DETECT_AL_HTTP_CLIENT_BODY_NOCASE   0x01
+#define DETECT_AL_HTTP_CLIENT_BODY_NEGATED  0x02
+
+typedef struct DetectHttpClientBodyData_ {
+    uint8_t *content;
+    uint8_t content_len;
+    uint8_t flags;
+} DetectHttpClientBodyData;
+
+void DetectHttpClientBodyRegister(void);
+
+#endif /* __DETECT_HTTP_CLIENT_BODY_H__ */

src/detect-nocase.c

@@ -11,6 +11,7 @@
 #include "detect-content.h"
 #include "detect-uricontent.h"
 #include "detect-pcre.h"
+#include "detect-http-client-body.h"
 
 #include "util-debug.h"
 
@@ -61,7 +62,7 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls
                 SCReturnInt(-1);
             }
             ud->flags |= DETECT_URICONTENT_NOCASE;
-        break;
+            break;
 
         case DETECT_CONTENT:
             cd = (DetectContentData *)pm->ctx;
@@ -70,12 +71,18 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls
                 SCReturnInt(-1);
             }
             cd->flags |= DETECT_CONTENT_NOCASE;
-        break;
+            break;
+        case DETECT_AL_HTTP_CLIENT_BODY:
+            {
+                ((DetectHttpClientBodyData *)(pm->ctx))->flags |= DETECT_AL_HTTP_CLIENT_BODY_NOCASE;
+                break;
+            }
 
+        /* should never happen */
         default:
             SCLogError(SC_ERR_NOCASE_MISSING_PATTERN, "nocase needs a preceeding content (or uricontent) option");
             SCReturnInt(-1);
-        break;
+            break;
     }
 
     SCReturnInt(0);

src/detect-pcre.c

@@ -51,8 +51,6 @@ static pcre_extra *parse_regex_study;
 static pcre *parse_capture_regex;
 static pcre_extra *parse_capture_regex_study;
 
-uint8_t pcre_need_htp_request_body = 0;
-
 int DetectPcreMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
 int DetectPcreALMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m);
 static int DetectPcreSetup (DetectEngineCtx *, Signature *, char *);
@@ -599,7 +597,7 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
 
         SCLogDebug("Body inspection modifier set");
         s->flags |= SIG_FLAG_APPLAYER;
-        pcre_need_htp_request_body = 1;
+        AppLayerHtpEnableRequestBodyCallback();
 
         SigMatchAppendAppLayer(s, sm);
     } else {

src/detect.c

@@ -82,6 +82,7 @@
 #include "detect-dce-stub-data.h"
 #include "detect-urilen.h"
 #include "detect-detection-filter.h"
+#include "detect-http-client-body.h"
 
 #include "util-rule-vars.h"
 
@@ -2954,6 +2955,7 @@ void SigTableSetup(void) {
     DetectTlsVersionRegister();
     DetectUrilenRegister();
     DetectDetectionFilterRegister();
+    DetectHttpClientBodyRegister();
 
     uint8_t i = 0;
     for (i = 0; i < DETECT_TBLSIZE; i++) {

src/detect.h

@@ -606,6 +606,7 @@ enum {
     DETECT_AL_HTTP_COOKIE,
     DETECT_AL_HTTP_METHOD,
     DETECT_AL_URILEN,
+    DETECT_AL_HTTP_CLIENT_BODY,
 
     DETECT_DCE_IFACE,
     DETECT_DCE_OPNUM,

src/suricata.c

@@ -123,7 +123,6 @@ static uint8_t sigflags = 0;
 
 /* Run mode selected */
 int run_mode = MODE_UNKNOWN;
-extern uint8_t pcre_need_htp_request_body;
 
 /* Maximum packets to simultaneously process. */
 intmax_t max_pending_packets;
@@ -721,7 +720,7 @@ int main(int argc, char **argv)
             UtRunSelftest(regex_arg); /* inits and cleans up again */
         }
 
-        pcre_need_htp_request_body = 1;
+        AppLayerHtpEnableRequestBodyCallback();
         AppLayerHtpRegisterExtraCallbacks();
 
         UtInitialize();