aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

http_* setup unified.

Browse Source
pull/325/head
Anoop Saldanha 13 years ago committed by Victor Julien
parent 434bdca9e2
commit a304a98d1d
15 changed files with 131 additions and 1024 deletions
Show Stats Download Patch File Download Diff File

83
src/detect-http-client-body.c
Unescape Escape View File

@ -94,86 +94,9 @@ void DetectHttpClientBodyRegister(void)
*/
int DetectHttpClientBodySetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
SigMatch *sm = NULL;
int ret = -1;
if (arg != NULL && strcmp(arg, "") != 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "http_client_body shouldn't be supplied "
"with an argument");
goto end;
}
if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_client_body\" keyword seen "
"with a sticky buffer still set. Reset sticky buffer "
"with pkt_data before using the modifier.");
goto end;
}
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
"alproto set");
goto end;
}
s->flags &= ~SIG_FLAG_TOCLIENT;
s->flags |= SIG_FLAG_TOSERVER;
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_client_body\" keyword "
"found inside the rule without a content context. "
"Please use a \"content\" keyword before using the "
"\"http_client_body\" keyword");
goto end;
}
DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_client_body rule can not "
"be used with the rawbytes rule keyword");
goto end;
}
if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
}
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
}
}
}
cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HCBDMATCH);
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
AppLayerHtpEnableRequestBodyCallback();
/* transfer the sm from the pmatch list to hcbdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
&s->sm_lists[DETECT_SM_LIST_HCBDMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]);
ret = 0;
end:
return ret;
return DetectEngineContentModifierBufferSetup(de_ctx, s, arg,
DETECT_AL_HTTP_CLIENT_BODY,
DETECT_SM_LIST_HCBDMATCH);
}
/**

80
src/detect-http-cookie.c
Unescape Escape View File

@ -109,83 +109,9 @@ void DetectHttpCookieFree(void *ptr)
static int DetectHttpCookieSetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
{
SigMatch *sm = NULL;
int ret = -1;
if (str != NULL && strcmp(str, "") != 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "http_cookie shouldn't be supplied "
"with an argument");
goto end;
}
if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_cookie\" keyword seen "
"with a sticky buffer still set. Reset sticky buffer "
"with pkt_data before using the modifier.");
goto end;
}
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
"alproto set");
goto end;
}
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_cookie\" keyword "
"found inside the rule without a content context. "
"Please use a \"content\" keyword before using the "
"\"http_cookie\" keyword");
goto end;
}
DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
SCLogError(SC_ERR_HTTP_COOKIE_INCOMPATIBLE_WITH_RAWBYTES, "http_cookie "
"rule can not be used with the rawbytes rule keyword");
goto end;
}
if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
}
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
}
}
}
cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HCDMATCH);
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
/* transfer the sm from the pmatch list to hcdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
&s->sm_lists[DETECT_SM_LIST_HCDMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]);
ret = 0;
end:
return ret;
return DetectEngineContentModifierBufferSetup(de_ctx, s, str,
DETECT_AL_HTTP_COOKIE,
DETECT_SM_LIST_HCDMATCH);
}
/******************************** UNITESTS **********************************/

80
src/detect-http-header.c
Unescape Escape View File

@ -115,83 +115,9 @@ void DetectHttpHeaderFree(void *ptr)
*/
int DetectHttpHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
SigMatch *sm = NULL;
int ret = -1;
if (arg != NULL && strcmp(arg, "") != 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "http_header shouldn't be supplied with "
"an argument");
goto end;
}
if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_header\" keyword seen "
"with a sticky buffer still set. Reset sticky buffer "
"with pkt_data before using the modifier.");
goto end;
}
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
"alproto set");
goto end;
}
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_header\" keyword "
"found inside the rule without a content context. "
"Please use a \"content\" keyword before using the "
"\"http_header\" keyword");
goto end;
}
DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_header rule can not "
"be used with the rawbytes rule keyword");
goto end;
}
if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
}
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
}
}
}
cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HHDMATCH);
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
/* transfer the sm from the pmatch list to hhdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
&s->sm_lists[DETECT_SM_LIST_HHDMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]);
ret = 0;
end:
return ret;
return DetectEngineContentModifierBufferSetup(de_ctx, s, arg,
DETECT_AL_HTTP_HEADER,
DETECT_SM_LIST_HHDMATCH);
}
/************************************Unittests*********************************/

80
src/detect-http-hh.c
Unescape Escape View File

@ -95,83 +95,9 @@ void DetectHttpHHRegister(void)
*/
int DetectHttpHHSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
SigMatch *sm = NULL;
int ret = -1;
if (arg != NULL && strcmp(arg, "") != 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "http_host shouldn't be supplied "
"with an argument");
goto end;
}
if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_host\" keyword seen "
"with a sticky buffer still set. Reset sticky buffer "
"with pkt_data before using the modifier.");
goto end;
}
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
"alproto set");
goto end;
}
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_host\" keyword "
"found inside the rule without a content context. "
"Please use a \"content\" keyword before using the "
"\"http_host\" keyword");
goto end;
}
DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_host "
"rule can not be used with the rawbytes rule keyword");
goto end;
}
if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
}
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
}
}
}
cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HHHDMATCH);
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
/* transfer the sm from the pmatch list to hhhdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
&s->sm_lists[DETECT_SM_LIST_HHHDMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]);
ret = 0;
end:
return ret;
return DetectEngineContentModifierBufferSetup(de_ctx, s, arg,
DETECT_AL_HTTP_HOST,
DETECT_SM_LIST_HHHDMATCH);
}
/**

80
src/detect-http-hrh.c
Unescape Escape View File

@ -95,83 +95,9 @@ void DetectHttpHRHRegister(void)
*/
int DetectHttpHRHSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
SigMatch *sm = NULL;
int ret = -1;
if (arg != NULL && strcmp(arg, "") != 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "http_raw_host shouldn't be supplied "
"with an argument");
goto end;
}
if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_raw_host\" keyword seen "
"with a sticky buffer still set. Reset sticky buffer "
"with pkt_data before using the modifier.");
goto end;
}
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
"alproto set");
goto end;
}
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_raw_host\" keyword "
"found inside the rule without a content context. "
"Please use a \"content\" keyword before using the "
"\"http_raw_host\" keyword");
goto end;
}
DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_raw_host "
"rule can not be used with the rawbytes rule keyword");
goto end;
}
if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
}
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
}
}
}
cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HRHHDMATCH);
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
/* transfer the sm from the pmatch list to hrhhdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
&s->sm_lists[DETECT_SM_LIST_HRHHDMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
ret = 0;
end:
return ret;
return DetectEngineContentModifierBufferSetup(de_ctx, s, arg,
DETECT_AL_HTTP_RAW_HOST,
DETECT_SM_LIST_HRHHDMATCH);
}
/**

83
src/detect-http-method.c
Unescape Escape View File

@ -94,86 +94,9 @@ void DetectHttpMethodRegister(void) {
*/
static int DetectHttpMethodSetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
{
SCEnter();
SigMatch *sm = NULL;
int ret = -1;
if ((str != NULL) && (strcmp(str, "") != 0)) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "http_method shouldn't be supplied "
"with an argument");
goto end;
}
if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_method\" keyword seen "
"with a sticky buffer still set. Reset sticky buffer "
"with pkt_data before using the modifier.");
goto end;
}
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
"alproto set");
goto end;
}
s->flags &= ~SIG_FLAG_TOCLIENT;
s->flags |= SIG_FLAG_TOSERVER;
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (sm == NULL) {
SCLogError(SC_ERR_HTTP_METHOD_NEEDS_PRECEEDING_CONTENT,
"\"http_method\" keyword found inside the rule without "
"a content context. Please use a \"content\" keyword "
"before using the \"http_cookie\" keyword");
goto end;
}
DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
SCLogError(SC_ERR_HTTP_METHOD_INCOMPATIBLE_WITH_RAWBYTES, "http_method "
"cannot be used with \"rawbytes\"");
goto end;
}
if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
}
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
}
}
}
cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HMDMATCH);
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
/* transfer the sm from the pmatch list to hmdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
&s->sm_lists[DETECT_SM_LIST_HMDMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]);
ret = 0;
end:
SCReturnInt(ret);
return DetectEngineContentModifierBufferSetup(de_ctx, s, str,
DETECT_AL_HTTP_METHOD,
DETECT_SM_LIST_HMDMATCH);
}
/**

80
src/detect-http-raw-header.c
Unescape Escape View File

@ -114,83 +114,9 @@ void DetectHttpRawHeaderFree(void *ptr)
*/
int DetectHttpRawHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
SigMatch *sm = NULL;
int ret = -1;
if (arg != NULL && strcmp(arg, "") != 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "http_raw_header shouldn't be supplied with "
"an argument");
goto end;
}
if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_rheader\" keyword seen "
"with a sticky buffer still set. Reset sticky buffer "
"with pkt_data before using the modifier.");
goto end;
}
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
"alproto set");
goto end;
}
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_raw_header\" keyword "
"found inside the rule without a content context. "
"Please use a \"content\" keyword before using the "
"\"http_header\" keyword");
goto end;
}
DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_raw_header rule can not "
"be used with the rawbytes rule keyword");
goto end;
}
if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
}
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
}
}
}
cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HRUDMATCH);
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
/* transfer the sm from the pmatch list to hrhdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
&s->sm_lists[DETECT_SM_LIST_HRHDMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]);
ret = 0;
end:
return ret;
return DetectEngineContentModifierBufferSetup(de_ctx, s, arg,
DETECT_AL_HTTP_RAW_HEADER,
DETECT_SM_LIST_HRHDMATCH);
}
/************************************Unittests*********************************/

85
src/detect-http-raw-uri.c
Unescape Escape View File

@ -88,88 +88,9 @@ void DetectHttpRawUriRegister(void)
*/
static int DetectHttpRawUriSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
SigMatch *sm = NULL;
int ret = -1;
if (arg != NULL && strcmp(arg, "") != 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "http_raw_uri shouldn't be "
"supplied with an argument");
goto end;
}
if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_uri\" keyword seen "
"with a sticky buffer still set. Reset sticky buffer "
"with pkt_data before using the modifier.");
goto end;
}
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
"alproto set");
goto end;
}
s->flags &= ~SIG_FLAG_TOCLIENT;
s->flags |= SIG_FLAG_TOSERVER;
/* retrieve the content to apply it against */
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_raw_uri\" keyword "
"found inside the rule without a content context. "
"Please use a \"content\" keyword before using the "
"\"http_raw_uri\" keyword");
goto end;
}
DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_raw_uri rule can not "
"be used with the rawbytes rule keyword");
goto end;
}
if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
}
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
}
}
}
cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HRUDMATCH);
/* Flagged the signature as to inspect the app layer data */
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
/* transfer the sm from the pmatch list to hrudmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
&s->sm_lists[DETECT_SM_LIST_HRUDMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]);
ret = 0;
end:
return ret;
return DetectEngineContentModifierBufferSetup(de_ctx, s, arg,
DETECT_AL_HTTP_RAW_URI,
DETECT_SM_LIST_HRUDMATCH);
}

83
src/detect-http-server-body.c
Unescape Escape View File

@ -95,86 +95,9 @@ void DetectHttpServerBodyRegister(void)
*/
int DetectHttpServerBodySetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
SigMatch *sm = NULL;
int ret = -1;
if (arg != NULL && strcmp(arg, "") != 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "http_server_body shouldn't be supplied with "
"an argument");
goto end;
}
if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_server_body\" keyword seen "
"with a sticky buffer still set. Reset sticky buffer "
"with pkt_data before using the modifier.");
goto end;
}
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
"alproto set");
goto end;
}
s->flags &= ~SIG_FLAG_TOSERVER;
s->flags |= SIG_FLAG_TOCLIENT;
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_server_body\" keyword "
"found inside the rule without a content context. "
"Please use a \"content\" keyword before using the "
"\"http_server_body\" keyword");
goto end;
}
DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_server_body rule can not "
"be used with the rawbytes rule keyword");
goto end;
}
if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
}
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
}
}
}
cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HSBDMATCH);
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
AppLayerHtpEnableResponseBodyCallback();
/* transfer the sm from the pmatch list to hsbdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
&s->sm_lists[DETECT_SM_LIST_HSBDMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]);
ret = 0;
end:
return ret;
return DetectEngineContentModifierBufferSetup(de_ctx, s, arg,
DETECT_AL_HTTP_SERVER_BODY,
DETECT_SM_LIST_HSBDMATCH);
}
/**

82
src/detect-http-stat-code.c
Unescape Escape View File

@ -98,85 +98,9 @@ void DetectHttpStatCodeRegister (void) {
static int DetectHttpStatCodeSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
SigMatch *sm = NULL;
int ret = -1;
if (arg != NULL && strcmp(arg, "") != 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "http_stat_code shouldn't be supplied with "
"an argument");
goto end;
}
if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_stat_code\" keyword seen "
"with a sticky buffer still set. Reset sticky buffer "
"with pkt_data before using the modifier.");
goto end;
}
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
"alproto set");
goto end;
}
s->flags &= ~SIG_FLAG_TOSERVER;
s->flags |= SIG_FLAG_TOCLIENT;
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_stat_code\" keyword "
"found inside the rule without a content context. "
"Please use a \"content\" keyword before using the "
"\"http_stat_code\" keyword");
goto end;
}
DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_stat_code rule can not "
"be used with the rawbytes rule keyword");
goto end;
}
if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
}
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
}
}
}
cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HSCDMATCH);
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
/* transfer the sm from the pmatch list to hcbdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
&s->sm_lists[DETECT_SM_LIST_HSCDMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]);
ret = 0;
end:
return ret;
return DetectEngineContentModifierBufferSetup(de_ctx, s, arg,
DETECT_AL_HTTP_STAT_CODE,
DETECT_SM_LIST_HSCDMATCH);
}
#ifdef UNITTESTS

82
src/detect-http-stat-msg.c
Unescape Escape View File

@ -98,85 +98,9 @@ void DetectHttpStatMsgRegister (void) {
static int DetectHttpStatMsgSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
SigMatch *sm = NULL;
int ret = -1;
if (arg != NULL && strcmp(arg, "") != 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "http_stat_msg shouldn't be supplied with "
"an argument");
goto end;
}
if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_stat_msg\" keyword seen "
"with a sticky buffer still set. Reset sticky buffer "
"with pkt_data before using the modifier.");
goto end;
}
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
"alproto set");
goto end;
}
s->flags &= ~SIG_FLAG_TOSERVER;
s->flags |= SIG_FLAG_TOCLIENT;
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_stat_msg\" keyword "
"found inside the rule without a content context. "
"Please use a \"content\" keyword before using the "
"\"http_stat_msg\" keyword");
goto end;
}
DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_stat_msg rule can not "
"be used with the rawbytes rule keyword");
goto end;
}
if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
}
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
}
}
}
cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HSMDMATCH);
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
/* transfer the sm from the pmatch list to hcbdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
&s->sm_lists[DETECT_SM_LIST_HSMDMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]);
ret = 0;
end:
return ret;
return DetectEngineContentModifierBufferSetup(de_ctx, s, arg,
DETECT_AL_HTTP_STAT_MSG,
DETECT_SM_LIST_HSMDMATCH);
}
#ifdef UNITTESTS

82
src/detect-http-ua.c
Unescape Escape View File

@ -96,85 +96,9 @@ void DetectHttpUARegister(void)
*/
int DetectHttpUASetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
SigMatch *sm = NULL;
int ret = -1;
if (arg != NULL && strcmp(arg, "") != 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "http_user_agent shouldn't be supplied "
"with an argument");
goto end;
}
if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_user_agent\" keyword seen "
"with a sticky buffer still set. Reset sticky buffer "
"with pkt_data before using the modifier.");
goto end;
}
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
"alproto set");
goto end;
}
s->flags &= ~SIG_FLAG_TOCLIENT;
s->flags |= SIG_FLAG_TOSERVER;
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_user_agent\" keyword "
"found inside the rule without a content context. "
"Please use a \"content\" keyword before using the "
"\"http_user_agent\" keyword");
goto end;
}
DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_user_agent rule can not "
"be used with the rawbytes rule keyword");
goto end;
}
if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
}
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
}
}
}
cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HUADMATCH);
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
/* transfer the sm from the pmatch list to huadmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
&s->sm_lists[DETECT_SM_LIST_HUADMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]);
ret = 0;
end:
return ret;
return DetectEngineContentModifierBufferSetup(de_ctx, s, arg,
DETECT_AL_HTTP_USER_AGENT,
DETECT_SM_LIST_HUADMATCH);
}
/**

83
src/detect-http-uri.c
Unescape Escape View File

@ -89,86 +89,9 @@ void DetectHttpUriRegister (void) {
int DetectHttpUriSetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
{
SigMatch *sm = NULL;
int ret = -1;
if (str != NULL && strcmp(str, "") != 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "http_uri shouldn't be supplied with "
"an argument");
goto end;
}
if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_uri\" keyword seen "
"with a sticky buffer still set. Reset sticky buffer "
"with pkt_data before using the modifier.");
goto end;
}
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
"alproto set");
goto end;
}
s->flags &= ~SIG_FLAG_TOCLIENT;
s->flags |= SIG_FLAG_TOSERVER;
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_uri\" keyword "
"found inside the rule without a content context. "
"Please use a \"content\" keyword before using the "
"\"http_uri\" keyword");
goto end;
}
DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_uri rule can not "
"be used with the rawbytes rule keyword");
goto end;
}
if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
}
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH]);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
}
}
}
cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_UMATCH);
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
/* transfer the sm from the pmatch list to umatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
&s->sm_lists[DETECT_SM_LIST_UMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_UMATCH]);
ret = 0;
end:
return ret;
return DetectEngineContentModifierBufferSetup(de_ctx, s, str,
DETECT_AL_HTTP_URI,
DETECT_SM_LIST_UMATCH);
}

90
src/detect-parse.c
Unescape Escape View File

@ -96,6 +96,96 @@ typedef struct SigDuplWrapper_ {
#define OPTION_PARTS 3
#define OPTION_PCRE "^\\s*([A-z_0-9-\\.]+)(?:\\s*\\:\\s*(.*)(?<!\\\\))?\\s*;\\s*(?:\\s*(.*))?\\s*$"
int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg,
uint8_t sm_type, uint8_t sm_list)
{
SigMatch *sm = NULL;
int ret = -1;
if (arg != NULL && strcmp(arg, "") != 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "%s shouldn't be supplied "
"with an argument", sigmatch_table[sm_type].name);
goto end;
}
if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"%s\" keyword seen "
"with a sticky buffer still set. Reset sticky buffer "
"with pkt_data before using the modifier.",
sigmatch_table[sm_type].name);
goto end;
}
/* for now let's hardcode it as http */
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http "
"alproto set");
goto end;
}
sm = SigMatchGetLastSMFromLists(s, 2,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
if (sm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"%s\" keyword "
"found inside the rule without a content context. "
"Please use a \"content\" keyword before using the "
"\"%s\" keyword", sigmatch_table[sm_type].name,
sigmatch_table[sm_type].name);
goto end;
}
DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "%s rule can not "
"be used with the rawbytes rule keyword",
sigmatch_table[sm_type].name);
goto end;
}
if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, sm->prev,
DETECT_PCRE, sm->prev);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT;
}
}
pm = SigMatchGetLastSMFromLists(s, 4,
DETECT_CONTENT, s->sm_lists_tail[sm_list],
DETECT_PCRE, s->sm_lists_tail[sm_list]);
if (pm != NULL) {
if (pm->type == DETECT_CONTENT) {
DetectContentData *tmp_cd = (DetectContentData *)pm->ctx;
tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
} else {
DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx;
tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
}
}
}
cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, sm_list);
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
if (sm_type == DETECT_AL_HTTP_CLIENT_BODY)
AppLayerHtpEnableRequestBodyCallback();
else if (sm_type == DETECT_AL_HTTP_SERVER_BODY)
AppLayerHtpEnableResponseBodyCallback();
/* transfer the sm from the pmatch list to hcbdmatch list */
SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
&s->sm_lists[sm_list],
&s->sm_lists_tail[sm_list]);
ret = 0;
end:
return ret;
}
uint32_t DbgGetSrcPortAnyCnt(void) {
return dbg_srcportany_cnt;
}

2
src/detect-parse.h
Unescape Escape View File

@ -62,5 +62,7 @@ void DetectParseDupSigHashFree(DetectEngineCtx *);
int DetectParseContentString (char *, uint8_t **, uint16_t *, uint32_t *);
int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg,
uint8_t sm_type, uint8_t sm_list);
#endif /* __DETECT_PARSE_H__ */

Write Preview
Loading…
Cancel
Save