diff --git a/src/detect-http-client-body.c b/src/detect-http-client-body.c index 5dec75356e..7769fe6f7a 100644 --- a/src/detect-http-client-body.c +++ b/src/detect-http-client-body.c @@ -94,86 +94,9 @@ void DetectHttpClientBodyRegister(void) */ int DetectHttpClientBodySetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { - SigMatch *sm = NULL; - int ret = -1; - - if (arg != NULL && strcmp(arg, "") != 0) { - SCLogError(SC_ERR_INVALID_ARGUMENT, "http_client_body shouldn't be supplied " - "with an argument"); - goto end; - } - - if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_client_body\" keyword seen " - "with a sticky buffer still set. Reset sticky buffer " - "with pkt_data before using the modifier."); - goto end; - } - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " - "alproto set"); - goto end; - } - s->flags &= ~SIG_FLAG_TOCLIENT; - s->flags |= SIG_FLAG_TOSERVER; - - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - if (sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_client_body\" keyword " - "found inside the rule without a content context. " - "Please use a \"content\" keyword before using the " - "\"http_client_body\" keyword"); - goto end; - } - DetectContentData *cd = (DetectContentData *)sm->ctx; - if (cd->flags & DETECT_CONTENT_RAWBYTES) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_client_body rule can not " - "be used with the rawbytes rule keyword"); - goto end; - } - if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) { - SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, sm->prev, - DETECT_PCRE, sm->prev); - if (pm != NULL) { - if (pm->type == DETECT_CONTENT) { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT; - } else { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT; - } - } - - pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]); - if (pm != NULL) { - if (pm->type == DETECT_CONTENT) { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - } else { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } - } - } - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HCBDMATCH); - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - AppLayerHtpEnableRequestBodyCallback(); - - /* transfer the sm from the pmatch list to hcbdmatch list */ - SigMatchTransferSigMatchAcrossLists(sm, - &s->sm_lists[DETECT_SM_LIST_PMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - &s->sm_lists[DETECT_SM_LIST_HCBDMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH]); - - ret = 0; - end: - return ret; + return DetectEngineContentModifierBufferSetup(de_ctx, s, arg, + DETECT_AL_HTTP_CLIENT_BODY, + DETECT_SM_LIST_HCBDMATCH); } /** diff --git a/src/detect-http-cookie.c b/src/detect-http-cookie.c index fa3ca504bb..0fd583fd9b 100644 --- a/src/detect-http-cookie.c +++ b/src/detect-http-cookie.c @@ -109,83 +109,9 @@ void DetectHttpCookieFree(void *ptr) static int DetectHttpCookieSetup(DetectEngineCtx *de_ctx, Signature *s, char *str) { - SigMatch *sm = NULL; - int ret = -1; - - if (str != NULL && strcmp(str, "") != 0) { - SCLogError(SC_ERR_INVALID_ARGUMENT, "http_cookie shouldn't be supplied " - "with an argument"); - goto end; - } - - if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_cookie\" keyword seen " - "with a sticky buffer still set. Reset sticky buffer " - "with pkt_data before using the modifier."); - goto end; - } - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " - "alproto set"); - goto end; - } - - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - if (sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_cookie\" keyword " - "found inside the rule without a content context. " - "Please use a \"content\" keyword before using the " - "\"http_cookie\" keyword"); - goto end; - } - DetectContentData *cd = (DetectContentData *)sm->ctx; - if (cd->flags & DETECT_CONTENT_RAWBYTES) { - SCLogError(SC_ERR_HTTP_COOKIE_INCOMPATIBLE_WITH_RAWBYTES, "http_cookie " - "rule can not be used with the rawbytes rule keyword"); - goto end; - } - if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) { - SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, sm->prev, - DETECT_PCRE, sm->prev); - if (pm != NULL) { - if (pm->type == DETECT_CONTENT) { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT; - } else { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT; - } - } - - pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]); - if (pm != NULL) { - if (pm->type == DETECT_CONTENT) { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - } else { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } - } - } - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HCDMATCH); - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - - /* transfer the sm from the pmatch list to hcdmatch list */ - SigMatchTransferSigMatchAcrossLists(sm, - &s->sm_lists[DETECT_SM_LIST_PMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - &s->sm_lists[DETECT_SM_LIST_HCDMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]); - - ret = 0; - end: - return ret; + return DetectEngineContentModifierBufferSetup(de_ctx, s, str, + DETECT_AL_HTTP_COOKIE, + DETECT_SM_LIST_HCDMATCH); } /******************************** UNITESTS **********************************/ diff --git a/src/detect-http-header.c b/src/detect-http-header.c index 1ad8cf0d06..2150acfb08 100644 --- a/src/detect-http-header.c +++ b/src/detect-http-header.c @@ -115,83 +115,9 @@ void DetectHttpHeaderFree(void *ptr) */ int DetectHttpHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { - SigMatch *sm = NULL; - int ret = -1; - - if (arg != NULL && strcmp(arg, "") != 0) { - SCLogError(SC_ERR_INVALID_ARGUMENT, "http_header shouldn't be supplied with " - "an argument"); - goto end; - } - - if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_header\" keyword seen " - "with a sticky buffer still set. Reset sticky buffer " - "with pkt_data before using the modifier."); - goto end; - } - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " - "alproto set"); - goto end; - } - - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - if (sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_header\" keyword " - "found inside the rule without a content context. " - "Please use a \"content\" keyword before using the " - "\"http_header\" keyword"); - goto end; - } - DetectContentData *cd = (DetectContentData *)sm->ctx; - if (cd->flags & DETECT_CONTENT_RAWBYTES) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_header rule can not " - "be used with the rawbytes rule keyword"); - goto end; - } - if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) { - SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, sm->prev, - DETECT_PCRE, sm->prev); - if (pm != NULL) { - if (pm->type == DETECT_CONTENT) { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT; - } else { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT; - } - } - - pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]); - if (pm != NULL) { - if (pm->type == DETECT_CONTENT) { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - } else { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } - } - } - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HHDMATCH); - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - - /* transfer the sm from the pmatch list to hhdmatch list */ - SigMatchTransferSigMatchAcrossLists(sm, - &s->sm_lists[DETECT_SM_LIST_PMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - &s->sm_lists[DETECT_SM_LIST_HHDMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH]); - - ret = 0; - end: - return ret; + return DetectEngineContentModifierBufferSetup(de_ctx, s, arg, + DETECT_AL_HTTP_HEADER, + DETECT_SM_LIST_HHDMATCH); } /************************************Unittests*********************************/ diff --git a/src/detect-http-hh.c b/src/detect-http-hh.c index d28d388278..e0cbdc812f 100644 --- a/src/detect-http-hh.c +++ b/src/detect-http-hh.c @@ -95,83 +95,9 @@ void DetectHttpHHRegister(void) */ int DetectHttpHHSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { - SigMatch *sm = NULL; - int ret = -1; - - if (arg != NULL && strcmp(arg, "") != 0) { - SCLogError(SC_ERR_INVALID_ARGUMENT, "http_host shouldn't be supplied " - "with an argument"); - goto end; - } - - if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_host\" keyword seen " - "with a sticky buffer still set. Reset sticky buffer " - "with pkt_data before using the modifier."); - goto end; - } - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " - "alproto set"); - goto end; - } - - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - if (sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_host\" keyword " - "found inside the rule without a content context. " - "Please use a \"content\" keyword before using the " - "\"http_host\" keyword"); - goto end; - } - DetectContentData *cd = (DetectContentData *)sm->ctx; - if (cd->flags & DETECT_CONTENT_RAWBYTES) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_host " - "rule can not be used with the rawbytes rule keyword"); - goto end; - } - if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) { - SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, sm->prev, - DETECT_PCRE, sm->prev); - if (pm != NULL) { - if (pm->type == DETECT_CONTENT) { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT; - } else { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT; - } - } - - pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]); - if (pm != NULL) { - if (pm->type == DETECT_CONTENT) { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - } else { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } - } - } - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HHHDMATCH); - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - - /* transfer the sm from the pmatch list to hhhdmatch list */ - SigMatchTransferSigMatchAcrossLists(sm, - &s->sm_lists[DETECT_SM_LIST_PMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - &s->sm_lists[DETECT_SM_LIST_HHHDMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]); - - ret = 0; - end: - return ret; + return DetectEngineContentModifierBufferSetup(de_ctx, s, arg, + DETECT_AL_HTTP_HOST, + DETECT_SM_LIST_HHHDMATCH); } /** diff --git a/src/detect-http-hrh.c b/src/detect-http-hrh.c index 87e4cc370d..d2def6370c 100644 --- a/src/detect-http-hrh.c +++ b/src/detect-http-hrh.c @@ -95,83 +95,9 @@ void DetectHttpHRHRegister(void) */ int DetectHttpHRHSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { - SigMatch *sm = NULL; - int ret = -1; - - if (arg != NULL && strcmp(arg, "") != 0) { - SCLogError(SC_ERR_INVALID_ARGUMENT, "http_raw_host shouldn't be supplied " - "with an argument"); - goto end; - } - - if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_raw_host\" keyword seen " - "with a sticky buffer still set. Reset sticky buffer " - "with pkt_data before using the modifier."); - goto end; - } - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " - "alproto set"); - goto end; - } - - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - if (sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_raw_host\" keyword " - "found inside the rule without a content context. " - "Please use a \"content\" keyword before using the " - "\"http_raw_host\" keyword"); - goto end; - } - DetectContentData *cd = (DetectContentData *)sm->ctx; - if (cd->flags & DETECT_CONTENT_RAWBYTES) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_raw_host " - "rule can not be used with the rawbytes rule keyword"); - goto end; - } - if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) { - SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, sm->prev, - DETECT_PCRE, sm->prev); - if (pm != NULL) { - if (pm->type == DETECT_CONTENT) { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT; - } else { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT; - } - } - - pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]); - if (pm != NULL) { - if (pm->type == DETECT_CONTENT) { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - } else { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } - } - } - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HRHHDMATCH); - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - - /* transfer the sm from the pmatch list to hrhhdmatch list */ - SigMatchTransferSigMatchAcrossLists(sm, - &s->sm_lists[DETECT_SM_LIST_PMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - &s->sm_lists[DETECT_SM_LIST_HRHHDMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]); - - ret = 0; - end: - return ret; + return DetectEngineContentModifierBufferSetup(de_ctx, s, arg, + DETECT_AL_HTTP_RAW_HOST, + DETECT_SM_LIST_HRHHDMATCH); } /** diff --git a/src/detect-http-method.c b/src/detect-http-method.c index 5306da6820..80d6f208a4 100644 --- a/src/detect-http-method.c +++ b/src/detect-http-method.c @@ -94,86 +94,9 @@ void DetectHttpMethodRegister(void) { */ static int DetectHttpMethodSetup(DetectEngineCtx *de_ctx, Signature *s, char *str) { - SCEnter(); - SigMatch *sm = NULL; - int ret = -1; - - if ((str != NULL) && (strcmp(str, "") != 0)) { - SCLogError(SC_ERR_INVALID_ARGUMENT, "http_method shouldn't be supplied " - "with an argument"); - goto end; - } - - if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_method\" keyword seen " - "with a sticky buffer still set. Reset sticky buffer " - "with pkt_data before using the modifier."); - goto end; - } - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " - "alproto set"); - goto end; - } - s->flags &= ~SIG_FLAG_TOCLIENT; - s->flags |= SIG_FLAG_TOSERVER; - - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - if (sm == NULL) { - SCLogError(SC_ERR_HTTP_METHOD_NEEDS_PRECEEDING_CONTENT, - "\"http_method\" keyword found inside the rule without " - "a content context. Please use a \"content\" keyword " - "before using the \"http_cookie\" keyword"); - goto end; - } - DetectContentData *cd = (DetectContentData *)sm->ctx; - if (cd->flags & DETECT_CONTENT_RAWBYTES) { - SCLogError(SC_ERR_HTTP_METHOD_INCOMPATIBLE_WITH_RAWBYTES, "http_method " - "cannot be used with \"rawbytes\""); - goto end; - } - if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) { - SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, sm->prev, - DETECT_PCRE, sm->prev); - if (pm != NULL) { - if (pm->type == DETECT_CONTENT) { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT; - } else { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT; - } - } - - pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]); - if (pm != NULL) { - if (pm->type == DETECT_CONTENT) { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - } else { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } - } - } - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HMDMATCH); - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - - /* transfer the sm from the pmatch list to hmdmatch list */ - SigMatchTransferSigMatchAcrossLists(sm, - &s->sm_lists[DETECT_SM_LIST_PMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - &s->sm_lists[DETECT_SM_LIST_HMDMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]); - - ret = 0; - end: - SCReturnInt(ret); + return DetectEngineContentModifierBufferSetup(de_ctx, s, str, + DETECT_AL_HTTP_METHOD, + DETECT_SM_LIST_HMDMATCH); } /** diff --git a/src/detect-http-raw-header.c b/src/detect-http-raw-header.c index 4e94cf4fb9..37da514abc 100644 --- a/src/detect-http-raw-header.c +++ b/src/detect-http-raw-header.c @@ -114,83 +114,9 @@ void DetectHttpRawHeaderFree(void *ptr) */ int DetectHttpRawHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { - SigMatch *sm = NULL; - int ret = -1; - - if (arg != NULL && strcmp(arg, "") != 0) { - SCLogError(SC_ERR_INVALID_ARGUMENT, "http_raw_header shouldn't be supplied with " - "an argument"); - goto end; - } - - if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_rheader\" keyword seen " - "with a sticky buffer still set. Reset sticky buffer " - "with pkt_data before using the modifier."); - goto end; - } - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " - "alproto set"); - goto end; - } - - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - if (sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_raw_header\" keyword " - "found inside the rule without a content context. " - "Please use a \"content\" keyword before using the " - "\"http_header\" keyword"); - goto end; - } - DetectContentData *cd = (DetectContentData *)sm->ctx; - if (cd->flags & DETECT_CONTENT_RAWBYTES) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_raw_header rule can not " - "be used with the rawbytes rule keyword"); - goto end; - } - if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) { - SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, sm->prev, - DETECT_PCRE, sm->prev); - if (pm != NULL) { - if (pm->type == DETECT_CONTENT) { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT; - } else { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT; - } - } - - pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]); - if (pm != NULL) { - if (pm->type == DETECT_CONTENT) { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - } else { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } - } - } - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HRUDMATCH); - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - - /* transfer the sm from the pmatch list to hrhdmatch list */ - SigMatchTransferSigMatchAcrossLists(sm, - &s->sm_lists[DETECT_SM_LIST_PMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - &s->sm_lists[DETECT_SM_LIST_HRHDMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH]); - - ret = 0; - end: - return ret; + return DetectEngineContentModifierBufferSetup(de_ctx, s, arg, + DETECT_AL_HTTP_RAW_HEADER, + DETECT_SM_LIST_HRHDMATCH); } /************************************Unittests*********************************/ diff --git a/src/detect-http-raw-uri.c b/src/detect-http-raw-uri.c index adf701bfdc..ca41bdb184 100644 --- a/src/detect-http-raw-uri.c +++ b/src/detect-http-raw-uri.c @@ -88,88 +88,9 @@ void DetectHttpRawUriRegister(void) */ static int DetectHttpRawUriSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { - SigMatch *sm = NULL; - int ret = -1; - - if (arg != NULL && strcmp(arg, "") != 0) { - SCLogError(SC_ERR_INVALID_ARGUMENT, "http_raw_uri shouldn't be " - "supplied with an argument"); - goto end; - } - - if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_uri\" keyword seen " - "with a sticky buffer still set. Reset sticky buffer " - "with pkt_data before using the modifier."); - goto end; - } - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " - "alproto set"); - goto end; - } - s->flags &= ~SIG_FLAG_TOCLIENT; - s->flags |= SIG_FLAG_TOSERVER; - - /* retrieve the content to apply it against */ - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - if (sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_raw_uri\" keyword " - "found inside the rule without a content context. " - "Please use a \"content\" keyword before using the " - "\"http_raw_uri\" keyword"); - goto end; - } - DetectContentData *cd = (DetectContentData *)sm->ctx; - if (cd->flags & DETECT_CONTENT_RAWBYTES) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_raw_uri rule can not " - "be used with the rawbytes rule keyword"); - goto end; - } - if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) { - SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, sm->prev, - DETECT_PCRE, sm->prev); - if (pm != NULL) { - if (pm->type == DETECT_CONTENT) { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT; - } else { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT; - } - } - - pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]); - if (pm != NULL) { - if (pm->type == DETECT_CONTENT) { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - } else { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } - } - } - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HRUDMATCH); - /* Flagged the signature as to inspect the app layer data */ - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - - /* transfer the sm from the pmatch list to hrudmatch list */ - SigMatchTransferSigMatchAcrossLists(sm, - &s->sm_lists[DETECT_SM_LIST_PMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - &s->sm_lists[DETECT_SM_LIST_HRUDMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]); - - ret = 0; - - end: - return ret; + return DetectEngineContentModifierBufferSetup(de_ctx, s, arg, + DETECT_AL_HTTP_RAW_URI, + DETECT_SM_LIST_HRUDMATCH); } diff --git a/src/detect-http-server-body.c b/src/detect-http-server-body.c index 7c3ce4792b..e2ecd5e100 100644 --- a/src/detect-http-server-body.c +++ b/src/detect-http-server-body.c @@ -95,86 +95,9 @@ void DetectHttpServerBodyRegister(void) */ int DetectHttpServerBodySetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { - SigMatch *sm = NULL; - int ret = -1; - - if (arg != NULL && strcmp(arg, "") != 0) { - SCLogError(SC_ERR_INVALID_ARGUMENT, "http_server_body shouldn't be supplied with " - "an argument"); - goto end; - } - - if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_server_body\" keyword seen " - "with a sticky buffer still set. Reset sticky buffer " - "with pkt_data before using the modifier."); - goto end; - } - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " - "alproto set"); - goto end; - } - s->flags &= ~SIG_FLAG_TOSERVER; - s->flags |= SIG_FLAG_TOCLIENT; - - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - if (sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_server_body\" keyword " - "found inside the rule without a content context. " - "Please use a \"content\" keyword before using the " - "\"http_server_body\" keyword"); - goto end; - } - DetectContentData *cd = (DetectContentData *)sm->ctx; - if (cd->flags & DETECT_CONTENT_RAWBYTES) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_server_body rule can not " - "be used with the rawbytes rule keyword"); - goto end; - } - if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) { - SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, sm->prev, - DETECT_PCRE, sm->prev); - if (pm != NULL) { - if (pm->type == DETECT_CONTENT) { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT; - } else { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT; - } - } - - pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]); - if (pm != NULL) { - if (pm->type == DETECT_CONTENT) { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - } else { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } - } - } - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HSBDMATCH); - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - AppLayerHtpEnableResponseBodyCallback(); - - /* transfer the sm from the pmatch list to hsbdmatch list */ - SigMatchTransferSigMatchAcrossLists(sm, - &s->sm_lists[DETECT_SM_LIST_PMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - &s->sm_lists[DETECT_SM_LIST_HSBDMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH]); - - ret = 0; - end: - return ret; + return DetectEngineContentModifierBufferSetup(de_ctx, s, arg, + DETECT_AL_HTTP_SERVER_BODY, + DETECT_SM_LIST_HSBDMATCH); } /** diff --git a/src/detect-http-stat-code.c b/src/detect-http-stat-code.c index f28c67f47a..6825145605 100644 --- a/src/detect-http-stat-code.c +++ b/src/detect-http-stat-code.c @@ -98,85 +98,9 @@ void DetectHttpStatCodeRegister (void) { static int DetectHttpStatCodeSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { - SigMatch *sm = NULL; - int ret = -1; - - if (arg != NULL && strcmp(arg, "") != 0) { - SCLogError(SC_ERR_INVALID_ARGUMENT, "http_stat_code shouldn't be supplied with " - "an argument"); - goto end; - } - - if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_stat_code\" keyword seen " - "with a sticky buffer still set. Reset sticky buffer " - "with pkt_data before using the modifier."); - goto end; - } - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " - "alproto set"); - goto end; - } - s->flags &= ~SIG_FLAG_TOSERVER; - s->flags |= SIG_FLAG_TOCLIENT; - - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - if (sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_stat_code\" keyword " - "found inside the rule without a content context. " - "Please use a \"content\" keyword before using the " - "\"http_stat_code\" keyword"); - goto end; - } - DetectContentData *cd = (DetectContentData *)sm->ctx; - if (cd->flags & DETECT_CONTENT_RAWBYTES) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_stat_code rule can not " - "be used with the rawbytes rule keyword"); - goto end; - } - if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) { - SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, sm->prev, - DETECT_PCRE, sm->prev); - if (pm != NULL) { - if (pm->type == DETECT_CONTENT) { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT; - } else { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT; - } - } - - pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]); - if (pm != NULL) { - if (pm->type == DETECT_CONTENT) { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - } else { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } - } - } - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HSCDMATCH); - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - - /* transfer the sm from the pmatch list to hcbdmatch list */ - SigMatchTransferSigMatchAcrossLists(sm, - &s->sm_lists[DETECT_SM_LIST_PMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - &s->sm_lists[DETECT_SM_LIST_HSCDMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH]); - - ret = 0; - end: - return ret; + return DetectEngineContentModifierBufferSetup(de_ctx, s, arg, + DETECT_AL_HTTP_STAT_CODE, + DETECT_SM_LIST_HSCDMATCH); } #ifdef UNITTESTS diff --git a/src/detect-http-stat-msg.c b/src/detect-http-stat-msg.c index 662e54cda7..7a350066e6 100644 --- a/src/detect-http-stat-msg.c +++ b/src/detect-http-stat-msg.c @@ -98,85 +98,9 @@ void DetectHttpStatMsgRegister (void) { static int DetectHttpStatMsgSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { - SigMatch *sm = NULL; - int ret = -1; - - if (arg != NULL && strcmp(arg, "") != 0) { - SCLogError(SC_ERR_INVALID_ARGUMENT, "http_stat_msg shouldn't be supplied with " - "an argument"); - goto end; - } - - if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_stat_msg\" keyword seen " - "with a sticky buffer still set. Reset sticky buffer " - "with pkt_data before using the modifier."); - goto end; - } - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " - "alproto set"); - goto end; - } - s->flags &= ~SIG_FLAG_TOSERVER; - s->flags |= SIG_FLAG_TOCLIENT; - - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - if (sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_stat_msg\" keyword " - "found inside the rule without a content context. " - "Please use a \"content\" keyword before using the " - "\"http_stat_msg\" keyword"); - goto end; - } - DetectContentData *cd = (DetectContentData *)sm->ctx; - if (cd->flags & DETECT_CONTENT_RAWBYTES) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_stat_msg rule can not " - "be used with the rawbytes rule keyword"); - goto end; - } - if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) { - SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, sm->prev, - DETECT_PCRE, sm->prev); - if (pm != NULL) { - if (pm->type == DETECT_CONTENT) { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT; - } else { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT; - } - } - - pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]); - if (pm != NULL) { - if (pm->type == DETECT_CONTENT) { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - } else { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } - } - } - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HSMDMATCH); - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - - /* transfer the sm from the pmatch list to hcbdmatch list */ - SigMatchTransferSigMatchAcrossLists(sm, - &s->sm_lists[DETECT_SM_LIST_PMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - &s->sm_lists[DETECT_SM_LIST_HSMDMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]); - - ret = 0; - end: - return ret; + return DetectEngineContentModifierBufferSetup(de_ctx, s, arg, + DETECT_AL_HTTP_STAT_MSG, + DETECT_SM_LIST_HSMDMATCH); } #ifdef UNITTESTS diff --git a/src/detect-http-ua.c b/src/detect-http-ua.c index ef8e720392..fbc9d13ee6 100644 --- a/src/detect-http-ua.c +++ b/src/detect-http-ua.c @@ -96,85 +96,9 @@ void DetectHttpUARegister(void) */ int DetectHttpUASetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) { - SigMatch *sm = NULL; - int ret = -1; - - if (arg != NULL && strcmp(arg, "") != 0) { - SCLogError(SC_ERR_INVALID_ARGUMENT, "http_user_agent shouldn't be supplied " - "with an argument"); - goto end; - } - - if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_user_agent\" keyword seen " - "with a sticky buffer still set. Reset sticky buffer " - "with pkt_data before using the modifier."); - goto end; - } - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " - "alproto set"); - goto end; - } - s->flags &= ~SIG_FLAG_TOCLIENT; - s->flags |= SIG_FLAG_TOSERVER; - - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - if (sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_user_agent\" keyword " - "found inside the rule without a content context. " - "Please use a \"content\" keyword before using the " - "\"http_user_agent\" keyword"); - goto end; - } - DetectContentData *cd = (DetectContentData *)sm->ctx; - if (cd->flags & DETECT_CONTENT_RAWBYTES) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_user_agent rule can not " - "be used with the rawbytes rule keyword"); - goto end; - } - if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) { - SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, sm->prev, - DETECT_PCRE, sm->prev); - if (pm != NULL) { - if (pm->type == DETECT_CONTENT) { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT; - } else { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT; - } - } - - pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]); - if (pm != NULL) { - if (pm->type == DETECT_CONTENT) { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - } else { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } - } - } - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_HUADMATCH); - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - - /* transfer the sm from the pmatch list to huadmatch list */ - SigMatchTransferSigMatchAcrossLists(sm, - &s->sm_lists[DETECT_SM_LIST_PMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - &s->sm_lists[DETECT_SM_LIST_HUADMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]); - - ret = 0; - end: - return ret; + return DetectEngineContentModifierBufferSetup(de_ctx, s, arg, + DETECT_AL_HTTP_USER_AGENT, + DETECT_SM_LIST_HUADMATCH); } /** diff --git a/src/detect-http-uri.c b/src/detect-http-uri.c index 29cf73f112..0b84a20c30 100644 --- a/src/detect-http-uri.c +++ b/src/detect-http-uri.c @@ -89,86 +89,9 @@ void DetectHttpUriRegister (void) { int DetectHttpUriSetup(DetectEngineCtx *de_ctx, Signature *s, char *str) { - SigMatch *sm = NULL; - int ret = -1; - - if (str != NULL && strcmp(str, "") != 0) { - SCLogError(SC_ERR_INVALID_ARGUMENT, "http_uri shouldn't be supplied with " - "an argument"); - goto end; - } - - if (s->init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_uri\" keyword seen " - "with a sticky buffer still set. Reset sticky buffer " - "with pkt_data before using the modifier."); - goto end; - } - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " - "alproto set"); - goto end; - } - s->flags &= ~SIG_FLAG_TOCLIENT; - s->flags |= SIG_FLAG_TOSERVER; - - sm = SigMatchGetLastSMFromLists(s, 2, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); - if (sm == NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "\"http_uri\" keyword " - "found inside the rule without a content context. " - "Please use a \"content\" keyword before using the " - "\"http_uri\" keyword"); - goto end; - } - DetectContentData *cd = (DetectContentData *)sm->ctx; - if (cd->flags & DETECT_CONTENT_RAWBYTES) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "http_uri rule can not " - "be used with the rawbytes rule keyword"); - goto end; - } - if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) { - SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, sm->prev, - DETECT_PCRE, sm->prev); - if (pm != NULL) { - if (pm->type == DETECT_CONTENT) { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT; - } else { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT; - } - } - - pm = SigMatchGetLastSMFromLists(s, 4, - DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], - DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH]); - if (pm != NULL) { - if (pm->type == DETECT_CONTENT) { - DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; - tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - } else { - DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; - tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; - } - } - } - cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, DETECT_SM_LIST_UMATCH); - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = ALPROTO_HTTP; - - /* transfer the sm from the pmatch list to umatch list */ - SigMatchTransferSigMatchAcrossLists(sm, - &s->sm_lists[DETECT_SM_LIST_PMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_PMATCH], - &s->sm_lists[DETECT_SM_LIST_UMATCH], - &s->sm_lists_tail[DETECT_SM_LIST_UMATCH]); - - ret = 0; - - end: - return ret; + return DetectEngineContentModifierBufferSetup(de_ctx, s, str, + DETECT_AL_HTTP_URI, + DETECT_SM_LIST_UMATCH); } diff --git a/src/detect-parse.c b/src/detect-parse.c index 7176d0a4d9..e700ec8f44 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -96,6 +96,96 @@ typedef struct SigDuplWrapper_ { #define OPTION_PARTS 3 #define OPTION_PCRE "^\\s*([A-z_0-9-\\.]+)(?:\\s*\\:\\s*(.*)(?init_flags & (SIG_FLAG_INIT_FILE_DATA | SIG_FLAG_INIT_DCE_STUB_DATA)) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "\"%s\" keyword seen " + "with a sticky buffer still set. Reset sticky buffer " + "with pkt_data before using the modifier.", + sigmatch_table[sm_type].name); + goto end; + } + /* for now let's hardcode it as http */ + if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains a non http " + "alproto set"); + goto end; + } + + sm = SigMatchGetLastSMFromLists(s, 2, + DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]); + if (sm == NULL) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "\"%s\" keyword " + "found inside the rule without a content context. " + "Please use a \"content\" keyword before using the " + "\"%s\" keyword", sigmatch_table[sm_type].name, + sigmatch_table[sm_type].name); + goto end; + } + DetectContentData *cd = (DetectContentData *)sm->ctx; + if (cd->flags & DETECT_CONTENT_RAWBYTES) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "%s rule can not " + "be used with the rawbytes rule keyword", + sigmatch_table[sm_type].name); + goto end; + } + if (cd->flags & (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE)) { + SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, + DETECT_CONTENT, sm->prev, + DETECT_PCRE, sm->prev); + if (pm != NULL) { + if (pm->type == DETECT_CONTENT) { + DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; + tmp_cd->flags &= ~DETECT_CONTENT_RELATIVE_NEXT; + } else { + DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; + tmp_pd->flags &= ~DETECT_PCRE_RELATIVE_NEXT; + } + } + + pm = SigMatchGetLastSMFromLists(s, 4, + DETECT_CONTENT, s->sm_lists_tail[sm_list], + DETECT_PCRE, s->sm_lists_tail[sm_list]); + if (pm != NULL) { + if (pm->type == DETECT_CONTENT) { + DetectContentData *tmp_cd = (DetectContentData *)pm->ctx; + tmp_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; + } else { + DetectPcreData *tmp_pd = (DetectPcreData *)pm->ctx; + tmp_pd->flags |= DETECT_PCRE_RELATIVE_NEXT; + } + } + } + cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, s, sm_list); + s->flags |= SIG_FLAG_APPLAYER; + s->alproto = ALPROTO_HTTP; + if (sm_type == DETECT_AL_HTTP_CLIENT_BODY) + AppLayerHtpEnableRequestBodyCallback(); + else if (sm_type == DETECT_AL_HTTP_SERVER_BODY) + AppLayerHtpEnableResponseBodyCallback(); + + /* transfer the sm from the pmatch list to hcbdmatch list */ + SigMatchTransferSigMatchAcrossLists(sm, + &s->sm_lists[DETECT_SM_LIST_PMATCH], + &s->sm_lists_tail[DETECT_SM_LIST_PMATCH], + &s->sm_lists[sm_list], + &s->sm_lists_tail[sm_list]); + + ret = 0; + end: + return ret; +} + uint32_t DbgGetSrcPortAnyCnt(void) { return dbg_srcportany_cnt; } diff --git a/src/detect-parse.h b/src/detect-parse.h index d23937dcc3..09194ce95d 100644 --- a/src/detect-parse.h +++ b/src/detect-parse.h @@ -62,5 +62,7 @@ void DetectParseDupSigHashFree(DetectEngineCtx *); int DetectParseContentString (char *, uint8_t **, uint16_t *, uint32_t *); +int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg, + uint8_t sm_type, uint8_t sm_list); #endif /* __DETECT_PARSE_H__ */