http_uri: mpm prefilter engine

Inspect partial request line as well.
10 years ago · b62c4cc359
parent 5bcdbe3922
commit b62c4cc359
4 changed files with 56 additions and 69 deletions
--- a/src/detect-engine-mpm.c
+++ b/src/detect-engine-mpm.c
@ -47,7 +47,8 @@
 #include "detect-flow.h"

 #include "detect-content.h"
-#include "detect-uricontent.h"
+
+#include "detect-engine-uri.h"

 #include "stream.h"

@ -73,44 +74,48 @@ typedef struct AppLayerMpms_ {
    int direction;              /**< SIG_FLAG_TOSERVER or SIG_FLAG_TOCLIENT */
    int sm_list;
    uint32_t flags;             /**< flags set to SGH when this mpm is present */
+
+    int (*PrefilterRegister)(SigGroupHead *sgh, MpmCtx *mpm_ctx);
+
    int id;                     /**< index into this array and result arrays */
 } AppLayerMpms;

 AppLayerMpms app_mpms[] = {
-    { "http_uri", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_UMATCH, SIG_GROUP_HEAD_MPM_URI, 0 },
-    { "http_raw_uri", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HRUDMATCH, SIG_GROUP_HEAD_MPM_HRUD, 1 },
+    { "http_uri", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_UMATCH,
+        SIG_GROUP_HEAD_MPM_URI, PrefilterTxUriRegister, 0 },
+    { "http_raw_uri", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HRUDMATCH, SIG_GROUP_HEAD_MPM_HRUD, NULL, 1 },

-    { "http_header", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HHDMATCH, SIG_GROUP_HEAD_MPM_HHD, 2},
-    { "http_header", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_HHDMATCH, SIG_GROUP_HEAD_MPM_HHD, 3},
+    { "http_header", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HHDMATCH, SIG_GROUP_HEAD_MPM_HHD, NULL, 2},
+    { "http_header", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_HHDMATCH, SIG_GROUP_HEAD_MPM_HHD, NULL, 3},

-    { "http_user_agent", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HUADMATCH, SIG_GROUP_HEAD_MPM_HUAD, 4},
+    { "http_user_agent", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HUADMATCH, SIG_GROUP_HEAD_MPM_HUAD, NULL, 4},

-    { "http_raw_header", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HRHDMATCH, SIG_GROUP_HEAD_MPM_HRHD, 5},
-    { "http_raw_header", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_HRHDMATCH, SIG_GROUP_HEAD_MPM_HRHD, 6},
+    { "http_raw_header", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HRHDMATCH, SIG_GROUP_HEAD_MPM_HRHD, NULL, 5},
+    { "http_raw_header", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_HRHDMATCH, SIG_GROUP_HEAD_MPM_HRHD, NULL, 6},

-    { "http_method", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HMDMATCH, SIG_GROUP_HEAD_MPM_HMD, 7},
+    { "http_method", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HMDMATCH, SIG_GROUP_HEAD_MPM_HMD, NULL, 7},

-    { "file_data", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_FILEDATA, SIG_GROUP_HEAD_MPM_FD_SMTP, 8}, /* smtp */
-    { "file_data", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_FILEDATA, SIG_GROUP_HEAD_MPM_HSBD, 9}, /* http server body */
+    { "file_data", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_FILEDATA, SIG_GROUP_HEAD_MPM_FD_SMTP, NULL, 8}, /* smtp */
+    { "file_data", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_FILEDATA, SIG_GROUP_HEAD_MPM_HSBD, NULL, 9}, /* http server body */

-    { "http_stat_msg", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_HSMDMATCH, SIG_GROUP_HEAD_MPM_HSMD, 10},
-    { "http_stat_code", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_HSCDMATCH, SIG_GROUP_HEAD_MPM_HSCD, 11},
+    { "http_stat_msg", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_HSMDMATCH, SIG_GROUP_HEAD_MPM_HSMD, NULL, 10},
+    { "http_stat_code", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_HSCDMATCH, SIG_GROUP_HEAD_MPM_HSCD, NULL, 11},

-    { "http_client_body", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HCBDMATCH, SIG_GROUP_HEAD_MPM_HCBD, 12},
+    { "http_client_body", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HCBDMATCH, SIG_GROUP_HEAD_MPM_HCBD, NULL, 12},

-    { "http_host", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HHHDMATCH, SIG_GROUP_HEAD_MPM_HHHD, 13},
-    { "http_raw_host", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HRHHDMATCH, SIG_GROUP_HEAD_MPM_HRHHD, 14},
+    { "http_host", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HHHDMATCH, SIG_GROUP_HEAD_MPM_HHHD, NULL, 13},
+    { "http_raw_host", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HRHHDMATCH, SIG_GROUP_HEAD_MPM_HRHHD, NULL, 14},

-    { "http_cookie", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HCDMATCH, SIG_GROUP_HEAD_MPM_HCD, 15},
-    { "http_cookie", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_HCDMATCH, SIG_GROUP_HEAD_MPM_HCD, 16},
+    { "http_cookie", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HCDMATCH, SIG_GROUP_HEAD_MPM_HCD, NULL, 15},
+    { "http_cookie", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_HCDMATCH, SIG_GROUP_HEAD_MPM_HCD, NULL, 16},

-    { "dns_query", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_DNSQUERYNAME_MATCH, SIG_GROUP_HEAD_MPM_DNSQUERY, 17},
+    { "dns_query", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_DNSQUERYNAME_MATCH, SIG_GROUP_HEAD_MPM_DNSQUERY, NULL, 17},

-    { "tls_sni", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_TLSSNI_MATCH, SIG_GROUP_HEAD_MPM_TLSSNI, 18},
-    { "tls_cert_issuer", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_TLSISSUER_MATCH, SIG_GROUP_HEAD_MPM_TLSISSUER, 19},
-    { "tls_cert_subject", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_TLSSUBJECT_MATCH, SIG_GROUP_HEAD_MPM_TLSSUBJECT, 20},
+    { "tls_sni", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_TLSSNI_MATCH, SIG_GROUP_HEAD_MPM_TLSSNI, NULL, 18},
+    { "tls_cert_issuer", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_TLSISSUER_MATCH, SIG_GROUP_HEAD_MPM_TLSISSUER, NULL, 19},
+    { "tls_cert_subject", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_TLSSUBJECT_MATCH, SIG_GROUP_HEAD_MPM_TLSSUBJECT, NULL, 20},

-    { NULL, 0, 0, 0, 0, 0, }
+    { NULL, 0, 0, 0, 0, NULL, 0, }
 };

 void DetectMpmInitializeAppMpms(DetectEngineCtx *de_ctx)
@ -1291,6 +1296,10 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
            sh->init->app_mpms[a->id] = mpm_store->mpm_ctx;
            if (sh->init->app_mpms[a->id] != NULL)
                sh->flags |= a->flags;
+
+            if (a->PrefilterRegister) {
+                BUG_ON(a->PrefilterRegister(sh, mpm_store->mpm_ctx) != 0);
+            }
        }
        a++;
    }
--- a/src/detect-engine-uri.c
+++ b/src/detect-engine-uri.c
@ -32,6 +32,7 @@
 #include "detect-parse.h"
 #include "detect-engine-state.h"
 #include "detect-engine-content-inspection.h"
+#include "detect-engine-prefilter.h"

 #include "flow-util.h"
 #include "util-debug.h"
@ -49,61 +50,43 @@
 #include "app-layer-protos.h"
 #include "util-validate.h"

-/** \brief Uri Pattern match -- searches for one pattern per signature.
+/** \brief HTTP URI Mpm prefilter callback
 *
 *  \param det_ctx detection engine thread ctx
 *  \param p packet to inspect
- *
- *  \retval ret number of matches
+ *  \param f flow to inspect
+ *  \param txv tx to inspect
+ *  \param pectx inspection context
 */
-static inline uint32_t UriPatternSearch(DetectEngineThreadCtx *det_ctx,
-        const uint8_t *uri, const uint16_t uri_len)
+static void PrefilterTxUri(DetectEngineThreadCtx *det_ctx, const void *pectx,
+        Packet *p, Flow *f, void *txv,
+        const uint64_t idx, const uint8_t flags)
 {
    SCEnter();

-    uint32_t ret = 0;
-
-    DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_uri_ctx_ts == NULL);
+    const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
+    htp_tx_t *tx = (htp_tx_t *)txv;
+    HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);

-    if (uri_len >= det_ctx->sgh->mpm_uri_ctx_ts->minlen) {
-        ret = mpm_table[det_ctx->sgh->mpm_uri_ctx_ts->mpm_type].
-            Search(det_ctx->sgh->mpm_uri_ctx_ts,
-                    &det_ctx->mtcu, &det_ctx->pmq, uri, uri_len);
-    }
+    if (tx_ud == NULL || tx_ud->request_uri_normalized == NULL)
+        return;

-    //PrintRawDataFp(stdout, uri, uri_len);
+    const uint32_t uri_len = bstr_len(tx_ud->request_uri_normalized);
+    const uint8_t *uri = bstr_ptr(tx_ud->request_uri_normalized);

-    SCReturnUInt(ret);
+    if (uri_len >= mpm_ctx->minlen) {
+        (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
+                &det_ctx->mtcu, &det_ctx->pmq, uri, uri_len);
+    }
 }

-/**
- *  \brief Run the pattern matcher against the uri(s)
- *
- *  We run against _all_ uri(s) we have as the pattern matcher will
- *  flag each sig that has a match. We need to do this for all uri(s)
- *  to not miss possible events.
- *
- *  \param f locked flow
- *  \param htp_state initialized htp state
- *
- *  \todo what should we return? Just the fact that we matched?
- */
-uint32_t DetectUricontentInspectMpm(DetectEngineThreadCtx *det_ctx, void *txv)
+int PrefilterTxUriRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx)
 {
    SCEnter();

-    htp_tx_t *tx = (htp_tx_t *)txv;
-    HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
-    uint32_t cnt = 0;
-
-    if (tx_ud == NULL || tx_ud->request_uri_normalized == NULL)
-        goto end;
-    cnt = UriPatternSearch(det_ctx, (const uint8_t *)
-                           bstr_ptr(tx_ud->request_uri_normalized),
-                           bstr_len(tx_ud->request_uri_normalized));
-
-end:
-    SCReturnUInt(cnt);
+    return PrefilterAppendTxEngine(sgh, PrefilterTxUri,
+        ALPROTO_HTTP, HTP_REQUEST_LINE,
+        mpm_ctx, NULL);
 }

 /**
--- a/src/detect-engine-uri.h
+++ b/src/detect-engine-uri.h
@ -24,7 +24,7 @@
 #ifndef __DETECT_ENGINE_URICONTENT_H__
 #define __DETECT_ENGINE_URICONTENT_H__

-uint32_t DetectUricontentInspectMpm(DetectEngineThreadCtx *det_ctx, void *tx);
+int PrefilterTxUriRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx);

 int DetectEngineInspectPacketUris(ThreadVars *tv,
                                  DetectEngineCtx *de_ctx,
--- a/src/detect.c
+++ b/src/detect.c
@ -903,11 +903,6 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
                    tx_progress = AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags);

                    if (tx_progress > HTP_REQUEST_LINE) {
-                        if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_URI) {
-                            PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_URI);
-                            DetectUricontentInspectMpm(det_ctx, tx);
-                            PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_URI);
-                        }
                        if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HRUD) {
                            PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HRUD);
                            DetectEngineRunHttpRawUriMpm(det_ctx, tx);