http_stat_msg: dynamic buffer

pull/2559/head
Victor Julien 9 years ago
parent 7e3ab4f5ea
commit b694d96e22

@ -120,8 +120,6 @@ void EngineAnalysisFP(Signature *s, char *line)
fprintf(fp_engine_analysis_FD, "http raw header content\n"); fprintf(fp_engine_analysis_FD, "http raw header content\n");
else if (list_type == DETECT_SM_LIST_HCBDMATCH) else if (list_type == DETECT_SM_LIST_HCBDMATCH)
fprintf(fp_engine_analysis_FD, "http client body content\n"); fprintf(fp_engine_analysis_FD, "http client body content\n");
else if (list_type == DETECT_SM_LIST_HSMDMATCH)
fprintf(fp_engine_analysis_FD, "http stat msg content\n");
else { else {
const char *desc = DetectBufferTypeGetDescriptionById(list_type); const char *desc = DetectBufferTypeGetDescriptionById(list_type);
const char *name = DetectBufferTypeGetNameById(list_type); const char *name = DetectBufferTypeGetNameById(list_type);
@ -464,8 +462,6 @@ static void EngineAnalysisRulesPrintFP(const Signature *s)
fprintf(rule_engine_analysis_FD, "http raw header content"); fprintf(rule_engine_analysis_FD, "http raw header content");
else if (list_type == DETECT_SM_LIST_HCBDMATCH) else if (list_type == DETECT_SM_LIST_HCBDMATCH)
fprintf(rule_engine_analysis_FD, "http client body content"); fprintf(rule_engine_analysis_FD, "http client body content");
else if (list_type == DETECT_SM_LIST_HSMDMATCH)
fprintf(rule_engine_analysis_FD, "http stat msg content");
else if (list_type == DETECT_SM_LIST_DNSQUERYNAME_MATCH) else if (list_type == DETECT_SM_LIST_DNSQUERYNAME_MATCH)
fprintf(rule_engine_analysis_FD, "dns query name content"); fprintf(rule_engine_analysis_FD, "dns query name content");
else if (list_type == DETECT_SM_LIST_TLSSNI_MATCH) else if (list_type == DETECT_SM_LIST_TLSSNI_MATCH)
@ -571,6 +567,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
const int httpuseragent_id = DetectBufferTypeGetByName("http_user_agent"); const int httpuseragent_id = DetectBufferTypeGetByName("http_user_agent");
const int httpcookie_id = DetectBufferTypeGetByName("http_cookie"); const int httpcookie_id = DetectBufferTypeGetByName("http_cookie");
const int httpstatcode_id = DetectBufferTypeGetByName("http_stat_code"); const int httpstatcode_id = DetectBufferTypeGetByName("http_stat_code");
const int httpstatmsg_id = DetectBufferTypeGetByName("http_stat_msg");
if (s->init_data->init_flags & SIG_FLAG_INIT_BIDIREC) { if (s->init_data->init_flags & SIG_FLAG_INIT_BIDIREC) {
rule_bidirectional = 1; rule_bidirectional = 1;
@ -634,7 +631,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
raw_http_buf += 1; raw_http_buf += 1;
http_raw_uri_buf += 1; http_raw_uri_buf += 1;
} }
else if (list_id == DETECT_SM_LIST_HSMDMATCH) { else if (list_id == httpstatmsg_id) {
rule_pcre_http += 1; rule_pcre_http += 1;
raw_http_buf += 1; raw_http_buf += 1;
http_stat_msg_buf += 1; http_stat_msg_buf += 1;
@ -695,7 +692,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
raw_http_buf += 1; raw_http_buf += 1;
http_raw_uri_buf += 1; http_raw_uri_buf += 1;
} }
else if (list_id == DETECT_SM_LIST_HSMDMATCH) { else if (list_id == httpstatmsg_id) {
rule_content_http += 1; rule_content_http += 1;
raw_http_buf += 1; raw_http_buf += 1;
http_stat_msg_buf += 1; http_stat_msg_buf += 1;

@ -2806,8 +2806,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
return "http headers"; return "http headers";
case DETECT_SM_LIST_HRHDMATCH: case DETECT_SM_LIST_HRHDMATCH:
return "http raw headers"; return "http raw headers";
case DETECT_SM_LIST_HSMDMATCH:
return "http stat msg";
case DETECT_SM_LIST_APP_EVENT: case DETECT_SM_LIST_APP_EVENT:
return "app layer events"; return "app layer events";

@ -329,6 +329,7 @@ static int g_http_cookie_buffer_id = 0;
static int g_http_host_buffer_id = 0; static int g_http_host_buffer_id = 0;
static int g_http_raw_host_buffer_id = 0; static int g_http_raw_host_buffer_id = 0;
static int g_http_stat_code_buffer_id = 0; static int g_http_stat_code_buffer_id = 0;
static int g_http_stat_msg_buffer_id = 0;
/** /**
* \test Checks if a fast_pattern is registered in a Signature * \test Checks if a fast_pattern is registered in a Signature
@ -10551,7 +10552,7 @@ int DetectFastPatternTest384(void)
"content:\"three\"; http_stat_msg; sid:1;)"); "content:\"three\"; http_stat_msg; sid:1;)");
if (de_ctx->sig_list == NULL) if (de_ctx->sig_list == NULL)
goto end; goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->prev->ctx; DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN && if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED && ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -10589,7 +10590,7 @@ int DetectFastPatternTest385(void)
goto end; goto end;
result = 0; result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HSMDMATCH]; sm = de_ctx->sig_list->sm_lists[g_http_stat_msg_buffer_id];
if (sm != NULL) { if (sm != NULL) {
if ( ((DetectContentData *)sm->ctx)->flags & if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) { DETECT_CONTENT_FAST_PATTERN) {
@ -10626,7 +10627,7 @@ int DetectFastPatternTest386(void)
goto end; goto end;
result = 0; result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HSMDMATCH]; sm = de_ctx->sig_list->sm_lists[g_http_stat_msg_buffer_id];
if (sm != NULL) { if (sm != NULL) {
if ( ((DetectContentData *)sm->ctx)->flags & if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) { DETECT_CONTENT_FAST_PATTERN) {
@ -10657,7 +10658,7 @@ int DetectFastPatternTest387(void)
if (de_ctx->sig_list == NULL) if (de_ctx->sig_list == NULL)
goto end; goto end;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HSMDMATCH]; sm = de_ctx->sig_list->sm_lists[g_http_stat_msg_buffer_id];
if (sm == NULL) { if (sm == NULL) {
goto end; goto end;
} }
@ -10693,7 +10694,7 @@ int DetectFastPatternTest388(void)
if (de_ctx->sig_list == NULL) if (de_ctx->sig_list == NULL)
goto end; goto end;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HSMDMATCH]; sm = de_ctx->sig_list->sm_lists[g_http_stat_msg_buffer_id];
if (sm == NULL) { if (sm == NULL) {
goto end; goto end;
} }
@ -10938,7 +10939,7 @@ int DetectFastPatternTest398(void)
if (de_ctx->sig_list == NULL) if (de_ctx->sig_list == NULL)
goto end; goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->ctx; DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN && if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -10970,7 +10971,7 @@ int DetectFastPatternTest399(void)
"content:\"two\"; fast_pattern:only; http_stat_msg; sid:1;)"); "content:\"two\"; fast_pattern:only; http_stat_msg; sid:1;)");
if (de_ctx->sig_list == NULL) if (de_ctx->sig_list == NULL)
goto end; goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->ctx; DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN && if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -11002,7 +11003,7 @@ int DetectFastPatternTest400(void)
"content:\"two\"; fast_pattern:only; http_stat_msg; sid:1;)"); "content:\"two\"; fast_pattern:only; http_stat_msg; sid:1;)");
if (de_ctx->sig_list == NULL) if (de_ctx->sig_list == NULL)
goto end; goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->ctx; DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN && if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -11034,7 +11035,7 @@ int DetectFastPatternTest401(void)
"content:\"two\"; fast_pattern:only; http_stat_msg; sid:1;)"); "content:\"two\"; fast_pattern:only; http_stat_msg; sid:1;)");
if (de_ctx->sig_list == NULL) if (de_ctx->sig_list == NULL)
goto end; goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->ctx; DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN && if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY && ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -11065,7 +11066,7 @@ int DetectFastPatternTest402(void)
"content:\"two\"; http_stat_msg; sid:1;)"); "content:\"two\"; http_stat_msg; sid:1;)");
if (de_ctx->sig_list == NULL) if (de_ctx->sig_list == NULL)
goto end; goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->prev->ctx; DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN && if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED && ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -11190,7 +11191,7 @@ int DetectFastPatternTest407(void)
"content:\"three\"; http_stat_msg; sid:1;)"); "content:\"three\"; http_stat_msg; sid:1;)");
if (de_ctx->sig_list == NULL) if (de_ctx->sig_list == NULL)
goto end; goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->prev->ctx; DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN && if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -11222,7 +11223,7 @@ int DetectFastPatternTest408(void)
"content:\"three\"; http_stat_msg; distance:30; sid:1;)"); "content:\"three\"; http_stat_msg; distance:30; sid:1;)");
if (de_ctx->sig_list == NULL) if (de_ctx->sig_list == NULL)
goto end; goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->prev->ctx; DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN && if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -11254,7 +11255,7 @@ int DetectFastPatternTest409(void)
"content:\"three\"; http_stat_msg; within:30; sid:1;)"); "content:\"three\"; http_stat_msg; within:30; sid:1;)");
if (de_ctx->sig_list == NULL) if (de_ctx->sig_list == NULL)
goto end; goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->prev->ctx; DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN && if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -11286,7 +11287,7 @@ int DetectFastPatternTest410(void)
"content:\"three\"; http_stat_msg; offset:30; sid:1;)"); "content:\"three\"; http_stat_msg; offset:30; sid:1;)");
if (de_ctx->sig_list == NULL) if (de_ctx->sig_list == NULL)
goto end; goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->prev->ctx; DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN && if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -11318,7 +11319,7 @@ int DetectFastPatternTest411(void)
"content:\"three\"; http_stat_msg; depth:30; sid:1;)"); "content:\"three\"; http_stat_msg; depth:30; sid:1;)");
if (de_ctx->sig_list == NULL) if (de_ctx->sig_list == NULL)
goto end; goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->prev->ctx; DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN && if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -11350,7 +11351,7 @@ int DetectFastPatternTest412(void)
"content:\"oneonethree\"; fast_pattern:3,4; http_stat_msg; sid:1;)"); "content:\"oneonethree\"; fast_pattern:3,4; http_stat_msg; sid:1;)");
if (de_ctx->sig_list == NULL) if (de_ctx->sig_list == NULL)
goto end; goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->ctx; DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN && if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -11382,7 +11383,7 @@ int DetectFastPatternTest413(void)
"content:\"oneonethree\"; fast_pattern:3,4; http_stat_msg; sid:1;)"); "content:\"oneonethree\"; fast_pattern:3,4; http_stat_msg; sid:1;)");
if (de_ctx->sig_list == NULL) if (de_ctx->sig_list == NULL)
goto end; goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->ctx; DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN && if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -11414,7 +11415,7 @@ int DetectFastPatternTest414(void)
"content:\"oneonethree\"; fast_pattern:3,4; http_stat_msg; sid:1;)"); "content:\"oneonethree\"; fast_pattern:3,4; http_stat_msg; sid:1;)");
if (de_ctx->sig_list == NULL) if (de_ctx->sig_list == NULL)
goto end; goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->ctx; DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN && if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -11446,7 +11447,7 @@ int DetectFastPatternTest415(void)
"content:\"oneonethree\"; fast_pattern:3,4; http_stat_msg; sid:1;)"); "content:\"oneonethree\"; fast_pattern:3,4; http_stat_msg; sid:1;)");
if (de_ctx->sig_list == NULL) if (de_ctx->sig_list == NULL)
goto end; goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->ctx; DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN && if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP && ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -11553,7 +11554,7 @@ int DetectFastPatternTest419(void)
"content:\"three\"; http_stat_msg; sid:1;)"); "content:\"three\"; http_stat_msg; sid:1;)");
if (de_ctx->sig_list == NULL) if (de_ctx->sig_list == NULL)
goto end; goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->prev->ctx; DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN && if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED && ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -11682,7 +11683,7 @@ int DetectFastPatternTest424(void)
"content:\"three\"; http_stat_msg; sid:1;)"); "content:\"three\"; http_stat_msg; sid:1;)");
if (de_ctx->sig_list == NULL) if (de_ctx->sig_list == NULL)
goto end; goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]->prev->ctx; DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_stat_msg_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN && if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED && ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) && !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -18837,6 +18838,7 @@ void DetectFastPatternRegisterTests(void)
g_http_host_buffer_id = DetectBufferTypeGetByName("http_host"); g_http_host_buffer_id = DetectBufferTypeGetByName("http_host");
g_http_raw_host_buffer_id = DetectBufferTypeGetByName("http_raw_host"); g_http_raw_host_buffer_id = DetectBufferTypeGetByName("http_raw_host");
g_http_stat_code_buffer_id = DetectBufferTypeGetByName("http_stat_code"); g_http_stat_code_buffer_id = DetectBufferTypeGetByName("http_stat_code");
g_http_stat_msg_buffer_id = DetectBufferTypeGetByName("http_stat_msg");
UtRegisterTest("DetectFastPatternTest01", DetectFastPatternTest01); UtRegisterTest("DetectFastPatternTest01", DetectFastPatternTest01);
UtRegisterTest("DetectFastPatternTest02", DetectFastPatternTest02); UtRegisterTest("DetectFastPatternTest02", DetectFastPatternTest02);

@ -63,12 +63,10 @@
#include "stream-tcp-private.h" #include "stream-tcp-private.h"
#include "stream-tcp.h" #include "stream-tcp.h"
int DetectHttpStatMsgMatch (ThreadVars *, DetectEngineThreadCtx *,
Flow *, uint8_t , void *, Signature *,
SigMatch *);
static int DetectHttpStatMsgSetup(DetectEngineCtx *, Signature *, char *); static int DetectHttpStatMsgSetup(DetectEngineCtx *, Signature *, char *);
void DetectHttpStatMsgRegisterTests(void); static void DetectHttpStatMsgRegisterTests(void);
void DetectHttpStatMsgFree(void *); static void DetectHttpStatMsgSetupCallback(Signature *s);
static int g_http_stat_msg_buffer_id = 0;
/** /**
* \brief Registration function for keyword: http_stat_msg * \brief Registration function for keyword: http_stat_msg
@ -87,13 +85,20 @@ void DetectHttpStatMsgRegister (void)
sigmatch_table[DETECT_AL_HTTP_STAT_MSG].flags |= SIGMATCH_NOOPT; sigmatch_table[DETECT_AL_HTTP_STAT_MSG].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_AL_HTTP_STAT_MSG].flags |= SIGMATCH_PAYLOAD; sigmatch_table[DETECT_AL_HTTP_STAT_MSG].flags |= SIGMATCH_PAYLOAD;
DetectMpmAppLayerRegister("http_stat_msg", SIG_FLAG_TOCLIENT, DetectAppLayerMpmRegister("http_stat_msg", SIG_FLAG_TOCLIENT, 3,
DETECT_SM_LIST_HSMDMATCH, 3,
PrefilterTxHttpStatMsgRegister); PrefilterTxHttpStatMsgRegister);
DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOCLIENT, DetectAppLayerInspectEngineRegister2("http_stat_msg",
DETECT_SM_LIST_HSMDMATCH, ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
DetectEngineInspectHttpStatMsg); DetectEngineInspectHttpStatMsg);
DetectBufferTypeSetDescriptionByName("http_stat_msg",
"http response status message");
DetectBufferTypeRegisterSetupCallback("http_stat_msg",
DetectHttpStatMsgSetupCallback);
g_http_stat_msg_buffer_id = DetectBufferTypeGetByName("http_stat_msg");
} }
/** /**
@ -111,11 +116,17 @@ static int DetectHttpStatMsgSetup(DetectEngineCtx *de_ctx, Signature *s, char *a
{ {
return DetectEngineContentModifierBufferSetup(de_ctx, s, arg, return DetectEngineContentModifierBufferSetup(de_ctx, s, arg,
DETECT_AL_HTTP_STAT_MSG, DETECT_AL_HTTP_STAT_MSG,
DETECT_SM_LIST_HSMDMATCH, g_http_stat_msg_buffer_id,
ALPROTO_HTTP, ALPROTO_HTTP,
NULL); NULL);
} }
static void DetectHttpStatMsgSetupCallback(Signature *s)
{
SCLogDebug("callback invoked by %u", s->id);
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
}
#ifdef UNITTESTS #ifdef UNITTESTS
/** /**
@ -148,7 +159,7 @@ int DetectHttpStatMsgTest01(void)
"fast_pattern; http_stat_msg; sid:1;)"); "fast_pattern; http_stat_msg; sid:1;)");
if (de_ctx->sig_list == NULL) if (de_ctx->sig_list == NULL)
goto end; goto end;
if (!(((DetectContentData *)de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HSMDMATCH]->ctx)->flags & if (!(((DetectContentData *)de_ctx->sig_list->sm_lists[g_http_stat_msg_buffer_id]->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN)) DETECT_CONTENT_FAST_PATTERN))
{ {
goto end; goto end;
@ -186,7 +197,7 @@ int DetectHttpStatMsgTest02(void)
} }
result = 0; result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HSMDMATCH]; sm = de_ctx->sig_list->sm_lists[g_http_stat_msg_buffer_id];
if (sm == NULL) { if (sm == NULL) {
printf("no sigmatch(es): "); printf("no sigmatch(es): ");
goto end; goto end;
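Review bot: `DetectHttpStatMsgSetupCallback` is added without the `/** \brief ... */` header that the other functions in this file carry, although it is now where `SIG_MASK_REQUIRE_HTTP_STATE` is set for this buffer (the explicit block in `SignatureCreateMask` is deleted elsewhere in this commit). A header such as `/** \brief buffer setup callback: flags the signature as requiring HTTP state */` would make that dependency visible. Separately, `g_http_stat_msg_buffer_id` is taken from `DetectBufferTypeGetByName()` in `DetectHttpStatMsgRegister` without a check, then used as a list id in `DetectHttpStatMsgSetup` and as an array index in the tests. If the lookup can report failure with a negative value, a guard or assertion right after the assignment would be worth adding. The register function and the test bodies continue outside the hunks.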

@ -145,7 +145,6 @@ const char *DetectListToHumanString(int list)
CASE_CODE_STRING(DETECT_SM_LIST_HCBDMATCH, "http_client_body"); CASE_CODE_STRING(DETECT_SM_LIST_HCBDMATCH, "http_client_body");
CASE_CODE_STRING(DETECT_SM_LIST_HHDMATCH, "http_header"); CASE_CODE_STRING(DETECT_SM_LIST_HHDMATCH, "http_header");
CASE_CODE_STRING(DETECT_SM_LIST_HRHDMATCH, "http_raw_header"); CASE_CODE_STRING(DETECT_SM_LIST_HRHDMATCH, "http_raw_header");
CASE_CODE_STRING(DETECT_SM_LIST_HSMDMATCH, "http_stat_msg");
CASE_CODE_STRING(DETECT_SM_LIST_APP_EVENT, "app-layer-event"); CASE_CODE_STRING(DETECT_SM_LIST_APP_EVENT, "app-layer-event");
CASE_CODE_STRING(DETECT_SM_LIST_AMATCH, "app-layer"); CASE_CODE_STRING(DETECT_SM_LIST_AMATCH, "app-layer");
CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc"); CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc");
@ -180,7 +179,6 @@ const char *DetectListToString(int list)
CASE_CODE(DETECT_SM_LIST_HCBDMATCH); CASE_CODE(DETECT_SM_LIST_HCBDMATCH);
CASE_CODE(DETECT_SM_LIST_HHDMATCH); CASE_CODE(DETECT_SM_LIST_HHDMATCH);
CASE_CODE(DETECT_SM_LIST_HRHDMATCH); CASE_CODE(DETECT_SM_LIST_HRHDMATCH);
CASE_CODE(DETECT_SM_LIST_HSMDMATCH);
CASE_CODE(DETECT_SM_LIST_APP_EVENT); CASE_CODE(DETECT_SM_LIST_APP_EVENT);
CASE_CODE(DETECT_SM_LIST_AMATCH); CASE_CODE(DETECT_SM_LIST_AMATCH);
CASE_CODE(DETECT_SM_LIST_DMATCH); CASE_CODE(DETECT_SM_LIST_DMATCH);
@ -1424,14 +1422,6 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
"with flow:to_client or flow:from_server"); "with flow:to_client or flow:from_server");
SCReturnInt(0); SCReturnInt(0);
} }
} else if (fd->flags & FLOW_PKT_TOSERVER) {
/* check for uricontent + from_server/to_client */
if (s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use http_"
"server_body, http_stat_msg, http_stat_code "
"with flow:to_server or flow:from_client");
SCReturnInt(0);
}
} }
} }
} }
@ -1536,8 +1526,7 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
if (s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH] || if (s->init_data->smlists_tail[DETECT_SM_LIST_HRUDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH] || s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH] || s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH] || s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH])
s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH])
{ {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature combines packet " SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature combines packet "
"specific matches (like dsize, flags, ttl) with stream / " "specific matches (like dsize, flags, ttl) with stream / "
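Review bot: The first `SigValidate` hunk removes the branch that rejected a rule using the `http_stat_msg` list together with `flow:to_server` / `flow:from_client`, and no replacement is visible on the new side. The buffer is registered with `SIG_FLAG_TOCLIENT` only, so such a rule would presumably now load cleanly and never match, which is a silent detection gap instead of a load-time error. The same concern applies to the packet-keyword conflict test in the second `SigValidate` hunk and to the `SignatureIsIPOnly`, `SignatureIsPDOnly` and `SignatureIsDEOnly` deletions further down the page. If a generic check over registered buffer types covers these cases outside the hunks, a short comment at each removal site naming it, e.g. `/* http_stat_msg: covered by the generic buffer-type check */`, would let a reviewer confirm it; otherwise the checks should stay, keyed on the id from `DetectBufferTypeGetByName("http_stat_msg")`. `SigValidate` starts and ends outside these hunks.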

@ -478,10 +478,12 @@ static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr,
*sm_list = DetectPcreSetList(*sm_list, list); *sm_list = DetectPcreSetList(*sm_list, list);
break; break;
} }
case 'Y': case 'Y': {
/* snort's option */ /* snort's option */
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HSMDMATCH); int list = DetectBufferTypeGetByName("http_stat_msg");
*sm_list = DetectPcreSetList(*sm_list, list);
break; break;
}
case 'S': { case 'S': {
/* snort's option */ /* snort's option */
int list = DetectBufferTypeGetByName("http_stat_code"); int list = DetectBufferTypeGetByName("http_stat_code");
@ -684,8 +686,7 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
if (parsed_sm_list == DETECT_SM_LIST_HRUDMATCH || if (parsed_sm_list == DETECT_SM_LIST_HRUDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HCBDMATCH || parsed_sm_list == DETECT_SM_LIST_HCBDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HHDMATCH || parsed_sm_list == DETECT_SM_LIST_HHDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HRHDMATCH || parsed_sm_list == DETECT_SM_LIST_HRHDMATCH)
parsed_sm_list == DETECT_SM_LIST_HSMDMATCH)
{ {
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) { if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. " SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
@ -718,7 +719,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
case DETECT_SM_LIST_HRUDMATCH: case DETECT_SM_LIST_HRUDMATCH:
case DETECT_SM_LIST_HHDMATCH: case DETECT_SM_LIST_HHDMATCH:
case DETECT_SM_LIST_HRHDMATCH: case DETECT_SM_LIST_HRHDMATCH:
case DETECT_SM_LIST_HSMDMATCH:
s->flags |= SIG_FLAG_APPLAYER; s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP; s->alproto = ALPROTO_HTTP;
sm_list = parsed_sm_list; sm_list = parsed_sm_list;
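Review bot: With `/Y` now resolving to a dynamic id, `http_stat_msg` no longer takes the two visible `DetectPcreSetup` branches that reject a non-HTTP `s->alproto` and set `SIG_FLAG_APPLAYER` and `s->alproto = ALPROTO_HTTP`. Whether a default path for registered buffers does the same is not visible in these hunks; if it does not, a `pcre` with `/Y` in a rule for another protocol would be accepted. Also, the result of `DetectBufferTypeGetByName("http_stat_msg")` in the `'Y'` case is passed to `DetectPcreSetList` unchecked. The `'S'` case has the same shape, so a shared helper that validates the id would cover both. Both functions extend beyond the hunks.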

@ -1924,9 +1924,6 @@ int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s)
if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL) if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL)
return 0; return 0;
if (s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL) if (s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL)
return 0; return 0;
@ -2011,9 +2008,6 @@ static int SignatureIsPDOnly(const Signature *s)
if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL) if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL)
return 0; return 0;
if (s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL) if (s->init_data->smlists[DETECT_SM_LIST_AMATCH] != NULL)
return 0; return 0;
@ -2117,7 +2111,6 @@ static int SignatureIsDEOnly(DetectEngineCtx *de_ctx, const Signature *s)
s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL || s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL) s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL)
{ {
SCReturnInt(0); SCReturnInt(0);
@ -2291,11 +2284,6 @@ static int SignatureCreateMask(Signature *s)
SCLogDebug("sig requires http app state"); SCLogDebug("sig requires http app state");
} }
if (s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL) {
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
SCLogDebug("sig requires http app state");
}
SigMatch *sm; SigMatch *sm;
for (sm = s->init_data->smlists[DETECT_SM_LIST_AMATCH] ; sm != NULL; sm = sm->next) { for (sm = s->init_data->smlists[DETECT_SM_LIST_AMATCH] ; sm != NULL; sm = sm->next) {
switch(sm->type) { switch(sm->type) {

@ -123,8 +123,6 @@ enum DetectSigmatchListEnum {
DETECT_SM_LIST_HHDMATCH, DETECT_SM_LIST_HHDMATCH,
/* list for http_raw_header keyword and the ones relative to it */ /* list for http_raw_header keyword and the ones relative to it */
DETECT_SM_LIST_HRHDMATCH, DETECT_SM_LIST_HRHDMATCH,
/* list for http_stat_msg keyword and the ones relative to it */
DETECT_SM_LIST_HSMDMATCH,
/* app event engine sm list */ /* app event engine sm list */
DETECT_SM_LIST_APP_EVENT, DETECT_SM_LIST_APP_EVENT,
