From b8a0a0d6ea891d5ea40ca54bae9353d2ae0f3c72 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Mon, 26 Nov 2018 13:34:16 +0100
Subject: [PATCH] detect: add http.stat_code sticky buffer keyword

---
 src/detect-engine-register.h |  1 +
 src/detect-http-stat-code.c  | 25 +++++++++++++++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h
index dfe964b476..e0a5d9d394 100644
--- a/src/detect-engine-register.h
+++ b/src/detect-engine-register.h
@@ -136,6 +136,7 @@ enum {
     DETECT_AL_HTTP_STAT_MSG,
     DETECT_HTTP_STAT_MSG,
     DETECT_AL_HTTP_STAT_CODE,
+    DETECT_HTTP_STAT_CODE,
     DETECT_AL_HTTP_USER_AGENT,
     DETECT_HTTP_UA,
     DETECT_AL_HTTP_HOST,
diff --git a/src/detect-http-stat-code.c b/src/detect-http-stat-code.c
index 02ad637b4c..bf2cd16087 100644
--- a/src/detect-http-stat-code.c
+++ b/src/detect-http-stat-code.c
@@ -64,6 +64,7 @@
 #include "stream-tcp.h"
 
 static int DetectHttpStatCodeSetup(DetectEngineCtx *, Signature *, const char *);
+static int DetectHttpStatCodeSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str);
 #ifdef UNITTESTS
 static void DetectHttpStatCodeRegisterTests(void);
 #endif
@@ -77,6 +78,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
  */
 void DetectHttpStatCodeRegister (void)
 {
+    /* http_stat_code content modifier */
     sigmatch_table[DETECT_AL_HTTP_STAT_CODE].name = "http_stat_code";
     sigmatch_table[DETECT_AL_HTTP_STAT_CODE].desc = "content modifier to match only on HTTP stat-code-buffer";
     sigmatch_table[DETECT_AL_HTTP_STAT_CODE].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-stat-code";
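Review bot: The new forward declaration `static int DetectHttpStatCodeSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str);` names its parameters while the existing `DetectHttpStatCodeSetup` prototype on the line directly above omits them; keep the two prototypes in the same form, e.g. `static int DetectHttpStatCodeSetupSticky(DetectEngineCtx *, Signature *, const char *);`. This is style only; the definition later in the patch is unaffected.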
@@ -86,6 +88,13 @@ void DetectHttpStatCodeRegister (void)
 #endif
     sigmatch_table[DETECT_AL_HTTP_STAT_CODE].flags |= SIGMATCH_NOOPT;
 
+    /* http.stat_code content modifier */
+    sigmatch_table[DETECT_HTTP_STAT_CODE].name = "http.stat_code";
+    sigmatch_table[DETECT_HTTP_STAT_CODE].desc = "sticky buffer to match only on HTTP stat-code-buffer";
+    sigmatch_table[DETECT_HTTP_STAT_CODE].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http_stat-code";
+    sigmatch_table[DETECT_HTTP_STAT_CODE].Setup = DetectHttpStatCodeSetupSticky;
+    sigmatch_table[DETECT_HTTP_STAT_CODE].flags |= SIGMATCH_NOOPT;
+
     DetectAppLayerInspectEngineRegister2("http_stat_code", ALPROTO_HTTP,
             SIG_FLAG_TOCLIENT, HTP_RESPONSE_LINE,
             DetectEngineInspectBufferGeneric, GetData);
@@ -119,6 +128,22 @@ static int DetectHttpStatCodeSetup(DetectEngineCtx *de_ctx, Signature *s, const
             ALPROTO_HTTP);
 }
 
+/**
+ * \brief this function setup the http.stat_code keyword used in the rule
+ *
+ * \param de_ctx Pointer to the Detection Engine Context
+ * \param s Pointer to the Signature to which the current keyword belongs
+ * \param str Should hold an empty string always
+ *
+ * \retval 0 On success
+ */
+static int DetectHttpStatCodeSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
+{
+    DetectBufferSetActiveList(s, g_http_stat_code_buffer_id);
+    s->alproto = ALPROTO_HTTP;
+    return 0;
+}
+
 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
         const DetectEngineTransforms *transforms, Flow *_f,
         const uint8_t _flow_flags, void *txv, const int list_id)
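Review bot: The comment added above the new table entries, `/* http.stat_code content modifier */`, contradicts the `desc` string two lines below, which correctly describes `http.stat_code` as a sticky buffer; suggest `/* http.stat_code sticky buffer */`. The `url` anchor `#http_stat-code` mixes an underscore and a hyphen, unlike the existing `#http-stat-code` anchor used for the content modifier entry; unless the rules documentation really defines that anchor, it looks like a typo and should be checked against the docs page before merge. The new keyword also registers no unit tests, whereas the `DETECT_AL_HTTP_STAT_CODE` entry above has a `RegisterTests` hook under `#ifdef UNITTESTS`; a test that parses a rule using `http.stat_code` and confirms it selects the same buffer id as `http_stat_code` would cover the sticky path.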
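Review bot: The return value of `DetectBufferSetActiveList` is discarded in `DetectHttpStatCodeSetupSticky`, so a rule that already has another sticky buffer active is still accepted with `0` and may end up inspecting a different buffer than the rule author intended; the check should be `if (DetectBufferSetActiveList(s, g_http_stat_code_buffer_id) < 0) return -1;`. Assigning `s->alproto = ALPROTO_HTTP;` directly likewise overrides any app-layer protocol the signature already carries without reporting a conflict; if this tree already has the `DetectSignatureSetAppProto` helper from detect-parse.c, `if (DetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0) return -1;` is the safer form. The doc block should then gain `\retval -1 On failure`, and since `str` is never read and the keyword is registered with `SIGMATCH_NOOPT`, the `\param str` line is clearer as "ignored; the keyword takes no option" than "Should hold an empty string always".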