Add support for a new keyword to inspect http_host header.

The corresponding content keyword is http_host.
The corresponding pcre modifier is W.
pull/279/merge
Anoop Saldanha 13 years ago committed by Victor Julien
parent ebccb9ffcd
commit c4ce19a1be

@ -92,6 +92,7 @@ detect-engine-hsbd.c detect-engine-hsbd.h \
detect-engine-hscd.c detect-engine-hscd.h \
detect-engine-hsmd.c detect-engine-hsmd.h \
detect-engine-hua.c detect-engine-hua.h \
detect-engine-hhhd.c detect-engine-hhhd.h \
detect-engine-iponly.c detect-engine-iponly.h \
detect-engine-mpm.c detect-engine-mpm.h \
detect-engine-payload.c detect-engine-payload.h \
@ -124,6 +125,7 @@ detect-gid.c detect-gid.h \
detect-http-client-body.c detect-http-client-body.h \
detect-http-cookie.c detect-http-cookie.h \
detect-http-header.c detect-http-header.h \
detect-http-hh.c detect-http-hh.h \
detect-http-method.c detect-http-method.h \
detect-http-raw-header.c detect-http-raw-header.h \
detect-http-raw-uri.c detect-http-raw-uri.h \

@ -87,7 +87,7 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
break;
default:
pm = SigMatchGetLastSMFromLists(s, 24,
pm = SigMatchGetLastSMFromLists(s, 26,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
@ -99,13 +99,15 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]);
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "depth needs "
"preceding content, uricontent option, http_client_body, "
"http_server_body, http_header option, http_raw_header option, "
"http_method option, http_cookie, http_raw_uri, "
"http_stat_msg, http_stat_code or http_user_agent option");
"http_stat_msg, http_stat_code, http_user_agent or "
"http_host option");
if (dubbed)
SCFree(str);
return -1;
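Review bot: The `26` passed to SigMatchGetLastSMFromLists at the top of the second hunk is a hand-maintained count of the variadic pairs that follow, and every new buffer list forces the same edit in depth, distance, isdataat, nocase, offset, within and SigValidate. The SigValidate hunk in detect-parse.c, where the count moves from 14 to 24 while only one pair is added, looks like exactly the kind of drift this invites, if I read the hidden lines correctly. A sentinel-terminated variant or a macro that derives the count from the argument list would remove the hazard; failing that, a one-line comment such as `/* count = 2 * number of (type, list) pairs below */` at each call site would at least make the invariant visible. The enclosing switch and DetectDepthSetup continue outside the hunk.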

@ -162,7 +162,7 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
}
}
} else {
pm = SigMatchGetLastSMFromLists(s, 24,
pm = SigMatchGetLastSMFromLists(s, 26,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
@ -174,13 +174,14 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]);
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs "
"preceding content, uricontent option, http_client_body, "
"http_server_body, http_header, http_raw_header, http_method, "
"http_cookie, http_raw_uri, http_stat_msg, http_stat_code "
"or http_user_agent option");
"http_cookie, http_raw_uri, http_stat_msg, http_stat_code, "
"http_user_agent or http_host option");
if (dubbed)
SCFree(str);
return -1;

@ -39,6 +39,7 @@ enum {
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HSCD,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HSMD,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HUAD,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HHHD,
};
int DetectEngineContentInspection(DetectEngineCtx *,


@ -0,0 +1,34 @@
/* Copyright (C) 2007-2013 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/** \file
*
* \author Anoop Saldanha <anoopsaldanha@gmail.com>
*/
#ifndef __DETECT_ENGINE_HHHD_H__
#define __DETECT_ENGINE_HHHD_H__
#include "app-layer-htp.h"
int DetectEngineInspectHttpHH(ThreadVars *tv,
DetectEngineCtx *, DetectEngineThreadCtx *,
Signature *, Flow *, uint8_t, void *, int);
int DetectEngineRunHttpHHMpm(DetectEngineThreadCtx *, Flow *, HtpState *, uint8_t);
void DetectEngineHttpHHRegisterTests(void);
#endif /* __DETECT_ENGINE_HHHD_H__ */
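Review bot: The prototype of DetectEngineInspectHttpHH names only its first parameter (`ThreadVars *tv`) and leaves the other seven anonymous, which gives a reader of the header no hint what the `uint8_t`, `void *` and `int` arguments are. Either drop `tv` for consistency with the other two declarations in this file, or name every parameter as in the definition so the header documents the call. A short Doxygen block on each of the three declarations stating what is inspected and what the return value means would also help, since the implementation file is not shown here.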

@ -636,6 +636,41 @@ uint32_t HttpUAPatternSearch(DetectEngineThreadCtx *det_ctx,
SCReturnUInt(ret);
}
/**
* \brief Http host header match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param hh Host header to inspect.
* \param hh_len Host header buffer length.
* \param flags Flags
*
* \retval ret Number of matches.
*/
uint32_t HttpHHPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *hh, uint32_t hh_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
if (flags & STREAM_TOSERVER) {
if (det_ctx->sgh->mpm_hhhd_ctx_ts == NULL)
SCReturnUInt(0);
ret = mpm_table[det_ctx->sgh->mpm_hhhd_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_hhhd_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, hh, hh_len);
} else {
if (det_ctx->sgh->mpm_hhhd_ctx_tc == NULL)
SCReturnUInt(0);
ret = mpm_table[det_ctx->sgh->mpm_hhhd_ctx_tc->mpm_type].
Search(det_ctx->sgh->mpm_hhhd_ctx_tc, &det_ctx->mtcu,
&det_ctx->pmq, hh, hh_len);
}
SCReturnUInt(ret);
}
/** \brief Pattern match -- searches for only one pattern per signature.
*
* \param det_ctx detection engine thread ctx
@ -1455,6 +1490,7 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
case DETECT_SM_LIST_HSMDMATCH:
case DETECT_SM_LIST_HSCDMATCH:
case DETECT_SM_LIST_HUADMATCH:
case DETECT_SM_LIST_HHHDMATCH:
{
MpmCtx *mpm_ctx_ts = NULL;
MpmCtx *mpm_ctx_tc = NULL;
@ -1562,6 +1598,15 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
sig_flags |= SIG_FLAG_MPM_HTTP;
if (cd->flags & DETECT_CONTENT_NEGATED)
sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
} else if (sm_list == DETECT_SM_LIST_HHHDMATCH) {
if (s->flags & SIG_FLAG_TOSERVER)
mpm_ctx_ts = sgh->mpm_hhhd_ctx_ts;
if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_hhhd_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HHHD;
sig_flags |= SIG_FLAG_MPM_HTTP;
if (cd->flags & DETECT_CONTENT_NEGATED)
sig_flags |= SIG_FLAG_MPM_HTTP_NEG;
}
if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
@ -1827,6 +1872,8 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
uint32_t has_co_hscd = 0;
/* used to indicate if sgh has atleast one sig with http_user_agent */
uint32_t has_co_huad = 0;
/* used to indicate if sgh has atleast one sig with http_host */
uint32_t has_co_hhhd = 0;
//uint32_t cnt = 0;
uint32_t sig = 0;
@ -1886,6 +1933,10 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
if (s->sm_lists[DETECT_SM_LIST_HUADMATCH] != NULL) {
has_co_huad = 1;
}
if (s->sm_lists[DETECT_SM_LIST_HHHDMATCH] != NULL) {
has_co_hhhd = 1;
}
}
/* intialize contexes */
@ -2210,6 +2261,28 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
#endif
}
if (has_co_hhhd) {
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) {
sh->mpm_hhhd_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_hhhd, 0);
sh->mpm_hhhd_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_hhhd, 1);
} else {
sh->mpm_hhhd_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0);
sh->mpm_hhhd_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx, MPM_CTX_FACTORY_UNIQUE_CONTEXT, 1);
}
if (sh->mpm_hhhd_ctx_ts == NULL || sh->mpm_hhhd_ctx_tc == NULL) {
SCLogDebug("sh->mpm_hhhd_ctx == NULL. This should never happen");
exit(EXIT_FAILURE);
}
#ifndef __SC_CUDA_SUPPORT__
MpmInitCtx(sh->mpm_hhhd_ctx_ts, de_ctx->mpm_matcher, -1);
MpmInitCtx(sh->mpm_hhhd_ctx_tc, de_ctx->mpm_matcher, -1);
#else
MpmInitCtx(sh->mpm_hhhd_ctx_ts, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle);
MpmInitCtx(sh->mpm_hhhd_ctx_tc, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle);
#endif
}
if (has_co_packet ||
has_co_stream ||
has_co_uri ||
@ -2222,7 +2295,8 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
has_co_hsmd ||
has_co_hscd ||
has_co_hrud ||
has_co_huad) {
has_co_huad ||
has_co_hhhd) {
PatternMatchPreparePopulateMpm(de_ctx, sh);
@ -2567,6 +2641,28 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
}
}
}
if (sh->mpm_hhhd_ctx_ts != NULL) {
if (sh->mpm_hhhd_ctx_ts->pattern_cnt == 0) {
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hhhd_ctx_ts);
sh->mpm_hhhd_ctx_ts = NULL;
} else {
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
if (mpm_table[sh->mpm_hhhd_ctx_ts->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_hhhd_ctx_ts->mpm_type].Prepare(sh->mpm_hhhd_ctx_ts);
}
}
}
if (sh->mpm_hhhd_ctx_tc != NULL) {
if (sh->mpm_hhhd_ctx_tc->pattern_cnt == 0) {
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hhhd_ctx_tc);
sh->mpm_hhhd_ctx_tc = NULL;
} else {
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) {
if (mpm_table[sh->mpm_hhhd_ctx_tc->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_hhhd_ctx_tc->mpm_type].Prepare(sh->mpm_hhhd_ctx_tc);
}
}
}
//} /* if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) */
} else {
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_proto_other_ctx);
@ -2598,6 +2694,8 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
sh->mpm_hscd_ctx_ts = NULL;
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_huad_ctx_ts);
sh->mpm_huad_ctx_ts = NULL;
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hhhd_ctx_ts);
sh->mpm_hhhd_ctx_ts = NULL;
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_proto_tcp_ctx_tc);
sh->mpm_proto_tcp_ctx_tc = NULL;
@ -2625,6 +2723,8 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
sh->mpm_hscd_ctx_tc = NULL;
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_huad_ctx_tc);
sh->mpm_huad_ctx_tc = NULL;
MpmFactoryReClaimMpmCtx(de_ctx, sh->mpm_hhhd_ctx_tc);
sh->mpm_hhhd_ctx_tc = NULL;
}
return 0;
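Review bot: In the PatternMatchPrepareGroup hunk, the `sh->mpm_hhhd_ctx_ts == NULL || sh->mpm_hhhd_ctx_tc == NULL` check calls `exit(EXIT_FAILURE)` after a message logged only with SCLogDebug, so a production build terminates with no explanation of why. Since the process is being aborted, the message should go through SCLogError with the appropriate SC_ERR_ code, and the same applies to the existing sibling blocks this one mirrors. Separately, the hunk allocates and prepares both a to-server and a to-client hhhd context, while the detect-engine-state.c hunk registers the HHHD inspection engine only in the to-server table; if Host is only ever inspected on requests, the `_tc` context appears to be dead weight, which is worth confirming. PatternMatchPrepareGroup begins well before these hunks.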

@ -49,6 +49,7 @@ uint32_t HttpRawUriPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, u
uint32_t HttpStatMsgPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
uint32_t HttpStatCodePatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
uint32_t HttpUAPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
uint32_t HttpHHPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
void PacketPatternCleanup(ThreadVars *, DetectEngineThreadCtx *);
void StreamPatternCleanup(ThreadVars *t, DetectEngineThreadCtx *det_ctx, StreamMsg *smsg);

@ -67,6 +67,7 @@
#include "detect-engine-hsmd.h"
#include "detect-engine-hscd.h"
#include "detect-engine-hua.h"
#include "detect-engine-hhhd.h"
#include "detect-engine-dcepayload.h"
#include "detect-engine-file.h"

@ -68,6 +68,7 @@
#define DE_STATE_FLAG_HSMD_MATCH 1 << 14 /**< hsmd payload inspection part matched */
#define DE_STATE_FLAG_HSCD_MATCH 1 << 15 /**< hscd payload inspection part matched */
#define DE_STATE_FLAG_HUAD_MATCH 1 << 16 /**< huad payload inspection part matched */
#define DE_STATE_FLAG_HHHD_MATCH 1 << 17 /**< hhhd payload inspection part matched */
#define DE_STATE_FLAG_URI_INSPECT DE_STATE_FLAG_URI_MATCH /**< uri part of the sig inspected */
#define DE_STATE_FLAG_DCE_INSPECT DE_STATE_FLAG_DCE_MATCH /**< dce payload inspection part inspected */
@ -83,6 +84,7 @@
#define DE_STATE_FLAG_HSMD_INSPECT DE_STATE_FLAG_HSMD_MATCH /**< hsmd payload inspection part inspected */
#define DE_STATE_FLAG_HSCD_INSPECT DE_STATE_FLAG_HSCD_MATCH /**< hscd payload inspection part inspected */
#define DE_STATE_FLAG_HUAD_INSPECT DE_STATE_FLAG_HUAD_MATCH /**< huad payload inspection part inspected */
#define DE_STATE_FLAG_HHHD_INSPECT DE_STATE_FLAG_HHHD_MATCH /**< hhhd payload inspection part inspected */
/* state flags */
#define DE_STATE_FILE_STORE_DISABLED 0x0001
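Review bot: `#define DE_STATE_FLAG_HHHD_MATCH 1 << 17` leaves the shift unparenthesized, so an expression such as `flags &= ~DE_STATE_FLAG_HHHD_MATCH` expands to `(~1) << 17`, clearing the low 17 bits instead of bit 17; the `_INSPECT` alias inherits the same hazard. Define it as `#define DE_STATE_FLAG_HHHD_MATCH (1 << 17)`. The neighbouring flags written in the same style have the same problem, but the new line is the one under review.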

@ -53,6 +53,7 @@
#include "detect-engine-hsmd.h"
#include "detect-engine-hscd.h"
#include "detect-engine-hua.h"
#include "detect-engine-hhhd.h"
#include "detect-engine-file.h"
#include "detect-engine.h"
@ -200,6 +201,12 @@ void DetectEngineRegisterAppInspectionEngines(void)
DE_STATE_FLAG_HUAD_MATCH,
0,
DetectEngineInspectHttpUA },
{ ALPROTO_HTTP,
DETECT_SM_LIST_HHHDMATCH,
DE_STATE_FLAG_HHHD_INSPECT,
DE_STATE_FLAG_HHHD_MATCH,
0,
DetectEngineInspectHttpHH },
};
struct tmp_t data_toclient[] = {



@ -0,0 +1,29 @@
/* Copyright (C) 2007-2013 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Anoop Saldanha <anoopsaldanha@gmail.com>
*/
#ifndef __DETECT_HTTP_HH_H__
#define __DETECT_HTTP_HH_H__
void DetectHttpHHRegister(void);
#endif /* __DETECT_HTTP_HH_H__ */

@ -353,7 +353,7 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
}
return 0;
}
pm = SigMatchGetLastSMFromLists(s, 56,
pm = SigMatchGetLastSMFromLists(s, 60,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
@ -366,6 +366,7 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
@ -376,6 +377,7 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
@ -389,7 +391,8 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
"http_client_body, http_header, http_raw_header, "
"http_method, http_cookie, http_raw_uri, "
"http_stat_msg, http_stat_code, byte_test, "
"byte_extract, byte_jump or http_user_agent keyword");
"byte_extract, byte_jump, http_user_agent or "
"http_host keyword");
goto error;
} else {
int list_type = SigMatchListSMBelongsTo(s, pm);

@ -76,7 +76,7 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls
}
/* Search for the first previous SigMatch that supports nocase */
SigMatch *pm = SigMatchGetLastSMFromLists(s, 24,
SigMatch *pm = SigMatchGetLastSMFromLists(s, 26,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
@ -88,13 +88,14 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]);
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_NOCASE_MISSING_PATTERN, "\"nocase\" needs a preceding "
"content, uricontent, http_client_body, http_server_body, "
"http_header, http_method, http_uri, http_cookie, "
"http_raw_uri, http_stat_msg, http_stat_code or http_user_agent "
"option");
"http_raw_uri, http_stat_msg, http_stat_code, "
"http_user_agent or http_host option");
SCReturnInt(-1);
}

@ -85,7 +85,7 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
break;
default:
pm = SigMatchGetLastSMFromLists(s, 24,
pm = SigMatchGetLastSMFromLists(s, 26,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
@ -97,13 +97,15 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]);
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs "
"preceding content or uricontent option, http_client_body, "
"http_header, http_raw_header, http_method, "
"http_cookie, http_raw_uri, http_stat_msg, "
"http_stat_code or http_user_agent option");
"http_stat_code, http_user_agent or "
"http_host option");
if (dubbed)
SCFree(str);
return -1;

@ -33,6 +33,7 @@
#include "detect-engine-mpm.h"
#include "detect-content.h"
#include "detect-pcre.h"
#include "detect-uricontent.h"
#include "detect-reference.h"
#include "detect-ipproto.h"
@ -1080,8 +1081,30 @@ static int SigValidate(Signature *s) {
}
}
if (s->sm_lists[DETECT_SM_LIST_HHHDMATCH] != NULL) {
for (SigMatch *sm = s->sm_lists[DETECT_SM_LIST_HHHDMATCH];
sm != NULL; sm = sm->next) {
if (sm->type == DETECT_CONTENT) {
DetectContentData *cd = (DetectContentData *)sm->ctx;
if (!(cd->flags & DETECT_CONTENT_NOCASE)) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_host keyword "
"requires the \"nocase\" modifier to be set.");
SCReturnInt(0);
}
} else if (sm->type == DETECT_PCRE) {
DetectPcreData *pd = (DetectPcreData *)sm->ctx;
if (!(pd->flags & DETECT_PCRE_CASELESS)) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "pcre http_host "
"modifier requires the nocase modifier "
"\"i\"to be set");
SCReturnInt(0);
}
}
}
}
if (s->flags & SIG_FLAG_REQUIRE_PACKET) {
SigMatch *pm = SigMatchGetLastSMFromLists(s, 14,
SigMatch *pm = SigMatchGetLastSMFromLists(s, 24,
DETECT_REPLACE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_REPLACE, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_REPLACE, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
@ -1092,7 +1115,8 @@ static int SigValidate(Signature *s) {
DETECT_REPLACE, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_REPLACE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_REPLACE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_REPLACE, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]);
DETECT_REPLACE, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_REPLACE, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]);
if (pm != NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature has"
" replace keyword linked with a modified content"
@ -1111,7 +1135,8 @@ static int SigValidate(Signature *s) {
s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH] ||
s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH] ||
s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH] ||
s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH])
s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH] ||
s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH])
{
SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature combines packet "
"specific matches (like dsize, flags, ttl) with stream / "
@ -1260,6 +1285,8 @@ static Signature *SigInitHelper(DetectEngineCtx *de_ctx, char *sigstr,
sig->flags |= SIG_FLAG_STATE_MATCH;
if (sig->sm_lists[DETECT_SM_LIST_HUADMATCH])
sig->flags |= SIG_FLAG_STATE_MATCH;
if (sig->sm_lists[DETECT_SM_LIST_HHHDMATCH])
sig->flags |= SIG_FLAG_STATE_MATCH;
if (!(sig->init_flags & SIG_FLAG_INIT_FLOW)) {
sig->flags |= SIG_FLAG_TOSERVER;
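Review bot: The pcre branch of the new HHHD validation in SigValidate emits `"\"i\"to be set"` with no space after the closing quote; change the literal to `"\"i\" to be set");`. The content branch's wording ("the \"nocase\" modifier") and the pcre branch's ("the nocase modifier \"i\"") could also be aligned so both errors read the same way. Note that the same hunk changes the DETECT_REPLACE lookup count from 14 to 24 while adding only one pair, which appears to correct a pre-existing undercount; that is a separate fix worth calling out in the commit message. SigValidate starts and ends outside these hunks.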

@ -334,6 +334,7 @@ DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr)
case 'i':
opts |= PCRE_CASELESS;
pd->flags |= DETECT_PCRE_CASELESS;
break;
case 'm':
opts |= PCRE_MULTILINE;
@ -385,6 +386,13 @@ DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr)
}
pd->flags |= DETECT_PCRE_HTTP_USER_AGENT;
break;
case 'W':
if (pd->flags & DETECT_PCRE_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'W' inconsistent with 'B'");
goto error;
}
pd->flags |= DETECT_PCRE_HTTP_HOST;
break;
case 'H': /* snort's option */
if (pd->flags & DETECT_PCRE_RAW_HEADER) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'H' inconsistent with 'D'");
@ -636,7 +644,8 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
(pd->flags & DETECT_PCRE_HTTP_CLIENT_BODY) ||
(pd->flags & DETECT_PCRE_HTTP_SERVER_BODY) ||
(pd->flags & DETECT_PCRE_HTTP_RAW_URI) ||
(pd->flags & DETECT_PCRE_HTTP_USER_AGENT) ) {
(pd->flags & DETECT_PCRE_HTTP_USER_AGENT) ||
(pd->flags & DETECT_PCRE_HTTP_HOST) ) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
"DCERPC rule has pcre keyword with http related modifier.");
goto error;
@ -689,6 +698,17 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
s->alproto = ALPROTO_HTTP;
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HUADMATCH);
} else if (pd->flags & DETECT_PCRE_HTTP_HOST) {
SCLogDebug("Host inspection modifier set on pcre");
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains "
"conflicting keywords.");
goto error;
}
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HHHDMATCH);
} else if (pd->flags & DETECT_PCRE_METHOD) {
//sm->type = DETECT_PCRE_HTTPMETHOD;
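Review bot: The new `case 'W'` in DetectPcreParse rejects only the combination with 'B', so a regex carrying 'W' together with another HTTP buffer modifier is not refused here, and the else-if chain in DetectPcreSetup would then silently attach the match to whichever buffer is tested first. If the other HTTP cases follow the same pattern (the visible 'H' case checks only 'D'), this is a pre-existing gap that the new modifier widens; a single post-parse check that at most one buffer flag is set would close it. Adding 'W' to the comment or docstring that lists the supported modifiers, if one exists above the switch, would also help rule writers.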

@ -46,9 +46,11 @@
#define DETECT_PCRE_HTTP_STAT_MSG 0x04000
#define DETECT_PCRE_HTTP_STAT_CODE 0x08000
#define DETECT_PCRE_HTTP_USER_AGENT 0x10000
#define DETECT_PCRE_HTTP_HOST 0x20000
#define DETECT_PCRE_NEGATE 0x20000
#define DETECT_PCRE_NEGATE 0x40000
#define DETECT_PCRE_CASELESS 0x80000
typedef struct DetectPcreData_ {
/* pcre options */
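Review bot: This hunk renumbers DETECT_PCRE_NEGATE from 0x20000 to 0x40000 and adds DETECT_PCRE_CASELESS at 0x80000, so twenty bits of `flags` are now in use; the DetectPcreData_ struct that holds `flags` begins just below the hunk and its field width is not visible, so please confirm it is at least 32 bits. A comment such as `/* bits 0..19 in use; flags must be a 32-bit type */` next to the definitions would keep the next addition honest. Since an existing constant changes value, any unit test or debug output that compares the raw flag value would need updating too.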

@ -165,7 +165,7 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi
}
}
} else {
pm = SigMatchGetLastSMFromLists(s, 24,
pm = SigMatchGetLastSMFromLists(s, 26,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
@ -177,14 +177,15 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]);
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]);
if (pm == NULL) {
SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "\"within\" requires "
"preceding content, uricontent, http_client_body, "
"http_server_body, http_header, http_raw_header, "
"http_method, http_cookie, http_raw_uri, "
"http_stat_msg, http_stat_code or http_user_agent "
"option");
"http_stat_msg, http_stat_code, http_user_agent or "
"http_host option");
if (dubbed)
SCFree(str);
return -1;

@ -52,6 +52,7 @@
#include "detect-http-cookie.h"
#include "detect-http-method.h"
#include "detect-http-ua.h"
#include "detect-http-hh.h"
#include "detect-engine-event.h"
#include "decode.h"
@ -136,6 +137,7 @@
#include "detect-engine-hsmd.h"
#include "detect-engine-hscd.h"
#include "detect-engine-hua.h"
#include "detect-engine-hhhd.h"
#include "detect-byte-extract.h"
#include "detect-file-data.h"
#include "detect-pkt-data.h"
@ -1012,6 +1014,11 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
DetectEngineRunHttpUAMpm(det_ctx, p->flow, alstate, flags);
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HUAD);
}
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HHHD) {
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HHHD);
DetectEngineRunHttpHHMpm(det_ctx, p->flow, alstate, flags);
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HHHD);
}
} else { /* implied FLOW_PKT_TOCLIENT */
if ((p->flowflags & FLOW_PKT_TOCLIENT) && (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HSBD)) {
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HSBD);
@ -1963,6 +1970,9 @@ int SignatureIsIPOnly(DetectEngineCtx *de_ctx, Signature *s) {
if (s->sm_lists[DETECT_SM_LIST_HUADMATCH] != NULL)
return 0;
if (s->sm_lists[DETECT_SM_LIST_HHHDMATCH] != NULL)
return 0;
if (s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL)
return 0;
@ -2060,7 +2070,8 @@ static int SignatureIsDEOnly(DetectEngineCtx *de_ctx, Signature *s) {
s->sm_lists[DETECT_SM_LIST_HSMDMATCH] != NULL ||
s->sm_lists[DETECT_SM_LIST_HSCDMATCH] != NULL ||
s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL ||
s->sm_lists[DETECT_SM_LIST_HUADMATCH] != NULL)
s->sm_lists[DETECT_SM_LIST_HUADMATCH] != NULL ||
s->sm_lists[DETECT_SM_LIST_HHHDMATCH] != NULL)
{
SCReturnInt(0);
}
@ -2223,6 +2234,11 @@ static int SignatureCreateMask(Signature *s) {
SCLogDebug("sig requires http app state");
}
if (s->sm_lists[DETECT_SM_LIST_HHHDMATCH] != NULL) {
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
SCLogDebug("sig requires http app state");
}
SigMatch *sm;
for (sm = s->sm_lists[DETECT_SM_LIST_AMATCH] ; sm != NULL; sm = sm->next) {
switch(sm->type) {
@ -2389,6 +2405,9 @@ static void SigInitStandardMpmFactoryContexts(DetectEngineCtx *de_ctx)
de_ctx->sgh_mpm_context_huad =
MpmFactoryRegisterMpmCtxProfile(de_ctx, "huad",
MPM_CTX_FACTORY_FLAGS_PREPARE_WITH_SIG_GROUP_BUILD);
de_ctx->sgh_mpm_context_hhhd =
MpmFactoryRegisterMpmCtxProfile(de_ctx, "hhhd",
MPM_CTX_FACTORY_FLAGS_PREPARE_WITH_SIG_GROUP_BUILD);
de_ctx->sgh_mpm_context_app_proto_detect =
MpmFactoryRegisterMpmCtxProfile(de_ctx, "app_proto_detect", 0);
@ -4567,6 +4586,18 @@ int SigGroupBuild (DetectEngineCtx *de_ctx) {
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
}
//printf("huad- %d\n", mpm_ctx->pattern_cnt);
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_hhhd, 0);
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
}
//printf("hhhd- %d\n", mpm_ctx->pattern_cnt);
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_hhhd, 1);
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
}
//printf("hhhd- %d\n", mpm_ctx->pattern_cnt);
}
// SigAddressPrepareStage5(de_ctx);
@ -4783,6 +4814,7 @@ void SigTableSetup(void) {
DetectFilesizeRegister();
DetectAppLayerEventRegister();
DetectHttpUARegister();
DetectHttpHHRegister();
DetectLuajitRegister();
DetectIPRepRegister();
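Review bot: The SigGroupBuild hunk copies two commented-out `//printf("hhhd- %d\n", mpm_ctx->pattern_cnt);` lines along with the new Prepare calls; commented-out code should not be added, so either drop both lines or turn them into SCLogDebug calls if the count is useful when debugging. The rest of the section (DetectMpmPrefilter, SignatureIsIPOnly, SignatureIsDEOnly, SignatureCreateMask and the factory context registration) follows the existing per-buffer pattern consistently. SigGroupBuild starts and ends outside the hunk.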

@ -107,6 +107,8 @@ enum {
DETECT_SM_LIST_HSCDMATCH,
/* list for http_user_agent keyword and the ones relative to it */
DETECT_SM_LIST_HUADMATCH,
/* list for http_host keyword and the ones relative to it */
DETECT_SM_LIST_HHHDMATCH,
DETECT_SM_LIST_FILEMATCH,
@ -670,6 +672,7 @@ typedef struct DetectEngineCtx_ {
int32_t sgh_mpm_context_hsmd;
int32_t sgh_mpm_context_hscd;
int32_t sgh_mpm_context_huad;
int32_t sgh_mpm_context_hhhd;
int32_t sgh_mpm_context_app_proto_detect;
/* the max local id used amongst all sigs */
@ -884,8 +887,9 @@ typedef struct SigTableElmt_ {
#define SIG_GROUP_HEAD_MPM_HSMD (1 << 16)
#define SIG_GROUP_HEAD_MPM_HSCD (1 << 17)
#define SIG_GROUP_HEAD_MPM_HUAD (1 << 18)
#define SIG_GROUP_HEAD_HAVEFILEMD5 (1 << 19)
#define SIG_GROUP_HEAD_HAVEFILESIZE (1 << 20)
#define SIG_GROUP_HEAD_MPM_HHHD (1 << 19)
#define SIG_GROUP_HEAD_HAVEFILEMD5 (1 << 20)
#define SIG_GROUP_HEAD_HAVEFILESIZE (1 << 21)
typedef struct SigGroupHeadInitData_ {
/* list of content containers
@ -944,6 +948,7 @@ typedef struct SigGroupHead_ {
MpmCtx *mpm_hsmd_ctx_ts;
MpmCtx *mpm_hscd_ctx_ts;
MpmCtx *mpm_huad_ctx_ts;
MpmCtx *mpm_hhhd_ctx_ts;
MpmCtx *mpm_proto_tcp_ctx_tc;
MpmCtx *mpm_proto_udp_ctx_tc;
@ -959,6 +964,7 @@ typedef struct SigGroupHead_ {
MpmCtx *mpm_hsmd_ctx_tc;
MpmCtx *mpm_hscd_ctx_tc;
MpmCtx *mpm_huad_ctx_tc;
MpmCtx *mpm_hhhd_ctx_tc;
uint16_t mpm_uricontent_maxlen;
@ -1069,6 +1075,7 @@ enum {
DETECT_AL_HTTP_STAT_MSG,
DETECT_AL_HTTP_STAT_CODE,
DETECT_AL_HTTP_USER_AGENT,
DETECT_AL_HTTP_HOST,
DETECT_AL_SSH_PROTOVERSION,
DETECT_AL_SSH_SOFTWAREVERSION,
DETECT_AL_SSL_VERSION,
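Review bot: The SIG_GROUP_HEAD hunk inserts SIG_GROUP_HEAD_MPM_HHHD at bit 19 and shifts SIG_GROUP_HEAD_HAVEFILEMD5 and SIG_GROUP_HEAD_HAVEFILESIZE to bits 20 and 21; the SigGroupHead_ field those flags live in is not shown, so confirm it is a 32-bit type. Renumbering existing flags is harmless within one binary, but any test or debug output that compares the raw values would need to follow. Appending the new flag after the existing ones, rather than in the middle, would avoid touching the old values at all.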

@ -281,6 +281,7 @@ typedef enum PacketProfileDetectId_ {
PROF_DETECT_MPM_HSMD,
PROF_DETECT_MPM_HSCD,
PROF_DETECT_MPM_HUAD,
PROF_DETECT_MPM_HHHD,
PROF_DETECT_IPONLY,
PROF_DETECT_RULES,
PROF_DETECT_STATEFUL,
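Review bot: PROF_DETECT_MPM_HHHD is inserted into PacketProfileDetectId_ between MPM_HUAD and IPONLY, which shifts the numeric value of every later member; if a parallel name table or switch maps these ids to strings for profiling output, it needs the matching entry, and that file is not part of this page. A brief comment on the enum, such as `/* keep in sync with the id-to-name mapping */`, would make the coupling visible to the next person adding a buffer.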

@ -79,6 +79,7 @@
#include "detect-engine-hsmd.h"
#include "detect-engine-hscd.h"
#include "detect-engine-hua.h"
#include "detect-engine-hhhd.h"
#include "detect-engine-state.h"
#include "detect-engine-tag.h"
#include "detect-fast-pattern.h"
@ -1690,6 +1691,7 @@ int main(int argc, char **argv)
DetectEngineHttpStatMsgRegisterTests();
DetectEngineHttpStatCodeRegisterTests();
DetectEngineHttpUARegisterTests();
DetectEngineHttpHHRegisterTests();
DetectEngineRegisterTests();
SCLogRegisterTests();
SMTPParserRegisterTests();
