aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

detect: add http.response_body sticky buffer

Browse Source 
As a mirror of the http_server_body content modifier.
pull/3632/head
Victor Julien 7 years ago
parent 998f32f88c
commit ca8471387a
3 changed files with 69 additions and 1 deletions
Show Stats Download Patch File Download Diff File

1
src/detect-engine-register.h
Unescape Escape View File

@ -121,6 +121,7 @@ enum {
DETECT_AL_HTTP_CLIENT_BODY,
DETECT_HTTP_REQUEST_BODY,
DETECT_AL_HTTP_SERVER_BODY,
DETECT_HTTP_RESPONSE_BODY,
DETECT_AL_HTTP_HEADER,
DETECT_HTTP_HEADER,
DETECT_AL_HTTP_HEADER_NAMES,

32
src/detect-http-server-body.c
Unescape Escape View File

@ -60,6 +60,7 @@
#include "stream-tcp.h"
static int DetectHttpServerBodySetup(DetectEngineCtx *, Signature *, const char *);
static int DetectHttpServerBodySetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str);
#ifdef UNITTESTS
static void DetectHttpServerBodyRegisterTests(void);
#endif
@ -70,14 +71,25 @@ static int g_file_data_buffer_id = 0;
*/
void DetectHttpServerBodyRegister(void)
{
/* http_server_body content modifier */
sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].name = "http_server_body";
sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].desc = "content modifier to match only on the HTTP response-body";
sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].desc = "content modifier to match on the HTTP response-body";
sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-server-body";
sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].Setup = DetectHttpServerBodySetup;
#ifdef UNITTESTS
sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].RegisterTests = DetectHttpServerBodyRegisterTests;
#endif
sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].flags |= SIGMATCH_INFO_CONTENT_MODIFIER;
sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].alternative = DETECT_HTTP_RESPONSE_BODY;
/* http.request_body sticky buffer */
sigmatch_table[DETECT_HTTP_RESPONSE_BODY].name = "http.response_body";
sigmatch_table[DETECT_HTTP_RESPONSE_BODY].desc = "sticky buffer to match the HTTP response body buffer";
sigmatch_table[DETECT_HTTP_RESPONSE_BODY].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-server-body";
sigmatch_table[DETECT_HTTP_RESPONSE_BODY].Setup = DetectHttpServerBodySetupSticky;
sigmatch_table[DETECT_HTTP_RESPONSE_BODY].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_HTTP_RESPONSE_BODY].flags |= SIGMATCH_INFO_STICKY_BUFFER;
g_file_data_buffer_id = DetectBufferTypeRegister("file_data");
}
@ -103,6 +115,24 @@ int DetectHttpServerBodySetup(DetectEngineCtx *de_ctx, Signature *s, const char
ALPROTO_HTTP);
}
/**
* \brief this function setup the http.response_body keyword used in the rule
*
* \param de_ctx Pointer to the Detection Engine Context
* \param s Pointer to the Signature to which the current keyword belongs
* \param str Should hold an empty string always
*
* \retval 0 On success
*/
static int DetectHttpServerBodySetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
if (DetectBufferSetActiveList(s, g_file_data_buffer_id) < 0)
return -1;
if (DetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)
return -1;
return 0;
}
/************************************Unittests*********************************/
#ifdef UNITTESTS

37
src/tests/detect-http-server-body.c
Unescape Escape View File

@ -29,6 +29,40 @@
#include "../flow.h"
#include "../detect.h"
/**
* \test Test parser accepting valid rules and rejecting invalid rules
*/
static int DetectHttpServerBodyParserTest01(void)
{
FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; http_server_body; sid:1;)", true));
FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; nocase; http_server_body; sid:1;)", true));
FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; endswith; http_server_body; sid:1;)", true));
FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; startswith; http_server_body; sid:1;)", true));
FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; startswith; endswith; http_server_body; sid:1;)", true));
FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; rawbytes; http_server_body; sid:1;)", false));
FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_client; http_server_body; sid:1;)", false));
FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_client; content:\"abc\"; http_server_body; sid:1;)", false));
PASS;
}
/**
* \test Test parser accepting valid rules and rejecting invalid rules
*/
static int DetectHttpServerBodyParserTest02(void)
{
FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; sid:1;)", true));
FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; nocase; sid:1;)", true));
FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; endswith; sid:1;)", true));
FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; startswith; sid:1;)", true));
FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; startswith; endswith; sid:1;)", true));
FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; bsize:10; sid:1;)", true));
FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; rawbytes; sid:1;)", false));
FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_client; http.response_body; sid:1;)", false));
FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_client; http.response_body; content:\"abc\"; sid:1;)", false));
PASS;
}
struct TestSteps {
const uint8_t *input;
size_t input_size; /**< if 0 strlen will be used */
@ -9059,6 +9093,9 @@ end:
void DetectHttpServerBodyRegisterTests(void)
{
UtRegisterTest("DetectHttpServerBodyParserTest01", DetectHttpServerBodyParserTest01);
UtRegisterTest("DetectHttpServerBodyParserTest02", DetectHttpServerBodyParserTest02);
UtRegisterTest("DetectHttpServerBodyTest01", DetectHttpServerBodyTest01);
UtRegisterTest("DetectHttpServerBodyTest02", DetectHttpServerBodyTest02);
UtRegisterTest("DetectHttpServerBodyTest03", DetectHttpServerBodyTest03);

Write Preview
Loading…
Cancel
Save