http_method: make list dynamic

Victor Julien 9 years ago
parent 6bd37611ee
commit e34102d67a

@ -120,8 +120,6 @@ void EngineAnalysisFP(Signature *s, char *line)
fprintf(fp_engine_analysis_FD, "http header content\n");
else if (list_type == DETECT_SM_LIST_HRHDMATCH)
fprintf(fp_engine_analysis_FD, "http raw header content\n");
else if (list_type == DETECT_SM_LIST_HMDMATCH)
fprintf(fp_engine_analysis_FD, "http method content\n");
else if (list_type == DETECT_SM_LIST_HCDMATCH)
fprintf(fp_engine_analysis_FD, "http cookie content\n");
else if (list_type == DETECT_SM_LIST_HCBDMATCH)
@ -474,8 +472,6 @@ static void EngineAnalysisRulesPrintFP(const Signature *s)
fprintf(rule_engine_analysis_FD, "http header content");
else if (list_type == DETECT_SM_LIST_HRHDMATCH)
fprintf(rule_engine_analysis_FD, "http raw header content");
else if (list_type == DETECT_SM_LIST_HMDMATCH)
fprintf(rule_engine_analysis_FD, "http method content");
else if (list_type == DETECT_SM_LIST_HCDMATCH)
fprintf(rule_engine_analysis_FD, "http cookie content");
else if (list_type == DETECT_SM_LIST_HCBDMATCH)
@ -586,6 +582,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
const int nlists = DetectBufferTypeMaxId();
const int filedata_id = DetectBufferTypeGetByName("file_data");
const int httpmethod_id = DetectBufferTypeGetByName("http_method");
if (s->init_data->init_flags & SIG_FLAG_INIT_BIDIREC) {
rule_bidirectional = 1;
@ -639,7 +636,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
raw_http_buf += 1;
http_raw_header_buf += 1;
}
else if (list_id == DETECT_SM_LIST_HMDMATCH) {
else if (list_id == httpmethod_id) {
rule_pcre_http += 1;
raw_http_buf += 1;
http_method_buf += 1;
@ -720,7 +717,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
raw_http_buf += 1;
http_stat_code_buf += 1;
}
else if (list_id == DETECT_SM_LIST_HMDMATCH) {
else if (list_id == httpmethod_id) {
rule_content_http += 1;
raw_http_buf += 1;
http_method_buf += 1;
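Review bot: The `DETECT_SM_LIST_HMDMATCH` branches appear to be dropped from the label chains in EngineAnalysisFP and EngineAnalysisRulesPrintFP (the hunk counts go from 8 to 6 lines), and nothing visible replaces them, so a fast pattern in the now-dynamic http_method list may be reported without its buffer name. Rule writers use this report to confirm which buffer the prefilter runs on, so the label should survive the move to a dynamic id, for example `else if (list_type == DetectBufferTypeGetByName("http_method")) fprintf(fp_engine_analysis_FD, "http method content\n");`, unless a generic fallback outside these hunks already prints the registered description. In EngineAnalysisRules, `httpmethod_id` is compared against `list_id` without checking that the lookup succeeded; a comment stating the value returned for an unregistered name would make it clear the comparison is safe. Both if/else chains begin and end outside the hunks.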

@ -2816,8 +2816,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
return "http host";
case DETECT_SM_LIST_HRHHDMATCH:
return "http raw host header";
case DETECT_SM_LIST_HMDMATCH:
return "http method";
case DETECT_SM_LIST_HCDMATCH:
return "http cookie";
case DETECT_SM_LIST_HUADMATCH:

@ -322,6 +322,7 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a
#ifdef UNITTESTS
static int g_file_data_buffer_id = 0;
static int g_http_method_buffer_id = 0;
/**
* \test Checks if a fast_pattern is registered in a Signature
@ -7168,7 +7169,7 @@ int DetectFastPatternTest261(void)
"content:\"three\"; http_method; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -7206,7 +7207,7 @@ int DetectFastPatternTest262(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HMDMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_method_buffer_id];
if (sm != NULL) {
if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) {
@ -7243,7 +7244,7 @@ int DetectFastPatternTest263(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HMDMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_method_buffer_id];
if (sm != NULL) {
if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) {
@ -7275,7 +7276,7 @@ int DetectFastPatternTest264(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HMDMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_method_buffer_id];
DetectContentData *ud = (DetectContentData *)sm->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
@ -7309,7 +7310,7 @@ int DetectFastPatternTest265(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HMDMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_method_buffer_id];
DetectContentData *ud = (DetectContentData *)sm->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -7539,7 +7540,7 @@ int DetectFastPatternTest275(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -7569,7 +7570,7 @@ int DetectFastPatternTest276(void)
"(content:\"one\"; http_method; content:\"two\"; http_method; within:30; content:\"two\"; fast_pattern:only; http_method; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -7599,7 +7600,7 @@ int DetectFastPatternTest277(void)
"(content:\"one\"; http_method; content:\"two\"; http_method; offset:30; content:\"two\"; fast_pattern:only; http_method; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -7629,7 +7630,7 @@ int DetectFastPatternTest278(void)
"(content:\"one\"; http_method; content:\"two\"; http_method; depth:30; content:\"two\"; fast_pattern:only; http_method; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -7659,7 +7660,7 @@ int DetectFastPatternTest279(void)
"(content:!\"one\"; fast_pattern; http_method; content:\"two\"; http_method; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -7778,7 +7779,7 @@ int DetectFastPatternTest284(void)
"(content:\"one\"; http_method; content:\"oneonetwo\"; fast_pattern:3,4; http_method; content:\"three\"; http_method; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -7808,7 +7809,7 @@ int DetectFastPatternTest285(void)
"(content:\"one\"; http_method; content:\"oneonetwo\"; fast_pattern:3,4; http_method; content:\"three\"; http_method; distance:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -7838,7 +7839,7 @@ int DetectFastPatternTest286(void)
"(content:\"one\"; http_method; content:\"oneonetwo\"; fast_pattern:3,4; http_method; content:\"three\"; http_method; within:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -7868,7 +7869,7 @@ int DetectFastPatternTest287(void)
"(content:\"one\"; http_method; content:\"oneonetwo\"; fast_pattern:3,4; http_method; content:\"three\"; http_method; offset:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -7898,7 +7899,7 @@ int DetectFastPatternTest288(void)
"(content:\"one\"; http_method; content:\"oneonetwo\"; fast_pattern:3,4; http_method; content:\"three\"; http_method; depth:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -7928,7 +7929,7 @@ int DetectFastPatternTest289(void)
"(content:\"one\"; http_method; content:\"two\"; http_method; distance:10; content:\"oneonethree\"; fast_pattern:3,4; http_method; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -7958,7 +7959,7 @@ int DetectFastPatternTest290(void)
"(content:\"one\"; http_method; content:\"two\"; http_method; within:10; content:\"oneonethree\"; fast_pattern:3,4; http_method; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -7988,7 +7989,7 @@ int DetectFastPatternTest291(void)
"(content:\"one\"; http_method; content:\"two\"; http_method; offset:10; content:\"oneonethree\"; fast_pattern:3,4; http_method; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -8018,7 +8019,7 @@ int DetectFastPatternTest292(void)
"(content:\"one\"; http_method; content:\"two\"; http_method; depth:10; content:\"oneonethree\"; fast_pattern:3,4; http_method; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -8117,7 +8118,7 @@ int DetectFastPatternTest296(void)
"(content:\"one\"; http_method; content:!\"oneonetwo\"; fast_pattern:3,4; http_method; content:\"three\"; http_method; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -8236,7 +8237,7 @@ int DetectFastPatternTest301(void)
"(content:\"one\"; http_method; content:!\"oneonetwo\"; fast_pattern:3,4; http_method; content:\"three\"; http_method; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -18823,6 +18824,7 @@ void DetectFastPatternRegisterTests(void)
{
#ifdef UNITTESTS
g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
g_http_method_buffer_id = DetectBufferTypeGetByName("http_method");
UtRegisterTest("DetectFastPatternTest01", DetectFastPatternTest01);
UtRegisterTest("DetectFastPatternTest02", DetectFastPatternTest02);
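Review bot: DetectFastPatternTest261 and the tests that follow it dereference `sm_lists_tail[g_http_method_buffer_id]->prev->ctx` (or `->ctx`) with no NULL check, and the index is now a runtime lookup rather than an enum constant. If `DetectBufferTypeGetByName("http_method")` fails in DetectFastPatternRegisterTests (presumably returning a negative value, to be confirmed against its definition), every one of these tests indexes outside the array instead of reporting a failure. A guard such as `if (g_http_method_buffer_id < 0 || de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id] == NULL) goto end;` before the dereference keeps a registration problem visible as a test failure rather than a crash. Tests 264 and 265 have the same gap on `sm->ctx`, whereas 262 and 263 already test `sm != NULL`. The test bodies start and end outside the hunks.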

@ -60,10 +60,12 @@
#include "detect-engine-hmd.h"
#include "stream-tcp.h"
static int g_http_method_buffer_id = 0;
static int DetectHttpMethodSetup(DetectEngineCtx *, Signature *, char *);
void DetectHttpMethodRegisterTests(void);
void DetectHttpMethodFree(void *);
static void DetectHttpMethodSetupCallback(Signature *s);
static _Bool DetectHttpMethodValidateCallback(const Signature *s);
/**
* \brief Registration function for keyword: http_method
@ -81,14 +83,23 @@ void DetectHttpMethodRegister(void)
sigmatch_table[DETECT_AL_HTTP_METHOD].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_AL_HTTP_METHOD].flags |= SIGMATCH_PAYLOAD;
DetectMpmAppLayerRegister("http_method", SIG_FLAG_TOSERVER,
DETECT_SM_LIST_HMDMATCH, 4,
DetectAppLayerMpmRegister("http_method", SIG_FLAG_TOSERVER, 4,
PrefilterTxMethodRegister);
DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER,
DETECT_SM_LIST_HMDMATCH,
DetectAppLayerInspectEngineRegister2("http_method",
ALPROTO_HTTP, SIG_FLAG_TOSERVER,
DetectEngineInspectHttpMethod);
DetectBufferTypeSetDescriptionByName("http_method",
"http request method");
DetectBufferTypeRegisterSetupCallback("http_method",
DetectHttpMethodSetupCallback);
DetectBufferTypeRegisterValidateCallback("http_method",
DetectHttpMethodValidateCallback);
g_http_method_buffer_id = DetectBufferTypeGetByName("http_method");
SCLogDebug("registering http_method rule option");
}
@ -107,7 +118,7 @@ static int DetectHttpMethodSetup(DetectEngineCtx *de_ctx, Signature *s, char *st
{
return DetectEngineContentModifierBufferSetup(de_ctx, s, str,
DETECT_AL_HTTP_METHOD,
DETECT_SM_LIST_HMDMATCH,
g_http_method_buffer_id,
ALPROTO_HTTP,
NULL);
}
@ -126,43 +137,45 @@ void DetectHttpMethodFree(void *ptr)
SCFree(data);
}
static void DetectHttpMethodSetupCallback(Signature *s)
{
SCLogDebug("callback invoked by %u", s->id);
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
}
/**
* \retval 1 valid
* \retval 0 invalid
*/
int DetectHttpMethodValidateRule(const Signature *s)
static _Bool DetectHttpMethodValidateCallback(const Signature *s)
{
if (s->alproto != ALPROTO_HTTP)
return 1;
if (s->init_data->smlists[DETECT_SM_LIST_HMDMATCH] != NULL) {
const SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_HMDMATCH];
for ( ; sm != NULL; sm = sm->next) {
if (sm->type != DETECT_CONTENT)
continue;
const DetectContentData *cd = (const DetectContentData *)sm->ctx;
if (cd->content && cd->content_len) {
if (cd->content[cd->content_len-1] == 0x20) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with trailing space");
return 0;
} else if (cd->content[0] == 0x20) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with leading space");
return 0;
} else if (cd->content[cd->content_len-1] == 0x09) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with trailing tab");
return 0;
} else if (cd->content[0] == 0x09) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with leading tab");
return 0;
}
const SigMatch *sm = s->init_data->smlists[g_http_method_buffer_id];
for ( ; sm != NULL; sm = sm->next) {
if (sm->type != DETECT_CONTENT)
continue;
const DetectContentData *cd = (const DetectContentData *)sm->ctx;
if (cd->content && cd->content_len) {
if (cd->content[cd->content_len-1] == 0x20) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with trailing space");
return FALSE;
} else if (cd->content[0] == 0x20) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with leading space");
return FALSE;
} else if (cd->content[cd->content_len-1] == 0x09) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with trailing tab");
return FALSE;
} else if (cd->content[0] == 0x09) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "http_method pattern with leading tab");
return FALSE;
}
}
}
return 1;
return TRUE;
}
#ifdef UNITTESTS /* UNITTESTS */
#include "detect-isdataat.h"
#include "stream-tcp-reassemble.h"
/** \test Check a signature with content */
@ -330,13 +343,13 @@ static int DetectHttpMethodTest12(void)
goto end;
}
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HMDMATCH] == NULL) {
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HMDMATCH] == NULL: ");
if (de_ctx->sig_list->sm_lists[g_http_method_buffer_id] == NULL) {
printf("de_ctx->sig_list->sm_lists[g_http_method_buffer_id] == NULL: ");
goto end;
}
DetectContentData *hmd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx;
DetectContentData *hmd2 = (DetectContentData *)de_ctx->sig_list->next->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx;
DetectContentData *hmd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_method_buffer_id]->ctx;
DetectContentData *hmd2 = (DetectContentData *)de_ctx->sig_list->next->sm_lists_tail[g_http_method_buffer_id]->ctx;
if (!(hmd1->flags & DETECT_CONTENT_NOCASE)) {
printf("nocase flag not set on sig 1: ");
@ -850,6 +863,31 @@ end:
return result;
}
static int DetectHttpMethodIsdataatParseTest(void)
{
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->flags |= DE_QUIET;
Signature *s = DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any ("
"content:\"one\"; http_method; "
"isdataat:!4,relative; sid:1;)");
FAIL_IF_NULL(s);
SigMatch *sm = s->init_data->smlists_tail[g_http_method_buffer_id];
FAIL_IF_NULL(sm);
FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
DetectEngineCtxFree(de_ctx);
PASS;
}
#endif /* UNITTESTS */
/**
@ -873,6 +911,9 @@ void DetectHttpMethodRegisterTests(void)
UtRegisterTest("DetectHttpMethodSigTest02", DetectHttpMethodSigTest02);
UtRegisterTest("DetectHttpMethodSigTest03", DetectHttpMethodSigTest03);
UtRegisterTest("DetectHttpMethodSigTest04", DetectHttpMethodSigTest04);
UtRegisterTest("DetectHttpMethodIsdataatParseTest",
DetectHttpMethodIsdataatParseTest);
#endif /* UNITTESTS */
}
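Review bot: The doc comment above DetectHttpMethodValidateCallback still reads `\retval 1 valid` / `\retval 0 invalid`, but the function is now `static _Bool` and returns `TRUE`/`FALSE`; it should read `\retval TRUE valid` / `\retval FALSE invalid`. A `\brief` line should also say that content patterns with a leading or trailing space or tab are rejected. The page has lost its +/- markers, so if the early `return 1;` under the `s->alproto != ALPROTO_HTTP` check is still on the new side, it should become `return TRUE;` to match the other returns. DetectHttpMethodSetupCallback has no comment at all; I would add `/** \brief mark sigs using the http_method buffer as requiring HTTP state */`, since that mask assignment was previously done in SignatureCreateMask and is easy to lose track of.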

@ -26,9 +26,6 @@
/* prototypes */
void DetectHttpMethodRegister(void);
int DetectHttpMethodDoMatch(DetectEngineThreadCtx *, Signature *, SigMatch *,
Flow *, uint8_t, void *);
int DetectHttpMethodValidateRule(const Signature *s);
#endif /* __DETECT_HTTP_METHOD_H__ */

@ -736,50 +736,6 @@ int DetectIsdataatTestParse11(void)
return result;
}
int DetectIsdataatTestParse12(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
Signature *s = NULL;
DetectIsdataatData *data = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:\"one\"; http_method; "
"isdataat:!4,relative; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
}
s = de_ctx->sig_list;
if (s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH] == NULL) {
goto end;
}
result = 1;
result &= (s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->type == DETECT_ISDATAAT);
data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH]->ctx;
if ( !(data->flags & ISDATAAT_RELATIVE) ||
(data->flags & ISDATAAT_RAWBYTES) ||
!(data->flags & ISDATAAT_NEGATED) ) {
result = 0;
goto end;
}
end:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineCtxFree(de_ctx);
return result;
}
int DetectIsdataatTestParse13(void)
{
DetectEngineCtx *de_ctx = NULL;
@ -997,7 +953,6 @@ void DetectIsdataatRegisterTests(void)
UtRegisterTest("DetectIsdataatTestParse09", DetectIsdataatTestParse09);
UtRegisterTest("DetectIsdataatTestParse10", DetectIsdataatTestParse10);
UtRegisterTest("DetectIsdataatTestParse11", DetectIsdataatTestParse11);
UtRegisterTest("DetectIsdataatTestParse12", DetectIsdataatTestParse12);
UtRegisterTest("DetectIsdataatTestParse13", DetectIsdataatTestParse13);
UtRegisterTest("DetectIsdataatTestParse16", DetectIsdataatTestParse16);

@ -150,7 +150,6 @@ const char *DetectListToHumanString(int list)
CASE_CODE_STRING(DETECT_SM_LIST_HSCDMATCH, "http_stat_code");
CASE_CODE_STRING(DETECT_SM_LIST_HHHDMATCH, "http_host");
CASE_CODE_STRING(DETECT_SM_LIST_HRHHDMATCH, "http_raw_host");
CASE_CODE_STRING(DETECT_SM_LIST_HMDMATCH, "http_method");
CASE_CODE_STRING(DETECT_SM_LIST_HCDMATCH, "http_cookie");
CASE_CODE_STRING(DETECT_SM_LIST_HUADMATCH, "http_user_agent");
CASE_CODE_STRING(DETECT_SM_LIST_HTTP_RESLINEMATCH, "http_response_line");
@ -193,7 +192,6 @@ const char *DetectListToString(int list)
CASE_CODE(DETECT_SM_LIST_HSCDMATCH);
CASE_CODE(DETECT_SM_LIST_HHHDMATCH);
CASE_CODE(DETECT_SM_LIST_HRHHDMATCH);
CASE_CODE(DETECT_SM_LIST_HMDMATCH);
CASE_CODE(DETECT_SM_LIST_HCDMATCH);
CASE_CODE(DETECT_SM_LIST_HUADMATCH);
CASE_CODE(DETECT_SM_LIST_HTTP_RESLINEMATCH);
@ -1436,7 +1434,6 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
if (s->init_data->smlists[DETECT_SM_LIST_UMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HMDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HUADMATCH] != NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use uricontent "
"/http_uri , raw_uri, http_client_body, "
@ -1461,7 +1458,6 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
s->init_data->smlists[DETECT_SM_LIST_UMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HMDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HUADMATCH] != NULL) {
sig_flags |= SIG_FLAG_TOSERVER;
s->flags |= SIG_FLAG_TOSERVER;
@ -1521,9 +1517,6 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
}
}
if (!DetectHttpMethodValidateRule(s))
SCReturnInt(0);
//if (s->alproto != ALPROTO_UNKNOWN) {
// if (s->flags & SIG_FLAG_STATE_MATCH) {
// if (s->alproto == ALPROTO_DNS) {
@ -1592,7 +1585,6 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
s->init_data->smlists_tail[DETECT_SM_LIST_HCBDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HHDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HMDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH] ||

@ -445,7 +445,8 @@ static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr,
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'M' inconsistent with 'B'");
goto error;
}
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HMDMATCH);
int list = DetectBufferTypeGetByName("http_method");
*sm_list = DetectPcreSetList(*sm_list, list);
break;
case 'C': /* snort's option */
if (pd->flags & DETECT_PCRE_RAWBYTES) {
@ -674,7 +675,7 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
parsed_sm_list == DETECT_SM_LIST_HSCDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HHHDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HRHHDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HMDMATCH ||
// parsed_sm_list == DETECT_SM_LIST_HMDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HCDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HUADMATCH)
{
@ -715,7 +716,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
case DETECT_SM_LIST_HSMDMATCH:
case DETECT_SM_LIST_HSCDMATCH:
case DETECT_SM_LIST_HCDMATCH:
case DETECT_SM_LIST_HMDMATCH:
case DETECT_SM_LIST_HUADMATCH:
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
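Review bot: In DetectPcreSetup the condition now carries a commented-out line, `// parsed_sm_list == DETECT_SM_LIST_HMDMATCH ||`, which should be deleted rather than left in the middle of the expression. More importantly, http_method is removed both from that condition and from the switch that sets `s->flags |= SIG_FLAG_APPLAYER; s->alproto = ALPROTO_HTTP;`, so a pcre using the 'M' modifier only gets its app-layer protocol set if a path for dynamic list ids exists outside these hunks; that is worth confirming with a unit test, because a rule left without the HTTP alproto could load but inspect nothing. In DetectPcreParse the result of `DetectBufferTypeGetByName("http_method")` is passed to DetectPcreSetList unchecked, and the `int list` declaration sits directly in the `case` body; wrapping it in braces and rejecting a failed lookup with `goto error;` would be cleaner. Both functions begin and end outside the hunks.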

@ -1924,9 +1924,6 @@ int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s)
if (s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_HMDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_HCDMATCH] != NULL)
return 0;
@ -2032,9 +2029,6 @@ static int SignatureIsPDOnly(const Signature *s)
if (s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_HMDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_HCDMATCH] != NULL)
return 0;
@ -2160,7 +2154,6 @@ static int SignatureIsDEOnly(DetectEngineCtx *de_ctx, const Signature *s)
s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HMDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HCDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL ||
@ -2340,11 +2333,6 @@ static int SignatureCreateMask(Signature *s)
SCLogDebug("sig requires http app state");
}
if (s->init_data->smlists[DETECT_SM_LIST_HMDMATCH] != NULL) {
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
SCLogDebug("sig requires http app state");
}
if (s->init_data->smlists[DETECT_SM_LIST_HCDMATCH] != NULL) {
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
SCLogDebug("sig requires http app state");

@ -133,8 +133,6 @@ enum DetectSigmatchListEnum {
DETECT_SM_LIST_HHHDMATCH,
/* list for http_raw_host keyword and the ones relative to it */
DETECT_SM_LIST_HRHHDMATCH,
/* list for http_method keyword and the ones relative to it */
DETECT_SM_LIST_HMDMATCH,
/* list for http_cookie keyword and the ones relative to it */
DETECT_SM_LIST_HCDMATCH,
/* list for http_user_agent keyword and the ones relative to it */
