Make sure the stateful detection engine that inspects HTTP streams also works for to_client rules.

remotes/origin/master-1.1.x
Victor Julien 15 years ago
parent b4427e81ec
commit f7f037c1d1

@ -335,70 +335,111 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
SCLogDebug("s->id %"PRIu32, s->id); SCLogDebug("s->id %"PRIu32, s->id);
/* Check the uricontent, http client body, http header keywords here */ /* Check the uricontent, http client body, http header keywords here */
if (alproto == ALPROTO_HTTP && (flags & STREAM_TOSERVER)) { if (alproto == ALPROTO_HTTP) {
if (s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL) { if (flags & STREAM_TOSERVER) {
inspect_flags |= DE_STATE_FLAG_URI_INSPECT; if (s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL) {
inspect_flags |= DE_STATE_FLAG_URI_INSPECT;
SCLogDebug("inspecting uri");
SCLogDebug("inspecting uri");
if (DetectEngineInspectPacketUris(de_ctx, det_ctx, s, f,
flags, alstate) == 1) if (DetectEngineInspectPacketUris(de_ctx, det_ctx, s, f,
{ flags, alstate) == 1)
SCLogDebug("uri matched"); {
match_flags |= DE_STATE_FLAG_URI_MATCH; SCLogDebug("uri matched");
} else { match_flags |= DE_STATE_FLAG_URI_MATCH;
SCLogDebug("uri inspected but no match"); } else {
SCLogDebug("uri inspected but no match");
}
} }
} if (s->sm_lists[DETECT_SM_LIST_HCBDMATCH] != NULL) {
if (s->sm_lists[DETECT_SM_LIST_HCBDMATCH] != NULL) { inspect_flags |= DE_STATE_FLAG_HCBD_INSPECT;
inspect_flags |= DE_STATE_FLAG_HCBD_INSPECT; if (DetectEngineInspectHttpClientBody(de_ctx, det_ctx, s, f,
if (DetectEngineInspectHttpClientBody(de_ctx, det_ctx, s, f, flags, alstate) == 1) {
flags, alstate) == 1) { match_flags |= DE_STATE_FLAG_HCBD_MATCH;
match_flags |= DE_STATE_FLAG_HCBD_MATCH; }
SCLogDebug("inspecting http client body");
} }
SCLogDebug("inspecting http client body"); if (s->sm_lists[DETECT_SM_LIST_HHDMATCH] != NULL) {
} inspect_flags |= DE_STATE_FLAG_HHD_INSPECT;
if (s->sm_lists[DETECT_SM_LIST_HHDMATCH] != NULL) { if (DetectEngineInspectHttpHeader(de_ctx, det_ctx, s, f,
inspect_flags |= DE_STATE_FLAG_HHD_INSPECT; flags, alstate) == 1) {
if (DetectEngineInspectHttpHeader(de_ctx, det_ctx, s, f, match_flags |= DE_STATE_FLAG_HHD_MATCH;
flags, alstate) == 1) { }
match_flags |= DE_STATE_FLAG_HHD_MATCH; SCLogDebug("inspecting http header");
} }
SCLogDebug("inspecting http header"); if (s->sm_lists[DETECT_SM_LIST_HRHDMATCH] != NULL) {
} inspect_flags |= DE_STATE_FLAG_HRHD_INSPECT;
if (s->sm_lists[DETECT_SM_LIST_HRHDMATCH] != NULL) { if (DetectEngineInspectHttpRawHeader(de_ctx, det_ctx, s, f,
inspect_flags |= DE_STATE_FLAG_HRHD_INSPECT; flags, alstate) == 1) {
if (DetectEngineInspectHttpRawHeader(de_ctx, det_ctx, s, f, match_flags |= DE_STATE_FLAG_HRHD_MATCH;
flags, alstate) == 1) { }
match_flags |= DE_STATE_FLAG_HRHD_MATCH; SCLogDebug("inspecting http raw header");
} }
SCLogDebug("inspecting http raw header"); if (s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL) {
} inspect_flags |= DE_STATE_FLAG_HMD_INSPECT;
if (s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL) { if (DetectEngineInspectHttpMethod(de_ctx, det_ctx, s, f,
inspect_flags |= DE_STATE_FLAG_HMD_INSPECT; flags, alstate) == 1) {
if (DetectEngineInspectHttpMethod(de_ctx, det_ctx, s, f, match_flags |= DE_STATE_FLAG_HMD_MATCH;
flags, alstate) == 1) { }
match_flags |= DE_STATE_FLAG_HMD_MATCH; SCLogDebug("inspecting http method");
} }
SCLogDebug("inspecting http method"); if (s->sm_lists[DETECT_SM_LIST_HCDMATCH] != NULL) {
} inspect_flags |= DE_STATE_FLAG_HCD_INSPECT;
if (s->sm_lists[DETECT_SM_LIST_HCDMATCH] != NULL) { if (DetectEngineInspectHttpCookie(de_ctx, det_ctx, s, f,
inspect_flags |= DE_STATE_FLAG_HCD_INSPECT; flags, alstate) == 1) {
if (DetectEngineInspectHttpCookie(de_ctx, det_ctx, s, f, match_flags |= DE_STATE_FLAG_HCD_MATCH;
flags, alstate) == 1) { }
match_flags |= DE_STATE_FLAG_HCD_MATCH; SCLogDebug("inspecting http cookie");
} }
SCLogDebug("inspecting http cookie"); if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL) {
} inspect_flags |= DE_STATE_FLAG_HRUD_INSPECT;
if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL) { if (DetectEngineInspectHttpRawUri(de_ctx, det_ctx, s, f,
inspect_flags |= DE_STATE_FLAG_HRUD_INSPECT; flags, alstate) == 1) {
if (DetectEngineInspectHttpRawUri(de_ctx, det_ctx, s, f, match_flags |= DE_STATE_FLAG_HRUD_MATCH;
flags, alstate) == 1) { }
match_flags |= DE_STATE_FLAG_HRUD_MATCH; SCLogDebug("inspecting http raw uri");
}
} else if (flags & STREAM_TOCLIENT) {
/* For to client set the flags in inspect so it can't match
* if the sig requires something only the request has. The rest
* will be inspected in the opposite direction. */
if (s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL) {
inspect_flags |= DE_STATE_FLAG_URI_INSPECT;
}
if (s->sm_lists[DETECT_SM_LIST_HCBDMATCH] != NULL) {
inspect_flags |= DE_STATE_FLAG_HCBD_INSPECT;
}
if (s->sm_lists[DETECT_SM_LIST_HHDMATCH] != NULL) {
inspect_flags |= DE_STATE_FLAG_HHD_INSPECT;
if (DetectEngineInspectHttpHeader(de_ctx, det_ctx, s, f,
flags, alstate) == 1) {
match_flags |= DE_STATE_FLAG_HHD_MATCH;
}
SCLogDebug("inspecting http header");
}
if (s->sm_lists[DETECT_SM_LIST_HRHDMATCH] != NULL) {
inspect_flags |= DE_STATE_FLAG_HRHD_INSPECT;
if (DetectEngineInspectHttpRawHeader(de_ctx, det_ctx, s, f,
flags, alstate) == 1) {
match_flags |= DE_STATE_FLAG_HRHD_MATCH;
}
SCLogDebug("inspecting http raw header");
}
if (s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL) {
inspect_flags |= DE_STATE_FLAG_HMD_INSPECT;
}
if (s->sm_lists[DETECT_SM_LIST_HCDMATCH] != NULL) {
inspect_flags |= DE_STATE_FLAG_HCD_INSPECT;
if (DetectEngineInspectHttpCookie(de_ctx, det_ctx, s, f,
flags, alstate) == 1) {
match_flags |= DE_STATE_FLAG_HCD_MATCH;
}
SCLogDebug("inspecting http cookie");
}
if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL) {
inspect_flags |= DE_STATE_FLAG_HRUD_INSPECT;
} }
SCLogDebug("inspecting http raw uri");
} }
} else if (alproto == ALPROTO_DCERPC || alproto == ALPROTO_SMB || alproto == ALPROTO_SMB2) { } else if (alproto == ALPROTO_DCERPC || alproto == ALPROTO_SMB || alproto == ALPROTO_SMB2) {
if (s->sm_lists[DETECT_SM_LIST_DMATCH] != NULL) { if (s->sm_lists[DETECT_SM_LIST_DMATCH] != NULL) {
inspect_flags |= DE_STATE_FLAG_DCE_INSPECT; inspect_flags |= DE_STATE_FLAG_DCE_INSPECT;
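Review bot: The new to_client branch repeats the http_header, http_raw_header and http_cookie inspection blocks verbatim from the to_server branch, so the one thing that actually differs by direction — UMATCH, HCBDMATCH, HMDMATCH and HRUDMATCH get their INSPECT bit set but are never run — is hidden inside roughly forty duplicated lines and will drift the next time one side is edited. The same effect can be had with a single pass where each request-only list calls its inspect function only under `to_server`, and the direction-agnostic lists are inspected unconditionally, keeping an outer `if (flags & (STREAM_TOSERVER | STREAM_TOCLIENT))` so the no-direction case stays a no-op as it is now. This assumes DetectEngineInspectHttpHeader/RawHeader/Cookie pick the request or response side from the `flags` argument they already receive, which this hunk does not show. The "can't match" comment should also state the mechanism, e.g. `/* set INSPECT without MATCH: inspect_flags != match_flags, so the sig cannot match in this direction */`, since the comparison that enforces it is outside this hunk. DeStateDetectStartDetection begins before and continues after the hunk; the SCLogDebug calls are omitted from the sketch below.
```c
    if (alproto == ALPROTO_HTTP) {
        if (flags & (STREAM_TOSERVER | STREAM_TOCLIENT)) {
            const int to_server = (flags & STREAM_TOSERVER) != 0;
            /* request-only buffers: to_client sets INSPECT without MATCH so
             * inspect_flags != match_flags and the sig cannot match here */
            if (s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL) {
                inspect_flags |= DE_STATE_FLAG_URI_INSPECT;
                if (to_server && DetectEngineInspectPacketUris(de_ctx, det_ctx, s, f,
                                                               flags, alstate) == 1) {
                    match_flags |= DE_STATE_FLAG_URI_MATCH;
                }
            }
            /* … same shape for HCBDMATCH, HMDMATCH and HRUDMATCH … */
            /* buffers present in both directions: always inspected */
            if (s->sm_lists[DETECT_SM_LIST_HHDMATCH] != NULL) {
                inspect_flags |= DE_STATE_FLAG_HHD_INSPECT;
                if (DetectEngineInspectHttpHeader(de_ctx, det_ctx, s, f,
                                                  flags, alstate) == 1) {
                    match_flags |= DE_STATE_FLAG_HHD_MATCH;
                }
            }
            /* … same shape for HRHDMATCH and HCDMATCH … */
        }
    } /* … unchanged: DCERPC/SMB branch … */
```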
@ -467,7 +508,8 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
} }
} }
SCLogDebug("detection done, store results: sm %p, match_flags %04X", sm, match_flags); SCLogDebug("detection done, store results: sm %p, inspect_flags %04X, "
"match_flags %04X", sm, inspect_flags, match_flags);
SCMutexLock(&f->de_state_m); SCMutexLock(&f->de_state_m);
/* match or no match, we store the state anyway /* match or no match, we store the state anyway

@ -176,7 +176,7 @@ static int DetectHttpCookieSetup (DetectEngineCtx *de_ctx, Signature *s, char *s
cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_AL_HTTP_COOKIE); cd->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, cd, DETECT_AL_HTTP_COOKIE);
sm->type = DETECT_AL_HTTP_COOKIE; sm->type = DETECT_AL_HTTP_COOKIE;
/* transfer the sm from the pmatch list to hmdmatch list */ /* transfer the sm from the pmatch list to hcdmatch list */
SigMatchTransferSigMatchAcrossLists(sm, SigMatchTransferSigMatchAcrossLists(sm,
&s->sm_lists[DETECT_SM_LIST_PMATCH], &s->sm_lists[DETECT_SM_LIST_PMATCH],
&s->sm_lists_tail[DETECT_SM_LIST_PMATCH], &s->sm_lists_tail[DETECT_SM_LIST_PMATCH],

@ -1573,8 +1573,14 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
} }
} }
SCLogDebug("s->sm_lists[DETECT_SM_LIST_AMATCH] %p, s->sm_lists[DETECT_SM_LIST_UMATCH] %p, s->sm_lists[DETECT_SM_LIST_DMATCH] %p", SCLogDebug("s->sm_lists[DETECT_SM_LIST_AMATCH] %p, "
s->sm_lists[DETECT_SM_LIST_AMATCH], s->sm_lists[DETECT_SM_LIST_UMATCH], s->sm_lists[DETECT_SM_LIST_DMATCH]); "s->sm_lists[DETECT_SM_LIST_UMATCH] %p, "
"s->sm_lists[DETECT_SM_LIST_DMATCH] %p, "
"s->sm_lists[DETECT_SM_LIST_HCDMATCH] %p",
s->sm_lists[DETECT_SM_LIST_AMATCH],
s->sm_lists[DETECT_SM_LIST_UMATCH],
s->sm_lists[DETECT_SM_LIST_DMATCH],
s->sm_lists[DETECT_SM_LIST_HCDMATCH]);
/* consider stateful sig matches */ /* consider stateful sig matches */
if (s->flags & SIG_FLAG_STATE_MATCH) { if (s->flags & SIG_FLAG_STATE_MATCH) {
