Reworked pattern registration structure and feedback issues.

1) Reworked pattern registration for http methods and versions.

Instead of being a manual and verbose action of adding one
and one http method with N-amount if prefix spacings and
the same for HTTP versions (eg. HTTP/1.1) i moved it all
to be loop based actions reading values from char arrays.

In the future all that is needed is to add new methods
to the arrays and they will be added as a pattern.

2) Modified pattern registration after feedback.

Changed the size argument passed to snprintf for http method registration.
It should have been the size of the dest buffer and not another var (catsize)
that I had created. Also removed this variable.

Fixed a typo in the comment for registering http versions.
TO_CIENT -> TO_CLIENT.
pull/1445/head
maxtors 11 years ago
parent 7a9e963619
commit 3b26b07963

@ -2656,218 +2656,46 @@ static int HTPSetTxDetectState(void *vtx, DetectEngineState *s)
static int HTPRegisterPatternsForProtocolDetection(void)
{
/* toserver */
/* GET */
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"GET|20|", 4, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"GET|09|", 4, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
/* PUT */
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"PUT|20|", 4, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"PUT|09|", 4, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
/* POST */
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"POST|20|", 5, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"POST|09|", 5, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
/* HEAD */
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"HEAD|20|", 5, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"HEAD|09|", 5, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
/* TRACE */
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"TRACE|20|", 6, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"TRACE|09|", 6, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
/* OPTIONS */
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"OPTIONS|20|", 8, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"OPTIONS|09|", 8, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
/* CONNECT */
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"CONNECT|20|", 8, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"CONNECT|09|", 8, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
/* DELETE */
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"DELETE|20|", 7, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"DELETE|09|", 7, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
/* PATCH */
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"PATCH|20|", 6, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"PATCH|09|", 6, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
/* WEBDAV METHODS (rfc4918) */
/* PROPFIND */
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"PROPFIND|20|", 9, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"PROPFIND|09|", 9, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
/* PROPPATCH */
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"PROPPATCH|20|", 10, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"PATCH|09|", 10, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
/* MKCOL */
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"MKCOL|20|", 6, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"MKCOL|09|", 6, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
/* COPY */
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"COPY|20|", 5, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"COPY|09|", 5, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
/* MOVE */
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"MOVE|20|", 5, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"MOVE|09|", 5, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
/* LOCK */
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"LOCK|20|", 5, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"LOCK|09|", 5, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
/* UNLOCK */
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"UNLOCK|20|", 7, 0, STREAM_TOSERVER) < 0)
{
return -1;
}
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"UNLOCK|09|", 7, 0, STREAM_TOSERVER) < 0)
{
return -1;
char *methods[] = { "GET", "PUT", "POST", "HEAD", "TRACE", "OPTIONS",
"CONNECT", "DELETE", "PATCH", "PROPFIND", "PROPPATCH", "MKCOL",
"COPY", "MOVE", "LOCK", "UNLOCK", NULL};
char *spacings[] = { "|20|", "|09|", NULL };
char *versions[] = { "HTTP/0.9", "HTTP/1.0", "HTTP/1.1", NULL };
uint methods_pos;
uint spacings_pos;
uint versions_pos;
int register_result;
char method_buffer[32] = "";
// Loop through all the methods ands spacings and register the patterns
for (methods_pos = 0; methods[methods_pos]; methods_pos++) {
for (spacings_pos = 0; spacings[spacings_pos]; spacings_pos++) {
// Combine the method name and the spacing
snprintf(method_buffer, sizeof(method_buffer), "%s%s", methods[methods_pos], spacings[spacings_pos]);
// Register the new method+spacing pattern
// 3 is subtracted from the length since the spacing is hex typed as |xx|
// but the pattern matching should only be one char.
register_result = AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP,
ALPROTO_HTTP, method_buffer, strlen(method_buffer)-3, 0, STREAM_TOSERVER);
if (register_result < 0) {
return -1;
}
}
}
/* toclient */
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"HTTP/0.9", 8, 0, STREAM_TOCLIENT) < 0)
{
return -1;
}
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"HTTP/1.0", 8, 0, STREAM_TOCLIENT) < 0)
{
return -1;
}
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_HTTP,
"HTTP/1.1", 8, 0, STREAM_TOCLIENT) < 0)
{
return -1;
// Loop through all the http verions patterns that are TO_CLIENT
for (versions_pos = 0; versions[versions_pos]; versions_pos++) {
register_result = AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP,
ALPROTO_HTTP, versions[versions_pos], strlen(versions[versions_pos]),
0, STREAM_TOCLIENT);
if (register_result < 0) {
return -1;
}
}
return 0;
}
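Review bot: The `snprintf` into `method_buffer[32]` inside the method/spacing loop ignores its return value, so a method name longer than 27 characters added to `methods[]` later would be silently truncated, and `strlen(method_buffer)-3` would then register a malformed pattern; that method would presumably no longer be detected as HTTP. Since the commit message says new methods only need to be appended to the array, registration should fail on truncation: capture the result as `int n = snprintf(method_buffer, sizeof(method_buffer), "%s%s", methods[methods_pos], spacings[spacings_pos]);` and follow it with `if (n < 0 || (size_t)n >= sizeof(method_buffer)) return -1;`. The three lookup tables are never written in the visible code, so declaring them `static const char *const methods[]` (likewise `spacings` and `versions`) would document that, and `uint` is not a standard C type, so `size_t` would be the portable index type.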
