Suricata upgrade to libhtp 0.5.x.

Remove support for the personalities that libhtp no longer supports -
TOMCAT_6_0, APACHE and APACHE_2_2.  We use the APACHE_2 personality
instead.
pull/432/head
Anoop Saldanha 12 years ago
parent 080c15b3fc
commit 48cf0585fb

@ -1050,17 +1050,10 @@ AC_INIT(configure.ac)
echo
exit 1
fi
PKG_CHECK_MODULES(LIBHTPMINVERSION, htp >= 0.2.3,[libhtp_minver_found="yes"],[libhtp_minver_found="no"])
PKG_CHECK_MODULES(LIBHTPMINVERSION, htp >= 0.5.X,[libhtp_minver_found="yes"],[libhtp_minver_found="no"])
if test "$libhtp_minver_found" = "no"; then
echo
echo " ERROR! libhtp was found but is not the minimum version required >=0.2.3"
echo
exit 1
fi
PKG_CHECK_MODULES(LIBHTPMAXVERSION, htp <= 0.3.0,[libhtp_maxver_found="yes"],[libhtp_maxver_found="no"])
if test "$libhtp_maxver_found" = "no"; then
echo
echo " ERROR! libhtp 0.3.x was found but only 0.2.x is supported"
echo " ERROR! libhtp was found but is not the minimum version required >= 0.5.X"
echo
exit 1
fi
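Review bot: The new minimum-version check passes the literal `htp >= 0.5.X` to pkg-config, and `0.5.X` is a placeholder rather than a version number, so which installed libhtp releases satisfy it depends on how pkg-config orders the alphabetic `X` segment against numeric ones. Pin the lower bound to the first 0.5 release that provides the APIs this commit calls, written as `htp >= 0.5.<MIN_PATCH>` with the real patch number filled in, and print that same value in the error message. The upper-bound check is removed as well, so a later incompatible libhtp would be accepted at configure time; presumably intended, but worth stating in the commit message.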

@ -24,6 +24,7 @@ app-layer-ftp.c app-layer-ftp.h \
app-layer-htp-body.c app-layer-htp-body.h \
app-layer-htp.c app-layer-htp.h \
app-layer-htp-file.c app-layer-htp-file.h \
app-layer-htp-libhtp.c app-layer-htp-libhtp.h \
app-layer-parser.c app-layer-parser.h \
app-layer-protos.c app-layer-protos.h \
app-layer-smb2.c app-layer-smb2.h \

@ -348,9 +348,9 @@ static int HTPFileParserTest01(void) {
goto end;
}
if (tx->request_method == NULL || memcmp(bstr_tocstr(tx->request_method), "POST", 4) != 0)
if (tx->request_method == NULL || memcmp(bstr_util_strdup_to_c(tx->request_method), "POST", 4) != 0)
{
printf("expected method POST, got %s \n", bstr_tocstr(tx->request_method));
printf("expected method POST, got %s \n", bstr_util_strdup_to_c(tx->request_method));
goto end;
}
@ -445,9 +445,9 @@ static int HTPFileParserTest02(void) {
goto end;
}
if (tx->request_method == NULL || memcmp(bstr_tocstr(tx->request_method), "POST", 4) != 0)
if (tx->request_method == NULL || memcmp(bstr_util_strdup_to_c(tx->request_method), "POST", 4) != 0)
{
printf("expected method POST, got %s \n", bstr_tocstr(tx->request_method));
printf("expected method POST, got %s \n", bstr_util_strdup_to_c(tx->request_method));
goto end;
}
@ -568,9 +568,9 @@ static int HTPFileParserTest03(void) {
goto end;
}
if (tx->request_method == NULL || memcmp(bstr_tocstr(tx->request_method), "POST", 4) != 0)
if (tx->request_method == NULL || memcmp(bstr_util_strdup_to_c(tx->request_method), "POST", 4) != 0)
{
printf("expected method POST, got %s \n", bstr_tocstr(tx->request_method));
printf("expected method POST, got %s \n", bstr_util_strdup_to_c(tx->request_method));
goto end;
}
@ -696,9 +696,9 @@ static int HTPFileParserTest04(void) {
goto end;
}
if (tx->request_method == NULL || memcmp(bstr_tocstr(tx->request_method), "POST", 4) != 0)
if (tx->request_method == NULL || memcmp(bstr_util_strdup_to_c(tx->request_method), "POST", 4) != 0)
{
printf("expected method POST, got %s: ", bstr_tocstr(tx->request_method));
printf("expected method POST, got %s: ", bstr_util_strdup_to_c(tx->request_method));
goto end;
}
@ -778,9 +778,9 @@ static int HTPFileParserTest05(void) {
goto end;
}
if (tx->request_method == NULL || memcmp(bstr_tocstr(tx->request_method), "POST", 4) != 0)
if (tx->request_method == NULL || memcmp(bstr_util_strdup_to_c(tx->request_method), "POST", 4) != 0)
{
printf("expected method POST, got %s \n", bstr_tocstr(tx->request_method));
printf("expected method POST, got %s \n", bstr_util_strdup_to_c(tx->request_method));
goto end;
}
@ -892,9 +892,9 @@ static int HTPFileParserTest06(void) {
goto end;
}
if (tx->request_method == NULL || memcmp(bstr_tocstr(tx->request_method), "POST", 4) != 0)
if (tx->request_method == NULL || memcmp(bstr_util_strdup_to_c(tx->request_method), "POST", 4) != 0)
{
printf("expected method POST, got %s \n", bstr_tocstr(tx->request_method));
printf("expected method POST, got %s \n", bstr_util_strdup_to_c(tx->request_method));
goto end;
}
@ -995,9 +995,9 @@ static int HTPFileParserTest07(void) {
goto end;
}
if (tx->request_method == NULL || memcmp(bstr_tocstr(tx->request_method), "POST", 4) != 0)
if (tx->request_method == NULL || memcmp(bstr_util_strdup_to_c(tx->request_method), "POST", 4) != 0)
{
printf("expected method POST, got %s \n", bstr_tocstr(tx->request_method));
printf("expected method POST, got %s \n", bstr_util_strdup_to_c(tx->request_method));
goto end;
}
@ -1399,9 +1399,9 @@ static int HTPFileParserTest11(void) {
goto end;
}
if (tx->request_method == NULL || memcmp(bstr_tocstr(tx->request_method), "POST", 4) != 0)
if (tx->request_method == NULL || memcmp(bstr_util_strdup_to_c(tx->request_method), "POST", 4) != 0)
{
printf("expected method POST, got %s \n", bstr_tocstr(tx->request_method));
printf("expected method POST, got %s \n", bstr_util_strdup_to_c(tx->request_method));
goto end;
}
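Review bot: Each of these checks now calls `bstr_util_strdup_to_c(tx->request_method)` twice, once inside `memcmp` and once for `printf`, and never frees the result. In libhtp that helper returns a newly allocated C string owned by the caller, and it can return NULL on allocation failure, which `memcmp` would then dereference. The same pattern repeats in HTPFileParserTest01 through 07 and in Test11. Comparing the bstr directly avoids both problems, `if (tx->request_method == NULL || bstr_cmp_c(tx->request_method, "POST") != 0)`, with a copy made and freed only on the failure path for the message. The test bodies start and end outside these hunks.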

@ -0,0 +1,209 @@
/*
* We are using this file to hold APIs copied from libhtp 0.5.x.
*/
/***************************************************************************
* Copyright (c) 2009-2010 Open Information Security Foundation
* Copyright (c) 2010-2013 Qualys, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* - Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* - Neither the name of the Qualys, Inc. nor the names of its
* contributors may be used to endorse or promote products derived from
* this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
***************************************************************************/
/**
* Anoop Saldanha <anoopsaldanha@gmail.com>
*/
#include "suricata.h"
#include "suricata-common.h"
/**
* \brief A direct flick off libhtp-0.5.x htp_is_lws().
*/
static int SC_htp_is_lws(int c)
{
if ((c == ' ') || (c == '\t')) return 1;
else return 0;
}
/**
* \brief A direct flick off libhtp-0.5.x htp_parse_positive_integer_whitespace().
*/
static int64_t SC_htp_parse_positive_integer_whitespace(unsigned char *data, size_t len, int base)
{
if (len == 0) return -1003;
size_t last_pos;
size_t pos = 0;
// Ignore LWS before
while ((pos < len) && (SC_htp_is_lws(data[pos]))) pos++;
if (pos == len) return -1001;
int64_t r = bstr_util_mem_to_pint(data + pos, len - pos, base, &last_pos);
if (r < 0) return r;
// Move after the last digit
pos += last_pos;
// Ignore LWS after
while (pos < len) {
if (!SC_htp_is_lws(data[pos])) {
return -1002;
}
pos++;
}
return r;
}
/**
* \brief A direct flick off libhtp-0.5.x htp_parse_content_length()
*/
int64_t SC_htp_parse_content_length(bstr *b)
{
return SC_htp_parse_positive_integer_whitespace((unsigned char *) bstr_ptr(b), bstr_len(b), 10);
}
/**
* \brief Generates the normalized uri.
*
* Libhtp doesn't recreate the whole normalized uri and save it.
* That duty has now been passed to us. A lot of this code has been
* copied from libhtp.
*
* Keep an eye out on the tx->parsed_uri struct and how the parameters
* in it are generated, just in case some modifications are made to
* them in the future.
*/
bstr *SCHTPGenerateNormalizedUri(htp_tx_t *tx, htp_uri_t *uri)
{
if (uri == NULL)
return NULL;
// On the first pass determine the length of the final string
size_t len = 0;
if (uri->scheme != NULL) {
len += bstr_len(uri->scheme);
len += 3; // "://"
}
if ((uri->username != NULL) || (uri->password != NULL)) {
if (uri->username != NULL) {
len += bstr_len(uri->username);
}
len += 1; // ":"
if (uri->password != NULL) {
len += bstr_len(uri->password);
}
len += 1; // "@"
}
if (uri->hostname != NULL) {
len += bstr_len(uri->hostname);
}
if (uri->port != NULL) {
len += 1; // ":"
len += bstr_len(uri->port);
}
if (uri->path != NULL) {
len += bstr_len(uri->path);
}
if (uri->query != NULL) {
len += 1; // "?"
len += bstr_len(uri->query);
}
if (uri->fragment != NULL) {
len += 1; // "#"
len += bstr_len(uri->fragment);
}
// On the second pass construct the string
bstr *r = bstr_alloc(len);
if (r == NULL) {
return NULL;
}
if (uri->scheme != NULL) {
bstr_add_noex(r, uri->scheme);
bstr_add_c_noex(r, "://");
}
if ((uri->username != NULL) || (uri->password != NULL)) {
if (uri->username != NULL) {
bstr_add_noex(r, uri->username);
}
bstr_add_c(r, ":");
if (uri->password != NULL) {
bstr_add_noex(r, uri->password);
}
bstr_add_c_noex(r, "@");
}
if (uri->hostname != NULL) {
bstr_add_noex(r, uri->hostname);
}
if (uri->port != NULL) {
bstr_add_c(r, ":");
bstr_add_noex(r, uri->port);
}
if (uri->path != NULL) {
bstr_add_noex(r, uri->path);
}
if (uri->query != NULL) {
bstr *query = bstr_dup(uri->query);
uint64_t flags = 0;
htp_urldecode_inplace(tx->cfg, HTP_DECODER_URLENCODED, query, &flags);
bstr_add_c_noex(r, "?");
bstr_add_noex(r, query);
bstr_free(query);
}
if (uri->fragment != NULL) {
bstr_add_c_noex(r, "#");
bstr_add_noex(r, uri->fragment);
}
return r;
}
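Review bot: In SCHTPGenerateNormalizedUri the result of `bstr_dup(uri->query)` goes straight into `htp_urldecode_inplace()` and `bstr_add_noex()` with no NULL check, so an allocation failure while handling a request becomes a NULL dereference in the parser path. Add `if (query == NULL) { bstr_free(r); return NULL; }` right after the dup. The two `":"` separators are appended with `bstr_add_c(r, ":")` while every other append uses the `_noex` form; since `len` is computed up front, `bstr_add_c_noex(r, ":")` would be consistent and would not leave a return value ignored. `tx` is also dereferenced (`tx->cfg`) without a check, unlike `uri`.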

@ -0,0 +1,51 @@
/*
* We are using this file to hold APIs copied from libhtp 0.5.x.
*/
/***************************************************************************
* Copyright (c) 2009-2010 Open Information Security Foundation
* Copyright (c) 2010-2013 Qualys, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* - Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* - Neither the name of the Qualys, Inc. nor the names of its
* contributors may be used to endorse or promote products derived from
* this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
***************************************************************************/
/**
* Anoop Saldanha <anoopsaldanha@gmail.com>
*/
#ifndef __APP_LAYER_HTP_LIBHTP__H__
#define __APP_LAYER_HTP_LIBHTP__H__
#include "suricata.h"
#include "suricata-common.h"
bstr *SCHTPGenerateNormalizedUri(htp_tx_t *tx, htp_uri_t *uri);
int64_t SC_htp_parse_content_length(bstr *b);
#endif /* __APP_LAYER_HTP_LIBHTP__H__ */
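Review bot: The two prototypes carry no documentation of their contracts. Above `SCHTPGenerateNormalizedUri` add a comment such as `/* Returns a newly allocated bstr (caller frees with bstr_free()), or NULL if uri is NULL or allocation fails. */`, and above `SC_htp_parse_content_length` one such as `/* Returns the parsed value, or a negative code on empty, non-numeric or trailing non-whitespace input. */`. The header also uses `bstr`, `htp_tx_t` and `htp_uri_t` while including only the Suricata headers, so it presumably relies on those pulling in libhtp's declarations; worth confirming it compiles when included first.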


@ -190,9 +190,18 @@ typedef struct HtpBody_ {
* the tx user data */
typedef struct HtpTxUserData_ {
/* Body of the request (if any) */
uint8_t request_body_init;
uint8_t response_body_init;
HtpBody request_body;
HtpBody response_body;
bstr *request_uri_normalized;
uint8_t *request_headers_raw;
uint8_t *response_headers_raw;
uint32_t request_headers_raw_len;
uint32_t response_headers_raw_len;
/** Holds the boundary identificator string if any (used on
* multipart/form-data only)
*/
@ -211,8 +220,10 @@ typedef struct HtpTxUserData_ {
typedef struct HtpState_ {
htp_connp_t *connp; /**< Connection parser structure for
each connection */
/* Connection parser structure for each connection */
htp_connp_t *connp;
/* Connection structure for each connection */
htp_conn_t *conn;
Flow *f; /**< Needed to retrieve the original flow when usin HTPLib callbacks */
uint64_t transaction_cnt;
uint64_t store_tx_id;
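Review bot: The fields added to HtpTxUserData (`request_uri_normalized`, the two `*_headers_raw` buffers and their `*_len` counters) have no comments saying who allocates and frees them or what the lengths bound, and the existing `/* Body of the request (if any) */` comment now sits above the new `*_body_init` flags. A short comment per group would do, along the lines of `/* raw header bytes and their length; owned by the tx user data */`, adjusted to whatever the suppressed diff on this page actually does. The lengths are `uint32_t`, so the code that fills them should reject or clamp anything larger before the detection engine trusts the pair as a buffer bound.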

@ -157,12 +157,12 @@ static uint8_t *DetectEngineHCBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id,
* when they come */
if (htud->request_body.content_len == 0) {
if ((htud->request_body.content_len_so_far > 0) &&
tx->progress[0] != TX_PROGRESS_REQ_BODY) {
tx->request_progress != HTP_REQUEST_BODY) {
/* final length of the body */
htud->tsflags |= HTP_REQ_BODY_COMPLETE;
}
} else {
if (htud->request_body.content_len == tx->request_entity_len) {
if (htud->request_body.content_len == (uint64_t)tx->request_entity_len) {
SCLogDebug("content_len reached");
htud->tsflags |= HTP_RES_BODY_COMPLETE;
}
@ -284,7 +284,7 @@ int DetectEngineInspectHttpClientBody(ThreadVars *tv,
end:
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0) > TX_PROGRESS_REQ_BODY)
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0) > HTP_REQUEST_BODY)
return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
else
return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
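Review bot: In the `else` branch this hunk touches, reaching the declared request length sets `htud->tsflags |= HTP_RES_BODY_COMPLETE`, whereas the branch just above sets `HTP_REQ_BODY_COMPLETE` on the same `tsflags`. That is a context line the commit leaves alone, and it looks like the response constant was used in the request path; unless the two constants share a value it should read `htud->tsflags |= HTP_REQ_BODY_COMPLETE;`. The new `(uint64_t)tx->request_entity_len` cast also means a negative length, if libhtp can report one, would compare as a very large value, so an explicit `>= 0` guard would state the intent. The function body extends beyond the hunk.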

@ -66,15 +66,15 @@ int DetectEngineRunHttpCookieMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
htp_header_t *h = NULL;
if (flags & STREAM_TOSERVER) {
h = (htp_header_t *)table_getc(tx->request_headers,
"Cookie");
h = (htp_header_t *)htp_table_get_c(tx->request_headers,
"Cookie");
if (h == NULL) {
SCLogDebug("HTTP cookie header not present in this request");
goto end;
}
} else {
h = (htp_header_t *)table_getc(tx->response_headers,
"Set-Cookie");
h = (htp_header_t *)htp_table_get_c(tx->response_headers,
"Set-Cookie");
if (h == NULL) {
SCLogDebug("HTTP Set-Cookie header not present in this request");
goto end;
@ -111,15 +111,15 @@ int DetectEngineInspectHttpCookie(ThreadVars *tv,
htp_tx_t *tx = (htp_tx_t *)txv;
htp_header_t *h = NULL;
if (flags & STREAM_TOSERVER) {
h = (htp_header_t *)table_getc(tx->request_headers,
"Cookie");
h = (htp_header_t *)htp_table_get_c(tx->request_headers,
"Cookie");
if (h == NULL) {
SCLogDebug("HTTP cookie header not present in this request");
goto end;
}
} else {
h = (htp_header_t *)table_getc(tx->response_headers,
"Set-Cookie");
h = (htp_header_t *)htp_table_get_c(tx->response_headers,
"Set-Cookie");
if (h == NULL) {
SCLogDebug("HTTP Set-Cookie header not present in this request");
goto end;
@ -140,10 +140,10 @@ int DetectEngineInspectHttpCookie(ThreadVars *tv,
end:
if (flags & STREAM_TOSERVER) {
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0) > TX_PROGRESS_REQ_HEADERS)
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0) > HTP_REQUEST_HEADERS)
return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
} else {
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 1) > TX_PROGRESS_RES_HEADERS)
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 1) > HTP_RESPONSE_HEADERS)
return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
}
return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;

@ -120,10 +120,14 @@ static uint8_t *DetectEngineHHDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id,
index = (tx_id - det_ctx->hhd_start_tx_id);
}
table_t *headers;
htp_table_t *headers;
if (flags & STREAM_TOSERVER) {
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0) <= HTP_REQUEST_HEADERS)
goto end;
headers = tx->request_headers;
} else {
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 1) <= HTP_RESPONSE_HEADERS)
goto end;
headers = tx->response_headers;
}
if (headers == NULL)
@ -132,9 +136,11 @@ static uint8_t *DetectEngineHHDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id,
htp_header_t *h = NULL;
headers_buffer = det_ctx->hhd_buffers[index];
size_t headers_buffer_len = 0;
size_t i = 0;
table_iterator_reset(headers);
while (table_iterator_next(headers, (void **)&h) != NULL) {
size_t no_of_headers = htp_table_size(headers);
for (; i < no_of_headers; i++) {
h = htp_table_get_index(headers, i, NULL);
size_t size1 = bstr_size(h->name);
size_t size2 = bstr_size(h->value);
@ -231,10 +237,10 @@ int DetectEngineInspectHttpHeader(ThreadVars *tv,
end:
if (flags & STREAM_TOSERVER) {
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0) > TX_PROGRESS_REQ_HEADERS)
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0) > HTP_REQUEST_HEADERS)
return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
} else {
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 1) > TX_PROGRESS_RES_HEADERS)
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 1) > HTP_RESPONSE_HEADERS)
return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
}
return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
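Review bot: The new loop in DetectEngineHHDGetBufferForTX dereferences `h->name` and `h->value` right after `h = htp_table_get_index(headers, i, NULL);` without checking the result. The index is bounded by `htp_table_size(headers)`, so NULL should not occur, but this path runs on headers taken from network traffic and a guard costs nothing: `if (h == NULL) continue;`. The sizes on the following context lines come from `bstr_size()`, which as far as I know is the allocated capacity in libhtp rather than the used length that `bstr_len()` gives; worth confirming that the copy further down, outside the hunk, cannot read past the header data. The loop body continues outside the hunk.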

@ -63,12 +63,12 @@ int DetectEngineRunHttpHHMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
{
uint32_t cnt = 0;
htp_tx_t *tx = (htp_tx_t *)txv;
if (tx->parsed_uri == NULL || tx->parsed_uri->hostname == NULL)
if (tx->request_hostname == NULL)
goto end;
uint8_t *hname = (uint8_t *)bstr_ptr(tx->parsed_uri->hostname);
uint8_t *hname = (uint8_t *)bstr_ptr(tx->request_hostname);
if (hname == NULL)
goto end;
uint32_t hname_len = bstr_len(tx->parsed_uri->hostname);
uint32_t hname_len = bstr_len(tx->request_hostname);
cnt += HttpHHPatternSearch(det_ctx, hname, hname_len, flags);
@ -97,12 +97,12 @@ int DetectEngineInspectHttpHH(ThreadVars *tv,
void *txv, uint64_t tx_id)
{
htp_tx_t *tx = (htp_tx_t *)txv;
if (tx->parsed_uri == NULL || tx->parsed_uri->hostname == NULL)
if (tx->parsed_uri == NULL || tx->request_hostname == NULL)
goto end;
uint8_t *hname = (uint8_t *)bstr_ptr(tx->parsed_uri->hostname);
uint8_t *hname = (uint8_t *)bstr_ptr(tx->request_hostname);
if (hname == NULL)
goto end;
uint32_t hname_len = bstr_len(tx->parsed_uri->hostname);
uint32_t hname_len = bstr_len(tx->request_hostname);
det_ctx->buffer_offset = 0;
det_ctx->discontinue_matching = 0;
@ -116,7 +116,7 @@ int DetectEngineInspectHttpHH(ThreadVars *tv,
return DETECT_ENGINE_INSPECT_SIG_MATCH;
end:
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0) > TX_PROGRESS_REQ_HEADERS)
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0) > HTP_REQUEST_HEADERS)
return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
else
return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
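Review bot: DetectEngineInspectHttpHH still gates on `tx->parsed_uri == NULL` although the buffer it inspects is now `tx->request_hostname`, while DetectEngineRunHttpHHMpm in the first hunk checks only `tx->request_hostname == NULL`. If a transaction can carry a hostname without a parsed URI, the prefilter would run on it and the inspection would skip it, which shows up as a missed match. Use the same guard in both places: `if (tx->request_hostname == NULL)`.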

@ -94,7 +94,7 @@ int DetectEngineInspectHttpMethod(ThreadVars *tv,
{
htp_tx_t *tx = (htp_tx_t *)txv;
if (tx->request_method == NULL) {
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0) > TX_PROGRESS_REQ_LINE)
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0) > HTP_REQUEST_LINE)
return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
else
return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;

@ -63,28 +63,31 @@ int DetectEngineRunHttpRawHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
SCEnter();
uint32_t cnt = 0;
bstr *raw_headers;
htp_tx_t *tx = (htp_tx_t *)txv;
HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
if (tx_ud == NULL)
SCReturnInt(cnt);
if (flags & STREAM_TOSERVER) {
raw_headers = htp_tx_get_request_headers_raw(tx);
if (raw_headers != NULL) {
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, txv, 0) <= HTP_REQUEST_HEADERS)
SCReturnInt(cnt);
if (tx_ud->request_headers_raw != NULL) {
cnt = HttpRawHeaderPatternSearch(det_ctx,
(uint8_t *)bstr_ptr(raw_headers),
bstr_len(raw_headers), flags);
} else {
SCLogDebug("no raw headers");
tx_ud->request_headers_raw,
tx_ud->request_headers_raw_len,
flags);
}
} else {
#ifdef HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
raw_headers = htp_tx_get_response_headers_raw(tx);
if (raw_headers != NULL) {
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, txv, 1) <= HTP_RESPONSE_HEADERS)
SCReturnInt(cnt);
if (tx_ud->response_headers_raw != NULL) {
cnt += HttpRawHeaderPatternSearch(det_ctx,
(uint8_t *)bstr_ptr(raw_headers),
bstr_len(raw_headers), flags);
} else {
SCLogDebug("no raw headers");
tx_ud->response_headers_raw,
tx_ud->response_headers_raw_len,
flags);
}
#endif /* HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW */
}
SCReturnInt(cnt);
@ -110,17 +113,29 @@ int DetectEngineInspectHttpRawHeader(ThreadVars *tv,
void *alstate,
void *txv, uint64_t tx_id)
{
htp_tx_t *tx = (htp_tx_t *)txv;
bstr *raw_headers = NULL;
HtpTxUserData *tx_ud = NULL;
uint8_t *headers_raw = NULL;
uint32_t headers_raw_len = 0;
if (flags & STREAM_TOSERVER) {
raw_headers = htp_tx_get_request_headers_raw(tx);
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, txv, 0) <= HTP_REQUEST_HEADERS)
return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
} else {
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, txv, 1) <= HTP_RESPONSE_HEADERS)
return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
}
#ifdef HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
else {
raw_headers = htp_tx_get_response_headers_raw(tx);
tx_ud = htp_tx_get_user_data(txv);
if (tx_ud == NULL)
goto end;
if (flags & STREAM_TOSERVER) {
headers_raw = tx_ud->request_headers_raw;
headers_raw_len = tx_ud->request_headers_raw_len;
} else {
headers_raw = tx_ud->response_headers_raw;
headers_raw_len = tx_ud->response_headers_raw_len;
}
#endif /* HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW */
if (raw_headers == NULL)
if (headers_raw == NULL)
goto end;
det_ctx->buffer_offset = 0;
@ -128,8 +143,8 @@ int DetectEngineInspectHttpRawHeader(ThreadVars *tv,
det_ctx->inspection_recursion_counter = 0;
int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HRHDMATCH],
f,
(uint8_t *)bstr_ptr(raw_headers),
bstr_len(raw_headers),
headers_raw,
headers_raw_len,
0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HRHD, NULL);
if (r == 1)
@ -137,10 +152,10 @@ int DetectEngineInspectHttpRawHeader(ThreadVars *tv,
end:
if (flags & STREAM_TOSERVER) {
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0) > TX_PROGRESS_REQ_HEADERS)
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, txv, 0) > HTP_REQUEST_HEADERS)
return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
} else {
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 1) > TX_PROGRESS_RES_HEADERS)
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, txv, 1) > HTP_RESPONSE_HEADERS)
return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
}
return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
@ -2725,7 +2740,6 @@ end:
static int DetectEngineHttpRawHeaderTest28(void)
{
#ifdef HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
TcpSession ssn;
Packet *p1 = NULL;
Packet *p2 = NULL;
@ -2841,9 +2855,6 @@ end:
UTHFreePackets(&p1, 1);
UTHFreePackets(&p2, 1);
return result;
#else
return 1;
#endif
}
static int DetectEngineHttpRawHeaderTest29(void)

@ -66,11 +66,11 @@ int DetectEngineRunHttpHRHMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
uint8_t *hname = NULL;
uint32_t hname_len = 0;
if (tx->parsed_uri_incomplete == NULL || tx->parsed_uri_incomplete->hostname == NULL) {
if (tx->parsed_uri == NULL || tx->parsed_uri->hostname == NULL) {
if (tx->request_headers == NULL)
goto end;
htp_header_t *h = NULL;
h = (htp_header_t *)table_getc(tx->request_headers, "Host");
h = (htp_header_t *)htp_table_get_c(tx->request_headers, "Host");
if (h != NULL) {
SCLogDebug("HTTP host header not present in this request");
hname = (uint8_t *)bstr_ptr(h->value);
@ -79,9 +79,9 @@ int DetectEngineRunHttpHRHMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
goto end;
}
} else {
hname = (uint8_t *)bstr_ptr(tx->parsed_uri_incomplete->hostname);
hname = (uint8_t *)bstr_ptr(tx->parsed_uri->hostname);
if (hname != NULL)
hname_len = bstr_len(tx->parsed_uri_incomplete->hostname);
hname_len = bstr_len(tx->parsed_uri->hostname);
else
goto end;
}
@ -115,9 +115,9 @@ int DetectEngineInspectHttpHRH(ThreadVars *tv,
uint8_t *hname;
uint32_t hname_len;
htp_tx_t *tx = (htp_tx_t *)txv;
if (tx->parsed_uri_incomplete == NULL || tx->parsed_uri_incomplete->hostname == NULL) {
if (tx->parsed_uri == NULL || tx->parsed_uri->hostname == NULL) {
htp_header_t *h = NULL;
h = (htp_header_t *)table_getc(tx->request_headers, "Host");
h = (htp_header_t *)htp_table_get_c(tx->request_headers, "Host");
if (h == NULL) {
SCLogDebug("HTTP host header not present in this request");
goto end;
@ -125,10 +125,10 @@ int DetectEngineInspectHttpHRH(ThreadVars *tv,
hname = (uint8_t *)bstr_ptr(h->value);
hname_len = bstr_len(h->value);
} else {
hname = (uint8_t *)bstr_ptr(tx->parsed_uri_incomplete->hostname);
hname = (uint8_t *)bstr_ptr(tx->parsed_uri->hostname);
if (hname == NULL)
goto end;
hname_len = bstr_len(tx->parsed_uri_incomplete->hostname);
hname_len = bstr_len(tx->parsed_uri->hostname);
}
det_ctx->buffer_offset = 0;
@ -143,7 +143,7 @@ int DetectEngineInspectHttpHRH(ThreadVars *tv,
return DETECT_ENGINE_INSPECT_SIG_MATCH;
end:
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0) > TX_PROGRESS_REQ_HEADERS)
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0) > HTP_REQUEST_HEADERS)
return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
else
return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
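Review bot: Both functions now read the raw-host buffer from `tx->parsed_uri->hostname` in place of `tx->parsed_uri_incomplete->hostname`; if libhtp 0.5.x stores a normalized hostname in `parsed_uri`, rules written against the raw host would be matched against normalized bytes. Please confirm which form `parsed_uri` holds, and if it is normalized consider libhtp's unmodified URI structure (`parsed_uri_raw`, if present in the targeted release). Separately, DetectEngineInspectHttpHRH calls `htp_table_get_c(tx->request_headers, "Host")` without the `tx->request_headers == NULL` check that DetectEngineRunHttpHRHMpm has, and the debug message inside `if (h != NULL)` in the latter says the header is not present. Both function bodies extend beyond the hunks.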

@ -100,7 +100,7 @@ int DetectEngineInspectHttpRawUri(ThreadVars *tv,
{
htp_tx_t *tx = (htp_tx_t *)txv;
if (tx->request_uri == NULL) {
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0) > TX_PROGRESS_REQ_LINE)
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0) > HTP_REQUEST_LINE)
return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
else
return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;

@ -156,12 +156,12 @@ static uint8_t *DetectEngineHSBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id,
* when they come */
if (htud->response_body.content_len == 0) {
if ((htud->response_body.content_len_so_far > 0) &&
tx->progress[1] != TX_PROGRESS_RES_BODY) {
tx->response_progress != HTP_RESPONSE_BODY) {
/* final length of the body */
htud->tcflags |= HTP_RES_BODY_COMPLETE;
}
} else {
if (htud->response_body.content_len == tx->response_entity_len) {
if (htud->response_body.content_len == (uint64_t)tx->response_entity_len) {
SCLogDebug("content_len reached");
htud->tcflags |= HTP_RES_BODY_COMPLETE;
}
@ -283,7 +283,7 @@ int DetectEngineInspectHttpServerBody(ThreadVars *tv,
return DETECT_ENGINE_INSPECT_SIG_MATCH;
end:
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0) > TX_PROGRESS_RES_BODY)
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 1) > HTP_RESPONSE_BODY)
return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
else
return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;

@ -98,7 +98,7 @@ int DetectEngineInspectHttpStatCode(ThreadVars *tv,
{
htp_tx_t *tx = (htp_tx_t *)txv;
if (tx->response_status == NULL) {
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0) > TX_PROGRESS_RES_LINE)
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0) > HTP_RESPONSE_LINE)
return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
else
return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
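Review bot: DetectEngineInspectHttpStatCode compares the progress of direction `0` with the response constant `HTP_RESPONSE_LINE`; elsewhere on this page direction `0` is paired with request states and `1` with response states, and the server-body change switches its own check from `0` to `1`. As written, the request-side progress decides whether the signature can still match, so a status-code rule could be given up before the response line arrives. The line should read `if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 1) > HTP_RESPONSE_LINE)`. DetectEngineInspectHttpStatMsg in the next file section has the same line and needs the same change.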

@ -98,7 +98,7 @@ int DetectEngineInspectHttpStatMsg(ThreadVars *tv,
{
htp_tx_t *tx = (htp_tx_t *)txv;
if (tx->response_message == NULL) {
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0) > TX_PROGRESS_RES_LINE)
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0) > HTP_RESPONSE_LINE)
return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
else
return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;

@ -65,8 +65,8 @@ int DetectEngineRunHttpUAMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
if (tx->request_headers == NULL)
goto end;
htp_header_t *h = (htp_header_t *)table_getc(tx->request_headers,
"User-Agent");
htp_header_t *h = (htp_header_t *)htp_table_get_c(tx->request_headers,
"User-Agent");
if (h == NULL) {
SCLogDebug("HTTP user agent header not present in this request");
goto end;
@ -100,8 +100,8 @@ int DetectEngineInspectHttpUA(ThreadVars *tv,
void *txv, uint64_t tx_id)
{
htp_tx_t *tx = (htp_tx_t *)txv;
htp_header_t *h = (htp_header_t *)table_getc(tx->request_headers,
"User-Agent");
htp_header_t *h = (htp_header_t *)htp_table_get_c(tx->request_headers,
"User-Agent");
if (h == NULL) {
SCLogDebug("HTTP user agent header not present in this request");
goto end;
@ -120,7 +120,7 @@ int DetectEngineInspectHttpUA(ThreadVars *tv,
return DETECT_ENGINE_INSPECT_SIG_MATCH;
end:
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0) > TX_PROGRESS_REQ_HEADERS)
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0) > HTP_REQUEST_HEADERS)
return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
else
return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;

@ -2842,6 +2842,7 @@ int DetectSetFastPatternAndItsId(DetectEngineCtx *de_ctx)
if (s->mpm_sm != NULL) {
int sm_list = SigMatchListSMBelongsTo(s, s->mpm_sm);
BUG_ON(sm_list == -1);
DetectContentData *cd = (DetectContentData *)s->mpm_sm->ctx;
DetectFPAndItsId *dup = (DetectFPAndItsId *)ahb;
for (; dup != struct_offset; dup++) {
@ -2873,5 +2874,6 @@ int DetectSetFastPatternAndItsId(DetectEngineCtx *de_ctx)
de_ctx->max_fp_id = max_id;
SCFree(ahb);
return 0;
}

@ -268,12 +268,11 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
if (alproto == ALPROTO_HTTP) {
htp_state = (HtpState *)alstate;
if (htp_state->connp == NULL || htp_state->connp->conn == NULL) {
if (htp_state->conn == NULL) {
FLOWLOCK_UNLOCK(f);
goto end;
}
}
tx_id = AppLayerTransactionGetInspectId(f, flags);
SCLogDebug("tx_id %"PRIu64, tx_id);
total_txs = AppLayerGetTxCnt(alproto, alstate);
@ -534,7 +533,7 @@ void DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
if (alproto == ALPROTO_HTTP) {
htp_state = (HtpState *)alstate;
if (htp_state->connp == NULL || htp_state->connp->conn == NULL) {
if (htp_state->conn == NULL) {
FLOWLOCK_UNLOCK(f);
RULE_PROFILING_END(det_ctx, s, match);
goto end;

@ -68,10 +68,10 @@ int DetectEngineInspectPacketUris(ThreadVars *tv,
void *alstate,
void *txv, uint64_t tx_id)
{
htp_tx_t *tx = (htp_tx_t *)txv;
HtpTxUserData *tx_ud = htp_tx_get_user_data(txv);
if (tx->request_uri_normalized == NULL) {
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0) > TX_PROGRESS_REQ_LINE)
if (tx_ud == NULL || tx_ud->request_uri_normalized == NULL) {
if (AppLayerGetAlstateProgress(ALPROTO_HTTP, txv, 0) > HTP_REQUEST_LINE)
return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
else
return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
@ -82,16 +82,16 @@ int DetectEngineInspectPacketUris(ThreadVars *tv,
det_ctx->inspection_recursion_counter = 0;
#if 0
PrintRawDataFp(stdout, (uint8_t *)bstr_ptr(tx->request_uri_normalized),
bstr_len(tx->request_uri_normalized));
PrintRawDataFp(stdout, (uint8_t *)bstr_ptr(tx_ud->request_uri_normalized),
bstr_len(tx_ud->request_uri_normalized));
#endif
/* Inspect all the uricontents fetched on each
* transaction at the app layer */
int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_UMATCH],
f,
(uint8_t *)bstr_ptr(tx->request_uri_normalized),
bstr_len(tx->request_uri_normalized),
bstr_ptr(tx_ud->request_uri_normalized),
bstr_len(tx_ud->request_uri_normalized),
0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_URI, NULL);
if (r == 1) {

@ -1178,14 +1178,6 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s) {
"inspecting response headers.");
SCReturnInt(0);
}
#ifndef HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
if (s->flags & SIG_FLAG_TOCLIENT) {
SCLogError(SC_ERR_INVALID_SIGNATURE,"http_raw_header signature with "
"to_client flow direction. See issues #389 and #397. Update "
"libhtp to at least 0.2.7.");
SCReturnInt(0);
}
#endif /* HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW */
}
if (s->sm_lists[DETECT_SM_LIST_HHHDMATCH] != NULL) {

@ -250,12 +250,14 @@ uint32_t DetectUricontentInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
SCEnter();
htp_tx_t *tx = (htp_tx_t *)txv;
HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
uint32_t cnt = 0;
if (tx->request_uri_normalized == NULL)
if (tx_ud == NULL || tx_ud->request_uri_normalized == NULL)
goto end;
cnt = DoDetectAppLayerUricontentMatch(det_ctx, (uint8_t *)
bstr_ptr(tx->request_uri_normalized),
bstr_len(tx->request_uri_normalized),
bstr_ptr(tx_ud->request_uri_normalized),
bstr_len(tx_ud->request_uri_normalized),
flags);
end:
@ -304,20 +306,20 @@ static int HTTPUriTest01(void) {
htp_tx_t *tx = AppLayerGetTx(ALPROTO_HTTP, htp_state, 0);
if (tx->request_method_number != M_GET ||
tx->request_protocol_number != HTTP_1_1)
if (tx->request_method_number != HTP_M_GET ||
tx->request_protocol_number != HTP_PROTOCOL_1_1)
{
goto end;
}
if ((tx->parsed_uri->hostname == NULL) ||
(bstr_cmpc(tx->parsed_uri->hostname, "www.example.com") != 0))
if ((tx->request_hostname == NULL) ||
(bstr_cmp_c(tx->request_hostname, "www.example.com") != 0))
{
goto end;
}
if ((tx->parsed_uri->path == NULL) ||
(bstr_cmpc(tx->parsed_uri->path, "/images.gif") != 0))
(bstr_cmp_c(tx->parsed_uri->path, "/images.gif") != 0))
{
goto end;
}
@ -364,20 +366,20 @@ static int HTTPUriTest02(void) {
htp_tx_t *tx = AppLayerGetTx(ALPROTO_HTTP, htp_state, 0);
if (tx->request_method_number != M_GET ||
tx->request_protocol_number != HTTP_1_1)
if (tx->request_method_number != HTP_M_GET ||
tx->request_protocol_number != HTP_PROTOCOL_1_1)
{
goto end;
}
if ((tx->parsed_uri->hostname == NULL) ||
(bstr_cmpc(tx->parsed_uri->hostname, "www.example.com") != 0))
if ((tx->request_hostname == NULL) ||
(bstr_cmp_c(tx->request_hostname, "www.example.com") != 0))
{
goto end;
}
if ((tx->parsed_uri->path == NULL) ||
(bstr_cmpc(tx->parsed_uri->path, "/images.gif") != 0))
(bstr_cmp_c(tx->parsed_uri->path, "/images.gif") != 0))
{
goto end;
}
@ -426,20 +428,20 @@ static int HTTPUriTest03(void) {
htp_tx_t *tx = AppLayerGetTx(ALPROTO_HTTP, htp_state, 0);
if (tx->request_method_number != M_UNKNOWN ||
tx->request_protocol_number != HTTP_1_1)
if (tx->request_method_number != HTP_M_UNKNOWN ||
tx->request_protocol_number != HTP_PROTOCOL_1_1)
{
goto end;
}
if ((tx->parsed_uri->hostname == NULL) ||
(bstr_cmpc(tx->parsed_uri->hostname, "www.example.com") != 0))
if ((tx->request_hostname == NULL) ||
(bstr_cmp_c(tx->request_hostname, "www.example.com") != 0))
{
goto end;
}
if ((tx->parsed_uri->path == NULL) ||
(bstr_cmpc(tx->parsed_uri->path, "/images.gif") != 0))
(bstr_cmp_c(tx->parsed_uri->path, "/images.gif") != 0))
{
goto end;
}
@ -489,20 +491,20 @@ static int HTTPUriTest04(void) {
htp_tx_t *tx = AppLayerGetTx(ALPROTO_HTTP, htp_state, 0);
if (tx->request_method_number != M_GET ||
tx->request_protocol_number != HTTP_1_1)
if (tx->request_method_number != HTP_M_GET ||
tx->request_protocol_number != HTP_PROTOCOL_1_1)
{
goto end;
}
if ((tx->parsed_uri->hostname == NULL) ||
(bstr_cmpc(tx->parsed_uri->hostname, "www.example.com") != 0))
if ((tx->request_hostname == NULL) ||
(bstr_cmp_c(tx->request_hostname, "www.example.com") != 0))
{
goto end;
}
if ((tx->parsed_uri->path == NULL) ||
(bstr_cmpc(tx->parsed_uri->path, "/images.gif") != 0))
(bstr_cmp_c(tx->parsed_uri->path, "/images.gif") != 0))
{
goto end;
}
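Review bot: HTTPUriTest01 through HTTPUriTest04 dereference `tx` directly after `AppLayerGetTx()` and read `tx->parsed_uri->path` without checking either pointer for NULL. The hostname check now uses `tx->request_hostname`, so nothing ahead of the path check touches `parsed_uri`; if the parser leaves it unset, the test run crashes instead of reporting a failure. Adding `if (tx == NULL || tx->parsed_uri == NULL) goto end;` before the first field check in each test would turn that into a normal failure. The test bodies start and end outside these hunks.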

@ -974,7 +974,7 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
tx_progress = AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0);
if (p->flowflags & FLOW_PKT_TOSERVER) {
if (tx_progress > TX_PROGRESS_REQ_LINE) {
if (tx_progress > HTP_REQUEST_LINE) {
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_URI) {
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_URI);
DetectUricontentInspectMpm(det_ctx, p->flow, alstate, flags, tx, idx);
@ -992,7 +992,7 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
}
}
if (tx_progress >= TX_PROGRESS_REQ_HEADERS) {
if (tx_progress >= HTP_REQUEST_HEADERS) {
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HHHD) {
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HHHD);
DetectEngineRunHttpHHMpm(det_ctx, p->flow, alstate, flags, tx, idx);
@ -1025,7 +1025,7 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
}
}
if (tx_progress >= TX_PROGRESS_REQ_BODY) {
if (tx_progress >= HTP_REQUEST_BODY) {
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HCBD) {
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HCBD);
DetectEngineRunHttpClientBodyMpm(de_ctx, det_ctx, p->flow, alstate, flags, tx, idx);
@ -1035,7 +1035,7 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
} else { /* implied FLOW_PKT_TOCLIENT */
tx_progress = AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 1);
if (tx_progress > TX_PROGRESS_RES_LINE) {
if (tx_progress > HTP_RESPONSE_LINE) {
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HSMD) {
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HSMD);
DetectEngineRunHttpStatMsgMpm(det_ctx, p->flow, alstate, flags, tx, idx);
@ -1048,7 +1048,7 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
}
}
if (tx_progress >= TX_PROGRESS_RES_HEADERS) {
if (tx_progress >= HTP_RESPONSE_HEADERS) {
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HHD) {
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HHD);
DetectEngineRunHttpHeaderMpm(det_ctx, p->flow, alstate, flags, tx, idx);
@ -1066,7 +1066,7 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
}
}
if (tx_progress >= TX_PROGRESS_RES_BODY) {
if (tx_progress >= HTP_RESPONSE_BODY) {
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HSBD) {
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HSBD);
DetectEngineRunHttpServerBodyMpm(de_ctx, det_ctx, p->flow, alstate, flags, tx, idx);

@ -105,9 +105,13 @@ static void LogFileMetaGetUri(FILE *fp, Packet *p, File *ff) {
HtpState *htp_state = (HtpState *)p->flow->alstate;
if (htp_state != NULL) {
htp_tx_t *tx = AppLayerGetTx(ALPROTO_HTTP, htp_state, ff->txid);
if (tx != NULL && tx->request_uri_normalized != NULL) {
PrintRawJsonFp(fp, (uint8_t *)bstr_ptr(tx->request_uri_normalized),
bstr_len(tx->request_uri_normalized));
if (tx != NULL) {
HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
if (tx_ud->request_uri_normalized != NULL) {
PrintRawJsonFp(fp,
bstr_ptr(tx_ud->request_uri_normalized),
bstr_len(tx_ud->request_uri_normalized));
}
return;
}
}
@ -120,18 +124,13 @@ static void LogFileMetaGetHost(FILE *fp, Packet *p, File *ff) {
if (htp_state != NULL) {
htp_tx_t *tx = AppLayerGetTx(ALPROTO_HTTP, htp_state, ff->txid);
if (tx != NULL) {
table_t *headers;
headers = tx->request_headers;
htp_header_t *h = NULL;
table_iterator_reset(headers);
while (table_iterator_next(headers, (void **)&h) != NULL) {
if (bstr_len(h->name) >= 4 &&
SCMemcmpLowercase((uint8_t *)"host", (uint8_t *)bstr_ptr(h->name), bstr_len(h->name)) == 0) {
PrintRawJsonFp(fp, (uint8_t *)bstr_ptr(h->value),
bstr_len(h->value));
return;
}
h = (htp_header_t *)htp_table_get_c(tx->request_headers,
"Host");
if (h != NULL) {
PrintRawJsonFp(fp, (uint8_t *)bstr_ptr(h->value),
bstr_len(h->value));
return;
}
}
}
@ -144,18 +143,13 @@ static void LogFileMetaGetReferer(FILE *fp, Packet *p, File *ff) {
if (htp_state != NULL) {
htp_tx_t *tx = AppLayerGetTx(ALPROTO_HTTP, htp_state, ff->txid);
if (tx != NULL) {
table_t *headers;
headers = tx->request_headers;
htp_header_t *h = NULL;
table_iterator_reset(headers);
while (table_iterator_next(headers, (void **)&h) != NULL) {
if (bstr_len(h->name) >= 7 &&
SCMemcmpLowercase((uint8_t *)"referer", (uint8_t *)bstr_ptr(h->name), bstr_len(h->name)) == 0) {
PrintRawJsonFp(fp, (uint8_t *)bstr_ptr(h->value),
bstr_len(h->value));
return;
}
h = (htp_header_t *)htp_table_get_c(tx->request_headers,
"Referer");
if (h != NULL) {
PrintRawJsonFp(fp, (uint8_t *)bstr_ptr(h->value),
bstr_len(h->value));
return;
}
}
}
@ -168,18 +162,13 @@ static void LogFileMetaGetUserAgent(FILE *fp, Packet *p, File *ff) {
if (htp_state != NULL) {
htp_tx_t *tx = AppLayerGetTx(ALPROTO_HTTP, htp_state, ff->txid);
if (tx != NULL) {
table_t *headers;
headers = tx->request_headers;
htp_header_t *h = NULL;
table_iterator_reset(headers);
while (table_iterator_next(headers, (void **)&h) != NULL) {
if (bstr_len(h->name) >= 10 &&
SCMemcmpLowercase((uint8_t *)"user-agent", (uint8_t *)bstr_ptr(h->name), bstr_len(h->name)) == 0) {
PrintRawJsonFp(fp, (uint8_t *)bstr_ptr(h->value),
bstr_len(h->value));
return;
}
h = (htp_header_t *)htp_table_get_c(tx->request_headers,
"User-Agent");
if (h != NULL) {
PrintRawJsonFp(fp, (uint8_t *)bstr_ptr(h->value),
bstr_len(h->value));
return;
}
}
}
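Review bot: In LogFileMetaGetUri the result of `htp_tx_get_user_data(tx)` is dereferenced without a NULL check, while the detection code in this same commit tests `tx_ud == NULL ||` before touching `request_uri_normalized`. If a transaction reaches the logger with no user data attached (presumably possible when its allocation failed or the request line was never processed), this path dereferences NULL on traffic-driven input. The guard should read `if (tx_ud != NULL && tx_ud->request_uri_normalized != NULL) {`. LogFilestoreMetaGetUri in the log-filestore section has the same pattern and needs the same guard.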

@ -108,9 +108,12 @@ static void LogFilestoreMetaGetUri(FILE *fp, Packet *p, File *ff) {
HtpState *htp_state = (HtpState *)p->flow->alstate;
if (htp_state != NULL) {
htp_tx_t *tx = AppLayerGetTx(ALPROTO_HTTP, htp_state, ff->txid);
if (tx != NULL && tx->request_uri_normalized != NULL) {
PrintRawUriFp(fp, (uint8_t *)bstr_ptr(tx->request_uri_normalized),
bstr_len(tx->request_uri_normalized));
if (tx != NULL) {
HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
if (tx_ud->request_uri_normalized != NULL) {
PrintRawUriFp(fp, bstr_ptr(tx_ud->request_uri_normalized),
bstr_len(tx_ud->request_uri_normalized));
}
return;
}
}
@ -123,18 +126,13 @@ static void LogFilestoreMetaGetHost(FILE *fp, Packet *p, File *ff) {
if (htp_state != NULL) {
htp_tx_t *tx = AppLayerGetTx(ALPROTO_HTTP, htp_state, ff->txid);
if (tx != NULL) {
table_t *headers;
headers = tx->request_headers;
htp_header_t *h = NULL;
table_iterator_reset(headers);
while (table_iterator_next(headers, (void **)&h) != NULL) {
if (bstr_len(h->name) >= 4 &&
SCMemcmpLowercase((uint8_t *)"host", (uint8_t *)bstr_ptr(h->name), bstr_len(h->name)) == 0) {
PrintRawUriFp(fp, (uint8_t *)bstr_ptr(h->value),
bstr_len(h->value));
return;
}
h = (htp_header_t *)htp_table_get_c(tx->request_headers,
"Host");
if (h != NULL) {
PrintRawUriFp(fp, (uint8_t *)bstr_ptr(h->value),
bstr_len(h->value));
return;
}
}
}
@ -147,18 +145,13 @@ static void LogFilestoreMetaGetReferer(FILE *fp, Packet *p, File *ff) {
if (htp_state != NULL) {
htp_tx_t *tx = AppLayerGetTx(ALPROTO_HTTP, htp_state, ff->txid);
if (tx != NULL) {
table_t *headers;
headers = tx->request_headers;
htp_header_t *h = NULL;
table_iterator_reset(headers);
while (table_iterator_next(headers, (void **)&h) != NULL) {
if (bstr_len(h->name) >= 7 &&
SCMemcmpLowercase((uint8_t *)"referer", (uint8_t *)bstr_ptr(h->name), bstr_len(h->name)) == 0) {
PrintRawUriFp(fp, (uint8_t *)bstr_ptr(h->value),
bstr_len(h->value));
return;
}
h = (htp_header_t *)htp_table_get_c(tx->request_headers,
"Referer");
if (h != NULL) {
PrintRawUriFp(fp, (uint8_t *)bstr_ptr(h->value),
bstr_len(h->value));
return;
}
}
}
@ -171,18 +164,13 @@ static void LogFilestoreMetaGetUserAgent(FILE *fp, Packet *p, File *ff) {
if (htp_state != NULL) {
htp_tx_t *tx = AppLayerGetTx(ALPROTO_HTTP, htp_state, ff->txid);
if (tx != NULL) {
table_t *headers;
headers = tx->request_headers;
htp_header_t *h = NULL;
table_iterator_reset(headers);
while (table_iterator_next(headers, (void **)&h) != NULL) {
if (bstr_len(h->name) >= 10 &&
SCMemcmpLowercase((uint8_t *)"user-agent", (uint8_t *)bstr_ptr(h->name), bstr_len(h->name)) == 0) {
PrintRawUriFp(fp, (uint8_t *)bstr_ptr(h->value),
bstr_len(h->value));
return;
}
h = (htp_header_t *)htp_table_get_c(tx->request_headers,
"User-Agent");
if (h != NULL) {
PrintRawUriFp(fp, (uint8_t *)bstr_ptr(h->value),
bstr_len(h->value));
return;
}
}
}

@ -254,7 +254,7 @@ static void LogHttpLogCustom(LogHttpLogThread *aft, htp_tx_t *tx, const struct t
case LOG_HTTP_CF_REQUEST_HEADER:
/* REQUEST HEADER */
if (tx->request_headers != NULL) {
h_request_hdr = table_getc(tx->request_headers, httplog_ctx->cf_nodes[i]->data);
h_request_hdr = htp_table_get_c(tx->request_headers, httplog_ctx->cf_nodes[i]->data);
}
if (h_request_hdr != NULL) {
PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset,
@ -275,7 +275,7 @@ static void LogHttpLogCustom(LogHttpLogThread *aft, htp_tx_t *tx, const struct t
tx->response_status_number > 300 &&
tx->response_status_number < 303)
{
htp_header_t *h_location = table_getc(tx->response_headers, "location");
htp_header_t *h_location = htp_table_get_c(tx->response_headers, "location");
if (h_location != NULL) {
MemBufferWriteString(aft->buffer, "(");
@ -292,7 +292,7 @@ static void LogHttpLogCustom(LogHttpLogThread *aft, htp_tx_t *tx, const struct t
case LOG_HTTP_CF_RESPONSE_HEADER:
/* RESPONSE HEADER */
if (tx->response_headers != NULL) {
h_response_hdr = table_getc(tx->response_headers,
h_response_hdr = htp_table_get_c(tx->response_headers,
httplog_ctx->cf_nodes[i]->data);
}
if (h_response_hdr != NULL) {
@ -319,7 +319,7 @@ static void LogHttpLogExtended(LogHttpLogThread *aft, htp_tx_t *tx)
/* referer */
htp_header_t *h_referer = NULL;
if (tx->request_headers != NULL) {
h_referer = table_getc(tx->request_headers, "referer");
h_referer = htp_table_get_c(tx->request_headers, "referer");
}
if (h_referer != NULL) {
PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
@ -355,7 +355,7 @@ static void LogHttpLogExtended(LogHttpLogThread *aft, htp_tx_t *tx)
bstr_len(tx->response_status));
/* Redirect? */
if ((tx->response_status_number > 300) && ((tx->response_status_number) < 303)) {
htp_header_t *h_location = table_getc(tx->response_headers, "location");
htp_header_t *h_location = htp_table_get_c(tx->response_headers, "location");
if (h_location != NULL) {
MemBufferWriteString(aft->buffer, " => ");
@ -410,9 +410,6 @@ static TmEcode LogHttpLogIPWrapper(ThreadVars *tv, Packet *p, void *data, Packet
tx_progress_done_value_ts = AppLayerGetAlstateProgressCompletionStatus(ALPROTO_HTTP, 0);
tx_progress_done_value_tc = AppLayerGetAlstateProgressCompletionStatus(ALPROTO_HTTP, 1);
if (htp_state->connp == NULL || htp_state->connp->conn == NULL)
goto end;
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
char srcip[46], dstip[46];
@ -501,7 +498,7 @@ static TmEcode LogHttpLogIPWrapper(ThreadVars *tv, Packet *p, void *data, Packet
/* user agent */
htp_header_t *h_user_agent = NULL;
if (tx->request_headers != NULL) {
h_user_agent = table_getc(tx->request_headers, "user-agent");
h_user_agent = htp_table_get_c(tx->request_headers, "user-agent");
}
if (h_user_agent != NULL) {
PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
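Review bot: The `@ -410,9 +410,6` hunk in LogHttpLogIPWrapper drops the `htp_state->connp == NULL || htp_state->connp->conn == NULL` guard, and no replacement is visible. The function body continues outside the hunk, so it is not possible to tell from here whether anything below still reads `connp` or `conn`; if it does, that is now an unchecked dereference on the logging path. Either confirm that no such reads remain, or keep a reduced guard such as `if (htp_state->connp == NULL) goto end;`.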

@ -313,9 +313,5 @@ typedef enum PacketProfileDetectId_ {
size_t strlcat(char *, const char *src, size_t siz);
size_t strlcpy(char *dst, const char *src, size_t siz);
#define table_getc(x, y) table_get_c(x, y)
#define bstr_cmpc(x, y) bstr_cmp_c(x, y)
#define bstr_tocstr(x) bstr_util_strdup_to_c(x)
#endif /* __SURICATA_COMMON_H__ */

@ -625,9 +625,6 @@ void SCPrintBuildInfo(void) {
#ifdef HAVE_HTP_URI_NORMALIZE_HOOK
strlcat(features, "HAVE_HTP_URI_NORMALIZE_HOOK ", sizeof(features));
#endif
#ifdef HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
strlcat(features, "HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW ", sizeof(features));
#endif
#ifdef PCRE_HAVE_JIT
strlcat(features, "PCRE_JIT ", sizeof(features));
#endif
@ -700,7 +697,7 @@ void SCPrintBuildInfo(void) {
printf("L1 cache line size (CLS)=%d\n", CLS);
#endif
printf("compiled with libhtp %s, linked against %s\n", HTP_BASE_VERSION_TEXT, htp_get_version());
printf("compiled with libhtp %s, linked against %s\n", HTP_VERSION_STRING, HTP_VERSION_STRING);
#include "build-info.h"
}
@ -1290,11 +1287,6 @@ int main(int argc, char **argv)
#endif
}
#ifndef HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
SCLogWarning(SC_WARN_OUTDATED_LIBHTP, "libhtp < 0.2.7 detected. Keyword "
"http_raw_header will not be able to inspect response headers.");
#endif
SetBpfString(optind, argv);
if (!list_keywords && !list_app_layer_protocols)
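Review bot: The build-info line in SCPrintBuildInfo now prints `HTP_VERSION_STRING` for both "compiled with" and "linked against", so the second value is the header's version, not the version of the library actually loaded. That hides a mismatch between the headers and the shared library, which is what an operator reads this line for when confirming that a patched libhtp is in use. If libhtp 0.5.x still exports `htp_get_version()`, keep it as the second argument: `printf("compiled with libhtp %s, linked against %s\n", HTP_VERSION_STRING, htp_get_version());`.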

@ -962,8 +962,7 @@ pcre:
# IIS_6_0
# IIS_7_0
# IIS_7_5
# Apache
# Apache_2_2
# Apache_2
###########################################################################
libhtp:
@ -989,7 +988,7 @@ libhtp:
- apache:
address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
personality: Apache_2_2
personality: Apache_2
# Can be specified in kb, mb, gb. Just a number indicates
# it's in bytes.
request-body-limit: 4096
