http body inspection: force body inspection on stream eof.

14 years ago · 59ec493f7c
parent 4d4671c470
commit 59ec493f7c
3 changed files with 15 additions and 7 deletions
--- a/src/detect-engine-hcbd.c
+++ b/src/detect-engine-hcbd.c
@ -70,7 +70,7 @@
 * \warning Make sure flow is locked -- flow is modified, WRITE lock needed
 */
 static void DetectEngineBufferHttpClientBodies(DetectEngineCtx *de_ctx,
-        DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state)
+        DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state, uint8_t flags)
 {
    int idx = 0;
    htp_tx_t *tx = NULL;
@ -169,6 +169,10 @@ static void DetectEngineBufferHttpClientBodies(DetectEngineCtx *de_ctx,
            }
        }

+        if (flags & STREAM_EOF) {
+            htud->flags |= HTP_REQ_BODY_COMPLETE;
+        }
+
        /* inspect the body if the transfer is complete or we have hit
         * our body size limit */
        if (htud->request_body.content_len_so_far < BODY_MINIMAL_SIZE &&
@ -232,7 +236,7 @@ int DetectEngineRunHttpClientBodyMpm(DetectEngineCtx *de_ctx,
    uint32_t cnt = 0;

    FLOWLOCK_WRLOCK(f);
-    DetectEngineBufferHttpClientBodies(de_ctx, det_ctx, f, htp_state);
+    DetectEngineBufferHttpClientBodies(de_ctx, det_ctx, f, htp_state, flags);
    FLOWLOCK_UNLOCK(f);

    if (det_ctx->hcbd != NULL && det_ctx->hcbd_buffers_list_len) {
@ -273,7 +277,7 @@ int DetectEngineInspectHttpClientBody(DetectEngineCtx *de_ctx,
    int i = 0;

    FLOWLOCK_WRLOCK(f);
-    DetectEngineBufferHttpClientBodies(de_ctx, det_ctx, f, alstate);
+    DetectEngineBufferHttpClientBodies(de_ctx, det_ctx, f, alstate, flags);
    FLOWLOCK_UNLOCK(f);

    if (det_ctx->hcbd != NULL && det_ctx->hcbd_buffers_list_len) {
--- a/src/detect-engine-hsbd.c
+++ b/src/detect-engine-hsbd.c
@ -71,7 +71,7 @@
 * \warning Make sure flow is locked. Flow is modified, WRITE lock needed.
 */
 static void DetectEngineBufferHttpServerBodies(DetectEngineCtx *de_ctx,
-        DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state)
+        DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state, uint8_t flags)
 {
    int idx = 0;
    htp_tx_t *tx = NULL;
@ -163,6 +163,10 @@ static void DetectEngineBufferHttpServerBodies(DetectEngineCtx *de_ctx,
            }
        }

+        if (flags & STREAM_EOF) {
+            htud->flags |= HTP_RES_BODY_COMPLETE;
+        }
+
        /* inspect the body if the transfer is complete or we have hit
         * our body size limit */
        if (htud->response_body.content_len_so_far < BODY_MINIMAL_SIZE &&
@ -228,7 +232,7 @@ int DetectEngineRunHttpServerBodyMpm(DetectEngineCtx *de_ctx,
    uint32_t cnt = 0;

    FLOWLOCK_WRLOCK(f);
-    DetectEngineBufferHttpServerBodies(de_ctx, det_ctx, f, htp_state);
+    DetectEngineBufferHttpServerBodies(de_ctx, det_ctx, f, htp_state, flags);
    FLOWLOCK_UNLOCK(f);

    if (det_ctx->hsbd != NULL && det_ctx->hsbd_buffers_list_len) {
@ -269,7 +273,7 @@ int DetectEngineInspectHttpServerBody(DetectEngineCtx *de_ctx,
    int i = 0;

    FLOWLOCK_WRLOCK(f);
-    DetectEngineBufferHttpServerBodies(de_ctx, det_ctx, f, alstate);
+    DetectEngineBufferHttpServerBodies(de_ctx, det_ctx, f, alstate, flags);
    FLOWLOCK_UNLOCK(f);

    if (det_ctx->hsbd != NULL && det_ctx->hsbd_buffers_list_len) {
--- a/src/detect-http-server-body.c
+++ b/src/detect-http-server-body.c
@ -584,7 +584,7 @@ static int DetectHttpServerBodyTest07(void)
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);

    if ((PacketAlertCheck(p1, 1))) {
-        printf("sid 1 matched on chunk2 but should have: ");
+        printf("sid 1 matched on chunk2 but shouldn't have: ");
        goto end;
    }