From 5a2e5683858ddd152697db740c97dcd81fe5a74a Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Sat, 15 Oct 2016 14:57:39 +0200 Subject: [PATCH] detect: http lists in engine --- src/detect-engine-filedata-smtp.c | 2 +- src/detect-engine-hcbd.c | 2 +- src/detect-engine-hcd.c | 2 +- src/detect-engine-hhd.c | 7 ++---- src/detect-engine-hhhd.c | 2 +- src/detect-engine-hmd.c | 2 +- src/detect-engine-hrhd.c | 2 +- src/detect-engine-hrhhd.c | 2 +- src/detect-engine-hrud.c | 2 +- src/detect-engine-hsbd.c | 2 +- src/detect-engine-hscd.c | 3 +-- src/detect-engine-hsmd.c | 3 +-- src/detect-engine-hua.c | 2 +- src/detect-engine-uri.c | 2 +- src/detect-engine.c | 25 +++++++++++++++++++++ src/detect-http-request-line.c | 2 +- src/detect-http-response-line.c | 2 +- src/detect-uricontent.c | 37 +++++++------------------------ 18 files changed, 50 insertions(+), 51 deletions(-) diff --git a/src/detect-engine-filedata-smtp.c b/src/detect-engine-filedata-smtp.c index fa27c4c90e..6b1049cdba 100644 --- a/src/detect-engine-filedata-smtp.c +++ b/src/detect-engine-filedata-smtp.c @@ -201,7 +201,7 @@ int DetectEngineInspectSMTPFiledata(ThreadVars *tv, det_ctx->buffer_offset = 0; det_ctx->discontinue_matching = 0; det_ctx->inspection_recursion_counter = 0; - match = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_FILEDATA], + match = DetectEngineContentInspection(de_ctx, det_ctx, s, sm, f, (uint8_t *)buffer, buffer_len, diff --git a/src/detect-engine-hcbd.c b/src/detect-engine-hcbd.c index aad694a68c..34b0bd7d00 100644 --- a/src/detect-engine-hcbd.c +++ b/src/detect-engine-hcbd.c @@ -276,7 +276,7 @@ int DetectEngineInspectHttpClientBody(ThreadVars *tv, det_ctx->buffer_offset = 0; det_ctx->discontinue_matching = 0; det_ctx->inspection_recursion_counter = 0; - int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HCBDMATCH], + int r = DetectEngineContentInspection(de_ctx, det_ctx, s, sm, f, (uint8_t *)buffer, buffer_len, 
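Review bot: The `sm` now passed to DetectEngineContentInspection in DetectEngineInspectSMTPFiledata is neither declared nor documented in the hunk; it presumably arrives as a new callback parameter, and the function's signature lies outside the hunk. The same substitution is repeated in the HTTP inspectors that follow (hcbd, hcd, hhd, hhhd, hmd, hrhd, hrhhd, hrud, hsbd, hscd, hsmd, hua, uri, request-line and response-line), so this note covers all of them. Each inspector's header comment should gain a line such as `\param sm head of the SigMatch list for this engine; not reachable through s->sm_lists[] once the engines are built`. Without it, a maintainer who restores the old `s->sm_lists[...]` lookup would pass the NULL that the detect-engine.c hunk leaves behind, and the buffer would quietly go uninspected.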
diff --git a/src/detect-engine-hcd.c b/src/detect-engine-hcd.c index 7bee6534b8..c6243f7adf 100644 --- a/src/detect-engine-hcd.c +++ b/src/detect-engine-hcd.c @@ -191,7 +191,7 @@ int DetectEngineInspectHttpCookie(ThreadVars *tv, det_ctx->buffer_offset = 0; det_ctx->discontinue_matching = 0; det_ctx->inspection_recursion_counter = 0; - int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HCDMATCH], + int r = DetectEngineContentInspection(de_ctx, det_ctx, s, sm, f, (uint8_t *)bstr_ptr(h->value), bstr_len(h->value), diff --git a/src/detect-engine-hhd.c b/src/detect-engine-hhd.c index 5586db41dd..3554e2a476 100644 --- a/src/detect-engine-hhd.c +++ b/src/detect-engine-hhd.c @@ -399,7 +399,7 @@ int DetectEngineInspectHttpHeader(ThreadVars *tv, det_ctx->buffer_offset = 0; det_ctx->discontinue_matching = 0; det_ctx->inspection_recursion_counter = 0; - int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HHDMATCH], + int r = DetectEngineContentInspection(de_ctx, det_ctx, s, sm, f, buffer, buffer_len, @@ -3200,10 +3200,7 @@ static int DetectEngineHttpHeaderTest28(void) /* do detect */ SigMatchSignatures(&th_v, de_ctx, det_ctx, p2); - if (!PacketAlertCheck(p2, 1)) { - printf("sid 1 didn't match but should have"); - goto end; - } + FAIL_IF(!PacketAlertCheck(p2, 1)); result = 1; diff --git a/src/detect-engine-hhhd.c b/src/detect-engine-hhhd.c index 619136e0ff..198d975173 100644 --- a/src/detect-engine-hhhd.c +++ b/src/detect-engine-hhhd.c @@ -130,7 +130,7 @@ int DetectEngineInspectHttpHH(ThreadVars *tv, det_ctx->buffer_offset = 0; det_ctx->discontinue_matching = 0; det_ctx->inspection_recursion_counter = 0; - int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HHHDMATCH], + int r = DetectEngineContentInspection(de_ctx, det_ctx, s, sm, f, hname, hname_len, 0, diff --git a/src/detect-engine-hmd.c b/src/detect-engine-hmd.c index 74b004c737..35cdc5969d 100644 
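Review bot: In DetectEngineHttpHeaderTest28 the new `FAIL_IF(!PacketAlertCheck(p2, 1));` leaves the function directly on failure, while the rest of the test still uses the `result = 1;` and `end:` cleanup convention that the removed `goto end;` relied on. On a mismatch the teardown after that label is therefore skipped, and the test now mixes two failure styles. Either convert the whole test to `FAIL_IF`/`PASS`, or keep `goto end` here. The body of the test starts and ends outside the hunk, so the cleanup itself is not visible.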
--- a/src/detect-engine-hmd.c +++ b/src/detect-engine-hmd.c @@ -127,7 +127,7 @@ int DetectEngineInspectHttpMethod(ThreadVars *tv, det_ctx->buffer_offset = 0; det_ctx->discontinue_matching = 0; det_ctx->inspection_recursion_counter = 0; - int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HMDMATCH], + int r = DetectEngineContentInspection(de_ctx, det_ctx, s, sm, f, (uint8_t *)bstr_ptr(tx->request_method), bstr_len(tx->request_method), diff --git a/src/detect-engine-hrhd.c b/src/detect-engine-hrhd.c index 8f7ad5a9f3..50626399e4 100644 --- a/src/detect-engine-hrhd.c +++ b/src/detect-engine-hrhd.c @@ -195,7 +195,7 @@ int DetectEngineInspectHttpRawHeader(ThreadVars *tv, det_ctx->buffer_offset = 0; det_ctx->discontinue_matching = 0; det_ctx->inspection_recursion_counter = 0; - int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HRHDMATCH], + int r = DetectEngineContentInspection(de_ctx, det_ctx, s, sm, f, headers_raw, headers_raw_len, diff --git a/src/detect-engine-hrhhd.c b/src/detect-engine-hrhhd.c index d9e79f7604..8b335cfcf9 100644 --- a/src/detect-engine-hrhhd.c +++ b/src/detect-engine-hrhhd.c @@ -153,7 +153,7 @@ int DetectEngineInspectHttpHRH(ThreadVars *tv, det_ctx->buffer_offset = 0; det_ctx->discontinue_matching = 0; det_ctx->inspection_recursion_counter = 0; - int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HRHHDMATCH], + int r = DetectEngineContentInspection(de_ctx, det_ctx, s, sm, f, hname, hname_len, 0, diff --git a/src/detect-engine-hrud.c b/src/detect-engine-hrud.c index 811092c28e..e5a40b50b2 100644 --- a/src/detect-engine-hrud.c +++ b/src/detect-engine-hrud.c 
@@ -129,7 +129,7 @@ int DetectEngineInspectHttpRawUri(ThreadVars *tv, det_ctx->inspection_recursion_counter = 0; /* Inspect all the uricontents fetched on each * transaction at the app layer */ - int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HRUDMATCH], + int r = DetectEngineContentInspection(de_ctx, det_ctx, s, sm, f, (uint8_t *)bstr_ptr(tx->request_uri), bstr_len(tx->request_uri), diff --git a/src/detect-engine-hsbd.c b/src/detect-engine-hsbd.c index 326f834f6e..7f40e6ea28 100644 --- a/src/detect-engine-hsbd.c +++ b/src/detect-engine-hsbd.c @@ -281,7 +281,7 @@ int DetectEngineInspectHttpServerBody(ThreadVars *tv, det_ctx->buffer_offset = 0; det_ctx->discontinue_matching = 0; det_ctx->inspection_recursion_counter = 0; - int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_FILEDATA], + int r = DetectEngineContentInspection(de_ctx, det_ctx, s, sm, f, (uint8_t *)buffer, buffer_len, diff --git a/src/detect-engine-hscd.c b/src/detect-engine-hscd.c index 77ea0632cf..0e73d73aa4 100644 --- a/src/detect-engine-hscd.c +++ b/src/detect-engine-hscd.c @@ -126,8 +126,7 @@ int DetectEngineInspectHttpStatCode(ThreadVars *tv, det_ctx->discontinue_matching = 0; det_ctx->buffer_offset = 0; det_ctx->inspection_recursion_counter = 0; - int r = DetectEngineContentInspection(de_ctx, det_ctx, s, - s->sm_lists[DETECT_SM_LIST_HSCDMATCH], + int r = DetectEngineContentInspection(de_ctx, det_ctx, s, sm, f, (uint8_t *)bstr_ptr(tx->response_status), bstr_len(tx->response_status), diff --git a/src/detect-engine-hsmd.c b/src/detect-engine-hsmd.c index 7cecf37d6b..22e38487d9 100644 --- a/src/detect-engine-hsmd.c +++ b/src/detect-engine-hsmd.c 
@@ -126,8 +126,7 @@ int DetectEngineInspectHttpStatMsg(ThreadVars *tv, det_ctx->discontinue_matching = 0; det_ctx->buffer_offset = 0; det_ctx->inspection_recursion_counter = 0; - int r = DetectEngineContentInspection(de_ctx, det_ctx, s, - s->sm_lists[DETECT_SM_LIST_HSMDMATCH], + int r = DetectEngineContentInspection(de_ctx, det_ctx, s, sm, f, (uint8_t *)bstr_ptr(tx->response_message), bstr_len(tx->response_message), diff --git a/src/detect-engine-hua.c b/src/detect-engine-hua.c index 18f716f234..d2cbbcea7b 100644 --- a/src/detect-engine-hua.c +++ b/src/detect-engine-hua.c @@ -135,7 +135,7 @@ int DetectEngineInspectHttpUA(ThreadVars *tv, det_ctx->buffer_offset = 0; det_ctx->discontinue_matching = 0; det_ctx->inspection_recursion_counter = 0; - int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HUADMATCH], + int r = DetectEngineContentInspection(de_ctx, det_ctx, s, sm, f, (uint8_t *)bstr_ptr(h->value), bstr_len(h->value), diff --git a/src/detect-engine-uri.c b/src/detect-engine-uri.c index 7f8a46fd80..6bc28adfeb 100644 --- a/src/detect-engine-uri.c +++ b/src/detect-engine-uri.c @@ -129,7 +129,7 @@ int DetectEngineInspectHttpUri(ThreadVars *tv, /* Inspect all the uricontents fetched on each * transaction at the app layer */ - int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_UMATCH], + int r = DetectEngineContentInspection(de_ctx, det_ctx, s, sm, f, bstr_ptr(tx_ud->request_uri_normalized), bstr_len(tx_ud->request_uri_normalized), diff --git a/src/detect-engine.c b/src/detect-engine.c index dad076c42a..0fc7dd5499 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c 
@@ -172,6 +172,31 @@ int DetectEngineAppInspectionEngine2Signature(Signature *s) new_engine->sm_list = t->sm_list; new_engine->Callback = t->Callback; + switch (new_engine->sm_list) { + case DETECT_SM_LIST_HMDMATCH: + case DETECT_SM_LIST_UMATCH: + case DETECT_SM_LIST_HRUDMATCH: + case DETECT_SM_LIST_HTTP_REQLINEMATCH: + case DETECT_SM_LIST_HTTP_RESLINEMATCH: + case DETECT_SM_LIST_HCBDMATCH: + case DETECT_SM_LIST_FILEDATA: + case DETECT_SM_LIST_HHDMATCH: + case DETECT_SM_LIST_HRHDMATCH: + case DETECT_SM_LIST_HSMDMATCH: + case DETECT_SM_LIST_HSCDMATCH: + case DETECT_SM_LIST_HHHDMATCH: + case DETECT_SM_LIST_HRHHDMATCH: + case DETECT_SM_LIST_HCDMATCH: + case DETECT_SM_LIST_HUADMATCH: + new_engine->sm = s->sm_lists[new_engine->sm_list]; + s->sm_lists[new_engine->sm_list] = NULL; + s->sm_lists_tail[new_engine->sm_list] = NULL; + lists_used[t->sm_list] = 1; + break; + default: + break; + } + if (s->app_inspect == NULL) { s->app_inspect = new_engine; new_engine->id = DE_STATE_FLAG_BASE; /* id is used as flag in stateful detect */ diff --git a/src/detect-http-request-line.c b/src/detect-http-request-line.c index 057f84a514..8561f3fb5d 100644 --- a/src/detect-http-request-line.c +++ b/src/detect-http-request-line.c @@ -191,7 +191,7 @@ static int DetectEngineInspectHttpRequestLine(ThreadVars *tv, /* Inspect all the uricontents fetched on each * transaction at the app layer */ int r = DetectEngineContentInspection(de_ctx, det_ctx, - s, s->sm_lists[DETECT_SM_LIST_HTTP_REQLINEMATCH], + s, sm, f, bstr_ptr(tx->request_line), bstr_len(tx->request_line), diff --git a/src/detect-http-response-line.c b/src/detect-http-response-line.c index 04f7a8e539..5dff95ec19 100644 --- a/src/detect-http-response-line.c +++ b/src/detect-http-response-line.c 
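Review bot: The switch in DetectEngineAppInspectionEngine2Signature moves the list head into `new_engine->sm` and at once sets `s->sm_lists[...]` and `s->sm_lists_tail[...]` to NULL, so a second engine built for the same list in a later iteration would receive `sm == NULL` and inspect nothing, with no error. `DETECT_SM_LIST_FILEDATA` is one list that two inspectors in this patch consume (SMTP filedata and HTTP server body), but the loop and its skip conditions lie outside the hunk, so whether this is reachable needs confirming. For an IDS a silently empty list is a missed detection, so I would either defer the NULLing until after the loop, driven by the `lists_used[]` flags already set here, or add `BUG_ON(new_engine->sm == NULL);` after the assignment. A comment stating that ownership of the SigMatch list passes to the engine, and where it is freed, is also needed, because cleanup that walks `s->sm_lists[]` will no longer see these matches.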
@@ -194,7 +194,7 @@ int DetectEngineInspectHttpResponseLine(ThreadVars *tv, #endif /* run the inspection against the buffer */ - int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HTTP_RESLINEMATCH], + int r = DetectEngineContentInspection(de_ctx, det_ctx, s, sm, f, bstr_ptr(tx->response_line), bstr_len(tx->response_line), diff --git a/src/detect-uricontent.c b/src/detect-uricontent.c index a8a1f0d9a3..4e66237129 100644 --- a/src/detect-uricontent.c +++ b/src/detect-uricontent.c 
@@ -486,45 +486,24 @@ end: */ int DetectUriSigTest01(void) { - SigMatch *sm = NULL; - int result = 0; ThreadVars th_v; - DetectEngineThreadCtx *det_ctx = NULL; Signature *s = NULL; memset(&th_v, 0, sizeof(th_v)); DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) { - goto end; - } + FAIL_IF_NULL(de_ctx); de_ctx->flags |= DE_QUIET; - s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:" - "\" Test uricontent\"; " - "content:\"me\"; uricontent:\"me\"; sid:1;)"); - if (s == NULL) { - goto end; - } - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + s = DetectEngineAppendSig(de_ctx,"alert http any any -> any any (msg:" + "\" Test uricontent\"; content:\"me\"; uricontent:\"me\"; sid:1;)"); + FAIL_IF_NULL(s); - BUG_ON(de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH] == NULL); + BUG_ON(s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL); + FAIL_IF_NOT(de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]->type == DETECT_CONTENT); - sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; - if (sm->type == DETECT_CONTENT) { - result = 1; - } else { - result = 0; - } - - end: - if (de_ctx != NULL) SigGroupCleanup(de_ctx); - if (de_ctx != NULL) SigCleanSignatures(de_ctx); - if (det_ctx != NULL) DetectEngineThreadCtxDeinit(&th_v, det_ctx); - if (de_ctx != NULL) DetectEngineCtxFree(de_ctx); - return result; + DetectEngineCtxFree(de_ctx); + PASS; } /** \test Check the signature working to alert when http_cookie is matched . */
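Review bot: `BUG_ON(s->sm_lists[DETECT_SM_LIST_UMATCH] == NULL)` in DetectUriSigTest01 is an assertion that takes the process down rather than reporting one failed test, and the next line reads the same list through `de_ctx->sig_list` instead of `s`. I would write the two checks as `FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_UMATCH]);` and `FAIL_IF_NOT(s->sm_lists[DETECT_SM_LIST_UMATCH]->type == DETECT_CONTENT);`. `th_v` is still declared and zeroed, but nothing uses it now that the thread-context setup is removed, so both lines can go. Because SigGroupBuild is no longer called, the test only checks the parse-time list; a short comment saying so would help, since the detect-engine.c hunk of this patch empties that list once the inspect engines are built.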