http_cookie: dynamic buffer

pull/2559/head
Victor Julien 9 years ago
parent 54604c7bf2
commit 67b7d9734e

@ -118,8 +118,6 @@ void EngineAnalysisFP(Signature *s, char *line)
fprintf(fp_engine_analysis_FD, "http header content\n");
else if (list_type == DETECT_SM_LIST_HRHDMATCH)
fprintf(fp_engine_analysis_FD, "http raw header content\n");
else if (list_type == DETECT_SM_LIST_HCDMATCH)
fprintf(fp_engine_analysis_FD, "http cookie content\n");
else if (list_type == DETECT_SM_LIST_HCBDMATCH)
fprintf(fp_engine_analysis_FD, "http client body content\n");
else if (list_type == DETECT_SM_LIST_HSCDMATCH)
@ -466,8 +464,6 @@ static void EngineAnalysisRulesPrintFP(const Signature *s)
fprintf(rule_engine_analysis_FD, "http header content");
else if (list_type == DETECT_SM_LIST_HRHDMATCH)
fprintf(rule_engine_analysis_FD, "http raw header content");
else if (list_type == DETECT_SM_LIST_HCDMATCH)
fprintf(rule_engine_analysis_FD, "http cookie content");
else if (list_type == DETECT_SM_LIST_HCBDMATCH)
fprintf(rule_engine_analysis_FD, "http client body content");
else if (list_type == DETECT_SM_LIST_HSCDMATCH)
@ -577,6 +573,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
const int httpmethod_id = DetectBufferTypeGetByName("http_method");
const int httpuri_id = DetectBufferTypeGetByName("http_uri");
const int httpuseragent_id = DetectBufferTypeGetByName("http_user_agent");
const int httpcookie_id = DetectBufferTypeGetByName("http_cookie");
if (s->init_data->init_flags & SIG_FLAG_INIT_BIDIREC) {
rule_bidirectional = 1;
@ -615,7 +612,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
norm_http_buf += 1;
http_header_buf += 1;
}
else if (list_id == DETECT_SM_LIST_HCDMATCH) {
else if (list_id == httpcookie_id) {
rule_pcre_http += 1;
norm_http_buf += 1;
http_cookie_buf += 1;
@ -663,7 +660,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
if (list_id == httpuri_id
|| list_id == DETECT_SM_LIST_HHDMATCH
|| list_id == DETECT_SM_LIST_HCDMATCH) {
|| list_id == httpcookie_id) {
rule_content_http += 1;
norm_http_buf += 1;
DetectContentData *cd = (DetectContentData *)sm->ctx;
@ -677,7 +674,7 @@ void EngineAnalysisRules(const Signature *s, const char *line)
else if (list_id == DETECT_SM_LIST_HHDMATCH) {
http_header_buf += 1;
}
else if (list_id == DETECT_SM_LIST_HCDMATCH) {
else if (list_id == httpcookie_id) {
http_cookie_buf += 1;
}
}
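Review bot: The two fast-pattern printers, EngineAnalysisFP and EngineAnalysisRulesPrintFP, lose their `DETECT_SM_LIST_HCDMATCH` branch with no visible replacement, while EngineAnalysisRules gets `httpcookie_id` for the same job. Unless a fallback branch outside these hunks prints the buffer by its registered name or description, a rule whose fast pattern sits in http_cookie would be reported without a buffer label, which makes the analysis output harder to use when auditing rule coverage. Both if/else chains start and end outside the hunks, so this needs checking against the full functions. If there is no generic branch, adding `else if (list_type == DetectBufferTypeGetByName("http_cookie"))` with the old message would keep the report stable.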

@ -2814,8 +2814,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
return "http host";
case DETECT_SM_LIST_HRHHDMATCH:
return "http raw host header";
case DETECT_SM_LIST_HCDMATCH:
return "http cookie";
case DETECT_SM_LIST_APP_EVENT:
return "app layer events";

@ -325,6 +325,7 @@ static int g_file_data_buffer_id = 0;
static int g_http_method_buffer_id = 0;
static int g_http_uri_buffer_id = 0;
static int g_http_ua_buffer_id = 0;
static int g_http_cookie_buffer_id = 0;
/**
* \test Checks if a fast_pattern is registered in a Signature
@ -8277,7 +8278,7 @@ int DetectFastPatternTest302(void)
"content:\"three\"; http_cookie; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -8315,7 +8316,7 @@ int DetectFastPatternTest303(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCDMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_cookie_buffer_id];
if (sm != NULL) {
if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) {
@ -8352,7 +8353,7 @@ int DetectFastPatternTest304(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCDMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_cookie_buffer_id];
if (sm != NULL) {
if ( ((DetectContentData *)sm->ctx)->flags &
DETECT_CONTENT_FAST_PATTERN) {
@ -8384,7 +8385,7 @@ int DetectFastPatternTest305(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCDMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_cookie_buffer_id];
DetectContentData *ud = (DetectContentData *)sm->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
@ -8418,7 +8419,7 @@ int DetectFastPatternTest306(void)
goto end;
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCDMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_cookie_buffer_id];
DetectContentData *ud = (DetectContentData *)sm->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -8648,7 +8649,7 @@ int DetectFastPatternTest316(void)
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -8678,7 +8679,7 @@ int DetectFastPatternTest317(void)
"(content:\"one\"; http_cookie; content:\"two\"; http_cookie; within:30; content:\"two\"; fast_pattern:only; http_cookie; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -8708,7 +8709,7 @@ int DetectFastPatternTest318(void)
"(content:\"one\"; http_cookie; content:\"two\"; http_cookie; offset:30; content:\"two\"; fast_pattern:only; http_cookie; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -8738,7 +8739,7 @@ int DetectFastPatternTest319(void)
"(content:\"one\"; http_cookie; content:\"two\"; http_cookie; depth:30; content:\"two\"; fast_pattern:only; http_cookie; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
@ -8768,7 +8769,7 @@ int DetectFastPatternTest320(void)
"(content:!\"one\"; fast_pattern; http_cookie; content:\"two\"; http_cookie; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -8887,7 +8888,7 @@ int DetectFastPatternTest325(void)
"(content:\"one\"; http_cookie; content:\"oneonetwo\"; fast_pattern:3,4; http_cookie; content:\"three\"; http_cookie; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -8917,7 +8918,7 @@ int DetectFastPatternTest326(void)
"(content:\"one\"; http_cookie; content:\"oneonetwo\"; fast_pattern:3,4; http_cookie; content:\"three\"; http_cookie; distance:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -8947,7 +8948,7 @@ int DetectFastPatternTest327(void)
"(content:\"one\"; http_cookie; content:\"oneonetwo\"; fast_pattern:3,4; http_cookie; content:\"three\"; http_cookie; within:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -8977,7 +8978,7 @@ int DetectFastPatternTest328(void)
"(content:\"one\"; http_cookie; content:\"oneonetwo\"; fast_pattern:3,4; http_cookie; content:\"three\"; http_cookie; offset:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -9007,7 +9008,7 @@ int DetectFastPatternTest329(void)
"(content:\"one\"; http_cookie; content:\"oneonetwo\"; fast_pattern:3,4; http_cookie; content:\"three\"; http_cookie; depth:30; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -9037,7 +9038,7 @@ int DetectFastPatternTest330(void)
"(content:\"one\"; http_cookie; content:\"two\"; http_cookie; distance:10; content:\"oneonethree\"; fast_pattern:3,4; http_cookie; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -9067,7 +9068,7 @@ int DetectFastPatternTest331(void)
"(content:\"one\"; http_cookie; content:\"two\"; http_cookie; within:10; content:\"oneonethree\"; fast_pattern:3,4; http_cookie; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -9097,7 +9098,7 @@ int DetectFastPatternTest332(void)
"(content:\"one\"; http_cookie; content:\"two\"; http_cookie; offset:10; content:\"oneonethree\"; fast_pattern:3,4; http_cookie; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -9127,7 +9128,7 @@ int DetectFastPatternTest333(void)
"(content:\"one\"; http_cookie; content:\"two\"; http_cookie; depth:10; content:\"oneonethree\"; fast_pattern:3,4; http_cookie; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
@ -9226,7 +9227,7 @@ int DetectFastPatternTest337(void)
"(content:\"one\"; http_cookie; content:!\"oneonetwo\"; fast_pattern:3,4; http_cookie; content:\"three\"; http_cookie; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -9345,7 +9346,7 @@ int DetectFastPatternTest342(void)
"(content:\"one\"; http_cookie; content:!\"oneonetwo\"; fast_pattern:3,4; http_cookie; content:\"three\"; http_cookie; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->prev->ctx;
DetectContentData *ud = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_cookie_buffer_id]->prev->ctx;
if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
ud->flags & DETECT_CONTENT_NEGATED &&
!(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
@ -18829,6 +18830,7 @@ void DetectFastPatternRegisterTests(void)
g_http_method_buffer_id = DetectBufferTypeGetByName("http_method");
g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
g_http_ua_buffer_id = DetectBufferTypeGetByName("http_user_agent");
g_http_cookie_buffer_id = DetectBufferTypeGetByName("http_cookie");
UtRegisterTest("DetectFastPatternTest01", DetectFastPatternTest01);
UtRegisterTest("DetectFastPatternTest02", DetectFastPatternTest02);
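Review bot: `g_http_cookie_buffer_id` is assigned only in DetectFastPatternRegisterTests and is then used directly as an index into `sm_lists_tail[]` and `sm_lists[]` in every cookie test, with the result dereferenced (`->prev->ctx`, `->ctx`) without a NULL check in most of them. The enum index was always valid, but with a runtime lookup a failed or not-yet-registered "http_cookie" lookup would turn these tests into an out-of-bounds read or NULL dereference instead of a clean failure. If DetectBufferTypeGetByName can return a negative value for an unknown name (not visible here), a guard right after the lookup such as `BUG_ON(g_http_cookie_buffer_id < 0);` would make that failure explicit. Tests 305 and 306 also dereference `sm` without the `sm != NULL` check that 303 and 304 have.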

@ -62,8 +62,10 @@
#include "stream-tcp.h"
static int DetectHttpCookieSetup (DetectEngineCtx *, Signature *, char *);
void DetectHttpCookieRegisterTests(void);
void DetectHttpCookieFree(void *);
static void DetectHttpCookieRegisterTests(void);
static void DetectHttpCookieFree(void *);
static void DetectHttpCookieSetupCallback(Signature *s);
static int g_http_cookie_buffer_id = 0;
/**
* \brief Registration function for keyword: http_cookie
@ -82,19 +84,25 @@ void DetectHttpCookieRegister(void)
sigmatch_table[DETECT_AL_HTTP_COOKIE].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_AL_HTTP_COOKIE].flags |= SIGMATCH_PAYLOAD;
DetectMpmAppLayerRegister("http_cookie", SIG_FLAG_TOSERVER,
DETECT_SM_LIST_HCDMATCH, 2,
DetectAppLayerMpmRegister("http_cookie", SIG_FLAG_TOSERVER, 2,
PrefilterTxRequestCookieRegister);
DetectMpmAppLayerRegister("http_cookie", SIG_FLAG_TOCLIENT,
DETECT_SM_LIST_HCDMATCH, 2,
DetectAppLayerMpmRegister("http_cookie", SIG_FLAG_TOCLIENT, 2,
PrefilterTxResponseCookieRegister);
DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER,
DETECT_SM_LIST_HCDMATCH,
DetectAppLayerInspectEngineRegister2("http_cookie",
ALPROTO_HTTP, SIG_FLAG_TOSERVER,
DetectEngineInspectHttpCookie);
DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
DETECT_SM_LIST_HCDMATCH,
DetectAppLayerInspectEngineRegister2("http_cookie",
ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
DetectEngineInspectHttpCookie);
DetectBufferTypeSetDescriptionByName("http_cookie",
"http cookie header");
DetectBufferTypeRegisterSetupCallback("http_cookie",
DetectHttpCookieSetupCallback);
g_http_cookie_buffer_id = DetectBufferTypeGetByName("http_cookie");
}
/**
@ -127,15 +135,23 @@ static int DetectHttpCookieSetup(DetectEngineCtx *de_ctx, Signature *s, char *st
{
return DetectEngineContentModifierBufferSetup(de_ctx, s, str,
DETECT_AL_HTTP_COOKIE,
DETECT_SM_LIST_HCDMATCH,
g_http_cookie_buffer_id,
ALPROTO_HTTP,
NULL);
}
static void DetectHttpCookieSetupCallback(Signature *s)
{
SCLogDebug("callback invoked by %u", s->id);
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
}
/******************************** UNITESTS **********************************/
#ifdef UNITTESTS
#include "detect-isdataat.h"
#include "stream-tcp-reassemble.h"
static int g_http_uri_buffer_id = 0;
@ -213,7 +229,7 @@ static int DetectHttpCookieTest03(void)
}
result = 0;
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HCDMATCH];
sm = de_ctx->sig_list->sm_lists[g_http_cookie_buffer_id];
if (sm == NULL) {
printf("no sigmatch(es): ");
goto end;
@ -306,9 +322,9 @@ static int DetectHttpCookieTest06(void)
Signature *s = de_ctx->sig_list;
BUG_ON(s->sm_lists[DETECT_SM_LIST_HCDMATCH] == NULL);
BUG_ON(s->sm_lists[g_http_cookie_buffer_id] == NULL);
if (s->sm_lists[DETECT_SM_LIST_HCDMATCH]->type != DETECT_CONTENT)
if (s->sm_lists[g_http_cookie_buffer_id]->type != DETECT_CONTENT)
goto end;
if (s->sm_lists[g_http_uri_buffer_id] == NULL) {
@ -1273,6 +1289,31 @@ end:
return result;
}
static int DetectHttpCookieIsdataatParseTest(void)
{
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->flags |= DE_QUIET;
Signature *s = DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any ("
"content:\"one\"; http_cookie; "
"isdataat:!4,relative; sid:1;)");
FAIL_IF_NULL(s);
SigMatch *sm = s->init_data->smlists_tail[g_http_cookie_buffer_id];
FAIL_IF_NULL(sm);
FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
DetectEngineCtxFree(de_ctx);
PASS;
}
#endif /* UNITTESTS */
/**
@ -1298,6 +1339,8 @@ void DetectHttpCookieRegisterTests (void)
UtRegisterTest("DetectHttpCookieSigTest07", DetectHttpCookieSigTest07);
UtRegisterTest("DetectHttpCookieSigTest08", DetectHttpCookieSigTest08);
UtRegisterTest("DetectHttpCookieSigTest09", DetectHttpCookieSigTest09);
UtRegisterTest("DetectHttpCookieIsdataatParseTest",
DetectHttpCookieIsdataatParseTest);
#endif /* UNITTESTS */
}
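Review bot: `DetectHttpCookieSetupCallback` is added without the `/** \brief ... */` comment the rest of the file uses, yet it is now the only visible place that sets `SIG_MASK_REQUIRE_HTTP_STATE` for cookie rules, replacing the list check this commit removes from SignatureCreateMask. I would add a comment such as `/** \brief buffer setup callback: signatures using the http_cookie buffer require HTTP state */` and state there that it must run for every signature that ends up with a non-empty http_cookie list. Whether the callback also fires for signatures that reach the buffer through the pcre `C` modifier or the lua cookie flags is not visible on this page and is worth confirming, since a missing mask bit would change which packets those rules are evaluated against.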

@ -648,50 +648,6 @@ int DetectIsdataatTestParse11(void)
return result;
}
int DetectIsdataatTestParse13(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
Signature *s = NULL;
DetectIsdataatData *data = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:\"one\"; http_cookie; "
"isdataat:!4,relative; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
}
s = de_ctx->sig_list;
if (s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH] == NULL) {
goto end;
}
result = 1;
result &= (s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->type == DETECT_ISDATAAT);
data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]->ctx;
if ( !(data->flags & ISDATAAT_RELATIVE) ||
(data->flags & ISDATAAT_RAWBYTES) ||
!(data->flags & ISDATAAT_NEGATED) ) {
result = 0;
goto end;
}
end:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineCtxFree(de_ctx);
return result;
}
/**
* \test dns_query with isdataat relative to it
*/
@ -863,7 +819,6 @@ void DetectIsdataatRegisterTests(void)
UtRegisterTest("DetectIsdataatTestParse09", DetectIsdataatTestParse09);
UtRegisterTest("DetectIsdataatTestParse10", DetectIsdataatTestParse10);
UtRegisterTest("DetectIsdataatTestParse11", DetectIsdataatTestParse11);
UtRegisterTest("DetectIsdataatTestParse13", DetectIsdataatTestParse13);
UtRegisterTest("DetectIsdataatTestParse16", DetectIsdataatTestParse16);
UtRegisterTest("DetectIsdataatTestPacket01", DetectIsdataatTestPacket01);

@ -1001,17 +1001,18 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, char *str)
SigMatchAppendSMToList(s, sm, list);
} else if (lua->flags & DATATYPE_HTTP_URI_RAW)
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRUDMATCH);
else if (lua->flags & DATATYPE_HTTP_REQUEST_COOKIE)
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HCDMATCH);
else if (lua->flags & DATATYPE_HTTP_REQUEST_UA) {
else if (lua->flags & DATATYPE_HTTP_REQUEST_COOKIE ||
lua->flags & DATATYPE_HTTP_RESPONSE_COOKIE)
{
int list = DetectBufferTypeGetByName("http_cookie");
SigMatchAppendSMToList(s, sm, list);
} else if (lua->flags & DATATYPE_HTTP_REQUEST_UA) {
int list = DetectBufferTypeGetByName("http_user_agent");
SigMatchAppendSMToList(s, sm, list);
} else if (lua->flags & (DATATYPE_HTTP_REQUEST_HEADERS|DATATYPE_HTTP_RESPONSE_HEADERS))
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HHDMATCH);
else if (lua->flags & (DATATYPE_HTTP_REQUEST_HEADERS_RAW|DATATYPE_HTTP_RESPONSE_HEADERS_RAW))
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HRHDMATCH);
else if (lua->flags & DATATYPE_HTTP_RESPONSE_COOKIE)
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HCDMATCH);
else {
int list = DetectBufferTypeGetByName("http_request_line");
SigMatchAppendSMToList(s, sm, list);
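Review bot: The result of `DetectBufferTypeGetByName("http_cookie")` is passed straight to `SigMatchAppendSMToList` as the list index, and the same pattern appears in the pcre `C` modifier case in DetectPcreParse. The enum constant it replaces could not be invalid, but a by-name lookup can fail (typo, registration order); if it reports that with a negative value, which is not visible here, the append would index the signature's list array out of bounds at rule-load time. A check such as `if (list < 0) goto error;` before the append would turn that into a rule-load error, assuming DetectLuaSetup has an error path outside the hunk. The merged condition could also use the mask form the headers branches below use, `lua->flags & (DATATYPE_HTTP_REQUEST_COOKIE|DATATYPE_HTTP_RESPONSE_COOKIE)`.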

@ -149,7 +149,6 @@ const char *DetectListToHumanString(int list)
CASE_CODE_STRING(DETECT_SM_LIST_HSCDMATCH, "http_stat_code");
CASE_CODE_STRING(DETECT_SM_LIST_HHHDMATCH, "http_host");
CASE_CODE_STRING(DETECT_SM_LIST_HRHHDMATCH, "http_raw_host");
CASE_CODE_STRING(DETECT_SM_LIST_HCDMATCH, "http_cookie");
CASE_CODE_STRING(DETECT_SM_LIST_APP_EVENT, "app-layer-event");
CASE_CODE_STRING(DETECT_SM_LIST_AMATCH, "app-layer");
CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc");
@ -188,7 +187,6 @@ const char *DetectListToString(int list)
CASE_CODE(DETECT_SM_LIST_HSCDMATCH);
CASE_CODE(DETECT_SM_LIST_HHHDMATCH);
CASE_CODE(DETECT_SM_LIST_HRHHDMATCH);
CASE_CODE(DETECT_SM_LIST_HCDMATCH);
CASE_CODE(DETECT_SM_LIST_APP_EVENT);
CASE_CODE(DETECT_SM_LIST_AMATCH);
CASE_CODE(DETECT_SM_LIST_DMATCH);
@ -1578,7 +1576,6 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
s->init_data->smlists_tail[DETECT_SM_LIST_HRHDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HSMDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HSCDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HCDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HHHDMATCH] ||
s->init_data->smlists_tail[DETECT_SM_LIST_HRHHDMATCH])
{

@ -453,13 +453,15 @@ static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr,
*sm_list = DetectPcreSetList(*sm_list, list);
break;
}
case 'C': /* snort's option */
case 'C': { /* snort's option */
if (pd->flags & DETECT_PCRE_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'C' inconsistent with 'B'");
goto error;
}
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HCDMATCH);
int list = DetectBufferTypeGetByName("http_cookie");
*sm_list = DetectPcreSetList(*sm_list, list);
break;
}
case 'P':
/* snort's option (http request body inspection) */
*sm_list = DetectPcreSetList(*sm_list, DETECT_SM_LIST_HCBDMATCH);
@ -678,9 +680,7 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
parsed_sm_list == DETECT_SM_LIST_HSMDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HSCDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HHHDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HRHHDMATCH ||
// parsed_sm_list == DETECT_SM_LIST_HMDMATCH ||
parsed_sm_list == DETECT_SM_LIST_HCDMATCH)
parsed_sm_list == DETECT_SM_LIST_HRHHDMATCH)
{
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
@ -717,7 +717,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
case DETECT_SM_LIST_HRHHDMATCH:
case DETECT_SM_LIST_HSMDMATCH:
case DETECT_SM_LIST_HSCDMATCH:
case DETECT_SM_LIST_HCDMATCH:
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
sm_list = parsed_sm_list;
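Review bot: After this change a pcre using the `C` modifier no longer reaches either of the HTTP branches visible in DetectPcreSetup. `DETECT_SM_LIST_HCDMATCH` is dropped from the protocol-conflict condition and from the `case` list that sets `SIG_FLAG_APPLAYER` and `s->alproto = ALPROTO_HTTP`, and no check on the dynamic http_cookie id is added in their place. Unless dynamic buffer ids are handled by code outside these hunks, a cookie pcre in a rule for another app-layer protocol would no longer be rejected with the conflicting-keywords error, and a rule without an explicit protocol would not get its alproto set to HTTP. Both the condition and the switch continue outside the hunks, so this should be checked against the full function. If nothing covers it, comparing `parsed_sm_list` against `DetectBufferTypeGetByName("http_cookie")` in both places would restore the old behaviour.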

@ -1921,9 +1921,6 @@ int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s)
if (s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_HCDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL)
return 0;
@ -2020,9 +2017,6 @@ static int SignatureIsPDOnly(const Signature *s)
if (s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_HCDMATCH] != NULL)
return 0;
if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL)
return 0;
@ -2141,7 +2135,6 @@ static int SignatureIsDEOnly(DetectEngineCtx *de_ctx, const Signature *s)
s->init_data->smlists[DETECT_SM_LIST_HCBDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HHDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HRHDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HCDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HSMDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HSCDMATCH] != NULL ||
s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL ||
@ -2314,11 +2307,6 @@ static int SignatureCreateMask(Signature *s)
SCLogDebug("sig requires http app state");
}
if (s->init_data->smlists[DETECT_SM_LIST_HCDMATCH] != NULL) {
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
SCLogDebug("sig requires http app state");
}
if (s->init_data->smlists[DETECT_SM_LIST_HRUDMATCH] != NULL) {
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
SCLogDebug("sig requires http app state");

@ -131,8 +131,6 @@ enum DetectSigmatchListEnum {
DETECT_SM_LIST_HHHDMATCH,
/* list for http_raw_host keyword and the ones relative to it */
DETECT_SM_LIST_HRHHDMATCH,
/* list for http_cookie keyword and the ones relative to it */
DETECT_SM_LIST_HCDMATCH,
/* app event engine sm list */
DETECT_SM_LIST_APP_EVENT,
