Fixed broken nocase for http_method and http_header

src/detect-http-method.c

@@ -121,20 +121,25 @@ int DetectHttpMethodMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
         } else if (tx->request_method != NULL) {
             const uint8_t *meth_str = (const uint8_t *)
                                                bstr_ptr(tx->request_method);
-            if ((meth_str != NULL) &&
-                    SpmSearch((uint8_t*) meth_str, bstr_size(tx->request_method),
-                    data->content, data->content_len) != NULL)
-            {
-                SCLogDebug("Matched raw HTTP method values.");
-
-                ret = 1;
+            if (meth_str != NULL) {
+                if (data->flags & DETECT_AL_HTTP_METHOD_NOCASE) {
+                    ret = (SpmNocaseSearch((uint8_t *)meth_str, bstr_size(tx->request_method),
+                                          data->content, data->content_len) != NULL);
+                } else {
+                    ret = (SpmSearch((uint8_t*) meth_str, bstr_size(tx->request_method),
+                    data->content, data->content_len) != NULL);
+                }
+                if (ret == 1) {
+                    SCLogDebug("Matched raw HTTP method values.");
+                }
                 break;
             }
         }
     }
 
     SCMutexUnlock(&f->m);
-    SCReturnInt(ret);
+    //SCReturnInt(ret);
+    SCReturnInt(ret ^ ((data->flags & DETECT_AL_HTTP_METHOD_NEGATED) ? 1 : 0));
 }
 
 /**

src/detect-http-method.h

@@ -24,10 +24,14 @@
 #ifndef __DETECT_HTTP_METHOD_H__
 #define __DETECT_HTTP_METHOD_H__
 
+#define DETECT_AL_HTTP_METHOD_NOCASE   0x01
+#define DETECT_AL_HTTP_METHOD_NEGATED  0x02
+
 typedef struct DetectHttpMethodData_ {
     uint8_t *content;     /**< Raw HTTP method content to match */
     size_t   content_len; /**< Raw HTTP method content length */
     int      method;      /**< Numeric HTTP method to match */
+    uint8_t flags;
 } DetectHttpMethodData;
 
 /* prototypes */

src/detect-nocase.c

@@ -36,6 +36,9 @@
 #include "detect-pcre.h"
 #include "detect-http-client-body.h"
 #include "detect-http-cookie.h"
+#include "detect-http-header.h"
+#include "detect-http-method.h"
+#include "detect-http-uri.h"
 
 #include "util-debug.h"
 
@@ -73,6 +76,11 @@ static SigMatch *SigMatchGetLastNocasePattern(Signature *s) {
     SigMatch *hcbd_sm = SigMatchGetLastSM(s->amatch_tail, DETECT_AL_HTTP_CLIENT_BODY);
     /* http cookie SigMatch */
     SigMatch *hcd_sm = SigMatchGetLastSM(s->amatch_tail, DETECT_AL_HTTP_COOKIE);
+    /* http header SigMatch */
+    SigMatch *hhd_sm = SigMatchGetLastSM(s->amatch_tail, DETECT_AL_HTTP_HEADER);
+    /* http method SigMatch */
+    SigMatch *hmd_sm = SigMatchGetLastSM(s->amatch_tail, DETECT_AL_HTTP_METHOD);
+
     SigMatch *temp_sm = NULL;
 
     SigMatch **sm_list = NULL;
@@ -110,6 +118,23 @@ static SigMatch *SigMatchGetLastNocasePattern(Signature *s) {
         }
         sm_list[sm_list_count - 1] = hcd_sm;
     }
+    if (hhd_sm != NULL) {
+        sm_list_count++;
+        if ( (sm_list = SCRealloc(sm_list, sizeof(SigMatch *) * sm_list_count)) == NULL) {
+            SCLogError(SC_ERR_FATAL, "Fatal error encountered in SigMatchGetLastNocasePattern. Exiting...");
+            exit(EXIT_FAILURE);
+        }
+        sm_list[sm_list_count - 1] = hhd_sm;
+    }
+
+    if (hmd_sm != NULL) {
+        sm_list_count++;
+        if ( (sm_list = SCRealloc(sm_list, sizeof(SigMatch *) * sm_list_count)) == NULL) {
+            SCLogError(SC_ERR_FATAL, "Fatal error encountered in SigMatchGetLastNocasePattern. Exiting...");
+            exit(EXIT_FAILURE);
+        }
+        sm_list[sm_list_count - 1] = hmd_sm;
+    }
 
     if (sm_list_count == 0)
         SCReturnPtr(NULL, "SigMatch");
@@ -158,7 +183,7 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls
     SigMatch *pm = SigMatchGetLastNocasePattern(s);
     if (pm == NULL) {
         SCLogError(SC_ERR_NOCASE_MISSING_PATTERN, "\"nocase\" needs a preceeding"
-                " content, uricontent, http_client_body or http_cookie option");
+                " content, uricontent, http_client_body, http_header, http_method, http_uri, http_cookie option");
         SCReturnInt(-1);
     }
 
@@ -166,6 +191,8 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls
     DetectContentData *cd = NULL;
     DetectHttpClientBodyData *dhcb = NULL;
     DetectHttpCookieData *dhcd = NULL;
+    DetectHttpHeaderData *dhhd = NULL;
+    DetectHttpMethodData *dhmd = NULL;
 
     switch (pm->type) {
         case DETECT_URICONTENT:
@@ -195,6 +222,14 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls
             /* Recreate the context with nocase chars */
             BoyerMooreCtxToNocase(dhcb->bm_ctx, dhcb->content, dhcb->content_len);
             break;
+        case DETECT_AL_HTTP_HEADER:
+            dhhd =(DetectHttpHeaderData *) pm->ctx;
+            dhhd->flags |= DETECT_AL_HTTP_HEADER_NOCASE;
+            break;
+        case DETECT_AL_HTTP_METHOD:
+            dhmd =(DetectHttpMethodData *) pm->ctx;
+            dhmd->flags |= DETECT_AL_HTTP_METHOD_NOCASE;
+            break;
         case DETECT_AL_HTTP_COOKIE:
             dhcd = (DetectHttpCookieData *) pm->ctx;
             dhcd->flags |= DETECT_AL_HTTP_COOKIE_NOCASE;