From 7b13ba9f9e9e991b805e1cf7688241d0888d9a83 Mon Sep 17 00:00:00 2001
From: William Metcalf
Date: Sat, 18 Sep 2010 15:22:23 -0500
Subject: [PATCH] Fixed broken nocase for http_method and http_header
---
 src/detect-http-method.c | 21 +++++++++++++--------
 src/detect-http-method.h | 4 ++++
 src/detect-nocase.c | 37 ++++++++++++++++++++++++++++++++++++-
 3 files changed, 53 insertions(+), 9 deletions(-)
diff --git a/src/detect-http-method.c b/src/detect-http-method.c
index a11a104f3d..4c2919cabf 100644
--- a/src/detect-http-method.c
+++ b/src/detect-http-method.c
@@ -121,20 +121,25 @@ int DetectHttpMethodMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
 } else if (tx->request_method != NULL) {
 const uint8_t *meth_str = (const uint8_t *) bstr_ptr(tx->request_method);
- if ((meth_str != NULL) &&
- SpmSearch((uint8_t*) meth_str, bstr_size(tx->request_method),
- data->content, data->content_len) != NULL)
- {
- SCLogDebug("Matched raw HTTP method values.");
-
- ret = 1;
+ if (meth_str != NULL) {
+ if (data->flags & DETECT_AL_HTTP_METHOD_NOCASE) {
+ ret = (SpmNocaseSearch((uint8_t *)meth_str, bstr_size(tx->request_method),
+ data->content, data->content_len) != NULL);
+ } else {
+ ret = (SpmSearch((uint8_t*) meth_str, bstr_size(tx->request_method),
+ data->content, data->content_len) != NULL);
+ }
+ if (ret == 1) {
+ SCLogDebug("Matched raw HTTP method values.");
+ }
 break;
 }
 }
 }
 SCMutexUnlock(&f->m);
- SCReturnInt(ret);
+ //SCReturnInt(ret);
+ SCReturnInt(ret ^ ((data->flags & DETECT_AL_HTTP_METHOD_NEGATED) ? 1 : 0));
 }
 /**
diff --git a/src/detect-http-method.h b/src/detect-http-method.h
index a5b12f5ce1..0df79371fb 100644
--- a/src/detect-http-method.h
+++ b/src/detect-http-method.h
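Review bot: In DetectHttpMethodMatch the `break` now sits directly inside `if (meth_str != NULL)`, so the scan stops at the first transaction that carries a raw method even when `ret` is 0; the removed code left the loop only after a hit. If the enclosing loop (it starts above this hunk) walks several transactions on a flow, a method in a later request is never compared and the rule misses it. Keeping the early exit tied to the match restores that: `if (ret == 1) { SCLogDebug("Matched raw HTTP method values."); break; }`. The new return also XORs `ret` with the NEGATED bit on every path that reaches it, including ones where no method was compared, which the commit subject does not mention and which goes wrong if `ret` can hold anything other than 0 or 1 (its other assignments are outside the hunk). The commented-out `//SCReturnInt(ret);` should be deleted rather than kept.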
@@ -24,10 +24,14 @@
 #ifndef __DETECT_HTTP_METHOD_H__
 #define __DETECT_HTTP_METHOD_H__
+#define DETECT_AL_HTTP_METHOD_NOCASE 0x01
+#define DETECT_AL_HTTP_METHOD_NEGATED 0x02
+
 typedef struct DetectHttpMethodData_ {
 uint8_t *content; /**< Raw HTTP method content to match */
 size_t content_len; /**< Raw HTTP method content length */
 int method; /**< Numeric HTTP method to match */
+ uint8_t flags;
 } DetectHttpMethodData;
 /* prototypes */
diff --git a/src/detect-nocase.c b/src/detect-nocase.c
index 2c4baf3e13..77d188a5f0 100644
--- a/src/detect-nocase.c
+++ b/src/detect-nocase.c
@@ -36,6 +36,9 @@
 #include "detect-pcre.h"
 #include "detect-http-client-body.h"
 #include "detect-http-cookie.h"
+#include "detect-http-header.h"
+#include "detect-http-method.h"
+#include "detect-http-uri.h"
 #include "util-debug.h"
@@ -73,6 +76,11 @@ static SigMatch *SigMatchGetLastNocasePattern(Signature *s) {
 SigMatch *hcbd_sm = SigMatchGetLastSM(s->amatch_tail, DETECT_AL_HTTP_CLIENT_BODY);
 /* http cookie SigMatch */
 SigMatch *hcd_sm = SigMatchGetLastSM(s->amatch_tail, DETECT_AL_HTTP_COOKIE);
+ /* http header SigMatch */
+ SigMatch *hhd_sm = SigMatchGetLastSM(s->amatch_tail, DETECT_AL_HTTP_HEADER);
+ /* http method SigMatch */
+ SigMatch *hmd_sm = SigMatchGetLastSM(s->amatch_tail, DETECT_AL_HTTP_METHOD);
+
 SigMatch *temp_sm = NULL;
 SigMatch **sm_list = NULL;
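Review bot: The new `flags` member of DetectHttpMethodData (detect-http-method.h hunk) is read by DetectHttpMethodMatch, but no hunk in this patch initialises it where the struct is allocated. Unless the setup code already zeroes the whole struct (not visible here), the NOCASE and NEGATED bits start out indeterminate, and a stray NEGATED bit inverts the rule's verdict. Setting `flags` to 0 at allocation and documenting the field like its neighbours, `uint8_t flags; /**< DETECT_AL_HTTP_METHOD_* bit flags */`, would close that. DETECT_AL_HTTP_METHOD_NEGATED is defined and tested in this patch but never set, so nothing visible here exercises the negation path.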
@@ -110,6 +118,23 @@ static SigMatch *SigMatchGetLastNocasePattern(Signature *s) {
 }
 sm_list[sm_list_count - 1] = hcd_sm;
 }
+ if (hhd_sm != NULL) {
+ sm_list_count++;
+ if ( (sm_list = SCRealloc(sm_list, sizeof(SigMatch *) * sm_list_count)) == NULL) {
+ SCLogError(SC_ERR_FATAL, "Fatal error encountered in SigMatchGetLastNocasePattern. Exiting...");
+ exit(EXIT_FAILURE);
+ }
+ sm_list[sm_list_count - 1] = hhd_sm;
+ }
+
+ if (hmd_sm != NULL) {
+ sm_list_count++;
+ if ( (sm_list = SCRealloc(sm_list, sizeof(SigMatch *) * sm_list_count)) == NULL) {
+ SCLogError(SC_ERR_FATAL, "Fatal error encountered in SigMatchGetLastNocasePattern. Exiting...");
+ exit(EXIT_FAILURE);
+ }
+ sm_list[sm_list_count - 1] = hmd_sm;
+ }
 if (sm_list_count == 0)
 SCReturnPtr(NULL, "SigMatch");
@@ -158,7 +183,7 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls
 SigMatch *pm = SigMatchGetLastNocasePattern(s);
 if (pm == NULL) {
 SCLogError(SC_ERR_NOCASE_MISSING_PATTERN, "\"nocase\" needs a preceeding"
- " content, uricontent, http_client_body or http_cookie option");
+ " content, uricontent, http_client_body, http_header, http_method, http_uri, http_cookie option");
 SCReturnInt(-1);
 }
@@ -166,6 +191,8 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls
 DetectContentData *cd = NULL;
 DetectHttpClientBodyData *dhcb = NULL;
 DetectHttpCookieData *dhcd = NULL;
+ DetectHttpHeaderData *dhhd = NULL;
+ DetectHttpMethodData *dhmd = NULL;
 switch (pm->type) {
 case DETECT_URICONTENT:
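Review bot: The hhd_sm and hmd_sm blocks in SigMatchGetLastNocasePattern repeat, line for line, the grow-and-append sequence of the hcd_sm block just above them, including the hand-written function name in the fatal message. A small static helper would keep the allocation-failure handling in one place and make the next keyword a one-line addition. The sketch below assumes `sm_list_count` is a `uint8_t`; its declaration is above the hunk, so adjust the pointer type to match. The function starts and ends outside the hunk.

```c
/* Grow sm_list by one slot and store sm in it; a NULL sm is skipped. */
static SigMatch **NocaseListAppend(SigMatch **sm_list, uint8_t *sm_list_count, SigMatch *sm)
{
    if (sm == NULL)
        return sm_list;

    (*sm_list_count)++;
    sm_list = SCRealloc(sm_list, sizeof(SigMatch *) * (*sm_list_count));
    if (sm_list == NULL) {
        SCLogError(SC_ERR_FATAL, "Fatal error encountered in SigMatchGetLastNocasePattern. Exiting...");
        exit(EXIT_FAILURE);
    }
    sm_list[*sm_list_count - 1] = sm;
    return sm_list;
}

/* ... unchanged: earlier candidate lookups and appends ... */
    sm_list = NocaseListAppend(sm_list, &sm_list_count, hhd_sm);
    sm_list = NocaseListAppend(sm_list, &sm_list_count, hmd_sm);
```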
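Review bot: The updated error message in DetectNocaseSetup now names http_uri, but none of the hunks here adds a DETECT_AL_HTTP_URI lookup to SigMatchGetLastNocasePattern or a case to the switch below, and the newly included `detect-http-uri.h` has no visible user. If http_uri is only accepted because it is handled as uricontent elsewhere, a comment saying so would help; otherwise the message promises support the code does not show. The list also lost its conjunction: `" content, uricontent, http_client_body, http_header, http_method, http_uri or http_cookie option");`.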
@@ -195,6 +222,14 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls
 /* Recreate the context with nocase chars */
 BoyerMooreCtxToNocase(dhcb->bm_ctx, dhcb->content, dhcb->content_len);
 break;
+ case DETECT_AL_HTTP_HEADER:
+ dhhd =(DetectHttpHeaderData *) pm->ctx;
+ dhhd->flags |= DETECT_AL_HTTP_HEADER_NOCASE;
+ break;
+ case DETECT_AL_HTTP_METHOD:
+ dhmd =(DetectHttpMethodData *) pm->ctx;
+ dhmd->flags |= DETECT_AL_HTTP_METHOD_NOCASE;
+ break;
 case DETECT_AL_HTTP_COOKIE:
 dhcd = (DetectHttpCookieData *) pm->ctx;
 dhcd->flags |= DETECT_AL_HTTP_COOKIE_NOCASE;
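Review bot: The two new cases in DetectNocaseSetup only set a flag, while the http_client_body case directly above rebuilds its Boyer-Moore context for case-insensitive matching, and nothing explains the difference. A one-line comment would do, e.g. on the method case `/* DetectHttpMethodData keeps no search context; the match function picks SpmNocaseSearch from this flag */`. For http_header no match-side change is part of this patch, so whether DETECT_AL_HTTP_HEADER_NOCASE is honoured at inspection time cannot be confirmed from here and deserves a unit test with a mixed-case header value. The casts are also written `dhhd =(DetectHttpHeaderData *) pm->ctx;` without the space used in the cookie case. The switch continues outside the hunk.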