detect: implement http {location,server} sticky buffer

This implements inspection of the Server and Location buffer as a content sticky buffer.
7 years ago · 81c1af0887
parent 081fdc6804
commit 81c1af0887
7 changed files with 154 additions and 0 deletions
--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -179,12 +179,14 @@ detect-http-headers.c detect-http-headers.h detect-http-headers-stub.h \
 detect-http-header-common.c detect-http-header-common.h \
 detect-http-header-names.c detect-http-header-names.h \
 detect-http-hh.c detect-http-hh.h \
+detect-http-location.c detect-http-location.h \
 detect-http-method.c detect-http-method.h \
 detect-http-protocol.c detect-http-protocol.h \
 detect-http-raw-header.c detect-http-raw-header.h \
 detect-http-referer.c detect-http-referer.h \
 detect-http-request-line.c detect-http-request-line.h \
 detect-http-response-line.c detect-http-response-line.h \
+detect-http-server.c detect-http-server.h \
 detect-http-server-body.c detect-http-server-body.h \
 detect-http-start.c detect-http-start.h \
 detect-http-stat-code.c detect-http-stat-code.h \
--- a/src/detect-engine-register.h
+++ b/src/detect-engine-register.h
@ -131,6 +131,8 @@ enum {
    DETECT_AL_HTTP_HEADER_CONNECTION,
    DETECT_AL_HTTP_HEADER_CONTENT_LEN,
    DETECT_AL_HTTP_HEADER_CONTENT_TYPE,
+    DETECT_AL_HTTP_HEADER_LOCATION,
+    DETECT_AL_HTTP_HEADER_SERVER,
    DETECT_AL_HTTP_HEADER_REFERER,
    DETECT_AL_HTTP_RAW_HEADER,
    DETECT_HTTP_RAW_HEADER,
--- a/src/detect-http-headers.c
+++ b/src/detect-http-headers.c
@ -21,6 +21,8 @@
 #include "detect-http-connection.h"
 #include "detect-http-content-len.h"
 #include "detect-http-content-type.h"
+#include "detect-http-location.h"
+#include "detect-http-server.h"
 #include "detect-http-referer.h"
 #include "detect-http-headers.h"

@ -33,5 +35,7 @@ void DetectHttpHeadersRegister(void)
    RegisterHttpHeadersConnection();
    RegisterHttpHeadersContentLen();
    RegisterHttpHeadersContentType();
+    RegisterHttpHeadersServer();
+    RegisterHttpHeadersLocation();
 }

--- a/src/detect-http-location.c
+++ b/src/detect-http-location.c
@ -0,0 +1,50 @@
+/* Copyright (C) 2007-2019 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \ingroup httplayer
+ *
+ * @{
+ */
+
+
+/**
+ * \file
+ *
+ * \author Jeff Lucovsky <jeff@lucovsky.org>
+ *
+ * Implements http.location sticky buffer
+ *
+ * "Location" is an HTTP response-header field used to redirect the recipient to
+ * a location other than the Request-URI for request completion.
+ */
+
+#define KEYWORD_NAME "http.location"
+#define KEYWORD_DOC "http-keywords.html#http-location"
+#define BUFFER_NAME "http.location"
+#define BUFFER_DESC "http location header"
+#define HEADER_NAME "Location"
+#define KEYWORD_ID DETECT_AL_HTTP_HEADER_LOCATION
+#define KEYWORD_TOCLIENT 1
+
+#include "detect-http-headers-stub.h"
+#include "detect-http-location.h"
+
+void RegisterHttpHeadersLocation(void)
+{
+    DetectHttpHeadersRegisterStub();
+}
--- a/src/detect-http-location.h
+++ b/src/detect-http-location.h
@ -0,0 +1,23 @@
+/* Copyright (C) 2007-2019 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#ifndef __DETECT_HTTP_LOCATION_H__
+#define __DETECT_HTTP_LOCATION_H__
+
+void RegisterHttpHeadersLocation(void);
+
+#endif /* __DETECT_HTTP_LOCATION_H__ */
--- a/src/detect-http-server.c
+++ b/src/detect-http-server.c
@ -0,0 +1,50 @@
+/* Copyright (C) 2007-2019 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \ingroup httplayer
+ *
+ * @{
+ */
+
+
+/**
+ * \file
+ *
+ * \author Jeff Lucovsky <jeff@lucovsky.org>
+ *
+ * Implements http.server sticky buffer
+ *
+ * "Server" is an HTTP response-header field containing information about the software
+ * used by the origin server to handle the request.
+ */
+
+#define KEYWORD_NAME "http.server"
+#define KEYWORD_DOC "http-keywords.html#http-server"
+#define BUFFER_NAME "http.server"
+#define BUFFER_DESC "http server header"
+#define HEADER_NAME "Server"
+#define KEYWORD_ID DETECT_AL_HTTP_HEADER_SERVER
+#define KEYWORD_TOCLIENT 1
+
+#include "detect-http-headers-stub.h"
+#include "detect-http-server.h"
+
+void RegisterHttpHeadersServer(void)
+{
+    DetectHttpHeadersRegisterStub();
+}
--- a/src/detect-http-server.h
+++ b/src/detect-http-server.h
@ -0,0 +1,23 @@
+/* Copyright (C) 2007-2019 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#ifndef __DETECT_HTTP_SERVER_H__
+#define __DETECT_HTTP_SERVER_H__
+
+void RegisterHttpHeadersServer(void);
+
+#endif /* __DETECT_HTTP_SERVER_H__ */