diff --git a/src/Makefile.am b/src/Makefile.am index b950ad220a..b760631521 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -165,6 +165,7 @@ detect-http-method.c detect-http-method.h \ detect-http-raw-header.c detect-http-raw-header.h \ detect-http-raw-uri.c detect-http-raw-uri.h \ detect-http-request-line.c detect-http-request-line.h \ +detect-http-response-line.c detect-http-response-line.h \ detect-http-server-body.c detect-http-server-body.h \ detect-http-stat-code.c detect-http-stat-code.h \ detect-http-stat-msg.c detect-http-stat-msg.h \ diff --git a/src/detect-engine-state.h b/src/detect-engine-state.h index 70d9d30fb4..c5b18c7300 100644 --- a/src/detect-engine-state.h +++ b/src/detect-engine-state.h @@ -93,6 +93,7 @@ #define DE_STATE_FLAG_TLSVALIDITY_INSPECT BIT_U32(27) #define DE_STATE_FLAG_DCE_PAYLOAD_INSPECT BIT_U32(28) #define DE_STATE_FLAG_TEMPLATE_BUFFER_INSPECT BIT_U32(29) +#define DE_STATE_FLAG_HTTP_RESLINE_INSPECT BIT_U32(30) /* state flags */ #define DETECT_ENGINE_STATE_FLAG_FILE_STORE_DISABLED 0x0001 diff --git a/src/detect-engine.c b/src/detect-engine.c index e5e2957005..6a22155690 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -73,6 +73,7 @@ #include "detect-engine-threshold.h" #include "detect-http-request-line.h" +#include "detect-http-response-line.h" #include "detect-engine-loader.h" @@ -352,6 +353,12 @@ void DetectEngineRegisterAppInspectionEngines(void) DE_STATE_FLAG_HSCD_INSPECT, 1, DetectEngineInspectHttpStatCode }, + { IPPROTO_TCP, + ALPROTO_HTTP, + DETECT_SM_LIST_HTTP_RESLINEMATCH, + DE_STATE_FLAG_HTTP_RESLINE_INSPECT, + 1, + DetectEngineInspectHttpResponseLine }, /* Modbus */ { IPPROTO_TCP, ALPROTO_MODBUS, @@ -2809,6 +2816,8 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type) return "http user-agent"; case DETECT_SM_LIST_HTTP_REQLINEMATCH: return "http request line"; + case DETECT_SM_LIST_HTTP_RESLINEMATCH: + return "http response line"; case DETECT_SM_LIST_APP_EVENT: return "app layer events"; diff --git a/src/detect-http-response-line.c b/src/detect-http-response-line.c new file mode 100644 index 0000000000..7b41311083 --- /dev/null +++ b/src/detect-http-response-line.c @@ -0,0 +1,331 @@ +/* Copyright (C) 2007-2016 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \ingroup httplayer + * + * @{ + */ + + +/** + * \file + * + * \author Victor Julien + * + * Implements support for the http_response_line keyword. + */ + +#include "suricata-common.h" +#include "threads.h" +#include "decode.h" + +#include "detect.h" +#include "detect-parse.h" +#include "detect-engine.h" +#include "detect-engine-mpm.h" +#include "detect-engine-state.h" +#include "detect-engine-prefilter.h" +#include "detect-engine-content-inspection.h" +#include "detect-content.h" +#include "detect-pcre.h" + +#include "flow.h" +#include "flow-var.h" +#include "flow-util.h" + +#include "util-debug.h" +#include "util-unittest.h" +#include "util-unittest-helper.h" +#include "util-spm.h" + +#include "app-layer.h" +#include "app-layer-parser.h" + +#include "app-layer-htp.h" +#include "stream-tcp.h" +#include "detect-http-response-line.h" + +int DetectHttpResponseLineSetup(DetectEngineCtx *, Signature *, char *); +void DetectHttpResponseLineRegisterTests(void); +void DetectHttpResponseLineFree(void *); +static int PrefilterTxHttpResponseLineRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx); + +/** + * \brief Registers the keyword handlers for the "http_response_line" keyword. + */ +void DetectHttpResponseLineRegister(void) +{ + sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].name = "http_response_line"; + sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].desc = "content modifier to match only on the HTTP response line"; + sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#http_response_line"; + sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].Match = NULL; + sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].AppLayerMatch = NULL; + sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].Setup = DetectHttpResponseLineSetup; + sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].RegisterTests = DetectHttpResponseLineRegisterTests; + + sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].flags |= SIGMATCH_PAYLOAD ; + + DetectMpmAppLayerRegister("http_response_line", SIG_FLAG_TOCLIENT, + DETECT_SM_LIST_HTTP_RESLINEMATCH, 2, + PrefilterTxHttpResponseLineRegister); + return; +} + +/** + * \brief The setup function for the http_response_line keyword for a signature. + * + * \param de_ctx Pointer to the detection engine context. + * \param s Pointer to the signature for the current Signature being + * parsed from the rules. + * \param m Pointer to the head of the SigMatch for the current rule + * being parsed. + * \param arg Pointer to the string holding the keyword value. + * + * \retval 0 On success + * \retval -1 On failure + */ +int DetectHttpResponseLineSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg) +{ + s->list = DETECT_SM_LIST_HTTP_RESLINEMATCH; + s->alproto = ALPROTO_HTTP; + return 0; +} + +/** \brief HTTP response line Mpm prefilter callback + * + * \param det_ctx detection engine thread ctx + * \param p packet to inspect + * \param f flow to inspect + * \param txv tx to inspect + * \param pectx inspection context + */ +static void PrefilterTxHttpResponseLine(DetectEngineThreadCtx *det_ctx, + const void *pectx, + Packet *p, Flow *f, void *txv, + const uint64_t idx, const uint8_t flags) +{ + SCEnter(); + + const MpmCtx *mpm_ctx = (MpmCtx *)pectx; + htp_tx_t *tx = (htp_tx_t *)txv; + + if (tx->response_line == NULL) + return; + + const uint32_t buffer_len = bstr_len(tx->response_line); + const uint8_t *buffer = bstr_ptr(tx->response_line); + + if (buffer_len >= mpm_ctx->minlen) { + (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx, + &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len); + } +} + +static int PrefilterTxHttpResponseLineRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx) +{ + SCEnter(); + + return PrefilterAppendTxEngine(sgh, PrefilterTxHttpResponseLine, + ALPROTO_HTTP, HTP_RESPONSE_LINE, + mpm_ctx, NULL, "http_response_line"); +} + +/** + * \brief Do the content inspection & validation for a signature + * + * \param de_ctx Detection engine context + * \param det_ctx Detection engine thread context + * \param s Signature to inspect + * \param sm SigMatch to inspect + * \param f Flow + * \param flags app layer flags + * \param state App layer state + * + * \retval 0 no match. + * \retval 1 match. + * \retval 2 Sig can't match. + */ +int DetectEngineInspectHttpResponseLine(ThreadVars *tv, + DetectEngineCtx *de_ctx, + DetectEngineThreadCtx *det_ctx, + Signature *s, Flow *f, uint8_t flags, + void *alstate, + void *txv, uint64_t tx_id) +{ + htp_tx_t *tx = (htp_tx_t *)txv; + + if (tx->response_line == NULL) { + if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, txv, flags) > HTP_RESPONSE_LINE) + return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH; + else + return DETECT_ENGINE_INSPECT_SIG_NO_MATCH; + } + + det_ctx->discontinue_matching = 0; + det_ctx->buffer_offset = 0; + det_ctx->inspection_recursion_counter = 0; + +#if 0 + PrintRawDataFp(stdout, (uint8_t *)bstr_ptr(tx->response_line), + bstr_len(tx->response_line)); +#endif + + /* run the inspection against the buffer */ + int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HTTP_RESLINEMATCH], + f, + bstr_ptr(tx->response_line), + bstr_len(tx->response_line), + 0, + DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); + if (r == 1) { + return DETECT_ENGINE_INSPECT_SIG_MATCH; + } else { + return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH; + } +} + +/************************************Unittests*********************************/ + +#ifdef UNITTESTS + +#include "stream-tcp-reassemble.h" + +/** + * \test Test that a signature containting a http_response_line is correctly parsed + * and the keyword is registered. + */ +static int DetectHttpResponseLineTest01(void) +{ + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + FAIL_IF_NULL(de_ctx); + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " + "(http_response_line; content:\"200 OK\"; sid:1;)"); + FAIL_IF_NULL(de_ctx->sig_list); + + DetectEngineCtxFree(de_ctx); + PASS; +} + + +/** + *\test Test that the http_response_line content matches against a http request + * which holds the content. + */ +static int DetectHttpResponseLineTest02(void) +{ + TcpSession ssn; + Packet *p = NULL; + ThreadVars th_v; + DetectEngineCtx *de_ctx = NULL; + DetectEngineThreadCtx *det_ctx = NULL; + HtpState *http_state = NULL; + Flow f; + uint8_t http_buf[] = + "GET /index.html HTTP/1.0\r\n" + "Host: www.openinfosecfoundation.org\r\n" + "User-Agent: This is dummy message body\r\n" + "Content-Type: text/html\r\n" + "\r\n"; + uint32_t http_len = sizeof(http_buf) - 1; + uint8_t http_buf2[] = + "HTTP/1.0 200 OK\r\n" + "Content-Type: text/html\r\n" + "Content-Length: 7\r\n" + "\r\n" + "message"; + uint32_t http_len2 = sizeof(http_buf2) - 1; + + AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); + FAIL_IF_NULL(alp_tctx); + + memset(&th_v, 0, sizeof(th_v)); + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); + FAIL_IF_NULL(p); + + FLOW_INITIALIZE(&f); + f.protoctx = (void *)&ssn; + f.proto = IPPROTO_TCP; + f.flags |= FLOW_IPV4; + + p->flow = &f; + p->flowflags |= (FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED); + p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST; + f.alproto = ALPROTO_HTTP; + + StreamTcpInitConfig(TRUE); + + de_ctx = DetectEngineCtxInit(); + FAIL_IF_NULL(de_ctx); + + de_ctx->flags |= DE_QUIET; + + de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any " + "(http_response_line; content:\"HTTP/1.0 200 OK\"; " + "sid:1;)"); + FAIL_IF_NULL(de_ctx->sig_list); + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + int r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len); + FAIL_IF(r != 0); + + http_state = f.alstate; + FAIL_IF_NULL(http_state); + + r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf2, http_len2); + FAIL_IF(r != 0); + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + FAIL_IF(PacketAlertCheck(p, 1)); + + p->flowflags = (FLOW_PKT_TOCLIENT|FLOW_PKT_ESTABLISHED); + + SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + FAIL_IF(!(PacketAlertCheck(p, 1))); + + AppLayerParserThreadCtxFree(alp_tctx); + DetectEngineCtxFree(de_ctx); + + StreamTcpFreeConfig(TRUE); + FLOW_DESTROY(&f); + UTHFreePackets(&p, 1); + PASS; +} + +#endif /* UNITTESTS */ + +void DetectHttpResponseLineRegisterTests(void) +{ +#ifdef UNITTESTS + UtRegisterTest("DetectHttpResponseLineTest01", DetectHttpResponseLineTest01); + UtRegisterTest("DetectHttpResponseLineTest02", DetectHttpResponseLineTest02); +#endif /* UNITTESTS */ + + return; +} +/** + * @} + */ diff --git a/src/detect-http-response-line.h b/src/detect-http-response-line.h new file mode 100644 index 0000000000..53e7480130 --- /dev/null +++ b/src/detect-http-response-line.h @@ -0,0 +1,35 @@ +/* Copyright (C) 2007-2016 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Victor Julien + */ + +#ifndef __DETECT_HTTP_RESPONSE_LINE_H__ +#define __DETECT_HTTP_RESPONSE_LINE_H__ + +int DetectEngineInspectHttpResponseLine(ThreadVars *tv, + DetectEngineCtx *de_ctx, + DetectEngineThreadCtx *det_ctx, + Signature *s, Flow *f, uint8_t flags, + void *alstate, + void *txv, uint64_t tx_id); +void DetectHttpResponseLineRegister(void); + +#endif /* __DETECT_HTTP_RESPONSE_LINE_H__ */ diff --git a/src/detect-parse.c b/src/detect-parse.c index 639c5aad90..ec7e0b18c8 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -156,6 +156,7 @@ const char *DetectListToHumanString(int list) CASE_CODE_STRING(DETECT_SM_LIST_HCDMATCH, "http_cookie"); CASE_CODE_STRING(DETECT_SM_LIST_HUADMATCH, "http_user_agent"); CASE_CODE_STRING(DETECT_SM_LIST_HTTP_REQLINEMATCH, "http_request_line"); + CASE_CODE_STRING(DETECT_SM_LIST_HTTP_RESLINEMATCH, "http_response_line"); CASE_CODE_STRING(DETECT_SM_LIST_APP_EVENT, "app-layer-event"); CASE_CODE_STRING(DETECT_SM_LIST_AMATCH, "app-layer"); CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc"); @@ -200,6 +201,7 @@ const char *DetectListToString(int list) CASE_CODE(DETECT_SM_LIST_HCDMATCH); CASE_CODE(DETECT_SM_LIST_HUADMATCH); CASE_CODE(DETECT_SM_LIST_HTTP_REQLINEMATCH); + CASE_CODE(DETECT_SM_LIST_HTTP_RESLINEMATCH); CASE_CODE(DETECT_SM_LIST_APP_EVENT); CASE_CODE(DETECT_SM_LIST_AMATCH); CASE_CODE(DETECT_SM_LIST_DMATCH); @@ -1563,6 +1565,8 @@ static Signature *SigInitHelper(DetectEngineCtx *de_ctx, char *sigstr, sig->flags |= SIG_FLAG_STATE_MATCH; if (sig->sm_lists[DETECT_SM_LIST_HTTP_REQLINEMATCH]) sig->flags |= SIG_FLAG_STATE_MATCH; + if (sig->sm_lists[DETECT_SM_LIST_HTTP_RESLINEMATCH]) + sig->flags |= SIG_FLAG_STATE_MATCH; if (sig->sm_lists[DETECT_SM_LIST_HCBDMATCH]) sig->flags |= SIG_FLAG_STATE_MATCH; if (sig->sm_lists[DETECT_SM_LIST_FILEDATA]) diff --git a/src/detect.c b/src/detect.c index 160feb323d..c80daf800b 100644 --- a/src/detect.c +++ b/src/detect.c @@ -143,6 +143,7 @@ #include "detect-http-raw-uri.h" #include "detect-http-stat-msg.h" #include "detect-http-request-line.h" +#include "detect-http-response-line.h" #include "detect-engine-hcbd.h" #include "detect-engine-hsbd.h" #include "detect-engine-hhd.h" @@ -4227,6 +4228,7 @@ void SigTableSetup(void) DetectTemplateBufferRegister(); DetectBypassRegister(); DetectHttpRequestLineRegister(); + DetectHttpResponseLineRegister(); } void SigTableRegisterTests(void) diff --git a/src/detect.h b/src/detect.h index ba154d11a0..c181c90a01 100644 --- a/src/detect.h +++ b/src/detect.h @@ -115,6 +115,8 @@ enum DetectSigmatchListEnum { DETECT_SM_LIST_HUADMATCH, /* list for http_request_line keyword and the ones relative to it */ DETECT_SM_LIST_HTTP_REQLINEMATCH, + /* list for http_response_line keyword and the ones relative to it */ + DETECT_SM_LIST_HTTP_RESLINEMATCH, /* app event engine sm list */ DETECT_SM_LIST_APP_EVENT, @@ -1231,6 +1233,7 @@ enum { DETECT_AL_HTTP_HOST, DETECT_AL_HTTP_RAW_HOST, DETECT_AL_HTTP_REQUEST_LINE, + DETECT_AL_HTTP_RESPONSE_LINE, DETECT_AL_SSH_PROTOVERSION, DETECT_AL_SSH_SOFTWAREVERSION, DETECT_AL_SSL_VERSION,