1 /* Copyright (C) 2007-2011 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \defgroup httplayer HTTP layer support
20  *
21  * @{
22  */
23 
24 /**
25  * \file
26  *
27  * \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
28  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
29  *
30  * This file provides HTTP protocol support for the engine using the HTP library.
31  */
32 
33 #ifndef __APP_LAYER_HTP_H__
34 #define __APP_LAYER_HTP_H__
35 
36 #include "util-radix-tree.h"
37 #include "util-file.h"
38 #include "app-layer-htp-mem.h"
39 #include "detect-engine-state.h"
40 #include "util-streaming-buffer.h"
41 
42 #include <htp/htp.h>
43 
44 /* Defaults for per-direction HTTP body handling. Where the names match, these
 * appear to seed the HTPCfgDir_ fields below (body_limit, inspect_min_size,
 * inspect_window) — confirm against HTPConfigure(). They bound how much body
 * data is buffered and inspected per transaction, i.e. they are resource caps
 * that a configuration may lower or raise. */
45 #define HTP_CONFIG_DEFAULT_REQUEST_BODY_LIMIT 4096U
46 #define HTP_CONFIG_DEFAULT_RESPONSE_BODY_LIMIT 4096U
47 #define HTP_CONFIG_DEFAULT_REQUEST_INSPECT_MIN_SIZE 32768U
48 #define HTP_CONFIG_DEFAULT_REQUEST_INSPECT_WINDOW 4096U
49 #define HTP_CONFIG_DEFAULT_RESPONSE_INSPECT_MIN_SIZE 32768U
50 #define HTP_CONFIG_DEFAULT_RESPONSE_INSPECT_WINDOW 4096U
/* Soft/hard limits on the size of a single header field. Presumably handed to
 * libhtp's field-limit configuration — confirm in HTPConfigure(). */
51 #define HTP_CONFIG_DEFAULT_FIELD_LIMIT_SOFT 9000U
52 #define HTP_CONFIG_DEFAULT_FIELD_LIMIT_HARD 18000U
53 
/* Randomisation of the inspection thresholds: an on/off default plus a range.
 * See the randomize / randomize_range fields of HTPCfgRec_. The presumed intent
 * is that a sender cannot rely on the exact inspection edge — confirm in
 * app-layer-htp.c. */
54 #define HTP_CONFIG_DEFAULT_RANDOMIZE 1
55 #define HTP_CONFIG_DEFAULT_RANDOMIZE_RANGE 10
56 
57 /** a multipart boundary should be smaller than this size; note that
 * HtpTxUserData_::boundary_len is a uint8_t, so the cap must stay below 256 */
58 #define HTP_BOUNDARY_MAX 200U
59 
60 // 0x0001 not used
/* Per-state flags. The _TS/_TC suffix names the direction (to-server /
 * to-client). All values fit in 16 bits, matching the uint16_t flags member of
 * HtpState_ — presumably where they are kept; confirm in app-layer-htp.c.
 * Bits 0x0008-0x0020 are currently unassigned. */
61 #define HTP_FLAG_STATE_CLOSED_TS 0x0002 /**< Flag to indicate that the HTTP
62  connection is closed in the to-server direction */
63 #define HTP_FLAG_STATE_CLOSED_TC 0x0004 /**< Flag to indicate that the HTTP
64  connection is closed in the to-client direction */
/* File storing flags, per direction. The _TX_ variants appear to scope the
 * request to the current transaction rather than the whole state — inferred
 * from the names, verify against the file-store code. */
65 #define HTP_FLAG_STORE_FILES_TS 0x0040
66 #define HTP_FLAG_STORE_FILES_TC 0x0080
67 #define HTP_FLAG_STORE_FILES_TX_TS 0x0100
68 #define HTP_FLAG_STORE_FILES_TX_TC 0x0200
69 
70 enum {
72  HTP_BODY_REQUEST_MULTIPART, /* POST, MP */
73  HTP_BODY_REQUEST_POST, /* POST, no MP */
75 };
76 
77 enum {
78  /* libhtp errors/warnings */
111  /* suricata errors/warnings */
115 };
117 typedef enum HtpSwfCompressType_ {
124 typedef struct HTPCfgDir_ {
125  uint32_t body_limit;
127  uint32_t inspect_window;
131 /** Need a linked list in order to keep track of these */
132 typedef struct HTPCfgRec_ {
133  htp_cfg_t *cfg;
134  struct HTPCfgRec_ *next;
136  int uri_include_all; /**< use all info in uri (bool) */
137 
138  /** max size of the client body we inspect */
139  int randomize;
140  int randomize_range;
152 /** One chunk of an HTTP body. Chunks form a singly linked list through
 * next; HtpBody_ keeps the first/last pointers. Used for both request and
 * response bodies (see HtpTxUserData_::request_body / response_body). */
153 struct HtpBodyChunk_ {
154  struct HtpBodyChunk_ *next; /**< Pointer to the next chunk */
155  int logged; /**< NOTE(review): presumably marks whether a logger has
  * already emitted this chunk — confirm against the body loggers */
156  StreamingBufferSegment sbseg; /**< segment of the body's streaming buffer
  * that holds this chunk's bytes — confirm in util-streaming-buffer.h */
157 } __attribute__((__packed__)); /* packed: no padding between members. Taking
  * the address of sbseg and passing it on may yield a misaligned pointer on
  * strict targets; access members directly where possible. */
159 
160 /** Struct used to hold all the chunks of a body on a request */
161 typedef struct HtpBody_ {
162  HtpBodyChunk *first; /**< Pointer to the first chunk */
163  HtpBodyChunk *last; /**< Pointer to the last chunk */
166 
167  /* Holds the length of the htp request body seen so far */
168  uint64_t content_len_so_far;
169  /* parser tracker */
170  uint64_t body_parsed;
171  /* inspection tracker */
172  uint64_t body_inspected;
173 } HtpBody;
/* Per-direction, per-transaction multipart/file state bits. All fit in 8 bits,
 * matching the uint8_t tsflags/tcflags members of HtpTxUserData_ — presumably
 * where they are stored; confirm in app-layer-htp.c. */
175 #define HTP_CONTENTTYPE_SET 0x01 /**< We have the content type */
176 #define HTP_BOUNDARY_SET 0x02 /**< We have a boundary string */
177 #define HTP_BOUNDARY_OPEN 0x04 /**< NOTE(review): carried the same text as
 HTP_BOUNDARY_SET; presumably means a boundary-delimited part is currently
 open — confirm in the multipart parsing code and reword */
178 #define HTP_FILENAME_SET 0x08 /**< filename is registered in the flow */
179 #define HTP_DONTSTORE 0x10 /**< not storing this file */
181 /** Body chunks are stored per transaction, in the
182  * transaction's user data */
/** Per-transaction user data attached to a libhtp transaction. Holds the
 * buffered request/response bodies, raw header copies, multipart boundary,
 * per-direction flags, decoder events and the detection engine state for
 * that transaction. */
183 typedef struct HtpTxUserData_ {
184  /** detection engine flags, per direction (to-server / to-client) */
185  uint64_t detect_flags_ts;
186  uint64_t detect_flags_tc;
188  /* Body of the request (if any). The _init bytes presumably record that
   * the corresponding HtpBody has been set up — confirm in app-layer-htp.c */
189  uint8_t request_body_init;
190  uint8_t response_body_init;
192  /* presumably non-zero once trailer headers were seen in that direction */
192  uint8_t request_has_trailers;
193  uint8_t response_has_trailers;
195  /* indicates which loggers have logged this tx (presumably a bitmask) */
196  uint32_t logged;
197 
198  HtpBody request_body;
199  HtpBody response_body;
201  bstr *request_uri_normalized; /**< normalized request URI (libhtp bstr) */
202 
  /* Raw copies of the request/response headers and their lengths.
   * NOTE(review): ownership/lifetime is not visible here — confirm they are
   * released together with this user data. */
203  uint8_t *request_headers_raw;
204  uint8_t *response_headers_raw;
205  uint32_t request_headers_raw_len;
206  uint32_t response_headers_raw_len;
208  AppLayerDecoderEvents *decoder_events; /**< per tx events */
209 
210  /** Holds the boundary identifier string if any (used on
211  * multipart/form-data only). boundary_len is a uint8_t, which is
   * sufficient because HTP_BOUNDARY_MAX is 200.
212  */
213  uint8_t *boundary;
214  uint8_t boundary_len;
  /* per-direction flags; presumably the HTP_CONTENTTYPE_SET / HTP_BOUNDARY_* /
   * HTP_FILENAME_SET / HTP_DONTSTORE bits defined above — confirm */
216  uint8_t tsflags;
217  uint8_t tcflags;
  /* presumably one of the HTP_BODY_REQUEST_* enum values — confirm */
219  uint8_t request_body_type;
220 
221  DetectEngineState *de_state; /**< detection engine state for this tx */
222 } HtpTxUserData;
224 typedef struct HtpState_ {
225  /* Connection parser structure for each connection */
226  htp_connp_t *connp;
227  /* Connection structure for each connection */
228  htp_conn_t *conn;
229  Flow *f; /**< Needed to retrieve the original flow when using HTPLib callbacks */
230  uint64_t transaction_cnt;
231  uint64_t store_tx_id;
232  FileContainer *files_ts;
233  FileContainer *files_tc;
234  const struct HTPCfgRec_ *cfg;
235  uint16_t flags;
236  uint16_t events;
237  uint16_t htp_messages_offset; /**< offset into conn->messages list */
238  uint64_t last_request_data_stamp;
239  uint64_t last_response_data_stamp;
/* Bits that tell the HTP parser which data some other part of the engine
 * consumes, so it can retain only what is needed. */
242 /** part of the engine needs the request body (e.g. http_client_body keyword) */
243 #define HTP_REQUIRE_REQUEST_BODY (1 << 0)
244 /** part of the engine needs the request body multipart header (e.g. filename
245  * and / or fileext keywords) */
246 #define HTP_REQUIRE_REQUEST_MULTIPART (1 << 1)
247 /** part of the engine needs the request file (e.g. log-file module) */
248 #define HTP_REQUIRE_REQUEST_FILE (1 << 2)
249 /** part of the engine needs the response body (e.g. file_data keyword) */
250 #define HTP_REQUIRE_RESPONSE_BODY (1 << 3)
251 
/** Process-wide flag word describing what the engine needs from HTP.
 * Presumably holds the HTP_REQUIRE_* bits above, set by the
 * AppLayerHtp*Callback / NeedFileInspection registration functions and read
 * from the packet-processing threads, hence atomic — inferred, confirm in
 * app-layer-htp.c. */
252 SC_ATOMIC_DECLARE(uint32_t, htp_config_flags);
253 
/** Register the HTTP protocol and state handling functions with the app layer
 * of the engine. */
254 void RegisterHTPParsers(void);
/** Register the unit tests for the HTTP protocol. */
255 void HTPParserRegisterTests(void);
/** Print the stats of the HTTP requests. */
256 void HTPAtExitPrintStats(void);
/** Clear the HTTP server configuration memory used by the HTP library. */
257 void HTPFreeConfig(void);
258 
/** Print the information and chunks of a body. */
259 void HtpBodyPrint(HtpBody *);
/** Free the information (chunks) held in a body. */
260 void HtpBodyFree(HtpBody *);
261 /* To free the state from unittests using app-layer-htp */
/** Free the HTTP state memory together with the HTTP connection parser memory
 * associated with it. The argument is an HtpState pointer passed as void *. */
262 void HTPStateFree(void *);
266 void AppLayerHtpPrintStats(void);
267 
/** Build the HTP configuration(s); presumably where the HTP_CONFIG_DEFAULT_*
 * values above are applied — confirm in app-layer-htp.c. */
268 void HTPConfigure(void);
269 
/* NOTE(review): presumably save and restore the active HTP configuration
 * (e.g. around unit tests) — confirm in app-layer-htp.c. */
270 void HtpConfigCreateBackup(void);
271 void HtpConfigRestoreBackup(void);
272 
273 #endif /* __APP_LAYER_HTP_H__ */
274 
275 /**
276  * @}
277  */