1 /* Copyright (C) 2007-2011 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \defgroup httplayer HTTP layer support
20  *
21  * @{
22  */
23 
24 /**
25  * \file
26  *
27  * \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
28  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
29  *
30  * This file provides HTTP protocol support for the engine, using the libhtp library for parsing.
31  */
32 
33 #ifndef __APP_LAYER_HTP_H__
34 #define __APP_LAYER_HTP_H__
35 
36 #include "util-radix-tree.h"
37 #include "util-file.h"
38 #include "app-layer-htp-mem.h"
39 #include "detect-engine-state.h"
40 #include "util-streaming-buffer.h"
41 
42 #include <htp/htp.h>
43 
44 /* defaults for the per-direction body limits and inspection sizes (see HTPCfgDir::body_limit, ::inspect_min_size and ::inspect_window); the libhtp config presumably lets these be overridden per server */
45 #define HTP_CONFIG_DEFAULT_REQUEST_BODY_LIMIT 4096U /**< default HTPCfgDir::body_limit for the request direction */
46 #define HTP_CONFIG_DEFAULT_RESPONSE_BODY_LIMIT 4096U /**< default HTPCfgDir::body_limit for the response direction */
47 #define HTP_CONFIG_DEFAULT_REQUEST_INSPECT_MIN_SIZE 32768U /**< default HTPCfgDir::inspect_min_size for requests */
48 #define HTP_CONFIG_DEFAULT_REQUEST_INSPECT_WINDOW 4096U /**< default HTPCfgDir::inspect_window for requests */
49 #define HTP_CONFIG_DEFAULT_RESPONSE_INSPECT_MIN_SIZE 32768U /**< default HTPCfgDir::inspect_min_size for responses */
50 #define HTP_CONFIG_DEFAULT_RESPONSE_INSPECT_WINDOW 4096U /**< default HTPCfgDir::inspect_window for responses */
51 #define HTP_CONFIG_DEFAULT_FIELD_LIMIT_SOFT 9000U /**< libhtp header field length limits (soft / hard); what libhtp does past each threshold is not visible here — confirm against the libhtp field-limit API before changing */
52 #define HTP_CONFIG_DEFAULT_FIELD_LIMIT_HARD 18000U
53 
54 /* default libhtp decompression limits, taken from libhtp: the memory libhtp may use for lzma decoding, and the decompressed size past which a body is treated as a compression bomb. Raising these increases the memory an attacker can make a single body consume. */
55 #define HTP_CONFIG_DEFAULT_LZMA_MEMLIMIT 1048576U /**< 1 MiB */
56 #define HTP_CONFIG_DEFAULT_COMPRESSION_BOMB_LIMIT 1048576U /**< 1 MiB */
57 
58 #define HTP_CONFIG_DEFAULT_RANDOMIZE 1 /**< default for HTPCfgRec::randomize (bool): randomize the inspection sizes, presumably so inspection boundaries are less predictable to an evader — confirm in HTPConfigure */
59 #define HTP_CONFIG_DEFAULT_RANDOMIZE_RANGE 10 /**< default for HTPCfgRec::randomize_range; the unit (presumably a percentage of the configured size) is not visible here — confirm in HTPConfigure */
60 
61 /** maximum accepted length of a multipart boundary string. Must stay below 256: HtpTxUserData::boundary_len is a uint8_t, so a larger limit would silently truncate the stored length. */
62 #define HTP_BOUNDARY_MAX 200U
63 
64 // 0x0001 not used (nor are 0x0008, 0x0010 and 0x0020). These live in HtpState::flags, a uint16_t, so new values must stay <= 0x8000.
65 #define HTP_FLAG_STATE_CLOSED_TS 0x0002 /**< Flag to indicate that the to-server
66  (request) side of the HTTP connection is closed */
67 #define HTP_FLAG_STATE_CLOSED_TC 0x0004 /**< Flag to indicate that the to-client
68  (response) side of the HTTP connection is closed */
69 #define HTP_FLAG_STORE_FILES_TS 0x0040 /**< store files seen in the to-server direction; presumably applies to the whole state, unlike the _TX_ variants — confirm in app-layer-htp.c */
70 #define HTP_FLAG_STORE_FILES_TC 0x0080 /**< store files seen in the to-client direction (state-wide, presumably) */
71 #define HTP_FLAG_STORE_FILES_TX_TS 0x0100 /**< store to-server files for the current transaction only (presumably, from the name) */
72 #define HTP_FLAG_STORE_FILES_TX_TC 0x0200 /**< store to-client files for the current transaction only (presumably, from the name) */
73 
74 enum {
76  HTP_BODY_REQUEST_MULTIPART, /* POST, MP */
77  HTP_BODY_REQUEST_POST, /* POST, no MP */
79 };
80 
81 enum {
82  /* libhtp errors/warnings */
131  /* suricata errors/warnings */
135 };
137 typedef enum HtpSwfCompressType_ {
144 typedef struct HTPCfgDir_ {
145  uint32_t body_limit;
147  uint32_t inspect_window;
151 /** Need a linked list in order to keep track of these */
152 typedef struct HTPCfgRec_ {
153  htp_cfg_t *cfg;
154  struct HTPCfgRec_ *next;
156  int uri_include_all; /**< use all info in uri (bool) */
157 
158  /** randomize the inspection sizes (bool) and the range of that randomization; defaults are HTP_CONFIG_DEFAULT_RANDOMIZE and HTP_CONFIG_DEFAULT_RANDOMIZE_RANGE. (The body size limits are not here; they are per direction in HTPCfgDir.) */
159  int randomize;
160  int randomize_range;
172 /** Struct used to hold one chunk of a body (request or response; HtpBody is used for both) */
173 struct HtpBodyChunk_ {
174  struct HtpBodyChunk_ *next; /**< Pointer to the next chunk; NULL for the last chunk (HtpBody::last) */
175  int logged; /**< presumably set once a logger has emitted this chunk, the per-chunk counterpart of HtpTxUserData::logged — confirm in app-layer-htp.c */
176  StreamingBufferSegment sbseg; /**< where this chunk's bytes sit in the body's streaming buffer (a segment descriptor, not a copy of the data — presumably; see util-streaming-buffer.h) */
177 } __attribute__((__packed__)); /* packed to keep per-chunk overhead minimal; members after `next` may therefore be unaligned, so access them through the struct, never through a cast pointer */
179 
180 /** Struct used to hold all the chunks of a body on a request */
181 typedef struct HtpBody_ {
182  HtpBodyChunk *first; /**< Pointer to the first chunk */
183  HtpBodyChunk *last; /**< Pointer to the last chunk */
186 
187  /* Holds the length of the htp body (request or response) seen so far; the same struct backs both HtpTxUserData::request_body and ::response_body */
188  uint64_t content_len_so_far;
189  /* parser tracker */
190  uint64_t body_parsed;
191  /* inspection tracker */
192  uint64_t body_inspected;
193 } HtpBody;
195 #define HTP_CONTENTTYPE_SET BIT_U8(0) /**< We have the content type. These BIT_U8 flags presumably live in HtpTxUserData::tsflags / ::tcflags (uint8_t), which leaves room for only two more bits. */
196 #define HTP_BOUNDARY_SET BIT_U8(1) /**< We have a boundary string (HtpTxUserData::boundary) */
197 #define HTP_BOUNDARY_OPEN BIT_U8(2) /**< a multipart part has been opened by a boundary and its closing boundary not yet seen — presumably; confirm in the multipart code in app-layer-htp.c */
198 #define HTP_FILENAME_SET BIT_U8(3) /**< filename is registered in the flow */
199 #define HTP_DONTSTORE BIT_U8(4) /**< not storing this file */
200 #define HTP_STREAM_DEPTH_SET BIT_U8(5) /**< stream-depth is set */
202 /** Per-transaction state attached to the libhtp transaction as its user data;
203  * the body chunks are kept here, per transaction, rather than on the connection state */
204 typedef struct HtpTxUserData_ {
205  /** detection engine flags, per direction (ts = to-server / request side, tc = to-client / response side) */
206  uint64_t detect_flags_ts;
207  uint64_t detect_flags_tc;
209  /* non-zero once the request / response HtpBody below has been set up (presumably; confirm in app-layer-htp.c) */
210  uint8_t request_body_init;
211  uint8_t response_body_init;
213  uint8_t request_has_trailers; /**< non-zero if the request carried trailer headers */
214  uint8_t response_has_trailers; /**< non-zero if the response carried trailer headers */
216  /* indicates which loggers have logged this tx (presumably a bitmask, one bit per logger) */
217  uint32_t logged;
218 
219  HtpBody request_body; /**< request body chunks (see HtpBody) */
220  HtpBody response_body; /**< response body chunks (see HtpBody) */
222  bstr *request_uri_normalized; /**< normalized request URI as a libhtp bstr */
223 
224  uint8_t *request_headers_raw; /**< raw request header bytes; presumably owned by this tx and released when it is freed — confirm */
225  uint8_t *response_headers_raw; /**< raw response header bytes; ownership as above */
226  uint32_t request_headers_raw_len; /**< length of request_headers_raw in bytes */
227  uint32_t response_headers_raw_len; /**< length of response_headers_raw in bytes */
229  AppLayerDecoderEvents *decoder_events; /**< per tx events */
230 
231  /** Holds the boundary identification string if any (used on
232  * multipart/form-data only). boundary_len is a uint8_t, so a boundary
233  * must be shorter than 256 bytes; HTP_BOUNDARY_MAX (200) keeps it so. */
234  uint8_t *boundary;
235  uint8_t boundary_len;
237  uint8_t tsflags; /**< to-server flags, presumably the HTP_*_SET / HTP_DONTSTORE BIT_U8 bits above */
238  uint8_t tcflags; /**< to-client flags, same bit layout */
240  uint8_t request_body_type; /**< one of the HTP_BODY_REQUEST_* enum values */
241 
242  DetectEngineState *de_state; /**< detection engine state for this tx */
243 } HtpTxUserData;
245 typedef struct HtpState_ {
246  /* Connection parser structure for each connection */
247  htp_connp_t *connp;
248  /* Connection structure for each connection */
249  htp_conn_t *conn;
250  Flow *f; /**< Needed to retrieve the original flow when using HTPLib callbacks */
251  uint64_t transaction_cnt;
252  uint64_t store_tx_id;
253  FileContainer *files_ts;
254  FileContainer *files_tc;
255  const struct HTPCfgRec_ *cfg;
256  uint16_t flags;
257  uint16_t events;
258  uint16_t htp_messages_offset; /**< offset into conn->messages list */
259  uint32_t file_track_id; /**< used to assign file track ids to files */
260  uint64_t last_request_data_stamp;
261  uint64_t last_response_data_stamp;
264 /** part of the engine needs the request body (e.g. http_client_body keyword) */
265 #define HTP_REQUIRE_REQUEST_BODY (1 << 0)
266 /** part of the engine needs the request body multipart header (e.g. filename
267  * and / or fileext keywords) */
268 #define HTP_REQUIRE_REQUEST_MULTIPART (1 << 1)
269 /** part of the engine needs the request file (e.g. log-file module) */
270 #define HTP_REQUIRE_REQUEST_FILE (1 << 2)
271 /** part of the engine needs the response body (e.g. file_data keyword) */
272 #define HTP_REQUIRE_RESPONSE_BODY (1 << 3)
273 
274 SC_ATOMIC_DECLARE(uint32_t, htp_config_flags); /**< global bitmask of the HTP_REQUIRE_* bits above; presumably set by the AppLayerHtpEnable*Callback / AppLayerHtpNeedFileInspection functions at registration time and read by the parser to skip buffering nobody needs — confirm in app-layer-htp.c */
275 
276 void RegisterHTPParsers(void); /**< register the HTTP protocol and its state handling functions with the app layer */
277 void HTPParserRegisterTests(void); /**< register the HTTP unit tests */
278 void HTPAtExitPrintStats(void); /**< print the HTTP request stats at exit */
279 void HTPFreeConfig(void); /**< free the libhtp server configuration memory */
280 
281 void HtpBodyPrint(HtpBody *); /**< debug-print the information and chunks of a body */
282 void HtpBodyFree(HtpBody *); /**< free the information held in a body (the chunks; the HtpBody itself is embedded in HtpTxUserData) */
283 /* Frees an HtpState (the void * is the opaque app-layer state handle) together with the libhtp
284  * connection parser it owns; also used to free the state from unittests using app-layer-htp */
284 void HTPStateFree(void *);
288 void AppLayerHtpPrintStats(void); /**< print app-layer HTTP stats */
289 
290 void HTPConfigure(void); /**< build the libhtp configuration(s) from the engine configuration */
291 
292 void HtpConfigCreateBackup(void); /**< save the active libhtp config, presumably so a test can install a temporary one — confirm */
293 void HtpConfigRestoreBackup(void); /**< restore the config saved by HtpConfigCreateBackup */
294 
295 #endif /* __APP_LAYER_HTP_H__ */
296 
297 /**
298  * @}
299  */