1 /* Copyright (C) 2007-2011 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \defgroup httplayer HTTP layer support
20  *
21  * @{
22  */
23 
24 /**
25  * \file
26  *
27  * \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
28  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
29  *
30  * This file provides HTTP protocol support for the engine using the HTP library.
31  */
32 
33 #ifndef __APP_LAYER_HTP_H__
34 #define __APP_LAYER_HTP_H__
35 
36 #include "util-radix-tree.h"
37 #include "util-file.h"
38 #include "app-layer-htp-mem.h"
39 #include "detect-engine-state.h"
40 #include "util-streaming-buffer.h"
41 
42 #include <htp/htp.h>
43 
/* Default parsing/inspection limits, in bytes. These presumably apply when the
 * corresponding setting is absent from the configuration (confirm in
 * HTPConfigure()). Body limits bound how much of a message body is kept;
 * the inspect min-size/window pairs presumably govern how much body must be
 * buffered before detection inspects it, and how much is inspected per pass
 * (see HtpBody.body_parsed / body_inspected). */
/* default request body limit */
#define HTP_CONFIG_DEFAULT_REQUEST_BODY_LIMIT 4096U
#define HTP_CONFIG_DEFAULT_RESPONSE_BODY_LIMIT 4096U
#define HTP_CONFIG_DEFAULT_REQUEST_INSPECT_MIN_SIZE 32768U
#define HTP_CONFIG_DEFAULT_REQUEST_INSPECT_WINDOW 4096U
#define HTP_CONFIG_DEFAULT_RESPONSE_INSPECT_MIN_SIZE 32768U
#define HTP_CONFIG_DEFAULT_RESPONSE_INSPECT_WINDOW 4096U
/* header field size limits; the hard limit is twice the soft one. NOTE(review):
 * what happens at each limit (event vs. stop parsing) is not visible here —
 * confirm against the libhtp field-limit handling. */
#define HTP_CONFIG_DEFAULT_FIELD_LIMIT_SOFT 9000U
#define HTP_CONFIG_DEFAULT_FIELD_LIMIT_HARD 18000U

/* randomization of the inspection sizes (enabled by default, range 10).
 * NOTE(review): presumably a +/- percentage jitter applied to the inspect
 * sizes so the inspection boundary is not predictable; see HTPCfgRec_
 * randomize / randomize_range — confirm in the parser. */
#define HTP_CONFIG_DEFAULT_RANDOMIZE 1
#define HTP_CONFIG_DEFAULT_RANDOMIZE_RANGE 10

/** upper bound on the length of a multipart boundary string; a boundary is
 *  expected to be smaller than this (HtpTxUserData.boundary_len is a uint8_t,
 *  which this value fits). */
#define HTP_BOUNDARY_MAX 200U

/* per-connection state flags (HtpState_.flags). TS/TC suffixes denote the
 * to-server / to-client direction, as elsewhere in this header. */
// 0x0001 not used
#define HTP_FLAG_STATE_CLOSED_TS 0x0002 /**< Flag to indicate that the HTTP connection is closed (to-server side) */
#define HTP_FLAG_STATE_CLOSED_TC 0x0004 /**< Flag to indicate that the HTTP connection is closed (to-client side) */
/* 0x0008 - 0x0020: not assigned in this header */
#define HTP_FLAG_STORE_FILES_TS 0x0040
#define HTP_FLAG_STORE_FILES_TC 0x0080
#define HTP_FLAG_STORE_FILES_TX_TS 0x0100
#define HTP_FLAG_STORE_FILES_TX_TC 0x0200
69 
/* Classification of a request body; presumably the values stored in
 * HtpTxUserData.request_body_type — confirm in the parser. */
enum {
    HTP_BODY_REQUEST_MULTIPART, /* POST, MP: multipart/form-data body */
    HTP_BODY_REQUEST_POST,      /* POST, no MP: plain (non-multipart) body */
};
76 
/* HTTP decoder event identifiers, in two groups: those originating from
 * libhtp and those raised by Suricata itself. NOTE(review): the individual
 * enumerators are elided on this page — see app-layer-htp.c for how they are
 * raised. */
enum {
    /* libhtp errors/warnings */
    /* suricata errors/warnings */
};
116 typedef enum HtpSwfCompressType_ {
123 typedef struct HTPCfgDir_ {
124  uint32_t body_limit;
126  uint32_t inspect_window;
130 /** Need a linked list in order to keep track of these */
131 typedef struct HTPCfgRec_ {
132  htp_cfg_t *cfg;
133  struct HTPCfgRec_ *next;
135  int uri_include_all; /**< use all info in uri (bool) */
136 
137  /** max size of the client body we inspect */
138  int randomize;
139  int randomize_range;
151 /** Struct used to hold chunks of a body on a request */
/** Struct used to hold chunks of a body on a request.
 *  The chunk payload is not stored inline: sbseg only references a segment
 *  of a streaming buffer (presumably the one owned by the enclosing HtpBody —
 *  confirm). The struct is packed, so no padding is inserted between fields
 *  and sbseg may be unaligned; keep the field order as is. */
struct HtpBodyChunk_ {
    struct HtpBodyChunk_ *next;   /**< Pointer to the next chunk */
    int logged;                   /**< non-zero once this chunk has been logged (presumably; confirm) */
    StreamingBufferSegment sbseg; /**< segment of the streaming buffer holding this chunk's data */
} __attribute__((__packed__));
158 
159 /** Struct used to hold all the chunks of a body on a request */
/** Struct used to hold all the chunks of a body on a request
 *  (also used for the response body via HtpTxUserData).
 *  Three 64-bit counters track the body independently: bytes received,
 *  bytes handed to the parser, and bytes already inspected by detection.
 *  NOTE(review): presumably body_inspected <= body_parsed <= content_len_so_far
 *  at all times — confirm in the parser/inspection code. */
typedef struct HtpBody_ {
    HtpBodyChunk *first; /**< Pointer to the first chunk */
    HtpBodyChunk *last;  /**< Pointer to the last chunk */

    /* Holds the length of the htp request body seen so far */
    uint64_t content_len_so_far;
    /* parser tracker: how far into the body the parser has progressed */
    uint64_t body_parsed;
    /* inspection tracker: how far into the body detection has inspected */
    uint64_t body_inspected;
} HtpBody;
/* Per-direction state bits for a transaction's body/file handling;
 * presumably kept in HtpTxUserData.tsflags / tcflags — confirm. */
#define HTP_CONTENTTYPE_SET 0x01 /**< We have the content type */
#define HTP_BOUNDARY_SET 0x02    /**< We have a boundary string */
#define HTP_BOUNDARY_OPEN 0x04   /**< NOTE(review): original comment duplicated HTP_BOUNDARY_SET's; by its name this marks a boundary-delimited part as currently open — confirm */
#define HTP_FILENAME_SET 0x08    /**< filename is registered in the flow */
#define HTP_DONTSTORE 0x10       /**< not storing this file */
180 /** Now the Body Chunks will be stored per transaction, at
181  * the tx user data */
/** Now the Body Chunks will be stored per transaction, at
 *  the tx user data.
 *  Per-transaction state attached to a libhtp transaction: bodies for both
 *  directions, raw header copies, the multipart boundary and detection state.
 *  NOTE(review): ownership of the pointer members (who frees them) is not
 *  visible in this header — confirm in the tx user data free routine. */
typedef struct HtpTxUserData_ {
    /** detection engine flags, one set per direction (ts = to-server, tc = to-client) */
    uint64_t detect_flags_ts;
    uint64_t detect_flags_tc;
    /* Body of the request (if any) */
    /* non-zero once the corresponding HtpBody has been initialised (presumably; confirm) */
    uint8_t request_body_init;
    uint8_t response_body_init;
    /* non-zero when the message carried trailer headers (presumably; confirm) */
    uint8_t request_has_trailers;
    uint8_t response_has_trailers;
    /* indicates which loggers that have logged (bitmask, presumably one bit per logger) */
    uint32_t logged;

    HtpBody request_body;
    HtpBody response_body;
    /* normalized request URI as a libhtp bstr */
    bstr *request_uri_normalized;

    /* raw copies of the request/response headers with their byte lengths;
     * NOTE(review): presumably not NUL-terminated, always use the _len — confirm */
    uint8_t *request_headers_raw;
    uint8_t *response_headers_raw;
    uint32_t request_headers_raw_len;
    uint32_t response_headers_raw_len;
    AppLayerDecoderEvents *decoder_events; /**< per tx events */

    /** Holds the boundary identificator string if any (used on
     * multipart/form-data only). The value comes from the peer's
     * Content-Type header; boundary_len is a uint8_t, which is sufficient
     * because HTP_BOUNDARY_MAX is 200 — the length check is presumably done
     * when the boundary is set (confirm in the parser).
     */
    uint8_t *boundary;
    uint8_t boundary_len;
    /* per-direction HTP_CONTENTTYPE_SET / HTP_BOUNDARY_* / HTP_FILENAME_SET /
     * HTP_DONTSTORE bits (presumably; confirm) */
    uint8_t tsflags;
    uint8_t tcflags;
    /* presumably one of the HTP_BODY_REQUEST_* enumerators — confirm */
    uint8_t request_body_type;

    /* detection engine state for this transaction (detect-engine-state.h) */
    DetectEngineState *de_state;
} HtpTxUserData;
223 typedef struct HtpState_ {
224  /* Connection parser structure for each connection */
225  htp_connp_t *connp;
226  /* Connection structure for each connection */
227  htp_conn_t *conn;
228  Flow *f; /**< Needed to retrieve the original flow when usin HTPLib callbacks */
229  uint64_t transaction_cnt;
230  uint64_t store_tx_id;
231  FileContainer *files_ts;
232  FileContainer *files_tc;
233  const struct HTPCfgRec_ *cfg;
234  uint16_t flags;
235  uint16_t events;
236  uint16_t htp_messages_offset; /**< offset into conn->messages list */
237  uint64_t last_request_data_stamp;
238  uint64_t last_response_data_stamp;
/* Engine-wide requirement bits, presumably OR'ed into the atomic
 * htp_config_flags declared below so the parser only buffers what some
 * consumer actually needs — confirm in the AppLayerHtp*Enable*/Need*
 * setters. */
/** part of the engine needs the request body (e.g. http_client_body keyword) */
#define HTP_REQUIRE_REQUEST_BODY (1 << 0)
/** part of the engine needs the request body multipart header (e.g. filename
 * and / or fileext keywords) */
#define HTP_REQUIRE_REQUEST_MULTIPART (1 << 1)
/** part of the engine needs the request file (e.g. log-file module) */
#define HTP_REQUIRE_REQUEST_FILE (1 << 2)
/** part of the engine needs the response body (e.g. file_data keyword) */
#define HTP_REQUIRE_RESPONSE_BODY (1 << 3)

/* atomic so that the HTP_REQUIRE_* bits can be set from registration code
 * while parser threads read them (presumably; confirm usage) */
SC_ATOMIC_DECLARE(uint32_t, htp_config_flags);
252 
/** Register the HTTP protocol and state handling functions to the APP layer of the engine. */
void RegisterHTPParsers(void);
/** Register the unit tests for the HTTP protocol. */
void HTPParserRegisterTests(void);
/** Print the stats of the HTTP requests. */
void HTPAtExitPrintStats(void);
/** Clear the HTTP server configuration memory used by the HTP library. */
void HTPFreeConfig(void);

/** Print the information and chunks of a body. */
void HtpBodyPrint(HtpBody *);
/** Free the information held in the request body. */
void HtpBodyFree(HtpBody *);
/* To free the state from unittests using app-layer-htp */
/** Free the HTTP state memory and the HTTP connection parser memory it
 *  holds. The argument is an HtpState pointer passed as void * (presumably
 *  the generic app-layer state-free callback signature — confirm). */
void HTPStateFree(void *);
void AppLayerHtpPrintStats(void);

/** Apply the HTTP configuration (presumably reads the libhtp settings from
 *  the yaml config and applies the HTP_CONFIG_DEFAULT_* values where absent
 *  — confirm). */
void HTPConfigure(void);

/* NOTE(review): presumably save/restore the active HTP configuration around
 * unit tests — confirm against their callers. */
void HtpConfigCreateBackup(void);
void HtpConfigRestoreBackup(void);
271 
272 #endif /* __APP_LAYER_HTP_H__ */
273 
274 /**
275  * @}
276  */