1 /* Copyright (C) 2007-2011 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \defgroup httplayer HTTP layer support
20  *
21  * @{
22  */
23 
24 /**
25  * \file
26  *
27  * \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
28  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
29  *
 * This file provides HTTP protocol support for the engine using the HTP library.
31  */
32 
33 #ifndef __APP_LAYER_HTP_H__
34 #define __APP_LAYER_HTP_H__
35 
36 #include "util-radix-tree.h"
37 #include "util-file.h"
38 #include "app-layer-htp-mem.h"
39 #include "detect-engine-state.h"
40 #include "util-streaming-buffer.h"
41 
42 #include <htp/htp.h>
43 
44 /* default request body limit */
45 #define HTP_CONFIG_DEFAULT_REQUEST_BODY_LIMIT 4096U
46 #define HTP_CONFIG_DEFAULT_RESPONSE_BODY_LIMIT 4096U
47 #define HTP_CONFIG_DEFAULT_REQUEST_INSPECT_MIN_SIZE 32768U
48 #define HTP_CONFIG_DEFAULT_REQUEST_INSPECT_WINDOW 4096U
49 #define HTP_CONFIG_DEFAULT_RESPONSE_INSPECT_MIN_SIZE 32768U
50 #define HTP_CONFIG_DEFAULT_RESPONSE_INSPECT_WINDOW 4096U
51 #define HTP_CONFIG_DEFAULT_FIELD_LIMIT_SOFT 9000U
52 #define HTP_CONFIG_DEFAULT_FIELD_LIMIT_HARD 18000U
53 
54 #define HTP_CONFIG_DEFAULT_RANDOMIZE 1
55 #define HTP_CONFIG_DEFAULT_RANDOMIZE_RANGE 10
56 
/** Upper bound on the length of a multipart boundary string that is kept.
 *  HtpTxUserData_.boundary_len is a uint8_t, so this must stay <= 255. */
#define HTP_BOUNDARY_MAX 200U

/* Per-state flags (HtpState_.flags). The _TS / _TC suffix follows the
 * convention used elsewhere in this header: to-server / to-client direction. */
// 0x0001 not used
#define HTP_FLAG_STATE_CLOSED_TS 0x0002 /**< Flag to indicate that HTTP
                                             connection is closed (to-server side) */
#define HTP_FLAG_STATE_CLOSED_TC 0x0004 /**< Flag to indicate that HTTP
                                             connection is closed (to-client side) */
#define HTP_FLAG_STORE_FILES_TS 0x0040  /**< store files seen in the to-server direction */
#define HTP_FLAG_STORE_FILES_TC 0x0080  /**< store files seen in the to-client direction */
#define HTP_FLAG_STORE_FILES_TX_TS 0x0100 /**< as above, but requested for a single tx (presumably; confirm in parser) */
#define HTP_FLAG_STORE_FILES_TX_TC 0x0200
69 
70 enum {
72  HTP_BODY_REQUEST_MULTIPART, /* POST, MP */
73  HTP_BODY_REQUEST_POST, /* POST, no MP */
75 };
76 
77 enum {
78  /* libhtp errors/warnings */
122  /* suricata errors/warnings */
126 };
128 typedef enum HtpSwfCompressType_ {
135 typedef struct HTPCfgDir_ {
136  uint32_t body_limit;
138  uint32_t inspect_window;
142 /** Need a linked list in order to keep track of these */
143 typedef struct HTPCfgRec_ {
144  htp_cfg_t *cfg;
145  struct HTPCfgRec_ *next;
147  int uri_include_all; /**< use all info in uri (bool) */
148 
149  /** max size of the client body we inspect */
150  int randomize;
151  int randomize_range;
/** Struct used to hold chunks of a body on a request.
 *
 *  Chunks form a singly linked list (see HtpBody_.first / last). The chunk
 *  payload is not stored inline; sbseg locates it in the body's streaming
 *  buffer (util-streaming-buffer.h).
 *
 *  NOTE(review): the struct is packed and contains a pointer and an embedded
 *  StreamingBufferSegment. Taking the address of a member (e.g. passing
 *  &chunk->sbseg to a helper) may yield an under-aligned pointer on
 *  strict-alignment targets (GCC warns with -Waddress-of-packed-member);
 *  confirm that callers only access members through the struct itself. */
struct HtpBodyChunk_ {
    struct HtpBodyChunk_ *next;     /**< Pointer to the next chunk */
    int logged;                     /**< non-zero once this chunk has been logged (presumably; confirm in the loggers) */
    StreamingBufferSegment sbseg;   /**< segment of the streaming buffer holding this chunk's data */
} __attribute__((__packed__));
170 
171 /** Struct used to hold all the chunks of a body on a request */
172 typedef struct HtpBody_ {
173  HtpBodyChunk *first; /**< Pointer to the first chunk */
174  HtpBodyChunk *last; /**< Pointer to the last chunk */
177 
178  /* Holds the length of the htp request body seen so far */
179  uint64_t content_len_so_far;
180  /* parser tracker */
181  uint64_t body_parsed;
182  /* inspection tracker */
183  uint64_t body_inspected;
184 } HtpBody;
/* Per-direction transaction flags. They are 8-bit values, matching the
 * uint8_t tsflags / tcflags fields of HtpTxUserData_ below. */
#define HTP_CONTENTTYPE_SET 0x01 /**< We have the content type */
#define HTP_BOUNDARY_SET 0x02 /**< We have a boundary string */
#define HTP_BOUNDARY_OPEN 0x04 /**< presumably: a multipart boundary is currently open
                                    (the original comment duplicated HTP_BOUNDARY_SET;
                                    confirm against the multipart parsing code) */
#define HTP_FILENAME_SET 0x08 /**< filename is registered in the flow */
#define HTP_DONTSTORE 0x10 /**< not storing this file */
/** Now the Body Chunks will be stored per transaction, at
 *  the tx user data.
 *
 *  One instance per HTTP transaction, attached as libhtp tx user data.
 *  Ownership of the heap pointers held here (request_headers_raw,
 *  response_headers_raw, boundary, request_uri_normalized, de_state,
 *  decoder_events) is not visible in this header; presumably they are
 *  released by the tx user data free routine in the parser - confirm
 *  before freeing any of them elsewhere. */
typedef struct HtpTxUserData_ {
    /** detection engine flags, one set per direction (ts = to server,
     *  tc = to client, following the suffix convention of the HTP_FLAG_*
     *  defines above) */
    uint64_t detect_flags_ts;
    uint64_t detect_flags_tc;

    /* Body of the request (if any) */
    uint8_t request_body_init;      /**< presumably non-zero once request_body has been initialised - confirm in parser */
    uint8_t response_body_init;     /**< same for response_body */

    uint8_t request_has_trailers;   /**< request carried trailer headers */
    uint8_t response_has_trailers;  /**< response carried trailer headers */

    /* indicates which loggers that have logged; presumably a bitmask whose
     * bit assignment lives with the loggers, not here */
    uint32_t logged;

    HtpBody request_body;           /**< chunk list of the request body */
    HtpBody response_body;          /**< chunk list of the response body */

    bstr *request_uri_normalized;   /**< normalized request URI as a libhtp bstr */

    /* raw header bytes and their lengths; the *_len field is the only
     * size information for the matching buffer, so keep them in sync */
    uint8_t *request_headers_raw;
    uint8_t *response_headers_raw;
    uint32_t request_headers_raw_len;
    uint32_t response_headers_raw_len;

    AppLayerDecoderEvents *decoder_events; /**< per tx events */

    /** Holds the boundary identifier string if any (used on
     *  multipart/form-data only). boundary_len is a uint8_t, so
     *  HTP_BOUNDARY_MAX (200U) must stay <= UINT8_MAX.
     */
    uint8_t *boundary;
    uint8_t boundary_len;

    /* per-direction flags; presumably the HTP_CONTENTTYPE_SET /
     * HTP_BOUNDARY_* / HTP_FILENAME_SET / HTP_DONTSTORE bits above */
    uint8_t tsflags;
    uint8_t tcflags;

    uint8_t request_body_type;      /**< one of the HTP_BODY_REQUEST_* enum values */

    DetectEngineState *de_state;    /**< detection engine state for this tx (detect-engine-state.h) */
} HtpTxUserData;
235 typedef struct HtpState_ {
236  /* Connection parser structure for each connection */
237  htp_connp_t *connp;
238  /* Connection structure for each connection */
239  htp_conn_t *conn;
240  Flow *f; /**< Needed to retrieve the original flow when usin HTPLib callbacks */
241  uint64_t transaction_cnt;
242  uint64_t store_tx_id;
243  FileContainer *files_ts;
244  FileContainer *files_tc;
245  const struct HTPCfgRec_ *cfg;
246  uint16_t flags;
247  uint16_t events;
248  uint16_t htp_messages_offset; /**< offset into conn->messages list */
249  uint32_t file_track_id; /**< used to assign file track ids to files */
250  uint64_t last_request_data_stamp;
251  uint64_t last_response_data_stamp;
/* Bits of the global htp_config_flags atomic below. Each one records that
 * some part of the engine needs a piece of HTTP data, so the parser can
 * skip the work when nothing asks for it. */

/** part of the engine needs the request body (e.g. http_client_body keyword) */
#define HTP_REQUIRE_REQUEST_BODY (1 << 0)
/** part of the engine needs the request body multipart header (e.g. filename
 * and / or fileext keywords) */
#define HTP_REQUIRE_REQUEST_MULTIPART (1 << 1)
/** part of the engine needs the request file (e.g. log-file module) */
#define HTP_REQUIRE_REQUEST_FILE (1 << 2)
/** part of the engine needs the response body (e.g. file_data keyword) */
#define HTP_REQUIRE_RESPONSE_BODY (1 << 3)

/** Atomic bitmask of the HTP_REQUIRE_* bits; presumably set through the
 *  AppLayerHtpEnable*Callback / AppLayerHtpNeedFileInspection functions
 *  declared by this module - confirm in the parser. */
SC_ATOMIC_DECLARE(uint32_t, htp_config_flags);
265 
/** \brief Register the HTTP protocol and state handling functions to the
 *         APP layer of the engine. */
void RegisterHTPParsers(void);
/** \brief Register the unit tests for the HTTP protocol. */
void HTPParserRegisterTests(void);
/** \brief Print the stats of the HTTP requests. */
void HTPAtExitPrintStats(void);
/** \brief Clears the HTTP server configuration memory used by the HTP library. */
void HTPFreeConfig(void);

/** \brief Print the information and chunks of a body.
 *  \param body the HtpBody to dump (may be a request or response body) */
void HtpBodyPrint(HtpBody *);
/** \brief Free the information held in a body (its chunk list).
 *
 *  HtpBody is embedded by value in HtpTxUserData_, so this releases the
 *  body's contents, not the HtpBody struct itself. */
void HtpBodyFree(HtpBody *);
/* To free the state from unittests using app-layer-htp */
/** \brief Frees the HTTP state memory and also frees the HTTP connection
 *         parser memory used by it.
 *  \param state pointer to an HtpState; typed void * presumably because it is
 *         registered as the app-layer state free callback - confirm. */
void HTPStateFree(void *);
/** \brief Print the HTP app-layer statistics. */
void AppLayerHtpPrintStats(void);

/** \brief Load and apply the HTP configuration (presumably populating the
 *         HTPCfgRec_ list; confirm in the config code). */
void HTPConfigure(void);

/** \brief Save a copy of the active HTP configuration so that it can later
 *         be restored with HtpConfigRestoreBackup(). */
void HtpConfigCreateBackup(void);
/** \brief Restore the HTP configuration saved by HtpConfigCreateBackup(). */
void HtpConfigRestoreBackup(void);
284 
285 #endif /* __APP_LAYER_HTP_H__ */
286 
287 /**
288  * @}
289  */