72 static int g_http_client_body_buffer_id = 0;
107 HTP_REQUEST_BODY, DetectEngineInspectBufferHttpBody, NULL);
110 PrefilterMpmHttpRequestBodyRegister, NULL,
ALPROTO_HTTP1, HTP_REQUEST_BODY);
118 "http request body");
121 DetectHttpClientBodySetupCallback);
173 static inline HtpBody *GetRequestBody(htp_tx_t *tx)
191 static void PrefilterMpmHttpRequestBodyFree(
void *ptr)
212 const int list_id,
const int base_id)
217 if (base_id != list_id && buffer->
inspect != NULL)
218 return HttpRequestBodyXformsGetDataCallback(det_ctx, transforms, list_id, buffer);
219 else if (buffer->
inspect != NULL)
224 const uint8_t
flags = flow_flags;
226 HtpBody *body = GetRequestBody(tx);
/* Debug trace for the case its message names: the transaction has no HTTP
 * body chunks to inspect. The condition guarding it is not on this page. */
239 SCLogDebug(
"No http chunks to inspect for this transaction");
/* Debug trace of the values that drive the inspect-or-defer decision, as
 * named in the format string: request.body_limit, the body length seen so
 * far, request.inspect_min_size, whether EOF was seen, and tx progress.
 * The arguments themselves are cut off in this listing. */
243 SCLogDebug(
"request.body_limit %u request_body.content_len_so_far %" PRIu64
244 ", request.inspect_min_size %" PRIu32
", EOF %s, progress > body? %s",
/* Tail of the deferral condition: the branch is taken only while
 * STREAM_EOF is clear in flags. The earlier terms are not shown here.
 * NOTE(review): while inspection is deferred, rules on this buffer
 * presumably get no body data for the transaction yet; the limits logged
 * above decide how much must arrive first. Confirm against the full
 * source before relying on this when tuning body limits. */
260 !(
flags & STREAM_EOF)) {
261 SCLogDebug(
"we still haven't seen the entire request body. "
262 "Let's defer body inspection till we see the "
/* Logs inspect_win and compares it with the configured
 * request.inspect_window; the branch body is not shown on this page. */
278 SCLogDebug(
"inspect_win %"PRIu64, inspect_win);
279 if (inspect_win < htp_state->cfg->request.inspect_window) {
/* Trailing arguments of a call whose name is cut off in this listing:
 * data and data_len are passed by address together with offset.
 * Presumably StreamingBufferGetDataAtOffset - TODO confirm. */
294 &data, &data_len,
offset);
300 if (base_id != list_id) {
301 buffer = HttpRequestBodyXformsGetDataCallback(det_ctx, transforms, list_id, buffer);
314 if (buffer == NULL || buffer->
inspect == NULL) {
319 const uint8_t *data = buffer->
inspect;
324 ci_flags |= buffer->
flags;
334 if (
flags & STREAM_TOSERVER) {
363 const int list_id =
ctx->list_id;
366 det_ctx,
ctx->transforms, f,
flags, txv, list_id,
ctx->base_list_id);
390 mpm_reg->
app_v2.tx_min_progress, pectx, PrefilterMpmHttpRequestBodyFree,
const struct HTPCfgRec_ * cfg
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
#define SIGMATCH_INFO_STICKY_BUFFER
SigTableElmt * sigmatch_table
#define DETECT_CI_FLAGS_START
#define SIGMATCH_INFO_CONTENT_MODIFIER
Container for matching data for a signature group.
void DetectHttpClientBodyRegisterTests(void)
#define SIG_FLAG_INIT_NEED_FLUSH
int DetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
@ DETECT_AL_HTTP_CLIENT_BODY
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
void DetectBufferTypeRegisterSetupCallback(const char *name, void(*SetupCallback)(const DetectEngineCtx *, Signature *))
struct DetectBufferMpmRegistry_::@84::@86 app_v2
main detection engine ctx
int PrefilterMpmFiledataRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
struct DetectEngineAppInspectionEngine_::@79 v2
one-time registration of keywords at startup
int StreamingBufferGetDataAtOffset(const StreamingBuffer *sb, const uint8_t **data, uint32_t *data_len, uint64_t offset)
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
DetectEngineTransforms transforms
struct PrefilterMpmHttpRequestBody PrefilterMpmHttpRequestBody
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
@ DETECT_HTTP_REQUEST_BODY
int DetectBufferTypeGetByName(const char *name)
uint64_t content_len_so_far
#define SIG_FLAG_TOSERVER
const DetectEngineTransforms * transforms
uint32_t inspect_min_size
void AppLayerHtpEnableRequestBodyCallback(void)
Sets a flag that informs the HTP app layer that some module in the engine needs the http request body...
Handle HTTP request body match corresponding to http_client_body keyword.
#define DETECT_ENGINE_INSPECT_SIG_MATCH
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
void DetectAppLayerMpmRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register an app layer keyword for mpm
int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg, int sm_type, int sm_list, AppProto alproto)
#define DETECT_CI_FLAGS_END
SignatureInitData * init_data
#define SCReturnPtr(x, type)
Data structures and function prototypes for keeping state for the detection engine.
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
struct AppLayerTxData AppLayerTxData
#define PREFILTER_PROFILING_ADD_BYTES(det_ctx, bytes)
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
void DetectHttpClientBodyRegister(void)
Registers the keyword handlers for the "http_client_body" keyword.
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterTxFn PrefilterTxFunc, AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
set up the buffer with our initial data
const DetectEngineTransforms * transforms
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
bool DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, const uint32_t buffer_len, const uint32_t stream_start_offset, const uint8_t flags, const enum DetectContentInspectionType inspection_mode)
wrapper around DetectEngineContentInspectionInternal to return true/false only
AppProto alproto
application level protocol
uint8_t DetectEngineInspectFiledata(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
void(* RegisterTests)(void)