suricata
detect-http-cookie.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
29  *
30  * Implements the http_cookie keyword
31  */
32 
33 #include "suricata-common.h"
34 #include "threads.h"
35 #include "decode.h"
36 #include "detect.h"
37 
38 #include "detect-parse.h"
39 #include "detect-engine.h"
40 #include "detect-engine-buffer.h"
41 #include "detect-engine-mpm.h"
42 #include "detect-engine-prefilter.h"
43 #include "detect-content.h"
44 #include "detect-pcre.h"
45 
46 #include "flow.h"
47 #include "flow-var.h"
48 #include "flow-util.h"
49 
50 #include "util-debug.h"
51 #include "util-error.h"
52 #include "util-unittest.h"
53 #include "util-unittest-helper.h"
54 #include "util-spm.h"
55 #include "util-print.h"
56 
57 #include "app-layer.h"
58 #include "app-layer-parser.h"
59 
60 #include "app-layer-htp.h"
61 #include "detect-http-cookie.h"
62 #include "stream-tcp.h"
63 
64 static int DetectHttpCookieSetup (DetectEngineCtx *, Signature *, const char *);
65 static int DetectHttpCookieSetupSticky (DetectEngineCtx *, Signature *, const char *);
66 #ifdef UNITTESTS
67 static void DetectHttpCookieRegisterTests(void);
68 #endif
69 static int g_http_cookie_buffer_id = 0;
70 static int g_http2_thread_id = 0;
71 
72 static InspectionBuffer *GetRequestData(DetectEngineThreadCtx *det_ctx,
73  const DetectEngineTransforms *transforms,
74  Flow *_f, const uint8_t _flow_flags,
75  void *txv, const int list_id);
76 static InspectionBuffer *GetResponseData(DetectEngineThreadCtx *det_ctx,
77  const DetectEngineTransforms *transforms,
78  Flow *_f, const uint8_t _flow_flags,
79  void *txv, const int list_id);
80 static InspectionBuffer *GetRequestData2(DetectEngineThreadCtx *det_ctx,
81  const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
82  const int list_id);
83 static InspectionBuffer *GetResponseData2(DetectEngineThreadCtx *det_ctx,
84  const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
85  const int list_id);
86 /**
87  * \brief Registration function for keyword: http_cookie
88  */
89 void DetectHttpCookieRegister(void)
90 {
91  /* http_cookie content modifier */
92  sigmatch_table[DETECT_HTTP_COOKIE_CM].name = "http_cookie";
93  sigmatch_table[DETECT_HTTP_COOKIE_CM].desc =
94  "content modifier to match only on the HTTP cookie-buffer";
95  sigmatch_table[DETECT_HTTP_COOKIE_CM].url = "/rules/http-keywords.html#http-cookie";
96  sigmatch_table[DETECT_HTTP_COOKIE_CM].Setup = DetectHttpCookieSetup;
97 #ifdef UNITTESTS
98  sigmatch_table[DETECT_HTTP_COOKIE_CM].RegisterTests = DetectHttpCookieRegisterTests;
99 #endif
100  sigmatch_table[DETECT_HTTP_COOKIE_CM].flags |= SIGMATCH_NOOPT;
101  sigmatch_table[DETECT_HTTP_COOKIE_CM].flags |= SIGMATCH_INFO_CONTENT_MODIFIER;
102  sigmatch_table[DETECT_HTTP_COOKIE_CM].alternative = DETECT_HTTP_COOKIE;
103 
104  /* http.cookie sticky buffer */
105  sigmatch_table[DETECT_HTTP_COOKIE].name = "http.cookie";
106  sigmatch_table[DETECT_HTTP_COOKIE].desc = "sticky buffer to match on the HTTP Cookie/Set-Cookie buffers";
107  sigmatch_table[DETECT_HTTP_COOKIE].url = "/rules/http-keywords.html#http-cookie";
108  sigmatch_table[DETECT_HTTP_COOKIE].Setup = DetectHttpCookieSetupSticky;
109  sigmatch_table[DETECT_HTTP_COOKIE].flags |= SIGMATCH_NOOPT;
110  sigmatch_table[DETECT_HTTP_COOKIE].flags |= SIGMATCH_INFO_STICKY_BUFFER;
111 
112  DetectAppLayerInspectEngineRegister("http_cookie", ALPROTO_HTTP1, SIG_FLAG_TOSERVER,
113  HTP_REQUEST_PROGRESS_HEADERS, DetectEngineInspectBufferGeneric, GetRequestData);
114  DetectAppLayerInspectEngineRegister("http_cookie", ALPROTO_HTTP1, SIG_FLAG_TOCLIENT,
115  HTP_REQUEST_PROGRESS_HEADERS, DetectEngineInspectBufferGeneric, GetResponseData);
116 
117  DetectAppLayerMpmRegister("http_cookie", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
118  GetRequestData, ALPROTO_HTTP1, HTP_REQUEST_PROGRESS_HEADERS);
119  DetectAppLayerMpmRegister("http_cookie", SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
120  GetResponseData, ALPROTO_HTTP1, HTP_REQUEST_PROGRESS_HEADERS);
121 
122  DetectAppLayerInspectEngineRegister("http_cookie", ALPROTO_HTTP2, SIG_FLAG_TOSERVER,
123  HTTP2StateDataClient, DetectEngineInspectBufferGeneric, GetRequestData2);
124  DetectAppLayerInspectEngineRegister("http_cookie", ALPROTO_HTTP2, SIG_FLAG_TOCLIENT,
125  HTTP2StateDataServer, DetectEngineInspectBufferGeneric, GetResponseData2);
126 
127  DetectAppLayerMpmRegister("http_cookie", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
128  GetRequestData2, ALPROTO_HTTP2, HTTP2StateDataClient);
129  DetectAppLayerMpmRegister("http_cookie", SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
130  GetResponseData2, ALPROTO_HTTP2, HTTP2StateDataServer);
131 
132  DetectBufferTypeSetDescriptionByName("http_cookie",
133  "http cookie header");
134 
135  g_http2_thread_id = DetectRegisterThreadCtxGlobalFuncs(
136  "http_cookie", SCHttp2ThreadBufDataInit, NULL, SCHttp2ThreadBufDataFree);
137 
138  g_http_cookie_buffer_id = DetectBufferTypeGetByName("http_cookie");
139 }
140 
141 /**
142  * \brief this function setups the http_cookie modifier keyword used in the rule
143  *
144  * \param de_ctx Pointer to the Detection Engine Context
145  * \param s Pointer to the Signature to which the current keyword belongs
146  * \param str Should hold an empty string always
147  *
148  * \retval 0 On success
149  * \retval -1 On failure
150  */
151 
152 static int DetectHttpCookieSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
153 {
154  return DetectEngineContentModifierBufferSetup(
155  de_ctx, s, str, DETECT_HTTP_COOKIE_CM, g_http_cookie_buffer_id, ALPROTO_HTTP1);
156 }
157 
158 /**
159  * \brief this function setup the http.cookie keyword used in the rule
160  *
161  * \param de_ctx Pointer to the Detection Engine Context
162  * \param s Pointer to the Signature to which the current keyword belongs
163  * \param str Should hold an empty string always
164  *
165  * \retval 0 On success
166  */
167 static int DetectHttpCookieSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
168 {
169  if (SCDetectBufferSetActiveList(de_ctx, s, g_http_cookie_buffer_id) < 0)
170  return -1;
171 
172  if (SCDetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)
173  return -1;
174 
175  return 0;
176 }
177 
178 static InspectionBuffer *GetRequestData(DetectEngineThreadCtx *det_ctx,
179  const DetectEngineTransforms *transforms, Flow *_f,
180  const uint8_t _flow_flags, void *txv, const int list_id)
181 {
182  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
183  if (buffer->inspect == NULL) {
184  htp_tx_t *tx = (htp_tx_t *)txv;
185 
186  if (htp_tx_request_headers(tx) == NULL)
187  return NULL;
188 
189  const htp_header_t *h = htp_tx_request_header(tx, "Cookie");
190  if (h == NULL || htp_header_value(h) == NULL) {
191  SCLogDebug("HTTP cookie header not present in this request");
192  return NULL;
193  }
194 
195  const uint32_t data_len = (uint32_t)htp_header_value_len(h);
196  const uint8_t *data = htp_header_value_ptr(h);
197 
198  InspectionBufferSetupAndApplyTransforms(
199  det_ctx, list_id, buffer, data, data_len, transforms);
200  }
201 
202  return buffer;
203 }
204 
205 static InspectionBuffer *GetResponseData(DetectEngineThreadCtx *det_ctx,
206  const DetectEngineTransforms *transforms, Flow *_f,
207  const uint8_t _flow_flags, void *txv, const int list_id)
208 {
209  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
210  if (buffer->inspect == NULL) {
211  htp_tx_t *tx = (htp_tx_t *)txv;
212 
213  if (htp_tx_response_headers(tx) == NULL)
214  return NULL;
215 
216  const htp_header_t *h = htp_tx_response_header(tx, "Set-Cookie");
217  if (h == NULL || htp_header_value(h) == NULL) {
218  SCLogDebug("HTTP cookie header not present in this request");
219  return NULL;
220  }
221 
222  const uint32_t data_len = (uint32_t)htp_header_value_len(h);
223  const uint8_t *data = htp_header_value_ptr(h);
224 
225  InspectionBufferSetupAndApplyTransforms(
226  det_ctx, list_id, buffer, data, data_len, transforms);
227  }
228 
229  return buffer;
230 }
231 
232 static InspectionBuffer *GetRequestData2(DetectEngineThreadCtx *det_ctx,
233  const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
234  const int list_id)
235 {
236  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
237  if (buffer->inspect == NULL) {
238  uint32_t b_len = 0;
239  const uint8_t *b = NULL;
240 
241  void *thread_buf = DetectThreadCtxGetGlobalKeywordThreadCtx(det_ctx, g_http2_thread_id);
242  if (thread_buf == NULL)
243  return NULL;
244  if (SCHttp2TxGetCookie(txv, STREAM_TOSERVER, &b, &b_len, thread_buf) != 1)
245  return NULL;
246  if (b == NULL || b_len == 0)
247  return NULL;
248 
249  InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
250  }
251 
252  return buffer;
253 }
254 
255 static InspectionBuffer *GetResponseData2(DetectEngineThreadCtx *det_ctx,
256  const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
257  const int list_id)
258 {
259  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
260  if (buffer->inspect == NULL) {
261  uint32_t b_len = 0;
262  const uint8_t *b = NULL;
263 
264  void *thread_buf = DetectThreadCtxGetGlobalKeywordThreadCtx(det_ctx, g_http2_thread_id);
265  if (thread_buf == NULL)
266  return NULL;
267  if (SCHttp2TxGetCookie(txv, STREAM_TOCLIENT, &b, &b_len, thread_buf) != 1)
268  return NULL;
269  if (b == NULL || b_len == 0)
270  return NULL;
271 
272  InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
273  }
274 
275  return buffer;
276 }
277 
278 /******************************** UNITESTS **********************************/
279 
280 #ifdef UNITTESTS
281 #include "tests/detect-http-cookie.c"
282 #endif /* UNITTESTS */
283 
284 /**
285  * @}
286  */
SigTableElmt_::url
const char * url
Definition: detect.h:1464
detect-content.h
detect-engine.h
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1678
SigTableElmt_::desc
const char * desc
Definition: detect.h:1463
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
DetectEngineInspectBufferGeneric
uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:2049
flow-util.h
SIGMATCH_INFO_CONTENT_MODIFIER
#define SIGMATCH_INFO_CONTENT_MODIFIER
Definition: detect.h:1676
SigTableElmt_::name
const char * name
Definition: detect.h:1461
stream-tcp.h
DetectEngineTransforms
Definition: detect.h:390
SigTableElmt_::flags
uint32_t flags
Definition: detect.h:1452
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:282
InspectionBuffer
Definition: detect-engine-inspect-buffer.h:34
threads.h
Flow_
Flow data structure.
Definition: flow.h:347
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:933
DETECT_HTTP_COOKIE_CM
@ DETECT_HTTP_COOKIE_CM
Definition: detect-engine-register.h:154
SCDetectBufferSetActiveList
int SCDetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
Definition: detect-engine-buffer.c:29
SCDetectSignatureSetAppProto
int SCDetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:2236
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:271
InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine-inspect-buffer.c:56
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1443
detect-pcre.h
detect-engine-prefilter.h
util-unittest.h
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1278
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:270
app-layer-htp.h
decode.h
util-debug.h
util-error.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:19
DetectEngineThreadCtx_
Definition: detect.h:1245
util-print.h
detect-engine-mpm.h
detect.h
PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:1577
SigTableElmt_::alternative
uint16_t alternative
Definition: detect.h:1459
DetectAppLayerMpmRegister
void DetectAppLayerMpmRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register an app layer keyword for mpm
Definition: detect-engine-mpm.c:152
app-layer-parser.h
DetectEngineContentModifierBufferSetup
int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg, int sm_type, int sm_list, AppProto alproto)
Definition: detect-parse.c:146
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:69
suricata-common.h
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
util-spm.h
detect-engine-buffer.h
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect-engine-inspect-buffer.h:35
str
#define str(s)
Definition: suricata-common.h:308
DetectThreadCtxGetGlobalKeywordThreadCtx
void * DetectThreadCtxGetGlobalKeywordThreadCtx(DetectEngineThreadCtx *det_ctx, int id)
Retrieve thread local keyword ctx by id.
Definition: detect-engine.c:3849
detect-parse.h
Signature_
Signature container.
Definition: detect.h:668
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:76
InspectionBufferSetupAndApplyTransforms
void InspectionBufferSetupAndApplyTransforms(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len, const DetectEngineTransforms *transforms)
setup the buffer with our initial data
Definition: detect-engine-inspect-buffer.c:197
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1653
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
Definition: detect-engine.c:273
DETECT_HTTP_COOKIE
@ DETECT_HTTP_COOKIE
Definition: detect-engine-register.h:155
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:1375
flow.h
flow-var.h
DetectRegisterThreadCtxGlobalFuncs
int DetectRegisterThreadCtxGlobalFuncs(const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *))
Register Thread keyword context Funcs (Global)
Definition: detect-engine.c:3805
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1450
app-layer.h