suricata
detect-http-header-names.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Victor Julien <victor@inliniac.net>
29  *
30  * Implements support http_header_names
31  */
32 
33 #include "suricata-common.h"
34 #include "threads.h"
35 #include "decode.h"
36 
37 #include "detect.h"
38 #include "detect-parse.h"
39 #include "detect-engine.h"
40 #include "detect-engine-mpm.h"
41 #include "detect-engine-state.h"
44 #include "detect-content.h"
45 #include "detect-pcre.h"
48 
49 #include "flow.h"
50 #include "flow-var.h"
51 #include "flow-util.h"
52 
53 #include "util-debug.h"
54 #include "util-unittest.h"
55 #include "util-unittest-helper.h"
56 #include "util-spm.h"
57 #include "util-print.h"
58 
59 #include "app-layer.h"
60 #include "app-layer-parser.h"
61 
62 #include "app-layer-htp.h"
63 #include "detect-http-header.h"
64 #include "stream-tcp.h"
65 
66 #include "util-print.h"
67 
68 #define KEYWORD_NAME "http_header_names"
69 #define KEYWORD_DOC "http-keywords.html#http-header-names"
70 #define BUFFER_NAME "http_header_names"
71 #define BUFFER_DESC "http header names"
72 static int g_buffer_id = 0;
73 static int g_keyword_thread_id = 0;
74 
75 #define BUFFER_TX_STEP 4
76 #define BUFFER_SIZE_STEP 256
78 
79 static uint8_t *GetBufferForTX(htp_tx_t *tx, uint64_t tx_id,
80  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
81  Flow *f, HtpState *htp_state, uint8_t flags,
82  uint32_t *buffer_len)
83 {
84  *buffer_len = 0;
85 
86  HttpHeaderThreadData *hdr_td = NULL;
88  tx_id, g_keyword_thread_id, &hdr_td);
89  if (unlikely(buf == NULL)) {
90  return NULL;
91  } else if (buf->len > 0) {
92  /* already filled buf, reuse */
93  *buffer_len = buf->len;
94  return buf->buffer;
95  }
96 
97  htp_table_t *headers;
98  if (flags & STREAM_TOSERVER) {
99  if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) <=
100  HTP_REQUEST_HEADERS)
101  return NULL;
102  headers = tx->request_headers;
103  } else {
104  if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) <=
105  HTP_RESPONSE_HEADERS)
106  return NULL;
107  headers = tx->response_headers;
108  }
109  if (headers == NULL)
110  return NULL;
111 
112  /* fill the buffer. \r\nName1\r\nName2\r\n\r\n */
113  size_t i = 0;
114  size_t no_of_headers = htp_table_size(headers);
115  for (; i < no_of_headers; i++) {
116  htp_header_t *h = htp_table_get_index(headers, i, NULL);
117  size_t size = bstr_size(h->name) + 2; // for \r\n
118  if (i == 0)
119  size += 2;
120  if (i + 1 == no_of_headers)
121  size += 2;
122 
123  SCLogDebug("size %"PRIuMAX" + buf->len %u vs buf->size %u",
124  (uintmax_t)size, buf->len, buf->size);
125  if (size + buf->len > buf->size) {
126  if (HttpHeaderExpandBuffer(hdr_td, buf, size) != 0) {
127  return NULL;
128  }
129  }
130 
131  /* start with a \r\n */
132  if (i == 0) {
133  buf->buffer[buf->len++] = '\r';
134  buf->buffer[buf->len++] = '\n';
135  }
136 
137  memcpy(buf->buffer + buf->len, bstr_ptr(h->name), bstr_size(h->name));
138  buf->len += bstr_size(h->name);
139  buf->buffer[buf->len++] = '\r';
140  buf->buffer[buf->len++] = '\n';
141 
142  /* end with an extra \r\n */
143  if (i + 1 == no_of_headers) {
144  buf->buffer[buf->len++] = '\r';
145  buf->buffer[buf->len++] = '\n';
146  }
147  }
148 
149  *buffer_len = buf->len;
150  return buf->buffer;
151 }
152 
153 /** \brief HTTP Headers Mpm prefilter callback
154  *
155  * \param det_ctx detection engine thread ctx
156  * \param p packet to inspect
157  * \param f flow to inspect
158  * \param txv tx to inspect
159  * \param pectx inspection context
160  */
161 static void PrefilterTxHttpRequestHeaderNames(DetectEngineThreadCtx *det_ctx,
162  const void *pectx,
163  Packet *p, Flow *f, void *txv,
164  const uint64_t idx, const uint8_t flags)
165 {
166  SCEnter();
167 
168  const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
169  htp_tx_t *tx = (htp_tx_t *)txv;
170 
171  if (tx->request_headers == NULL)
172  return;
173 
174  HtpState *htp_state = f->alstate;
175  uint32_t buffer_len = 0;
176  const uint8_t *buffer = GetBufferForTX(tx, idx,
177  NULL, det_ctx, f, htp_state,
178  flags, &buffer_len);
179 
180  if (buffer_len >= mpm_ctx->minlen) {
181  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
182  &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
183  }
184 }
185 #if 0
186 static void PrefilterTxHttpRequestTrailers(DetectEngineThreadCtx *det_ctx,
187  const void *pectx,
188  Packet *p, Flow *f, void *txv,
189  const uint64_t idx, const uint8_t flags)
190 {
191  SCEnter();
192 
193  const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
194  htp_tx_t *tx = (htp_tx_t *)txv;
195 
196  if (tx->request_headers == NULL)
197  return;
198  const HtpTxUserData *htud = (const HtpTxUserData *)htp_tx_get_user_data(tx);
199  /* if the request wasn't flagged as having a trailer, we skip */
200  if (htud && !htud->request_has_trailers)
201  return;
202 
203  HtpState *htp_state = f->alstate;
204  uint32_t buffer_len = 0;
205  const uint8_t *buffer = DetectEngineHHDGetBufferForTX(tx, idx,
206  NULL, det_ctx,
207  f, htp_state,
208  flags,
209  &buffer_len);
210 
211  if (buffer_len >= mpm_ctx->minlen) {
212  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
213  &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
214  }
215 }
216 #endif
217 static int PrefilterTxHttpRequestHeaderNamesRegister(DetectEngineCtx *de_ctx,
218  SigGroupHead *sgh, MpmCtx *mpm_ctx)
219 {
220  SCEnter();
221 
222  int r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxHttpRequestHeaderNames,
223  ALPROTO_HTTP, HTP_REQUEST_HEADERS,
224  mpm_ctx, NULL, KEYWORD_NAME " (request)");
225  return r;
226 #if 0
227  if (r != 0)
228  return r;
229  return PrefilterAppendTxEngine(sgh, PrefilterTxHttpRequestTrailers,
230  ALPROTO_HTTP, HTP_REQUEST_TRAILER,
231  mpm_ctx, NULL, "http_header (request)");
232 #endif
233 }
234 
235 /** \brief HTTP Headers Mpm prefilter callback
236  *
237  * \param det_ctx detection engine thread ctx
238  * \param p packet to inspect
239  * \param f flow to inspect
240  * \param txv tx to inspect
241  * \param pectx inspection context
242  */
243 static void PrefilterTxHttpResponseHeaderNames(DetectEngineThreadCtx *det_ctx,
244  const void *pectx,
245  Packet *p, Flow *f, void *txv,
246  const uint64_t idx, const uint8_t flags)
247 {
248  SCEnter();
249 
250  const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
251  htp_tx_t *tx = (htp_tx_t *)txv;
252 
253  if (tx->response_headers == NULL)
254  return;
255 
256  HtpState *htp_state = f->alstate;
257  uint32_t buffer_len = 0;
258  const uint8_t *buffer = GetBufferForTX(tx, idx, NULL, det_ctx,
259  f, htp_state, flags, &buffer_len);
260 
261  if (buffer_len >= mpm_ctx->minlen) {
262  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
263  &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
264  }
265 }
266 #if 0
267 static void PrefilterTxHttpResponseTrailers(DetectEngineThreadCtx *det_ctx,
268  const void *pectx,
269  Packet *p, Flow *f, void *txv,
270  const uint64_t idx, const uint8_t flags)
271 {
272  SCEnter();
273 
274  const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
275  htp_tx_t *tx = (htp_tx_t *)txv;
276 
277  if (tx->response_headers == NULL)
278  return;
279  const HtpTxUserData *htud = (const HtpTxUserData *)htp_tx_get_user_data(tx);
280  /* if the request wasn't flagged as having a trailer, we skip */
281  if (htud && !htud->response_has_trailers)
282  return;
283 
284  HtpState *htp_state = f->alstate;
285  uint32_t buffer_len = 0;
286  const uint8_t *buffer = DetectEngineHHDGetBufferForTX(tx, idx,
287  NULL, det_ctx,
288  f, htp_state,
289  flags,
290  &buffer_len);
291 
292  if (buffer_len >= mpm_ctx->minlen) {
293  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
294  &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
295  }
296 }
297 #endif
298 static int PrefilterTxHttpResponseHeaderNamesRegister(DetectEngineCtx *de_ctx,
299  SigGroupHead *sgh, MpmCtx *mpm_ctx)
300 {
301  SCEnter();
302 
303  int r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxHttpResponseHeaderNames,
304  ALPROTO_HTTP, HTP_RESPONSE_HEADERS,
305  mpm_ctx, NULL, KEYWORD_NAME " (response)");
306  return r;
307 #if 0
308  if (r != 0)
309  return r;
310  return PrefilterAppendTxEngine(sgh, PrefilterTxHttpResponseTrailers,
311  ALPROTO_HTTP, HTP_RESPONSE_TRAILER,
312  mpm_ctx, NULL, "http_header (response)");
313 #endif
314 }
315 
316 static int InspectEngineHttpHeaderNames(ThreadVars *tv,
317  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
318  const Signature *s, const SigMatchData *smd,
319  Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
320 {
321  HtpState *htp_state = (HtpState *)alstate;
322  uint32_t buffer_len = 0;
323  uint8_t *buffer = GetBufferForTX(tx, tx_id,
324  de_ctx, det_ctx, f, htp_state,
325  flags, &buffer_len);
326  if (buffer_len == 0)
327  goto end;
328 
329  det_ctx->buffer_offset = 0;
330  det_ctx->discontinue_matching = 0;
331  det_ctx->inspection_recursion_counter = 0;
332  int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd,
333  f,
334  buffer, buffer_len,
337  if (r == 1)
339 
340  end:
341  if (flags & STREAM_TOSERVER) {
342  if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) > HTP_REQUEST_HEADERS)
344  } else {
345  if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) > HTP_RESPONSE_HEADERS)
347  }
349 }
350 
351 /**
352  * \brief The setup function for the http_header keyword for a signature.
353  *
354  * \param de_ctx Pointer to the detection engine context.
355  * \param s Pointer to signature for the current Signature being parsed
356  * from the rules.
357  * \param m Pointer to the head of the SigMatchs for the current rule
358  * being parsed.
359  * \param arg Pointer to the string holding the keyword value.
360  *
361  * \retval 0 On success.
362  * \retval -1 On failure.
363  */
364 static int DetectHttpHeaderNamesSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
365 {
366  s->init_data->list = g_buffer_id;
367  return 0;
368 }
369 
370 /**
371  * \brief Registers the keyword handlers for the "http_header" keyword.
372  */
374 {
378  sigmatch_table[DETECT_AL_HTTP_HEADER_NAMES].Setup = DetectHttpHeaderNamesSetup;
379 
381 
383  PrefilterTxHttpRequestHeaderNamesRegister);
385  PrefilterTxHttpResponseHeaderNamesRegister);
386 
388  ALPROTO_HTTP, SIG_FLAG_TOSERVER, HTP_REQUEST_HEADERS,
389  InspectEngineHttpHeaderNames);
391  ALPROTO_HTTP, SIG_FLAG_TOCLIENT, HTP_RESPONSE_HEADERS,
392  InspectEngineHttpHeaderNames);
393 
395  BUFFER_DESC);
396 
397  g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
398 
399  g_keyword_thread_id = DetectRegisterThreadCtxGlobalFuncs(KEYWORD_NAME,
401 
402  SCLogDebug("keyword %s registered. Thread id %d. "
403  "Buffer %s registered. Buffer id %d",
404  KEYWORD_NAME, g_keyword_thread_id,
405  BUFFER_NAME, g_buffer_id);
406 }
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1406
SignatureInitData * init_data
Definition: detect.h:563
uint16_t flags
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1149
#define SCLogDebug(...)
Definition: util-debug.h:335
#define KEYWORD_DOC
uint16_t minlen
Definition: util-mpm.h:99
uint16_t discontinue_matching
Definition: detect.h:1029
void DetectAppLayerMpmRegister(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx))
register an app layer keyword for mpm
void HttpHeaderThreadDataFree(void *data)
int HttpHeaderExpandBuffer(HttpHeaderThreadData *td, HttpHeaderBuffer *buf, uint32_t size)
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
#define unlikely(expr)
Definition: util-optimize.h:35
#define KEYWORD_NAME
#define BUFFER_DESC
Data needed for Match()
Definition: detect.h:331
Container for matching data for a signature group.
Definition: detect.h:1298
uint32_t buffer_offset
Definition: detect.h:994
const char * name
Definition: detect.h:1163
Signature container.
Definition: detect.h:495
void DetectHttpHeaderNamesRegister(void)
Registers the keyword handlers for the "http_header" keyword.
uint8_t response_has_trailers
main detection engine ctx
Definition: detect.h:723
void * alstate
Definition: flow.h:433
int DetectBufferTypeGetByName(const char *name)
#define SIG_FLAG_TOCLIENT
Definition: detect.h:242
#define DETECT_ENGINE_INSPECT_SIG_MATCH
#define BUFFER_SIZE_STEP
Data structures and function prototypes for keeping state for the detection engine.
uint8_t mpm_type
Definition: util-mpm.h:90
HttpHeaderBuffer * HttpHeaderGetBufferSpaceForTXID(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, uint64_t tx_id, const int keyword_id, HttpHeaderThreadData **ret_hdr_td)
#define SIG_FLAG_TOSERVER
Definition: detect.h:241
#define SCEnter(...)
Definition: util-debug.h:337
PrefilterRuleStore pmq
Definition: detect.h:1064
void * HttpHeaderThreadDataInit(void *data)
const char * desc
Definition: detect.h:1165
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
uint8_t request_has_trailers
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.h:169
uint16_t tx_id
#define BUFFER_TX_STEP
MpmThreadCtx mtcu
Definition: detect.h:1062
#define SIGMATCH_NOOPT
Definition: detect.h:1331
int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode, void *data)
Run the actual payload match functions.
const char * url
Definition: detect.h:1166
#define STREAM_TOSERVER
Definition: stream.h:31
int inspection_recursion_counter
Definition: detect.h:1041
#define DETECT_CI_FLAGS_SINGLE
#define DOC_URL
Definition: suricata.h:86
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:162
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, void(*PrefilterTxFunc)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t idx, const uint8_t flags), AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Per thread variable structure.
Definition: threadvars.h:57
#define BUFFER_NAME
#define DOC_VERSION
Definition: suricata.h:91
int DetectRegisterThreadCtxGlobalFuncs(const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *))
Register Thread keyword context Funcs (Global)
uint16_t flags
Definition: detect.h:1157
Flow data structure.
Definition: flow.h:324
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time