suricata
detect-http-header.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
29  *
30  * Implements support for http_header keyword.
31  */
32 
33 #include "suricata-common.h"
34 #include "threads.h"
35 #include "decode.h"
36 
37 #include "detect.h"
38 #include "detect-parse.h"
39 #include "detect-engine.h"
40 #include "detect-engine-mpm.h"
41 #include "detect-engine-state.h"
44 #include "detect-content.h"
45 #include "detect-pcre.h"
46 
47 #include "util-debug.h"
48 #include "util-print.h"
49 #include "util-memcmp.h"
50 #include "util-profiling.h"
51 #include "util-validate.h"
52 
53 #include "app-layer.h"
54 #include "app-layer-parser.h"
55 
56 #include "app-layer-htp.h"
57 #include "detect-http-header.h"
59 
60 static int DetectHttpHeaderSetup(DetectEngineCtx *, Signature *, const char *);
61 #ifdef UNITTESTS
62 static void DetectHttpHeaderRegisterTests(void);
63 #endif
64 static int g_http_header_buffer_id = 0;
65 static int g_keyword_thread_id = 0;
66 
67 #define BUFFER_SIZE_STEP 1024
69 
70 static uint8_t *GetBufferForTX(
71  htp_tx_t *tx, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, uint32_t *buffer_len)
72 {
73  *buffer_len = 0;
74 
75  HttpHeaderThreadData *hdr_td = NULL;
76  HttpHeaderBuffer *buf =
77  HttpHeaderGetBufferSpace(det_ctx, f, flags, g_keyword_thread_id, &hdr_td);
78  if (unlikely(buf == NULL)) {
79  return NULL;
80  }
81 
82  htp_table_t *headers;
83  if (flags & STREAM_TOSERVER) {
84  if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP1, tx, flags) <=
85  HTP_REQUEST_HEADERS)
86  return NULL;
87  headers = tx->request_headers;
88  } else {
89  if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP1, tx, flags) <=
90  HTP_RESPONSE_HEADERS)
91  return NULL;
92  headers = tx->response_headers;
93  }
94  if (headers == NULL)
95  return NULL;
96 
97  size_t i = 0;
98  size_t no_of_headers = htp_table_size(headers);
99  for (; i < no_of_headers; i++) {
100  htp_header_t *h = htp_table_get_index(headers, i, NULL);
101  size_t size1 = bstr_size(h->name);
102  size_t size2 = bstr_size(h->value);
103 
104  if (flags & STREAM_TOSERVER) {
105  if (size1 == 6 &&
106  SCMemcmpLowercase("cookie", bstr_ptr(h->name), 6) == 0) {
107  continue;
108  }
109  } else {
110  if (size1 == 10 &&
111  SCMemcmpLowercase("set-cookie", bstr_ptr(h->name), 10) == 0) {
112  continue;
113  }
114  }
115 
116  size_t size = size1 + size2 + 4;
117 #if 0
118  if (i + 1 == no_of_headers)
119  size += 2;
120 #endif
121  if (size + buf->len > buf->size) {
122  if (HttpHeaderExpandBuffer(hdr_td, buf, size) != 0) {
123  return NULL;
124  }
125  }
126 
127  memcpy(buf->buffer + buf->len, bstr_ptr(h->name), bstr_size(h->name));
128  buf->len += bstr_size(h->name);
129  buf->buffer[buf->len++] = ':';
130  buf->buffer[buf->len++] = ' ';
131  memcpy(buf->buffer + buf->len, bstr_ptr(h->value), bstr_size(h->value));
132  buf->len += bstr_size(h->value);
133  buf->buffer[buf->len++] = '\r';
134  buf->buffer[buf->len++] = '\n';
135 #if 0 // looks like this breaks existing rules
136  if (i + 1 == no_of_headers) {
137  buf->buffer[buf->len++] = '\r';
138  buf->buffer[buf->len++] = '\n';
139  }
140 #endif
141  }
142 
143  *buffer_len = buf->len;
144  return buf->buffer;
145 }
146 
147 static InspectionBuffer *GetBuffer2ForTX(DetectEngineThreadCtx *det_ctx,
148  const DetectEngineTransforms *transforms, Flow *_f, const uint8_t flow_flags, void *txv,
149  const int list_id)
150 {
151  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
152  if (buffer->inspect == NULL) {
153  uint32_t b_len = 0;
154  const uint8_t *b = NULL;
155 
156  if (rs_http2_tx_get_headers(txv, flow_flags, &b, &b_len) != 1)
157  return NULL;
158  if (b == NULL || b_len == 0)
159  return NULL;
160 
161  InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
162  InspectionBufferApplyTransforms(buffer, transforms);
163  }
164 
165  return buffer;
166 }
167 
168 /** \internal
169  * \brief custom inspect function to utilize the cached headers
170  */
171 static uint8_t DetectEngineInspectBufferHttpHeader(DetectEngineCtx *de_ctx,
173  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
174 {
175  SCEnter();
176 
177  const int list_id = engine->sm_list;
178  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
179  if (buffer->inspect == NULL) {
180  SCLogDebug("setting up inspect buffer %d", list_id);
181 
182  /* if prefilter didn't already run, we need to consider transformations */
183  const DetectEngineTransforms *transforms = NULL;
184  if (!engine->mpm) {
185  transforms = engine->v2.transforms;
186  }
187 
188  uint32_t rawdata_len = 0;
189  uint8_t *rawdata = GetBufferForTX(txv, det_ctx, f, flags, &rawdata_len);
190  if (rawdata_len == 0) {
191  SCLogDebug("no data");
192  goto end;
193  }
194  /* setup buffer and apply transforms */
195  InspectionBufferSetup(det_ctx, list_id, buffer, rawdata, rawdata_len);
196  InspectionBufferApplyTransforms(buffer, transforms);
197  }
198 
199  const uint32_t data_len = buffer->inspect_len;
200  const uint8_t *data = buffer->inspect;
201  const uint64_t offset = buffer->inspect_offset;
202 
203  /* Inspect all the uricontents fetched on each
204  * transaction at the app layer */
205  const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
206  (uint8_t *)data, data_len, offset, DETECT_CI_FLAGS_SINGLE,
208  if (match) {
210  }
211 end:
212  if (flags & STREAM_TOSERVER) {
213  if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP1, txv, flags) >
214  HTP_REQUEST_HEADERS)
216  } else {
217  if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP1, txv, flags) >
218  HTP_RESPONSE_HEADERS)
220  }
222 }
223 
225  int list_id;
226  const MpmCtx *mpm_ctx;
229 
230 /** \brief Generic Mpm prefilter callback
231  *
232  * \param det_ctx detection engine thread ctx
233  * \param p packet to inspect
234  * \param f flow to inspect
235  * \param txv tx to inspect
236  * \param pectx inspection context
237  */
238 static void PrefilterMpmHttpHeader(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
239  Flow *f, void *txv, const uint64_t idx, const AppLayerTxData *_txd, const uint8_t flags)
240 {
241  SCEnter();
242 
243  const PrefilterMpmHttpHeaderCtx *ctx = pectx;
244  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
245  SCLogDebug("running on list %d", ctx->list_id);
246 
247  const int list_id = ctx->list_id;
248  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
249  if (buffer->inspect == NULL) {
250  uint32_t rawdata_len = 0;
251  uint8_t *rawdata = GetBufferForTX(txv, det_ctx, f, flags, &rawdata_len);
252  if (rawdata_len == 0)
253  return;
254 
255  /* setup buffer and apply transforms */
256  InspectionBufferSetup(det_ctx, list_id, buffer, rawdata, rawdata_len);
258  }
259 
260  const uint32_t data_len = buffer->inspect_len;
261  const uint8_t *data = buffer->inspect;
262 
263  SCLogDebug("mpm'ing buffer:");
264  //PrintRawDataFp(stdout, data, data_len);
265 
266  if (data != NULL && data_len >= mpm_ctx->minlen) {
267  (void)mpm_table[mpm_ctx->mpm_type].Search(
268  mpm_ctx, &det_ctx->mtc, &det_ctx->pmq, data, data_len);
269  PREFILTER_PROFILING_ADD_BYTES(det_ctx, data_len);
270  }
271 }
272 
273 static void PrefilterMpmHttpTrailer(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
274  Flow *f, void *txv, const uint64_t idx, const AppLayerTxData *_txd, const uint8_t flags)
275 {
276  SCEnter();
277 
278  htp_tx_t *tx = txv;
279  const HtpTxUserData *htud = (const HtpTxUserData *)htp_tx_get_user_data(tx);
280  /* if the request wasn't flagged as having a trailer, we skip */
281  if (htud && (
282  ((flags & STREAM_TOSERVER) && !htud->request_has_trailers) ||
283  ((flags & STREAM_TOCLIENT) && !htud->response_has_trailers))) {
284  SCReturn;
285  }
286  PrefilterMpmHttpHeader(det_ctx, pectx, p, f, txv, idx, _txd, flags);
287  SCReturn;
288 }
289 
290 static void PrefilterMpmHttpHeaderFree(void *ptr)
291 {
292  SCFree(ptr);
293 }
294 
295 static int PrefilterMpmHttpHeaderRequestRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
296  MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
297 {
298  SCEnter();
299 
300  /* header */
301  PrefilterMpmHttpHeaderCtx *pectx = SCCalloc(1, sizeof(*pectx));
302  if (pectx == NULL)
303  return -1;
304  pectx->list_id = list_id;
305  pectx->mpm_ctx = mpm_ctx;
306  pectx->transforms = &mpm_reg->transforms;
307 
308  int r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMpmHttpHeader,
309  mpm_reg->app_v2.alproto, HTP_REQUEST_HEADERS,
310  pectx, PrefilterMpmHttpHeaderFree, mpm_reg->pname);
311  if (r != 0) {
312  SCFree(pectx);
313  return r;
314  }
315 
316  /* trailer */
317  pectx = SCCalloc(1, sizeof(*pectx));
318  if (pectx == NULL)
319  return -1;
320  pectx->list_id = list_id;
321  pectx->mpm_ctx = mpm_ctx;
322  pectx->transforms = &mpm_reg->transforms;
323 
324  r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMpmHttpTrailer,
325  mpm_reg->app_v2.alproto, HTP_REQUEST_TRAILER,
326  pectx, PrefilterMpmHttpHeaderFree, mpm_reg->pname);
327  if (r != 0) {
328  SCFree(pectx);
329  }
330  return r;
331 }
332 
333 static int PrefilterMpmHttpHeaderResponseRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
334  MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
335 {
336  SCEnter();
337 
338  /* header */
339  PrefilterMpmHttpHeaderCtx *pectx = SCCalloc(1, sizeof(*pectx));
340  if (pectx == NULL)
341  return -1;
342  pectx->list_id = list_id;
343  pectx->mpm_ctx = mpm_ctx;
344  pectx->transforms = &mpm_reg->transforms;
345 
346  int r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMpmHttpHeader,
347  mpm_reg->app_v2.alproto, HTP_RESPONSE_HEADERS,
348  pectx, PrefilterMpmHttpHeaderFree, mpm_reg->pname);
349  if (r != 0) {
350  SCFree(pectx);
351  return r;
352  }
353 
354  /* trailer */
355  pectx = SCCalloc(1, sizeof(*pectx));
356  if (pectx == NULL)
357  return -1;
358  pectx->list_id = list_id;
359  pectx->mpm_ctx = mpm_ctx;
360  pectx->transforms = &mpm_reg->transforms;
361 
362  r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMpmHttpTrailer,
363  mpm_reg->app_v2.alproto, HTP_RESPONSE_TRAILER,
364  pectx, PrefilterMpmHttpHeaderFree, mpm_reg->pname);
365  if (r != 0) {
366  SCFree(pectx);
367  }
368  return r;
369 }
370 
371 /**
372  * \brief The setup function for the http_header keyword for a signature.
373  *
374  * \param de_ctx Pointer to the detection engine context.
375  * \param s Pointer to signature for the current Signature being parsed
376  * from the rules.
377  * \param m Pointer to the head of the SigMatchs for the current rule
378  * being parsed.
379  * \param arg Pointer to the string holding the keyword value.
380  *
381  * \retval 0 On success.
382  * \retval -1 On failure.
383  */
384 static int DetectHttpHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
385 {
387  de_ctx, s, arg, DETECT_AL_HTTP_HEADER, g_http_header_buffer_id, ALPROTO_HTTP1);
388 }
389 
390 /**
391  * \brief this function setup the http.header keyword used in the rule
392  *
393  * \param de_ctx Pointer to the Detection Engine Context
394  * \param s Pointer to the Signature to which the current keyword belongs
395  * \param str Should hold an empty string always
396  *
397  * \retval 0 On success
398  */
399 static int DetectHttpHeaderSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
400 {
401  if (DetectBufferSetActiveList(de_ctx, s, g_http_header_buffer_id) < 0)
402  return -1;
404  return -1;
405  return 0;
406 }
407 
408 /**
409  * \brief Registers the keyword handlers for the "http_header" keyword.
410  */
412 {
413  /* http_header content modifier */
414  sigmatch_table[DETECT_AL_HTTP_HEADER].name = "http_header";
415  sigmatch_table[DETECT_AL_HTTP_HEADER].desc = "content modifier to match only on the HTTP header-buffer";
416  sigmatch_table[DETECT_AL_HTTP_HEADER].url = "/rules/http-keywords.html#http-header-and-http-raw-header";
417  sigmatch_table[DETECT_AL_HTTP_HEADER].Setup = DetectHttpHeaderSetup;
418 #ifdef UNITTESTS
420 #endif
424 
425  /* http.header sticky buffer */
426  sigmatch_table[DETECT_HTTP_HEADER].name = "http.header";
427  sigmatch_table[DETECT_HTTP_HEADER].desc = "sticky buffer to match on the normalized HTTP header-buffer";
428  sigmatch_table[DETECT_HTTP_HEADER].url = "/rules/http-keywords.html#http-header-and-http-raw-header";
429  sigmatch_table[DETECT_HTTP_HEADER].Setup = DetectHttpHeaderSetupSticky;
432 
434  HTP_REQUEST_HEADERS, DetectEngineInspectBufferHttpHeader, NULL);
436  PrefilterMpmHttpHeaderRequestRegister, NULL, ALPROTO_HTTP1,
437  0); /* not used, registered twice: HEADERS/TRAILER */
438 
440  HTP_RESPONSE_HEADERS, DetectEngineInspectBufferHttpHeader, NULL);
442  PrefilterMpmHttpHeaderResponseRegister, NULL, ALPROTO_HTTP1,
443  0); /* not used, registered twice: HEADERS/TRAILER */
444 
446  HTTP2StateDataClient, DetectEngineInspectBufferGeneric, GetBuffer2ForTX);
448  GetBuffer2ForTX, ALPROTO_HTTP2, HTTP2StateDataClient);
449 
451  HTTP2StateDataServer, DetectEngineInspectBufferGeneric, GetBuffer2ForTX);
453  GetBuffer2ForTX, ALPROTO_HTTP2, HTTP2StateDataServer);
454 
456  "http headers");
457 
458  g_http_header_buffer_id = DetectBufferTypeGetByName("http_header");
459 
460  g_keyword_thread_id = DetectRegisterThreadCtxGlobalFuncs("http_header",
462 }
463 
464 static int g_http_request_header_buffer_id = 0;
465 static int g_http_response_header_buffer_id = 0;
466 static int g_request_header_thread_id = 0;
467 static int g_response_header_thread_id = 0;
468 
469 static InspectionBuffer *GetHttp2HeaderData(DetectEngineThreadCtx *det_ctx, const uint8_t flags,
470  const DetectEngineTransforms *transforms, Flow *_f, const struct MpmListIdDataArgs *cbdata,
471  int list_id)
472 {
473  SCEnter();
474 
475  InspectionBuffer *buffer =
476  InspectionBufferMultipleForListGet(det_ctx, list_id, cbdata->local_id);
477  if (buffer == NULL)
478  return NULL;
479  if (buffer->initialized)
480  return buffer;
481 
482  uint32_t b_len = 0;
483  const uint8_t *b = NULL;
484 
485  if (rs_http2_tx_get_header(cbdata->txv, flags, cbdata->local_id, &b, &b_len) != 1) {
487  return NULL;
488  }
489  if (b == NULL || b_len == 0) {
491  return NULL;
492  }
493 
494  InspectionBufferSetupMulti(buffer, transforms, b, b_len);
495 
496  SCReturnPtr(buffer, "InspectionBuffer");
497 }
498 
499 static void PrefilterTxHttp2Header(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
500  Flow *f, void *txv, const uint64_t idx, const AppLayerTxData *_txd, const uint8_t flags)
501 {
502  SCEnter();
503 
504  const PrefilterMpmListId *ctx = (const PrefilterMpmListId *)pectx;
505  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
506  const int list_id = ctx->list_id;
507 
508  uint32_t local_id = 0;
509 
510  while (1) {
511  // loop until we get a NULL
512 
513  struct MpmListIdDataArgs cbdata = { local_id, txv };
514  InspectionBuffer *buffer =
515  GetHttp2HeaderData(det_ctx, flags, ctx->transforms, f, &cbdata, list_id);
516  if (buffer == NULL)
517  break;
518 
519  if (buffer->inspect_len >= mpm_ctx->minlen) {
520  (void)mpm_table[mpm_ctx->mpm_type].Search(
521  mpm_ctx, &det_ctx->mtc, &det_ctx->pmq, buffer->inspect, buffer->inspect_len);
522  PREFILTER_PROFILING_ADD_BYTES(det_ctx, buffer->inspect_len);
523  }
524 
525  local_id++;
526  }
527 }
528 
529 static uint8_t DetectEngineInspectHttp2Header(DetectEngineCtx *de_ctx,
531  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
532 {
533  uint32_t local_id = 0;
534 
535  const DetectEngineTransforms *transforms = NULL;
536  if (!engine->mpm) {
537  transforms = engine->v2.transforms;
538  }
539 
540  while (1) {
541  struct MpmListIdDataArgs cbdata = {
542  local_id,
543  txv,
544  };
545  InspectionBuffer *buffer =
546  GetHttp2HeaderData(det_ctx, flags, transforms, f, &cbdata, engine->sm_list);
547  if (buffer == NULL || buffer->inspect == NULL)
548  break;
549 
550  const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
551  buffer->inspect, buffer->inspect_len, buffer->inspect_offset,
553  if (match) {
555  }
556  local_id++;
557  }
558 
560 }
561 
562 static int PrefilterMpmHttp2HeaderRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
563  MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
564 {
565  PrefilterMpmListId *pectx = SCCalloc(1, sizeof(*pectx));
566  if (pectx == NULL)
567  return -1;
568  pectx->list_id = list_id;
569  pectx->mpm_ctx = mpm_ctx;
570  pectx->transforms = &mpm_reg->transforms;
571 
572  return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxHttp2Header, mpm_reg->app_v2.alproto,
573  mpm_reg->app_v2.tx_min_progress, pectx, PrefilterMpmHttpHeaderFree, mpm_reg->name);
574 }
575 
576 typedef struct HttpMultiBufItem {
577  uint8_t *buffer;
578  size_t len;
580 
582  // array of items, being defined as a buffer with its length just above
584  // capacity of items (size of allocation)
585  size_t cap;
586  // length of items (number in use)
587  size_t len;
589 
590 static void *HttpMultiBufHeaderThreadDataInit(void *data)
591 {
592  HttpMultiBufHeaderThreadData *td = SCCalloc(1, sizeof(*td));
593 
594  /* This return value check to satisfy our Cocci malloc checks. */
595  if (td == NULL) {
596  SCLogError("failed to allocate %" PRIuMAX " bytes: %s", (uintmax_t)sizeof(*td),
597  strerror(errno));
598  return NULL;
599  }
600  return td;
601 }
602 
603 static void HttpMultiBufHeaderThreadDataFree(void *data)
604 {
605  HttpMultiBufHeaderThreadData *td = data;
606  for (size_t i = 0; i < td->cap; i++) {
607  SCFree(td->items[i].buffer);
608  }
609  SCFree(td->items);
610  SCFree(td);
611 }
612 
613 static InspectionBuffer *GetHttp1HeaderData(DetectEngineThreadCtx *det_ctx, const uint8_t flags,
614  const DetectEngineTransforms *transforms, Flow *f, const struct MpmListIdDataArgs *cbdata,
615  int list_id)
616 {
617  SCEnter();
618 
619  InspectionBuffer *buffer =
620  InspectionBufferMultipleForListGet(det_ctx, list_id, cbdata->local_id);
621  if (buffer == NULL)
622  return NULL;
623  if (buffer->initialized)
624  return buffer;
625 
626  int kw_thread_id;
627  if (flags & STREAM_TOSERVER) {
628  kw_thread_id = g_request_header_thread_id;
629  } else {
630  kw_thread_id = g_response_header_thread_id;
631  }
633  DetectThreadCtxGetGlobalKeywordThreadCtx(det_ctx, kw_thread_id);
634  if (unlikely(hdr_td == NULL)) {
635  return NULL;
636  }
637 
638  htp_tx_t *tx = (htp_tx_t *)cbdata->txv;
639  htp_table_t *headers;
640  if (flags & STREAM_TOSERVER) {
641  headers = tx->request_headers;
642  } else {
643  headers = tx->response_headers;
644  }
645  size_t no_of_headers = htp_table_size(headers);
646  if (cbdata->local_id == 0) {
647  // We initialize a big buffer on first item
648  // Then, we will just use parts of it
649  hdr_td->len = 0;
650  if (hdr_td->cap < no_of_headers) {
651  void *new_buffer = SCRealloc(hdr_td->items, no_of_headers * sizeof(HttpMultiBufItem));
652  if (unlikely(new_buffer == NULL)) {
653  return NULL;
654  }
655  hdr_td->items = new_buffer;
656  // zeroes the new part of the items
657  memset(hdr_td->items + hdr_td->cap, 0,
658  (no_of_headers - hdr_td->cap) * sizeof(HttpMultiBufItem));
659  hdr_td->cap = no_of_headers;
660  }
661  for (size_t i = 0; i < no_of_headers; i++) {
662  htp_header_t *h = htp_table_get_index(headers, i, NULL);
663  size_t size1 = bstr_size(h->name);
664  size_t size2 = bstr_size(h->value);
665  size_t size = size1 + size2 + 2;
666  if (hdr_td->items[i].len < size) {
667  // Use realloc, as this pointer is not freed until HttpMultiBufHeaderThreadDataFree
668  void *tmp = SCRealloc(hdr_td->items[i].buffer, size);
669  if (unlikely(tmp == NULL)) {
670  return NULL;
671  }
672  hdr_td->items[i].buffer = tmp;
673  }
674  memcpy(hdr_td->items[i].buffer, bstr_ptr(h->name), size1);
675  hdr_td->items[i].buffer[size1] = ':';
676  hdr_td->items[i].buffer[size1 + 1] = ' ';
677  memcpy(hdr_td->items[i].buffer + size1 + 2, bstr_ptr(h->value), size2);
678  hdr_td->items[i].len = size;
679  }
680  hdr_td->len = no_of_headers;
681  }
682 
683  // cbdata->local_id is the index of the requested header buffer
684  // hdr_td->len is the number of header buffers
685  if (cbdata->local_id < hdr_td->len) {
686  // we have one valid header buffer
687  InspectionBufferSetupMulti(buffer, transforms, hdr_td->items[cbdata->local_id].buffer,
688  hdr_td->items[cbdata->local_id].len);
689  SCReturnPtr(buffer, "InspectionBuffer");
690  } // else there are no more header buffer to get
692  return NULL;
693 }
694 
695 static void PrefilterTxHttp1Header(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
696  Flow *f, void *txv, const uint64_t idx, const AppLayerTxData *_txd, const uint8_t flags)
697 {
698  SCEnter();
699 
700  const PrefilterMpmListId *ctx = (const PrefilterMpmListId *)pectx;
701  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
702  const int list_id = ctx->list_id;
703 
704  uint32_t local_id = 0;
705 
706  while (1) {
707  // loop until we get a NULL
708 
709  struct MpmListIdDataArgs cbdata = { local_id, txv };
710  InspectionBuffer *buffer =
711  GetHttp1HeaderData(det_ctx, flags, ctx->transforms, f, &cbdata, list_id);
712  if (buffer == NULL)
713  break;
714 
715  if (buffer->inspect_len >= mpm_ctx->minlen) {
716  (void)mpm_table[mpm_ctx->mpm_type].Search(
717  mpm_ctx, &det_ctx->mtc, &det_ctx->pmq, buffer->inspect, buffer->inspect_len);
718  PREFILTER_PROFILING_ADD_BYTES(det_ctx, buffer->inspect_len);
719  }
720 
721  local_id++;
722  }
723 }
724 
725 static int PrefilterMpmHttp1HeaderRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
726  MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
727 {
728  PrefilterMpmListId *pectx = SCCalloc(1, sizeof(*pectx));
729  if (pectx == NULL)
730  return -1;
731  pectx->list_id = list_id;
732  pectx->mpm_ctx = mpm_ctx;
733  pectx->transforms = &mpm_reg->transforms;
734 
735  return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxHttp1Header, mpm_reg->app_v2.alproto,
736  mpm_reg->app_v2.tx_min_progress, pectx, PrefilterMpmHttpHeaderFree, mpm_reg->name);
737 }
738 
739 static uint8_t DetectEngineInspectHttp1Header(DetectEngineCtx *de_ctx,
741  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
742 {
743  uint32_t local_id = 0;
744 
745  const DetectEngineTransforms *transforms = NULL;
746  if (!engine->mpm) {
747  transforms = engine->v2.transforms;
748  }
749 
750  while (1) {
751  struct MpmListIdDataArgs cbdata = {
752  local_id,
753  txv,
754  };
755  InspectionBuffer *buffer =
756  GetHttp1HeaderData(det_ctx, flags, transforms, f, &cbdata, engine->sm_list);
757  if (buffer == NULL || buffer->inspect == NULL)
758  break;
759 
760  const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
761  (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset,
763  if (match) {
765  }
766  local_id++;
767  }
768 
770 }
771 
772 static int DetectHTTPRequestHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
773 {
774  if (DetectBufferSetActiveList(de_ctx, s, g_http_request_header_buffer_id) < 0)
775  return -1;
776 
778  return -1;
779 
780  return 0;
781 }
782 
784 {
785  sigmatch_table[DETECT_HTTP_REQUEST_HEADER].name = "http.request_header";
787  "sticky buffer to match on only one HTTP header name and value";
788  sigmatch_table[DETECT_HTTP_REQUEST_HEADER].url = "/rules/http-keywords.html#request_header";
789  sigmatch_table[DETECT_HTTP_REQUEST_HEADER].Setup = DetectHTTPRequestHeaderSetup;
792 
793  DetectAppLayerMpmRegister("http_request_header", SIG_FLAG_TOSERVER, 2,
794  PrefilterMpmHttp2HeaderRegister, NULL, ALPROTO_HTTP2, HTTP2StateOpen);
796  HTTP2StateOpen, DetectEngineInspectHttp2Header, NULL);
797  DetectAppLayerMpmRegister("http_request_header", SIG_FLAG_TOSERVER, 2,
798  PrefilterMpmHttp1HeaderRegister, NULL, ALPROTO_HTTP1, 0);
800  HTP_REQUEST_HEADERS, DetectEngineInspectHttp1Header, NULL);
801 
802  DetectBufferTypeSetDescriptionByName("http_request_header", "HTTP header name and value");
803  g_http_request_header_buffer_id = DetectBufferTypeGetByName("http_request_header");
804  DetectBufferTypeSupportsMultiInstance("http_request_header");
805  g_request_header_thread_id = DetectRegisterThreadCtxGlobalFuncs("http_request_header",
806  HttpMultiBufHeaderThreadDataInit, NULL, HttpMultiBufHeaderThreadDataFree);
807 }
808 
809 static int DetectHTTPResponseHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
810 {
811  if (DetectBufferSetActiveList(de_ctx, s, g_http_response_header_buffer_id) < 0)
812  return -1;
813 
815  return -1;
816 
817  return 0;
818 }
819 
821 {
822  sigmatch_table[DETECT_HTTP_RESPONSE_HEADER].name = "http.response_header";
824  "sticky buffer to match on only one HTTP header name and value";
825  sigmatch_table[DETECT_HTTP_RESPONSE_HEADER].url = "/rules/http2-keywords.html#response_header";
826  sigmatch_table[DETECT_HTTP_RESPONSE_HEADER].Setup = DetectHTTPResponseHeaderSetup;
829 
830  DetectAppLayerMpmRegister("http_response_header", SIG_FLAG_TOCLIENT, 2,
831  PrefilterMpmHttp2HeaderRegister, NULL, ALPROTO_HTTP2, HTTP2StateOpen);
833  HTTP2StateOpen, DetectEngineInspectHttp2Header, NULL);
834  DetectAppLayerMpmRegister("http_response_header", SIG_FLAG_TOCLIENT, 2,
835  PrefilterMpmHttp1HeaderRegister, NULL, ALPROTO_HTTP1, 0);
837  HTP_RESPONSE_HEADERS, DetectEngineInspectHttp1Header, NULL);
838 
839  DetectBufferTypeSetDescriptionByName("http_response_header", "HTTP header name and value");
840  g_http_response_header_buffer_id = DetectBufferTypeGetByName("http_response_header");
841  DetectBufferTypeSupportsMultiInstance("http_response_header");
842  g_response_header_thread_id = DetectRegisterThreadCtxGlobalFuncs("http_response_header",
843  HttpMultiBufHeaderThreadDataInit, NULL, HttpMultiBufHeaderThreadDataFree);
844 }
845 
846 /************************************Unittests*********************************/
847 
848 #ifdef UNITTESTS
850 #endif
851 
852 /**
853  * @}
854  */
DetectEngineAppInspectionEngine_
Definition: detect.h:424
SigTableElmt_::url
const char * url
Definition: detect.h:1296
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1753
BUFFER_SIZE_STEP
#define BUFFER_SIZE_STEP
Definition: detect-http-header.c:67
DetectEngineAppInspectionEngine_::mpm
bool mpm
Definition: detect.h:428
detect-content.h
MpmCtx_::mpm_type
uint8_t mpm_type
Definition: util-mpm.h:90
detect-engine.h
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1497
SigTableElmt_::desc
const char * desc
Definition: detect.h:1295
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
DetectEngineInspectBufferGeneric
uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:2169
SIGMATCH_INFO_CONTENT_MODIFIER
#define SIGMATCH_INFO_CONTENT_MODIFIER
Definition: detect.h:1495
SigTableElmt_::name
const char * name
Definition: detect.h:1293
InspectionBuffer::initialized
bool initialized
Definition: detect.h:375
MpmListIdDataArgs
Definition: detect-engine-mpm.h:130
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1445
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectEngineTransforms
Definition: detect.h:406
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
DetectHttpRequestHeaderRegister
void DetectHttpRequestHeaderRegister(void)
Definition: detect-http-header.c:783
DetectBufferSetActiveList
int DetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
Definition: detect-engine.c:1382
HttpHeaderBuffer_::len
uint32_t len
Definition: detect-http-header-common.h:30
AppLayerParserGetStateProgress
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
Definition: app-layer-parser.c:1103
InspectionBuffer
Definition: detect.h:371
threads.h
Flow_
Flow data structure.
Definition: flow.h:351
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1201
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1287
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:836
MpmListIdDataArgs::local_id
uint32_t local_id
Definition: detect-engine-mpm.h:131
DetectBufferTypeSupportsMultiInstance
void DetectBufferTypeSupportsMultiInstance(const char *name)
Definition: detect-engine.c:1069
detect-http-header.h
MpmListIdDataArgs::txv
void * txv
Definition: detect-engine-mpm.h:132
DetectBufferMpmRegistry_
one time registration of keywords at start up
Definition: detect.h:677
HttpMultiBufItem::len
size_t len
Definition: detect-http-header.c:578
DetectBufferMpmRegistry_::app_v2
struct DetectBufferMpmRegistry_::@88::@90 app_v2
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:264
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1278
detect-pcre.h
DetectBufferMpmRegistry_::transforms
DetectEngineTransforms transforms
Definition: detect.h:690
detect-engine-prefilter.h
InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine.c:1526
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1119
util-memcmp.h
DetectHttpResponseHeaderRegister
void DetectHttpResponseHeaderRegister(void)
Definition: detect-http-header.c:820
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition: detect.h:430
DETECT_AL_HTTP_HEADER
@ DETECT_AL_HTTP_HEADER
Definition: detect-engine-register.h:142
PrefilterMpmListId
Definition: detect-engine-mpm.h:124
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:263
app-layer-htp.h
InspectionBufferSetupMultiEmpty
void InspectionBufferSetupMultiEmpty(InspectionBuffer *buffer)
setup the buffer empty
Definition: detect-engine.c:1593
HttpMultiBufHeaderThreadData::len
size_t len
Definition: detect-http-header.c:587
decode.h
util-debug.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1092
HttpMultiBufHeaderThreadData::items
HttpMultiBufItem * items
Definition: detect-http-header.c:583
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
detect.h
HtpTxUserData_::response_has_trailers
uint8_t response_has_trailers
Definition: app-layer-htp.h:213
DETECT_HTTP_REQUEST_HEADER
@ DETECT_HTTP_REQUEST_HEADER
Definition: detect-engine-register.h:196
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:38
HttpMultiBufHeaderThreadData
Definition: detect-http-header.c:581
InspectionBuffer::inspect_offset
uint64_t inspect_offset
Definition: detect.h:373
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
Definition: detect-engine-content-inspection.h:36
PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:745
PrefilterMpmListId::transforms
const DetectEngineTransforms * transforms
Definition: detect-engine-mpm.h:127
SigTableElmt_::alternative
uint16_t alternative
Definition: detect.h:1291
DetectAppLayerMpmRegister
void DetectAppLayerMpmRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:89
app-layer-parser.h
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:99
HttpMultiBufItem
struct HttpMultiBufItem HttpMultiBufItem
HtpTxUserData_::request_has_trailers
uint8_t request_has_trailers
Definition: app-layer-htp.h:212
util-profiling.h
SCReturn
#define SCReturn
Definition: util-debug.h:273
DetectEngineContentModifierBufferSetup
int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg, int sm_type, int sm_list, AppProto alproto)
Definition: detect-parse.c:205
PrefilterMpmListId::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-engine-mpm.h:126
detect-http-header.c
Packet_
Definition: decode.h:437
detect-http-header-common.h
HttpMultiBufHeaderThreadData
struct HttpMultiBufHeaderThreadData HttpMultiBufHeaderThreadData
HttpHeaderThreadConfig_
Definition: detect-http-header-common.h:33
HttpHeaderBuffer_::buffer
uint8_t * buffer
Definition: detect-http-header-common.h:28
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:61
HttpMultiBufHeaderThreadData::cap
size_t cap
Definition: detect-http-header.c:585
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:168
DetectEngineAppInspectionEngine_::v2
struct DetectEngineAppInspectionEngine_::@85 v2
HttpMultiBufItem
Definition: detect-http-header.c:576
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
Definition: detect-engine-state.h:39
DetectEngineThreadCtx_::mtc
MpmThreadCtx mtc
Definition: detect.h:1200
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
detect-engine-content-inspection.h
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:441
HttpHeaderThreadDataInit
void * HttpHeaderThreadDataInit(void *data)
Definition: detect-http-header-common.c:57
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: detect.h:1355
PREFILTER_PROFILING_ADD_BYTES
#define PREFILTER_PROFILING_ADD_BYTES(det_ctx, bytes)
Definition: util-profiling.h:287
DETECT_CI_FLAGS_SINGLE
#define DETECT_CI_FLAGS_SINGLE
Definition: detect-engine-content-inspection.h:49
flags
uint8_t flags
Definition: decode-gre.h:0
PrefilterMpmHttpHeaderCtx::list_id
int list_id
Definition: detect-http-header.c:225
PrefilterMpmHttpHeaderCtx
Definition: detect-http-header.c:224
DetectHttpHeaderRegister
void DetectHttpHeaderRegister(void)
Registers the keyword handlers for the "http_header" keyword.
Definition: detect-http-header.c:411
suricata-common.h
DETECT_HTTP_HEADER
@ DETECT_HTTP_HEADER
Definition: detect-engine-register.h:143
DetectBufferMpmRegistry_::name
const char * name
Definition: detect.h:678
InspectionBufferApplyTransforms
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
Definition: detect-engine.c:1725
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:127
InspectionBufferSetupMulti
void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1606
HttpHeaderBuffer_::size
uint32_t size
Definition: detect-http-header-common.h:29
PrefilterAppendTxEngine
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterTxFn PrefilterTxFunc, AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:270
HtpTxUserData_
Definition: app-layer-htp.h:207
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:37
util-validate.h
PrefilterMpmHttpHeaderCtx::transforms
const DetectEngineTransforms * transforms
Definition: detect-http-header.c:227
PrefilterMpmHttpHeaderCtx
struct PrefilterMpmHttpHeaderCtx PrefilterMpmHttpHeaderCtx
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:374
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:372
PrefilterMpmHttpHeaderCtx::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-http-header.c:226
str
#define str(s)
Definition: suricata-common.h:291
DetectThreadCtxGetGlobalKeywordThreadCtx
void * DetectThreadCtxGetGlobalKeywordThreadCtx(DetectEngineThreadCtx *det_ctx, int id)
Retrieve thread local keyword ctx by id.
Definition: detect-engine.c:3698
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
InspectionBufferSetup
void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1621
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:593
DetectEngineAppInspectionEngine_::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:438
PrefilterMpmListId::list_id
int list_id
Definition: detect-engine-mpm.h:125
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:66
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:47
InspectionBufferMultipleForListGet
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
Definition: detect-engine.c:1546
HttpHeaderGetBufferSpace
HttpHeaderBuffer * HttpHeaderGetBufferSpace(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, const int keyword_id, HttpHeaderThreadData **ret_hdr_td)
Definition: detect-http-header-common.c:100
HttpHeaderExpandBuffer
int HttpHeaderExpandBuffer(HttpHeaderThreadData *td, HttpHeaderBuffer *buf, uint32_t size)
Definition: detect-http-header-common.c:81
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1473
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:216
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:1216
MpmCtx_
Definition: util-mpm.h:88
HttpHeaderBuffer_
Definition: detect-http-header-common.h:27
DETECT_HTTP_RESPONSE_HEADER
@ DETECT_HTTP_RESPONSE_HEADER
Definition: detect-engine-register.h:197
DetectEngineContentInspection
bool DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, const uint32_t buffer_len, const uint32_t stream_start_offset, const uint8_t flags, const enum DetectContentInspectionType inspection_mode)
wrapper around DetectEngineContentInspectionInternal to return true/false only
Definition: detect-engine-content-inspection.c:723
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
DetectHttpHeaderRegisterTests
void DetectHttpHeaderRegisterTests(void)
Definition: detect-http-header.c:4557
HttpMultiBufItem::buffer
uint8_t * buffer
Definition: detect-http-header.c:577
HttpHeaderThreadData_
Definition: detect-http-header-common.h:37
HttpHeaderThreadDataFree
void HttpHeaderThreadDataFree(void *data)
Definition: detect-http-header-common.c:74
DetectRegisterThreadCtxGlobalFuncs
int DetectRegisterThreadCtxGlobalFuncs(const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *))
Register Thread keyword context Funcs (Global)
Definition: detect-engine.c:3654
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1285
app-layer.h
DetectBufferMpmRegistry_::pname
char pname[32]
Definition: detect.h:679