suricata
detect-http-headers-stub.h
Go to the documentation of this file.
1 /* Copyright (C) 2007-2019 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * Stub for per HTTP header detection keyword. Meant to be included into
20  * a C file.
21  */
22 
23 /**
24  * \ingroup httplayer
25  *
26  * @{
27  */
28 
29 #include "suricata-common.h"
30 #include "flow.h"
31 
32 #include <htp/htp.h>
33 
34 #include "detect.h"
35 #include "detect-parse.h"
36 #include "detect-engine.h"
37 #include "detect-engine-mpm.h"
39 
40 #include "util-debug.h"
41 #include "rust.h"
42 
43 static int g_buffer_id = 0;
44 
45 #ifdef KEYWORD_TOSERVER
46 static InspectionBuffer *GetRequestData(DetectEngineThreadCtx *det_ctx,
47  const DetectEngineTransforms *transforms, Flow *_f,
48  const uint8_t _flow_flags, void *txv, const int list_id)
49 {
50  SCEnter();
51 
52  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
53  if (buffer->inspect == NULL) {
54  htp_tx_t *tx = (htp_tx_t *)txv;
55 
56  if (tx->request_headers == NULL)
57  return NULL;
58 
59  htp_header_t *h = (htp_header_t *)htp_table_get_c(tx->request_headers,
60  HEADER_NAME);
61  if (h == NULL || h->value == NULL) {
62  SCLogDebug("HTTP %s header not present in this request",
63  HEADER_NAME);
64  return NULL;
65  }
66 
67  const uint32_t data_len = bstr_len(h->value);
68  const uint8_t *data = bstr_ptr(h->value);
69 
70  InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
71  InspectionBufferApplyTransforms(buffer, transforms);
72  }
73 
74  return buffer;
75 }
76 
77 static InspectionBuffer *GetRequestData2(DetectEngineThreadCtx *det_ctx,
78  const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
79  const int list_id)
80 {
81  SCEnter();
82 
83  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
84  if (buffer->inspect == NULL) {
85  uint32_t b_len = 0;
86  const uint8_t *b = NULL;
87 
88  if (rs_http2_tx_get_header_value(txv, STREAM_TOSERVER, HEADER_NAME, &b, &b_len) != 1)
89  return NULL;
90  if (b == NULL || b_len == 0)
91  return NULL;
92 
93  InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
94  InspectionBufferApplyTransforms(buffer, transforms);
95  }
96 
97  return buffer;
98 }
99 
100 #endif
101 #ifdef KEYWORD_TOCLIENT
102 static InspectionBuffer *GetResponseData(DetectEngineThreadCtx *det_ctx,
103  const DetectEngineTransforms *transforms, Flow *_f,
104  const uint8_t _flow_flags, void *txv, const int list_id)
105 {
106  SCEnter();
107 
108  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
109  if (buffer->inspect == NULL) {
110  htp_tx_t *tx = (htp_tx_t *)txv;
111 
112  if (tx->response_headers == NULL)
113  return NULL;
114 
115  htp_header_t *h = (htp_header_t *)htp_table_get_c(tx->response_headers,
116  HEADER_NAME);
117  if (h == NULL || h->value == NULL) {
118  SCLogDebug("HTTP %s header not present in this request",
119  HEADER_NAME);
120  return NULL;
121  }
122 
123  const uint32_t data_len = bstr_len(h->value);
124  const uint8_t *data = bstr_ptr(h->value);
125 
126  InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
127  InspectionBufferApplyTransforms(buffer, transforms);
128  }
129 
130  return buffer;
131 }
132 
133 static InspectionBuffer *GetResponseData2(DetectEngineThreadCtx *det_ctx,
134  const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
135  const int list_id)
136 {
137  SCEnter();
138 
139  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
140  if (buffer->inspect == NULL) {
141  uint32_t b_len = 0;
142  const uint8_t *b = NULL;
143 
144  if (rs_http2_tx_get_header_value(txv, STREAM_TOCLIENT, HEADER_NAME, &b, &b_len) != 1)
145  return NULL;
146  if (b == NULL || b_len == 0)
147  return NULL;
148 
149  InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
150  InspectionBufferApplyTransforms(buffer, transforms);
151  }
152 
153  return buffer;
154 }
155 #endif
156 
157 /**
158  * \brief this function setup the http.header keyword used in the rule
159  *
160  * \param de_ctx Pointer to the Detection Engine Context
161  * \param s Pointer to the Signature to which the current keyword belongs
162  * \param str Should hold an empty string always
163  *
164  * \retval 0 On success
165  */
166 static int DetectHttpHeadersSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
167 {
168  if (DetectBufferSetActiveList(s, g_buffer_id) < 0)
169  return -1;
170 
172  return -1;
173 
174  return 0;
175 }
176 
177 static void DetectHttpHeadersRegisterStub(void)
178 {
180 #ifdef KEYWORD_NAME_LEGACY
182 #endif
183  sigmatch_table[KEYWORD_ID].desc = KEYWORD_NAME " sticky buffer for the " BUFFER_DESC;
185  sigmatch_table[KEYWORD_ID].Setup = DetectHttpHeadersSetupSticky;
187 
188 #ifdef KEYWORD_TOSERVER
190  GetRequestData, ALPROTO_HTTP1, HTP_REQUEST_HEADERS);
192  GetRequestData2, ALPROTO_HTTP2, HTTP2StateDataClient);
193 #endif
194 #ifdef KEYWORD_TOCLIENT
196  GetResponseData, ALPROTO_HTTP1, HTP_RESPONSE_HEADERS);
198  GetResponseData2, ALPROTO_HTTP2, HTTP2StateDataServer);
199 #endif
200 #ifdef KEYWORD_TOSERVER
202  HTP_REQUEST_HEADERS, DetectEngineInspectBufferGeneric, GetRequestData);
204  HTTP2StateDataClient, DetectEngineInspectBufferGeneric, GetRequestData2);
205 #endif
206 #ifdef KEYWORD_TOCLIENT
208  HTP_RESPONSE_HEADERS, DetectEngineInspectBufferGeneric, GetResponseData);
210  HTTP2StateDataServer, DetectEngineInspectBufferGeneric, GetResponseData2);
211 #endif
212 
214 
215  g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
216 }
SigTableElmt_::url
const char * url
Definition: detect.h:1241
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1498
detect-engine.h
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1447
SigTableElmt_::desc
const char * desc
Definition: detect.h:1240
DetectEngineInspectBufferGeneric
uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1991
SigTableElmt_::name
const char * name
Definition: detect.h:1238
DetectEngineTransforms
Definition: detect.h:372
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
InspectionBuffer
Definition: detect.h:337
Flow_
Flow data structure.
Definition: flow.h:357
PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:749
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1232
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:785
HEADER_NAME
#define HEADER_NAME
Definition: detect-http-accept-enc.c:38
rust.h
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:229
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1223
detect-engine-prefilter.h
InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine.c:1364
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1079
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:228
util-debug.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1025
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
detect.h
KEYWORD_DOC
#define KEYWORD_DOC
Definition: detect-http-accept-enc.c:35
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:224
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:61
BUFFER_DESC
#define BUFFER_DESC
Definition: detect-http-accept-enc.c:37
DetectAppLayerMpmRegister2
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:89
KEYWORD_NAME_LEGACY
#define KEYWORD_NAME_LEGACY
Definition: detect-http-accept-enc.c:33
SigTableElmt_::alias
const char * alias
Definition: detect.h:1239
suricata-common.h
InspectionBufferApplyTransforms
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
Definition: detect-engine.c:1550
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
KEYWORD_NAME
#define KEYWORD_NAME
Definition: detect-dce-stub-data.c:61
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:338
str
#define str(s)
Definition: suricata-common.h:280
InspectionBufferSetup
void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1446
KEYWORD_ID
#define KEYWORD_ID
Definition: detect-http-accept-enc.c:39
detect-parse.h
Signature_
Signature container.
Definition: detect.h:540
BUFFER_NAME
#define BUFFER_NAME
Definition: detect-dce-stub-data.c:60
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:66
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1423
DetectBufferSetActiveList
int DetectBufferSetActiveList(Signature *s, const int list)
Definition: detect-engine.c:1293
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:1176
flow.h