suricata
detect-http-headers-stub.h
Go to the documentation of this file.
1 /* Copyright (C) 2007-2019 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * Stub for per HTTP header detection keyword. Meant to be included into
20  * a C file.
21  */
22 
23 /**
24  * \ingroup httplayer
25  *
26  * @{
27  */
28 
29 #include "suricata-common.h"
30 #include "flow.h"
31 
32 #include "htp/htp_rs.h"
33 
34 #include "detect.h"
35 #include "detect-parse.h"
36 #include "detect-engine.h"
37 #include "detect-engine-mpm.h"
39 
40 #include "util-debug.h"
41 #include "rust.h"
42 
43 static int g_buffer_id = 0;
44 
45 #ifdef KEYWORD_TOSERVER
46 static InspectionBuffer *GetRequestData(DetectEngineThreadCtx *det_ctx,
47  const DetectEngineTransforms *transforms, Flow *_f,
48  const uint8_t _flow_flags, void *txv, const int list_id)
49 {
50  SCEnter();
51 
52  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
53  if (buffer->inspect == NULL) {
54  htp_tx_t *tx = (htp_tx_t *)txv;
55 
56  if (htp_tx_request_headers(tx) == NULL)
57  return NULL;
58 
59  const htp_header_t *h = htp_tx_request_header(tx, HEADER_NAME);
60  if (h == NULL || htp_header_value(h) == NULL) {
61  SCLogDebug("HTTP %s header not present in this request",
62  HEADER_NAME);
63  return NULL;
64  }
65 
66  const uint32_t data_len = htp_header_value_len(h);
67  const uint8_t *data = htp_header_value_ptr(h);
68 
70  det_ctx, list_id, buffer, data, data_len, transforms);
71  }
72 
73  return buffer;
74 }
75 
76 static InspectionBuffer *GetRequestData2(DetectEngineThreadCtx *det_ctx,
77  const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
78  const int list_id)
79 {
80  SCEnter();
81 
82  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
83  if (buffer->inspect == NULL) {
84  uint32_t b_len = 0;
85  const uint8_t *b = NULL;
86 
87  if (rs_http2_tx_get_header_value(txv, STREAM_TOSERVER, HEADER_NAME, &b, &b_len) != 1)
88  return NULL;
89  if (b == NULL || b_len == 0)
90  return NULL;
91 
92  InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
93  }
94 
95  return buffer;
96 }
97 
98 #endif
99 #ifdef KEYWORD_TOCLIENT
100 static InspectionBuffer *GetResponseData(DetectEngineThreadCtx *det_ctx,
101  const DetectEngineTransforms *transforms, Flow *_f,
102  const uint8_t _flow_flags, void *txv, const int list_id)
103 {
104  SCEnter();
105 
106  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
107  if (buffer->inspect == NULL) {
108  htp_tx_t *tx = (htp_tx_t *)txv;
109 
110  if (htp_tx_response_headers(tx) == NULL)
111  return NULL;
112 
113  const htp_header_t *h = htp_tx_response_header(tx, HEADER_NAME);
114  if (h == NULL || htp_header_value(h) == NULL) {
115  SCLogDebug("HTTP %s header not present in this request",
116  HEADER_NAME);
117  return NULL;
118  }
119 
120  const uint32_t data_len = htp_header_value_len(h);
121  const uint8_t *data = htp_header_value_ptr(h);
122 
124  det_ctx, list_id, buffer, data, data_len, transforms);
125  }
126 
127  return buffer;
128 }
129 
130 static InspectionBuffer *GetResponseData2(DetectEngineThreadCtx *det_ctx,
131  const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
132  const int list_id)
133 {
134  SCEnter();
135 
136  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
137  if (buffer->inspect == NULL) {
138  uint32_t b_len = 0;
139  const uint8_t *b = NULL;
140 
141  if (rs_http2_tx_get_header_value(txv, STREAM_TOCLIENT, HEADER_NAME, &b, &b_len) != 1)
142  return NULL;
143  if (b == NULL || b_len == 0)
144  return NULL;
145 
146  InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
147  }
148 
149  return buffer;
150 }
151 #endif
152 
153 /**
154  * \brief this function setup the http.header keyword used in the rule
155  *
156  * \param de_ctx Pointer to the Detection Engine Context
157  * \param s Pointer to the Signature to which the current keyword belongs
158  * \param str Should hold an empty string always
159  *
160  * \retval 0 On success
161  */
162 static int DetectHttpHeadersSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
163 {
164  if (DetectSetupDirection(s, str) < 0) {
165  SCLogError(KEYWORD_NAME " failed to setup direction");
166  return -1;
167  }
168 
169  if (DetectBufferSetActiveList(de_ctx, s, g_buffer_id) < 0)
170  return -1;
171 
174 
176  return -1;
177 
178  return 0;
179 }
180 
181 static void DetectHttpHeadersRegisterStub(void)
182 {
184 #ifdef KEYWORD_NAME_LEGACY
186 #endif
187  sigmatch_table[KEYWORD_ID].desc = KEYWORD_NAME " sticky buffer for the " BUFFER_DESC;
189  sigmatch_table[KEYWORD_ID].Setup = DetectHttpHeadersSetupSticky;
190 #if defined(KEYWORD_TOSERVER) && defined(KEYWORD_TOSERVER)
192 #else
194 #endif
195 
196 #ifdef KEYWORD_TOSERVER
198  GetRequestData, ALPROTO_HTTP1, HTP_REQUEST_PROGRESS_HEADERS);
200  GetRequestData2, ALPROTO_HTTP2, HTTP2StateDataClient);
201 #endif
202 #ifdef KEYWORD_TOCLIENT
204  GetResponseData, ALPROTO_HTTP1, HTP_RESPONSE_PROGRESS_HEADERS);
206  GetResponseData2, ALPROTO_HTTP2, HTTP2StateDataServer);
207 #endif
208 #ifdef KEYWORD_TOSERVER
210  HTP_REQUEST_PROGRESS_HEADERS, DetectEngineInspectBufferGeneric, GetRequestData);
212  HTTP2StateDataClient, DetectEngineInspectBufferGeneric, GetRequestData2);
213 #endif
214 #ifdef KEYWORD_TOCLIENT
216  HTP_RESPONSE_PROGRESS_HEADERS, DetectEngineInspectBufferGeneric, GetResponseData);
218  HTTP2StateDataServer, DetectEngineInspectBufferGeneric, GetResponseData2);
219 #endif
220 
222 
223  g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
224 }
SigTableElmt_::url
const char * url
Definition: detect.h:1405
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:2218
detect-engine.h
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1616
SigTableElmt_::desc
const char * desc
Definition: detect.h:1404
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:155
DetectEngineInspectBufferGeneric
uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:2252
SigTableElmt_::name
const char * name
Definition: detect.h:1402
InspectionBufferSetupAndApplyTransforms
void InspectionBufferSetupAndApplyTransforms(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len, const DetectEngineTransforms *transforms)
setup the buffer with our initial data
Definition: detect-engine.c:1719
DetectEngineTransforms
Definition: detect.h:415
KEYWORD_DOC
#define KEYWORD_DOC
Definition: detect-ftp-command-data.c:46
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
BUFFER_DESC
#define BUFFER_DESC
Definition: detect-ftp-command-data.c:48
DetectBufferSetActiveList
int DetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
Definition: detect-engine.c:1422
InspectionBuffer
Definition: detect.h:380
Flow_
Flow data structure.
Definition: flow.h:356
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1396
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:920
HEADER_NAME
#define HEADER_NAME
Definition: detect-http-accept-enc.c:38
SIG_FLAG_INIT_FORCE_TOCLIENT
#define SIG_FLAG_INIT_FORCE_TOCLIENT
Definition: detect.h:300
rust.h
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:609
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:271
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1387
detect-engine-prefilter.h
InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine.c:1578
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1157
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:270
util-debug.h
DetectSetupDirection
int DetectSetupDirection(Signature *s, const char *str)
Parse and setup a direction.
Definition: detect-parse.c:3539
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1197
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
KEYWORD_NAME
#define KEYWORD_NAME
Definition: detect-ftp-command-data.c:45
detect.h
PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:1547
DetectAppLayerMpmRegister
void DetectAppLayerMpmRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register an app layer keyword for mpm
Definition: detect-engine-mpm.c:151
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:748
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:69
KEYWORD_NAME_LEGACY
#define KEYWORD_NAME_LEGACY
Definition: detect-http-accept-enc.c:33
SigTableElmt_::alias
const char * alias
Definition: detect.h:1403
suricata-common.h
SIG_FLAG_INIT_FORCE_TOSERVER
#define SIG_FLAG_INIT_FORCE_TOSERVER
Definition: detect.h:301
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
SIGMATCH_OPTIONAL_OPT
#define SIGMATCH_OPTIONAL_OPT
Definition: detect.h:1601
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:381
str
#define str(s)
Definition: suricata-common.h:300
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
KEYWORD_ID
#define KEYWORD_ID
Definition: detect-http-accept-enc.c:39
detect-parse.h
Signature_
Signature container.
Definition: detect.h:669
BUFFER_NAME
#define BUFFER_NAME
Definition: detect-dce-stub-data.c:60
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:75
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1592
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
Definition: detect-engine.c:245
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:1254
flow.h