suricata
detect-http-headers-stub.h
Go to the documentation of this file.
1 /* Copyright (C) 2007-2019 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * Stub for per HTTP header detection keyword. Meant to be included into
20  * a C file.
21  */
22 
23 /**
24  * \ingroup httplayer
25  *
26  * @{
27  */
28 
29 #include "suricata-common.h"
30 #include "threads.h"
31 #include "decode.h"
32 #include "flow.h"
33 #include "app-layer.h"
34 #include "app-layer-parser.h"
35 #include "app-layer-protos.h"
36 #include "app-layer-htp.h"
37 
38 #include "detect.h"
39 #include "detect-parse.h"
40 #include "detect-engine.h"
41 #include "detect-engine-mpm.h"
42 #include "detect-engine-state.h"
45 #include "detect-content.h"
46 #include "detect-http-header.h"
47 
48 #include "util-debug.h"
49 
50 static int g_buffer_id = 0;
51 
52 #ifdef KEYWORD_TOSERVER
53 static InspectionBuffer *GetRequestData(DetectEngineThreadCtx *det_ctx,
54  const DetectEngineTransforms *transforms, Flow *_f,
55  const uint8_t _flow_flags, void *txv, const int list_id)
56 {
57  SCEnter();
58 
59  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
60  if (buffer->inspect == NULL) {
61  htp_tx_t *tx = (htp_tx_t *)txv;
62 
63  if (tx->request_headers == NULL)
64  return NULL;
65 
66  htp_header_t *h = (htp_header_t *)htp_table_get_c(tx->request_headers,
67  HEADER_NAME);
68  if (h == NULL || h->value == NULL) {
69  SCLogDebug("HTTP %s header not present in this request",
70  HEADER_NAME);
71  return NULL;
72  }
73 
74  const uint32_t data_len = bstr_len(h->value);
75  const uint8_t *data = bstr_ptr(h->value);
76 
77  InspectionBufferSetup(buffer, data, data_len);
78  InspectionBufferApplyTransforms(buffer, transforms);
79  }
80 
81  return buffer;
82 }
83 
84 #endif
85 #ifdef KEYWORD_TOCLIENT
86 static InspectionBuffer *GetResponseData(DetectEngineThreadCtx *det_ctx,
87  const DetectEngineTransforms *transforms, Flow *_f,
88  const uint8_t _flow_flags, void *txv, const int list_id)
89 {
90  SCEnter();
91 
92  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
93  if (buffer->inspect == NULL) {
94  htp_tx_t *tx = (htp_tx_t *)txv;
95 
96  if (tx->response_headers == NULL)
97  return NULL;
98 
99  htp_header_t *h = (htp_header_t *)htp_table_get_c(tx->response_headers,
100  HEADER_NAME);
101  if (h == NULL || h->value == NULL) {
102  SCLogDebug("HTTP %s header not present in this request",
103  HEADER_NAME);
104  return NULL;
105  }
106 
107  const uint32_t data_len = bstr_len(h->value);
108  const uint8_t *data = bstr_ptr(h->value);
109 
110  InspectionBufferSetup(buffer, data, data_len);
111  InspectionBufferApplyTransforms(buffer, transforms);
112  }
113 
114  return buffer;
115 }
116 #endif
117 
118 /**
119  * \brief this function setup the http.header keyword used in the rule
120  *
121  * \param de_ctx Pointer to the Detection Engine Context
122  * \param s Pointer to the Signature to which the current keyword belongs
123  * \param str Should hold an empty string always
124  *
125  * \retval 0 On success
126  */
127 static int DetectHttpHeadersSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
128 {
129  if (DetectBufferSetActiveList(s, g_buffer_id) < 0)
130  return -1;
131 
133  return -1;
134 
135  return 0;
136 }
137 
138 static void DetectHttpHeadersRegisterStub(void)
139 {
141 #ifdef KEYWORD_NAME_LEGACY
143 #endif
144  sigmatch_table[KEYWORD_ID].desc = KEYWORD_NAME " sticky buffer for the " BUFFER_DESC;
146  sigmatch_table[KEYWORD_ID].Setup = DetectHttpHeadersSetupSticky;
148 
149 #ifdef KEYWORD_TOSERVER
151  PrefilterGenericMpmRegister, GetRequestData,
152  ALPROTO_HTTP, HTP_REQUEST_HEADERS);
153 #endif
154 #ifdef KEYWORD_TOCLIENT
156  PrefilterGenericMpmRegister, GetResponseData,
157  ALPROTO_HTTP, HTP_RESPONSE_HEADERS);
158 #endif
159 #ifdef KEYWORD_TOSERVER
161  ALPROTO_HTTP, SIG_FLAG_TOSERVER, HTP_REQUEST_HEADERS,
162  DetectEngineInspectBufferGeneric, GetRequestData);
163 #endif
164 #ifdef KEYWORD_TOCLIENT
166  ALPROTO_HTTP, SIG_FLAG_TOCLIENT, HTP_RESPONSE_HEADERS,
167  DetectEngineInspectBufferGeneric, GetResponseData);
168 #endif
169 
171 
172  g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
173 }
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1448
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1186
#define SCLogDebug(...)
Definition: util-debug.h:335
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
#define BUFFER_DESC
#define KEYWORD_NAME_LEGACY
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
const char * name
Definition: detect.h:1200
Signature container.
Definition: detect.h:522
#define KEYWORD_ID
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
main detection engine ctx
Definition: detect.h:761
#define KEYWORD_DOC
int DetectBufferTypeGetByName(const char *name)
#define str(s)
#define SIG_FLAG_TOCLIENT
Definition: detect.h:237
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1393
Data structures and function prototypes for keeping state for the detection engine.
#define HEADER_NAME
#define KEYWORD_NAME
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
#define SCEnter(...)
Definition: util-debug.h:337
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
int DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
const char * desc
Definition: detect.h:1202
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)
const char * alias
Definition: detect.h:1201
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
#define SIGMATCH_NOOPT
Definition: detect.h:1369
const char * url
Definition: detect.h:1203
int DetectBufferSetActiveList(Signature *s, const int list)
const uint8_t * inspect
Definition: detect.h:343
#define DOC_URL
Definition: suricata.h:86
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
#define DOC_VERSION
Definition: suricata.h:91
uint16_t flags
Definition: detect.h:1194
Flow data structure.
Definition: flow.h:325
#define BUFFER_NAME