detect-http-protocol_8c_source.html

 /* Copyright (C) 2007-2017 Open Information Security Foundation
  *
  * You can copy, redistribute or modify this Program under the terms of
  * the GNU General Public License version 2 as published by the Free
  * Software Foundation.
  *
  * This program is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
  * version 2 along with this program; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  * 02110-1301, USA.
  */

 /**
  * \ingroup httplayer
  *
  * @{
  */


 /**
  * \file
  *
  * \author Victor Julien <victor@inliniac.net>
  *
  * Implements support http_protocol sticky buffer
  */

 #include "suricata-common.h"
 #include "threads.h"
 #include "decode.h"

 #include "detect.h"
 #include "detect-parse.h"
 #include "detect-engine.h"
 #include "detect-engine-mpm.h"
 #include "detect-engine-state.h"
 #include "detect-engine-prefilter.h"
 #include "detect-engine-content-inspection.h"
 #include "detect-content.h"
 #include "detect-pcre.h"
 #include "detect-http-header-common.h"
 #include "detect-http-protocol.h"

 #include "flow.h"
 #include "flow-var.h"
 #include "flow-util.h"

 #include "util-debug.h"
 #include "util-unittest.h"
 #include "util-unittest-helper.h"
 #include "util-spm.h"
 #include "util-print.h"

 #include "app-layer.h"
 #include "app-layer-parser.h"

 #include "app-layer-htp.h"
 #include "detect-http-header.h"
 #include "stream-tcp.h"

 #include "util-print.h"

 #define KEYWORD_NAME "http.protocol"
 #define KEYWORD_NAME_LEGACY "http_protocol"
 #define KEYWORD_DOC "http-keywords.html#http-protocol"
 #define BUFFER_NAME "http_protocol"
 #define BUFFER_DESC "http protocol"
 static int g_buffer_id = 0;

 static int DetectHttpProtocolSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
 {
     if (DetectBufferSetActiveList(s, g_buffer_id) < 0)
         return -1;

     if (DetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)
         return -1;

     return 0;
 }

 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
         const DetectEngineTransforms *transforms, Flow *_f,
         const uint8_t flow_flags, void *txv, const int list_id)
 {
     InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
     if (buffer->inspect == NULL) {
         bstr *str = NULL;
         htp_tx_t *tx = (htp_tx_t *)txv;

         if (flow_flags & STREAM_TOSERVER)
             str = tx->request_protocol;
         else if (flow_flags & STREAM_TOCLIENT)
             str = tx->response_protocol;

         if (str == NULL) {
             SCLogDebug("HTTP protocol not set");
             return NULL;
         }

         uint32_t data_len = bstr_size(str);
         uint8_t *data = bstr_ptr(str);
         if (data == NULL || data_len == 0) {
             SCLogDebug("HTTP protocol not present");
             return NULL;
         }

         InspectionBufferSetup(buffer, data, data_len);
         InspectionBufferApplyTransforms(buffer, transforms);
     }

     return buffer;
 }

 /**
  * \brief Registers the keyword handlers for the "http.protocol" keyword.
  */
 void DetectHttpProtocolRegister(void)
 {
     sigmatch_table[DETECT_AL_HTTP_PROTOCOL].name = KEYWORD_NAME;
     sigmatch_table[DETECT_AL_HTTP_PROTOCOL].alias = KEYWORD_NAME_LEGACY;
     sigmatch_table[DETECT_AL_HTTP_PROTOCOL].desc = BUFFER_NAME " sticky buffer";
     sigmatch_table[DETECT_AL_HTTP_PROTOCOL].url = DOC_URL DOC_VERSION "/rules/" KEYWORD_DOC;
     sigmatch_table[DETECT_AL_HTTP_PROTOCOL].Setup = DetectHttpProtocolSetup;
     sigmatch_table[DETECT_AL_HTTP_PROTOCOL].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;

     DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2,
             PrefilterGenericMpmRegister, GetData, ALPROTO_HTTP,
             HTP_REQUEST_LINE);
     DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2,
             PrefilterGenericMpmRegister, GetData, ALPROTO_HTTP,
             HTP_RESPONSE_LINE);
     DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_HTTP,
             SIG_FLAG_TOSERVER, HTP_REQUEST_LINE,
             DetectEngineInspectBufferGeneric, GetData);
     DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_HTTP,
             SIG_FLAG_TOCLIENT, HTP_RESPONSE_LINE,
             DetectEngineInspectBufferGeneric, GetData);

     DetectBufferTypeSetDescriptionByName(BUFFER_NAME,
             BUFFER_DESC);

     g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
 }
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1439

SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1179

SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335

detect-content.h

DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1392

detect-http-protocol.h

KEYWORD_DOC
#define KEYWORD_DOC
Definition: detect-http-protocol.c:70

BUFFER_NAME
#define BUFFER_NAME
Definition: detect-http-protocol.c:71

DetectEngineTransforms
Definition: detect.h:364

detect-pcre.h

detect-engine-prefilter.h

InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine.c:1025

SigTableElmt_::name
const char * name
Definition: detect.h:1193

util-unittest.h

Signature_
Signature container.
Definition: detect.h:517

decode.h

KEYWORD_NAME
#define KEYWORD_NAME
Definition: detect-http-protocol.c:68

DetectAppLayerMpmRegister2
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:89

DetectEngineCtx_
main detection engine ctx
Definition: detect.h:756

flow.h

detect-http-header.h

DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:852

str
#define str(s)
Definition: suricata-common.h:258

threads.h

SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:233

SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1386

KEYWORD_NAME_LEGACY
#define KEYWORD_NAME_LEGACY
Definition: detect-http-protocol.c:69

BUFFER_DESC
#define BUFFER_DESC
Definition: detect-http-protocol.c:72

detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.

util-debug.h

util-unittest-helper.h

SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:232

DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:224

detect-engine-mpm.h

suricata-common.h

STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32

util-spm.h

detect-engine.h

util-print.h

DetectEngineInspectBufferGeneric
int DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1562

SigTableElmt_::desc
const char * desc
Definition: detect.h:1195

PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:611

DetectHttpProtocolRegister
void DetectHttpProtocolRegister(void)
Registers the keyword handlers for the "http.protocol" keyword.
Definition: detect-http-protocol.c:122

SigTableElmt_::alias
const char * alias
Definition: detect.h:1194

stream-tcp.h

app-layer-htp.h

detect-parse.h

InspectionBufferSetup
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1084

detect-engine-content-inspection.h

InspectionBufferApplyTransforms
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
Definition: detect-engine.c:1132

SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1362

ALPROTO_HTTP
Definition: app-layer-protos.h:30

flow-util.h

SigTableElmt_::url
const char * url
Definition: detect.h:1196

STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31

flow-var.h

DetectBufferSetActiveList
int DetectBufferSetActiveList(Signature *s, const int list)
Definition: detect-engine.c:964

InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:338

DOC_URL
#define DOC_URL
Definition: suricata.h:86

DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:880

detect-http-header-common.h

app-layer.h

DetectEngineThreadCtx_
Definition: detect.h:996

DOC_VERSION
#define DOC_VERSION
Definition: suricata.h:91

SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1187

DETECT_AL_HTTP_PROTOCOL
Definition: detect-engine-register.h:118

InspectionBuffer
Definition: detect.h:337

Flow_
Flow data structure.
Definition: flow.h:325

app-layer-parser.h

detect.h