suricata
detect-http-request-line.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Victor Julien <victor@inliniac.net>
29  *
30  * Implements support for the http_request_line keyword.
31  */
32 
33 #include "suricata-common.h"
34 #include "threads.h"
35 #include "decode.h"
36 
37 #include "detect.h"
38 #include "detect-parse.h"
39 #include "detect-engine.h"
40 #include "detect-engine-mpm.h"
41 #include "detect-engine-state.h"
44 #include "detect-content.h"
45 #include "detect-pcre.h"
46 
47 #include "flow.h"
48 #include "flow-var.h"
49 #include "flow-util.h"
50 
51 #include "util-debug.h"
52 #include "util-unittest.h"
53 #include "util-unittest-helper.h"
54 #include "util-spm.h"
55 
56 #include "app-layer.h"
57 #include "app-layer-parser.h"
58 
59 #include "app-layer-htp.h"
60 #include "stream-tcp.h"
62 
63 static int DetectHttpRequestLineSetup(DetectEngineCtx *, Signature *, const char *);
64 static void DetectHttpRequestLineRegisterTests(void);
65 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
66  const DetectEngineTransforms *transforms,
67  Flow *_f, const uint8_t _flow_flags,
68  void *txv, const int list_id);
69 static int g_http_request_line_buffer_id = 0;
70 
71 /**
72  * \brief Registers the keyword handlers for the "http_request_line" keyword.
73  */
75 {
76  sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].name = "http_request_line";
77  sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].desc = "content modifier to match only on the HTTP request line";
78  sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-request-line";
80  sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].Setup = DetectHttpRequestLineSetup;
81  sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].RegisterTests = DetectHttpRequestLineRegisterTests;
82 
84 
85  DetectAppLayerInspectEngineRegister2("http_request_line",
86  ALPROTO_HTTP, SIG_FLAG_TOSERVER, HTP_REQUEST_LINE,
88  GetData);
89 
90  DetectAppLayerMpmRegister2("http_request_line", SIG_FLAG_TOSERVER, 2,
92  ALPROTO_HTTP, HTP_REQUEST_LINE);
93 
94  DetectBufferTypeSetDescriptionByName("http_request_line",
95  "http request line");
96 
97  g_http_request_line_buffer_id = DetectBufferTypeGetByName("http_request_line");
98 }
99 
100 /**
101  * \brief The setup function for the http_request_line keyword for a signature.
102  *
103  * \param de_ctx Pointer to the detection engine context.
104  * \param s Pointer to the signature for the current Signature being
105  * parsed from the rules.
106  * \param m Pointer to the head of the SigMatch for the current rule
107  * being parsed.
108  * \param arg Pointer to the string holding the keyword value.
109  *
110  * \retval 0 On success
111  * \retval -1 On failure
112  */
113 static int DetectHttpRequestLineSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
114 {
115  DetectBufferSetActiveList(s, g_http_request_line_buffer_id);
116  s->alproto = ALPROTO_HTTP;
117  return 0;
118 }
119 
120 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
121  const DetectEngineTransforms *transforms,
122  Flow *_f, const uint8_t _flow_flags,
123  void *txv, const int list_id)
124 {
125  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
126  if (buffer->inspect == NULL) {
127  htp_tx_t *tx = (htp_tx_t *)txv;
128  if (unlikely(tx->request_line == NULL)) {
129  return NULL;
130  }
131  const uint32_t data_len = bstr_len(tx->request_line);
132  const uint8_t *data = bstr_ptr(tx->request_line);
133 
134  InspectionBufferSetup(buffer, data, data_len);
135  InspectionBufferApplyTransforms(buffer, transforms);
136  }
137  return buffer;
138 }
139 
140 /************************************Unittests*********************************/
141 
142 #ifdef UNITTESTS
143 
144 #include "stream-tcp-reassemble.h"
145 
146 /**
147  * \test Test that a signature containting a http_request_line is correctly parsed
148  * and the keyword is registered.
149  */
150 static int DetectHttpRequestLineTest01(void)
151 {
153  FAIL_IF_NULL(de_ctx);
154 
155  de_ctx->flags |= DE_QUIET;
156  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
157  "(http_request_line; content:\"GET /\"; sid:1;)");
158  FAIL_IF_NULL(de_ctx->sig_list);
159 
160  DetectEngineCtxFree(de_ctx);
161  PASS;
162 }
163 
164 
165 /**
166  *\test Test that the http_request_line content matches against a http request
167  * which holds the content.
168  */
169 static int DetectHttpRequestLineTest02(void)
170 {
171  TcpSession ssn;
172  Packet *p = NULL;
173  ThreadVars th_v;
174  DetectEngineCtx *de_ctx = NULL;
175  DetectEngineThreadCtx *det_ctx = NULL;
176  HtpState *http_state = NULL;
177  Flow f;
178  uint8_t http_buf[] =
179  "GET /index.html HTTP/1.0\r\n"
180  "Host: www.openinfosecfoundation.org\r\n"
181  "User-Agent: This is dummy message body\r\n"
182  "Content-Type: text/html\r\n"
183  "\r\n";
184  uint32_t http_len = sizeof(http_buf) - 1;
185 
187  FAIL_IF_NULL(alp_tctx);
188 
189  memset(&th_v, 0, sizeof(th_v));
190  memset(&f, 0, sizeof(f));
191  memset(&ssn, 0, sizeof(ssn));
192 
193  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
194  FAIL_IF_NULL(p);
195 
196  FLOW_INITIALIZE(&f);
197  f.protoctx = (void *)&ssn;
198  f.proto = IPPROTO_TCP;
199  f.flags |= FLOW_IPV4;
200 
201  p->flow = &f;
205  f.alproto = ALPROTO_HTTP;
206 
208 
209  de_ctx = DetectEngineCtxInit();
210  FAIL_IF_NULL(de_ctx);
211 
212  de_ctx->flags |= DE_QUIET;
213 
214  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
215  "(http_request_line; content:\"GET /index.html HTTP/1.0\"; "
216  "sid:1;)");
217  FAIL_IF_NULL(de_ctx->sig_list);
218 
219  SigGroupBuild(de_ctx);
220  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
221 
222  int r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
223  FAIL_IF(r != 0);
224 
225  http_state = f.alstate;
226  FAIL_IF_NULL(http_state);
227 
228  /* do detect */
229  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
230 
231  FAIL_IF(!(PacketAlertCheck(p, 1)));
232 
233  AppLayerParserThreadCtxFree(alp_tctx);
234  DetectEngineCtxFree(de_ctx);
235 
237  FLOW_DESTROY(&f);
238  UTHFreePackets(&p, 1);
239  PASS;
240 }
241 
242 static int DetectHttpRequestLineWrapper(const char *sig, const int expectation)
243 {
244  TcpSession ssn;
245  Packet *p = NULL;
246  ThreadVars th_v;
247  DetectEngineCtx *de_ctx = NULL;
248  DetectEngineThreadCtx *det_ctx = NULL;
249  HtpState *http_state = NULL;
250  Flow f;
251  uint8_t http_buf[] =
252  "GET /index.html HTTP/1.0\r\n"
253  "Host: www.openinfosecfoundation.org\r\n"
254  "User-Agent: This is dummy message body\r\n"
255  "Content-Type: text/html\r\n"
256  "\r\n";
257  uint32_t http_len = sizeof(http_buf) - 1;
258 
260  FAIL_IF_NULL(alp_tctx);
261 
262  memset(&th_v, 0, sizeof(th_v));
263  memset(&f, 0, sizeof(f));
264  memset(&ssn, 0, sizeof(ssn));
265 
266  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
267  FAIL_IF_NULL(p);
268 
269  FLOW_INITIALIZE(&f);
270  f.protoctx = (void *)&ssn;
271  f.proto = IPPROTO_TCP;
272  f.flags |= FLOW_IPV4;
273 
274  p->flow = &f;
278  f.alproto = ALPROTO_HTTP;
279 
281 
282  de_ctx = DetectEngineCtxInit();
283  FAIL_IF_NULL(de_ctx);
284 
285  de_ctx->flags |= DE_QUIET;
286 
287  de_ctx->sig_list = SigInit(de_ctx, sig);
288  FAIL_IF_NULL(de_ctx->sig_list);
289  int sid = de_ctx->sig_list->id;
290 
291  SigGroupBuild(de_ctx);
292  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
293 
294  int r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
295  FAIL_IF(r != 0);
296 
297  http_state = f.alstate;
298  FAIL_IF_NULL(http_state);
299 
300  /* do detect */
301  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
302 
303  r = PacketAlertCheck(p, sid);
304  FAIL_IF_NOT(r == expectation);
305 
306  AppLayerParserThreadCtxFree(alp_tctx);
307  DetectEngineCtxFree(de_ctx);
308 
310  FLOW_DESTROY(&f);
311  UTHFreePackets(&p, 1);
312  PASS;
313 }
314 
315 static int DetectHttpRequestLineTest03(void)
316 {
317  FAIL_IF_NOT(DetectHttpRequestLineWrapper("alert http any any -> any any (http_request_line; bsize:>10; sid:1;)", true));
318  FAIL_IF_NOT(DetectHttpRequestLineWrapper("alert http any any -> any any (http_request_line; bsize:<100; sid:2;)", true));
319  FAIL_IF_NOT(DetectHttpRequestLineWrapper("alert http any any -> any any (http_request_line; bsize:10<>100; sid:3;)", true));
320  FAIL_IF_NOT(DetectHttpRequestLineWrapper("alert http any any -> any any (http_request_line; bsize:>100; sid:3;)", false));
321  PASS;
322 }
323 
324 #endif /* UNITTESTS */
325 
326 static void DetectHttpRequestLineRegisterTests(void)
327 {
328 #ifdef UNITTESTS
329  UtRegisterTest("DetectHttpRequestLineTest01", DetectHttpRequestLineTest01);
330  UtRegisterTest("DetectHttpRequestLineTest02", DetectHttpRequestLineTest02);
331  UtRegisterTest("DetectHttpRequestLineTest03", DetectHttpRequestLineTest03);
332 #endif /* UNITTESTS */
333 
334  return;
335 }
336 /**
337  * @}
338  */
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1403
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1146
struct Flow_ * flow
Definition: decode.h:444
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
uint8_t proto
Definition: flow.h:346
uint32_t id
Definition: detect.h:525
#define PASS
Pass the test.
#define unlikely(expr)
Definition: util-optimize.h:35
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
void DetectHttpRequestLineRegister(void)
Registers the keyword handlers for the "http_request_line" keyword.
Signature * sig_list
Definition: detect.h:726
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectMpmAppLayerRegistery *mpm_reg, int list_id)
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:195
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
const char * name
Definition: detect.h:1160
Signature container.
Definition: detect.h:492
#define TRUE
void * protoctx
Definition: flow.h:398
main detection engine ctx
Definition: detect.h:720
void * alstate
Definition: flow.h:436
#define DE_QUIET
Definition: detect.h:298
int DetectBufferTypeGetByName(const char *name)
uint8_t flags
Definition: detect.h:721
Data structures and function prototypes for keeping state for the detection engine.
#define FLOW_DESTROY(f)
Definition: flow-util.h:115
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1752
#define SIG_FLAG_TOSERVER
Definition: detect.h:243
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
uint8_t flowflags
Definition: decode.h:438
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
#define FLOW_PKT_TOSERVER
Definition: flow.h:193
AppProto alproto
Definition: detect.h:496
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
int DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
const char * desc
Definition: detect.h:1162
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
#define SIGMATCH_NOOPT
Definition: detect.h:1328
int(* Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1129
const char * url
Definition: detect.h:1163
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
#define STREAM_TOSERVER
Definition: stream.h:31
#define PKT_HAS_FLOW
Definition: decode.h:1101
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
int DetectBufferSetActiveList(Signature *s, const int list)
const uint8_t * inspect
Definition: detect.h:349
#define DOC_URL
Definition: suricata.h:86
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Per thread variable structure.
Definition: threadvars.h:57
AppProto alproto
application level protocol
Definition: flow.h:407
uint32_t flags
Definition: decode.h:442
#define DOC_VERSION
Definition: suricata.h:91
uint16_t flags
Definition: detect.h:1154
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
Flow data structure.
Definition: flow.h:327
#define FLOW_IPV4
Definition: flow.h:93
uint32_t flags
Definition: flow.h:377
#define PKT_STREAM_EST
Definition: decode.h:1099
void(* RegisterTests)(void)
Definition: detect.h:1152
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
DetectEngineCtx * DetectEngineCtxInit(void)
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectMpmAppLayerRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine