suricata
detect-http-request-line.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Victor Julien <victor@inliniac.net>
29  *
30  * Implements support for the http_request_line keyword.
31  */
32 
33 #include "suricata-common.h"
34 #include "threads.h"
35 #include "decode.h"
36 
37 #include "detect.h"
38 #include "detect-parse.h"
39 #include "detect-engine.h"
40 #include "detect-engine-mpm.h"
41 #include "detect-engine-state.h"
42 #include "detect-engine-prefilter.h"
43 #include "detect-engine-content-inspection.h"
44 #include "detect-content.h"
45 #include "detect-pcre.h"
46 
47 #include "flow.h"
48 #include "flow-var.h"
49 #include "flow-util.h"
50 
51 #include "util-debug.h"
52 #include "util-unittest.h"
53 #include "util-unittest-helper.h"
54 #include "util-spm.h"
55 
56 #include "app-layer.h"
57 #include "app-layer-parser.h"
58 
59 #include "app-layer-htp.h"
60 #include "stream-tcp.h"
61 #include "detect-http-request-line.h"
62 
63 static int DetectHttpRequestLineSetup(DetectEngineCtx *, Signature *, const char *);
64 static void DetectHttpRequestLineRegisterTests(void);
65 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
66  const DetectEngineTransforms *transforms,
67  Flow *_f, const uint8_t _flow_flags,
68  void *txv, const int list_id);
69 static int g_http_request_line_buffer_id = 0;
70 
71 /**
72  * \brief Registers the keyword handlers for the "http_request_line" keyword.
73  */
74 void DetectHttpRequestLineRegister(void)
75 {
76  sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].name = "http_request_line";
77  sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].desc = "content modifier to match only on the HTTP request line";
78  sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-request-line";
79  sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].Match = NULL;
80  sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].Setup = DetectHttpRequestLineSetup;
81  sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].RegisterTests = DetectHttpRequestLineRegisterTests;
82 
83  sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].flags |= SIGMATCH_NOOPT;
84 
85  DetectAppLayerInspectEngineRegister2("http_request_line",
86  ALPROTO_HTTP, SIG_FLAG_TOSERVER, HTP_REQUEST_LINE,
87  DetectEngineInspectBufferGeneric,
88  GetData);
89 
90  DetectAppLayerMpmRegister2("http_request_line", SIG_FLAG_TOSERVER, 2,
91  PrefilterGenericMpmRegister, GetData,
92  ALPROTO_HTTP, HTP_REQUEST_LINE);
93 
94  DetectBufferTypeSetDescriptionByName("http_request_line",
95  "http request line");
96 
97  g_http_request_line_buffer_id = DetectBufferTypeGetByName("http_request_line");
98 }
99 
100 /**
101  * \brief The setup function for the http_request_line keyword for a signature.
102  *
103  * \param de_ctx Pointer to the detection engine context.
104  * \param s Pointer to the signature for the current Signature being
105  * parsed from the rules.
106  * \param m Pointer to the head of the SigMatch for the current rule
107  * being parsed.
108  * \param arg Pointer to the string holding the keyword value.
109  *
110  * \retval 0 On success
111  * \retval -1 On failure
112  */
113 static int DetectHttpRequestLineSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
114 {
115  DetectBufferSetActiveList(s, g_http_request_line_buffer_id);
116  s->alproto = ALPROTO_HTTP;
117  return 0;
118 }
119 
120 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
121  const DetectEngineTransforms *transforms,
122  Flow *_f, const uint8_t _flow_flags,
123  void *txv, const int list_id)
124 {
125  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
126  if (buffer->inspect == NULL) {
127  htp_tx_t *tx = (htp_tx_t *)txv;
128  if (unlikely(tx->request_line == NULL)) {
129  return NULL;
130  }
131  const uint32_t data_len = bstr_len(tx->request_line);
132  const uint8_t *data = bstr_ptr(tx->request_line);
133 
134  InspectionBufferSetup(buffer, data, data_len);
135  InspectionBufferApplyTransforms(buffer, transforms);
136  }
137  return buffer;
138 }
139 
140 /************************************Unittests*********************************/
141 
142 #ifdef UNITTESTS
143 
144 #include "stream-tcp-reassemble.h"
145 
146 /**
147  * \test Test that a signature containting a http_request_line is correctly parsed
148  * and the keyword is registered.
149  */
150 static int DetectHttpRequestLineTest01(void)
151 {
152  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
153  FAIL_IF_NULL(de_ctx);
154 
155  de_ctx->flags |= DE_QUIET;
156  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
157  "(http_request_line; content:\"GET /\"; sid:1;)");
158  FAIL_IF_NULL(de_ctx->sig_list);
159 
160  DetectEngineCtxFree(de_ctx);
161  PASS;
162 }
163 
164 
165 /**
166  *\test Test that the http_request_line content matches against a http request
167  * which holds the content.
168  */
169 static int DetectHttpRequestLineTest02(void)
170 {
171  TcpSession ssn;
172  Packet *p = NULL;
173  ThreadVars th_v;
174  DetectEngineCtx *de_ctx = NULL;
175  DetectEngineThreadCtx *det_ctx = NULL;
176  HtpState *http_state = NULL;
177  Flow f;
178  uint8_t http_buf[] =
179  "GET /index.html HTTP/1.0\r\n"
180  "Host: www.openinfosecfoundation.org\r\n"
181  "User-Agent: This is dummy message body\r\n"
182  "Content-Type: text/html\r\n"
183  "\r\n";
184  uint32_t http_len = sizeof(http_buf) - 1;
185 
186  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
187  FAIL_IF_NULL(alp_tctx);
188 
189  memset(&th_v, 0, sizeof(th_v));
190  memset(&f, 0, sizeof(f));
191  memset(&ssn, 0, sizeof(ssn));
192 
193  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
194  FAIL_IF_NULL(p);
195 
196  FLOW_INITIALIZE(&f);
197  f.protoctx = (void *)&ssn;
198  f.proto = IPPROTO_TCP;
199  f.flags |= FLOW_IPV4;
200 
201  p->flow = &f;
202  p->flowflags |= FLOW_PKT_TOSERVER;
203  p->flowflags |= FLOW_PKT_ESTABLISHED;
204  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
205  f.alproto = ALPROTO_HTTP;
206 
207  StreamTcpInitConfig(TRUE);
208 
209  de_ctx = DetectEngineCtxInit();
210  FAIL_IF_NULL(de_ctx);
211 
212  de_ctx->flags |= DE_QUIET;
213 
214  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
215  "(http_request_line; content:\"GET /index.html HTTP/1.0\"; "
216  "sid:1;)");
217  FAIL_IF_NULL(de_ctx->sig_list);
218 
219  SigGroupBuild(de_ctx);
220  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
221 
222  int r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
223  FAIL_IF(r != 0);
224 
225  http_state = f.alstate;
226  FAIL_IF_NULL(http_state);
227 
228  /* do detect */
229  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
230 
231  FAIL_IF(!(PacketAlertCheck(p, 1)));
232 
233  AppLayerParserThreadCtxFree(alp_tctx);
234  DetectEngineCtxFree(de_ctx);
235 
236  StreamTcpFreeConfig(TRUE);
237  FLOW_DESTROY(&f);
238  UTHFreePackets(&p, 1);
239  PASS;
240 }
241 
242 static int DetectHttpRequestLineWrapper(const char *sig, const int expectation)
243 {
244  TcpSession ssn;
245  Packet *p = NULL;
246  ThreadVars th_v;
247  DetectEngineCtx *de_ctx = NULL;
248  DetectEngineThreadCtx *det_ctx = NULL;
249  HtpState *http_state = NULL;
250  Flow f;
251  uint8_t http_buf[] =
252  "GET /index.html HTTP/1.0\r\n"
253  "Host: www.openinfosecfoundation.org\r\n"
254  "User-Agent: This is dummy message body\r\n"
255  "Content-Type: text/html\r\n"
256  "\r\n";
257  uint32_t http_len = sizeof(http_buf) - 1;
258 
259  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
260  FAIL_IF_NULL(alp_tctx);
261 
262  memset(&th_v, 0, sizeof(th_v));
263  memset(&f, 0, sizeof(f));
264  memset(&ssn, 0, sizeof(ssn));
265 
266  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
267  FAIL_IF_NULL(p);
268 
269  FLOW_INITIALIZE(&f);
270  f.protoctx = (void *)&ssn;
271  f.proto = IPPROTO_TCP;
272  f.flags |= FLOW_IPV4;
273 
274  p->flow = &f;
275  p->flowflags |= FLOW_PKT_TOSERVER;
276  p->flowflags |= FLOW_PKT_ESTABLISHED;
277  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
278  f.alproto = ALPROTO_HTTP;
279 
280  StreamTcpInitConfig(TRUE);
281 
282  de_ctx = DetectEngineCtxInit();
283  FAIL_IF_NULL(de_ctx);
284 
285  de_ctx->flags |= DE_QUIET;
286 
287  de_ctx->sig_list = SigInit(de_ctx, sig);
288  FAIL_IF_NULL(de_ctx->sig_list);
289  int sid = de_ctx->sig_list->id;
290 
291  SigGroupBuild(de_ctx);
292  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
293 
294  int r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
295  FAIL_IF(r != 0);
296 
297  http_state = f.alstate;
298  FAIL_IF_NULL(http_state);
299 
300  /* do detect */
301  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
302 
303  r = PacketAlertCheck(p, sid);
304  FAIL_IF_NOT(r == expectation);
305 
306  AppLayerParserThreadCtxFree(alp_tctx);
307  DetectEngineCtxFree(de_ctx);
308 
309  StreamTcpFreeConfig(TRUE);
310  FLOW_DESTROY(&f);
311  UTHFreePackets(&p, 1);
312  PASS;
313 }
314 
315 static int DetectHttpRequestLineTest03(void)
316 {
317  FAIL_IF_NOT(DetectHttpRequestLineWrapper("alert http any any -> any any (http_request_line; bsize:>10; sid:1;)", true));
318  FAIL_IF_NOT(DetectHttpRequestLineWrapper("alert http any any -> any any (http_request_line; bsize:<100; sid:2;)", true));
319  FAIL_IF_NOT(DetectHttpRequestLineWrapper("alert http any any -> any any (http_request_line; bsize:10<>100; sid:3;)", true));
320  FAIL_IF_NOT(DetectHttpRequestLineWrapper("alert http any any -> any any (http_request_line; bsize:>100; sid:3;)", false));
321  PASS;
322 }
323 
324 #endif /* UNITTESTS */
325 
326 static void DetectHttpRequestLineRegisterTests(void)
327 {
328 #ifdef UNITTESTS
329  UtRegisterTest("DetectHttpRequestLineTest01", DetectHttpRequestLineTest01);
330  UtRegisterTest("DetectHttpRequestLineTest02", DetectHttpRequestLineTest02);
331  UtRegisterTest("DetectHttpRequestLineTest03", DetectHttpRequestLineTest03);
332 #endif /* UNITTESTS */
333 
334  return;
335 }
336 /**
337  * @}
338  */
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1406
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1149
TcpSession_
Definition: stream-tcp-private.h:257
detect-content.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:443
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Flow_::proto
uint8_t proto
Definition: flow.h:343
Signature_::id
uint32_t id
Definition: detect.h:528
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:1920
DetectHttpRequestLineRegister
void DetectHttpRequestLineRegister(void)
Registers the keyword handlers for the "http_request_line" keyword.
Definition: detect-http-request-line.c:74
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:729
PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectMpmAppLayerRegistery *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:608
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:271
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:202
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:82
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2383
InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine.c:871
SigTableElmt_::name
const char * name
Definition: detect.h:1163
Signature_
Signature container.
Definition: detect.h:495
TRUE
#define TRUE
Definition: suricata-common.h:33
Flow_::protoctx
void * protoctx
Definition: flow.h:395
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:723
Flow_::alstate
void * alstate
Definition: flow.h:433
DE_QUIET
#define DE_QUIET
Definition: detect.h:296
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:698
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:724
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:115
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1892
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1743
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:241
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:183
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:437
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:262
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:200
Signature_::alproto
AppProto alproto
Definition: detect.h:499
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
Definition: app-layer-parser.c:245
DetectEngineInspectBufferGeneric
int DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1242
Packet_
Definition: decode.h:405
SigTableElmt_::desc
const char * desc
Definition: detect.h:1165
InspectionBufferSetup
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:930
detect-engine-content-inspection.h
InspectionBufferApplyTransforms
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
Definition: detect-engine.c:978
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1331
SigTableElmt_::Match
int(* Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1132
SigTableElmt_::url
const char * url
Definition: detect.h:1166
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1092
HtpState_
Definition: app-layer-htp.h:225
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
DetectBufferSetActiveList
int DetectBufferSetActiveList(Signature *s, const int list)
Definition: detect-engine.c:810
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:347
DOC_URL
#define DOC_URL
Definition: suricata.h:86
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:726
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DetectEngineThreadCtx_
Definition: detect.h:965
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:404
Packet_::flags
uint32_t flags
Definition: decode.h:441
DOC_VERSION
#define DOC_VERSION
Definition: suricata.h:91
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1157
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:1685
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
Definition: util-unittest-helper.c:393
Flow_
Flow data structure.
Definition: flow.h:324
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:93
Flow_::flags
uint32_t flags
Definition: flow.h:374
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1090
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1155
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1130
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1640
DetectAppLayerMpmRegister2
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectMpmAppLayerRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:85