suricata
detect-uricontent.c
1
/* Copyright (C) 2007-2022 Open Information Security Foundation
2
*
3
* You can copy, redistribute or modify this Program under the terms of
4
* the GNU General Public License version 2 as published by the Free
5
* Software Foundation.
6
*
7
* This program is distributed in the hope that it will be useful,
8
* but WITHOUT ANY WARRANTY; without even the implied warranty of
9
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10
* GNU General Public License for more details.
11
*
12
* You should have received a copy of the GNU General Public License
13
* version 2 along with this program; if not, write to the Free Software
14
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15
* 02110-1301, USA.
16
*/
17
18
/**
19
* \file
20
*
21
* \author Victor Julien <victor@inliniac.net>
22
* \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
23
*
24
* Simple uricontent match part of the detection engine.
25
*/
26
27
#include "
suricata-common.h
"
28
#include "
decode.h
"
29
#include "
detect.h
"
30
#include "
detect-content.h
"
31
#include "
detect-http-uri.h
"
32
#include "
detect-uricontent.h
"
33
#include "
detect-engine-mpm.h
"
34
#include "
detect-parse.h
"
35
#include "
detect-engine.h
"
36
#include "
detect-engine-state.h
"
37
#include "
flow.h
"
38
#include "
detect-flow.h
"
39
#include "
flow-var.h
"
40
#include "
flow-util.h
"
41
#include "
threads.h
"
42
43
#include "
stream-tcp.h
"
44
#include "
stream.h
"
45
#include "
app-layer.h
"
46
#include "
app-layer-parser.h
"
47
#include "
app-layer-protos.h
"
48
#include "
app-layer-htp.h
"
49
50
#include "
util-mpm.h
"
51
#include "
util-print.h
"
52
#include "
util-debug.h
"
53
#include "
util-unittest.h
"
54
#include "
util-unittest-helper.h
"
55
#include "
util-spm.h
"
56
#include "
conf.h
"
57
58
/* prototypes */
static int DetectUricontentSetup(DetectEngineCtx *de_ctx, Signature *s, const char *contentstr);
static void DetectUricontentFree(DetectEngineCtx *de_ctx, void *ptr);

/* Buffer id returned by DetectBufferTypeRegister("http_uri") when the keyword
 * is registered. It is assigned in DetectUricontentRegister() and is not read
 * anywhere else in this listing. */
static int g_http_uri_buffer_id = 0;
63
64
/**
 * \brief Register the legacy "uricontent" keyword in the signature match table
 *
 * Fills the DETECT_URICONTENT slot of sigmatch_table. The keyword has no
 * Match callback of its own: DetectUricontentSetup() hands the pattern to
 * DetectContentSetup() and DetectHttpUriSetup(), and DETECT_HTTP_URI is
 * recorded as the alternative keyword.
 */
void DetectUricontentRegister(void)
{
    /* callbacks: parsing and cleanup only, no per-packet match function */
    sigmatch_table[DETECT_URICONTENT].Setup = DetectUricontentSetup;
    sigmatch_table[DETECT_URICONTENT].Free = DetectUricontentFree;
    sigmatch_table[DETECT_URICONTENT].Match = NULL;

    /* descriptive fields */
    sigmatch_table[DETECT_URICONTENT].name = "uricontent";
    sigmatch_table[DETECT_URICONTENT].desc = "legacy keyword to match on the request URI buffer";
    sigmatch_table[DETECT_URICONTENT].url = "/rules/http-keywords.html#uricontent";

    /* parser behaviour and the keyword offered as a replacement */
    sigmatch_table[DETECT_URICONTENT].flags = (SIGMATCH_QUOTES_MANDATORY | SIGMATCH_HANDLE_NEGATION);
    sigmatch_table[DETECT_URICONTENT].alternative = DETECT_HTTP_URI;

    /* remember the id of the "http_uri" buffer type */
    g_http_uri_buffer_id = DetectBufferTypeRegister("http_uri");
}
80
81
/**
 * \brief Release the keyword data attached to a uricontent match
 *
 * The data is handled as DetectContentData: its spm_ctx is destroyed with
 * SpmDestroyCtx() and the structure itself is released with SCFree().
 *
 * \param de_ctx Detection engine context (not used by this function)
 * \param ptr Pointer to the DetectContentData to free; NULL is accepted and
 *            is a no-op
 */
void DetectUricontentFree(DetectEngineCtx *de_ctx, void *ptr)
{
    SCEnter();

    if (ptr != NULL) {
        DetectContentData *content = (DetectContentData *)ptr;

        /* the search context goes first, it is reached through the struct */
        SpmDestroyCtx(content->spm_ctx);
        SCFree(content);
    }

    SCReturn;
}
99
100
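/**
 * \brief Creates a SigMatch for the uricontent keyword being sent as argument,
 *        and appends it to the Signature(s).
 *
 * The "legacy.uricontent" configuration option is consulted first. When it
 * is present it must be "enabled" or "disabled" (compared case-insensitively):
 * "disabled" rejects the rule with a hint to use content + http_uri instead,
 * and any other value is rejected as invalid. When the option is absent the
 * keyword is accepted. The pattern is then set up with DetectContentSetup()
 * followed by DetectHttpUriSetup().
 *
 * \param de_ctx Pointer to the detection engine context
 * \param s Pointer to signature for the current Signature being parsed
 *          from the rules
 * \param contentstr Pointer to the string holding the keyword value
 *
 * \retval 0 on success, -1 on failure
 */
int DetectUricontentSetup(DetectEngineCtx *de_ctx, Signature *s, const char *contentstr)
{
    SCEnter();

    const char *legacy = NULL;
    if (ConfGet("legacy.uricontent", &legacy) == 1) {
        if (legacy == NULL) {
            /* NOTE(review): ConfGet()'s contract is not visible here. If it
             * can report success while leaving the value pointer NULL (a key
             * present without a value), the strcasecmp() calls below would
             * dereference NULL, so reject that case like any other invalid
             * setting. */
            SCLogError("Invalid value found "
                       "for legacy.uricontent - no value set. Valid values are "
                       "\"enabled\" OR \"disabled\".");
            goto error;
        } else if (strcasecmp("disabled", legacy) == 0) {
            SCLogError("uricontent deprecated.  To "
                       "use a rule with \"uricontent\", either set the "
                       "option - \"legacy.uricontent\" in the conf to "
                       "\"enabled\" OR replace uricontent with "
                       "\'content:%s; http_uri;\'.",
                    contentstr);
            goto error;
        } else if (strcasecmp("enabled", legacy) == 0) {
            ; /* explicitly enabled: continue with the normal setup */
        } else {
            SCLogError("Invalid value found "
                       "for legacy.uricontent - \"%s\".  Valid values are "
                       "\"enabled\" OR \"disabled\".",
                    legacy);
            goto error;
        }
    }

    /* uricontent is handled as a content pattern ... */
    if (DetectContentSetup(de_ctx, s, contentstr) < 0)
        goto error;

    /* ... followed by the http_uri modifier, which takes no argument here */
    if (DetectHttpUriSetup(de_ctx, s, NULL) < 0)
        goto error;

    SCReturnInt(0);
error:
    SCReturnInt(-1);
}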
SigTableElmt_::url
const char * url
Definition:
detect.h:1307
detect-content.h
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition:
detect.h:1306
sigmatch_table
SigTableElmt * sigmatch_table
Definition:
detect-parse.c:127
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition:
detect.h:1294
flow-util.h
SigTableElmt_::name
const char * name
Definition:
detect.h:1304
stream-tcp.h
threads.h
SigTableElmt_::flags
uint16_t flags
Definition:
detect.h:1298
DetectEngineCtx_
main detection engine ctx
Definition:
detect.h:841
DetectContentData_
Definition:
detect-content.h:93
DetectUricontentRegister
void DetectUricontentRegister(void)
Registration function for uricontent: keyword.
Definition:
detect-uricontent.c:67
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition:
detect.h:1289
util-unittest.h
util-unittest-helper.h
DetectHttpUriSetup
int DetectHttpUriSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
this function setups the http_uri modifier keyword used in the rule
Definition:
detect-http-uri.c:184
ConfGet
int ConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
Definition:
conf.c:335
SIGMATCH_QUOTES_MANDATORY
#define SIGMATCH_QUOTES_MANDATORY
Definition:
detect.h:1504
app-layer-htp.h
decode.h
util-debug.h
de_ctx
DetectEngineCtx * de_ctx
Definition:
fuzz_siginit.c:17
DetectContentSetup
int DetectContentSetup(DetectEngineCtx *de_ctx, Signature *s, const char *contentstr)
Function to setup a content pattern.
Definition:
detect-content.c:328
DETECT_URICONTENT
@ DETECT_URICONTENT
Definition:
detect-engine-register.h:71
util-print.h
SCEnter
#define SCEnter(...)
Definition:
util-debug.h:271
detect-engine-mpm.h
detect.h
detect-http-uri.h
SigTableElmt_::alternative
uint16_t alternative
Definition:
detect.h:1302
app-layer-parser.h
SCReturn
#define SCReturn
Definition:
util-debug.h:273
stream.h
conf.h
SIGMATCH_HANDLE_NEGATION
#define SIGMATCH_HANDLE_NEGATION
Definition:
detect.h:1508
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition:
detect.h:1272
util-mpm.h
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition:
detect-engine.c:1029
suricata-common.h
util-spm.h
detect-flow.h
DetectContentData_::spm_ctx
SpmCtx * spm_ctx
Definition:
detect-content.h:111
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition:
util-debug.h:261
SCFree
#define SCFree(p)
Definition:
util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition:
detect.h:601
app-layer-protos.h
detect-uricontent.h
flow.h
SpmDestroyCtx
void SpmDestroyCtx(SpmCtx *ctx)
Definition:
util-spm.c:183
SCReturnInt
#define SCReturnInt(x)
Definition:
util-debug.h:275
flow-var.h
DETECT_HTTP_URI
@ DETECT_HTTP_URI
Definition:
detect-engine-register.h:171
app-layer.h