22550902417

Committed 01 Mar 2026 07:32PM UTC coverage: 68.401% (-5.3%) from 73.687%

Build # 22550902417

Build Type

Pull #14922

github

Committed by

web-flow

Commit Message

github-actions: bump actions/upload-artifact from 6.0.0 to 7.0.0

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6.0.0 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v6...v7)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Pull Request Pull Request #14922: github-actions: bump actions/upload-artifact from 6.0.0 to 7.0.0

Coverage Stats

218243 of 319063 relevant lines covered (68.4%)

3284926.58 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

95.98

/src/detect-http-host.c

/* Copyright (C) 2007-2019 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \ingroup httplayer
 *
 * @{
 */


/**
 * \file
 *
 * \author Anoop Saldanha <anoopsaldanha@gmail.com>
 *
 * Implements support for the http_host keyword.
 */

#include "suricata-common.h"
#include "threads.h"
#include "decode.h"

#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-buffer.h"
#include "detect-engine-mpm.h"
#include "detect-engine-prefilter.h"
#include "detect-content.h"
#include "detect-pcre.h"

#include "flow.h"
#include "flow-var.h"
#include "flow-util.h"

#include "util-debug.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "util-spm.h"

#include "app-layer.h"
#include "app-layer-parser.h"

#include "app-layer-htp.h"
#include "stream-tcp.h"
#include "detect-http-host.h"

static int DetectHttpHHSetup(DetectEngineCtx *, Signature *, const char *);
#ifdef UNITTESTS
static void DetectHttpHHRegisterTests(void);
#endif
static bool DetectHttpHostValidateCallback(
        const Signature *s, const char **sigerror, const DetectBufferType *dbt);
static int DetectHttpHostSetup(DetectEngineCtx *, Signature *, const char *);
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms,
        Flow *_f, const uint8_t _flow_flags,
        void *txv, const int list_id);
static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
        const int list_id);
static int DetectHttpHRHSetup(DetectEngineCtx *, Signature *, const char *);
static int g_http_raw_host_buffer_id = 0;
static int DetectHttpHostRawSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str);
static InspectionBuffer *GetRawData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f,
        const uint8_t _flow_flags, void *txv, const int list_id);
static InspectionBuffer *GetRawData2(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
        const int list_id);
static int g_http_host_buffer_id = 0;

/**
 * \brief Registers the keyword handlers for the "http_host" keyword.
 */
void DetectHttpHHRegister(void)
{
    /* http_host content modifier */
    sigmatch_table[DETECT_HTTP_HOST_CM].name = "http_host";
    sigmatch_table[DETECT_HTTP_HOST_CM].desc = "content modifier to match on the HTTP hostname";
    sigmatch_table[DETECT_HTTP_HOST_CM].url =
            "/rules/http-keywords.html#http-host-and-http-raw-host";
    sigmatch_table[DETECT_HTTP_HOST_CM].Setup = DetectHttpHHSetup;
#ifdef UNITTESTS
    sigmatch_table[DETECT_HTTP_HOST_CM].RegisterTests = DetectHttpHHRegisterTests;
#endif
    sigmatch_table[DETECT_HTTP_HOST_CM].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_CONTENT_MODIFIER;
    sigmatch_table[DETECT_HTTP_HOST_CM].alternative = DETECT_HTTP_HOST;

    /* http.host sticky buffer */
    sigmatch_table[DETECT_HTTP_HOST].name = "http.host";
    sigmatch_table[DETECT_HTTP_HOST].desc = "sticky buffer to match on the HTTP Host buffer";
    sigmatch_table[DETECT_HTTP_HOST].url = "/rules/http-keywords.html#http-host-and-http-raw-host";
    sigmatch_table[DETECT_HTTP_HOST].Setup = DetectHttpHostSetup;
    sigmatch_table[DETECT_HTTP_HOST].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;

    DetectAppLayerInspectEngineRegister("http_host", ALPROTO_HTTP1, SIG_FLAG_TOSERVER,
            HTP_REQUEST_PROGRESS_HEADERS, DetectEngineInspectBufferGeneric, GetData);

    DetectAppLayerMpmRegister("http_host", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
            GetData, ALPROTO_HTTP1, HTP_REQUEST_PROGRESS_HEADERS);

    DetectAppLayerInspectEngineRegister("http_host", ALPROTO_HTTP2, SIG_FLAG_TOSERVER,
            HTTP2StateDataClient, DetectEngineInspectBufferGeneric, GetData2);

    DetectAppLayerMpmRegister("http_host", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
            GetData2, ALPROTO_HTTP2, HTTP2StateDataClient);

    DetectBufferTypeRegisterValidateCallback("http_host",
            DetectHttpHostValidateCallback);

    DetectBufferTypeSetDescriptionByName("http_host",
            "http host");

    g_http_host_buffer_id = DetectBufferTypeGetByName("http_host");

    /* http_raw_host content modifier */
    sigmatch_table[DETECT_HTTP_RAW_HOST].name = "http_raw_host";
    sigmatch_table[DETECT_HTTP_RAW_HOST].desc = "content modifier to match on the HTTP host header "
                                                "or the raw hostname from the HTTP uri";
    sigmatch_table[DETECT_HTTP_RAW_HOST].url =
            "/rules/http-keywords.html#http-host-and-http-raw-host";
    sigmatch_table[DETECT_HTTP_RAW_HOST].Setup = DetectHttpHRHSetup;
    sigmatch_table[DETECT_HTTP_RAW_HOST].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_CONTENT_MODIFIER;
    sigmatch_table[DETECT_HTTP_RAW_HOST].alternative = DETECT_HTTP_HOST_RAW;

    /* http.host sticky buffer */
    sigmatch_table[DETECT_HTTP_HOST_RAW].name = "http.host.raw";
    sigmatch_table[DETECT_HTTP_HOST_RAW].desc = "sticky buffer to match on the HTTP host header or the raw hostname from the HTTP uri";
    sigmatch_table[DETECT_HTTP_HOST_RAW].url = "/rules/http-keywords.html#http-host-and-http-raw-host";
    sigmatch_table[DETECT_HTTP_HOST_RAW].Setup = DetectHttpHostRawSetupSticky;
    sigmatch_table[DETECT_HTTP_HOST_RAW].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;

    DetectAppLayerInspectEngineRegister("http_raw_host", ALPROTO_HTTP1, SIG_FLAG_TOSERVER,
            HTP_REQUEST_PROGRESS_HEADERS, DetectEngineInspectBufferGeneric, GetRawData);

    DetectAppLayerMpmRegister("http_raw_host", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
            GetRawData, ALPROTO_HTTP1, HTP_REQUEST_PROGRESS_HEADERS);

    DetectAppLayerInspectEngineRegister("http_raw_host", ALPROTO_HTTP2, SIG_FLAG_TOSERVER,
            HTTP2StateDataClient, DetectEngineInspectBufferGeneric, GetRawData2);

    DetectAppLayerMpmRegister("http_raw_host", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
            GetRawData2, ALPROTO_HTTP2, HTTP2StateDataClient);

    DetectBufferTypeSetDescriptionByName("http_raw_host",
            "http raw host header");

    g_http_raw_host_buffer_id = DetectBufferTypeGetByName("http_raw_host");
}

/**
 * \brief The setup function for the http_host keyword for a signature.
 *
 * \param de_ctx Pointer to the detection engine context.
 * \param s      Pointer to the signature for the current Signature being
 *               parsed from the rules.
 * \param m      Pointer to the head of the SigMatch for the current rule
 *               being parsed.
 * \param arg    Pointer to the string holding the keyword value.
 *
 * \retval  0 On success
 * \retval -1 On failure
 */
static int DetectHttpHHSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
    return DetectEngineContentModifierBufferSetup(
            de_ctx, s, arg, DETECT_HTTP_HOST_CM, g_http_host_buffer_id, ALPROTO_HTTP1);
}

static bool DetectHttpHostValidateCallback(
        const Signature *s, const char **sigerror, const DetectBufferType *dbt)
{
    for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
        if (s->init_data->buffers[x].id != (uint32_t)dbt->id)
            continue;
        const SigMatch *sm = s->init_data->buffers[x].head;
        for (; sm != NULL; sm = sm->next) {
            if (sm->type == DETECT_CONTENT) {
                DetectContentData *cd = (DetectContentData *)sm->ctx;
                if (cd->flags & DETECT_CONTENT_NOCASE) {
                    *sigerror = "http.host keyword "
                                "specified along with \"nocase\". "
                                "The hostname buffer is normalized "
                                "to lowercase, specifying "
                                "nocase is redundant.";
                    SCLogWarning("rule %u: %s", s->id, *sigerror);
                    return false;
                } else {
                    uint32_t u;
                    for (u = 0; u < cd->content_len; u++) {
                        if (isupper(cd->content[u]))
                            break;
                    }
                    if (u != cd->content_len) {
                        *sigerror = "A pattern with "
                                    "uppercase characters detected for http.host. "
                                    "The hostname buffer is normalized to lowercase, "
                                    "please specify a lowercase pattern.";
                        SCLogWarning("rule %u: %s", s->id, *sigerror);
                        return false;
                    }
                }
            }
        }
    }

    return true;
}

/**
 * \brief this function setup the http.host keyword used in the rule
 *
 * \param de_ctx   Pointer to the Detection Engine Context
 * \param s        Pointer to the Signature to which the current keyword belongs
 * \param str      Should hold an empty string always
 *
 * \retval 0       On success
 */
static int DetectHttpHostSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
    if (SCDetectBufferSetActiveList(de_ctx, s, g_http_host_buffer_id) < 0)
        return -1;
    if (SCDetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)
        return -1;
    return 0;
}

static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f,
        const uint8_t _flow_flags, void *txv, const int list_id)
{
    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
    if (buffer->inspect == NULL) {
        htp_tx_t *tx = (htp_tx_t *)txv;

        if (htp_tx_request_hostname(tx) == NULL)
            return NULL;

        const uint32_t data_len = (uint32_t)bstr_len(htp_tx_request_hostname(tx));
        const uint8_t *data = bstr_ptr(htp_tx_request_hostname(tx));

        InspectionBufferSetupAndApplyTransforms(
                det_ctx, list_id, buffer, data, data_len, transforms);
    }

    return buffer;
}

static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
        const int list_id)
{
    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
    if (buffer->inspect == NULL) {
        uint32_t b_len = 0;
        const uint8_t *b = NULL;

        if (SCHttp2TxGetHostNorm(txv, &b, &b_len) != 1)
            return NULL;
        if (b == NULL || b_len == 0)
            return NULL;

        InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
    }

    return buffer;
}

static InspectionBuffer *GetRawData2(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
        const int list_id)
{
    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
    if (buffer->inspect == NULL) {
        uint32_t b_len = 0;
        const uint8_t *b = NULL;

        if (SCHttp2TxGetHost(txv, &b, &b_len) != 1)
            return NULL;
        if (b == NULL || b_len == 0)
            return NULL;

        InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
    }

    return buffer;
}

/**
 * \brief The setup function for the http_raw_host keyword for a signature.
 *
 * \param de_ctx Pointer to the detection engine context.
 * \param s      Pointer to the signature for the current Signature being
 *               parsed from the rules.
 * \param m      Pointer to the head of the SigMatch for the current rule
 *               being parsed.
 * \param arg    Pointer to the string holding the keyword value.
 *
 * \retval  0 On success
 * \retval -1 On failure
 */
int DetectHttpHRHSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
    return DetectEngineContentModifierBufferSetup(
            de_ctx, s, arg, DETECT_HTTP_RAW_HOST, g_http_raw_host_buffer_id, ALPROTO_HTTP1);
}

/**
 * \brief this function setup the http.host keyword used in the rule
 *
 * \param de_ctx   Pointer to the Detection Engine Context
 * \param s        Pointer to the Signature to which the current keyword belongs
 * \param str      Should hold an empty string always
 *
 * \retval 0       On success
 */
static int DetectHttpHostRawSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
    if (SCDetectBufferSetActiveList(de_ctx, s, g_http_raw_host_buffer_id) < 0)
        return -1;
    if (SCDetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)
        return -1;
    return 0;
}

static InspectionBuffer *GetRawData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f,
        const uint8_t _flow_flags, void *txv, const int list_id)
{
    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
    if (buffer->inspect == NULL) {
        htp_tx_t *tx = (htp_tx_t *)txv;

        const uint8_t *data = NULL;
        uint32_t data_len = 0;

        if (htp_uri_hostname(htp_tx_parsed_uri(tx)) == NULL) {
            if (htp_tx_request_headers(tx) == NULL)
                return NULL;

            const htp_header_t *h = htp_tx_request_header(tx, "Host");
            if (h == NULL || htp_header_value(h) == NULL)
                return NULL;

            data = htp_header_value_ptr(h);
            data_len = (uint32_t)htp_header_value_len(h);
        } else {
            data = (const uint8_t *)bstr_ptr(htp_uri_hostname(htp_tx_parsed_uri(tx)));
            data_len = (uint32_t)bstr_len(htp_uri_hostname(htp_tx_parsed_uri(tx)));
        }

        InspectionBufferSetupAndApplyTransforms(
                det_ctx, list_id, buffer, data, data_len, transforms);
    }

    return buffer;
}

/************************************Unittests*********************************/

#ifdef UNITTESTS
#include "tests/detect-http-host.c"
#endif /* UNITTESTS */

/**
 * @}
 */

1	/* Copyright (C) 2007-2019 Open Information Security Foundation
2	*
3	* You can copy, redistribute or modify this Program under the terms of
4	* the GNU General Public License version 2 as published by the Free
5	* Software Foundation.
6	*
7	* This program is distributed in the hope that it will be useful,
8	* but WITHOUT ANY WARRANTY; without even the implied warranty of
9	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10	* GNU General Public License for more details.
11	*
12	* You should have received a copy of the GNU General Public License
13	* version 2 along with this program; if not, write to the Free Software
14	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15	* 02110-1301, USA.
16	*/
17
18	/**
19	* \ingroup httplayer
20	*
21	* @{
22	*/
23
24
25	/**
26	* \file
27	*
28	* \author Anoop Saldanha <anoopsaldanha@gmail.com>
29	*
30	* Implements support for the http_host keyword.
31	*/
32
33	#include "suricata-common.h"
34	#include "threads.h"
35	#include "decode.h"
36
37	#include "detect.h"
38	#include "detect-parse.h"
39	#include "detect-engine.h"
40	#include "detect-engine-buffer.h"
41	#include "detect-engine-mpm.h"
42	#include "detect-engine-prefilter.h"
43	#include "detect-content.h"
44	#include "detect-pcre.h"
45
46	#include "flow.h"
47	#include "flow-var.h"
48	#include "flow-util.h"
49
50	#include "util-debug.h"
51	#include "util-unittest.h"
52	#include "util-unittest-helper.h"
53	#include "util-spm.h"
54
55	#include "app-layer.h"
56	#include "app-layer-parser.h"
57
58	#include "app-layer-htp.h"
59	#include "stream-tcp.h"
60	#include "detect-http-host.h"
61
62	static int DetectHttpHHSetup(DetectEngineCtx , Signature , const char *);
63	#ifdef UNITTESTS
64	static void DetectHttpHHRegisterTests(void);
65	#endif
66	static bool DetectHttpHostValidateCallback(
67	const Signature s, const char sigerror, const DetectBufferType dbt);
68	static int DetectHttpHostSetup(DetectEngineCtx , Signature , const char *);
69	static InspectionBuffer GetData(DetectEngineThreadCtx det_ctx,
70	const DetectEngineTransforms *transforms,
71	Flow *_f, const uint8_t _flow_flags,
72	void *txv, const int list_id);
73	static InspectionBuffer GetData2(DetectEngineThreadCtx det_ctx,
74	const DetectEngineTransforms transforms, Flow _f, const uint8_t _flow_flags, void *txv,
75	const int list_id);
76	static int DetectHttpHRHSetup(DetectEngineCtx , Signature , const char *);
77	static int g_http_raw_host_buffer_id = 0;
78	static int DetectHttpHostRawSetupSticky(DetectEngineCtx de_ctx, Signature s, const char *str);
79	static InspectionBuffer GetRawData(DetectEngineThreadCtx det_ctx,
80	const DetectEngineTransforms transforms, Flow _f,
81	const uint8_t _flow_flags, void *txv, const int list_id);
82	static InspectionBuffer GetRawData2(DetectEngineThreadCtx det_ctx,
83	const DetectEngineTransforms transforms, Flow _f, const uint8_t _flow_flags, void *txv,
84	const int list_id);
85	static int g_http_host_buffer_id = 0;
86
87	/**
88	* \brief Registers the keyword handlers for the "http_host" keyword.
89	*/
90	void DetectHttpHHRegister(void)
91	{	37✔
92	/* http_host content modifier */
93	sigmatch_table[DETECT_HTTP_HOST_CM].name = "http_host";	37✔
94	sigmatch_table[DETECT_HTTP_HOST_CM].desc = "content modifier to match on the HTTP hostname";	37✔
95	sigmatch_table[DETECT_HTTP_HOST_CM].url =	37✔
96	"/rules/http-keywords.html#http-host-and-http-raw-host";	37✔
97	sigmatch_table[DETECT_HTTP_HOST_CM].Setup = DetectHttpHHSetup;	37✔
98	#ifdef UNITTESTS	3✔
99	sigmatch_table[DETECT_HTTP_HOST_CM].RegisterTests = DetectHttpHHRegisterTests;	3✔
100	#endif	3✔
101	sigmatch_table[DETECT_HTTP_HOST_CM].flags \|= SIGMATCH_NOOPT \| SIGMATCH_INFO_CONTENT_MODIFIER;	37✔
102	sigmatch_table[DETECT_HTTP_HOST_CM].alternative = DETECT_HTTP_HOST;	37✔
103
104	/* http.host sticky buffer */
105	sigmatch_table[DETECT_HTTP_HOST].name = "http.host";	37✔
106	sigmatch_table[DETECT_HTTP_HOST].desc = "sticky buffer to match on the HTTP Host buffer";	37✔
107	sigmatch_table[DETECT_HTTP_HOST].url = "/rules/http-keywords.html#http-host-and-http-raw-host";	37✔
108	sigmatch_table[DETECT_HTTP_HOST].Setup = DetectHttpHostSetup;	37✔
109	sigmatch_table[DETECT_HTTP_HOST].flags \|= SIGMATCH_NOOPT\|SIGMATCH_INFO_STICKY_BUFFER;	37✔
110
111	DetectAppLayerInspectEngineRegister("http_host", ALPROTO_HTTP1, SIG_FLAG_TOSERVER,	37✔
112	HTP_REQUEST_PROGRESS_HEADERS, DetectEngineInspectBufferGeneric, GetData);	37✔
113
114	DetectAppLayerMpmRegister("http_host", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,	37✔
115	GetData, ALPROTO_HTTP1, HTP_REQUEST_PROGRESS_HEADERS);	37✔
116
117	DetectAppLayerInspectEngineRegister("http_host", ALPROTO_HTTP2, SIG_FLAG_TOSERVER,	37✔
118	HTTP2StateDataClient, DetectEngineInspectBufferGeneric, GetData2);	37✔
119
120	DetectAppLayerMpmRegister("http_host", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,	37✔
121	GetData2, ALPROTO_HTTP2, HTTP2StateDataClient);	37✔
122
123	DetectBufferTypeRegisterValidateCallback("http_host",	37✔
124	DetectHttpHostValidateCallback);	37✔
125
126	DetectBufferTypeSetDescriptionByName("http_host",	37✔
127	"http host");	37✔
128
129	g_http_host_buffer_id = DetectBufferTypeGetByName("http_host");	37✔
130
131	/* http_raw_host content modifier */
132	sigmatch_table[DETECT_HTTP_RAW_HOST].name = "http_raw_host";	37✔
133	sigmatch_table[DETECT_HTTP_RAW_HOST].desc = "content modifier to match on the HTTP host header "	37✔
134	"or the raw hostname from the HTTP uri";	37✔
135	sigmatch_table[DETECT_HTTP_RAW_HOST].url =	37✔
136	"/rules/http-keywords.html#http-host-and-http-raw-host";	37✔
137	sigmatch_table[DETECT_HTTP_RAW_HOST].Setup = DetectHttpHRHSetup;	37✔
138	sigmatch_table[DETECT_HTTP_RAW_HOST].flags \|= SIGMATCH_NOOPT \| SIGMATCH_INFO_CONTENT_MODIFIER;	37✔
139	sigmatch_table[DETECT_HTTP_RAW_HOST].alternative = DETECT_HTTP_HOST_RAW;	37✔
140
141	/* http.host sticky buffer */
142	sigmatch_table[DETECT_HTTP_HOST_RAW].name = "http.host.raw";	37✔
143	sigmatch_table[DETECT_HTTP_HOST_RAW].desc = "sticky buffer to match on the HTTP host header or the raw hostname from the HTTP uri";	37✔
144	sigmatch_table[DETECT_HTTP_HOST_RAW].url = "/rules/http-keywords.html#http-host-and-http-raw-host";	37✔
145	sigmatch_table[DETECT_HTTP_HOST_RAW].Setup = DetectHttpHostRawSetupSticky;	37✔
146	sigmatch_table[DETECT_HTTP_HOST_RAW].flags \|= SIGMATCH_NOOPT\|SIGMATCH_INFO_STICKY_BUFFER;	37✔
147
148	DetectAppLayerInspectEngineRegister("http_raw_host", ALPROTO_HTTP1, SIG_FLAG_TOSERVER,	37✔
149	HTP_REQUEST_PROGRESS_HEADERS, DetectEngineInspectBufferGeneric, GetRawData);	37✔
150
151	DetectAppLayerMpmRegister("http_raw_host", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,	37✔
152	GetRawData, ALPROTO_HTTP1, HTP_REQUEST_PROGRESS_HEADERS);	37✔
153
154	DetectAppLayerInspectEngineRegister("http_raw_host", ALPROTO_HTTP2, SIG_FLAG_TOSERVER,	37✔
155	HTTP2StateDataClient, DetectEngineInspectBufferGeneric, GetRawData2);	37✔
156
157	DetectAppLayerMpmRegister("http_raw_host", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,	37✔
158	GetRawData2, ALPROTO_HTTP2, HTTP2StateDataClient);	37✔
159
160	DetectBufferTypeSetDescriptionByName("http_raw_host",	37✔
161	"http raw host header");	37✔
162
163	g_http_raw_host_buffer_id = DetectBufferTypeGetByName("http_raw_host");	37✔
164	}	37✔
165
166	/**
167	* \brief The setup function for the http_host keyword for a signature.
168	*
169	* \param de_ctx Pointer to the detection engine context.
170	* \param s Pointer to the signature for the current Signature being
171	* parsed from the rules.
172	* \param m Pointer to the head of the SigMatch for the current rule
173	* being parsed.
174	* \param arg Pointer to the string holding the keyword value.
175	*
176	* \retval 0 On success
177	* \retval -1 On failure
178	*/
179	static int DetectHttpHHSetup(DetectEngineCtx de_ctx, Signature s, const char *arg)
180	{	96✔
181	return DetectEngineContentModifierBufferSetup(	96✔
182	de_ctx, s, arg, DETECT_HTTP_HOST_CM, g_http_host_buffer_id, ALPROTO_HTTP1);	96✔
183	}	96✔
184
185	static bool DetectHttpHostValidateCallback(
186	const Signature s, const char sigerror, const DetectBufferType dbt)
187	{	3,056✔
188	for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {	8,512✔
189	if (s->init_data->buffers[x].id != (uint32_t)dbt->id)	5,458✔
190	continue;	2,402✔
191	const SigMatch *sm = s->init_data->buffers[x].head;	3,056✔
192	for (; sm != NULL; sm = sm->next) {	6,674✔
193	if (sm->type == DETECT_CONTENT) {	3,620✔
194	DetectContentData cd = (DetectContentData )sm->ctx;	3,137✔
195	if (cd->flags & DETECT_CONTENT_NOCASE) {	3,137✔
196	*sigerror = "http.host keyword "	1✔
197	"specified along with \"nocase\". "	1✔
198	"The hostname buffer is normalized "	1✔
199	"to lowercase, specifying "	1✔
200	"nocase is redundant.";	1✔
201	SCLogWarning("rule %u: %s", s->id, *sigerror);	1✔
202	return false;	1✔
203	} else {	3,136✔
204	uint32_t u;	3,136✔
205	for (u = 0; u < cd->content_len; u++) {	43,523✔
206	if (isupper(cd->content[u]))	40,388✔
207	break;	1✔
208	}	40,388✔
209	if (u != cd->content_len) {	3,136✔
210	*sigerror = "A pattern with "	1✔
211	"uppercase characters detected for http.host. "	1✔
212	"The hostname buffer is normalized to lowercase, "	1✔
213	"please specify a lowercase pattern.";	1✔
214	SCLogWarning("rule %u: %s", s->id, *sigerror);	1✔
215	return false;	1✔
216	}	1✔
217	}	3,136✔
218	}	3,137✔
219	}	3,620✔
220	}	3,056✔
221
222	return true;	3,054✔
223	}	3,056✔
224
225	/**
226	* \brief this function setup the http.host keyword used in the rule
227	*
228	* \param de_ctx Pointer to the Detection Engine Context
229	* \param s Pointer to the Signature to which the current keyword belongs
230	* \param str Should hold an empty string always
231	*
232	* \retval 0 On success
233	*/
234	static int DetectHttpHostSetup(DetectEngineCtx de_ctx, Signature s, const char *str)
235	{	3,024✔
236	if (SCDetectBufferSetActiveList(de_ctx, s, g_http_host_buffer_id) < 0)	3,024✔
237	return -1;	×
238	if (SCDetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)	3,024✔
239	return -1;	×
240	return 0;	3,024✔
241	}	3,024✔
242
243	static InspectionBuffer GetData(DetectEngineThreadCtx det_ctx,
244	const DetectEngineTransforms transforms, Flow _f,
245	const uint8_t _flow_flags, void *txv, const int list_id)
246	{	5,163✔
247	InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);	5,163✔
248	if (buffer->inspect == NULL) {	5,163✔
249	htp_tx_t tx = (htp_tx_t )txv;	4,968✔
250
251	if (htp_tx_request_hostname(tx) == NULL)	4,968✔
252	return NULL;	375✔
253
254	const uint32_t data_len = (uint32_t)bstr_len(htp_tx_request_hostname(tx));	4,593✔
255	const uint8_t *data = bstr_ptr(htp_tx_request_hostname(tx));	4,593✔
256
257	InspectionBufferSetupAndApplyTransforms(	4,593✔
258	det_ctx, list_id, buffer, data, data_len, transforms);	4,593✔
259	}	4,593✔
260
261	return buffer;	4,788✔
262	}	5,163✔
263
264	static InspectionBuffer GetData2(DetectEngineThreadCtx det_ctx,
265	const DetectEngineTransforms transforms, Flow _f, const uint8_t _flow_flags, void *txv,
266	const int list_id)
267	{	340✔
268	InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);	340✔
269	if (buffer->inspect == NULL) {	340✔
270	uint32_t b_len = 0;	336✔
271	const uint8_t *b = NULL;	336✔
272
273	if (SCHttp2TxGetHostNorm(txv, &b, &b_len) != 1)	336✔
274	return NULL;	198✔
275	if (b == NULL \|\| b_len == 0)	138✔
276	return NULL;	×
277
278	InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);	138✔
279	}	138✔
280
281	return buffer;	142✔
282	}	340✔
283
284	static InspectionBuffer GetRawData2(DetectEngineThreadCtx det_ctx,
285	const DetectEngineTransforms transforms, Flow _f, const uint8_t _flow_flags, void *txv,
286	const int list_id)
287	{	28✔
288	InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);	28✔
289	if (buffer->inspect == NULL) {	28✔
290	uint32_t b_len = 0;	28✔
291	const uint8_t *b = NULL;	28✔
292
293	if (SCHttp2TxGetHost(txv, &b, &b_len) != 1)	28✔
294	return NULL;	19✔
295	if (b == NULL \|\| b_len == 0)	9✔
296	return NULL;	×
297
298	InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);	9✔
299	}	9✔
300
301	return buffer;	9✔
302	}	28✔
303
304	/**
305	* \brief The setup function for the http_raw_host keyword for a signature.
306	*
307	* \param de_ctx Pointer to the detection engine context.
308	* \param s Pointer to the signature for the current Signature being
309	* parsed from the rules.
310	* \param m Pointer to the head of the SigMatch for the current rule
311	* being parsed.
312	* \param arg Pointer to the string holding the keyword value.
313	*
314	* \retval 0 On success
315	* \retval -1 On failure
316	*/
317	int DetectHttpHRHSetup(DetectEngineCtx de_ctx, Signature s, const char *arg)
318	{	91✔
319	return DetectEngineContentModifierBufferSetup(	91✔
320	de_ctx, s, arg, DETECT_HTTP_RAW_HOST, g_http_raw_host_buffer_id, ALPROTO_HTTP1);	91✔
321	}	91✔
322
323	/**
324	* \brief this function setup the http.host keyword used in the rule
325	*
326	* \param de_ctx Pointer to the Detection Engine Context
327	* \param s Pointer to the Signature to which the current keyword belongs
328	* \param str Should hold an empty string always
329	*
330	* \retval 0 On success
331	*/
332	static int DetectHttpHostRawSetupSticky(DetectEngineCtx de_ctx, Signature s, const char *str)
333	{	18✔
334	if (SCDetectBufferSetActiveList(de_ctx, s, g_http_raw_host_buffer_id) < 0)	18✔
335	return -1;	×
336	if (SCDetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)	18✔
337	return -1;	×
338	return 0;	18✔
339	}	18✔
340
341	static InspectionBuffer GetRawData(DetectEngineThreadCtx det_ctx,
342	const DetectEngineTransforms transforms, Flow _f,
343	const uint8_t _flow_flags, void *txv, const int list_id)
344	{	319✔
345	InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);	319✔
346	if (buffer->inspect == NULL) {	319✔
347	htp_tx_t tx = (htp_tx_t )txv;	291✔
348
349	const uint8_t *data = NULL;	291✔
350	uint32_t data_len = 0;	291✔
351
352	if (htp_uri_hostname(htp_tx_parsed_uri(tx)) == NULL) {	291✔
353	if (htp_tx_request_headers(tx) == NULL)	273✔
354	return NULL;	×
355
356	const htp_header_t *h = htp_tx_request_header(tx, "Host");	273✔
357	if (h == NULL \|\| htp_header_value(h) == NULL)	273✔
358	return NULL;	69✔
359
360	data = htp_header_value_ptr(h);	204✔
361	data_len = (uint32_t)htp_header_value_len(h);	204✔
362	} else {	204✔
363	data = (const uint8_t *)bstr_ptr(htp_uri_hostname(htp_tx_parsed_uri(tx)));	18✔
364	data_len = (uint32_t)bstr_len(htp_uri_hostname(htp_tx_parsed_uri(tx)));	18✔
365	}	18✔
366
367	InspectionBufferSetupAndApplyTransforms(	222✔
368	det_ctx, list_id, buffer, data, data_len, transforms);	222✔
369	}	222✔
370
371	return buffer;	250✔
372	}	319✔
373
374	/**********************************Unittests*******************************/
375
376	#ifdef UNITTESTS
377	#include "tests/detect-http-host.c"
378	#endif /* UNITTESTS */
379
380	/**
381	* @}
382	*/

OISF / suricata / 22550902417

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous