23019292042

Committed 12 Mar 2026 07:08PM UTC coverage: 79.245% (-0.004%) from 79.249%

Build # 23019292042

Build Type

push

github

Committed by

jasonish

Commit Message

github-ci: add schema ordering check for yaml schema

Run Details

266163 of 335873 relevant lines covered (79.25%)

4877167.7 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

97.83

/src/detect-http-host.c

/* Copyright (C) 2007-2019 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \ingroup httplayer
 *
 * @{
 */


/**
 * \file
 *
 * \author Anoop Saldanha <anoopsaldanha@gmail.com>
 *
 * Implements support for the http_host keyword.
 */

#include "suricata-common.h"
#include "threads.h"
#include "decode.h"

#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-buffer.h"
#include "detect-engine-mpm.h"
#include "detect-engine-prefilter.h"
#include "detect-content.h"
#include "detect-pcre.h"

#include "flow.h"
#include "flow-var.h"
#include "flow-util.h"

#include "util-debug.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "util-spm.h"

#include "app-layer.h"
#include "app-layer-parser.h"

#include "app-layer-htp.h"
#include "stream-tcp.h"
#include "detect-http-host.h"

static int DetectHttpHHSetup(DetectEngineCtx *, Signature *, const char *);
#ifdef UNITTESTS
static void DetectHttpHHRegisterTests(void);
#endif
static bool DetectHttpHostValidateCallback(
        const Signature *s, const char **sigerror, const DetectBufferType *dbt);
static int DetectHttpHostSetup(DetectEngineCtx *, Signature *, const char *);
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms,
        Flow *_f, const uint8_t _flow_flags,
        void *txv, const int list_id);
static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
        const int list_id);
static int DetectHttpHRHSetup(DetectEngineCtx *, Signature *, const char *);
static int g_http_raw_host_buffer_id = 0;
static int DetectHttpHostRawSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str);
static InspectionBuffer *GetRawData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f,
        const uint8_t _flow_flags, void *txv, const int list_id);
static InspectionBuffer *GetRawData2(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
        const int list_id);
static int g_http_host_buffer_id = 0;
static int g_http2_thread_id = 0;
static int g_http2_raw_thread_id = 0;

/**
 * \brief Registers the keyword handlers for the "http_host" keyword.
 */
void DetectHttpHHRegister(void)
{
    /* http_host content modifier */
    sigmatch_table[DETECT_HTTP_HOST_CM].name = "http_host";
    sigmatch_table[DETECT_HTTP_HOST_CM].desc = "content modifier to match on the HTTP hostname";
    sigmatch_table[DETECT_HTTP_HOST_CM].url =
            "/rules/http-keywords.html#http-host-and-http-raw-host";
    sigmatch_table[DETECT_HTTP_HOST_CM].Setup = DetectHttpHHSetup;
#ifdef UNITTESTS
    sigmatch_table[DETECT_HTTP_HOST_CM].RegisterTests = DetectHttpHHRegisterTests;
#endif
    sigmatch_table[DETECT_HTTP_HOST_CM].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_CONTENT_MODIFIER;
    sigmatch_table[DETECT_HTTP_HOST_CM].alternative = DETECT_HTTP_HOST;

    /* http.host sticky buffer */
    sigmatch_table[DETECT_HTTP_HOST].name = "http.host";
    sigmatch_table[DETECT_HTTP_HOST].desc = "sticky buffer to match on the HTTP Host buffer";
    sigmatch_table[DETECT_HTTP_HOST].url = "/rules/http-keywords.html#http-host-and-http-raw-host";
    sigmatch_table[DETECT_HTTP_HOST].Setup = DetectHttpHostSetup;
    sigmatch_table[DETECT_HTTP_HOST].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;

    DetectAppLayerInspectEngineRegister("http_host", ALPROTO_HTTP1, SIG_FLAG_TOSERVER,
            HTP_REQUEST_PROGRESS_HEADERS, DetectEngineInspectBufferGeneric, GetData);

    DetectAppLayerMpmRegister("http_host", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
            GetData, ALPROTO_HTTP1, HTP_REQUEST_PROGRESS_HEADERS);

    DetectAppLayerInspectEngineRegister("http_host", ALPROTO_HTTP2, SIG_FLAG_TOSERVER,
            HTTP2StateDataClient, DetectEngineInspectBufferGeneric, GetData2);

    DetectAppLayerMpmRegister("http_host", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
            GetData2, ALPROTO_HTTP2, HTTP2StateDataClient);

    DetectBufferTypeRegisterValidateCallback("http_host",
            DetectHttpHostValidateCallback);

    DetectBufferTypeSetDescriptionByName("http_host",
            "http host");

    g_http2_thread_id = DetectRegisterThreadCtxGlobalFuncs(
            "http_host", SCHttp2ThreadBufDataInit, NULL, SCHttp2ThreadBufDataFree);

    g_http_host_buffer_id = DetectBufferTypeGetByName("http_host");

    /* http_raw_host content modifier */
    sigmatch_table[DETECT_HTTP_RAW_HOST].name = "http_raw_host";
    sigmatch_table[DETECT_HTTP_RAW_HOST].desc = "content modifier to match on the HTTP host header "
                                                "or the raw hostname from the HTTP uri";
    sigmatch_table[DETECT_HTTP_RAW_HOST].url =
            "/rules/http-keywords.html#http-host-and-http-raw-host";
    sigmatch_table[DETECT_HTTP_RAW_HOST].Setup = DetectHttpHRHSetup;
    sigmatch_table[DETECT_HTTP_RAW_HOST].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_CONTENT_MODIFIER;
    sigmatch_table[DETECT_HTTP_RAW_HOST].alternative = DETECT_HTTP_HOST_RAW;

    /* http.host sticky buffer */
    sigmatch_table[DETECT_HTTP_HOST_RAW].name = "http.host.raw";
    sigmatch_table[DETECT_HTTP_HOST_RAW].desc = "sticky buffer to match on the HTTP host header or the raw hostname from the HTTP uri";
    sigmatch_table[DETECT_HTTP_HOST_RAW].url = "/rules/http-keywords.html#http-host-and-http-raw-host";
    sigmatch_table[DETECT_HTTP_HOST_RAW].Setup = DetectHttpHostRawSetupSticky;
    sigmatch_table[DETECT_HTTP_HOST_RAW].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;

    DetectAppLayerInspectEngineRegister("http_raw_host", ALPROTO_HTTP1, SIG_FLAG_TOSERVER,
            HTP_REQUEST_PROGRESS_HEADERS, DetectEngineInspectBufferGeneric, GetRawData);

    DetectAppLayerMpmRegister("http_raw_host", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
            GetRawData, ALPROTO_HTTP1, HTP_REQUEST_PROGRESS_HEADERS);

    DetectAppLayerInspectEngineRegister("http_raw_host", ALPROTO_HTTP2, SIG_FLAG_TOSERVER,
            HTTP2StateDataClient, DetectEngineInspectBufferGeneric, GetRawData2);

    DetectAppLayerMpmRegister("http_raw_host", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
            GetRawData2, ALPROTO_HTTP2, HTTP2StateDataClient);

    DetectBufferTypeSetDescriptionByName("http_raw_host",
            "http raw host header");

    g_http2_raw_thread_id = DetectRegisterThreadCtxGlobalFuncs(
            "http_raw_host", SCHttp2ThreadBufDataInit, NULL, SCHttp2ThreadBufDataFree);

    g_http_raw_host_buffer_id = DetectBufferTypeGetByName("http_raw_host");
}

/**
 * \brief The setup function for the http_host keyword for a signature.
 *
 * \param de_ctx Pointer to the detection engine context.
 * \param s      Pointer to the signature for the current Signature being
 *               parsed from the rules.
 * \param m      Pointer to the head of the SigMatch for the current rule
 *               being parsed.
 * \param arg    Pointer to the string holding the keyword value.
 *
 * \retval  0 On success
 * \retval -1 On failure
 */
static int DetectHttpHHSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
    return DetectEngineContentModifierBufferSetup(
            de_ctx, s, arg, DETECT_HTTP_HOST_CM, g_http_host_buffer_id, ALPROTO_HTTP1);
}

static bool DetectHttpHostValidateCallback(
        const Signature *s, const char **sigerror, const DetectBufferType *dbt)
{
    for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
        if (s->init_data->buffers[x].id != (uint32_t)dbt->id)
            continue;
        const SigMatch *sm = s->init_data->buffers[x].head;
        for (; sm != NULL; sm = sm->next) {
            if (sm->type == DETECT_CONTENT) {
                DetectContentData *cd = (DetectContentData *)sm->ctx;
                if (cd->flags & DETECT_CONTENT_NOCASE) {
                    *sigerror = "http.host keyword "
                                "specified along with \"nocase\". "
                                "The hostname buffer is normalized "
                                "to lowercase, specifying "
                                "nocase is redundant.";
                    SCLogWarning("rule %u: %s", s->id, *sigerror);
                    return false;
                } else {
                    uint32_t u;
                    for (u = 0; u < cd->content_len; u++) {
                        if (isupper(cd->content[u]))
                            break;
                    }
                    if (u != cd->content_len) {
                        *sigerror = "A pattern with "
                                    "uppercase characters detected for http.host. "
                                    "The hostname buffer is normalized to lowercase, "
                                    "please specify a lowercase pattern.";
                        SCLogWarning("rule %u: %s", s->id, *sigerror);
                        return false;
                    }
                }
            }
        }
    }

    return true;
}

/**
 * \brief this function setup the http.host keyword used in the rule
 *
 * \param de_ctx   Pointer to the Detection Engine Context
 * \param s        Pointer to the Signature to which the current keyword belongs
 * \param str      Should hold an empty string always
 *
 * \retval 0       On success
 */
static int DetectHttpHostSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
    if (SCDetectBufferSetActiveList(de_ctx, s, g_http_host_buffer_id) < 0)
        return -1;
    if (SCDetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)
        return -1;
    return 0;
}

static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f,
        const uint8_t _flow_flags, void *txv, const int list_id)
{
    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
    if (buffer->inspect == NULL) {
        htp_tx_t *tx = (htp_tx_t *)txv;

        if (htp_tx_request_hostname(tx) == NULL)
            return NULL;

        const uint32_t data_len = (uint32_t)bstr_len(htp_tx_request_hostname(tx));
        const uint8_t *data = bstr_ptr(htp_tx_request_hostname(tx));

        InspectionBufferSetupAndApplyTransforms(
                det_ctx, list_id, buffer, data, data_len, transforms);
    }

    return buffer;
}

static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
        const int list_id)
{
    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
    if (buffer->inspect == NULL) {
        uint32_t b_len = 0;
        const uint8_t *b = NULL;
        void *thread_buf = DetectThreadCtxGetGlobalKeywordThreadCtx(det_ctx, g_http2_thread_id);
        if (thread_buf == NULL)
            return NULL;
        if (SCHttp2TxGetHostNorm(txv, &b, &b_len, thread_buf) != 1)
            return NULL;
        if (b == NULL || b_len == 0)
            return NULL;

        InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
    }

    return buffer;
}

static InspectionBuffer *GetRawData2(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
        const int list_id)
{
    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
    if (buffer->inspect == NULL) {
        uint32_t b_len = 0;
        const uint8_t *b = NULL;
        void *thread_buf = DetectThreadCtxGetGlobalKeywordThreadCtx(det_ctx, g_http2_raw_thread_id);
        if (thread_buf == NULL)
            return NULL;

        if (SCHttp2TxGetHost(txv, &b, &b_len, thread_buf) != 1)
            return NULL;
        if (b == NULL || b_len == 0)
            return NULL;

        InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
    }

    return buffer;
}

/**
 * \brief The setup function for the http_raw_host keyword for a signature.
 *
 * \param de_ctx Pointer to the detection engine context.
 * \param s      Pointer to the signature for the current Signature being
 *               parsed from the rules.
 * \param m      Pointer to the head of the SigMatch for the current rule
 *               being parsed.
 * \param arg    Pointer to the string holding the keyword value.
 *
 * \retval  0 On success
 * \retval -1 On failure
 */
int DetectHttpHRHSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
    return DetectEngineContentModifierBufferSetup(
            de_ctx, s, arg, DETECT_HTTP_RAW_HOST, g_http_raw_host_buffer_id, ALPROTO_HTTP1);
}

/**
 * \brief this function setup the http.host keyword used in the rule
 *
 * \param de_ctx   Pointer to the Detection Engine Context
 * \param s        Pointer to the Signature to which the current keyword belongs
 * \param str      Should hold an empty string always
 *
 * \retval 0       On success
 */
static int DetectHttpHostRawSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
    if (SCDetectBufferSetActiveList(de_ctx, s, g_http_raw_host_buffer_id) < 0)
        return -1;
    if (SCDetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)
        return -1;
    return 0;
}

static InspectionBuffer *GetRawData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f,
        const uint8_t _flow_flags, void *txv, const int list_id)
{
    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
    if (buffer->inspect == NULL) {
        htp_tx_t *tx = (htp_tx_t *)txv;

        const uint8_t *data = NULL;
        uint32_t data_len = 0;

        if (htp_uri_hostname(htp_tx_parsed_uri(tx)) == NULL) {
            if (htp_tx_request_headers(tx) == NULL)
                return NULL;

            const htp_header_t *h = htp_tx_request_header(tx, "Host");
            if (h == NULL || htp_header_value(h) == NULL)
                return NULL;

            data = htp_header_value_ptr(h);
            data_len = (uint32_t)htp_header_value_len(h);
        } else {
            data = (const uint8_t *)bstr_ptr(htp_uri_hostname(htp_tx_parsed_uri(tx)));
            data_len = (uint32_t)bstr_len(htp_uri_hostname(htp_tx_parsed_uri(tx)));
        }

        InspectionBufferSetupAndApplyTransforms(
                det_ctx, list_id, buffer, data, data_len, transforms);
    }

    return buffer;
}

/************************************Unittests*********************************/

#ifdef UNITTESTS
#include "tests/detect-http-host.c"
#endif /* UNITTESTS */

/**
 * @}
 */

1	/* Copyright (C) 2007-2019 Open Information Security Foundation
2	*
3	* You can copy, redistribute or modify this Program under the terms of
4	* the GNU General Public License version 2 as published by the Free
5	* Software Foundation.
6	*
7	* This program is distributed in the hope that it will be useful,
8	* but WITHOUT ANY WARRANTY; without even the implied warranty of
9	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10	* GNU General Public License for more details.
11	*
12	* You should have received a copy of the GNU General Public License
13	* version 2 along with this program; if not, write to the Free Software
14	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15	* 02110-1301, USA.
16	*/
17
18	/**
19	* \ingroup httplayer
20	*
21	* @{
22	*/
23
24
25	/**
26	* \file
27	*
28	* \author Anoop Saldanha <anoopsaldanha@gmail.com>
29	*
30	* Implements support for the http_host keyword.
31	*/
32
33	#include "suricata-common.h"
34	#include "threads.h"
35	#include "decode.h"
36
37	#include "detect.h"
38	#include "detect-parse.h"
39	#include "detect-engine.h"
40	#include "detect-engine-buffer.h"
41	#include "detect-engine-mpm.h"
42	#include "detect-engine-prefilter.h"
43	#include "detect-content.h"
44	#include "detect-pcre.h"
45
46	#include "flow.h"
47	#include "flow-var.h"
48	#include "flow-util.h"
49
50	#include "util-debug.h"
51	#include "util-unittest.h"
52	#include "util-unittest-helper.h"
53	#include "util-spm.h"
54
55	#include "app-layer.h"
56	#include "app-layer-parser.h"
57
58	#include "app-layer-htp.h"
59	#include "stream-tcp.h"
60	#include "detect-http-host.h"
61
62	static int DetectHttpHHSetup(DetectEngineCtx , Signature , const char *);
63	#ifdef UNITTESTS
64	static void DetectHttpHHRegisterTests(void);
65	#endif
66	static bool DetectHttpHostValidateCallback(
67	const Signature s, const char sigerror, const DetectBufferType dbt);
68	static int DetectHttpHostSetup(DetectEngineCtx , Signature , const char *);
69	static InspectionBuffer GetData(DetectEngineThreadCtx det_ctx,
70	const DetectEngineTransforms *transforms,
71	Flow *_f, const uint8_t _flow_flags,
72	void *txv, const int list_id);
73	static InspectionBuffer GetData2(DetectEngineThreadCtx det_ctx,
74	const DetectEngineTransforms transforms, Flow _f, const uint8_t _flow_flags, void *txv,
75	const int list_id);
76	static int DetectHttpHRHSetup(DetectEngineCtx , Signature , const char *);
77	static int g_http_raw_host_buffer_id = 0;
78	static int DetectHttpHostRawSetupSticky(DetectEngineCtx de_ctx, Signature s, const char *str);
79	static InspectionBuffer GetRawData(DetectEngineThreadCtx det_ctx,
80	const DetectEngineTransforms transforms, Flow _f,
81	const uint8_t _flow_flags, void *txv, const int list_id);
82	static InspectionBuffer GetRawData2(DetectEngineThreadCtx det_ctx,
83	const DetectEngineTransforms transforms, Flow _f, const uint8_t _flow_flags, void *txv,
84	const int list_id);
85	static int g_http_host_buffer_id = 0;
86	static int g_http2_thread_id = 0;
87	static int g_http2_raw_thread_id = 0;
88
89	/**
90	* \brief Registers the keyword handlers for the "http_host" keyword.
91	*/
92	void DetectHttpHHRegister(void)
93	{	2,223✔
94	/* http_host content modifier */
95	sigmatch_table[DETECT_HTTP_HOST_CM].name = "http_host";	2,223✔
96	sigmatch_table[DETECT_HTTP_HOST_CM].desc = "content modifier to match on the HTTP hostname";	2,223✔
97	sigmatch_table[DETECT_HTTP_HOST_CM].url =	2,223✔
98	"/rules/http-keywords.html#http-host-and-http-raw-host";	2,223✔
99	sigmatch_table[DETECT_HTTP_HOST_CM].Setup = DetectHttpHHSetup;	2,223✔
100	#ifdef UNITTESTS	3✔
101	sigmatch_table[DETECT_HTTP_HOST_CM].RegisterTests = DetectHttpHHRegisterTests;	3✔
102	#endif	3✔
103	sigmatch_table[DETECT_HTTP_HOST_CM].flags \|= SIGMATCH_NOOPT \| SIGMATCH_INFO_CONTENT_MODIFIER;	2,223✔
104	sigmatch_table[DETECT_HTTP_HOST_CM].alternative = DETECT_HTTP_HOST;	2,223✔
105
106	/* http.host sticky buffer */
107	sigmatch_table[DETECT_HTTP_HOST].name = "http.host";	2,223✔
108	sigmatch_table[DETECT_HTTP_HOST].desc = "sticky buffer to match on the HTTP Host buffer";	2,223✔
109	sigmatch_table[DETECT_HTTP_HOST].url = "/rules/http-keywords.html#http-host-and-http-raw-host";	2,223✔
110	sigmatch_table[DETECT_HTTP_HOST].Setup = DetectHttpHostSetup;	2,223✔
111	sigmatch_table[DETECT_HTTP_HOST].flags \|= SIGMATCH_NOOPT\|SIGMATCH_INFO_STICKY_BUFFER;	2,223✔
112
113	DetectAppLayerInspectEngineRegister("http_host", ALPROTO_HTTP1, SIG_FLAG_TOSERVER,	2,223✔
114	HTP_REQUEST_PROGRESS_HEADERS, DetectEngineInspectBufferGeneric, GetData);	2,223✔
115
116	DetectAppLayerMpmRegister("http_host", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,	2,223✔
117	GetData, ALPROTO_HTTP1, HTP_REQUEST_PROGRESS_HEADERS);	2,223✔
118
119	DetectAppLayerInspectEngineRegister("http_host", ALPROTO_HTTP2, SIG_FLAG_TOSERVER,	2,223✔
120	HTTP2StateDataClient, DetectEngineInspectBufferGeneric, GetData2);	2,223✔
121
122	DetectAppLayerMpmRegister("http_host", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,	2,223✔
123	GetData2, ALPROTO_HTTP2, HTTP2StateDataClient);	2,223✔
124
125	DetectBufferTypeRegisterValidateCallback("http_host",	2,223✔
126	DetectHttpHostValidateCallback);	2,223✔
127
128	DetectBufferTypeSetDescriptionByName("http_host",	2,223✔
129	"http host");	2,223✔
130
131	g_http2_thread_id = DetectRegisterThreadCtxGlobalFuncs(	2,223✔
132	"http_host", SCHttp2ThreadBufDataInit, NULL, SCHttp2ThreadBufDataFree);	2,223✔
133
134	g_http_host_buffer_id = DetectBufferTypeGetByName("http_host");	2,223✔
135
136	/* http_raw_host content modifier */
137	sigmatch_table[DETECT_HTTP_RAW_HOST].name = "http_raw_host";	2,223✔
138	sigmatch_table[DETECT_HTTP_RAW_HOST].desc = "content modifier to match on the HTTP host header "	2,223✔
139	"or the raw hostname from the HTTP uri";	2,223✔
140	sigmatch_table[DETECT_HTTP_RAW_HOST].url =	2,223✔
141	"/rules/http-keywords.html#http-host-and-http-raw-host";	2,223✔
142	sigmatch_table[DETECT_HTTP_RAW_HOST].Setup = DetectHttpHRHSetup;	2,223✔
143	sigmatch_table[DETECT_HTTP_RAW_HOST].flags \|= SIGMATCH_NOOPT \| SIGMATCH_INFO_CONTENT_MODIFIER;	2,223✔
144	sigmatch_table[DETECT_HTTP_RAW_HOST].alternative = DETECT_HTTP_HOST_RAW;	2,223✔
145
146	/* http.host sticky buffer */
147	sigmatch_table[DETECT_HTTP_HOST_RAW].name = "http.host.raw";	2,223✔
148	sigmatch_table[DETECT_HTTP_HOST_RAW].desc = "sticky buffer to match on the HTTP host header or the raw hostname from the HTTP uri";	2,223✔
149	sigmatch_table[DETECT_HTTP_HOST_RAW].url = "/rules/http-keywords.html#http-host-and-http-raw-host";	2,223✔
150	sigmatch_table[DETECT_HTTP_HOST_RAW].Setup = DetectHttpHostRawSetupSticky;	2,223✔
151	sigmatch_table[DETECT_HTTP_HOST_RAW].flags \|= SIGMATCH_NOOPT\|SIGMATCH_INFO_STICKY_BUFFER;	2,223✔
152
153	DetectAppLayerInspectEngineRegister("http_raw_host", ALPROTO_HTTP1, SIG_FLAG_TOSERVER,	2,223✔
154	HTP_REQUEST_PROGRESS_HEADERS, DetectEngineInspectBufferGeneric, GetRawData);	2,223✔
155
156	DetectAppLayerMpmRegister("http_raw_host", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,	2,223✔
157	GetRawData, ALPROTO_HTTP1, HTP_REQUEST_PROGRESS_HEADERS);	2,223✔
158
159	DetectAppLayerInspectEngineRegister("http_raw_host", ALPROTO_HTTP2, SIG_FLAG_TOSERVER,	2,223✔
160	HTTP2StateDataClient, DetectEngineInspectBufferGeneric, GetRawData2);	2,223✔
161
162	DetectAppLayerMpmRegister("http_raw_host", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,	2,223✔
163	GetRawData2, ALPROTO_HTTP2, HTTP2StateDataClient);	2,223✔
164
165	DetectBufferTypeSetDescriptionByName("http_raw_host",	2,223✔
166	"http raw host header");	2,223✔
167
168	g_http2_raw_thread_id = DetectRegisterThreadCtxGlobalFuncs(	2,223✔
169	"http_raw_host", SCHttp2ThreadBufDataInit, NULL, SCHttp2ThreadBufDataFree);	2,223✔
170
171	g_http_raw_host_buffer_id = DetectBufferTypeGetByName("http_raw_host");	2,223✔
172	}	2,223✔
173
174	/**
175	* \brief The setup function for the http_host keyword for a signature.
176	*
177	* \param de_ctx Pointer to the detection engine context.
178	* \param s Pointer to the signature for the current Signature being
179	* parsed from the rules.
180	* \param m Pointer to the head of the SigMatch for the current rule
181	* being parsed.
182	* \param arg Pointer to the string holding the keyword value.
183	*
184	* \retval 0 On success
185	* \retval -1 On failure
186	*/
187	static int DetectHttpHHSetup(DetectEngineCtx de_ctx, Signature s, const char *arg)
188	{	1,286✔
189	return DetectEngineContentModifierBufferSetup(	1,286✔
190	de_ctx, s, arg, DETECT_HTTP_HOST_CM, g_http_host_buffer_id, ALPROTO_HTTP1);	1,286✔
191	}	1,286✔
192
193	static bool DetectHttpHostValidateCallback(
194	const Signature s, const char sigerror, const DetectBufferType dbt)
195	{	16,806✔
196	for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {	39,387✔
197	if (s->init_data->buffers[x].id != (uint32_t)dbt->id)	22,841✔
198	continue;	6,035✔
199	const SigMatch *sm = s->init_data->buffers[x].head;	16,806✔
200	for (; sm != NULL; sm = sm->next) {	38,413✔
201	if (sm->type == DETECT_CONTENT) {	21,867✔
202	DetectContentData cd = (DetectContentData )sm->ctx;	9,094✔
203	if (cd->flags & DETECT_CONTENT_NOCASE) {	9,094✔
204	*sigerror = "http.host keyword "	14✔
205	"specified along with \"nocase\". "	14✔
206	"The hostname buffer is normalized "	14✔
207	"to lowercase, specifying "	14✔
208	"nocase is redundant.";	14✔
209	SCLogWarning("rule %u: %s", s->id, *sigerror);	14✔
210	return false;	14✔
211	} else {	9,080✔
212	uint32_t u;	9,080✔
213	for (u = 0; u < cd->content_len; u++) {	103,425✔
214	if (isupper(cd->content[u]))	94,591✔
215	break;	246✔
216	}	94,591✔
217	if (u != cd->content_len) {	9,080✔
218	*sigerror = "A pattern with "	246✔
219	"uppercase characters detected for http.host. "	246✔
220	"The hostname buffer is normalized to lowercase, "	246✔
221	"please specify a lowercase pattern.";	246✔
222	SCLogWarning("rule %u: %s", s->id, *sigerror);	246✔
223	return false;	246✔
224	}	246✔
225	}	9,080✔
226	}	9,094✔
227	}	21,867✔
228	}	16,806✔
229
230	return true;	16,546✔
231	}	16,806✔
232
233	/**
234	* \brief this function setup the http.host keyword used in the rule
235	*
236	* \param de_ctx Pointer to the Detection Engine Context
237	* \param s Pointer to the Signature to which the current keyword belongs
238	* \param str Should hold an empty string always
239	*
240	* \retval 0 On success
241	*/
242	static int DetectHttpHostSetup(DetectEngineCtx de_ctx, Signature s, const char *str)
243	{	38,840✔
244	if (SCDetectBufferSetActiveList(de_ctx, s, g_http_host_buffer_id) < 0)	38,840✔
245	return -1;	401✔
246	if (SCDetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)	38,439✔
247	return -1;	418✔
248	return 0;	38,021✔
249	}	38,439✔
250
251	static InspectionBuffer GetData(DetectEngineThreadCtx det_ctx,
252	const DetectEngineTransforms transforms, Flow _f,
253	const uint8_t _flow_flags, void *txv, const int list_id)
254	{	5,524✔
255	InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);	5,524✔
256	if (buffer->inspect == NULL) {	5,524✔
257	htp_tx_t tx = (htp_tx_t )txv;	5,285✔
258
259	if (htp_tx_request_hostname(tx) == NULL)	5,285✔
260	return NULL;	479✔
261
262	const uint32_t data_len = (uint32_t)bstr_len(htp_tx_request_hostname(tx));	4,806✔
263	const uint8_t *data = bstr_ptr(htp_tx_request_hostname(tx));	4,806✔
264
265	InspectionBufferSetupAndApplyTransforms(	4,806✔
266	det_ctx, list_id, buffer, data, data_len, transforms);	4,806✔
267	}	4,806✔
268
269	return buffer;	5,045✔
270	}	5,524✔
271
272	static InspectionBuffer GetData2(DetectEngineThreadCtx det_ctx,
273	const DetectEngineTransforms transforms, Flow _f, const uint8_t _flow_flags, void *txv,
274	const int list_id)
275	{	1,474✔
276	InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);	1,474✔
277	if (buffer->inspect == NULL) {	1,474✔
278	uint32_t b_len = 0;	1,295✔
279	const uint8_t *b = NULL;	1,295✔
280	void *thread_buf = DetectThreadCtxGetGlobalKeywordThreadCtx(det_ctx, g_http2_thread_id);	1,295✔
281	if (thread_buf == NULL)	1,295✔
282	return NULL;	×
283	if (SCHttp2TxGetHostNorm(txv, &b, &b_len, thread_buf) != 1)	1,295✔
284	return NULL;	963✔
285	if (b == NULL \|\| b_len == 0)	332✔
286	return NULL;	1✔
287
288	InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);	331✔
289	}	331✔
290
291	return buffer;	510✔
292	}	1,474✔
293
294	static InspectionBuffer GetRawData2(DetectEngineThreadCtx det_ctx,
295	const DetectEngineTransforms transforms, Flow _f, const uint8_t _flow_flags, void *txv,
296	const int list_id)
297	{	433✔
298	InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);	433✔
299	if (buffer->inspect == NULL) {	433✔
300	uint32_t b_len = 0;	396✔
301	const uint8_t *b = NULL;	396✔
302	void *thread_buf = DetectThreadCtxGetGlobalKeywordThreadCtx(det_ctx, g_http2_raw_thread_id);	396✔
303	if (thread_buf == NULL)	396✔
304	return NULL;	×
305
306	if (SCHttp2TxGetHost(txv, &b, &b_len, thread_buf) != 1)	396✔
307	return NULL;	225✔
308	if (b == NULL \|\| b_len == 0)	171✔
309	return NULL;	×
310
311	InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);	171✔
312	}	171✔
313
314	return buffer;	208✔
315	}	433✔
316
317	/**
318	* \brief The setup function for the http_raw_host keyword for a signature.
319	*
320	* \param de_ctx Pointer to the detection engine context.
321	* \param s Pointer to the signature for the current Signature being
322	* parsed from the rules.
323	* \param m Pointer to the head of the SigMatch for the current rule
324	* being parsed.
325	* \param arg Pointer to the string holding the keyword value.
326	*
327	* \retval 0 On success
328	* \retval -1 On failure
329	*/
330	int DetectHttpHRHSetup(DetectEngineCtx de_ctx, Signature s, const char *arg)
331	{	518✔
332	return DetectEngineContentModifierBufferSetup(	518✔
333	de_ctx, s, arg, DETECT_HTTP_RAW_HOST, g_http_raw_host_buffer_id, ALPROTO_HTTP1);	518✔
334	}	518✔
335
336	/**
337	* \brief this function setup the http.host keyword used in the rule
338	*
339	* \param de_ctx Pointer to the Detection Engine Context
340	* \param s Pointer to the Signature to which the current keyword belongs
341	* \param str Should hold an empty string always
342	*
343	* \retval 0 On success
344	*/
345	static int DetectHttpHostRawSetupSticky(DetectEngineCtx de_ctx, Signature s, const char *str)
346	{	2,914✔
347	if (SCDetectBufferSetActiveList(de_ctx, s, g_http_raw_host_buffer_id) < 0)	2,914✔
348	return -1;	1✔
349	if (SCDetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)	2,913✔
350	return -1;	1✔
351	return 0;	2,912✔
352	}	2,913✔
353
354	static InspectionBuffer GetRawData(DetectEngineThreadCtx det_ctx,
355	const DetectEngineTransforms transforms, Flow _f,
356	const uint8_t _flow_flags, void *txv, const int list_id)
357	{	325✔
358	InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);	325✔
359	if (buffer->inspect == NULL) {	325✔
360	htp_tx_t tx = (htp_tx_t )txv;	296✔
361
362	const uint8_t *data = NULL;	296✔
363	uint32_t data_len = 0;	296✔
364
365	if (htp_uri_hostname(htp_tx_parsed_uri(tx)) == NULL) {	296✔
366	if (htp_tx_request_headers(tx) == NULL)	275✔
367	return NULL;	×
368
369	const htp_header_t *h = htp_tx_request_header(tx, "Host");	275✔
370	if (h == NULL \|\| htp_header_value(h) == NULL)	275✔
371	return NULL;	69✔
372
373	data = htp_header_value_ptr(h);	206✔
374	data_len = (uint32_t)htp_header_value_len(h);	206✔
375	} else {	207✔
376	data = (const uint8_t *)bstr_ptr(htp_uri_hostname(htp_tx_parsed_uri(tx)));	21✔
377	data_len = (uint32_t)bstr_len(htp_uri_hostname(htp_tx_parsed_uri(tx)));	21✔
378	}	21✔
379
380	InspectionBufferSetupAndApplyTransforms(	227✔
381	det_ctx, list_id, buffer, data, data_len, transforms);	227✔
382	}	227✔
383
384	return buffer;	256✔
385	}	325✔
386
387	/**********************************Unittests*******************************/
388
389	#ifdef UNITTESTS
390	#include "tests/detect-http-host.c"
391	#endif /* UNITTESTS */
392
393	/**
394	* @}
395	*/

jasonish / suricata / 23019292042

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous