23019292042

Committed 12 Mar 2026 07:08PM UTC coverage: 79.245% (-0.004%) from 79.249%

Build # 23019292042

Build Type

push

github

Committed by

jasonish

Commit Message

github-ci: add schema ordering check for yaml schema

Run Details

266163 of 335873 relevant lines covered (79.25%)

4877167.7 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

91.4

/src/detect-http-raw-header.c

/* Copyright (C) 2007-2022 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \ingroup httplayer
 *
 * @{
 */


/**
 * \file
 *
 * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
 *
 * Implements support for http_raw_header keyword.
 */

#include "suricata-common.h"
#include "threads.h"
#include "decode.h"

#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-buffer.h"
#include "detect-engine-mpm.h"
#include "detect-engine-prefilter.h"
#include "detect-content.h"

#include "flow.h"
#include "flow-var.h"
#include "flow-util.h"

#include "util-debug.h"
#include "util-profiling.h"

#include "app-layer.h"
#include "app-layer-parser.h"
#include "app-layer-htp.h"
#include "detect-http-raw-header.h"

static int DetectHttpRawHeaderSetup(DetectEngineCtx *, Signature *, const char *);
static int DetectHttpRawHeaderSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str);
#ifdef UNITTESTS
static void DetectHttpRawHeaderRegisterTests(void);
#endif
static bool DetectHttpRawHeaderValidateCallback(
        const Signature *s, const char **sigerror, const DetectBufferType *dbt);
static int g_http_raw_header_buffer_id = 0;
static int g_http2_thread_id = 0;

static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f,
        const uint8_t flow_flags, void *txv, const int list_id);
static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t flow_flags, void *txv,
        const int list_id);

static int PrefilterMpmHttpHeaderRawRequestRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
        MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id);
static int PrefilterMpmHttpHeaderRawResponseRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
        MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id);

/**
 * \brief Registers the keyword handlers for the "http_raw_header" keyword.
 */
void DetectHttpRawHeaderRegister(void)
{
    /* http_raw_header content modifier */
    sigmatch_table[DETECT_HTTP_RAW_HEADER_CM].name = "http_raw_header";
    sigmatch_table[DETECT_HTTP_RAW_HEADER_CM].desc =
            "content modifier to match the raw HTTP header buffer";
    sigmatch_table[DETECT_HTTP_RAW_HEADER_CM].url =
            "/rules/http-keywords.html#http-header-and-http-raw-header";
    sigmatch_table[DETECT_HTTP_RAW_HEADER_CM].Setup = DetectHttpRawHeaderSetup;
#ifdef UNITTESTS
    sigmatch_table[DETECT_HTTP_RAW_HEADER_CM].RegisterTests = DetectHttpRawHeaderRegisterTests;
#endif
    sigmatch_table[DETECT_HTTP_RAW_HEADER_CM].flags |=
            SIGMATCH_NOOPT | SIGMATCH_INFO_CONTENT_MODIFIER;
    sigmatch_table[DETECT_HTTP_RAW_HEADER_CM].alternative = DETECT_HTTP_RAW_HEADER;

    /* http.header.raw sticky buffer */
    sigmatch_table[DETECT_HTTP_RAW_HEADER].name = "http.header.raw";
    sigmatch_table[DETECT_HTTP_RAW_HEADER].desc = "sticky buffer to match the raw HTTP header buffer";
    sigmatch_table[DETECT_HTTP_RAW_HEADER].url = "/rules/http-keywords.html#http-header-and-http-raw-header";
    sigmatch_table[DETECT_HTTP_RAW_HEADER].Setup = DetectHttpRawHeaderSetupSticky;
    sigmatch_table[DETECT_HTTP_RAW_HEADER].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;

    DetectAppLayerInspectEngineRegister("http_raw_header", ALPROTO_HTTP1, SIG_FLAG_TOSERVER,
            HTP_REQUEST_PROGRESS_HEADERS + 1, DetectEngineInspectBufferGeneric, GetData);
    DetectAppLayerInspectEngineRegister("http_raw_header", ALPROTO_HTTP1, SIG_FLAG_TOCLIENT,
            HTP_RESPONSE_PROGRESS_HEADERS + 1, DetectEngineInspectBufferGeneric, GetData);

    DetectAppLayerMpmRegister("http_raw_header", SIG_FLAG_TOSERVER, 2,
            PrefilterMpmHttpHeaderRawRequestRegister, NULL, ALPROTO_HTTP1,
            0); /* progress handled in register */
    DetectAppLayerMpmRegister("http_raw_header", SIG_FLAG_TOCLIENT, 2,
            PrefilterMpmHttpHeaderRawResponseRegister, NULL, ALPROTO_HTTP1,
            0); /* progress handled in register */

    DetectAppLayerInspectEngineRegister("http_raw_header", ALPROTO_HTTP2, SIG_FLAG_TOSERVER,
            HTTP2StateDataClient, DetectEngineInspectBufferGeneric, GetData2);
    DetectAppLayerInspectEngineRegister("http_raw_header", ALPROTO_HTTP2, SIG_FLAG_TOCLIENT,
            HTTP2StateDataServer, DetectEngineInspectBufferGeneric, GetData2);

    DetectAppLayerMpmRegister("http_raw_header", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
            GetData2, ALPROTO_HTTP2, HTTP2StateDataClient);
    DetectAppLayerMpmRegister("http_raw_header", SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
            GetData2, ALPROTO_HTTP2, HTTP2StateDataServer);

    DetectBufferTypeSetDescriptionByName("http_raw_header",
            "raw http headers");

    DetectBufferTypeRegisterValidateCallback("http_raw_header",
            DetectHttpRawHeaderValidateCallback);
    g_http2_thread_id = DetectRegisterThreadCtxGlobalFuncs(
            "http2.raw_header", SCHttp2ThreadBufDataInit, NULL, SCHttp2ThreadBufDataFree);

    g_http_raw_header_buffer_id = DetectBufferTypeGetByName("http_raw_header");
}

/**
 * \brief The setup function for the http_raw_header keyword for a signature.
 *
 * \param de_ctx Pointer to the detection engine context.
 * \param s      Pointer to signature for the current Signature being parsed
 *               from the rules.
 * \param m      Pointer to the head of the SigMatchs for the current rule
 *               being parsed.
 * \param arg    Pointer to the string holding the keyword value.
 *
 * \retval  0 On success.
 * \retval -1 On failure.
 */
int DetectHttpRawHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
    return DetectEngineContentModifierBufferSetup(
            de_ctx, s, arg, DETECT_HTTP_RAW_HEADER_CM, g_http_raw_header_buffer_id, ALPROTO_HTTP1);
}

/**
 * \brief this function setup the http.header.raw keyword used in the rule
 *
 * \param de_ctx   Pointer to the Detection Engine Context
 * \param s        Pointer to the Signature to which the current keyword belongs
 * \param str      Should hold an empty string always
 *
 * \retval 0       On success
 */
static int DetectHttpRawHeaderSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
    if (SCDetectBufferSetActiveList(de_ctx, s, g_http_raw_header_buffer_id) < 0)
        return -1;
    if (SCDetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)
        return -1;
    return 0;
}

static bool DetectHttpRawHeaderValidateCallback(
        const Signature *s, const char **sigerror, const DetectBufferType *dbt)
{
    if ((s->flags & (SIG_FLAG_TOCLIENT|SIG_FLAG_TOSERVER)) == (SIG_FLAG_TOCLIENT|SIG_FLAG_TOSERVER)) {
        *sigerror = "http_raw_header signature "
                "without a flow direction. Use flow:to_server for "
                "inspecting request headers or flow:to_client for "
                "inspecting response headers.";

        SCLogError("%s", *sigerror);
        SCReturnInt(false);
    }
    return true;
}

static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f,
        const uint8_t flow_flags, void *txv, const int list_id)
{
    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
    if (buffer->inspect == NULL) {
        htp_tx_t *tx = (htp_tx_t *)txv;

        HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);

        const bool ts = ((flow_flags & STREAM_TOSERVER) != 0);
        const uint8_t *data = ts ?
            tx_ud->request_headers_raw : tx_ud->response_headers_raw;
        if (data == NULL)
            return NULL;
        const uint32_t data_len = ts ?
            tx_ud->request_headers_raw_len : tx_ud->response_headers_raw_len;

        InspectionBufferSetupAndApplyTransforms(
                det_ctx, list_id, buffer, data, data_len, transforms);
    }

    return buffer;
}

static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t flow_flags, void *txv,
        const int list_id)
{
    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
    if (buffer->inspect == NULL) {
        uint32_t b_len = 0;
        const uint8_t *b = NULL;

        void *thread_buf = DetectThreadCtxGetGlobalKeywordThreadCtx(det_ctx, g_http2_thread_id);
        if (thread_buf == NULL)
            return NULL;
        if (SCHttp2TxGetHeadersRaw(txv, flow_flags, &b, &b_len, thread_buf) != 1)
            return NULL;
        if (b == NULL || b_len == 0)
            return NULL;

        InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
    }

    return buffer;
}

typedef struct PrefilterMpmHttpHeaderRawCtx {
    int list_id;
    const MpmCtx *mpm_ctx;
    const DetectEngineTransforms *transforms;
} PrefilterMpmHttpHeaderRawCtx;

/** \brief Generic Mpm prefilter callback
 *
 *  \param det_ctx detection engine thread ctx
 *  \param p packet to inspect
 *  \param f flow to inspect
 *  \param txv tx to inspect
 *  \param pectx inspection context
 */
static void PrefilterMpmHttpHeaderRaw(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
        Flow *f, void *txv, const uint64_t idx, const AppLayerTxData *_txd, const uint8_t flags)
{
    SCEnter();

    const PrefilterMpmHttpHeaderRawCtx *ctx = pectx;
    const MpmCtx *mpm_ctx = ctx->mpm_ctx;
    SCLogDebug("running on list %d", ctx->list_id);

    const int list_id = ctx->list_id;

    InspectionBuffer *buffer = GetData(det_ctx, ctx->transforms, f,
            flags, txv, list_id);
    if (buffer == NULL)
        return;

    const uint32_t data_len = buffer->inspect_len;
    const uint8_t *data = buffer->inspect;

    SCLogDebug("mpm'ing buffer:");
    //PrintRawDataFp(stdout, data, data_len);

    if (data != NULL && data_len >= mpm_ctx->minlen) {
        (void)mpm_table[mpm_ctx->mpm_type].Search(
                mpm_ctx, &det_ctx->mtc, &det_ctx->pmq, data, data_len);
        PREFILTER_PROFILING_ADD_BYTES(det_ctx, data_len);
    }
}

static void PrefilterMpmHttpTrailerRaw(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
        Flow *f, void *txv, const uint64_t idx, const AppLayerTxData *_txd, const uint8_t flags)
{
    SCEnter();

    htp_tx_t *tx = txv;
    const HtpTxUserData *htud = (const HtpTxUserData *)htp_tx_get_user_data(tx);
    /* if the request wasn't flagged as having a trailer, we skip */
    if (((flags & STREAM_TOSERVER) && !htud->request_has_trailers) ||
            ((flags & STREAM_TOCLIENT) && !htud->response_has_trailers)) {
        SCReturn;
    }
    PrefilterMpmHttpHeaderRaw(det_ctx, pectx, p, f, txv, idx, _txd, flags);
    SCReturn;
}

static void PrefilterMpmHttpHeaderRawFree(void *ptr)
{
    SCFree(ptr);
}

static int PrefilterMpmHttpHeaderRawRequestRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
        MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
{
    SCEnter();

    /* header */
    PrefilterMpmHttpHeaderRawCtx *pectx = SCCalloc(1, sizeof(*pectx));
    if (pectx == NULL)
        return -1;
    pectx->list_id = list_id;
    pectx->mpm_ctx = mpm_ctx;
    pectx->transforms = &mpm_reg->transforms;

    int r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMpmHttpHeaderRaw, mpm_reg->app_v2.alproto,
            HTP_REQUEST_PROGRESS_HEADERS + 1, pectx, PrefilterMpmHttpHeaderRawFree, mpm_reg->pname);
    if (r != 0) {
        SCFree(pectx);
        return r;
    }

    /* trailer */
    pectx = SCCalloc(1, sizeof(*pectx));
    if (pectx == NULL)
        return -1;
    pectx->list_id = list_id;
    pectx->mpm_ctx = mpm_ctx;
    pectx->transforms = &mpm_reg->transforms;

    r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMpmHttpTrailerRaw, mpm_reg->app_v2.alproto,
            HTP_REQUEST_PROGRESS_TRAILER + 1, pectx, PrefilterMpmHttpHeaderRawFree, mpm_reg->pname);
    if (r != 0) {
        SCFree(pectx);
    }
    return r;
}

static int PrefilterMpmHttpHeaderRawResponseRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
        MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
{
    SCEnter();

    /* header */
    PrefilterMpmHttpHeaderRawCtx *pectx = SCCalloc(1, sizeof(*pectx));
    if (pectx == NULL)
        return -1;
    pectx->list_id = list_id;
    pectx->mpm_ctx = mpm_ctx;
    pectx->transforms = &mpm_reg->transforms;

    int r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMpmHttpHeaderRaw, mpm_reg->app_v2.alproto,
            HTP_RESPONSE_PROGRESS_HEADERS, pectx, PrefilterMpmHttpHeaderRawFree, mpm_reg->pname);
    if (r != 0) {
        SCFree(pectx);
        return r;
    }

    /* trailer */
    pectx = SCCalloc(1, sizeof(*pectx));
    if (pectx == NULL)
        return -1;
    pectx->list_id = list_id;
    pectx->mpm_ctx = mpm_ctx;
    pectx->transforms = &mpm_reg->transforms;

    r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMpmHttpTrailerRaw, mpm_reg->app_v2.alproto,
            HTP_RESPONSE_PROGRESS_TRAILER, pectx, PrefilterMpmHttpHeaderRawFree, mpm_reg->pname);
    if (r != 0) {
        SCFree(pectx);
    }
    return r;
}

/************************************Unittests*********************************/

#ifdef UNITTESTS
#include "tests/detect-http-raw-header.c"
#endif

/**
 * @}
 */

1	/* Copyright (C) 2007-2022 Open Information Security Foundation
2	*
3	* You can copy, redistribute or modify this Program under the terms of
4	* the GNU General Public License version 2 as published by the Free
5	* Software Foundation.
6	*
7	* This program is distributed in the hope that it will be useful,
8	* but WITHOUT ANY WARRANTY; without even the implied warranty of
9	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10	* GNU General Public License for more details.
11	*
12	* You should have received a copy of the GNU General Public License
13	* version 2 along with this program; if not, write to the Free Software
14	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15	* 02110-1301, USA.
16	*/
17
18	/**
19	* \ingroup httplayer
20	*
21	* @{
22	*/
23
24
25	/**
26	* \file
27	*
28	* \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
29	*
30	* Implements support for http_raw_header keyword.
31	*/
32
33	#include "suricata-common.h"
34	#include "threads.h"
35	#include "decode.h"
36
37	#include "detect.h"
38	#include "detect-parse.h"
39	#include "detect-engine.h"
40	#include "detect-engine-buffer.h"
41	#include "detect-engine-mpm.h"
42	#include "detect-engine-prefilter.h"
43	#include "detect-content.h"
44
45	#include "flow.h"
46	#include "flow-var.h"
47	#include "flow-util.h"
48
49	#include "util-debug.h"
50	#include "util-profiling.h"
51
52	#include "app-layer.h"
53	#include "app-layer-parser.h"
54	#include "app-layer-htp.h"
55	#include "detect-http-raw-header.h"
56
57	static int DetectHttpRawHeaderSetup(DetectEngineCtx , Signature , const char *);
58	static int DetectHttpRawHeaderSetupSticky(DetectEngineCtx de_ctx, Signature s, const char *str);
59	#ifdef UNITTESTS
60	static void DetectHttpRawHeaderRegisterTests(void);
61	#endif
62	static bool DetectHttpRawHeaderValidateCallback(
63	const Signature s, const char sigerror, const DetectBufferType dbt);
64	static int g_http_raw_header_buffer_id = 0;
65	static int g_http2_thread_id = 0;
66
67	static InspectionBuffer GetData(DetectEngineThreadCtx det_ctx,
68	const DetectEngineTransforms transforms, Flow _f,
69	const uint8_t flow_flags, void *txv, const int list_id);
70	static InspectionBuffer GetData2(DetectEngineThreadCtx det_ctx,
71	const DetectEngineTransforms transforms, Flow _f, const uint8_t flow_flags, void *txv,
72	const int list_id);
73
74	static int PrefilterMpmHttpHeaderRawRequestRegister(DetectEngineCtx de_ctx, SigGroupHead sgh,
75	MpmCtx mpm_ctx, const DetectBufferMpmRegistry mpm_reg, int list_id);
76	static int PrefilterMpmHttpHeaderRawResponseRegister(DetectEngineCtx de_ctx, SigGroupHead sgh,
77	MpmCtx mpm_ctx, const DetectBufferMpmRegistry mpm_reg, int list_id);
78
79	/**
80	* \brief Registers the keyword handlers for the "http_raw_header" keyword.
81	*/
82	void DetectHttpRawHeaderRegister(void)
83	{	2,223✔
84	/* http_raw_header content modifier */
85	sigmatch_table[DETECT_HTTP_RAW_HEADER_CM].name = "http_raw_header";	2,223✔
86	sigmatch_table[DETECT_HTTP_RAW_HEADER_CM].desc =	2,223✔
87	"content modifier to match the raw HTTP header buffer";	2,223✔
88	sigmatch_table[DETECT_HTTP_RAW_HEADER_CM].url =	2,223✔
89	"/rules/http-keywords.html#http-header-and-http-raw-header";	2,223✔
90	sigmatch_table[DETECT_HTTP_RAW_HEADER_CM].Setup = DetectHttpRawHeaderSetup;	2,223✔
91	#ifdef UNITTESTS	3✔
92	sigmatch_table[DETECT_HTTP_RAW_HEADER_CM].RegisterTests = DetectHttpRawHeaderRegisterTests;	3✔
93	#endif	3✔
94	sigmatch_table[DETECT_HTTP_RAW_HEADER_CM].flags \|=	2,223✔
95	SIGMATCH_NOOPT \| SIGMATCH_INFO_CONTENT_MODIFIER;	2,223✔
96	sigmatch_table[DETECT_HTTP_RAW_HEADER_CM].alternative = DETECT_HTTP_RAW_HEADER;	2,223✔
97
98	/* http.header.raw sticky buffer */
99	sigmatch_table[DETECT_HTTP_RAW_HEADER].name = "http.header.raw";	2,223✔
100	sigmatch_table[DETECT_HTTP_RAW_HEADER].desc = "sticky buffer to match the raw HTTP header buffer";	2,223✔
101	sigmatch_table[DETECT_HTTP_RAW_HEADER].url = "/rules/http-keywords.html#http-header-and-http-raw-header";	2,223✔
102	sigmatch_table[DETECT_HTTP_RAW_HEADER].Setup = DetectHttpRawHeaderSetupSticky;	2,223✔
103	sigmatch_table[DETECT_HTTP_RAW_HEADER].flags \|= SIGMATCH_NOOPT\|SIGMATCH_INFO_STICKY_BUFFER;	2,223✔
104
105	DetectAppLayerInspectEngineRegister("http_raw_header", ALPROTO_HTTP1, SIG_FLAG_TOSERVER,	2,223✔
106	HTP_REQUEST_PROGRESS_HEADERS + 1, DetectEngineInspectBufferGeneric, GetData);	2,223✔
107	DetectAppLayerInspectEngineRegister("http_raw_header", ALPROTO_HTTP1, SIG_FLAG_TOCLIENT,	2,223✔
108	HTP_RESPONSE_PROGRESS_HEADERS + 1, DetectEngineInspectBufferGeneric, GetData);	2,223✔
109
110	DetectAppLayerMpmRegister("http_raw_header", SIG_FLAG_TOSERVER, 2,	2,223✔
111	PrefilterMpmHttpHeaderRawRequestRegister, NULL, ALPROTO_HTTP1,	2,223✔
112	0); /* progress handled in register */	2,223✔
113	DetectAppLayerMpmRegister("http_raw_header", SIG_FLAG_TOCLIENT, 2,	2,223✔
114	PrefilterMpmHttpHeaderRawResponseRegister, NULL, ALPROTO_HTTP1,	2,223✔
115	0); /* progress handled in register */	2,223✔
116
117	DetectAppLayerInspectEngineRegister("http_raw_header", ALPROTO_HTTP2, SIG_FLAG_TOSERVER,	2,223✔
118	HTTP2StateDataClient, DetectEngineInspectBufferGeneric, GetData2);	2,223✔
119	DetectAppLayerInspectEngineRegister("http_raw_header", ALPROTO_HTTP2, SIG_FLAG_TOCLIENT,	2,223✔
120	HTTP2StateDataServer, DetectEngineInspectBufferGeneric, GetData2);	2,223✔
121
122	DetectAppLayerMpmRegister("http_raw_header", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,	2,223✔
123	GetData2, ALPROTO_HTTP2, HTTP2StateDataClient);	2,223✔
124	DetectAppLayerMpmRegister("http_raw_header", SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,	2,223✔
125	GetData2, ALPROTO_HTTP2, HTTP2StateDataServer);	2,223✔
126
127	DetectBufferTypeSetDescriptionByName("http_raw_header",	2,223✔
128	"raw http headers");	2,223✔
129
130	DetectBufferTypeRegisterValidateCallback("http_raw_header",	2,223✔
131	DetectHttpRawHeaderValidateCallback);	2,223✔
132	g_http2_thread_id = DetectRegisterThreadCtxGlobalFuncs(	2,223✔
133	"http2.raw_header", SCHttp2ThreadBufDataInit, NULL, SCHttp2ThreadBufDataFree);	2,223✔
134
135	g_http_raw_header_buffer_id = DetectBufferTypeGetByName("http_raw_header");	2,223✔
136	}	2,223✔
137
138	/**
139	* \brief The setup function for the http_raw_header keyword for a signature.
140	*
141	* \param de_ctx Pointer to the detection engine context.
142	* \param s Pointer to signature for the current Signature being parsed
143	* from the rules.
144	* \param m Pointer to the head of the SigMatchs for the current rule
145	* being parsed.
146	* \param arg Pointer to the string holding the keyword value.
147	*
148	* \retval 0 On success.
149	* \retval -1 On failure.
150	*/
151	int DetectHttpRawHeaderSetup(DetectEngineCtx de_ctx, Signature s, const char *arg)
152	{	346✔
153	return DetectEngineContentModifierBufferSetup(	346✔
154	de_ctx, s, arg, DETECT_HTTP_RAW_HEADER_CM, g_http_raw_header_buffer_id, ALPROTO_HTTP1);	346✔
155	}	346✔
156
157	/**
158	* \brief this function setup the http.header.raw keyword used in the rule
159	*
160	* \param de_ctx Pointer to the Detection Engine Context
161	* \param s Pointer to the Signature to which the current keyword belongs
162	* \param str Should hold an empty string always
163	*
164	* \retval 0 On success
165	*/
166	static int DetectHttpRawHeaderSetupSticky(DetectEngineCtx de_ctx, Signature s, const char *str)
167	{	2,767✔
168	if (SCDetectBufferSetActiveList(de_ctx, s, g_http_raw_header_buffer_id) < 0)	2,767✔
169	return -1;	28✔
170	if (SCDetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)	2,739✔
171	return -1;	15✔
172	return 0;	2,724✔
173	}	2,739✔
174
175	static bool DetectHttpRawHeaderValidateCallback(
176	const Signature s, const char sigerror, const DetectBufferType dbt)
177	{	3,273✔
178	if ((s->flags & (SIG_FLAG_TOCLIENT\|SIG_FLAG_TOSERVER)) == (SIG_FLAG_TOCLIENT\|SIG_FLAG_TOSERVER)) {	3,273✔
179	*sigerror = "http_raw_header signature "	611✔
180	"without a flow direction. Use flow:to_server for "	611✔
181	"inspecting request headers or flow:to_client for "	611✔
182	"inspecting response headers.";	611✔
183
184	SCLogError("%s", *sigerror);	611✔
185	SCReturnInt(false);	611✔
186	}	611✔
187	return true;	2,662✔
188	}	3,273✔
189
190	static InspectionBuffer GetData(DetectEngineThreadCtx det_ctx,
191	const DetectEngineTransforms transforms, Flow _f,
192	const uint8_t flow_flags, void *txv, const int list_id)
193	{	5,248✔
194	InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);	5,248✔
195	if (buffer->inspect == NULL) {	5,248✔
196	htp_tx_t tx = (htp_tx_t )txv;	4,818✔
197
198	HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);	4,818✔
199
200	const bool ts = ((flow_flags & STREAM_TOSERVER) != 0);	4,818✔
201	const uint8_t *data = ts ?	4,818✔
202	tx_ud->request_headers_raw : tx_ud->response_headers_raw;	2,548✔
203	if (data == NULL)	4,818✔
204	return NULL;	133✔
205	const uint32_t data_len = ts ?	4,685✔
206	tx_ud->request_headers_raw_len : tx_ud->response_headers_raw_len;	2,491✔
207
208	InspectionBufferSetupAndApplyTransforms(	4,685✔
209	det_ctx, list_id, buffer, data, data_len, transforms);	4,685✔
210	}	4,685✔
211
212	return buffer;	5,115✔
213	}	5,248✔
214
215	static InspectionBuffer GetData2(DetectEngineThreadCtx det_ctx,
216	const DetectEngineTransforms transforms, Flow _f, const uint8_t flow_flags, void *txv,
217	const int list_id)
218	{	497✔
219	InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);	497✔
220	if (buffer->inspect == NULL) {	497✔
221	uint32_t b_len = 0;	492✔
222	const uint8_t *b = NULL;	492✔
223
224	void *thread_buf = DetectThreadCtxGetGlobalKeywordThreadCtx(det_ctx, g_http2_thread_id);	492✔
225	if (thread_buf == NULL)	492✔
226	return NULL;	×
227	if (SCHttp2TxGetHeadersRaw(txv, flow_flags, &b, &b_len, thread_buf) != 1)	492✔
228	return NULL;	286✔
229	if (b == NULL \|\| b_len == 0)	206✔
230	return NULL;	×
231
232	InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);	206✔
233	}	206✔
234
235	return buffer;	211✔
236	}	497✔
237
238	typedef struct PrefilterMpmHttpHeaderRawCtx {
239	int list_id;
240	const MpmCtx *mpm_ctx;
241	const DetectEngineTransforms *transforms;
242	} PrefilterMpmHttpHeaderRawCtx;
243
244	/** \brief Generic Mpm prefilter callback
245	*
246	* \param det_ctx detection engine thread ctx
247	* \param p packet to inspect
248	* \param f flow to inspect
249	* \param txv tx to inspect
250	* \param pectx inspection context
251	*/
252	static void PrefilterMpmHttpHeaderRaw(DetectEngineThreadCtx det_ctx, const void pectx, Packet *p,
253	Flow f, void txv, const uint64_t idx, const AppLayerTxData *_txd, const uint8_t flags)
254	{	5,050✔
255	SCEnter();	5,050✔
256
257	const PrefilterMpmHttpHeaderRawCtx *ctx = pectx;	5,050✔
258	const MpmCtx *mpm_ctx = ctx->mpm_ctx;	5,050✔
259	SCLogDebug("running on list %d", ctx->list_id);	5,050✔
260
261	const int list_id = ctx->list_id;	5,050✔
262
263	InspectionBuffer *buffer = GetData(det_ctx, ctx->transforms, f,	5,050✔
264	flags, txv, list_id);	5,050✔
265	if (buffer == NULL)	5,050✔
266	return;	133✔
267
268	const uint32_t data_len = buffer->inspect_len;	4,917✔
269	const uint8_t *data = buffer->inspect;	4,917✔
270
271	SCLogDebug("mpm'ing buffer:");	4,917✔
272	//PrintRawDataFp(stdout, data, data_len);
273
274	if (data != NULL && data_len >= mpm_ctx->minlen) {	4,917✔
275	(void)mpm_table[mpm_ctx->mpm_type].Search(	4,754✔
276	mpm_ctx, &det_ctx->mtc, &det_ctx->pmq, data, data_len);	4,754✔
277	PREFILTER_PROFILING_ADD_BYTES(det_ctx, data_len);	4,754✔
278	}	4,754✔
279	}	4,917✔
280
281	static void PrefilterMpmHttpTrailerRaw(DetectEngineThreadCtx det_ctx, const void pectx, Packet *p,
282	Flow f, void txv, const uint64_t idx, const AppLayerTxData *_txd, const uint8_t flags)
283	{	4,630✔
284	SCEnter();	4,630✔
285
286	htp_tx_t *tx = txv;	4,630✔
287	const HtpTxUserData htud = (const HtpTxUserData )htp_tx_get_user_data(tx);	4,630✔
288	/* if the request wasn't flagged as having a trailer, we skip */
289	if (((flags & STREAM_TOSERVER) && !htud->request_has_trailers) \|\|	4,630✔
290	((flags & STREAM_TOCLIENT) && !htud->response_has_trailers)) {	4,630✔
291	SCReturn;	4,302✔
292	}	4,302✔
293	PrefilterMpmHttpHeaderRaw(det_ctx, pectx, p, f, txv, idx, _txd, flags);	328✔
294	SCReturn;	328✔
295	}	4,630✔
296
297	static void PrefilterMpmHttpHeaderRawFree(void *ptr)
298	{	1,482✔
299	SCFree(ptr);	1,482✔
300	}	1,482✔
301
302	static int PrefilterMpmHttpHeaderRawRequestRegister(DetectEngineCtx de_ctx, SigGroupHead sgh,
303	MpmCtx mpm_ctx, const DetectBufferMpmRegistry mpm_reg, int list_id)
304	{	459✔
305	SCEnter();	459✔
306
307	/* header */
308	PrefilterMpmHttpHeaderRawCtx pectx = SCCalloc(1, sizeof(pectx));	459✔
309	if (pectx == NULL)	459✔
310	return -1;	×
311	pectx->list_id = list_id;	459✔
312	pectx->mpm_ctx = mpm_ctx;	459✔
313	pectx->transforms = &mpm_reg->transforms;	459✔
314
315	int r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMpmHttpHeaderRaw, mpm_reg->app_v2.alproto,	459✔
316	HTP_REQUEST_PROGRESS_HEADERS + 1, pectx, PrefilterMpmHttpHeaderRawFree, mpm_reg->pname);	459✔
317	if (r != 0) {	459✔
318	SCFree(pectx);	×
319	return r;	×
320	}	×
321
322	/* trailer */
323	pectx = SCCalloc(1, sizeof(*pectx));	459✔
324	if (pectx == NULL)	459✔
325	return -1;	×
326	pectx->list_id = list_id;	459✔
327	pectx->mpm_ctx = mpm_ctx;	459✔
328	pectx->transforms = &mpm_reg->transforms;	459✔
329
330	r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMpmHttpTrailerRaw, mpm_reg->app_v2.alproto,	459✔
331	HTP_REQUEST_PROGRESS_TRAILER + 1, pectx, PrefilterMpmHttpHeaderRawFree, mpm_reg->pname);	459✔
332	if (r != 0) {	459✔
333	SCFree(pectx);	×
334	}	×
335	return r;	459✔
336	}	459✔
337
338	static int PrefilterMpmHttpHeaderRawResponseRegister(DetectEngineCtx de_ctx, SigGroupHead sgh,
339	MpmCtx mpm_ctx, const DetectBufferMpmRegistry mpm_reg, int list_id)
340	{	45✔
341	SCEnter();	45✔
342
343	/* header */
344	PrefilterMpmHttpHeaderRawCtx pectx = SCCalloc(1, sizeof(pectx));	45✔
345	if (pectx == NULL)	45✔
346	return -1;	×
347	pectx->list_id = list_id;	45✔
348	pectx->mpm_ctx = mpm_ctx;	45✔
349	pectx->transforms = &mpm_reg->transforms;	45✔
350
351	int r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMpmHttpHeaderRaw, mpm_reg->app_v2.alproto,	45✔
352	HTP_RESPONSE_PROGRESS_HEADERS, pectx, PrefilterMpmHttpHeaderRawFree, mpm_reg->pname);	45✔
353	if (r != 0) {	45✔
354	SCFree(pectx);	×
355	return r;	×
356	}	×
357
358	/* trailer */
359	pectx = SCCalloc(1, sizeof(*pectx));	45✔
360	if (pectx == NULL)	45✔
361	return -1;	×
362	pectx->list_id = list_id;	45✔
363	pectx->mpm_ctx = mpm_ctx;	45✔
364	pectx->transforms = &mpm_reg->transforms;	45✔
365
366	r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMpmHttpTrailerRaw, mpm_reg->app_v2.alproto,	45✔
367	HTP_RESPONSE_PROGRESS_TRAILER, pectx, PrefilterMpmHttpHeaderRawFree, mpm_reg->pname);	45✔
368	if (r != 0) {	45✔
369	SCFree(pectx);	×
370	}	×
371	return r;	45✔
372	}	45✔
373
374	/**********************************Unittests*******************************/
375
376	#ifdef UNITTESTS
377	#include "tests/detect-http-raw-header.c"
378	#endif
379
380	/**
381	* @}
382	*/

jasonish / suricata / 23019292042

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous