23338889526

Committed 20 Mar 2026 10:29AM UTC coverage: 76.331% (-3.0%) from 79.315%

Build # 23338889526

Build Type

Pull #15053

github

Committed by

web-flow

Commit Message

Merge 00ac1dd14 into 6587e363a

Pull Request Pull Request #15053: Flow queue/v3

Coverage Stats

106 of 127 new or added lines in 8 files covered. (83.46%)

9913 existing lines in 468 files now uncovered.

255689 of 334972 relevant lines covered (76.33%)

4170649.82 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

94.44

/src/detect-http-request-line.c

/* Copyright (C) 2007-2022 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \ingroup httplayer
 *
 * @{
 */


/**
 * \file
 *
 * \author Victor Julien <victor@inliniac.net>
 *
 * Implements support for the http_request_line keyword.
 */

#include "suricata-common.h"
#include "threads.h"
#include "decode.h"

#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-buffer.h"
#include "detect-engine-mpm.h"
#include "detect-engine-state.h"
#include "detect-engine-prefilter.h"
#include "detect-engine-content-inspection.h"
#include "detect-content.h"
#include "detect-pcre.h"

#include "flow.h"
#include "flow-var.h"
#include "flow-util.h"

#include "util-debug.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "util-spm.h"

#include "app-layer.h"
#include "app-layer-parser.h"

#include "app-layer-htp.h"
#include "stream-tcp.h"
#include "detect-http-request-line.h"

static int DetectHttpRequestLineSetup(DetectEngineCtx *, Signature *, const char *);
#ifdef UNITTESTS
static void DetectHttpRequestLineRegisterTests(void);
#endif
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms,
        Flow *_f, const uint8_t _flow_flags,
        void *txv, const int list_id);
static int g_http_request_line_buffer_id = 0;

static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
        const int list_id)
{
    SCEnter();

    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
    if (buffer->inspect == NULL) {
        uint32_t b_len = 0;
        const uint8_t *b = NULL;

        if (SCHttp2TxGetRequestLine(txv, &b, &b_len) != 1)
            return NULL;
        if (b == NULL || b_len == 0)
            return NULL;

        InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
    }

    return buffer;
}

/**
 * \brief Registers the keyword handlers for the "http_request_line" keyword.
 */
void DetectHttpRequestLineRegister(void)
{
    sigmatch_table[DETECT_HTTP_REQUEST_LINE].name = "http.request_line";
    sigmatch_table[DETECT_HTTP_REQUEST_LINE].alias = "http_request_line";
    sigmatch_table[DETECT_HTTP_REQUEST_LINE].desc =
            "sticky buffer to match on the HTTP request line";
    sigmatch_table[DETECT_HTTP_REQUEST_LINE].url = "/rules/http-keywords.html#http-request-line";
    sigmatch_table[DETECT_HTTP_REQUEST_LINE].Match = NULL;
    sigmatch_table[DETECT_HTTP_REQUEST_LINE].Setup = DetectHttpRequestLineSetup;
#ifdef UNITTESTS
    sigmatch_table[DETECT_HTTP_REQUEST_LINE].RegisterTests = DetectHttpRequestLineRegisterTests;
#endif
    sigmatch_table[DETECT_HTTP_REQUEST_LINE].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;

    DetectAppLayerInspectEngineRegister("http_request_line", ALPROTO_HTTP1, SIG_FLAG_TOSERVER,
            HTP_REQUEST_PROGRESS_LINE, DetectEngineInspectBufferGeneric, GetData);

    DetectAppLayerMpmRegister("http_request_line", SIG_FLAG_TOSERVER, 2,
            PrefilterGenericMpmRegister, GetData, ALPROTO_HTTP1, HTP_REQUEST_PROGRESS_LINE);

    DetectAppLayerInspectEngineRegister("http_request_line", ALPROTO_HTTP2, SIG_FLAG_TOSERVER,
            HTTP2StateDataClient, DetectEngineInspectBufferGeneric, GetData2);
    DetectAppLayerMpmRegister("http_request_line", SIG_FLAG_TOSERVER, 2,
            PrefilterGenericMpmRegister, GetData2, ALPROTO_HTTP2, HTTP2StateDataClient);

    DetectBufferTypeSetDescriptionByName("http_request_line",
            "http request line");

    g_http_request_line_buffer_id = DetectBufferTypeGetByName("http_request_line");
}

/**
 * \brief The setup function for the http_request_line keyword for a signature.
 *
 * \param de_ctx Pointer to the detection engine context.
 * \param s      Pointer to the signature for the current Signature being
 *               parsed from the rules.
 * \param m      Pointer to the head of the SigMatch for the current rule
 *               being parsed.
 * \param arg    Pointer to the string holding the keyword value.
 *
 * \retval  0 On success
 * \retval -1 On failure
 */
static int DetectHttpRequestLineSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
    if (SCDetectBufferSetActiveList(de_ctx, s, g_http_request_line_buffer_id) < 0)
        return -1;

    if (SCDetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)
        return -1;

    return 0;
}

static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms,
        Flow *_f, const uint8_t _flow_flags,
        void *txv, const int list_id)
{
    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
    if (buffer->inspect == NULL) {
        htp_tx_t *tx = (htp_tx_t *)txv;
        if (unlikely(htp_tx_request_line(tx) == NULL)) {
            return NULL;
        }
        const uint32_t data_len = (uint32_t)bstr_len(htp_tx_request_line(tx));
        const uint8_t *data = bstr_ptr(htp_tx_request_line(tx));

        InspectionBufferSetupAndApplyTransforms(
                det_ctx, list_id, buffer, data, data_len, transforms);
    }
    return buffer;
}

/************************************Unittests*********************************/

#ifdef UNITTESTS

#include "stream-tcp-reassemble.h"

/**
 * \test Test that a signature containing a http_request_line is correctly parsed
 *       and the keyword is registered.
 */
static int DetectHttpRequestLineTest01(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
                               "(http_request_line; content:\"GET /\"; sid:1;)");
    FAIL_IF_NULL(de_ctx->sig_list);

    DetectEngineCtxFree(de_ctx);
    PASS;
}

static void DetectHttpRequestLineRegisterTests(void)
{
    UtRegisterTest("DetectHttpRequestLineTest01", DetectHttpRequestLineTest01);
}
#endif /* UNITTESTS */
/**
 * @}
 */

1	/* Copyright (C) 2007-2022 Open Information Security Foundation
2	*
3	* You can copy, redistribute or modify this Program under the terms of
4	* the GNU General Public License version 2 as published by the Free
5	* Software Foundation.
6	*
7	* This program is distributed in the hope that it will be useful,
8	* but WITHOUT ANY WARRANTY; without even the implied warranty of
9	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10	* GNU General Public License for more details.
11	*
12	* You should have received a copy of the GNU General Public License
13	* version 2 along with this program; if not, write to the Free Software
14	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15	* 02110-1301, USA.
16	*/
17
18	/**
19	* \ingroup httplayer
20	*
21	* @{
22	*/
23
24
25	/**
26	* \file
27	*
28	* \author Victor Julien <victor@inliniac.net>
29	*
30	* Implements support for the http_request_line keyword.
31	*/
32
33	#include "suricata-common.h"
34	#include "threads.h"
35	#include "decode.h"
36
37	#include "detect.h"
38	#include "detect-parse.h"
39	#include "detect-engine.h"
40	#include "detect-engine-buffer.h"
41	#include "detect-engine-mpm.h"
42	#include "detect-engine-state.h"
43	#include "detect-engine-prefilter.h"
44	#include "detect-engine-content-inspection.h"
45	#include "detect-content.h"
46	#include "detect-pcre.h"
47
48	#include "flow.h"
49	#include "flow-var.h"
50	#include "flow-util.h"
51
52	#include "util-debug.h"
53	#include "util-unittest.h"
54	#include "util-unittest-helper.h"
55	#include "util-spm.h"
56
57	#include "app-layer.h"
58	#include "app-layer-parser.h"
59
60	#include "app-layer-htp.h"
61	#include "stream-tcp.h"
62	#include "detect-http-request-line.h"
63
64	static int DetectHttpRequestLineSetup(DetectEngineCtx , Signature , const char *);
65	#ifdef UNITTESTS
66	static void DetectHttpRequestLineRegisterTests(void);
67	#endif
68	static InspectionBuffer GetData(DetectEngineThreadCtx det_ctx,
69	const DetectEngineTransforms *transforms,
70	Flow *_f, const uint8_t _flow_flags,
71	void *txv, const int list_id);
72	static int g_http_request_line_buffer_id = 0;
73
74	static InspectionBuffer GetData2(DetectEngineThreadCtx det_ctx,
75	const DetectEngineTransforms transforms, Flow _f, const uint8_t _flow_flags, void *txv,
76	const int list_id)
77	{	176✔
78	SCEnter();	176✔
79
80	InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);	176✔
81	if (buffer->inspect == NULL) {	176✔
82	uint32_t b_len = 0;	174✔
83	const uint8_t *b = NULL;	174✔
84
85	if (SCHttp2TxGetRequestLine(txv, &b, &b_len) != 1)	174✔
86	return NULL;	×
87	if (b == NULL \|\| b_len == 0)	174✔
88	return NULL;	×
89
90	InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);	174✔
91	}	174✔
92
93	return buffer;	176✔
94	}	176✔
95
96	/**
97	* \brief Registers the keyword handlers for the "http_request_line" keyword.
98	*/
99	void DetectHttpRequestLineRegister(void)
100	{	2,216✔
101	sigmatch_table[DETECT_HTTP_REQUEST_LINE].name = "http.request_line";	2,216✔
102	sigmatch_table[DETECT_HTTP_REQUEST_LINE].alias = "http_request_line";	2,216✔
103	sigmatch_table[DETECT_HTTP_REQUEST_LINE].desc =	2,216✔
104	"sticky buffer to match on the HTTP request line";	2,216✔
105	sigmatch_table[DETECT_HTTP_REQUEST_LINE].url = "/rules/http-keywords.html#http-request-line";	2,216✔
106	sigmatch_table[DETECT_HTTP_REQUEST_LINE].Match = NULL;	2,216✔
107	sigmatch_table[DETECT_HTTP_REQUEST_LINE].Setup = DetectHttpRequestLineSetup;	2,216✔
108	#ifdef UNITTESTS	3✔
109	sigmatch_table[DETECT_HTTP_REQUEST_LINE].RegisterTests = DetectHttpRequestLineRegisterTests;	3✔
110	#endif	3✔
111	sigmatch_table[DETECT_HTTP_REQUEST_LINE].flags \|= SIGMATCH_NOOPT \| SIGMATCH_INFO_STICKY_BUFFER;	2,216✔
112
113	DetectAppLayerInspectEngineRegister("http_request_line", ALPROTO_HTTP1, SIG_FLAG_TOSERVER,	2,216✔
114	HTP_REQUEST_PROGRESS_LINE, DetectEngineInspectBufferGeneric, GetData);	2,216✔
115
116	DetectAppLayerMpmRegister("http_request_line", SIG_FLAG_TOSERVER, 2,	2,216✔
117	PrefilterGenericMpmRegister, GetData, ALPROTO_HTTP1, HTP_REQUEST_PROGRESS_LINE);	2,216✔
118
119	DetectAppLayerInspectEngineRegister("http_request_line", ALPROTO_HTTP2, SIG_FLAG_TOSERVER,	2,216✔
120	HTTP2StateDataClient, DetectEngineInspectBufferGeneric, GetData2);	2,216✔
121	DetectAppLayerMpmRegister("http_request_line", SIG_FLAG_TOSERVER, 2,	2,216✔
122	PrefilterGenericMpmRegister, GetData2, ALPROTO_HTTP2, HTTP2StateDataClient);	2,216✔
123
124	DetectBufferTypeSetDescriptionByName("http_request_line",	2,216✔
125	"http request line");	2,216✔
126
127	g_http_request_line_buffer_id = DetectBufferTypeGetByName("http_request_line");	2,216✔
128	}	2,216✔
129
130	/**
131	* \brief The setup function for the http_request_line keyword for a signature.
132	*
133	* \param de_ctx Pointer to the detection engine context.
134	* \param s Pointer to the signature for the current Signature being
135	* parsed from the rules.
136	* \param m Pointer to the head of the SigMatch for the current rule
137	* being parsed.
138	* \param arg Pointer to the string holding the keyword value.
139	*
140	* \retval 0 On success
141	* \retval -1 On failure
142	*/
143	static int DetectHttpRequestLineSetup(DetectEngineCtx de_ctx, Signature s, const char *arg)
144	{	710✔
145	if (SCDetectBufferSetActiveList(de_ctx, s, g_http_request_line_buffer_id) < 0)	710✔
UNCOV 146	return -1;	×
147
148	if (SCDetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)	710✔
UNCOV 149	return -1;	×
150
151	return 0;	710✔
152	}	710✔
153
154	static InspectionBuffer GetData(DetectEngineThreadCtx det_ctx,
155	const DetectEngineTransforms *transforms,
156	Flow *_f, const uint8_t _flow_flags,
157	void *txv, const int list_id)
158	{	2,704✔
159	InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);	2,704✔
160	if (buffer->inspect == NULL) {	2,704✔
161	htp_tx_t tx = (htp_tx_t )txv;	2,371✔
162	if (unlikely(htp_tx_request_line(tx) == NULL)) {	2,371✔
163	return NULL;	78✔
164	}	78✔
165	const uint32_t data_len = (uint32_t)bstr_len(htp_tx_request_line(tx));	2,293✔
166	const uint8_t *data = bstr_ptr(htp_tx_request_line(tx));	2,293✔
167
168	InspectionBufferSetupAndApplyTransforms(	2,293✔
169	det_ctx, list_id, buffer, data, data_len, transforms);	2,293✔
170	}	2,293✔
171	return buffer;	2,626✔
172	}	2,704✔
173
174	/**********************************Unittests*******************************/
175
176	#ifdef UNITTESTS
177
178	#include "stream-tcp-reassemble.h"
179
180	/**
181	* \test Test that a signature containing a http_request_line is correctly parsed
182	* and the keyword is registered.
183	*/
184	static int DetectHttpRequestLineTest01(void)
185	{	1✔
186	DetectEngineCtx *de_ctx = DetectEngineCtxInit();	1✔
187	FAIL_IF_NULL(de_ctx);	1✔
188
189	de_ctx->flags \|= DE_QUIET;	1✔
190	de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "	1✔
191	"(http_request_line; content:\"GET /\"; sid:1;)");	1✔
192	FAIL_IF_NULL(de_ctx->sig_list);	1✔
193
194	DetectEngineCtxFree(de_ctx);	1✔
195	PASS;	1✔
196	}	1✔
197
198	static void DetectHttpRequestLineRegisterTests(void)
199	{	1✔
200	UtRegisterTest("DetectHttpRequestLineTest01", DetectHttpRequestLineTest01);	1✔
201	}	1✔
202	#endif /* UNITTESTS */
203	/**
204	* @}
205	*/

OISF / suricata / 23338889526

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous