/**
 * \brief Registration function for keyword: http_uri
 *
 * Fills the sigmatch_table slot for the "http_uri" content modifier and
 * registers the prefilter and inspection callbacks for the buffer of the
 * same name. Every registration in this function is to-server only
 * (SIG_FLAG_TOSERVER), so it wires the keyword to request traffic only.
 */
void DetectHttpUriRegister (void)
{
    /* Keyword metadata: name, description and documentation link. */
    sigmatch_table[DETECT_AL_HTTP_URI].name = "http_uri";
    sigmatch_table[DETECT_AL_HTTP_URI].desc = "content modifier to match specifically and only on the HTTP uri-buffer";
    sigmatch_table[DETECT_AL_HTTP_URI].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-uri-and-http-raw-uri";
    /* No Match or Free callback is installed; only Setup is provided. */
    sigmatch_table[DETECT_AL_HTTP_URI].Match = NULL;
    sigmatch_table[DETECT_AL_HTTP_URI].Setup = DetectHttpUriSetup;
    sigmatch_table[DETECT_AL_HTTP_URI].Free = NULL;
    sigmatch_table[DETECT_AL_HTTP_URI].RegisterTests = DetectHttpUriRegisterTests;

    /* presumably marks the keyword as taking no option value -- confirm
     * against the SIGMATCH_NOOPT definition */
    sigmatch_table[DETECT_AL_HTTP_URI].flags |= SIGMATCH_NOOPT;

    /* Prefilter (MPM) registration for the to-server direction.
     * NOTE(review): the literal 2 looks like a priority -- confirm against
     * the DetectAppLayerMpmRegister prototype. */
    DetectAppLayerMpmRegister("http_uri", SIG_FLAG_TOSERVER, 2,
            PrefilterTxUriRegister);

    /* Inspection engine: HTTP, to-server, tied to HTP_REQUEST_LINE. */
    DetectAppLayerInspectEngineRegister("http_uri",
            ALPROTO_HTTP, SIG_FLAG_TOSERVER, HTP_REQUEST_LINE,
            DetectEngineInspectHttpUri);

    DetectBufferTypeSetDescriptionByName("http_uri",
            "http request uri");

    /* Setup and validate callbacks attached to the buffer type. */
    DetectBufferTypeRegisterSetupCallback("http_uri",
            DetectHttpUriSetupCallback);

    DetectBufferTypeRegisterValidateCallback("http_uri",
            DetectHttpUriValidateCallback);

    /* Store the buffer id in the file-level variable. */
    g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
}
/**
 * \brief Registration function for keyword: http_stat_msg
 *
 * Fills the sigmatch_table slot for the "http_stat_msg" content modifier
 * and registers the prefilter and inspection callbacks for the buffer of
 * the same name. Every registration in this function is to-client only
 * (SIG_FLAG_TOCLIENT), so it wires the keyword to response traffic only.
 * Unlike the http_uri registration, no validate callback is registered.
 */
void DetectHttpStatMsgRegister (void)
{
    /* Keyword metadata: name, description and documentation link.
     * NOTE(review): the anchor "#http_stat-msg" mixes '_' and '-'; verify
     * it resolves in the rendered documentation. */
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].name = "http_stat_msg";
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].desc = "content modifier to match on HTTP stat-msg-buffer";
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http_stat-msg";
    /* No Match or Free callback is installed; only Setup is provided. */
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].Match = NULL;
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].Setup = DetectHttpStatMsgSetup;
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].Free = NULL;
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].RegisterTests = DetectHttpStatMsgRegisterTests;

    /* presumably marks the keyword as taking no option value -- confirm
     * against the SIGMATCH_NOOPT definition */
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].flags |= SIGMATCH_NOOPT;

    /* Prefilter (MPM) registration for the to-client direction.
     * NOTE(review): the literal 3 looks like a priority -- confirm against
     * the DetectAppLayerMpmRegister prototype. */
    DetectAppLayerMpmRegister("http_stat_msg", SIG_FLAG_TOCLIENT, 3,
            PrefilterTxHttpStatMsgRegister);

    /* Inspection engine: HTTP, to-client, tied to HTP_RESPONSE_LINE. */
    DetectAppLayerInspectEngineRegister("http_stat_msg",
            ALPROTO_HTTP, SIG_FLAG_TOCLIENT, HTP_RESPONSE_LINE,
            DetectEngineInspectHttpStatMsg);

    DetectBufferTypeSetDescriptionByName("http_stat_msg",
            "http response status message");

    DetectBufferTypeRegisterSetupCallback("http_stat_msg",
            DetectHttpStatMsgSetupCallback);

    /* Store the buffer id in the file-level variable. */
    g_http_stat_msg_buffer_id = DetectBufferTypeGetByName("http_stat_msg");
}
/**
 * \brief Registration function for keyword: file_data
 *
 * Fills the sigmatch_table slot for "file_data" and registers the buffer
 * for two protocol/direction pairs: HTTP to-client (response body) and
 * SMTP to-server. This function registers nothing for HTTP to-server, so
 * rule writers should not assume file_data covers HTTP request bodies
 * unless that is registered elsewhere.
 */
void DetectFiledataRegister(void)
{
    /* Keyword metadata.
     * NOTE(review): desc mentions only the HTTP response body, while the
     * buffer description below also names SMTP attachment data. */
    sigmatch_table[DETECT_FILE_DATA].name = "file_data";
    sigmatch_table[DETECT_FILE_DATA].desc = "make content keywords match on HTTP response body";
    sigmatch_table[DETECT_FILE_DATA].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#file-data";
    /* No Match or Free callback is installed; only Setup is provided. */
    sigmatch_table[DETECT_FILE_DATA].Match = NULL;
    sigmatch_table[DETECT_FILE_DATA].Setup = DetectFiledataSetup;
    sigmatch_table[DETECT_FILE_DATA].Free = NULL;
    sigmatch_table[DETECT_FILE_DATA].RegisterTests = DetectFiledataRegisterTests;
    /* NOTE(review): plain assignment, so any flag already set on this
     * entry is overwritten; other registration functions for HTTP keywords
     * use |=. Confirm the entry is zero beforehand. */
    sigmatch_table[DETECT_FILE_DATA].flags = SIGMATCH_NOOPT;

    /* Prefilter (MPM) registrations, one per direction: the to-server one
     * uses the SMTP callback, the to-client one the HTTP response body
     * callback. */
    DetectAppLayerMpmRegister("file_data", SIG_FLAG_TOSERVER, 2,
            PrefilterTxSmtpFiledataRegister);
    DetectAppLayerMpmRegister("file_data", SIG_FLAG_TOCLIENT, 2,
            PrefilterTxHttpResponseBodyRegister);

    /* Inspection engines: HTTP to-client tied to HTP_RESPONSE_BODY, and
     * SMTP to-server with a progress value of 0. */
    DetectAppLayerInspectEngineRegister("file_data",
            ALPROTO_HTTP, SIG_FLAG_TOCLIENT, HTP_RESPONSE_BODY,
            DetectEngineInspectHttpServerBody);
    DetectAppLayerInspectEngineRegister("file_data",
            ALPROTO_SMTP, SIG_FLAG_TOSERVER, 0,
            DetectEngineInspectSMTPFiledata);

    DetectBufferTypeRegisterSetupCallback("file_data",
            DetectFiledataSetupCallback);

    DetectBufferTypeSetDescriptionByName("file_data",
            "http response body or smtp attachments data");

    /* Store the buffer id in the file-level variable. */
    g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
}
/**
 * \brief Registration function for keywords: http_uri and http.uri
 *
 * Registers four sigmatch_table entries: the "http_uri" and "http_raw_uri"
 * content modifiers and the "http.uri" and "http.uri.raw" sticky buffers.
 * Engine and buffer-type registrations are made only under the names
 * "http_uri" and "http_raw_uri"; the sticky-buffer entries set table fields
 * only (presumably their Setup functions select those same buffers --
 * confirm in DetectHttpUriSetupSticky / DetectHttpRawUriSetupSticky).
 *
 * Per the desc strings, http.uri matches the normalized URI and
 * http.uri.raw the raw one. All engines here are HTTP, to-server, tied to
 * HTP_REQUEST_LINE.
 */
void DetectHttpUriRegister (void)
{
    /* http_uri content modifier */
    sigmatch_table[DETECT_AL_HTTP_URI].name = "http_uri";
    sigmatch_table[DETECT_AL_HTTP_URI].desc = "content modifier to match specifically and only on the HTTP uri-buffer";
    sigmatch_table[DETECT_AL_HTTP_URI].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-uri-and-http-raw-uri";
    sigmatch_table[DETECT_AL_HTTP_URI].Setup = DetectHttpUriSetup;
    /* The test registration hook is compiled in only for unit-test builds. */
#ifdef UNITTESTS
    sigmatch_table[DETECT_AL_HTTP_URI].RegisterTests = DetectHttpUriRegisterTests;
#endif
    sigmatch_table[DETECT_AL_HTTP_URI].flags |= SIGMATCH_NOOPT;

    /* http.uri sticky buffer; "http.uri.normalized" is set as its alias.
     * NOTE(review): the url points at tls-keywords.html for an HTTP
     * keyword; this looks like a copy-paste slip -- confirm the intended
     * page and anchor. */
    sigmatch_table[DETECT_HTTP_URI].name = "http.uri";
    sigmatch_table[DETECT_HTTP_URI].alias = "http.uri.normalized";
    sigmatch_table[DETECT_HTTP_URI].desc = "sticky buffer to match specifically and only on the normalized HTTP URI buffer";
    sigmatch_table[DETECT_HTTP_URI].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#http-uri";
    sigmatch_table[DETECT_HTTP_URI].Setup = DetectHttpUriSetupSticky;
    sigmatch_table[DETECT_HTTP_URI].flags |= SIGMATCH_NOOPT;

    /* Inspection and prefilter for "http_uri" both use the generic
     * callbacks and take GetData as their data callback. */
    DetectAppLayerInspectEngineRegister2("http_uri", ALPROTO_HTTP,
            SIG_FLAG_TOSERVER, HTP_REQUEST_LINE,
            DetectEngineInspectBufferGeneric, GetData);

    DetectAppLayerMpmRegister2("http_uri", SIG_FLAG_TOSERVER, 2,
            PrefilterGenericMpmRegister, GetData, ALPROTO_HTTP,
            HTP_REQUEST_LINE);

    DetectBufferTypeSetDescriptionByName("http_uri",
            "http request uri");

    DetectBufferTypeRegisterSetupCallback("http_uri",
            DetectHttpUriSetupCallback);

    DetectBufferTypeRegisterValidateCallback("http_uri",
            DetectHttpUriValidateCallback);

    /* Store the buffer id in the file-level variable. */
    g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");

    /* http_raw_uri content modifier
     * NOTE(review): this anchor ("#http_uri-and-http_raw-uri") is spelled
     * differently from the one used for http_uri above; verify both. */
    sigmatch_table[DETECT_AL_HTTP_RAW_URI].name = "http_raw_uri";
    sigmatch_table[DETECT_AL_HTTP_RAW_URI].desc = "content modifier to match on the raw HTTP uri";
    sigmatch_table[DETECT_AL_HTTP_RAW_URI].url = DOC_URL DOC_VERSION
            "/rules/http-keywords.html#http_uri-and-http_raw-uri";
    sigmatch_table[DETECT_AL_HTTP_RAW_URI].Setup = DetectHttpRawUriSetup;
    sigmatch_table[DETECT_AL_HTTP_RAW_URI].flags |= SIGMATCH_NOOPT;

    /* http.uri.raw sticky buffer
     * NOTE(review): same tls-keywords.html url as http.uri -- confirm. */
    sigmatch_table[DETECT_HTTP_URI_RAW].name = "http.uri.raw";
    sigmatch_table[DETECT_HTTP_URI_RAW].desc = "sticky buffer to match specifically and only on the raw HTTP URI buffer";
    sigmatch_table[DETECT_HTTP_URI_RAW].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#http-uri";
    sigmatch_table[DETECT_HTTP_URI_RAW].Setup = DetectHttpRawUriSetupSticky;
    sigmatch_table[DETECT_HTTP_URI_RAW].flags |= SIGMATCH_NOOPT;

    /* Same generic callbacks as for "http_uri", with GetRawData as the
     * data callback. */
    DetectAppLayerInspectEngineRegister2("http_raw_uri", ALPROTO_HTTP,
            SIG_FLAG_TOSERVER, HTP_REQUEST_LINE,
            DetectEngineInspectBufferGeneric, GetRawData);

    DetectAppLayerMpmRegister2("http_raw_uri", SIG_FLAG_TOSERVER, 2,
            PrefilterGenericMpmRegister, GetRawData, ALPROTO_HTTP,
            HTP_REQUEST_LINE);

    DetectBufferTypeSetDescriptionByName("http_raw_uri",
            "raw http uri");

    DetectBufferTypeRegisterSetupCallback("http_raw_uri",
            DetectHttpRawUriSetupCallback);

    DetectBufferTypeRegisterValidateCallback("http_raw_uri",
            DetectHttpRawUriValidateCallback);

    /* Store the buffer id in the file-level variable. */
    g_http_raw_uri_buffer_id = DetectBufferTypeGetByName("http_raw_uri");
}