/**
* Parses Cookie request header in v0 format.
*
* @param[in] connp
* @return HTP_OK on success, HTP_ERROR on error
*/
htp_status_t htp_parse_cookies_v0(htp_connp_t *connp) {
htp_header_t *cookie_header = htp_table_get_c(connp->in_tx->request_headers, "cookie");
if (cookie_header == NULL) return HTP_OK;
// Create a new table to store cookies
connp->in_tx->request_cookies = htp_table_create(4);
if (connp->in_tx->request_cookies == NULL) return HTP_ERROR;
unsigned char *data = bstr_ptr(cookie_header->value);
size_t len = bstr_len(cookie_header->value);
size_t pos = 0;
while (pos < len) {
// Ignore whitespace at the beginning
while ((pos < len) && (isspace((int)data[pos]))) pos++;
if (pos == len) return HTP_OK;
size_t start = pos;
// Find the end of the cookie
while ((pos < len) && (data[pos] != ';')) pos++;
if (htp_parse_single_cookie_v0(connp, data + start, pos - start) != HTP_OK) {
return HTP_ERROR;
}
// Go over the semicolon
if (pos != len) pos++;
}
return HTP_OK;
}
/**
* Determines protocol number from a textual representation (i.e., "HTTP/1.1"). This
* function will only understand a properly formatted protocol information. It does
* not try to be flexible.
*
* @param[in] protocol
* @return Protocol version or PROTOCOL_UNKNOWN.
*/
int htp_parse_protocol(bstr *protocol) {
if (protocol == NULL) {
return HTP_PROTOCOL_UNKNOWN;
}
// TODO This function uses a very strict approach to parsing, whereas
// browsers will typically be more flexible, allowing whitespace
// before and after the forward slash, as well as allowing leading
// zeroes in the numbers. We should be able to parse such malformed
// content correctly (but emit a warning).
if (bstr_len(protocol) == 8) {
unsigned char *ptr = bstr_ptr(protocol);
if ((ptr[0] == 'H') && (ptr[1] == 'T') && (ptr[2] == 'T') && (ptr[3] == 'P')
&& (ptr[4] == '/') && (ptr[6] == '.')) {
// Check the version numbers
if (ptr[5] == '0') {
if (ptr[7] == '9') {
return HTP_PROTOCOL_0_9;
}
} else if (ptr[5] == '1') {
if (ptr[7] == '0') {
return HTP_PROTOCOL_1_0;
} else if (ptr[7] == '1') {
return HTP_PROTOCOL_1_1;
}
}
}
}
return HTP_PROTOCOL_UNKNOWN;
}
/**
* Generic request line parser.
*
* @param connp
* @return HTP_OK or HTP_ERROR
*/
int htp_parse_request_line_generic(htp_connp_t *connp) {
htp_tx_t *tx = connp->in_tx;
unsigned char *data = (unsigned char *)bstr_ptr(tx->request_line);
size_t len = bstr_len(tx->request_line);
size_t pos = 0;
// The request method starts at the beginning of the
// line and ends with the first whitespace character.
while ((pos < len) && (!htp_is_space(data[pos]))) {
pos++;
}
// No, we don't care if the method is empty.
tx->request_method = bstr_memdup((char *)data, pos);
if (tx->request_method == NULL) {
return HTP_ERROR;
}
tx->request_method_number = htp_convert_method_to_number(tx->request_method);
// Ignore whitespace after request method. The RFC allows
// for only one SP, but then suggests any number of SP and HT
// should be permitted.
while ((pos < len) && (isspace(data[pos]))) {
pos++;
}
size_t start = pos;
// The URI ends with the first whitespace.
while ((pos < len) && (!htp_is_space(data[pos]))) {
pos++;
}
tx->request_uri = bstr_memdup((char *)data + start, pos - start);
if (tx->request_uri == NULL) {
return HTP_ERROR;
}
// Ignore whitespace after URI
while ((pos < len) && (htp_is_space(data[pos]))) {
pos++;
}
// Is there protocol information available?
if (pos == len) {
// No, this looks like a HTTP/0.9 request.
tx->protocol_is_simple = 1;
return HTP_OK;
}
// The protocol information spreads until the end of the line.
tx->request_protocol = bstr_memdup((char *)data + pos, len - pos);
if (tx->request_protocol == NULL) {
return HTP_ERROR;
}
tx->request_protocol_number = htp_parse_protocol(tx->request_protocol);
return HTP_OK;
}
TEST(BstrTest, Alloc) {
bstr *p1;
p1 = bstr_alloc(10);
EXPECT_EQ(10, bstr_size(p1));
EXPECT_EQ(0, bstr_len(p1));
bstr_free(p1);
}
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *_f,
const uint8_t _flow_flags, void *txv, const int list_id)
{
SCEnter();
InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
if (buffer->inspect == NULL) {
htp_tx_t *tx = (htp_tx_t *)txv;
HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
if (tx_ud == NULL || tx_ud->request_uri_normalized == NULL) {
SCLogDebug("no tx_id or uri");
return NULL;
}
const uint32_t data_len = bstr_len(tx_ud->request_uri_normalized);
const uint8_t *data = bstr_ptr(tx_ud->request_uri_normalized);
InspectionBufferSetup(buffer, data, data_len);
InspectionBufferApplyTransforms(buffer, transforms);
}
return buffer;
}
void cwmsg_addelem_80211_add_wlan(struct cwmsg *cwmsg,struct cwwlan *wlan)
{
uint16_t capab=htons(wlan->capab);
uint16_t keylen=htons(wlan->key_length);
cwmsg_vaddelem(cwmsg,CW_ELEM_80211_ADD_WLAN,
&wlan->rid,1,
&wlan->wid,1,
&capab,2,
&wlan->key_index,1,
&wlan->key_status,1,
&keylen,2,
wlan->key,wlan->key_length,
wlan->group_tsc,6,
&wlan->qos,1,
&wlan->auth_type,1,
&wlan->mac_mode,1,
&wlan->tunnel_mode,1,
&wlan->suppress_ssid,1,
bstr_data(wlan->ssid),bstr_len(wlan->ssid),
NULL
);
}
TEST(BstrTest, CharAtEnd) {
bstr *str = bstr_dup_mem("ABCDEFGHIJKL\000NOPQRSTUVWXYZ", 20);
EXPECT_EQ('T', bstr_char_at_end(str, 0));
EXPECT_EQ('\000', bstr_char_at_end(str, 7));
EXPECT_EQ(-1, bstr_char_at_end(str, bstr_len(str)));
bstr_free(str);
}
/* Another special case callback. This one takes a htp_file_data_t pointer. */
int htpy_request_file_data_callback(htp_file_data_t *file_data) {
long i;
PyObject *res;
PyObject *arglist;
PyObject *data_key, *data_val;
PyObject *filename_key, *filename_val;
PyObject *tmpname_key, *tmpname_val;
PyObject *dict = PyDict_New();
if (!dict) {
PyErr_SetString(htpy_error, "Unable to create dictionary.");
return HTP_ERROR;
}
data_key = Py_BuildValue("s", "data");
data_val = Py_BuildValue("s#", file_data->data, file_data->len);
if (!data_key || !data_val) {
Py_DECREF(dict);
return HTP_ERROR;
}
if (PyDict_SetItem(dict, data_key, data_val) == -1) {
Py_DECREF(dict);
return HTP_ERROR;
}
if (file_data->file->filename) {
filename_key = Py_BuildValue("s", "filename");
filename_val = Py_BuildValue("s#", bstr_ptr(file_data->file->filename), bstr_len(file_data->file->filename));
if (PyDict_SetItem(dict, filename_key, filename_val) == -1) {
Py_DECREF(dict);
return HTP_ERROR;
}
}
if (file_data->file->tmpname) {
tmpname_key = Py_BuildValue("s", "tmpname");
tmpname_val = Py_BuildValue("s", file_data->file->tmpname);
if (PyDict_SetItem(dict, tmpname_key, tmpname_val) == -1) {
Py_DECREF(dict);
return HTP_ERROR;
}
}
arglist = Py_BuildValue("(O)", dict);
if (!arglist)
return HTP_ERROR;
res = PyObject_CallObject(request_file_data_callback, arglist);
Py_DECREF(arglist);
if (PyErr_Occurred() != NULL) {
PyErr_PrintEx(0);
return HTP_ERROR;
}
i = PyInt_AsLong(res);
Py_DECREF(res);
return((int) i);
}
/**
* \brief Do the http_method content inspection for a signature.
*
* \param de_ctx Detection engine context.
* \param det_ctx Detection engine thread context.
* \param s Signature to inspect.
* \param f Flow.
* \param flags App layer flags.
* \param state App layer state.
*
* \retval 0 No match.
* \retval 1 Match.
*/
int DetectEngineInspectHttpMethod(DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx,
Signature *s, Flow *f, uint8_t flags,
void *alstate)
{
SCEnter();
int r = 0;
HtpState *htp_state = NULL;
htp_tx_t *tx = NULL;
int idx;
FLOWLOCK_RDLOCK(f);
htp_state = (HtpState *)alstate;
if (htp_state == NULL) {
SCLogDebug("no HTTP state");
goto end;
}
if (htp_state->connp == NULL || htp_state->connp->conn == NULL) {
SCLogDebug("HTP state has no conn(p)");
goto end;
}
idx = AppLayerTransactionGetInspectId(f);
if (idx == -1) {
goto end;
}
int size = (int)list_size(htp_state->connp->conn->transactions);
for (; idx < size; idx++) {
tx = list_get(htp_state->connp->conn->transactions, idx);
if (tx == NULL || tx->request_method == NULL)
continue;
det_ctx->buffer_offset = 0;
det_ctx->discontinue_matching = 0;
det_ctx->inspection_recursion_counter = 0;
r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HMDMATCH],
f,
(uint8_t *)bstr_ptr(tx->request_method),
bstr_len(tx->request_method),
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HMD, NULL);
//r = DoInspectHttpMethod(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HMDMATCH],
//(uint8_t *)bstr_ptr(tx->request_method),
//bstr_len(tx->request_method));
if (r == 1) {
break;
}
}
end:
FLOWLOCK_UNLOCK(f);
SCReturnInt(r);
}
TEST(BstrTest, AdjustLen) {
bstr *p1 = bstr_dup_c("abcdef");
bstr_adjust_len(p1, 3);
EXPECT_EQ(3, bstr_len(p1));
EXPECT_EQ(0, bstr_cmp_c(p1,"abc"));
bstr_free(p1);
}
TEST(BstrTest, DupC) {
bstr *p1;
p1 = bstr_dup_c("arfarf");
EXPECT_EQ(6, bstr_size(p1));
EXPECT_EQ(6, bstr_len(p1));
EXPECT_EQ(0, memcmp("arfarf", bstr_ptr(p1), 6));
bstr_free(p1);
}
TEST(BstrTest, ExpandLocal) {
bstr *p1;
bstr *p2;
p1 = bstr_alloc(10);
p2 = bstr_expand(p1, 100);
ASSERT_NE(reinterpret_cast<bstr*>(NULL), p2);
EXPECT_EQ(100, bstr_size(p2));
EXPECT_EQ(0, bstr_len(p2));
bstr_free(p2);
}
TEST(BstrTest, Chop) {
bstr *p1 = bstr_dup_c("abcdef");
bstr *p2 = bstr_alloc(10);
bstr_chop(p1);
EXPECT_EQ(0, bstr_cmp_c(p1,"abcde"));
bstr_chop(p2);
EXPECT_EQ(0, bstr_len(p2));
bstr_free(p1);
bstr_free(p2);
}
TEST(BstrTest, DupEx) {
bstr *p1;
bstr *p2;
p1 = bstr_dup_c("0123456789abcdefghijkl");
p2 = bstr_dup_ex(p1, 4, 10);
EXPECT_EQ(10, bstr_size(p2));
EXPECT_EQ(10, bstr_len(p2));
EXPECT_EQ(0, memcmp("456789abcd", bstr_ptr(p2),10));
bstr_free(p1);
bstr_free(p2);
}
static int HttpGetRequestUriNormalized(lua_State *luastate)
{
if (!(LuaStateNeedProto(luastate, ALPROTO_HTTP)))
return LuaCallbackError(luastate, "error: protocol not http");
htp_tx_t *tx = LuaStateGetTX(luastate);
if (tx == NULL)
return LuaCallbackError(luastate, "internal error: no tx");
HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(tx);
if (htud == NULL)
return LuaCallbackError(luastate, "no htud in tx");
if (htud->request_uri_normalized == NULL ||
bstr_ptr(htud->request_uri_normalized) == NULL ||
bstr_len(htud->request_uri_normalized) == 0)
return LuaCallbackError(luastate, "no normalized uri");
return LuaPushStringBuffer(luastate,
bstr_ptr(htud->request_uri_normalized),
bstr_len(htud->request_uri_normalized));
}
static void LogFileMetaGetHost(FILE *fp, Packet *p, File *ff) {
HtpState *htp_state = (HtpState *)p->flow->alstate;
if (htp_state != NULL) {
htp_tx_t *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP, htp_state, ff->txid);
if (tx != NULL && tx->request_hostname != NULL) {
PrintRawJsonFp(fp, (uint8_t *)bstr_ptr(tx->request_hostname),
bstr_len(tx->request_hostname));
return;
}
}
fprintf(fp, "<unknown>");
}
static void LogFilestoreMetaGetUri(FILE *fp, Packet *p, File *ff) {
HtpState *htp_state = (HtpState *)p->flow->alstate;
if (htp_state != NULL) {
htp_tx_t *tx = list_get(htp_state->connp->conn->transactions, ff->txid);
if (tx != NULL && tx->request_uri_normalized != NULL) {
PrintRawUriFp(fp, (uint8_t *)bstr_ptr(tx->request_uri_normalized),
bstr_len(tx->request_uri_normalized));
return;
}
}
fprintf(fp, "<unknown>");
}
/**
* \brief Do the content inspection & validation for a signature
*
* \param de_ctx Detection engine context
* \param det_ctx Detection engine thread context
* \param s Signature to inspect
* \param sm SigMatch to inspect
* \param f Flow
* \param flags app layer flags
* \param state App layer state
*
* \retval 0 no match.
* \retval 1 match.
* \retval 2 Sig can't match.
*/
int DetectEngineInspectHttpResponseLine(ThreadVars *tv,
DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx,
Signature *s, Flow *f, uint8_t flags,
void *alstate,
void *txv, uint64_t tx_id)
{
htp_tx_t *tx = (htp_tx_t *)txv;
if (tx->response_line == NULL) {
if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, txv, flags) > HTP_RESPONSE_LINE)
return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
else
return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
}
det_ctx->discontinue_matching = 0;
det_ctx->buffer_offset = 0;
det_ctx->inspection_recursion_counter = 0;
#if 0
PrintRawDataFp(stdout, (uint8_t *)bstr_ptr(tx->response_line),
bstr_len(tx->response_line));
#endif
/* run the inspection against the buffer */
int r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HTTP_RESLINEMATCH],
f,
bstr_ptr(tx->response_line),
bstr_len(tx->response_line),
0,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
if (r == 1) {
return DETECT_ENGINE_INSPECT_SIG_MATCH;
} else {
return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
}
}
/*
* XXX: Not sure I like mucking around in the transaction to get the status,
* but I'm not sure of a better way.
*/
static PyObject *htpy_connp_get_response_status_string(PyObject *self, PyObject *args) {
PyObject *ret;
htp_tx_t *tx = NULL;
tx = htp_list_get(((htpy_connp *) self)->connp->conn->transactions, htp_list_size(((htpy_connp *) self)->connp->conn->transactions) - 1);
if (!tx) {
PyErr_SetString(htpy_error, "Missing transaction.");
return NULL;
}
ret = Py_BuildValue("s#", bstr_ptr(tx->response_status), bstr_len(tx->response_status));
return ret;
}
static void LogFilestoreMetaGetReferer(FILE *fp, Packet *p, File *ff) {
HtpState *htp_state = (HtpState *)p->flow->alstate;
if (htp_state != NULL) {
htp_tx_t *tx = list_get(htp_state->connp->conn->transactions, ff->txid);
if (tx != NULL) {
table_t *headers;
headers = tx->request_headers;
htp_header_t *h = NULL;
table_iterator_reset(headers);
while (table_iterator_next(headers, (void **)&h) != NULL) {
if (bstr_len(h->name) >= 7 &&
SCMemcmpLowercase((uint8_t *)"referer", (uint8_t *)bstr_ptr(h->name), bstr_len(h->name)) == 0) {
PrintRawUriFp(fp, (uint8_t *)bstr_ptr(h->value),
bstr_len(h->value));
return;
}
}
}
}
fprintf(fp, "<unknown>");
}
/**
* Parses Basic Authorization request header.
*
* @param[in] connp
* @param[in] auth_header
*/
int htp_parse_authorization_basic(htp_connp_t *connp, htp_header_t *auth_header) {
unsigned char *data = bstr_ptr(auth_header->value);
size_t len = bstr_len(auth_header->value);
size_t pos = 5;
// Ignore whitespace
while ((pos < len) && (isspace((int) data[pos]))) pos++;
if (pos == len) return HTP_ERROR;
// Decode base64-encoded data
bstr *decoded = htp_base64_decode_mem(data + pos, len - pos);
if (decoded == NULL) return HTP_ERROR;
// Now extract the username and password
int i = bstr_index_of_c(decoded, ":");
if (i == -1) {
bstr_free(decoded);
return HTP_ERROR;
}
connp->in_tx->request_auth_username = bstr_dup_ex(decoded, 0, i);
if (connp->in_tx->request_auth_username == NULL) {
bstr_free(decoded);
return HTP_ERROR;
}
connp->in_tx->request_auth_password = bstr_dup_ex(decoded, i + 1, bstr_len(decoded) - i - 1);
if (connp->in_tx->request_auth_password) {
bstr_free(decoded);
bstr_free(connp->in_tx->request_auth_username);
return HTP_ERROR;
}
bstr_free(decoded);
return HTP_OK;
}
int DetectEngineRunHttpUAMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags)
{
htp_tx_t *tx = NULL;
uint32_t cnt = 0;
int idx;
/* we need to lock because the buffers are not actually true buffers
* but are ones that point to a buffer given by libhtp */
FLOWLOCK_RDLOCK(f);
if (htp_state == NULL) {
SCLogDebug("no HTTP state");
goto end;
}
if (htp_state->connp == NULL || htp_state->connp->conn == NULL) {
SCLogDebug("HTP state has no conn(p)");
goto end;
}
idx = AppLayerTransactionGetInspectId(f);
if (idx == -1) {
goto end;
}
int size = (int)list_size(htp_state->connp->conn->transactions);
for (; idx < size; idx++) {
tx = list_get(htp_state->connp->conn->transactions, idx);
if (tx == NULL)
continue;
htp_header_t *h = (htp_header_t *)table_getc(tx->request_headers,
"User-Agent");
if (h == NULL) {
SCLogDebug("HTTP user agent header not present in this request");
continue;
}
cnt += HttpUAPatternSearch(det_ctx,
(uint8_t *)bstr_ptr(h->value),
bstr_len(h->value), flags);
}
end:
FLOWLOCK_UNLOCK(f);
return cnt;
}
/**
* Extract one request header. A header can span multiple lines, in
* which case they will be folded into one before parsing is attempted.
*
* @param[in] connp
* @param[in] data
* @param[in] len
* @return HTP_OK or HTP_ERROR
*/
htp_status_t htp_process_request_header_generic(htp_connp_t *connp, unsigned char *data, size_t len) {
// Create a new header structure.
htp_header_t *h = calloc(1, sizeof (htp_header_t));
if (h == NULL) return HTP_ERROR;
// Now try to parse the header.
if (htp_parse_request_header_generic(connp, h, data, len) != HTP_OK) {
free(h);
return HTP_ERROR;
}
#ifdef HTP_DEBUG
fprint_bstr(stderr, "Header name", h->name);
fprint_bstr(stderr, "Header value", h->value);
#endif
// Do we already have a header with the same name?
htp_header_t *h_existing = htp_table_get(connp->in_tx->request_headers, h->name);
if (h_existing != NULL) {
// TODO Do we want to have a list of the headers that are
// allowed to be combined in this way?
// Add to the existing header.
bstr *new_value = bstr_expand(h_existing->value, bstr_len(h_existing->value) + 2 + bstr_len(h->value));
if (new_value == NULL) {
bstr_free(h->name);
bstr_free(h->value);
free(h);
return HTP_ERROR;
}
h_existing->value = new_value;
bstr_add_mem_noex(h_existing->value, ", ", 2);
bstr_add_noex(h_existing->value, h->value);
// The new header structure is no longer needed.
bstr_free(h->name);
bstr_free(h->value);
free(h);
// Keep track of repeated same-name headers.
h_existing->flags |= HTP_FIELD_REPEATED;
} else {
// Add as a new header.
htp_table_add(connp->in_tx->request_headers, h->name, h);
}
return HTP_OK;
}
static int HttpGetRequestUriRaw(lua_State *luastate)
{
if (!(LuaStateNeedProto(luastate, ALPROTO_HTTP)))
return LuaCallbackError(luastate, "error: protocol not http");
htp_tx_t *tx = LuaStateGetTX(luastate);
if (tx == NULL)
return LuaCallbackError(luastate, "internal error: no tx");
if (tx->request_uri == NULL)
return LuaCallbackError(luastate, "no request uri");
return LuaPushStringBuffer(luastate,
bstr_ptr(tx->request_uri), bstr_len(tx->request_uri));
}
/**
* If there is any data left in the inbound data chunk, this function will preserve
* it for later consumption. The maximum amount accepted for buffering is controlled
* by htp_config_t::field_limit_hard.
*
* @param[in] connp
* @return HTP_OK, or HTP_ERROR on fatal failure.
*/
static htp_status_t htp_connp_req_buffer(htp_connp_t *connp) {
if (connp->in_current_data == NULL) return HTP_OK;
unsigned char *data = connp->in_current_data + connp->in_current_consume_offset;
size_t len = connp->in_current_read_offset - connp->in_current_consume_offset;
if (len == 0)
return HTP_OK;
// Check the hard (buffering) limit.
size_t newlen = connp->in_buf_size + len;
// When calculating the size of the buffer, take into account the
// space we're using for the request header buffer.
if (connp->in_header != NULL) {
newlen += bstr_len(connp->in_header);
}
if (newlen > connp->in_tx->cfg->field_limit_hard) {
htp_log(connp, HTP_LOG_MARK, HTP_LOG_ERROR, 0, "Request buffer over the limit: size %zd limit %zd.",
newlen, connp->in_tx->cfg->field_limit_hard);
return HTP_ERROR;
}
// Copy the data remaining in the buffer.
if (connp->in_buf == NULL) {
connp->in_buf = malloc(len);
if (connp->in_buf == NULL) return HTP_ERROR;
memcpy(connp->in_buf, data, len);
connp->in_buf_size = len;
} else {
size_t newsize = connp->in_buf_size + len;
unsigned char *newbuf = realloc(connp->in_buf, newsize);
if (newbuf == NULL) return HTP_ERROR;
connp->in_buf = newbuf;
memcpy(connp->in_buf + connp->in_buf_size, data, len);
connp->in_buf_size = newsize;
}
// Reset the consumer position.
connp->in_current_consume_offset = connp->in_current_read_offset;
return HTP_OK;
}
static void LogFilestoreMetaGetUri(FILE *fp, const Packet *p, const File *ff)
{
HtpState *htp_state = (HtpState *)p->flow->alstate;
if (htp_state != NULL) {
htp_tx_t *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP, htp_state, ff->txid);
if (tx != NULL) {
HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
if (tx_ud->request_uri_normalized != NULL) {
PrintRawUriFp(fp, bstr_ptr(tx_ud->request_uri_normalized),
bstr_len(tx_ud->request_uri_normalized));
}
return;
}
}
fprintf(fp, "<unknown>");
}
void append_message(std::ostream & o,
const char *label, const char *expected, bstr *actual) {
o << label << " missmatch: ";
if (expected != NULL) {
o << "'" << expected << "'";
} else {
o << "<NULL>";
}
o << " != ";
if (actual != NULL) {
o << "'";
o.write((const char *)bstr_ptr(actual), bstr_len(actual));
o << "'";
} else {
o << "<NULL>";
}
o << std:: endl;
}
static void LogFileMetaGetUserAgent(FILE *fp, Packet *p, File *ff) {
HtpState *htp_state = (HtpState *)p->flow->alstate;
if (htp_state != NULL) {
htp_tx_t *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP, htp_state, ff->txid);
if (tx != NULL) {
htp_header_t *h = NULL;
h = (htp_header_t *)htp_table_get_c(tx->request_headers,
"User-Agent");
if (h != NULL) {
PrintRawJsonFp(fp, (uint8_t *)bstr_ptr(h->value),
bstr_len(h->value));
return;
}
}
}
fprintf(fp, "<unknown>");
}
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms,
Flow *_f, const uint8_t _flow_flags,
void *txv, const int list_id)
{
InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
if (buffer->inspect == NULL) {
htp_tx_t *tx = (htp_tx_t *)txv;
if (unlikely(tx->request_line == NULL)) {
return NULL;
}
const uint32_t data_len = bstr_len(tx->request_line);
const uint8_t *data = bstr_ptr(tx->request_line);
InspectionBufferSetup(buffer, data, data_len);
InspectionBufferApplyTransforms(buffer, transforms);
}
return buffer;
}
/**
* Parses Digest Authorization request header.
*
* @param[in] connp
* @param[in] auth_header
*/
int htp_parse_authorization_digest(htp_connp_t *connp, htp_header_t *auth_header) {
// Extract the username
int i = bstr_index_of_c(auth_header->value, "username="******"') {
connp->in_tx->request_auth_username = htp_extract_quoted_string_as_bstr(data + pos, len - pos, NULL);
} else {
return HTP_ERROR;
}
return HTP_OK;
}
