static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv, const int list_id) { SCEnter(); InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); if (buffer->inspect == NULL) { htp_tx_t *tx = (htp_tx_t *)txv; HtpTxUserData *tx_ud = htp_tx_get_user_data(tx); if (tx_ud == NULL || tx_ud->request_uri_normalized == NULL) { SCLogDebug("no tx_id or uri"); return NULL; } const uint32_t data_len = bstr_len(tx_ud->request_uri_normalized); const uint8_t *data = bstr_ptr(tx_ud->request_uri_normalized); InspectionBufferSetup(buffer, data, data_len); InspectionBufferApplyTransforms(buffer, transforms); } return buffer; }
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const DetectEngineTransforms *transforms, Flow *_f, const uint8_t flow_flags, void *txv, const int list_id) { InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); if (buffer->inspect == NULL) { htp_tx_t *tx = (htp_tx_t *)txv; HtpTxUserData *tx_ud = htp_tx_get_user_data(tx); if (tx_ud == NULL) return NULL; const bool ts = ((flow_flags & STREAM_TOSERVER) != 0); const uint8_t *data = ts ? tx_ud->request_headers_raw : tx_ud->response_headers_raw; if (data == NULL) return NULL; const uint8_t data_len = ts ? tx_ud->request_headers_raw_len : tx_ud->response_headers_raw_len; InspectionBufferSetup(buffer, data, data_len); InspectionBufferApplyTransforms(buffer, transforms); } return buffer; }
static int HttpGetRawHeaders(lua_State *luastate, int dir) { if (!(LuaStateNeedProto(luastate, ALPROTO_HTTP))) return LuaCallbackError(luastate, "error: protocol not http"); htp_tx_t *tx = LuaStateGetTX(luastate); if (tx == NULL) return LuaCallbackError(luastate, "internal error: no tx"); HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(tx); if (htud == NULL) return LuaCallbackError(luastate, "no htud in tx"); uint8_t *raw = htud->request_headers_raw; uint32_t raw_len = htud->request_headers_raw_len; if (dir == 1) { raw = htud->response_headers_raw; raw_len = htud->response_headers_raw_len; } if (raw == NULL || raw_len == 0) return LuaCallbackError(luastate, "no raw headers"); return LuaPushStringBuffer(luastate, raw, raw_len); }
static int HttpGetBody(lua_State *luastate, int dir) { HtpBody *body = NULL; if (!(LuaStateNeedProto(luastate, ALPROTO_HTTP))) return LuaCallbackError(luastate, "error: protocol not http"); htp_tx_t *tx = LuaStateGetTX(luastate); if (tx == NULL) return LuaCallbackError(luastate, "internal error: no tx"); HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(tx); if (htud == NULL) return LuaCallbackError(luastate, "no htud in tx"); if (dir == 0) body = &htud->request_body; else body = &htud->response_body; if (body->first == NULL) return LuaCallbackError(luastate, "no body"); int index = 1; HtpBodyChunk *chunk = body->first; lua_newtable(luastate); while (chunk != NULL) { lua_pushinteger(luastate, index); const uint8_t *data = NULL; uint32_t data_len = 0; StreamingBufferSegmentGetData(body->sb, &chunk->sbseg, &data, &data_len); LuaPushStringBuffer(luastate, data, data_len); lua_settable(luastate, -3); chunk = chunk->next; index++; } if (body->first && body->last) { lua_pushinteger(luastate, body->first->sbseg.stream_offset); lua_pushinteger(luastate, body->last->sbseg.stream_offset + body->last->sbseg.segment_len); return 3; } else { return 1; } }
static void LogFilestoreMetaGetUri(FILE *fp, const Packet *p, const File *ff) { HtpState *htp_state = (HtpState *)p->flow->alstate; if (htp_state != NULL) { htp_tx_t *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP, htp_state, ff->txid); if (tx != NULL) { HtpTxUserData *tx_ud = htp_tx_get_user_data(tx); if (tx_ud->request_uri_normalized != NULL) { PrintRawUriFp(fp, bstr_ptr(tx_ud->request_uri_normalized), bstr_len(tx_ud->request_uri_normalized)); } return; } } fprintf(fp, "<unknown>"); }
static void PrefilterMpmHttpTrailerRaw(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *txv, const uint64_t idx, const uint8_t flags) { SCEnter(); htp_tx_t *tx = txv; const HtpTxUserData *htud = (const HtpTxUserData *)htp_tx_get_user_data(tx); /* if the request wasn't flagged as having a trailer, we skip */ if (htud && ( ((flags & STREAM_TOSERVER) && !htud->request_has_trailers) || ((flags & STREAM_TOCLIENT) && !htud->response_has_trailers))) { SCReturn; } PrefilterMpmHttpHeaderRaw(det_ctx, pectx, p, f, txv, idx, flags); SCReturn; }
static json_t *LogFileMetaGetUri(const Packet *p, const File *ff) { HtpState *htp_state = (HtpState *)p->flow->alstate; json_t *js = NULL; if (htp_state != NULL) { htp_tx_t *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP, htp_state, ff->txid); if (tx != NULL) { HtpTxUserData *tx_ud = htp_tx_get_user_data(tx); if (tx_ud->request_uri_normalized != NULL) { char *s = bstr_util_strdup_to_c(tx_ud->request_uri_normalized); if (s != NULL) { js = json_string(s); SCFree(s); } } return js; } } return json_string("<unknown>"); }
static int HttpGetRequestUriNormalized(lua_State *luastate) { if (!(LuaStateNeedProto(luastate, ALPROTO_HTTP))) return LuaCallbackError(luastate, "error: protocol not http"); htp_tx_t *tx = LuaStateGetTX(luastate); if (tx == NULL) return LuaCallbackError(luastate, "internal error: no tx"); HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(tx); if (htud == NULL) return LuaCallbackError(luastate, "no htud in tx"); if (htud->request_uri_normalized == NULL || bstr_ptr(htud->request_uri_normalized) == NULL || bstr_len(htud->request_uri_normalized) == 0) return LuaCallbackError(luastate, "no normalized uri"); return LuaPushStringBuffer(luastate, bstr_ptr(htud->request_uri_normalized), bstr_len(htud->request_uri_normalized)); }
int HttpBodyIterator(Flow *f, int close, void *cbdata, uint8_t iflags) { SCLogDebug("called with %p, %d, %p, %02x", f, close, cbdata, iflags); HtpState *s = f->alstate; if (s != NULL && s->conn != NULL) { int tx_progress_done_value_ts = AppLayerParserGetStateProgressCompletionStatus(IPPROTO_TCP, ALPROTO_HTTP, STREAM_TOSERVER); int tx_progress_done_value_tc = AppLayerParserGetStateProgressCompletionStatus(IPPROTO_TCP, ALPROTO_HTTP, STREAM_TOCLIENT); // for each tx uint64_t tx_id = 0; uint64_t total_txs = AppLayerParserGetTxCnt(f->proto, f->alproto, f->alstate); SCLogDebug("s->conn %p", s->conn); for (tx_id = 0; tx_id < total_txs; tx_id++) { // TODO optimization store log tx htp_tx_t *tx = AppLayerParserGetTx(f->proto, f->alproto, f->alstate, tx_id); if (tx != NULL) { int tx_done = 0; int tx_logged = 0; int tx_progress_ts = AppLayerParserGetStateProgress( IPPROTO_TCP, ALPROTO_HTTP, tx, FlowGetDisruptionFlags(f, STREAM_TOSERVER)); if (tx_progress_ts >= tx_progress_done_value_ts) { int tx_progress_tc = AppLayerParserGetStateProgress( IPPROTO_TCP, ALPROTO_HTTP, tx, FlowGetDisruptionFlags(f, STREAM_TOCLIENT)); if (tx_progress_tc >= tx_progress_done_value_tc) { tx_done = 1; } } SCLogDebug("tx %p", tx); HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(tx); if (htud != NULL) { SCLogDebug("htud %p", htud); HtpBody *body = NULL; if (iflags & OUTPUT_STREAMING_FLAG_TOCLIENT) body = &htud->request_body; else if (iflags & OUTPUT_STREAMING_FLAG_TOSERVER) body = &htud->response_body; if (body == NULL) { SCLogDebug("no body"); goto next; } if (body->first == NULL) { SCLogDebug("no body chunks"); goto next; } if (body->last->logged == 1) { SCLogDebug("all logged already"); goto next; } // for each chunk HtpBodyChunk *chunk = body->first; for ( ; chunk != NULL; chunk = chunk->next) { if (chunk->logged) { SCLogDebug("logged %d", chunk->logged); continue; } uint8_t flags = iflags | OUTPUT_STREAMING_FLAG_TRANSACTION; if (chunk->stream_offset == 0) flags |= OUTPUT_STREAMING_FLAG_OPEN; /* if we need to close and we're at the last segment in the list * we add the 'close' flag so the logger can close up. */ if ((tx_done || close) && chunk->next == NULL) { flags |= OUTPUT_STREAMING_FLAG_CLOSE; } // invoke Streamer Streamer(cbdata, f, chunk->data, (uint32_t)chunk->len, tx_id, flags); //PrintRawDataFp(stdout, chunk->data, chunk->len); chunk->logged = 1; tx_logged = 1; } next: /* if we need to close we need to invoke the Streamer for sure. If we * logged no chunks, we call the Streamer with NULL data so it can * close up. */ if (tx_logged == 0 && (close||tx_done)) { Streamer(cbdata, f, NULL, 0, tx_id, OUTPUT_STREAMING_FLAG_CLOSE|OUTPUT_STREAMING_FLAG_TRANSACTION); } } } } } return 0; }
static htp_status_t GUnzip_decompressor_callback(htp_tx_data_t *d) { bstr **output = (bstr **) htp_tx_get_user_data(d->tx); *output = bstr_dup_mem(d->data, d->len); return HTP_OK; }