static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *_f,
const uint8_t _flow_flags, void *txv, const int list_id)
{
SCEnter();
InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
if (buffer->inspect == NULL) {
htp_tx_t *tx = (htp_tx_t *)txv;
HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
if (tx_ud == NULL || tx_ud->request_uri_normalized == NULL) {
SCLogDebug("no tx_id or uri");
return NULL;
}
const uint32_t data_len = bstr_len(tx_ud->request_uri_normalized);
const uint8_t *data = bstr_ptr(tx_ud->request_uri_normalized);
InspectionBufferSetup(buffer, data, data_len);
InspectionBufferApplyTransforms(buffer, transforms);
}
return buffer;
}
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *_f,
const uint8_t flow_flags, void *txv, const int list_id)
{
InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
if (buffer->inspect == NULL) {
htp_tx_t *tx = (htp_tx_t *)txv;
HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
if (tx_ud == NULL)
return NULL;
const bool ts = ((flow_flags & STREAM_TOSERVER) != 0);
const uint8_t *data = ts ?
tx_ud->request_headers_raw : tx_ud->response_headers_raw;
if (data == NULL)
return NULL;
const uint8_t data_len = ts ?
tx_ud->request_headers_raw_len : tx_ud->response_headers_raw_len;
InspectionBufferSetup(buffer, data, data_len);
InspectionBufferApplyTransforms(buffer, transforms);
}
return buffer;
}
static int HttpGetRawHeaders(lua_State *luastate, int dir)
{
if (!(LuaStateNeedProto(luastate, ALPROTO_HTTP)))
return LuaCallbackError(luastate, "error: protocol not http");
htp_tx_t *tx = LuaStateGetTX(luastate);
if (tx == NULL)
return LuaCallbackError(luastate, "internal error: no tx");
HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(tx);
if (htud == NULL)
return LuaCallbackError(luastate, "no htud in tx");
uint8_t *raw = htud->request_headers_raw;
uint32_t raw_len = htud->request_headers_raw_len;
if (dir == 1) {
raw = htud->response_headers_raw;
raw_len = htud->response_headers_raw_len;
}
if (raw == NULL || raw_len == 0)
return LuaCallbackError(luastate, "no raw headers");
return LuaPushStringBuffer(luastate, raw, raw_len);
}
static int HttpGetBody(lua_State *luastate, int dir)
{
HtpBody *body = NULL;
if (!(LuaStateNeedProto(luastate, ALPROTO_HTTP)))
return LuaCallbackError(luastate, "error: protocol not http");
htp_tx_t *tx = LuaStateGetTX(luastate);
if (tx == NULL)
return LuaCallbackError(luastate, "internal error: no tx");
HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(tx);
if (htud == NULL)
return LuaCallbackError(luastate, "no htud in tx");
if (dir == 0)
body = &htud->request_body;
else
body = &htud->response_body;
if (body->first == NULL)
return LuaCallbackError(luastate, "no body");
int index = 1;
HtpBodyChunk *chunk = body->first;
lua_newtable(luastate);
while (chunk != NULL) {
lua_pushinteger(luastate, index);
const uint8_t *data = NULL;
uint32_t data_len = 0;
StreamingBufferSegmentGetData(body->sb, &chunk->sbseg, &data, &data_len);
LuaPushStringBuffer(luastate, data, data_len);
lua_settable(luastate, -3);
chunk = chunk->next;
index++;
}
if (body->first && body->last) {
lua_pushinteger(luastate, body->first->sbseg.stream_offset);
lua_pushinteger(luastate, body->last->sbseg.stream_offset + body->last->sbseg.segment_len);
return 3;
} else {
return 1;
}
}
static void LogFilestoreMetaGetUri(FILE *fp, const Packet *p, const File *ff)
{
HtpState *htp_state = (HtpState *)p->flow->alstate;
if (htp_state != NULL) {
htp_tx_t *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP, htp_state, ff->txid);
if (tx != NULL) {
HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
if (tx_ud->request_uri_normalized != NULL) {
PrintRawUriFp(fp, bstr_ptr(tx_ud->request_uri_normalized),
bstr_len(tx_ud->request_uri_normalized));
}
return;
}
}
fprintf(fp, "<unknown>");
}
static void PrefilterMpmHttpTrailerRaw(DetectEngineThreadCtx *det_ctx,
const void *pectx,
Packet *p, Flow *f, void *txv,
const uint64_t idx, const uint8_t flags)
{
SCEnter();
htp_tx_t *tx = txv;
const HtpTxUserData *htud = (const HtpTxUserData *)htp_tx_get_user_data(tx);
/* if the request wasn't flagged as having a trailer, we skip */
if (htud && (
((flags & STREAM_TOSERVER) && !htud->request_has_trailers) ||
((flags & STREAM_TOCLIENT) && !htud->response_has_trailers))) {
SCReturn;
}
PrefilterMpmHttpHeaderRaw(det_ctx, pectx, p, f, txv, idx, flags);
SCReturn;
}
static json_t *LogFileMetaGetUri(const Packet *p, const File *ff) {
HtpState *htp_state = (HtpState *)p->flow->alstate;
json_t *js = NULL;
if (htp_state != NULL) {
htp_tx_t *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP, htp_state, ff->txid);
if (tx != NULL) {
HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
if (tx_ud->request_uri_normalized != NULL) {
char *s = bstr_util_strdup_to_c(tx_ud->request_uri_normalized);
if (s != NULL) {
js = json_string(s);
SCFree(s);
}
}
return js;
}
}
return json_string("<unknown>");
}
static int HttpGetRequestUriNormalized(lua_State *luastate)
{
if (!(LuaStateNeedProto(luastate, ALPROTO_HTTP)))
return LuaCallbackError(luastate, "error: protocol not http");
htp_tx_t *tx = LuaStateGetTX(luastate);
if (tx == NULL)
return LuaCallbackError(luastate, "internal error: no tx");
HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(tx);
if (htud == NULL)
return LuaCallbackError(luastate, "no htud in tx");
if (htud->request_uri_normalized == NULL ||
bstr_ptr(htud->request_uri_normalized) == NULL ||
bstr_len(htud->request_uri_normalized) == 0)
return LuaCallbackError(luastate, "no normalized uri");
return LuaPushStringBuffer(luastate,
bstr_ptr(htud->request_uri_normalized),
bstr_len(htud->request_uri_normalized));
}
int HttpBodyIterator(Flow *f, int close, void *cbdata, uint8_t iflags)
{
SCLogDebug("called with %p, %d, %p, %02x", f, close, cbdata, iflags);
HtpState *s = f->alstate;
if (s != NULL && s->conn != NULL) {
int tx_progress_done_value_ts =
AppLayerParserGetStateProgressCompletionStatus(IPPROTO_TCP,
ALPROTO_HTTP, STREAM_TOSERVER);
int tx_progress_done_value_tc =
AppLayerParserGetStateProgressCompletionStatus(IPPROTO_TCP,
ALPROTO_HTTP, STREAM_TOCLIENT);
// for each tx
uint64_t tx_id = 0;
uint64_t total_txs = AppLayerParserGetTxCnt(f->proto, f->alproto, f->alstate);
SCLogDebug("s->conn %p", s->conn);
for (tx_id = 0; tx_id < total_txs; tx_id++) { // TODO optimization store log tx
htp_tx_t *tx = AppLayerParserGetTx(f->proto, f->alproto, f->alstate, tx_id);
if (tx != NULL) {
int tx_done = 0;
int tx_logged = 0;
int tx_progress_ts = AppLayerParserGetStateProgress(
IPPROTO_TCP, ALPROTO_HTTP, tx, FlowGetDisruptionFlags(f, STREAM_TOSERVER));
if (tx_progress_ts >= tx_progress_done_value_ts) {
int tx_progress_tc = AppLayerParserGetStateProgress(
IPPROTO_TCP, ALPROTO_HTTP, tx, FlowGetDisruptionFlags(f, STREAM_TOCLIENT));
if (tx_progress_tc >= tx_progress_done_value_tc) {
tx_done = 1;
}
}
SCLogDebug("tx %p", tx);
HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(tx);
if (htud != NULL) {
SCLogDebug("htud %p", htud);
HtpBody *body = NULL;
if (iflags & OUTPUT_STREAMING_FLAG_TOCLIENT)
body = &htud->request_body;
else if (iflags & OUTPUT_STREAMING_FLAG_TOSERVER)
body = &htud->response_body;
if (body == NULL) {
SCLogDebug("no body");
goto next;
}
if (body->first == NULL) {
SCLogDebug("no body chunks");
goto next;
}
if (body->last->logged == 1) {
SCLogDebug("all logged already");
goto next;
}
// for each chunk
HtpBodyChunk *chunk = body->first;
for ( ; chunk != NULL; chunk = chunk->next) {
if (chunk->logged) {
SCLogDebug("logged %d", chunk->logged);
continue;
}
uint8_t flags = iflags | OUTPUT_STREAMING_FLAG_TRANSACTION;
if (chunk->stream_offset == 0)
flags |= OUTPUT_STREAMING_FLAG_OPEN;
/* if we need to close and we're at the last segment in the list
* we add the 'close' flag so the logger can close up. */
if ((tx_done || close) && chunk->next == NULL) {
flags |= OUTPUT_STREAMING_FLAG_CLOSE;
}
// invoke Streamer
Streamer(cbdata, f, chunk->data, (uint32_t)chunk->len, tx_id, flags);
//PrintRawDataFp(stdout, chunk->data, chunk->len);
chunk->logged = 1;
tx_logged = 1;
}
next:
/* if we need to close we need to invoke the Streamer for sure. If we
* logged no chunks, we call the Streamer with NULL data so it can
* close up. */
if (tx_logged == 0 && (close||tx_done)) {
Streamer(cbdata, f, NULL, 0, tx_id,
OUTPUT_STREAMING_FLAG_CLOSE|OUTPUT_STREAMING_FLAG_TRANSACTION);
}
}
}
}
}
return 0;
}
static htp_status_t GUnzip_decompressor_callback(htp_tx_data_t *d) {
bstr **output = (bstr **) htp_tx_get_user_data(d->tx);
*output = bstr_dup_mem(d->data, d->len);
return HTP_OK;
}
