/** * \brief Do the http_method content inspection for a signature. * * \param de_ctx Detection engine context. * \param det_ctx Detection engine thread context. * \param s Signature to inspect. * \param f Flow. * \param flags App layer flags. * \param state App layer state. * * \retval 0 No match. * \retval 1 Match. */ int DetectEngineInspectHttpMethod(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Signature *s, Flow *f, uint8_t flags, void *alstate) { SCEnter(); int r = 0; HtpState *htp_state = NULL; htp_tx_t *tx = NULL; int idx; FLOWLOCK_RDLOCK(f); htp_state = (HtpState *)alstate; if (htp_state == NULL) { SCLogDebug("no HTTP state"); goto end; } if (htp_state->connp == NULL || htp_state->connp->conn == NULL) { SCLogDebug("HTP state has no conn(p)"); goto end; } idx = AppLayerTransactionGetInspectId(f); if (idx == -1) { goto end; } int size = (int)list_size(htp_state->connp->conn->transactions); for (; idx < size; idx++) { tx = list_get(htp_state->connp->conn->transactions, idx); if (tx == NULL || tx->request_method == NULL) continue; det_ctx->buffer_offset = 0; det_ctx->discontinue_matching = 0; det_ctx->inspection_recursion_counter = 0; r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HMDMATCH], f, (uint8_t *)bstr_ptr(tx->request_method), bstr_len(tx->request_method), DETECT_ENGINE_CONTENT_INSPECTION_MODE_HMD, NULL); //r = DoInspectHttpMethod(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HMDMATCH], //(uint8_t *)bstr_ptr(tx->request_method), //bstr_len(tx->request_method)); if (r == 1) { break; } } end: FLOWLOCK_UNLOCK(f); SCReturnInt(r); }
/** * \brief This function is used to match urilen rule option with the HTTP * uricontent. * * \param t pointer to thread vars * \param det_ctx pointer to the pattern matcher thread * \param p pointer to the current packet * \param m pointer to the sigmatch that we will cast into DetectUrilenData * * \retval 0 no match * \retval 1 match */ int DetectUrilenMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m) { SCEnter(); int ret = 0; int idx = 0; DetectUrilenData *urilend = (DetectUrilenData *) m->ctx; HtpState *htp_state = (HtpState *)state; if (htp_state == NULL) { SCLogDebug("no HTP state, no need to match further"); SCReturnInt(ret); } FLOWLOCK_RDLOCK(f); htp_tx_t *tx = NULL; idx = AppLayerTransactionGetInspectId(f); if (idx == -1) { goto end; } int size = (int)list_size(htp_state->connp->conn->transactions); for (; idx < size; idx++) { tx = list_get(htp_state->connp->conn->transactions, idx); if (tx == NULL || tx->request_uri_normalized == NULL) goto end; switch (urilend->mode) { case DETECT_URILEN_EQ: if (bstr_len(tx->request_uri_normalized) == urilend->urilen1) ret = 1; break; case DETECT_URILEN_LT: if (bstr_len(tx->request_uri_normalized) < urilend->urilen1) ret = 1; break; case DETECT_URILEN_GT: if (bstr_len(tx->request_uri_normalized) > urilend->urilen1) ret = 1; break; case DETECT_URILEN_RA: if (bstr_len(tx->request_uri_normalized) > urilend->urilen1 && bstr_len(tx->request_uri_normalized) < urilend->urilen2) ret = 1; break; } } end: FLOWLOCK_UNLOCK(f); SCReturnInt(ret); }
int DetectEngineRunHttpUAMpm(DetectEngineThreadCtx *det_ctx, Flow *f, HtpState *htp_state, uint8_t flags) { htp_tx_t *tx = NULL; uint32_t cnt = 0; int idx; /* we need to lock because the buffers are not actually true buffers * but are ones that point to a buffer given by libhtp */ FLOWLOCK_RDLOCK(f); if (htp_state == NULL) { SCLogDebug("no HTTP state"); goto end; } if (htp_state->connp == NULL || htp_state->connp->conn == NULL) { SCLogDebug("HTP state has no conn(p)"); goto end; } idx = AppLayerTransactionGetInspectId(f); if (idx == -1) { goto end; } int size = (int)list_size(htp_state->connp->conn->transactions); for (; idx < size; idx++) { tx = list_get(htp_state->connp->conn->transactions, idx); if (tx == NULL) continue; htp_header_t *h = (htp_header_t *)table_getc(tx->request_headers, "User-Agent"); if (h == NULL) { SCLogDebug("HTTP user agent header not present in this request"); continue; } cnt += HttpUAPatternSearch(det_ctx, (uint8_t *)bstr_ptr(h->value), bstr_len(h->value), flags); } end: FLOWLOCK_UNLOCK(f); return cnt; }
/** * \brief match the specified luajit * * \param t thread local vars * \param det_ctx pattern matcher thread local data * \param p packet * \param s signature being inspected * \param m sigmatch that we will cast into DetectLuajitData * * \retval 0 no match * \retval 1 match */ static int DetectLuajitMatch (ThreadVars *tv, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, SigMatch *m) { SCEnter(); int ret = 0; DetectLuajitData *luajit = (DetectLuajitData *)m->ctx; if (luajit == NULL) SCReturnInt(0); DetectLuajitThreadData *tluajit = (DetectLuajitThreadData *)DetectThreadCtxGetKeywordThreadCtx(det_ctx, luajit->thread_ctx_id); if (tluajit == NULL) SCReturnInt(0); if ((tluajit->flags & DATATYPE_PAYLOAD) && p->payload_len == 0) SCReturnInt(0); if ((tluajit->flags & DATATYPE_PACKET) && GET_PKT_LEN(p) == 0) SCReturnInt(0); if (tluajit->alproto != ALPROTO_UNKNOWN) { if (p->flow == NULL) SCReturnInt(0); FLOWLOCK_RDLOCK(p->flow); int alproto = p->flow->alproto; FLOWLOCK_UNLOCK(p->flow); if (tluajit->alproto != alproto) SCReturnInt(0); } lua_getglobal(tluajit->luastate, "match"); lua_newtable(tluajit->luastate); /* stack at -1 */ if ((tluajit->flags & DATATYPE_PAYLOAD) && p->payload_len) { lua_pushliteral(tluajit->luastate, "payload"); /* stack at -2 */ lua_pushlstring (tluajit->luastate, (const char *)p->payload, (size_t)p->payload_len); /* stack at -3 */ lua_settable(tluajit->luastate, -3); } if ((tluajit->flags & DATATYPE_PACKET) && GET_PKT_LEN(p)) { lua_pushliteral(tluajit->luastate, "packet"); /* stack at -2 */ lua_pushlstring (tluajit->luastate, (const char *)GET_PKT_DATA(p), (size_t)GET_PKT_LEN(p)); /* stack at -3 */ lua_settable(tluajit->luastate, -3); } if (tluajit->alproto == ALPROTO_HTTP) { FLOWLOCK_RDLOCK(p->flow); HtpState *htp_state = p->flow->alstate; if (htp_state != NULL && htp_state->connp != NULL && htp_state->connp->conn != NULL) { int idx = AppLayerTransactionGetInspectId(p->flow); if (idx != -1) { htp_tx_t *tx = NULL; int size = (int)list_size(htp_state->connp->conn->transactions); for ( ; idx < size; idx++) { tx = list_get(htp_state->connp->conn->transactions, idx); if (tx == NULL) continue; if ((tluajit->flags & DATATYPE_HTTP_REQUEST_LINE) && tx->request_line != NULL && bstr_len(tx->request_line) > 0) { lua_pushliteral(tluajit->luastate, "http.request_line"); /* stack at -2 */ lua_pushlstring (tluajit->luastate, (const char *)bstr_ptr(tx->request_line), bstr_len(tx->request_line)); lua_settable(tluajit->luastate, -3); } } } } FLOWLOCK_UNLOCK(p->flow); } int retval = lua_pcall(tluajit->luastate, 1, 1, 0); if (retval != 0) { SCLogInfo("failed to run script: %s", lua_tostring(tluajit->luastate, -1)); } /* process returns from script */ if (lua_gettop(tluajit->luastate) > 0) { /* script returns a number (return 1 or return 0) */ if (lua_type(tluajit->luastate, 1) == LUA_TNUMBER) { double script_ret = lua_tonumber(tluajit->luastate, 1); SCLogDebug("script_ret %f", script_ret); lua_pop(tluajit->luastate, 1); if (script_ret == 1.0) ret = 1; /* script returns a table */ } else if (lua_type(tluajit->luastate, 1) == LUA_TTABLE) { lua_pushnil(tluajit->luastate); const char *k, *v; while (lua_next(tluajit->luastate, -2)) { v = lua_tostring(tluajit->luastate, -1); lua_pop(tluajit->luastate, 1); k = lua_tostring(tluajit->luastate, -1); if (!k || !v) continue; SCLogDebug("k='%s', v='%s'", k, v); if (strcmp(k, "retval") == 0) { if (atoi(v) == 1) ret = 1; } else { /* set flow var? */ } } /* pop the table */ lua_pop(tluajit->luastate, 1); } } if (luajit->negated) { if (ret == 1) ret = 0; else ret = 1; } SCReturnInt(ret); }