/**
* \brief Do the http_method content inspection for a signature.
*
* \param de_ctx Detection engine context.
* \param det_ctx Detection engine thread context.
* \param s Signature to inspect.
* \param f Flow.
* \param flags App layer flags.
* \param state App layer state.
*
* \retval 0 No match.
* \retval 1 Match.
*/
int DetectEngineInspectHttpMethod(DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx,
Signature *s, Flow *f, uint8_t flags,
void *alstate)
{
SCEnter();
int r = 0;
HtpState *htp_state = NULL;
htp_tx_t *tx = NULL;
int idx;
FLOWLOCK_RDLOCK(f);
htp_state = (HtpState *)alstate;
if (htp_state == NULL) {
SCLogDebug("no HTTP state");
goto end;
}
if (htp_state->connp == NULL || htp_state->connp->conn == NULL) {
SCLogDebug("HTP state has no conn(p)");
goto end;
}
idx = AppLayerTransactionGetInspectId(f);
if (idx == -1) {
goto end;
}
int size = (int)list_size(htp_state->connp->conn->transactions);
for (; idx < size; idx++) {
tx = list_get(htp_state->connp->conn->transactions, idx);
if (tx == NULL || tx->request_method == NULL)
continue;
det_ctx->buffer_offset = 0;
det_ctx->discontinue_matching = 0;
det_ctx->inspection_recursion_counter = 0;
r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HMDMATCH],
f,
(uint8_t *)bstr_ptr(tx->request_method),
bstr_len(tx->request_method),
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HMD, NULL);
//r = DoInspectHttpMethod(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HMDMATCH],
//(uint8_t *)bstr_ptr(tx->request_method),
//bstr_len(tx->request_method));
if (r == 1) {
break;
}
}
end:
FLOWLOCK_UNLOCK(f);
SCReturnInt(r);
}
/**
* \brief This function is used to match urilen rule option with the HTTP
* uricontent.
*
* \param t pointer to thread vars
* \param det_ctx pointer to the pattern matcher thread
* \param p pointer to the current packet
* \param m pointer to the sigmatch that we will cast into DetectUrilenData
*
* \retval 0 no match
* \retval 1 match
*/
int DetectUrilenMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
uint8_t flags, void *state, Signature *s, SigMatch *m)
{
SCEnter();
int ret = 0;
int idx = 0;
DetectUrilenData *urilend = (DetectUrilenData *) m->ctx;
HtpState *htp_state = (HtpState *)state;
if (htp_state == NULL) {
SCLogDebug("no HTP state, no need to match further");
SCReturnInt(ret);
}
FLOWLOCK_RDLOCK(f);
htp_tx_t *tx = NULL;
idx = AppLayerTransactionGetInspectId(f);
if (idx == -1) {
goto end;
}
int size = (int)list_size(htp_state->connp->conn->transactions);
for (; idx < size; idx++)
{
tx = list_get(htp_state->connp->conn->transactions, idx);
if (tx == NULL || tx->request_uri_normalized == NULL)
goto end;
switch (urilend->mode) {
case DETECT_URILEN_EQ:
if (bstr_len(tx->request_uri_normalized) == urilend->urilen1)
ret = 1;
break;
case DETECT_URILEN_LT:
if (bstr_len(tx->request_uri_normalized) < urilend->urilen1)
ret = 1;
break;
case DETECT_URILEN_GT:
if (bstr_len(tx->request_uri_normalized) > urilend->urilen1)
ret = 1;
break;
case DETECT_URILEN_RA:
if (bstr_len(tx->request_uri_normalized) > urilend->urilen1 &&
bstr_len(tx->request_uri_normalized) < urilend->urilen2)
ret = 1;
break;
}
}
end:
FLOWLOCK_UNLOCK(f);
SCReturnInt(ret);
}
int DetectEngineRunHttpUAMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags)
{
htp_tx_t *tx = NULL;
uint32_t cnt = 0;
int idx;
/* we need to lock because the buffers are not actually true buffers
* but are ones that point to a buffer given by libhtp */
FLOWLOCK_RDLOCK(f);
if (htp_state == NULL) {
SCLogDebug("no HTTP state");
goto end;
}
if (htp_state->connp == NULL || htp_state->connp->conn == NULL) {
SCLogDebug("HTP state has no conn(p)");
goto end;
}
idx = AppLayerTransactionGetInspectId(f);
if (idx == -1) {
goto end;
}
int size = (int)list_size(htp_state->connp->conn->transactions);
for (; idx < size; idx++) {
tx = list_get(htp_state->connp->conn->transactions, idx);
if (tx == NULL)
continue;
htp_header_t *h = (htp_header_t *)table_getc(tx->request_headers,
"User-Agent");
if (h == NULL) {
SCLogDebug("HTTP user agent header not present in this request");
continue;
}
cnt += HttpUAPatternSearch(det_ctx,
(uint8_t *)bstr_ptr(h->value),
bstr_len(h->value), flags);
}
end:
FLOWLOCK_UNLOCK(f);
return cnt;
}
/**
* \brief match the specified luajit
*
* \param t thread local vars
* \param det_ctx pattern matcher thread local data
* \param p packet
* \param s signature being inspected
* \param m sigmatch that we will cast into DetectLuajitData
*
* \retval 0 no match
* \retval 1 match
*/
static int DetectLuajitMatch (ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
Packet *p, Signature *s, SigMatch *m)
{
SCEnter();
int ret = 0;
DetectLuajitData *luajit = (DetectLuajitData *)m->ctx;
if (luajit == NULL)
SCReturnInt(0);
DetectLuajitThreadData *tluajit = (DetectLuajitThreadData *)DetectThreadCtxGetKeywordThreadCtx(det_ctx, luajit->thread_ctx_id);
if (tluajit == NULL)
SCReturnInt(0);
if ((tluajit->flags & DATATYPE_PAYLOAD) && p->payload_len == 0)
SCReturnInt(0);
if ((tluajit->flags & DATATYPE_PACKET) && GET_PKT_LEN(p) == 0)
SCReturnInt(0);
if (tluajit->alproto != ALPROTO_UNKNOWN) {
if (p->flow == NULL)
SCReturnInt(0);
FLOWLOCK_RDLOCK(p->flow);
int alproto = p->flow->alproto;
FLOWLOCK_UNLOCK(p->flow);
if (tluajit->alproto != alproto)
SCReturnInt(0);
}
lua_getglobal(tluajit->luastate, "match");
lua_newtable(tluajit->luastate); /* stack at -1 */
if ((tluajit->flags & DATATYPE_PAYLOAD) && p->payload_len) {
lua_pushliteral(tluajit->luastate, "payload"); /* stack at -2 */
lua_pushlstring (tluajit->luastate, (const char *)p->payload, (size_t)p->payload_len); /* stack at -3 */
lua_settable(tluajit->luastate, -3);
}
if ((tluajit->flags & DATATYPE_PACKET) && GET_PKT_LEN(p)) {
lua_pushliteral(tluajit->luastate, "packet"); /* stack at -2 */
lua_pushlstring (tluajit->luastate, (const char *)GET_PKT_DATA(p), (size_t)GET_PKT_LEN(p)); /* stack at -3 */
lua_settable(tluajit->luastate, -3);
}
if (tluajit->alproto == ALPROTO_HTTP) {
FLOWLOCK_RDLOCK(p->flow);
HtpState *htp_state = p->flow->alstate;
if (htp_state != NULL && htp_state->connp != NULL && htp_state->connp->conn != NULL) {
int idx = AppLayerTransactionGetInspectId(p->flow);
if (idx != -1) {
htp_tx_t *tx = NULL;
int size = (int)list_size(htp_state->connp->conn->transactions);
for ( ; idx < size; idx++)
{
tx = list_get(htp_state->connp->conn->transactions, idx);
if (tx == NULL)
continue;
if ((tluajit->flags & DATATYPE_HTTP_REQUEST_LINE) && tx->request_line != NULL &&
bstr_len(tx->request_line) > 0) {
lua_pushliteral(tluajit->luastate, "http.request_line"); /* stack at -2 */
lua_pushlstring (tluajit->luastate,
(const char *)bstr_ptr(tx->request_line),
bstr_len(tx->request_line));
lua_settable(tluajit->luastate, -3);
}
}
}
}
FLOWLOCK_UNLOCK(p->flow);
}
int retval = lua_pcall(tluajit->luastate, 1, 1, 0);
if (retval != 0) {
SCLogInfo("failed to run script: %s", lua_tostring(tluajit->luastate, -1));
}
/* process returns from script */
if (lua_gettop(tluajit->luastate) > 0) {
/* script returns a number (return 1 or return 0) */
if (lua_type(tluajit->luastate, 1) == LUA_TNUMBER) {
double script_ret = lua_tonumber(tluajit->luastate, 1);
SCLogDebug("script_ret %f", script_ret);
lua_pop(tluajit->luastate, 1);
if (script_ret == 1.0)
ret = 1;
/* script returns a table */
} else if (lua_type(tluajit->luastate, 1) == LUA_TTABLE) {
lua_pushnil(tluajit->luastate);
const char *k, *v;
while (lua_next(tluajit->luastate, -2)) {
v = lua_tostring(tluajit->luastate, -1);
lua_pop(tluajit->luastate, 1);
k = lua_tostring(tluajit->luastate, -1);
if (!k || !v)
continue;
SCLogDebug("k='%s', v='%s'", k, v);
if (strcmp(k, "retval") == 0) {
if (atoi(v) == 1)
ret = 1;
} else {
/* set flow var? */
}
}
/* pop the table */
lua_pop(tluajit->luastate, 1);
}
}
if (luajit->negated) {
if (ret == 1)
ret = 0;
else
ret = 1;
}
SCReturnInt(ret);
}
