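/**
 * \brief Fetch the raw HTTP headers of a transaction as an inspection buffer.
 *
 * Picks the request or response raw header block according to the direction
 * in \a flow_flags, sets it up in the per-list buffer the first time it is
 * requested and applies the engine's transforms to it.
 *
 * \param det_ctx    detection engine thread ctx
 * \param transforms transforms to apply to the raw data (NULL means none)
 * \param _f         flow (unused here)
 * \param flow_flags direction flags; STREAM_TOSERVER selects the request headers
 * \param txv        htp_tx_t of the transaction to inspect
 * \param list_id    sm list this buffer belongs to
 *
 * \retval buffer populated inspection buffer
 * \retval NULL   no tx user data, or no raw headers stored for this direction
 */
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f,
        const uint8_t flow_flags, void *txv, const int list_id)
{
    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
    if (buffer->inspect == NULL) {
        htp_tx_t *tx = (htp_tx_t *)txv;
        HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
        if (tx_ud == NULL)
            return NULL;

        const bool ts = ((flow_flags & STREAM_TOSERVER) != 0);
        const uint8_t *data = ts ? tx_ud->request_headers_raw : tx_ud->response_headers_raw;
        if (data == NULL)
            return NULL;
        /* uint32_t, like the other buffer callbacks: a uint8_t length here
         * silently wraps for any header block of 256 bytes or more, so only a
         * fragment of the headers would ever be inspected and rules matching
         * on the remainder could never fire. */
        const uint32_t data_len = ts ? tx_ud->request_headers_raw_len : tx_ud->response_headers_raw_len;

        InspectionBufferSetup(buffer, data, data_len);
        InspectionBufferApplyTransforms(buffer, transforms);
    }
    return buffer;
}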
/**
 * \brief Fetch the normalized request URI of a transaction as an inspection buffer.
 *
 * The buffer is only set up when it has not been populated yet for this
 * list; otherwise the existing contents are returned as-is.
 *
 * \param det_ctx     detection engine thread ctx
 * \param transforms  transforms to apply to the URI (NULL means none)
 * \param _f          flow (unused here)
 * \param _flow_flags direction flags (unused here)
 * \param txv         htp_tx_t of the transaction to inspect
 * \param list_id     sm list this buffer belongs to
 *
 * \retval buffer populated inspection buffer
 * \retval NULL   no tx user data or no normalized URI on the tx
 */
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f,
        const uint8_t _flow_flags, void *txv, const int list_id)
{
    SCEnter();

    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
    if (buffer->inspect != NULL)
        return buffer;

    HtpTxUserData *tx_ud = htp_tx_get_user_data((htp_tx_t *)txv);
    if (tx_ud == NULL || tx_ud->request_uri_normalized == NULL) {
        SCLogDebug("no tx_id or uri");
        return NULL;
    }

    bstr *uri = tx_ud->request_uri_normalized;
    InspectionBufferSetup(buffer, bstr_ptr(uri), bstr_len(uri));
    InspectionBufferApplyTransforms(buffer, transforms);
    return buffer;
}
/**
 * \brief Inspection engine for the HTTP "start" buffer (request/response line + headers).
 *
 * Sets up the inspection buffer on first use (applying transforms only when
 * the mpm stage has not already done so), runs content inspection on it and
 * decides whether the signature can still match later based on the tx progress.
 *
 * \param de_ctx  detection engine ctx
 * \param det_ctx detection engine thread ctx
 * \param engine  app inspection engine describing the list and transforms
 * \param s       signature being inspected
 * \param f       flow
 * \param flags   direction flags
 * \param alstate app layer state (unused here)
 * \param txv     transaction to inspect
 * \param tx_id   id of the transaction
 *
 * \retval DETECT_ENGINE_INSPECT_SIG_MATCH      content inspection matched
 * \retval DETECT_ENGINE_INSPECT_SIG_CANT_MATCH tx has progressed past the headers
 * \retval DETECT_ENGINE_INSPECT_SIG_NO_MATCH   no match (yet)
 */
static int InspectEngineHttpStart(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
        const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f,
        uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
{
    const int list_id = engine->sm_list;
    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
    bool have_data = true;

    if (buffer->inspect == NULL) {
        SCLogDebug("setting up inspect buffer %d", list_id);
        /* when the mpm stage ran it already applied the transforms; otherwise do it here */
        const DetectEngineTransforms *transforms = engine->mpm ? NULL : engine->v2.transforms;

        uint32_t raw_len = 0;
        uint8_t *raw = GetBufferForTX(txv, tx_id, det_ctx, f, flags, &raw_len);
        if (raw_len == 0) {
            SCLogDebug("no data");
            have_data = false;
        } else {
            InspectionBufferSetup(buffer, raw, raw_len);
            InspectionBufferApplyTransforms(buffer, transforms);
        }
    }

    if (have_data) {
        /* reset per-inspection state before walking the content matchers */
        det_ctx->buffer_offset = 0;
        det_ctx->discontinue_matching = 0;
        det_ctx->inspection_recursion_counter = 0;

        const int r = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
                (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset,
                DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
        if (r == 1)
            return DETECT_ENGINE_INSPECT_SIG_MATCH;
    }

    /* past the headers state of this direction the result is reported as final */
    const int headers_state = (flags & STREAM_TOSERVER) ? HTP_REQUEST_HEADERS : HTP_RESPONSE_HEADERS;
    if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, txv, flags) > headers_state)
        return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
    return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
}
/**
 * \brief Fetch the HTTP request line of a transaction as an inspection buffer.
 *
 * \param det_ctx     detection engine thread ctx
 * \param transforms  transforms to apply to the request line (NULL means none)
 * \param _f          flow (unused here)
 * \param _flow_flags direction flags (unused here)
 * \param txv         htp_tx_t of the transaction to inspect
 * \param list_id     sm list this buffer belongs to
 *
 * \retval buffer populated inspection buffer
 * \retval NULL   the tx carries no request line
 */
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f,
        const uint8_t _flow_flags, void *txv, const int list_id)
{
    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
    if (buffer->inspect != NULL)
        return buffer;

    bstr *line = ((htp_tx_t *)txv)->request_line;
    if (unlikely(line == NULL))
        return NULL;

    InspectionBufferSetup(buffer, bstr_ptr(line), bstr_len(line));
    InspectionBufferApplyTransforms(buffer, transforms);
    return buffer;
}
/**
 * \brief Fetch the SMB named pipe name of a transaction as an inspection buffer.
 *
 * \param det_ctx     detection engine thread ctx
 * \param transforms  transforms to apply to the pipe name (NULL means none)
 * \param _f          flow (unused here)
 * \param _flow_flags direction flags (unused here)
 * \param txv         SMB transaction to inspect
 * \param list_id     sm list this buffer belongs to
 *
 * \retval buffer populated inspection buffer
 * \retval NULL   the Rust side reported no pipe, or an empty/NULL name
 */
static InspectionBuffer *GetNamedPipeData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f,
        const uint8_t _flow_flags, void *txv, const int list_id)
{
    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
    if (buffer->inspect != NULL)
        return buffer;

    uint8_t *pipe = NULL;
    uint32_t pipe_len = 0;
    /* the Rust getter signals success with 1; anything else means no pipe name */
    const int found = rs_smb_tx_get_named_pipe(txv, &pipe, &pipe_len);
    if (found != 1 || pipe == NULL || pipe_len == 0)
        return NULL;

    InspectionBufferSetup(buffer, pipe, pipe_len);
    InspectionBufferApplyTransforms(buffer, transforms);
    return buffer;
}
/**
 * \brief Fetch the TLS server certificate issuer DN as an inspection buffer.
 *
 * \param det_ctx     detection engine thread ctx
 * \param transforms  transforms to apply to the issuer DN (NULL means none)
 * \param _f          flow; its alstate is read as the SSLState
 * \param _flow_flags direction flags (unused here)
 * \param txv         transaction (unused here)
 * \param list_id     sm list this buffer belongs to
 *
 * \retval buffer populated inspection buffer
 * \retval NULL   no issuer DN recorded for the server certificate
 */
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f,
        const uint8_t _flow_flags, void *txv, const int list_id)
{
    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
    if (buffer->inspect != NULL)
        return buffer;

    /* NOTE(review): _f->alstate is dereferenced without a NULL check; presumably
     * this callback only runs on flows that have an SSL state attached — confirm. */
    SSLState *ssl_state = (SSLState *)_f->alstate;
    const char *issuer = ssl_state->server_connp.cert0_issuerdn;
    if (issuer == NULL)
        return NULL;

    /* the DN is a NUL-terminated string; its length is what gets inspected */
    const uint32_t issuer_len = strlen(issuer);
    InspectionBufferSetup(buffer, (const uint8_t *)issuer, issuer_len);
    InspectionBufferApplyTransforms(buffer, transforms);
    return buffer;
}
/**
 * \brief HTTP response start Mpm prefilter callback
 *
 * Sets up the inspection buffer for the list on first use (applying the
 * prefilter ctx's transforms) and runs the mpm search over it.
 *
 * \param det_ctx detection engine thread ctx
 * \param pectx   PrefilterMpmHttpStartCtx with the mpm ctx, list id and transforms
 * \param p       packet to inspect (unused here)
 * \param f       flow to inspect
 * \param txv     tx to inspect
 * \param idx     tx id
 * \param flags   direction flags
 */
static void PrefilterTxHttpResponseStart(DetectEngineThreadCtx *det_ctx, const void *pectx,
        Packet *p, Flow *f, void *txv, const uint64_t idx, const uint8_t flags)
{
    SCEnter();

    const PrefilterMpmHttpStartCtx *ctx = pectx;
    const MpmCtx *mpm_ctx = ctx->mpm_ctx;
    const int list_id = ctx->list_id;
    SCLogDebug("running on list %d", list_id);

    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
    if (buffer->inspect == NULL) {
        uint32_t raw_len = 0;
        uint8_t *raw = GetBufferForTX(txv, idx, det_ctx, f, flags, &raw_len);
        if (raw_len == 0)
            return;
        InspectionBufferSetup(buffer, raw, raw_len);
        InspectionBufferApplyTransforms(buffer, ctx->transforms);
    }

    const uint8_t *data = buffer->inspect;
    const uint32_t data_len = buffer->inspect_len;
    SCLogDebug("mpm'ing buffer:");

    /* no point searching a buffer shorter than the shortest pattern in the ctx */
    if (data == NULL || data_len < mpm_ctx->minlen)
        return;
    (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx, &det_ctx->mtcu, &det_ctx->pmq,
            data, data_len);
}
/**
 * \brief Fetch one DNS query name of a transaction as an inspection buffer.
 *
 * Uses the multi-buffer list so each query of the tx gets its own buffer,
 * addressed by cbdata->local_id.
 *
 * \param det_ctx    detection engine thread ctx
 * \param transforms transforms to apply to the query name (NULL means none)
 * \param f          flow (unused here)
 * \param cbdata     carries the tx and the index of the query to fetch
 * \param list_id    sm list this buffer belongs to
 * \param first      force a fresh setup even if the buffer is already populated
 *
 * \retval buffer populated inspection buffer
 * \retval NULL   no buffer slot for this id, or no query name at that index
 */
static InspectionBuffer *DnsQueryGetData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *f,
        struct DnsQueryGetDataArgs *cbdata, int list_id, bool first)
{
    SCEnter();

    InspectionBufferMultipleForList *fb = InspectionBufferGetMulti(det_ctx, list_id);
    InspectionBuffer *buffer = InspectionBufferMultipleForListGet(fb, cbdata->local_id);
    if (buffer == NULL)
        return NULL;
    /* an already populated buffer is reused unless the caller asks for the first pass */
    if (buffer->inspect != NULL && !first)
        return buffer;

    uint8_t *name = NULL;
    uint32_t name_len = 0;
    /* the Rust getter returns 0 when there is no query at this index */
    if (rs_dns_tx_get_query_name(cbdata->txv, (uint16_t)cbdata->local_id, &name, &name_len) == 0)
        return NULL;

    InspectionBufferSetup(buffer, name, name_len);
    InspectionBufferApplyTransforms(buffer, transforms);
    SCReturnPtr(buffer, "InspectionBuffer");
}