예제 #1
/**
 * \brief Register the "http_uri" content modifier with the detection engine.
 *
 * Populates the DETECT_AL_HTTP_URI slot of sigmatch_table, then hooks the
 * "http_uri" buffer into the prefilter (MPM) and inspection engines, sets
 * its description and setup/validate callbacks, and caches the resulting
 * buffer id in g_http_uri_buffer_id.
 *
 * Only SIG_FLAG_TOSERVER is registered here, and inspection is tied to the
 * HTP_REQUEST_LINE progress value.
 */
void DetectHttpUriRegister (void)
{
    const char *const buffer = "http_uri";
    const int kw = DETECT_AL_HTTP_URI;

    /* user-visible metadata for the keyword */
    sigmatch_table[kw].name = "http_uri";
    sigmatch_table[kw].desc = "content modifier to match specifically and only on the HTTP uri-buffer";
    sigmatch_table[kw].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-uri-and-http-raw-uri";

    /* callbacks: no Match and no Free hook are installed for this keyword */
    sigmatch_table[kw].Setup = DetectHttpUriSetup;
    sigmatch_table[kw].Match = NULL;
    sigmatch_table[kw].Free = NULL;
    sigmatch_table[kw].RegisterTests = DetectHttpUriRegisterTests;

    sigmatch_table[kw].flags |= SIGMATCH_NOOPT;

    /* prefilter hook; the literal 2 is presumably the prefilter priority --
     * confirm against DetectAppLayerMpmRegister */
    DetectAppLayerMpmRegister(buffer, SIG_FLAG_TOSERVER, 2, PrefilterTxUriRegister);

    /* full inspection of the buffer for HTTP, request direction only */
    DetectAppLayerInspectEngineRegister(buffer, ALPROTO_HTTP, SIG_FLAG_TOSERVER,
            HTP_REQUEST_LINE, DetectEngineInspectHttpUri);

    DetectBufferTypeSetDescriptionByName(buffer, "http request uri");
    DetectBufferTypeRegisterSetupCallback(buffer, DetectHttpUriSetupCallback);
    DetectBufferTypeRegisterValidateCallback(buffer, DetectHttpUriValidateCallback);

    /* look the id up last, after every registration for this buffer name */
    g_http_uri_buffer_id = DetectBufferTypeGetByName(buffer);
}
예제 #2
/**
 * \brief Register the "http_method" content modifier with the detection engine.
 *
 * Populates the DETECT_AL_HTTP_METHOD slot of sigmatch_table, then hooks the
 * "http_method" buffer into the prefilter (MPM) and inspection engines, sets
 * its description and validate callback, and caches the resulting buffer id
 * in g_http_method_buffer_id.
 *
 * Only SIG_FLAG_TOSERVER is registered here, and inspection is tied to the
 * HTP_REQUEST_LINE progress value.
 */
void DetectHttpMethodRegister(void)
{
    const char *const buffer = "http_method";
    const int kw = DETECT_AL_HTTP_METHOD;

    /* user-visible metadata for the keyword */
    sigmatch_table[kw].name = "http_method";
    sigmatch_table[kw].desc = "content modifier to match only on the HTTP method-buffer";
    sigmatch_table[kw].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-method";

    /* callbacks: no Match hook is installed for this keyword */
    sigmatch_table[kw].Setup = DetectHttpMethodSetup;
    sigmatch_table[kw].Match = NULL;
    sigmatch_table[kw].Free = DetectHttpMethodFree;
    sigmatch_table[kw].RegisterTests = DetectHttpMethodRegisterTests;

    sigmatch_table[kw].flags |= SIGMATCH_NOOPT;

    /* prefilter hook; the literal 4 is presumably the prefilter priority --
     * confirm against DetectAppLayerMpmRegister */
    DetectAppLayerMpmRegister(buffer, SIG_FLAG_TOSERVER, 4, PrefilterTxMethodRegister);

    /* full inspection of the buffer for HTTP, request direction only */
    DetectAppLayerInspectEngineRegister(buffer, ALPROTO_HTTP, SIG_FLAG_TOSERVER,
            HTP_REQUEST_LINE, DetectEngineInspectHttpMethod);

    DetectBufferTypeSetDescriptionByName(buffer, "http request method");
    DetectBufferTypeRegisterValidateCallback(buffer, DetectHttpMethodValidateCallback);

    /* look the id up last, after every registration for this buffer name */
    g_http_method_buffer_id = DetectBufferTypeGetByName(buffer);

    SCLogDebug("registering http_method rule option");
}
예제 #3
/**
 * \brief Register the "http_raw_header" content modifier and the
 *        "http.header.raw" sticky buffer.
 *
 * Both keywords are backed by the same "http_raw_header" buffer. Unlike the
 * request-line keywords, this buffer is registered for both directions
 * (SIG_FLAG_TOSERVER and SIG_FLAG_TOCLIENT), so rules can inspect raw
 * request headers as well as raw response headers.
 *
 * The resulting buffer id is cached in g_http_raw_header_buffer_id.
 */
void DetectHttpRawHeaderRegister(void)
{
    const char *const buffer = "http_raw_header";
    const int modifier = DETECT_AL_HTTP_RAW_HEADER;
    const int sticky = DETECT_HTTP_RAW_HEADER;

    /* content modifier entry; its alternative is the sticky buffer keyword */
    sigmatch_table[modifier].name = "http_raw_header";
    sigmatch_table[modifier].alternative = sticky;
    sigmatch_table[modifier].Setup = DetectHttpRawHeaderSetup;
#ifdef UNITTESTS
    sigmatch_table[modifier].RegisterTests = DetectHttpRawHeaderRegisterTests;
#endif
    sigmatch_table[modifier].flags |= SIGMATCH_NOOPT;

    /* sticky buffer entry */
    sigmatch_table[sticky].name = "http.header.raw";
    sigmatch_table[sticky].desc = "sticky buffer to match the raw HTTP header buffer";
    sigmatch_table[sticky].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-raw-header";
    sigmatch_table[sticky].Setup = DetectHttpRawHeaderSetupSticky;
    sigmatch_table[sticky].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;

    /* Inspection engines, one per direction. The progress argument is one
     * past the *_HEADERS state; presumably so inspection runs only once the
     * header block is complete -- confirm against the HTP progress enum. */
    DetectAppLayerInspectEngineRegister2(buffer, ALPROTO_HTTP, SIG_FLAG_TOSERVER,
            HTP_REQUEST_HEADERS+1, DetectEngineInspectBufferGeneric, GetData);
    DetectAppLayerInspectEngineRegister2(buffer, ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
            HTP_RESPONSE_HEADERS+1, DetectEngineInspectBufferGeneric, GetData);

    /* Prefilter (MPM) hooks, one per direction. No GetData callback is
     * passed and the progress argument is 0: progress is handled inside the
     * per-direction register functions. */
    DetectAppLayerMpmRegister2(buffer, SIG_FLAG_TOSERVER, 2,
            PrefilterMpmHttpHeaderRawRequestRegister, NULL, ALPROTO_HTTP, 0);
    DetectAppLayerMpmRegister2(buffer, SIG_FLAG_TOCLIENT, 2,
            PrefilterMpmHttpHeaderRawResponseRegister, NULL, ALPROTO_HTTP, 0);

    DetectBufferTypeSetDescriptionByName(buffer, "raw http headers");
    DetectBufferTypeRegisterValidateCallback(buffer, DetectHttpRawHeaderValidateCallback);

    /* look the id up last, after every registration for this buffer name */
    g_http_raw_header_buffer_id = DetectBufferTypeGetByName(buffer);
}
예제 #4
/**
 * \brief Register the "http_method" content modifier and the "http.method"
 *        sticky buffer.
 *
 * Both keywords are backed by the same "http_method" buffer, which is
 * registered for the request direction only (SIG_FLAG_TOSERVER) at the
 * HTP_REQUEST_LINE progress value. Inspection and prefiltering both go
 * through the generic helpers with GetData as the buffer getter.
 *
 * The resulting buffer id is cached in g_http_method_buffer_id.
 */
void DetectHttpMethodRegister(void)
{
    const char *const buffer = "http_method";
    const int modifier = DETECT_AL_HTTP_METHOD;
    const int sticky = DETECT_HTTP_METHOD;

    /* content modifier entry; its alternative is the sticky buffer keyword */
    sigmatch_table[modifier].name = "http_method";
    sigmatch_table[modifier].desc = "content modifier to match only on the HTTP method-buffer";
    sigmatch_table[modifier].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-method";
    sigmatch_table[modifier].alternative = sticky;
    sigmatch_table[modifier].Setup = DetectHttpMethodSetup;
    sigmatch_table[modifier].Match = NULL;
#ifdef UNITTESTS
    sigmatch_table[modifier].RegisterTests = DetectHttpMethodRegisterTests;
#endif
    sigmatch_table[modifier].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_CONTENT_MODIFIER;

    /* sticky buffer entry */
    sigmatch_table[sticky].name = "http.method";
    sigmatch_table[sticky].desc = "sticky buffer to match specifically and only on the HTTP method buffer";
    sigmatch_table[sticky].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-method";
    sigmatch_table[sticky].Setup = DetectHttpMethodSetupSticky;
    sigmatch_table[sticky].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;

    /* full inspection of the buffer for HTTP, request direction only */
    DetectAppLayerInspectEngineRegister2(buffer, ALPROTO_HTTP, SIG_FLAG_TOSERVER,
            HTP_REQUEST_LINE, DetectEngineInspectBufferGeneric, GetData);

    /* prefilter hook; the literal 4 is presumably the prefilter priority --
     * confirm against DetectAppLayerMpmRegister2 */
    DetectAppLayerMpmRegister2(buffer, SIG_FLAG_TOSERVER, 4,
            PrefilterGenericMpmRegister, GetData, ALPROTO_HTTP, HTP_REQUEST_LINE);

    DetectBufferTypeSetDescriptionByName(buffer, "http request method");
    DetectBufferTypeRegisterValidateCallback(buffer, DetectHttpMethodValidateCallback);

    /* look the id up last, after every registration for this buffer name */
    g_http_method_buffer_id = DetectBufferTypeGetByName(buffer);

    SCLogDebug("registering http_method rule option");
}
예제 #5
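/**
 * \brief Registration function for keywords: http_uri, http.uri,
 *        http_raw_uri and http.uri.raw
 *
 * Registers two buffers, both for the request direction only
 * (SIG_FLAG_TOSERVER) at the HTP_REQUEST_LINE progress value:
 *  - "http_uri", read through GetData and described by the keyword text as
 *    the normalized HTTP URI;
 *  - "http_raw_uri", read through GetRawData and described as the raw HTTP
 *    URI.
 * Each buffer has a content modifier and a sticky buffer keyword. The
 * resulting buffer ids are cached in g_http_uri_buffer_id and
 * g_http_raw_uri_buffer_id.
 *
 * Rule writers should pick the buffer deliberately: a pattern written
 * against the normalized form is matched against different bytes than the
 * same pattern written against the raw form.
 */
void DetectHttpUriRegister (void)
{
    /* http_uri content modifier */
    sigmatch_table[DETECT_AL_HTTP_URI].name = "http_uri";
    sigmatch_table[DETECT_AL_HTTP_URI].desc = "content modifier to match specifically and only on the HTTP uri-buffer";
    sigmatch_table[DETECT_AL_HTTP_URI].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-uri-and-http-raw-uri";
    sigmatch_table[DETECT_AL_HTTP_URI].Setup = DetectHttpUriSetup;
#ifdef UNITTESTS
    sigmatch_table[DETECT_AL_HTTP_URI].RegisterTests = DetectHttpUriRegisterTests;
#endif
    sigmatch_table[DETECT_AL_HTTP_URI].flags |= SIGMATCH_NOOPT;

    /* http.uri sticky buffer */
    sigmatch_table[DETECT_HTTP_URI].name = "http.uri";
    sigmatch_table[DETECT_HTTP_URI].alias = "http.uri.normalized";
    sigmatch_table[DETECT_HTTP_URI].desc = "sticky buffer to match specifically and only on the normalized HTTP URI buffer";
    /* doc link belongs to the HTTP keyword page, same section as http_uri */
    sigmatch_table[DETECT_HTTP_URI].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-uri-and-http-raw-uri";
    sigmatch_table[DETECT_HTTP_URI].Setup = DetectHttpUriSetupSticky;
    /* NOTE(review): no SIGMATCH_INFO_STICKY_BUFFER is set on this sticky
     * buffer entry; confirm whether this tree defines that flag and, if so,
     * whether it should be set here and on http.uri.raw below. */
    sigmatch_table[DETECT_HTTP_URI].flags |= SIGMATCH_NOOPT;

    /* full inspection of the buffer for HTTP, request direction only */
    DetectAppLayerInspectEngineRegister2("http_uri", ALPROTO_HTTP,
            SIG_FLAG_TOSERVER, HTP_REQUEST_LINE,
            DetectEngineInspectBufferGeneric, GetData);

    /* prefilter hook; the literal 2 is presumably the prefilter priority --
     * confirm against DetectAppLayerMpmRegister2 */
    DetectAppLayerMpmRegister2("http_uri", SIG_FLAG_TOSERVER, 2,
            PrefilterGenericMpmRegister, GetData, ALPROTO_HTTP,
            HTP_REQUEST_LINE);

    DetectBufferTypeSetDescriptionByName("http_uri",
            "http request uri");

    DetectBufferTypeRegisterSetupCallback("http_uri",
            DetectHttpUriSetupCallback);

    DetectBufferTypeRegisterValidateCallback("http_uri",
            DetectHttpUriValidateCallback);

    /* look the id up after every registration for this buffer name */
    g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");

    /* http_raw_uri content modifier */
    sigmatch_table[DETECT_AL_HTTP_RAW_URI].name = "http_raw_uri";
    sigmatch_table[DETECT_AL_HTTP_RAW_URI].desc = "content modifier to match on the raw HTTP uri";
    /* same anchor spelling as the http_uri entry above (hyphens, not underscores) */
    sigmatch_table[DETECT_AL_HTTP_RAW_URI].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-uri-and-http-raw-uri";
    sigmatch_table[DETECT_AL_HTTP_RAW_URI].Setup = DetectHttpRawUriSetup;
    sigmatch_table[DETECT_AL_HTTP_RAW_URI].flags |= SIGMATCH_NOOPT;

    /* http.uri.raw sticky buffer */
    sigmatch_table[DETECT_HTTP_URI_RAW].name = "http.uri.raw";
    sigmatch_table[DETECT_HTTP_URI_RAW].desc = "sticky buffer to match specifically and only on the raw HTTP URI buffer";
    /* doc link belongs to the HTTP keyword page, same section as http_uri */
    sigmatch_table[DETECT_HTTP_URI_RAW].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-uri-and-http-raw-uri";
    sigmatch_table[DETECT_HTTP_URI_RAW].Setup = DetectHttpRawUriSetupSticky;
    sigmatch_table[DETECT_HTTP_URI_RAW].flags |= SIGMATCH_NOOPT;

    /* raw URI buffer: same engines as above, but fed by GetRawData */
    DetectAppLayerInspectEngineRegister2("http_raw_uri", ALPROTO_HTTP,
            SIG_FLAG_TOSERVER, HTP_REQUEST_LINE,
            DetectEngineInspectBufferGeneric, GetRawData);

    DetectAppLayerMpmRegister2("http_raw_uri", SIG_FLAG_TOSERVER, 2,
            PrefilterGenericMpmRegister, GetRawData, ALPROTO_HTTP,
            HTP_REQUEST_LINE);

    DetectBufferTypeSetDescriptionByName("http_raw_uri",
            "raw http uri");

    DetectBufferTypeRegisterSetupCallback("http_raw_uri",
            DetectHttpRawUriSetupCallback);

    DetectBufferTypeRegisterValidateCallback("http_raw_uri",
            DetectHttpRawUriValidateCallback);

    /* look the id up after every registration for this buffer name */
    g_http_raw_uri_buffer_id = DetectBufferTypeGetByName("http_raw_uri");
}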