From 146b074e2b48427cf4eac2852d2ceda5858f0717 Mon Sep 17 00:00:00 2001 From: Anoop Saldanha Date: Sat, 16 Jun 2012 14:16:10 +0530 Subject: [PATCH 2/2] cookie header now inspects Set-Cookie headers as well --- src/detect-engine-hcd.c | 40 ++++++++++++++++++++++++++++++---------- 1 files changed, 30 insertions(+), 10 deletions(-) diff --git a/src/detect-engine-hcd.c b/src/detect-engine-hcd.c index d235854..b7ad2b8 100644 --- a/src/detect-engine-hcd.c +++ b/src/detect-engine-hcd.c @@ -88,11 +88,21 @@ int DetectEngineRunHttpCookieMpm(DetectEngineThreadCtx *det_ctx, Flow *f, if (tx == NULL) continue; - htp_header_t *h = (htp_header_t *)table_getc(tx->request_headers, - "Cookie"); - if (h == NULL) { - SCLogDebug("HTTP cookie header not present in this request"); - continue; + htp_header_t *h = NULL; + if (flags & STREAM_TOSERVER) { + h = (htp_header_t *)table_getc(tx->request_headers, + "Cookie"); + if (h == NULL) { + SCLogDebug("HTTP cookie header not present in this request"); + continue; + } + } else { + h = (htp_header_t *)table_getc(tx->response_headers, + "Set-Cookie"); + if (h == NULL) { + SCLogDebug("HTTP Set-Cookie header not present in this request"); + continue; + } } cnt += HttpCookiePatternSearch(det_ctx, @@ -153,11 +163,21 @@ int DetectEngineInspectHttpCookie(DetectEngineCtx *de_ctx, if (tx == NULL) continue; - htp_header_t *h = (htp_header_t *)table_getc(tx->request_headers, - "Cookie"); - if (h == NULL) { - SCLogDebug("HTTP cookie header not present in this request"); - continue; + htp_header_t *h = NULL; + if (flags & STREAM_TOSERVER) { + h = (htp_header_t *)table_getc(tx->request_headers, + "Cookie"); + if (h == NULL) { + SCLogDebug("HTTP cookie header not present in this request"); + continue; + } + } else { + h = (htp_header_t *)table_getc(tx->response_headers, + "Set-Cookie"); + if (h == NULL) { + SCLogDebug("HTTP Set-Cookie header not present in this request"); + continue; + } } det_ctx->buffer_offset = 0; -- 1.7.1