From 16eeda7eb1f9da92951bede9d41f5b1c7b5f481f Mon Sep 17 00:00:00 2001
From: Anoop Saldanha
Date: Tue, 26 Jun 2012 10:29:02 +0530
Subject: [PATCH] http header won't inspect set-cookie headers. Set-cookie part of cookie keyword now. Also update the http header inspection engine

---
 src/detect-engine-hhd.c | 175 +++++++++++++++++++++++++++++++++++------------
 1 files changed, 132 insertions(+), 43 deletions(-)

diff --git a/src/detect-engine-hhd.c b/src/detect-engine-hhd.c
index e304da9..306b3ca 100644
--- a/src/detect-engine-hhd.c
+++ b/src/detect-engine-hhd.c
@@ -138,9 +138,16 @@ static void DetectEngineBufferHttpHeaders(DetectEngineThreadCtx *det_ctx, Flow *
 size_t size1 = bstr_size(h->name);
 size_t size2 = bstr_size(h->value);
 
- if (size1 == 6 &&
- SCMemcmpLowercase(bstr_ptr(h->name), "Cookie", 6) == 0) {
- continue;
+ if (flags & STREAM_TOSERVER) {
+ if (size1 == 6 &&
+ SCMemcmpLowercase("cookie", bstr_ptr(h->name), 6)) {
+ continue;
+ }
+ } else {
+ if (size1 == 10 &&
+ SCMemcmpLowercase("set-cookie", bstr_ptr(h->name), 10) == 0) {
+ continue;
+ }
 }
 
 /* the extra 4 bytes if for ": " and "\r\n" */
@@ -184,20 +191,6 @@ int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
 if (det_ctx->hhd_buffers_list_len == 0) {
 FLOWLOCK_RDLOCK(f);
- DetectEngineBufferHttpHeaders(det_ctx, f, htp_state,
- (flags & STREAM_TOSERVER) ? STREAM_TOCLIENT : STREAM_TOSERVER);
- FLOWLOCK_UNLOCK(f);
-
- for (i = 0; i < det_ctx->hhd_buffers_list_len; i++) {
- cnt += HttpHeaderPatternSearch(det_ctx,
- det_ctx->hhd_buffers[i],
- det_ctx->hhd_buffers_len[i],
- flags);
- }
-
- DetectEngineCleanHHDBuffers(det_ctx);
-
- FLOWLOCK_RDLOCK(f);
 DetectEngineBufferHttpHeaders(det_ctx, f, htp_state, flags);
 FLOWLOCK_UNLOCK(f);
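Review bot: The STREAM_TOSERVER branch drops the `== 0` that both the removed line and the new else branch apply to SCMemcmpLowercase, so, assuming the function returns 0 on a match as those two uses treat it, `SCMemcmpLowercase("cookie", bstr_ptr(h->name), 6)` is true for every six-byte request header name that is not Cookie: the Cookie header ends up in the http_header buffer while headers such as Accept are skipped from inspection. Change the condition to `SCMemcmpLowercase("cookie", bstr_ptr(h->name), 6) == 0) {` so both directions use the same test. The argument order is also swapped relative to the removed call (constant first, header name second); if SCMemcmpLowercase lowercases only one operand, confirm the constant is in the position it expects. DetectEngineBufferHttpHeaders starts and ends outside the hunk.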
@@ -214,32 +207,6 @@ int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
 det_ctx->hhd_buffers_len[i],
 flags);
 }
-
- uint16_t hhd_buffers_list_len = det_ctx->hhd_buffers_list_len;
- uint8_t **hhd_buffers = det_ctx->hhd_buffers;
- uint32_t *hhd_buffers_len = det_ctx->hhd_buffers_len;
-
- det_ctx->hhd_buffers_list_len = 0;
- det_ctx->hhd_buffers = NULL;
- det_ctx->hhd_buffers_len = NULL;
-
- FLOWLOCK_RDLOCK(f);
- DetectEngineBufferHttpHeaders(det_ctx, f, htp_state,
- (flags & STREAM_TOSERVER) ? STREAM_TOCLIENT : STREAM_TOSERVER);
- FLOWLOCK_UNLOCK(f);
-
- for (i = 0; i < det_ctx->hhd_buffers_list_len; i++) {
- cnt += HttpHeaderPatternSearch(det_ctx,
- det_ctx->hhd_buffers[i],
- det_ctx->hhd_buffers_len[i],
- flags);
- }
-
- DetectEngineCleanHHDBuffers(det_ctx);
-
- det_ctx->hhd_buffers_list_len = hhd_buffers_list_len;
- det_ctx->hhd_buffers = hhd_buffers;
- det_ctx->hhd_buffers_len = hhd_buffers_len;
 }
 
 return cnt;
@@ -3173,6 +3140,126 @@ static int DetectEngineHttpHeaderTest30(void)
 
 #endif /* #if 0 */
 
+static int DetectEngineHttpHeaderTest30(void)
+{
+ TcpSession ssn;
+ Packet *p1 = NULL;
+ Packet *p2 = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http_buf1[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: www.openinfosecfoundation.org\r\n"
+ "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
+ "\r\n";
+ uint32_t http_buf1_len = sizeof(http_buf1) - 1;
+ uint8_t http_buf2[] =
+ "HTTP/1.0 200 ok\r\n"
+ "Set-Cookie: dummycookieset\r\n"
+ "Content-Type: text/html\r\n"
+ "Content-Length: 6\r\n"
+ "\r\n"
+ "abcdef";
+ uint32_t http_buf2_len = sizeof(http_buf2) - 1;
+ int result = 0;
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+ p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.flags |= FLOW_IPV4;
+
+ p1->flow = &f;
+ p1->flowflags |= FLOW_PKT_TOSERVER;
+ p1->flowflags |= FLOW_PKT_ESTABLISHED;
+ p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
+ p2->flow = &f;
+ p2->flowflags |= FLOW_PKT_TOCLIENT;
+ p2->flowflags |= FLOW_PKT_ESTABLISHED;
+ p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http header test\"; "
+ "content:\"dummycookieset\"; http_header; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1,
+ http_buf1_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: \n");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
+
+ if (PacketAlertCheck(p1, 1)) {
+ printf("sid 1 matched but shouldn't have\n");
+ goto end;
+ }
+
+ r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf2, http_buf2_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
+
+ if (PacketAlertCheck(p2, 1)) {
+ printf("sid 1 matched but shouldn't have\n");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p1, 1);
+ UTHFreePackets(&p2, 1);
+ return result;
+}
+
 #endif /* UNITTESTS */
 
 void DetectEngineHttpHeaderRegisterTests(void)
@@ -3237,6 +3324,8 @@ void DetectEngineHttpHeaderRegisterTests(void)
 DetectEngineHttpHeaderTest28, 1);
 UtRegisterTest("DetectEngineHttpHeaderTest29",
 DetectEngineHttpHeaderTest29, 1);
+ UtRegisterTest("DetectEngineHttpHeaderTest30",
+ DetectEngineHttpHeaderTest30, 1);
 #if 0
 UtRegisterTest("DetectEngineHttpHeaderTest30",
 DetectEngineHttpHeaderTest30, 1);
-- 
1.7.1
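Review bot: DetectEngineHttpHeaderTest30 only asserts that sid 1 stays silent on the Set-Cookie response, so it passes just as well if the response headers are never buffered or the TOCLIENT pass never runs; a positive control on the same packet, e.g. a second rule `content:\"text/html\"; http_header; sid:2;` with `if (!PacketAlertCheck(p2, 2))` failing the test, would pin that Content-Type is still inspected while Set-Cookie is excluded. The failure message after the STREAM_TOCLIENT parse is copied from the request path and should read `printf("toclient chunk 1 returned %" PRId32 ", expected 0: \n", r);`. det_ctx is created by DetectEngineThreadCtxInit with the return value unchecked and is not released at `end:`, unlike de_ctx; the other tests in this file presumably pair it with DetectEngineThreadCtxDeinit, which should be done here too. The three separate `if (de_ctx != NULL)` guards at `end:` can be a single guarded block.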