62
62
* \param det_ctx Detection engine thread context
63
63
* \param s Signature to inspect
64
64
* \param sm SigMatch to inspect
66
65
* \param payload ptr to the uricontent payload to inspect
67
66
* \param payload_len length of the uricontent payload
72
71
static int DoInspectPacketUri(DetectEngineCtx *de_ctx,
73
72
DetectEngineThreadCtx *det_ctx, Signature *s, SigMatch *sm,
74
Packet *p, uint8_t *payload, uint32_t payload_len)
73
uint8_t *payload, uint32_t payload_len)
210
209
/* see if the next payload keywords match. If not, we will
211
210
* search for another occurence of this uricontent and see
212
211
* if the others match then until we run out of matches */
213
int r = DoInspectPacketUri(de_ctx,det_ctx,s,sm->next, p, payload, payload_len);
212
int r = DoInspectPacketUri(de_ctx,det_ctx,s,sm->next, payload, payload_len);
231
230
/* this sigmatch matched, inspect the next one. If it was the last,
232
231
* the payload portion of the signature matched. */
233
232
if (sm->next != NULL) {
234
int r = DoInspectPacketUri(de_ctx,det_ctx,s,sm->next, p, payload, payload_len);
233
int r = DoInspectPacketUri(de_ctx,det_ctx,s,sm->next, payload, payload_len);
248
247
* \param flags app layer flags
249
248
* \param state App layer state
252
250
* \retval 0 no match
253
251
* \retval 1 match
255
253
int DetectEngineInspectPacketUris(DetectEngineCtx *de_ctx,
256
254
DetectEngineThreadCtx *det_ctx, Signature *s, Flow *f, uint8_t flags,
257
void *alstate, Packet *p)
260
258
SigMatch *sm = NULL;
262
260
HtpState *htp_state = NULL;
262
if (!(det_ctx->sgh->flags & SIG_GROUP_HAVEURICONTENT)) {
263
SCLogDebug("no uricontent in sgh");
264
267
htp_state = (HtpState *)alstate;
265
268
if (htp_state == NULL) {
266
269
SCLogDebug("no HTTP state");
270
273
/* locking the flow, we will inspect the htp state */
271
274
SCMutexLock(&f->m);
276
if (htp_state->connp == NULL) {
277
SCLogDebug("HTP state has no connp");
281
/* If we have the uricontent multi pattern matcher signatures in
282
signature list, then search the received HTTP uri(s) in the htp
283
state against those patterns */
284
if (s->flags & SIG_FLAG_MPM_URI) {
285
if (det_ctx->de_mpm_scanned_uri == FALSE) {
286
uint32_t cnt = DetectUricontentInspectMpm(det_ctx, f, htp_state);
288
/* only consider uri sigs if we've seen at least one match */
289
/** \warning when we start supporting negated uri content matches
290
* we need to update this check as well */
292
det_ctx->de_have_httpuri = TRUE;
295
SCLogDebug("uricontent cnt %"PRIu32"", cnt);
297
/* make sure we don't inspect this mpm again */
298
det_ctx->de_mpm_scanned_uri = TRUE;
273
303
/* if we don't have a uri, don't bother inspecting */
274
304
if (det_ctx->de_have_httpuri == FALSE) {
275
305
SCLogDebug("We don't have uri");
279
if (htp_state->connp == NULL) {
280
SCLogDebug("HTP state has no connp");
309
if (det_ctx->de_mpm_scanned_uri == TRUE) {
310
if (det_ctx->pmq.pattern_id_bitarray != NULL) {
311
/* filter out sigs that want pattern matches, but
313
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_uripattern_id / 8)] & (1<<(s->mpm_uripattern_id % 8))) &&
314
(s->flags & SIG_FLAG_MPM_URI) && !(s->flags & SIG_FLAG_MPM_URI_NEG)) {
315
SCLogDebug("mpm sig without matches (pat id %"PRIu32
316
" check in uri).", s->mpm_uripattern_id);
290
328
SCLogDebug("co->id %"PRIu32, co->id);
331
size_t idx = AppLayerTransactionGetInspectId(f);
294
332
htp_tx_t *tx = NULL;
296
for (idx = 0;//htp_state->new_in_tx_index;
297
idx < list_size(htp_state->connp->conn->transactions); idx++)
334
for ( ; idx < list_size(htp_state->connp->conn->transactions); idx++)
299
336
tx = list_get(htp_state->connp->conn->transactions, idx);
300
337
if (tx == NULL || tx->request_uri_normalized == NULL)
303
340
/* Inspect all the uricontents fetched on each
304
341
* transaction at the app layer */
305
r = DoInspectPacketUri(de_ctx, det_ctx, s, s->umatch, p,
342
r = DoInspectPacketUri(de_ctx, det_ctx, s, s->umatch,
306
343
(uint8_t *) bstr_ptr(tx->request_uri_normalized),
307
344
bstr_len(tx->request_uri_normalized));
added
removed
src/detect-engine-uri.c
