suricata
detect-http-host.c
Go to the documentation of this file.
1/* Copyright (C) 2007-2019 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \ingroup httplayer
20 *
21 * @{
22 */
23
24
25/**
26 * \file
27 *
28 * \author Anoop Saldanha <anoopsaldanha@gmail.com>
29 *
30 * Implements support for the http_host keyword.
31 */
32
33#include "suricata-common.h"
34#include "threads.h"
35#include "decode.h"
36
37#include "detect.h"
38#include "detect-parse.h"
39#include "detect-engine.h"
40#include "detect-engine-buffer.h"
41#include "detect-engine-mpm.h"
42#include "detect-engine-prefilter.h"
43#include "detect-content.h"
44#include "detect-pcre.h"
45
46#include "flow.h"
47#include "flow-var.h"
48#include "flow-util.h"
49
50#include "util-debug.h"
51#include "util-unittest.h"
52#include "util-unittest-helper.h"
53#include "util-spm.h"
54
55#include "app-layer.h"
56#include "app-layer-parser.h"
57
58#include "app-layer-htp.h"
59#include "stream-tcp.h"
60#include "detect-http-host.h"
61
62static int DetectHttpHHSetup(DetectEngineCtx *, Signature *, const char *);
63#ifdef UNITTESTS
64static void DetectHttpHHRegisterTests(void);
65#endif
66static bool DetectHttpHostValidateCallback(
67 const Signature *s, const char **sigerror, const DetectBufferType *dbt);
68static int DetectHttpHostSetup(DetectEngineCtx *, Signature *, const char *);
69static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
70 const DetectEngineTransforms *transforms,
71 Flow *_f, const uint8_t _flow_flags,
72 void *txv, const int list_id);
73static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx,
74 const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
75 const int list_id);
76static int DetectHttpHRHSetup(DetectEngineCtx *, Signature *, const char *);
77static int g_http_raw_host_buffer_id = 0;
78static int DetectHttpHostRawSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str);
79static InspectionBuffer *GetRawData(DetectEngineThreadCtx *det_ctx,
80 const DetectEngineTransforms *transforms, Flow *_f,
81 const uint8_t _flow_flags, void *txv, const int list_id);
82static InspectionBuffer *GetRawData2(DetectEngineThreadCtx *det_ctx,
83 const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
84 const int list_id);
85static int g_http_host_buffer_id = 0;
86
87/**
88 * \brief Registers the keyword handlers for the "http_host" keyword.
89 */
90void DetectHttpHHRegister(void)
91{
92 /* http_host content modifier */
93 sigmatch_table[DETECT_HTTP_HOST_CM].name = "http_host";
94 sigmatch_table[DETECT_HTTP_HOST_CM].desc = "content modifier to match on the HTTP hostname";
95 sigmatch_table[DETECT_HTTP_HOST_CM].url =
96 "/rules/http-keywords.html#http-host-and-http-raw-host";
97 sigmatch_table[DETECT_HTTP_HOST_CM].Setup = DetectHttpHHSetup;
98#ifdef UNITTESTS
99 sigmatch_table[DETECT_HTTP_HOST_CM].RegisterTests = DetectHttpHHRegisterTests;
100#endif
101 sigmatch_table[DETECT_HTTP_HOST_CM].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_CONTENT_MODIFIER;
102 sigmatch_table[DETECT_HTTP_HOST_CM].alternative = DETECT_HTTP_HOST;
103
104 /* http.host sticky buffer */
105 sigmatch_table[DETECT_HTTP_HOST].name = "http.host";
106 sigmatch_table[DETECT_HTTP_HOST].desc = "sticky buffer to match on the HTTP Host buffer";
107 sigmatch_table[DETECT_HTTP_HOST].url = "/rules/http-keywords.html#http-host-and-http-raw-host";
108 sigmatch_table[DETECT_HTTP_HOST].Setup = DetectHttpHostSetup;
109 sigmatch_table[DETECT_HTTP_HOST].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
110
111 DetectAppLayerInspectEngineRegister("http_host", ALPROTO_HTTP1, SIG_FLAG_TOSERVER,
112 HTP_REQUEST_PROGRESS_HEADERS, DetectEngineInspectBufferGeneric, GetData);
113
114 DetectAppLayerMpmRegister("http_host", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
115 GetData, ALPROTO_HTTP1, HTP_REQUEST_PROGRESS_HEADERS);
116
117 DetectAppLayerInspectEngineRegister("http_host", ALPROTO_HTTP2, SIG_FLAG_TOSERVER,
118 HTTP2StateDataClient, DetectEngineInspectBufferGeneric, GetData2);
119
120 DetectAppLayerMpmRegister("http_host", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
121 GetData2, ALPROTO_HTTP2, HTTP2StateDataClient);
122
123 DetectBufferTypeRegisterValidateCallback("http_host",
124 DetectHttpHostValidateCallback);
125
126 DetectBufferTypeSetDescriptionByName("http_host",
127 "http host");
128
129 g_http_host_buffer_id = DetectBufferTypeGetByName("http_host");
130
131 /* http_raw_host content modifier */
132 sigmatch_table[DETECT_HTTP_RAW_HOST].name = "http_raw_host";
133 sigmatch_table[DETECT_HTTP_RAW_HOST].desc = "content modifier to match on the HTTP host header "
134 "or the raw hostname from the HTTP uri";
135 sigmatch_table[DETECT_HTTP_RAW_HOST].url =
136 "/rules/http-keywords.html#http-host-and-http-raw-host";
137 sigmatch_table[DETECT_HTTP_RAW_HOST].Setup = DetectHttpHRHSetup;
138 sigmatch_table[DETECT_HTTP_RAW_HOST].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_CONTENT_MODIFIER;
139 sigmatch_table[DETECT_HTTP_RAW_HOST].alternative = DETECT_HTTP_HOST_RAW;
140
141 /* http.host sticky buffer */
142 sigmatch_table[DETECT_HTTP_HOST_RAW].name = "http.host.raw";
143 sigmatch_table[DETECT_HTTP_HOST_RAW].desc = "sticky buffer to match on the HTTP host header or the raw hostname from the HTTP uri";
144 sigmatch_table[DETECT_HTTP_HOST_RAW].url = "/rules/http-keywords.html#http-host-and-http-raw-host";
145 sigmatch_table[DETECT_HTTP_HOST_RAW].Setup = DetectHttpHostRawSetupSticky;
146 sigmatch_table[DETECT_HTTP_HOST_RAW].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
147
148 DetectAppLayerInspectEngineRegister("http_raw_host", ALPROTO_HTTP1, SIG_FLAG_TOSERVER,
149 HTP_REQUEST_PROGRESS_HEADERS, DetectEngineInspectBufferGeneric, GetRawData);
150
151 DetectAppLayerMpmRegister("http_raw_host", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
152 GetRawData, ALPROTO_HTTP1, HTP_REQUEST_PROGRESS_HEADERS);
153
154 DetectAppLayerInspectEngineRegister("http_raw_host", ALPROTO_HTTP2, SIG_FLAG_TOSERVER,
155 HTTP2StateDataClient, DetectEngineInspectBufferGeneric, GetRawData2);
156
157 DetectAppLayerMpmRegister("http_raw_host", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
158 GetRawData2, ALPROTO_HTTP2, HTTP2StateDataClient);
159
160 DetectBufferTypeSetDescriptionByName("http_raw_host",
161 "http raw host header");
162
163 g_http_raw_host_buffer_id = DetectBufferTypeGetByName("http_raw_host");
164}
165
166/**
167 * \brief The setup function for the http_host keyword for a signature.
168 *
169 * \param de_ctx Pointer to the detection engine context.
170 * \param s Pointer to the signature for the current Signature being
171 * parsed from the rules.
172 * \param m Pointer to the head of the SigMatch for the current rule
173 * being parsed.
174 * \param arg Pointer to the string holding the keyword value.
175 *
176 * \retval 0 On success
177 * \retval -1 On failure
178 */
179static int DetectHttpHHSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
180{
181 return DetectEngineContentModifierBufferSetup(
182 de_ctx, s, arg, DETECT_HTTP_HOST_CM, g_http_host_buffer_id, ALPROTO_HTTP1);
183}
184
185static bool DetectHttpHostValidateCallback(
186 const Signature *s, const char **sigerror, const DetectBufferType *dbt)
187{
188 for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
189 if (s->init_data->buffers[x].id != (uint32_t)dbt->id)
190 continue;
191 const SigMatch *sm = s->init_data->buffers[x].head;
192 for (; sm != NULL; sm = sm->next) {
193 if (sm->type == DETECT_CONTENT) {
194 DetectContentData *cd = (DetectContentData *)sm->ctx;
195 if (cd->flags & DETECT_CONTENT_NOCASE) {
196 *sigerror = "http.host keyword "
197 "specified along with \"nocase\". "
198 "The hostname buffer is normalized "
199 "to lowercase, specifying "
200 "nocase is redundant.";
201 SCLogWarning("rule %u: %s", s->id, *sigerror);
202 return false;
203 } else {
204 uint32_t u;
205 for (u = 0; u < cd->content_len; u++) {
206 if (isupper(cd->content[u]))
207 break;
208 }
209 if (u != cd->content_len) {
210 *sigerror = "A pattern with "
211 "uppercase characters detected for http.host. "
212 "The hostname buffer is normalized to lowercase, "
213 "please specify a lowercase pattern.";
214 SCLogWarning("rule %u: %s", s->id, *sigerror);
215 return false;
216 }
217 }
218 }
219 }
220 }
221
222 return true;
223}
224
225/**
226 * \brief this function setup the http.host keyword used in the rule
227 *
228 * \param de_ctx Pointer to the Detection Engine Context
229 * \param s Pointer to the Signature to which the current keyword belongs
230 * \param str Should hold an empty string always
231 *
232 * \retval 0 On success
233 */
234static int DetectHttpHostSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
235{
236 if (SCDetectBufferSetActiveList(de_ctx, s, g_http_host_buffer_id) < 0)
237 return -1;
238 if (SCDetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)
239 return -1;
240 return 0;
241}
242
243static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
244 const DetectEngineTransforms *transforms, Flow *_f,
245 const uint8_t _flow_flags, void *txv, const int list_id)
246{
247 InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
248 if (buffer->inspect == NULL) {
249 htp_tx_t *tx = (htp_tx_t *)txv;
250
251 if (htp_tx_request_hostname(tx) == NULL)
252 return NULL;
253
254 const uint32_t data_len = (uint32_t)bstr_len(htp_tx_request_hostname(tx));
255 const uint8_t *data = bstr_ptr(htp_tx_request_hostname(tx));
256
257 InspectionBufferSetupAndApplyTransforms(
258 det_ctx, list_id, buffer, data, data_len, transforms);
259 }
260
261 return buffer;
262}
263
264static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx,
265 const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
266 const int list_id)
267{
268 InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
269 if (buffer->inspect == NULL) {
270 uint32_t b_len = 0;
271 const uint8_t *b = NULL;
272
273 if (SCHttp2TxGetHostNorm(txv, &b, &b_len) != 1)
274 return NULL;
275 if (b == NULL || b_len == 0)
276 return NULL;
277
278 InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
279 }
280
281 return buffer;
282}
283
284static InspectionBuffer *GetRawData2(DetectEngineThreadCtx *det_ctx,
285 const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
286 const int list_id)
287{
288 InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
289 if (buffer->inspect == NULL) {
290 uint32_t b_len = 0;
291 const uint8_t *b = NULL;
292
293 if (SCHttp2TxGetHost(txv, &b, &b_len) != 1)
294 return NULL;
295 if (b == NULL || b_len == 0)
296 return NULL;
297
298 InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
299 }
300
301 return buffer;
302}
303
304/**
305 * \brief The setup function for the http_raw_host keyword for a signature.
306 *
307 * \param de_ctx Pointer to the detection engine context.
308 * \param s Pointer to the signature for the current Signature being
309 * parsed from the rules.
310 * \param m Pointer to the head of the SigMatch for the current rule
311 * being parsed.
312 * \param arg Pointer to the string holding the keyword value.
313 *
314 * \retval 0 On success
315 * \retval -1 On failure
316 */
317int DetectHttpHRHSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
318{
319 return DetectEngineContentModifierBufferSetup(
320 de_ctx, s, arg, DETECT_HTTP_RAW_HOST, g_http_raw_host_buffer_id, ALPROTO_HTTP1);
321}
322
323/**
324 * \brief this function setup the http.host keyword used in the rule
325 *
326 * \param de_ctx Pointer to the Detection Engine Context
327 * \param s Pointer to the Signature to which the current keyword belongs
328 * \param str Should hold an empty string always
329 *
330 * \retval 0 On success
331 */
332static int DetectHttpHostRawSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
333{
334 if (SCDetectBufferSetActiveList(de_ctx, s, g_http_raw_host_buffer_id) < 0)
335 return -1;
336 if (SCDetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)
337 return -1;
338 return 0;
339}
340
341static InspectionBuffer *GetRawData(DetectEngineThreadCtx *det_ctx,
342 const DetectEngineTransforms *transforms, Flow *_f,
343 const uint8_t _flow_flags, void *txv, const int list_id)
344{
345 InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
346 if (buffer->inspect == NULL) {
347 htp_tx_t *tx = (htp_tx_t *)txv;
348
349 const uint8_t *data = NULL;
350 uint32_t data_len = 0;
351
352 if (htp_uri_hostname(htp_tx_parsed_uri(tx)) == NULL) {
353 if (htp_tx_request_headers(tx) == NULL)
354 return NULL;
355
356 const htp_header_t *h = htp_tx_request_header(tx, "Host");
357 if (h == NULL || htp_header_value(h) == NULL)
358 return NULL;
359
360 data = htp_header_value_ptr(h);
361 data_len = (uint32_t)htp_header_value_len(h);
362 } else {
363 data = (const uint8_t *)bstr_ptr(htp_uri_hostname(htp_tx_parsed_uri(tx)));
364 data_len = (uint32_t)bstr_len(htp_uri_hostname(htp_tx_parsed_uri(tx)));
365 }
366
367 InspectionBufferSetupAndApplyTransforms(
368 det_ctx, list_id, buffer, data, data_len, transforms);
369 }
370
371 return buffer;
372}
373
374/************************************Unittests*********************************/
375
376#ifdef UNITTESTS
377#include "tests/detect-http-host.c"
378#endif /* UNITTESTS */
379
380/**
381 * @}
382 */
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition app-layer-protos.h:69
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition app-layer-protos.h:76
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition app-layer-protos.h:36
detect-content.h
DETECT_CONTENT_NOCASE
#define DETECT_CONTENT_NOCASE
Definition detect-content.h:29
SCDetectBufferSetActiveList
int SCDetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
Definition detect-engine-buffer.c:29
InspectionBufferSetupAndApplyTransforms
void InspectionBufferSetupAndApplyTransforms(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len, const DetectEngineTransforms *transforms)
setup the buffer with our initial data
Definition detect-engine-inspect-buffer.c:197
InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition detect-engine-inspect-buffer.c:56
DetectAppLayerMpmRegister
void DetectAppLayerMpmRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register an app layer keyword for mpm
Definition detect-engine-mpm.c:152
PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
Definition detect-engine-prefilter.c:1584
DETECT_HTTP_RAW_HOST
@ DETECT_HTTP_RAW_HOST
Definition detect-engine-register.h:186
DETECT_HTTP_HOST_CM
@ DETECT_HTTP_HOST_CM
Definition detect-engine-register.h:184
DETECT_HTTP_HOST_RAW
@ DETECT_HTTP_HOST_RAW
Definition detect-engine-register.h:187
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition detect-engine.c:1374
DetectEngineInspectBufferGeneric
uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition detect-engine.c:2057
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
Definition detect-engine.c:272
DetectBufferTypeRegisterValidateCallback
void DetectBufferTypeRegisterValidateCallback(const char *name, bool(*ValidateCallback)(const Signature *, const char **sigerror, const DetectBufferType *))
Definition detect-engine.c:1489
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition detect-engine.c:1277
DetectHttpHHRegister
void DetectHttpHHRegister(void)
Registers the keyword handlers for the "http_host" keyword.
Definition detect-http-host.c:90
SCDetectSignatureSetAppProto
int SCDetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition detect-parse.c:2229
DetectEngineContentModifierBufferSetup
int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg, int sm_type, int sm_list, AppProto alproto)
Definition detect-parse.c:146
sigmatch_table
SigTableElmt * sigmatch_table
Definition detect-parse.c:79
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition detect.h:1651
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition detect.h:1676
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition detect.h:271
SIGMATCH_INFO_CONTENT_MODIFIER
#define SIGMATCH_INFO_CONTENT_MODIFIER
Definition detect.h:1674
de_ctx
DetectEngineCtx * de_ctx
Definition fuzz_siginit.c:18
DetectBufferType_
Definition detect.h:449
DetectBufferType_::id
int id
Definition detect.h:452
DetectContentData_
Definition detect-content.h:93
DetectEngineCtx_
main detection engine ctx
Definition detect.h:932
DetectEngineThreadCtx_
Definition detect.h:1244
Flow_
Flow data structure.
Definition flow.h:356
SigMatch_
a single match condition for a signature
Definition detect.h:356
SigMatch_::type
uint16_t type
Definition detect.h:357
SigMatch_::next
struct SigMatch_ * next
Definition detect.h:360
SigMatch_::ctx
SigMatchCtx * ctx
Definition detect.h:359
SigTableElmt_::url
const char * url
Definition detect.h:1462
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition detect.h:1441
SigTableElmt_::alternative
uint16_t alternative
Definition detect.h:1457
SigTableElmt_::flags
uint16_t flags
Definition detect.h:1450
SigTableElmt_::desc
const char * desc
Definition detect.h:1461
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition detect.h:1448
SigTableElmt_::name
const char * name
Definition detect.h:1459
SignatureInitDataBuffer_::head
SigMatch * head
Definition detect.h:534
SignatureInitDataBuffer_::id
uint32_t id
Definition detect.h:525
SignatureInitData_::buffers
SignatureInitDataBuffer * buffers
Definition detect.h:647
SignatureInitData_::buffer_index
uint32_t buffer_index
Definition detect.h:648
Signature_
Signature container.
Definition detect.h:668
Signature_::init_data
SignatureInitData * init_data
Definition detect.h:747
Signature_::id
uint32_t id
Definition detect.h:713
str
#define str(s)
Definition suricata-common.h:308
detect-http-host.c
Handle HTTP host header. HHHD - Http Host Header Data.
DetectHttpHHRegisterTests
void DetectHttpHHRegisterTests(void)
Definition detect-http-host.c:2544
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition util-debug.h:255