is a network intrusion prevention and detection system (IDS/IPS) combining the benefits of signature, protocol and anomaly-based inspection.
| snort_httpinspect.c (snort-2.9.16.1) | : | snort_httpinspect.c (snort-2.9.17) |
|---|
| | |
| skipping to change at line 4252 | | skipping to change at line 4252 |
|---|
| { | | { |
| if(p->packet_flags & PKT_PDU_TAIL) | | if(p->packet_flags & PKT_PDU_TAIL) |
| file_data_position = SNORT_FILE_END; | | file_data_position = SNORT_FILE_END; |
| else if(processed_size) | | else if(processed_size) |
| file_data_position = SNORT_FILE_MIDDLE; | | file_data_position = SNORT_FILE_MIDDLE; |
| } | | } |
| } | | } |
| return file_data_position; | | return file_data_position; |
| } | | } |
| | |
|
| | char *convert_range_flag_to_str(uint16_t range_flag) |
| | { |
| | switch (range_flag) |
| | { |
| | case HTTP_RESP_RANGE_NONE: |
| | return "Range None"; |
| | case RANGE_WITH_RESP_FULL_CONTENT: |
| | return "Full Content"; |
| | case RANGE_WITH_RESP_PARTIAL_CONTENT: |
| | return "Partial Content"; |
| | case RANGE_WITH_RESP_ERROR: |
| | return "Error in Range Field"; |
| | case RANGE_WITH_RESP_NON_BYTE: |
| | return "Non-Byte unit"; |
| | case RANGE_WITH_UNKNOWN_CONTENT_RANGE: |
| | return "Unknown Range Content"; |
| | case RANGE_WITH_RESP_UNKNOWN_CONTENT_SIZE: |
| | return "Unknown Range Content Length"; |
| | default: |
| | return "Skip Range"; |
| | } |
| | } |
| | |
| /* | | /* |
| ** NAME | | ** NAME |
| ** SnortHttpInspect:: | | ** SnortHttpInspect:: |
| */ | | */ |
| /** | | /** |
| ** This function calls the HttpInspect function that processes an HTTP | | ** This function calls the HttpInspect function that processes an HTTP |
| ** session. | | ** session. |
| ** | | ** |
| ** We need to instantiate a pointer for the HI_SESSION that HttpInspect | | ** We need to instantiate a pointer for the HI_SESSION that HttpInspect |
| ** fills in. Right now stateless processing fills in this session, which | | ** fills in. Right now stateless processing fills in this session, which |
| | |
| skipping to change at line 4413 | | skipping to change at line 4436 |
|---|
| { | | { |
| flow_depth = Session->server_conf->client_flow_depth; | | flow_depth = Session->server_conf->client_flow_depth; |
| ApplyClientFlowDepth(p, flow_depth); | | ApplyClientFlowDepth(p, flow_depth); |
| } | | } |
| else | | else |
| { | | { |
| ApplyFlowDepth(Session->server_conf, p, hsd, 0, 1, GET_PKT_SEQ(p)); | | ApplyFlowDepth(Session->server_conf, p, hsd, 0, 1, GET_PKT_SEQ(p)); |
| } | | } |
| | |
| p->packet_flags |= PKT_HTTP_DECODE; | | p->packet_flags |= PKT_HTTP_DECODE; |
|
| | HttpLogFuncs(GlobalConf, hsd, p, iCallDetect); |
| | |
| if ( p->alt_dsize == 0 ) | | if ( p->alt_dsize == 0 ) |
| { | | { |
| DisableDetect( p ); | | DisableDetect( p ); |
| EnablePreprocessor(p, PP_SDF); | | EnablePreprocessor(p, PP_SDF); |
| return 0; | | return 0; |
| } | | } |
| // see comments on call to Detect() below | | // see comments on call to Detect() below |
| PREPROC_PROFILE_START(hiDetectPerfStats); | | PREPROC_PROFILE_START(hiDetectPerfStats); |
| Detect(p); | | Detect(p); |
| | |
| skipping to change at line 4699 | | skipping to change at line 4723 |
|---|
| ApplyClientFlowDepth(p, Session->server_conf->client_flow_depth)
; | | ApplyClientFlowDepth(p, Session->server_conf->client_flow_depth)
; |
| | |
| if( !GetHttpBufferMask() && (p->alt_dsize == 0) ) | | if( !GetHttpBufferMask() && (p->alt_dsize == 0) ) |
| { | | { |
| DisableDetect( p ); | | DisableDetect( p ); |
| EnablePreprocessor(p, PP_SDF); | | EnablePreprocessor(p, PP_SDF); |
| return 0; | | return 0; |
| } | | } |
| } | | } |
| | |
|
| | if (Session->client.request.range_flag != HTTP_RANGE_NONE) |
| | { |
| | if (Session->client.request.method != HI_GET_METHOD) |
| | { |
| | if (hi_eo_generate_event(Session, HI_EO_CLIENT_RANGE_NON_GET |
| | _METHOD)) |
| | { |
| | hi_eo_client_event_log(Session, HI_EO_CLIENT_RANGE_NON_G |
| | ET_METHOD, NULL, NULL); |
| | } |
| | } |
| | else |
| | { |
| | if (Session->client.request.range_flag == RANGE_WITH_REQ_ERR |
| | OR) |
| | { |
| | if (hi_eo_generate_event(Session, HI_EO_CLIENT_RANGE_FIE |
| | LD_ERROR)) |
| | { |
| | hi_eo_client_event_log(Session, HI_EO_CLIENT_RANGE_F |
| | IELD_ERROR, NULL, NULL); |
| | } |
| | } |
| | } |
| | } |
| } | | } |
| else /* Server mode */ | | else /* Server mode */ |
| { | | { |
| const HttpBuffer* hb; | | const HttpBuffer* hb; |
| | |
| /* | | /* |
| ** We check here to see whether this was a server response | | ** We check here to see whether this was a server response |
| ** header or not. If the header size is 0 then, we know that this | | ** header or not. If the header size is 0 then, we know that this |
| ** is not the header and don't do any detection. | | ** is not the header and don't do any detection. |
| */ | | */ |
| | |
| skipping to change at line 4823 | | skipping to change at line 4867 |
|---|
| #endif | | #endif |
| } | | } |
| | |
| if(Session->server.response.status_code) | | if(Session->server.response.status_code) |
| { | | { |
| SetHttpBuffer( | | SetHttpBuffer( |
| HTTP_BUFFER_STAT_CODE, | | HTTP_BUFFER_STAT_CODE, |
| Session->server.response.status_code, | | Session->server.response.status_code, |
| Session->server.response.status_code_size); | | Session->server.response.status_code_size); |
| | |
|
| if (!strncmp((const char*)Session->server.response.status_code,
"206", 3) && !hsd->resp_state.eoh_found) | | if (!strncmp((const char*)Session->server.response.status_code,
"206", 3)) |
| { | | { |
|
| /* If status code 206 is seen but EOH is not seen, then look | | if ((Session->server.response.range_flag == RANGE_WITH_RESP |
| for partial content | | _ERROR) && |
| * in subsequent packets | | hi_eo_generate_event(Session, HI_EO_SERVER_RANGE_FIELD_ |
| */ | | ERROR)) |
| hsd->resp_state.look_for_partial_content = true; | | { |
| | hi_eo_server_event_log(Session, HI_EO_SERVER_RANGE_FIEL |
| | D_ERROR, NULL, NULL); |
| | } |
| | |
| | if (Session->server.response.range_flag == HTTP_RESP_RANGE_ |
| | NONE) |
| | { |
| | hsd->resp_state.look_for_partial_content = CONTENT_NONE |
| | ; |
| | } |
| | else if (Session->server.response.range_flag == RANGE_WITH_ |
| | RESP_FULL_CONTENT) |
| | { |
| | hsd->resp_state.look_for_partial_content = FULL_CONTENT |
| | ; |
| | } |
| | else |
| | { |
| | hsd->resp_state.look_for_partial_content = PARTIAL_CONT |
| | ENT; |
| | } |
| | |
| | if ((Session->client.request.range_flag == HTTP_RANGE_WITH_ |
| | FULL_CONTENT_REQ) && |
| | ((Session->server.response.range_flag == RANGE_WITH_RES |
| | P_UNKNOWN_CONTENT_SIZE) || |
| | (Session->server.response.range_flag == RANGE_WITH_UNK |
| | NOWN_CONTENT_RANGE) || |
| | (Session->server.response.range_flag == RANGE_WITH_RES |
| | P_ERROR))) |
| | { |
| | hsd->resp_state.look_for_partial_content = FULL_CONTENT |
| | ; |
| | } |
| } | | } |
| | |
| #ifdef DUMP_BUFFER | | #ifdef DUMP_BUFFER |
| dumpBuffer(STAT_CODE_DUMP, Session->server.response.status_code,
Session->server.response.status_code_size); | | dumpBuffer(STAT_CODE_DUMP, Session->server.response.status_code,
Session->server.response.status_code_size); |
| #endif | | #endif |
| } | | } |
| | |
| if(Session->server.response.status_msg) | | if(Session->server.response.status_msg) |
| { | | { |
| SetHttpBuffer( | | SetHttpBuffer( |
| | |
| skipping to change at line 5085 | | skipping to change at line 5151 |
|---|
| return 0; | | return 0; |
| } | | } |
| | |
| HttpSessionData * SetNewHttpSessionData(Packet *p, void *data) | | HttpSessionData * SetNewHttpSessionData(Packet *p, void *data) |
| { | | { |
| HttpSessionData *hsd; | | HttpSessionData *hsd; |
| | |
| if (p->ssnptr == NULL) | | if (p->ssnptr == NULL) |
| return NULL; | | return NULL; |
| | |
|
| | hi_stats.session_count++; |
| | |
| hsd = (HttpSessionData *)SnortAlloc(sizeof(HttpSessionData)); | | hsd = (HttpSessionData *)SnortAlloc(sizeof(HttpSessionData)); |
|
| | hi_stats.mem_used += (sizeof(HttpSessionData) + sizeof(DECOMPRESS_STATE) + s
izeof(HTTP_LOG_STATE)); |
| init_decode_utf_state(&hsd->utf_state); | | init_decode_utf_state(&hsd->utf_state); |
| | |
| session_api->set_application_data(p->ssnptr, PP_HTTPINSPECT, hsd, FreeHttpSe
ssionData); | | session_api->set_application_data(p->ssnptr, PP_HTTPINSPECT, hsd, FreeHttpSe
ssionData); |
| | |
| hsd->fd_state = (fd_session_p_t)NULL; | | hsd->fd_state = (fd_session_p_t)NULL; |
| hsd->resp_state.eoh_found = false; | | hsd->resp_state.eoh_found = false; |
|
| hsd->resp_state.look_for_partial_content = false; | | hsd->resp_state.look_for_partial_content = CONTENT_NONE; |
| hsd->resp_state.chunk_len_state = CHUNK_LEN_DEFAULT; | | hsd->resp_state.chunk_len_state = CHUNK_LEN_DEFAULT; |
| | |
| return hsd; | | return hsd; |
| } | | } |
| | |
| void FreeHttpSessionData(void *data) | | void FreeHttpSessionData(void *data) |
| { | | { |
| HttpSessionData *hsd = (HttpSessionData *)data; | | HttpSessionData *hsd = (HttpSessionData *)data; |
| | |
| if (hsd == NULL) | | if (hsd == NULL) |
| return; | | return; |
|
| | hi_stats.session_count--; |
| | |
| if (hsd->decomp_state != NULL) | | if (hsd->decomp_state != NULL) |
| { | | { |
| inflateEnd(&(hsd->decomp_state->d_stream)); | | inflateEnd(&(hsd->decomp_state->d_stream)); |
| mempool_free(hi_gzip_mempool, hsd->decomp_state->bkt); | | mempool_free(hi_gzip_mempool, hsd->decomp_state->bkt); |
| } | | } |
| | |
| if (hsd->log_state != NULL) | | if (hsd->log_state != NULL) |
| { | | { |
| mempool_free(http_mempool, hsd->log_state->log_bucket); | | mempool_free(http_mempool, hsd->log_state->log_bucket); |
| | |
| skipping to change at line 5128 | | skipping to change at line 5198 |
|---|
| deleteNode_tList(hsd); | | deleteNode_tList(hsd); |
| | |
| file_api->free_mime_session(hsd->mime_ssn); | | file_api->free_mime_session(hsd->mime_ssn); |
| | |
| if( hsd->fd_state != 0 ) | | if( hsd->fd_state != 0 ) |
| { | | { |
| File_Decomp_StopFree(hsd->fd_state); // Stop & Stop & Free fd session
object | | File_Decomp_StopFree(hsd->fd_state); // Stop & Stop & Free fd session
object |
| hsd->fd_state = NULL; // ...just for good measure | | hsd->fd_state = NULL; // ...just for good measure |
| } | | } |
| | |
|
| | hi_stats.mem_used -= (sizeof(HttpSessionData) + sizeof(DECOMPRESS_STATE) + s
izeof(HTTP_LOG_STATE)); |
| free(hsd); | | free(hsd); |
| } | | } |
| | |
| int GetHttpTrueIP(void *data, uint8_t **buf, uint32_t *len, uint32_t *type) | | int GetHttpTrueIP(void *data, uint8_t **buf, uint32_t *len, uint32_t *type) |
| { | | { |
| sfaddr_t *true_ip; | | sfaddr_t *true_ip; |
| | |
| true_ip = GetTrueIPForSession(data); | | true_ip = GetTrueIPForSession(data); |
| if(!true_ip) | | if(!true_ip) |
| return 0; | | return 0; |
| | |
| skipping to change at line 5412 | | skipping to change at line 5483 |
|---|
| //Only for POST | | //Only for POST |
| flow_depth = serverConf->post_depth; | | flow_depth = serverConf->post_depth; |
| } | | } |
| else if( flags & PKT_FROM_SERVER ) | | else if( flags & PKT_FROM_SERVER ) |
| { | | { |
| flow_depth = serverConf->server_flow_depth; | | flow_depth = serverConf->server_flow_depth; |
| } | | } |
| return flow_depth; | | return flow_depth; |
| } | | } |
| | |
|
| bool isHttpRespPartialCont(void *data) | | uint8_t isHttpRespPartialCont(void *data) |
| { | | { |
| HttpSessionData *hsd = NULL; | | HttpSessionData *hsd = NULL; |
| | |
| if (data == NULL) { | | if (data == NULL) { |
|
| return false; | | return CONTENT_NONE; |
| } | | } |
| | |
| hsd = (HttpSessionData *)session_api->get_application_data(data, PP_HTTPINSP
ECT); | | hsd = (HttpSessionData *)session_api->get_application_data(data, PP_HTTPINSP
ECT); |
| if (hsd == NULL) { | | if (hsd == NULL) { |
|
| return false; | | return CONTENT_NONE; |
| } | | } |
| | |
| return hsd->resp_state.look_for_partial_content; | | return hsd->resp_state.look_for_partial_content; |
| } | | } |
| | | |
| End of changes. 13 change blocks. |
|---|
| 10 lines changed or deleted | | 98 lines changed or added |
|---|
"Fossies" - the Fresh Open Source Software Archive 