/src/suricata7/src/detect-uricontent.c

Source
/* Copyright (C) 2007-2022 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \file
 *
 * \author  Victor Julien <victor@inliniac.net>
 * \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
 *
 * Simple uricontent match part of the detection engine.
 */

#include "suricata-common.h"
#include "decode.h"
#include "detect.h"
#include "detect-content.h"
#include "detect-http-uri.h"
#include "detect-uricontent.h"
#include "detect-engine-mpm.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-state.h"
#include "flow.h"
#include "detect-flow.h"
#include "flow-var.h"
#include "flow-util.h"
#include "threads.h"

#include "stream-tcp.h"
#include "stream.h"
#include "app-layer.h"
#include "app-layer-parser.h"
#include "app-layer-protos.h"
#include "app-layer-htp.h"

#include "util-mpm.h"
#include "util-print.h"
#include "util-debug.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "util-spm.h"
#include "conf.h"

/* prototypes */
static int DetectUricontentSetup(DetectEngineCtx *, Signature *, const char *);
static void DetectUricontentFree(DetectEngineCtx *de_ctx, void *);

static int g_http_uri_buffer_id = 0;

/**
 * \brief Registration function for uricontent: keyword
 */
void DetectUricontentRegister (void)
{
    sigmatch_table[DETECT_URICONTENT].name = "uricontent";
    sigmatch_table[DETECT_URICONTENT].desc = "legacy keyword to match on the request URI buffer";
    sigmatch_table[DETECT_URICONTENT].url = "/rules/http-keywords.html#uricontent";
    sigmatch_table[DETECT_URICONTENT].Match = NULL;
    sigmatch_table[DETECT_URICONTENT].Setup = DetectUricontentSetup;
    sigmatch_table[DETECT_URICONTENT].Free = DetectUricontentFree;
    sigmatch_table[DETECT_URICONTENT].flags = (SIGMATCH_QUOTES_MANDATORY|SIGMATCH_HANDLE_NEGATION);
    sigmatch_table[DETECT_URICONTENT].alternative = DETECT_HTTP_URI;

    g_http_uri_buffer_id = DetectBufferTypeRegister("http_uri");
}

/**
 * \brief this function will Free memory associated with DetectContentData
 *
 * \param cd pointer to DetectUricontentData
 */
void DetectUricontentFree(DetectEngineCtx *de_ctx, void *ptr)
{
    SCEnter();
    DetectContentData *cd = (DetectContentData *)ptr;

    if (cd == NULL)
        SCReturn;

    SpmDestroyCtx(cd->spm_ctx);
    SCFree(cd);

    SCReturn;
}

/**
 * \brief Creates a SigMatch for the uricontent keyword being sent as argument,
 *        and appends it to the Signature(s).
 *
 * \param de_ctx    Pointer to the detection engine context
 * \param s         Pointer to signature for the current Signature being parsed
 *                  from the rules
 * \param contentstr  Pointer to the string holding the keyword value
 *
 * \retval 0 on success, -1 on failure
 */
int DetectUricontentSetup(DetectEngineCtx *de_ctx, Signature *s, const char *contentstr)
{
    SCEnter();

    const char *legacy = NULL;
    if (ConfGet("legacy.uricontent", &legacy) == 1) {
        if (strcasecmp("disabled", legacy) == 0) {
            SCLogError("uricontent deprecated.  To "
                       "use a rule with \"uricontent\", either set the "
                       "option - \"legacy.uricontent\" in the conf to "
                       "\"enabled\" OR replace uricontent with "
                       "\'content:%s; http_uri;\'.",
                    contentstr);
            goto error;
        } else if (strcasecmp("enabled", legacy) == 0) {
            ;
        } else {
            SCLogError("Invalid value found "
                       "for legacy.uricontent - \"%s\".  Valid values are "
                       "\"enabled\" OR \"disabled\".",
                    legacy);
            goto error;
        }
    }

    if (DetectContentSetup(de_ctx, s, contentstr) < 0)
        goto error;

    if (DetectHttpUriSetup(de_ctx, s, NULL) < 0)
        goto error;

    SCReturnInt(0);
error:
    SCReturnInt(-1);
}

Line	Count	Source
1		/* Copyright (C) 2007-2022 Open Information Security Foundation
2		*
3		* You can copy, redistribute or modify this Program under the terms of
4		* the GNU General Public License version 2 as published by the Free
5		* Software Foundation.
6		*
7		* This program is distributed in the hope that it will be useful,
8		* but WITHOUT ANY WARRANTY; without even the implied warranty of
9		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10		* GNU General Public License for more details.
11		*
12		* You should have received a copy of the GNU General Public License
13		* version 2 along with this program; if not, write to the Free Software
14		* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15		* 02110-1301, USA.
16		*/
17
18		/**
19		* \file
20		*
21		* \author Victor Julien <victor@inliniac.net>
22		* \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
23		*
24		* Simple uricontent match part of the detection engine.
25		*/
26
27		#include "suricata-common.h"
28		#include "decode.h"
29		#include "detect.h"
30		#include "detect-content.h"
31		#include "detect-http-uri.h"
32		#include "detect-uricontent.h"
33		#include "detect-engine-mpm.h"
34		#include "detect-parse.h"
35		#include "detect-engine.h"
36		#include "detect-engine-state.h"
37		#include "flow.h"
38		#include "detect-flow.h"
39		#include "flow-var.h"
40		#include "flow-util.h"
41		#include "threads.h"
42
43		#include "stream-tcp.h"
44		#include "stream.h"
45		#include "app-layer.h"
46		#include "app-layer-parser.h"
47		#include "app-layer-protos.h"
48		#include "app-layer-htp.h"
49
50		#include "util-mpm.h"
51		#include "util-print.h"
52		#include "util-debug.h"
53		#include "util-unittest.h"
54		#include "util-unittest-helper.h"
55		#include "util-spm.h"
56		#include "conf.h"
57
58		/* prototypes */
59		static int DetectUricontentSetup(DetectEngineCtx , Signature , const char *);
60		static void DetectUricontentFree(DetectEngineCtx de_ctx, void );
61
62		static int g_http_uri_buffer_id = 0;
63
64		/**
65		* \brief Registration function for uricontent: keyword
66		*/
67		void DetectUricontentRegister (void)
68	73	{
69	73	sigmatch_table[DETECT_URICONTENT].name = "uricontent";
70	73	sigmatch_table[DETECT_URICONTENT].desc = "legacy keyword to match on the request URI buffer";
71	73	sigmatch_table[DETECT_URICONTENT].url = "/rules/http-keywords.html#uricontent";
72	73	sigmatch_table[DETECT_URICONTENT].Match = NULL;
73	73	sigmatch_table[DETECT_URICONTENT].Setup = DetectUricontentSetup;
74	73	sigmatch_table[DETECT_URICONTENT].Free = DetectUricontentFree;
75	73	sigmatch_table[DETECT_URICONTENT].flags = (SIGMATCH_QUOTES_MANDATORY\|SIGMATCH_HANDLE_NEGATION);
76	73	sigmatch_table[DETECT_URICONTENT].alternative = DETECT_HTTP_URI;
77
78	73	g_http_uri_buffer_id = DetectBufferTypeRegister("http_uri");
79	73	}
80
81		/**
82		* \brief this function will Free memory associated with DetectContentData
83		*
84		* \param cd pointer to DetectUricontentData
85		*/
86		void DetectUricontentFree(DetectEngineCtx de_ctx, void ptr)
87	0	{
88	0	SCEnter();
89	0	DetectContentData cd = (DetectContentData )ptr;
90
91	0	if (cd == NULL)
92	0	SCReturn;
93
94	0	SpmDestroyCtx(cd->spm_ctx);
95	0	SCFree(cd);
96
97	0	SCReturn;
98	0	}
99
100		/**
101		* \brief Creates a SigMatch for the uricontent keyword being sent as argument,
102		* and appends it to the Signature(s).
103		*
104		* \param de_ctx Pointer to the detection engine context
105		* \param s Pointer to signature for the current Signature being parsed
106		* from the rules
107		* \param contentstr Pointer to the string holding the keyword value
108		*
109		* \retval 0 on success, -1 on failure
110		*/
111		int DetectUricontentSetup(DetectEngineCtx de_ctx, Signature s, const char *contentstr)
112	33.7k	{
113	33.7k	SCEnter();
114
115	33.7k	const char *legacy = NULL;
116	33.7k	if (ConfGet("legacy.uricontent", &legacy) == 1) {
117	0	if (strcasecmp("disabled", legacy) == 0) {
118	0	SCLogError("uricontent deprecated. To "
119	0	"use a rule with \"uricontent\", either set the "
120	0	"option - \"legacy.uricontent\" in the conf to "
121	0	"\"enabled\" OR replace uricontent with "
122	0	"\'content:%s; http_uri;\'.",
123	0	contentstr);
124	0	goto error;
125	0	} else if (strcasecmp("enabled", legacy) == 0) {
126	0	;
127	0	} else {
128	0	SCLogError("Invalid value found "
129	0	"for legacy.uricontent - \"%s\". Valid values are "
130	0	"\"enabled\" OR \"disabled\".",
131	0	legacy);
132	0	goto error;
133	0	}
134	0	}
135
136	33.7k	if (DetectContentSetup(de_ctx, s, contentstr) < 0)
137	1.10k	goto error;
138
139	32.6k	if (DetectHttpUriSetup(de_ctx, s, NULL) < 0)
140	549	goto error;
141
142	32.6k	SCReturnInt(0);
143	1.65k	error:
144	1.65k	SCReturnInt(-1);
145	32.6k	}

Coverage Report

Created: 2026-01-16 07:00