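//--------------------------------------------------------------------------
// Copyright (C) 2016-2021 Cisco and/or its affiliates. All rights reserved.
//
// This program is free software; you can redistribute it and/or modify it
// under the terms of the GNU General Public License Version 2 as published
// by the Free Software Foundation.  You may not use, modify or distribute
// this program under any other version of the GNU General Public License.
//
// This program is distributed in the hope that it will be useful, but
// WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
// General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
//--------------------------------------------------------------------------
// http_js_norm.h author Tom Peters <thopeter@cisco.com>

#ifndef HTTP_JS_NORM_H
#define HTTP_JS_NORM_H

// Standard headers for every std name this header spells out itself
// (size_t, fixed-width integers, std::string, std::unordered_set), so the
// header does not depend on transitive includes from the project headers.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <unordered_set>

#include "search_engines/search_tool.h"

#include "http_field.h"
#include "http_flow_data.h"
#include "http_event.h"
#include "http_module.h"

//-------------------------------------------------------------------------
// HttpJsNorm class
//-------------------------------------------------------------------------

// JavaScript normalization entry points for HTTP message bodies.
// The class carries the configured limits (depths and nesting bounds) and the
// pattern-search tools used to locate script content; the normalization
// routines themselves are defined outside this header.
//
// NOTE(review): the class declares a destructor and holds raw SearchTool
// pointers. Whether the destructor frees them is not visible here; if it does,
// the implicitly generated copy constructor would lead to a double free.
// Confirm against the .cpp and consider deleting the copy operations.
class HttpJsNorm
{
public:
    // Stores the configuration used by the normalization routines.
    // uri_param and ignored_ids are kept as reference members (see below), so
    // the objects passed here must outlive this HttpJsNorm instance.
    // NOTE(review): the depth/nesting arguments look like resource bounds on
    // processing untrusted body content; units and the meaning of special
    // values (e.g. negative depths) are not visible here - confirm in the
    // module configuration.
    HttpJsNorm(const HttpParaList::UriParam&, int64_t normalization_depth,
        int32_t identifier_depth, uint8_t max_template_nesting, uint32_t max_bracket_depth,
        uint32_t max_scope_depth, const std::unordered_set<std::string>& ignored_ids);
    ~HttpJsNorm();

    // Records the detection depth for later use by the normalization routines.
    void set_detection_depth(size_t depth)
    { detection_depth = depth; }

    // Normalization entry points: each reads `input` and writes its result to
    // `output`. All are const, so they do not modify this object's members.
    // The meaning of the trailing bool on do_inline/do_external is not visible
    // in this header.
    void do_legacy(const Field& input, Field& output, HttpInfractions*, HttpEventGen*,
        int max_javascript_whitespaces) const;
    void do_inline(const Field& input, Field& output, HttpInfractions*, HttpFlowData*, bool) const;
    void do_external(const Field& input, Field& output, HttpInfractions*, HttpFlowData*, bool) const;

    // Setup step defined in the .cpp; presumably guarded by configure_once so
    // that it runs a single time - confirm there.
    void configure();

private:
    // Identifiers for the attribute patterns; presumably the ids registered
    // with mpse_attr - confirm in the .cpp.
    enum AttrId { AID_SLASH, AID_GT, AID_SRC, AID_JS, AID_ECMA, AID_VB };

    // State shared with the match callbacks below (presumably handed over
    // through one of their void* arguments - confirm in the .cpp).
    struct MatchContext
    {
        const char* next;
        bool is_javascript;
        bool is_external;
        bool is_shortened;
    };

    // Reference member: the referenced UriParam is not owned and must outlive
    // this object.
    const HttpParaList::UriParam& uri_param;
    // Written by set_detection_depth(); there is no in-class initializer.
    // NOTE(review): confirm the constructor initializes it before first use.
    size_t detection_depth;
    int64_t normalization_depth;
    int32_t identifier_depth;
    uint8_t max_template_nesting;
    uint32_t max_bracket_depth;
    uint32_t max_scope_depth;
    // Reference member: the referenced set is not owned and must outlive this
    // object.
    const std::unordered_set<std::string>& ignored_ids;
    bool configure_once = false;

    // Default to nullptr (matching the in-class initializer style used for
    // configure_once) so these never hold an indeterminate value before the
    // constructor or configure() assigns them.
    snort::SearchTool* mpse_otag = nullptr;
    snort::SearchTool* mpse_attr = nullptr;
    snort::SearchTool* mpse_type = nullptr; // legacy only

    // Static callbacks sharing one signature; presumably invoked by the
    // SearchTool instances on a pattern match - confirm in the .cpp.
    static int search_js_found(void*, void*, int index, void*, void*); // legacy only
    static int search_html_found(void* id, void*, int, void*, void*); // legacy only
    static int match_otag(void*, void*, int, void*, void*);
    static int match_attr(void*, void*, int, void*, void*);

    // True when the flow data exists and has a js_normalizer set.
    // A null ssn is reported as "no live context" instead of being
    // dereferenced.
    bool alive_ctx(const HttpFlowData* ssn) const
    { return ssn != nullptr && ssn->js_normalizer; }
};

#endif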