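//--------------------------------------------------------------------------
// Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
//
// This program is free software; you can redistribute it and/or modify it
// under the terms of the GNU General Public License Version 2 as published
// by the Free Software Foundation. You may not use, modify or distribute
// this program under any other version of the GNU General Public License.
//
// This program is distributed in the hope that it will be useful, but
// WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
// General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
// http_msg_section.h author Tom Peters <thopeter@cisco.com>

#ifndef HTTP_MSG_SECTION_H
#define HTTP_MSG_SECTION_H

#include "detection/detection_util.h"
#include "framework/cursor.h"

#include "http_buffer_info.h"
#include "http_common.h"
#include "http_cursor_data.h"
#include "http_enum.h"
#include "http_field.h"
#include "http_flow_data.h"
#include "http_module.h"
#include "http_transaction.h"

//-------------------------------------------------------------------------
// HttpMsgSection class
//
// Abstract base for one section of an HTTP message. It holds the section's
// raw text (msg_text), pointers to the owning flow data, flow, parameters and
// transaction, and pointers to the related request/status/header/trailer
// sections of the same transaction. Subclasses must implement
// detection_required(), analyze() and update_flow().
//-------------------------------------------------------------------------

class HttpMsgSection
{
public:
    virtual ~HttpMsgSection() = default;

    // Which inspection section this object represents. The base implementation
    // reports IS_NONE; subclasses override as needed.
    virtual HttpEnums::InspectSection get_inspection_section() const
    { return HttpEnums::IS_NONE; }

    virtual bool detection_required() const = 0;

    // Plain accessors for the values fixed at construction.
    HttpCommon::SourceId get_source_id() const { return source_id; }
    HttpTransaction* get_transaction() const { return transaction; }
    const HttpParaList* get_params() const { return params; }

    // Accessors for the related sections of the same transaction. Each returns
    // the stored pointer as is; callers should be prepared for nullptr.
    HttpMsgRequest* get_request() const { return request; }
    HttpMsgStatus* get_status() const { return status; }

    // NOTE(review): header[] and trailer[] hold exactly two entries and the
    // index is not range-checked here. The source_id argument (which shadows
    // the member of the same name) must be a valid index, 0 or 1 - presumably
    // the client and server values of HttpCommon::SourceId; confirm against
    // http_common.h. Any other value reads outside the array.
    HttpMsgHeader* get_header(HttpCommon::SourceId source_id) const { return header[source_id]; }
    HttpMsgTrailer* get_trailer(HttpCommon::SourceId source_id) const
    { return trailer[source_id]; }

    // The base implementation has no body and returns nullptr.
    virtual HttpMsgBody* get_body() { return nullptr; }

    // Minimum necessary processing for every message
    virtual void analyze() = 0;

    // analyze() generates many events in the course of its work. Many other events are generated
    // by JIT normalization but only if someone asks for the item in question. gen_events()
    // addresses a third category--things that do not come up during analysis but must be
    // inspected for every message even if no one else asks about them.
    virtual void gen_events() {}

    // Manages the splitter and communication between message sections
    virtual void update_flow() = 0;

    const Field& get_classic_buffer(unsigned id, uint64_t sub_id, uint64_t form);
    const Field& get_classic_buffer(Cursor& c, const HttpBufferInfo& buf);

    HttpEnums::MethodId get_method_id() const { return method_id; }

    int32_t get_status_code_num() const { return status_code_num; }

    // Publish an inspection event for other modules to consume.
    virtual void publish() { }

    void clear();

    // Read-only accessors; const-qualified so they can be called through a
    // const pointer or reference like the other getters in this class.
    bool is_clear() const { return cleared; }

    uint64_t get_transaction_id() const { return trans_num; }
    int32_t get_num_headers(const HttpBufferInfo& buf) const;

    HttpMsgSection* next = nullptr;

#ifdef REG_TEST
    // Test tool prints all derived message parts
    virtual void print_section(FILE* output) = 0;
#endif

protected:
    // Protected: only subclasses construct message sections.
    HttpMsgSection(const uint8_t* buffer, const uint16_t buf_size, HttpFlowData* session_data_,
        HttpCommon::SourceId source_id_, bool buf_owner, snort::Flow* flow_, const HttpParaList*
        params_);

    void get_related_sections();

    // Member order is significant (it fixes initialization order and object
    // layout); keep it as declared.
    const Field msg_text;
    HttpFlowData* const session_data;
    snort::Flow* const flow;
    const HttpParaList* const params;
    HttpTransaction* const transaction;
    uint64_t trans_num;
    int32_t status_code_num;
    const HttpCommon::SourceId source_id;
    HttpEnums::VersionId version_id;
    HttpEnums::MethodId method_id;
    const bool tcp_close;

    // Pointers to related message sections in the same transaction
    HttpMsgRequest* request;
    HttpMsgStatus* status;
    HttpMsgHeader* header[2];
    HttpMsgTrailer* trailer[2];

    bool cleared = false;

    // Convenience methods shared by multiple subclasses
    void add_infraction(int infraction);
    void create_event(int sid);
    void update_depth() const;
    static const Field& classic_normalize(const Field& raw, Field& norm,
        bool do_path, const HttpParaList::UriParam& uri_param);
#ifdef REG_TEST
    void print_section_title(FILE* output, const char* title) const;
    void print_section_wrapup(FILE* output) const;
    void print_peg_counts(FILE* output) const;
#endif
};

#endif
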