1 //--------------------------------------------------------------------------
2 // Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
3 //
4 // This program is free software; you can redistribute it and/or modify it
5 // under the terms of the GNU General Public License Version 2 as published
6 // by the Free Software Foundation.  You may not use, modify or distribute
7 // this program under any other version of the GNU General Public License.
8 //
9 // This program is distributed in the hope that it will be useful, but
10 // WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
12 // General Public License for more details.
13 //
14 // You should have received a copy of the GNU General Public License along
15 // with this program; if not, write to the Free Software Foundation, Inc.,
16 // 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
17 //--------------------------------------------------------------------------
18 // http_msg_section.h author Tom Peters <thopeter@cisco.com>
19 
20 #ifndef HTTP_MSG_SECTION_H
21 #define HTTP_MSG_SECTION_H
22 
23 #include "detection/detection_util.h"
24 #include "framework/cursor.h"
25 
26 #include "http_buffer_info.h"
27 #include "http_common.h"
28 #include "http_cursor_data.h"
29 #include "http_enum.h"
30 #include "http_field.h"
31 #include "http_flow_data.h"
32 #include "http_module.h"
33 #include "http_transaction.h"
34 
35 //-------------------------------------------------------------------------
36 // HttpMsgSection class
37 //-------------------------------------------------------------------------
38 
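// Abstract base class for one section of an HTTP message. It holds the section's raw text, the
// identifiers of the transaction it belongs to, and pointers to the other sections of the same
// transaction. Subclasses must implement detection_required(), analyze() and update_flow().
class HttpMsgSection
{
public:
    virtual ~HttpMsgSection() = default;

    // Which inspection section this object represents; the base implementation reports IS_NONE.
    virtual HttpEnums::InspectSection get_inspection_section() const
        { return HttpEnums::IS_NONE; }
    virtual bool detection_required() const = 0;
    HttpCommon::SourceId get_source_id() const { return source_id; }
    HttpTransaction* get_transaction() const { return transaction; }
    const HttpParaList* get_params() const { return params; }

    // Accessors for the related sections of the same transaction. The pointers are returned
    // as stored and are non-owning from the caller's point of view.
    // NOTE(review): presumably any of these may be null when that section has not been seen;
    // confirm against get_related_sections() before dereferencing unconditionally.
    HttpMsgRequest* get_request() const { return request; }
    HttpMsgStatus* get_status() const { return status; }

    // The argument (which shadows the member source_id) indexes a two-element array directly
    // with no range check, so callers must pass a value that maps to slot 0 or 1.
    HttpMsgHeader* get_header(HttpCommon::SourceId source_id) const { return header[source_id]; }
    HttpMsgTrailer* get_trailer(HttpCommon::SourceId source_id) const
        { return trailer[source_id]; }

    // Base implementation has no body section and returns nullptr.
    virtual HttpMsgBody* get_body() { return nullptr; }

    // Minimum necessary processing for every message
    virtual void analyze() = 0;

    // analyze() generates many events in the course of its work. Many other events are generated
    // by JIT normalization but only if someone asks for the item in question. gen_events()
    // addresses a third category--things that do not come up during analysis but must be
    // inspected for every message even if no one else asks about them.
    virtual void gen_events() {}

    // Manages the splitter and communication between message sections
    virtual void update_flow() = 0;

    // Both overloads return a reference to a Field rather than a copy.
    // NOTE(review): the lifetime of the referenced Field is not visible in this header; confirm
    // in the implementation before holding the reference beyond the current inspection.
    const Field& get_classic_buffer(unsigned id, uint64_t sub_id, uint64_t form);
    const Field& get_classic_buffer(Cursor& c, const HttpBufferInfo& buf);

    HttpEnums::MethodId get_method_id() const { return method_id; }

    int32_t get_status_code_num() const { return status_code_num; }

    // Publish an inspection event for other modules to consume.
    virtual void publish() { }

    void clear();

    // Read-only queries; const-qualified so they can be called through a const section.
    bool is_clear() const { return cleared; }

    uint64_t get_transaction_id() const { return trans_num; }
    int32_t get_num_headers(const HttpBufferInfo& buf) const;

    // Public raw link to another section, null by default.
    // NOTE(review): who owns and walks this chain is not visible in this header; confirm.
    HttpMsgSection* next = nullptr;

#ifdef REG_TEST
    // Test tool prints all derived message parts
    virtual void print_section(FILE* output) = 0;
#endif

protected:
    // Only subclasses construct sections. buf_size is 16 bits wide, so one section's text is
    // at most 65535 bytes.
    // NOTE(review): presumably msg_text wraps buffer/buf_size and buf_owner says whether this
    // object is responsible for releasing the buffer; confirm in the constructor definition.
    HttpMsgSection(const uint8_t* buffer, const uint16_t buf_size, HttpFlowData* session_data_,
        HttpCommon::SourceId source_id_, bool buf_owner, snort::Flow* flow_, const HttpParaList*
        params_);

    void get_related_sections();

    // Members are declared in this order on purpose: constructor initialization follows
    // declaration order, so do not reorder them without checking the constructor.
    const Field msg_text;
    HttpFlowData* const session_data;
    snort::Flow* const flow;
    const HttpParaList* const params;
    HttpTransaction* const transaction;
    uint64_t trans_num;
    int32_t status_code_num;
    const HttpCommon::SourceId source_id;
    HttpEnums::VersionId version_id;
    HttpEnums::MethodId method_id;
    const bool tcp_close;

    // Pointers to related message sections in the same transaction. They have no in-class
    // initializer, so they are only meaningful once the constructor has set them.
    HttpMsgRequest* request;
    HttpMsgStatus* status;
    HttpMsgHeader* header[2];
    HttpMsgTrailer* trailer[2];

    bool cleared = false;

    // Convenience methods shared by multiple subclasses
    void add_infraction(int infraction);
    void create_event(int sid);
    void update_depth() const;
    static const Field& classic_normalize(const Field& raw, Field& norm,
        bool do_path, const HttpParaList::UriParam& uri_param);
#ifdef REG_TEST
    void print_section_title(FILE* output, const char* title) const;
    void print_section_wrapup(FILE* output) const;
    void print_peg_counts(FILE* output) const;
#endif
};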
131 
132 #endif