00001 //--------------------------------------------------------------------------
00002 // Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
00003 //
00004 // This program is free software; you can redistribute it and/or modify it
00005 // under the terms of the GNU General Public License Version 2 as published
00006 // by the Free Software Foundation. You may not use, modify or distribute
00007 // this program under any other version of the GNU General Public License.
00008 //
00009 // This program is distributed in the hope that it will be useful, but
00010 // WITHOUT ANY WARRANTY; without even the implied warranty of
00011 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
00012 // General Public License for more details.
00013 //
00014 // You should have received a copy of the GNU General Public License along
00015 // with this program; if not, write to the Free Software Foundation, Inc.,
00016 // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
00017 //--------------------------------------------------------------------------
00018 // http_inspect.h author Tom Peters <thopeter@cisco.com>
00019
00020 #ifndef HTTP_INSPECT_H
00021 #define HTTP_INSPECT_H
00022
00023 //-------------------------------------------------------------------------
00024 // HttpInspect class
00025 //-------------------------------------------------------------------------
00026
00027 #include "http_enum.h"
00028 #include "http_field.h"
00029 #include "http_module.h"
00030 #include "http_msg_section.h"
00031 #include "http_stream_splitter.h"
00032 #include "log/messages.h"
00033
00034 class HttpApi;
00035
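/// Inspector subclass for HTTP. It declares the buffer accessors, the
/// per-packet eval/clear entry points, the stream-splitter factory and the
/// static "extra data" callbacks listed below.
///
/// Ownership: the destructor deletes `params`, so an instance owns the
/// HttpParaList it holds. Copying is disabled below because a copy would share
/// that pointer and delete it a second time on destruction.
class HttpInspect : public Inspector
{
public:
    /// @param params_ Parameter list for this inspector.
    /// NOTE(review): presumably stored in `params`, which the destructor
    /// deletes, so the caller must hand over ownership; confirm against the
    /// constructor definition.
    // explicit: an implicit conversion from a raw HttpParaList* would build a
    // temporary whose destructor deletes the caller's parameter list.
    explicit HttpInspect(const HttpParaList* params_);

    /// Releases the owned parameter list.
    ~HttpInspect() override { delete params; }

    // Non-copyable: `params` is an owning raw pointer, so a member-wise copy
    // would leave two objects deleting the same HttpParaList (double free).
    HttpInspect(const HttpInspect&) = delete;
    HttpInspect& operator=(const HttpInspect&) = delete;

    // Inspection-buffer accessors. Each fills `b` and returns a bool.
    // NOTE(review): presumably true means a buffer was provided; confirm
    // against the definitions.
    bool get_buf(InspectionBuffer::Type ibt, Packet* p, InspectionBuffer& b) override;
    bool get_buf(unsigned id, Packet* p, InspectionBuffer& b) override;
    bool http_get_buf(
        unsigned id, uint64_t sub_id, uint64_t form, Packet* p, InspectionBuffer& b);
    bool get_fp_buf(InspectionBuffer::Type ibt, Packet* p, InspectionBuffer& b) override;

    bool configure(SnortConfig*) override;

    /// Logs the inspector name; no configuration details are printed.
    void show(SnortConfig*) override { LogMessage("HttpInspect\n"); }

    void eval(Packet* p) override;
    void clear(Packet* p) override;

    // Thread init/term hooks: intentionally empty in this class.
    void tinit() override { }
    void tterm() override { }

    /// Allocates a new splitter for one direction of the flow.
    /// The returned object is heap-allocated with `new` and holds a pointer
    /// back to this inspector, so the caller is responsible for deleting it.
    /// NOTE(review): the splitter must not outlive this inspector if it
    /// dereferences that pointer; confirm the framework enforces this.
    HttpStreamSplitter* get_splitter(bool is_client_to_server) override
    {
        return new HttpStreamSplitter(is_client_to_server, this);
    }

    static HttpEnums::InspectSection get_latest_is(const Packet* p);

    // Callbacks that provide "extra data"
    // NOTE(review): the out-parameters (named buf, len, type on get_xtra_host)
    // presumably receive a pointer, its length and a type id; who owns the
    // returned buffer is not visible here, so confirm before caching it.
    static int get_xtra_trueip(Flow*, uint8_t**, uint32_t*, uint32_t*);
    static int get_xtra_uri(Flow*, uint8_t**, uint32_t*, uint32_t*);
    static int get_xtra_host(Flow*, uint8_t** buf, uint32_t* len, uint32_t* type);
    static int get_xtra_jsnorm(Flow*, uint8_t**, uint32_t*, uint32_t*);

private:
    friend HttpApi;
    friend HttpStreamSplitter;

    // Takes a data pointer and a caller-supplied length `dsize`.
    // NOTE(review): `buf_owner` presumably says whether this call takes
    // ownership of `data`; confirm against the definition.
    bool process(const uint8_t* data, const uint16_t dsize, Flow* const flow,
        HttpEnums::SourceId source_id_, bool buf_owner, Packet* packet) const;
    static HttpEnums::SourceId get_latest_src(const Packet* p);

    // Owning pointer, deleted in the destructor; const so it cannot be reseated.
    const HttpParaList* const params;

    // Registrations for "extra data"
    static uint32_t xtra_trueip_id;
    static uint32_t xtra_uri_id;
    static uint32_t xtra_host_id;
    static uint32_t xtra_jsnorm_id;
};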
00081
00082 #endif
00083