#include "util-validate.h"
-#define BUFFER_STEP 50
-
-static inline int HHDCreateSpace(DetectEngineThreadCtx *det_ctx, uint64_t size)
-{
- if (size >= (USHRT_MAX - BUFFER_STEP))
- return -1;
-
- void *ptmp;
- if (size > det_ctx->hhd_buffers_size) {
- ptmp = SCRealloc(det_ctx->hhd_buffers,
- (det_ctx->hhd_buffers_size + BUFFER_STEP) * sizeof(uint8_t *));
- if (ptmp == NULL) {
- SCFree(det_ctx->hhd_buffers);
- det_ctx->hhd_buffers = NULL;
- det_ctx->hhd_buffers_size = 0;
- det_ctx->hhd_buffers_list_len = 0;
- return -1;
- }
- det_ctx->hhd_buffers = ptmp;
-
- memset(det_ctx->hhd_buffers + det_ctx->hhd_buffers_size, 0, BUFFER_STEP * sizeof(uint8_t *));
- ptmp = SCRealloc(det_ctx->hhd_buffers_len,
- (det_ctx->hhd_buffers_size + BUFFER_STEP) * sizeof(uint32_t));
- if (ptmp == NULL) {
- SCFree(det_ctx->hhd_buffers_len);
- det_ctx->hhd_buffers_len = NULL;
- det_ctx->hhd_buffers_size = 0;
- det_ctx->hhd_buffers_list_len = 0;
- return -1;
- }
- det_ctx->hhd_buffers_len = ptmp;
-
- memset(det_ctx->hhd_buffers_len + det_ctx->hhd_buffers_size, 0, BUFFER_STEP * sizeof(uint32_t));
- det_ctx->hhd_buffers_size += BUFFER_STEP;
- }
- memset(det_ctx->hhd_buffers_len + det_ctx->hhd_buffers_list_len, 0, (size - det_ctx->hhd_buffers_list_len) * sizeof(uint32_t));
-
- return 0;
-}
-
-static uint8_t *DetectEngineHHDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id,
- DetectEngineCtx *de_ctx,
- DetectEngineThreadCtx *det_ctx,
- Flow *f, HtpState *htp_state,
- uint8_t flags,
- uint32_t *buffer_len)
-{
- uint8_t *headers_buffer = NULL;
- int index = 0;
- *buffer_len = 0;
-
- if (det_ctx->hhd_buffers_list_len == 0) {
- /* get the inspect id to use as a 'base id' */
- uint64_t base_inspect_id = AppLayerParserGetTransactionInspectId(f->alparser, flags);
- BUG_ON(base_inspect_id > tx_id);
- /* see how many space we need for the current tx_id */
- uint64_t txs = (tx_id - base_inspect_id) + 1;
- if (HHDCreateSpace(det_ctx, txs) < 0)
- goto end;
-
- index = (tx_id - base_inspect_id);
- det_ctx->hhd_start_tx_id = base_inspect_id;
- det_ctx->hhd_buffers_list_len = txs;
- } else {
- /* tx fits in our current buffers */
- if ((tx_id - det_ctx->hhd_start_tx_id) < det_ctx->hhd_buffers_list_len) {
- /* if we previously reassembled, return that buffer */
- if (det_ctx->hhd_buffers_len[(tx_id - det_ctx->hhd_start_tx_id)] != 0) {
- *buffer_len = det_ctx->hhd_buffers_len[(tx_id - det_ctx->hhd_start_tx_id)];
- return det_ctx->hhd_buffers[(tx_id - det_ctx->hhd_start_tx_id)];
- }
- /* otherwise fall through */
- } else {
- /* not enough space, lets expand */
- uint64_t txs = (tx_id - det_ctx->hhd_start_tx_id) + 1;
- if (HHDCreateSpace(det_ctx, txs) < 0)
- goto end;
-
- det_ctx->hhd_buffers_list_len = txs;
- }
- index = (tx_id - det_ctx->hhd_start_tx_id);
- }
-
- htp_table_t *headers;
- if (flags & STREAM_TOSERVER) {
- if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) <= HTP_REQUEST_HEADERS)
- goto end;
- headers = tx->request_headers;
- } else {
- if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) <= HTP_RESPONSE_HEADERS)
- goto end;
- headers = tx->response_headers;
- }
- if (headers == NULL)
- goto end;
-
- htp_header_t *h = NULL;
- headers_buffer = det_ctx->hhd_buffers[index];
- size_t headers_buffer_len = 0;
- size_t i = 0;
-
- size_t no_of_headers = htp_table_size(headers);
- for (; i < no_of_headers; i++) {
- h = htp_table_get_index(headers, i, NULL);
- size_t size1 = bstr_size(h->name);
- size_t size2 = bstr_size(h->value);
-
- if (flags & STREAM_TOSERVER) {
- if (size1 == 6 &&
- SCMemcmpLowercase("cookie", bstr_ptr(h->name), 6) == 0) {
- continue;
- }
- } else {
- if (size1 == 10 &&
- SCMemcmpLowercase("set-cookie", bstr_ptr(h->name), 10) == 0) {
- continue;
- }
- }
-
- /* the extra 4 bytes if for ": " and "\r\n" */
- uint8_t *new_headers_buffer = SCRealloc(headers_buffer, headers_buffer_len + size1 + size2 + 4);
- if (unlikely(new_headers_buffer == NULL)) {
- if (headers_buffer != NULL) {
- SCFree(headers_buffer);
- headers_buffer = NULL;
- }
- det_ctx->hhd_buffers[index] = NULL;
- det_ctx->hhd_buffers_len[index] = 0;
- goto end;
- }
- headers_buffer = new_headers_buffer;
-
- memcpy(headers_buffer + headers_buffer_len, bstr_ptr(h->name), size1);
- headers_buffer_len += size1;
- headers_buffer[headers_buffer_len] = ':';
- headers_buffer[headers_buffer_len + 1] = ' ';
- headers_buffer_len += 2;
- memcpy(headers_buffer + headers_buffer_len, bstr_ptr(h->value), size2);
- headers_buffer_len += size2 + 2;
- /* \r */
- headers_buffer[headers_buffer_len - 2] = '\r';
- /* \n */
- headers_buffer[headers_buffer_len - 1] = '\n';
- }
-
- /* store the buffers. We will need it for further inspection */
- det_ctx->hhd_buffers[index] = headers_buffer;
- det_ctx->hhd_buffers_len[index] = headers_buffer_len;
-
- *buffer_len = (uint32_t)headers_buffer_len;
- end:
- return headers_buffer;
-}
-
-/** \brief HTTP Headers Mpm prefilter callback
- *
- * \param det_ctx detection engine thread ctx
- * \param p packet to inspect
- * \param f flow to inspect
- * \param txv tx to inspect
- * \param pectx inspection context
- */
-static void PrefilterTxHttpRequestHeaders(DetectEngineThreadCtx *det_ctx,
- const void *pectx,
- Packet *p, Flow *f, void *txv,
- const uint64_t idx, const uint8_t flags)
-{
- SCEnter();
-
- const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
- htp_tx_t *tx = (htp_tx_t *)txv;
-
- if (tx->request_headers == NULL)
- return;
-
- HtpState *htp_state = f->alstate;
- uint32_t buffer_len = 0;
- const uint8_t *buffer = DetectEngineHHDGetBufferForTX(tx, idx,
- NULL, det_ctx,
- f, htp_state,
- flags,
- &buffer_len);
-
- if (buffer_len >= mpm_ctx->minlen) {
- (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
- &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
- }
-}
-#if 0
-static void PrefilterTxHttpRequestTrailers(DetectEngineThreadCtx *det_ctx,
- const void *pectx,
- Packet *p, Flow *f, void *txv,
- const uint64_t idx, const uint8_t flags)
-{
- SCEnter();
-
- const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
- htp_tx_t *tx = (htp_tx_t *)txv;
-
- if (tx->request_headers == NULL)
- return;
- const HtpTxUserData *htud = (const HtpTxUserData *)htp_tx_get_user_data(tx);
- /* if the request wasn't flagged as having a trailer, we skip */
- if (htud && !htud->request_has_trailers)
- return;
-
- HtpState *htp_state = f->alstate;
- uint32_t buffer_len = 0;
- const uint8_t *buffer = DetectEngineHHDGetBufferForTX(tx, idx,
- NULL, det_ctx,
- f, htp_state,
- flags,
- &buffer_len);
-
- if (buffer_len >= mpm_ctx->minlen) {
- (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
- &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
- }
-}
-#endif
-int PrefilterTxHttpRequestHeadersRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx)
-{
- SCEnter();
-
- int r = PrefilterAppendTxEngine(sgh, PrefilterTxHttpRequestHeaders,
- ALPROTO_HTTP, HTP_REQUEST_HEADERS,
- mpm_ctx, NULL, "http_header (request)");
- return r;
-#if 0
- if (r != 0)
- return r;
- return PrefilterAppendTxEngine(sgh, PrefilterTxHttpRequestTrailers,
- ALPROTO_HTTP, HTP_REQUEST_TRAILER,
- mpm_ctx, NULL, "http_header (request)");
-#endif
-}
-
-/** \brief HTTP Headers Mpm prefilter callback
- *
- * \param det_ctx detection engine thread ctx
- * \param p packet to inspect
- * \param f flow to inspect
- * \param txv tx to inspect
- * \param pectx inspection context
- */
-static void PrefilterTxHttpResponseHeaders(DetectEngineThreadCtx *det_ctx,
- const void *pectx,
- Packet *p, Flow *f, void *txv,
- const uint64_t idx, const uint8_t flags)
-{
- SCEnter();
-
- const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
- htp_tx_t *tx = (htp_tx_t *)txv;
-
- if (tx->response_headers == NULL)
- return;
-
- HtpState *htp_state = f->alstate;
- uint32_t buffer_len = 0;
- const uint8_t *buffer = DetectEngineHHDGetBufferForTX(tx, idx,
- NULL, det_ctx,
- f, htp_state,
- flags,
- &buffer_len);
-
- if (buffer_len >= mpm_ctx->minlen) {
- (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
- &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
- }
-}
-#if 0
-static void PrefilterTxHttpResponseTrailers(DetectEngineThreadCtx *det_ctx,
- const void *pectx,
- Packet *p, Flow *f, void *txv,
- const uint64_t idx, const uint8_t flags)
-{
- SCEnter();
-
- const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
- htp_tx_t *tx = (htp_tx_t *)txv;
-
- if (tx->response_headers == NULL)
- return;
- const HtpTxUserData *htud = (const HtpTxUserData *)htp_tx_get_user_data(tx);
- /* if the request wasn't flagged as having a trailer, we skip */
- if (htud && !htud->response_has_trailers)
- return;
-
- HtpState *htp_state = f->alstate;
- uint32_t buffer_len = 0;
- const uint8_t *buffer = DetectEngineHHDGetBufferForTX(tx, idx,
- NULL, det_ctx,
- f, htp_state,
- flags,
- &buffer_len);
-
- if (buffer_len >= mpm_ctx->minlen) {
- (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
- &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
- }
-}
-#endif
-int PrefilterTxHttpResponseHeadersRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx)
-{
- SCEnter();
-
- int r = PrefilterAppendTxEngine(sgh, PrefilterTxHttpResponseHeaders,
- ALPROTO_HTTP, HTP_RESPONSE_HEADERS,
- mpm_ctx, NULL, "http_header (response)");
- return r;
-#if 0
- if (r != 0)
- return r;
- return PrefilterAppendTxEngine(sgh, PrefilterTxHttpResponseTrailers,
- ALPROTO_HTTP, HTP_RESPONSE_TRAILER,
- mpm_ctx, NULL, "http_header (response)");
-#endif
-}
-
-int DetectEngineInspectHttpHeader(ThreadVars *tv,
- DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
- const Signature *s, const SigMatchData *smd,
- Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
-{
- HtpState *htp_state = (HtpState *)alstate;
- uint32_t buffer_len = 0;
- uint8_t *buffer = DetectEngineHHDGetBufferForTX(tx, tx_id,
- de_ctx, det_ctx,
- f, htp_state,
- flags,
- &buffer_len);
- if (buffer_len == 0)
- goto end;
-
- det_ctx->buffer_offset = 0;
- det_ctx->discontinue_matching = 0;
- det_ctx->inspection_recursion_counter = 0;
- int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd,
- f,
- buffer,
- buffer_len,
- 0,
- DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
- if (r == 1)
- return DETECT_ENGINE_INSPECT_SIG_MATCH;
-
- end:
- if (flags & STREAM_TOSERVER) {
- if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) > HTP_REQUEST_HEADERS)
- return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
- } else {
- if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) > HTP_RESPONSE_HEADERS)
- return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
- }
- return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
-}
-
-void DetectEngineCleanHHDBuffers(DetectEngineThreadCtx *det_ctx)
-{
- if (det_ctx->hhd_buffers_list_len != 0) {
- int i;
- for (i = 0; i < det_ctx->hhd_buffers_list_len; i++) {
- det_ctx->hhd_buffers_len[i] = 0;
- }
- det_ctx->hhd_buffers_list_len = 0;
- }
- det_ctx->hhd_start_tx_id = 0;
-
- return;
-}
-
/***********************************Unittests**********************************/
#ifdef UNITTESTS
-/**
- *\test Test that the http_header content matches against a http request
- * which holds the content.
- */
-static int DetectEngineHttpHeaderTest01(void)
-{
- TcpSession ssn;
- Packet *p = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http_buf[] =
- "GET /index.html HTTP/1.0\r\n"
- "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
- uint32_t http_len = sizeof(http_buf) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http header test\"; "
- "content:\"one\"; http_header; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http_buf, http_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if (!(PacketAlertCheck(p, 1))) {
- printf("sid 1 didn't match but should have: ");
- goto end;
- }
-
- result = 1;
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p, 1);
- return result;
-}
-
-/**
- *\test Test that the http_header content matches against a http request
- * which holds the content.
- */
-static int DetectEngineHttpHeaderTest02(void)
-{
- TcpSession ssn;
- Packet *p = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http_buf[] =
- "GET /index.html HTTP/1.0\r\n"
- "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
- uint32_t http_len = sizeof(http_buf) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http header test\"; "
- "content:\"one\"; depth:15; http_header; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http_buf, http_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if (!(PacketAlertCheck(p, 1))) {
- printf("sid 1 didn't match but should have: ");
- goto end;
- }
-
- result = 1;
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p, 1);
- return result;
-}
-
-/**
- *\test Test that the http_header content matches against a http request
- * which holds the content.
- */
-static int DetectEngineHttpHeaderTest03(void)
-{
- TcpSession ssn;
- Packet *p = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http_buf[] =
- "GET /index.html HTTP/1.0\r\n"
- "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
- uint32_t http_len = sizeof(http_buf) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http header test\"; "
- "content:!\"one\"; depth:5; http_header; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http_buf, http_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if (!(PacketAlertCheck(p, 1))) {
- printf("sid 1 didn't match but should have: ");
- goto end;
- }
-
- result = 1;
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p, 1);
- return result;
-}
-
-/**
- *\test Test that the http_header content matches against a http request
- * which holds the content.
- */
-static int DetectEngineHttpHeaderTest04(void)
-{
- TcpSession ssn;
- Packet *p = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http_buf[] =
- "GET /index.html HTTP/1.0\r\n"
- "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
- uint32_t http_len = sizeof(http_buf) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http header test\"; "
- "content:\"one\"; depth:5; http_header; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http_buf, http_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if (PacketAlertCheck(p, 1)) {
- printf("sid 1 matched but shouldn't have: ");
- goto end;
- }
-
- result = 1;
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p, 1);
- return result;
-}
-
-/**
- *\test Test that the http_header content matches against a http request
- * which holds the content.
- */
-static int DetectEngineHttpHeaderTest05(void)
-{
- TcpSession ssn;
- Packet *p = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http_buf[] =
- "GET /index.html HTTP/1.0\r\n"
- "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
- uint32_t http_len = sizeof(http_buf) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http header test\"; "
- "content:!\"one\"; depth:15; http_header; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http_buf, http_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if (PacketAlertCheck(p, 1)) {
- printf("sid 1 matched but shouldn't have: ");
- goto end;
- }
-
- result = 1;
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p, 1);
- return result;
-}
-
-/**
- *\test Test that the http_header content matches against a http request
- * which holds the content.
- */
-static int DetectEngineHttpHeaderTest06(void)
-{
- TcpSession ssn;
- Packet *p = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http_buf[] =
- "GET /index.html HTTP/1.0\r\n"
- "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
- uint32_t http_len = sizeof(http_buf) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http header test\"; "
- "content:\"one\"; offset:10; http_header; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http_buf, http_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if (!(PacketAlertCheck(p, 1))) {
- printf("sid 1 didn't match but should have: ");
- goto end;
- }
-
- result = 1;
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p, 1);
- return result;
-}
-
-/**
- *\test Test that the http_header content matches against a http request
- * which holds the content.
- */
-static int DetectEngineHttpHeaderTest07(void)
-{
- TcpSession ssn;
- Packet *p = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http_buf[] =
- "GET /index.html HTTP/1.0\r\n"
- "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
- uint32_t http_len = sizeof(http_buf) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http header test\"; "
- "content:!\"one\"; offset:15; http_header; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http_buf, http_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if (!(PacketAlertCheck(p, 1))) {
- printf("sid 1 didn't match but should have: ");
- goto end;
- }
-
- result = 1;
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p, 1);
- return result;
-}
-
-/**
- *\test Test that the http_header content matches against a http request
- * which holds the content.
- */
-static int DetectEngineHttpHeaderTest08(void)
-{
- TcpSession ssn;
- Packet *p = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http_buf[] =
- "GET /index.html HTTP/1.0\r\n"
- "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
- uint32_t http_len = sizeof(http_buf) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http header test\"; "
- "content:\"one\"; offset:15; http_header; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http_buf, http_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if (PacketAlertCheck(p, 1)) {
- printf("sid 1 matched but shouldn't have: ");
- goto end;
- }
-
- result = 1;
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p, 1);
- return result;
-}
-
-/**
- *\test Test that the http_header content matches against a http request
- * which holds the content.
- */
-static int DetectEngineHttpHeaderTest09(void)
-{
- TcpSession ssn;
- Packet *p = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http_buf[] =
- "GET /index.html HTTP/1.0\r\n"
- "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
- uint32_t http_len = sizeof(http_buf) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http header test\"; "
- "content:!\"one\"; offset:10; http_header; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http_buf, http_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if (PacketAlertCheck(p, 1)) {
- printf("sid 1 matched but shouldn't have: ");
- goto end;
- }
-
- result = 1;
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p, 1);
- return result;
-}
-
-/**
- *\test Test that the http_header content matches against a http request
- * which holds the content.
- */
-static int DetectEngineHttpHeaderTest10(void)
-{
- TcpSession ssn;
- Packet *p = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http_buf[] =
- "GET /index.html HTTP/1.0\r\n"
- "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
- uint32_t http_len = sizeof(http_buf) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http header test\"; "
- "content:\"one\"; http_header; content:\"three\"; http_header; within:10; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http_buf, http_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if (!(PacketAlertCheck(p, 1))) {
- printf("sid 1 didn't match but should have: ");
- goto end;
- }
-
- result = 1;
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p, 1);
- return result;
-}
-
-/**
- *\test Test that the http_header content matches against a http request
- * which holds the content.
- */
-static int DetectEngineHttpHeaderTest11(void)
-{
- TcpSession ssn;
- Packet *p = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http_buf[] =
- "GET /index.html HTTP/1.0\r\n"
- "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
- uint32_t http_len = sizeof(http_buf) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http header test\"; "
- "content:\"one\"; http_header; content:!\"three\"; http_header; within:5; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http_buf, http_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if (!(PacketAlertCheck(p, 1))) {
- printf("sid 1 didn't match but should have: ");
- goto end;
- }
-
- result = 1;
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p, 1);
- return result;
-}
-
-/**
- *\test Test that the http_header content matches against a http request
- * which holds the content.
- */
-static int DetectEngineHttpHeaderTest12(void)
-{
- TcpSession ssn;
- Packet *p = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http_buf[] =
- "GET /index.html HTTP/1.0\r\n"
- "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
- uint32_t http_len = sizeof(http_buf) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http header test\"; "
- "content:\"one\"; http_header; content:!\"three\"; http_header; within:10; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http_buf, http_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if (PacketAlertCheck(p, 1)) {
- printf("sid 1 matched but shouldn't have: ");
- goto end;
- }
-
- result = 1;
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p, 1);
- return result;
-}
-
-/**
- *\test Test that the http_header content matches against a http request
- * which holds the content.
- */
-static int DetectEngineHttpHeaderTest13(void)
-{
- TcpSession ssn;
- Packet *p = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http_buf[] =
- "GET /index.html HTTP/1.0\r\n"
- "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
- uint32_t http_len = sizeof(http_buf) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http header test\"; "
- "content:\"one\"; http_header; content:\"three\"; http_header; within:5; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http_buf, http_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if (PacketAlertCheck(p, 1)) {
- printf("sid 1 matched but shouldn't have: ");
- goto end;
- }
-
- result = 1;
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p, 1);
- return result;
-}
-
-/**
- *\test Test that the http_header content matches against a http request
- * which holds the content.
- */
-static int DetectEngineHttpHeaderTest14(void)
-{
- TcpSession ssn;
- Packet *p = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http_buf[] =
- "GET /index.html HTTP/1.0\r\n"
- "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
- uint32_t http_len = sizeof(http_buf) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http header test\"; "
- "content:\"one\"; http_header; content:\"five\"; http_header; distance:7; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http_buf, http_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if (!(PacketAlertCheck(p, 1))) {
- printf("sid 1 didn't match but should have: ");
- goto end;
- }
-
- result = 1;
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p, 1);
- return result;
-}
-
-/**
- *\test Test that the http_header content matches against a http request
- * which holds the content.
- */
-static int DetectEngineHttpHeaderTest15(void)
-{
- TcpSession ssn;
- Packet *p = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http_buf[] =
- "GET /index.html HTTP/1.0\r\n"
- "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
- uint32_t http_len = sizeof(http_buf) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http header test\"; "
- "content:\"one\"; http_header; content:!\"five\"; http_header; distance:15; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http_buf, http_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if (!(PacketAlertCheck(p, 1))) {
- printf("sid 1 didn't match but should have: ");
- goto end;
- }
-
- result = 1;
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p, 1);
- return result;
-}
-
-/**
- *\test Test that the http_header content matches against a http request
- * which holds the content.
- */
-static int DetectEngineHttpHeaderTest16(void)
-{
- TcpSession ssn;
- Packet *p = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http_buf[] =
- "GET /index.html HTTP/1.0\r\n"
- "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
- uint32_t http_len = sizeof(http_buf) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http header test\"; "
- "content:\"one\"; http_header; content:!\"five\"; http_header; distance:7; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http_buf, http_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if (PacketAlertCheck(p, 1)) {
- printf("sid 1 matched but shouldn't have: ");
- goto end;
- }
-
- result = 1;
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p, 1);
- return result;
-}
-
-/**
- *\test Test that the http_header content matches against a http request
- * which holds the content.
- */
-static int DetectEngineHttpHeaderTest17(void)
-{
- TcpSession ssn;
- Packet *p = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http_buf[] =
- "GET /index.html HTTP/1.0\r\n"
- "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
- uint32_t http_len = sizeof(http_buf) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http header test\"; "
- "content:\"one\"; http_header; content:\"five\"; http_header; distance:15; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http_buf, http_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if (PacketAlertCheck(p, 1)) {
- printf("sid 1 matched but shouldn't have: ");
- goto end;
- }
-
- result = 1;
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p, 1);
- return result;
-}
-
-static int DetectEngineHttpHeaderTest20(void)
-{
- TcpSession ssn;
- Packet *p1 = NULL;
- Packet *p2 = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http1_buf[] =
- "GET /index.html HTTP/1.0\r\n"
- "Host: This_is_dummy_body1";
- uint8_t http2_buf[] =
- "This_is_dummy_message_body2\r\n"
- "\r\n";
- uint32_t http1_len = sizeof(http1_buf) - 1;
- uint32_t http2_len = sizeof(http2_buf) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
- p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p1->flow = &f;
- p1->flowflags |= FLOW_PKT_TOSERVER;
- p1->flowflags |= FLOW_PKT_ESTABLISHED;
- p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- p2->flow = &f;
- p2->flowflags |= FLOW_PKT_TOSERVER;
- p2->flowflags |= FLOW_PKT_ESTABLISHED;
- p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http client body test\"; "
- "pcre:/body1/H; "
- "content:!\"dummy\"; http_header; within:7; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http1_buf, http1_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: \n");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
-
- if (PacketAlertCheck(p1, 1)) {
- printf("sid 1 matched but shouldn't have\n");
- goto end;
- }
-
- FLOWLOCK_WRLOCK(&f);
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http2_buf, http2_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
-
- if (!PacketAlertCheck(p2, 1)) {
- printf("sid 1 didn't match but shouldn't have");
- goto end;
- }
-
- result = 1;
-
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p1, 1);
- UTHFreePackets(&p2, 1);
- return result;
-}
-
-static int DetectEngineHttpHeaderTest21(void)
-{
- TcpSession ssn;
- Packet *p1 = NULL;
- Packet *p2 = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http1_buf[] =
- "GET /index.html HTTP/1.0\r\n"
- "Host: This_is_dummy_body1";
- uint8_t http2_buf[] =
- "This_is_dummy_message_body2\r\n"
- "\r\n";
- uint32_t http1_len = sizeof(http1_buf) - 1;
- uint32_t http2_len = sizeof(http2_buf) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
- p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p1->flow = &f;
- p1->flowflags |= FLOW_PKT_TOSERVER;
- p1->flowflags |= FLOW_PKT_ESTABLISHED;
- p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- p2->flow = &f;
- p2->flowflags |= FLOW_PKT_TOSERVER;
- p2->flowflags |= FLOW_PKT_ESTABLISHED;
- p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http client body test\"; "
- "pcre:/body1/H; "
- "content:!\"dummy\"; within:7; http_header; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http1_buf, http1_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: \n");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
-
- if (PacketAlertCheck(p1, 1)) {
- printf("sid 1 matched but shouldn't have\n");
- goto end;
- }
-
- FLOWLOCK_WRLOCK(&f);
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http2_buf, http2_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
-
- if (!PacketAlertCheck(p2, 1)) {
- printf("sid 1 didn't match but shouldn't have");
- goto end;
- }
-
- result = 1;
-
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p1, 1);
- UTHFreePackets(&p2, 1);
- return result;
-}
-
-static int DetectEngineHttpHeaderTest22(void)
-{
- TcpSession ssn;
- Packet *p1 = NULL;
- Packet *p2 = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http1_buf[] =
- "GET /index.html HTTP/1.0\r\n"
- "Host: This_is_dummy_body1";
- uint8_t http2_buf[] =
- "This_is_dummy_message_body2\r\n"
- "\r\n";
- uint32_t http1_len = sizeof(http1_buf) - 1;
- uint32_t http2_len = sizeof(http2_buf) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
- p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p1->flow = &f;
- p1->flowflags |= FLOW_PKT_TOSERVER;
- p1->flowflags |= FLOW_PKT_ESTABLISHED;
- p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- p2->flow = &f;
- p2->flowflags |= FLOW_PKT_TOSERVER;
- p2->flowflags |= FLOW_PKT_ESTABLISHED;
- p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http client body test\"; "
- "pcre:/body1/H; "
- "content:!\"dummy\"; distance:3; http_header; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http1_buf, http1_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: \n");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
-
- if (PacketAlertCheck(p1, 1)) {
- printf("sid 1 matched but shouldn't have\n");
- goto end;
- }
-
- FLOWLOCK_WRLOCK(&f);
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http2_buf, http2_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
-
- if (PacketAlertCheck(p2, 1)) {
- printf("sid 1 matched but shouldn't have");
- goto end;
- }
-
- result = 1;
-
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p1, 1);
- UTHFreePackets(&p2, 1);
- return result;
-}
-
-static int DetectEngineHttpHeaderTest23(void)
-{
- TcpSession ssn;
- Packet *p1 = NULL;
- Packet *p2 = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http1_buf[] =
- "GET /index.html HTTP/1.0\r\n"
- "Host: This_is_dummy_body1";
- uint8_t http2_buf[] =
- "This_is_dummy_message_body2\r\n"
- "\r\n";
- uint32_t http1_len = sizeof(http1_buf) - 1;
- uint32_t http2_len = sizeof(http2_buf) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
- p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p1->flow = &f;
- p1->flowflags |= FLOW_PKT_TOSERVER;
- p1->flowflags |= FLOW_PKT_ESTABLISHED;
- p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- p2->flow = &f;
- p2->flowflags |= FLOW_PKT_TOSERVER;
- p2->flowflags |= FLOW_PKT_ESTABLISHED;
- p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http client body test\"; "
- "pcre:/body1/H; "
- "content:!\"dummy\"; distance:13; http_header; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http1_buf, http1_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: \n");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
-
- if (PacketAlertCheck(p1, 1)) {
- printf("sid 1 matched but shouldn't have\n");
- goto end;
- }
-
- FLOWLOCK_WRLOCK(&f);
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http2_buf, http2_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
-
- if (!PacketAlertCheck(p2, 1)) {
- printf("sid 1 didn't match but should have");
- goto end;
- }
-
- result = 1;
-
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p1, 1);
- UTHFreePackets(&p2, 1);
- return result;
-}
-
-static int DetectEngineHttpHeaderTest24(void)
-{
- TcpSession ssn;
- Packet *p1 = NULL;
- Packet *p2 = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http1_buf[] =
- "GET /index.html HTTP/1.0\r\n"
- "Host: This_is_dummy_body1";
- uint8_t http2_buf[] =
- "This_is_dummy_message_body2\r\n"
- "\r\n";
- uint32_t http1_len = sizeof(http1_buf) - 1;
- uint32_t http2_len = sizeof(http2_buf) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
- p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p1->flow = &f;
- p1->flowflags |= FLOW_PKT_TOSERVER;
- p1->flowflags |= FLOW_PKT_ESTABLISHED;
- p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- p2->flow = &f;
- p2->flowflags |= FLOW_PKT_TOSERVER;
- p2->flowflags |= FLOW_PKT_ESTABLISHED;
- p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http client body test\"; "
- "pcre:/body1/H; "
- "content:\"dummy\"; within:15; http_header; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http1_buf, http1_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: \n");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
-
- if (PacketAlertCheck(p1, 1)) {
- printf("sid 1 matched but shouldn't have\n");
- goto end;
- }
-
- FLOWLOCK_WRLOCK(&f);
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http2_buf, http2_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
-
- if (!PacketAlertCheck(p2, 1)) {
- printf("sid 1 didn't match but should have");
- goto end;
- }
-
- result = 1;
-
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p1, 1);
- UTHFreePackets(&p2, 1);
- return result;
-}
-
-static int DetectEngineHttpHeaderTest25(void)
-{
- TcpSession ssn;
- Packet *p1 = NULL;
- Packet *p2 = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http1_buf[] =
- "GET /index.html HTTP/1.0\r\n"
- "Host: This_is_dummy_body1";
- uint8_t http2_buf[] =
- "This_is_dummy_message_body2\r\n"
- "\r\n";
- uint32_t http1_len = sizeof(http1_buf) - 1;
- uint32_t http2_len = sizeof(http2_buf) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
- p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p1->flow = &f;
- p1->flowflags |= FLOW_PKT_TOSERVER;
- p1->flowflags |= FLOW_PKT_ESTABLISHED;
- p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- p2->flow = &f;
- p2->flowflags |= FLOW_PKT_TOSERVER;
- p2->flowflags |= FLOW_PKT_ESTABLISHED;
- p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http client body test\"; "
- "pcre:/body1/H; "
- "content:\"dummy\"; within:10; http_header; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http1_buf, http1_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: \n");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
-
- if (PacketAlertCheck(p1, 1)) {
- printf("sid 1 matched but shouldn't have\n");
- goto end;
- }
-
- FLOWLOCK_WRLOCK(&f);
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http2_buf, http2_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
-
- if (PacketAlertCheck(p2, 1)) {
- printf("sid 1 matched but shouldn't have");
- goto end;
- }
-
- result = 1;
-
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p1, 1);
- UTHFreePackets(&p2, 1);
- return result;
-}
-
-static int DetectEngineHttpHeaderTest26(void)
-{
- TcpSession ssn;
- Packet *p1 = NULL;
- Packet *p2 = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http1_buf[] =
- "GET /index.html HTTP/1.0\r\n"
- "Host: This_is_dummy_body1";
- uint8_t http2_buf[] =
- "This_is_dummy_message_body2\r\n"
- "\r\n";
- uint32_t http1_len = sizeof(http1_buf) - 1;
- uint32_t http2_len = sizeof(http2_buf) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
- p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p1->flow = &f;
- p1->flowflags |= FLOW_PKT_TOSERVER;
- p1->flowflags |= FLOW_PKT_ESTABLISHED;
- p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- p2->flow = &f;
- p2->flowflags |= FLOW_PKT_TOSERVER;
- p2->flowflags |= FLOW_PKT_ESTABLISHED;
- p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http client body test\"; "
- "pcre:/body1/H; "
- "content:\"dummy\"; distance:8; http_header; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http1_buf, http1_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: \n");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
-
- if (PacketAlertCheck(p1, 1)) {
- printf("sid 1 matched but shouldn't have\n");
- goto end;
- }
-
- FLOWLOCK_WRLOCK(&f);
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http2_buf, http2_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
-
- if (!PacketAlertCheck(p2, 1)) {
- printf("sid 1 didn't match but should have");
- goto end;
- }
-
- result = 1;
-
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p1, 1);
- UTHFreePackets(&p2, 1);
- return result;
-}
-
-static int DetectEngineHttpHeaderTest27(void)
-{
- TcpSession ssn;
- Packet *p1 = NULL;
- Packet *p2 = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http1_buf[] =
- "GET /index.html HTTP/1.0\r\n"
- "Host: This_is_dummy_body1";
- uint8_t http2_buf[] =
- "This_is_dummy_message_body2\r\n"
- "\r\n";
- uint32_t http1_len = sizeof(http1_buf) - 1;
- uint32_t http2_len = sizeof(http2_buf) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
- p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p1->flow = &f;
- p1->flowflags |= FLOW_PKT_TOSERVER;
- p1->flowflags |= FLOW_PKT_ESTABLISHED;
- p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- p2->flow = &f;
- p2->flowflags |= FLOW_PKT_TOSERVER;
- p2->flowflags |= FLOW_PKT_ESTABLISHED;
- p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http client body test\"; "
- "pcre:/body1/H; "
- "content:\"dummy\"; distance:14; http_header; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http1_buf, http1_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: \n");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
-
- if (PacketAlertCheck(p1, 1)) {
- printf("sid 1 matched but shouldn't have\n");
- goto end;
- }
-
- FLOWLOCK_WRLOCK(&f);
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http2_buf, http2_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
-
- if (PacketAlertCheck(p2, 1)) {
- printf("sid 1 matched but shouldn't have");
- goto end;
- }
-
- result = 1;
-
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p1, 1);
- UTHFreePackets(&p2, 1);
- return result;
-}
-
-static int DetectEngineHttpHeaderTest28(void)
-{
- TcpSession ssn;
- Packet *p1 = NULL;
- Packet *p2 = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http_buf1[] =
- "GET /index.html HTTP/1.0\r\n"
- "Host: www.openinfosecfoundation.org\r\n"
- "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
- "\r\n";
- uint32_t http_buf1_len = sizeof(http_buf1) - 1;
- uint8_t http_buf2[] =
- "HTTP/1.0 200 ok\r\n"
- "Content-Type: text/html\r\n"
- "Content-Length: 6\r\n"
- "\r\n"
- "abcdef";
- uint32_t http_buf2_len = sizeof(http_buf2) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
- p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p1->flow = &f;
- p1->flowflags |= FLOW_PKT_TOSERVER;
- p1->flowflags |= FLOW_PKT_ESTABLISHED;
- p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
- p2->flow = &f;
- p2->flowflags |= FLOW_PKT_TOCLIENT;
- p2->flowflags |= FLOW_PKT_ESTABLISHED;
- p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http header test\"; "
- "content:\"Content-Length: 6\"; http_header; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http_buf1, http_buf1_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: \n");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
-
- if (PacketAlertCheck(p1, 1)) {
- printf("sid 1 matched but shouldn't have\n");
- goto end;
- }
-
- FLOWLOCK_WRLOCK(&f);
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOCLIENT, http_buf2, http_buf2_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
-
- FAIL_IF(!PacketAlertCheck(p2, 1));
-
- result = 1;
-
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p1, 1);
- UTHFreePackets(&p2, 1);
- return result;
-}
-
-static int DetectEngineHttpHeaderTest29(void)
-{
- TcpSession ssn;
- Packet *p1 = NULL;
- Packet *p2 = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http_buf1[] =
- "GET /index.html HTTP/1.0\r\n"
- "Host: www.openinfosecfoundation.org\r\n"
- "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
- "\r\n";
- uint32_t http_buf1_len = sizeof(http_buf1) - 1;
- uint8_t http_buf2[] =
- "HTTP/1.0 200 ok\r\n"
- "Content-Type: text/html\r\n"
- "Content-Length: 6\r\n"
- "\r\n"
- "abcdef";
- uint32_t http_buf2_len = sizeof(http_buf2) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
- p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p1->flow = &f;
- p1->flowflags |= FLOW_PKT_TOSERVER;
- p1->flowflags |= FLOW_PKT_ESTABLISHED;
- p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
- p2->flow = &f;
- p2->flowflags |= FLOW_PKT_TOCLIENT;
- p2->flowflags |= FLOW_PKT_ESTABLISHED;
- p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http header test\"; "
- "content:\"Content-Length: 7\"; http_header; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http_buf1, http_buf1_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: \n");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
-
- if (PacketAlertCheck(p1, 1)) {
- printf("sid 1 matched but shouldn't have\n");
- goto end;
- }
-
- FLOWLOCK_WRLOCK(&f);
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOCLIENT, http_buf2, http_buf2_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
-
- if (PacketAlertCheck(p2, 1)) {
- printf("sid 1 matched but shouldn't have");
- goto end;
- }
-
- result = 1;
-
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p1, 1);
- UTHFreePackets(&p2, 1);
- return result;
-}
-
-#if 0
-
-static int DetectEngineHttpHeaderTest30(void)
-{
- int result = 0;
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
-
- if (de_ctx == NULL) {
- goto end;
- }
-
- de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
- "(msg:\"http header test\"; "
- "content:\"Content-Length: 6\"; http_header; "
- "content:\"User-Agent: Mozilla\"; http_header; "
- "sid:1;)");
- if (de_ctx->sig_list != NULL) {
- goto end;
- }
-
- result = 1;
-
- end:
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
- return result;
-}
-
-#endif /* #if 0 */
-
-static int DetectEngineHttpHeaderTest30(void)
-{
- TcpSession ssn;
- Packet *p1 = NULL;
- Packet *p2 = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http_buf1[] =
- "GET /index.html HTTP/1.0\r\n"
- "Host: www.openinfosecfoundation.org\r\n"
- "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
- "\r\n";
- uint32_t http_buf1_len = sizeof(http_buf1) - 1;
- uint8_t http_buf2[] =
- "HTTP/1.0 200 ok\r\n"
- "Set-Cookie: dummycookieset\r\n"
- "Content-Type: text/html\r\n"
- "Content-Length: 6\r\n"
- "\r\n"
- "abcdef";
- uint32_t http_buf2_len = sizeof(http_buf2) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
- p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p1->flow = &f;
- p1->flowflags |= FLOW_PKT_TOSERVER;
- p1->flowflags |= FLOW_PKT_ESTABLISHED;
- p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
- p2->flow = &f;
- p2->flowflags |= FLOW_PKT_TOCLIENT;
- p2->flowflags |= FLOW_PKT_ESTABLISHED;
- p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(msg:\"http header test\"; "
- "content:\"dummycookieset\"; http_header; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http_buf1, http_buf1_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: \n");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
-
- if (PacketAlertCheck(p1, 1)) {
- printf("sid 1 matched but shouldn't have\n");
- goto end;
- }
-
- FLOWLOCK_WRLOCK(&f);
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOCLIENT, http_buf2, http_buf2_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
-
- if (PacketAlertCheck(p2, 1)) {
- printf("sid 1 matched but shouldn't have\n");
- goto end;
- }
-
- result = 1;
-
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p1, 1);
- UTHFreePackets(&p2, 1);
- return result;
-}
-
-/** \test reassembly bug where headers with names of length 6 were
- * skipped
- */
-static int DetectEngineHttpHeaderTest31(void)
-{
- TcpSession ssn;
- Packet *p1 = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http1_buf[] =
- "GET /index.html HTTP/1.0\r\n"
- "Accept: blah\r\n"
- "Cookie: blah\r\n"
- "Crazy6: blah\r\n"
- "SixZix: blah\r\n\r\n";
- uint32_t http1_len = sizeof(http1_buf) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p1->flow = &f;
- p1->flowflags |= FLOW_PKT_TOSERVER;
- p1->flowflags |= FLOW_PKT_ESTABLISHED;
- p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(content:\"Accept|3a|\"; http_header; "
- "content:!\"Cookie|3a|\"; http_header; "
- "content:\"Crazy6|3a|\"; http_header; "
- "content:\"SixZix|3a|\"; http_header; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http1_buf, http1_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: \n");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
-
- if (!(PacketAlertCheck(p1, 1))) {
- printf("sid 1 didn't match but should have: ");
- goto end;
- }
-
- result = 1;
-
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p1, 1);
- return result;
-}
-
-/**
- * \test Trailing headers.
- */
-static int DetectEngineHttpHeaderTest32(void)
-{
- TcpSession ssn;
- Packet *p1 = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http1_buf[] =
- "GET /index.html HTTP/1.0\r\n"
- "host: boom\r\n"
- "Transfer-Encoding: chunked\r\n"
- "\r\n"
- "13\r\n"
- "This is dummy body1\r\n"
- "0\r\n"
- "Dummy-Header: kaboom\r\n"
- "\r\n";
- uint32_t http1_len = sizeof(http1_buf) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p1->flow = &f;
- p1->flowflags |= FLOW_PKT_TOSERVER;
- p1->flowflags |= FLOW_PKT_ESTABLISHED;
- p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(content:\"Dummy\"; http_header; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http1_buf, http1_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: \n");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
-
- if (!(PacketAlertCheck(p1, 1))) {
- printf("sid 1 didn't match but should have: ");
- goto end;
- }
-
- result = 1;
-
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p1, 1);
- return result;
-}
-
-/**
- * \test Trailing headers.
- */
-static int DetectEngineHttpHeaderTest33(void)
-{
- TcpSession ssn;
- Packet *p1 = NULL;
- Packet *p2 = NULL;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- Flow f;
- uint8_t http1_buf[] =
- "GET /index.html HTTP/1.0\r\n"
- "host: boom\r\n"
- "Transfer-Encoding: chunked\r\n"
- "\r\n"
- "13\r\n"
- "This is dummy body1\r\n"
- "0\r\n";
- uint8_t http2_buf[] =
- "Dummy-Header: kaboom\r\n"
- "\r\n";
- uint32_t http1_len = sizeof(http1_buf) - 1;
- uint32_t http2_len = sizeof(http2_buf) - 1;
- int result = 0;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
- p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p1->flow = &f;
- p1->flowflags |= FLOW_PKT_TOSERVER;
- p1->flowflags |= FLOW_PKT_ESTABLISHED;
- p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- p2->flow = &f;
- p2->flowflags |= FLOW_PKT_TOSERVER;
- p2->flowflags |= FLOW_PKT_ESTABLISHED;
- p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(content:\"Dummy\"; http_header; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http1_buf, http1_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: \n");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
-
- if (PacketAlertCheck(p1, 1)) {
- printf("sid 1 matched but shouldn't have\n");
- goto end;
- }
-
- FLOWLOCK_WRLOCK(&f);
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, http2_buf, http2_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
-
- if (!PacketAlertCheck(p2, 1)) {
- printf("sid 1 didn't match but should have\n");
- goto end;
- }
-
- result = 1;
-
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p1, 1);
- UTHFreePackets(&p2, 1);
- return result;
-}
-
#endif /* UNITTESTS */
void DetectEngineHttpHeaderRegisterTests(void)
{
#ifdef UNITTESTS
- UtRegisterTest("DetectEngineHttpHeaderTest01",
- DetectEngineHttpHeaderTest01);
- UtRegisterTest("DetectEngineHttpHeaderTest02",
- DetectEngineHttpHeaderTest02);
- UtRegisterTest("DetectEngineHttpHeaderTest03",
- DetectEngineHttpHeaderTest03);
- UtRegisterTest("DetectEngineHttpHeaderTest04",
- DetectEngineHttpHeaderTest04);
- UtRegisterTest("DetectEngineHttpHeaderTest05",
- DetectEngineHttpHeaderTest05);
- UtRegisterTest("DetectEngineHttpHeaderTest06",
- DetectEngineHttpHeaderTest06);
- UtRegisterTest("DetectEngineHttpHeaderTest07",
- DetectEngineHttpHeaderTest07);
- UtRegisterTest("DetectEngineHttpHeaderTest08",
- DetectEngineHttpHeaderTest08);
- UtRegisterTest("DetectEngineHttpHeaderTest09",
- DetectEngineHttpHeaderTest09);
- UtRegisterTest("DetectEngineHttpHeaderTest10",
- DetectEngineHttpHeaderTest10);
- UtRegisterTest("DetectEngineHttpHeaderTest11",
- DetectEngineHttpHeaderTest11);
- UtRegisterTest("DetectEngineHttpHeaderTest12",
- DetectEngineHttpHeaderTest12);
- UtRegisterTest("DetectEngineHttpHeaderTest13",
- DetectEngineHttpHeaderTest13);
- UtRegisterTest("DetectEngineHttpHeaderTest14",
- DetectEngineHttpHeaderTest14);
- UtRegisterTest("DetectEngineHttpHeaderTest15",
- DetectEngineHttpHeaderTest15);
- UtRegisterTest("DetectEngineHttpHeaderTest16",
- DetectEngineHttpHeaderTest16);
- UtRegisterTest("DetectEngineHttpHeaderTest17",
- DetectEngineHttpHeaderTest17);
- UtRegisterTest("DetectEngineHttpHeaderTest20",
- DetectEngineHttpHeaderTest20);
- UtRegisterTest("DetectEngineHttpHeaderTest21",
- DetectEngineHttpHeaderTest21);
- UtRegisterTest("DetectEngineHttpHeaderTest22",
- DetectEngineHttpHeaderTest22);
- UtRegisterTest("DetectEngineHttpHeaderTest23",
- DetectEngineHttpHeaderTest23);
- UtRegisterTest("DetectEngineHttpHeaderTest24",
- DetectEngineHttpHeaderTest24);
- UtRegisterTest("DetectEngineHttpHeaderTest25",
- DetectEngineHttpHeaderTest25);
- UtRegisterTest("DetectEngineHttpHeaderTest26",
- DetectEngineHttpHeaderTest26);
- UtRegisterTest("DetectEngineHttpHeaderTest27",
- DetectEngineHttpHeaderTest27);
- UtRegisterTest("DetectEngineHttpHeaderTest28",
- DetectEngineHttpHeaderTest28);
- UtRegisterTest("DetectEngineHttpHeaderTest29",
- DetectEngineHttpHeaderTest29);
- UtRegisterTest("DetectEngineHttpHeaderTest30",
- DetectEngineHttpHeaderTest30);
- UtRegisterTest("DetectEngineHttpHeaderTest31",
- DetectEngineHttpHeaderTest31);
-#if 0
- UtRegisterTest("DetectEngineHttpHeaderTest30",
- DetectEngineHttpHeaderTest30, 1);
-#endif
- UtRegisterTest("DetectEngineHttpHeaderTest32",
- DetectEngineHttpHeaderTest32);
- UtRegisterTest("DetectEngineHttpHeaderTest33",
- DetectEngineHttpHeaderTest33);
#endif /* UNITTESTS */
#include "detect-engine.h"
#include "detect-engine-mpm.h"
#include "detect-engine-state.h"
+#include "detect-engine-prefilter.h"
+#include "detect-engine-content-inspection.h"
#include "detect-content.h"
#include "detect-pcre.h"
#include "util-unittest-helper.h"
#include "util-spm.h"
#include "util-print.h"
+#include "util-memcmp.h"
#include "app-layer.h"
#include "app-layer-parser.h"
static int DetectHttpHeaderSetup(DetectEngineCtx *, Signature *, char *);
static void DetectHttpHeaderRegisterTests(void);
-static void DetectHttpHeaderFree(void *);
static void DetectHttpHeaderSetupCallback(Signature *);
static int g_http_header_buffer_id = 0;
-/**
- * \brief Registers the keyword handlers for the "http_header" keyword.
+#define BUFFER_STEP 50
+
+static inline int HHDCreateSpace(DetectEngineThreadCtx *det_ctx, uint64_t size)
+{
+ if (size >= (USHRT_MAX - BUFFER_STEP))
+ return -1;
+
+ void *ptmp;
+ if (size > det_ctx->hhd_buffers_size) {
+ ptmp = SCRealloc(det_ctx->hhd_buffers,
+ (det_ctx->hhd_buffers_size + BUFFER_STEP) * sizeof(uint8_t *));
+ if (ptmp == NULL) {
+ SCFree(det_ctx->hhd_buffers);
+ det_ctx->hhd_buffers = NULL;
+ det_ctx->hhd_buffers_size = 0;
+ det_ctx->hhd_buffers_list_len = 0;
+ return -1;
+ }
+ det_ctx->hhd_buffers = ptmp;
+
+ memset(det_ctx->hhd_buffers + det_ctx->hhd_buffers_size, 0, BUFFER_STEP * sizeof(uint8_t *));
+ ptmp = SCRealloc(det_ctx->hhd_buffers_len,
+ (det_ctx->hhd_buffers_size + BUFFER_STEP) * sizeof(uint32_t));
+ if (ptmp == NULL) {
+ SCFree(det_ctx->hhd_buffers_len);
+ det_ctx->hhd_buffers_len = NULL;
+ det_ctx->hhd_buffers_size = 0;
+ det_ctx->hhd_buffers_list_len = 0;
+ return -1;
+ }
+ det_ctx->hhd_buffers_len = ptmp;
+
+ memset(det_ctx->hhd_buffers_len + det_ctx->hhd_buffers_size, 0, BUFFER_STEP * sizeof(uint32_t));
+ det_ctx->hhd_buffers_size += BUFFER_STEP;
+ }
+ memset(det_ctx->hhd_buffers_len + det_ctx->hhd_buffers_list_len, 0, (size - det_ctx->hhd_buffers_list_len) * sizeof(uint32_t));
+
+ return 0;
+}
+
+static uint8_t *DetectEngineHHDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id,
+ DetectEngineCtx *de_ctx,
+ DetectEngineThreadCtx *det_ctx,
+ Flow *f, HtpState *htp_state,
+ uint8_t flags,
+ uint32_t *buffer_len)
+{
+ uint8_t *headers_buffer = NULL;
+ int index = 0;
+ *buffer_len = 0;
+
+ if (det_ctx->hhd_buffers_list_len == 0) {
+ /* get the inspect id to use as a 'base id' */
+ uint64_t base_inspect_id = AppLayerParserGetTransactionInspectId(f->alparser, flags);
+ BUG_ON(base_inspect_id > tx_id);
+ /* see how many space we need for the current tx_id */
+ uint64_t txs = (tx_id - base_inspect_id) + 1;
+ if (HHDCreateSpace(det_ctx, txs) < 0)
+ goto end;
+
+ index = (tx_id - base_inspect_id);
+ det_ctx->hhd_start_tx_id = base_inspect_id;
+ det_ctx->hhd_buffers_list_len = txs;
+ } else {
+ /* tx fits in our current buffers */
+ if ((tx_id - det_ctx->hhd_start_tx_id) < det_ctx->hhd_buffers_list_len) {
+ /* if we previously reassembled, return that buffer */
+ if (det_ctx->hhd_buffers_len[(tx_id - det_ctx->hhd_start_tx_id)] != 0) {
+ *buffer_len = det_ctx->hhd_buffers_len[(tx_id - det_ctx->hhd_start_tx_id)];
+ return det_ctx->hhd_buffers[(tx_id - det_ctx->hhd_start_tx_id)];
+ }
+ /* otherwise fall through */
+ } else {
+ /* not enough space, lets expand */
+ uint64_t txs = (tx_id - det_ctx->hhd_start_tx_id) + 1;
+ if (HHDCreateSpace(det_ctx, txs) < 0)
+ goto end;
+
+ det_ctx->hhd_buffers_list_len = txs;
+ }
+ index = (tx_id - det_ctx->hhd_start_tx_id);
+ }
+
+ htp_table_t *headers;
+ if (flags & STREAM_TOSERVER) {
+ if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) <= HTP_REQUEST_HEADERS)
+ goto end;
+ headers = tx->request_headers;
+ } else {
+ if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) <= HTP_RESPONSE_HEADERS)
+ goto end;
+ headers = tx->response_headers;
+ }
+ if (headers == NULL)
+ goto end;
+
+ htp_header_t *h = NULL;
+ headers_buffer = det_ctx->hhd_buffers[index];
+ size_t headers_buffer_len = 0;
+ size_t i = 0;
+
+ size_t no_of_headers = htp_table_size(headers);
+ for (; i < no_of_headers; i++) {
+ h = htp_table_get_index(headers, i, NULL);
+ size_t size1 = bstr_size(h->name);
+ size_t size2 = bstr_size(h->value);
+
+ if (flags & STREAM_TOSERVER) {
+ if (size1 == 6 &&
+ SCMemcmpLowercase("cookie", bstr_ptr(h->name), 6) == 0) {
+ continue;
+ }
+ } else {
+ if (size1 == 10 &&
+ SCMemcmpLowercase("set-cookie", bstr_ptr(h->name), 10) == 0) {
+ continue;
+ }
+ }
+
+ /* the extra 4 bytes if for ": " and "\r\n" */
+ uint8_t *new_headers_buffer = SCRealloc(headers_buffer, headers_buffer_len + size1 + size2 + 4);
+ if (unlikely(new_headers_buffer == NULL)) {
+ if (headers_buffer != NULL) {
+ SCFree(headers_buffer);
+ headers_buffer = NULL;
+ }
+ det_ctx->hhd_buffers[index] = NULL;
+ det_ctx->hhd_buffers_len[index] = 0;
+ goto end;
+ }
+ headers_buffer = new_headers_buffer;
+
+ memcpy(headers_buffer + headers_buffer_len, bstr_ptr(h->name), size1);
+ headers_buffer_len += size1;
+ headers_buffer[headers_buffer_len] = ':';
+ headers_buffer[headers_buffer_len + 1] = ' ';
+ headers_buffer_len += 2;
+ memcpy(headers_buffer + headers_buffer_len, bstr_ptr(h->value), size2);
+ headers_buffer_len += size2 + 2;
+ /* \r */
+ headers_buffer[headers_buffer_len - 2] = '\r';
+ /* \n */
+ headers_buffer[headers_buffer_len - 1] = '\n';
+ }
+
+ /* store the buffers. We will need it for further inspection */
+ det_ctx->hhd_buffers[index] = headers_buffer;
+ det_ctx->hhd_buffers_len[index] = headers_buffer_len;
+
+ *buffer_len = (uint32_t)headers_buffer_len;
+ end:
+ return headers_buffer;
+}
+
+/** \brief HTTP Headers Mpm prefilter callback
+ *
+ * \param det_ctx detection engine thread ctx
+ * \param p packet to inspect
+ * \param f flow to inspect
+ * \param txv tx to inspect
+ * \param pectx inspection context
*/
-void DetectHttpHeaderRegister(void)
+static void PrefilterTxHttpRequestHeaders(DetectEngineThreadCtx *det_ctx,
+ const void *pectx,
+ Packet *p, Flow *f, void *txv,
+ const uint64_t idx, const uint8_t flags)
{
- sigmatch_table[DETECT_AL_HTTP_HEADER].name = "http_header";
- sigmatch_table[DETECT_AL_HTTP_HEADER].desc = "content modifier to match only on the HTTP header-buffer";
- sigmatch_table[DETECT_AL_HTTP_HEADER].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-header";
- sigmatch_table[DETECT_AL_HTTP_HEADER].Match = NULL;
- sigmatch_table[DETECT_AL_HTTP_HEADER].AppLayerMatch = NULL;
- sigmatch_table[DETECT_AL_HTTP_HEADER].Setup = DetectHttpHeaderSetup;
- sigmatch_table[DETECT_AL_HTTP_HEADER].Free = DetectHttpHeaderFree;
- sigmatch_table[DETECT_AL_HTTP_HEADER].RegisterTests = DetectHttpHeaderRegisterTests;
+ SCEnter();
- sigmatch_table[DETECT_AL_HTTP_HEADER].flags |= SIGMATCH_NOOPT ;
- sigmatch_table[DETECT_AL_HTTP_HEADER].flags |= SIGMATCH_PAYLOAD ;
+ const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
+ htp_tx_t *tx = (htp_tx_t *)txv;
- DetectAppLayerMpmRegister("http_header", SIG_FLAG_TOSERVER, 2,
- PrefilterTxHttpRequestHeadersRegister);
- DetectAppLayerMpmRegister("http_header", SIG_FLAG_TOCLIENT, 2,
- PrefilterTxHttpResponseHeadersRegister);
+ if (tx->request_headers == NULL)
+ return;
- DetectAppLayerInspectEngineRegister("http_header",
- ALPROTO_HTTP, SIG_FLAG_TOSERVER,
- DetectEngineInspectHttpHeader);
- DetectAppLayerInspectEngineRegister("http_header",
- ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
- DetectEngineInspectHttpHeader);
+ HtpState *htp_state = f->alstate;
+ uint32_t buffer_len = 0;
+ const uint8_t *buffer = DetectEngineHHDGetBufferForTX(tx, idx,
+ NULL, det_ctx,
+ f, htp_state,
+ flags,
+ &buffer_len);
+
+ if (buffer_len >= mpm_ctx->minlen) {
+ (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
+ &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
+ }
+}
+#if 0
+static void PrefilterTxHttpRequestTrailers(DetectEngineThreadCtx *det_ctx,
+ const void *pectx,
+ Packet *p, Flow *f, void *txv,
+ const uint64_t idx, const uint8_t flags)
+{
+ SCEnter();
- DetectBufferTypeSetDescriptionByName("http_header",
- "http headers");
+ const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
+ htp_tx_t *tx = (htp_tx_t *)txv;
- DetectBufferTypeRegisterSetupCallback("http_header",
- DetectHttpHeaderSetupCallback);
+ if (tx->request_headers == NULL)
+ return;
+ const HtpTxUserData *htud = (const HtpTxUserData *)htp_tx_get_user_data(tx);
+ /* if the request wasn't flagged as having a trailer, we skip */
+ if (htud && !htud->request_has_trailers)
+ return;
- g_http_header_buffer_id = DetectBufferTypeGetByName("http_header");
+ HtpState *htp_state = f->alstate;
+ uint32_t buffer_len = 0;
+ const uint8_t *buffer = DetectEngineHHDGetBufferForTX(tx, idx,
+ NULL, det_ctx,
+ f, htp_state,
+ flags,
+ &buffer_len);
+
+ if (buffer_len >= mpm_ctx->minlen) {
+ (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
+ &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
+ }
+}
+#endif
+static int PrefilterTxHttpRequestHeadersRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx)
+{
+ SCEnter();
+
+ int r = PrefilterAppendTxEngine(sgh, PrefilterTxHttpRequestHeaders,
+ ALPROTO_HTTP, HTP_REQUEST_HEADERS,
+ mpm_ctx, NULL, "http_header (request)");
+ return r;
+#if 0
+ if (r != 0)
+ return r;
+ return PrefilterAppendTxEngine(sgh, PrefilterTxHttpRequestTrailers,
+ ALPROTO_HTTP, HTP_REQUEST_TRAILER,
+ mpm_ctx, NULL, "http_header (request)");
+#endif
}
-/**
- * \brief this function clears the memory of http_header modifier keyword
+/** \brief HTTP Headers Mpm prefilter callback
*
- * \param ptr Pointer to the Detection Header Data
+ * \param det_ctx detection engine thread ctx
+ * \param p packet to inspect
+ * \param f flow to inspect
+ * \param txv tx to inspect
+ * \param pectx inspection context
*/
-void DetectHttpHeaderFree(void *ptr)
+static void PrefilterTxHttpResponseHeaders(DetectEngineThreadCtx *det_ctx,
+ const void *pectx,
+ Packet *p, Flow *f, void *txv,
+ const uint64_t idx, const uint8_t flags)
{
- DetectContentData *hhd = (DetectContentData *)ptr;
- if (hhd == NULL)
+ SCEnter();
+
+ const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
+ htp_tx_t *tx = (htp_tx_t *)txv;
+
+ if (tx->response_headers == NULL)
+ return;
+
+ HtpState *htp_state = f->alstate;
+ uint32_t buffer_len = 0;
+ const uint8_t *buffer = DetectEngineHHDGetBufferForTX(tx, idx,
+ NULL, det_ctx,
+ f, htp_state,
+ flags,
+ &buffer_len);
+
+ if (buffer_len >= mpm_ctx->minlen) {
+ (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
+ &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
+ }
+}
+#if 0
+static void PrefilterTxHttpResponseTrailers(DetectEngineThreadCtx *det_ctx,
+ const void *pectx,
+ Packet *p, Flow *f, void *txv,
+ const uint64_t idx, const uint8_t flags)
+{
+ SCEnter();
+
+ const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
+ htp_tx_t *tx = (htp_tx_t *)txv;
+
+ if (tx->response_headers == NULL)
+ return;
+ const HtpTxUserData *htud = (const HtpTxUserData *)htp_tx_get_user_data(tx);
+ /* if the request wasn't flagged as having a trailer, we skip */
+ if (htud && !htud->response_has_trailers)
return;
- if (hhd->content != NULL)
- SCFree(hhd->content);
- SCFree(hhd);
+ HtpState *htp_state = f->alstate;
+ uint32_t buffer_len = 0;
+ const uint8_t *buffer = DetectEngineHHDGetBufferForTX(tx, idx,
+ NULL, det_ctx,
+ f, htp_state,
+ flags,
+ &buffer_len);
+
+ if (buffer_len >= mpm_ctx->minlen) {
+ (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
+ &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
+ }
+}
+#endif
+static int PrefilterTxHttpResponseHeadersRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx)
+{
+ SCEnter();
+
+ int r = PrefilterAppendTxEngine(sgh, PrefilterTxHttpResponseHeaders,
+ ALPROTO_HTTP, HTP_RESPONSE_HEADERS,
+ mpm_ctx, NULL, "http_header (response)");
+ return r;
+#if 0
+ if (r != 0)
+ return r;
+ return PrefilterAppendTxEngine(sgh, PrefilterTxHttpResponseTrailers,
+ ALPROTO_HTTP, HTP_RESPONSE_TRAILER,
+ mpm_ctx, NULL, "http_header (response)");
+#endif
+}
+
+static int DetectEngineInspectHttpHeader(ThreadVars *tv,
+ DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
+ const Signature *s, const SigMatchData *smd,
+ Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
+{
+ HtpState *htp_state = (HtpState *)alstate;
+ uint32_t buffer_len = 0;
+ uint8_t *buffer = DetectEngineHHDGetBufferForTX(tx, tx_id,
+ de_ctx, det_ctx,
+ f, htp_state,
+ flags,
+ &buffer_len);
+ if (buffer_len == 0)
+ goto end;
+
+ det_ctx->buffer_offset = 0;
+ det_ctx->discontinue_matching = 0;
+ det_ctx->inspection_recursion_counter = 0;
+ int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd,
+ f,
+ buffer,
+ buffer_len,
+ 0,
+ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
+ if (r == 1)
+ return DETECT_ENGINE_INSPECT_SIG_MATCH;
+
+ end:
+ if (flags & STREAM_TOSERVER) {
+ if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) > HTP_REQUEST_HEADERS)
+ return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
+ } else {
+ if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) > HTP_RESPONSE_HEADERS)
+ return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
+ }
+ return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
+}
+
+void DetectEngineCleanHHDBuffers(DetectEngineThreadCtx *det_ctx)
+{
+ if (det_ctx->hhd_buffers_list_len != 0) {
+ int i;
+ for (i = 0; i < det_ctx->hhd_buffers_list_len; i++) {
+ det_ctx->hhd_buffers_len[i] = 0;
+ }
+ det_ctx->hhd_buffers_list_len = 0;
+ }
+ det_ctx->hhd_start_tx_id = 0;
return;
}
* \retval 0 On success.
* \retval -1 On failure.
*/
-int DetectHttpHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
+static int DetectHttpHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
return DetectEngineContentModifierBufferSetup(de_ctx, s, arg,
DETECT_AL_HTTP_HEADER,
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
}
+/**
+ * \brief Registers the keyword handlers for the "http_header" keyword.
+ */
+void DetectHttpHeaderRegister(void)
+{
+ sigmatch_table[DETECT_AL_HTTP_HEADER].name = "http_header";
+ sigmatch_table[DETECT_AL_HTTP_HEADER].desc = "content modifier to match only on the HTTP header-buffer";
+ sigmatch_table[DETECT_AL_HTTP_HEADER].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-header";
+ sigmatch_table[DETECT_AL_HTTP_HEADER].Setup = DetectHttpHeaderSetup;
+ sigmatch_table[DETECT_AL_HTTP_HEADER].RegisterTests = DetectHttpHeaderRegisterTests;
+
+ sigmatch_table[DETECT_AL_HTTP_HEADER].flags |= SIGMATCH_NOOPT ;
+ sigmatch_table[DETECT_AL_HTTP_HEADER].flags |= SIGMATCH_PAYLOAD ;
+
+ DetectAppLayerMpmRegister("http_header", SIG_FLAG_TOSERVER, 2,
+ PrefilterTxHttpRequestHeadersRegister);
+ DetectAppLayerMpmRegister("http_header", SIG_FLAG_TOCLIENT, 2,
+ PrefilterTxHttpResponseHeadersRegister);
+
+ DetectAppLayerInspectEngineRegister("http_header",
+ ALPROTO_HTTP, SIG_FLAG_TOSERVER,
+ DetectEngineInspectHttpHeader);
+ DetectAppLayerInspectEngineRegister("http_header",
+ ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
+ DetectEngineInspectHttpHeader);
+
+ DetectBufferTypeSetDescriptionByName("http_header",
+ "http headers");
+
+ DetectBufferTypeRegisterSetupCallback("http_header",
+ DetectHttpHeaderSetupCallback);
+
+ g_http_header_buffer_id = DetectBufferTypeGetByName("http_header");
+}
+
/************************************Unittests*********************************/
#ifdef UNITTESTS
PASS;
}
+/**
+ *\test Test that the http_header content matches against a http request
+ * which holds the content.
+ */
+static int DetectEngineHttpHeaderTest01(void)
+{
+ TcpSession ssn;
+ Packet *p = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http_buf[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
+ uint32_t http_len = sizeof(http_buf) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+ p->flow = &f;
+ p->flowflags |= FLOW_PKT_TOSERVER;
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http header test\"; "
+ "content:\"one\"; http_header; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http_buf, http_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: ");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+
+ if (!(PacketAlertCheck(p, 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ result = 1;
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p, 1);
+ return result;
+}
+
+/**
+ *\test Test that the http_header content matches against a http request
+ * which holds the content.
+ */
+static int DetectEngineHttpHeaderTest02(void)
+{
+ TcpSession ssn;
+ Packet *p = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http_buf[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
+ uint32_t http_len = sizeof(http_buf) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+ p->flow = &f;
+ p->flowflags |= FLOW_PKT_TOSERVER;
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http header test\"; "
+ "content:\"one\"; depth:15; http_header; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http_buf, http_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: ");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+
+ if (!(PacketAlertCheck(p, 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ result = 1;
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p, 1);
+ return result;
+}
+
+/**
+ *\test Test that the http_header content matches against a http request
+ * which holds the content.
+ */
+static int DetectEngineHttpHeaderTest03(void)
+{
+ TcpSession ssn;
+ Packet *p = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http_buf[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
+ uint32_t http_len = sizeof(http_buf) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+ p->flow = &f;
+ p->flowflags |= FLOW_PKT_TOSERVER;
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http header test\"; "
+ "content:!\"one\"; depth:5; http_header; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http_buf, http_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: ");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+
+ if (!(PacketAlertCheck(p, 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ result = 1;
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p, 1);
+ return result;
+}
+
+/**
+ *\test Test that the http_header content matches against a http request
+ * which holds the content.
+ */
+static int DetectEngineHttpHeaderTest04(void)
+{
+ TcpSession ssn;
+ Packet *p = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http_buf[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
+ uint32_t http_len = sizeof(http_buf) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+ p->flow = &f;
+ p->flowflags |= FLOW_PKT_TOSERVER;
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http header test\"; "
+ "content:\"one\"; depth:5; http_header; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http_buf, http_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: ");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+
+ if (PacketAlertCheck(p, 1)) {
+ printf("sid 1 matched but shouldn't have: ");
+ goto end;
+ }
+
+ result = 1;
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p, 1);
+ return result;
+}
+
+/**
+ *\test Test that the http_header content matches against a http request
+ * which holds the content.
+ */
+static int DetectEngineHttpHeaderTest05(void)
+{
+ TcpSession ssn;
+ Packet *p = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http_buf[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
+ uint32_t http_len = sizeof(http_buf) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+ p->flow = &f;
+ p->flowflags |= FLOW_PKT_TOSERVER;
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http header test\"; "
+ "content:!\"one\"; depth:15; http_header; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http_buf, http_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: ");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+
+ if (PacketAlertCheck(p, 1)) {
+ printf("sid 1 matched but shouldn't have: ");
+ goto end;
+ }
+
+ result = 1;
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p, 1);
+ return result;
+}
+
+/**
+ *\test Test that the http_header content matches against a http request
+ * which holds the content.
+ */
+static int DetectEngineHttpHeaderTest06(void)
+{
+ TcpSession ssn;
+ Packet *p = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http_buf[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
+ uint32_t http_len = sizeof(http_buf) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+ p->flow = &f;
+ p->flowflags |= FLOW_PKT_TOSERVER;
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http header test\"; "
+ "content:\"one\"; offset:10; http_header; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http_buf, http_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: ");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+
+ if (!(PacketAlertCheck(p, 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ result = 1;
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p, 1);
+ return result;
+}
+
+/**
+ *\test Test that the http_header content matches against a http request
+ * which holds the content.
+ */
+static int DetectEngineHttpHeaderTest07(void)
+{
+ TcpSession ssn;
+ Packet *p = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http_buf[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
+ uint32_t http_len = sizeof(http_buf) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+ p->flow = &f;
+ p->flowflags |= FLOW_PKT_TOSERVER;
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http header test\"; "
+ "content:!\"one\"; offset:15; http_header; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http_buf, http_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: ");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+
+ if (!(PacketAlertCheck(p, 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ result = 1;
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p, 1);
+ return result;
+}
+
+/**
+ *\test Test that the http_header content matches against a http request
+ * which holds the content.
+ */
+static int DetectEngineHttpHeaderTest08(void)
+{
+ TcpSession ssn;
+ Packet *p = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http_buf[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
+ uint32_t http_len = sizeof(http_buf) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+ p->flow = &f;
+ p->flowflags |= FLOW_PKT_TOSERVER;
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http header test\"; "
+ "content:\"one\"; offset:15; http_header; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http_buf, http_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: ");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+
+ if (PacketAlertCheck(p, 1)) {
+ printf("sid 1 matched but shouldn't have: ");
+ goto end;
+ }
+
+ result = 1;
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p, 1);
+ return result;
+}
+
+/**
+ *\test Test that the http_header content matches against a http request
+ * which holds the content.
+ */
+static int DetectEngineHttpHeaderTest09(void)
+{
+ TcpSession ssn;
+ Packet *p = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http_buf[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
+ uint32_t http_len = sizeof(http_buf) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+ p->flow = &f;
+ p->flowflags |= FLOW_PKT_TOSERVER;
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http header test\"; "
+ "content:!\"one\"; offset:10; http_header; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http_buf, http_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: ");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+
+ if (PacketAlertCheck(p, 1)) {
+ printf("sid 1 matched but shouldn't have: ");
+ goto end;
+ }
+
+ result = 1;
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p, 1);
+ return result;
+}
+
+/**
+ *\test Test that the http_header content matches against a http request
+ * which holds the content.
+ */
+static int DetectEngineHttpHeaderTest10(void)
+{
+ TcpSession ssn;
+ Packet *p = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http_buf[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
+ uint32_t http_len = sizeof(http_buf) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+ p->flow = &f;
+ p->flowflags |= FLOW_PKT_TOSERVER;
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http header test\"; "
+ "content:\"one\"; http_header; content:\"three\"; http_header; within:10; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http_buf, http_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: ");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+
+ if (!(PacketAlertCheck(p, 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ result = 1;
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p, 1);
+ return result;
+}
+
+/**
+ *\test Test that the http_header content matches against a http request
+ * which holds the content.
+ */
+static int DetectEngineHttpHeaderTest11(void)
+{
+ TcpSession ssn;
+ Packet *p = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http_buf[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
+ uint32_t http_len = sizeof(http_buf) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+ p->flow = &f;
+ p->flowflags |= FLOW_PKT_TOSERVER;
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http header test\"; "
+ "content:\"one\"; http_header; content:!\"three\"; http_header; within:5; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http_buf, http_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: ");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+
+ if (!(PacketAlertCheck(p, 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ result = 1;
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p, 1);
+ return result;
+}
+
+/**
+ *\test Test that the http_header content matches against a http request
+ * which holds the content.
+ */
+static int DetectEngineHttpHeaderTest12(void)
+{
+ TcpSession ssn;
+ Packet *p = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http_buf[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
+ uint32_t http_len = sizeof(http_buf) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+ p->flow = &f;
+ p->flowflags |= FLOW_PKT_TOSERVER;
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http header test\"; "
+ "content:\"one\"; http_header; content:!\"three\"; http_header; within:10; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http_buf, http_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: ");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+
+ if (PacketAlertCheck(p, 1)) {
+ printf("sid 1 matched but shouldn't have: ");
+ goto end;
+ }
+
+ result = 1;
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p, 1);
+ return result;
+}
+
+/**
+ *\test Test that the http_header content matches against a http request
+ * which holds the content.
+ */
+static int DetectEngineHttpHeaderTest13(void)
+{
+ TcpSession ssn;
+ Packet *p = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http_buf[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
+ uint32_t http_len = sizeof(http_buf) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+ p->flow = &f;
+ p->flowflags |= FLOW_PKT_TOSERVER;
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http header test\"; "
+ "content:\"one\"; http_header; content:\"three\"; http_header; within:5; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http_buf, http_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: ");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+
+ if (PacketAlertCheck(p, 1)) {
+ printf("sid 1 matched but shouldn't have: ");
+ goto end;
+ }
+
+ result = 1;
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p, 1);
+ return result;
+}
+
+/**
+ *\test Test that the http_header content matches against a http request
+ * which holds the content.
+ */
+static int DetectEngineHttpHeaderTest14(void)
+{
+ TcpSession ssn;
+ Packet *p = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http_buf[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
+ uint32_t http_len = sizeof(http_buf) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+ p->flow = &f;
+ p->flowflags |= FLOW_PKT_TOSERVER;
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http header test\"; "
+ "content:\"one\"; http_header; content:\"five\"; http_header; distance:7; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http_buf, http_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: ");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+
+ if (!(PacketAlertCheck(p, 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ result = 1;
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p, 1);
+ return result;
+}
+
+/**
+ *\test Test that the http_header content matches against a http request
+ * which holds the content.
+ */
+static int DetectEngineHttpHeaderTest15(void)
+{
+ TcpSession ssn;
+ Packet *p = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http_buf[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
+ uint32_t http_len = sizeof(http_buf) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+ p->flow = &f;
+ p->flowflags |= FLOW_PKT_TOSERVER;
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http header test\"; "
+ "content:\"one\"; http_header; content:!\"five\"; http_header; distance:15; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http_buf, http_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: ");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+
+ if (!(PacketAlertCheck(p, 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ result = 1;
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p, 1);
+ return result;
+}
+
+/**
+ *\test Test that the http_header content matches against a http request
+ * which holds the content.
+ */
+static int DetectEngineHttpHeaderTest16(void)
+{
+ TcpSession ssn;
+ Packet *p = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http_buf[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
+ uint32_t http_len = sizeof(http_buf) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+ p->flow = &f;
+ p->flowflags |= FLOW_PKT_TOSERVER;
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http header test\"; "
+ "content:\"one\"; http_header; content:!\"five\"; http_header; distance:7; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http_buf, http_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: ");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+
+ if (PacketAlertCheck(p, 1)) {
+ printf("sid 1 matched but shouldn't have: ");
+ goto end;
+ }
+
+ result = 1;
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p, 1);
+ return result;
+}
+
+/**
+ *\test Test that the http_header content matches against a http request
+ * which holds the content.
+ */
+static int DetectEngineHttpHeaderTest17(void)
+{
+ TcpSession ssn;
+ Packet *p = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http_buf[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
+ uint32_t http_len = sizeof(http_buf) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+ p->flow = &f;
+ p->flowflags |= FLOW_PKT_TOSERVER;
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http header test\"; "
+ "content:\"one\"; http_header; content:\"five\"; http_header; distance:15; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http_buf, http_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: ");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+
+ if (PacketAlertCheck(p, 1)) {
+ printf("sid 1 matched but shouldn't have: ");
+ goto end;
+ }
+
+ result = 1;
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p, 1);
+ return result;
+}
+
+static int DetectEngineHttpHeaderTest20(void)
+{
+ TcpSession ssn;
+ Packet *p1 = NULL;
+ Packet *p2 = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http1_buf[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: This_is_dummy_body1";
+ uint8_t http2_buf[] =
+ "This_is_dummy_message_body2\r\n"
+ "\r\n";
+ uint32_t http1_len = sizeof(http1_buf) - 1;
+ uint32_t http2_len = sizeof(http2_buf) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+ p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+
+ p1->flow = &f;
+ p1->flowflags |= FLOW_PKT_TOSERVER;
+ p1->flowflags |= FLOW_PKT_ESTABLISHED;
+ p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ p2->flow = &f;
+ p2->flowflags |= FLOW_PKT_TOSERVER;
+ p2->flowflags |= FLOW_PKT_ESTABLISHED;
+ p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http client body test\"; "
+ "pcre:/body1/H; "
+ "content:!\"dummy\"; http_header; within:7; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http1_buf, http1_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: \n");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
+
+ if (PacketAlertCheck(p1, 1)) {
+ printf("sid 1 matched but shouldn't have\n");
+ goto end;
+ }
+
+ FLOWLOCK_WRLOCK(&f);
+ r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http2_buf, http2_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
+
+ if (!PacketAlertCheck(p2, 1)) {
+ printf("sid 1 didn't match but shouldn't have");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p1, 1);
+ UTHFreePackets(&p2, 1);
+ return result;
+}
+
+static int DetectEngineHttpHeaderTest21(void)
+{
+ TcpSession ssn;
+ Packet *p1 = NULL;
+ Packet *p2 = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http1_buf[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: This_is_dummy_body1";
+ uint8_t http2_buf[] =
+ "This_is_dummy_message_body2\r\n"
+ "\r\n";
+ uint32_t http1_len = sizeof(http1_buf) - 1;
+ uint32_t http2_len = sizeof(http2_buf) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+ p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+
+ p1->flow = &f;
+ p1->flowflags |= FLOW_PKT_TOSERVER;
+ p1->flowflags |= FLOW_PKT_ESTABLISHED;
+ p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ p2->flow = &f;
+ p2->flowflags |= FLOW_PKT_TOSERVER;
+ p2->flowflags |= FLOW_PKT_ESTABLISHED;
+ p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http client body test\"; "
+ "pcre:/body1/H; "
+ "content:!\"dummy\"; within:7; http_header; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http1_buf, http1_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: \n");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
+
+ if (PacketAlertCheck(p1, 1)) {
+ printf("sid 1 matched but shouldn't have\n");
+ goto end;
+ }
+
+ FLOWLOCK_WRLOCK(&f);
+ r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http2_buf, http2_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
+
+ if (!PacketAlertCheck(p2, 1)) {
+ printf("sid 1 didn't match but shouldn't have");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p1, 1);
+ UTHFreePackets(&p2, 1);
+ return result;
+}
+
+static int DetectEngineHttpHeaderTest22(void)
+{
+ TcpSession ssn;
+ Packet *p1 = NULL;
+ Packet *p2 = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http1_buf[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: This_is_dummy_body1";
+ uint8_t http2_buf[] =
+ "This_is_dummy_message_body2\r\n"
+ "\r\n";
+ uint32_t http1_len = sizeof(http1_buf) - 1;
+ uint32_t http2_len = sizeof(http2_buf) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+ p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+
+ p1->flow = &f;
+ p1->flowflags |= FLOW_PKT_TOSERVER;
+ p1->flowflags |= FLOW_PKT_ESTABLISHED;
+ p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ p2->flow = &f;
+ p2->flowflags |= FLOW_PKT_TOSERVER;
+ p2->flowflags |= FLOW_PKT_ESTABLISHED;
+ p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http client body test\"; "
+ "pcre:/body1/H; "
+ "content:!\"dummy\"; distance:3; http_header; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http1_buf, http1_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: \n");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
+
+ if (PacketAlertCheck(p1, 1)) {
+ printf("sid 1 matched but shouldn't have\n");
+ goto end;
+ }
+
+ FLOWLOCK_WRLOCK(&f);
+ r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http2_buf, http2_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
+
+ if (PacketAlertCheck(p2, 1)) {
+ printf("sid 1 matched but shouldn't have");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p1, 1);
+ UTHFreePackets(&p2, 1);
+ return result;
+}
+
+static int DetectEngineHttpHeaderTest23(void)
+{
+ TcpSession ssn;
+ Packet *p1 = NULL;
+ Packet *p2 = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http1_buf[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: This_is_dummy_body1";
+ uint8_t http2_buf[] =
+ "This_is_dummy_message_body2\r\n"
+ "\r\n";
+ uint32_t http1_len = sizeof(http1_buf) - 1;
+ uint32_t http2_len = sizeof(http2_buf) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+ p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+
+ p1->flow = &f;
+ p1->flowflags |= FLOW_PKT_TOSERVER;
+ p1->flowflags |= FLOW_PKT_ESTABLISHED;
+ p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ p2->flow = &f;
+ p2->flowflags |= FLOW_PKT_TOSERVER;
+ p2->flowflags |= FLOW_PKT_ESTABLISHED;
+ p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http client body test\"; "
+ "pcre:/body1/H; "
+ "content:!\"dummy\"; distance:13; http_header; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http1_buf, http1_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: \n");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
+
+ if (PacketAlertCheck(p1, 1)) {
+ printf("sid 1 matched but shouldn't have\n");
+ goto end;
+ }
+
+ FLOWLOCK_WRLOCK(&f);
+ r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http2_buf, http2_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
+
+ if (!PacketAlertCheck(p2, 1)) {
+ printf("sid 1 didn't match but should have");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p1, 1);
+ UTHFreePackets(&p2, 1);
+ return result;
+}
+
+static int DetectEngineHttpHeaderTest24(void)
+{
+ TcpSession ssn;
+ Packet *p1 = NULL;
+ Packet *p2 = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http1_buf[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: This_is_dummy_body1";
+ uint8_t http2_buf[] =
+ "This_is_dummy_message_body2\r\n"
+ "\r\n";
+ uint32_t http1_len = sizeof(http1_buf) - 1;
+ uint32_t http2_len = sizeof(http2_buf) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+ p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+
+ p1->flow = &f;
+ p1->flowflags |= FLOW_PKT_TOSERVER;
+ p1->flowflags |= FLOW_PKT_ESTABLISHED;
+ p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ p2->flow = &f;
+ p2->flowflags |= FLOW_PKT_TOSERVER;
+ p2->flowflags |= FLOW_PKT_ESTABLISHED;
+ p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http client body test\"; "
+ "pcre:/body1/H; "
+ "content:\"dummy\"; within:15; http_header; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http1_buf, http1_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: \n");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
+
+ if (PacketAlertCheck(p1, 1)) {
+ printf("sid 1 matched but shouldn't have\n");
+ goto end;
+ }
+
+ FLOWLOCK_WRLOCK(&f);
+ r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http2_buf, http2_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
+
+ if (!PacketAlertCheck(p2, 1)) {
+ printf("sid 1 didn't match but should have");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p1, 1);
+ UTHFreePackets(&p2, 1);
+ return result;
+}
+
+static int DetectEngineHttpHeaderTest25(void)
+{
+ TcpSession ssn;
+ Packet *p1 = NULL;
+ Packet *p2 = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http1_buf[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: This_is_dummy_body1";
+ uint8_t http2_buf[] =
+ "This_is_dummy_message_body2\r\n"
+ "\r\n";
+ uint32_t http1_len = sizeof(http1_buf) - 1;
+ uint32_t http2_len = sizeof(http2_buf) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+ p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+
+ p1->flow = &f;
+ p1->flowflags |= FLOW_PKT_TOSERVER;
+ p1->flowflags |= FLOW_PKT_ESTABLISHED;
+ p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ p2->flow = &f;
+ p2->flowflags |= FLOW_PKT_TOSERVER;
+ p2->flowflags |= FLOW_PKT_ESTABLISHED;
+ p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http client body test\"; "
+ "pcre:/body1/H; "
+ "content:\"dummy\"; within:10; http_header; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http1_buf, http1_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: \n");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
+
+ if (PacketAlertCheck(p1, 1)) {
+ printf("sid 1 matched but shouldn't have\n");
+ goto end;
+ }
+
+ FLOWLOCK_WRLOCK(&f);
+ r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http2_buf, http2_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
+
+ if (PacketAlertCheck(p2, 1)) {
+ printf("sid 1 matched but shouldn't have");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p1, 1);
+ UTHFreePackets(&p2, 1);
+ return result;
+}
+
+static int DetectEngineHttpHeaderTest26(void)
+{
+ TcpSession ssn;
+ Packet *p1 = NULL;
+ Packet *p2 = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http1_buf[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: This_is_dummy_body1";
+ uint8_t http2_buf[] =
+ "This_is_dummy_message_body2\r\n"
+ "\r\n";
+ uint32_t http1_len = sizeof(http1_buf) - 1;
+ uint32_t http2_len = sizeof(http2_buf) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+ p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+
+ p1->flow = &f;
+ p1->flowflags |= FLOW_PKT_TOSERVER;
+ p1->flowflags |= FLOW_PKT_ESTABLISHED;
+ p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ p2->flow = &f;
+ p2->flowflags |= FLOW_PKT_TOSERVER;
+ p2->flowflags |= FLOW_PKT_ESTABLISHED;
+ p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http client body test\"; "
+ "pcre:/body1/H; "
+ "content:\"dummy\"; distance:8; http_header; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http1_buf, http1_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: \n");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
+
+ if (PacketAlertCheck(p1, 1)) {
+ printf("sid 1 matched but shouldn't have\n");
+ goto end;
+ }
+
+ FLOWLOCK_WRLOCK(&f);
+ r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http2_buf, http2_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
+
+ if (!PacketAlertCheck(p2, 1)) {
+ printf("sid 1 didn't match but should have");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p1, 1);
+ UTHFreePackets(&p2, 1);
+ return result;
+}
+
+static int DetectEngineHttpHeaderTest27(void)
+{
+ TcpSession ssn;
+ Packet *p1 = NULL;
+ Packet *p2 = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http1_buf[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: This_is_dummy_body1";
+ uint8_t http2_buf[] =
+ "This_is_dummy_message_body2\r\n"
+ "\r\n";
+ uint32_t http1_len = sizeof(http1_buf) - 1;
+ uint32_t http2_len = sizeof(http2_buf) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+ p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+
+ p1->flow = &f;
+ p1->flowflags |= FLOW_PKT_TOSERVER;
+ p1->flowflags |= FLOW_PKT_ESTABLISHED;
+ p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ p2->flow = &f;
+ p2->flowflags |= FLOW_PKT_TOSERVER;
+ p2->flowflags |= FLOW_PKT_ESTABLISHED;
+ p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http client body test\"; "
+ "pcre:/body1/H; "
+ "content:\"dummy\"; distance:14; http_header; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http1_buf, http1_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: \n");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
+
+ if (PacketAlertCheck(p1, 1)) {
+ printf("sid 1 matched but shouldn't have\n");
+ goto end;
+ }
+
+ FLOWLOCK_WRLOCK(&f);
+ r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http2_buf, http2_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
+
+ if (PacketAlertCheck(p2, 1)) {
+ printf("sid 1 matched but shouldn't have");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p1, 1);
+ UTHFreePackets(&p2, 1);
+ return result;
+}
+
+static int DetectEngineHttpHeaderTest28(void)
+{
+ TcpSession ssn;
+ Packet *p1 = NULL;
+ Packet *p2 = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http_buf1[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: www.openinfosecfoundation.org\r\n"
+ "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
+ "\r\n";
+ uint32_t http_buf1_len = sizeof(http_buf1) - 1;
+ uint8_t http_buf2[] =
+ "HTTP/1.0 200 ok\r\n"
+ "Content-Type: text/html\r\n"
+ "Content-Length: 6\r\n"
+ "\r\n"
+ "abcdef";
+ uint32_t http_buf2_len = sizeof(http_buf2) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+ p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+
+ p1->flow = &f;
+ p1->flowflags |= FLOW_PKT_TOSERVER;
+ p1->flowflags |= FLOW_PKT_ESTABLISHED;
+ p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
+ p2->flow = &f;
+ p2->flowflags |= FLOW_PKT_TOCLIENT;
+ p2->flowflags |= FLOW_PKT_ESTABLISHED;
+ p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http header test\"; "
+ "content:\"Content-Length: 6\"; http_header; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http_buf1, http_buf1_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: \n");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
+
+ if (PacketAlertCheck(p1, 1)) {
+ printf("sid 1 matched but shouldn't have\n");
+ goto end;
+ }
+
+ FLOWLOCK_WRLOCK(&f);
+ r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOCLIENT, http_buf2, http_buf2_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
+
+ FAIL_IF(!PacketAlertCheck(p2, 1));
+
+ result = 1;
+
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p1, 1);
+ UTHFreePackets(&p2, 1);
+ return result;
+}
+
+static int DetectEngineHttpHeaderTest29(void)
+{
+ TcpSession ssn;
+ Packet *p1 = NULL;
+ Packet *p2 = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http_buf1[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: www.openinfosecfoundation.org\r\n"
+ "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
+ "\r\n";
+ uint32_t http_buf1_len = sizeof(http_buf1) - 1;
+ uint8_t http_buf2[] =
+ "HTTP/1.0 200 ok\r\n"
+ "Content-Type: text/html\r\n"
+ "Content-Length: 6\r\n"
+ "\r\n"
+ "abcdef";
+ uint32_t http_buf2_len = sizeof(http_buf2) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+ p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+
+ p1->flow = &f;
+ p1->flowflags |= FLOW_PKT_TOSERVER;
+ p1->flowflags |= FLOW_PKT_ESTABLISHED;
+ p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
+ p2->flow = &f;
+ p2->flowflags |= FLOW_PKT_TOCLIENT;
+ p2->flowflags |= FLOW_PKT_ESTABLISHED;
+ p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http header test\"; "
+ "content:\"Content-Length: 7\"; http_header; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http_buf1, http_buf1_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: \n");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
+
+ if (PacketAlertCheck(p1, 1)) {
+ printf("sid 1 matched but shouldn't have\n");
+ goto end;
+ }
+
+ FLOWLOCK_WRLOCK(&f);
+ r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOCLIENT, http_buf2, http_buf2_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
+
+ if (PacketAlertCheck(p2, 1)) {
+ printf("sid 1 matched but shouldn't have");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p1, 1);
+ UTHFreePackets(&p2, 1);
+ return result;
+}
+
+#if 0
+
+static int DetectEngineHttpHeaderTest30(void)
+{
+ int result = 0;
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+
+ if (de_ctx == NULL) {
+ goto end;
+ }
+
+ de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
+ "(msg:\"http header test\"; "
+ "content:\"Content-Length: 6\"; http_header; "
+ "content:\"User-Agent: Mozilla\"; http_header; "
+ "sid:1;)");
+ if (de_ctx->sig_list != NULL) {
+ goto end;
+ }
+
+ result = 1;
+
+ end:
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+ return result;
+}
+
+#endif /* #if 0 */
+
+static int DetectEngineHttpHeaderTest30(void)
+{
+ TcpSession ssn;
+ Packet *p1 = NULL;
+ Packet *p2 = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http_buf1[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Host: www.openinfosecfoundation.org\r\n"
+ "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
+ "\r\n";
+ uint32_t http_buf1_len = sizeof(http_buf1) - 1;
+ uint8_t http_buf2[] =
+ "HTTP/1.0 200 ok\r\n"
+ "Set-Cookie: dummycookieset\r\n"
+ "Content-Type: text/html\r\n"
+ "Content-Length: 6\r\n"
+ "\r\n"
+ "abcdef";
+ uint32_t http_buf2_len = sizeof(http_buf2) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+ p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+
+ p1->flow = &f;
+ p1->flowflags |= FLOW_PKT_TOSERVER;
+ p1->flowflags |= FLOW_PKT_ESTABLISHED;
+ p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
+ p2->flow = &f;
+ p2->flowflags |= FLOW_PKT_TOCLIENT;
+ p2->flowflags |= FLOW_PKT_ESTABLISHED;
+ p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(msg:\"http header test\"; "
+ "content:\"dummycookieset\"; http_header; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http_buf1, http_buf1_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: \n");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
+
+ if (PacketAlertCheck(p1, 1)) {
+ printf("sid 1 matched but shouldn't have\n");
+ goto end;
+ }
+
+ FLOWLOCK_WRLOCK(&f);
+ r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOCLIENT, http_buf2, http_buf2_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
+
+ if (PacketAlertCheck(p2, 1)) {
+ printf("sid 1 matched but shouldn't have\n");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p1, 1);
+ UTHFreePackets(&p2, 1);
+ return result;
+}
+
+/** \test reassembly bug where headers with names of length 6 were
+ * skipped
+ */
+static int DetectEngineHttpHeaderTest31(void)
+{
+ TcpSession ssn;
+ Packet *p1 = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http1_buf[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "Accept: blah\r\n"
+ "Cookie: blah\r\n"
+ "Crazy6: blah\r\n"
+ "SixZix: blah\r\n\r\n";
+ uint32_t http1_len = sizeof(http1_buf) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+
+ p1->flow = &f;
+ p1->flowflags |= FLOW_PKT_TOSERVER;
+ p1->flowflags |= FLOW_PKT_ESTABLISHED;
+ p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(content:\"Accept|3a|\"; http_header; "
+ "content:!\"Cookie|3a|\"; http_header; "
+ "content:\"Crazy6|3a|\"; http_header; "
+ "content:\"SixZix|3a|\"; http_header; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http1_buf, http1_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: \n");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
+
+ if (!(PacketAlertCheck(p1, 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p1, 1);
+ return result;
+}
+
+/**
+ * \test Trailing headers.
+ */
+static int DetectEngineHttpHeaderTest32(void)
+{
+ TcpSession ssn;
+ Packet *p1 = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http1_buf[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "host: boom\r\n"
+ "Transfer-Encoding: chunked\r\n"
+ "\r\n"
+ "13\r\n"
+ "This is dummy body1\r\n"
+ "0\r\n"
+ "Dummy-Header: kaboom\r\n"
+ "\r\n";
+ uint32_t http1_len = sizeof(http1_buf) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+
+ p1->flow = &f;
+ p1->flowflags |= FLOW_PKT_TOSERVER;
+ p1->flowflags |= FLOW_PKT_ESTABLISHED;
+ p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(content:\"Dummy\"; http_header; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http1_buf, http1_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: \n");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
+
+ if (!(PacketAlertCheck(p1, 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p1, 1);
+ return result;
+}
+
+/**
+ * \test Trailing headers.
+ */
+static int DetectEngineHttpHeaderTest33(void)
+{
+ TcpSession ssn;
+ Packet *p1 = NULL;
+ Packet *p2 = NULL;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ Flow f;
+ uint8_t http1_buf[] =
+ "GET /index.html HTTP/1.0\r\n"
+ "host: boom\r\n"
+ "Transfer-Encoding: chunked\r\n"
+ "\r\n"
+ "13\r\n"
+ "This is dummy body1\r\n"
+ "0\r\n";
+ uint8_t http2_buf[] =
+ "Dummy-Header: kaboom\r\n"
+ "\r\n";
+ uint32_t http1_len = sizeof(http1_buf) - 1;
+ uint32_t http2_len = sizeof(http2_buf) - 1;
+ int result = 0;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+ p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+
+ p1->flow = &f;
+ p1->flowflags |= FLOW_PKT_TOSERVER;
+ p1->flowflags |= FLOW_PKT_ESTABLISHED;
+ p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ p2->flow = &f;
+ p2->flowflags |= FLOW_PKT_TOSERVER;
+ p2->flowflags |= FLOW_PKT_ESTABLISHED;
+ p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(content:\"Dummy\"; http_header; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http1_buf, http1_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: \n");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
+
+ if (PacketAlertCheck(p1, 1)) {
+ printf("sid 1 matched but shouldn't have\n");
+ goto end;
+ }
+
+ FLOWLOCK_WRLOCK(&f);
+ r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, http2_buf, http2_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
+
+ if (!PacketAlertCheck(p2, 1)) {
+ printf("sid 1 didn't match but should have\n");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p1, 1);
+ UTHFreePackets(&p2, 1);
+ return result;
+}
+
#endif /* UNITTESTS */
void DetectHttpHeaderRegisterTests(void)
UtRegisterTest("DetectHttpHeaderIsdataatParseTest",
DetectHttpHeaderIsdataatParseTest);
+ UtRegisterTest("DetectEngineHttpHeaderTest01",
+ DetectEngineHttpHeaderTest01);
+ UtRegisterTest("DetectEngineHttpHeaderTest02",
+ DetectEngineHttpHeaderTest02);
+ UtRegisterTest("DetectEngineHttpHeaderTest03",
+ DetectEngineHttpHeaderTest03);
+ UtRegisterTest("DetectEngineHttpHeaderTest04",
+ DetectEngineHttpHeaderTest04);
+ UtRegisterTest("DetectEngineHttpHeaderTest05",
+ DetectEngineHttpHeaderTest05);
+ UtRegisterTest("DetectEngineHttpHeaderTest06",
+ DetectEngineHttpHeaderTest06);
+ UtRegisterTest("DetectEngineHttpHeaderTest07",
+ DetectEngineHttpHeaderTest07);
+ UtRegisterTest("DetectEngineHttpHeaderTest08",
+ DetectEngineHttpHeaderTest08);
+ UtRegisterTest("DetectEngineHttpHeaderTest09",
+ DetectEngineHttpHeaderTest09);
+ UtRegisterTest("DetectEngineHttpHeaderTest10",
+ DetectEngineHttpHeaderTest10);
+ UtRegisterTest("DetectEngineHttpHeaderTest11",
+ DetectEngineHttpHeaderTest11);
+ UtRegisterTest("DetectEngineHttpHeaderTest12",
+ DetectEngineHttpHeaderTest12);
+ UtRegisterTest("DetectEngineHttpHeaderTest13",
+ DetectEngineHttpHeaderTest13);
+ UtRegisterTest("DetectEngineHttpHeaderTest14",
+ DetectEngineHttpHeaderTest14);
+ UtRegisterTest("DetectEngineHttpHeaderTest15",
+ DetectEngineHttpHeaderTest15);
+ UtRegisterTest("DetectEngineHttpHeaderTest16",
+ DetectEngineHttpHeaderTest16);
+ UtRegisterTest("DetectEngineHttpHeaderTest17",
+ DetectEngineHttpHeaderTest17);
+ UtRegisterTest("DetectEngineHttpHeaderTest20",
+ DetectEngineHttpHeaderTest20);
+ UtRegisterTest("DetectEngineHttpHeaderTest21",
+ DetectEngineHttpHeaderTest21);
+ UtRegisterTest("DetectEngineHttpHeaderTest22",
+ DetectEngineHttpHeaderTest22);
+ UtRegisterTest("DetectEngineHttpHeaderTest23",
+ DetectEngineHttpHeaderTest23);
+ UtRegisterTest("DetectEngineHttpHeaderTest24",
+ DetectEngineHttpHeaderTest24);
+ UtRegisterTest("DetectEngineHttpHeaderTest25",
+ DetectEngineHttpHeaderTest25);
+ UtRegisterTest("DetectEngineHttpHeaderTest26",
+ DetectEngineHttpHeaderTest26);
+ UtRegisterTest("DetectEngineHttpHeaderTest27",
+ DetectEngineHttpHeaderTest27);
+ UtRegisterTest("DetectEngineHttpHeaderTest28",
+ DetectEngineHttpHeaderTest28);
+ UtRegisterTest("DetectEngineHttpHeaderTest29",
+ DetectEngineHttpHeaderTest29);
+ UtRegisterTest("DetectEngineHttpHeaderTest30",
+ DetectEngineHttpHeaderTest30);
+ UtRegisterTest("DetectEngineHttpHeaderTest31",
+ DetectEngineHttpHeaderTest31);
+#if 0
+ UtRegisterTest("DetectEngineHttpHeaderTest30",
+ DetectEngineHttpHeaderTest30, 1);
+#endif
+ UtRegisterTest("DetectEngineHttpHeaderTest32",
+ DetectEngineHttpHeaderTest32);
+ UtRegisterTest("DetectEngineHttpHeaderTest33",
+ DetectEngineHttpHeaderTest33);
#endif /* UNITTESTS */
return;
projects / thirdparty / suricata.git / commitdiff
