-/* Copyright (C) 2007-2021 Open Information Security Foundation
+/* Copyright (C) 2007-2022 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
static int DetectPcreTestSig01(void)
{
- uint8_t *buf = (uint8_t *)
- "GET /one/ HTTP/1.1\r\n"
- "Host: one.example.org\r\n"
- "\r\n\r\n"
- "GET /two/ HTTP/1.1\r\n"
- "Host: two.example.org\r\n"
- "\r\n\r\n";
+ uint8_t *buf = (uint8_t *)"lalala lalala\\ lala\n";
uint16_t buflen = strlen((char *)buf);
- Packet *p = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
-
- StreamTcpInitConfig(true);
-
- p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
- FAIL_IF_NULL(p);
- p->tcph->th_seq = htonl(1000);
- Flow *f = UTHBuildFlow(AF_INET, "192.168.1.5", "192.168.1.1", 41424, 80);
- FAIL_IF_NULL(f);
- f->proto = IPPROTO_TCP;
- UTHAddSessionToFlow(f, 1000, 1000);
- UTHAddStreamToFlow(f, 0, buf, buflen);
-
- p->flow = f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f->alproto = ALPROTO_HTTP1;
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- FAIL_IF(de_ctx == NULL);
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; pcre:\"/^gEt/i\"; pcre:\"/\\/two\\//U\"; pcre:\"/GET \\/two\\//\"; pcre:\"/\\s+HTTP/R\"; sid:1;)");
- FAIL_IF(de_ctx->sig_list == NULL);
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- int r = AppLayerParserParse(
- NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, buf, buflen);
- FAIL_IF(r != 0);
-
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- FAIL_IF_NOT(PacketAlertCheck(p, 1) == 1);
-
- AppLayerParserThreadCtxFree(alp_tctx);
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- DetectEngineCtxFree(de_ctx);
-
- UTHRemoveSessionFromFlow(f);
- UTHFreeFlow(f);
-
- StreamTcpFreeConfig(true);
- UTHFreePackets(&p, 1);
- PASS;
-}
-
-static int DetectPcreTestSig02(void)
-{
- uint8_t *buf = (uint8_t *)
- "GET /one/ HTTP/1.1\r\n"
- "Host: one.example.org\r\n"
- "\r\n\r\n"
- "GET /two/ HTTP/1.1\r\n"
- "Host: two.example.org\r\n"
- "\r\n\r\n";
- uint16_t buflen = strlen((char *)buf);
- Packet *p = NULL;
- Flow f;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx;
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
-
- FLOW_INITIALIZE(&f);
-
- p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
- p->flow = &f;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
-
- pcre_match_limit = 100;
- pcre_match_limit_recursion = 100;
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- FAIL_IF(de_ctx == NULL);
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; pcre:\"/two/O\"; sid:2;)");
- FAIL_IF(de_ctx->sig_list == NULL);
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- FAIL_IF_NOT(PacketAlertCheck(p, 2) == 1);
-
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
-
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- DetectEngineCtxFree(de_ctx);
- FLOW_DESTROY(&f);
-
- UTHFreePackets(&p, 1);
- PASS;
-}
-
-/**
- * \test DetectPcreTestSig03Real negation test ! outside of "" this sig should not match
- */
-static int DetectPcreTestSig03(void)
-{
- uint8_t *buf = (uint8_t *)
- "GET /one/ HTTP/1.1\r\n"
- "Host: one.example.org\r\n"
- "\r\n\r\n"
- "GET /two/ HTTP/1.1\r\n"
- "Host: two.example.org\r\n"
- "\r\n\r\n";
- uint16_t buflen = strlen((char *)buf);
- Packet *p = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx;
-
- memset(&th_v, 0, sizeof(th_v));
-
- p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- FAIL_IF(de_ctx == NULL);
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"GET\"; pcre:!\"/two/\"; sid:1;)");
- FAIL_IF(de_ctx->sig_list == NULL);
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- FAIL_IF(PacketAlertCheck(p, 1));
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
-
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- DetectEngineCtxFree(de_ctx);
-
- UTHFreePackets(&p, 1);
- PASS;
-}
-
-/**
- * \test Check the signature with pcre modifier P (match with L7 to http body data)
- */
-static int DetectPcreModifPTest04(void)
-{
- uint8_t httpbuf1[] =
- "GET / HTTP/1.1\r\n"
- "Host: www.emergingthreats.net\r\n"
- "User-Agent: Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9.0.13) Gecko/2009080315 Ubuntu/8.10 (intrepid) Firefox/3.0.13\r\n"
- "Accept: text/html,application/xhtml+xml,application/xml;q=0.9;q=0.8\r\n"
- "Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3\r\n"
- "Accept-Encoding: gzip,deflate\r\n"
- "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
- "Date: Tue, 22 Sep 2009 19:24:48 GMT\r\n"
- "Server: Apache\r\n"
- "X-Powered-By: PHP/5.2.5\r\n"
- "P3P: CP=\"NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM\"\r\n"
- "Expires: Mon, 1 Jan 2001 00:00:00 GMT\r\n"
- "Last-Modified: Tue, 22 Sep 2009 19:24:48 GMT\r\n"
- "Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\n"
- "Pragma: no-cache\r\n"
- "Keep-Alive: timeout=15, max=100\r\n"
- "Connection: Keep-Alive\r\n"
- "Transfer-Encoding: chunked\r\n"
- "Content-Type: text/html; charset=utf-8\r\n"
- "\r\n"
- "15"
- "\r\n"
- "<!DOCTYPE html PUBLIC\r\n"
- "0\r\n\r\n";
-
- uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
- TcpSession ssn;
- Packet *p = NULL;
- Flow f;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP1;
-
- StreamTcpInitConfig(true);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- FAIL_IF(de_ctx == NULL);
-
- de_ctx->flags |= DE_QUIET;
-
- s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
- "\"Pcre modifier P\"; pcre:\"/DOCTYPE/P\"; "
- "sid:1;)");
- FAIL_IF(s == NULL);
-
- s->next = SigInit(de_ctx,"alert http any any -> any any (msg:\""
- "Pcre modifier P (no match)\"; pcre:\"/blah/P\"; sid:2;)");
- FAIL_IF(s->next == NULL);
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(
- NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
- FAIL_IF(r != 0);
- FLOWLOCK_UNLOCK(&f);
-
- HtpState *http_state = f.alstate;
- FAIL_IF(http_state == NULL);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- FAIL_IF(!(PacketAlertCheck(p, 1)));
- FAIL_IF(PacketAlertCheck(p, 2));
-
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL) SigGroupCleanup(de_ctx);
- if (de_ctx != NULL) SigCleanSignatures(de_ctx);
- if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(true);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p, 1);
- PASS;
-}
-
-/**
- * \test Check the signature with pcre modifier P (match with L7 to http body data)
- * over fragmented chunks (DOCTYPE fragmented)
- */
-static int DetectPcreModifPTest05(void)
-{
- uint8_t httpbuf1[] =
- "GET / HTTP/1.1\r\n"
- "Host: www.emergingthreats.net\r\n"
- "User-Agent: Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9.0.13) Gecko/2009080315 Ubuntu/8.10 (intrepid) Firefox/3.0.13\r\n"
- "Accept: text/html,application/xhtml+xml,application/xml;q=0.9;q=0.8\r\n"
- "Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3\r\n"
- "Accept-Encoding: gzip,deflate\r\n"
- "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
- "Date: Tue, 22 Sep 2009 19:24:48 GMT\r\n"
- "Server: Apache\r\n"
- "X-Powered-By: PHP/5.2.5\r\n"
- "P3P: CP=\"NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM\"\r\n"
- "Expires: Mon, 1 Jan 2001 00:00:00 GMT\r\n"
- "Last-Modified: Tue, 22 Sep 2009 19:24:48 GMT\r\n"
- "Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\n"
- "Pragma: no-cache\r\n"
- "Keep-Alive: timeout=15, max=100\r\n"
- "Connection: Keep-Alive\r\n"
- "Transfer-Encoding: chunked\r\n"
- "Content-Type: text/html; charset=utf-8\r\n"
- "\r\n"
- "15"
- "\r\n"
- "<!DOC";
-
- uint8_t httpbuf2[] = "<!DOCTYPE html PUBLIC\r\n0\r\n\r\n";
-
- uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
- uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
- TcpSession ssn;
- Packet *p1 = NULL;
- Packet *p2 = NULL;
- Flow f;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
- p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p1->flow = &f;
- p1->flowflags |= FLOW_PKT_TOSERVER;
- p1->flowflags |= FLOW_PKT_ESTABLISHED;
- p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- p2->flow = &f;
- p2->flowflags |= FLOW_PKT_TOSERVER;
- p2->flowflags |= FLOW_PKT_ESTABLISHED;
- p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP1;
-
- StreamTcpInitConfig(true);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- FAIL_IF(de_ctx == NULL);
-
- de_ctx->flags |= DE_QUIET;
-
- s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
- "\"Pcre modifier P\"; pcre:\"/DOC/P\"; "
- "sid:1;)");
- FAIL_IF(s == NULL);
-
- s->next = SigInit(de_ctx,"alert http any any -> any any (msg:\""
- "Pcre modifier P (no match)\"; pcre:\"/DOCTYPE/P\"; sid:2;)");
- FAIL_IF(s->next == NULL);
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(
- NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
- FAIL_IF(r != 0);
- FLOWLOCK_UNLOCK(&f);
-
- /* do detect for p1 */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
-
- HtpState *http_state = f.alstate;
- FAIL_IF(http_state == NULL);
-
- FAIL_IF(PacketAlertCheck(p1, 1));
-
- FAIL_IF(PacketAlertCheck(p1, 2));
-
- FLOWLOCK_WRLOCK(&f);
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
- FAIL_IF(r != 0);
- FLOWLOCK_UNLOCK(&f);
-
- /* do detect for p2 */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
-
- FAIL_IF(!(PacketAlertCheck(p2, 1)));
-
- FAIL_IF(!(PacketAlertCheck(p2, 2)));
-
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL) SigGroupCleanup(de_ctx);
- if (de_ctx != NULL) SigCleanSignatures(de_ctx);
- if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(true);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p1, 1);
- UTHFreePackets(&p2, 1);
- PASS;
-}
-
-static int DetectPcreTestSig06(void)
-{
- uint8_t *buf = (uint8_t *)
- "lalala lalala\\ lala\n";
- uint16_t buflen = strlen((char *)buf);
- Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
+ Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
int result = 0;
- char sig[] = "alert tcp any any -> any any (msg:\"pcre with an ending slash\"; pcre:\"/ lalala\\\\/\"; sid:1;)";
+ char sig[] = "alert tcp any any -> any any (msg:\"pcre with an ending slash\"; pcre:\"/ "
+ "lalala\\\\/\"; sid:1;)";
if (UTHPacketMatchSig(p, sig) == 0) {
result = 0;
goto end;
}
result = 1;
-end:
- if (p != NULL)
- UTHFreePacket(p);
- return result;
-}
-
-/** \test anchored pcre */
-static int DetectPcreTestSig07(void)
-{
- uint8_t *buf = (uint8_t *)
- "lalala\n";
- uint16_t buflen = strlen((char *)buf);
- Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
-
- char sig[] = "alert tcp any any -> any any (msg:\"pcre with an ending slash\"; pcre:\"/^(la)+$/\"; sid:1;)";
- FAIL_IF(UTHPacketMatchSig(p, sig) == 0);
-
- if (p != NULL)
- UTHFreePacket(p);
- PASS;
-}
-
-/** \test anchored pcre */
-static int DetectPcreTestSig08(void)
-{
- /* test it also without ending in a newline "\n" */
- uint8_t *buf = (uint8_t *)
- "lalala";
- uint16_t buflen = strlen((char *)buf);
- Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
-
- char sig[] = "alert tcp any any -> any any (msg:\"pcre with an ending slash\"; pcre:\"/^(la)+$/\"; sid:1;)";
- FAIL_IF(UTHPacketMatchSig(p, sig) == 0);
-
- if (p != NULL)
- UTHFreePacket(p);
- PASS;
-}
-
-/** \test Check the signature working to alert when cookie modifier is
- * passed to pcre
- */
-static int DetectPcreTestSig09(void)
-{
- Flow f;
- uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
- "Cookie: dummy\r\n\r\n";
- uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
- TcpSession ssn;
- Packet *p = NULL;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&p, 0, sizeof(p));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP1;
-
- StreamTcpInitConfig(true);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- FAIL_IF(de_ctx == NULL);
-
- de_ctx->flags |= DE_QUIET;
-
- s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
- "\"HTTP cookie\"; pcre:\"/dummy/C\"; "
- " sid:1;)");
- FAIL_IF(s == NULL);
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(
- NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
- FAIL_IF(r != 0);
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- FAIL_IF(http_state == NULL);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- FAIL_IF(!PacketAlertCheck(p, 1));
-
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (det_ctx != NULL) {
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- }
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- DetectEngineCtxFree(de_ctx);
- }
-
- StreamTcpFreeConfig(true);
- UTHFreePackets(&p, 1);
- PASS;
-}
-
-/** \test Check the signature working to alert when cookie modifier is
- * passed to a negated pcre
- */
-static int DetectPcreTestSig10(void)
-{
- Flow f;
- uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
- "Cookie: dummoOOooooO\r\n\r\n";
- uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
- TcpSession ssn;
- Packet *p = NULL;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&p, 0, sizeof(p));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP1;
-
- StreamTcpInitConfig(true);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- FAIL_IF(de_ctx == NULL);
-
- de_ctx->flags |= DE_QUIET;
-
- s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
- "\"HTTP cookie\"; pcre:!\"/dummy/C\"; "
- " sid:1;)");
- FAIL_IF(s == NULL);
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(
- NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
- FAIL_IF(r != 0);
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- FAIL_IF(http_state == NULL);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- FAIL_IF(!PacketAlertCheck(p, 1));
-
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (det_ctx != NULL) {
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- }
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- DetectEngineCtxFree(de_ctx);
- }
-
- StreamTcpFreeConfig(true);
- UTHFreePackets(&p, 1);
- PASS;
-}
-
-/** \test Check the signature working to alert when method modifier is
- * passed to pcre
- */
-static int DetectPcreTestSig11(void)
-{
- Flow f;
- uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
- "Cookie: dummy\r\n\r\n";
- uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
- TcpSession ssn;
- Packet *p = NULL;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&p, 0, sizeof(p));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP1;
-
- StreamTcpInitConfig(true);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- FAIL_IF(de_ctx == NULL);
-
- de_ctx->flags |= DE_QUIET;
-
- s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
- "\"HTTP method\"; pcre:\"/POST/M\"; "
- " sid:1;)");
- FAIL_IF(s == NULL);
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(
- NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
- FAIL_IF(r != 0);
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- FAIL_IF(http_state == NULL);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- FAIL_IF(!PacketAlertCheck(p, 1));
-
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (det_ctx != NULL) {
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- }
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- DetectEngineCtxFree(de_ctx);
- }
-
- StreamTcpFreeConfig(true);
- UTHFreePackets(&p, 1);
- PASS;
-}
-
-/** \test Check the signature working to alert when method modifier is
- * passed to a negated pcre
- */
-static int DetectPcreTestSig12(void)
-{
- Flow f;
- uint8_t httpbuf1[] = "GET / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
- "Cookie: dummoOOooooO\r\n\r\n";
- uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
- TcpSession ssn;
- Packet *p = NULL;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&p, 0, sizeof(p));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP1;
-
- StreamTcpInitConfig(true);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- FAIL_IF(de_ctx == NULL);
-
- de_ctx->flags |= DE_QUIET;
-
- s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
- "\"HTTP method\"; pcre:!\"/POST/M\"; "
- " sid:1;)");
- FAIL_IF(s == NULL);
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(
- NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
- FAIL_IF(r != 0);
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- FAIL_IF(http_state == NULL);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- FAIL_IF(!PacketAlertCheck(p, 1));
-
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (det_ctx != NULL) {
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- }
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- DetectEngineCtxFree(de_ctx);
- }
-
- StreamTcpFreeConfig(true);
- UTHFreePackets(&p, 1);
- PASS;
-}
-
-/** \test Check the signature working to alert when header modifier is
- * passed to pcre
- */
-static int DetectPcreTestSig13(void)
-{
- Flow f;
- uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
- "Cookie: dummy\r\n\r\n";
- uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
- TcpSession ssn;
- Packet *p = NULL;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&p, 0, sizeof(p));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP1;
-
- StreamTcpInitConfig(true);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- FAIL_IF(de_ctx == NULL);
-
- de_ctx->flags |= DE_QUIET;
-
- s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
- "\"HTTP header\"; pcre:\"/User[-_]Agent[:]?\\sMozilla/H\"; "
- " sid:1;)");
- FAIL_IF(s == NULL);
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(
- NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
- FAIL_IF(r != 0);
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- FAIL_IF(http_state == NULL);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- FAIL_IF(!PacketAlertCheck(p, 1));
-
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (det_ctx != NULL) {
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- }
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- DetectEngineCtxFree(de_ctx);
- }
-
- StreamTcpFreeConfig(true);
- UTHFreePackets(&p, 1);
- PASS;
-}
-
-/** \test Check the signature working to alert when header modifier is
- * passed to a negated pcre
- */
-static int DetectPcreTestSig14(void)
-{
- Flow f;
- uint8_t httpbuf1[] = "GET / HTTP/1.0\r\nUser-Agent: IEXPLORER/1.0\r\n"
- "Cookie: dummoOOooooO\r\n\r\n";
- uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
- TcpSession ssn;
- Packet *p = NULL;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&p, 0, sizeof(p));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP1;
-
- StreamTcpInitConfig(true);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- FAIL_IF(de_ctx == NULL);
-
- de_ctx->flags |= DE_QUIET;
-
- s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
- "\"HTTP header\"; pcre:!\"/User-Agent[:]?\\s+Mozilla/H\"; "
- " sid:1;)");
- FAIL_IF(s == NULL);
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(
- NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
- FAIL_IF(r != 0);
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- FAIL_IF(http_state == NULL);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- FAIL_IF(!PacketAlertCheck(p, 1));
-
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (det_ctx != NULL) {
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- }
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- DetectEngineCtxFree(de_ctx);
- }
-
- StreamTcpFreeConfig(true);
- UTHFreePackets(&p, 1);
- PASS;
-}
-
-/** \test Check the signature working to alert when cookie and relative modifiers are
- * passed to pcre
- */
-static int DetectPcreTestSig15(void)
-{
- Flow f;
- uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
- "Cookie: dummy 1234\r\n\r\n";
- uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
- TcpSession ssn;
- Packet *p = NULL;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&p, 0, sizeof(p));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP1;
-
- StreamTcpInitConfig(true);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- FAIL_IF(de_ctx == NULL);
-
- de_ctx->flags |= DE_QUIET;
-
- s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
- "\"pcre relative HTTP cookie\"; content:\"dummy\";"
- " http_cookie; pcre:\"/1234/RC\"; "
- " sid:1;)");
- FAIL_IF(s == NULL);
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(
- NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
- FAIL_IF(r != 0);
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- FAIL_IF(http_state == NULL);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- FAIL_IF(!PacketAlertCheck(p, 1));
-
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (det_ctx != NULL) {
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- }
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- DetectEngineCtxFree(de_ctx);
- }
-
- StreamTcpFreeConfig(true);
- UTHFreePackets(&p, 1);
- PASS;
+end:
+ if (p != NULL)
+ UTHFreePacket(p);
+ return result;
}
-/** \test Check the signature working to alert when method and relative modifiers are
- * passed to pcre
- */
-static int DetectPcreTestSig16(void)
+/** \test anchored pcre */
+static int DetectPcreTestSig02(void)
{
- Flow f;
- uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
- "Cookie: dummy 1234\r\n\r\n";
- uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
- TcpSession ssn;
- Packet *p = NULL;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&p, 0, sizeof(p));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP1;
-
- StreamTcpInitConfig(true);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- FAIL_IF(de_ctx == NULL);
-
- de_ctx->flags |= DE_QUIET;
-
- s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
- "\"pcre relative HTTP method\"; content:\"PO\";"
- " http_method; pcre:\"/ST/RM\"; "
- " sid:1;)");
- FAIL_IF(s == NULL);
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(
- NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
- FAIL_IF(r != 0);
- FLOWLOCK_UNLOCK(&f);
+ uint8_t *buf = (uint8_t *)"lalala\n";
+ uint16_t buflen = strlen((char *)buf);
+ Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
- http_state = f.alstate;
- FAIL_IF(http_state == NULL);
+ char sig[] = "alert tcp any any -> any any (msg:\"pcre with an ending slash\"; "
+ "pcre:\"/^(la)+$/\"; sid:1;)";
+ FAIL_IF(UTHPacketMatchSig(p, sig) == 0);
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+ if (p != NULL)
+ UTHFreePacket(p);
+ PASS;
+}
- FAIL_IF(!PacketAlertCheck(p, 1));
+/** \test anchored pcre */
+static int DetectPcreTestSig03(void)
+{
+ /* test it also without ending in a newline "\n" */
+ uint8_t *buf = (uint8_t *)"lalala";
+ uint16_t buflen = strlen((char *)buf);
+ Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (det_ctx != NULL) {
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- }
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- DetectEngineCtxFree(de_ctx);
- }
+ char sig[] = "alert tcp any any -> any any (msg:\"pcre with an ending slash\"; "
+ "pcre:\"/^(la)+$/\"; sid:1;)";
+ FAIL_IF(UTHPacketMatchSig(p, sig) == 0);
- StreamTcpFreeConfig(true);
- UTHFreePackets(&p, 1);
+ if (p != NULL)
+ UTHFreePacket(p);
PASS;
}
PASS;
}
-/**
- * \test flowvar capture on http buffer
- */
-static int DetectPcreFlowvarCapture01(void)
-{
- uint8_t uabuf1[] =
- "Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9.0.13) Gecko/2009080315 Ubuntu/8.10 (intrepid) Firefox/3.0.13";
- uint32_t ualen1 = sizeof(uabuf1) - 1; /* minus the \0 */
- uint8_t httpbuf1[] =
- "GET / HTTP/1.1\r\n"
- "Host: www.emergingthreats.net\r\n"
- "User-Agent: Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9.0.13) Gecko/2009080315 Ubuntu/8.10 (intrepid) Firefox/3.0.13\r\n"
- "Accept: text/html,application/xhtml+xml,application/xml;q=0.9;q=0.8\r\n"
- "Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3\r\n"
- "Accept-Encoding: gzip,deflate\r\n"
- "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
- "Date: Tue, 22 Sep 2009 19:24:48 GMT\r\n"
- "Server: Apache\r\n"
- "\r\n"
- "<!DOCTYPE html PUBLIC\r\n\r\n";
- uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
- TcpSession ssn;
- Packet *p1 = NULL;
- Flow f;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
- f.alproto = ALPROTO_HTTP1;
-
- p1->flow = &f;
- p1->flowflags |= FLOW_PKT_TOSERVER;
- p1->flowflags |= FLOW_PKT_ESTABLISHED;
- p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
-
- StreamTcpInitConfig(true);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- FAIL_IF(de_ctx == NULL);
- de_ctx->flags |= DE_QUIET;
-
- s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"User-Agent: \"; http_header; pcre:\"/(?P<flow_ua>.*)\\r\\n/HR\"; sid:1;)");
- FAIL_IF(s == NULL);
-
- FAIL_IF(s->sm_lists[g_http_header_buffer_id] == NULL ||
- s->sm_lists[g_http_header_buffer_id]->next == NULL ||
- s->sm_lists[g_http_header_buffer_id]->next->type != DETECT_PCRE);
- DetectPcreData *pd = (DetectPcreData *)s->sm_lists[g_http_header_buffer_id]->next->ctx;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(
- NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
- FAIL_IF(r != 0);
- FLOWLOCK_UNLOCK(&f);
-
- HtpState *http_state = f.alstate;
- FAIL_IF(http_state == NULL);
-
- /* do detect for p1 */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
-
- FAIL_IF(!(PacketAlertCheck(p1, 1)));
-
- FlowVar *fv = FlowVarGet(&f, pd->capids[0]);
- FAIL_IF(fv == NULL);
-
- FAIL_IF(fv->data.fv_str.value_len != ualen1);
-
- if (memcmp(fv->data.fv_str.value, uabuf1, ualen1) != 0) {
- PrintRawDataFp(stdout, fv->data.fv_str.value, fv->data.fv_str.value_len);
- PrintRawDataFp(stdout, uabuf1, ualen1);
-
- printf("buffer mismatch: ");
- FAIL;
- }
-
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(true);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p1, 1);
- PASS;
-}
-
-/**
- * \test flowvar capture on http buffer, capture overwrite
- */
-static int DetectPcreFlowvarCapture02(void)
-{
- uint8_t uabuf1[] =
- "Apache";
- uint32_t ualen1 = sizeof(uabuf1) - 1; /* minus the \0 */
- uint8_t httpbuf1[] =
- "GET / HTTP/1.1\r\n"
- "Host: www.emergingthreats.net\r\n"
- "User-Agent: Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9.0.13) Gecko/2009080315 Ubuntu/8.10 (intrepid) Firefox/3.0.13\r\n"
- "Accept: text/html,application/xhtml+xml,application/xml;q=0.9;q=0.8\r\n"
- "Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3\r\n"
- "Accept-Encoding: gzip,deflate\r\n"
- "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
- "Date: Tue, 22 Sep 2009 19:24:48 GMT\r\n"
- "Server: Apache\r\n"
- "\r\n"
- "<!DOCTYPE html PUBLIC\r\n\r\n";
- uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
- TcpSession ssn;
- Packet *p1 = NULL;
- Flow f;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
- f.alproto = ALPROTO_HTTP1;
-
- p1->flow = &f;
- p1->flowflags |= FLOW_PKT_TOSERVER;
- p1->flowflags |= FLOW_PKT_ESTABLISHED;
- p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
-
- StreamTcpInitConfig(true);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- FAIL_IF(de_ctx == NULL);
- de_ctx->flags |= DE_QUIET;
-
- s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"User-Agent: \"; http_header; pcre:\"/(?P<flow_ua>.*)\\r\\n/HR\"; priority:1; sid:1;)");
- FAIL_IF(s == NULL);
-
- FAIL_IF(s->sm_lists[g_http_header_buffer_id] == NULL ||
- s->sm_lists[g_http_header_buffer_id]->next == NULL ||
- s->sm_lists[g_http_header_buffer_id]->next->type != DETECT_PCRE);
- DetectPcreData *pd1 = (DetectPcreData *)s->sm_lists[g_http_header_buffer_id]->next->ctx;
-
- s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"Server: \"; http_header; pcre:\"/(?P<flow_ua>.*)\\r\\n/HR\"; priority:3; sid:2;)");
- FAIL_IF(s == NULL);
-
- FAIL_IF(s->sm_lists[g_http_header_buffer_id] == NULL ||
- s->sm_lists[g_http_header_buffer_id]->next == NULL ||
- s->sm_lists[g_http_header_buffer_id]->next->type != DETECT_PCRE);
- DetectPcreData *pd2 = (DetectPcreData *)s->sm_lists[g_http_header_buffer_id]->next->ctx;
-
- FAIL_IF(pd1->capids[0] != pd2->capids[0]);
-
- SCSigRegisterSignatureOrderingFuncs(de_ctx);
- SCSigOrderSignatures(de_ctx);
- SCSigSignatureOrderingModuleCleanup(de_ctx);
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(
- NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
- FAIL_IF(r != 0);
- FLOWLOCK_UNLOCK(&f);
-
- HtpState *http_state = f.alstate;
- FAIL_IF(http_state == NULL);
-
- /* do detect for p1 */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
-
- FAIL_IF(!(PacketAlertCheck(p1, 1)));
-
- FlowVar *fv = FlowVarGet(&f, pd1->capids[0]);
- FAIL_IF(fv == NULL);
-
- if (fv->data.fv_str.value_len != ualen1) {
- PrintRawDataFp(stdout, fv->data.fv_str.value, fv->data.fv_str.value_len);
- PrintRawDataFp(stdout, uabuf1, ualen1);
- printf("%u != %u: ", fv->data.fv_str.value_len, ualen1);
- FAIL;
- }
-
- if (memcmp(fv->data.fv_str.value, uabuf1, ualen1) != 0) {
- PrintRawDataFp(stdout, fv->data.fv_str.value, fv->data.fv_str.value_len);
- PrintRawDataFp(stdout, uabuf1, ualen1);
-
- printf("buffer mismatch: ");
- FAIL;
- }
-
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(true);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p1, 1);
- PASS;
-}
-
-/**
- * \test flowvar capture on http buffer, capture overwrite + no matching sigs, so flowvars should not be set.
- */
-static int DetectPcreFlowvarCapture03(void)
-{
- uint8_t httpbuf1[] =
- "GET / HTTP/1.1\r\n"
- "Host: www.emergingthreats.net\r\n"
- "User-Agent: Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9.0.13) Gecko/2009080315 Ubuntu/8.10 (intrepid) Firefox/3.0.13\r\n"
- "Accept: text/html,application/xhtml+xml,application/xml;q=0.9;q=0.8\r\n"
- "Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3\r\n"
- "Accept-Encoding: gzip,deflate\r\n"
- "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
- "Date: Tue, 22 Sep 2009 19:24:48 GMT\r\n"
- "Server: Apache\r\n"
- "\r\n"
- "<!DOCTYPE html PUBLIC\r\n\r\n";
- uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
- TcpSession ssn;
- Packet *p1 = NULL;
- Flow f;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
- f.alproto = ALPROTO_HTTP1;
-
- p1->flow = &f;
- p1->flowflags |= FLOW_PKT_TOSERVER;
- p1->flowflags |= FLOW_PKT_ESTABLISHED;
- p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
-
- StreamTcpInitConfig(true);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- FAIL_IF(de_ctx == NULL);
- de_ctx->flags |= DE_QUIET;
-
- s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"User-Agent: \"; http_header; pcre:\"/(?P<flow_ua>.*)\\r\\n/HR\"; content:\"xyz\"; http_header; priority:1; sid:1;)");
- FAIL_IF(s == NULL);
-
- FAIL_IF(s->sm_lists[g_http_header_buffer_id] == NULL ||
- s->sm_lists[g_http_header_buffer_id]->next == NULL ||
- s->sm_lists[g_http_header_buffer_id]->next->type != DETECT_PCRE);
- DetectPcreData *pd1 = (DetectPcreData *)s->sm_lists[g_http_header_buffer_id]->next->ctx;
-
- s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"Server: \"; http_header; pcre:\"/(?P<flow_ua>.*)\\r\\n/HR\"; content:\"xyz\"; http_header; priority:3; sid:2;)");
- FAIL_IF(s == NULL);
-
- FAIL_IF(s->sm_lists[g_http_header_buffer_id] == NULL ||
- s->sm_lists[g_http_header_buffer_id]->next == NULL ||
- s->sm_lists[g_http_header_buffer_id]->next->type != DETECT_PCRE);
- DetectPcreData *pd2 = (DetectPcreData *)s->sm_lists[g_http_header_buffer_id]->next->ctx;
-
- FAIL_IF(pd1->capids[0] != pd2->capids[0]);
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(
- NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
- FAIL_IF(r != 0);
- FLOWLOCK_UNLOCK(&f);
-
- HtpState *http_state = f.alstate;
- FAIL_IF(http_state == NULL);
-
- /* do detect for p1 */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
-
- FAIL_IF(PacketAlertCheck(p1, 1));
-
- FlowVar *fv = FlowVarGet(&f, pd1->capids[0]);
- FAIL_IF(fv != NULL);
-
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(true);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p1, 1);
- PASS;
-}
-
/**
* \brief Test parsing of pcre's with the W modifier set.
*/
UtRegisterTest("DetectPcreParseTest27", DetectPcreParseTest27);
UtRegisterTest("DetectPcreParseTest28", DetectPcreParseTest28);
- UtRegisterTest("DetectPcreTestSig01 -- pcre test", DetectPcreTestSig01);
- UtRegisterTest("DetectPcreTestSig02 -- pcre test", DetectPcreTestSig02);
- UtRegisterTest("DetectPcreTestSig03 -- negated pcre test",
- DetectPcreTestSig03);
-
- UtRegisterTest("DetectPcreModifPTest04 -- Modifier P",
- DetectPcreModifPTest04);
- UtRegisterTest("DetectPcreModifPTest05 -- Modifier P fragmented",
- DetectPcreModifPTest05);
- UtRegisterTest("DetectPcreTestSig06", DetectPcreTestSig06);
- UtRegisterTest("DetectPcreTestSig07 -- anchored pcre",
- DetectPcreTestSig07);
- UtRegisterTest("DetectPcreTestSig08 -- anchored pcre",
- DetectPcreTestSig08);
- UtRegisterTest("DetectPcreTestSig09 -- Cookie modifier",
- DetectPcreTestSig09);
- UtRegisterTest("DetectPcreTestSig10 -- negated Cookie modifier",
- DetectPcreTestSig10);
- UtRegisterTest("DetectPcreTestSig11 -- Method modifier",
- DetectPcreTestSig11);
- UtRegisterTest("DetectPcreTestSig12 -- negated Method modifier",
- DetectPcreTestSig12);
- UtRegisterTest("DetectPcreTestSig13 -- Header modifier",
- DetectPcreTestSig13);
- UtRegisterTest("DetectPcreTestSig14 -- negated Header modifier",
- DetectPcreTestSig14);
- UtRegisterTest("DetectPcreTestSig15 -- relative Cookie modifier",
- DetectPcreTestSig15);
- UtRegisterTest("DetectPcreTestSig16 -- relative Method modifier",
- DetectPcreTestSig16);
+ UtRegisterTest("DetectPcreTestSig01", DetectPcreTestSig01);
+ UtRegisterTest("DetectPcreTestSig02 -- anchored pcre", DetectPcreTestSig02);
+ UtRegisterTest("DetectPcreTestSig03 -- anchored pcre", DetectPcreTestSig03);
UtRegisterTest("DetectPcreTxBodyChunksTest01",
DetectPcreTxBodyChunksTest01);
UtRegisterTest("DetectPcreTxBodyChunksTest03 -- modifier P, body chunks per tx",
DetectPcreTxBodyChunksTest03);
- UtRegisterTest("DetectPcreFlowvarCapture01 -- capture for http_header",
- DetectPcreFlowvarCapture01);
- UtRegisterTest("DetectPcreFlowvarCapture02 -- capture for http_header",
- DetectPcreFlowvarCapture02);
- UtRegisterTest("DetectPcreFlowvarCapture03 -- capture for http_header",
- DetectPcreFlowvarCapture03);
-
UtRegisterTest("DetectPcreParseHttpHost", DetectPcreParseHttpHost);
UtRegisterTest("DetectPcreParseCaptureTest", DetectPcreParseCaptureTest);
projects / thirdparty / suricata.git / commitdiff
