return result;
}
-/**
- * \test Test that a signature containting a http_header is correctly parsed
- * and the keyword is registered.
- */
-static int DetectHttpRawHeaderTest01(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
- SigMatch *sm = NULL;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing http_header\"; flow:to_server; "
- "content:\"one\"; http_raw_header; sid:1;)");
- if (de_ctx->sig_list != NULL) {
- result = 1;
- } else {
- printf("Error parsing signature: ");
- goto end;
- }
-
- sm = de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id];
- if (sm != NULL) {
- result &= (sm->type == DETECT_CONTENT);
- result &= (sm->next == NULL);
- } else {
- result = 0;
- printf("Error updating content pattern to http_header pattern: ");
- }
-
-
- end:
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Test that a signature containing an valid http_header entry is
- * parsed.
- */
-static int DetectHttpRawHeaderTest02(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing http_header\"; flow:to_server; "
- "content:\"one\"; http_raw_header:; sid:1;)");
- if (de_ctx->sig_list != NULL)
- result = 1;
- else
- printf("Error parsing signature: ");
-
- end:
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Test that an invalid signature containing no content but a http_header
- * is invalidated.
- */
-static int DetectHttpRawHeaderTest03(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing http_header\"; flow:to_server; "
- "http_raw_header; sid:1;)");
- if (de_ctx->sig_list == NULL)
- result = 1;
- else
- printf("Error parsing signature: ");
-
- end:
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Test that an invalid signature containing a rawbytes along with a
- * http_header is invalidated.
- */
-static int DetectHttpRawHeaderTest04(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing http_header\"; flow:to_server; "
- "content:\"one\"; rawbytes; http_raw_header; sid:1;)");
- if (de_ctx->sig_list == NULL)
- result = 1;
- else
- printf("Error parsing signature: ");
-
- end:
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Test that an invalid signature containing a rawbytes along with a
- * http_header is invalidated.
- */
-static int DetectHttpRawHeaderTest05(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing http_header\"; flow:to_server; "
- "content:\"one\"; nocase; http_raw_header; sid:1;)");
- if (de_ctx->sig_list != NULL)
- result = 1;
- else
- printf("Error parsing signature: ");
-
- end:
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
/**
*\test Test that the http_header content matches against a http request
* which holds the content.
return result;
}
-static int DetectHttpRawHeaderTest20(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- if ( (de_ctx = DetectEngineCtxInit()) == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
- "(flow:to_server; content:\"one\"; http_raw_header; "
- "content:\"two\"; distance:0; http_raw_header; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- printf("de_ctx->sig_list == NULL\n");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL) {
- printf("de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL\n");
- goto end;
- }
-
- DetectContentData *hrhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
- DetectContentData *hrhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx;
- if (hrhd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
- memcmp(hrhd1->content, "one", hrhd1->content_len) != 0 ||
- hrhd2->flags != DETECT_CONTENT_DISTANCE ||
- memcmp(hrhd2->content, "two", hrhd1->content_len) != 0) {
- goto end;
- }
-
- result = 1;
-
- end:
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- return result;
-}
-
-static int DetectHttpRawHeaderTest21(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- if ( (de_ctx = DetectEngineCtxInit()) == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
- "(flow:to_server; content:\"one\"; http_raw_header; "
- "content:\"two\"; within:5; http_raw_header; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- printf("de_ctx->sig_list == NULL\n");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL) {
- printf("de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL\n");
- goto end;
- }
-
- DetectContentData *hrhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
- DetectContentData *hrhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx;
- if (hrhd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
- memcmp(hrhd1->content, "one", hrhd1->content_len) != 0 ||
- hrhd2->flags != DETECT_CONTENT_WITHIN ||
- memcmp(hrhd2->content, "two", hrhd1->content_len) != 0) {
- goto end;
- }
-
- result = 1;
-
- end:
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- return result;
-}
-
-static int DetectHttpRawHeaderTest22(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- if ( (de_ctx = DetectEngineCtxInit()) == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
- "(flow:to_server; content:\"one\"; within:5; http_raw_header; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- printf("de_ctx->sig_list == NULL\n");
- goto end;
- }
-
- result = 1;
-
- end:
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- return result;
-}
-
-static int DetectHttpRawHeaderTest23(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- if ( (de_ctx = DetectEngineCtxInit()) == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
- "(flow:to_server; content:\"one\"; http_raw_header; within:5; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- printf("de_ctx->sig_list == NULL\n");
- goto end;
- }
-
- result = 1;
-
- end:
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- return result;
-}
-
-static int DetectHttpRawHeaderTest24(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- if ( (de_ctx = DetectEngineCtxInit()) == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
- "(flow:to_server; content:\"one\"; within:5; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- printf("de_ctx->sig_list == NULL\n");
- goto end;
- }
-
- result = 1;
-
- end:
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- return result;
-}
-
-static int DetectHttpRawHeaderTest25(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- if ( (de_ctx = DetectEngineCtxInit()) == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
- "(flow:to_server; pcre:/one/D; "
- "content:\"two\"; within:5; http_raw_header; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- printf("de_ctx->sig_list == NULL\n");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL) {
- printf("de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL\n");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id] == NULL ||
- de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->type != DETECT_CONTENT ||
- de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev == NULL ||
- de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->type != DETECT_PCRE) {
-
- goto end;
- }
-
- DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
- DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx;
- if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
- hhd2->flags != DETECT_CONTENT_WITHIN ||
- memcmp(hhd2->content, "two", hhd2->content_len) != 0) {
- goto end;
- }
-
- result = 1;
-
- end:
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- return result;
-}
-
-static int DetectHttpRawHeaderTest26(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- if ( (de_ctx = DetectEngineCtxInit()) == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
- "(flow:to_server; content:\"two\"; http_raw_header; "
- "pcre:/one/DR; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- printf("de_ctx->sig_list == NULL\n");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL) {
- printf("de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL\n");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id] == NULL ||
- de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->type != DETECT_PCRE ||
- de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev == NULL ||
- de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->type != DETECT_CONTENT) {
-
- goto end;
- }
-
- DetectContentData *hhd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
- DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx;
- if (pd2->flags != (DETECT_PCRE_RELATIVE) ||
- hhd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
- memcmp(hhd1->content, "two", hhd1->content_len) != 0) {
- goto end;
- }
-
- result = 1;
-
- end:
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- return result;
-}
-
-static int DetectHttpRawHeaderTest27(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- if ( (de_ctx = DetectEngineCtxInit()) == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
- "(flow:to_server; pcre:/one/D; "
- "content:\"two\"; distance:5; http_raw_header; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- printf("de_ctx->sig_list == NULL\n");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL) {
- printf("de_ctx->sig_list->sm_lists[g_http_raw_header_buffer_id] == NULL\n");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id] == NULL ||
- de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->type != DETECT_CONTENT ||
- de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev == NULL ||
- de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->type != DETECT_PCRE) {
-
- goto end;
- }
-
- DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->prev->ctx;
- DetectContentData *hhd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_raw_header_buffer_id]->ctx;
- if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
- hhd2->flags != DETECT_CONTENT_DISTANCE ||
- memcmp(hhd2->content, "two", hhd2->content_len) != 0) {
- goto end;
- }
-
- result = 1;
-
- end:
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- return result;
-}
-
-static int DetectHttpRawHeaderIsdataatParseTest(void)
-{
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- FAIL_IF_NULL(de_ctx);
- de_ctx->flags |= DE_QUIET;
-
- Signature *s = DetectEngineAppendSig(de_ctx,
- "alert tcp any any -> any any ("
- "flow:to_server; "
- "content:\"one\"; http_raw_header; "
- "isdataat:!4,relative; sid:1;)");
- FAIL_IF_NULL(s);
-
- SigMatch *sm = s->init_data->smlists_tail[g_http_raw_header_buffer_id];
- FAIL_IF_NULL(sm);
- FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
-
- DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
- FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
- FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
- FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
-
- DetectEngineCtxFree(de_ctx);
- PASS;
-}
-
void DetectHttpRawHeaderRegisterTests(void)
{
UtRegisterTest("DetectHttpRawHeaderParserTest01",
UtRegisterTest("DetectEngineHttpRawHeaderTest32",
DetectEngineHttpRawHeaderTest32);
- UtRegisterTest("DetectHttpRawHeaderTest01", DetectHttpRawHeaderTest01);
- UtRegisterTest("DetectHttpRawHeaderTest02", DetectHttpRawHeaderTest02);
- UtRegisterTest("DetectHttpRawHeaderTest03", DetectHttpRawHeaderTest03);
- UtRegisterTest("DetectHttpRawHeaderTest04", DetectHttpRawHeaderTest04);
- UtRegisterTest("DetectHttpRawHeaderTest05", DetectHttpRawHeaderTest05);
UtRegisterTest("DetectHttpRawHeaderTest06", DetectHttpRawHeaderTest06);
UtRegisterTest("DetectHttpRawHeaderTest07", DetectHttpRawHeaderTest07);
UtRegisterTest("DetectHttpRawHeaderTest08", DetectHttpRawHeaderTest08);
UtRegisterTest("DetectHttpRawHeaderTest11", DetectHttpRawHeaderTest11);
UtRegisterTest("DetectHttpRawHeaderTest12", DetectHttpRawHeaderTest12);
UtRegisterTest("DetectHttpRawHeaderTest13", DetectHttpRawHeaderTest13);
- UtRegisterTest("DetectHttpRawHeaderTest20", DetectHttpRawHeaderTest20);
- UtRegisterTest("DetectHttpRawHeaderTest21", DetectHttpRawHeaderTest21);
- UtRegisterTest("DetectHttpRawHeaderTest22", DetectHttpRawHeaderTest22);
- UtRegisterTest("DetectHttpRawHeaderTest23", DetectHttpRawHeaderTest23);
- UtRegisterTest("DetectHttpRawHeaderTest24", DetectHttpRawHeaderTest24);
- UtRegisterTest("DetectHttpRawHeaderTest25", DetectHttpRawHeaderTest25);
- UtRegisterTest("DetectHttpRawHeaderTest26", DetectHttpRawHeaderTest26);
- UtRegisterTest("DetectHttpRawHeaderTest27", DetectHttpRawHeaderTest27);
-
- UtRegisterTest("DetectHttpRawHeaderIsdataatParseTest",
- DetectHttpRawHeaderIsdataatParseTest);
-
-
- return;
}
#endif /* UNITTESTS */
projects / thirdparty / suricata.git / commitdiff
