detect-engine-file.c detect-engine-file.h \
detect-engine-filedata.c detect-engine-filedata.h \
detect-engine-hcbd.c detect-engine-hcbd.h \
-detect-engine-hcd.c detect-engine-hcd.h \
detect-engine-hrhd.c detect-engine-hrhd.h \
detect-engine-hsbd.c detect-engine-hsbd.h \
detect-engine-iponly.c detect-engine-iponly.h \
#include "detect-engine-hcbd.h"
#include "detect-engine-hrhd.h"
-#include "detect-engine-hcd.h"
#include "detect-engine-dcepayload.h"
#include "detect-engine-file.h"
+++ /dev/null
-/* Copyright (C) 2007-2010 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/** \file
- *
- * \author Anoop Saldanha <anoopsaldanha@gmail.com>
- */
-
-#ifndef __DETECT_ENGINE_HCD_H__
-#define __DETECT_ENGINE_HCD_H__
-
-void DetectEngineHttpCookieRegisterTests(void);
-
-#endif /* __DETECT_ENGINE_HCD_H__ */
#include "detect-engine-payload.h"
#include "detect-engine-hrhd.h"
-#include "detect-engine-hcd.h"
#include "detect-engine-hcbd.h"
#include "detect-engine-hsbd.h"
#include "detect-engine-dns.h"
#include "detect-engine-hcbd.h"
#include "detect-engine-hsbd.h"
#include "detect-engine-hrhd.h"
-#include "detect-engine-hcd.h"
#include "detect-byte-extract.h"
#include "detect-file-data.h"
#include "detect-pkt-data.h"
#include "app-layer-htp.h"
#include "detect-http-cookie.h"
-#include "detect-engine-hcd.h"
#include "stream-tcp.h"
static int DetectHttpCookieSetup (DetectEngineCtx *, Signature *, const char *);
+#ifdef UNITTESTS
static void DetectHttpCookieRegisterTests(void);
+#endif
static int g_http_cookie_buffer_id = 0;
static InspectionBuffer *GetRequestData(DetectEngineThreadCtx *det_ctx,
sigmatch_table[DETECT_AL_HTTP_COOKIE].desc = "content modifier to match only on the HTTP cookie-buffer";
sigmatch_table[DETECT_AL_HTTP_COOKIE].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-cookie";
sigmatch_table[DETECT_AL_HTTP_COOKIE].Setup = DetectHttpCookieSetup;
+#ifdef UNITTESTS
sigmatch_table[DETECT_AL_HTTP_COOKIE].RegisterTests = DetectHttpCookieRegisterTests;
+#endif
sigmatch_table[DETECT_AL_HTTP_COOKIE].flags |= SIGMATCH_NOOPT;
DetectAppLayerInspectEngineRegister2("http_cookie", ALPROTO_HTTP,
/******************************** UNITESTS **********************************/
#ifdef UNITTESTS
-
-#include "detect-isdataat.h"
-#include "stream-tcp-reassemble.h"
-
-static int g_http_uri_buffer_id = 0;
-
-/**
- * \test Checks if a http_cookie is registered in a Signature, if content is not
- * specified in the signature
- */
-static int DetectHttpCookieTest01(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- if ( (de_ctx = DetectEngineCtxInit()) == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing http_cookie\"; http_cookie;sid:1;)");
- if (de_ctx->sig_list == NULL)
- result = 1;
-
-end:
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
- return result;
-}
-
-/**
- * \test Checks if a http_cookie is registered in a Signature, if some parameter
- * is specified with http_cookie in the signature
- */
-static int DetectHttpCookieTest02(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- if ( (de_ctx = DetectEngineCtxInit()) == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing http_cookie\"; content:\"me\"; "
- "http_cookie:woo; sid:1;)");
- if (de_ctx->sig_list == NULL)
- result = 1;
-
-end:
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
- return result;
-}
-
-/**
- * \test Checks if a http_cookie is registered in a Signature
- */
-static int DetectHttpCookieTest03(void)
-{
- SigMatch *sm = NULL;
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- if ( (de_ctx = DetectEngineCtxInit()) == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing http_cookie\"; content:\"one\"; "
- "http_cookie; content:\"two\"; http_cookie; "
- "content:\"two\"; http_cookie; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL) {
- printf("sig parse failed: ");
- goto end;
- }
-
- result = 0;
- sm = de_ctx->sig_list->sm_lists[g_http_cookie_buffer_id];
- if (sm == NULL) {
- printf("no sigmatch(es): ");
- goto end;
- }
-
- while (sm != NULL) {
- if (sm->type == DETECT_CONTENT) {
- result = 1;
- } else {
- printf("expected DETECT_CONTENT for http_cookie, got %d: ", sm->type);
- goto end;
- }
- sm = sm->next;
- }
-
-end:
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
- return result;
-}
-
-/**
- * \test Checks if a http_cookie is registered in a Signature, when fast_pattern
- * is also specified in the signature (now it should)
- */
-static int DetectHttpCookieTest04(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- if ( (de_ctx = DetectEngineCtxInit()) == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing http_cookie\"; content:\"one\"; "
- "fast_pattern; http_cookie; sid:1;)");
- if (de_ctx->sig_list != NULL)
- result = 1;
-
-end:
- if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
- return result;
-}
-
-/**
- * \test Checks if a http_cookie is registered in a Signature, when rawbytes is
- * also specified in the signature
- */
-static int DetectHttpCookieTest05(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- if ( (de_ctx = DetectEngineCtxInit()) == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing http_cookie\"; content:\"one\"; "
- "rawbytes; http_cookie; sid:1;)");
- if (de_ctx->sig_list == NULL)
- result = 1;
-
- end:
- if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
- return result;
-}
-
-/**
- * \test Checks if a http_cookie is registered in a Signature, when rawbytes is
- * also specified in the signature
- */
-static int DetectHttpCookieTest06(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- if ( (de_ctx = DetectEngineCtxInit()) == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing http_cookie\"; content:\"one\"; "
- "http_cookie; uricontent:\"abc\"; sid:1;)");
- if (de_ctx->sig_list == NULL)
- goto end;
-
- Signature *s = de_ctx->sig_list;
-
- BUG_ON(s->sm_lists[g_http_cookie_buffer_id] == NULL);
-
- if (s->sm_lists[g_http_cookie_buffer_id]->type != DETECT_CONTENT)
- goto end;
-
- if (s->sm_lists[g_http_uri_buffer_id] == NULL) {
- printf("expected another SigMatch, got NULL: ");
- goto end;
- }
-
- if (s->sm_lists[g_http_uri_buffer_id]->type != DETECT_CONTENT) {
- goto end;
- }
-
- result = 1;
-end:
- if (de_ctx != NULL) {
- DetectEngineCtxFree(de_ctx);
- }
- return result;
-}
-
-/** \test Check the signature working to alert when http_cookie is matched . */
-static int DetectHttpCookieSigTest01(void)
-{
- int result = 0;
- Flow f;
- uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie:"
- " hellocatchme\r\n\r\n";
- uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
- TcpSession ssn;
- Packet *p = NULL;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL) {
- goto end;
- }
-
- de_ctx->flags |= DE_QUIET;
-
- s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
- "\"HTTP cookie\"; content:\"me\"; "
- "http_cookie; sid:1;)");
- if (s == NULL) {
- goto end;
- }
-
- s->next = SigInit(de_ctx,"alert http any any -> any any (msg:\"HTTP "
- "cookie\"; content:\"go\"; http_cookie; sid:2;)");
- if (s->next == NULL) {
- goto end;
- }
-
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, httpbuf1, httplen1);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if (!(PacketAlertCheck(p, 1))) {
- printf("sid 1 didn't match but should have: ");
- goto end;
- }
- if (PacketAlertCheck(p, 2)) {
- printf("sid 2 matched but shouldn't: ");
- goto end;
- }
-
- result = 1;
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (det_ctx != NULL) {
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- }
- if (de_ctx != NULL) {
- DetectEngineCtxFree(de_ctx);
- }
-
- StreamTcpFreeConfig(TRUE);
-
- UTHFreePackets(&p, 1);
- return result;
-}
-
-/** \test Check the signature working to alert when http_cookie is not present */
-static int DetectHttpCookieSigTest02(void)
-{
- int result = 0;
- Flow f;
- uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
- uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
- TcpSession ssn;
- Packet *p = NULL;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&p, 0, sizeof(p));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL) {
- goto end;
- }
-
- de_ctx->flags |= DE_QUIET;
-
- s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
- "\"HTTP cookie\"; content:\"me\"; "
- "http_cookie; sid:1;)");
- if (s == NULL) {
- goto end;
- }
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, httpbuf1, httplen1);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if ((PacketAlertCheck(p, 1))) {
- goto end;
- }
-
- result = 1;
-
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (det_ctx != NULL) {
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- }
- if (de_ctx != NULL) {
- DetectEngineCtxFree(de_ctx);
- }
- StreamTcpFreeConfig(TRUE);
- UTHFreePackets(&p, 1);
- return result;
-}
-
-/** \test Check the signature working to alert when http_cookie is not present */
-static int DetectHttpCookieSigTest03(void)
-{
- int result = 0;
- Flow f;
- uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
- "Cookie: dummy\r\n\r\n";
- uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
- TcpSession ssn;
- Packet *p = NULL;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL) {
- goto end;
- }
-
- de_ctx->flags |= DE_QUIET;
-
- s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
- "\"HTTP cookie\"; content:\"boo\"; "
- "http_cookie; sid:1;)");
- if (s == NULL) {
- goto end;
- }
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, httpbuf1, httplen1);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if ((PacketAlertCheck(p, 1))) {
- goto end;
- }
-
- result = 1;
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (det_ctx != NULL) {
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- }
- if (de_ctx != NULL) {
- DetectEngineCtxFree(de_ctx);
- }
-
- StreamTcpFreeConfig(TRUE);
- UTHFreePackets(&p, 1);
- return result;
-}
-
-/** \test Check the signature working to alert when http_cookie is not present */
-static int DetectHttpCookieSigTest04(void)
-{
- int result = 0;
- Flow f;
- uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
- "Cookie: dummy\r\n\r\n";
- uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
- TcpSession ssn;
- Packet *p = NULL;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&p, 0, sizeof(p));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL) {
- goto end;
- }
-
- de_ctx->flags |= DE_QUIET;
-
- s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
- "\"HTTP cookie\"; content:!\"boo\"; "
- "http_cookie; sid:1;)");
- if (s == NULL) {
- goto end;
- }
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, httpbuf1, httplen1);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if (!PacketAlertCheck(p, 1)) {
- goto end;
- }
-
- result = 1;
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (det_ctx != NULL) {
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- }
- if (de_ctx != NULL) {
- DetectEngineCtxFree(de_ctx);
- }
-
- StreamTcpFreeConfig(TRUE);
- UTHFreePackets(&p, 1);
- return result;
-}
-
-/** \test Check the signature working to alert when http_cookie is not present */
-static int DetectHttpCookieSigTest05(void)
-{
- int result = 0;
- Flow f;
- uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
- "Cookie: DuMmY\r\n\r\n";
- uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
- TcpSession ssn;
- Packet *p = NULL;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&p, 0, sizeof(p));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL) {
- goto end;
- }
-
- de_ctx->flags |= DE_QUIET;
-
- s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
- "\"HTTP cookie\"; content:\"dummy\"; nocase; "
- "http_cookie; sid:1;)");
- if (s == NULL) {
- goto end;
- }
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, httpbuf1, httplen1);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if (!PacketAlertCheck(p, 1)) {
- goto end;
- }
-
- result = 1;
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (det_ctx != NULL) {
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- }
- if (de_ctx != NULL) {
- DetectEngineCtxFree(de_ctx);
- }
-
- StreamTcpFreeConfig(TRUE);
- UTHFreePackets(&p, 1);
- return result;
-}
-
-/** \test Check the signature working to alert when http_cookie is not present */
-static int DetectHttpCookieSigTest06(void)
-{
- int result = 0;
- Flow f;
- uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
- "Cookie: DuMmY\r\n\r\n";
- uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
- TcpSession ssn;
- Packet *p = NULL;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&p, 0, sizeof(p));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL) {
- goto end;
- }
-
- de_ctx->flags |= DE_QUIET;
-
- s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
- "\"HTTP cookie\"; content:\"dummy\"; "
- "http_cookie; nocase; sid:1;)");
- if (s == NULL) {
- printf("sig parse failed: ");
- goto end;
- }
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, httpbuf1, httplen1);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if (!PacketAlertCheck(p, 1)) {
- printf("sig 1 failed to match: ");
- goto end;
- }
-
- result = 1;
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (det_ctx != NULL) {
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- }
- if (de_ctx != NULL) {
- DetectEngineCtxFree(de_ctx);
- }
-
- StreamTcpFreeConfig(TRUE);
- UTHFreePackets(&p, 1);
- return result;
-}
-
-/** \test Check the signature working to alert when http_cookie is not present */
-static int DetectHttpCookieSigTest07(void)
-{
- int result = 0;
- Flow f;
- uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
- "Cookie: dummy\r\n\r\n";
- uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
- TcpSession ssn;
- Packet *p = NULL;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
-
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_HTTP;
-
- StreamTcpInitConfig(TRUE);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL) {
- goto end;
- }
-
- de_ctx->flags |= DE_QUIET;
-
- s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
- "\"HTTP cookie\"; content:!\"dummy\"; "
- "http_cookie; sid:1;)");
- if (s == NULL) {
- goto end;
- }
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, httpbuf1, httplen1);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- result = 0;
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if (PacketAlertCheck(p, 1)) {
- goto end;
- }
-
- result = 1;
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (det_ctx != NULL) {
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- }
- if (de_ctx != NULL) {
- DetectEngineCtxFree(de_ctx);
- }
-
- StreamTcpFreeConfig(TRUE);
- UTHFreePackets(&p, 1);
- return result;
-}
-
-/**
- * \test Check the signature working to alert against set-cookie
- */
-static int DetectHttpCookieSigTest08(void)
-{
- int result = 0;
- Flow f;
-
- uint8_t httpbuf_request[] =
- "GET / HTTP/1.1\r\n"
- "User-Agent: Mozilla/1.0\r\n"
- "\r\n";
- uint32_t httpbuf_request_len = sizeof(httpbuf_request) - 1; /* minus the \0 */
-
- uint8_t httpbuf_response[] =
- "HTTP/1.1 200 OK\r\n"
- "Set-Cookie: response_user_agent\r\n"
- "\r\n";
- uint32_t httpbuf_response_len = sizeof(httpbuf_response) - 1; /* minus the \0 */
-
- TcpSession ssn;
- Packet *p1 = NULL, *p2 = NULL;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
- f.alproto = ALPROTO_HTTP;
-
- p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
- p1->flow = &f;
- p1->flowflags |= FLOW_PKT_TOSERVER;
- p1->flowflags |= FLOW_PKT_ESTABLISHED;
- p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
-
- p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
- p2->flow = &f;
- p2->flowflags |= FLOW_PKT_TOCLIENT;
- p2->flowflags |= FLOW_PKT_ESTABLISHED;
- p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
-
- StreamTcpInitConfig(TRUE);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL) {
- goto end;
- }
-
- de_ctx->flags |= DE_QUIET;
-
- s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(flow:to_client; content:\"response_user_agent\"; "
- "http_cookie; sid:1;)");
- if (s == NULL) {
- goto end;
- }
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- /* request */
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, httpbuf_request,
- httpbuf_request_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
- if (PacketAlertCheck(p1, 1)) {
- goto end;
- }
-
- /* response */
- FLOWLOCK_WRLOCK(&f);
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOCLIENT, httpbuf_response,
- httpbuf_response_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
- if (!PacketAlertCheck(p2, 1)) {
- goto end;
- }
-
- result = 1;
-
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (det_ctx != NULL) {
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- }
- if (de_ctx != NULL) {
- DetectEngineCtxFree(de_ctx);
- }
-
- StreamTcpFreeConfig(TRUE);
- UTHFreePackets(&p1, 1);
- UTHFreePackets(&p2, 1);
- return result;
-}
-
-/**
- * \test Check the signature working to alert against cookie/set-cookie
- */
-static int DetectHttpCookieSigTest09(void)
-{
- int result = 0;
- Flow f;
-
- uint8_t httpbuf_request[] =
- "GET / HTTP/1.1\r\n"
- "Cookie: request_user_agent\r\n"
- "User-Agent: Mozilla/1.0\r\n"
- "\r\n";
- uint32_t httpbuf_request_len = sizeof(httpbuf_request) - 1; /* minus the \0 */
-
- uint8_t httpbuf_response[] =
- "HTTP/1.1 200 OK\r\n"
- "Set-Cookie: response_user_agent\r\n"
- "\r\n";
- uint32_t httpbuf_response_len = sizeof(httpbuf_response) - 1; /* minus the \0 */
-
- TcpSession ssn;
- Packet *p1 = NULL, *p2 = NULL;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- HtpState *http_state = NULL;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
- f.alproto = ALPROTO_HTTP;
-
- p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
- p1->flow = &f;
- p1->flowflags |= FLOW_PKT_TOSERVER;
- p1->flowflags |= FLOW_PKT_ESTABLISHED;
- p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
-
- p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
- p2->flow = &f;
- p2->flowflags |= FLOW_PKT_TOCLIENT;
- p2->flowflags |= FLOW_PKT_ESTABLISHED;
- p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
-
- StreamTcpInitConfig(TRUE);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL) {
- goto end;
- }
-
- de_ctx->flags |= DE_QUIET;
-
- s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
- "(flow:to_server; content:\"request_user_agent\"; "
- "http_cookie; sid:1;)");
- if (s == NULL) {
- goto end;
- }
- s = de_ctx->sig_list->next = SigInit(de_ctx,"alert http any any -> any any "
- "(flow:to_client; content:\"response_user_agent\"; "
- "http_cookie; sid:2;)");
- if (s == NULL) {
- goto end;
- }
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- /* request */
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOSERVER, httpbuf_request,
- httpbuf_request_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- http_state = f.alstate;
- if (http_state == NULL) {
- printf("no http state: ");
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
- if (!PacketAlertCheck(p1, 1) || PacketAlertCheck(p1, 2)) {
- goto end;
- }
-
- /* response */
- FLOWLOCK_WRLOCK(&f);
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
- STREAM_TOCLIENT, httpbuf_response,
- httpbuf_response_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
- if (PacketAlertCheck(p2, 1) || !PacketAlertCheck(p2, 2)) {
- goto end;
- }
-
- result = 1;
-
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (det_ctx != NULL) {
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- }
- if (de_ctx != NULL) {
- DetectEngineCtxFree(de_ctx);
- }
-
- StreamTcpFreeConfig(TRUE);
- UTHFreePackets(&p1, 1);
- UTHFreePackets(&p2, 1);
- return result;
-}
-
-static int DetectHttpCookieIsdataatParseTest(void)
-{
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- FAIL_IF_NULL(de_ctx);
- de_ctx->flags |= DE_QUIET;
-
- Signature *s = DetectEngineAppendSig(de_ctx,
- "alert tcp any any -> any any ("
- "content:\"one\"; http_cookie; "
- "isdataat:!4,relative; sid:1;)");
- FAIL_IF_NULL(s);
-
- SigMatch *sm = s->init_data->smlists_tail[g_http_cookie_buffer_id];
- FAIL_IF_NULL(sm);
- FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
-
- DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
- FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
- FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
- FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
-
- DetectEngineCtxFree(de_ctx);
- PASS;
-}
-
-#endif /* UNITTESTS */
-
-/**
- * \brief Register the UNITTESTS for the http_cookie keyword
- */
-void DetectHttpCookieRegisterTests (void)
-{
-#ifdef UNITTESTS /* UNITTESTS */
- g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
-
- UtRegisterTest("DetectHttpCookieTest01", DetectHttpCookieTest01);
- UtRegisterTest("DetectHttpCookieTest02", DetectHttpCookieTest02);
- UtRegisterTest("DetectHttpCookieTest03", DetectHttpCookieTest03);
- UtRegisterTest("DetectHttpCookieTest04", DetectHttpCookieTest04);
- UtRegisterTest("DetectHttpCookieTest05", DetectHttpCookieTest05);
- UtRegisterTest("DetectHttpCookieTest06", DetectHttpCookieTest06);
- UtRegisterTest("DetectHttpCookieSigTest01", DetectHttpCookieSigTest01);
- UtRegisterTest("DetectHttpCookieSigTest02", DetectHttpCookieSigTest02);
- UtRegisterTest("DetectHttpCookieSigTest03", DetectHttpCookieSigTest03);
- UtRegisterTest("DetectHttpCookieSigTest04", DetectHttpCookieSigTest04);
- UtRegisterTest("DetectHttpCookieSigTest05", DetectHttpCookieSigTest05);
- UtRegisterTest("DetectHttpCookieSigTest06", DetectHttpCookieSigTest06);
- UtRegisterTest("DetectHttpCookieSigTest07", DetectHttpCookieSigTest07);
- UtRegisterTest("DetectHttpCookieSigTest08", DetectHttpCookieSigTest08);
- UtRegisterTest("DetectHttpCookieSigTest09", DetectHttpCookieSigTest09);
- UtRegisterTest("DetectHttpCookieIsdataatParseTest",
- DetectHttpCookieIsdataatParseTest);
+#include "tests/detect-http-cookie.c"
#endif /* UNITTESTS */
-}
/**
* @}
*/
#include "detect-engine-hcbd.h"
#include "detect-engine-hsbd.h"
#include "detect-engine-hrhd.h"
-#include "detect-engine-hcd.h"
#include "detect-engine-state.h"
#include "detect-engine-tag.h"
#include "detect-engine-modbus.h"
DetectEngineHttpClientBodyRegisterTests();
DetectEngineHttpServerBodyRegisterTests();
DetectEngineHttpRawHeaderRegisterTests();
- DetectEngineHttpCookieRegisterTests();
DetectEngineInspectModbusRegisterTests();
DetectEngineRegisterTests();
DetectEngineSMTPFiledataRegisterTests();
*
*/
-#include "suricata-common.h"
-#include "suricata.h"
-#include "decode.h"
-
-#include "detect.h"
-#include "detect-engine.h"
-#include "detect-engine-hcd.h"
-#include "detect-engine-mpm.h"
-#include "detect-parse.h"
-#include "detect-engine-state.h"
-#include "detect-engine-content-inspection.h"
-#include "detect-engine-prefilter.h"
-
-#include "flow-util.h"
-#include "util-debug.h"
-#include "util-print.h"
-#include "flow.h"
-
-#include "stream-tcp.h"
-
-#include "app-layer-parser.h"
-
-#include "util-unittest.h"
-#include "util-unittest-helper.h"
-#include "app-layer.h"
-#include "app-layer-htp.h"
-#include "app-layer-protos.h"
-#include "util-validate.h"
+#include "../suricata-common.h"
+#include "../suricata.h"
+#include "../flow-util.h"
+#include "../flow.h"
+#include "../app-layer-parser.h"
+#include "../util-unittest.h"
+#include "../util-unittest-helper.h"
+#include "../app-layer.h"
+#include "../app-layer-htp.h"
+#include "../app-layer-protos.h"
+#include "../detect-isdataat.h"
/***********************************Unittests**********************************/
-#ifdef UNITTESTS
+static int g_http_uri_buffer_id = 0;
/**
* \test Test that the http_cookie content matches against a http request
return result;
}
-#endif /* UNITTESTS */
+/**
+ * \test Checks if a http_cookie is registered in a Signature, if content is not
+ * specified in the signature
+ */
+static int DetectHttpCookieTest01(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+
+ if ( (de_ctx = DetectEngineCtxInit()) == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing http_cookie\"; http_cookie;sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ result = 1;
+
+end:
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+ return result;
+}
+
+/**
+ * \test Checks if a http_cookie is registered in a Signature, if some parameter
+ * is specified with http_cookie in the signature
+ */
+static int DetectHttpCookieTest02(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+
+ if ( (de_ctx = DetectEngineCtxInit()) == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing http_cookie\"; content:\"me\"; "
+ "http_cookie:woo; sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ result = 1;
+
+end:
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+ return result;
+}
+
+/**
+ * \test Checks if a http_cookie is registered in a Signature
+ */
+static int DetectHttpCookieTest03(void)
+{
+ SigMatch *sm = NULL;
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+
+ if ( (de_ctx = DetectEngineCtxInit()) == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing http_cookie\"; content:\"one\"; "
+ "http_cookie; content:\"two\"; http_cookie; "
+ "content:\"two\"; http_cookie; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ printf("sig parse failed: ");
+ goto end;
+ }
+
+ result = 0;
+ sm = de_ctx->sig_list->sm_lists[g_http_cookie_buffer_id];
+ if (sm == NULL) {
+ printf("no sigmatch(es): ");
+ goto end;
+ }
+
+ while (sm != NULL) {
+ if (sm->type == DETECT_CONTENT) {
+ result = 1;
+ } else {
+ printf("expected DETECT_CONTENT for http_cookie, got %d: ", sm->type);
+ goto end;
+ }
+ sm = sm->next;
+ }
+
+end:
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+ return result;
+}
+
+/**
+ * \test Checks if a http_cookie is registered in a Signature, when fast_pattern
+ * is also specified in the signature (now it should)
+ */
+static int DetectHttpCookieTest04(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+
+ if ( (de_ctx = DetectEngineCtxInit()) == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing http_cookie\"; content:\"one\"; "
+ "fast_pattern; http_cookie; sid:1;)");
+ if (de_ctx->sig_list != NULL)
+ result = 1;
+
+end:
+ if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
+ return result;
+}
+
+/**
+ * \test Checks if a http_cookie is registered in a Signature, when rawbytes is
+ * also specified in the signature
+ */
+static int DetectHttpCookieTest05(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+
+ if ( (de_ctx = DetectEngineCtxInit()) == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing http_cookie\"; content:\"one\"; "
+ "rawbytes; http_cookie; sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ result = 1;
+
+ end:
+ if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
+ return result;
+}
+
+/**
+ * \test Checks if a http_cookie is registered in a Signature, when rawbytes is
+ * also specified in the signature
+ */
+static int DetectHttpCookieTest06(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+
+ if ( (de_ctx = DetectEngineCtxInit()) == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing http_cookie\"; content:\"one\"; "
+ "http_cookie; uricontent:\"abc\"; sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ Signature *s = de_ctx->sig_list;
+
+ BUG_ON(s->sm_lists[g_http_cookie_buffer_id] == NULL);
+
+ if (s->sm_lists[g_http_cookie_buffer_id]->type != DETECT_CONTENT)
+ goto end;
+
+ if (s->sm_lists[g_http_uri_buffer_id] == NULL) {
+ printf("expected another SigMatch, got NULL: ");
+ goto end;
+ }
+
+ if (s->sm_lists[g_http_uri_buffer_id]->type != DETECT_CONTENT) {
+ goto end;
+ }
+
+ result = 1;
+end:
+ if (de_ctx != NULL) {
+ DetectEngineCtxFree(de_ctx);
+ }
+ return result;
+}
+
+/** \test Check the signature working to alert when http_cookie is matched . */
+static int DetectHttpCookieSigTest01(void)
+{
+ int result = 0;
+ Flow f;
+ uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie:"
+ " hellocatchme\r\n\r\n";
+ uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
+ TcpSession ssn;
+ Packet *p = NULL;
+ Signature *s = NULL;
+ ThreadVars th_v;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+
+ p->flow = &f;
+ p->flowflags |= FLOW_PKT_TOSERVER;
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL) {
+ goto end;
+ }
+
+ de_ctx->flags |= DE_QUIET;
+
+ s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
+ "\"HTTP cookie\"; content:\"me\"; "
+ "http_cookie; sid:1;)");
+ if (s == NULL) {
+ goto end;
+ }
+
+ s->next = SigInit(de_ctx,"alert http any any -> any any (msg:\"HTTP "
+ "cookie\"; content:\"go\"; http_cookie; sid:2;)");
+ if (s->next == NULL) {
+ goto end;
+ }
+
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, httpbuf1, httplen1);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: ");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+
+ if (!(PacketAlertCheck(p, 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if (PacketAlertCheck(p, 2)) {
+ printf("sid 2 matched but shouldn't: ");
+ goto end;
+ }
+
+ result = 1;
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (det_ctx != NULL) {
+ DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
+ }
+ if (de_ctx != NULL) {
+ DetectEngineCtxFree(de_ctx);
+ }
+
+ StreamTcpFreeConfig(TRUE);
+
+ UTHFreePackets(&p, 1);
+ return result;
+}
+
+/** \test Check the signature working to alert when http_cookie is not present */
+static int DetectHttpCookieSigTest02(void)
+{
+ int result = 0;
+ Flow f;
+ uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
+ uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
+ TcpSession ssn;
+ Packet *p = NULL;
+ Signature *s = NULL;
+ ThreadVars th_v;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&p, 0, sizeof(p));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+
+ p->flow = &f;
+ p->flowflags |= FLOW_PKT_TOSERVER;
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL) {
+ goto end;
+ }
+
+ de_ctx->flags |= DE_QUIET;
+
+ s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
+ "\"HTTP cookie\"; content:\"me\"; "
+ "http_cookie; sid:1;)");
+ if (s == NULL) {
+ goto end;
+ }
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, httpbuf1, httplen1);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: ");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+
+ if ((PacketAlertCheck(p, 1))) {
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (det_ctx != NULL) {
+ DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
+ }
+ if (de_ctx != NULL) {
+ DetectEngineCtxFree(de_ctx);
+ }
+ StreamTcpFreeConfig(TRUE);
+ UTHFreePackets(&p, 1);
+ return result;
+}
+
+/** \test Check the signature working to alert when http_cookie is not present */
+static int DetectHttpCookieSigTest03(void)
+{
+ int result = 0;
+ Flow f;
+ uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
+ "Cookie: dummy\r\n\r\n";
+ uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
+ TcpSession ssn;
+ Packet *p = NULL;
+ Signature *s = NULL;
+ ThreadVars th_v;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+
+ p->flow = &f;
+ p->flowflags |= FLOW_PKT_TOSERVER;
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL) {
+ goto end;
+ }
+
+ de_ctx->flags |= DE_QUIET;
+
+ s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
+ "\"HTTP cookie\"; content:\"boo\"; "
+ "http_cookie; sid:1;)");
+ if (s == NULL) {
+ goto end;
+ }
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, httpbuf1, httplen1);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: ");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+
+ if ((PacketAlertCheck(p, 1))) {
+ goto end;
+ }
+
+ result = 1;
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (det_ctx != NULL) {
+ DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
+ }
+ if (de_ctx != NULL) {
+ DetectEngineCtxFree(de_ctx);
+ }
+
+ StreamTcpFreeConfig(TRUE);
+ UTHFreePackets(&p, 1);
+ return result;
+}
+
+/** \test Check the signature working to alert when http_cookie is not present */
+static int DetectHttpCookieSigTest04(void)
+{
+ int result = 0;
+ Flow f;
+ uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
+ "Cookie: dummy\r\n\r\n";
+ uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
+ TcpSession ssn;
+ Packet *p = NULL;
+ Signature *s = NULL;
+ ThreadVars th_v;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&p, 0, sizeof(p));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+
+ p->flow = &f;
+ p->flowflags |= FLOW_PKT_TOSERVER;
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL) {
+ goto end;
+ }
+
+ de_ctx->flags |= DE_QUIET;
+
+ s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
+ "\"HTTP cookie\"; content:!\"boo\"; "
+ "http_cookie; sid:1;)");
+ if (s == NULL) {
+ goto end;
+ }
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, httpbuf1, httplen1);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: ");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+
+ if (!PacketAlertCheck(p, 1)) {
+ goto end;
+ }
+
+ result = 1;
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (det_ctx != NULL) {
+ DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
+ }
+ if (de_ctx != NULL) {
+ DetectEngineCtxFree(de_ctx);
+ }
+
+ StreamTcpFreeConfig(TRUE);
+ UTHFreePackets(&p, 1);
+ return result;
+}
+
+/** \test Check the signature working to alert when http_cookie is not present */
+static int DetectHttpCookieSigTest05(void)
+{
+ int result = 0;
+ Flow f;
+ uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
+ "Cookie: DuMmY\r\n\r\n";
+ uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
+ TcpSession ssn;
+ Packet *p = NULL;
+ Signature *s = NULL;
+ ThreadVars th_v;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&p, 0, sizeof(p));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+
+ p->flow = &f;
+ p->flowflags |= FLOW_PKT_TOSERVER;
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL) {
+ goto end;
+ }
+
+ de_ctx->flags |= DE_QUIET;
+
+ s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
+ "\"HTTP cookie\"; content:\"dummy\"; nocase; "
+ "http_cookie; sid:1;)");
+ if (s == NULL) {
+ goto end;
+ }
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, httpbuf1, httplen1);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: ");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+
+ if (!PacketAlertCheck(p, 1)) {
+ goto end;
+ }
+
+ result = 1;
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (det_ctx != NULL) {
+ DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
+ }
+ if (de_ctx != NULL) {
+ DetectEngineCtxFree(de_ctx);
+ }
+
+ StreamTcpFreeConfig(TRUE);
+ UTHFreePackets(&p, 1);
+ return result;
+}
+
+/** \test Check the signature working to alert when http_cookie is not present */
+static int DetectHttpCookieSigTest06(void)
+{
+ int result = 0;
+ Flow f;
+ uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
+ "Cookie: DuMmY\r\n\r\n";
+ uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
+ TcpSession ssn;
+ Packet *p = NULL;
+ Signature *s = NULL;
+ ThreadVars th_v;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&p, 0, sizeof(p));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+
+ p->flow = &f;
+ p->flowflags |= FLOW_PKT_TOSERVER;
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL) {
+ goto end;
+ }
+
+ de_ctx->flags |= DE_QUIET;
+
+ s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
+ "\"HTTP cookie\"; content:\"dummy\"; "
+ "http_cookie; nocase; sid:1;)");
+ if (s == NULL) {
+ printf("sig parse failed: ");
+ goto end;
+ }
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, httpbuf1, httplen1);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: ");
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+
+ if (!PacketAlertCheck(p, 1)) {
+ printf("sig 1 failed to match: ");
+ goto end;
+ }
+
+ result = 1;
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (det_ctx != NULL) {
+ DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
+ }
+ if (de_ctx != NULL) {
+ DetectEngineCtxFree(de_ctx);
+ }
+
+ StreamTcpFreeConfig(TRUE);
+ UTHFreePackets(&p, 1);
+ return result;
+}
+
+/** \test Check the signature working to alert when http_cookie is not present */
+static int DetectHttpCookieSigTest07(void)
+{
+ int result = 0;
+ Flow f;
+ uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
+ "Cookie: dummy\r\n\r\n";
+ uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
+ TcpSession ssn;
+ Packet *p = NULL;
+ Signature *s = NULL;
+ ThreadVars th_v;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+
+ p->flow = &f;
+ p->flowflags |= FLOW_PKT_TOSERVER;
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_HTTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL) {
+ goto end;
+ }
+
+ de_ctx->flags |= DE_QUIET;
+
+ s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
+ "\"HTTP cookie\"; content:!\"dummy\"; "
+ "http_cookie; sid:1;)");
+ if (s == NULL) {
+ goto end;
+ }
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, httpbuf1, httplen1);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: ");
+ result = 0;
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+
+ if (PacketAlertCheck(p, 1)) {
+ goto end;
+ }
+
+ result = 1;
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (det_ctx != NULL) {
+ DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
+ }
+ if (de_ctx != NULL) {
+ DetectEngineCtxFree(de_ctx);
+ }
+
+ StreamTcpFreeConfig(TRUE);
+ UTHFreePackets(&p, 1);
+ return result;
+}
+
+/**
+ * \test Check the signature working to alert against set-cookie
+ */
+static int DetectHttpCookieSigTest08(void)
+{
+ int result = 0;
+ Flow f;
+
+ uint8_t httpbuf_request[] =
+ "GET / HTTP/1.1\r\n"
+ "User-Agent: Mozilla/1.0\r\n"
+ "\r\n";
+ uint32_t httpbuf_request_len = sizeof(httpbuf_request) - 1; /* minus the \0 */
+
+ uint8_t httpbuf_response[] =
+ "HTTP/1.1 200 OK\r\n"
+ "Set-Cookie: response_user_agent\r\n"
+ "\r\n";
+ uint32_t httpbuf_response_len = sizeof(httpbuf_response) - 1; /* minus the \0 */
+
+ TcpSession ssn;
+ Packet *p1 = NULL, *p2 = NULL;
+ Signature *s = NULL;
+ ThreadVars th_v;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+ f.alproto = ALPROTO_HTTP;
+
+ p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+ p1->flow = &f;
+ p1->flowflags |= FLOW_PKT_TOSERVER;
+ p1->flowflags |= FLOW_PKT_ESTABLISHED;
+ p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
+
+ p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+ p2->flow = &f;
+ p2->flowflags |= FLOW_PKT_TOCLIENT;
+ p2->flowflags |= FLOW_PKT_ESTABLISHED;
+ p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
+
+ StreamTcpInitConfig(TRUE);
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL) {
+ goto end;
+ }
+
+ de_ctx->flags |= DE_QUIET;
+
+ s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(flow:to_client; content:\"response_user_agent\"; "
+ "http_cookie; sid:1;)");
+ if (s == NULL) {
+ goto end;
+ }
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ /* request */
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, httpbuf_request,
+ httpbuf_request_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: ");
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
+ if (PacketAlertCheck(p1, 1)) {
+ goto end;
+ }
+
+ /* response */
+ FLOWLOCK_WRLOCK(&f);
+ r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOCLIENT, httpbuf_response,
+ httpbuf_response_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
+ if (!PacketAlertCheck(p2, 1)) {
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (det_ctx != NULL) {
+ DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
+ }
+ if (de_ctx != NULL) {
+ DetectEngineCtxFree(de_ctx);
+ }
+
+ StreamTcpFreeConfig(TRUE);
+ UTHFreePackets(&p1, 1);
+ UTHFreePackets(&p2, 1);
+ return result;
+}
+
+/**
+ * \test Check the signature working to alert against cookie/set-cookie
+ */
+static int DetectHttpCookieSigTest09(void)
+{
+ int result = 0;
+ Flow f;
+
+ uint8_t httpbuf_request[] =
+ "GET / HTTP/1.1\r\n"
+ "Cookie: request_user_agent\r\n"
+ "User-Agent: Mozilla/1.0\r\n"
+ "\r\n";
+ uint32_t httpbuf_request_len = sizeof(httpbuf_request) - 1; /* minus the \0 */
+
+ uint8_t httpbuf_response[] =
+ "HTTP/1.1 200 OK\r\n"
+ "Set-Cookie: response_user_agent\r\n"
+ "\r\n";
+ uint32_t httpbuf_response_len = sizeof(httpbuf_response) - 1; /* minus the \0 */
+
+ TcpSession ssn;
+ Packet *p1 = NULL, *p2 = NULL;
+ Signature *s = NULL;
+ ThreadVars th_v;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ HtpState *http_state = NULL;
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+ f.alproto = ALPROTO_HTTP;
+
+ p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+ p1->flow = &f;
+ p1->flowflags |= FLOW_PKT_TOSERVER;
+ p1->flowflags |= FLOW_PKT_ESTABLISHED;
+ p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
+
+ p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+ p2->flow = &f;
+ p2->flowflags |= FLOW_PKT_TOCLIENT;
+ p2->flowflags |= FLOW_PKT_ESTABLISHED;
+ p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
+
+ StreamTcpInitConfig(TRUE);
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL) {
+ goto end;
+ }
+
+ de_ctx->flags |= DE_QUIET;
-void DetectEngineHttpCookieRegisterTests(void)
+ s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+ "(flow:to_server; content:\"request_user_agent\"; "
+ "http_cookie; sid:1;)");
+ if (s == NULL) {
+ goto end;
+ }
+ s = de_ctx->sig_list->next = SigInit(de_ctx,"alert http any any -> any any "
+ "(flow:to_client; content:\"response_user_agent\"; "
+ "http_cookie; sid:2;)");
+ if (s == NULL) {
+ goto end;
+ }
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ /* request */
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOSERVER, httpbuf_request,
+ httpbuf_request_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ http_state = f.alstate;
+ if (http_state == NULL) {
+ printf("no http state: ");
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
+ if (!PacketAlertCheck(p1, 1) || PacketAlertCheck(p1, 2)) {
+ goto end;
+ }
+
+ /* response */
+ FLOWLOCK_WRLOCK(&f);
+ r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
+ STREAM_TOCLIENT, httpbuf_response,
+ httpbuf_response_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
+ if (PacketAlertCheck(p2, 1) || !PacketAlertCheck(p2, 2)) {
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (det_ctx != NULL) {
+ DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
+ }
+ if (de_ctx != NULL) {
+ DetectEngineCtxFree(de_ctx);
+ }
+
+ StreamTcpFreeConfig(TRUE);
+ UTHFreePackets(&p1, 1);
+ UTHFreePackets(&p2, 1);
+ return result;
+}
+
+static int DetectHttpCookieIsdataatParseTest(void)
{
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ FAIL_IF_NULL(de_ctx);
+ de_ctx->flags |= DE_QUIET;
+
+ Signature *s = DetectEngineAppendSig(de_ctx,
+ "alert tcp any any -> any any ("
+ "content:\"one\"; http_cookie; "
+ "isdataat:!4,relative; sid:1;)");
+ FAIL_IF_NULL(s);
-#ifdef UNITTESTS
+ SigMatch *sm = s->init_data->smlists_tail[g_http_cookie_buffer_id];
+ FAIL_IF_NULL(sm);
+ FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
+
+ DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
+ FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
+ FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
+ FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
+
+ DetectEngineCtxFree(de_ctx);
+ PASS;
+}
+
+/**
+ * \brief Register the UNITTESTS for the http_cookie keyword
+ */
+void DetectHttpCookieRegisterTests (void)
+{
+ g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
+
+ UtRegisterTest("DetectHttpCookieTest01", DetectHttpCookieTest01);
+ UtRegisterTest("DetectHttpCookieTest02", DetectHttpCookieTest02);
+ UtRegisterTest("DetectHttpCookieTest03", DetectHttpCookieTest03);
+ UtRegisterTest("DetectHttpCookieTest04", DetectHttpCookieTest04);
+ UtRegisterTest("DetectHttpCookieTest05", DetectHttpCookieTest05);
+ UtRegisterTest("DetectHttpCookieTest06", DetectHttpCookieTest06);
+ UtRegisterTest("DetectHttpCookieSigTest01", DetectHttpCookieSigTest01);
+ UtRegisterTest("DetectHttpCookieSigTest02", DetectHttpCookieSigTest02);
+ UtRegisterTest("DetectHttpCookieSigTest03", DetectHttpCookieSigTest03);
+ UtRegisterTest("DetectHttpCookieSigTest04", DetectHttpCookieSigTest04);
+ UtRegisterTest("DetectHttpCookieSigTest05", DetectHttpCookieSigTest05);
+ UtRegisterTest("DetectHttpCookieSigTest06", DetectHttpCookieSigTest06);
+ UtRegisterTest("DetectHttpCookieSigTest07", DetectHttpCookieSigTest07);
+ UtRegisterTest("DetectHttpCookieSigTest08", DetectHttpCookieSigTest08);
+ UtRegisterTest("DetectHttpCookieSigTest09", DetectHttpCookieSigTest09);
+ UtRegisterTest("DetectHttpCookieIsdataatParseTest",
+ DetectHttpCookieIsdataatParseTest);
UtRegisterTest("DetectEngineHttpCookieTest01",
DetectEngineHttpCookieTest01);
UtRegisterTest("DetectEngineHttpCookieTest02",
DetectEngineHttpCookieTest16);
UtRegisterTest("DetectEngineHttpCookieTest17",
DetectEngineHttpCookieTest17);
-#endif /* UNITTESTS */
-
- return;
}
/**
* @}
projects / thirdparty / suricata.git / commitdiff
