From: Giuseppe Longo Date: Mon, 8 Jun 2015 12:06:24 +0000 (+0200) Subject: http: rework UT X-Git-Tag: suricata-3.0RC1~306 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=32563d51d155decb77fea6af8f3616feb7f01e7d;p=thirdparty%2Fsuricata.git http: rework UT This reworks UT based on commit 320355570863dfa6376c9d2af875495ccc8a199f --- diff --git a/src/detect-engine-hsbd.c b/src/detect-engine-hsbd.c index de37099f21..beba23966b 100644 --- a/src/detect-engine-hsbd.c +++ b/src/detect-engine-hsbd.c @@ -393,6 +393,123 @@ void DetectEngineCleanHSBDBuffers(DetectEngineThreadCtx *det_ctx) #ifdef UNITTESTS +struct TestSteps { + const uint8_t *input; + size_t input_size; /**< if 0 strlen will be used */ + int direction; /**< STREAM_TOSERVER, STREAM_TOCLIENT */ + int expect; +}; + +static int RunTest(struct TestSteps *steps, const char *sig, const char *yaml) +{ + TcpSession ssn; + Flow f; + Packet *p = NULL; + ThreadVars th_v; + DetectEngineCtx *de_ctx = NULL; + DetectEngineThreadCtx *det_ctx = NULL; + int result = 0; + int i = 0; + AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); + memset(&th_v, 0, sizeof(th_v)); + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + if (yaml) { + ConfCreateContextBackup(); + ConfInit(); + HtpConfigCreateBackup(); + + ConfYamlLoadString(yaml, strlen(yaml)); + HTPConfigure(); + EngineModeSetIPS(); + } + + StreamTcpInitConfig(TRUE); + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + FLOW_INITIALIZE(&f); + f.protoctx = (void *)&ssn; + f.proto = IPPROTO_TCP; + f.flags |= FLOW_IPV4; + f.alproto = ALPROTO_HTTP; + + SCLogDebug("sig %s", sig); + DetectEngineAppendSig(de_ctx, (char *)sig); + + de_ctx->flags |= DE_QUIET; + + if (de_ctx->sig_list == NULL) + goto end; + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + struct TestSteps *b = steps; + i = 0; + while (b->input != NULL) { + SCLogDebug("chunk %p %d", b, i); + p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); + if (p == NULL) + goto end; + p->flow = &f; + p->flowflags = (b->direction == STREAM_TOSERVER) ? FLOW_PKT_TOSERVER : FLOW_PKT_TOCLIENT; + p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; + + SCMutexLock(&f.m); + int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, b->direction, + (uint8_t *)b->input, + b->input_size ? b->input_size : strlen((const char *)b->input)); + if (r != 0) { + printf("toserver chunk %d returned %" PRId32 ", expected 0: ", i+1, r); + result = 0; + SCMutexUnlock(&f.m); + goto end; + } + SCMutexUnlock(&f.m); + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + + int match = PacketAlertCheck(p, 1); + if (b->expect != match) { + printf("rule matching mismatch: "); + goto end; + } + + UTHFreePackets(&p, 1); + p = NULL; + b++; + i++; + } + result = 1; + + end: + if (alp_tctx != NULL) + AppLayerParserThreadCtxFree(alp_tctx); + if (de_ctx != NULL) + SigGroupCleanup(de_ctx); + if (de_ctx != NULL) + SigCleanSignatures(de_ctx); + if (de_ctx != NULL) + DetectEngineCtxFree(de_ctx); + + StreamTcpFreeConfig(TRUE); + FLOW_DESTROY(&f); + UTHFreePackets(&p, 1); + + if (yaml) { + HtpConfigRestoreBackup(); + ConfRestoreContextBackup(); + EngineModeSetIDS(); + } + return result; +} + static int DetectEngineHttpServerBodyTest01(void) { TcpSession ssn; @@ -3723,19 +3840,10 @@ end: return result; } -/* - * Tests buffer inspection like in ips mode, - * here all chunks size are smaller than the window_size. - - * in: buffer: - * [ab] [ab] - * [cd] [abcd] - * [ef] [cdef] -*/ static int DetectEngineHttpServerBodyFileDataTest04(void) { - char input[] = "\ + const char yaml[] = "\ %YAML 1.1\n\ ---\n\ libhtp:\n\ @@ -3743,999 +3851,265 @@ libhtp:\n\ default-config:\n\ \n\ http-body-inline: yes\n\ - response-body-minimal-inspect-size: 4\n\ - response-body-inspect-window: 4\n\ + response-body-minimal-inspect-size: 6\n\ + response-body-inspect-window: 3\n\ "; - ConfCreateContextBackup(); - ConfInit(); - HtpConfigCreateBackup(); - - ConfYamlLoadString(input, strlen(input)); - HTPConfigure(); - EngineModeSetIPS(); - TcpSession ssn; - Packet *p1 = NULL; - Packet *p2 = NULL; - ThreadVars th_v; - DetectEngineCtx *de_ctx = NULL; - DetectEngineThreadCtx *det_ctx = NULL; - HtpState *http_state = NULL; - Flow f; - uint8_t http_buf1[] = - "GET /index.html HTTP/1.0\r\n" - "Host: www.openinfosecfoundation.org\r\n" - "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" - "\r\n"; - uint32_t http_len1 = sizeof(http_buf1) - 1; - uint8_t http_buf2[] = - "HTTP/1.0 200 ok\r\n" - "Content-Type: text/html\r\n" - "Content-Length: 6\r\n" - "\r\n" - "ab"; - uint32_t http_len2 = sizeof(http_buf2) - 1; - uint8_t http_buf3[] = "cd"; - uint32_t http_len3 = sizeof(http_buf3) - 1; - uint8_t http_buf4[] = "ef"; - uint32_t http_len4 = sizeof(http_buf4) - 1; + struct TestSteps steps[] = { + { (const uint8_t *)"GET /index.html HTTP/1.0\r\n" + "Host: www.openinfosecfoundation.org\r\n" + "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" + "\r\n", + 0, STREAM_TOSERVER, 0 }, + { (const uint8_t *)"HTTP/1.0 200 ok\r\n" + "Content-Type: text/html\r\n" + "Content-Length: 6\r\n" + "\r\n" + "ab", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"cd", + 0, STREAM_TOCLIENT, 1 }, + { (const uint8_t *)"ef", + 0, STREAM_TOCLIENT, 0 }, + { NULL, 0, 0, 0 }, + }; - int result = 0; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); + const char *sig = "alert http any any -> any any (file_data; content:\"abcd\"; sid:1;)"; + return RunTest(steps, sig, yaml); +} - memset(&th_v, 0, sizeof(th_v)); - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); +static int DetectEngineHttpServerBodyFileDataTest05(void) +{ - p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); - p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); + const char yaml[] = "\ +%YAML 1.1\n\ +---\n\ +libhtp:\n\ +\n\ + default-config:\n\ +\n\ + http-body-inline: yes\n\ + response-body-minimal-inspect-size: 6\n\ + response-body-inspect-window: 3\n\ +"; - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.flags |= FLOW_IPV4; + struct TestSteps steps[] = { + { (const uint8_t *)"GET /index.html HTTP/1.0\r\n" + "Host: www.openinfosecfoundation.org\r\n" + "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" + "\r\n", + 0, STREAM_TOSERVER, 0 }, + { (const uint8_t *)"HTTP/1.0 200 ok\r\n" + "Content-Type: text/html\r\n" + "Content-Length: 6\r\n" + "\r\n" + "ab", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"cd", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"ef", + 0, STREAM_TOCLIENT, 1 }, + { NULL, 0, 0, 0 }, + }; - p1->flow = &f; - p1->flowflags |= FLOW_PKT_TOSERVER; - p1->flowflags |= FLOW_PKT_ESTABLISHED; - p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - p2->flow = &f; - p2->flowflags |= FLOW_PKT_TOCLIENT; - p2->flowflags |= FLOW_PKT_ESTABLISHED; - p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - f.alproto = ALPROTO_HTTP; + const char *sig = "alert http any any -> any any (file_data; content:\"abcdef\"; sid:1;)"; + return RunTest(steps, sig, yaml); +} - StreamTcpInitConfig(TRUE); +static int DetectEngineHttpServerBodyFileDataTest06(void) +{ - de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto end; + const char yaml[] = "\ +%YAML 1.1\n\ +---\n\ +libhtp:\n\ +\n\ + default-config:\n\ +\n\ + http-body-inline: yes\n\ + response-body-minimal-inspect-size: 6\n\ + response-body-inspect-window: 3\n\ +"; - de_ctx->flags |= DE_QUIET; + struct TestSteps steps[] = { + { (const uint8_t *)"GET /index.html HTTP/1.0\r\n" + "Host: www.openinfosecfoundation.org\r\n" + "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" + "\r\n", + 0, STREAM_TOSERVER, 0 }, + { (const uint8_t *)"HTTP/1.0 200 ok\r\n" + "Content-Type: text/html\r\n" + "Content-Length: 6\r\n" + "\r\n" + "ab", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"cd", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"ef", + 0, STREAM_TOCLIENT, 1 }, + { NULL, 0, 0, 0 }, + }; - if (!(DetectEngineAppendSig(de_ctx, "alert http any any -> any any " - "(msg:\"http server body test\"; " - "file_data; content:\"ab\"; sid:1;)"))) - goto end; - if (!(DetectEngineAppendSig(de_ctx, "alert http any any -> any any " - "(msg:\"http server body test\"; " - "file_data; content:\"bc\"; sid:2;)"))) - goto end; - if (!(DetectEngineAppendSig(de_ctx, "alert http any any -> any any " - "(msg:\"http server body test\"; " - "file_data; content:\"cdef\"; sid:3;)"))) - goto end; - if (!(DetectEngineAppendSig(de_ctx, "alert http any any -> any any " - "(msg:\"http server body test\"; " - "file_data; content:\"ef\"; sid:4;)"))) - goto end; + const char *sig = "alert http any any -> any any (file_data; content:\"bcdef\"; offset:1; sid:1;)"; + return RunTest(steps, sig, yaml); +} - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); +static int DetectEngineHttpServerBodyFileDataTest07(void) +{ - SCMutexLock(&f.m); - int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_len1); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); - result = 0; - SCMutexUnlock(&f.m); - goto end; - } - SCMutexUnlock(&f.m); + const char yaml[] = "\ +%YAML 1.1\n\ +---\n\ +libhtp:\n\ +\n\ + default-config:\n\ +\n\ + http-body-inline: yes\n\ + response-body-minimal-inspect-size: 6\n\ + response-body-inspect-window: 3\n\ +"; - http_state = f.alstate; - if (http_state == NULL) { - printf("no http state: \n"); - result = 0; - goto end; - } + struct TestSteps steps[] = { + { (const uint8_t *)"GET /index.html HTTP/1.0\r\n" + "Host: www.openinfosecfoundation.org\r\n" + "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" + "\r\n", + 0, STREAM_TOSERVER, 0 }, + { (const uint8_t *)"HTTP/1.0 200 ok\r\n" + "Content-Type: text/html\r\n" + "Content-Length: 13\r\n" + "\r\n" + "ab", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"cd", + 0, STREAM_TOCLIENT, 1 }, + { (const uint8_t *)"123456789", + 0, STREAM_TOCLIENT, 0 }, + { NULL, 0, 0, 0 }, + }; - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p1); + const char *sig = "alert http any any -> any any (file_data; content:\"bc\"; offset:1; depth:2; sid:1;)"; + return RunTest(steps, sig, yaml); +} - if (PacketAlertCheck(p1, 1)) { - printf("sid 1 matched but shouldn't have: "); - goto end; - } +static int DetectEngineHttpServerBodyFileDataTest08(void) +{ - SCMutexLock(&f.m); - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf2, http_len2); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r); - result = 0; - SCMutexUnlock(&f.m); - goto end; - } - SCMutexUnlock(&f.m); + const char yaml[] = "\ +%YAML 1.1\n\ +---\n\ +libhtp:\n\ +\n\ + default-config:\n\ +\n\ + http-body-inline: yes\n\ + response-body-minimal-inspect-size: 6\n\ + response-body-inspect-window: 3\n\ +"; - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p2); + struct TestSteps steps[] = { + { (const uint8_t *)"GET /index.html HTTP/1.0\r\n" + "Host: www.openinfosecfoundation.org\r\n" + "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" + "\r\n", + 0, STREAM_TOSERVER, 0 }, + { (const uint8_t *)"HTTP/1.0 200 ok\r\n" + "Content-Type: text/html\r\n" + "Content-Length: 14\r\n" + "\r\n" + "ab", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"cd", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"1234567890", + 0, STREAM_TOCLIENT, 1 }, + { NULL, 0, 0, 0 }, + }; - if (!PacketAlertCheck(p2, 1)) { - printf("sid 1 did not match but should have: "); - goto end; - } + const char *sig = "alert http any any -> any any (file_data; content:\"d123456789\"; offset:3; sid:1;)"; + return RunTest(steps, sig, yaml); +} - SCMutexLock(&f.m); - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf3, http_len3); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r); - result = 0; - SCMutexUnlock(&f.m); - goto end; - } - SCMutexUnlock(&f.m); +static int DetectEngineHttpServerBodyFileDataTest09(void) +{ - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p2); + const char yaml[] = "\ +%YAML 1.1\n\ +---\n\ +libhtp:\n\ +\n\ + default-config:\n\ +\n\ + http-body-inline: yes\n\ + response-body-minimal-inspect-size: 6\n\ + response-body-inspect-window: 3\n\ +"; - if (!PacketAlertCheck(p2, 2)) { - printf("sid 2 did not match but should have: "); - goto end; - } + struct TestSteps steps[] = { + { (const uint8_t *)"GET /index.html HTTP/1.0\r\n" + "Host: www.openinfosecfoundation.org\r\n" + "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" + "\r\n", + 0, STREAM_TOSERVER, 0 }, + { (const uint8_t *)"HTTP/1.0 200 ok\r\n" + "Content-Type: text/html\r\n" + "Content-Length: 13\r\n" + "\r\n" + "ab", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"cd", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"123456789", + 0, STREAM_TOCLIENT, 1 }, + { NULL, 0, 0, 0 }, + }; - SCMutexLock(&f.m); - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf4, http_len4); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r); - result = 0; - SCMutexUnlock(&f.m); - goto end; - } - SCMutexUnlock(&f.m); + const char *sig = "alert http any any -> any any (file_data; content:\"abcd12\"; depth:6; sid:1;)"; + return RunTest(steps, sig, yaml); +} - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p2); +static int DetectEngineHttpServerBodyFileDataTest10(void) +{ - if (!PacketAlertCheck(p2, 3)) { - printf("sid 3 did not match but should have: "); - goto end; - } - - if (!PacketAlertCheck(p2, 4)) { - printf("sid 4 did not match but should have: "); - goto end; - } - result = 1; - -end: - if (alp_tctx != NULL) - AppLayerParserThreadCtxFree(alp_tctx); - if (de_ctx != NULL) - SigGroupCleanup(de_ctx); - if (de_ctx != NULL) - SigCleanSignatures(de_ctx); - if (de_ctx != NULL) - DetectEngineCtxFree(de_ctx); - - StreamTcpFreeConfig(TRUE); - FLOW_DESTROY(&f); - UTHFreePackets(&p1, 1); - UTHFreePackets(&p2, 1); - EngineModeSetIDS(); - ConfDeInit(); - ConfRestoreContextBackup(); - return result; -} - -/* - * Tests buffer inspection like in ips mode, - * here the last chunk size is greater than the window size. - - * in: buffer: - * [ab] [ab] - * [cd] [abcd] - * [12345678] [d12345678] -*/ -static int DetectEngineHttpServerBodyFileDataTest05(void) -{ - - char input[] = "\ -%YAML 1.1\n\ ----\n\ -libhtp:\n\ -\n\ - default-config:\n\ -\n\ - http-body-inline: yes\n\ - response-body-minimal-inspect-size: 1\n\ - response-body-inspect-window: 4\n\ -"; - - ConfCreateContextBackup(); - ConfInit(); - HtpConfigCreateBackup(); - - ConfYamlLoadString(input, strlen(input)); - HTPConfigure(); - EngineModeSetIPS(); - TcpSession ssn; - Packet *p1 = NULL; - Packet *p2 = NULL; - ThreadVars th_v; - DetectEngineCtx *de_ctx = NULL; - DetectEngineThreadCtx *det_ctx = NULL; - HtpState *http_state = NULL; - Flow f; - uint8_t http_buf1[] = - "GET /index.html HTTP/1.0\r\n" - "Host: www.openinfosecfoundation.org\r\n" - "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" - "\r\n"; - uint32_t http_len1 = sizeof(http_buf1) - 1; - uint8_t http_buf2[] = - "HTTP/1.0 200 ok\r\n" - "Content-Type: text/html\r\n" - "Content-Length: 12\r\n" - "\r\n" - "ab"; - uint32_t http_len2 = sizeof(http_buf2) - 1; - uint8_t http_buf3[] = "cd"; - uint32_t http_len3 = sizeof(http_buf3) - 1; - uint8_t http_buf4[] = "12345678"; - uint32_t http_len4 = sizeof(http_buf4) - 1; - - int result = 0; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&th_v, 0, sizeof(th_v)); - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); - p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.flags |= FLOW_IPV4; - - p1->flow = &f; - p1->flowflags |= FLOW_PKT_TOSERVER; - p1->flowflags |= FLOW_PKT_ESTABLISHED; - p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - p2->flow = &f; - p2->flowflags |= FLOW_PKT_TOCLIENT; - p2->flowflags |= FLOW_PKT_ESTABLISHED; - p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - f.alproto = ALPROTO_HTTP; - - StreamTcpInitConfig(TRUE); - - de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto end; - - de_ctx->flags |= DE_QUIET; - - if (!(DetectEngineAppendSig(de_ctx, "alert http any any -> any any " - "(msg:\"http server body test\"; " - "file_data; content:\"ab\"; sid:1;)"))) - goto end; - - if (!(DetectEngineAppendSig(de_ctx, "alert http any any -> any any " - "(msg:\"http server body test\"; " - "file_data; content:\"abcd\"; sid:2;)"))) - goto end; - if (!(DetectEngineAppendSig(de_ctx, "alert http any any -> any any " - "(msg:\"http server body test\"; " - "file_data; content:\"d12345678\"; sid:3;)"))) - goto end; - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - SCMutexLock(&f.m); - int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_len1); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); - result = 0; - SCMutexUnlock(&f.m); - goto end; - } - SCMutexUnlock(&f.m); - - http_state = f.alstate; - if (http_state == NULL) { - printf("no http state: \n"); - result = 0; - goto end; - } - - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p1); - - if (PacketAlertCheck(p1, 1)) { - printf("sid 1 matched but shouldn't have: "); - goto end; - } - - SCMutexLock(&f.m); - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf2, http_len2); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r); - result = 0; - SCMutexUnlock(&f.m); - goto end; - } - SCMutexUnlock(&f.m); - - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p2); - - - if (!PacketAlertCheck(p2, 1)) { - printf("sid 1 did not match but should have: "); - goto end; - } - - SCMutexLock(&f.m); - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf3, http_len3); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r); - result = 0; - SCMutexUnlock(&f.m); - goto end; - } - SCMutexUnlock(&f.m); - - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p2); - - if (!PacketAlertCheck(p2, 2)) { - printf("sid 2 did not match but should have: "); - goto end; - } - - SCMutexLock(&f.m); - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf4, http_len4); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r); - result = 0; - SCMutexUnlock(&f.m); - goto end; - } - SCMutexUnlock(&f.m); - - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p2); - - if (!PacketAlertCheck(p2, 3)) { - printf("sid 3 did not match but should have: "); - goto end; - } - - result = 1; - -end: - if (alp_tctx != NULL) - AppLayerParserThreadCtxFree(alp_tctx); - if (de_ctx != NULL) - SigGroupCleanup(de_ctx); - if (de_ctx != NULL) - SigCleanSignatures(de_ctx); - if (de_ctx != NULL) - DetectEngineCtxFree(de_ctx); - - StreamTcpFreeConfig(TRUE); - FLOW_DESTROY(&f); - UTHFreePackets(&p1, 1); - UTHFreePackets(&p2, 1); - EngineModeSetIDS(); - HTPFreeConfig(); - ConfDeInit(); - ConfRestoreContextBackup(); - HtpConfigRestoreBackup(); - return result; -} - -/** - * in: buffer: - * [123] [123] - * [456] [3456] - */ -static int DetectEngineHttpServerBodyFileDataTest06(void) -{ - - char input[] = "\ -%YAML 1.1\n\ ----\n\ -libhtp:\n\ -\n\ - default-config:\n\ -\n\ - http-body-inline: yes\n\ - response-body-minimal-inspect-size: 1\n\ - response-body-inspect-window: 4\n\ -"; - - ConfCreateContextBackup(); - ConfInit(); - HtpConfigCreateBackup(); - - ConfYamlLoadString(input, strlen(input)); - HTPConfigure(); - EngineModeSetIPS(); - TcpSession ssn; - Packet *p1 = NULL; - Packet *p2 = NULL; - ThreadVars th_v; - DetectEngineCtx *de_ctx = NULL; - DetectEngineThreadCtx *det_ctx = NULL; - HtpState *http_state = NULL; - Flow f; - uint8_t http_buf1[] = - "GET /index.html HTTP/1.0\r\n" - "Host: www.openinfosecfoundation.org\r\n" - "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" - "\r\n"; - uint32_t http_len1 = sizeof(http_buf1) - 1; - uint8_t http_buf2[] = - "HTTP/1.0 200 ok\r\n" - "Content-Type: text/html\r\n" - "Content-Length: 6\r\n" - "\r\n" - "123"; - uint32_t http_len2 = sizeof(http_buf2) - 1; - uint8_t http_buf3[] = "456"; - uint32_t http_len3 = sizeof(http_buf3) - 1; - - int result = 0; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&th_v, 0, sizeof(th_v)); - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); - p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.flags |= FLOW_IPV4; - - p1->flow = &f; - p1->flowflags |= FLOW_PKT_TOSERVER; - p1->flowflags |= FLOW_PKT_ESTABLISHED; - p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - p2->flow = &f; - p2->flowflags |= FLOW_PKT_TOCLIENT; - p2->flowflags |= FLOW_PKT_ESTABLISHED; - p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - f.alproto = ALPROTO_HTTP; - - StreamTcpInitConfig(TRUE); - - de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto end; - - de_ctx->flags |= DE_QUIET; - - if (!(DetectEngineAppendSig(de_ctx, "alert http any any -> any any " - "(msg:\"http server body test\"; " - "file_data; content:\"123\"; sid:1;)"))) - goto end; - - if (!(DetectEngineAppendSig(de_ctx, "alert http any any -> any any " - "(msg:\"http server body test\"; " - "file_data; content:\"3456\"; sid:2;)"))) - goto end; - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - SCMutexLock(&f.m); - int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_len1); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); - result = 0; - SCMutexUnlock(&f.m); - goto end; - } - SCMutexUnlock(&f.m); - - http_state = f.alstate; - if (http_state == NULL) { - printf("no http state: \n"); - result = 0; - goto end; - } - - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p1); - - if (PacketAlertCheck(p1, 1)) { - printf("sid 1 matched but shouldn't have: "); - goto end; - } - - SCMutexLock(&f.m); - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf2, http_len2); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r); - result = 0; - SCMutexUnlock(&f.m); - goto end; - } - SCMutexUnlock(&f.m); - - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p2); - - - if (!PacketAlertCheck(p2, 1)) { - printf("sid 1 did not match but should have: "); - goto end; - } - - SCMutexLock(&f.m); - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf3, http_len3); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r); - result = 0; - SCMutexUnlock(&f.m); - goto end; - } - SCMutexUnlock(&f.m); - - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p2); - - if (!PacketAlertCheck(p2, 2)) { - printf("sid 2 did not match but should have: "); - goto end; - } - - result = 1; - -end: - if (alp_tctx != NULL) - AppLayerParserThreadCtxFree(alp_tctx); - if (de_ctx != NULL) - SigGroupCleanup(de_ctx); - if (de_ctx != NULL) - SigCleanSignatures(de_ctx); - if (de_ctx != NULL) - DetectEngineCtxFree(de_ctx); - - StreamTcpFreeConfig(TRUE); - FLOW_DESTROY(&f); - UTHFreePackets(&p1, 1); - UTHFreePackets(&p2, 1); - EngineModeSetIDS(); - HTPFreeConfig(); - ConfDeInit(); - ConfRestoreContextBackup(); - HtpConfigRestoreBackup(); - return result; -} - -/** - * in: buffer: - * [ab] [ab] - * [c] [abc] - * [de] [bcde] - */ -static int DetectEngineHttpServerBodyFileDataTest07(void) -{ - - char input[] = "\ -%YAML 1.1\n\ ----\n\ -libhtp:\n\ -\n\ - default-config:\n\ -\n\ - http-body-inline: yes\n\ - response-body-minimal-inspect-size: 1\n\ - response-body-inspect-window: 4\n\ -"; - - ConfCreateContextBackup(); - ConfInit(); - HtpConfigCreateBackup(); - - ConfYamlLoadString(input, strlen(input)); - HTPConfigure(); - EngineModeSetIPS(); - TcpSession ssn; - Packet *p1 = NULL; - Packet *p2 = NULL; - ThreadVars th_v; - DetectEngineCtx *de_ctx = NULL; - DetectEngineThreadCtx *det_ctx = NULL; - HtpState *http_state = NULL; - Flow f; - uint8_t http_buf1[] = - "GET /index.html HTTP/1.0\r\n" - "Host: www.openinfosecfoundation.org\r\n" - "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" - "\r\n"; - uint32_t http_len1 = sizeof(http_buf1) - 1; - uint8_t http_buf2[] = - "HTTP/1.0 200 ok\r\n" - "Content-Type: text/html\r\n" - "Content-Length: 5\r\n" - "\r\n" - "ab"; - uint32_t http_len2 = sizeof(http_buf2) - 1; - uint8_t http_buf3[] = "c"; - uint32_t http_len3 = sizeof(http_buf3) - 1; - uint8_t http_buf4[] = "de"; - uint32_t http_len4 = sizeof(http_buf4) - 1; - - int result = 0; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&th_v, 0, sizeof(th_v)); - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); - p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.flags |= FLOW_IPV4; - - p1->flow = &f; - p1->flowflags |= FLOW_PKT_TOSERVER; - p1->flowflags |= FLOW_PKT_ESTABLISHED; - p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - p2->flow = &f; - p2->flowflags |= FLOW_PKT_TOCLIENT; - p2->flowflags |= FLOW_PKT_ESTABLISHED; - p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - f.alproto = ALPROTO_HTTP; - - StreamTcpInitConfig(TRUE); - - de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto end; - - de_ctx->flags |= DE_QUIET; - - if (!(DetectEngineAppendSig(de_ctx, "alert http any any -> any any " - "(msg:\"http server body test\"; " - "file_data; content:\"ab\"; sid:1;)"))) - goto end; - - if (!(DetectEngineAppendSig(de_ctx, "alert http any any -> any any " - "(msg:\"http server body test\"; " - "file_data; content:\"abc\"; sid:2;)"))) - goto end; - - if (!(DetectEngineAppendSig(de_ctx, "alert http any any -> any any " - "(msg:\"http server body test\"; " - "file_data; content:\"bcde\"; sid:3;)"))) - goto end; - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - SCMutexLock(&f.m); - int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_len1); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); - result = 0; - SCMutexUnlock(&f.m); - goto end; - } - SCMutexUnlock(&f.m); - - http_state = f.alstate; - if (http_state == NULL) { - printf("no http state: \n"); - result = 0; - goto end; - } - - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p1); - - if (PacketAlertCheck(p1, 1)) { - printf("sid 1 matched but shouldn't have: "); - goto end; - } - - SCMutexLock(&f.m); - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf2, http_len2); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r); - result = 0; - SCMutexUnlock(&f.m); - goto end; - } - SCMutexUnlock(&f.m); - - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p2); - - - if (!PacketAlertCheck(p2, 1)) { - printf("sid 1 did not match but should have: "); - goto end; - } - - SCMutexLock(&f.m); - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf3, http_len3); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r); - result = 0; - SCMutexUnlock(&f.m); - goto end; - } - SCMutexUnlock(&f.m); - - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p2); - - if (!PacketAlertCheck(p2, 2)) { - printf("sid 2 did not match but should have: "); - goto end; - } - - SCMutexLock(&f.m); - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf4, http_len4); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r); - result = 0; - SCMutexUnlock(&f.m); - goto end; - } - SCMutexUnlock(&f.m); - - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p2); - - if (!PacketAlertCheck(p2, 3)) { - printf("sid 2 did not match but should have: "); - goto end; - } - - result = 1; - -end: - if (alp_tctx != NULL) - AppLayerParserThreadCtxFree(alp_tctx); - if (de_ctx != NULL) - SigGroupCleanup(de_ctx); - if (de_ctx != NULL) - SigCleanSignatures(de_ctx); - if (de_ctx != NULL) - DetectEngineCtxFree(de_ctx); - - StreamTcpFreeConfig(TRUE); - FLOW_DESTROY(&f); - UTHFreePackets(&p1, 1); - UTHFreePackets(&p2, 1); - EngineModeSetIDS(); - HTPFreeConfig(); - ConfDeInit(); - ConfRestoreContextBackup(); - HtpConfigRestoreBackup(); - return result; -} - -/** - * in: buffer: - * [abcd] [abcd] - * [efgh] [defgh] - */ -static int DetectEngineHttpServerBodyFileDataTest08(void) -{ - - char input[] = "\ + const char yaml[] = "\ %YAML 1.1\n\ ---\n\ libhtp:\n\ \n\ default-config:\n\ -\n\ - http-body-inline: yes\n\ - response-body-minimal-inspect-size: 1\n\ - response-body-inspect-window: 4\n\ -"; - - ConfCreateContextBackup(); - ConfInit(); - HtpConfigCreateBackup(); - - ConfYamlLoadString(input, strlen(input)); - HTPConfigure(); - EngineModeSetIPS(); - TcpSession ssn; - Packet *p1 = NULL; - Packet *p2 = NULL; - ThreadVars th_v; - DetectEngineCtx *de_ctx = NULL; - DetectEngineThreadCtx *det_ctx = NULL; - HtpState *http_state = NULL; - Flow f; - uint8_t http_buf1[] = - "GET /index.html HTTP/1.0\r\n" - "Host: www.openinfosecfoundation.org\r\n" - "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" - "\r\n"; - uint32_t http_len1 = sizeof(http_buf1) - 1; - uint8_t http_buf2[] = - "HTTP/1.0 200 ok\r\n" - "Content-Type: text/html\r\n" - "Content-Length: 8\r\n" - "\r\n" - "abcd"; - uint32_t http_len2 = sizeof(http_buf2) - 1; - uint8_t http_buf3[] = "efgh"; - uint32_t http_len3 = sizeof(http_buf3) - 1; - - int result = 0; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&th_v, 0, sizeof(th_v)); - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); - p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.flags |= FLOW_IPV4; - - p1->flow = &f; - p1->flowflags |= FLOW_PKT_TOSERVER; - p1->flowflags |= FLOW_PKT_ESTABLISHED; - p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - p2->flow = &f; - p2->flowflags |= FLOW_PKT_TOCLIENT; - p2->flowflags |= FLOW_PKT_ESTABLISHED; - p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - f.alproto = ALPROTO_HTTP; - - StreamTcpInitConfig(TRUE); - - de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto end; - - de_ctx->flags |= DE_QUIET; - - if (!(DetectEngineAppendSig(de_ctx, "alert http any any -> any any " - "(msg:\"http server body test\"; " - "file_data; content:\"abcd\"; sid:1;)"))) - goto end; - - if (!(DetectEngineAppendSig(de_ctx, "alert http any any -> any any " - "(msg:\"http server body test\"; " - "file_data; content:\"defgh\"; sid:2;)"))) - goto end; - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - SCMutexLock(&f.m); - int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_len1); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); - result = 0; - SCMutexUnlock(&f.m); - goto end; - } - SCMutexUnlock(&f.m); - - http_state = f.alstate; - if (http_state == NULL) { - printf("no http state: \n"); - result = 0; - goto end; - } - - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p1); - - if (PacketAlertCheck(p1, 1)) { - printf("sid 1 matched but shouldn't have: "); - goto end; - } - - SCMutexLock(&f.m); - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf2, http_len2); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r); - result = 0; - SCMutexUnlock(&f.m); - goto end; - } - SCMutexUnlock(&f.m); - - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p2); - - - if (!PacketAlertCheck(p2, 1)) { - printf("sid 1 did not match but should have: "); - goto end; - } - - SCMutexLock(&f.m); - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf3, http_len3); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r); - result = 0; - SCMutexUnlock(&f.m); - goto end; - } - SCMutexUnlock(&f.m); - - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p2); - - if (!PacketAlertCheck(p2, 2)) { - printf("sid 2 did not match but should have: "); - goto end; - } - - result = 1; +\n\ + http-body-inline: yes\n\ + response-body-minimal-inspect-size: 6\n\ + response-body-inspect-window: 3\n\ +"; -end: - if (alp_tctx != NULL) - AppLayerParserThreadCtxFree(alp_tctx); - if (de_ctx != NULL) - SigGroupCleanup(de_ctx); - if (de_ctx != NULL) - SigCleanSignatures(de_ctx); - if (de_ctx != NULL) - DetectEngineCtxFree(de_ctx); + struct TestSteps steps[] = { + { (const uint8_t *)"GET /index.html HTTP/1.0\r\n" + "Host: www.openinfosecfoundation.org\r\n" + "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" + "\r\n", + 0, STREAM_TOSERVER, 0 }, + { (const uint8_t *)"HTTP/1.0 200 ok\r\n" + "Content-Type: text/html\r\n" + "Content-Length: 5\r\n" + "\r\n" + "ab", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"c", + 0, STREAM_TOCLIENT, 1 }, + { (const uint8_t *)"de", + 0, STREAM_TOCLIENT, 0 }, + { NULL, 0, 0, 0 }, + }; - StreamTcpFreeConfig(TRUE); - FLOW_DESTROY(&f); - UTHFreePackets(&p1, 1); - UTHFreePackets(&p2, 1); - EngineModeSetIDS(); - HTPFreeConfig(); - ConfDeInit(); - ConfRestoreContextBackup(); - HtpConfigRestoreBackup(); - return result; + const char *sig = "alert http any any -> any any (file_data; content:\"abc\"; depth:3; sid:1;)"; + return RunTest(steps, sig, yaml); } -/** - * in: buffer: - * [a] [a] - * [b] [ab] - * [c] [abc] - * [d] [abcd] - * [efghijklm] [defghijklm] - */ -static int DetectEngineHttpServerBodyFileDataTest09(void) +static int DetectEngineHttpServerBodyFileDataTest11(void) { - char input[] = "\ + const char yaml[] = "\ %YAML 1.1\n\ ---\n\ libhtp:\n\ @@ -4743,206 +4117,307 @@ libhtp:\n\ default-config:\n\ \n\ http-body-inline: yes\n\ - response-body-minimal-inspect-size: 1\n\ - response-body-inspect-window: 4\n\ + response-body-minimal-inspect-size: 6\n\ + response-body-inspect-window: 3\n\ "; - ConfCreateContextBackup(); - ConfInit(); - HtpConfigCreateBackup(); + struct TestSteps steps[] = { + { (const uint8_t *)"GET /index.html HTTP/1.0\r\n" + "Host: www.openinfosecfoundation.org\r\n" + "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" + "\r\n", + 0, STREAM_TOSERVER, 0 }, + { (const uint8_t *)"HTTP/1.0 200 ok\r\n" + "Content-Type: text/html\r\n" + "Content-Length: 5\r\n" + "\r\n" + "ab", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"c", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"de", + 0, STREAM_TOCLIENT, 1 }, + { NULL, 0, 0, 0 }, + }; - ConfYamlLoadString(input, strlen(input)); - HTPConfigure(); - EngineModeSetIPS(); - TcpSession ssn; - Packet *p1 = NULL; - Packet *p2 = NULL; - ThreadVars th_v; - DetectEngineCtx *de_ctx = NULL; - DetectEngineThreadCtx *det_ctx = NULL; - HtpState *http_state = NULL; - Flow f; - uint8_t http_buf1[] = - "GET /index.html HTTP/1.0\r\n" - "Host: www.openinfosecfoundation.org\r\n" - "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" - "\r\n"; - uint32_t http_len1 = sizeof(http_buf1) - 1; - uint8_t http_buf2[] = - "HTTP/1.0 200 ok\r\n" - "Content-Type: text/html\r\n" - "Content-Length: 13\r\n" - "\r\n" - "a"; - uint32_t http_len2 = sizeof(http_buf2) - 1; - uint8_t http_buf3[] = "b"; - uint32_t http_len3 = sizeof(http_buf3) - 1; - uint8_t http_buf4[] = "c"; - uint32_t http_len4 = sizeof(http_buf4) - 1; - uint8_t http_buf5[] = "d"; - uint32_t http_len5 = sizeof(http_buf5) - 1; - uint8_t http_buf6[] = "efghijklm"; - uint32_t http_len6 = sizeof(http_buf6) - 1; + const char *sig = "alert http any any -> any any (file_data; content:\"bcde\"; offset:1; depth:4; sid:1;)"; + return RunTest(steps, sig, yaml); +} - int result = 0; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); +static int DetectEngineHttpServerBodyFileDataTest12(void) +{ - memset(&th_v, 0, sizeof(th_v)); - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); + const char yaml[] = "\ +%YAML 1.1\n\ +---\n\ +libhtp:\n\ +\n\ + default-config:\n\ +\n\ + http-body-inline: yes\n\ + response-body-minimal-inspect-size: 6\n\ + response-body-inspect-window: 3\n\ +"; - p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); - p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP); + struct TestSteps steps[] = { + { (const uint8_t *)"GET /index.html HTTP/1.0\r\n" + "Host: www.openinfosecfoundation.org\r\n" + "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" + "\r\n", + 0, STREAM_TOSERVER, 0 }, + { (const uint8_t *)"HTTP/1.0 200 ok\r\n" + "Content-Type: text/html\r\n" + "Content-Length: 13\r\n" + "\r\n" + "a", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"b", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"c", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"d", + 0, STREAM_TOCLIENT, 1 }, + { (const uint8_t *)"efghijklm", + 0, STREAM_TOCLIENT, 0 }, + { NULL, 0, 0, 0 }, + }; - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.flags |= FLOW_IPV4; + const char *sig = "alert http any any -> any any (file_data; content:\"abcd\"; sid:1;)"; + return RunTest(steps, sig, yaml); +} - p1->flow = &f; - p1->flowflags |= FLOW_PKT_TOSERVER; - p1->flowflags |= FLOW_PKT_ESTABLISHED; - p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - p2->flow = &f; - p2->flowflags |= FLOW_PKT_TOCLIENT; - p2->flowflags |= FLOW_PKT_ESTABLISHED; - p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - f.alproto = ALPROTO_HTTP; +static int DetectEngineHttpServerBodyFileDataTest13(void) +{ - StreamTcpInitConfig(TRUE); + const char yaml[] = "\ +%YAML 1.1\n\ +---\n\ +libhtp:\n\ +\n\ + default-config:\n\ +\n\ + http-body-inline: yes\n\ + response-body-minimal-inspect-size: 6\n\ + response-body-inspect-window: 3\n\ +"; - de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto end; + struct TestSteps steps[] = { + { (const uint8_t *)"GET /index.html HTTP/1.0\r\n" + "Host: www.openinfosecfoundation.org\r\n" + "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" + "\r\n", + 0, STREAM_TOSERVER, 0 }, + { (const uint8_t *)"HTTP/1.0 200 ok\r\n" + "Content-Type: text/html\r\n" + "Content-Length: 13\r\n" + "\r\n" + "a", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"b", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"c", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"d", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"efghijklm", + 0, STREAM_TOCLIENT, 1 }, + { NULL, 0, 0, 0 }, + }; - de_ctx->flags |= DE_QUIET; + const char *sig = "alert http any any -> any any (file_data; content:\"abcdefghijklm\"; sid:1;)"; + return RunTest(steps, sig, yaml); +} - if (!(DetectEngineAppendSig(de_ctx, "alert http any any -> any any " - "(msg:\"http server body test\"; " - "file_data; content:\"abcd\"; sid:1;)"))) - goto end; +static int DetectEngineHttpServerBodyFileDataTest14(void) +{ - if (!(DetectEngineAppendSig(de_ctx, "alert http any any -> any any " - "(msg:\"http server body test\"; " - "file_data; content:\"defghijklm\"; sid:2;)"))) - goto end; + const char yaml[] = "\ +%YAML 1.1\n\ +---\n\ +libhtp:\n\ +\n\ + default-config:\n\ +\n\ + http-body-inline: yes\n\ + response-body-minimal-inspect-size: 6\n\ + response-body-inspect-window: 3\n\ +"; - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + struct TestSteps steps[] = { + { (const uint8_t *)"GET /index.html HTTP/1.0\r\n" + "Host: www.openinfosecfoundation.org\r\n" + "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" + "\r\n", + 0, STREAM_TOSERVER, 0 }, + { (const uint8_t *)"HTTP/1.0 200 ok\r\n" + "Content-Type: text/html\r\n" + "Content-Length: 20\r\n" + "\r\n" + "1234567890", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"abcdefghi", + 0, STREAM_TOCLIENT, 1 }, + { NULL, 0, 0, 0 }, + }; - SCMutexLock(&f.m); - int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_len1); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); - result = 0; - SCMutexUnlock(&f.m); - goto end; - } - SCMutexUnlock(&f.m); + const char *sig = "alert http any any -> any any (file_data; content:\"890abcdefghi\"; sid:1;)"; + return RunTest(steps, sig, yaml); +} - http_state = f.alstate; - if (http_state == NULL) { - printf("no http state: \n"); - result = 0; - goto end; - } +static int DetectEngineHttpServerBodyFileDataTest15(void) +{ - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p1); + const char yaml[] = "\ +%YAML 1.1\n\ +---\n\ +libhtp:\n\ +\n\ + default-config:\n\ +\n\ + http-body-inline: yes\n\ + response-body-minimal-inspect-size: 6\n\ + response-body-inspect-window: 3\n\ +"; - if (PacketAlertCheck(p1, 1)) { - printf("sid 1 matched but shouldn't have: "); - goto end; - } + struct TestSteps steps[] = { + { (const uint8_t *)"GET /index.html HTTP/1.0\r\n" + "Host: www.openinfosecfoundation.org\r\n" + "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" + "\r\n", + 0, STREAM_TOSERVER, 0 }, + { (const uint8_t *)"HTTP/1.0 200 ok\r\n" + "Content-Type: text/html\r\n" + "Content-Length: 20\r\n" + "\r\n" + "1234567890", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"abcdefghi", + 0, STREAM_TOCLIENT, 0 }, + { NULL, 0, 0, 0 }, + }; - SCMutexLock(&f.m); - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf2, http_len2); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r); - result = 0; - SCMutexUnlock(&f.m); - goto end; - } - SCMutexUnlock(&f.m); + const char *sig = "alert http any any -> any any (file_data; content:\"7890ab\"; depth:6; sid:1;)"; + return RunTest(steps, sig, yaml); +} - SCMutexLock(&f.m); - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf3, http_len3); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r); - result = 0; - SCMutexUnlock(&f.m); - goto end; - } - SCMutexUnlock(&f.m); +static int DetectEngineHttpServerBodyFileDataTest16(void) +{ - SCMutexLock(&f.m); - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf4, http_len4); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r); - result = 0; - SCMutexUnlock(&f.m); - goto end; - } - SCMutexUnlock(&f.m); + const char yaml[] = "\ +%YAML 1.1\n\ +---\n\ +libhtp:\n\ +\n\ + default-config:\n\ +\n\ + http-body-inline: yes\n\ + response-body-minimal-inspect-size: 6\n\ + response-body-inspect-window: 3\n\ +"; - SCMutexLock(&f.m); - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf5, http_len5); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r); - result = 0; - SCMutexUnlock(&f.m); - goto end; - } - SCMutexUnlock(&f.m); + struct TestSteps steps[] = { + { (const uint8_t *)"GET /index.html HTTP/1.0\r\n" + "Host: www.openinfosecfoundation.org\r\n" + "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" + "\r\n", + 0, STREAM_TOSERVER, 0 }, + { (const uint8_t *)"HTTP/1.0 200 ok\r\n" + "Content-Type: text/html\r\n" + "Content-Length: 20\r\n" + "\r\n" + "aaaab", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"bbbbc", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"ccccd", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"dddde", + 0, STREAM_TOCLIENT, 0 }, + { NULL, 0, 0, 0 }, + }; - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p2); + const char *sig = "alert http any any -> any any (file_data; content:\"aabb\"; depth:4; sid:1;)"; + return RunTest(steps, sig, yaml); +} - if (!PacketAlertCheck(p2, 1)) { - printf("sid 1 did not match but should have: "); - goto end; - } +static int DetectEngineHttpServerBodyFileDataTest17(void) +{ - SCMutexLock(&f.m); - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf6, http_len6); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r); - result = 0; - SCMutexUnlock(&f.m); - goto end; - } - SCMutexUnlock(&f.m); + const char yaml[] = "\ +%YAML 1.1\n\ +---\n\ +libhtp:\n\ +\n\ + default-config:\n\ +\n\ + http-body-inline: yes\n\ + response-body-minimal-inspect-size: 6\n\ + response-body-inspect-window: 3\n\ +"; - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p2); + struct TestSteps steps[] = { + { (const uint8_t *)"GET /index.html HTTP/1.0\r\n" + "Host: www.openinfosecfoundation.org\r\n" + "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" + "\r\n", + 0, STREAM_TOSERVER, 0 }, + { (const uint8_t *)"HTTP/1.0 200 ok\r\n" + "Content-Type: text/html\r\n" + "Content-Length: 20\r\n" + "\r\n" + "aaaab", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"bbbbc", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"ccccd", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"dddde", + 0, STREAM_TOCLIENT, 0 }, + { NULL, 0, 0, 0 }, + }; - if (!PacketAlertCheck(p2, 2)) { - printf("sid 1 did not match but should have: "); - goto end; - } + const char *sig = "alert http any any -> any any (file_data; content:\"bbbc\"; depth:4; sid:1;)"; + return RunTest(steps, sig, yaml); +} - result = 1; +static int DetectEngineHttpServerBodyFileDataTest18(void) +{ -end: - if (alp_tctx != NULL) - AppLayerParserThreadCtxFree(alp_tctx); - if (de_ctx != NULL) - SigGroupCleanup(de_ctx); - if (de_ctx != NULL) - SigCleanSignatures(de_ctx); - if (de_ctx != NULL) - DetectEngineCtxFree(de_ctx); + const char yaml[] = "\ +%YAML 1.1\n\ +---\n\ +libhtp:\n\ +\n\ + default-config:\n\ +\n\ + http-body-inline: yes\n\ + response-body-minimal-inspect-size: 6\n\ + response-body-inspect-window: 3\n\ +"; - StreamTcpFreeConfig(TRUE); - FLOW_DESTROY(&f); - UTHFreePackets(&p1, 1); - UTHFreePackets(&p2, 1); - EngineModeSetIDS(); - HTPFreeConfig(); - ConfDeInit(); - ConfRestoreContextBackup(); - HtpConfigRestoreBackup(); - return result; + struct TestSteps steps[] = { + { (const uint8_t *)"GET /index.html HTTP/1.0\r\n" + "Host: www.openinfosecfoundation.org\r\n" + "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n" + "\r\n", + 0, STREAM_TOSERVER, 0 }, + { (const uint8_t *)"HTTP/1.0 200 ok\r\n" + "Content-Type: text/html\r\n" + "Content-Length: 20\r\n" + "\r\n" + "aaaab", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"bbbbc", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"ccccd", + 0, STREAM_TOCLIENT, 0 }, + { (const uint8_t *)"dddde", + 0, STREAM_TOCLIENT, 0 }, + { NULL, 0, 0, 0 }, + }; + + const char *sig = "alert http any any -> any any (file_data; content:\"bccd\"; depth:4; sid:1;)"; + return RunTest(steps, sig, yaml); } #endif /* UNITTESTS */ @@ -5013,6 +4488,25 @@ void DetectEngineHttpServerBodyRegisterTests(void) DetectEngineHttpServerBodyFileDataTest08, 1); UtRegisterTest("DetectEngineHttpServerBodyFileDataTest09", DetectEngineHttpServerBodyFileDataTest09, 1); + UtRegisterTest("DetectEngineHttpServerBodyFileDataTest10", + DetectEngineHttpServerBodyFileDataTest10, 1); + UtRegisterTest("DetectEngineHttpServerBodyFileDataTest11", + DetectEngineHttpServerBodyFileDataTest11, 1); + UtRegisterTest("DetectEngineHttpServerBodyFileDataTest12", + DetectEngineHttpServerBodyFileDataTest12, 1); + UtRegisterTest("DetectEngineHttpServerBodyFileDataTest13", + DetectEngineHttpServerBodyFileDataTest13, 1); + UtRegisterTest("DetectEngineHttpServerBodyFileDataTest14", + DetectEngineHttpServerBodyFileDataTest14, 1); + UtRegisterTest("DetectEngineHttpServerBodyFileDataTest15", + DetectEngineHttpServerBodyFileDataTest15, 1); + UtRegisterTest("DetectEngineHttpServerBodyFileDataTest16", + DetectEngineHttpServerBodyFileDataTest16, 1); + UtRegisterTest("DetectEngineHttpServerBodyFileDataTest17", + DetectEngineHttpServerBodyFileDataTest17, 1); + UtRegisterTest("DetectEngineHttpServerBodyFileDataTest18", + DetectEngineHttpServerBodyFileDataTest18, 1); + #endif /* UNITTESTS */ return;