From: Modupe Falodun
Date: Fri, 4 Mar 2022 13:10:54 +0000 (+0100)
Subject: detect-pcre: remove unittests
X-Git-Tag: suricata-7.0.0-beta1~808
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=54bc43d3edd130bf08fd052670fd826a86f2bcdb;p=thirdparty%2Fsuricata.git

detect-pcre: remove unittests

These tests are reimplemented in Suricata-Verify

Task: 4911
---
diff --git a/src/detect-pcre.c b/src/detect-pcre.c
index 933361f85a..0ce9cdda80 100644
--- a/src/detect-pcre.c
+++ b/src/detect-pcre.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2021 Open Information Security Foundation
+/* Copyright (C) 2007-2022 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
@@ -1656,1076 +1656,54 @@ static int DetectPcreParseTest28(void) static int DetectPcreTestSig01(void) { - uint8_t *buf = (uint8_t *) - "GET /one/ HTTP/1.1\r\n" - "Host: one.example.org\r\n" - "\r\n\r\n" - "GET /two/ HTTP/1.1\r\n" - "Host: two.example.org\r\n" - "\r\n\r\n"; + uint8_t *buf = (uint8_t *)"lalala lalala\\ lala\n"; uint16_t buflen = strlen((char *)buf); - Packet *p = NULL; - ThreadVars th_v; - DetectEngineThreadCtx *det_ctx = NULL; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&th_v, 0, sizeof(th_v)); - - StreamTcpInitConfig(true); - - p = UTHBuildPacket(buf, buflen, IPPROTO_TCP); - FAIL_IF_NULL(p); - p->tcph->th_seq = htonl(1000); - Flow *f = UTHBuildFlow(AF_INET, "192.168.1.5", "192.168.1.1", 41424, 80); - FAIL_IF_NULL(f); - f->proto = IPPROTO_TCP; - UTHAddSessionToFlow(f, 1000, 1000); - UTHAddStreamToFlow(f, 0, buf, buflen); - - p->flow = f; - p->flowflags |= FLOW_PKT_TOSERVER; - p->flowflags |= FLOW_PKT_ESTABLISHED; - p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - f->alproto = ALPROTO_HTTP1; - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - FAIL_IF(de_ctx == NULL); - - de_ctx->flags |= DE_QUIET; - - de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; pcre:\"/^gEt/i\"; pcre:\"/\\/two\\//U\"; pcre:\"/GET \\/two\\//\"; pcre:\"/\\s+HTTP/R\"; sid:1;)"); - FAIL_IF(de_ctx->sig_list == NULL); - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - int r = AppLayerParserParse( - NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, buf, buflen); - FAIL_IF(r != 0); - - SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - FAIL_IF_NOT(PacketAlertCheck(p, 1) == 1); - - AppLayerParserThreadCtxFree(alp_tctx); - DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - DetectEngineCtxFree(de_ctx); - - UTHRemoveSessionFromFlow(f); - UTHFreeFlow(f); - - StreamTcpFreeConfig(true); - UTHFreePackets(&p, 1); - PASS; -} - -static int DetectPcreTestSig02(void) 
-{ - uint8_t *buf = (uint8_t *) - "GET /one/ HTTP/1.1\r\n" - "Host: one.example.org\r\n" - "\r\n\r\n" - "GET /two/ HTTP/1.1\r\n" - "Host: two.example.org\r\n" - "\r\n\r\n"; - uint16_t buflen = strlen((char *)buf); - Packet *p = NULL; - Flow f; - ThreadVars th_v; - DetectEngineThreadCtx *det_ctx; - - memset(&th_v, 0, sizeof(th_v)); - memset(&f, 0, sizeof(f)); - - FLOW_INITIALIZE(&f); - - p = UTHBuildPacket(buf, buflen, IPPROTO_TCP); - p->flow = &f; - p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - - pcre_match_limit = 100; - pcre_match_limit_recursion = 100; - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - FAIL_IF(de_ctx == NULL); - - de_ctx->flags |= DE_QUIET; - - de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; pcre:\"/two/O\"; sid:2;)"); - FAIL_IF(de_ctx->sig_list == NULL); - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - FAIL_IF_NOT(PacketAlertCheck(p, 2) == 1); - - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - - DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - DetectEngineCtxFree(de_ctx); - FLOW_DESTROY(&f); - - UTHFreePackets(&p, 1); - PASS; -} - -/** - * \test DetectPcreTestSig03Real negation test ! 
outside of "" this sig should not match - */ -static int DetectPcreTestSig03(void) -{ - uint8_t *buf = (uint8_t *) - "GET /one/ HTTP/1.1\r\n" - "Host: one.example.org\r\n" - "\r\n\r\n" - "GET /two/ HTTP/1.1\r\n" - "Host: two.example.org\r\n" - "\r\n\r\n"; - uint16_t buflen = strlen((char *)buf); - Packet *p = NULL; - ThreadVars th_v; - DetectEngineThreadCtx *det_ctx; - - memset(&th_v, 0, sizeof(th_v)); - - p = UTHBuildPacket(buf, buflen, IPPROTO_TCP); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - FAIL_IF(de_ctx == NULL); - - de_ctx->flags |= DE_QUIET; - - de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"GET\"; pcre:!\"/two/\"; sid:1;)"); - FAIL_IF(de_ctx->sig_list == NULL); - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - FAIL_IF(PacketAlertCheck(p, 1)); - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - - DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - DetectEngineCtxFree(de_ctx); - - UTHFreePackets(&p, 1); - PASS; -} - -/** - * \test Check the signature with pcre modifier P (match with L7 to http body data) - */ -static int DetectPcreModifPTest04(void) -{ - uint8_t httpbuf1[] = - "GET / HTTP/1.1\r\n" - "Host: www.emergingthreats.net\r\n" - "User-Agent: Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9.0.13) Gecko/2009080315 Ubuntu/8.10 (intrepid) Firefox/3.0.13\r\n" - "Accept: text/html,application/xhtml+xml,application/xml;q=0.9;q=0.8\r\n" - "Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3\r\n" - "Accept-Encoding: gzip,deflate\r\n" - "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" - "Date: Tue, 22 Sep 2009 19:24:48 GMT\r\n" - "Server: Apache\r\n" - "X-Powered-By: PHP/5.2.5\r\n" - "P3P: CP=\"NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM\"\r\n" - "Expires: Mon, 1 Jan 2001 00:00:00 GMT\r\n" - "Last-Modified: Tue, 22 Sep 2009 19:24:48 GMT\r\n" - "Cache-Control: no-store, no-cache, 
must-revalidate, post-check=0, pre-check=0\r\n" - "Pragma: no-cache\r\n" - "Keep-Alive: timeout=15, max=100\r\n" - "Connection: Keep-Alive\r\n" - "Transfer-Encoding: chunked\r\n" - "Content-Type: text/html; charset=utf-8\r\n" - "\r\n" - "15" - "\r\n" - "flow = &f; - p->flowflags |= FLOW_PKT_TOSERVER; - p->flowflags |= FLOW_PKT_ESTABLISHED; - p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - f.alproto = ALPROTO_HTTP1; - - StreamTcpInitConfig(true); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - FAIL_IF(de_ctx == NULL); - - de_ctx->flags |= DE_QUIET; - - s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:" - "\"Pcre modifier P\"; pcre:\"/DOCTYPE/P\"; " - "sid:1;)"); - FAIL_IF(s == NULL); - - s->next = SigInit(de_ctx,"alert http any any -> any any (msg:\"" - "Pcre modifier P (no match)\"; pcre:\"/blah/P\"; sid:2;)"); - FAIL_IF(s->next == NULL); - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - FLOWLOCK_WRLOCK(&f); - int r = AppLayerParserParse( - NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1); - FAIL_IF(r != 0); - FLOWLOCK_UNLOCK(&f); - - HtpState *http_state = f.alstate; - FAIL_IF(http_state == NULL); - - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - - FAIL_IF(!(PacketAlertCheck(p, 1))); - FAIL_IF(PacketAlertCheck(p, 2)); - - if (alp_tctx != NULL) - AppLayerParserThreadCtxFree(alp_tctx); - if (de_ctx != NULL) SigGroupCleanup(de_ctx); - if (de_ctx != NULL) SigCleanSignatures(de_ctx); - if (de_ctx != NULL) DetectEngineCtxFree(de_ctx); - - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - UTHFreePackets(&p, 1); - PASS; -} - -/** - * \test Check the signature with pcre modifier P (match with L7 to http body data) - * over fragmented chunks (DOCTYPE fragmented) - */ -static int DetectPcreModifPTest05(void) -{ - uint8_t httpbuf1[] = - "GET / HTTP/1.1\r\n" - "Host: www.emergingthreats.net\r\n" - "User-Agent: Mozilla/5.0 (X11; U; Linux i686; es-ES; 
rv:1.9.0.13) Gecko/2009080315 Ubuntu/8.10 (intrepid) Firefox/3.0.13\r\n" - "Accept: text/html,application/xhtml+xml,application/xml;q=0.9;q=0.8\r\n" - "Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3\r\n" - "Accept-Encoding: gzip,deflate\r\n" - "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" - "Date: Tue, 22 Sep 2009 19:24:48 GMT\r\n" - "Server: Apache\r\n" - "X-Powered-By: PHP/5.2.5\r\n" - "P3P: CP=\"NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM\"\r\n" - "Expires: Mon, 1 Jan 2001 00:00:00 GMT\r\n" - "Last-Modified: Tue, 22 Sep 2009 19:24:48 GMT\r\n" - "Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\n" - "Pragma: no-cache\r\n" - "Keep-Alive: timeout=15, max=100\r\n" - "Connection: Keep-Alive\r\n" - "Transfer-Encoding: chunked\r\n" - "Content-Type: text/html; charset=utf-8\r\n" - "\r\n" - "15" - "\r\n" - "flow = &f; - p1->flowflags |= FLOW_PKT_TOSERVER; - p1->flowflags |= FLOW_PKT_ESTABLISHED; - p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - p2->flow = &f; - p2->flowflags |= FLOW_PKT_TOSERVER; - p2->flowflags |= FLOW_PKT_ESTABLISHED; - p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - f.alproto = ALPROTO_HTTP1; - - StreamTcpInitConfig(true); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - FAIL_IF(de_ctx == NULL); - - de_ctx->flags |= DE_QUIET; - - s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:" - "\"Pcre modifier P\"; pcre:\"/DOC/P\"; " - "sid:1;)"); - FAIL_IF(s == NULL); - - s->next = SigInit(de_ctx,"alert http any any -> any any (msg:\"" - "Pcre modifier P (no match)\"; pcre:\"/DOCTYPE/P\"; sid:2;)"); - FAIL_IF(s->next == NULL); - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - FLOWLOCK_WRLOCK(&f); - int r = AppLayerParserParse( - NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1); - FAIL_IF(r != 0); - FLOWLOCK_UNLOCK(&f); - - /* do detect for p1 */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p1); - - HtpState *http_state = 
f.alstate; - FAIL_IF(http_state == NULL); - - FAIL_IF(PacketAlertCheck(p1, 1)); - - FAIL_IF(PacketAlertCheck(p1, 2)); - - FLOWLOCK_WRLOCK(&f); - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2); - FAIL_IF(r != 0); - FLOWLOCK_UNLOCK(&f); - - /* do detect for p2 */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p2); - - FAIL_IF(!(PacketAlertCheck(p2, 1))); - - FAIL_IF(!(PacketAlertCheck(p2, 2))); - - if (alp_tctx != NULL) - AppLayerParserThreadCtxFree(alp_tctx); - if (de_ctx != NULL) SigGroupCleanup(de_ctx); - if (de_ctx != NULL) SigCleanSignatures(de_ctx); - if (de_ctx != NULL) DetectEngineCtxFree(de_ctx); - - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - UTHFreePackets(&p1, 1); - UTHFreePackets(&p2, 1); - PASS; -} - -static int DetectPcreTestSig06(void) -{ - uint8_t *buf = (uint8_t *) - "lalala lalala\\ lala\n"; - uint16_t buflen = strlen((char *)buf); - Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP); + Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP); int result = 0; - char sig[] = "alert tcp any any -> any any (msg:\"pcre with an ending slash\"; pcre:\"/ lalala\\\\/\"; sid:1;)"; + char sig[] = "alert tcp any any -> any any (msg:\"pcre with an ending slash\"; pcre:\"/ " + "lalala\\\\/\"; sid:1;)"; if (UTHPacketMatchSig(p, sig) == 0) { result = 0; goto end; } result = 1; -end: - if (p != NULL) - UTHFreePacket(p); - return result; -} - -/** \test anchored pcre */ -static int DetectPcreTestSig07(void) -{ - uint8_t *buf = (uint8_t *) - "lalala\n"; - uint16_t buflen = strlen((char *)buf); - Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP); - - char sig[] = "alert tcp any any -> any any (msg:\"pcre with an ending slash\"; pcre:\"/^(la)+$/\"; sid:1;)"; - FAIL_IF(UTHPacketMatchSig(p, sig) == 0); - - if (p != NULL) - UTHFreePacket(p); - PASS; -} - -/** \test anchored pcre */ -static int DetectPcreTestSig08(void) -{ - /* test it also without ending in a newline "\n" */ - uint8_t *buf = (uint8_t *) - "lalala"; - 
uint16_t buflen = strlen((char *)buf); - Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP); - - char sig[] = "alert tcp any any -> any any (msg:\"pcre with an ending slash\"; pcre:\"/^(la)+$/\"; sid:1;)"; - FAIL_IF(UTHPacketMatchSig(p, sig) == 0); - - if (p != NULL) - UTHFreePacket(p); - PASS; -} - -/** \test Check the signature working to alert when cookie modifier is - * passed to pcre - */ -static int DetectPcreTestSig09(void) -{ - Flow f; - uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n" - "Cookie: dummy\r\n\r\n"; - uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */ - TcpSession ssn; - Packet *p = NULL; - Signature *s = NULL; - ThreadVars th_v; - DetectEngineThreadCtx *det_ctx = NULL; - HtpState *http_state = NULL; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&th_v, 0, sizeof(th_v)); - memset(&p, 0, sizeof(p)); - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.flags |= FLOW_IPV4; - - p->flow = &f; - p->flowflags |= FLOW_PKT_TOSERVER; - p->flowflags |= FLOW_PKT_ESTABLISHED; - p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - f.alproto = ALPROTO_HTTP1; - - StreamTcpInitConfig(true); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - FAIL_IF(de_ctx == NULL); - - de_ctx->flags |= DE_QUIET; - - s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:" - "\"HTTP cookie\"; pcre:\"/dummy/C\"; " - " sid:1;)"); - FAIL_IF(s == NULL); - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - FLOWLOCK_WRLOCK(&f); - int r = AppLayerParserParse( - NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1); - FAIL_IF(r != 0); - FLOWLOCK_UNLOCK(&f); - - http_state = f.alstate; - FAIL_IF(http_state == NULL); - - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - - 
FAIL_IF(!PacketAlertCheck(p, 1)); - - if (alp_tctx != NULL) - AppLayerParserThreadCtxFree(alp_tctx); - if (det_ctx != NULL) { - DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - } - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - DetectEngineCtxFree(de_ctx); - } - - StreamTcpFreeConfig(true); - UTHFreePackets(&p, 1); - PASS; -} - -/** \test Check the signature working to alert when cookie modifier is - * passed to a negated pcre - */ -static int DetectPcreTestSig10(void) -{ - Flow f; - uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n" - "Cookie: dummoOOooooO\r\n\r\n"; - uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */ - TcpSession ssn; - Packet *p = NULL; - Signature *s = NULL; - ThreadVars th_v; - DetectEngineThreadCtx *det_ctx = NULL; - HtpState *http_state = NULL; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&th_v, 0, sizeof(th_v)); - memset(&p, 0, sizeof(p)); - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.flags |= FLOW_IPV4; - - p->flow = &f; - p->flowflags |= FLOW_PKT_TOSERVER; - p->flowflags |= FLOW_PKT_ESTABLISHED; - p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - f.alproto = ALPROTO_HTTP1; - - StreamTcpInitConfig(true); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - FAIL_IF(de_ctx == NULL); - - de_ctx->flags |= DE_QUIET; - - s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:" - "\"HTTP cookie\"; pcre:!\"/dummy/C\"; " - " sid:1;)"); - FAIL_IF(s == NULL); - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - FLOWLOCK_WRLOCK(&f); - int r = AppLayerParserParse( - NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1); - FAIL_IF(r != 0); - FLOWLOCK_UNLOCK(&f); - - http_state = f.alstate; - FAIL_IF(http_state == NULL); - - /* do detect */ - 
SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - - FAIL_IF(!PacketAlertCheck(p, 1)); - - if (alp_tctx != NULL) - AppLayerParserThreadCtxFree(alp_tctx); - if (det_ctx != NULL) { - DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - } - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - DetectEngineCtxFree(de_ctx); - } - - StreamTcpFreeConfig(true); - UTHFreePackets(&p, 1); - PASS; -} - -/** \test Check the signature working to alert when method modifier is - * passed to pcre - */ -static int DetectPcreTestSig11(void) -{ - Flow f; - uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n" - "Cookie: dummy\r\n\r\n"; - uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */ - TcpSession ssn; - Packet *p = NULL; - Signature *s = NULL; - ThreadVars th_v; - DetectEngineThreadCtx *det_ctx = NULL; - HtpState *http_state = NULL; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&th_v, 0, sizeof(th_v)); - memset(&p, 0, sizeof(p)); - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.flags |= FLOW_IPV4; - - p->flow = &f; - p->flowflags |= FLOW_PKT_TOSERVER; - p->flowflags |= FLOW_PKT_ESTABLISHED; - p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - f.alproto = ALPROTO_HTTP1; - - StreamTcpInitConfig(true); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - FAIL_IF(de_ctx == NULL); - - de_ctx->flags |= DE_QUIET; - - s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:" - "\"HTTP method\"; pcre:\"/POST/M\"; " - " sid:1;)"); - FAIL_IF(s == NULL); - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - FLOWLOCK_WRLOCK(&f); - int r = AppLayerParserParse( - NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1); - FAIL_IF(r != 0); - FLOWLOCK_UNLOCK(&f); - - http_state = f.alstate; - FAIL_IF(http_state == NULL); - - /* do 
detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - - FAIL_IF(!PacketAlertCheck(p, 1)); - - if (alp_tctx != NULL) - AppLayerParserThreadCtxFree(alp_tctx); - if (det_ctx != NULL) { - DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - } - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - DetectEngineCtxFree(de_ctx); - } - - StreamTcpFreeConfig(true); - UTHFreePackets(&p, 1); - PASS; -} - -/** \test Check the signature working to alert when method modifier is - * passed to a negated pcre - */ -static int DetectPcreTestSig12(void) -{ - Flow f; - uint8_t httpbuf1[] = "GET / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n" - "Cookie: dummoOOooooO\r\n\r\n"; - uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */ - TcpSession ssn; - Packet *p = NULL; - Signature *s = NULL; - ThreadVars th_v; - DetectEngineThreadCtx *det_ctx = NULL; - HtpState *http_state = NULL; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&th_v, 0, sizeof(th_v)); - memset(&p, 0, sizeof(p)); - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.flags |= FLOW_IPV4; - - p->flow = &f; - p->flowflags |= FLOW_PKT_TOSERVER; - p->flowflags |= FLOW_PKT_ESTABLISHED; - p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - f.alproto = ALPROTO_HTTP1; - - StreamTcpInitConfig(true); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - FAIL_IF(de_ctx == NULL); - - de_ctx->flags |= DE_QUIET; - - s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:" - "\"HTTP method\"; pcre:!\"/POST/M\"; " - " sid:1;)"); - FAIL_IF(s == NULL); - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - FLOWLOCK_WRLOCK(&f); - int r = AppLayerParserParse( - NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1); - FAIL_IF(r != 0); - FLOWLOCK_UNLOCK(&f); - - http_state = f.alstate; - 
FAIL_IF(http_state == NULL); - - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - - FAIL_IF(!PacketAlertCheck(p, 1)); - - if (alp_tctx != NULL) - AppLayerParserThreadCtxFree(alp_tctx); - if (det_ctx != NULL) { - DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - } - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - DetectEngineCtxFree(de_ctx); - } - - StreamTcpFreeConfig(true); - UTHFreePackets(&p, 1); - PASS; -} - -/** \test Check the signature working to alert when header modifier is - * passed to pcre - */ -static int DetectPcreTestSig13(void) -{ - Flow f; - uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n" - "Cookie: dummy\r\n\r\n"; - uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */ - TcpSession ssn; - Packet *p = NULL; - Signature *s = NULL; - ThreadVars th_v; - DetectEngineThreadCtx *det_ctx = NULL; - HtpState *http_state = NULL; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&th_v, 0, sizeof(th_v)); - memset(&p, 0, sizeof(p)); - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.flags |= FLOW_IPV4; - - p->flow = &f; - p->flowflags |= FLOW_PKT_TOSERVER; - p->flowflags |= FLOW_PKT_ESTABLISHED; - p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - f.alproto = ALPROTO_HTTP1; - - StreamTcpInitConfig(true); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - FAIL_IF(de_ctx == NULL); - - de_ctx->flags |= DE_QUIET; - - s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:" - "\"HTTP header\"; pcre:\"/User[-_]Agent[:]?\\sMozilla/H\"; " - " sid:1;)"); - FAIL_IF(s == NULL); - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - FLOWLOCK_WRLOCK(&f); - int r = AppLayerParserParse( - NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1); - FAIL_IF(r != 0); - 
FLOWLOCK_UNLOCK(&f); - - http_state = f.alstate; - FAIL_IF(http_state == NULL); - - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - - FAIL_IF(!PacketAlertCheck(p, 1)); - - if (alp_tctx != NULL) - AppLayerParserThreadCtxFree(alp_tctx); - if (det_ctx != NULL) { - DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - } - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - DetectEngineCtxFree(de_ctx); - } - - StreamTcpFreeConfig(true); - UTHFreePackets(&p, 1); - PASS; -} - -/** \test Check the signature working to alert when header modifier is - * passed to a negated pcre - */ -static int DetectPcreTestSig14(void) -{ - Flow f; - uint8_t httpbuf1[] = "GET / HTTP/1.0\r\nUser-Agent: IEXPLORER/1.0\r\n" - "Cookie: dummoOOooooO\r\n\r\n"; - uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */ - TcpSession ssn; - Packet *p = NULL; - Signature *s = NULL; - ThreadVars th_v; - DetectEngineThreadCtx *det_ctx = NULL; - HtpState *http_state = NULL; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&th_v, 0, sizeof(th_v)); - memset(&p, 0, sizeof(p)); - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.flags |= FLOW_IPV4; - - p->flow = &f; - p->flowflags |= FLOW_PKT_TOSERVER; - p->flowflags |= FLOW_PKT_ESTABLISHED; - p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - f.alproto = ALPROTO_HTTP1; - - StreamTcpInitConfig(true); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - FAIL_IF(de_ctx == NULL); - - de_ctx->flags |= DE_QUIET; - - s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:" - "\"HTTP header\"; pcre:!\"/User-Agent[:]?\\s+Mozilla/H\"; " - " sid:1;)"); - FAIL_IF(s == NULL); - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - FLOWLOCK_WRLOCK(&f); - int r = AppLayerParserParse( - NULL, alp_tctx, &f, ALPROTO_HTTP1, 
STREAM_TOSERVER, httpbuf1, httplen1); - FAIL_IF(r != 0); - FLOWLOCK_UNLOCK(&f); - - http_state = f.alstate; - FAIL_IF(http_state == NULL); - - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - - FAIL_IF(!PacketAlertCheck(p, 1)); - - if (alp_tctx != NULL) - AppLayerParserThreadCtxFree(alp_tctx); - if (det_ctx != NULL) { - DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - } - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - DetectEngineCtxFree(de_ctx); - } - - StreamTcpFreeConfig(true); - UTHFreePackets(&p, 1); - PASS; -} - -/** \test Check the signature working to alert when cookie and relative modifiers are - * passed to pcre - */ -static int DetectPcreTestSig15(void) -{ - Flow f; - uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n" - "Cookie: dummy 1234\r\n\r\n"; - uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */ - TcpSession ssn; - Packet *p = NULL; - Signature *s = NULL; - ThreadVars th_v; - DetectEngineThreadCtx *det_ctx = NULL; - HtpState *http_state = NULL; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&th_v, 0, sizeof(th_v)); - memset(&p, 0, sizeof(p)); - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.flags |= FLOW_IPV4; - - p->flow = &f; - p->flowflags |= FLOW_PKT_TOSERVER; - p->flowflags |= FLOW_PKT_ESTABLISHED; - p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - f.alproto = ALPROTO_HTTP1; - - StreamTcpInitConfig(true); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - FAIL_IF(de_ctx == NULL); - - de_ctx->flags |= DE_QUIET; - - s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:" - "\"pcre relative HTTP cookie\"; content:\"dummy\";" - " http_cookie; pcre:\"/1234/RC\"; " - " sid:1;)"); - FAIL_IF(s == NULL); - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - 
FLOWLOCK_WRLOCK(&f); - int r = AppLayerParserParse( - NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1); - FAIL_IF(r != 0); - FLOWLOCK_UNLOCK(&f); - - http_state = f.alstate; - FAIL_IF(http_state == NULL); - - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - - FAIL_IF(!PacketAlertCheck(p, 1)); - - if (alp_tctx != NULL) - AppLayerParserThreadCtxFree(alp_tctx); - if (det_ctx != NULL) { - DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - } - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - DetectEngineCtxFree(de_ctx); - } - - StreamTcpFreeConfig(true); - UTHFreePackets(&p, 1); - PASS; +end: + if (p != NULL) + UTHFreePacket(p); + return result; } -/** \test Check the signature working to alert when method and relative modifiers are - * passed to pcre - */ -static int DetectPcreTestSig16(void) +/** \test anchored pcre */ +static int DetectPcreTestSig02(void) { - Flow f; - uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n" - "Cookie: dummy 1234\r\n\r\n"; - uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */ - TcpSession ssn; - Packet *p = NULL; - Signature *s = NULL; - ThreadVars th_v; - DetectEngineThreadCtx *det_ctx = NULL; - HtpState *http_state = NULL; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&th_v, 0, sizeof(th_v)); - memset(&p, 0, sizeof(p)); - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.flags |= FLOW_IPV4; - - p->flow = &f; - p->flowflags |= FLOW_PKT_TOSERVER; - p->flowflags |= FLOW_PKT_ESTABLISHED; - p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - f.alproto = ALPROTO_HTTP1; - - StreamTcpInitConfig(true); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - FAIL_IF(de_ctx == NULL); - - de_ctx->flags |= DE_QUIET; - - s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:" - "\"pcre relative HTTP 
method\"; content:\"PO\";" - " http_method; pcre:\"/ST/RM\"; " - " sid:1;)"); - FAIL_IF(s == NULL); - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - FLOWLOCK_WRLOCK(&f); - int r = AppLayerParserParse( - NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1); - FAIL_IF(r != 0); - FLOWLOCK_UNLOCK(&f); + uint8_t *buf = (uint8_t *)"lalala\n"; + uint16_t buflen = strlen((char *)buf); + Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP); - http_state = f.alstate; - FAIL_IF(http_state == NULL); + char sig[] = "alert tcp any any -> any any (msg:\"pcre with an ending slash\"; " + "pcre:\"/^(la)+$/\"; sid:1;)"; + FAIL_IF(UTHPacketMatchSig(p, sig) == 0); - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + if (p != NULL) + UTHFreePacket(p); + PASS; +} - FAIL_IF(!PacketAlertCheck(p, 1)); +/** \test anchored pcre */ +static int DetectPcreTestSig03(void) +{ + /* test it also without ending in a newline "\n" */ + uint8_t *buf = (uint8_t *)"lalala"; + uint16_t buflen = strlen((char *)buf); + Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP); - if (alp_tctx != NULL) - AppLayerParserThreadCtxFree(alp_tctx); - if (det_ctx != NULL) { - DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - } - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - DetectEngineCtxFree(de_ctx); - } + char sig[] = "alert tcp any any -> any any (msg:\"pcre with an ending slash\"; " + "pcre:\"/^(la)+$/\"; sid:1;)"; + FAIL_IF(UTHPacketMatchSig(p, sig) == 0); - StreamTcpFreeConfig(true); - UTHFreePackets(&p, 1); + if (p != NULL) + UTHFreePacket(p); PASS; } 
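Review bot: In the renumbered DetectPcreTestSig01, DetectPcreTestSig02 and DetectPcreTestSig03, the packet returned by UTHBuildPacket() is passed to UTHPacketMatchSig() without a NULL check, although the `if (p != NULL)` guard before UTHFreePacket() suggests a NULL return is possible. Adding `FAIL_IF_NULL(p);` directly after each `UTHBuildPacket(buf, buflen, IPPROTO_TCP)` call would turn an allocation failure into a clean test failure instead of relying on how the helper treats a NULL packet, which is not visible in this hunk. DetectPcreTestSig01 also keeps the `result`/`goto end` pattern while its two siblings use `FAIL_IF`/`PASS`; rewriting its check as `FAIL_IF(UTHPacketMatchSig(p, sig) == 0);` followed by `PASS;` would keep the three surviving tests consistent. The `msg:"pcre with an ending slash"` text in Sig02 and Sig03 appears to be copied from Sig01 and does not describe the anchored-pattern case they exercise.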
@@ -3151,324 +2129,6 @@ static int DetectPcreTxBodyChunksTest03(void) PASS; } -/** - * \test flowvar capture on http buffer - */ -static int DetectPcreFlowvarCapture01(void) -{ - uint8_t uabuf1[] = - "Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9.0.13) Gecko/2009080315 Ubuntu/8.10 (intrepid) Firefox/3.0.13"; - uint32_t ualen1 = sizeof(uabuf1) - 1; /* minus the \0 */ - uint8_t httpbuf1[] = - "GET / HTTP/1.1\r\n" - "Host: www.emergingthreats.net\r\n" - "User-Agent: Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9.0.13) Gecko/2009080315 Ubuntu/8.10 (intrepid) Firefox/3.0.13\r\n" - "Accept: text/html,application/xhtml+xml,application/xml;q=0.9;q=0.8\r\n" - "Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3\r\n" - "Accept-Encoding: gzip,deflate\r\n" - "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" - "Date: Tue, 22 Sep 2009 19:24:48 GMT\r\n" - "Server: Apache\r\n" - "\r\n" - "flow = &f; - p1->flowflags |= FLOW_PKT_TOSERVER; - p1->flowflags |= FLOW_PKT_ESTABLISHED; - p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - - StreamTcpInitConfig(true); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - FAIL_IF(de_ctx == NULL); - de_ctx->flags |= DE_QUIET; - - s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"User-Agent: \"; http_header; pcre:\"/(?P.*)\\r\\n/HR\"; sid:1;)"); - FAIL_IF(s == NULL); - - FAIL_IF(s->sm_lists[g_http_header_buffer_id] == NULL || - s->sm_lists[g_http_header_buffer_id]->next == NULL || - s->sm_lists[g_http_header_buffer_id]->next->type != DETECT_PCRE); - DetectPcreData *pd = (DetectPcreData *)s->sm_lists[g_http_header_buffer_id]->next->ctx; - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - FLOWLOCK_WRLOCK(&f); - int r = AppLayerParserParse( - NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1); - FAIL_IF(r != 0); - FLOWLOCK_UNLOCK(&f); - - HtpState *http_state = f.alstate; - FAIL_IF(http_state == NULL); - - /* do detect for p1 */ - 
SigMatchSignatures(&th_v, de_ctx, det_ctx, p1); - - FAIL_IF(!(PacketAlertCheck(p1, 1))); - - FlowVar *fv = FlowVarGet(&f, pd->capids[0]); - FAIL_IF(fv == NULL); - - FAIL_IF(fv->data.fv_str.value_len != ualen1); - - if (memcmp(fv->data.fv_str.value, uabuf1, ualen1) != 0) { - PrintRawDataFp(stdout, fv->data.fv_str.value, fv->data.fv_str.value_len); - PrintRawDataFp(stdout, uabuf1, ualen1); - - printf("buffer mismatch: "); - FAIL; - } - - if (alp_tctx != NULL) - AppLayerParserThreadCtxFree(alp_tctx); - if (de_ctx != NULL) - DetectEngineCtxFree(de_ctx); - - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - UTHFreePackets(&p1, 1); - PASS; -} - -/** - * \test flowvar capture on http buffer, capture overwrite - */ -static int DetectPcreFlowvarCapture02(void) -{ - uint8_t uabuf1[] = - "Apache"; - uint32_t ualen1 = sizeof(uabuf1) - 1; /* minus the \0 */ - uint8_t httpbuf1[] = - "GET / HTTP/1.1\r\n" - "Host: www.emergingthreats.net\r\n" - "User-Agent: Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9.0.13) Gecko/2009080315 Ubuntu/8.10 (intrepid) Firefox/3.0.13\r\n" - "Accept: text/html,application/xhtml+xml,application/xml;q=0.9;q=0.8\r\n" - "Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3\r\n" - "Accept-Encoding: gzip,deflate\r\n" - "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" - "Date: Tue, 22 Sep 2009 19:24:48 GMT\r\n" - "Server: Apache\r\n" - "\r\n" - "flow = &f; - p1->flowflags |= FLOW_PKT_TOSERVER; - p1->flowflags |= FLOW_PKT_ESTABLISHED; - p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - - StreamTcpInitConfig(true); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - FAIL_IF(de_ctx == NULL); - de_ctx->flags |= DE_QUIET; - - s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"User-Agent: \"; http_header; pcre:\"/(?P.*)\\r\\n/HR\"; priority:1; sid:1;)"); - FAIL_IF(s == NULL); - - FAIL_IF(s->sm_lists[g_http_header_buffer_id] == NULL || - s->sm_lists[g_http_header_buffer_id]->next == NULL || - s->sm_lists[g_http_header_buffer_id]->next->type 
!= DETECT_PCRE); - DetectPcreData *pd1 = (DetectPcreData *)s->sm_lists[g_http_header_buffer_id]->next->ctx; - - s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"Server: \"; http_header; pcre:\"/(?P.*)\\r\\n/HR\"; priority:3; sid:2;)"); - FAIL_IF(s == NULL); - - FAIL_IF(s->sm_lists[g_http_header_buffer_id] == NULL || - s->sm_lists[g_http_header_buffer_id]->next == NULL || - s->sm_lists[g_http_header_buffer_id]->next->type != DETECT_PCRE); - DetectPcreData *pd2 = (DetectPcreData *)s->sm_lists[g_http_header_buffer_id]->next->ctx; - - FAIL_IF(pd1->capids[0] != pd2->capids[0]); - - SCSigRegisterSignatureOrderingFuncs(de_ctx); - SCSigOrderSignatures(de_ctx); - SCSigSignatureOrderingModuleCleanup(de_ctx); - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - FLOWLOCK_WRLOCK(&f); - int r = AppLayerParserParse( - NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1); - FAIL_IF(r != 0); - FLOWLOCK_UNLOCK(&f); - - HtpState *http_state = f.alstate; - FAIL_IF(http_state == NULL); - - /* do detect for p1 */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p1); - - FAIL_IF(!(PacketAlertCheck(p1, 1))); - - FlowVar *fv = FlowVarGet(&f, pd1->capids[0]); - FAIL_IF(fv == NULL); - - if (fv->data.fv_str.value_len != ualen1) { - PrintRawDataFp(stdout, fv->data.fv_str.value, fv->data.fv_str.value_len); - PrintRawDataFp(stdout, uabuf1, ualen1); - printf("%u != %u: ", fv->data.fv_str.value_len, ualen1); - FAIL; - } - - if (memcmp(fv->data.fv_str.value, uabuf1, ualen1) != 0) { - PrintRawDataFp(stdout, fv->data.fv_str.value, fv->data.fv_str.value_len); - PrintRawDataFp(stdout, uabuf1, ualen1); - - printf("buffer mismatch: "); - FAIL; - } - - if (alp_tctx != NULL) - AppLayerParserThreadCtxFree(alp_tctx); - if (de_ctx != NULL) - DetectEngineCtxFree(de_ctx); - - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - UTHFreePackets(&p1, 1); - PASS; -} - -/** - * \test flowvar capture on http buffer, capture overwrite 
+ no matching sigs, so flowvars should not be set. - */ -static int DetectPcreFlowvarCapture03(void) -{ - uint8_t httpbuf1[] = - "GET / HTTP/1.1\r\n" - "Host: www.emergingthreats.net\r\n" - "User-Agent: Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9.0.13) Gecko/2009080315 Ubuntu/8.10 (intrepid) Firefox/3.0.13\r\n" - "Accept: text/html,application/xhtml+xml,application/xml;q=0.9;q=0.8\r\n" - "Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3\r\n" - "Accept-Encoding: gzip,deflate\r\n" - "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" - "Date: Tue, 22 Sep 2009 19:24:48 GMT\r\n" - "Server: Apache\r\n" - "\r\n" - "flow = &f; - p1->flowflags |= FLOW_PKT_TOSERVER; - p1->flowflags |= FLOW_PKT_ESTABLISHED; - p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - - StreamTcpInitConfig(true); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - FAIL_IF(de_ctx == NULL); - de_ctx->flags |= DE_QUIET; - - s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"User-Agent: \"; http_header; pcre:\"/(?P.*)\\r\\n/HR\"; content:\"xyz\"; http_header; priority:1; sid:1;)"); - FAIL_IF(s == NULL); - - FAIL_IF(s->sm_lists[g_http_header_buffer_id] == NULL || - s->sm_lists[g_http_header_buffer_id]->next == NULL || - s->sm_lists[g_http_header_buffer_id]->next->type != DETECT_PCRE); - DetectPcreData *pd1 = (DetectPcreData *)s->sm_lists[g_http_header_buffer_id]->next->ctx; - - s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"Server: \"; http_header; pcre:\"/(?P.*)\\r\\n/HR\"; content:\"xyz\"; http_header; priority:3; sid:2;)"); - FAIL_IF(s == NULL); - - FAIL_IF(s->sm_lists[g_http_header_buffer_id] == NULL || - s->sm_lists[g_http_header_buffer_id]->next == NULL || - s->sm_lists[g_http_header_buffer_id]->next->type != DETECT_PCRE); - DetectPcreData *pd2 = (DetectPcreData *)s->sm_lists[g_http_header_buffer_id]->next->ctx; - - FAIL_IF(pd1->capids[0] != pd2->capids[0]); - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void 
*)&det_ctx); - - FLOWLOCK_WRLOCK(&f); - int r = AppLayerParserParse( - NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1); - FAIL_IF(r != 0); - FLOWLOCK_UNLOCK(&f); - - HtpState *http_state = f.alstate; - FAIL_IF(http_state == NULL); - - /* do detect for p1 */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p1); - - FAIL_IF(PacketAlertCheck(p1, 1)); - - FlowVar *fv = FlowVarGet(&f, pd1->capids[0]); - FAIL_IF(fv != NULL); - - if (alp_tctx != NULL) - AppLayerParserThreadCtxFree(alp_tctx); - if (de_ctx != NULL) - DetectEngineCtxFree(de_ctx); - - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - UTHFreePackets(&p1, 1); - PASS; -} - /** * \brief Test parsing of pcre's with the W modifier set. */ 
@@ -3576,36 +2236,9 @@ static void DetectPcreRegisterTests(void) UtRegisterTest("DetectPcreParseTest27", DetectPcreParseTest27); UtRegisterTest("DetectPcreParseTest28", DetectPcreParseTest28); - UtRegisterTest("DetectPcreTestSig01 -- pcre test", DetectPcreTestSig01); - UtRegisterTest("DetectPcreTestSig02 -- pcre test", DetectPcreTestSig02); - UtRegisterTest("DetectPcreTestSig03 -- negated pcre test", - DetectPcreTestSig03); - - UtRegisterTest("DetectPcreModifPTest04 -- Modifier P", - DetectPcreModifPTest04); - UtRegisterTest("DetectPcreModifPTest05 -- Modifier P fragmented", - DetectPcreModifPTest05); - UtRegisterTest("DetectPcreTestSig06", DetectPcreTestSig06); - UtRegisterTest("DetectPcreTestSig07 -- anchored pcre", - DetectPcreTestSig07); - UtRegisterTest("DetectPcreTestSig08 -- anchored pcre", - DetectPcreTestSig08); - UtRegisterTest("DetectPcreTestSig09 -- Cookie modifier", - DetectPcreTestSig09); - UtRegisterTest("DetectPcreTestSig10 -- negated Cookie modifier", - DetectPcreTestSig10); - UtRegisterTest("DetectPcreTestSig11 -- Method modifier", - DetectPcreTestSig11); - UtRegisterTest("DetectPcreTestSig12 -- negated Method modifier", - DetectPcreTestSig12); - UtRegisterTest("DetectPcreTestSig13 -- Header modifier", - DetectPcreTestSig13); - UtRegisterTest("DetectPcreTestSig14 -- negated Header modifier", - DetectPcreTestSig14); - UtRegisterTest("DetectPcreTestSig15 -- relative Cookie modifier", - DetectPcreTestSig15); - UtRegisterTest("DetectPcreTestSig16 -- relative Method modifier", - DetectPcreTestSig16); + UtRegisterTest("DetectPcreTestSig01", DetectPcreTestSig01); + UtRegisterTest("DetectPcreTestSig02 -- anchored pcre", DetectPcreTestSig02); + UtRegisterTest("DetectPcreTestSig03 -- anchored pcre", DetectPcreTestSig03); UtRegisterTest("DetectPcreTxBodyChunksTest01", DetectPcreTxBodyChunksTest01); 
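Review bot: The added registrations for DetectPcreTestSig02 and DetectPcreTestSig03 carry the same label, `-- anchored pcre`, so a failing run does not show which input case broke. The earlier hunk shows Sig03 is the variant whose payload has no trailing newline, so I would register it as `UtRegisterTest("DetectPcreTestSig03 -- anchored pcre, no trailing newline", DetectPcreTestSig03);`. The names Sig02 and Sig03 were previously registered as "pcre test" and "negated pcre test", so results under these names are not comparable with older runs. Since the cookie, method and header modifier cases are no longer registered here, a one-line comment above these calls would help, for example `/* HTTP buffer modifier and flowvar capture cases are covered in Suricata-Verify */`. DetectPcreRegisterTests starts and ends outside this hunk.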
@@ -3614,13 +2247,6 @@ static void DetectPcreRegisterTests(void) UtRegisterTest("DetectPcreTxBodyChunksTest03 -- modifier P, body chunks per tx", DetectPcreTxBodyChunksTest03); - UtRegisterTest("DetectPcreFlowvarCapture01 -- capture for http_header", - DetectPcreFlowvarCapture01); - UtRegisterTest("DetectPcreFlowvarCapture02 -- capture for http_header", - DetectPcreFlowvarCapture02); - UtRegisterTest("DetectPcreFlowvarCapture03 -- capture for http_header", - DetectPcreFlowvarCapture03); - UtRegisterTest("DetectPcreParseHttpHost", DetectPcreParseHttpHost); UtRegisterTest("DetectPcreParseCaptureTest", DetectPcreParseCaptureTest);