Add unittest to test for http ambiguous host header.

Previously we would not check the port part of the host from the uri
hostname, while we did use the port part from the host header, leading
to FPs.

diff --git a/src/detect-http-header.c b/src/detect-http-header.c
index 064591b0757df6ac65d46a5da3d036f823a90550..3abbb375cf43f73a57ceecc913a001b5941fa624 100644 (file)
--- a/src/detect-http-header.c
+++ b/src/detect-http-header.c
@@ -1490,6 +1490,87 @@ int DetectHttpHeaderTest27(void)
     return result;
 }
 
+static int DetectHttpHeaderTest28(void)
+{
+    TcpSession ssn;
+    Packet *p = NULL;
+    ThreadVars th_v;
+    DetectEngineCtx *de_ctx = NULL;
+    DetectEngineThreadCtx *det_ctx = NULL;
+    Flow f;
+    uint8_t http_buf[] =
+        "POST http://xxx.intranet.local:8000/xxx HTTP/1.1\r\n"
+        "User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29\r\n"
+        "Host: xxx.intranet.local:8000\r\n"
+        "\r\n";
+    uint32_t http_len = sizeof(http_buf) - 1;
+    int result = 0;
+
+    memset(&th_v, 0, sizeof(th_v));
+    memset(&f, 0, sizeof(f));
+    memset(&ssn, 0, sizeof(ssn));
+
+    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+    FLOW_INITIALIZE(&f);
+    f.protoctx = (void *)&ssn;
+    f.flags |= FLOW_IPV4;
+    p->flow = &f;
+    p->flowflags |= FLOW_PKT_TOSERVER;
+    p->flowflags |= FLOW_PKT_ESTABLISHED;
+    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+    f.alproto = ALPROTO_HTTP;
+
+    StreamTcpInitConfig(TRUE);
+
+    de_ctx = DetectEngineCtxInit();
+    if (de_ctx == NULL)
+        goto end;
+
+    de_ctx->flags |= DE_QUIET;
+
+    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+                               "(app-layer-event:http.host_header_ambiguous; "
+                               "sid:1;)");
+    if (de_ctx->sig_list == NULL)
+        goto end;
+
+    SigGroupBuild(de_ctx);
+    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+    SCMutexLock(&f.m);
+    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
+    if (r != 0) {
+        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+        result = 0;
+        SCMutexUnlock(&f.m);
+        goto end;
+    }
+    SCMutexUnlock(&f.m);
+
+    /* do detect */
+    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+
+    if (PacketAlertCheck(p, 1)) {
+        printf("sid 1 didn't match but should have: ");
+        goto end;
+    }
+
+    result = 1;
+ end:
+    if (de_ctx != NULL)
+        SigGroupCleanup(de_ctx);
+    if (de_ctx != NULL)
+        SigCleanSignatures(de_ctx);
+    if (de_ctx != NULL)
+        DetectEngineCtxFree(de_ctx);
+
+    StreamTcpFreeConfig(TRUE);
+    FLOW_DESTROY(&f);
+    UTHFreePackets(&p, 1);
+    return result;
+}
+
 #endif /* UNITTESTS */
 
 void DetectHttpHeaderRegisterTests(void)
@@ -1516,6 +1597,7 @@ void DetectHttpHeaderRegisterTests(void)
     UtRegisterTest("DetectHttpHeaderTest25", DetectHttpHeaderTest25, 1);
     UtRegisterTest("DetectHttpHeaderTest26", DetectHttpHeaderTest26, 1);
     UtRegisterTest("DetectHttpHeaderTest27", DetectHttpHeaderTest27, 1);
+    UtRegisterTest("DetectHttpHeaderTest28", DetectHttpHeaderTest28, 1);
 #endif /* UNITTESTS */
 
     return;