suricata
detect-http-cookie.c
Go to the documentation of this file.
1/* Copyright (C) 2007-2016 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \ingroup httplayer
20 *
21 * @{
22 */
23
24
25/** \file
26 *
27 * \author Anoop Saldanha <anoopsaldanha@gmail.com>
28 * \author Victor Julien <victor@inliniac.net>
29 *
30 * \brief Handle HTTP cookie match
31 *
32 */
33
34#include "../suricata-common.h"
35#include "../suricata.h"
36#include "../flow-util.h"
37#include "../flow.h"
38#include "../app-layer-parser.h"
39#include "../util-unittest.h"
40#include "../util-unittest-helper.h"
41#include "../app-layer.h"
42#include "../app-layer-htp.h"
43#include "../app-layer-protos.h"
44#include "../detect-isdataat.h"
45#include "../detect-engine-build.h"
46#include "../detect-engine-alert.h"
47
48/***********************************Unittests**********************************/
49
50/**
51 * \test Test that the http_cookie content matches against a http request
52 * which holds the content.
53 */
54static int DetectEngineHttpCookieTest01(void)
55{
56 TcpSession ssn;
57 Packet *p = NULL;
58 ThreadVars th_v;
59 DetectEngineCtx *de_ctx = NULL;
60 DetectEngineThreadCtx *det_ctx = NULL;
61 HtpState *http_state = NULL;
62 Flow f;
63 uint8_t http_buf[] =
64 "GET /index.html HTTP/1.0\r\n"
65 "Cookie: CONNECT\r\n"
66 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
67 uint32_t http_len = sizeof(http_buf) - 1;
68 int result = 0;
69 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
70
71 memset(&th_v, 0, sizeof(th_v));
72 memset(&f, 0, sizeof(f));
73 memset(&ssn, 0, sizeof(ssn));
74
75 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
76
77 FLOW_INITIALIZE(&f);
78 f.protoctx = (void *)&ssn;
79 f.proto = IPPROTO_TCP;
80 f.flags |= FLOW_IPV4;
81 p->flow = &f;
82 p->flowflags |= FLOW_PKT_TOSERVER;
83 p->flowflags |= FLOW_PKT_ESTABLISHED;
84 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
85 f.alproto = ALPROTO_HTTP1;
86
87 StreamTcpInitConfig(true);
88
89 de_ctx = DetectEngineCtxInit();
90 if (de_ctx == NULL)
91 goto end;
92
93 de_ctx->flags |= DE_QUIET;
94
95 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
96 "(msg:\"http header test\"; "
97 "content:\"CONNECT\"; http_cookie; "
98 "sid:1;)");
99 if (de_ctx->sig_list == NULL)
100 goto end;
101
102 SigGroupBuild(de_ctx);
103 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
104
105 int r = AppLayerParserParse(
106 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
107 if (r != 0) {
108 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
109 result = 0;
110 goto end;
111 }
112
113 http_state = f.alstate;
114 if (http_state == NULL) {
115 printf("no http state: ");
116 result = 0;
117 goto end;
118 }
119
120 /* do detect */
121 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
122
123 if (!(PacketAlertCheck(p, 1))) {
124 printf("sid 1 didn't match but should have: ");
125 goto end;
126 }
127
128 result = 1;
129
130end:
131 if (alp_tctx != NULL)
132 AppLayerParserThreadCtxFree(alp_tctx);
133 if (de_ctx != NULL)
134 DetectEngineCtxFree(de_ctx);
135
136 StreamTcpFreeConfig(true);
137 FLOW_DESTROY(&f);
138 UTHFreePackets(&p, 1);
139 return result;
140}
141
142/**
143 * \test Test that the http_cookie content matches against a http request
144 * which holds the content.
145 */
146static int DetectEngineHttpCookieTest02(void)
147{
148 TcpSession ssn;
149 Packet *p = NULL;
150 ThreadVars th_v;
151 DetectEngineCtx *de_ctx = NULL;
152 DetectEngineThreadCtx *det_ctx = NULL;
153 HtpState *http_state = NULL;
154 Flow f;
155 uint8_t http_buf[] =
156 "CONNECT /index.html HTTP/1.0\r\n"
157 "Cookie: CONNECT\r\n"
158 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
159 uint32_t http_len = sizeof(http_buf) - 1;
160 int result = 0;
161 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
162
163 memset(&th_v, 0, sizeof(th_v));
164 memset(&f, 0, sizeof(f));
165 memset(&ssn, 0, sizeof(ssn));
166
167 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
168
169 FLOW_INITIALIZE(&f);
170 f.protoctx = (void *)&ssn;
171 f.proto = IPPROTO_TCP;
172 f.flags |= FLOW_IPV4;
173 p->flow = &f;
174 p->flowflags |= FLOW_PKT_TOSERVER;
175 p->flowflags |= FLOW_PKT_ESTABLISHED;
176 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
177 f.alproto = ALPROTO_HTTP1;
178
179 StreamTcpInitConfig(true);
180
181 de_ctx = DetectEngineCtxInit();
182 if (de_ctx == NULL)
183 goto end;
184
185 de_ctx->flags |= DE_QUIET;
186
187 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
188 "(msg:\"http header test\"; "
189 "content:\"CO\"; depth:4; http_cookie; "
190 "sid:1;)");
191 if (de_ctx->sig_list == NULL)
192 goto end;
193
194 SigGroupBuild(de_ctx);
195 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
196
197 int r = AppLayerParserParse(
198 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
199 if (r != 0) {
200 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
201 result = 0;
202 goto end;
203 }
204
205 http_state = f.alstate;
206 if (http_state == NULL) {
207 printf("no http state: ");
208 result = 0;
209 goto end;
210 }
211
212 /* do detect */
213 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
214
215 if (!(PacketAlertCheck(p, 1))) {
216 printf("sid 1 didn't match but should have: ");
217 goto end;
218 }
219
220 result = 1;
221
222end:
223 if (alp_tctx != NULL)
224 AppLayerParserThreadCtxFree(alp_tctx);
225 if (de_ctx != NULL)
226 DetectEngineCtxFree(de_ctx);
227
228 StreamTcpFreeConfig(true);
229 FLOW_DESTROY(&f);
230 UTHFreePackets(&p, 1);
231 return result;
232}
233
234/**
235 * \test Test that the http_cookie content matches against a http request
236 * which holds the content.
237 */
238static int DetectEngineHttpCookieTest03(void)
239{
240 TcpSession ssn;
241 Packet *p = NULL;
242 ThreadVars th_v;
243 DetectEngineCtx *de_ctx = NULL;
244 DetectEngineThreadCtx *det_ctx = NULL;
245 HtpState *http_state = NULL;
246 Flow f;
247 uint8_t http_buf[] =
248 "CONNECT /index.html HTTP/1.0\r\n"
249 "Cookie: CONNECT\r\n"
250 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
251 uint32_t http_len = sizeof(http_buf) - 1;
252 int result = 0;
253 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
254
255 memset(&th_v, 0, sizeof(th_v));
256 memset(&f, 0, sizeof(f));
257 memset(&ssn, 0, sizeof(ssn));
258
259 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
260
261 FLOW_INITIALIZE(&f);
262 f.protoctx = (void *)&ssn;
263 f.proto = IPPROTO_TCP;
264 f.flags |= FLOW_IPV4;
265 p->flow = &f;
266 p->flowflags |= FLOW_PKT_TOSERVER;
267 p->flowflags |= FLOW_PKT_ESTABLISHED;
268 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
269 f.alproto = ALPROTO_HTTP1;
270
271 StreamTcpInitConfig(true);
272
273 de_ctx = DetectEngineCtxInit();
274 if (de_ctx == NULL)
275 goto end;
276
277 de_ctx->flags |= DE_QUIET;
278
279 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
280 "(msg:\"http header test\"; "
281 "content:!\"ECT\"; depth:4; http_cookie; "
282 "sid:1;)");
283 if (de_ctx->sig_list == NULL)
284 goto end;
285
286 SigGroupBuild(de_ctx);
287 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
288
289 int r = AppLayerParserParse(
290 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
291 if (r != 0) {
292 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
293 result = 0;
294 goto end;
295 }
296
297 http_state = f.alstate;
298 if (http_state == NULL) {
299 printf("no http state: ");
300 result = 0;
301 goto end;
302 }
303
304 /* do detect */
305 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
306
307 if (!(PacketAlertCheck(p, 1))) {
308 printf("sid 1 didn't match but should have: ");
309 goto end;
310 }
311
312 result = 1;
313
314end:
315 if (alp_tctx != NULL)
316 AppLayerParserThreadCtxFree(alp_tctx);
317 if (de_ctx != NULL)
318 DetectEngineCtxFree(de_ctx);
319
320 StreamTcpFreeConfig(true);
321 FLOW_DESTROY(&f);
322 UTHFreePackets(&p, 1);
323 return result;
324}
325
326/**
327 * \test Test that the http_cookie content matches against a http request
328 * which holds the content.
329 */
330static int DetectEngineHttpCookieTest04(void)
331{
332 TcpSession ssn;
333 Packet *p = NULL;
334 ThreadVars th_v;
335 DetectEngineCtx *de_ctx = NULL;
336 DetectEngineThreadCtx *det_ctx = NULL;
337 HtpState *http_state = NULL;
338 Flow f;
339 uint8_t http_buf[] =
340 "CONNECT /index.html HTTP/1.0\r\n"
341 "Cookie: CONNECT\r\n"
342 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
343 uint32_t http_len = sizeof(http_buf) - 1;
344 int result = 0;
345 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
346
347 memset(&th_v, 0, sizeof(th_v));
348 memset(&f, 0, sizeof(f));
349 memset(&ssn, 0, sizeof(ssn));
350
351 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
352
353 FLOW_INITIALIZE(&f);
354 f.protoctx = (void *)&ssn;
355 f.proto = IPPROTO_TCP;
356 f.flags |= FLOW_IPV4;
357 p->flow = &f;
358 p->flowflags |= FLOW_PKT_TOSERVER;
359 p->flowflags |= FLOW_PKT_ESTABLISHED;
360 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
361 f.alproto = ALPROTO_HTTP1;
362
363 StreamTcpInitConfig(true);
364
365 de_ctx = DetectEngineCtxInit();
366 if (de_ctx == NULL)
367 goto end;
368
369 de_ctx->flags |= DE_QUIET;
370
371 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
372 "(msg:\"http header test\"; "
373 "content:\"ECT\"; depth:4; http_cookie; "
374 "sid:1;)");
375 if (de_ctx->sig_list == NULL)
376 goto end;
377
378 SigGroupBuild(de_ctx);
379 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
380
381 int r = AppLayerParserParse(
382 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
383 if (r != 0) {
384 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
385 result = 0;
386 goto end;
387 }
388
389 http_state = f.alstate;
390 if (http_state == NULL) {
391 printf("no http state: ");
392 result = 0;
393 goto end;
394 }
395
396 /* do detect */
397 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
398
399 if (PacketAlertCheck(p, 1)) {
400 printf("sid 1 matched but shouldn't have: ");
401 goto end;
402 }
403
404 result = 1;
405
406end:
407 if (alp_tctx != NULL)
408 AppLayerParserThreadCtxFree(alp_tctx);
409 if (de_ctx != NULL)
410 DetectEngineCtxFree(de_ctx);
411
412 StreamTcpFreeConfig(true);
413 FLOW_DESTROY(&f);
414 UTHFreePackets(&p, 1);
415 return result;
416}
417
418/**
419 * \test Test that the http_cookie content matches against a http request
420 * which holds the content.
421 */
422static int DetectEngineHttpCookieTest05(void)
423{
424 TcpSession ssn;
425 Packet *p = NULL;
426 ThreadVars th_v;
427 DetectEngineCtx *de_ctx = NULL;
428 DetectEngineThreadCtx *det_ctx = NULL;
429 HtpState *http_state = NULL;
430 Flow f;
431 uint8_t http_buf[] =
432 "CONNECT /index.html HTTP/1.0\r\n"
433 "Cookie: CONNECT\r\n"
434 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
435 uint32_t http_len = sizeof(http_buf) - 1;
436 int result = 0;
437 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
438
439 memset(&th_v, 0, sizeof(th_v));
440 memset(&f, 0, sizeof(f));
441 memset(&ssn, 0, sizeof(ssn));
442
443 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
444
445 FLOW_INITIALIZE(&f);
446 f.protoctx = (void *)&ssn;
447 f.proto = IPPROTO_TCP;
448 f.flags |= FLOW_IPV4;
449 p->flow = &f;
450 p->flowflags |= FLOW_PKT_TOSERVER;
451 p->flowflags |= FLOW_PKT_ESTABLISHED;
452 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
453 f.alproto = ALPROTO_HTTP1;
454
455 StreamTcpInitConfig(true);
456
457 de_ctx = DetectEngineCtxInit();
458 if (de_ctx == NULL)
459 goto end;
460
461 de_ctx->flags |= DE_QUIET;
462
463 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
464 "(msg:\"http header test\"; "
465 "content:!\"CON\"; depth:4; http_cookie; "
466 "sid:1;)");
467 if (de_ctx->sig_list == NULL)
468 goto end;
469
470 SigGroupBuild(de_ctx);
471 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
472
473 int r = AppLayerParserParse(
474 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
475 if (r != 0) {
476 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
477 result = 0;
478 goto end;
479 }
480
481 http_state = f.alstate;
482 if (http_state == NULL) {
483 printf("no http state: ");
484 result = 0;
485 goto end;
486 }
487
488 /* do detect */
489 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
490
491 if (PacketAlertCheck(p, 1)) {
492 printf("sid 1 matched but shouldn't have: ");
493 goto end;
494 }
495
496 result = 1;
497
498end:
499 if (alp_tctx != NULL)
500 AppLayerParserThreadCtxFree(alp_tctx);
501 if (de_ctx != NULL)
502 DetectEngineCtxFree(de_ctx);
503
504 StreamTcpFreeConfig(true);
505 FLOW_DESTROY(&f);
506 UTHFreePackets(&p, 1);
507 return result;
508}
509
510/**
511 * \test Test that the http_cookie content matches against a http request
512 * which holds the content.
513 */
514static int DetectEngineHttpCookieTest06(void)
515{
516 TcpSession ssn;
517 Packet *p = NULL;
518 ThreadVars th_v;
519 DetectEngineCtx *de_ctx = NULL;
520 DetectEngineThreadCtx *det_ctx = NULL;
521 HtpState *http_state = NULL;
522 Flow f;
523 uint8_t http_buf[] =
524 "CONNECT /index.html HTTP/1.0\r\n"
525 "Cookie: CONNECT\r\n"
526 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
527 uint32_t http_len = sizeof(http_buf) - 1;
528 int result = 0;
529 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
530
531 memset(&th_v, 0, sizeof(th_v));
532 memset(&f, 0, sizeof(f));
533 memset(&ssn, 0, sizeof(ssn));
534
535 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
536
537 FLOW_INITIALIZE(&f);
538 f.protoctx = (void *)&ssn;
539 f.proto = IPPROTO_TCP;
540 f.flags |= FLOW_IPV4;
541 p->flow = &f;
542 p->flowflags |= FLOW_PKT_TOSERVER;
543 p->flowflags |= FLOW_PKT_ESTABLISHED;
544 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
545 f.alproto = ALPROTO_HTTP1;
546
547 StreamTcpInitConfig(true);
548
549 de_ctx = DetectEngineCtxInit();
550 if (de_ctx == NULL)
551 goto end;
552
553 de_ctx->flags |= DE_QUIET;
554
555 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
556 "(msg:\"http header test\"; "
557 "content:\"ECT\"; offset:3; http_cookie; "
558 "sid:1;)");
559 if (de_ctx->sig_list == NULL)
560 goto end;
561
562 SigGroupBuild(de_ctx);
563 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
564
565 int r = AppLayerParserParse(
566 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
567 if (r != 0) {
568 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
569 result = 0;
570 goto end;
571 }
572
573 http_state = f.alstate;
574 if (http_state == NULL) {
575 printf("no http state: ");
576 result = 0;
577 goto end;
578 }
579
580 /* do detect */
581 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
582
583 if (!(PacketAlertCheck(p, 1))) {
584 printf("sid 1 didn't match but should have: ");
585 goto end;
586 }
587
588 result = 1;
589
590end:
591 if (alp_tctx != NULL)
592 AppLayerParserThreadCtxFree(alp_tctx);
593 if (de_ctx != NULL)
594 DetectEngineCtxFree(de_ctx);
595
596 StreamTcpFreeConfig(true);
597 FLOW_DESTROY(&f);
598 UTHFreePackets(&p, 1);
599 return result;
600}
601
602/**
603 * \test Test that the http_cookie content matches against a http request
604 * which holds the content.
605 */
606static int DetectEngineHttpCookieTest07(void)
607{
608 TcpSession ssn;
609 Packet *p = NULL;
610 ThreadVars th_v;
611 DetectEngineCtx *de_ctx = NULL;
612 DetectEngineThreadCtx *det_ctx = NULL;
613 HtpState *http_state = NULL;
614 Flow f;
615 uint8_t http_buf[] =
616 "CONNECT /index.html HTTP/1.0\r\n"
617 "Cookie: CONNECT\r\n"
618 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
619 uint32_t http_len = sizeof(http_buf) - 1;
620 int result = 0;
621 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
622
623 memset(&th_v, 0, sizeof(th_v));
624 memset(&f, 0, sizeof(f));
625 memset(&ssn, 0, sizeof(ssn));
626
627 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
628
629 FLOW_INITIALIZE(&f);
630 f.protoctx = (void *)&ssn;
631 f.proto = IPPROTO_TCP;
632 f.flags |= FLOW_IPV4;
633 p->flow = &f;
634 p->flowflags |= FLOW_PKT_TOSERVER;
635 p->flowflags |= FLOW_PKT_ESTABLISHED;
636 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
637 f.alproto = ALPROTO_HTTP1;
638
639 StreamTcpInitConfig(true);
640
641 de_ctx = DetectEngineCtxInit();
642 if (de_ctx == NULL)
643 goto end;
644
645 de_ctx->flags |= DE_QUIET;
646
647 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
648 "(msg:\"http header test\"; "
649 "content:!\"CO\"; offset:3; http_cookie; "
650 "sid:1;)");
651 if (de_ctx->sig_list == NULL)
652 goto end;
653
654 SigGroupBuild(de_ctx);
655 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
656
657 int r = AppLayerParserParse(
658 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
659 if (r != 0) {
660 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
661 result = 0;
662 goto end;
663 }
664
665 http_state = f.alstate;
666 if (http_state == NULL) {
667 printf("no http state: ");
668 result = 0;
669 goto end;
670 }
671
672 /* do detect */
673 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
674
675 if (!(PacketAlertCheck(p, 1))) {
676 printf("sid 1 didn't match but should have: ");
677 goto end;
678 }
679
680 result = 1;
681
682end:
683 if (alp_tctx != NULL)
684 AppLayerParserThreadCtxFree(alp_tctx);
685 if (de_ctx != NULL)
686 DetectEngineCtxFree(de_ctx);
687
688 StreamTcpFreeConfig(true);
689 FLOW_DESTROY(&f);
690 UTHFreePackets(&p, 1);
691 return result;
692}
693
694/**
695 * \test Test that the http_cookie content matches against a http request
696 * which holds the content.
697 */
698static int DetectEngineHttpCookieTest08(void)
699{
700 TcpSession ssn;
701 Packet *p = NULL;
702 ThreadVars th_v;
703 DetectEngineCtx *de_ctx = NULL;
704 DetectEngineThreadCtx *det_ctx = NULL;
705 HtpState *http_state = NULL;
706 Flow f;
707 uint8_t http_buf[] =
708 "CONNECT /index.html HTTP/1.0\r\n"
709 "Cookie: CONNECT\r\n"
710 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
711 uint32_t http_len = sizeof(http_buf) - 1;
712 int result = 0;
713 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
714
715 memset(&th_v, 0, sizeof(th_v));
716 memset(&f, 0, sizeof(f));
717 memset(&ssn, 0, sizeof(ssn));
718
719 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
720
721 FLOW_INITIALIZE(&f);
722 f.protoctx = (void *)&ssn;
723 f.proto = IPPROTO_TCP;
724 f.flags |= FLOW_IPV4;
725 p->flow = &f;
726 p->flowflags |= FLOW_PKT_TOSERVER;
727 p->flowflags |= FLOW_PKT_ESTABLISHED;
728 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
729 f.alproto = ALPROTO_HTTP1;
730
731 StreamTcpInitConfig(true);
732
733 de_ctx = DetectEngineCtxInit();
734 if (de_ctx == NULL)
735 goto end;
736
737 de_ctx->flags |= DE_QUIET;
738
739 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
740 "(msg:\"http header test\"; "
741 "content:!\"ECT\"; offset:3; http_cookie; "
742 "sid:1;)");
743 if (de_ctx->sig_list == NULL)
744 goto end;
745
746 SigGroupBuild(de_ctx);
747 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
748
749 int r = AppLayerParserParse(
750 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
751 if (r != 0) {
752 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
753 result = 0;
754 goto end;
755 }
756
757 http_state = f.alstate;
758 if (http_state == NULL) {
759 printf("no http state: ");
760 result = 0;
761 goto end;
762 }
763
764 /* do detect */
765 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
766
767 if (PacketAlertCheck(p, 1)) {
768 printf("sid 1 matched but shouldn't have: ");
769 goto end;
770 }
771
772 result = 1;
773
774end:
775 if (alp_tctx != NULL)
776 AppLayerParserThreadCtxFree(alp_tctx);
777 if (de_ctx != NULL)
778 DetectEngineCtxFree(de_ctx);
779
780 StreamTcpFreeConfig(true);
781 FLOW_DESTROY(&f);
782 UTHFreePackets(&p, 1);
783 return result;
784}
785
786/**
787 * \test Test that the http_cookie content matches against a http request
788 * which holds the content.
789 */
790static int DetectEngineHttpCookieTest09(void)
791{
792 TcpSession ssn;
793 Packet *p = NULL;
794 ThreadVars th_v;
795 DetectEngineCtx *de_ctx = NULL;
796 DetectEngineThreadCtx *det_ctx = NULL;
797 HtpState *http_state = NULL;
798 Flow f;
799 uint8_t http_buf[] =
800 "CONNECT /index.html HTTP/1.0\r\n"
801 "Cookie: CONNECT\r\n"
802 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
803 uint32_t http_len = sizeof(http_buf) - 1;
804 int result = 0;
805 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
806
807 memset(&th_v, 0, sizeof(th_v));
808 memset(&f, 0, sizeof(f));
809 memset(&ssn, 0, sizeof(ssn));
810
811 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
812
813 FLOW_INITIALIZE(&f);
814 f.protoctx = (void *)&ssn;
815 f.proto = IPPROTO_TCP;
816 f.flags |= FLOW_IPV4;
817 p->flow = &f;
818 p->flowflags |= FLOW_PKT_TOSERVER;
819 p->flowflags |= FLOW_PKT_ESTABLISHED;
820 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
821 f.alproto = ALPROTO_HTTP1;
822
823 StreamTcpInitConfig(true);
824
825 de_ctx = DetectEngineCtxInit();
826 if (de_ctx == NULL)
827 goto end;
828
829 de_ctx->flags |= DE_QUIET;
830
831 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
832 "(msg:\"http header test\"; "
833 "content:\"CON\"; offset:3; http_cookie; "
834 "sid:1;)");
835 if (de_ctx->sig_list == NULL)
836 goto end;
837
838 SigGroupBuild(de_ctx);
839 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
840
841 int r = AppLayerParserParse(
842 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
843 if (r != 0) {
844 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
845 result = 0;
846 goto end;
847 }
848
849 http_state = f.alstate;
850 if (http_state == NULL) {
851 printf("no http state: ");
852 result = 0;
853 goto end;
854 }
855
856 /* do detect */
857 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
858
859 if (PacketAlertCheck(p, 1)) {
860 printf("sid 1 matched but shouldn't have: ");
861 goto end;
862 }
863
864 result = 1;
865
866end:
867 if (alp_tctx != NULL)
868 AppLayerParserThreadCtxFree(alp_tctx);
869 if (de_ctx != NULL)
870 DetectEngineCtxFree(de_ctx);
871
872 StreamTcpFreeConfig(true);
873 FLOW_DESTROY(&f);
874 UTHFreePackets(&p, 1);
875 return result;
876}
877
878/**
879 * \test Test that the http_cookie content matches against a http request
880 * which holds the content.
881 */
882static int DetectEngineHttpCookieTest10(void)
883{
884 TcpSession ssn;
885 Packet *p = NULL;
886 ThreadVars th_v;
887 DetectEngineCtx *de_ctx = NULL;
888 DetectEngineThreadCtx *det_ctx = NULL;
889 HtpState *http_state = NULL;
890 Flow f;
891 uint8_t http_buf[] =
892 "CONNECT /index.html HTTP/1.0\r\n"
893 "Cookie: CONNECT\r\n"
894 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
895 uint32_t http_len = sizeof(http_buf) - 1;
896 int result = 0;
897 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
898
899 memset(&th_v, 0, sizeof(th_v));
900 memset(&f, 0, sizeof(f));
901 memset(&ssn, 0, sizeof(ssn));
902
903 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
904
905 FLOW_INITIALIZE(&f);
906 f.protoctx = (void *)&ssn;
907 f.proto = IPPROTO_TCP;
908 f.flags |= FLOW_IPV4;
909 p->flow = &f;
910 p->flowflags |= FLOW_PKT_TOSERVER;
911 p->flowflags |= FLOW_PKT_ESTABLISHED;
912 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
913 f.alproto = ALPROTO_HTTP1;
914
915 StreamTcpInitConfig(true);
916
917 de_ctx = DetectEngineCtxInit();
918 if (de_ctx == NULL)
919 goto end;
920
921 de_ctx->flags |= DE_QUIET;
922
923 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
924 "(msg:\"http header test\"; "
925 "content:\"CO\"; http_cookie; "
926 "content:\"EC\"; within:4; http_cookie; "
927 "sid:1;)");
928 if (de_ctx->sig_list == NULL)
929 goto end;
930
931 SigGroupBuild(de_ctx);
932 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
933
934 int r = AppLayerParserParse(
935 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
936 if (r != 0) {
937 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
938 result = 0;
939 goto end;
940 }
941
942 http_state = f.alstate;
943 if (http_state == NULL) {
944 printf("no http state: ");
945 result = 0;
946 goto end;
947 }
948
949 /* do detect */
950 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
951
952 if (!PacketAlertCheck(p, 1)) {
953 printf("sid 1 didn't match but should have: ");
954 goto end;
955 }
956
957 result = 1;
958
959end:
960 if (alp_tctx != NULL)
961 AppLayerParserThreadCtxFree(alp_tctx);
962 if (de_ctx != NULL)
963 DetectEngineCtxFree(de_ctx);
964
965 StreamTcpFreeConfig(true);
966 FLOW_DESTROY(&f);
967 UTHFreePackets(&p, 1);
968 return result;
969}
970
971/**
972 * \test Test that the http_cookie content matches against a http request
973 * which holds the content.
974 */
975static int DetectEngineHttpCookieTest11(void)
976{
977 TcpSession ssn;
978 Packet *p = NULL;
979 ThreadVars th_v;
980 DetectEngineCtx *de_ctx = NULL;
981 DetectEngineThreadCtx *det_ctx = NULL;
982 HtpState *http_state = NULL;
983 Flow f;
984 uint8_t http_buf[] =
985 "CONNECT /index.html HTTP/1.0\r\n"
986 "Cookie: CONNECT\r\n"
987 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
988 uint32_t http_len = sizeof(http_buf) - 1;
989 int result = 0;
990 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
991
992 memset(&th_v, 0, sizeof(th_v));
993 memset(&f, 0, sizeof(f));
994 memset(&ssn, 0, sizeof(ssn));
995
996 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
997
998 FLOW_INITIALIZE(&f);
999 f.protoctx = (void *)&ssn;
1000 f.proto = IPPROTO_TCP;
1001 f.flags |= FLOW_IPV4;
1002 p->flow = &f;
1003 p->flowflags |= FLOW_PKT_TOSERVER;
1004 p->flowflags |= FLOW_PKT_ESTABLISHED;
1005 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1006 f.alproto = ALPROTO_HTTP1;
1007
1008 StreamTcpInitConfig(true);
1009
1010 de_ctx = DetectEngineCtxInit();
1011 if (de_ctx == NULL)
1012 goto end;
1013
1014 de_ctx->flags |= DE_QUIET;
1015
1016 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1017 "(msg:\"http header test\"; "
1018 "content:\"CO\"; http_cookie; "
1019 "content:!\"EC\"; within:3; http_cookie; "
1020 "sid:1;)");
1021 if (de_ctx->sig_list == NULL)
1022 goto end;
1023
1024 SigGroupBuild(de_ctx);
1025 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1026
1027 int r = AppLayerParserParse(
1028 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1029 if (r != 0) {
1030 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1031 result = 0;
1032 goto end;
1033 }
1034
1035 http_state = f.alstate;
1036 if (http_state == NULL) {
1037 printf("no http state: ");
1038 result = 0;
1039 goto end;
1040 }
1041
1042 /* do detect */
1043 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1044
1045 if (!PacketAlertCheck(p, 1)) {
1046 printf("sid 1 didn't match but should have: ");
1047 goto end;
1048 }
1049
1050 result = 1;
1051
1052end:
1053 if (alp_tctx != NULL)
1054 AppLayerParserThreadCtxFree(alp_tctx);
1055 if (de_ctx != NULL)
1056 DetectEngineCtxFree(de_ctx);
1057
1058 StreamTcpFreeConfig(true);
1059 FLOW_DESTROY(&f);
1060 UTHFreePackets(&p, 1);
1061 return result;
1062}
1063
1064/**
1065 * \test Test that the http_cookie content matches against a http request
1066 * which holds the content.
1067 */
1068static int DetectEngineHttpCookieTest12(void)
1069{
1070 TcpSession ssn;
1071 Packet *p = NULL;
1072 ThreadVars th_v;
1073 DetectEngineCtx *de_ctx = NULL;
1074 DetectEngineThreadCtx *det_ctx = NULL;
1075 HtpState *http_state = NULL;
1076 Flow f;
1077 uint8_t http_buf[] =
1078 "CONNECT /index.html HTTP/1.0\r\n"
1079 "Cookie: CONNECT\r\n"
1080 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1081 uint32_t http_len = sizeof(http_buf) - 1;
1082 int result = 0;
1083 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1084
1085 memset(&th_v, 0, sizeof(th_v));
1086 memset(&f, 0, sizeof(f));
1087 memset(&ssn, 0, sizeof(ssn));
1088
1089 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1090
1091 FLOW_INITIALIZE(&f);
1092 f.protoctx = (void *)&ssn;
1093 f.proto = IPPROTO_TCP;
1094 f.flags |= FLOW_IPV4;
1095 p->flow = &f;
1096 p->flowflags |= FLOW_PKT_TOSERVER;
1097 p->flowflags |= FLOW_PKT_ESTABLISHED;
1098 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1099 f.alproto = ALPROTO_HTTP1;
1100
1101 StreamTcpInitConfig(true);
1102
1103 de_ctx = DetectEngineCtxInit();
1104 if (de_ctx == NULL)
1105 goto end;
1106
1107 de_ctx->flags |= DE_QUIET;
1108
1109 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1110 "(msg:\"http header test\"; "
1111 "content:\"CO\"; http_cookie; "
1112 "content:\"EC\"; within:3; http_cookie; "
1113 "sid:1;)");
1114 if (de_ctx->sig_list == NULL)
1115 goto end;
1116
1117 SigGroupBuild(de_ctx);
1118 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1119
1120 int r = AppLayerParserParse(
1121 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1122 if (r != 0) {
1123 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1124 result = 0;
1125 goto end;
1126 }
1127
1128 http_state = f.alstate;
1129 if (http_state == NULL) {
1130 printf("no http state: ");
1131 result = 0;
1132 goto end;
1133 }
1134
1135 /* do detect */
1136 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1137
1138 if (PacketAlertCheck(p, 1)) {
1139 printf("sid 1 matched but shouldn't have: ");
1140 goto end;
1141 }
1142
1143 result = 1;
1144
1145end:
1146 if (alp_tctx != NULL)
1147 AppLayerParserThreadCtxFree(alp_tctx);
1148 if (de_ctx != NULL)
1149 DetectEngineCtxFree(de_ctx);
1150
1151 StreamTcpFreeConfig(true);
1152 FLOW_DESTROY(&f);
1153 UTHFreePackets(&p, 1);
1154 return result;
1155}
1156
1157/**
1158 * \test Test that the http_cookie content matches against a http request
1159 * which holds the content.
1160 */
1161static int DetectEngineHttpCookieTest13(void)
1162{
1163 TcpSession ssn;
1164 Packet *p = NULL;
1165 ThreadVars th_v;
1166 DetectEngineCtx *de_ctx = NULL;
1167 DetectEngineThreadCtx *det_ctx = NULL;
1168 HtpState *http_state = NULL;
1169 Flow f;
1170 uint8_t http_buf[] =
1171 "CONNECT /index.html HTTP/1.0\r\n"
1172 "Cookie: CONNECT\r\n"
1173 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1174 uint32_t http_len = sizeof(http_buf) - 1;
1175 int result = 0;
1176 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1177
1178 memset(&th_v, 0, sizeof(th_v));
1179 memset(&f, 0, sizeof(f));
1180 memset(&ssn, 0, sizeof(ssn));
1181
1182 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1183
1184 FLOW_INITIALIZE(&f);
1185 f.protoctx = (void *)&ssn;
1186 f.proto = IPPROTO_TCP;
1187 f.flags |= FLOW_IPV4;
1188 p->flow = &f;
1189 p->flowflags |= FLOW_PKT_TOSERVER;
1190 p->flowflags |= FLOW_PKT_ESTABLISHED;
1191 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1192 f.alproto = ALPROTO_HTTP1;
1193
1194 StreamTcpInitConfig(true);
1195
1196 de_ctx = DetectEngineCtxInit();
1197 if (de_ctx == NULL)
1198 goto end;
1199
1200 de_ctx->flags |= DE_QUIET;
1201
1202 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1203 "(msg:\"http header test\"; "
1204 "content:\"CO\"; http_cookie; "
1205 "content:!\"EC\"; within:4; http_cookie; "
1206 "sid:1;)");
1207 if (de_ctx->sig_list == NULL)
1208 goto end;
1209
1210 SigGroupBuild(de_ctx);
1211 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1212
1213 int r = AppLayerParserParse(
1214 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1215 if (r != 0) {
1216 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1217 result = 0;
1218 goto end;
1219 }
1220
1221 http_state = f.alstate;
1222 if (http_state == NULL) {
1223 printf("no http state: ");
1224 result = 0;
1225 goto end;
1226 }
1227
1228 /* do detect */
1229 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1230
1231 if (PacketAlertCheck(p, 1)) {
1232 printf("sid 1 matched but shouldn't have: ");
1233 goto end;
1234 }
1235
1236 result = 1;
1237
1238end:
1239 if (alp_tctx != NULL)
1240 AppLayerParserThreadCtxFree(alp_tctx);
1241 if (de_ctx != NULL)
1242 DetectEngineCtxFree(de_ctx);
1243
1244 StreamTcpFreeConfig(true);
1245 FLOW_DESTROY(&f);
1246 UTHFreePackets(&p, 1);
1247 return result;
1248}
1249
1250/**
1251 * \test Test that the http_cookie content matches against a http request
1252 * which holds the content.
1253 */
1254static int DetectEngineHttpCookieTest14(void)
1255{
1256 TcpSession ssn;
1257 Packet *p = NULL;
1258 ThreadVars th_v;
1259 DetectEngineCtx *de_ctx = NULL;
1260 DetectEngineThreadCtx *det_ctx = NULL;
1261 HtpState *http_state = NULL;
1262 Flow f;
1263 uint8_t http_buf[] =
1264 "CONNECT /index.html HTTP/1.0\r\n"
1265 "Cookie: CONNECT\r\n"
1266 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1267 uint32_t http_len = sizeof(http_buf) - 1;
1268 int result = 0;
1269 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1270
1271 memset(&th_v, 0, sizeof(th_v));
1272 memset(&f, 0, sizeof(f));
1273 memset(&ssn, 0, sizeof(ssn));
1274
1275 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1276
1277 FLOW_INITIALIZE(&f);
1278 f.protoctx = (void *)&ssn;
1279 f.proto = IPPROTO_TCP;
1280 f.flags |= FLOW_IPV4;
1281 p->flow = &f;
1282 p->flowflags |= FLOW_PKT_TOSERVER;
1283 p->flowflags |= FLOW_PKT_ESTABLISHED;
1284 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1285 f.alproto = ALPROTO_HTTP1;
1286
1287 StreamTcpInitConfig(true);
1288
1289 de_ctx = DetectEngineCtxInit();
1290 if (de_ctx == NULL)
1291 goto end;
1292
1293 de_ctx->flags |= DE_QUIET;
1294
1295 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1296 "(msg:\"http header test\"; "
1297 "content:\"CO\"; http_cookie; "
1298 "content:\"EC\"; distance:2; http_cookie; "
1299 "sid:1;)");
1300 if (de_ctx->sig_list == NULL)
1301 goto end;
1302
1303 SigGroupBuild(de_ctx);
1304 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1305
1306 int r = AppLayerParserParse(
1307 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1308 if (r != 0) {
1309 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1310 result = 0;
1311 goto end;
1312 }
1313
1314 http_state = f.alstate;
1315 if (http_state == NULL) {
1316 printf("no http state: ");
1317 result = 0;
1318 goto end;
1319 }
1320
1321 /* do detect */
1322 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1323
1324 if (!PacketAlertCheck(p, 1)) {
1325 printf("sid 1 didn't match but should have: ");
1326 goto end;
1327 }
1328
1329 result = 1;
1330
1331end:
1332 if (alp_tctx != NULL)
1333 AppLayerParserThreadCtxFree(alp_tctx);
1334 if (de_ctx != NULL)
1335 DetectEngineCtxFree(de_ctx);
1336
1337 StreamTcpFreeConfig(true);
1338 FLOW_DESTROY(&f);
1339 UTHFreePackets(&p, 1);
1340 return result;
1341}
1342
1343/**
1344 * \test Test that the http_cookie content matches against a http request
1345 * which holds the content.
1346 */
1347static int DetectEngineHttpCookieTest15(void)
1348{
1349 TcpSession ssn;
1350 Packet *p = NULL;
1351 ThreadVars th_v;
1352 DetectEngineCtx *de_ctx = NULL;
1353 DetectEngineThreadCtx *det_ctx = NULL;
1354 HtpState *http_state = NULL;
1355 Flow f;
1356 uint8_t http_buf[] =
1357 "CONNECT /index.html HTTP/1.0\r\n"
1358 "Cookie: CONNECT\r\n"
1359 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1360 uint32_t http_len = sizeof(http_buf) - 1;
1361 int result = 0;
1362 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1363
1364 memset(&th_v, 0, sizeof(th_v));
1365 memset(&f, 0, sizeof(f));
1366 memset(&ssn, 0, sizeof(ssn));
1367
1368 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1369
1370 FLOW_INITIALIZE(&f);
1371 f.protoctx = (void *)&ssn;
1372 f.proto = IPPROTO_TCP;
1373 f.flags |= FLOW_IPV4;
1374 p->flow = &f;
1375 p->flowflags |= FLOW_PKT_TOSERVER;
1376 p->flowflags |= FLOW_PKT_ESTABLISHED;
1377 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1378 f.alproto = ALPROTO_HTTP1;
1379
1380 StreamTcpInitConfig(true);
1381
1382 de_ctx = DetectEngineCtxInit();
1383 if (de_ctx == NULL)
1384 goto end;
1385
1386 de_ctx->flags |= DE_QUIET;
1387
1388 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1389 "(msg:\"http header test\"; "
1390 "content:\"CO\"; http_cookie; "
1391 "content:!\"EC\"; distance:3; http_cookie; "
1392 "sid:1;)");
1393 if (de_ctx->sig_list == NULL)
1394 goto end;
1395
1396 SigGroupBuild(de_ctx);
1397 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1398
1399 int r = AppLayerParserParse(
1400 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1401 if (r != 0) {
1402 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1403 result = 0;
1404 goto end;
1405 }
1406
1407 http_state = f.alstate;
1408 if (http_state == NULL) {
1409 printf("no http state: ");
1410 result = 0;
1411 goto end;
1412 }
1413
1414 /* do detect */
1415 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1416
1417 if (!PacketAlertCheck(p, 1)) {
1418 printf("sid 1 didn't match but should have: ");
1419 goto end;
1420 }
1421
1422 result = 1;
1423
1424end:
1425 if (alp_tctx != NULL)
1426 AppLayerParserThreadCtxFree(alp_tctx);
1427 if (de_ctx != NULL)
1428 DetectEngineCtxFree(de_ctx);
1429
1430 StreamTcpFreeConfig(true);
1431 FLOW_DESTROY(&f);
1432 UTHFreePackets(&p, 1);
1433 return result;
1434}
1435
1436/**
1437 * \test Test that the http_cookie content matches against a http request
1438 * which holds the content.
1439 */
1440static int DetectEngineHttpCookieTest16(void)
1441{
1442 TcpSession ssn;
1443 Packet *p = NULL;
1444 ThreadVars th_v;
1445 DetectEngineCtx *de_ctx = NULL;
1446 DetectEngineThreadCtx *det_ctx = NULL;
1447 HtpState *http_state = NULL;
1448 Flow f;
1449 uint8_t http_buf[] =
1450 "CONNECT /index.html HTTP/1.0\r\n"
1451 "Cookie: CONNECT\r\n"
1452 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1453 uint32_t http_len = sizeof(http_buf) - 1;
1454 int result = 0;
1455 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1456
1457 memset(&th_v, 0, sizeof(th_v));
1458 memset(&f, 0, sizeof(f));
1459 memset(&ssn, 0, sizeof(ssn));
1460
1461 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1462
1463 FLOW_INITIALIZE(&f);
1464 f.protoctx = (void *)&ssn;
1465 f.proto = IPPROTO_TCP;
1466 f.flags |= FLOW_IPV4;
1467 p->flow = &f;
1468 p->flowflags |= FLOW_PKT_TOSERVER;
1469 p->flowflags |= FLOW_PKT_ESTABLISHED;
1470 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1471 f.alproto = ALPROTO_HTTP1;
1472
1473 StreamTcpInitConfig(true);
1474
1475 de_ctx = DetectEngineCtxInit();
1476 if (de_ctx == NULL)
1477 goto end;
1478
1479 de_ctx->flags |= DE_QUIET;
1480
1481 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1482 "(msg:\"http header test\"; "
1483 "content:\"CO\"; http_cookie; "
1484 "content:\"EC\"; distance:3; http_cookie; "
1485 "sid:1;)");
1486 if (de_ctx->sig_list == NULL)
1487 goto end;
1488
1489 SigGroupBuild(de_ctx);
1490 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1491
1492 int r = AppLayerParserParse(
1493 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1494 if (r != 0) {
1495 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1496 result = 0;
1497 goto end;
1498 }
1499
1500 http_state = f.alstate;
1501 if (http_state == NULL) {
1502 printf("no http state: ");
1503 result = 0;
1504 goto end;
1505 }
1506
1507 /* do detect */
1508 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1509
1510 if (PacketAlertCheck(p, 1)) {
1511 printf("sid 1 matched but shouldn't have: ");
1512 goto end;
1513 }
1514
1515 result = 1;
1516
1517end:
1518 if (alp_tctx != NULL)
1519 AppLayerParserThreadCtxFree(alp_tctx);
1520 if (de_ctx != NULL)
1521 DetectEngineCtxFree(de_ctx);
1522
1523 StreamTcpFreeConfig(true);
1524 FLOW_DESTROY(&f);
1525 UTHFreePackets(&p, 1);
1526 return result;
1527}
1528
1529/**
1530 * \test Test that the http_cookie content matches against a http request
1531 * which holds the content.
1532 */
1533static int DetectEngineHttpCookieTest17(void)
1534{
1535 TcpSession ssn;
1536 Packet *p = NULL;
1537 ThreadVars th_v;
1538 DetectEngineCtx *de_ctx = NULL;
1539 DetectEngineThreadCtx *det_ctx = NULL;
1540 HtpState *http_state = NULL;
1541 Flow f;
1542 uint8_t http_buf[] =
1543 "CONNECT /index.html HTTP/1.0\r\n"
1544 "Cookie: CONNECT\r\n"
1545 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1546 uint32_t http_len = sizeof(http_buf) - 1;
1547 int result = 0;
1548 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1549
1550 memset(&th_v, 0, sizeof(th_v));
1551 memset(&f, 0, sizeof(f));
1552 memset(&ssn, 0, sizeof(ssn));
1553
1554 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1555
1556 FLOW_INITIALIZE(&f);
1557 f.protoctx = (void *)&ssn;
1558 f.proto = IPPROTO_TCP;
1559 f.flags |= FLOW_IPV4;
1560 p->flow = &f;
1561 p->flowflags |= FLOW_PKT_TOSERVER;
1562 p->flowflags |= FLOW_PKT_ESTABLISHED;
1563 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1564 f.alproto = ALPROTO_HTTP1;
1565
1566 StreamTcpInitConfig(true);
1567
1568 de_ctx = DetectEngineCtxInit();
1569 if (de_ctx == NULL)
1570 goto end;
1571
1572 de_ctx->flags |= DE_QUIET;
1573
1574 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1575 "(msg:\"http header test\"; "
1576 "content:\"CO\"; http_cookie; "
1577 "content:!\"EC\"; distance:2; http_cookie; "
1578 "sid:1;)");
1579 if (de_ctx->sig_list == NULL)
1580 goto end;
1581
1582 SigGroupBuild(de_ctx);
1583 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1584
1585 int r = AppLayerParserParse(
1586 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1587 if (r != 0) {
1588 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1589 result = 0;
1590 goto end;
1591 }
1592
1593 http_state = f.alstate;
1594 if (http_state == NULL) {
1595 printf("no http state: ");
1596 result = 0;
1597 goto end;
1598 }
1599
1600 /* do detect */
1601 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1602
1603 if (PacketAlertCheck(p, 1)) {
1604 printf("sid 1 matched but shouldn't have: ");
1605 goto end;
1606 }
1607
1608 result = 1;
1609
1610end:
1611 if (alp_tctx != NULL)
1612 AppLayerParserThreadCtxFree(alp_tctx);
1613 if (de_ctx != NULL)
1614 DetectEngineCtxFree(de_ctx);
1615
1616 StreamTcpFreeConfig(true);
1617 FLOW_DESTROY(&f);
1618 UTHFreePackets(&p, 1);
1619 return result;
1620}
1621
1622/**
1623 * \test Checks if a http_cookie is registered in a Signature, if content is not
1624 * specified in the signature
1625 */
1626static int DetectHttpCookieTest01(void)
1627{
1628 DetectEngineCtx *de_ctx = NULL;
1629 int result = 0;
1630
1631 if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1632 goto end;
1633
1634 de_ctx->flags |= DE_QUIET;
1635 de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1636 "(msg:\"Testing http_cookie\"; http_cookie;sid:1;)");
1637 if (de_ctx->sig_list == NULL)
1638 result = 1;
1639
1640end:
1641 if (de_ctx != NULL)
1642 DetectEngineCtxFree(de_ctx);
1643 return result;
1644}
1645
1646/**
1647 * \test Checks if a http_cookie is registered in a Signature, if some parameter
1648 * is specified with http_cookie in the signature
1649 */
1650static int DetectHttpCookieTest02(void)
1651{
1652 DetectEngineCtx *de_ctx = NULL;
1653 int result = 0;
1654
1655 if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1656 goto end;
1657
1658 de_ctx->flags |= DE_QUIET;
1659 de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1660 "(msg:\"Testing http_cookie\"; content:\"me\"; "
1661 "http_cookie:woo; sid:1;)");
1662 if (de_ctx->sig_list == NULL)
1663 result = 1;
1664
1665end:
1666 if (de_ctx != NULL)
1667 DetectEngineCtxFree(de_ctx);
1668 return result;
1669}
1670
1671/** \test Check the signature working to alert when http_cookie is matched . */
1672static int DetectHttpCookieSigTest01(void)
1673{
1674 int result = 0;
1675 Flow f;
1676 uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie:"
1677 " hellocatchme\r\n\r\n";
1678 uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1679 TcpSession ssn;
1680 Packet *p = NULL;
1681 Signature *s = NULL;
1682 ThreadVars th_v;
1683 DetectEngineThreadCtx *det_ctx = NULL;
1684 HtpState *http_state = NULL;
1685 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1686
1687 memset(&th_v, 0, sizeof(th_v));
1688 memset(&f, 0, sizeof(f));
1689 memset(&ssn, 0, sizeof(ssn));
1690
1691 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1692
1693 FLOW_INITIALIZE(&f);
1694 f.protoctx = (void *)&ssn;
1695 f.proto = IPPROTO_TCP;
1696 f.flags |= FLOW_IPV4;
1697
1698 p->flow = &f;
1699 p->flowflags |= FLOW_PKT_TOSERVER;
1700 p->flowflags |= FLOW_PKT_ESTABLISHED;
1701 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1702 f.alproto = ALPROTO_HTTP1;
1703
1704 StreamTcpInitConfig(true);
1705
1706 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1707 if (de_ctx == NULL) {
1708 goto end;
1709 }
1710
1711 de_ctx->flags |= DE_QUIET;
1712
1713 s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
1714 "\"HTTP cookie\"; content:\"me\"; "
1715 "http_cookie; sid:1;)");
1716 if (s == NULL) {
1717 goto end;
1718 }
1719
1720 s->next = SigInit(de_ctx,"alert http any any -> any any (msg:\"HTTP "
1721 "cookie\"; content:\"go\"; http_cookie; sid:2;)");
1722 if (s->next == NULL) {
1723 goto end;
1724 }
1725
1726
1727 SigGroupBuild(de_ctx);
1728 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1729
1730 int r = AppLayerParserParse(
1731 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1732 if (r != 0) {
1733 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1734 result = 0;
1735 goto end;
1736 }
1737
1738 http_state = f.alstate;
1739 if (http_state == NULL) {
1740 printf("no http state: ");
1741 result = 0;
1742 goto end;
1743 }
1744
1745 /* do detect */
1746 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1747
1748 if (!(PacketAlertCheck(p, 1))) {
1749 printf("sid 1 didn't match but should have: ");
1750 goto end;
1751 }
1752 if (PacketAlertCheck(p, 2)) {
1753 printf("sid 2 matched but shouldn't: ");
1754 goto end;
1755 }
1756
1757 result = 1;
1758end:
1759 if (alp_tctx != NULL)
1760 AppLayerParserThreadCtxFree(alp_tctx);
1761 if (det_ctx != NULL) {
1762 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1763 }
1764 if (de_ctx != NULL) {
1765 DetectEngineCtxFree(de_ctx);
1766 }
1767
1768 StreamTcpFreeConfig(true);
1769
1770 UTHFreePackets(&p, 1);
1771 return result;
1772}
1773
1774/** \test Check the signature working to alert when http_cookie is not present */
1775static int DetectHttpCookieSigTest02(void)
1776{
1777 int result = 0;
1778 Flow f;
1779 uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
1780 uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1781 TcpSession ssn;
1782 Packet *p = NULL;
1783 Signature *s = NULL;
1784 ThreadVars th_v;
1785 DetectEngineThreadCtx *det_ctx = NULL;
1786 HtpState *http_state = NULL;
1787 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1788
1789 memset(&th_v, 0, sizeof(th_v));
1790 memset(&p, 0, sizeof(p));
1791 memset(&f, 0, sizeof(f));
1792 memset(&ssn, 0, sizeof(ssn));
1793
1794 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1795
1796 FLOW_INITIALIZE(&f);
1797 f.protoctx = (void *)&ssn;
1798 f.proto = IPPROTO_TCP;
1799 f.flags |= FLOW_IPV4;
1800
1801 p->flow = &f;
1802 p->flowflags |= FLOW_PKT_TOSERVER;
1803 p->flowflags |= FLOW_PKT_ESTABLISHED;
1804 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1805 f.alproto = ALPROTO_HTTP1;
1806
1807 StreamTcpInitConfig(true);
1808
1809 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1810 if (de_ctx == NULL) {
1811 goto end;
1812 }
1813
1814 de_ctx->flags |= DE_QUIET;
1815
1816 s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
1817 "\"HTTP cookie\"; content:\"me\"; "
1818 "http_cookie; sid:1;)");
1819 if (s == NULL) {
1820 goto end;
1821 }
1822
1823 SigGroupBuild(de_ctx);
1824 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1825
1826 int r = AppLayerParserParse(
1827 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1828 if (r != 0) {
1829 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1830 result = 0;
1831 goto end;
1832 }
1833
1834 http_state = f.alstate;
1835 if (http_state == NULL) {
1836 printf("no http state: ");
1837 result = 0;
1838 goto end;
1839 }
1840
1841 /* do detect */
1842 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1843
1844 if ((PacketAlertCheck(p, 1))) {
1845 goto end;
1846 }
1847
1848 result = 1;
1849
1850end:
1851 if (alp_tctx != NULL)
1852 AppLayerParserThreadCtxFree(alp_tctx);
1853 if (det_ctx != NULL) {
1854 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1855 }
1856 if (de_ctx != NULL) {
1857 DetectEngineCtxFree(de_ctx);
1858 }
1859 StreamTcpFreeConfig(true);
1860 UTHFreePackets(&p, 1);
1861 return result;
1862}
1863
1864/** \test Check the signature working to alert when http_cookie is not present */
1865static int DetectHttpCookieSigTest03(void)
1866{
1867 int result = 0;
1868 Flow f;
1869 uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
1870 "Cookie: dummy\r\n\r\n";
1871 uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1872 TcpSession ssn;
1873 Packet *p = NULL;
1874 Signature *s = NULL;
1875 ThreadVars th_v;
1876 DetectEngineThreadCtx *det_ctx = NULL;
1877 HtpState *http_state = NULL;
1878 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1879
1880 memset(&th_v, 0, sizeof(th_v));
1881 memset(&f, 0, sizeof(f));
1882 memset(&ssn, 0, sizeof(ssn));
1883
1884 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1885
1886 FLOW_INITIALIZE(&f);
1887 f.protoctx = (void *)&ssn;
1888 f.proto = IPPROTO_TCP;
1889 f.flags |= FLOW_IPV4;
1890
1891 p->flow = &f;
1892 p->flowflags |= FLOW_PKT_TOSERVER;
1893 p->flowflags |= FLOW_PKT_ESTABLISHED;
1894 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1895 f.alproto = ALPROTO_HTTP1;
1896
1897 StreamTcpInitConfig(true);
1898
1899 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1900 if (de_ctx == NULL) {
1901 goto end;
1902 }
1903
1904 de_ctx->flags |= DE_QUIET;
1905
1906 s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
1907 "\"HTTP cookie\"; content:\"boo\"; "
1908 "http_cookie; sid:1;)");
1909 if (s == NULL) {
1910 goto end;
1911 }
1912
1913 SigGroupBuild(de_ctx);
1914 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1915
1916 int r = AppLayerParserParse(
1917 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1918 if (r != 0) {
1919 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1920 result = 0;
1921 goto end;
1922 }
1923
1924 http_state = f.alstate;
1925 if (http_state == NULL) {
1926 printf("no http state: ");
1927 result = 0;
1928 goto end;
1929 }
1930
1931 /* do detect */
1932 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1933
1934 if ((PacketAlertCheck(p, 1))) {
1935 goto end;
1936 }
1937
1938 result = 1;
1939end:
1940 if (alp_tctx != NULL)
1941 AppLayerParserThreadCtxFree(alp_tctx);
1942 if (det_ctx != NULL) {
1943 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1944 }
1945 if (de_ctx != NULL) {
1946 DetectEngineCtxFree(de_ctx);
1947 }
1948
1949 StreamTcpFreeConfig(true);
1950 UTHFreePackets(&p, 1);
1951 return result;
1952}
1953
1954/** \test Check the signature working to alert when http_cookie is not present */
1955static int DetectHttpCookieSigTest04(void)
1956{
1957 int result = 0;
1958 Flow f;
1959 uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
1960 "Cookie: dummy\r\n\r\n";
1961 uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1962 TcpSession ssn;
1963 Packet *p = NULL;
1964 Signature *s = NULL;
1965 ThreadVars th_v;
1966 DetectEngineThreadCtx *det_ctx = NULL;
1967 HtpState *http_state = NULL;
1968 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1969
1970 memset(&th_v, 0, sizeof(th_v));
1971 memset(&p, 0, sizeof(p));
1972 memset(&f, 0, sizeof(f));
1973 memset(&ssn, 0, sizeof(ssn));
1974
1975 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1976
1977 FLOW_INITIALIZE(&f);
1978 f.protoctx = (void *)&ssn;
1979 f.proto = IPPROTO_TCP;
1980 f.flags |= FLOW_IPV4;
1981
1982 p->flow = &f;
1983 p->flowflags |= FLOW_PKT_TOSERVER;
1984 p->flowflags |= FLOW_PKT_ESTABLISHED;
1985 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1986 f.alproto = ALPROTO_HTTP1;
1987
1988 StreamTcpInitConfig(true);
1989
1990 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1991 if (de_ctx == NULL) {
1992 goto end;
1993 }
1994
1995 de_ctx->flags |= DE_QUIET;
1996
1997 s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
1998 "\"HTTP cookie\"; content:!\"boo\"; "
1999 "http_cookie; sid:1;)");
2000 if (s == NULL) {
2001 goto end;
2002 }
2003
2004 SigGroupBuild(de_ctx);
2005 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2006
2007 int r = AppLayerParserParse(
2008 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
2009 if (r != 0) {
2010 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2011 result = 0;
2012 goto end;
2013 }
2014
2015 http_state = f.alstate;
2016 if (http_state == NULL) {
2017 printf("no http state: ");
2018 result = 0;
2019 goto end;
2020 }
2021
2022 /* do detect */
2023 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2024
2025 if (!PacketAlertCheck(p, 1)) {
2026 goto end;
2027 }
2028
2029 result = 1;
2030end:
2031 if (alp_tctx != NULL)
2032 AppLayerParserThreadCtxFree(alp_tctx);
2033 if (det_ctx != NULL) {
2034 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2035 }
2036 if (de_ctx != NULL) {
2037 DetectEngineCtxFree(de_ctx);
2038 }
2039
2040 StreamTcpFreeConfig(true);
2041 UTHFreePackets(&p, 1);
2042 return result;
2043}
2044
2045/** \test Check the signature working to alert when http_cookie is not present */
2046static int DetectHttpCookieSigTest05(void)
2047{
2048 int result = 0;
2049 Flow f;
2050 uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
2051 "Cookie: DuMmY\r\n\r\n";
2052 uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2053 TcpSession ssn;
2054 Packet *p = NULL;
2055 Signature *s = NULL;
2056 ThreadVars th_v;
2057 DetectEngineThreadCtx *det_ctx = NULL;
2058 HtpState *http_state = NULL;
2059 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2060
2061 memset(&th_v, 0, sizeof(th_v));
2062 memset(&p, 0, sizeof(p));
2063 memset(&f, 0, sizeof(f));
2064 memset(&ssn, 0, sizeof(ssn));
2065
2066 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2067
2068 FLOW_INITIALIZE(&f);
2069 f.protoctx = (void *)&ssn;
2070 f.proto = IPPROTO_TCP;
2071 f.flags |= FLOW_IPV4;
2072
2073 p->flow = &f;
2074 p->flowflags |= FLOW_PKT_TOSERVER;
2075 p->flowflags |= FLOW_PKT_ESTABLISHED;
2076 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2077 f.alproto = ALPROTO_HTTP1;
2078
2079 StreamTcpInitConfig(true);
2080
2081 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2082 if (de_ctx == NULL) {
2083 goto end;
2084 }
2085
2086 de_ctx->flags |= DE_QUIET;
2087
2088 s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
2089 "\"HTTP cookie\"; content:\"dummy\"; nocase; "
2090 "http_cookie; sid:1;)");
2091 if (s == NULL) {
2092 goto end;
2093 }
2094
2095 SigGroupBuild(de_ctx);
2096 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2097
2098 int r = AppLayerParserParse(
2099 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
2100 if (r != 0) {
2101 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2102 result = 0;
2103 goto end;
2104 }
2105
2106 http_state = f.alstate;
2107 if (http_state == NULL) {
2108 printf("no http state: ");
2109 result = 0;
2110 goto end;
2111 }
2112
2113 /* do detect */
2114 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2115
2116 if (!PacketAlertCheck(p, 1)) {
2117 goto end;
2118 }
2119
2120 result = 1;
2121end:
2122 if (alp_tctx != NULL)
2123 AppLayerParserThreadCtxFree(alp_tctx);
2124 if (det_ctx != NULL) {
2125 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2126 }
2127 if (de_ctx != NULL) {
2128 DetectEngineCtxFree(de_ctx);
2129 }
2130
2131 StreamTcpFreeConfig(true);
2132 UTHFreePackets(&p, 1);
2133 return result;
2134}
2135
2136/** \test Check the signature working to alert when http_cookie is not present */
2137static int DetectHttpCookieSigTest06(void)
2138{
2139 int result = 0;
2140 Flow f;
2141 uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
2142 "Cookie: DuMmY\r\n\r\n";
2143 uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2144 TcpSession ssn;
2145 Packet *p = NULL;
2146 Signature *s = NULL;
2147 ThreadVars th_v;
2148 DetectEngineThreadCtx *det_ctx = NULL;
2149 HtpState *http_state = NULL;
2150 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2151
2152 memset(&th_v, 0, sizeof(th_v));
2153 memset(&p, 0, sizeof(p));
2154 memset(&f, 0, sizeof(f));
2155 memset(&ssn, 0, sizeof(ssn));
2156
2157 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2158
2159 FLOW_INITIALIZE(&f);
2160 f.protoctx = (void *)&ssn;
2161 f.proto = IPPROTO_TCP;
2162 f.flags |= FLOW_IPV4;
2163
2164 p->flow = &f;
2165 p->flowflags |= FLOW_PKT_TOSERVER;
2166 p->flowflags |= FLOW_PKT_ESTABLISHED;
2167 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2168 f.alproto = ALPROTO_HTTP1;
2169
2170 StreamTcpInitConfig(true);
2171
2172 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2173 if (de_ctx == NULL) {
2174 goto end;
2175 }
2176
2177 de_ctx->flags |= DE_QUIET;
2178
2179 s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
2180 "\"HTTP cookie\"; content:\"dummy\"; "
2181 "http_cookie; nocase; sid:1;)");
2182 if (s == NULL) {
2183 printf("sig parse failed: ");
2184 goto end;
2185 }
2186
2187 SigGroupBuild(de_ctx);
2188 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2189
2190 int r = AppLayerParserParse(
2191 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
2192 if (r != 0) {
2193 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2194 goto end;
2195 }
2196
2197 http_state = f.alstate;
2198 if (http_state == NULL) {
2199 printf("no http state: ");
2200 goto end;
2201 }
2202
2203 /* do detect */
2204 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2205
2206 if (!PacketAlertCheck(p, 1)) {
2207 printf("sig 1 failed to match: ");
2208 goto end;
2209 }
2210
2211 result = 1;
2212end:
2213 if (alp_tctx != NULL)
2214 AppLayerParserThreadCtxFree(alp_tctx);
2215 if (det_ctx != NULL) {
2216 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2217 }
2218 if (de_ctx != NULL) {
2219 DetectEngineCtxFree(de_ctx);
2220 }
2221
2222 StreamTcpFreeConfig(true);
2223 UTHFreePackets(&p, 1);
2224 return result;
2225}
2226
2227/** \test Check the signature working to alert when http_cookie is not present */
2228static int DetectHttpCookieSigTest07(void)
2229{
2230 int result = 0;
2231 Flow f;
2232 uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
2233 "Cookie: dummy\r\n\r\n";
2234 uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2235 TcpSession ssn;
2236 Packet *p = NULL;
2237 Signature *s = NULL;
2238 ThreadVars th_v;
2239 DetectEngineThreadCtx *det_ctx = NULL;
2240 HtpState *http_state = NULL;
2241 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2242
2243 memset(&th_v, 0, sizeof(th_v));
2244 memset(&f, 0, sizeof(f));
2245 memset(&ssn, 0, sizeof(ssn));
2246
2247 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2248
2249 FLOW_INITIALIZE(&f);
2250 f.protoctx = (void *)&ssn;
2251 f.proto = IPPROTO_TCP;
2252 f.flags |= FLOW_IPV4;
2253
2254 p->flow = &f;
2255 p->flowflags |= FLOW_PKT_TOSERVER;
2256 p->flowflags |= FLOW_PKT_ESTABLISHED;
2257 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2258 f.alproto = ALPROTO_HTTP1;
2259
2260 StreamTcpInitConfig(true);
2261
2262 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2263 if (de_ctx == NULL) {
2264 goto end;
2265 }
2266
2267 de_ctx->flags |= DE_QUIET;
2268
2269 s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
2270 "\"HTTP cookie\"; content:!\"dummy\"; "
2271 "http_cookie; sid:1;)");
2272 if (s == NULL) {
2273 goto end;
2274 }
2275
2276 SigGroupBuild(de_ctx);
2277 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2278
2279 int r = AppLayerParserParse(
2280 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
2281 if (r != 0) {
2282 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2283 result = 0;
2284 goto end;
2285 }
2286
2287 http_state = f.alstate;
2288 if (http_state == NULL) {
2289 printf("no http state: ");
2290 result = 0;
2291 goto end;
2292 }
2293
2294 /* do detect */
2295 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2296
2297 if (PacketAlertCheck(p, 1)) {
2298 goto end;
2299 }
2300
2301 result = 1;
2302end:
2303 if (alp_tctx != NULL)
2304 AppLayerParserThreadCtxFree(alp_tctx);
2305 if (det_ctx != NULL) {
2306 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2307 }
2308 if (de_ctx != NULL) {
2309 DetectEngineCtxFree(de_ctx);
2310 }
2311
2312 StreamTcpFreeConfig(true);
2313 UTHFreePackets(&p, 1);
2314 return result;
2315}
2316
2317/**
2318 * \test Check the signature working to alert against set-cookie
2319 */
2320static int DetectHttpCookieSigTest08(void)
2321{
2322 int result = 0;
2323 Flow f;
2324
2325 uint8_t httpbuf_request[] =
2326 "GET / HTTP/1.1\r\n"
2327 "User-Agent: Mozilla/1.0\r\n"
2328 "\r\n";
2329 uint32_t httpbuf_request_len = sizeof(httpbuf_request) - 1; /* minus the \0 */
2330
2331 uint8_t httpbuf_response[] =
2332 "HTTP/1.1 200 OK\r\n"
2333 "Set-Cookie: response_user_agent\r\n"
2334 "\r\n";
2335 uint32_t httpbuf_response_len = sizeof(httpbuf_response) - 1; /* minus the \0 */
2336
2337 TcpSession ssn;
2338 Packet *p1 = NULL, *p2 = NULL;
2339 Signature *s = NULL;
2340 ThreadVars th_v;
2341 DetectEngineThreadCtx *det_ctx = NULL;
2342 HtpState *http_state = NULL;
2343 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2344
2345 memset(&th_v, 0, sizeof(th_v));
2346 memset(&f, 0, sizeof(f));
2347 memset(&ssn, 0, sizeof(ssn));
2348
2349 FLOW_INITIALIZE(&f);
2350 f.protoctx = (void *)&ssn;
2351 f.proto = IPPROTO_TCP;
2352 f.flags |= FLOW_IPV4;
2353 f.alproto = ALPROTO_HTTP1;
2354
2355 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2356 p1->flow = &f;
2357 p1->flowflags |= FLOW_PKT_TOSERVER;
2358 p1->flowflags |= FLOW_PKT_ESTABLISHED;
2359 p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2360
2361 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2362 p2->flow = &f;
2363 p2->flowflags |= FLOW_PKT_TOCLIENT;
2364 p2->flowflags |= FLOW_PKT_ESTABLISHED;
2365 p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2366
2367 StreamTcpInitConfig(true);
2368
2369 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2370 if (de_ctx == NULL) {
2371 goto end;
2372 }
2373
2374 de_ctx->flags |= DE_QUIET;
2375
2376 s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2377 "(flow:to_client; content:\"response_user_agent\"; "
2378 "http_cookie; sid:1;)");
2379 if (s == NULL) {
2380 goto end;
2381 }
2382
2383 SigGroupBuild(de_ctx);
2384 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2385
2386 /* request */
2387 int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf_request,
2388 httpbuf_request_len);
2389 if (r != 0) {
2390 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2391 result = 0;
2392 goto end;
2393 }
2394
2395 http_state = f.alstate;
2396 if (http_state == NULL) {
2397 printf("no http state: ");
2398 goto end;
2399 }
2400
2401 /* do detect */
2402 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2403 if (PacketAlertCheck(p1, 1)) {
2404 goto end;
2405 }
2406
2407 /* response */
2408 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf_response,
2409 httpbuf_response_len);
2410 if (r != 0) {
2411 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2412 result = 0;
2413 goto end;
2414 }
2415
2416 /* do detect */
2417 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2418 if (!PacketAlertCheck(p2, 1)) {
2419 goto end;
2420 }
2421
2422 result = 1;
2423
2424end:
2425 if (alp_tctx != NULL)
2426 AppLayerParserThreadCtxFree(alp_tctx);
2427 if (det_ctx != NULL) {
2428 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2429 }
2430 if (de_ctx != NULL) {
2431 DetectEngineCtxFree(de_ctx);
2432 }
2433
2434 StreamTcpFreeConfig(true);
2435 UTHFreePackets(&p1, 1);
2436 UTHFreePackets(&p2, 1);
2437 return result;
2438}
2439
2440/**
2441 * \test Check the signature working to alert against cookie/set-cookie
2442 */
2443static int DetectHttpCookieSigTest09(void)
2444{
2445 int result = 0;
2446 Flow f;
2447
2448 uint8_t httpbuf_request[] =
2449 "GET / HTTP/1.1\r\n"
2450 "Cookie: request_user_agent\r\n"
2451 "User-Agent: Mozilla/1.0\r\n"
2452 "\r\n";
2453 uint32_t httpbuf_request_len = sizeof(httpbuf_request) - 1; /* minus the \0 */
2454
2455 uint8_t httpbuf_response[] =
2456 "HTTP/1.1 200 OK\r\n"
2457 "Set-Cookie: response_user_agent\r\n"
2458 "\r\n";
2459 uint32_t httpbuf_response_len = sizeof(httpbuf_response) - 1; /* minus the \0 */
2460
2461 TcpSession ssn;
2462 Packet *p1 = NULL, *p2 = NULL;
2463 Signature *s = NULL;
2464 ThreadVars th_v;
2465 DetectEngineThreadCtx *det_ctx = NULL;
2466 HtpState *http_state = NULL;
2467 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2468
2469 memset(&th_v, 0, sizeof(th_v));
2470 memset(&f, 0, sizeof(f));
2471 memset(&ssn, 0, sizeof(ssn));
2472
2473 FLOW_INITIALIZE(&f);
2474 f.protoctx = (void *)&ssn;
2475 f.proto = IPPROTO_TCP;
2476 f.flags |= FLOW_IPV4;
2477 f.alproto = ALPROTO_HTTP1;
2478
2479 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2480 p1->flow = &f;
2481 p1->flowflags |= FLOW_PKT_TOSERVER;
2482 p1->flowflags |= FLOW_PKT_ESTABLISHED;
2483 p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2484
2485 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2486 p2->flow = &f;
2487 p2->flowflags |= FLOW_PKT_TOCLIENT;
2488 p2->flowflags |= FLOW_PKT_ESTABLISHED;
2489 p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2490
2491 StreamTcpInitConfig(true);
2492
2493 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2494 if (de_ctx == NULL) {
2495 goto end;
2496 }
2497
2498 de_ctx->flags |= DE_QUIET;
2499
2500 s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2501 "(flow:to_server; content:\"request_user_agent\"; "
2502 "http_cookie; sid:1;)");
2503 if (s == NULL) {
2504 goto end;
2505 }
2506 s = de_ctx->sig_list->next = SigInit(de_ctx,"alert http any any -> any any "
2507 "(flow:to_client; content:\"response_user_agent\"; "
2508 "http_cookie; sid:2;)");
2509 if (s == NULL) {
2510 goto end;
2511 }
2512
2513 SigGroupBuild(de_ctx);
2514 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2515
2516 /* request */
2517 int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf_request,
2518 httpbuf_request_len);
2519 if (r != 0) {
2520 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2521 result = 0;
2522 goto end;
2523 }
2524
2525 http_state = f.alstate;
2526 if (http_state == NULL) {
2527 printf("no http state: ");
2528 goto end;
2529 }
2530
2531 /* do detect */
2532 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2533 if (!PacketAlertCheck(p1, 1) || PacketAlertCheck(p1, 2)) {
2534 goto end;
2535 }
2536
2537 /* response */
2538 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf_response,
2539 httpbuf_response_len);
2540 if (r != 0) {
2541 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2542 result = 0;
2543 goto end;
2544 }
2545
2546 /* do detect */
2547 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2548 if (PacketAlertCheck(p2, 1) || !PacketAlertCheck(p2, 2)) {
2549 goto end;
2550 }
2551
2552 result = 1;
2553
2554end:
2555 if (alp_tctx != NULL)
2556 AppLayerParserThreadCtxFree(alp_tctx);
2557 if (det_ctx != NULL) {
2558 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2559 }
2560 if (de_ctx != NULL) {
2561 DetectEngineCtxFree(de_ctx);
2562 }
2563
2564 StreamTcpFreeConfig(true);
2565 UTHFreePackets(&p1, 1);
2566 UTHFreePackets(&p2, 1);
2567 return result;
2568}
2569
2570/**
2571 * \brief Register the UNITTESTS for the http_cookie keyword
2572 */
2573void DetectHttpCookieRegisterTests (void)
2574{
2575 UtRegisterTest("DetectHttpCookieTest01", DetectHttpCookieTest01);
2576 UtRegisterTest("DetectHttpCookieTest02", DetectHttpCookieTest02);
2577 UtRegisterTest("DetectHttpCookieSigTest01", DetectHttpCookieSigTest01);
2578 UtRegisterTest("DetectHttpCookieSigTest02", DetectHttpCookieSigTest02);
2579 UtRegisterTest("DetectHttpCookieSigTest03", DetectHttpCookieSigTest03);
2580 UtRegisterTest("DetectHttpCookieSigTest04", DetectHttpCookieSigTest04);
2581 UtRegisterTest("DetectHttpCookieSigTest05", DetectHttpCookieSigTest05);
2582 UtRegisterTest("DetectHttpCookieSigTest06", DetectHttpCookieSigTest06);
2583 UtRegisterTest("DetectHttpCookieSigTest07", DetectHttpCookieSigTest07);
2584 UtRegisterTest("DetectHttpCookieSigTest08", DetectHttpCookieSigTest08);
2585 UtRegisterTest("DetectHttpCookieSigTest09", DetectHttpCookieSigTest09);
2586 UtRegisterTest("DetectEngineHttpCookieTest01",
2587 DetectEngineHttpCookieTest01);
2588 UtRegisterTest("DetectEngineHttpCookieTest02",
2589 DetectEngineHttpCookieTest02);
2590 UtRegisterTest("DetectEngineHttpCookieTest03",
2591 DetectEngineHttpCookieTest03);
2592 UtRegisterTest("DetectEngineHttpCookieTest04",
2593 DetectEngineHttpCookieTest04);
2594 UtRegisterTest("DetectEngineHttpCookieTest05",
2595 DetectEngineHttpCookieTest05);
2596 UtRegisterTest("DetectEngineHttpCookieTest06",
2597 DetectEngineHttpCookieTest06);
2598 UtRegisterTest("DetectEngineHttpCookieTest07",
2599 DetectEngineHttpCookieTest07);
2600 UtRegisterTest("DetectEngineHttpCookieTest08",
2601 DetectEngineHttpCookieTest08);
2602 UtRegisterTest("DetectEngineHttpCookieTest09",
2603 DetectEngineHttpCookieTest09);
2604 UtRegisterTest("DetectEngineHttpCookieTest10",
2605 DetectEngineHttpCookieTest10);
2606 UtRegisterTest("DetectEngineHttpCookieTest11",
2607 DetectEngineHttpCookieTest11);
2608 UtRegisterTest("DetectEngineHttpCookieTest12",
2609 DetectEngineHttpCookieTest12);
2610 UtRegisterTest("DetectEngineHttpCookieTest13",
2611 DetectEngineHttpCookieTest13);
2612 UtRegisterTest("DetectEngineHttpCookieTest14",
2613 DetectEngineHttpCookieTest14);
2614 UtRegisterTest("DetectEngineHttpCookieTest15",
2615 DetectEngineHttpCookieTest15);
2616 UtRegisterTest("DetectEngineHttpCookieTest16",
2617 DetectEngineHttpCookieTest16);
2618 UtRegisterTest("DetectEngineHttpCookieTest17",
2619 DetectEngineHttpCookieTest17);
2620}
2621/**
2622 * @}
2623 */
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition app-layer-parser.c:297
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition app-layer-parser.c:324
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition app-layer-parser.c:1291
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition app-layer-protos.h:36
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition decode.h:1266
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition decode.h:1262
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition detect-engine-alert.c:142
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition detect-engine-build.c:2204
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition detect-engine.c:2602
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition detect-engine.c:2641
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition detect-engine.c:3372
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition detect-engine.c:3608
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition detect-parse.c:3095
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition detect.c:2420
DE_QUIET
#define DE_QUIET
Definition detect.h:330
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition flow-util.h:38
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition flow-util.h:119
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition flow.h:233
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition flow.h:235
FLOW_IPV4
#define FLOW_IPV4
Definition flow.h:100
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition flow.h:234
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition fuzz_applayerparserparse.c:23
de_ctx
DetectEngineCtx * de_ctx
Definition fuzz_siginit.c:18
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition util-unittest.c:103
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition stream-tcp.c:859
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition stream-tcp.c:488
AppLayerParserThreadCtx_
Definition app-layer-parser.c:60
DetectEngineCtx_
main detection engine ctx
Definition detect.h:932
DetectEngineCtx_::flags
uint8_t flags
Definition detect.h:934
DetectEngineCtx_::sig_list
Signature * sig_list
Definition detect.h:941
DetectEngineThreadCtx_
Definition detect.h:1244
Flow_
Flow data structure.
Definition flow.h:356
Flow_::proto
uint8_t proto
Definition flow.h:378
Flow_::flags
uint32_t flags
Definition flow.h:421
Flow_::alproto
AppProto alproto
application level protocol
Definition flow.h:450
Flow_::alstate
void * alstate
Definition flow.h:479
Flow_::protoctx
void * protoctx
Definition flow.h:441
HtpState_
Definition app-layer-htp.h:181
Packet_
Definition decode.h:501
Packet_::flowflags
uint8_t flowflags
Definition decode.h:532
Packet_::flow
struct Flow_ * flow
Definition decode.h:546
Packet_::flags
uint32_t flags
Definition decode.h:544
Signature_
Signature container.
Definition detect.h:668
Signature_::next
struct Signature_ * next
Definition detect.h:750
TcpSession_
Definition stream-tcp-private.h:283
ThreadVars_
Per thread variable structure.
Definition threadvars.h:58
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition util-unittest-helper.c:456
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition util-unittest-helper.c:365