suricata
detect-http-header.c
Go to the documentation of this file.
1/* Copyright (C) 2007-2018 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \ingroup httplayer
20 *
21 * @{
22 */
23
24
25/**
26 * \file
27 *
28 * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
29 *
30 * Implements support for http_header keyword.
31 */
32
33#include "../suricata-common.h"
34#include "../flow.h"
35#include "../flow-var.h"
36#include "../flow-util.h"
37
38#include "../app-layer.h"
39#include "../app-layer-parser.h"
40
41#include "../app-layer-htp.h"
42#include "../detect-http-header.h"
43#include "../detect-http-header-common.h"
44#include "../detect-engine-build.h"
45#include "../detect-engine-alert.h"
46
47#include "../detect-isdataat.h"
48
49#include "../stream-tcp.h"
50
51#include "../util-unittest.h"
52#include "../util-unittest-helper.h"
53
54/**
55 * \test Test parser accepting valid rules and rejecting invalid rules
56 */
57static int DetectHttpHeaderParserTest01(void)
58{
59 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (content:\"abc\"; http_header; sid:1;)", true));
60 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (content:\"abc\"; nocase; http_header; sid:1;)", true));
61 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (content:\"abc\"; endswith; http_header; sid:1;)", true));
62 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (content:\"abc\"; startswith; http_header; sid:1;)", true));
63 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (content:\"abc\"; startswith; endswith; http_header; sid:1;)", true));
64
65 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (content:\"abc\"; rawbytes; http_header; sid:1;)", false));
66 FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (http_header; sid:1;)", false));
67 FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (content:\"abc\"; http_header; sid:1;)", false));
68 PASS;
69}
70
71/**
72 * \test Test parser accepting valid rules and rejecting invalid rules
73 */
74static int DetectHttpHeaderParserTest02(void)
75{
76 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; sid:1;)", true));
77 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; nocase; sid:1;)", true));
78 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; endswith; sid:1;)", true));
79 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; startswith; sid:1;)", true));
80 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; startswith; endswith; sid:1;)", true));
81 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; bsize:10; sid:1;)", true));
82
83 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (http.header; content:\"abc\"; rawbytes; sid:1;)", false));
84 FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (http.header; sid:1;)", false));
85 FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (http.header; content:\"abc\"; sid:1;)", false));
86 PASS;
87}
88
89/**
90 *\test Test that the http_header content matches against a http request
91 * which holds the content.
92 */
93static int DetectHttpHeaderTest06(void)
94{
95 TcpSession ssn;
96 Packet *p = NULL;
97 ThreadVars th_v;
98 DetectEngineCtx *de_ctx = NULL;
99 DetectEngineThreadCtx *det_ctx = NULL;
100 HtpState *http_state = NULL;
101 Flow f;
102 uint8_t http_buf[] =
103 "GET /index.html HTTP/1.0\r\n"
104 "Host: www.openinfosecfoundation.org\r\n"
105 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
106 "Content-Type: text/html\r\n"
107 "Content-Length: 26\r\n"
108 "\r\n"
109 "This is dummy message body\r\n";
110 uint32_t http_len = sizeof(http_buf) - 1;
111 int result = 0;
112 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
113
114 memset(&th_v, 0, sizeof(th_v));
115 memset(&f, 0, sizeof(f));
116 memset(&ssn, 0, sizeof(ssn));
117
118 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
119
120 FLOW_INITIALIZE(&f);
121 f.protoctx = (void *)&ssn;
122 f.proto = IPPROTO_TCP;
123 f.flags |= FLOW_IPV4;
124 p->flow = &f;
125 p->flowflags |= FLOW_PKT_TOSERVER;
126 p->flowflags |= FLOW_PKT_ESTABLISHED;
127 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
128 f.alproto = ALPROTO_HTTP1;
129
130 StreamTcpInitConfig(true);
131
132 de_ctx = DetectEngineCtxInit();
133 if (de_ctx == NULL)
134 goto end;
135
136 de_ctx->flags |= DE_QUIET;
137
138 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
139 "(msg:\"http header test\"; "
140 "content:\"Content-Type: text/html\"; http_header; "
141 "sid:1;)");
142 if (de_ctx->sig_list == NULL)
143 goto end;
144
145 SigGroupBuild(de_ctx);
146 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
147
148 int r = AppLayerParserParse(
149 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
150 if (r != 0) {
151 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
152 result = 0;
153 goto end;
154 }
155
156 http_state = f.alstate;
157 if (http_state == NULL) {
158 printf("no http state: ");
159 result = 0;
160 goto end;
161 }
162
163 /* do detect */
164 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
165
166 if (!(PacketAlertCheck(p, 1))) {
167 printf("sid 1 didn't match but should have: ");
168 goto end;
169 }
170
171 result = 1;
172end:
173 if (alp_tctx != NULL)
174 AppLayerParserThreadCtxFree(alp_tctx);
175 if (de_ctx != NULL)
176 DetectEngineCtxFree(de_ctx);
177
178 StreamTcpFreeConfig(true);
179 FLOW_DESTROY(&f);
180 UTHFreePackets(&p, 1);
181 return result;
182}
183
184/**
185 *\test Test that the http_header content matches against a http request
186 * which holds the content.
187 */
188static int DetectHttpHeaderTest07(void)
189{
190 TcpSession ssn;
191 Packet *p1 = NULL;
192 Packet *p2 = NULL;
193 ThreadVars th_v;
194 DetectEngineThreadCtx *det_ctx = NULL;
195 Flow f;
196 uint8_t http1_buf[] =
197 "GET /index.html HTTP/1.0\r\n"
198 "Host: www.openinfosecfoundation.org\r\n"
199 "User-Agent: Mozi";
200 uint8_t http2_buf[] =
201 "lla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\nContent-Type: text/html\r\n"
202 "Content-Length: 67\r\n"
203 "\r\n"
204 "This is dummy message body1";
205 uint32_t http1_len = sizeof(http1_buf) - 1;
206 uint32_t http2_len = sizeof(http2_buf) - 1;
207
208 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
209 FAIL_IF_NULL(alp_tctx);
210
211 memset(&th_v, 0, sizeof(th_v));
212 memset(&f, 0, sizeof(f));
213 memset(&ssn, 0, sizeof(ssn));
214
215 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
216 FAIL_IF_NULL(p1);
217 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
218 FAIL_IF_NULL(p2);
219
220 FLOW_INITIALIZE(&f);
221 f.protoctx = (void *)&ssn;
222 f.proto = IPPROTO_TCP;
223 f.flags |= FLOW_IPV4;
224 p1->flow = &f;
225 p1->flowflags |= FLOW_PKT_TOSERVER;
226 p1->flowflags |= FLOW_PKT_ESTABLISHED;
227 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
228 p2->flow = &f;
229 p2->flowflags |= FLOW_PKT_TOSERVER;
230 p2->flowflags |= FLOW_PKT_ESTABLISHED;
231 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
232 f.alproto = ALPROTO_HTTP1;
233
234 StreamTcpInitConfig(true);
235
236 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
237 FAIL_IF_NULL(de_ctx);
238 de_ctx->flags |= DE_QUIET;
239
240 Signature *s = DetectEngineAppendSig(de_ctx,"alert http any any -> any any "
241 "(msg:\"http header test\"; "
242 "content:\"Mozilla\"; http_header; "
243 "sid:1;)");
244 FAIL_IF_NULL(s);
245
246 SigGroupBuild(de_ctx);
247 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
248 FAIL_IF_NULL(det_ctx);
249
250 int r = AppLayerParserParse(
251 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
252 FAIL_IF(r != 0);
253
254 HtpState *http_state = f.alstate;
255 FAIL_IF_NULL(http_state);
256
257 /* do detect */
258 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
259 FAIL_IF( (PacketAlertCheck(p1, 1)));
260
261 r = AppLayerParserParse(
262 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
263 FAIL_IF(r != 0);
264
265 /* do detect */
266 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
267
268 FAIL_IF(!(PacketAlertCheck(p2, 1)));
269
270 AppLayerParserThreadCtxFree(alp_tctx);
271 DetectEngineCtxFree(de_ctx);
272
273 StreamTcpFreeConfig(true);
274 FLOW_DESTROY(&f);
275 UTHFreePackets(&p1, 1);
276 UTHFreePackets(&p2, 1);
277 PASS;
278}
279
280/**
281 *\test Test that the http_header content matches against a http request
282 * which holds the content.
283 */
284static int DetectHttpHeaderTest08(void)
285{
286 TcpSession ssn;
287 Packet *p1 = NULL;
288 Packet *p2 = NULL;
289 ThreadVars th_v;
290 DetectEngineCtx *de_ctx = NULL;
291 DetectEngineThreadCtx *det_ctx = NULL;
292 HtpState *http_state = NULL;
293 Flow f;
294 uint8_t http1_buf[] =
295 "GET /index.html HTTP/1.0\r\n"
296 "Host: www.openinfosecfoundation.org\r\n";
297 uint8_t http2_buf[] =
298 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
299 "Content-Type: text/html\r\n"
300 "Content-Length: 67\r\n"
301 "\r\n";
302 uint32_t http1_len = sizeof(http1_buf) - 1;
303 uint32_t http2_len = sizeof(http2_buf) - 1;
304 int result = 0;
305 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
306
307 memset(&th_v, 0, sizeof(th_v));
308 memset(&f, 0, sizeof(f));
309 memset(&ssn, 0, sizeof(ssn));
310
311 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
312 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
313
314 FLOW_INITIALIZE(&f);
315 f.protoctx = (void *)&ssn;
316 f.proto = IPPROTO_TCP;
317 f.flags |= FLOW_IPV4;
318 p1->flow = &f;
319 p1->flowflags |= FLOW_PKT_TOSERVER;
320 p1->flowflags |= FLOW_PKT_ESTABLISHED;
321 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
322 p2->flow = &f;
323 p2->flowflags |= FLOW_PKT_TOSERVER;
324 p2->flowflags |= FLOW_PKT_ESTABLISHED;
325 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
326 f.alproto = ALPROTO_HTTP1;
327
328 StreamTcpInitConfig(true);
329
330 de_ctx = DetectEngineCtxInit();
331 if (de_ctx == NULL)
332 goto end;
333
334 de_ctx->flags |= DE_QUIET;
335
336 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
337 "(msg:\"http header test\"; "
338 "content:\"Gecko/20091221 Firefox/3.5.7\"; http_header; "
339 "sid:1;)");
340 if (de_ctx->sig_list == NULL)
341 goto end;
342
343 SigGroupBuild(de_ctx);
344 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
345
346 int r = AppLayerParserParse(
347 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
348 if (r != 0) {
349 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
350 result = 0;
351 goto end;
352 }
353
354 http_state = f.alstate;
355 if (http_state == NULL) {
356 printf("no http state: ");
357 result = 0;
358 goto end;
359 }
360
361 /* do detect */
362 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
363
364 if ((PacketAlertCheck(p1, 1))) {
365 printf("sid 1 didn't match but should have: ");
366 goto end;
367 }
368
369 r = AppLayerParserParse(
370 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
371 if (r != 0) {
372 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
373 result = 0;
374 goto end;
375 }
376
377 /* do detect */
378 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
379
380 if (!(PacketAlertCheck(p2, 1))) {
381 printf("sid 1 didn't match but should have: ");
382 goto end;
383 }
384
385 result = 1;
386end:
387 if (alp_tctx != NULL)
388 AppLayerParserThreadCtxFree(alp_tctx);
389 if (de_ctx != NULL)
390 DetectEngineCtxFree(de_ctx);
391
392 StreamTcpFreeConfig(true);
393 FLOW_DESTROY(&f);
394 UTHFreePackets(&p1, 1);
395 UTHFreePackets(&p2, 1);
396 return result;
397}
398
399/**
400 *\test Test that the http_header content matches against a http request
401 * which holds the content, against a cross boundary present pattern.
402 */
403static int DetectHttpHeaderTest09(void)
404{
405 TcpSession ssn;
406 Packet *p1 = NULL;
407 Packet *p2 = NULL;
408 ThreadVars th_v;
409 DetectEngineCtx *de_ctx = NULL;
410 DetectEngineThreadCtx *det_ctx = NULL;
411 HtpState *http_state = NULL;
412 Flow f;
413 uint8_t http1_buf[] =
414 "GET /index.html HTTP/1.0\r\n"
415 "Host: www.openinfosecfoundation.org\r\n"
416 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n";
417 uint8_t http2_buf[] =
418 "Content-Type: text/html\r\n"
419 "Content-Length: 67\r\n"
420 "\r\n"
421 "This is dummy body\r\n";
422 uint32_t http1_len = sizeof(http1_buf) - 1;
423 uint32_t http2_len = sizeof(http2_buf) - 1;
424 int result = 0;
425 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
426
427 memset(&th_v, 0, sizeof(th_v));
428 memset(&f, 0, sizeof(f));
429 memset(&ssn, 0, sizeof(ssn));
430
431 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
432 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
433
434 FLOW_INITIALIZE(&f);
435 f.protoctx = (void *)&ssn;
436 f.proto = IPPROTO_TCP;
437 f.flags |= FLOW_IPV4;
438 p1->flow = &f;
439 p1->flowflags |= FLOW_PKT_TOSERVER;
440 p1->flowflags |= FLOW_PKT_ESTABLISHED;
441 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
442 p2->flow = &f;
443 p2->flowflags |= FLOW_PKT_TOSERVER;
444 p2->flowflags |= FLOW_PKT_ESTABLISHED;
445 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
446 f.alproto = ALPROTO_HTTP1;
447
448 StreamTcpInitConfig(true);
449
450 de_ctx = DetectEngineCtxInit();
451 if (de_ctx == NULL)
452 goto end;
453
454 de_ctx->flags |= DE_QUIET;
455 de_ctx->mpm_matcher = mpm_default_matcher;
456
457 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
458 "(msg:\"http header test\"; "
459 "content:\"Firefox/3.5.7|0D 0A|Content\"; http_header; "
460 "sid:1;)");
461 if (de_ctx->sig_list == NULL)
462 goto end;
463
464 SigGroupBuild(de_ctx);
465 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
466
467 int r = AppLayerParserParse(
468 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
469 if (r != 0) {
470 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
471 result = 0;
472 goto end;
473 }
474
475 http_state = f.alstate;
476 if (http_state == NULL) {
477 printf("no http state: ");
478 result = 0;
479 goto end;
480 }
481
482 /* do detect */
483 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
484
485 if ((PacketAlertCheck(p1, 1))) {
486 printf("sid 1 matched but shouldn't have: ");
487 goto end;
488 }
489
490 r = AppLayerParserParse(
491 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
492 if (r != 0) {
493 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
494 result = 0;
495 goto end;
496 }
497
498 /* do detect */
499 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
500
501 if (!(PacketAlertCheck(p2, 1))) {
502 printf("sid 1 didn't match but should have: ");
503 goto end;
504 }
505
506 result = 1;
507end:
508 if (alp_tctx != NULL)
509 AppLayerParserThreadCtxFree(alp_tctx);
510 if (de_ctx != NULL)
511 DetectEngineCtxFree(de_ctx);
512
513 StreamTcpFreeConfig(true);
514 FLOW_DESTROY(&f);
515 UTHFreePackets(&p1, 1);
516 UTHFreePackets(&p2, 1);
517 return result;
518}
519
520/**
521 *\test Test that the http_header content matches against a http request
522 * against a case insensitive pattern.
523 */
524static int DetectHttpHeaderTest10(void)
525{
526 TcpSession ssn;
527 Packet *p1 = NULL;
528 Packet *p2 = NULL;
529 ThreadVars th_v;
530 DetectEngineCtx *de_ctx = NULL;
531 DetectEngineThreadCtx *det_ctx = NULL;
532 HtpState *http_state = NULL;
533 Flow f;
534 uint8_t http1_buf[] =
535 "GET /index.html HTTP/1.0\r\n"
536 "Host: www.openinfosecfoundation.org\r\n"
537 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n";
538 uint8_t http2_buf[] =
539 "Content-Type: text/html\r\n"
540 "Content-Length: 67\r\n"
541 "\r\n"
542 "This is dummy body";
543 uint32_t http1_len = sizeof(http1_buf) - 1;
544 uint32_t http2_len = sizeof(http2_buf) - 1;
545 int result = 0;
546 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
547
548 memset(&th_v, 0, sizeof(th_v));
549 memset(&f, 0, sizeof(f));
550 memset(&ssn, 0, sizeof(ssn));
551
552 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
553 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
554
555 FLOW_INITIALIZE(&f);
556 f.protoctx = (void *)&ssn;
557 f.proto = IPPROTO_TCP;
558 f.flags |= FLOW_IPV4;
559 p1->flow = &f;
560 p1->flowflags |= FLOW_PKT_TOSERVER;
561 p1->flowflags |= FLOW_PKT_ESTABLISHED;
562 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
563 p2->flow = &f;
564 p2->flowflags |= FLOW_PKT_TOSERVER;
565 p2->flowflags |= FLOW_PKT_ESTABLISHED;
566 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
567 f.alproto = ALPROTO_HTTP1;
568
569 StreamTcpInitConfig(true);
570
571 de_ctx = DetectEngineCtxInit();
572 if (de_ctx == NULL)
573 goto end;
574
575 de_ctx->flags |= DE_QUIET;
576
577 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
578 "(msg:\"http header test\"; "
579 "content:\"firefox/3.5.7|0D 0A|content\"; nocase; http_header;"
580 "sid:1;)");
581 if (de_ctx->sig_list == NULL)
582 goto end;
583
584 SigGroupBuild(de_ctx);
585 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
586
587 int r = AppLayerParserParse(
588 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
589 if (r != 0) {
590 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
591 result = 0;
592 goto end;
593 }
594
595 http_state = f.alstate;
596 if (http_state == NULL) {
597 printf("no http state: ");
598 result = 0;
599 goto end;
600 }
601
602 /* do detect */
603 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
604
605 if ((PacketAlertCheck(p1, 1))) {
606 printf("sid 1 didn't match but should have: ");
607 goto end;
608 }
609
610 r = AppLayerParserParse(
611 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
612 if (r != 0) {
613 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
614 result = 0;
615 goto end;
616 }
617
618 /* do detect */
619 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
620
621 if (!(PacketAlertCheck(p2, 1))) {
622 printf("sid 1 didn't match but should have: ");
623 goto end;
624 }
625
626 result = 1;
627end:
628 if (alp_tctx != NULL)
629 AppLayerParserThreadCtxFree(alp_tctx);
630 if (de_ctx != NULL)
631 DetectEngineCtxFree(de_ctx);
632
633 StreamTcpFreeConfig(true);
634 FLOW_DESTROY(&f);
635 UTHFreePackets(&p1, 1);
636 UTHFreePackets(&p2, 1);
637 return result;
638}
639
640/**
641 *\test Test that the negated http_header content matches against a
642 * http request which doesn't hold the content.
643 */
644static int DetectHttpHeaderTest11(void)
645{
646 TcpSession ssn;
647 Packet *p = NULL;
648 ThreadVars th_v;
649 DetectEngineCtx *de_ctx = NULL;
650 DetectEngineThreadCtx *det_ctx = NULL;
651 HtpState *http_state = NULL;
652 Flow f;
653 uint8_t http_buf[] =
654 "GET /index.html HTTP/1.0\r\n"
655 "Host: www.openinfosecfoundation.org\r\n"
656 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
657 "Content-Type: text/html\r\n"
658 "Content-Length: 26\r\n"
659 "\r\n"
660 "This is dummy message body\r\n";
661 uint32_t http_len = sizeof(http_buf) - 1;
662 int result = 0;
663 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
664
665 memset(&th_v, 0, sizeof(th_v));
666 memset(&f, 0, sizeof(f));
667 memset(&ssn, 0, sizeof(ssn));
668
669 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
670
671 FLOW_INITIALIZE(&f);
672 f.protoctx = (void *)&ssn;
673 f.proto = IPPROTO_TCP;
674 f.flags |= FLOW_IPV4;
675 p->flow = &f;
676 p->flowflags |= FLOW_PKT_TOSERVER;
677 p->flowflags |= FLOW_PKT_ESTABLISHED;
678 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
679 f.alproto = ALPROTO_HTTP1;
680
681 StreamTcpInitConfig(true);
682
683 de_ctx = DetectEngineCtxInit();
684 if (de_ctx == NULL)
685 goto end;
686
687 de_ctx->flags |= DE_QUIET;
688
689 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
690 "(msg:\"http header test\"; "
691 "content:!\"lalalalala\"; http_header; "
692 "sid:1;)");
693 if (de_ctx->sig_list == NULL)
694 goto end;
695
696 SigGroupBuild(de_ctx);
697 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
698
699 int r = AppLayerParserParse(
700 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
701 if (r != 0) {
702 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
703 result = 0;
704 goto end;
705 }
706
707 http_state = f.alstate;
708 if (http_state == NULL) {
709 printf("no http state: ");
710 result = 0;
711 goto end;
712 }
713
714 /* do detect */
715 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
716
717 if (!(PacketAlertCheck(p, 1))) {
718 printf("sid 1 didn't match but should have: ");
719 goto end;
720 }
721
722 result = 1;
723end:
724 if (alp_tctx != NULL)
725 AppLayerParserThreadCtxFree(alp_tctx);
726 if (de_ctx != NULL)
727 DetectEngineCtxFree(de_ctx);
728
729 StreamTcpFreeConfig(true);
730 FLOW_DESTROY(&f);
731 UTHFreePackets(&p, 1);
732 return result;
733}
734
735/**
736 *\test Negative test that the negated http_header content matches against a
737 * http request which holds hold the content.
738 */
739static int DetectHttpHeaderTest12(void)
740{
741 TcpSession ssn;
742 Packet *p = NULL;
743 ThreadVars th_v;
744 DetectEngineCtx *de_ctx = NULL;
745 DetectEngineThreadCtx *det_ctx = NULL;
746 HtpState *http_state = NULL;
747 Flow f;
748 uint8_t http_buf[] =
749 "GET /index.html HTTP/1.0\r\n"
750 "Host: www.openinfosecfoundation.org\r\n"
751 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
752 "Content-Type: text/html\r\n"
753 "Content-Length: 26\r\n"
754 "\r\n"
755 "This is dummy message body\r\n";
756 uint32_t http_len = sizeof(http_buf) - 1;
757 int result = 0;
758 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
759
760 memset(&th_v, 0, sizeof(th_v));
761 memset(&f, 0, sizeof(f));
762 memset(&ssn, 0, sizeof(ssn));
763
764 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
765
766 FLOW_INITIALIZE(&f);
767 f.protoctx = (void *)&ssn;
768 f.proto = IPPROTO_TCP;
769 f.flags |= FLOW_IPV4;
770 p->flow = &f;
771 p->flowflags |= FLOW_PKT_TOSERVER;
772 p->flowflags |= FLOW_PKT_ESTABLISHED;
773 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
774 f.alproto = ALPROTO_HTTP1;
775
776 StreamTcpInitConfig(true);
777
778 de_ctx = DetectEngineCtxInit();
779 if (de_ctx == NULL)
780 goto end;
781
782 de_ctx->flags |= DE_QUIET;
783
784 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
785 "(msg:\"http header test\"; "
786 "content:!\"User-Agent: Mozilla/5.0 \"; http_header; "
787 "sid:1;)");
788 if (de_ctx->sig_list == NULL)
789 goto end;
790
791 SigGroupBuild(de_ctx);
792 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
793
794 int r = AppLayerParserParse(
795 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
796 if (r != 0) {
797 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
798 result = 0;
799 goto end;
800 }
801
802 http_state = f.alstate;
803 if (http_state == NULL) {
804 printf("no http state: ");
805 result = 0;
806 goto end;
807 }
808
809 /* do detect */
810 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
811
812 if ((PacketAlertCheck(p, 1))) {
813 printf("sid 1 didn't match but should have: ");
814 goto end;
815 }
816
817 result = 1;
818end:
819 if (alp_tctx != NULL)
820 AppLayerParserThreadCtxFree(alp_tctx);
821 if (de_ctx != NULL)
822 DetectEngineCtxFree(de_ctx);
823
824 StreamTcpFreeConfig(true);
825 FLOW_DESTROY(&f);
826 UTHFreePackets(&p, 1);
827 return result;
828}
829
830/**
831 *\test Test that the http_header content matches against a http request
832 * which holds the content.
833 */
834static int DetectHttpHeaderTest13(void)
835{
836 TcpSession ssn;
837 Packet *p = NULL;
838 ThreadVars th_v;
839 DetectEngineCtx *de_ctx = NULL;
840 DetectEngineThreadCtx *det_ctx = NULL;
841 HtpState *http_state = NULL;
842 Flow f;
843 uint8_t http_buf[] =
844 "GET /index.html HTTP/1.0\r\n"
845 "Host: www.openinfosecfoundation.org\r\n"
846 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
847 "Content-Type: text/html\r\n"
848 "Content-Length: 100\r\n"
849 "\r\n"
850 "longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\r\n";
851 uint32_t http_len = sizeof(http_buf) - 1;
852 int result = 0;
853 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
854
855 memset(&th_v, 0, sizeof(th_v));
856 memset(&f, 0, sizeof(f));
857 memset(&ssn, 0, sizeof(ssn));
858
859 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
860
861 FLOW_INITIALIZE(&f);
862 f.protoctx = (void *)&ssn;
863 f.proto = IPPROTO_TCP;
864 f.flags |= FLOW_IPV4;
865
866 p->flow = &f;
867 p->flowflags |= FLOW_PKT_TOSERVER;
868 p->flowflags |= FLOW_PKT_ESTABLISHED;
869 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
870 f.alproto = ALPROTO_HTTP1;
871
872 StreamTcpInitConfig(true);
873
874 de_ctx = DetectEngineCtxInit();
875 if (de_ctx == NULL)
876 goto end;
877
878 de_ctx->flags |= DE_QUIET;
879
880 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
881 "(msg:\"http header test\"; "
882 "content:\"Host: www.openinfosecfoundation.org\"; http_header; "
883 "sid:1;)");
884 if (de_ctx->sig_list == NULL)
885 goto end;
886
887 SigGroupBuild(de_ctx);
888 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
889
890 int r = AppLayerParserParse(
891 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
892 if (r != 0) {
893 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
894 result = 0;
895 goto end;
896 }
897
898 http_state = f.alstate;
899 if (http_state == NULL) {
900 printf("no http state: ");
901 result = 0;
902 goto end;
903 }
904
905 /* do detect */
906 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
907
908 if (!(PacketAlertCheck(p, 1))) {
909 printf("sid 1 didn't match but should have: ");
910 goto end;
911 }
912
913 result = 1;
914end:
915 if (alp_tctx != NULL)
916 AppLayerParserThreadCtxFree(alp_tctx);
917 if (de_ctx != NULL)
918 DetectEngineCtxFree(de_ctx);
919
920 StreamTcpFreeConfig(true);
921 FLOW_DESTROY(&f);
922 UTHFreePackets(&p, 1);
923 return result;
924}
925
926/** \test app-layer-event:http.host_header_ambiguous should not be set
927 * \bug 640*/
928static int DetectHttpHeaderTest28(void)
929{
930 TcpSession ssn;
931 Packet *p = NULL;
932 ThreadVars th_v;
933 DetectEngineCtx *de_ctx = NULL;
934 DetectEngineThreadCtx *det_ctx = NULL;
935 Flow f;
936 uint8_t http_buf[] =
937 "POST http://xxx.intranet.local:8000/xxx HTTP/1.1\r\n"
938 "User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29\r\n"
939 "Host: xxx.intranet.local:8000\r\n"
940 "\r\n";
941 uint32_t http_len = sizeof(http_buf) - 1;
942 int result = 0;
943 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
944
945 memset(&th_v, 0, sizeof(th_v));
946 memset(&f, 0, sizeof(f));
947 memset(&ssn, 0, sizeof(ssn));
948
949 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
950
951 FLOW_INITIALIZE(&f);
952 f.protoctx = (void *)&ssn;
953 f.proto = IPPROTO_TCP;
954 f.flags |= FLOW_IPV4;
955 p->flow = &f;
956 p->flowflags |= FLOW_PKT_TOSERVER;
957 p->flowflags |= FLOW_PKT_ESTABLISHED;
958 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
959 f.alproto = ALPROTO_HTTP1;
960
961 StreamTcpInitConfig(true);
962
963 de_ctx = DetectEngineCtxInit();
964 if (de_ctx == NULL)
965 goto end;
966
967 de_ctx->flags |= DE_QUIET;
968
969 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
970 "(app-layer-event:http.host_header_ambiguous; "
971 "sid:1;)");
972 if (de_ctx->sig_list == NULL)
973 goto end;
974
975 SigGroupBuild(de_ctx);
976 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
977
978 int r = AppLayerParserParse(
979 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
980 if (r != 0) {
981 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
982 result = 0;
983 goto end;
984 }
985
986 /* do detect */
987 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
988
989 if (PacketAlertCheck(p, 1)) {
990 printf("sid 1 matched but shouldnt have: ");
991 goto end;
992 }
993
994 result = 1;
995 end:
996 if (alp_tctx != NULL)
997 AppLayerParserThreadCtxFree(alp_tctx);
998 if (de_ctx != NULL)
999 DetectEngineCtxFree(de_ctx);
1000
1001 StreamTcpFreeConfig(true);
1002 FLOW_DESTROY(&f);
1003 UTHFreePackets(&p, 1);
1004 return result;
1005}
1006
1007/** \test app-layer-event:http.host_header_ambiguous should be set
1008 * \bug 640*/
1009static int DetectHttpHeaderTest29(void)
1010{
1011 TcpSession ssn;
1012 Packet *p = NULL;
1013 ThreadVars th_v;
1014 DetectEngineCtx *de_ctx = NULL;
1015 DetectEngineThreadCtx *det_ctx = NULL;
1016 Flow f;
1017 uint8_t http_buf[] =
1018 "POST http://xxx.intranet.local:8001/xxx HTTP/1.1\r\n"
1019 "User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29\r\n"
1020 "Host: xxx.intranet.local:8000\r\n"
1021 "\r\n";
1022 uint32_t http_len = sizeof(http_buf) - 1;
1023 int result = 0;
1024 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1025
1026 memset(&th_v, 0, sizeof(th_v));
1027 memset(&f, 0, sizeof(f));
1028 memset(&ssn, 0, sizeof(ssn));
1029
1030 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1031
1032 FLOW_INITIALIZE(&f);
1033 f.protoctx = (void *)&ssn;
1034 f.proto = IPPROTO_TCP;
1035 f.flags |= FLOW_IPV4;
1036 p->flow = &f;
1037 p->flowflags |= FLOW_PKT_TOSERVER;
1038 p->flowflags |= FLOW_PKT_ESTABLISHED;
1039 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1040 f.alproto = ALPROTO_HTTP1;
1041
1042 StreamTcpInitConfig(true);
1043
1044 de_ctx = DetectEngineCtxInit();
1045 if (de_ctx == NULL)
1046 goto end;
1047
1048 de_ctx->flags |= DE_QUIET;
1049
1050 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1051 "(app-layer-event:http.host_header_ambiguous; "
1052 "sid:1;)");
1053 if (de_ctx->sig_list == NULL)
1054 goto end;
1055
1056 SigGroupBuild(de_ctx);
1057 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1058
1059 int r = AppLayerParserParse(
1060 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1061 if (r != 0) {
1062 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1063 result = 0;
1064 goto end;
1065 }
1066
1067 /* do detect */
1068 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1069
1070 if (!(PacketAlertCheck(p, 1))) {
1071 printf("sid 1 didn't match but should have: ");
1072 goto end;
1073 }
1074
1075 result = 1;
1076 end:
1077 if (alp_tctx != NULL)
1078 AppLayerParserThreadCtxFree(alp_tctx);
1079 if (de_ctx != NULL)
1080 DetectEngineCtxFree(de_ctx);
1081
1082 StreamTcpFreeConfig(true);
1083 FLOW_DESTROY(&f);
1084 UTHFreePackets(&p, 1);
1085 return result;
1086}
1087
1088/** \test app-layer-event:http.host_header_ambiguous should be set
1089 * \bug 640*/
1090static int DetectHttpHeaderTest30(void)
1091{
1092 TcpSession ssn;
1093 Packet *p = NULL;
1094 ThreadVars th_v;
1095 DetectEngineCtx *de_ctx = NULL;
1096 DetectEngineThreadCtx *det_ctx = NULL;
1097 Flow f;
1098 uint8_t http_buf[] =
1099 "POST http://xxx.intranet.local:8000/xxx HTTP/1.1\r\n"
1100 "User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29\r\n"
1101 "Host: xyz.intranet.local:8000\r\n"
1102 "\r\n";
1103 uint32_t http_len = sizeof(http_buf) - 1;
1104 int result = 0;
1105 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1106
1107 memset(&th_v, 0, sizeof(th_v));
1108 memset(&f, 0, sizeof(f));
1109 memset(&ssn, 0, sizeof(ssn));
1110
1111 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1112
1113 FLOW_INITIALIZE(&f);
1114 f.protoctx = (void *)&ssn;
1115 f.proto = IPPROTO_TCP;
1116 f.flags |= FLOW_IPV4;
1117 p->flow = &f;
1118 p->flowflags |= FLOW_PKT_TOSERVER;
1119 p->flowflags |= FLOW_PKT_ESTABLISHED;
1120 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1121 f.alproto = ALPROTO_HTTP1;
1122
1123 StreamTcpInitConfig(true);
1124
1125 de_ctx = DetectEngineCtxInit();
1126 if (de_ctx == NULL)
1127 goto end;
1128
1129 de_ctx->flags |= DE_QUIET;
1130
1131 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1132 "(app-layer-event:http.host_header_ambiguous; "
1133 "sid:1;)");
1134 if (de_ctx->sig_list == NULL)
1135 goto end;
1136
1137 SigGroupBuild(de_ctx);
1138 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1139
1140 int r = AppLayerParserParse(
1141 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1142 if (r != 0) {
1143 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1144 result = 0;
1145 goto end;
1146 }
1147
1148 /* do detect */
1149 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1150
1151 if (!(PacketAlertCheck(p, 1))) {
1152 printf("sid 1 didn't match but should have: ");
1153 goto end;
1154 }
1155
1156 result = 1;
1157 end:
1158 if (alp_tctx != NULL)
1159 AppLayerParserThreadCtxFree(alp_tctx);
1160 if (de_ctx != NULL)
1161 DetectEngineCtxFree(de_ctx);
1162
1163 StreamTcpFreeConfig(true);
1164 FLOW_DESTROY(&f);
1165 UTHFreePackets(&p, 1);
1166 return result;
1167}
1168
1169static int DetectHttpHeaderIsdataatParseTest(void)
1170{
1171 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1172 FAIL_IF_NULL(de_ctx);
1173 de_ctx->flags |= DE_QUIET;
1174
1175 Signature *s = DetectEngineAppendSig(de_ctx,
1176 "alert tcp any any -> any any ("
1177 "flow:to_server; "
1178 "content:\"one\"; http_header; "
1179 "isdataat:!4,relative; sid:1;)");
1180 FAIL_IF_NULL(s);
1181
1182 SigMatch *sm = DetectBufferGetLastSigMatch(s, g_http_header_buffer_id);
1183 FAIL_IF_NULL(sm);
1184 FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
1185
1186 DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
1187 FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
1188 FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
1189 FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
1190
1191 DetectEngineCtxFree(de_ctx);
1192 PASS;
1193}
1194
1195/**
1196 *\test Test that the http_header content matches against a http request
1197 * which holds the content.
1198 */
1199static int DetectEngineHttpHeaderTest01(void)
1200{
1201 TcpSession ssn;
1202 Packet *p = NULL;
1203 ThreadVars th_v;
1204 DetectEngineCtx *de_ctx = NULL;
1205 DetectEngineThreadCtx *det_ctx = NULL;
1206 HtpState *http_state = NULL;
1207 Flow f;
1208 uint8_t http_buf[] =
1209 "GET /index.html HTTP/1.0\r\n"
1210 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1211 uint32_t http_len = sizeof(http_buf) - 1;
1212 int result = 0;
1213 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1214
1215 memset(&th_v, 0, sizeof(th_v));
1216 memset(&f, 0, sizeof(f));
1217 memset(&ssn, 0, sizeof(ssn));
1218
1219 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1220
1221 FLOW_INITIALIZE(&f);
1222 f.protoctx = (void *)&ssn;
1223 f.proto = IPPROTO_TCP;
1224 f.flags |= FLOW_IPV4;
1225 p->flow = &f;
1226 p->flowflags |= FLOW_PKT_TOSERVER;
1227 p->flowflags |= FLOW_PKT_ESTABLISHED;
1228 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1229 f.alproto = ALPROTO_HTTP1;
1230
1231 StreamTcpInitConfig(true);
1232
1233 de_ctx = DetectEngineCtxInit();
1234 if (de_ctx == NULL)
1235 goto end;
1236
1237 de_ctx->flags |= DE_QUIET;
1238
1239 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1240 "(msg:\"http header test\"; "
1241 "content:\"one\"; http_header; "
1242 "sid:1;)");
1243 if (de_ctx->sig_list == NULL)
1244 goto end;
1245
1246 SigGroupBuild(de_ctx);
1247 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1248
1249 int r = AppLayerParserParse(
1250 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1251 if (r != 0) {
1252 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1253 result = 0;
1254 goto end;
1255 }
1256
1257 http_state = f.alstate;
1258 if (http_state == NULL) {
1259 printf("no http state: ");
1260 result = 0;
1261 goto end;
1262 }
1263
1264 /* do detect */
1265 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1266
1267 if (!(PacketAlertCheck(p, 1))) {
1268 printf("sid 1 didn't match but should have: ");
1269 goto end;
1270 }
1271
1272 result = 1;
1273end:
1274 if (alp_tctx != NULL)
1275 AppLayerParserThreadCtxFree(alp_tctx);
1276 if (de_ctx != NULL)
1277 DetectEngineCtxFree(de_ctx);
1278
1279 StreamTcpFreeConfig(true);
1280 FLOW_DESTROY(&f);
1281 UTHFreePackets(&p, 1);
1282 return result;
1283}
1284
1285/**
1286 *\test Test that the http_header content matches against a http request
1287 * which holds the content.
1288 */
1289static int DetectEngineHttpHeaderTest02(void)
1290{
1291 TcpSession ssn;
1292 Packet *p = NULL;
1293 ThreadVars th_v;
1294 DetectEngineCtx *de_ctx = NULL;
1295 DetectEngineThreadCtx *det_ctx = NULL;
1296 HtpState *http_state = NULL;
1297 Flow f;
1298 uint8_t http_buf[] =
1299 "GET /index.html HTTP/1.0\r\n"
1300 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1301 uint32_t http_len = sizeof(http_buf) - 1;
1302 int result = 0;
1303 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1304
1305 memset(&th_v, 0, sizeof(th_v));
1306 memset(&f, 0, sizeof(f));
1307 memset(&ssn, 0, sizeof(ssn));
1308
1309 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1310
1311 FLOW_INITIALIZE(&f);
1312 f.protoctx = (void *)&ssn;
1313 f.proto = IPPROTO_TCP;
1314 f.flags |= FLOW_IPV4;
1315 p->flow = &f;
1316 p->flowflags |= FLOW_PKT_TOSERVER;
1317 p->flowflags |= FLOW_PKT_ESTABLISHED;
1318 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1319 f.alproto = ALPROTO_HTTP1;
1320
1321 StreamTcpInitConfig(true);
1322
1323 de_ctx = DetectEngineCtxInit();
1324 if (de_ctx == NULL)
1325 goto end;
1326
1327 de_ctx->flags |= DE_QUIET;
1328
1329 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1330 "(msg:\"http header test\"; "
1331 "content:\"one\"; depth:15; http_header; "
1332 "sid:1;)");
1333 if (de_ctx->sig_list == NULL)
1334 goto end;
1335
1336 SigGroupBuild(de_ctx);
1337 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1338
1339 int r = AppLayerParserParse(
1340 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1341 if (r != 0) {
1342 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1343 result = 0;
1344 goto end;
1345 }
1346
1347 http_state = f.alstate;
1348 if (http_state == NULL) {
1349 printf("no http state: ");
1350 result = 0;
1351 goto end;
1352 }
1353
1354 /* do detect */
1355 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1356
1357 if (!(PacketAlertCheck(p, 1))) {
1358 printf("sid 1 didn't match but should have: ");
1359 goto end;
1360 }
1361
1362 result = 1;
1363end:
1364 if (alp_tctx != NULL)
1365 AppLayerParserThreadCtxFree(alp_tctx);
1366 if (de_ctx != NULL)
1367 DetectEngineCtxFree(de_ctx);
1368
1369 StreamTcpFreeConfig(true);
1370 FLOW_DESTROY(&f);
1371 UTHFreePackets(&p, 1);
1372 return result;
1373}
1374
1375/**
1376 *\test Test that the http_header content matches against a http request
1377 * which holds the content.
1378 */
1379static int DetectEngineHttpHeaderTest03(void)
1380{
1381 TcpSession ssn;
1382 Packet *p = NULL;
1383 ThreadVars th_v;
1384 DetectEngineCtx *de_ctx = NULL;
1385 DetectEngineThreadCtx *det_ctx = NULL;
1386 HtpState *http_state = NULL;
1387 Flow f;
1388 uint8_t http_buf[] =
1389 "GET /index.html HTTP/1.0\r\n"
1390 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1391 uint32_t http_len = sizeof(http_buf) - 1;
1392 int result = 0;
1393 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1394
1395 memset(&th_v, 0, sizeof(th_v));
1396 memset(&f, 0, sizeof(f));
1397 memset(&ssn, 0, sizeof(ssn));
1398
1399 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1400
1401 FLOW_INITIALIZE(&f);
1402 f.protoctx = (void *)&ssn;
1403 f.proto = IPPROTO_TCP;
1404 f.flags |= FLOW_IPV4;
1405 p->flow = &f;
1406 p->flowflags |= FLOW_PKT_TOSERVER;
1407 p->flowflags |= FLOW_PKT_ESTABLISHED;
1408 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1409 f.alproto = ALPROTO_HTTP1;
1410
1411 StreamTcpInitConfig(true);
1412
1413 de_ctx = DetectEngineCtxInit();
1414 if (de_ctx == NULL)
1415 goto end;
1416
1417 de_ctx->flags |= DE_QUIET;
1418
1419 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1420 "(msg:\"http header test\"; "
1421 "content:!\"one\"; depth:5; http_header; "
1422 "sid:1;)");
1423 if (de_ctx->sig_list == NULL)
1424 goto end;
1425
1426 SigGroupBuild(de_ctx);
1427 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1428
1429 int r = AppLayerParserParse(
1430 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1431 if (r != 0) {
1432 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1433 result = 0;
1434 goto end;
1435 }
1436
1437 http_state = f.alstate;
1438 if (http_state == NULL) {
1439 printf("no http state: ");
1440 result = 0;
1441 goto end;
1442 }
1443
1444 /* do detect */
1445 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1446
1447 if (!(PacketAlertCheck(p, 1))) {
1448 printf("sid 1 didn't match but should have: ");
1449 goto end;
1450 }
1451
1452 result = 1;
1453end:
1454 if (alp_tctx != NULL)
1455 AppLayerParserThreadCtxFree(alp_tctx);
1456 if (de_ctx != NULL)
1457 DetectEngineCtxFree(de_ctx);
1458
1459 StreamTcpFreeConfig(true);
1460 FLOW_DESTROY(&f);
1461 UTHFreePackets(&p, 1);
1462 return result;
1463}
1464
1465/**
1466 *\test Test that the http_header content matches against a http request
1467 * which holds the content.
1468 */
1469static int DetectEngineHttpHeaderTest04(void)
1470{
1471 TcpSession ssn;
1472 Packet *p = NULL;
1473 ThreadVars th_v;
1474 DetectEngineCtx *de_ctx = NULL;
1475 DetectEngineThreadCtx *det_ctx = NULL;
1476 HtpState *http_state = NULL;
1477 Flow f;
1478 uint8_t http_buf[] =
1479 "GET /index.html HTTP/1.0\r\n"
1480 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1481 uint32_t http_len = sizeof(http_buf) - 1;
1482 int result = 0;
1483 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1484
1485 memset(&th_v, 0, sizeof(th_v));
1486 memset(&f, 0, sizeof(f));
1487 memset(&ssn, 0, sizeof(ssn));
1488
1489 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1490
1491 FLOW_INITIALIZE(&f);
1492 f.protoctx = (void *)&ssn;
1493 f.proto = IPPROTO_TCP;
1494 f.flags |= FLOW_IPV4;
1495 p->flow = &f;
1496 p->flowflags |= FLOW_PKT_TOSERVER;
1497 p->flowflags |= FLOW_PKT_ESTABLISHED;
1498 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1499 f.alproto = ALPROTO_HTTP1;
1500
1501 StreamTcpInitConfig(true);
1502
1503 de_ctx = DetectEngineCtxInit();
1504 if (de_ctx == NULL)
1505 goto end;
1506
1507 de_ctx->flags |= DE_QUIET;
1508
1509 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1510 "(msg:\"http header test\"; "
1511 "content:\"one\"; depth:5; http_header; "
1512 "sid:1;)");
1513 if (de_ctx->sig_list == NULL)
1514 goto end;
1515
1516 SigGroupBuild(de_ctx);
1517 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1518
1519 int r = AppLayerParserParse(
1520 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1521 if (r != 0) {
1522 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1523 result = 0;
1524 goto end;
1525 }
1526
1527 http_state = f.alstate;
1528 if (http_state == NULL) {
1529 printf("no http state: ");
1530 result = 0;
1531 goto end;
1532 }
1533
1534 /* do detect */
1535 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1536
1537 if (PacketAlertCheck(p, 1)) {
1538 printf("sid 1 matched but shouldn't have: ");
1539 goto end;
1540 }
1541
1542 result = 1;
1543end:
1544 if (alp_tctx != NULL)
1545 AppLayerParserThreadCtxFree(alp_tctx);
1546 if (de_ctx != NULL)
1547 DetectEngineCtxFree(de_ctx);
1548
1549 StreamTcpFreeConfig(true);
1550 FLOW_DESTROY(&f);
1551 UTHFreePackets(&p, 1);
1552 return result;
1553}
1554
1555/**
1556 *\test Test that the http_header content matches against a http request
1557 * which holds the content.
1558 */
1559static int DetectEngineHttpHeaderTest05(void)
1560{
1561 TcpSession ssn;
1562 Packet *p = NULL;
1563 ThreadVars th_v;
1564 DetectEngineCtx *de_ctx = NULL;
1565 DetectEngineThreadCtx *det_ctx = NULL;
1566 HtpState *http_state = NULL;
1567 Flow f;
1568 uint8_t http_buf[] =
1569 "GET /index.html HTTP/1.0\r\n"
1570 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1571 uint32_t http_len = sizeof(http_buf) - 1;
1572 int result = 0;
1573 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1574
1575 memset(&th_v, 0, sizeof(th_v));
1576 memset(&f, 0, sizeof(f));
1577 memset(&ssn, 0, sizeof(ssn));
1578
1579 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1580
1581 FLOW_INITIALIZE(&f);
1582 f.protoctx = (void *)&ssn;
1583 f.proto = IPPROTO_TCP;
1584 f.flags |= FLOW_IPV4;
1585 p->flow = &f;
1586 p->flowflags |= FLOW_PKT_TOSERVER;
1587 p->flowflags |= FLOW_PKT_ESTABLISHED;
1588 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1589 f.alproto = ALPROTO_HTTP1;
1590
1591 StreamTcpInitConfig(true);
1592
1593 de_ctx = DetectEngineCtxInit();
1594 if (de_ctx == NULL)
1595 goto end;
1596
1597 de_ctx->flags |= DE_QUIET;
1598
1599 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1600 "(msg:\"http header test\"; "
1601 "content:!\"one\"; depth:15; http_header; "
1602 "sid:1;)");
1603 if (de_ctx->sig_list == NULL)
1604 goto end;
1605
1606 SigGroupBuild(de_ctx);
1607 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1608
1609 int r = AppLayerParserParse(
1610 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1611 if (r != 0) {
1612 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1613 result = 0;
1614 goto end;
1615 }
1616
1617 http_state = f.alstate;
1618 if (http_state == NULL) {
1619 printf("no http state: ");
1620 result = 0;
1621 goto end;
1622 }
1623
1624 /* do detect */
1625 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1626
1627 if (PacketAlertCheck(p, 1)) {
1628 printf("sid 1 matched but shouldn't have: ");
1629 goto end;
1630 }
1631
1632 result = 1;
1633end:
1634 if (alp_tctx != NULL)
1635 AppLayerParserThreadCtxFree(alp_tctx);
1636 if (de_ctx != NULL)
1637 DetectEngineCtxFree(de_ctx);
1638
1639 StreamTcpFreeConfig(true);
1640 FLOW_DESTROY(&f);
1641 UTHFreePackets(&p, 1);
1642 return result;
1643}
1644
1645/**
1646 *\test Test that the http_header content matches against a http request
1647 * which holds the content.
1648 */
1649static int DetectEngineHttpHeaderTest06(void)
1650{
1651 TcpSession ssn;
1652 Packet *p = NULL;
1653 ThreadVars th_v;
1654 DetectEngineCtx *de_ctx = NULL;
1655 DetectEngineThreadCtx *det_ctx = NULL;
1656 HtpState *http_state = NULL;
1657 Flow f;
1658 uint8_t http_buf[] =
1659 "GET /index.html HTTP/1.0\r\n"
1660 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1661 uint32_t http_len = sizeof(http_buf) - 1;
1662 int result = 0;
1663 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1664
1665 memset(&th_v, 0, sizeof(th_v));
1666 memset(&f, 0, sizeof(f));
1667 memset(&ssn, 0, sizeof(ssn));
1668
1669 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1670
1671 FLOW_INITIALIZE(&f);
1672 f.protoctx = (void *)&ssn;
1673 f.proto = IPPROTO_TCP;
1674 f.flags |= FLOW_IPV4;
1675 p->flow = &f;
1676 p->flowflags |= FLOW_PKT_TOSERVER;
1677 p->flowflags |= FLOW_PKT_ESTABLISHED;
1678 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1679 f.alproto = ALPROTO_HTTP1;
1680
1681 StreamTcpInitConfig(true);
1682
1683 de_ctx = DetectEngineCtxInit();
1684 if (de_ctx == NULL)
1685 goto end;
1686
1687 de_ctx->flags |= DE_QUIET;
1688
1689 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1690 "(msg:\"http header test\"; "
1691 "content:\"one\"; offset:10; http_header; "
1692 "sid:1;)");
1693 if (de_ctx->sig_list == NULL)
1694 goto end;
1695
1696 SigGroupBuild(de_ctx);
1697 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1698
1699 int r = AppLayerParserParse(
1700 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1701 if (r != 0) {
1702 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1703 result = 0;
1704 goto end;
1705 }
1706
1707 http_state = f.alstate;
1708 if (http_state == NULL) {
1709 printf("no http state: ");
1710 result = 0;
1711 goto end;
1712 }
1713
1714 /* do detect */
1715 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1716
1717 if (!(PacketAlertCheck(p, 1))) {
1718 printf("sid 1 didn't match but should have: ");
1719 goto end;
1720 }
1721
1722 result = 1;
1723end:
1724 if (alp_tctx != NULL)
1725 AppLayerParserThreadCtxFree(alp_tctx);
1726 if (de_ctx != NULL)
1727 DetectEngineCtxFree(de_ctx);
1728
1729 StreamTcpFreeConfig(true);
1730 FLOW_DESTROY(&f);
1731 UTHFreePackets(&p, 1);
1732 return result;
1733}
1734
1735/**
1736 *\test Test that the http_header content matches against a http request
1737 * which holds the content.
1738 */
1739static int DetectEngineHttpHeaderTest07(void)
1740{
1741 TcpSession ssn;
1742 Packet *p = NULL;
1743 ThreadVars th_v;
1744 DetectEngineCtx *de_ctx = NULL;
1745 DetectEngineThreadCtx *det_ctx = NULL;
1746 HtpState *http_state = NULL;
1747 Flow f;
1748 uint8_t http_buf[] =
1749 "GET /index.html HTTP/1.0\r\n"
1750 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1751 uint32_t http_len = sizeof(http_buf) - 1;
1752 int result = 0;
1753 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1754
1755 memset(&th_v, 0, sizeof(th_v));
1756 memset(&f, 0, sizeof(f));
1757 memset(&ssn, 0, sizeof(ssn));
1758
1759 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1760
1761 FLOW_INITIALIZE(&f);
1762 f.protoctx = (void *)&ssn;
1763 f.proto = IPPROTO_TCP;
1764 f.flags |= FLOW_IPV4;
1765 p->flow = &f;
1766 p->flowflags |= FLOW_PKT_TOSERVER;
1767 p->flowflags |= FLOW_PKT_ESTABLISHED;
1768 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1769 f.alproto = ALPROTO_HTTP1;
1770
1771 StreamTcpInitConfig(true);
1772
1773 de_ctx = DetectEngineCtxInit();
1774 if (de_ctx == NULL)
1775 goto end;
1776
1777 de_ctx->flags |= DE_QUIET;
1778
1779 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1780 "(msg:\"http header test\"; "
1781 "content:!\"one\"; offset:15; http_header; "
1782 "sid:1;)");
1783 if (de_ctx->sig_list == NULL)
1784 goto end;
1785
1786 SigGroupBuild(de_ctx);
1787 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1788
1789 int r = AppLayerParserParse(
1790 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1791 if (r != 0) {
1792 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1793 result = 0;
1794 goto end;
1795 }
1796
1797 http_state = f.alstate;
1798 if (http_state == NULL) {
1799 printf("no http state: ");
1800 result = 0;
1801 goto end;
1802 }
1803
1804 /* do detect */
1805 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1806
1807 if (!(PacketAlertCheck(p, 1))) {
1808 printf("sid 1 didn't match but should have: ");
1809 goto end;
1810 }
1811
1812 result = 1;
1813end:
1814 if (alp_tctx != NULL)
1815 AppLayerParserThreadCtxFree(alp_tctx);
1816 if (de_ctx != NULL)
1817 DetectEngineCtxFree(de_ctx);
1818
1819 StreamTcpFreeConfig(true);
1820 FLOW_DESTROY(&f);
1821 UTHFreePackets(&p, 1);
1822 return result;
1823}
1824
1825/**
1826 *\test Test that the http_header content matches against a http request
1827 * which holds the content.
1828 */
1829static int DetectEngineHttpHeaderTest08(void)
1830{
1831 TcpSession ssn;
1832 Packet *p = NULL;
1833 ThreadVars th_v;
1834 DetectEngineCtx *de_ctx = NULL;
1835 DetectEngineThreadCtx *det_ctx = NULL;
1836 HtpState *http_state = NULL;
1837 Flow f;
1838 uint8_t http_buf[] =
1839 "GET /index.html HTTP/1.0\r\n"
1840 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1841 uint32_t http_len = sizeof(http_buf) - 1;
1842 int result = 0;
1843 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1844
1845 memset(&th_v, 0, sizeof(th_v));
1846 memset(&f, 0, sizeof(f));
1847 memset(&ssn, 0, sizeof(ssn));
1848
1849 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1850
1851 FLOW_INITIALIZE(&f);
1852 f.protoctx = (void *)&ssn;
1853 f.proto = IPPROTO_TCP;
1854 f.flags |= FLOW_IPV4;
1855 p->flow = &f;
1856 p->flowflags |= FLOW_PKT_TOSERVER;
1857 p->flowflags |= FLOW_PKT_ESTABLISHED;
1858 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1859 f.alproto = ALPROTO_HTTP1;
1860
1861 StreamTcpInitConfig(true);
1862
1863 de_ctx = DetectEngineCtxInit();
1864 if (de_ctx == NULL)
1865 goto end;
1866
1867 de_ctx->flags |= DE_QUIET;
1868
1869 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1870 "(msg:\"http header test\"; "
1871 "content:\"one\"; offset:15; http_header; "
1872 "sid:1;)");
1873 if (de_ctx->sig_list == NULL)
1874 goto end;
1875
1876 SigGroupBuild(de_ctx);
1877 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1878
1879 int r = AppLayerParserParse(
1880 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1881 if (r != 0) {
1882 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1883 result = 0;
1884 goto end;
1885 }
1886
1887 http_state = f.alstate;
1888 if (http_state == NULL) {
1889 printf("no http state: ");
1890 result = 0;
1891 goto end;
1892 }
1893
1894 /* do detect */
1895 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1896
1897 if (PacketAlertCheck(p, 1)) {
1898 printf("sid 1 matched but shouldn't have: ");
1899 goto end;
1900 }
1901
1902 result = 1;
1903end:
1904 if (alp_tctx != NULL)
1905 AppLayerParserThreadCtxFree(alp_tctx);
1906 if (de_ctx != NULL)
1907 DetectEngineCtxFree(de_ctx);
1908
1909 StreamTcpFreeConfig(true);
1910 FLOW_DESTROY(&f);
1911 UTHFreePackets(&p, 1);
1912 return result;
1913}
1914
1915/**
1916 *\test Test that the http_header content matches against a http request
1917 * which holds the content.
1918 */
1919static int DetectEngineHttpHeaderTest09(void)
1920{
1921 TcpSession ssn;
1922 Packet *p = NULL;
1923 ThreadVars th_v;
1924 DetectEngineCtx *de_ctx = NULL;
1925 DetectEngineThreadCtx *det_ctx = NULL;
1926 HtpState *http_state = NULL;
1927 Flow f;
1928 uint8_t http_buf[] =
1929 "GET /index.html HTTP/1.0\r\n"
1930 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1931 uint32_t http_len = sizeof(http_buf) - 1;
1932 int result = 0;
1933 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1934
1935 memset(&th_v, 0, sizeof(th_v));
1936 memset(&f, 0, sizeof(f));
1937 memset(&ssn, 0, sizeof(ssn));
1938
1939 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1940
1941 FLOW_INITIALIZE(&f);
1942 f.protoctx = (void *)&ssn;
1943 f.proto = IPPROTO_TCP;
1944 f.flags |= FLOW_IPV4;
1945 p->flow = &f;
1946 p->flowflags |= FLOW_PKT_TOSERVER;
1947 p->flowflags |= FLOW_PKT_ESTABLISHED;
1948 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1949 f.alproto = ALPROTO_HTTP1;
1950
1951 StreamTcpInitConfig(true);
1952
1953 de_ctx = DetectEngineCtxInit();
1954 if (de_ctx == NULL)
1955 goto end;
1956
1957 de_ctx->flags |= DE_QUIET;
1958
1959 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1960 "(msg:\"http header test\"; "
1961 "content:!\"one\"; offset:10; http_header; "
1962 "sid:1;)");
1963 if (de_ctx->sig_list == NULL)
1964 goto end;
1965
1966 SigGroupBuild(de_ctx);
1967 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1968
1969 int r = AppLayerParserParse(
1970 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1971 if (r != 0) {
1972 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1973 result = 0;
1974 goto end;
1975 }
1976
1977 http_state = f.alstate;
1978 if (http_state == NULL) {
1979 printf("no http state: ");
1980 result = 0;
1981 goto end;
1982 }
1983
1984 /* do detect */
1985 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1986
1987 if (PacketAlertCheck(p, 1)) {
1988 printf("sid 1 matched but shouldn't have: ");
1989 goto end;
1990 }
1991
1992 result = 1;
1993end:
1994 if (alp_tctx != NULL)
1995 AppLayerParserThreadCtxFree(alp_tctx);
1996 if (de_ctx != NULL)
1997 DetectEngineCtxFree(de_ctx);
1998
1999 StreamTcpFreeConfig(true);
2000 FLOW_DESTROY(&f);
2001 UTHFreePackets(&p, 1);
2002 return result;
2003}
2004
2005/**
2006 *\test Test that the http_header content matches against a http request
2007 * which holds the content.
2008 */
2009static int DetectEngineHttpHeaderTest10(void)
2010{
2011 TcpSession ssn;
2012 Packet *p = NULL;
2013 ThreadVars th_v;
2014 DetectEngineCtx *de_ctx = NULL;
2015 DetectEngineThreadCtx *det_ctx = NULL;
2016 HtpState *http_state = NULL;
2017 Flow f;
2018 uint8_t http_buf[] =
2019 "GET /index.html HTTP/1.0\r\n"
2020 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2021 uint32_t http_len = sizeof(http_buf) - 1;
2022 int result = 0;
2023 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2024
2025 memset(&th_v, 0, sizeof(th_v));
2026 memset(&f, 0, sizeof(f));
2027 memset(&ssn, 0, sizeof(ssn));
2028
2029 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2030
2031 FLOW_INITIALIZE(&f);
2032 f.protoctx = (void *)&ssn;
2033 f.proto = IPPROTO_TCP;
2034 f.flags |= FLOW_IPV4;
2035 p->flow = &f;
2036 p->flowflags |= FLOW_PKT_TOSERVER;
2037 p->flowflags |= FLOW_PKT_ESTABLISHED;
2038 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2039 f.alproto = ALPROTO_HTTP1;
2040
2041 StreamTcpInitConfig(true);
2042
2043 de_ctx = DetectEngineCtxInit();
2044 if (de_ctx == NULL)
2045 goto end;
2046
2047 de_ctx->flags |= DE_QUIET;
2048
2049 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2050 "(msg:\"http header test\"; "
2051 "content:\"one\"; http_header; content:\"three\"; http_header; within:10; "
2052 "sid:1;)");
2053 if (de_ctx->sig_list == NULL)
2054 goto end;
2055
2056 SigGroupBuild(de_ctx);
2057 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2058
2059 int r = AppLayerParserParse(
2060 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2061 if (r != 0) {
2062 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2063 result = 0;
2064 goto end;
2065 }
2066
2067 http_state = f.alstate;
2068 if (http_state == NULL) {
2069 printf("no http state: ");
2070 result = 0;
2071 goto end;
2072 }
2073
2074 /* do detect */
2075 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2076
2077 if (!(PacketAlertCheck(p, 1))) {
2078 printf("sid 1 didn't match but should have: ");
2079 goto end;
2080 }
2081
2082 result = 1;
2083end:
2084 if (alp_tctx != NULL)
2085 AppLayerParserThreadCtxFree(alp_tctx);
2086 if (de_ctx != NULL)
2087 DetectEngineCtxFree(de_ctx);
2088
2089 StreamTcpFreeConfig(true);
2090 FLOW_DESTROY(&f);
2091 UTHFreePackets(&p, 1);
2092 return result;
2093}
2094
2095/**
2096 *\test Test that the http_header content matches against a http request
2097 * which holds the content.
2098 */
2099static int DetectEngineHttpHeaderTest11(void)
2100{
2101 TcpSession ssn;
2102 Packet *p = NULL;
2103 ThreadVars th_v;
2104 DetectEngineCtx *de_ctx = NULL;
2105 DetectEngineThreadCtx *det_ctx = NULL;
2106 HtpState *http_state = NULL;
2107 Flow f;
2108 uint8_t http_buf[] =
2109 "GET /index.html HTTP/1.0\r\n"
2110 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2111 uint32_t http_len = sizeof(http_buf) - 1;
2112 int result = 0;
2113 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2114
2115 memset(&th_v, 0, sizeof(th_v));
2116 memset(&f, 0, sizeof(f));
2117 memset(&ssn, 0, sizeof(ssn));
2118
2119 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2120
2121 FLOW_INITIALIZE(&f);
2122 f.protoctx = (void *)&ssn;
2123 f.proto = IPPROTO_TCP;
2124 f.flags |= FLOW_IPV4;
2125 p->flow = &f;
2126 p->flowflags |= FLOW_PKT_TOSERVER;
2127 p->flowflags |= FLOW_PKT_ESTABLISHED;
2128 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2129 f.alproto = ALPROTO_HTTP1;
2130
2131 StreamTcpInitConfig(true);
2132
2133 de_ctx = DetectEngineCtxInit();
2134 if (de_ctx == NULL)
2135 goto end;
2136
2137 de_ctx->flags |= DE_QUIET;
2138
2139 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2140 "(msg:\"http header test\"; "
2141 "content:\"one\"; http_header; content:!\"three\"; http_header; within:5; "
2142 "sid:1;)");
2143 if (de_ctx->sig_list == NULL)
2144 goto end;
2145
2146 SigGroupBuild(de_ctx);
2147 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2148
2149 int r = AppLayerParserParse(
2150 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2151 if (r != 0) {
2152 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2153 result = 0;
2154 goto end;
2155 }
2156
2157 http_state = f.alstate;
2158 if (http_state == NULL) {
2159 printf("no http state: ");
2160 result = 0;
2161 goto end;
2162 }
2163
2164 /* do detect */
2165 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2166
2167 if (!(PacketAlertCheck(p, 1))) {
2168 printf("sid 1 didn't match but should have: ");
2169 goto end;
2170 }
2171
2172 result = 1;
2173end:
2174 if (alp_tctx != NULL)
2175 AppLayerParserThreadCtxFree(alp_tctx);
2176 if (de_ctx != NULL)
2177 DetectEngineCtxFree(de_ctx);
2178
2179 StreamTcpFreeConfig(true);
2180 FLOW_DESTROY(&f);
2181 UTHFreePackets(&p, 1);
2182 return result;
2183}
2184
2185/**
2186 *\test Test that the http_header content matches against a http request
2187 * which holds the content.
2188 */
2189static int DetectEngineHttpHeaderTest12(void)
2190{
2191 TcpSession ssn;
2192 Packet *p = NULL;
2193 ThreadVars th_v;
2194 DetectEngineCtx *de_ctx = NULL;
2195 DetectEngineThreadCtx *det_ctx = NULL;
2196 HtpState *http_state = NULL;
2197 Flow f;
2198 uint8_t http_buf[] =
2199 "GET /index.html HTTP/1.0\r\n"
2200 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2201 uint32_t http_len = sizeof(http_buf) - 1;
2202 int result = 0;
2203 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2204
2205 memset(&th_v, 0, sizeof(th_v));
2206 memset(&f, 0, sizeof(f));
2207 memset(&ssn, 0, sizeof(ssn));
2208
2209 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2210
2211 FLOW_INITIALIZE(&f);
2212 f.protoctx = (void *)&ssn;
2213 f.proto = IPPROTO_TCP;
2214 f.flags |= FLOW_IPV4;
2215 p->flow = &f;
2216 p->flowflags |= FLOW_PKT_TOSERVER;
2217 p->flowflags |= FLOW_PKT_ESTABLISHED;
2218 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2219 f.alproto = ALPROTO_HTTP1;
2220
2221 StreamTcpInitConfig(true);
2222
2223 de_ctx = DetectEngineCtxInit();
2224 if (de_ctx == NULL)
2225 goto end;
2226
2227 de_ctx->flags |= DE_QUIET;
2228
2229 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2230 "(msg:\"http header test\"; "
2231 "content:\"one\"; http_header; content:!\"three\"; http_header; within:10; "
2232 "sid:1;)");
2233 if (de_ctx->sig_list == NULL)
2234 goto end;
2235
2236 SigGroupBuild(de_ctx);
2237 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2238
2239 int r = AppLayerParserParse(
2240 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2241 if (r != 0) {
2242 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2243 result = 0;
2244 goto end;
2245 }
2246
2247 http_state = f.alstate;
2248 if (http_state == NULL) {
2249 printf("no http state: ");
2250 result = 0;
2251 goto end;
2252 }
2253
2254 /* do detect */
2255 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2256
2257 if (PacketAlertCheck(p, 1)) {
2258 printf("sid 1 matched but shouldn't have: ");
2259 goto end;
2260 }
2261
2262 result = 1;
2263end:
2264 if (alp_tctx != NULL)
2265 AppLayerParserThreadCtxFree(alp_tctx);
2266 if (de_ctx != NULL)
2267 DetectEngineCtxFree(de_ctx);
2268
2269 StreamTcpFreeConfig(true);
2270 FLOW_DESTROY(&f);
2271 UTHFreePackets(&p, 1);
2272 return result;
2273}
2274
2275/**
2276 *\test Test that the http_header content matches against a http request
2277 * which holds the content.
2278 */
2279static int DetectEngineHttpHeaderTest13(void)
2280{
2281 TcpSession ssn;
2282 Packet *p = NULL;
2283 ThreadVars th_v;
2284 DetectEngineCtx *de_ctx = NULL;
2285 DetectEngineThreadCtx *det_ctx = NULL;
2286 HtpState *http_state = NULL;
2287 Flow f;
2288 uint8_t http_buf[] =
2289 "GET /index.html HTTP/1.0\r\n"
2290 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2291 uint32_t http_len = sizeof(http_buf) - 1;
2292 int result = 0;
2293 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2294
2295 memset(&th_v, 0, sizeof(th_v));
2296 memset(&f, 0, sizeof(f));
2297 memset(&ssn, 0, sizeof(ssn));
2298
2299 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2300
2301 FLOW_INITIALIZE(&f);
2302 f.protoctx = (void *)&ssn;
2303 f.proto = IPPROTO_TCP;
2304 f.flags |= FLOW_IPV4;
2305 p->flow = &f;
2306 p->flowflags |= FLOW_PKT_TOSERVER;
2307 p->flowflags |= FLOW_PKT_ESTABLISHED;
2308 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2309 f.alproto = ALPROTO_HTTP1;
2310
2311 StreamTcpInitConfig(true);
2312
2313 de_ctx = DetectEngineCtxInit();
2314 if (de_ctx == NULL)
2315 goto end;
2316
2317 de_ctx->flags |= DE_QUIET;
2318
2319 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2320 "(msg:\"http header test\"; "
2321 "content:\"one\"; http_header; content:\"three\"; http_header; within:5; "
2322 "sid:1;)");
2323 if (de_ctx->sig_list == NULL)
2324 goto end;
2325
2326 SigGroupBuild(de_ctx);
2327 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2328
2329 int r = AppLayerParserParse(
2330 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2331 if (r != 0) {
2332 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2333 result = 0;
2334 goto end;
2335 }
2336
2337 http_state = f.alstate;
2338 if (http_state == NULL) {
2339 printf("no http state: ");
2340 result = 0;
2341 goto end;
2342 }
2343
2344 /* do detect */
2345 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2346
2347 if (PacketAlertCheck(p, 1)) {
2348 printf("sid 1 matched but shouldn't have: ");
2349 goto end;
2350 }
2351
2352 result = 1;
2353end:
2354 if (alp_tctx != NULL)
2355 AppLayerParserThreadCtxFree(alp_tctx);
2356 if (de_ctx != NULL)
2357 DetectEngineCtxFree(de_ctx);
2358
2359 StreamTcpFreeConfig(true);
2360 FLOW_DESTROY(&f);
2361 UTHFreePackets(&p, 1);
2362 return result;
2363}
2364
2365/**
2366 *\test Test that the http_header content matches against a http request
2367 * which holds the content.
2368 */
2369static int DetectEngineHttpHeaderTest14(void)
2370{
2371 TcpSession ssn;
2372 Packet *p = NULL;
2373 ThreadVars th_v;
2374 DetectEngineCtx *de_ctx = NULL;
2375 DetectEngineThreadCtx *det_ctx = NULL;
2376 HtpState *http_state = NULL;
2377 Flow f;
2378 uint8_t http_buf[] =
2379 "GET /index.html HTTP/1.0\r\n"
2380 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2381 uint32_t http_len = sizeof(http_buf) - 1;
2382 int result = 0;
2383 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2384
2385 memset(&th_v, 0, sizeof(th_v));
2386 memset(&f, 0, sizeof(f));
2387 memset(&ssn, 0, sizeof(ssn));
2388
2389 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2390
2391 FLOW_INITIALIZE(&f);
2392 f.protoctx = (void *)&ssn;
2393 f.proto = IPPROTO_TCP;
2394 f.flags |= FLOW_IPV4;
2395 p->flow = &f;
2396 p->flowflags |= FLOW_PKT_TOSERVER;
2397 p->flowflags |= FLOW_PKT_ESTABLISHED;
2398 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2399 f.alproto = ALPROTO_HTTP1;
2400
2401 StreamTcpInitConfig(true);
2402
2403 de_ctx = DetectEngineCtxInit();
2404 if (de_ctx == NULL)
2405 goto end;
2406
2407 de_ctx->flags |= DE_QUIET;
2408
2409 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2410 "(msg:\"http header test\"; "
2411 "content:\"one\"; http_header; content:\"five\"; http_header; distance:7; "
2412 "sid:1;)");
2413 if (de_ctx->sig_list == NULL)
2414 goto end;
2415
2416 SigGroupBuild(de_ctx);
2417 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2418
2419 int r = AppLayerParserParse(
2420 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2421 if (r != 0) {
2422 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2423 result = 0;
2424 goto end;
2425 }
2426
2427 http_state = f.alstate;
2428 if (http_state == NULL) {
2429 printf("no http state: ");
2430 result = 0;
2431 goto end;
2432 }
2433
2434 /* do detect */
2435 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2436
2437 if (!(PacketAlertCheck(p, 1))) {
2438 printf("sid 1 didn't match but should have: ");
2439 goto end;
2440 }
2441
2442 result = 1;
2443end:
2444 if (alp_tctx != NULL)
2445 AppLayerParserThreadCtxFree(alp_tctx);
2446 if (de_ctx != NULL)
2447 DetectEngineCtxFree(de_ctx);
2448
2449 StreamTcpFreeConfig(true);
2450 FLOW_DESTROY(&f);
2451 UTHFreePackets(&p, 1);
2452 return result;
2453}
2454
2455/**
2456 *\test Test that the http_header content matches against a http request
2457 * which holds the content.
2458 */
2459static int DetectEngineHttpHeaderTest15(void)
2460{
2461 TcpSession ssn;
2462 Packet *p = NULL;
2463 ThreadVars th_v;
2464 DetectEngineCtx *de_ctx = NULL;
2465 DetectEngineThreadCtx *det_ctx = NULL;
2466 HtpState *http_state = NULL;
2467 Flow f;
2468 uint8_t http_buf[] =
2469 "GET /index.html HTTP/1.0\r\n"
2470 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2471 uint32_t http_len = sizeof(http_buf) - 1;
2472 int result = 0;
2473 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2474
2475 memset(&th_v, 0, sizeof(th_v));
2476 memset(&f, 0, sizeof(f));
2477 memset(&ssn, 0, sizeof(ssn));
2478
2479 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2480
2481 FLOW_INITIALIZE(&f);
2482 f.protoctx = (void *)&ssn;
2483 f.proto = IPPROTO_TCP;
2484 f.flags |= FLOW_IPV4;
2485 p->flow = &f;
2486 p->flowflags |= FLOW_PKT_TOSERVER;
2487 p->flowflags |= FLOW_PKT_ESTABLISHED;
2488 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2489 f.alproto = ALPROTO_HTTP1;
2490
2491 StreamTcpInitConfig(true);
2492
2493 de_ctx = DetectEngineCtxInit();
2494 if (de_ctx == NULL)
2495 goto end;
2496
2497 de_ctx->flags |= DE_QUIET;
2498
2499 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2500 "(msg:\"http header test\"; "
2501 "content:\"one\"; http_header; content:!\"five\"; http_header; distance:15; "
2502 "sid:1;)");
2503 if (de_ctx->sig_list == NULL)
2504 goto end;
2505
2506 SigGroupBuild(de_ctx);
2507 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2508
2509 int r = AppLayerParserParse(
2510 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2511 if (r != 0) {
2512 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2513 result = 0;
2514 goto end;
2515 }
2516
2517 http_state = f.alstate;
2518 if (http_state == NULL) {
2519 printf("no http state: ");
2520 result = 0;
2521 goto end;
2522 }
2523
2524 /* do detect */
2525 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2526
2527 if (!(PacketAlertCheck(p, 1))) {
2528 printf("sid 1 didn't match but should have: ");
2529 goto end;
2530 }
2531
2532 result = 1;
2533end:
2534 if (alp_tctx != NULL)
2535 AppLayerParserThreadCtxFree(alp_tctx);
2536 if (de_ctx != NULL)
2537 DetectEngineCtxFree(de_ctx);
2538
2539 StreamTcpFreeConfig(true);
2540 FLOW_DESTROY(&f);
2541 UTHFreePackets(&p, 1);
2542 return result;
2543}
2544
2545/**
2546 *\test Test that the http_header content matches against a http request
2547 * which holds the content.
2548 */
2549static int DetectEngineHttpHeaderTest16(void)
2550{
2551 TcpSession ssn;
2552 Packet *p = NULL;
2553 ThreadVars th_v;
2554 DetectEngineCtx *de_ctx = NULL;
2555 DetectEngineThreadCtx *det_ctx = NULL;
2556 HtpState *http_state = NULL;
2557 Flow f;
2558 uint8_t http_buf[] =
2559 "GET /index.html HTTP/1.0\r\n"
2560 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2561 uint32_t http_len = sizeof(http_buf) - 1;
2562 int result = 0;
2563 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2564
2565 memset(&th_v, 0, sizeof(th_v));
2566 memset(&f, 0, sizeof(f));
2567 memset(&ssn, 0, sizeof(ssn));
2568
2569 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2570
2571 FLOW_INITIALIZE(&f);
2572 f.protoctx = (void *)&ssn;
2573 f.proto = IPPROTO_TCP;
2574 f.flags |= FLOW_IPV4;
2575 p->flow = &f;
2576 p->flowflags |= FLOW_PKT_TOSERVER;
2577 p->flowflags |= FLOW_PKT_ESTABLISHED;
2578 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2579 f.alproto = ALPROTO_HTTP1;
2580
2581 StreamTcpInitConfig(true);
2582
2583 de_ctx = DetectEngineCtxInit();
2584 if (de_ctx == NULL)
2585 goto end;
2586
2587 de_ctx->flags |= DE_QUIET;
2588
2589 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2590 "(msg:\"http header test\"; "
2591 "content:\"one\"; http_header; content:!\"five\"; http_header; distance:7; "
2592 "sid:1;)");
2593 if (de_ctx->sig_list == NULL)
2594 goto end;
2595
2596 SigGroupBuild(de_ctx);
2597 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2598
2599 int r = AppLayerParserParse(
2600 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2601 if (r != 0) {
2602 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2603 result = 0;
2604 goto end;
2605 }
2606
2607 http_state = f.alstate;
2608 if (http_state == NULL) {
2609 printf("no http state: ");
2610 result = 0;
2611 goto end;
2612 }
2613
2614 /* do detect */
2615 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2616
2617 if (PacketAlertCheck(p, 1)) {
2618 printf("sid 1 matched but shouldn't have: ");
2619 goto end;
2620 }
2621
2622 result = 1;
2623end:
2624 if (alp_tctx != NULL)
2625 AppLayerParserThreadCtxFree(alp_tctx);
2626 if (de_ctx != NULL)
2627 DetectEngineCtxFree(de_ctx);
2628
2629 StreamTcpFreeConfig(true);
2630 FLOW_DESTROY(&f);
2631 UTHFreePackets(&p, 1);
2632 return result;
2633}
2634
2635/**
2636 *\test Test that the http_header content matches against a http request
2637 * which holds the content.
2638 */
2639static int DetectEngineHttpHeaderTest17(void)
2640{
2641 TcpSession ssn;
2642 Packet *p = NULL;
2643 ThreadVars th_v;
2644 DetectEngineCtx *de_ctx = NULL;
2645 DetectEngineThreadCtx *det_ctx = NULL;
2646 HtpState *http_state = NULL;
2647 Flow f;
2648 uint8_t http_buf[] =
2649 "GET /index.html HTTP/1.0\r\n"
2650 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
2651 uint32_t http_len = sizeof(http_buf) - 1;
2652 int result = 0;
2653 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2654
2655 memset(&th_v, 0, sizeof(th_v));
2656 memset(&f, 0, sizeof(f));
2657 memset(&ssn, 0, sizeof(ssn));
2658
2659 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2660
2661 FLOW_INITIALIZE(&f);
2662 f.protoctx = (void *)&ssn;
2663 f.proto = IPPROTO_TCP;
2664 f.flags |= FLOW_IPV4;
2665 p->flow = &f;
2666 p->flowflags |= FLOW_PKT_TOSERVER;
2667 p->flowflags |= FLOW_PKT_ESTABLISHED;
2668 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2669 f.alproto = ALPROTO_HTTP1;
2670
2671 StreamTcpInitConfig(true);
2672
2673 de_ctx = DetectEngineCtxInit();
2674 if (de_ctx == NULL)
2675 goto end;
2676
2677 de_ctx->flags |= DE_QUIET;
2678
2679 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2680 "(msg:\"http header test\"; "
2681 "content:\"one\"; http_header; content:\"five\"; http_header; distance:15; "
2682 "sid:1;)");
2683 if (de_ctx->sig_list == NULL)
2684 goto end;
2685
2686 SigGroupBuild(de_ctx);
2687 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2688
2689 int r = AppLayerParserParse(
2690 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
2691 if (r != 0) {
2692 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2693 result = 0;
2694 goto end;
2695 }
2696
2697 http_state = f.alstate;
2698 if (http_state == NULL) {
2699 printf("no http state: ");
2700 result = 0;
2701 goto end;
2702 }
2703
2704 /* do detect */
2705 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2706
2707 if (PacketAlertCheck(p, 1)) {
2708 printf("sid 1 matched but shouldn't have: ");
2709 goto end;
2710 }
2711
2712 result = 1;
2713end:
2714 if (alp_tctx != NULL)
2715 AppLayerParserThreadCtxFree(alp_tctx);
2716 if (de_ctx != NULL)
2717 DetectEngineCtxFree(de_ctx);
2718
2719 StreamTcpFreeConfig(true);
2720 FLOW_DESTROY(&f);
2721 UTHFreePackets(&p, 1);
2722 return result;
2723}
2724
2725static int DetectEngineHttpHeaderTest20(void)
2726{
2727 TcpSession ssn;
2728 Packet *p1 = NULL;
2729 Packet *p2 = NULL;
2730 ThreadVars th_v;
2731 DetectEngineCtx *de_ctx = NULL;
2732 DetectEngineThreadCtx *det_ctx = NULL;
2733 HtpState *http_state = NULL;
2734 Flow f;
2735 uint8_t http1_buf[] =
2736 "GET /index.html HTTP/1.0\r\n"
2737 "Host: This_is_dummy_body1";
2738 uint8_t http2_buf[] =
2739 "This_is_dummy_message_body2\r\n"
2740 "\r\n";
2741 uint32_t http1_len = sizeof(http1_buf) - 1;
2742 uint32_t http2_len = sizeof(http2_buf) - 1;
2743 int result = 0;
2744 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2745
2746 memset(&th_v, 0, sizeof(th_v));
2747 memset(&f, 0, sizeof(f));
2748 memset(&ssn, 0, sizeof(ssn));
2749
2750 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2751 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2752
2753 FLOW_INITIALIZE(&f);
2754 f.protoctx = (void *)&ssn;
2755 f.proto = IPPROTO_TCP;
2756 f.flags |= FLOW_IPV4;
2757
2758 p1->flow = &f;
2759 p1->flowflags |= FLOW_PKT_TOSERVER;
2760 p1->flowflags |= FLOW_PKT_ESTABLISHED;
2761 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2762 p2->flow = &f;
2763 p2->flowflags |= FLOW_PKT_TOSERVER;
2764 p2->flowflags |= FLOW_PKT_ESTABLISHED;
2765 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2766 f.alproto = ALPROTO_HTTP1;
2767
2768 StreamTcpInitConfig(true);
2769
2770 de_ctx = DetectEngineCtxInit();
2771 if (de_ctx == NULL)
2772 goto end;
2773
2774 de_ctx->flags |= DE_QUIET;
2775
2776 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2777 "(msg:\"http client body test\"; "
2778 "pcre:/body1/H; "
2779 "content:!\"dummy\"; http_header; within:7; "
2780 "sid:1;)");
2781 if (de_ctx->sig_list == NULL)
2782 goto end;
2783
2784 SigGroupBuild(de_ctx);
2785 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2786
2787 int r = AppLayerParserParse(
2788 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2789 if (r != 0) {
2790 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2791 result = 0;
2792 goto end;
2793 }
2794
2795 http_state = f.alstate;
2796 if (http_state == NULL) {
2797 printf("no http state: \n");
2798 result = 0;
2799 goto end;
2800 }
2801
2802 /* do detect */
2803 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2804
2805 if (PacketAlertCheck(p1, 1)) {
2806 printf("sid 1 matched but shouldn't have\n");
2807 goto end;
2808 }
2809
2810 r = AppLayerParserParse(
2811 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
2812 if (r != 0) {
2813 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2814 result = 0;
2815 goto end;
2816 }
2817
2818 /* do detect */
2819 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2820
2821 if (!PacketAlertCheck(p2, 1)) {
2822 printf("sid 1 didn't match but shouldn't have");
2823 goto end;
2824 }
2825
2826 result = 1;
2827
2828end:
2829 if (alp_tctx != NULL)
2830 AppLayerParserThreadCtxFree(alp_tctx);
2831 if (de_ctx != NULL)
2832 DetectEngineCtxFree(de_ctx);
2833
2834 StreamTcpFreeConfig(true);
2835 FLOW_DESTROY(&f);
2836 UTHFreePackets(&p1, 1);
2837 UTHFreePackets(&p2, 1);
2838 return result;
2839}
2840
2841static int DetectEngineHttpHeaderTest21(void)
2842{
2843 TcpSession ssn;
2844 Packet *p1 = NULL;
2845 Packet *p2 = NULL;
2846 ThreadVars th_v;
2847 DetectEngineCtx *de_ctx = NULL;
2848 DetectEngineThreadCtx *det_ctx = NULL;
2849 HtpState *http_state = NULL;
2850 Flow f;
2851 uint8_t http1_buf[] =
2852 "GET /index.html HTTP/1.0\r\n"
2853 "Host: This_is_dummy_body1";
2854 uint8_t http2_buf[] =
2855 "This_is_dummy_message_body2\r\n"
2856 "\r\n";
2857 uint32_t http1_len = sizeof(http1_buf) - 1;
2858 uint32_t http2_len = sizeof(http2_buf) - 1;
2859 int result = 0;
2860 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2861
2862 memset(&th_v, 0, sizeof(th_v));
2863 memset(&f, 0, sizeof(f));
2864 memset(&ssn, 0, sizeof(ssn));
2865
2866 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2867 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2868
2869 FLOW_INITIALIZE(&f);
2870 f.protoctx = (void *)&ssn;
2871 f.proto = IPPROTO_TCP;
2872 f.flags |= FLOW_IPV4;
2873
2874 p1->flow = &f;
2875 p1->flowflags |= FLOW_PKT_TOSERVER;
2876 p1->flowflags |= FLOW_PKT_ESTABLISHED;
2877 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2878 p2->flow = &f;
2879 p2->flowflags |= FLOW_PKT_TOSERVER;
2880 p2->flowflags |= FLOW_PKT_ESTABLISHED;
2881 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2882 f.alproto = ALPROTO_HTTP1;
2883
2884 StreamTcpInitConfig(true);
2885
2886 de_ctx = DetectEngineCtxInit();
2887 if (de_ctx == NULL)
2888 goto end;
2889
2890 de_ctx->flags |= DE_QUIET;
2891
2892 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2893 "(msg:\"http client body test\"; "
2894 "pcre:/body1/H; "
2895 "content:!\"dummy\"; within:7; http_header; "
2896 "sid:1;)");
2897 if (de_ctx->sig_list == NULL)
2898 goto end;
2899
2900 SigGroupBuild(de_ctx);
2901 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2902
2903 int r = AppLayerParserParse(
2904 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2905 if (r != 0) {
2906 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2907 result = 0;
2908 goto end;
2909 }
2910
2911 http_state = f.alstate;
2912 if (http_state == NULL) {
2913 printf("no http state: \n");
2914 result = 0;
2915 goto end;
2916 }
2917
2918 /* do detect */
2919 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2920
2921 if (PacketAlertCheck(p1, 1)) {
2922 printf("sid 1 matched but shouldn't have\n");
2923 goto end;
2924 }
2925
2926 r = AppLayerParserParse(
2927 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
2928 if (r != 0) {
2929 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2930 result = 0;
2931 goto end;
2932 }
2933
2934 /* do detect */
2935 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2936
2937 if (!PacketAlertCheck(p2, 1)) {
2938 printf("sid 1 didn't match but shouldn't have");
2939 goto end;
2940 }
2941
2942 result = 1;
2943
2944end:
2945 if (alp_tctx != NULL)
2946 AppLayerParserThreadCtxFree(alp_tctx);
2947 if (de_ctx != NULL)
2948 DetectEngineCtxFree(de_ctx);
2949
2950 StreamTcpFreeConfig(true);
2951 FLOW_DESTROY(&f);
2952 UTHFreePackets(&p1, 1);
2953 UTHFreePackets(&p2, 1);
2954 return result;
2955}
2956
2957static int DetectEngineHttpHeaderTest22(void)
2958{
2959 TcpSession ssn;
2960 Packet *p1 = NULL;
2961 Packet *p2 = NULL;
2962 ThreadVars th_v;
2963 DetectEngineCtx *de_ctx = NULL;
2964 DetectEngineThreadCtx *det_ctx = NULL;
2965 HtpState *http_state = NULL;
2966 Flow f;
2967 uint8_t http1_buf[] =
2968 "GET /index.html HTTP/1.0\r\n"
2969 "Host: This_is_dummy_body1";
2970 uint8_t http2_buf[] =
2971 "This_is_dummy_message_body2\r\n"
2972 "\r\n";
2973 uint32_t http1_len = sizeof(http1_buf) - 1;
2974 uint32_t http2_len = sizeof(http2_buf) - 1;
2975 int result = 0;
2976 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2977
2978 memset(&th_v, 0, sizeof(th_v));
2979 memset(&f, 0, sizeof(f));
2980 memset(&ssn, 0, sizeof(ssn));
2981
2982 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2983 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2984
2985 FLOW_INITIALIZE(&f);
2986 f.protoctx = (void *)&ssn;
2987 f.proto = IPPROTO_TCP;
2988 f.flags |= FLOW_IPV4;
2989
2990 p1->flow = &f;
2991 p1->flowflags |= FLOW_PKT_TOSERVER;
2992 p1->flowflags |= FLOW_PKT_ESTABLISHED;
2993 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2994 p2->flow = &f;
2995 p2->flowflags |= FLOW_PKT_TOSERVER;
2996 p2->flowflags |= FLOW_PKT_ESTABLISHED;
2997 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2998 f.alproto = ALPROTO_HTTP1;
2999
3000 StreamTcpInitConfig(true);
3001
3002 de_ctx = DetectEngineCtxInit();
3003 if (de_ctx == NULL)
3004 goto end;
3005
3006 de_ctx->flags |= DE_QUIET;
3007
3008 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3009 "(msg:\"http client body test\"; "
3010 "pcre:/body1/H; "
3011 "content:!\"dummy\"; distance:3; http_header; "
3012 "sid:1;)");
3013 if (de_ctx->sig_list == NULL)
3014 goto end;
3015
3016 SigGroupBuild(de_ctx);
3017 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3018
3019 int r = AppLayerParserParse(
3020 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3021 if (r != 0) {
3022 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3023 result = 0;
3024 goto end;
3025 }
3026
3027 http_state = f.alstate;
3028 if (http_state == NULL) {
3029 printf("no http state: \n");
3030 result = 0;
3031 goto end;
3032 }
3033
3034 /* do detect */
3035 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3036
3037 if (PacketAlertCheck(p1, 1)) {
3038 printf("sid 1 matched but shouldn't have\n");
3039 goto end;
3040 }
3041
3042 r = AppLayerParserParse(
3043 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3044 if (r != 0) {
3045 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3046 result = 0;
3047 goto end;
3048 }
3049
3050 /* do detect */
3051 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3052
3053 if (PacketAlertCheck(p2, 1)) {
3054 printf("sid 1 matched but shouldn't have");
3055 goto end;
3056 }
3057
3058 result = 1;
3059
3060end:
3061 if (alp_tctx != NULL)
3062 AppLayerParserThreadCtxFree(alp_tctx);
3063 if (de_ctx != NULL)
3064 DetectEngineCtxFree(de_ctx);
3065
3066 StreamTcpFreeConfig(true);
3067 FLOW_DESTROY(&f);
3068 UTHFreePackets(&p1, 1);
3069 UTHFreePackets(&p2, 1);
3070 return result;
3071}
3072
3073static int DetectEngineHttpHeaderTest23(void)
3074{
3075 TcpSession ssn;
3076 Packet *p1 = NULL;
3077 Packet *p2 = NULL;
3078 ThreadVars th_v;
3079 DetectEngineCtx *de_ctx = NULL;
3080 DetectEngineThreadCtx *det_ctx = NULL;
3081 HtpState *http_state = NULL;
3082 Flow f;
3083 uint8_t http1_buf[] =
3084 "GET /index.html HTTP/1.0\r\n"
3085 "Host: This_is_dummy_body1";
3086 uint8_t http2_buf[] =
3087 "This_is_dummy_message_body2\r\n"
3088 "\r\n";
3089 uint32_t http1_len = sizeof(http1_buf) - 1;
3090 uint32_t http2_len = sizeof(http2_buf) - 1;
3091 int result = 0;
3092 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3093
3094 memset(&th_v, 0, sizeof(th_v));
3095 memset(&f, 0, sizeof(f));
3096 memset(&ssn, 0, sizeof(ssn));
3097
3098 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3099 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3100
3101 FLOW_INITIALIZE(&f);
3102 f.protoctx = (void *)&ssn;
3103 f.proto = IPPROTO_TCP;
3104 f.flags |= FLOW_IPV4;
3105
3106 p1->flow = &f;
3107 p1->flowflags |= FLOW_PKT_TOSERVER;
3108 p1->flowflags |= FLOW_PKT_ESTABLISHED;
3109 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3110 p2->flow = &f;
3111 p2->flowflags |= FLOW_PKT_TOSERVER;
3112 p2->flowflags |= FLOW_PKT_ESTABLISHED;
3113 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3114 f.alproto = ALPROTO_HTTP1;
3115
3116 StreamTcpInitConfig(true);
3117
3118 de_ctx = DetectEngineCtxInit();
3119 if (de_ctx == NULL)
3120 goto end;
3121
3122 de_ctx->flags |= DE_QUIET;
3123
3124 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3125 "(msg:\"http client body test\"; "
3126 "pcre:/body1/H; "
3127 "content:!\"dummy\"; distance:13; http_header; "
3128 "sid:1;)");
3129 if (de_ctx->sig_list == NULL)
3130 goto end;
3131
3132 SigGroupBuild(de_ctx);
3133 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3134
3135 int r = AppLayerParserParse(
3136 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3137 if (r != 0) {
3138 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3139 result = 0;
3140 goto end;
3141 }
3142
3143 http_state = f.alstate;
3144 if (http_state == NULL) {
3145 printf("no http state: \n");
3146 result = 0;
3147 goto end;
3148 }
3149
3150 /* do detect */
3151 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3152
3153 if (PacketAlertCheck(p1, 1)) {
3154 printf("sid 1 matched but shouldn't have\n");
3155 goto end;
3156 }
3157
3158 r = AppLayerParserParse(
3159 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3160 if (r != 0) {
3161 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3162 result = 0;
3163 goto end;
3164 }
3165
3166 /* do detect */
3167 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3168
3169 if (!PacketAlertCheck(p2, 1)) {
3170 printf("sid 1 didn't match but should have");
3171 goto end;
3172 }
3173
3174 result = 1;
3175
3176end:
3177 if (alp_tctx != NULL)
3178 AppLayerParserThreadCtxFree(alp_tctx);
3179 if (de_ctx != NULL)
3180 DetectEngineCtxFree(de_ctx);
3181
3182 StreamTcpFreeConfig(true);
3183 FLOW_DESTROY(&f);
3184 UTHFreePackets(&p1, 1);
3185 UTHFreePackets(&p2, 1);
3186 return result;
3187}
3188
3189static int DetectEngineHttpHeaderTest24(void)
3190{
3191 TcpSession ssn;
3192 Packet *p1 = NULL;
3193 Packet *p2 = NULL;
3194 ThreadVars th_v;
3195 DetectEngineCtx *de_ctx = NULL;
3196 DetectEngineThreadCtx *det_ctx = NULL;
3197 HtpState *http_state = NULL;
3198 Flow f;
3199 uint8_t http1_buf[] =
3200 "GET /index.html HTTP/1.0\r\n"
3201 "Host: This_is_dummy_body1";
3202 uint8_t http2_buf[] =
3203 "This_is_dummy_message_body2\r\n"
3204 "\r\n";
3205 uint32_t http1_len = sizeof(http1_buf) - 1;
3206 uint32_t http2_len = sizeof(http2_buf) - 1;
3207 int result = 0;
3208 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3209
3210 memset(&th_v, 0, sizeof(th_v));
3211 memset(&f, 0, sizeof(f));
3212 memset(&ssn, 0, sizeof(ssn));
3213
3214 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3215 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3216
3217 FLOW_INITIALIZE(&f);
3218 f.protoctx = (void *)&ssn;
3219 f.proto = IPPROTO_TCP;
3220 f.flags |= FLOW_IPV4;
3221
3222 p1->flow = &f;
3223 p1->flowflags |= FLOW_PKT_TOSERVER;
3224 p1->flowflags |= FLOW_PKT_ESTABLISHED;
3225 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3226 p2->flow = &f;
3227 p2->flowflags |= FLOW_PKT_TOSERVER;
3228 p2->flowflags |= FLOW_PKT_ESTABLISHED;
3229 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3230 f.alproto = ALPROTO_HTTP1;
3231
3232 StreamTcpInitConfig(true);
3233
3234 de_ctx = DetectEngineCtxInit();
3235 if (de_ctx == NULL)
3236 goto end;
3237
3238 de_ctx->flags |= DE_QUIET;
3239
3240 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3241 "(msg:\"http client body test\"; "
3242 "pcre:/body1/H; "
3243 "content:\"dummy\"; within:15; http_header; "
3244 "sid:1;)");
3245 if (de_ctx->sig_list == NULL)
3246 goto end;
3247
3248 SigGroupBuild(de_ctx);
3249 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3250
3251 int r = AppLayerParserParse(
3252 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3253 if (r != 0) {
3254 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3255 result = 0;
3256 goto end;
3257 }
3258
3259 http_state = f.alstate;
3260 if (http_state == NULL) {
3261 printf("no http state: \n");
3262 result = 0;
3263 goto end;
3264 }
3265
3266 /* do detect */
3267 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3268
3269 if (PacketAlertCheck(p1, 1)) {
3270 printf("sid 1 matched but shouldn't have\n");
3271 goto end;
3272 }
3273
3274 r = AppLayerParserParse(
3275 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3276 if (r != 0) {
3277 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3278 result = 0;
3279 goto end;
3280 }
3281
3282 /* do detect */
3283 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3284
3285 if (!PacketAlertCheck(p2, 1)) {
3286 printf("sid 1 didn't match but should have");
3287 goto end;
3288 }
3289
3290 result = 1;
3291
3292end:
3293 if (alp_tctx != NULL)
3294 AppLayerParserThreadCtxFree(alp_tctx);
3295 if (de_ctx != NULL)
3296 DetectEngineCtxFree(de_ctx);
3297
3298 StreamTcpFreeConfig(true);
3299 FLOW_DESTROY(&f);
3300 UTHFreePackets(&p1, 1);
3301 UTHFreePackets(&p2, 1);
3302 return result;
3303}
3304
3305static int DetectEngineHttpHeaderTest25(void)
3306{
3307 TcpSession ssn;
3308 Packet *p1 = NULL;
3309 Packet *p2 = NULL;
3310 ThreadVars th_v;
3311 DetectEngineCtx *de_ctx = NULL;
3312 DetectEngineThreadCtx *det_ctx = NULL;
3313 HtpState *http_state = NULL;
3314 Flow f;
3315 uint8_t http1_buf[] =
3316 "GET /index.html HTTP/1.0\r\n"
3317 "Host: This_is_dummy_body1";
3318 uint8_t http2_buf[] =
3319 "This_is_dummy_message_body2\r\n"
3320 "\r\n";
3321 uint32_t http1_len = sizeof(http1_buf) - 1;
3322 uint32_t http2_len = sizeof(http2_buf) - 1;
3323 int result = 0;
3324 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3325
3326 memset(&th_v, 0, sizeof(th_v));
3327 memset(&f, 0, sizeof(f));
3328 memset(&ssn, 0, sizeof(ssn));
3329
3330 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3331 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3332
3333 FLOW_INITIALIZE(&f);
3334 f.protoctx = (void *)&ssn;
3335 f.proto = IPPROTO_TCP;
3336 f.flags |= FLOW_IPV4;
3337
3338 p1->flow = &f;
3339 p1->flowflags |= FLOW_PKT_TOSERVER;
3340 p1->flowflags |= FLOW_PKT_ESTABLISHED;
3341 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3342 p2->flow = &f;
3343 p2->flowflags |= FLOW_PKT_TOSERVER;
3344 p2->flowflags |= FLOW_PKT_ESTABLISHED;
3345 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3346 f.alproto = ALPROTO_HTTP1;
3347
3348 StreamTcpInitConfig(true);
3349
3350 de_ctx = DetectEngineCtxInit();
3351 if (de_ctx == NULL)
3352 goto end;
3353
3354 de_ctx->flags |= DE_QUIET;
3355
3356 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3357 "(msg:\"http client body test\"; "
3358 "pcre:/body1/H; "
3359 "content:\"dummy\"; within:10; http_header; "
3360 "sid:1;)");
3361 if (de_ctx->sig_list == NULL)
3362 goto end;
3363
3364 SigGroupBuild(de_ctx);
3365 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3366
3367 int r = AppLayerParserParse(
3368 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3369 if (r != 0) {
3370 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3371 result = 0;
3372 goto end;
3373 }
3374
3375 http_state = f.alstate;
3376 if (http_state == NULL) {
3377 printf("no http state: \n");
3378 result = 0;
3379 goto end;
3380 }
3381
3382 /* do detect */
3383 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3384
3385 if (PacketAlertCheck(p1, 1)) {
3386 printf("sid 1 matched but shouldn't have\n");
3387 goto end;
3388 }
3389
3390 r = AppLayerParserParse(
3391 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3392 if (r != 0) {
3393 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3394 result = 0;
3395 goto end;
3396 }
3397
3398 /* do detect */
3399 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3400
3401 if (PacketAlertCheck(p2, 1)) {
3402 printf("sid 1 matched but shouldn't have");
3403 goto end;
3404 }
3405
3406 result = 1;
3407
3408end:
3409 if (alp_tctx != NULL)
3410 AppLayerParserThreadCtxFree(alp_tctx);
3411 if (de_ctx != NULL)
3412 DetectEngineCtxFree(de_ctx);
3413
3414 StreamTcpFreeConfig(true);
3415 FLOW_DESTROY(&f);
3416 UTHFreePackets(&p1, 1);
3417 UTHFreePackets(&p2, 1);
3418 return result;
3419}
3420
3421static int DetectEngineHttpHeaderTest26(void)
3422{
3423 TcpSession ssn;
3424 Packet *p1 = NULL;
3425 Packet *p2 = NULL;
3426 ThreadVars th_v;
3427 DetectEngineCtx *de_ctx = NULL;
3428 DetectEngineThreadCtx *det_ctx = NULL;
3429 HtpState *http_state = NULL;
3430 Flow f;
3431 uint8_t http1_buf[] =
3432 "GET /index.html HTTP/1.0\r\n"
3433 "Host: This_is_dummy_body1";
3434 uint8_t http2_buf[] =
3435 "This_is_dummy_message_body2\r\n"
3436 "\r\n";
3437 uint32_t http1_len = sizeof(http1_buf) - 1;
3438 uint32_t http2_len = sizeof(http2_buf) - 1;
3439 int result = 0;
3440 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3441
3442 memset(&th_v, 0, sizeof(th_v));
3443 memset(&f, 0, sizeof(f));
3444 memset(&ssn, 0, sizeof(ssn));
3445
3446 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3447 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3448
3449 FLOW_INITIALIZE(&f);
3450 f.protoctx = (void *)&ssn;
3451 f.proto = IPPROTO_TCP;
3452 f.flags |= FLOW_IPV4;
3453
3454 p1->flow = &f;
3455 p1->flowflags |= FLOW_PKT_TOSERVER;
3456 p1->flowflags |= FLOW_PKT_ESTABLISHED;
3457 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3458 p2->flow = &f;
3459 p2->flowflags |= FLOW_PKT_TOSERVER;
3460 p2->flowflags |= FLOW_PKT_ESTABLISHED;
3461 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3462 f.alproto = ALPROTO_HTTP1;
3463
3464 StreamTcpInitConfig(true);
3465
3466 de_ctx = DetectEngineCtxInit();
3467 if (de_ctx == NULL)
3468 goto end;
3469
3470 de_ctx->flags |= DE_QUIET;
3471
3472 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3473 "(msg:\"http client body test\"; "
3474 "pcre:/body1/H; "
3475 "content:\"dummy\"; distance:8; http_header; "
3476 "sid:1;)");
3477 if (de_ctx->sig_list == NULL)
3478 goto end;
3479
3480 SigGroupBuild(de_ctx);
3481 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3482
3483 int r = AppLayerParserParse(
3484 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3485 if (r != 0) {
3486 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3487 result = 0;
3488 goto end;
3489 }
3490
3491 http_state = f.alstate;
3492 if (http_state == NULL) {
3493 printf("no http state: \n");
3494 result = 0;
3495 goto end;
3496 }
3497
3498 /* do detect */
3499 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3500
3501 if (PacketAlertCheck(p1, 1)) {
3502 printf("sid 1 matched but shouldn't have\n");
3503 goto end;
3504 }
3505
3506 r = AppLayerParserParse(
3507 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3508 if (r != 0) {
3509 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3510 result = 0;
3511 goto end;
3512 }
3513
3514 /* do detect */
3515 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3516
3517 if (!PacketAlertCheck(p2, 1)) {
3518 printf("sid 1 didn't match but should have");
3519 goto end;
3520 }
3521
3522 result = 1;
3523
3524end:
3525 if (alp_tctx != NULL)
3526 AppLayerParserThreadCtxFree(alp_tctx);
3527 if (de_ctx != NULL)
3528 DetectEngineCtxFree(de_ctx);
3529
3530 StreamTcpFreeConfig(true);
3531 FLOW_DESTROY(&f);
3532 UTHFreePackets(&p1, 1);
3533 UTHFreePackets(&p2, 1);
3534 return result;
3535}
3536
3537static int DetectEngineHttpHeaderTest27(void)
3538{
3539 TcpSession ssn;
3540 Packet *p1 = NULL;
3541 Packet *p2 = NULL;
3542 ThreadVars th_v;
3543 DetectEngineCtx *de_ctx = NULL;
3544 DetectEngineThreadCtx *det_ctx = NULL;
3545 HtpState *http_state = NULL;
3546 Flow f;
3547 uint8_t http1_buf[] =
3548 "GET /index.html HTTP/1.0\r\n"
3549 "Host: This_is_dummy_body1";
3550 uint8_t http2_buf[] =
3551 "This_is_dummy_message_body2\r\n"
3552 "\r\n";
3553 uint32_t http1_len = sizeof(http1_buf) - 1;
3554 uint32_t http2_len = sizeof(http2_buf) - 1;
3555 int result = 0;
3556 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3557
3558 memset(&th_v, 0, sizeof(th_v));
3559 memset(&f, 0, sizeof(f));
3560 memset(&ssn, 0, sizeof(ssn));
3561
3562 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3563 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3564
3565 FLOW_INITIALIZE(&f);
3566 f.protoctx = (void *)&ssn;
3567 f.proto = IPPROTO_TCP;
3568 f.flags |= FLOW_IPV4;
3569
3570 p1->flow = &f;
3571 p1->flowflags |= FLOW_PKT_TOSERVER;
3572 p1->flowflags |= FLOW_PKT_ESTABLISHED;
3573 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3574 p2->flow = &f;
3575 p2->flowflags |= FLOW_PKT_TOSERVER;
3576 p2->flowflags |= FLOW_PKT_ESTABLISHED;
3577 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3578 f.alproto = ALPROTO_HTTP1;
3579
3580 StreamTcpInitConfig(true);
3581
3582 de_ctx = DetectEngineCtxInit();
3583 if (de_ctx == NULL)
3584 goto end;
3585
3586 de_ctx->flags |= DE_QUIET;
3587
3588 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3589 "(msg:\"http client body test\"; "
3590 "pcre:/body1/H; "
3591 "content:\"dummy\"; distance:14; http_header; "
3592 "sid:1;)");
3593 if (de_ctx->sig_list == NULL)
3594 goto end;
3595
3596 SigGroupBuild(de_ctx);
3597 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3598
3599 int r = AppLayerParserParse(
3600 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3601 if (r != 0) {
3602 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3603 result = 0;
3604 goto end;
3605 }
3606
3607 http_state = f.alstate;
3608 if (http_state == NULL) {
3609 printf("no http state: \n");
3610 result = 0;
3611 goto end;
3612 }
3613
3614 /* do detect */
3615 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3616
3617 if (PacketAlertCheck(p1, 1)) {
3618 printf("sid 1 matched but shouldn't have\n");
3619 goto end;
3620 }
3621
3622 r = AppLayerParserParse(
3623 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3624 if (r != 0) {
3625 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3626 result = 0;
3627 goto end;
3628 }
3629
3630 /* do detect */
3631 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3632
3633 if (PacketAlertCheck(p2, 1)) {
3634 printf("sid 1 matched but shouldn't have");
3635 goto end;
3636 }
3637
3638 result = 1;
3639
3640end:
3641 if (alp_tctx != NULL)
3642 AppLayerParserThreadCtxFree(alp_tctx);
3643 if (de_ctx != NULL)
3644 DetectEngineCtxFree(de_ctx);
3645
3646 StreamTcpFreeConfig(true);
3647 FLOW_DESTROY(&f);
3648 UTHFreePackets(&p1, 1);
3649 UTHFreePackets(&p2, 1);
3650 return result;
3651}
3652
3653static int DetectEngineHttpHeaderTest28(void)
3654{
3655 TcpSession ssn;
3656 Packet *p1 = NULL;
3657 Packet *p2 = NULL;
3658 ThreadVars th_v;
3659 DetectEngineCtx *de_ctx = NULL;
3660 DetectEngineThreadCtx *det_ctx = NULL;
3661 HtpState *http_state = NULL;
3662 Flow f;
3663 uint8_t http_buf1[] =
3664 "GET /index.html HTTP/1.0\r\n"
3665 "Host: www.openinfosecfoundation.org\r\n"
3666 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3667 "\r\n";
3668 uint32_t http_buf1_len = sizeof(http_buf1) - 1;
3669 uint8_t http_buf2[] =
3670 "HTTP/1.0 200 ok\r\n"
3671 "Content-Type: text/html\r\n"
3672 "Content-Length: 6\r\n"
3673 "\r\n"
3674 "abcdef";
3675 uint32_t http_buf2_len = sizeof(http_buf2) - 1;
3676 int result = 0;
3677 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3678
3679 memset(&th_v, 0, sizeof(th_v));
3680 memset(&f, 0, sizeof(f));
3681 memset(&ssn, 0, sizeof(ssn));
3682
3683 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3684 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3685
3686 FLOW_INITIALIZE(&f);
3687 f.protoctx = (void *)&ssn;
3688 f.proto = IPPROTO_TCP;
3689 f.flags |= FLOW_IPV4;
3690
3691 p1->flow = &f;
3692 p1->flowflags |= FLOW_PKT_TOSERVER;
3693 p1->flowflags |= FLOW_PKT_ESTABLISHED;
3694 p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
3695 p2->flow = &f;
3696 p2->flowflags |= FLOW_PKT_TOCLIENT;
3697 p2->flowflags |= FLOW_PKT_ESTABLISHED;
3698 p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
3699 f.alproto = ALPROTO_HTTP1;
3700
3701 StreamTcpInitConfig(true);
3702
3703 de_ctx = DetectEngineCtxInit();
3704 if (de_ctx == NULL)
3705 goto end;
3706
3707 de_ctx->flags |= DE_QUIET;
3708
3709 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3710 "(msg:\"http header test\"; "
3711 "content:\"Content-Length: 6\"; http_header; "
3712 "sid:1;)");
3713 if (de_ctx->sig_list == NULL)
3714 goto end;
3715
3716 SigGroupBuild(de_ctx);
3717 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3718
3719 int r = AppLayerParserParse(
3720 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
3721 if (r != 0) {
3722 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3723 result = 0;
3724 goto end;
3725 }
3726
3727 http_state = f.alstate;
3728 if (http_state == NULL) {
3729 printf("no http state: \n");
3730 result = 0;
3731 goto end;
3732 }
3733
3734 /* do detect */
3735 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3736
3737 if (PacketAlertCheck(p1, 1)) {
3738 printf("sid 1 matched but shouldn't have\n");
3739 goto end;
3740 }
3741
3742 r = AppLayerParserParse(
3743 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_buf2_len);
3744 if (r != 0) {
3745 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3746 result = 0;
3747 goto end;
3748 }
3749
3750 /* do detect */
3751 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3752
3753 FAIL_IF(!PacketAlertCheck(p2, 1));
3754
3755 result = 1;
3756
3757end:
3758 if (alp_tctx != NULL)
3759 AppLayerParserThreadCtxFree(alp_tctx);
3760 if (de_ctx != NULL)
3761 DetectEngineCtxFree(de_ctx);
3762
3763 StreamTcpFreeConfig(true);
3764 FLOW_DESTROY(&f);
3765 UTHFreePackets(&p1, 1);
3766 UTHFreePackets(&p2, 1);
3767 return result;
3768}
3769
3770static int DetectEngineHttpHeaderTest29(void)
3771{
3772 TcpSession ssn;
3773 Packet *p1 = NULL;
3774 Packet *p2 = NULL;
3775 ThreadVars th_v;
3776 DetectEngineCtx *de_ctx = NULL;
3777 DetectEngineThreadCtx *det_ctx = NULL;
3778 HtpState *http_state = NULL;
3779 Flow f;
3780 uint8_t http_buf1[] =
3781 "GET /index.html HTTP/1.0\r\n"
3782 "Host: www.openinfosecfoundation.org\r\n"
3783 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3784 "\r\n";
3785 uint32_t http_buf1_len = sizeof(http_buf1) - 1;
3786 uint8_t http_buf2[] =
3787 "HTTP/1.0 200 ok\r\n"
3788 "Content-Type: text/html\r\n"
3789 "Content-Length: 6\r\n"
3790 "\r\n"
3791 "abcdef";
3792 uint32_t http_buf2_len = sizeof(http_buf2) - 1;
3793 int result = 0;
3794 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3795
3796 memset(&th_v, 0, sizeof(th_v));
3797 memset(&f, 0, sizeof(f));
3798 memset(&ssn, 0, sizeof(ssn));
3799
3800 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3801 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3802
3803 FLOW_INITIALIZE(&f);
3804 f.protoctx = (void *)&ssn;
3805 f.proto = IPPROTO_TCP;
3806 f.flags |= FLOW_IPV4;
3807
3808 p1->flow = &f;
3809 p1->flowflags |= FLOW_PKT_TOSERVER;
3810 p1->flowflags |= FLOW_PKT_ESTABLISHED;
3811 p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
3812 p2->flow = &f;
3813 p2->flowflags |= FLOW_PKT_TOCLIENT;
3814 p2->flowflags |= FLOW_PKT_ESTABLISHED;
3815 p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
3816 f.alproto = ALPROTO_HTTP1;
3817
3818 StreamTcpInitConfig(true);
3819
3820 de_ctx = DetectEngineCtxInit();
3821 if (de_ctx == NULL)
3822 goto end;
3823
3824 de_ctx->flags |= DE_QUIET;
3825
3826 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3827 "(msg:\"http header test\"; "
3828 "content:\"Content-Length: 7\"; http_header; "
3829 "sid:1;)");
3830 if (de_ctx->sig_list == NULL)
3831 goto end;
3832
3833 SigGroupBuild(de_ctx);
3834 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3835
3836 int r = AppLayerParserParse(
3837 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
3838 if (r != 0) {
3839 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3840 result = 0;
3841 goto end;
3842 }
3843
3844 http_state = f.alstate;
3845 if (http_state == NULL) {
3846 printf("no http state: \n");
3847 result = 0;
3848 goto end;
3849 }
3850
3851 /* do detect */
3852 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3853
3854 if (PacketAlertCheck(p1, 1)) {
3855 printf("sid 1 matched but shouldn't have\n");
3856 goto end;
3857 }
3858
3859 r = AppLayerParserParse(
3860 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_buf2_len);
3861 if (r != 0) {
3862 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
3863 result = 0;
3864 goto end;
3865 }
3866
3867 /* do detect */
3868 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3869
3870 if (PacketAlertCheck(p2, 1)) {
3871 printf("sid 1 matched but shouldn't have");
3872 goto end;
3873 }
3874
3875 result = 1;
3876
3877end:
3878 if (alp_tctx != NULL)
3879 AppLayerParserThreadCtxFree(alp_tctx);
3880 if (de_ctx != NULL)
3881 DetectEngineCtxFree(de_ctx);
3882
3883 StreamTcpFreeConfig(true);
3884 FLOW_DESTROY(&f);
3885 UTHFreePackets(&p1, 1);
3886 UTHFreePackets(&p2, 1);
3887 return result;
3888}
3889
3890#if 0
3891
3892static int DetectEngineHttpHeaderTest30(void)
3893{
3894 int result = 0;
3895 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3896
3897 if (de_ctx == NULL) {
3898 goto end;
3899 }
3900
3901 de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
3902 "(msg:\"http header test\"; "
3903 "content:\"Content-Length: 6\"; http_header; "
3904 "content:\"User-Agent: Mozilla\"; http_header; "
3905 "sid:1;)");
3906 if (de_ctx->sig_list != NULL) {
3907 goto end;
3908 }
3909
3910 result = 1;
3911
3912 end:
3913 if (de_ctx != NULL)
3914 DetectEngineCtxFree(de_ctx);
3915 return result;
3916}
3917
3918#endif /* #if 0 */
3919
3920static int DetectEngineHttpHeaderTest30(void)
3921{
3922 TcpSession ssn;
3923 Packet *p1 = NULL;
3924 Packet *p2 = NULL;
3925 ThreadVars th_v;
3926 DetectEngineCtx *de_ctx = NULL;
3927 DetectEngineThreadCtx *det_ctx = NULL;
3928 HtpState *http_state = NULL;
3929 Flow f;
3930 uint8_t http_buf1[] =
3931 "GET /index.html HTTP/1.0\r\n"
3932 "Host: www.openinfosecfoundation.org\r\n"
3933 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3934 "\r\n";
3935 uint32_t http_buf1_len = sizeof(http_buf1) - 1;
3936 uint8_t http_buf2[] =
3937 "HTTP/1.0 200 ok\r\n"
3938 "Set-Cookie: dummycookieset\r\n"
3939 "Content-Type: text/html\r\n"
3940 "Content-Length: 6\r\n"
3941 "\r\n"
3942 "abcdef";
3943 uint32_t http_buf2_len = sizeof(http_buf2) - 1;
3944 int result = 0;
3945 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3946
3947 memset(&th_v, 0, sizeof(th_v));
3948 memset(&f, 0, sizeof(f));
3949 memset(&ssn, 0, sizeof(ssn));
3950
3951 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3952 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3953
3954 FLOW_INITIALIZE(&f);
3955 f.protoctx = (void *)&ssn;
3956 f.proto = IPPROTO_TCP;
3957 f.flags |= FLOW_IPV4;
3958
3959 p1->flow = &f;
3960 p1->flowflags |= FLOW_PKT_TOSERVER;
3961 p1->flowflags |= FLOW_PKT_ESTABLISHED;
3962 p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
3963 p2->flow = &f;
3964 p2->flowflags |= FLOW_PKT_TOCLIENT;
3965 p2->flowflags |= FLOW_PKT_ESTABLISHED;
3966 p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
3967 f.alproto = ALPROTO_HTTP1;
3968
3969 StreamTcpInitConfig(true);
3970
3971 de_ctx = DetectEngineCtxInit();
3972 if (de_ctx == NULL)
3973 goto end;
3974
3975 de_ctx->flags |= DE_QUIET;
3976
3977 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3978 "(msg:\"http header test\"; "
3979 "content:\"dummycookieset\"; http_header; "
3980 "sid:1;)");
3981 if (de_ctx->sig_list == NULL)
3982 goto end;
3983
3984 SigGroupBuild(de_ctx);
3985 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3986
3987 int r = AppLayerParserParse(
3988 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
3989 if (r != 0) {
3990 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3991 result = 0;
3992 goto end;
3993 }
3994
3995 http_state = f.alstate;
3996 if (http_state == NULL) {
3997 printf("no http state: \n");
3998 result = 0;
3999 goto end;
4000 }
4001
4002 /* do detect */
4003 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4004
4005 if (PacketAlertCheck(p1, 1)) {
4006 printf("sid 1 matched but shouldn't have\n");
4007 goto end;
4008 }
4009
4010 r = AppLayerParserParse(
4011 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_buf2_len);
4012 if (r != 0) {
4013 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
4014 result = 0;
4015 goto end;
4016 }
4017
4018 /* do detect */
4019 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4020
4021 if (PacketAlertCheck(p2, 1)) {
4022 printf("sid 1 matched but shouldn't have\n");
4023 goto end;
4024 }
4025
4026 result = 1;
4027
4028end:
4029 if (alp_tctx != NULL)
4030 AppLayerParserThreadCtxFree(alp_tctx);
4031 if (de_ctx != NULL)
4032 DetectEngineCtxFree(de_ctx);
4033
4034 StreamTcpFreeConfig(true);
4035 FLOW_DESTROY(&f);
4036 UTHFreePackets(&p1, 1);
4037 UTHFreePackets(&p2, 1);
4038 return result;
4039}
4040
4041/** \test reassembly bug where headers with names of length 6 were
4042 * skipped
4043 */
4044static int DetectEngineHttpHeaderTest31(void)
4045{
4046 TcpSession ssn;
4047 Packet *p1 = NULL;
4048 ThreadVars th_v;
4049 DetectEngineCtx *de_ctx = NULL;
4050 DetectEngineThreadCtx *det_ctx = NULL;
4051 HtpState *http_state = NULL;
4052 Flow f;
4053 uint8_t http1_buf[] =
4054 "GET /index.html HTTP/1.0\r\n"
4055 "Accept: blah\r\n"
4056 "Cookie: blah\r\n"
4057 "Crazy6: blah\r\n"
4058 "SixZix: blah\r\n\r\n";
4059 uint32_t http1_len = sizeof(http1_buf) - 1;
4060 int result = 0;
4061 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4062
4063 memset(&th_v, 0, sizeof(th_v));
4064 memset(&f, 0, sizeof(f));
4065 memset(&ssn, 0, sizeof(ssn));
4066
4067 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4068
4069 FLOW_INITIALIZE(&f);
4070 f.protoctx = (void *)&ssn;
4071 f.proto = IPPROTO_TCP;
4072 f.flags |= FLOW_IPV4;
4073
4074 p1->flow = &f;
4075 p1->flowflags |= FLOW_PKT_TOSERVER;
4076 p1->flowflags |= FLOW_PKT_ESTABLISHED;
4077 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4078 f.alproto = ALPROTO_HTTP1;
4079
4080 StreamTcpInitConfig(true);
4081
4082 de_ctx = DetectEngineCtxInit();
4083 if (de_ctx == NULL)
4084 goto end;
4085
4086 de_ctx->flags |= DE_QUIET;
4087
4088 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4089 "(content:\"Accept|3a|\"; http_header; "
4090 "content:!\"Cookie|3a|\"; http_header; "
4091 "content:\"Crazy6|3a|\"; http_header; "
4092 "content:\"SixZix|3a|\"; http_header; "
4093 "sid:1;)");
4094 if (de_ctx->sig_list == NULL)
4095 goto end;
4096
4097 SigGroupBuild(de_ctx);
4098 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4099
4100 int r = AppLayerParserParse(
4101 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4102 if (r != 0) {
4103 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4104 result = 0;
4105 goto end;
4106 }
4107
4108 http_state = f.alstate;
4109 if (http_state == NULL) {
4110 printf("no http state: \n");
4111 result = 0;
4112 goto end;
4113 }
4114
4115 /* do detect */
4116 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4117
4118 if (!(PacketAlertCheck(p1, 1))) {
4119 printf("sid 1 didn't match but should have: ");
4120 goto end;
4121 }
4122
4123 result = 1;
4124
4125end:
4126 if (alp_tctx != NULL)
4127 AppLayerParserThreadCtxFree(alp_tctx);
4128 if (de_ctx != NULL)
4129 DetectEngineCtxFree(de_ctx);
4130
4131 StreamTcpFreeConfig(true);
4132 FLOW_DESTROY(&f);
4133 UTHFreePackets(&p1, 1);
4134 return result;
4135}
4136
4137/**
4138 * \test Trailing headers.
4139 */
4140static int DetectEngineHttpHeaderTest32(void)
4141{
4142 TcpSession ssn;
4143 Packet *p1 = NULL;
4144 ThreadVars th_v;
4145 DetectEngineCtx *de_ctx = NULL;
4146 DetectEngineThreadCtx *det_ctx = NULL;
4147 HtpState *http_state = NULL;
4148 Flow f;
4149 uint8_t http1_buf[] =
4150 "GET /index.html HTTP/1.0\r\n"
4151 "host: boom\r\n"
4152 "Transfer-Encoding: chunked\r\n"
4153 "\r\n"
4154 "13\r\n"
4155 "This is dummy body1\r\n"
4156 "0\r\n"
4157 "Dummy-Header: kaboom\r\n"
4158 "\r\n";
4159 uint32_t http1_len = sizeof(http1_buf) - 1;
4160 int result = 0;
4161 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4162
4163 memset(&th_v, 0, sizeof(th_v));
4164 memset(&f, 0, sizeof(f));
4165 memset(&ssn, 0, sizeof(ssn));
4166
4167 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4168
4169 FLOW_INITIALIZE(&f);
4170 f.protoctx = (void *)&ssn;
4171 f.proto = IPPROTO_TCP;
4172 f.flags |= FLOW_IPV4;
4173
4174 p1->flow = &f;
4175 p1->flowflags |= FLOW_PKT_TOSERVER;
4176 p1->flowflags |= FLOW_PKT_ESTABLISHED;
4177 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4178 f.alproto = ALPROTO_HTTP1;
4179
4180 StreamTcpInitConfig(true);
4181
4182 de_ctx = DetectEngineCtxInit();
4183 if (de_ctx == NULL)
4184 goto end;
4185
4186 de_ctx->flags |= DE_QUIET;
4187
4188 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4189 "(content:\"Dummy\"; http_header; "
4190 "sid:1;)");
4191 if (de_ctx->sig_list == NULL)
4192 goto end;
4193
4194 SigGroupBuild(de_ctx);
4195 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4196
4197 int r = AppLayerParserParse(
4198 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4199 if (r != 0) {
4200 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4201 result = 0;
4202 goto end;
4203 }
4204
4205 http_state = f.alstate;
4206 if (http_state == NULL) {
4207 printf("no http state: \n");
4208 result = 0;
4209 goto end;
4210 }
4211
4212 /* do detect */
4213 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4214
4215 if (!(PacketAlertCheck(p1, 1))) {
4216 printf("sid 1 didn't match but should have: ");
4217 goto end;
4218 }
4219
4220 result = 1;
4221
4222end:
4223 if (alp_tctx != NULL)
4224 AppLayerParserThreadCtxFree(alp_tctx);
4225 if (de_ctx != NULL)
4226 DetectEngineCtxFree(de_ctx);
4227
4228 StreamTcpFreeConfig(true);
4229 FLOW_DESTROY(&f);
4230 UTHFreePackets(&p1, 1);
4231 return result;
4232}
4233
4234/**
4235 * \test Trailing headers.
4236 */
4237static int DetectEngineHttpHeaderTest33(void)
4238{
4239 TcpSession ssn;
4240 Packet *p1 = NULL;
4241 Packet *p2 = NULL;
4242 ThreadVars th_v;
4243 DetectEngineCtx *de_ctx = NULL;
4244 DetectEngineThreadCtx *det_ctx = NULL;
4245 HtpState *http_state = NULL;
4246 Flow f;
4247 uint8_t http1_buf[] =
4248 "GET /index.html HTTP/1.0\r\n"
4249 "host: boom\r\n"
4250 "Transfer-Encoding: chunked\r\n"
4251 "\r\n"
4252 "13\r\n"
4253 "This is dummy body1\r\n"
4254 "0\r\n";
4255 uint8_t http2_buf[] =
4256 "Dummy-Header: kaboom\r\n"
4257 "\r\n";
4258 uint32_t http1_len = sizeof(http1_buf) - 1;
4259 uint32_t http2_len = sizeof(http2_buf) - 1;
4260
4261 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4262 FAIL_IF_NULL(alp_tctx);
4263
4264 memset(&th_v, 0, sizeof(th_v));
4265 memset(&f, 0, sizeof(f));
4266 memset(&ssn, 0, sizeof(ssn));
4267
4268 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4269 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4270
4271 FLOW_INITIALIZE(&f);
4272 f.protoctx = (void *)&ssn;
4273 f.proto = IPPROTO_TCP;
4274 f.flags |= FLOW_IPV4;
4275
4276 p1->flow = &f;
4277 p1->flowflags |= FLOW_PKT_TOSERVER;
4278 p1->flowflags |= FLOW_PKT_ESTABLISHED;
4279 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4280 p2->flow = &f;
4281 p2->flowflags |= FLOW_PKT_TOSERVER;
4282 p2->flowflags |= FLOW_PKT_ESTABLISHED;
4283 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4284 f.alproto = ALPROTO_HTTP1;
4285
4286 StreamTcpInitConfig(true);
4287
4288 de_ctx = DetectEngineCtxInit();
4289 FAIL_IF(de_ctx == NULL);
4290 de_ctx->flags |= DE_QUIET;
4291
4292 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4293 "(content:\"Dummy\"; http_header; "
4294 "sid:1;)");
4295 FAIL_IF(de_ctx->sig_list == NULL);
4296
4297 SigGroupBuild(de_ctx);
4298 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4299
4300 int r = AppLayerParserParse(
4301 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4302 FAIL_IF_NOT(r == 0);
4303
4304 http_state = f.alstate;
4305 FAIL_IF(http_state == NULL);
4306
4307 /* do detect */
4308 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4309
4310 FAIL_IF(PacketAlertCheck(p1, 1));
4311
4312 r = AppLayerParserParse(
4313 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
4314 FAIL_IF_NOT(r == 0);
4315
4316 /* do detect */
4317 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4318
4319 FAIL_IF(!PacketAlertCheck(p2, 1));
4320
4321 AppLayerParserThreadCtxFree(alp_tctx);
4322 DetectEngineCtxFree(de_ctx);
4323
4324 StreamTcpFreeConfig(true);
4325 FLOW_DESTROY(&f);
4326 UTHFreePackets(&p1, 1);
4327 UTHFreePackets(&p2, 1);
4328 PASS;
4329}
4330
4331/**
4332 * \test Trailing headers.
4333 */
4334static int DetectEngineHttpHeaderTest34(void)
4335{
4336 TcpSession ssn;
4337 ThreadVars th_v;
4338 DetectEngineCtx *de_ctx = NULL;
4339 DetectEngineThreadCtx *det_ctx = NULL;
4340 HtpState *http_state = NULL;
4341 Flow f;
4342 uint8_t http1_buf[] =
4343 "GET /index.html HTTP/1.0\r\n"
4344 "host: boom\r\n"
4345 "Dummy-Header1: blah\r\n"
4346 "Transfer-Encoding: chunked\r\n"
4347 "\r\n";
4348 uint8_t http2_buf[] =
4349 "13\r\n"
4350 "This is dummy body1\r\n"
4351 "0\r\n";
4352 uint8_t http3_buf[] =
4353 "Dummy-Header2: kaboom\r\n"
4354 "\r\n";
4355 uint32_t http1_len = sizeof(http1_buf) - 1;
4356 uint32_t http2_len = sizeof(http2_buf) - 1;
4357 uint32_t http3_len = sizeof(http3_buf) - 1;
4358
4359 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4360 FAIL_IF_NULL(alp_tctx);
4361
4362 memset(&th_v, 0, sizeof(th_v));
4363 memset(&f, 0, sizeof(f));
4364 memset(&ssn, 0, sizeof(ssn));
4365
4366 Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4367 Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4368 Packet *p3 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4369
4370 FLOW_INITIALIZE(&f);
4371 f.protoctx = (void *)&ssn;
4372 f.proto = IPPROTO_TCP;
4373 f.flags |= FLOW_IPV4;
4374
4375 p1->flow = &f;
4376 p1->flowflags |= FLOW_PKT_TOSERVER;
4377 p1->flowflags |= FLOW_PKT_ESTABLISHED;
4378 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4379 p1->pcap_cnt = 1;
4380 p2->flow = &f;
4381 p2->flowflags |= FLOW_PKT_TOSERVER;
4382 p2->flowflags |= FLOW_PKT_ESTABLISHED;
4383 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4384 p2->pcap_cnt = 2;
4385 p3->flow = &f;
4386 p3->flowflags |= FLOW_PKT_TOSERVER;
4387 p3->flowflags |= FLOW_PKT_ESTABLISHED;
4388 p3->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4389 p3->pcap_cnt = 3;
4390 f.alproto = ALPROTO_HTTP1;
4391
4392 StreamTcpInitConfig(true);
4393
4394 de_ctx = DetectEngineCtxInit();
4395 FAIL_IF(de_ctx == NULL);
4396 de_ctx->flags |= DE_QUIET;
4397
4398 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4399 "(content:\"Dummy\"; http_header; content:\"Header2\"; http_header; within:8; "
4400 "sid:1;)");
4401 FAIL_IF(de_ctx->sig_list == NULL);
4402
4403 SigGroupBuild(de_ctx);
4404 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4405
4406 int r = AppLayerParserParse(
4407 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4408 FAIL_IF_NOT(r == 0);
4409
4410 http_state = f.alstate;
4411 FAIL_IF(http_state == NULL);
4412
4413 /* do detect */
4414 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4415 FAIL_IF(PacketAlertCheck(p1, 1));
4416
4417 r = AppLayerParserParse(
4418 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
4419 FAIL_IF_NOT(r == 0);
4420
4421 /* do detect */
4422 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4423 FAIL_IF(PacketAlertCheck(p2, 1));
4424
4425 r = AppLayerParserParse(
4426 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http3_buf, http3_len);
4427 FAIL_IF_NOT(r == 0);
4428
4429 /* do detect */
4430 SigMatchSignatures(&th_v, de_ctx, det_ctx, p3);
4431 FAIL_IF(!PacketAlertCheck(p3, 1)); /* should match in trailer */
4432
4433 AppLayerParserThreadCtxFree(alp_tctx);
4434 DetectEngineCtxFree(de_ctx);
4435
4436 StreamTcpFreeConfig(true);
4437 FLOW_DESTROY(&f);
4438 UTHFreePackets(&p1, 1);
4439 UTHFreePackets(&p2, 1);
4440 UTHFreePackets(&p3, 1);
4441 PASS;
4442}
4443
4444/**
4445 * \test Trailing headers.
4446 */
4447static int DetectEngineHttpHeaderTest35(void)
4448{
4449 TcpSession ssn;
4450 ThreadVars th_v;
4451 DetectEngineCtx *de_ctx = NULL;
4452 DetectEngineThreadCtx *det_ctx = NULL;
4453 HtpState *http_state = NULL;
4454 Flow f;
4455 uint8_t http1_buf[] =
4456 "GET /index.html HTTP/1.0\r\n"
4457 "host: boom\r\n"
4458 "Dummy-Header1: blah\r\n"
4459 "Transfer-Encoding: chunked\r\n"
4460 "\r\n";
4461 uint8_t http2_buf[] =
4462 "13\r\n"
4463 "This is dummy body1\r\n"
4464 "0\r\n";
4465 uint8_t http3_buf[] =
4466 "Dummy-Header2: kaboom\r\n"
4467 "\r\n";
4468 uint32_t http1_len = sizeof(http1_buf) - 1;
4469 uint32_t http2_len = sizeof(http2_buf) - 1;
4470 uint32_t http3_len = sizeof(http3_buf) - 1;
4471
4472 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4473 FAIL_IF_NULL(alp_tctx);
4474
4475 memset(&th_v, 0, sizeof(th_v));
4476 memset(&f, 0, sizeof(f));
4477 memset(&ssn, 0, sizeof(ssn));
4478
4479 Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4480 Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4481 Packet *p3 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4482
4483 FLOW_INITIALIZE(&f);
4484 f.protoctx = (void *)&ssn;
4485 f.proto = IPPROTO_TCP;
4486 f.flags |= FLOW_IPV4;
4487
4488 p1->flow = &f;
4489 p1->flowflags |= FLOW_PKT_TOSERVER;
4490 p1->flowflags |= FLOW_PKT_ESTABLISHED;
4491 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4492 p1->pcap_cnt = 1;
4493 p2->flow = &f;
4494 p2->flowflags |= FLOW_PKT_TOSERVER;
4495 p2->flowflags |= FLOW_PKT_ESTABLISHED;
4496 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4497 p2->pcap_cnt = 2;
4498 p3->flow = &f;
4499 p3->flowflags |= FLOW_PKT_TOSERVER;
4500 p3->flowflags |= FLOW_PKT_ESTABLISHED;
4501 p3->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4502 p3->pcap_cnt = 3;
4503 f.alproto = ALPROTO_HTTP1;
4504
4505 StreamTcpInitConfig(true);
4506
4507 de_ctx = DetectEngineCtxInit();
4508 FAIL_IF(de_ctx == NULL);
4509 de_ctx->flags |= DE_QUIET;
4510
4511 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
4512 "(content:\"Dummy\"; http_header; fast_pattern; content:\"Header2\"; http_header; within:8; "
4513 "sid:1;)");
4514 FAIL_IF(de_ctx->sig_list == NULL);
4515
4516 SigGroupBuild(de_ctx);
4517 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4518
4519 int r = AppLayerParserParse(
4520 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
4521 FAIL_IF_NOT(r == 0);
4522
4523 http_state = f.alstate;
4524 FAIL_IF(http_state == NULL);
4525
4526 /* do detect */
4527 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4528 FAIL_IF(PacketAlertCheck(p1, 1));
4529
4530 r = AppLayerParserParse(
4531 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
4532 FAIL_IF_NOT(r == 0);
4533
4534 /* do detect */
4535 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4536 FAIL_IF(PacketAlertCheck(p2, 1));
4537
4538 r = AppLayerParserParse(
4539 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http3_buf, http3_len);
4540 FAIL_IF_NOT(r == 0);
4541
4542 /* do detect */
4543 SigMatchSignatures(&th_v, de_ctx, det_ctx, p3);
4544 FAIL_IF(!PacketAlertCheck(p3, 1)); /* should match in trailer */
4545
4546 AppLayerParserThreadCtxFree(alp_tctx);
4547 DetectEngineCtxFree(de_ctx);
4548
4549 StreamTcpFreeConfig(true);
4550 FLOW_DESTROY(&f);
4551 UTHFreePackets(&p1, 1);
4552 UTHFreePackets(&p2, 1);
4553 UTHFreePackets(&p3, 1);
4554 PASS;
4555}
4556
4557void DetectHttpHeaderRegisterTests(void)
4558{
4559 UtRegisterTest("DetectHttpHeaderParserTest01", DetectHttpHeaderParserTest01);
4560 UtRegisterTest("DetectHttpHeaderParserTest02", DetectHttpHeaderParserTest02);
4561
4562 UtRegisterTest("DetectHttpHeaderTest06", DetectHttpHeaderTest06);
4563 UtRegisterTest("DetectHttpHeaderTest07", DetectHttpHeaderTest07);
4564 UtRegisterTest("DetectHttpHeaderTest08", DetectHttpHeaderTest08);
4565 UtRegisterTest("DetectHttpHeaderTest09", DetectHttpHeaderTest09);
4566 UtRegisterTest("DetectHttpHeaderTest10", DetectHttpHeaderTest10);
4567 UtRegisterTest("DetectHttpHeaderTest11", DetectHttpHeaderTest11);
4568 UtRegisterTest("DetectHttpHeaderTest12", DetectHttpHeaderTest12);
4569 UtRegisterTest("DetectHttpHeaderTest13", DetectHttpHeaderTest13);
4570 UtRegisterTest("DetectHttpHeaderTest28", DetectHttpHeaderTest28);
4571 UtRegisterTest("DetectHttpHeaderTest29", DetectHttpHeaderTest29);
4572 UtRegisterTest("DetectHttpHeaderTest30", DetectHttpHeaderTest30);
4573
4574 UtRegisterTest("DetectHttpHeaderIsdataatParseTest",
4575 DetectHttpHeaderIsdataatParseTest);
4576
4577 UtRegisterTest("DetectEngineHttpHeaderTest01",
4578 DetectEngineHttpHeaderTest01);
4579 UtRegisterTest("DetectEngineHttpHeaderTest02",
4580 DetectEngineHttpHeaderTest02);
4581 UtRegisterTest("DetectEngineHttpHeaderTest03",
4582 DetectEngineHttpHeaderTest03);
4583 UtRegisterTest("DetectEngineHttpHeaderTest04",
4584 DetectEngineHttpHeaderTest04);
4585 UtRegisterTest("DetectEngineHttpHeaderTest05",
4586 DetectEngineHttpHeaderTest05);
4587 UtRegisterTest("DetectEngineHttpHeaderTest06",
4588 DetectEngineHttpHeaderTest06);
4589 UtRegisterTest("DetectEngineHttpHeaderTest07",
4590 DetectEngineHttpHeaderTest07);
4591 UtRegisterTest("DetectEngineHttpHeaderTest08",
4592 DetectEngineHttpHeaderTest08);
4593 UtRegisterTest("DetectEngineHttpHeaderTest09",
4594 DetectEngineHttpHeaderTest09);
4595 UtRegisterTest("DetectEngineHttpHeaderTest10",
4596 DetectEngineHttpHeaderTest10);
4597 UtRegisterTest("DetectEngineHttpHeaderTest11",
4598 DetectEngineHttpHeaderTest11);
4599 UtRegisterTest("DetectEngineHttpHeaderTest12",
4600 DetectEngineHttpHeaderTest12);
4601 UtRegisterTest("DetectEngineHttpHeaderTest13",
4602 DetectEngineHttpHeaderTest13);
4603 UtRegisterTest("DetectEngineHttpHeaderTest14",
4604 DetectEngineHttpHeaderTest14);
4605 UtRegisterTest("DetectEngineHttpHeaderTest15",
4606 DetectEngineHttpHeaderTest15);
4607 UtRegisterTest("DetectEngineHttpHeaderTest16",
4608 DetectEngineHttpHeaderTest16);
4609 UtRegisterTest("DetectEngineHttpHeaderTest17",
4610 DetectEngineHttpHeaderTest17);
4611 UtRegisterTest("DetectEngineHttpHeaderTest20",
4612 DetectEngineHttpHeaderTest20);
4613 UtRegisterTest("DetectEngineHttpHeaderTest21",
4614 DetectEngineHttpHeaderTest21);
4615 UtRegisterTest("DetectEngineHttpHeaderTest22",
4616 DetectEngineHttpHeaderTest22);
4617 UtRegisterTest("DetectEngineHttpHeaderTest23",
4618 DetectEngineHttpHeaderTest23);
4619 UtRegisterTest("DetectEngineHttpHeaderTest24",
4620 DetectEngineHttpHeaderTest24);
4621 UtRegisterTest("DetectEngineHttpHeaderTest25",
4622 DetectEngineHttpHeaderTest25);
4623 UtRegisterTest("DetectEngineHttpHeaderTest26",
4624 DetectEngineHttpHeaderTest26);
4625 UtRegisterTest("DetectEngineHttpHeaderTest27",
4626 DetectEngineHttpHeaderTest27);
4627 UtRegisterTest("DetectEngineHttpHeaderTest28",
4628 DetectEngineHttpHeaderTest28);
4629 UtRegisterTest("DetectEngineHttpHeaderTest29",
4630 DetectEngineHttpHeaderTest29);
4631 UtRegisterTest("DetectEngineHttpHeaderTest30",
4632 DetectEngineHttpHeaderTest30);
4633 UtRegisterTest("DetectEngineHttpHeaderTest31",
4634 DetectEngineHttpHeaderTest31);
4635#if 0
4636 UtRegisterTest("DetectEngineHttpHeaderTest30",
4637 DetectEngineHttpHeaderTest30, 1);
4638#endif
4639 UtRegisterTest("DetectEngineHttpHeaderTest32",
4640 DetectEngineHttpHeaderTest32);
4641 UtRegisterTest("DetectEngineHttpHeaderTest33 -- Trailer",
4642 DetectEngineHttpHeaderTest33);
4643 UtRegisterTest("DetectEngineHttpHeaderTest34 -- Trailer",
4644 DetectEngineHttpHeaderTest34);
4645 UtRegisterTest("DetectEngineHttpHeaderTest35 -- Trailer",
4646 DetectEngineHttpHeaderTest35);
4647}
4648
4649/**
4650 * @}
4651 */
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition app-layer-parser.c:297
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition app-layer-parser.c:324
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition app-layer-parser.c:1291
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition app-layer-protos.h:36
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition decode.h:1266
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition decode.h:1262
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition detect-engine-alert.c:142
DetectBufferGetLastSigMatch
SigMatch * DetectBufferGetLastSigMatch(const Signature *s, const uint32_t buf_id)
Definition detect-engine-buffer.c:167
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition detect-engine-build.c:2204
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition detect-engine-register.h:93
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition detect-engine.c:2602
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition detect-engine.c:2641
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition detect-parse.c:3437
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition detect-engine.c:3372
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition detect-isdataat.h:27
ISDATAAT_NEGATED
#define ISDATAAT_NEGATED
Definition detect-isdataat.h:29
ISDATAAT_RAWBYTES
#define ISDATAAT_RAWBYTES
Definition detect-isdataat.h:28
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition detect-parse.c:3095
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition detect.c:2420
DE_QUIET
#define DE_QUIET
Definition detect.h:330
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition flow-util.h:38
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition flow-util.h:119
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition flow.h:233
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition flow.h:235
FLOW_IPV4
#define FLOW_IPV4
Definition flow.h:100
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition flow.h:234
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition fuzz_applayerparserparse.c:23
de_ctx
DetectEngineCtx * de_ctx
Definition fuzz_siginit.c:18
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition util-unittest.h:89
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition util-unittest.c:103
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition util-unittest.h:82
PASS
#define PASS
Pass the test.
Definition util-unittest.h:105
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition stream-tcp.c:859
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition stream-tcp.c:488
AppLayerParserThreadCtx_
Definition app-layer-parser.c:60
DetectEngineCtx_
main detection engine ctx
Definition detect.h:932
DetectEngineCtx_::mpm_matcher
uint8_t mpm_matcher
Definition detect.h:935
DetectEngineCtx_::flags
uint8_t flags
Definition detect.h:934
DetectEngineCtx_::sig_list
Signature * sig_list
Definition detect.h:941
DetectEngineThreadCtx_
Definition detect.h:1244
DetectIsdataatData_
Definition detect-isdataat.h:32
Flow_
Flow data structure.
Definition flow.h:356
Flow_::proto
uint8_t proto
Definition flow.h:378
Flow_::flags
uint32_t flags
Definition flow.h:421
Flow_::alproto
AppProto alproto
application level protocol
Definition flow.h:450
Flow_::alstate
void * alstate
Definition flow.h:479
Flow_::protoctx
void * protoctx
Definition flow.h:441
HtpState_
Definition app-layer-htp.h:181
Packet_
Definition decode.h:501
Packet_::flowflags
uint8_t flowflags
Definition decode.h:532
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition decode.h:626
Packet_::flow
struct Flow_ * flow
Definition decode.h:546
Packet_::flags
uint32_t flags
Definition decode.h:544
SigMatch_
a single match condition for a signature
Definition detect.h:356
SigMatch_::type
uint16_t type
Definition detect.h:357
SigMatch_::ctx
SigMatchCtx * ctx
Definition detect.h:359
Signature_
Signature container.
Definition detect.h:668
TcpSession_
Definition stream-tcp-private.h:283
ThreadVars_
Per thread variable structure.
Definition threadvars.h:58
mpm_default_matcher
uint8_t mpm_default_matcher
Definition util-mpm.c:48
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition util-unittest-helper.c:456
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition util-unittest-helper.c:365
UTHParseSignature
int UTHParseSignature(const char *str, bool expect)
parser a sig and see if the expected result is correct
Definition util-unittest-helper.c:898