suricata
detect-http-host.c
Go to the documentation of this file.
1/* Copyright (C) 2007-2024 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \ingroup httplayer
20 *
21 * @{
22 */
23
24
25/** \file
26 *
27 * \author Anoop Saldanha <anoopsaldanha@gmail.com>
28 * \author Victor Julien <victor@inliniac.net>
29 *
30 * \brief Handle HTTP host header.
31 * HHHD - Http Host Header Data
32 *
33 */
34
35#include "suricata-common.h"
36#include "suricata.h"
37#include "flow-util.h"
38#include "flow.h"
39#include "app-layer-parser.h"
40#include "util-unittest.h"
41#include "util-unittest-helper.h"
42#include "app-layer.h"
43#include "app-layer-htp.h"
44#include "app-layer-protos.h"
45#include "detect-engine-build.h"
46#include "detect-engine-alert.h"
47
48static int RunTest(const uint8_t *buf, const uint32_t size, const char *sig_str, const int expect)
49{
50 TcpSession ssn;
51 ThreadVars th_v;
52 DetectEngineThreadCtx *det_ctx = NULL;
53 Flow f;
54 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
55
56 memset(&th_v, 0, sizeof(th_v));
57 memset(&f, 0, sizeof(f));
58 memset(&ssn, 0, sizeof(ssn));
59
60 Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
61 FAIL_IF_NULL(p);
62
63 FLOW_INITIALIZE(&f);
64 f.protoctx = (void *)&ssn;
65 f.proto = IPPROTO_TCP;
66 f.flags |= FLOW_IPV4;
67 p->flow = &f;
68 p->flowflags |= FLOW_PKT_TOSERVER;
69 p->flowflags |= FLOW_PKT_ESTABLISHED;
70 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
71 f.alproto = ALPROTO_HTTP1;
72
73 StreamTcpInitConfig(true);
74
75 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
76 FAIL_IF_NULL(de_ctx);
77 de_ctx->flags |= DE_QUIET;
78
79 Signature *s = DetectEngineAppendSig(de_ctx, sig_str);
80 FAIL_IF_NULL(s);
81
82 SigGroupBuild(de_ctx);
83 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
84
85 int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, size);
86 FAIL_IF(r != 0);
87
88 HtpState *http_state = f.alstate;
89 FAIL_IF_NULL(http_state);
90
91 /* do detect */
92 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
93
94 FAIL_IF(PacketAlertCheck(p, 1) != expect);
95
96 AppLayerParserThreadCtxFree(alp_tctx);
97 DetectEngineCtxFree(de_ctx);
98
99 StreamTcpFreeConfig(true);
100 FLOW_DESTROY(&f);
101 UTHFreePackets(&p, 1);
102 PASS;
103}
104/**
105 * \test Test that the http_host content matches against a http request
106 * which holds the content.
107 */
108static int DetectEngineHttpHHTest01(void)
109{
110 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
111 "Host: CONNECT\r\n"
112 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
113 uint32_t http_len = sizeof(http_buf) - 1;
114 return RunTest(http_buf, http_len,
115 "alert http any any -> any any "
116 "(msg:\"http host header test\"; "
117 "content:\"connect\"; http_host; "
118 "sid:1;)",
119 1);
120}
121
122/**
123 * \test Test that the http_host content matches against a http request
124 * which holds the content.
125 */
126static int DetectEngineHttpHHTest02(void)
127{
128 uint8_t http_buf[] =
129 "GET /index.html HTTP/1.0\r\n"
130 "Host: CONNECT\r\n"
131 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
132 uint32_t http_len = sizeof(http_buf) - 1;
133 return RunTest(http_buf, http_len,
134 "alert http any any -> any any "
135 "(msg:\"http host header test\"; "
136 "content:\"co\"; depth:4; http_host; "
137 "sid:1;)",
138 1);
139}
140
141/**
142 * \test Test that the http_host content matches against a http request
143 * which holds the content.
144 */
145static int DetectEngineHttpHHTest03(void)
146{
147 uint8_t http_buf[] =
148 "GET /index.html HTTP/1.0\r\n"
149 "Host: CONNECT\r\n"
150 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
151 uint32_t http_len = sizeof(http_buf) - 1;
152 return RunTest(http_buf, http_len,
153 "alert http any any -> any any "
154 "(msg:\"http_host header test\"; "
155 "content:!\"ect\"; depth:4; http_host; "
156 "sid:1;)",
157 1);
158}
159
160/**
161 * \test Test that the http_host content matches against a http request
162 * which holds the content.
163 */
164static int DetectEngineHttpHHTest04(void)
165{
166 uint8_t http_buf[] =
167 "GET /index.html HTTP/1.0\r\n"
168 "Host: CONNECT\r\n"
169 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
170 uint32_t http_len = sizeof(http_buf) - 1;
171 return RunTest(http_buf, http_len,
172 "alert http any any -> any any "
173 "(msg:\"http host header test\"; "
174 "content:\"ect\"; depth:4; http_host; "
175 "sid:1;)",
176 0);
177}
178
179/**
180 * \test Test that the http_host content matches against a http request
181 * which holds the content.
182 */
183static int DetectEngineHttpHHTest05(void)
184{
185 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
186 "Host: CONNECT\r\n"
187 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
188 uint32_t http_len = sizeof(http_buf) - 1;
189 return RunTest(http_buf, http_len,
190 "alert http any any -> any any "
191 "(msg:\"http host header test\"; "
192 "content:!\"con\"; depth:4; http_host; "
193 "sid:1;)",
194 0);
195}
196
197/**
198 * \test Test that the http_host header content matches against a http request
199 * which holds the content.
200 */
201static int DetectEngineHttpHHTest06(void)
202{
203 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
204 "Host: CONNECT\r\n"
205 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
206 uint32_t http_len = sizeof(http_buf) - 1;
207 return RunTest(http_buf, http_len,
208 "alert http any any -> any any "
209 "(msg:\"http host header test\"; "
210 "content:\"ect\"; offset:3; http_host; "
211 "sid:1;)",
212 1);
213}
214
215/**
216 * \test Test that the http_host content matches against a http request
217 * which holds the content.
218 */
219static int DetectEngineHttpHHTest07(void)
220{
221 uint8_t http_buf[] =
222 "GET /index.html HTTP/1.0\r\n"
223 "Host: CONNECT\r\n"
224 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
225 uint32_t http_len = sizeof(http_buf) - 1;
226 return RunTest(http_buf, http_len,
227 "alert http any any -> any any "
228 "(msg:\"http host header test\"; "
229 "content:!\"co\"; offset:3; http_host; "
230 "sid:1;)",
231 1);
232}
233
234/**
235 * \test Test that the http_host header content matches against a http request
236 * which holds the content.
237 */
238static int DetectEngineHttpHHTest08(void)
239{
240 uint8_t http_buf[] =
241 "GET /index.html HTTP/1.0\r\n"
242 "Host: CONNECT\r\n"
243 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
244 uint32_t http_len = sizeof(http_buf) - 1;
245 return RunTest(http_buf, http_len,
246 "alert http any any -> any any "
247 "(msg:\"http host header test\"; "
248 "content:!\"ect\"; offset:3; http_host; "
249 "sid:1;)",
250 0);
251}
252
253/**
254 * \test Test that the http_host header content matches against a http request
255 * which holds the content.
256 */
257static int DetectEngineHttpHHTest09(void)
258{
259 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
260 "Host: CONNECT\r\n"
261 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
262 uint32_t http_len = sizeof(http_buf) - 1;
263 return RunTest(http_buf, http_len,
264 "alert http any any -> any any "
265 "(msg:\"http host header test\"; "
266 "content:\"con\"; offset:3; http_host; "
267 "sid:1;)",
268 0);
269}
270
271/**
272 * \test Test that the http_host header content matches against a http request
273 * which holds the content.
274 */
275static int DetectEngineHttpHHTest10(void)
276{
277 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
278 "Host: CONNECT\r\n"
279 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
280 uint32_t http_len = sizeof(http_buf) - 1;
281 return RunTest(http_buf, http_len,
282 "alert http any any -> any any "
283 "(msg:\"http_host header test\"; "
284 "content:\"co\"; http_host; "
285 "content:\"ec\"; within:4; http_host; "
286 "sid:1;)",
287 1);
288}
289
290/**
291 * \test Test that the http_host header content matches against a http request
292 * which holds the content.
293 */
294static int DetectEngineHttpHHTest11(void)
295{
296 uint8_t http_buf[] =
297 "GET /index.html HTTP/1.0\r\n"
298 "Host: CONNECT\r\n"
299 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
300 uint32_t http_len = sizeof(http_buf) - 1;
301 return RunTest(http_buf, http_len,
302 "alert http any any -> any any "
303 "(msg:\"http_host header test\"; "
304 "content:\"co\"; http_host; "
305 "content:!\"ec\"; within:3; http_host; "
306 "sid:1;)",
307 1);
308}
309
310/**
311 * \test Test that the http_host header content matches against a http request
312 * which holds the content.
313 */
314static int DetectEngineHttpHHTest12(void)
315{
316 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
317 "Host: CONNECT\r\n"
318 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
319 uint32_t http_len = sizeof(http_buf) - 1;
320 return RunTest(http_buf, http_len,
321 "alert http any any -> any any "
322 "(msg:\"http_host header test\"; "
323 "content:\"co\"; http_host; "
324 "content:\"ec\"; within:3; http_host; "
325 "sid:1;)",
326 0);
327}
328
329/**
330 * \test Test that the http_host header content matches against a http request
331 * which holds the content.
332 */
333static int DetectEngineHttpHHTest13(void)
334{
335 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
336 "Host: CONNECT\r\n"
337 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
338 uint32_t http_len = sizeof(http_buf) - 1;
339 return RunTest(http_buf, http_len,
340 "alert http any any -> any any "
341 "(msg:\"http_host header test\"; "
342 "content:\"co\"; http_host; "
343 "content:!\"ec\"; within:4; http_host; "
344 "sid:1;)",
345 0);
346}
347
348/**
349 * \test Test that the http_host header content matches against a http request
350 * which holds the content.
351 */
352static int DetectEngineHttpHHTest14(void)
353{
354 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
355 "Host: CONNECT\r\n"
356 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
357 uint32_t http_len = sizeof(http_buf) - 1;
358 return RunTest(http_buf, http_len,
359 "alert http any any -> any any "
360 "(msg:\"http_host header test\"; "
361 "content:\"co\"; http_host; "
362 "content:\"ec\"; distance:2; http_host; "
363 "sid:1;)",
364 1);
365}
366
367/**
368 * \test Test that the http_host header content matches against a http request
369 * which holds the content.
370 */
371static int DetectEngineHttpHHTest15(void)
372{
373 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
374 "Host: CONNECT\r\n"
375 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
376 uint32_t http_len = sizeof(http_buf) - 1;
377 return RunTest(http_buf, http_len,
378 "alert http any any -> any any "
379 "(msg:\"http_host header test\"; "
380 "content:\"co\"; http_host; "
381 "content:!\"ec\"; distance:3; http_host; "
382 "sid:1;)",
383 1);
384}
385
386/**
387 * \test Test that the http_host header content matches against a http request
388 * which holds the content.
389 */
390static int DetectEngineHttpHHTest16(void)
391{
392 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
393 "Host: CONNECT\r\n"
394 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
395 uint32_t http_len = sizeof(http_buf) - 1;
396 return RunTest(http_buf, http_len,
397 "alert http any any -> any any "
398 "(msg:\"http_host header test\"; "
399 "content:\"co\"; http_host; "
400 "content:\"ec\"; distance:3; http_host; "
401 "sid:1;)",
402 0);
403}
404
405/**
406 * \test Test that the http_host header content matches against a http request
407 * which holds the content.
408 */
409static int DetectEngineHttpHHTest17(void)
410{
411 uint8_t http_buf[] =
412 "GET /index.html HTTP/1.0\r\n"
413 "Host: CONNECT\r\n"
414 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
415 uint32_t http_len = sizeof(http_buf) - 1;
416 return RunTest(http_buf, http_len,
417 "alert http any any -> any any "
418 "(msg:\"http_host header test\"; "
419 "content:\"co\"; http_host; "
420 "content:!\"ec\"; distance:2; http_host; "
421 "sid:1;)",
422 0);
423}
424
425static int DetectEngineHttpHHTest18(void)
426{
427 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
428 "Host: www.kaboom.com\r\n"
429 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
430 uint32_t http_len = sizeof(http_buf) - 1;
431 return RunTest(http_buf, http_len,
432 "alert http any any -> any any "
433 "(msg:\"http_host header test\"; "
434 "content:\"kaboom\"; http_host; "
435 "sid:1;)",
436 1);
437}
438
439static int DetectEngineHttpHHTest19(void)
440{
441 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
442 "Host: www.kaboom.com:8080\r\n"
443 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
444 uint32_t http_len = sizeof(http_buf) - 1;
445 return RunTest(http_buf, http_len,
446 "alert http any any -> any any "
447 "(msg:\"http_host header test\"; "
448 "content:\"kaboom\"; http_host; "
449 "sid:1;)",
450 1);
451}
452
453static int DetectEngineHttpHHTest20(void)
454{
455 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
456 "Host: www.kaboom.com:8080\r\n"
457 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
458 uint32_t http_len = sizeof(http_buf) - 1;
459 return RunTest(http_buf, http_len,
460 "alert http any any -> any any "
461 "(msg:\"http_host header test\"; "
462 "content:\"8080\"; http_host; "
463 "sid:1;)",
464 0);
465}
466
467static int DetectEngineHttpHHTest21(void)
468{
469 uint8_t http_buf[] = "GET http://www.kaboom.com/index.html HTTP/1.0\r\n"
470 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
471 uint32_t http_len = sizeof(http_buf) - 1;
472 return RunTest(http_buf, http_len,
473 "alert http any any -> any any "
474 "(msg:\"http_host header test\"; "
475 "content:\"kaboom\"; http_host; "
476 "sid:1;)",
477 1);
478}
479
480static int DetectEngineHttpHHTest22(void)
481{
482 uint8_t http_buf[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
483 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
484 uint32_t http_len = sizeof(http_buf) - 1;
485 return RunTest(http_buf, http_len,
486 "alert http any any -> any any "
487 "(msg:\"http_host header test\"; "
488 "content:\"kaboom\"; http_host; "
489 "sid:1;)",
490 1);
491}
492
493static int DetectEngineHttpHHTest23(void)
494{
495 uint8_t http_buf[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
496 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
497 uint32_t http_len = sizeof(http_buf) - 1;
498 return RunTest(http_buf, http_len,
499 "alert http any any -> any any "
500 "(msg:\"http_host header test\"; "
501 "content:\"8080\"; http_host; "
502 "sid:1;)",
503 0);
504}
505
506static int DetectEngineHttpHHTest24(void)
507{
508 uint8_t http_buf[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
509 "Host: www.rabbit.com\r\n"
510 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
511 uint32_t http_len = sizeof(http_buf) - 1;
512 return RunTest(http_buf, http_len,
513 "alert http any any -> any any "
514 "(msg:\"http_host header test\"; "
515 "content:\"kaboom\"; http_host; "
516 "sid:1;)",
517 1);
518}
519
520static int DetectEngineHttpHHTest25(void)
521{
522 uint8_t http_buf[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
523 "Host: www.rabbit.com\r\n"
524 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
525 uint32_t http_len = sizeof(http_buf) - 1;
526 return RunTest(http_buf, http_len,
527 "alert http any any -> any any "
528 "(msg:\"http_host header test\"; "
529 "content:\"rabbit\"; http_host; "
530 "sid:1;)",
531 0);
532}
533
534/**
535 * \test Test that a signature containing a http_host is correctly parsed
536 * and the keyword is registered.
537 */
538static int DetectHttpHHTest01(void)
539{
540 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
541 FAIL_IF_NULL(de_ctx);
542 de_ctx->flags |= DE_QUIET;
543 Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
544 "content:\"one\"; http_host; sid:1;)");
545 FAIL_IF_NULL(s);
546 DetectEngineCtxFree(de_ctx);
547 PASS;
548}
549
550/**
551 * \test Test that an invalid signature containing no content but a
552 * http_host is invalidated.
553 */
554static int DetectHttpHHTest03(void)
555{
556 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
557 FAIL_IF_NULL(de_ctx);
558 de_ctx->flags |= DE_QUIET;
559 Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
560 "http_host; sid:1;)");
561 FAIL_IF_NOT_NULL(s);
562 DetectEngineCtxFree(de_ctx);
563 PASS;
564}
565
566/**
567 * \test Test that an invalid signature containing a rawbytes along with a
568 * http_host is invalidated.
569 */
570static int DetectHttpHHTest04(void)
571{
572 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
573 FAIL_IF_NULL(de_ctx);
574 de_ctx->flags |= DE_QUIET;
575 Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
576 "content:\"one\"; rawbytes; http_host; sid:1;)");
577 FAIL_IF_NOT_NULL(s);
578 DetectEngineCtxFree(de_ctx);
579 PASS;
580}
581
582/**
583 * \test Test that a http_host with nocase is parsed.
584 */
585static int DetectHttpHHTest05(void)
586{
587 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
588 FAIL_IF_NULL(de_ctx);
589 de_ctx->flags |= DE_QUIET;
590 Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
591 "content:\"one\"; http_host; nocase; sid:1;)");
592 FAIL_IF_NOT_NULL(s);
593 DetectEngineCtxFree(de_ctx);
594 PASS;
595}
596
597/** \test invalid sig: uppercase content */
598static int DetectHttpHHTest05a(void)
599{
600 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
601 FAIL_IF_NULL(de_ctx);
602 de_ctx->flags |= DE_QUIET;
603
604 Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
605 "(content:\"ABC\"; http_host; sid:1;)");
606 FAIL_IF_NOT_NULL(s);
607
608 DetectEngineCtxFree(de_ctx);
609 PASS;
610}
611
612/**
613 *\test Test that the http_host content matches against a http request
614 * which holds the content.
615 */
616static int DetectHttpHHTest06(void)
617{
618 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
619 "User-Agent: www.openinfosecfoundation.org\r\n"
620 "Host: This is dummy message body\r\n"
621 "Content-Type: text/html\r\n"
622 "\r\n";
623 uint32_t http_len = sizeof(http_buf) - 1;
624 return RunTest(http_buf, http_len,
625 "alert http any any -> any any "
626 "(msg:\"http host test\"; "
627 "content:\"message\"; http_host; "
628 "sid:1;)",
629 1);
630}
631
632/**
633 *\test Test that the http_host content matches against a http request
634 * which holds the content.
635 */
636static int DetectHttpHHTest07(void)
637{
638 TcpSession ssn;
639 Packet *p1 = NULL;
640 Packet *p2 = NULL;
641 ThreadVars th_v;
642 DetectEngineThreadCtx *det_ctx = NULL;
643 HtpState *http_state = NULL;
644 Flow f;
645 uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
646 "User-Agent: www.openinfosecfoundation.org\r\n"
647 "Host: This is dummy message";
648 uint8_t http2_buf[] = "body1\r\n\r\n";
649 uint32_t http1_len = sizeof(http1_buf) - 1;
650 uint32_t http2_len = sizeof(http2_buf) - 1;
651 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
652
653 memset(&th_v, 0, sizeof(th_v));
654 memset(&f, 0, sizeof(f));
655 memset(&ssn, 0, sizeof(ssn));
656
657 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
658 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
659
660 FLOW_INITIALIZE(&f);
661 f.protoctx = (void *)&ssn;
662 f.proto = IPPROTO_TCP;
663 f.flags |= FLOW_IPV4;
664
665 p1->flow = &f;
666 p1->flowflags |= FLOW_PKT_TOSERVER;
667 p1->flowflags |= FLOW_PKT_ESTABLISHED;
668 p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
669 p2->flow = &f;
670 p2->flowflags |= FLOW_PKT_TOSERVER;
671 p2->flowflags |= FLOW_PKT_ESTABLISHED;
672 p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
673 f.alproto = ALPROTO_HTTP1;
674
675 StreamTcpInitConfig(true);
676
677 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
678 FAIL_IF_NULL(de_ctx);
679 de_ctx->flags |= DE_QUIET;
680
681 Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
682 "(msg:\"http host test\"; "
683 "content:\"message\"; http_host; "
684 "sid:1;)");
685 FAIL_IF_NULL(s);
686
687 SigGroupBuild(de_ctx);
688 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
689
690 int r = AppLayerParserParse(
691 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
692 FAIL_IF(r != 0);
693
694 http_state = f.alstate;
695 FAIL_IF_NULL(http_state);
696
697 /* do detect */
698 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
699
700 FAIL_IF(PacketAlertCheck(p1, 1));
701
702 r = AppLayerParserParse(
703 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
704 FAIL_IF(r != 0);
705
706 /* do detect */
707 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
708 FAIL_IF(!(PacketAlertCheck(p2, 1)));
709
710 AppLayerParserThreadCtxFree(alp_tctx);
711 DetectEngineCtxFree(de_ctx);
712
713 StreamTcpFreeConfig(true);
714 FLOW_DESTROY(&f);
715 UTHFreePackets(&p1, 1);
716 UTHFreePackets(&p2, 1);
717 PASS;
718}
719
720/**
721 *\test Test that the http_host content matches against a http request
722 * which holds the content.
723 */
724static int DetectHttpHHTest08(void)
725{
726 TcpSession ssn;
727 Packet *p1 = NULL;
728 Packet *p2 = NULL;
729 ThreadVars th_v;
730 DetectEngineThreadCtx *det_ctx = NULL;
731 HtpState *http_state = NULL;
732 Flow f;
733 uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
734 "User-Agent: www.openinfosecfoundation.org\r\n"
735 "host: This is dummy mess";
736 uint8_t http2_buf[] = "age body\r\n\r\n";
737 uint32_t http1_len = sizeof(http1_buf) - 1;
738 uint32_t http2_len = sizeof(http2_buf) - 1;
739 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
740
741 memset(&th_v, 0, sizeof(th_v));
742 memset(&f, 0, sizeof(f));
743 memset(&ssn, 0, sizeof(ssn));
744
745 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
746 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
747
748 FLOW_INITIALIZE(&f);
749 f.protoctx = (void *)&ssn;
750 f.proto = IPPROTO_TCP;
751 f.flags |= FLOW_IPV4;
752
753 p1->flow = &f;
754 p1->flowflags |= FLOW_PKT_TOSERVER;
755 p1->flowflags |= FLOW_PKT_ESTABLISHED;
756 p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
757 p2->flow = &f;
758 p2->flowflags |= FLOW_PKT_TOSERVER;
759 p2->flowflags |= FLOW_PKT_ESTABLISHED;
760 p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
761 f.alproto = ALPROTO_HTTP1;
762
763 StreamTcpInitConfig(true);
764
765 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
766 FAIL_IF_NULL(de_ctx);
767 de_ctx->flags |= DE_QUIET;
768
769 Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
770 "(msg:\"http host test\"; "
771 "content:\"message\"; http_host; "
772 "sid:1;)");
773 FAIL_IF_NULL(s);
774
775 SigGroupBuild(de_ctx);
776 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
777
778 int r = AppLayerParserParse(
779 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
780 FAIL_IF(r != 0);
781
782 http_state = f.alstate;
783 FAIL_IF_NULL(http_state);
784
785 /* do detect */
786 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
787
788 FAIL_IF((PacketAlertCheck(p1, 1)));
789
790 r = AppLayerParserParse(
791 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
792 FAIL_IF(r != 0);
793
794 /* do detect */
795 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
796
797 FAIL_IF(!(PacketAlertCheck(p2, 1)));
798
799 AppLayerParserThreadCtxFree(alp_tctx);
800 DetectEngineCtxFree(de_ctx);
801
802 StreamTcpFreeConfig(true);
803 FLOW_DESTROY(&f);
804 UTHFreePackets(&p1, 1);
805 UTHFreePackets(&p2, 1);
806 PASS;
807}
808
809/**
810 *\test Test that the http_host content matches against a http request
811 * which holds the content, against a cross boundary present pattern.
812 */
813static int DetectHttpHHTest09(void)
814{
815 TcpSession ssn;
816 Packet *p1 = NULL;
817 Packet *p2 = NULL;
818 ThreadVars th_v;
819 DetectEngineThreadCtx *det_ctx = NULL;
820 HtpState *http_state = NULL;
821 Flow f;
822 uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
823 "User-Agent: www.openinfosecfoundation.org\r\n"
824 "Host: This is dummy body1";
825 uint8_t http2_buf[] = "This is dummy message body2\r\n"
826 "Content-Type: text/html\r\n"
827 "Content-Length: 46\r\n"
828 "\r\n"
829 "This is dummy body1";
830 uint32_t http1_len = sizeof(http1_buf) - 1;
831 uint32_t http2_len = sizeof(http2_buf) - 1;
832 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
833
834 memset(&th_v, 0, sizeof(th_v));
835 memset(&f, 0, sizeof(f));
836 memset(&ssn, 0, sizeof(ssn));
837
838 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
839 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
840
841 FLOW_INITIALIZE(&f);
842 f.protoctx = (void *)&ssn;
843 f.proto = IPPROTO_TCP;
844 f.flags |= FLOW_IPV4;
845
846 p1->flow = &f;
847 p1->flowflags |= FLOW_PKT_TOSERVER;
848 p1->flowflags |= FLOW_PKT_ESTABLISHED;
849 p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
850 p2->flow = &f;
851 p2->flowflags |= FLOW_PKT_TOSERVER;
852 p2->flowflags |= FLOW_PKT_ESTABLISHED;
853 p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
854 f.alproto = ALPROTO_HTTP1;
855
856 StreamTcpInitConfig(true);
857
858 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
859 FAIL_IF_NULL(de_ctx);
860 de_ctx->flags |= DE_QUIET;
861
862 Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
863 "(msg:\"http host test\"; "
864 "content:\"body1this\"; http_host; "
865 "sid:1;)");
866 FAIL_IF_NULL(s);
867
868 SigGroupBuild(de_ctx);
869 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
870
871 int r = AppLayerParserParse(
872 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
873 FAIL_IF(r != 0);
874
875 http_state = f.alstate;
876 FAIL_IF_NULL(http_state);
877
878 /* do detect */
879 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
880
881 FAIL_IF((PacketAlertCheck(p1, 1)));
882
883 r = AppLayerParserParse(
884 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
885 FAIL_IF(r != 0);
886
887 /* do detect */
888 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
889
890 FAIL_IF(!(PacketAlertCheck(p2, 1)));
891
892 AppLayerParserThreadCtxFree(alp_tctx);
893 DetectEngineCtxFree(de_ctx);
894
895 StreamTcpFreeConfig(true);
896 FLOW_DESTROY(&f);
897 UTHFreePackets(&p1, 1);
898 UTHFreePackets(&p2, 1);
899 PASS;
900}
901
902/**
903 *\test Test that the http_host content matches against a http request
904 * against a case insensitive pattern.
905 */
906static int DetectHttpHHTest10(void)
907{
908 TcpSession ssn;
909 Packet *p1 = NULL;
910 Packet *p2 = NULL;
911 ThreadVars th_v;
912 DetectEngineCtx *de_ctx = NULL;
913 DetectEngineThreadCtx *det_ctx = NULL;
914 HtpState *http_state = NULL;
915 Flow f;
916 uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
917 "User-Agent: www.openinfosecfoundation.org\r\n"
918 "Host: This is dummy bodY1";
919 uint8_t http2_buf[] = "This is dummy message body2\r\n"
920 "Content-Type: text/html\r\n"
921 "Content-Length: 46\r\n"
922 "\r\n"
923 "This is dummy bodY1";
924 uint32_t http1_len = sizeof(http1_buf) - 1;
925 uint32_t http2_len = sizeof(http2_buf) - 1;
926 int result = 0;
927 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
928
929 memset(&th_v, 0, sizeof(th_v));
930 memset(&f, 0, sizeof(f));
931 memset(&ssn, 0, sizeof(ssn));
932
933 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
934 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
935
936 FLOW_INITIALIZE(&f);
937 f.protoctx = (void *)&ssn;
938 f.proto = IPPROTO_TCP;
939 f.flags |= FLOW_IPV4;
940
941 p1->flow = &f;
942 p1->flowflags |= FLOW_PKT_TOSERVER;
943 p1->flowflags |= FLOW_PKT_ESTABLISHED;
944 p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
945 p2->flow = &f;
946 p2->flowflags |= FLOW_PKT_TOSERVER;
947 p2->flowflags |= FLOW_PKT_ESTABLISHED;
948 p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
949 f.alproto = ALPROTO_HTTP1;
950
951 StreamTcpInitConfig(true);
952
953 de_ctx = DetectEngineCtxInit();
954 if (de_ctx == NULL)
955 goto end;
956
957 de_ctx->flags |= DE_QUIET;
958
959 de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
960 "(msg:\"http host test\"; "
961 "content:\"body1this\"; http_host; "
962 "sid:1;)");
963 if (de_ctx->sig_list == NULL)
964 goto end;
965
966 SigGroupBuild(de_ctx);
967 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
968
969 int r = AppLayerParserParse(
970 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
971 if (r != 0) {
972 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
973 result = 0;
974 goto end;
975 }
976
977 http_state = f.alstate;
978 if (http_state == NULL) {
979 printf("no http state: \n");
980 result = 0;
981 goto end;
982 }
983
984 /* do detect */
985 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
986
987 if ((PacketAlertCheck(p1, 1))) {
988 printf("sid 1 didn't match but should have\n");
989 goto end;
990 }
991
992 r = AppLayerParserParse(
993 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
994 if (r != 0) {
995 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
996 result = 0;
997 goto end;
998 }
999
1000 /* do detect */
1001 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1002
1003 if (!(PacketAlertCheck(p2, 1))) {
1004 printf("sid 1 didn't match but should have");
1005 goto end;
1006 }
1007
1008 result = 1;
1009end:
1010 if (alp_tctx != NULL)
1011 AppLayerParserThreadCtxFree(alp_tctx);
1012 if (de_ctx != NULL)
1013 DetectEngineCtxFree(de_ctx);
1014
1015 StreamTcpFreeConfig(true);
1016 FLOW_DESTROY(&f);
1017 UTHFreePackets(&p1, 1);
1018 UTHFreePackets(&p2, 1);
1019 return result;
1020}
1021
1022/**
1023 *\test Test that the negated http_host content matches against a
1024 * http request which doesn't hold the content.
1025 */
1026static int DetectHttpHHTest11(void)
1027{
1028 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
1029 "User-Agent: www.openinfosecfoundation.org\r\n"
1030 "Host: This is dummy message body\r\n"
1031 "Content-Type: text/html\r\n"
1032 "\r\n";
1033 uint32_t http_len = sizeof(http_buf) - 1;
1034 return RunTest(http_buf, http_len,
1035 "alert http any any -> any any "
1036 "(msg:\"http host test\"; "
1037 "content:!\"message\"; http_host; "
1038 "sid:1;)",
1039 0);
1040}
1041
1042/**
1043 *\test Negative test that the negated http_host content matches against a
1044 * http request which holds hold the content.
1045 */
1046static int DetectHttpHHTest12(void)
1047{
1048 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
1049 "User-Agent: www.openinfosecfoundation.org\r\n"
1050 "Host: This is dummy body\r\n"
1051 "\r\n";
1052 uint32_t http_len = sizeof(http_buf) - 1;
1053 return RunTest(http_buf, http_len,
1054 "alert http any any -> any any "
1055 "(msg:\"http host test\"; "
1056 "content:!\"message\"; http_host; "
1057 "sid:1;)",
1058 1);
1059}
1060
1061/**
1062 * \test Test that the http_host content matches against a http request
1063 * which holds the content.
1064 */
1065static int DetectHttpHHTest13(void)
1066{
1067 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
1068 "User-Agent: www.openinfosecfoundation.org\r\n"
1069 "Host: longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\r\n"
1070 "Content-Type: text/html\r\n"
1071 "\r\n";
1072 uint32_t http_len = sizeof(http_buf) - 1;
1073 return RunTest(http_buf, http_len,
1074 "alert http any any -> any any "
1075 "(msg:\"http host test\"; "
1076 "content:\"abcdefghijklmnopqrstuvwxyz0123456789\"; http_host; "
1077 "sid:1;)",
1078 1);
1079}
1080
1081/**
1082 * \test multiple http transactions and body chunks of request handling
1083 */
1084static int DetectHttpHHTest14(void)
1085{
1086 int result = 0;
1087 Signature *s = NULL;
1088 DetectEngineThreadCtx *det_ctx = NULL;
1089 ThreadVars th_v;
1090 Flow f;
1091 TcpSession ssn;
1092 Packet *p = NULL;
1093 uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n";
1094 uint8_t httpbuf2[] = "Cookie: dummy1\r\n";
1095 uint8_t httpbuf3[] = "Host: Body one!!\r\n\r\n";
1096 uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1097 uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1098 uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1099 uint8_t httpbuf4[] = "GET /?var=val HTTP/1.1\r\n";
1100 uint8_t httpbuf5[] = "Cookie: dummy2\r\n";
1101 uint8_t httpbuf6[] = "Host: Body two\r\n\r\n";
1102 uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1103 uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */
1104 uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */
1105 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1106
1107 memset(&th_v, 0, sizeof(th_v));
1108 memset(&f, 0, sizeof(f));
1109 memset(&ssn, 0, sizeof(ssn));
1110
1111 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1112
1113 FLOW_INITIALIZE(&f);
1114 f.protoctx = (void *)&ssn;
1115 f.proto = IPPROTO_TCP;
1116 f.flags |= FLOW_IPV4;
1117
1118 p->flow = &f;
1119 p->flowflags |= FLOW_PKT_TOSERVER;
1120 p->flowflags |= FLOW_PKT_ESTABLISHED;
1121 p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1122 f.alproto = ALPROTO_HTTP1;
1123
1124 StreamTcpInitConfig(true);
1125
1126 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1127 if (de_ctx == NULL) {
1128 goto end;
1129 }
1130
1131 de_ctx->flags |= DE_QUIET;
1132
1133 s = DetectEngineAppendSig(de_ctx,
1134 "alert tcp any any -> any any (content:\"POST\"; http_method; content:\"dummy1\"; "
1135 "http_cookie; content:\"body one\"; http_host; sid:1; rev:1;)");
1136 if (s == NULL) {
1137 printf("sig parse failed: ");
1138 goto end;
1139 }
1140 s = DetectEngineAppendSig(de_ctx,
1141 "alert tcp any any -> any any (content:\"GET\"; http_method; content:\"dummy2\"; "
1142 "http_cookie; content:\"body two\"; http_host; sid:2; rev:1;)");
1143 if (s == NULL) {
1144 printf("sig2 parse failed: ");
1145 goto end;
1146 }
1147
1148 SigGroupBuild(de_ctx);
1149 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1150
1151 int r = AppLayerParserParse(
1152 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1153 if (r != 0) {
1154 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1155 goto end;
1156 }
1157
1158 /* do detect */
1159 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1160 if (PacketAlertCheck(p, 1)) {
1161 printf("sig 1 alerted: ");
1162 goto end;
1163 }
1164 p->alerts.cnt = 0;
1165
1166 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1167 if (r != 0) {
1168 printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
1169 goto end;
1170 }
1171
1172 /* do detect */
1173 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1174 if (PacketAlertCheck(p, 1)) {
1175 printf("sig 1 alerted (2): ");
1176 goto end;
1177 }
1178 p->alerts.cnt = 0;
1179
1180 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1181 if (r != 0) {
1182 printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
1183 goto end;
1184 }
1185
1186 /* do detect */
1187 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1188 if (!(PacketAlertCheck(p, 1))) {
1189 printf("sig 1 didn't alert: ");
1190 goto end;
1191 }
1192 p->alerts.cnt = 0;
1193
1194 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
1195 if (r != 0) {
1196 printf("toserver chunk 5 returned %" PRId32 ", expected 0: ", r);
1197 goto end;
1198 }
1199
1200 /* do detect */
1201 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1202 if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2)) {
1203 printf("sig 1 alerted (4): ");
1204 goto end;
1205 }
1206 p->alerts.cnt = 0;
1207
1208 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf5, httplen5);
1209 if (r != 0) {
1210 printf("toserver chunk 6 returned %" PRId32 ", expected 0: ", r);
1211 goto end;
1212 }
1213
1214 /* do detect */
1215 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1216 if ((PacketAlertCheck(p, 1)) || (PacketAlertCheck(p, 2))) {
1217 printf("sig 1 alerted (request 2, chunk 6): ");
1218 goto end;
1219 }
1220 p->alerts.cnt = 0;
1221
1222 SCLogDebug("sending data chunk 7");
1223
1224 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf6, httplen6);
1225 if (r != 0) {
1226 printf("toserver chunk 7 returned %" PRId32 ", expected 0: ", r);
1227 goto end;
1228 }
1229
1230 /* do detect */
1231 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1232 if (PacketAlertCheck(p, 1) || !(PacketAlertCheck(p, 2))) {
1233 printf("signature 2 didn't match or sig 1 matched, but shouldn't have: ");
1234 goto end;
1235 }
1236 p->alerts.cnt = 0;
1237
1238 HtpState *htp_state = f.alstate;
1239 if (htp_state == NULL) {
1240 printf("no http state: ");
1241 result = 0;
1242 goto end;
1243 }
1244
1245 if (AppLayerParserGetTxCnt(&f, htp_state) != 2) {
1246 printf("The http app layer doesn't have 2 transactions, but it should: ");
1247 goto end;
1248 }
1249
1250 result = 1;
1251end:
1252 if (alp_tctx != NULL)
1253 AppLayerParserThreadCtxFree(alp_tctx);
1254 if (det_ctx != NULL) {
1255 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1256 }
1257 if (de_ctx != NULL) {
1258 DetectEngineCtxFree(de_ctx);
1259 }
1260
1261 StreamTcpFreeConfig(true);
1262 FLOW_DESTROY(&f);
1263 UTHFreePacket(p);
1264 return result;
1265}
1266
1267/**
1268 *\test Test that the http_raw_host content matches against a http request
1269 * which holds the content.
1270 */
1271static int DetectHttpHRHTest06(void)
1272{
1273 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
1274 "User-Agent: www.openinfosecfoundation.org\r\n"
1275 "Host: This is dummy message body\r\n"
1276 "Content-Type: text/html\r\n"
1277 "\r\n";
1278 uint32_t http_len = sizeof(http_buf) - 1;
1279 return RunTest(http_buf, http_len,
1280 "alert http any any -> any any "
1281 "(msg:\"http host test\"; "
1282 "content:\"message\"; http_raw_host; "
1283 "sid:1;)",
1284 1);
1285}
1286
1287/**
1288 *\test Test that the http_raw_host content matches against a http request
1289 * which holds the content.
1290 */
1291static int DetectHttpHRHTest07(void)
1292{
1293 TcpSession ssn;
1294 Packet *p1 = NULL;
1295 Packet *p2 = NULL;
1296 ThreadVars th_v;
1297 DetectEngineCtx *de_ctx = NULL;
1298 DetectEngineThreadCtx *det_ctx = NULL;
1299 HtpState *http_state = NULL;
1300 Flow f;
1301 uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
1302 "User-Agent: www.openinfosecfoundation.org\r\n"
1303 "Host: This is dummy message";
1304 uint8_t http2_buf[] = "body1\r\n\r\n";
1305 uint32_t http1_len = sizeof(http1_buf) - 1;
1306 uint32_t http2_len = sizeof(http2_buf) - 1;
1307 int result = 0;
1308 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1309
1310 memset(&th_v, 0, sizeof(th_v));
1311 memset(&f, 0, sizeof(f));
1312 memset(&ssn, 0, sizeof(ssn));
1313
1314 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1315 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1316
1317 FLOW_INITIALIZE(&f);
1318 f.protoctx = (void *)&ssn;
1319 f.proto = IPPROTO_TCP;
1320 f.flags |= FLOW_IPV4;
1321
1322 p1->flow = &f;
1323 p1->flowflags |= FLOW_PKT_TOSERVER;
1324 p1->flowflags |= FLOW_PKT_ESTABLISHED;
1325 p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1326 p2->flow = &f;
1327 p2->flowflags |= FLOW_PKT_TOSERVER;
1328 p2->flowflags |= FLOW_PKT_ESTABLISHED;
1329 p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1330 f.alproto = ALPROTO_HTTP1;
1331
1332 StreamTcpInitConfig(true);
1333
1334 de_ctx = DetectEngineCtxInit();
1335 if (de_ctx == NULL)
1336 goto end;
1337
1338 de_ctx->flags |= DE_QUIET;
1339
1340 de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
1341 "(msg:\"http host test\"; "
1342 "content:\"message\"; http_raw_host; "
1343 "sid:1;)");
1344 if (de_ctx->sig_list == NULL)
1345 goto end;
1346
1347 SigGroupBuild(de_ctx);
1348 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1349
1350 int r = AppLayerParserParse(
1351 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
1352 if (r != 0) {
1353 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1354 result = 0;
1355 goto end;
1356 }
1357
1358 http_state = f.alstate;
1359 if (http_state == NULL) {
1360 printf("no http state: ");
1361 goto end;
1362 }
1363
1364 /* do detect */
1365 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1366
1367 if (PacketAlertCheck(p1, 1)) {
1368 printf("sid 1 matched on p1 but shouldn't have: ");
1369 goto end;
1370 }
1371
1372 r = AppLayerParserParse(
1373 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
1374 if (r != 0) {
1375 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1376 goto end;
1377 }
1378
1379 /* do detect */
1380 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1381 if (!(PacketAlertCheck(p2, 1))) {
1382 printf("sid 1 didn't match on p2 but should have: ");
1383 goto end;
1384 }
1385
1386 result = 1;
1387end:
1388 if (alp_tctx != NULL)
1389 AppLayerParserThreadCtxFree(alp_tctx);
1390 if (de_ctx != NULL)
1391 DetectEngineCtxFree(de_ctx);
1392
1393 StreamTcpFreeConfig(true);
1394 FLOW_DESTROY(&f);
1395 UTHFreePackets(&p1, 1);
1396 UTHFreePackets(&p2, 1);
1397 return result;
1398}
1399
1400/**
1401 *\test Test that the http_raw_host content matches against a http request
1402 * which holds the content.
1403 */
1404static int DetectHttpHRHTest08(void)
1405{
1406 TcpSession ssn;
1407 Packet *p1 = NULL;
1408 Packet *p2 = NULL;
1409 ThreadVars th_v;
1410 DetectEngineCtx *de_ctx = NULL;
1411 DetectEngineThreadCtx *det_ctx = NULL;
1412 HtpState *http_state = NULL;
1413 Flow f;
1414 uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
1415 "User-Agent: www.openinfosecfoundation.org\r\n"
1416 "host: This is dummy mess";
1417 uint8_t http2_buf[] = "age body\r\n\r\n";
1418 uint32_t http1_len = sizeof(http1_buf) - 1;
1419 uint32_t http2_len = sizeof(http2_buf) - 1;
1420 int result = 0;
1421 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1422
1423 memset(&th_v, 0, sizeof(th_v));
1424 memset(&f, 0, sizeof(f));
1425 memset(&ssn, 0, sizeof(ssn));
1426
1427 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1428 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1429
1430 FLOW_INITIALIZE(&f);
1431 f.protoctx = (void *)&ssn;
1432 f.proto = IPPROTO_TCP;
1433 f.flags |= FLOW_IPV4;
1434
1435 p1->flow = &f;
1436 p1->flowflags |= FLOW_PKT_TOSERVER;
1437 p1->flowflags |= FLOW_PKT_ESTABLISHED;
1438 p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1439 p2->flow = &f;
1440 p2->flowflags |= FLOW_PKT_TOSERVER;
1441 p2->flowflags |= FLOW_PKT_ESTABLISHED;
1442 p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1443 f.alproto = ALPROTO_HTTP1;
1444
1445 StreamTcpInitConfig(true);
1446
1447 de_ctx = DetectEngineCtxInit();
1448 if (de_ctx == NULL)
1449 goto end;
1450
1451 de_ctx->flags |= DE_QUIET;
1452
1453 de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
1454 "(msg:\"http host test\"; "
1455 "content:\"message\"; http_raw_host; "
1456 "sid:1;)");
1457 if (de_ctx->sig_list == NULL)
1458 goto end;
1459
1460 SigGroupBuild(de_ctx);
1461 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1462
1463 int r = AppLayerParserParse(
1464 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
1465 if (r != 0) {
1466 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1467 result = 0;
1468 goto end;
1469 }
1470
1471 http_state = f.alstate;
1472 if (http_state == NULL) {
1473 printf("no http state: ");
1474 result = 0;
1475 goto end;
1476 }
1477
1478 /* do detect */
1479 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1480
1481 if ((PacketAlertCheck(p1, 1))) {
1482 printf("sid 1 didn't match but should have");
1483 goto end;
1484 }
1485
1486 r = AppLayerParserParse(
1487 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
1488 if (r != 0) {
1489 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1490 result = 0;
1491 goto end;
1492 }
1493
1494 /* do detect */
1495 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1496
1497 if (!(PacketAlertCheck(p2, 1))) {
1498 printf("sid 1 didn't match but should have");
1499 goto end;
1500 }
1501
1502 result = 1;
1503end:
1504 if (alp_tctx != NULL)
1505 AppLayerParserThreadCtxFree(alp_tctx);
1506 if (de_ctx != NULL)
1507 DetectEngineCtxFree(de_ctx);
1508
1509 StreamTcpFreeConfig(true);
1510 FLOW_DESTROY(&f);
1511 UTHFreePackets(&p1, 1);
1512 UTHFreePackets(&p2, 1);
1513 return result;
1514}
1515
1516/**
1517 *\test Test that the http_raw_host content matches against a http request
1518 * which holds the content, against a cross boundary present pattern.
1519 */
1520static int DetectHttpHRHTest09(void)
1521{
1522 TcpSession ssn;
1523 Packet *p1 = NULL;
1524 Packet *p2 = NULL;
1525 ThreadVars th_v;
1526 DetectEngineCtx *de_ctx = NULL;
1527 DetectEngineThreadCtx *det_ctx = NULL;
1528 HtpState *http_state = NULL;
1529 Flow f;
1530 uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
1531 "User-Agent: www.openinfosecfoundation.org\r\n"
1532 "Host: This is dummy body1";
1533 uint8_t http2_buf[] = "This is dummy message body2\r\n"
1534 "Content-Type: text/html\r\n"
1535 "Content-Length: 46\r\n"
1536 "\r\n"
1537 "This is dummy body1";
1538 uint32_t http1_len = sizeof(http1_buf) - 1;
1539 uint32_t http2_len = sizeof(http2_buf) - 1;
1540 int result = 0;
1541 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1542
1543 memset(&th_v, 0, sizeof(th_v));
1544 memset(&f, 0, sizeof(f));
1545 memset(&ssn, 0, sizeof(ssn));
1546
1547 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1548 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1549
1550 FLOW_INITIALIZE(&f);
1551 f.protoctx = (void *)&ssn;
1552 f.proto = IPPROTO_TCP;
1553 f.flags |= FLOW_IPV4;
1554
1555 p1->flow = &f;
1556 p1->flowflags |= FLOW_PKT_TOSERVER;
1557 p1->flowflags |= FLOW_PKT_ESTABLISHED;
1558 p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1559 p2->flow = &f;
1560 p2->flowflags |= FLOW_PKT_TOSERVER;
1561 p2->flowflags |= FLOW_PKT_ESTABLISHED;
1562 p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1563 f.alproto = ALPROTO_HTTP1;
1564
1565 StreamTcpInitConfig(true);
1566
1567 de_ctx = DetectEngineCtxInit();
1568 if (de_ctx == NULL)
1569 goto end;
1570
1571 de_ctx->flags |= DE_QUIET;
1572
1573 de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
1574 "(msg:\"http host test\"; "
1575 "content:\"body1This\"; http_raw_host; "
1576 "sid:1;)");
1577 if (de_ctx->sig_list == NULL)
1578 goto end;
1579
1580 SigGroupBuild(de_ctx);
1581 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1582
1583 int r = AppLayerParserParse(
1584 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
1585 if (r != 0) {
1586 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1587 result = 0;
1588 goto end;
1589 }
1590
1591 http_state = f.alstate;
1592 if (http_state == NULL) {
1593 printf("no http state: ");
1594 result = 0;
1595 goto end;
1596 }
1597
1598 /* do detect */
1599 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1600
1601 if ((PacketAlertCheck(p1, 1))) {
1602 printf("sid 1 didn't match but should have");
1603 goto end;
1604 }
1605
1606 r = AppLayerParserParse(
1607 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
1608 if (r != 0) {
1609 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1610 result = 0;
1611 goto end;
1612 }
1613
1614 /* do detect */
1615 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1616
1617 if (!(PacketAlertCheck(p2, 1))) {
1618 printf("sid 1 didn't match but should have");
1619 goto end;
1620 }
1621
1622 result = 1;
1623end:
1624 if (alp_tctx != NULL)
1625 AppLayerParserThreadCtxFree(alp_tctx);
1626 if (de_ctx != NULL)
1627 DetectEngineCtxFree(de_ctx);
1628
1629 StreamTcpFreeConfig(true);
1630 FLOW_DESTROY(&f);
1631 UTHFreePackets(&p1, 1);
1632 UTHFreePackets(&p2, 1);
1633 return result;
1634}
1635
1636/**
1637 *\test Test that the http_raw_host content matches against a http request
1638 * against a case insensitive pattern.
1639 */
1640static int DetectHttpHRHTest10(void)
1641{
1642 TcpSession ssn;
1643 Packet *p1 = NULL;
1644 Packet *p2 = NULL;
1645 ThreadVars th_v;
1646 DetectEngineCtx *de_ctx = NULL;
1647 DetectEngineThreadCtx *det_ctx = NULL;
1648 HtpState *http_state = NULL;
1649 Flow f;
1650 uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
1651 "User-Agent: www.openinfosecfoundation.org\r\n"
1652 "Host: This is dummy bodY1";
1653 uint8_t http2_buf[] = "This is dummy message body2\r\n"
1654 "Content-Type: text/html\r\n"
1655 "Content-Length: 46\r\n"
1656 "\r\n"
1657 "This is dummy bodY1";
1658 uint32_t http1_len = sizeof(http1_buf) - 1;
1659 uint32_t http2_len = sizeof(http2_buf) - 1;
1660 int result = 0;
1661 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1662
1663 memset(&th_v, 0, sizeof(th_v));
1664 memset(&f, 0, sizeof(f));
1665 memset(&ssn, 0, sizeof(ssn));
1666
1667 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1668 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1669
1670 FLOW_INITIALIZE(&f);
1671 f.protoctx = (void *)&ssn;
1672 f.proto = IPPROTO_TCP;
1673 f.flags |= FLOW_IPV4;
1674
1675 p1->flow = &f;
1676 p1->flowflags |= FLOW_PKT_TOSERVER;
1677 p1->flowflags |= FLOW_PKT_ESTABLISHED;
1678 p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1679 p2->flow = &f;
1680 p2->flowflags |= FLOW_PKT_TOSERVER;
1681 p2->flowflags |= FLOW_PKT_ESTABLISHED;
1682 p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1683 f.alproto = ALPROTO_HTTP1;
1684
1685 StreamTcpInitConfig(true);
1686
1687 de_ctx = DetectEngineCtxInit();
1688 if (de_ctx == NULL)
1689 goto end;
1690
1691 de_ctx->flags |= DE_QUIET;
1692
1693 de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
1694 "(msg:\"http host test\"; "
1695 "content:\"bodY1This\"; http_raw_host; "
1696 "sid:1;)");
1697 if (de_ctx->sig_list == NULL)
1698 goto end;
1699
1700 SigGroupBuild(de_ctx);
1701 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1702
1703 int r = AppLayerParserParse(
1704 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
1705 if (r != 0) {
1706 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1707 result = 0;
1708 goto end;
1709 }
1710
1711 http_state = f.alstate;
1712 if (http_state == NULL) {
1713 printf("no http state: \n");
1714 result = 0;
1715 goto end;
1716 }
1717
1718 /* do detect */
1719 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1720
1721 if ((PacketAlertCheck(p1, 1))) {
1722 printf("sid 1 didn't match but should have\n");
1723 goto end;
1724 }
1725
1726 r = AppLayerParserParse(
1727 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
1728 if (r != 0) {
1729 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1730 result = 0;
1731 goto end;
1732 }
1733
1734 /* do detect */
1735 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1736
1737 if (!(PacketAlertCheck(p2, 1))) {
1738 printf("sid 1 didn't match but should have");
1739 goto end;
1740 }
1741
1742 result = 1;
1743end:
1744 if (alp_tctx != NULL)
1745 AppLayerParserThreadCtxFree(alp_tctx);
1746 if (de_ctx != NULL)
1747 DetectEngineCtxFree(de_ctx);
1748
1749 StreamTcpFreeConfig(true);
1750 FLOW_DESTROY(&f);
1751 UTHFreePackets(&p1, 1);
1752 UTHFreePackets(&p2, 1);
1753 return result;
1754}
1755
1756/**
1757 *\test Test that the negated http_raw_host content matches against a
1758 * http request which doesn't hold the content.
1759 */
1760static int DetectHttpHRHTest11(void)
1761{
1762 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
1763 "User-Agent: www.openinfosecfoundation.org\r\n"
1764 "Host: This is dummy message body\r\n"
1765 "Content-Type: text/html\r\n"
1766 "\r\n";
1767 uint32_t http_len = sizeof(http_buf) - 1;
1768 return RunTest(http_buf, http_len,
1769 "alert http any any -> any any "
1770 "(msg:\"http host test\"; "
1771 "content:!\"message\"; http_raw_host; "
1772 "sid:1;)",
1773 0);
1774}
1775
1776/**
1777 *\test Negative test that the negated http_raw_host content matches against a
1778 * http request which holds hold the content.
1779 */
1780static int DetectHttpHRHTest12(void)
1781{
1782 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
1783 "User-Agent: www.openinfosecfoundation.org\r\n"
1784 "Host: This is dummy body\r\n"
1785 "\r\n";
1786 uint32_t http_len = sizeof(http_buf) - 1;
1787 return RunTest(http_buf, http_len,
1788 "alert http any any -> any any "
1789 "(msg:\"http host test\"; "
1790 "content:!\"message\"; http_raw_host; "
1791 "sid:1;)",
1792 1);
1793}
1794
1795/**
1796 * \test Test that the http_raw_host content matches against a http request
1797 * which holds the content.
1798 */
1799static int DetectHttpHRHTest13(void)
1800{
1801 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
1802 "User-Agent: www.openinfosecfoundation.org\r\n"
1803 "Host: longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\r\n"
1804 "Content-Type: text/html\r\n"
1805 "\r\n";
1806 uint32_t http_len = sizeof(http_buf) - 1;
1807 return RunTest(http_buf, http_len,
1808 "alert http any any -> any any "
1809 "(msg:\"http host test\"; "
1810 "content:\"abcdefghijklmnopqrstuvwxyz0123456789\"; http_raw_host; "
1811 "sid:1;)",
1812 1);
1813}
1814
1815/**
1816 * \test multiple http transactions and body chunks of request handling
1817 */
1818static int DetectHttpHRHTest14(void)
1819{
1820 int result = 0;
1821 Signature *s = NULL;
1822 DetectEngineThreadCtx *det_ctx = NULL;
1823 ThreadVars th_v;
1824 Flow f;
1825 TcpSession ssn;
1826 Packet *p = NULL;
1827 uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n";
1828 uint8_t httpbuf2[] = "Cookie: dummy1\r\n";
1829 uint8_t httpbuf3[] = "Host: Body one!!\r\n\r\n";
1830 uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1831 uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1832 uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1833 uint8_t httpbuf4[] = "GET /?var=val HTTP/1.1\r\n";
1834 uint8_t httpbuf5[] = "Cookie: dummy2\r\n";
1835 uint8_t httpbuf6[] = "Host: Body two\r\n\r\n";
1836 uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1837 uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */
1838 uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */
1839 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1840
1841 memset(&th_v, 0, sizeof(th_v));
1842 memset(&f, 0, sizeof(f));
1843 memset(&ssn, 0, sizeof(ssn));
1844
1845 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1846
1847 FLOW_INITIALIZE(&f);
1848 f.protoctx = (void *)&ssn;
1849 f.proto = IPPROTO_TCP;
1850 f.flags |= FLOW_IPV4;
1851
1852 p->flow = &f;
1853 p->flowflags |= FLOW_PKT_TOSERVER;
1854 p->flowflags |= FLOW_PKT_ESTABLISHED;
1855 p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1856 f.alproto = ALPROTO_HTTP1;
1857
1858 StreamTcpInitConfig(true);
1859
1860 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1861 if (de_ctx == NULL) {
1862 goto end;
1863 }
1864
1865 de_ctx->flags |= DE_QUIET;
1866
1867 s = DetectEngineAppendSig(de_ctx,
1868 "alert tcp any any -> any any (content:\"POST\"; http_method; content:\"dummy1\"; "
1869 "http_cookie; content:\"Body one\"; http_raw_host; sid:1; rev:1;)");
1870 if (s == NULL) {
1871 printf("sig parse failed: ");
1872 goto end;
1873 }
1874 s = DetectEngineAppendSig(de_ctx,
1875 "alert tcp any any -> any any (content:\"GET\"; http_method; content:\"dummy2\"; "
1876 "http_cookie; content:\"Body two\"; http_raw_host; sid:2; rev:1;)");
1877 if (s == NULL) {
1878 printf("sig2 parse failed: ");
1879 goto end;
1880 }
1881
1882 SigGroupBuild(de_ctx);
1883 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1884
1885 int r = AppLayerParserParse(
1886 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1887 if (r != 0) {
1888 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1889 goto end;
1890 }
1891
1892 /* do detect */
1893 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1894 if (PacketAlertCheck(p, 1)) {
1895 printf("sig 1 alerted: ");
1896 goto end;
1897 }
1898 p->alerts.cnt = 0;
1899
1900 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1901 if (r != 0) {
1902 printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
1903 goto end;
1904 }
1905
1906 /* do detect */
1907 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1908 if (PacketAlertCheck(p, 1)) {
1909 printf("sig 1 alerted (2): ");
1910 goto end;
1911 }
1912 p->alerts.cnt = 0;
1913
1914 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1915 if (r != 0) {
1916 printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
1917 goto end;
1918 }
1919
1920 /* do detect */
1921 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1922 if (!(PacketAlertCheck(p, 1))) {
1923 printf("sig 1 didn't alert: ");
1924 goto end;
1925 }
1926 p->alerts.cnt = 0;
1927
1928 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
1929 if (r != 0) {
1930 printf("toserver chunk 5 returned %" PRId32 ", expected 0: ", r);
1931 goto end;
1932 }
1933
1934 /* do detect */
1935 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1936 if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2)) {
1937 printf("sig 1 alerted (4): ");
1938 goto end;
1939 }
1940 p->alerts.cnt = 0;
1941
1942 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf5, httplen5);
1943 if (r != 0) {
1944 printf("toserver chunk 6 returned %" PRId32 ", expected 0: ", r);
1945 goto end;
1946 }
1947
1948 /* do detect */
1949 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1950 if ((PacketAlertCheck(p, 1)) || (PacketAlertCheck(p, 2))) {
1951 printf("sig 1 alerted (request 2, chunk 6): ");
1952 goto end;
1953 }
1954 p->alerts.cnt = 0;
1955
1956 SCLogDebug("sending data chunk 7");
1957
1958 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf6, httplen6);
1959 if (r != 0) {
1960 printf("toserver chunk 7 returned %" PRId32 ", expected 0: ", r);
1961 goto end;
1962 }
1963
1964 /* do detect */
1965 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1966 if (PacketAlertCheck(p, 1) || !(PacketAlertCheck(p, 2))) {
1967 printf("signature 2 didn't match or sig 1 matched, but shouldn't have: ");
1968 goto end;
1969 }
1970 p->alerts.cnt = 0;
1971
1972 HtpState *htp_state = f.alstate;
1973 if (htp_state == NULL) {
1974 printf("no http state: ");
1975 result = 0;
1976 goto end;
1977 }
1978
1979 if (AppLayerParserGetTxCnt(&f, htp_state) != 2) {
1980 printf("The http app layer doesn't have 2 transactions, but it should: ");
1981 goto end;
1982 }
1983
1984 result = 1;
1985end:
1986 if (alp_tctx != NULL)
1987 AppLayerParserThreadCtxFree(alp_tctx);
1988 if (det_ctx != NULL) {
1989 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1990 }
1991 if (de_ctx != NULL) {
1992 DetectEngineCtxFree(de_ctx);
1993 }
1994
1995 StreamTcpFreeConfig(true);
1996 FLOW_DESTROY(&f);
1997 UTHFreePacket(p);
1998 return result;
1999}
2000
2001/**
2002 *\test Test that the http_raw_host content matches against a http request
2003 * against a case insensitive pattern.
2004 */
2005static int DetectHttpHRHTest37(void)
2006{
2007 TcpSession ssn;
2008 Packet *p1 = NULL;
2009 Packet *p2 = NULL;
2010 ThreadVars th_v;
2011 DetectEngineCtx *de_ctx = NULL;
2012 DetectEngineThreadCtx *det_ctx = NULL;
2013 HtpState *http_state = NULL;
2014 Flow f;
2015 uint8_t http1_buf[] = "GET /index.html HTTP/1.0\r\n"
2016 "User-Agent: www.openinfosecfoundation.org\r\n"
2017 "Host: This is dummy bodY1";
2018 uint8_t http2_buf[] = "This is dummy message body2\r\n"
2019 "Content-Type: text/html\r\n"
2020 "Content-Length: 46\r\n"
2021 "\r\n"
2022 "This is dummy bodY1";
2023 uint32_t http1_len = sizeof(http1_buf) - 1;
2024 uint32_t http2_len = sizeof(http2_buf) - 1;
2025 int result = 0;
2026 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2027
2028 memset(&th_v, 0, sizeof(th_v));
2029 memset(&f, 0, sizeof(f));
2030 memset(&ssn, 0, sizeof(ssn));
2031
2032 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2033 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2034
2035 FLOW_INITIALIZE(&f);
2036 f.protoctx = (void *)&ssn;
2037 f.proto = IPPROTO_TCP;
2038 f.flags |= FLOW_IPV4;
2039
2040 p1->flow = &f;
2041 p1->flowflags |= FLOW_PKT_TOSERVER;
2042 p1->flowflags |= FLOW_PKT_ESTABLISHED;
2043 p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2044 p2->flow = &f;
2045 p2->flowflags |= FLOW_PKT_TOSERVER;
2046 p2->flowflags |= FLOW_PKT_ESTABLISHED;
2047 p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2048 f.alproto = ALPROTO_HTTP1;
2049
2050 StreamTcpInitConfig(true);
2051
2052 de_ctx = DetectEngineCtxInit();
2053 if (de_ctx == NULL)
2054 goto end;
2055
2056 de_ctx->flags |= DE_QUIET;
2057
2058 de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
2059 "(msg:\"http host test\"; "
2060 "content:\"body1this\"; http_raw_host; nocase; "
2061 "sid:1;)");
2062 if (de_ctx->sig_list == NULL)
2063 goto end;
2064
2065 SigGroupBuild(de_ctx);
2066 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2067
2068 int r = AppLayerParserParse(
2069 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2070 if (r != 0) {
2071 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2072 result = 0;
2073 goto end;
2074 }
2075
2076 http_state = f.alstate;
2077 if (http_state == NULL) {
2078 printf("no http state: \n");
2079 result = 0;
2080 goto end;
2081 }
2082
2083 /* do detect */
2084 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2085
2086 if ((PacketAlertCheck(p1, 1))) {
2087 printf("sid 1 didn't match but should have\n");
2088 goto end;
2089 }
2090
2091 r = AppLayerParserParse(
2092 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
2093 if (r != 0) {
2094 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2095 result = 0;
2096 goto end;
2097 }
2098
2099 /* do detect */
2100 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2101
2102 if (!(PacketAlertCheck(p2, 1))) {
2103 printf("sid 1 didn't match but should have");
2104 goto end;
2105 }
2106
2107 result = 1;
2108end:
2109 if (alp_tctx != NULL)
2110 AppLayerParserThreadCtxFree(alp_tctx);
2111 if (de_ctx != NULL)
2112 DetectEngineCtxFree(de_ctx);
2113
2114 StreamTcpFreeConfig(true);
2115 FLOW_DESTROY(&f);
2116 UTHFreePackets(&p1, 1);
2117 UTHFreePackets(&p2, 1);
2118 return result;
2119}
2120
2121/**
2122 * \test Test that the http_raw_host content matches against a http request
2123 * which holds the content.
2124 */
2125static int DetectEngineHttpHRHTest01(void)
2126{
2127 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2128 "Host: CONNECT\r\n"
2129 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2130 uint32_t http_len = sizeof(http_buf) - 1;
2131 return RunTest(http_buf, http_len,
2132 "alert http any any -> any any "
2133 "(msg:\"http host header test\"; "
2134 "content:\"CONNECT\"; http_raw_host; "
2135 "sid:1;)",
2136 1);
2137}
2138
2139/**
2140 * \test Test that the http_raw_host content matches against a http request
2141 * which holds the content.
2142 */
2143static int DetectEngineHttpHRHTest02(void)
2144{
2145 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2146 "Host: CONNECT\r\n"
2147 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2148 uint32_t http_len = sizeof(http_buf) - 1;
2149 return RunTest(http_buf, http_len,
2150 "alert http any any -> any any "
2151 "(msg:\"http host header test\"; "
2152 "content:\"CO\"; depth:4; http_raw_host; "
2153 "sid:1;)",
2154 1);
2155}
2156
2157/**
2158 * \test Test that the http_raw_host content matches against a http request
2159 * which holds the content.
2160 */
2161static int DetectEngineHttpHRHTest03(void)
2162{
2163 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2164 "Host: CONNECT\r\n"
2165 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2166 uint32_t http_len = sizeof(http_buf) - 1;
2167 return RunTest(http_buf, http_len,
2168 "alert http any any -> any any "
2169 "(msg:\"http_raw_host header test\"; "
2170 "content:!\"ECT\"; depth:4; http_raw_host; "
2171 "sid:1;)",
2172 1);
2173}
2174
2175/**
2176 * \test Test that the http_raw_host content matches against a http request
2177 * which holds the content.
2178 */
2179static int DetectEngineHttpHRHTest04(void)
2180{
2181 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2182 "Host: CONNECT\r\n"
2183 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2184 uint32_t http_len = sizeof(http_buf) - 1;
2185 return RunTest(http_buf, http_len,
2186 "alert http any any -> any any "
2187 "(msg:\"http host header test\"; "
2188 "content:\"ECT\"; depth:4; http_raw_host; "
2189 "sid:1;)",
2190 0);
2191}
2192
2193/**
2194 * \test Test that the http_raw_host content matches against a http request
2195 * which holds the content.
2196 */
2197static int DetectEngineHttpHRHTest05(void)
2198{
2199 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2200 "Host: CONNECT\r\n"
2201 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2202 uint32_t http_len = sizeof(http_buf) - 1;
2203 return RunTest(http_buf, http_len,
2204 "alert http any any -> any any "
2205 "(msg:\"http host header test\"; "
2206 "content:!\"CON\"; depth:4; http_raw_host; "
2207 "sid:1;)",
2208 0);
2209}
2210
2211/**
2212 * \test Test that the http_raw_host header content matches against a http request
2213 * which holds the content.
2214 */
2215static int DetectEngineHttpHRHTest06(void)
2216{
2217 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2218 "Host: CONNECT\r\n"
2219 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2220 uint32_t http_len = sizeof(http_buf) - 1;
2221 return RunTest(http_buf, http_len,
2222 "alert http any any -> any any "
2223 "(msg:\"http host header test\"; "
2224 "content:\"ECT\"; offset:3; http_raw_host; "
2225 "sid:1;)",
2226 1);
2227}
2228
2229/**
2230 * \test Test that the http_raw_host content matches against a http request
2231 * which holds the content.
2232 */
2233static int DetectEngineHttpHRHTest07(void)
2234{
2235 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2236 "Host: CONNECT\r\n"
2237 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2238 uint32_t http_len = sizeof(http_buf) - 1;
2239 return RunTest(http_buf, http_len,
2240 "alert http any any -> any any "
2241 "(msg:\"http host header test\"; "
2242 "content:!\"CO\"; offset:3; http_raw_host; "
2243 "sid:1;)",
2244 1);
2245}
2246
2247/**
2248 * \test Test that the http_raw_host header content matches against a http request
2249 * which holds the content.
2250 */
2251static int DetectEngineHttpHRHTest08(void)
2252{
2253 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2254 "Host: CONNECT\r\n"
2255 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2256 uint32_t http_len = sizeof(http_buf) - 1;
2257 return RunTest(http_buf, http_len,
2258 "alert http any any -> any any "
2259 "(msg:\"http host header test\"; "
2260 "content:!\"ECT\"; offset:3; http_raw_host; "
2261 "sid:1;)",
2262 0);
2263}
2264
2265/**
2266 * \test Test that the http_raw_host header content matches against a http request
2267 * which holds the content.
2268 */
2269static int DetectEngineHttpHRHTest09(void)
2270{
2271 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2272 "Host: CONNECT\r\n"
2273 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2274 uint32_t http_len = sizeof(http_buf) - 1;
2275 return RunTest(http_buf, http_len,
2276 "alert http any any -> any any "
2277 "(msg:\"http host header test\"; "
2278 "content:\"CON\"; offset:3; http_raw_host; "
2279 "sid:1;)",
2280 0);
2281}
2282
2283/**
2284 * \test Test that the http_raw_host header content matches against a http request
2285 * which holds the content.
2286 */
2287static int DetectEngineHttpHRHTest10(void)
2288{
2289 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2290 "Host: CONNECT\r\n"
2291 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2292 uint32_t http_len = sizeof(http_buf) - 1;
2293 return RunTest(http_buf, http_len,
2294 "alert http any any -> any any "
2295 "(msg:\"http_raw_host header test\"; "
2296 "content:\"CO\"; http_raw_host; "
2297 "content:\"EC\"; within:4; http_raw_host; "
2298 "sid:1;)",
2299 1);
2300}
2301
2302/**
2303 * \test Test that the http_raw_host header content matches against a http request
2304 * which holds the content.
2305 */
2306static int DetectEngineHttpHRHTest11(void)
2307{
2308 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2309 "Host: CONNECT\r\n"
2310 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2311 uint32_t http_len = sizeof(http_buf) - 1;
2312 return RunTest(http_buf, http_len,
2313 "alert http any any -> any any "
2314 "(msg:\"http_raw_host header test\"; "
2315 "content:\"CO\"; http_raw_host; "
2316 "content:!\"EC\"; within:3; http_raw_host; "
2317 "sid:1;)",
2318 1);
2319}
2320
2321/**
2322 * \test Test that the http_raw_host header content matches against a http request
2323 * which holds the content.
2324 */
2325static int DetectEngineHttpHRHTest12(void)
2326{
2327 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2328 "Host: CONNECT\r\n"
2329 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2330 uint32_t http_len = sizeof(http_buf) - 1;
2331 return RunTest(http_buf, http_len,
2332 "alert http any any -> any any "
2333 "(msg:\"http_raw_host header test\"; "
2334 "content:\"CO\"; http_raw_host; "
2335 "content:\"EC\"; within:3; http_raw_host; "
2336 "sid:1;)",
2337 0);
2338}
2339
2340/**
2341 * \test Test that the http_raw_host header content matches against a http request
2342 * which holds the content.
2343 */
2344static int DetectEngineHttpHRHTest13(void)
2345{
2346 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2347 "Host: CONNECT\r\n"
2348 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2349 uint32_t http_len = sizeof(http_buf) - 1;
2350 return RunTest(http_buf, http_len,
2351 "alert http any any -> any any "
2352 "(msg:\"http_raw_host header test\"; "
2353 "content:\"CO\"; http_raw_host; "
2354 "content:!\"EC\"; within:4; http_raw_host; "
2355 "sid:1;)",
2356 0);
2357}
2358
2359/**
2360 * \test Test that the http_raw_host header content matches against a http request
2361 * which holds the content.
2362 */
2363static int DetectEngineHttpHRHTest14(void)
2364{
2365 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2366 "Host: CONNECT\r\n"
2367 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2368 uint32_t http_len = sizeof(http_buf) - 1;
2369 return RunTest(http_buf, http_len,
2370 "alert http any any -> any any "
2371 "(msg:\"http_raw_host header test\"; "
2372 "content:\"CO\"; http_raw_host; "
2373 "content:\"EC\"; distance:2; http_raw_host; "
2374 "sid:1;)",
2375 1);
2376}
2377
2378/**
2379 * \test Test that the http_raw_host header content matches against a http request
2380 * which holds the content.
2381 */
2382static int DetectEngineHttpHRHTest15(void)
2383{
2384 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2385 "Host: CONNECT\r\n"
2386 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2387 uint32_t http_len = sizeof(http_buf) - 1;
2388 return RunTest(http_buf, http_len,
2389 "alert http any any -> any any "
2390 "(msg:\"http_raw_host header test\"; "
2391 "content:\"CO\"; http_raw_host; "
2392 "content:!\"EC\"; distance:3; http_raw_host; "
2393 "sid:1;)",
2394 1);
2395}
2396
2397/**
2398 * \test Test that the http_raw_host header content matches against a http request
2399 * which holds the content.
2400 */
2401static int DetectEngineHttpHRHTest16(void)
2402{
2403 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2404 "Host: CONNECT\r\n"
2405 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2406 uint32_t http_len = sizeof(http_buf) - 1;
2407 return RunTest(http_buf, http_len,
2408 "alert http any any -> any any "
2409 "(msg:\"http_raw_host header test\"; "
2410 "content:\"CO\"; http_raw_host; "
2411 "content:\"EC\"; distance:3; http_raw_host; "
2412 "sid:1;)",
2413 0);
2414}
2415
2416/**
2417 * \test Test that the http_raw_host header content matches against a http request
2418 * which holds the content.
2419 */
2420static int DetectEngineHttpHRHTest17(void)
2421{
2422 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2423 "Host: CONNECT\r\n"
2424 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2425 uint32_t http_len = sizeof(http_buf) - 1;
2426 return RunTest(http_buf, http_len,
2427 "alert http any any -> any any "
2428 "(msg:\"http_raw_host header test\"; "
2429 "content:\"CO\"; http_raw_host; "
2430 "content:!\"EC\"; distance:2; http_raw_host; "
2431 "sid:1;)",
2432 0);
2433}
2434
2435static int DetectEngineHttpHRHTest18(void)
2436{
2437 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2438 "Host: www.kaboom.com:8080\r\n"
2439 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2440 uint32_t http_len = sizeof(http_buf) - 1;
2441 return RunTest(http_buf, http_len,
2442 "alert http any any -> any any "
2443 "(msg:\"http_raw_host header test\"; "
2444 "content:\"kaboom\"; http_raw_host; nocase; "
2445 "sid:1;)",
2446 1);
2447}
2448
2449static int DetectEngineHttpHRHTest19(void)
2450{
2451 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2452 "Host: www.kaboom.com:8080\r\n"
2453 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2454 uint32_t http_len = sizeof(http_buf) - 1;
2455 return RunTest(http_buf, http_len,
2456 "alert http any any -> any any "
2457 "(msg:\"http_raw_host header test\"; "
2458 "content:\"kaboom\"; http_raw_host; nocase; "
2459 "sid:1;)",
2460 1);
2461}
2462
2463static int DetectEngineHttpHRHTest20(void)
2464{
2465 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2466 "Host: www.kaboom.com:8080\r\n"
2467 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2468 uint32_t http_len = sizeof(http_buf) - 1;
2469 return RunTest(http_buf, http_len,
2470 "alert http any any -> any any "
2471 "(msg:\"http_raw_host header test\"; "
2472 "content:\"8080\"; http_raw_host; nocase; "
2473 "sid:1;)",
2474 1);
2475}
2476
2477static int DetectEngineHttpHRHTest21(void)
2478{
2479 uint8_t http_buf[] = "GET http://www.kaboom.com/index.html HTTP/1.0\r\n"
2480 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2481 uint32_t http_len = sizeof(http_buf) - 1;
2482 return RunTest(http_buf, http_len,
2483 "alert http any any -> any any "
2484 "(msg:\"http_raw_host header test\"; "
2485 "content:\"kaboom\"; http_raw_host; nocase; "
2486 "sid:1;)",
2487 1);
2488}
2489
2490static int DetectEngineHttpHRHTest22(void)
2491{
2492 uint8_t http_buf[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
2493 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2494 uint32_t http_len = sizeof(http_buf) - 1;
2495 return RunTest(http_buf, http_len,
2496 "alert http any any -> any any "
2497 "(msg:\"http_raw_host header test\"; "
2498 "content:\"kaboom\"; http_raw_host; nocase; "
2499 "sid:1;)",
2500 1);
2501}
2502
2503static int DetectEngineHttpHRHTest23(void)
2504{
2505 uint8_t http_buf[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
2506 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2507 uint32_t http_len = sizeof(http_buf) - 1;
2508 return RunTest(http_buf, http_len,
2509 "alert http any any -> any any "
2510 "(msg:\"http_raw_host header test\"; "
2511 "content:\"8080\"; http_raw_host; nocase; "
2512 "sid:1;)",
2513 0);
2514}
2515
2516static int DetectEngineHttpHRHTest24(void)
2517{
2518 uint8_t http_buf[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
2519 "Host: www.rabbit.com\r\n"
2520 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2521 uint32_t http_len = sizeof(http_buf) - 1;
2522 return RunTest(http_buf, http_len,
2523 "alert http any any -> any any "
2524 "(msg:\"http_raw_host header test\"; "
2525 "content:\"kaboom\"; http_raw_host; nocase; "
2526 "sid:1;)",
2527 1);
2528}
2529
2530static int DetectEngineHttpHRHTest25(void)
2531{
2532 uint8_t http_buf[] = "GET http://www.kaboom.com:8080/index.html HTTP/1.0\r\n"
2533 "Host: www.rabbit.com\r\n"
2534 "User-Agent: www.onetwothreefourfivesixseven.org\r\n\r\n";
2535 uint32_t http_len = sizeof(http_buf) - 1;
2536 return RunTest(http_buf, http_len,
2537 "alert http any any -> any any "
2538 "(msg:\"http_raw_host header test\"; "
2539 "content:\"rabbit\"; http_raw_host; nocase; "
2540 "sid:1;)",
2541 0);
2542}
2543
2544void DetectHttpHHRegisterTests(void)
2545{
2546 UtRegisterTest("DetectHttpHHTest01", DetectHttpHHTest01);
2547 UtRegisterTest("DetectHttpHHTest03", DetectHttpHHTest03);
2548 UtRegisterTest("DetectHttpHHTest04", DetectHttpHHTest04);
2549 UtRegisterTest("DetectHttpHHTest05", DetectHttpHHTest05);
2550 UtRegisterTest("DetectHttpHHTest05a", DetectHttpHHTest05a);
2551 UtRegisterTest("DetectHttpHHTest06", DetectHttpHHTest06);
2552 UtRegisterTest("DetectHttpHHTest07", DetectHttpHHTest07);
2553 UtRegisterTest("DetectHttpHHTest08", DetectHttpHHTest08);
2554 UtRegisterTest("DetectHttpHHTest09", DetectHttpHHTest09);
2555 UtRegisterTest("DetectHttpHHTest10", DetectHttpHHTest10);
2556 UtRegisterTest("DetectHttpHHTest11", DetectHttpHHTest11);
2557 UtRegisterTest("DetectHttpHHTest12", DetectHttpHHTest12);
2558 UtRegisterTest("DetectHttpHHTest13", DetectHttpHHTest13);
2559 UtRegisterTest("DetectHttpHHTest14", DetectHttpHHTest14);
2560
2561 UtRegisterTest("DetectEngineHttpHHTest01", DetectEngineHttpHHTest01);
2562 UtRegisterTest("DetectEngineHttpHHTest02", DetectEngineHttpHHTest02);
2563 UtRegisterTest("DetectEngineHttpHHTest03", DetectEngineHttpHHTest03);
2564 UtRegisterTest("DetectEngineHttpHHTest04", DetectEngineHttpHHTest04);
2565 UtRegisterTest("DetectEngineHttpHHTest05", DetectEngineHttpHHTest05);
2566 UtRegisterTest("DetectEngineHttpHHTest06", DetectEngineHttpHHTest06);
2567 UtRegisterTest("DetectEngineHttpHHTest07", DetectEngineHttpHHTest07);
2568 UtRegisterTest("DetectEngineHttpHHTest08", DetectEngineHttpHHTest08);
2569 UtRegisterTest("DetectEngineHttpHHTest09", DetectEngineHttpHHTest09);
2570 UtRegisterTest("DetectEngineHttpHHTest10", DetectEngineHttpHHTest10);
2571 UtRegisterTest("DetectEngineHttpHHTest11", DetectEngineHttpHHTest11);
2572 UtRegisterTest("DetectEngineHttpHHTest12", DetectEngineHttpHHTest12);
2573 UtRegisterTest("DetectEngineHttpHHTest13", DetectEngineHttpHHTest13);
2574 UtRegisterTest("DetectEngineHttpHHTest14", DetectEngineHttpHHTest14);
2575 UtRegisterTest("DetectEngineHttpHHTest15", DetectEngineHttpHHTest15);
2576 UtRegisterTest("DetectEngineHttpHHTest16", DetectEngineHttpHHTest16);
2577 UtRegisterTest("DetectEngineHttpHHTest17", DetectEngineHttpHHTest17);
2578 UtRegisterTest("DetectEngineHttpHHTest18", DetectEngineHttpHHTest18);
2579 UtRegisterTest("DetectEngineHttpHHTest19", DetectEngineHttpHHTest19);
2580 UtRegisterTest("DetectEngineHttpHHTest20", DetectEngineHttpHHTest20);
2581 UtRegisterTest("DetectEngineHttpHHTest21", DetectEngineHttpHHTest21);
2582 UtRegisterTest("DetectEngineHttpHHTest22", DetectEngineHttpHHTest22);
2583 UtRegisterTest("DetectEngineHttpHHTest23", DetectEngineHttpHHTest23);
2584 UtRegisterTest("DetectEngineHttpHHTest24", DetectEngineHttpHHTest24);
2585 UtRegisterTest("DetectEngineHttpHHTest25", DetectEngineHttpHHTest25);
2586
2587 UtRegisterTest("DetectHttpHRHTest06", DetectHttpHRHTest06);
2588 UtRegisterTest("DetectHttpHRHTest07", DetectHttpHRHTest07);
2589 UtRegisterTest("DetectHttpHRHTest08", DetectHttpHRHTest08);
2590 UtRegisterTest("DetectHttpHRHTest09", DetectHttpHRHTest09);
2591 UtRegisterTest("DetectHttpHRHTest10", DetectHttpHRHTest10);
2592 UtRegisterTest("DetectHttpHRHTest11", DetectHttpHRHTest11);
2593 UtRegisterTest("DetectHttpHRHTest12", DetectHttpHRHTest12);
2594 UtRegisterTest("DetectHttpHRHTest13", DetectHttpHRHTest13);
2595 UtRegisterTest("DetectHttpHRHTest14", DetectHttpHRHTest14);
2596
2597 UtRegisterTest("DetectHttpHRHTest37", DetectHttpHRHTest37);
2598
2599 UtRegisterTest("DetectEngineHttpHRHTest01", DetectEngineHttpHRHTest01);
2600 UtRegisterTest("DetectEngineHttpHRHTest02", DetectEngineHttpHRHTest02);
2601 UtRegisterTest("DetectEngineHttpHRHTest03", DetectEngineHttpHRHTest03);
2602 UtRegisterTest("DetectEngineHttpHRHTest04", DetectEngineHttpHRHTest04);
2603 UtRegisterTest("DetectEngineHttpHRHTest05", DetectEngineHttpHRHTest05);
2604 UtRegisterTest("DetectEngineHttpHRHTest06", DetectEngineHttpHRHTest06);
2605 UtRegisterTest("DetectEngineHttpHRHTest07", DetectEngineHttpHRHTest07);
2606 UtRegisterTest("DetectEngineHttpHRHTest08", DetectEngineHttpHRHTest08);
2607 UtRegisterTest("DetectEngineHttpHRHTest09", DetectEngineHttpHRHTest09);
2608 UtRegisterTest("DetectEngineHttpHRHTest10", DetectEngineHttpHRHTest10);
2609 UtRegisterTest("DetectEngineHttpHRHTest11", DetectEngineHttpHRHTest11);
2610 UtRegisterTest("DetectEngineHttpHRHTest12", DetectEngineHttpHRHTest12);
2611 UtRegisterTest("DetectEngineHttpHRHTest13", DetectEngineHttpHRHTest13);
2612 UtRegisterTest("DetectEngineHttpHRHTest14", DetectEngineHttpHRHTest14);
2613 UtRegisterTest("DetectEngineHttpHRHTest15", DetectEngineHttpHRHTest15);
2614 UtRegisterTest("DetectEngineHttpHRHTest16", DetectEngineHttpHRHTest16);
2615 UtRegisterTest("DetectEngineHttpHRHTest17", DetectEngineHttpHRHTest17);
2616 UtRegisterTest("DetectEngineHttpHRHTest18", DetectEngineHttpHRHTest18);
2617 UtRegisterTest("DetectEngineHttpHRHTest19", DetectEngineHttpHRHTest19);
2618 UtRegisterTest("DetectEngineHttpHRHTest20", DetectEngineHttpHRHTest20);
2619 UtRegisterTest("DetectEngineHttpHRHTest21", DetectEngineHttpHRHTest21);
2620 UtRegisterTest("DetectEngineHttpHRHTest22", DetectEngineHttpHRHTest22);
2621 UtRegisterTest("DetectEngineHttpHRHTest23", DetectEngineHttpHRHTest23);
2622 UtRegisterTest("DetectEngineHttpHRHTest24", DetectEngineHttpHRHTest24);
2623 UtRegisterTest("DetectEngineHttpHRHTest25", DetectEngineHttpHRHTest25);
2624}
2625
2626/**
2627 * @}
2628 */
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition app-layer-parser.c:297
AppLayerParserGetTxCnt
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
Definition app-layer-parser.c:1102
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition app-layer-parser.c:324
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition app-layer-parser.c:1291
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition app-layer-protos.h:36
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition decode.h:1266
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition decode.h:1262
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition detect-engine-alert.c:142
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition detect-engine-build.c:2204
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition detect-engine.c:2602
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition detect-engine.c:2641
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition detect-parse.c:3437
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition detect-engine.c:3372
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition detect-engine.c:3608
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition detect-parse.c:3095
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition detect.c:2420
DE_QUIET
#define DE_QUIET
Definition detect.h:330
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition flow-util.h:38
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition flow-util.h:119
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition flow.h:233
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition flow.h:235
FLOW_IPV4
#define FLOW_IPV4
Definition flow.h:100
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition fuzz_applayerparserparse.c:23
de_ctx
DetectEngineCtx * de_ctx
Definition fuzz_siginit.c:18
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition util-unittest.h:89
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition util-unittest.c:103
PASS
#define PASS
Pass the test.
Definition util-unittest.h:105
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition util-unittest.h:71
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition util-unittest.h:96
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition stream-tcp.c:859
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition stream-tcp.c:488
AppLayerParserThreadCtx_
Definition app-layer-parser.c:60
DetectEngineCtx_
main detection engine ctx
Definition detect.h:932
DetectEngineCtx_::flags
uint8_t flags
Definition detect.h:934
DetectEngineCtx_::sig_list
Signature * sig_list
Definition detect.h:941
DetectEngineThreadCtx_
Definition detect.h:1244
Flow_
Flow data structure.
Definition flow.h:356
Flow_::proto
uint8_t proto
Definition flow.h:378
Flow_::flags
uint32_t flags
Definition flow.h:421
Flow_::alproto
AppProto alproto
application level protocol
Definition flow.h:450
Flow_::alstate
void * alstate
Definition flow.h:479
Flow_::protoctx
void * protoctx
Definition flow.h:441
HtpState_
Definition app-layer-htp.h:181
PacketAlerts_::cnt
uint16_t cnt
Definition decode.h:287
Packet_
Definition decode.h:501
Packet_::flowflags
uint8_t flowflags
Definition decode.h:532
Packet_::alerts
PacketAlerts alerts
Definition decode.h:620
Packet_::flow
struct Flow_ * flow
Definition decode.h:546
Packet_::flags
uint32_t flags
Definition decode.h:544
Signature_
Signature container.
Definition detect.h:668
TcpSession_
Definition stream-tcp-private.h:283
ThreadVars_
Per thread variable structure.
Definition threadvars.h:58
SCLogDebug
#define SCLogDebug(...)
Definition util-debug.h:275
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition util-unittest-helper.c:456
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition util-unittest-helper.c:365
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition util-unittest-helper.c:473