suricata
detect-http-method.c
Go to the documentation of this file.
1/* Copyright (C) 2007-2010 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \ingroup httplayer
20 *
21 * @{
22 */
23
24
25/** \file
26 *
27 * \author Anoop Saldanha <anoopsaldanha@gmail.com>
28 *
29 * \brief Handle HTTP method match
30 *
31 */
32
33#include "../suricata-common.h"
34#include "../suricata.h"
35#include "../flow-util.h"
36#include "../flow.h"
37#include "../app-layer-parser.h"
38
39#include "../util-unittest.h"
40#include "../util-unittest-helper.h"
41#include "../app-layer.h"
42#include "../app-layer-htp.h"
43#include "../app-layer-protos.h"
44#include "../detect-isdataat.h"
45#include "../detect-engine-build.h"
46#include "../detect-engine-alert.h"
47
48/**
49 * \test Test that the http_method content matches against a http request
50 * which holds the content.
51 */
52static int DetectEngineHttpMethodTest01(void)
53{
54 TcpSession ssn;
55 Packet *p = NULL;
56 ThreadVars th_v;
57 DetectEngineCtx *de_ctx = NULL;
58 DetectEngineThreadCtx *det_ctx = NULL;
59 HtpState *http_state = NULL;
60 Flow f;
61 uint8_t http_buf[] =
62 "GET /index.html HTTP/1.0\r\n"
63 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
64 uint32_t http_len = sizeof(http_buf) - 1;
65 int result = 0;
66 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
67
68 memset(&th_v, 0, sizeof(th_v));
69 memset(&f, 0, sizeof(f));
70 memset(&ssn, 0, sizeof(ssn));
71
72 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
73
74 FLOW_INITIALIZE(&f);
75 f.protoctx = (void *)&ssn;
76 f.proto = IPPROTO_TCP;
77 f.flags |= FLOW_IPV4;
78 p->flow = &f;
79 p->flowflags |= FLOW_PKT_TOSERVER;
80 p->flowflags |= FLOW_PKT_ESTABLISHED;
81 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
82 f.alproto = ALPROTO_HTTP1;
83
84 StreamTcpInitConfig(true);
85
86 de_ctx = DetectEngineCtxInit();
87 if (de_ctx == NULL)
88 goto end;
89
90 de_ctx->flags |= DE_QUIET;
91
92 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
93 "(msg:\"http header test\"; "
94 "content:\"GET\"; http_method; "
95 "sid:1;)");
96 if (de_ctx->sig_list == NULL)
97 goto end;
98
99 SigGroupBuild(de_ctx);
100 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
101
102 int r = AppLayerParserParse(
103 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
104 if (r != 0) {
105 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
106 result = 0;
107 goto end;
108 }
109
110 http_state = f.alstate;
111 if (http_state == NULL) {
112 printf("no http state: ");
113 result = 0;
114 goto end;
115 }
116
117 /* do detect */
118 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
119
120 if (!(PacketAlertCheck(p, 1))) {
121 printf("sid 1 didn't match but should have: ");
122 goto end;
123 }
124
125 result = 1;
126
127end:
128 if (alp_tctx != NULL)
129 AppLayerParserThreadCtxFree(alp_tctx);
130 if (de_ctx != NULL)
131 DetectEngineCtxFree(de_ctx);
132
133 StreamTcpFreeConfig(true);
134 FLOW_DESTROY(&f);
135 UTHFreePackets(&p, 1);
136 return result;
137}
138
139/**
140 * \test Test that the http_method content matches against a http request
141 * which holds the content.
142 */
143static int DetectEngineHttpMethodTest02(void)
144{
145 TcpSession ssn;
146 Packet *p = NULL;
147 ThreadVars th_v;
148 DetectEngineCtx *de_ctx = NULL;
149 DetectEngineThreadCtx *det_ctx = NULL;
150 HtpState *http_state = NULL;
151 Flow f;
152 uint8_t http_buf[] =
153 "CONNECT /index.html HTTP/1.0\r\n"
154 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
155 uint32_t http_len = sizeof(http_buf) - 1;
156 int result = 0;
157 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
158
159 memset(&th_v, 0, sizeof(th_v));
160 memset(&f, 0, sizeof(f));
161 memset(&ssn, 0, sizeof(ssn));
162
163 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
164
165 FLOW_INITIALIZE(&f);
166 f.protoctx = (void *)&ssn;
167 f.proto = IPPROTO_TCP;
168 f.flags |= FLOW_IPV4;
169 p->flow = &f;
170 p->flowflags |= FLOW_PKT_TOSERVER;
171 p->flowflags |= FLOW_PKT_ESTABLISHED;
172 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
173 f.alproto = ALPROTO_HTTP1;
174
175 StreamTcpInitConfig(true);
176
177 de_ctx = DetectEngineCtxInit();
178 if (de_ctx == NULL)
179 goto end;
180
181 de_ctx->flags |= DE_QUIET;
182
183 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
184 "(msg:\"http header test\"; "
185 "content:\"CO\"; depth:4; http_method; "
186 "sid:1;)");
187 if (de_ctx->sig_list == NULL)
188 goto end;
189
190 SigGroupBuild(de_ctx);
191 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
192
193 int r = AppLayerParserParse(
194 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
195 if (r != 0) {
196 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
197 result = 0;
198 goto end;
199 }
200
201 http_state = f.alstate;
202 if (http_state == NULL) {
203 printf("no http state: ");
204 result = 0;
205 goto end;
206 }
207
208 /* do detect */
209 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
210
211 if (!(PacketAlertCheck(p, 1))) {
212 printf("sid 1 didn't match but should have: ");
213 goto end;
214 }
215
216 result = 1;
217
218end:
219 if (alp_tctx != NULL)
220 AppLayerParserThreadCtxFree(alp_tctx);
221 if (de_ctx != NULL)
222 DetectEngineCtxFree(de_ctx);
223
224 StreamTcpFreeConfig(true);
225 FLOW_DESTROY(&f);
226 UTHFreePackets(&p, 1);
227 return result;
228}
229
230/**
231 * \test Test that the http_method content matches against a http request
232 * which holds the content.
233 */
234static int DetectEngineHttpMethodTest03(void)
235{
236 TcpSession ssn;
237 Packet *p = NULL;
238 ThreadVars th_v;
239 DetectEngineCtx *de_ctx = NULL;
240 DetectEngineThreadCtx *det_ctx = NULL;
241 HtpState *http_state = NULL;
242 Flow f;
243 uint8_t http_buf[] =
244 "CONNECT /index.html HTTP/1.0\r\n"
245 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
246 uint32_t http_len = sizeof(http_buf) - 1;
247 int result = 0;
248 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
249
250 memset(&th_v, 0, sizeof(th_v));
251 memset(&f, 0, sizeof(f));
252 memset(&ssn, 0, sizeof(ssn));
253
254 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
255
256 FLOW_INITIALIZE(&f);
257 f.protoctx = (void *)&ssn;
258 f.proto = IPPROTO_TCP;
259 f.flags |= FLOW_IPV4;
260 p->flow = &f;
261 p->flowflags |= FLOW_PKT_TOSERVER;
262 p->flowflags |= FLOW_PKT_ESTABLISHED;
263 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
264 f.alproto = ALPROTO_HTTP1;
265
266 StreamTcpInitConfig(true);
267
268 de_ctx = DetectEngineCtxInit();
269 if (de_ctx == NULL)
270 goto end;
271
272 de_ctx->flags |= DE_QUIET;
273
274 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
275 "(msg:\"http header test\"; "
276 "content:!\"ECT\"; depth:4; http_method; "
277 "sid:1;)");
278 if (de_ctx->sig_list == NULL)
279 goto end;
280
281 SigGroupBuild(de_ctx);
282 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
283
284 int r = AppLayerParserParse(
285 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
286 if (r != 0) {
287 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
288 result = 0;
289 goto end;
290 }
291
292 http_state = f.alstate;
293 if (http_state == NULL) {
294 printf("no http state: ");
295 result = 0;
296 goto end;
297 }
298
299 /* do detect */
300 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
301
302 if (!(PacketAlertCheck(p, 1))) {
303 printf("sid 1 didn't match but should have: ");
304 goto end;
305 }
306
307 result = 1;
308
309end:
310 if (alp_tctx != NULL)
311 AppLayerParserThreadCtxFree(alp_tctx);
312 if (de_ctx != NULL)
313 DetectEngineCtxFree(de_ctx);
314
315 StreamTcpFreeConfig(true);
316 FLOW_DESTROY(&f);
317 UTHFreePackets(&p, 1);
318 return result;
319}
320
321/**
322 * \test Test that the http_method content matches against a http request
323 * which holds the content.
324 */
325static int DetectEngineHttpMethodTest04(void)
326{
327 TcpSession ssn;
328 Packet *p = NULL;
329 ThreadVars th_v;
330 DetectEngineCtx *de_ctx = NULL;
331 DetectEngineThreadCtx *det_ctx = NULL;
332 HtpState *http_state = NULL;
333 Flow f;
334 uint8_t http_buf[] =
335 "CONNECT /index.html HTTP/1.0\r\n"
336 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
337 uint32_t http_len = sizeof(http_buf) - 1;
338 int result = 0;
339 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
340
341 memset(&th_v, 0, sizeof(th_v));
342 memset(&f, 0, sizeof(f));
343 memset(&ssn, 0, sizeof(ssn));
344
345 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
346
347 FLOW_INITIALIZE(&f);
348 f.protoctx = (void *)&ssn;
349 f.proto = IPPROTO_TCP;
350 f.flags |= FLOW_IPV4;
351 p->flow = &f;
352 p->flowflags |= FLOW_PKT_TOSERVER;
353 p->flowflags |= FLOW_PKT_ESTABLISHED;
354 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
355 f.alproto = ALPROTO_HTTP1;
356
357 StreamTcpInitConfig(true);
358
359 de_ctx = DetectEngineCtxInit();
360 if (de_ctx == NULL)
361 goto end;
362
363 de_ctx->flags |= DE_QUIET;
364
365 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
366 "(msg:\"http header test\"; "
367 "content:\"ECT\"; depth:4; http_method; "
368 "sid:1;)");
369 if (de_ctx->sig_list == NULL)
370 goto end;
371
372 SigGroupBuild(de_ctx);
373 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
374
375 int r = AppLayerParserParse(
376 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
377 if (r != 0) {
378 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
379 result = 0;
380 goto end;
381 }
382
383 http_state = f.alstate;
384 if (http_state == NULL) {
385 printf("no http state: ");
386 result = 0;
387 goto end;
388 }
389
390 /* do detect */
391 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
392
393 if (PacketAlertCheck(p, 1)) {
394 printf("sid 1 matched but shouldn't have: ");
395 goto end;
396 }
397
398 result = 1;
399
400end:
401 if (alp_tctx != NULL)
402 AppLayerParserThreadCtxFree(alp_tctx);
403 if (de_ctx != NULL)
404 DetectEngineCtxFree(de_ctx);
405
406 StreamTcpFreeConfig(true);
407 FLOW_DESTROY(&f);
408 UTHFreePackets(&p, 1);
409 return result;
410}
411
412/**
413 * \test Test that the http_method content matches against a http request
414 * which holds the content.
415 */
416static int DetectEngineHttpMethodTest05(void)
417{
418 TcpSession ssn;
419 Packet *p = NULL;
420 ThreadVars th_v;
421 DetectEngineCtx *de_ctx = NULL;
422 DetectEngineThreadCtx *det_ctx = NULL;
423 HtpState *http_state = NULL;
424 Flow f;
425 uint8_t http_buf[] =
426 "CONNECT /index.html HTTP/1.0\r\n"
427 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
428 uint32_t http_len = sizeof(http_buf) - 1;
429 int result = 0;
430 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
431
432 memset(&th_v, 0, sizeof(th_v));
433 memset(&f, 0, sizeof(f));
434 memset(&ssn, 0, sizeof(ssn));
435
436 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
437
438 FLOW_INITIALIZE(&f);
439 f.protoctx = (void *)&ssn;
440 f.proto = IPPROTO_TCP;
441 f.flags |= FLOW_IPV4;
442 p->flow = &f;
443 p->flowflags |= FLOW_PKT_TOSERVER;
444 p->flowflags |= FLOW_PKT_ESTABLISHED;
445 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
446 f.alproto = ALPROTO_HTTP1;
447
448 StreamTcpInitConfig(true);
449
450 de_ctx = DetectEngineCtxInit();
451 if (de_ctx == NULL)
452 goto end;
453
454 de_ctx->flags |= DE_QUIET;
455
456 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
457 "(msg:\"http header test\"; "
458 "content:!\"CON\"; depth:4; http_method; "
459 "sid:1;)");
460 if (de_ctx->sig_list == NULL)
461 goto end;
462
463 SigGroupBuild(de_ctx);
464 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
465
466 int r = AppLayerParserParse(
467 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
468 if (r != 0) {
469 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
470 result = 0;
471 goto end;
472 }
473
474 http_state = f.alstate;
475 if (http_state == NULL) {
476 printf("no http state: ");
477 result = 0;
478 goto end;
479 }
480
481 /* do detect */
482 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
483
484 if (PacketAlertCheck(p, 1)) {
485 printf("sid 1 matched but shouldn't have: ");
486 goto end;
487 }
488
489 result = 1;
490
491end:
492 if (alp_tctx != NULL)
493 AppLayerParserThreadCtxFree(alp_tctx);
494 if (de_ctx != NULL)
495 DetectEngineCtxFree(de_ctx);
496
497 StreamTcpFreeConfig(true);
498 FLOW_DESTROY(&f);
499 UTHFreePackets(&p, 1);
500 return result;
501}
502
503/**
504 * \test Test that the http_method content matches against a http request
505 * which holds the content.
506 */
507static int DetectEngineHttpMethodTest06(void)
508{
509 TcpSession ssn;
510 Packet *p = NULL;
511 ThreadVars th_v;
512 DetectEngineCtx *de_ctx = NULL;
513 DetectEngineThreadCtx *det_ctx = NULL;
514 HtpState *http_state = NULL;
515 Flow f;
516 uint8_t http_buf[] =
517 "CONNECT /index.html HTTP/1.0\r\n"
518 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
519 uint32_t http_len = sizeof(http_buf) - 1;
520 int result = 0;
521 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
522
523 memset(&th_v, 0, sizeof(th_v));
524 memset(&f, 0, sizeof(f));
525 memset(&ssn, 0, sizeof(ssn));
526
527 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
528
529 FLOW_INITIALIZE(&f);
530 f.protoctx = (void *)&ssn;
531 f.proto = IPPROTO_TCP;
532 f.flags |= FLOW_IPV4;
533 p->flow = &f;
534 p->flowflags |= FLOW_PKT_TOSERVER;
535 p->flowflags |= FLOW_PKT_ESTABLISHED;
536 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
537 f.alproto = ALPROTO_HTTP1;
538
539 StreamTcpInitConfig(true);
540
541 de_ctx = DetectEngineCtxInit();
542 if (de_ctx == NULL)
543 goto end;
544
545 de_ctx->flags |= DE_QUIET;
546
547 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
548 "(msg:\"http header test\"; "
549 "content:\"ECT\"; offset:3; http_method; "
550 "sid:1;)");
551 if (de_ctx->sig_list == NULL)
552 goto end;
553
554 SigGroupBuild(de_ctx);
555 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
556
557 int r = AppLayerParserParse(
558 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
559 if (r != 0) {
560 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
561 result = 0;
562 goto end;
563 }
564
565 http_state = f.alstate;
566 if (http_state == NULL) {
567 printf("no http state: ");
568 result = 0;
569 goto end;
570 }
571
572 /* do detect */
573 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
574
575 if (!(PacketAlertCheck(p, 1))) {
576 printf("sid 1 didn't match but should have: ");
577 goto end;
578 }
579
580 result = 1;
581
582end:
583 if (alp_tctx != NULL)
584 AppLayerParserThreadCtxFree(alp_tctx);
585 if (de_ctx != NULL)
586 DetectEngineCtxFree(de_ctx);
587
588 StreamTcpFreeConfig(true);
589 FLOW_DESTROY(&f);
590 UTHFreePackets(&p, 1);
591 return result;
592}
593
594/**
595 * \test Test that the http_method content matches against a http request
596 * which holds the content.
597 */
598static int DetectEngineHttpMethodTest07(void)
599{
600 TcpSession ssn;
601 Packet *p = NULL;
602 ThreadVars th_v;
603 DetectEngineCtx *de_ctx = NULL;
604 DetectEngineThreadCtx *det_ctx = NULL;
605 HtpState *http_state = NULL;
606 Flow f;
607 uint8_t http_buf[] =
608 "CONNECT /index.html HTTP/1.0\r\n"
609 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
610 uint32_t http_len = sizeof(http_buf) - 1;
611 int result = 0;
612 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
613
614 memset(&th_v, 0, sizeof(th_v));
615 memset(&f, 0, sizeof(f));
616 memset(&ssn, 0, sizeof(ssn));
617
618 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
619
620 FLOW_INITIALIZE(&f);
621 f.protoctx = (void *)&ssn;
622 f.proto = IPPROTO_TCP;
623 f.flags |= FLOW_IPV4;
624 p->flow = &f;
625 p->flowflags |= FLOW_PKT_TOSERVER;
626 p->flowflags |= FLOW_PKT_ESTABLISHED;
627 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
628 f.alproto = ALPROTO_HTTP1;
629
630 StreamTcpInitConfig(true);
631
632 de_ctx = DetectEngineCtxInit();
633 if (de_ctx == NULL)
634 goto end;
635
636 de_ctx->flags |= DE_QUIET;
637
638 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
639 "(msg:\"http header test\"; "
640 "content:!\"CO\"; offset:3; http_method; "
641 "sid:1;)");
642 if (de_ctx->sig_list == NULL)
643 goto end;
644
645 SigGroupBuild(de_ctx);
646 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
647
648 int r = AppLayerParserParse(
649 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
650 if (r != 0) {
651 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
652 result = 0;
653 goto end;
654 }
655
656 http_state = f.alstate;
657 if (http_state == NULL) {
658 printf("no http state: ");
659 result = 0;
660 goto end;
661 }
662
663 /* do detect */
664 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
665
666 if (!(PacketAlertCheck(p, 1))) {
667 printf("sid 1 didn't match but should have: ");
668 goto end;
669 }
670
671 result = 1;
672
673end:
674 if (alp_tctx != NULL)
675 AppLayerParserThreadCtxFree(alp_tctx);
676 if (de_ctx != NULL)
677 DetectEngineCtxFree(de_ctx);
678
679 StreamTcpFreeConfig(true);
680 FLOW_DESTROY(&f);
681 UTHFreePackets(&p, 1);
682 return result;
683}
684
685/**
686 * \test Test that the http_method content matches against a http request
687 * which holds the content.
688 */
689static int DetectEngineHttpMethodTest08(void)
690{
691 TcpSession ssn;
692 Packet *p = NULL;
693 ThreadVars th_v;
694 DetectEngineCtx *de_ctx = NULL;
695 DetectEngineThreadCtx *det_ctx = NULL;
696 HtpState *http_state = NULL;
697 Flow f;
698 uint8_t http_buf[] =
699 "CONNECT /index.html HTTP/1.0\r\n"
700 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
701 uint32_t http_len = sizeof(http_buf) - 1;
702 int result = 0;
703 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
704
705 memset(&th_v, 0, sizeof(th_v));
706 memset(&f, 0, sizeof(f));
707 memset(&ssn, 0, sizeof(ssn));
708
709 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
710
711 FLOW_INITIALIZE(&f);
712 f.protoctx = (void *)&ssn;
713 f.proto = IPPROTO_TCP;
714 f.flags |= FLOW_IPV4;
715 p->flow = &f;
716 p->flowflags |= FLOW_PKT_TOSERVER;
717 p->flowflags |= FLOW_PKT_ESTABLISHED;
718 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
719 f.alproto = ALPROTO_HTTP1;
720
721 StreamTcpInitConfig(true);
722
723 de_ctx = DetectEngineCtxInit();
724 if (de_ctx == NULL)
725 goto end;
726
727 de_ctx->flags |= DE_QUIET;
728
729 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
730 "(msg:\"http header test\"; "
731 "content:!\"ECT\"; offset:3; http_method; "
732 "sid:1;)");
733 if (de_ctx->sig_list == NULL)
734 goto end;
735
736 SigGroupBuild(de_ctx);
737 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
738
739 int r = AppLayerParserParse(
740 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
741 if (r != 0) {
742 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
743 result = 0;
744 goto end;
745 }
746
747 http_state = f.alstate;
748 if (http_state == NULL) {
749 printf("no http state: ");
750 result = 0;
751 goto end;
752 }
753
754 /* do detect */
755 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
756
757 if (PacketAlertCheck(p, 1)) {
758 printf("sid 1 matched but shouldn't have: ");
759 goto end;
760 }
761
762 result = 1;
763
764end:
765 if (alp_tctx != NULL)
766 AppLayerParserThreadCtxFree(alp_tctx);
767 if (de_ctx != NULL)
768 DetectEngineCtxFree(de_ctx);
769
770 StreamTcpFreeConfig(true);
771 FLOW_DESTROY(&f);
772 UTHFreePackets(&p, 1);
773 return result;
774}
775
776/**
777 * \test Test that the http_method content matches against a http request
778 * which holds the content.
779 */
780static int DetectEngineHttpMethodTest09(void)
781{
782 TcpSession ssn;
783 Packet *p = NULL;
784 ThreadVars th_v;
785 DetectEngineCtx *de_ctx = NULL;
786 DetectEngineThreadCtx *det_ctx = NULL;
787 HtpState *http_state = NULL;
788 Flow f;
789 uint8_t http_buf[] =
790 "CONNECT /index.html HTTP/1.0\r\n"
791 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
792 uint32_t http_len = sizeof(http_buf) - 1;
793 int result = 0;
794 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
795
796 memset(&th_v, 0, sizeof(th_v));
797 memset(&f, 0, sizeof(f));
798 memset(&ssn, 0, sizeof(ssn));
799
800 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
801
802 FLOW_INITIALIZE(&f);
803 f.protoctx = (void *)&ssn;
804 f.proto = IPPROTO_TCP;
805 f.flags |= FLOW_IPV4;
806 p->flow = &f;
807 p->flowflags |= FLOW_PKT_TOSERVER;
808 p->flowflags |= FLOW_PKT_ESTABLISHED;
809 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
810 f.alproto = ALPROTO_HTTP1;
811
812 StreamTcpInitConfig(true);
813
814 de_ctx = DetectEngineCtxInit();
815 if (de_ctx == NULL)
816 goto end;
817
818 de_ctx->flags |= DE_QUIET;
819
820 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
821 "(msg:\"http header test\"; "
822 "content:\"CON\"; offset:3; http_method; "
823 "sid:1;)");
824 if (de_ctx->sig_list == NULL)
825 goto end;
826
827 SigGroupBuild(de_ctx);
828 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
829
830 int r = AppLayerParserParse(
831 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
832 if (r != 0) {
833 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
834 result = 0;
835 goto end;
836 }
837
838 http_state = f.alstate;
839 if (http_state == NULL) {
840 printf("no http state: ");
841 result = 0;
842 goto end;
843 }
844
845 /* do detect */
846 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
847
848 if (PacketAlertCheck(p, 1)) {
849 printf("sid 1 matched but shouldn't have: ");
850 goto end;
851 }
852
853 result = 1;
854
855end:
856 if (alp_tctx != NULL)
857 AppLayerParserThreadCtxFree(alp_tctx);
858 if (de_ctx != NULL)
859 DetectEngineCtxFree(de_ctx);
860
861 StreamTcpFreeConfig(true);
862 FLOW_DESTROY(&f);
863 UTHFreePackets(&p, 1);
864 return result;
865}
866
867/**
868 * \test Test that the http_method content matches against a http request
869 * which holds the content.
870 */
871static int DetectEngineHttpMethodTest10(void)
872{
873 TcpSession ssn;
874 Packet *p = NULL;
875 ThreadVars th_v;
876 DetectEngineCtx *de_ctx = NULL;
877 DetectEngineThreadCtx *det_ctx = NULL;
878 HtpState *http_state = NULL;
879 Flow f;
880 uint8_t http_buf[] =
881 "CONNECT /index.html HTTP/1.0\r\n"
882 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
883 uint32_t http_len = sizeof(http_buf) - 1;
884 int result = 0;
885 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
886
887 memset(&th_v, 0, sizeof(th_v));
888 memset(&f, 0, sizeof(f));
889 memset(&ssn, 0, sizeof(ssn));
890
891 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
892
893 FLOW_INITIALIZE(&f);
894 f.protoctx = (void *)&ssn;
895 f.proto = IPPROTO_TCP;
896 f.flags |= FLOW_IPV4;
897 p->flow = &f;
898 p->flowflags |= FLOW_PKT_TOSERVER;
899 p->flowflags |= FLOW_PKT_ESTABLISHED;
900 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
901 f.alproto = ALPROTO_HTTP1;
902
903 StreamTcpInitConfig(true);
904
905 de_ctx = DetectEngineCtxInit();
906 if (de_ctx == NULL)
907 goto end;
908
909 de_ctx->flags |= DE_QUIET;
910
911 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
912 "(msg:\"http header test\"; "
913 "content:\"CO\"; http_method; "
914 "content:\"EC\"; within:4; http_method; "
915 "sid:1;)");
916 if (de_ctx->sig_list == NULL)
917 goto end;
918
919 SigGroupBuild(de_ctx);
920 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
921
922 int r = AppLayerParserParse(
923 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
924 if (r != 0) {
925 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
926 result = 0;
927 goto end;
928 }
929
930 http_state = f.alstate;
931 if (http_state == NULL) {
932 printf("no http state: ");
933 result = 0;
934 goto end;
935 }
936
937 /* do detect */
938 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
939
940 if (!PacketAlertCheck(p, 1)) {
941 printf("sid 1 didn't match but should have: ");
942 goto end;
943 }
944
945 result = 1;
946
947end:
948 if (alp_tctx != NULL)
949 AppLayerParserThreadCtxFree(alp_tctx);
950 if (de_ctx != NULL)
951 DetectEngineCtxFree(de_ctx);
952
953 StreamTcpFreeConfig(true);
954 FLOW_DESTROY(&f);
955 UTHFreePackets(&p, 1);
956 return result;
957}
958
959/**
960 * \test Test that the http_method content matches against a http request
961 * which holds the content.
962 */
963static int DetectEngineHttpMethodTest11(void)
964{
965 TcpSession ssn;
966 Packet *p = NULL;
967 ThreadVars th_v;
968 DetectEngineCtx *de_ctx = NULL;
969 DetectEngineThreadCtx *det_ctx = NULL;
970 HtpState *http_state = NULL;
971 Flow f;
972 uint8_t http_buf[] =
973 "CONNECT /index.html HTTP/1.0\r\n"
974 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
975 uint32_t http_len = sizeof(http_buf) - 1;
976 int result = 0;
977 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
978
979 memset(&th_v, 0, sizeof(th_v));
980 memset(&f, 0, sizeof(f));
981 memset(&ssn, 0, sizeof(ssn));
982
983 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
984
985 FLOW_INITIALIZE(&f);
986 f.protoctx = (void *)&ssn;
987 f.proto = IPPROTO_TCP;
988 f.flags |= FLOW_IPV4;
989 p->flow = &f;
990 p->flowflags |= FLOW_PKT_TOSERVER;
991 p->flowflags |= FLOW_PKT_ESTABLISHED;
992 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
993 f.alproto = ALPROTO_HTTP1;
994
995 StreamTcpInitConfig(true);
996
997 de_ctx = DetectEngineCtxInit();
998 if (de_ctx == NULL)
999 goto end;
1000
1001 de_ctx->flags |= DE_QUIET;
1002
1003 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1004 "(msg:\"http header test\"; "
1005 "content:\"CO\"; http_method; "
1006 "content:!\"EC\"; within:3; http_method; "
1007 "sid:1;)");
1008 if (de_ctx->sig_list == NULL)
1009 goto end;
1010
1011 SigGroupBuild(de_ctx);
1012 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1013
1014 int r = AppLayerParserParse(
1015 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1016 if (r != 0) {
1017 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1018 result = 0;
1019 goto end;
1020 }
1021
1022 http_state = f.alstate;
1023 if (http_state == NULL) {
1024 printf("no http state: ");
1025 result = 0;
1026 goto end;
1027 }
1028
1029 /* do detect */
1030 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1031
1032 if (!PacketAlertCheck(p, 1)) {
1033 printf("sid 1 didn't match but should have: ");
1034 goto end;
1035 }
1036
1037 result = 1;
1038
1039end:
1040 if (alp_tctx != NULL)
1041 AppLayerParserThreadCtxFree(alp_tctx);
1042 if (de_ctx != NULL)
1043 DetectEngineCtxFree(de_ctx);
1044
1045 StreamTcpFreeConfig(true);
1046 FLOW_DESTROY(&f);
1047 UTHFreePackets(&p, 1);
1048 return result;
1049}
1050
1051/**
1052 * \test Test that the http_method content matches against a http request
1053 * which holds the content.
1054 */
1055static int DetectEngineHttpMethodTest12(void)
1056{
1057 TcpSession ssn;
1058 Packet *p = NULL;
1059 ThreadVars th_v;
1060 DetectEngineCtx *de_ctx = NULL;
1061 DetectEngineThreadCtx *det_ctx = NULL;
1062 HtpState *http_state = NULL;
1063 Flow f;
1064 uint8_t http_buf[] =
1065 "CONNECT /index.html HTTP/1.0\r\n"
1066 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1067 uint32_t http_len = sizeof(http_buf) - 1;
1068 int result = 0;
1069 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1070
1071 memset(&th_v, 0, sizeof(th_v));
1072 memset(&f, 0, sizeof(f));
1073 memset(&ssn, 0, sizeof(ssn));
1074
1075 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1076
1077 FLOW_INITIALIZE(&f);
1078 f.protoctx = (void *)&ssn;
1079 f.proto = IPPROTO_TCP;
1080 f.flags |= FLOW_IPV4;
1081 p->flow = &f;
1082 p->flowflags |= FLOW_PKT_TOSERVER;
1083 p->flowflags |= FLOW_PKT_ESTABLISHED;
1084 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1085 f.alproto = ALPROTO_HTTP1;
1086
1087 StreamTcpInitConfig(true);
1088
1089 de_ctx = DetectEngineCtxInit();
1090 if (de_ctx == NULL)
1091 goto end;
1092
1093 de_ctx->flags |= DE_QUIET;
1094
1095 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1096 "(msg:\"http header test\"; "
1097 "content:\"CO\"; http_method; "
1098 "content:\"EC\"; within:3; http_method; "
1099 "sid:1;)");
1100 if (de_ctx->sig_list == NULL)
1101 goto end;
1102
1103 SigGroupBuild(de_ctx);
1104 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1105
1106 int r = AppLayerParserParse(
1107 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1108 if (r != 0) {
1109 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1110 result = 0;
1111 goto end;
1112 }
1113
1114 http_state = f.alstate;
1115 if (http_state == NULL) {
1116 printf("no http state: ");
1117 result = 0;
1118 goto end;
1119 }
1120
1121 /* do detect */
1122 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1123
1124 if (PacketAlertCheck(p, 1)) {
1125 printf("sid 1 matched but shouldn't have: ");
1126 goto end;
1127 }
1128
1129 result = 1;
1130
1131end:
1132 if (alp_tctx != NULL)
1133 AppLayerParserThreadCtxFree(alp_tctx);
1134 if (de_ctx != NULL)
1135 DetectEngineCtxFree(de_ctx);
1136
1137 StreamTcpFreeConfig(true);
1138 FLOW_DESTROY(&f);
1139 UTHFreePackets(&p, 1);
1140 return result;
1141}
1142
1143/**
1144 * \test Test that the http_method content matches against a http request
1145 * which holds the content.
1146 */
1147static int DetectEngineHttpMethodTest13(void)
1148{
1149 TcpSession ssn;
1150 Packet *p = NULL;
1151 ThreadVars th_v;
1152 DetectEngineCtx *de_ctx = NULL;
1153 DetectEngineThreadCtx *det_ctx = NULL;
1154 HtpState *http_state = NULL;
1155 Flow f;
1156 uint8_t http_buf[] =
1157 "CONNECT /index.html HTTP/1.0\r\n"
1158 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1159 uint32_t http_len = sizeof(http_buf) - 1;
1160 int result = 0;
1161 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1162
1163 memset(&th_v, 0, sizeof(th_v));
1164 memset(&f, 0, sizeof(f));
1165 memset(&ssn, 0, sizeof(ssn));
1166
1167 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1168
1169 FLOW_INITIALIZE(&f);
1170 f.protoctx = (void *)&ssn;
1171 f.proto = IPPROTO_TCP;
1172 f.flags |= FLOW_IPV4;
1173 p->flow = &f;
1174 p->flowflags |= FLOW_PKT_TOSERVER;
1175 p->flowflags |= FLOW_PKT_ESTABLISHED;
1176 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1177 f.alproto = ALPROTO_HTTP1;
1178
1179 StreamTcpInitConfig(true);
1180
1181 de_ctx = DetectEngineCtxInit();
1182 if (de_ctx == NULL)
1183 goto end;
1184
1185 de_ctx->flags |= DE_QUIET;
1186
1187 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1188 "(msg:\"http header test\"; "
1189 "content:\"CO\"; http_method; "
1190 "content:!\"EC\"; within:4; http_method; "
1191 "sid:1;)");
1192 if (de_ctx->sig_list == NULL)
1193 goto end;
1194
1195 SigGroupBuild(de_ctx);
1196 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1197
1198 int r = AppLayerParserParse(
1199 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1200 if (r != 0) {
1201 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1202 result = 0;
1203 goto end;
1204 }
1205
1206 http_state = f.alstate;
1207 if (http_state == NULL) {
1208 printf("no http state: ");
1209 result = 0;
1210 goto end;
1211 }
1212
1213 /* do detect */
1214 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1215
1216 if (PacketAlertCheck(p, 1)) {
1217 printf("sid 1 matched but shouldn't have: ");
1218 goto end;
1219 }
1220
1221 result = 1;
1222
1223end:
1224 if (alp_tctx != NULL)
1225 AppLayerParserThreadCtxFree(alp_tctx);
1226 if (de_ctx != NULL)
1227 DetectEngineCtxFree(de_ctx);
1228
1229 StreamTcpFreeConfig(true);
1230 FLOW_DESTROY(&f);
1231 UTHFreePackets(&p, 1);
1232 return result;
1233}
1234
1235/**
1236 * \test Test that the http_method content matches against a http request
1237 * which holds the content.
1238 */
1239static int DetectEngineHttpMethodTest14(void)
1240{
1241 TcpSession ssn;
1242 Packet *p = NULL;
1243 ThreadVars th_v;
1244 DetectEngineCtx *de_ctx = NULL;
1245 DetectEngineThreadCtx *det_ctx = NULL;
1246 HtpState *http_state = NULL;
1247 Flow f;
1248 uint8_t http_buf[] =
1249 "CONNECT /index.html HTTP/1.0\r\n"
1250 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1251 uint32_t http_len = sizeof(http_buf) - 1;
1252 int result = 0;
1253 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1254
1255 memset(&th_v, 0, sizeof(th_v));
1256 memset(&f, 0, sizeof(f));
1257 memset(&ssn, 0, sizeof(ssn));
1258
1259 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1260
1261 FLOW_INITIALIZE(&f);
1262 f.protoctx = (void *)&ssn;
1263 f.proto = IPPROTO_TCP;
1264 f.flags |= FLOW_IPV4;
1265 p->flow = &f;
1266 p->flowflags |= FLOW_PKT_TOSERVER;
1267 p->flowflags |= FLOW_PKT_ESTABLISHED;
1268 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1269 f.alproto = ALPROTO_HTTP1;
1270
1271 StreamTcpInitConfig(true);
1272
1273 de_ctx = DetectEngineCtxInit();
1274 if (de_ctx == NULL)
1275 goto end;
1276
1277 de_ctx->flags |= DE_QUIET;
1278
1279 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1280 "(msg:\"http header test\"; "
1281 "content:\"CO\"; http_method; "
1282 "content:\"EC\"; distance:2; http_method; "
1283 "sid:1;)");
1284 if (de_ctx->sig_list == NULL)
1285 goto end;
1286
1287 SigGroupBuild(de_ctx);
1288 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1289
1290 int r = AppLayerParserParse(
1291 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1292 if (r != 0) {
1293 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1294 result = 0;
1295 goto end;
1296 }
1297
1298 http_state = f.alstate;
1299 if (http_state == NULL) {
1300 printf("no http state: ");
1301 result = 0;
1302 goto end;
1303 }
1304
1305 /* do detect */
1306 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1307
1308 if (!PacketAlertCheck(p, 1)) {
1309 printf("sid 1 didn't match but should have: ");
1310 goto end;
1311 }
1312
1313 result = 1;
1314
1315end:
1316 if (alp_tctx != NULL)
1317 AppLayerParserThreadCtxFree(alp_tctx);
1318 if (de_ctx != NULL)
1319 DetectEngineCtxFree(de_ctx);
1320
1321 StreamTcpFreeConfig(true);
1322 FLOW_DESTROY(&f);
1323 UTHFreePackets(&p, 1);
1324 return result;
1325}
1326
1327/**
1328 * \test Test that the http_method content matches against a http request
1329 * which holds the content.
1330 */
1331static int DetectEngineHttpMethodTest15(void)
1332{
1333 TcpSession ssn;
1334 Packet *p = NULL;
1335 ThreadVars th_v;
1336 DetectEngineCtx *de_ctx = NULL;
1337 DetectEngineThreadCtx *det_ctx = NULL;
1338 HtpState *http_state = NULL;
1339 Flow f;
1340 uint8_t http_buf[] =
1341 "CONNECT /index.html HTTP/1.0\r\n"
1342 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1343 uint32_t http_len = sizeof(http_buf) - 1;
1344 int result = 0;
1345 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1346
1347 memset(&th_v, 0, sizeof(th_v));
1348 memset(&f, 0, sizeof(f));
1349 memset(&ssn, 0, sizeof(ssn));
1350
1351 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1352
1353 FLOW_INITIALIZE(&f);
1354 f.protoctx = (void *)&ssn;
1355 f.proto = IPPROTO_TCP;
1356 f.flags |= FLOW_IPV4;
1357 p->flow = &f;
1358 p->flowflags |= FLOW_PKT_TOSERVER;
1359 p->flowflags |= FLOW_PKT_ESTABLISHED;
1360 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1361 f.alproto = ALPROTO_HTTP1;
1362
1363 StreamTcpInitConfig(true);
1364
1365 de_ctx = DetectEngineCtxInit();
1366 if (de_ctx == NULL)
1367 goto end;
1368
1369 de_ctx->flags |= DE_QUIET;
1370
1371 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1372 "(msg:\"http header test\"; "
1373 "content:\"CO\"; http_method; "
1374 "content:!\"EC\"; distance:3; http_method; "
1375 "sid:1;)");
1376 if (de_ctx->sig_list == NULL)
1377 goto end;
1378
1379 SigGroupBuild(de_ctx);
1380 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1381
1382 int r = AppLayerParserParse(
1383 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1384 if (r != 0) {
1385 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1386 result = 0;
1387 goto end;
1388 }
1389
1390 http_state = f.alstate;
1391 if (http_state == NULL) {
1392 printf("no http state: ");
1393 result = 0;
1394 goto end;
1395 }
1396
1397 /* do detect */
1398 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1399
1400 if (!PacketAlertCheck(p, 1)) {
1401 printf("sid 1 didn't match but should have: ");
1402 goto end;
1403 }
1404
1405 result = 1;
1406
1407end:
1408 if (alp_tctx != NULL)
1409 AppLayerParserThreadCtxFree(alp_tctx);
1410 if (de_ctx != NULL)
1411 DetectEngineCtxFree(de_ctx);
1412
1413 StreamTcpFreeConfig(true);
1414 FLOW_DESTROY(&f);
1415 UTHFreePackets(&p, 1);
1416 return result;
1417}
1418
1419/**
1420 * \test Test that the http_method content matches against a http request
1421 * which holds the content.
1422 */
1423static int DetectEngineHttpMethodTest16(void)
1424{
1425 TcpSession ssn;
1426 Packet *p = NULL;
1427 ThreadVars th_v;
1428 DetectEngineCtx *de_ctx = NULL;
1429 DetectEngineThreadCtx *det_ctx = NULL;
1430 HtpState *http_state = NULL;
1431 Flow f;
1432 uint8_t http_buf[] =
1433 "CONNECT /index.html HTTP/1.0\r\n"
1434 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1435 uint32_t http_len = sizeof(http_buf) - 1;
1436 int result = 0;
1437 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1438
1439 memset(&th_v, 0, sizeof(th_v));
1440 memset(&f, 0, sizeof(f));
1441 memset(&ssn, 0, sizeof(ssn));
1442
1443 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1444
1445 FLOW_INITIALIZE(&f);
1446 f.protoctx = (void *)&ssn;
1447 f.proto = IPPROTO_TCP;
1448 f.flags |= FLOW_IPV4;
1449 p->flow = &f;
1450 p->flowflags |= FLOW_PKT_TOSERVER;
1451 p->flowflags |= FLOW_PKT_ESTABLISHED;
1452 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1453 f.alproto = ALPROTO_HTTP1;
1454
1455 StreamTcpInitConfig(true);
1456
1457 de_ctx = DetectEngineCtxInit();
1458 if (de_ctx == NULL)
1459 goto end;
1460
1461 de_ctx->flags |= DE_QUIET;
1462
1463 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1464 "(msg:\"http header test\"; "
1465 "content:\"CO\"; http_method; "
1466 "content:\"EC\"; distance:3; http_method; "
1467 "sid:1;)");
1468 if (de_ctx->sig_list == NULL)
1469 goto end;
1470
1471 SigGroupBuild(de_ctx);
1472 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1473
1474 int r = AppLayerParserParse(
1475 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1476 if (r != 0) {
1477 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1478 result = 0;
1479 goto end;
1480 }
1481
1482 http_state = f.alstate;
1483 if (http_state == NULL) {
1484 printf("no http state: ");
1485 result = 0;
1486 goto end;
1487 }
1488
1489 /* do detect */
1490 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1491
1492 if (PacketAlertCheck(p, 1)) {
1493 printf("sid 1 matched but shouldn't have: ");
1494 goto end;
1495 }
1496
1497 result = 1;
1498
1499end:
1500 if (alp_tctx != NULL)
1501 AppLayerParserThreadCtxFree(alp_tctx);
1502 if (de_ctx != NULL)
1503 DetectEngineCtxFree(de_ctx);
1504
1505 StreamTcpFreeConfig(true);
1506 FLOW_DESTROY(&f);
1507 UTHFreePackets(&p, 1);
1508 return result;
1509}
1510
1511/**
1512 * \test Test that the http_method content matches against a http request
1513 * which holds the content.
1514 */
1515static int DetectEngineHttpMethodTest17(void)
1516{
1517 TcpSession ssn;
1518 Packet *p = NULL;
1519 ThreadVars th_v;
1520 DetectEngineCtx *de_ctx = NULL;
1521 DetectEngineThreadCtx *det_ctx = NULL;
1522 HtpState *http_state = NULL;
1523 Flow f;
1524 uint8_t http_buf[] =
1525 "CONNECT /index.html HTTP/1.0\r\n"
1526 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1527 uint32_t http_len = sizeof(http_buf) - 1;
1528 int result = 0;
1529 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1530
1531 memset(&th_v, 0, sizeof(th_v));
1532 memset(&f, 0, sizeof(f));
1533 memset(&ssn, 0, sizeof(ssn));
1534
1535 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1536
1537 FLOW_INITIALIZE(&f);
1538 f.protoctx = (void *)&ssn;
1539 f.proto = IPPROTO_TCP;
1540 f.flags |= FLOW_IPV4;
1541 p->flow = &f;
1542 p->flowflags |= FLOW_PKT_TOSERVER;
1543 p->flowflags |= FLOW_PKT_ESTABLISHED;
1544 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1545 f.alproto = ALPROTO_HTTP1;
1546
1547 StreamTcpInitConfig(true);
1548
1549 de_ctx = DetectEngineCtxInit();
1550 if (de_ctx == NULL)
1551 goto end;
1552
1553 de_ctx->flags |= DE_QUIET;
1554
1555 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1556 "(msg:\"http header test\"; "
1557 "content:\"CO\"; http_method; "
1558 "content:!\"EC\"; distance:2; http_method; "
1559 "sid:1;)");
1560 if (de_ctx->sig_list == NULL)
1561 goto end;
1562
1563 SigGroupBuild(de_ctx);
1564 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1565
1566 int r = AppLayerParserParse(
1567 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1568 if (r != 0) {
1569 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1570 result = 0;
1571 goto end;
1572 }
1573
1574 http_state = f.alstate;
1575 if (http_state == NULL) {
1576 printf("no http state: ");
1577 result = 0;
1578 goto end;
1579 }
1580
1581 /* do detect */
1582 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1583
1584 if (PacketAlertCheck(p, 1)) {
1585 printf("sid 1 matched but shouldn't have: ");
1586 goto end;
1587 }
1588
1589 result = 1;
1590
1591end:
1592 if (alp_tctx != NULL)
1593 AppLayerParserThreadCtxFree(alp_tctx);
1594 if (de_ctx != NULL)
1595 DetectEngineCtxFree(de_ctx);
1596
1597 StreamTcpFreeConfig(true);
1598 FLOW_DESTROY(&f);
1599 UTHFreePackets(&p, 1);
1600 return result;
1601}
1602
1603/** \test Check a signature with content */
1604static int DetectHttpMethodTest01(void)
1605{
1606 DetectEngineCtx *de_ctx = NULL;
1607 int result = 0;
1608
1609 if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1610 goto end;
1611
1612 de_ctx->flags |= DE_QUIET;
1613 de_ctx->sig_list = SigInit(de_ctx,
1614 "alert tcp any any -> any any "
1615 "(msg:\"Testing http_method\"; "
1616 "content:\"GET\"; "
1617 "http_method; sid:1;)");
1618
1619 if (de_ctx->sig_list != NULL) {
1620 result = 1;
1621 } else {
1622 printf("sig parse failed: ");
1623 }
1624
1625 end:
1626 if (de_ctx != NULL)
1627 DetectEngineCtxFree(de_ctx);
1628 return result;
1629}
1630
1631/** \test Check a signature without content (fail) */
1632static int DetectHttpMethodTest02(void)
1633{
1634 DetectEngineCtx *de_ctx = NULL;
1635 int result = 0;
1636
1637 if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1638 goto end;
1639
1640 de_ctx->flags |= DE_QUIET;
1641 de_ctx->sig_list = SigInit(de_ctx,
1642 "alert tcp any any -> any any "
1643 "(msg:\"Testing http_method\"; "
1644 "http_method; sid:1;)");
1645
1646 if (de_ctx->sig_list == NULL) {
1647 result = 1;
1648 }
1649
1650 end:
1651 if (de_ctx != NULL)
1652 DetectEngineCtxFree(de_ctx);
1653 return result;
1654}
1655
1656/** \test Check a signature with parameter (fail) */
1657static int DetectHttpMethodTest03(void)
1658{
1659 DetectEngineCtx *de_ctx = NULL;
1660 int result = 0;
1661
1662 if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1663 goto end;
1664
1665 de_ctx->flags |= DE_QUIET;
1666 de_ctx->sig_list = SigInit(de_ctx,
1667 "alert tcp any any -> any any "
1668 "(msg:\"Testing http_method\"; "
1669 "content:\"foobar\"; "
1670 "http_method:\"GET\"; sid:1;)");
1671
1672 if (de_ctx->sig_list == NULL) {
1673 result = 1;
1674 }
1675
1676 end:
1677 if (de_ctx != NULL)
1678 DetectEngineCtxFree(de_ctx);
1679 return result;
1680}
1681
1682/** \test Check a signature with fast_pattern (should work) */
1683static int DetectHttpMethodTest04(void)
1684{
1685 DetectEngineCtx *de_ctx = NULL;
1686 int result = 0;
1687
1688 if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1689 goto end;
1690
1691 de_ctx->flags |= DE_QUIET;
1692 de_ctx->sig_list = SigInit(de_ctx,
1693 "alert tcp any any -> any any "
1694 "(msg:\"Testing http_method\"; "
1695 "content:\"GET\"; "
1696 "fast_pattern; "
1697 "http_method; sid:1;)");
1698
1699 if (de_ctx->sig_list != NULL) {
1700 result = 1;
1701 }
1702
1703 end:
1704 if (de_ctx != NULL)
1705 DetectEngineCtxFree(de_ctx);
1706 return result;
1707}
1708
1709/** \test Check a signature with rawbytes (fail) */
1710static int DetectHttpMethodTest05(void)
1711{
1712 DetectEngineCtx *de_ctx = NULL;
1713 int result = 0;
1714
1715 if ( (de_ctx = DetectEngineCtxInit()) == NULL)
1716 goto end;
1717
1718 de_ctx->flags |= DE_QUIET;
1719 de_ctx->sig_list = SigInit(de_ctx,
1720 "alert tcp any any -> any any "
1721 "(msg:\"Testing http_method\"; "
1722 "content:\"GET\"; "
1723 "rawbytes; "
1724 "http_method; sid:1;)");
1725
1726 if (de_ctx->sig_list == NULL) {
1727 result = 1;
1728 }
1729
1730 end:
1731 if (de_ctx != NULL)
1732 DetectEngineCtxFree(de_ctx);
1733 return result;
1734}
1735
1736/** \test Check a signature with an known request method */
1737static int DetectHttpMethodSigTest01(void)
1738{
1739 int result = 0;
1740 Flow f;
1741 uint8_t httpbuf1[] = "GET / HTTP/1.0\r\n"
1742 "Host: foo.bar.tld\r\n"
1743 "\r\n";
1744 uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1745 TcpSession ssn;
1746 Packet *p = NULL;
1747 Signature *s = NULL;
1748 ThreadVars th_v;
1749 DetectEngineThreadCtx *det_ctx;
1750 HtpState *http_state = NULL;
1751 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1752
1753 memset(&th_v, 0, sizeof(th_v));
1754 memset(&f, 0, sizeof(f));
1755 memset(&ssn, 0, sizeof(ssn));
1756
1757 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1758
1759 FLOW_INITIALIZE(&f);
1760 f.protoctx = (void *)&ssn;
1761 f.proto = IPPROTO_TCP;
1762 f.flags |= FLOW_IPV4;
1763
1764 p->flow = &f;
1765 p->flowflags |= FLOW_PKT_TOSERVER;
1766 p->flowflags |= FLOW_PKT_ESTABLISHED;
1767 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1768 f.alproto = ALPROTO_HTTP1;
1769
1770 StreamTcpInitConfig(true);
1771
1772 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1773 if (de_ctx == NULL) {
1774 goto end;
1775 }
1776
1777 de_ctx->flags |= DE_QUIET;
1778
1779 s = de_ctx->sig_list = SigInit(de_ctx,
1780 "alert tcp any any -> any any "
1781 "(msg:\"Testing http_method\"; "
1782 "content:\"GET\"; "
1783 "http_method; sid:1;)");
1784 if (s == NULL) {
1785 goto end;
1786 }
1787
1788 s = s->next = SigInit(de_ctx,
1789 "alert tcp any any -> any any "
1790 "(msg:\"Testing http_method\"; "
1791 "content:\"POST\"; "
1792 "http_method; sid:2;)");
1793 if (s == NULL) {
1794 goto end;
1795 }
1796
1797 SigGroupBuild(de_ctx);
1798 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1799
1800 int r = AppLayerParserParse(
1801 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1802 if (r != 0) {
1803 SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1804 goto end;
1805 }
1806
1807 http_state = f.alstate;
1808 if (http_state == NULL) {
1809 SCLogDebug("no http state: ");
1810 goto end;
1811 }
1812
1813 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1814
1815 if (!(PacketAlertCheck(p, 1))) {
1816 goto end;
1817 }
1818 if (PacketAlertCheck(p, 2)) {
1819 goto end;
1820 }
1821
1822 result = 1;
1823
1824end:
1825 if (alp_tctx != NULL)
1826 AppLayerParserThreadCtxFree(alp_tctx);
1827 if (de_ctx != NULL)
1828 DetectEngineCtxFree(de_ctx);
1829
1830 StreamTcpFreeConfig(true);
1831 FLOW_DESTROY(&f);
1832 UTHFreePackets(&p, 1);
1833 return result;
1834}
1835
1836/** \test Check a signature with an unknown request method */
1837static int DetectHttpMethodSigTest02(void)
1838{
1839 int result = 0;
1840 Flow f;
1841 uint8_t httpbuf1[] = "FOO / HTTP/1.0\r\n"
1842 "Host: foo.bar.tld\r\n"
1843 "\r\n";
1844 uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1845 TcpSession ssn;
1846 Packet *p = NULL;
1847 Signature *s = NULL;
1848 ThreadVars th_v;
1849 DetectEngineThreadCtx *det_ctx = NULL;
1850 HtpState *http_state = NULL;
1851 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1852
1853 memset(&th_v, 0, sizeof(th_v));
1854 memset(&f, 0, sizeof(f));
1855 memset(&ssn, 0, sizeof(ssn));
1856
1857 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1858
1859 FLOW_INITIALIZE(&f);
1860 f.protoctx = (void *)&ssn;
1861 f.proto = IPPROTO_TCP;
1862 f.flags |= FLOW_IPV4;
1863
1864 p->flow = &f;
1865 p->flowflags |= FLOW_PKT_TOSERVER;
1866 p->flowflags |= FLOW_PKT_ESTABLISHED;
1867 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1868 f.alproto = ALPROTO_HTTP1;
1869
1870 StreamTcpInitConfig(true);
1871
1872 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1873 if (de_ctx == NULL) {
1874 goto end;
1875 }
1876
1877 de_ctx->flags |= DE_QUIET;
1878
1879 s = de_ctx->sig_list = SigInit(de_ctx,
1880 "alert tcp any any -> any any "
1881 "(msg:\"Testing http_method\"; "
1882 "content:\"FOO\"; "
1883 "http_method; sid:1;)");
1884 if (s == NULL) {
1885 goto end;
1886 }
1887
1888 s = s->next = SigInit(de_ctx,
1889 "alert tcp any any -> any any "
1890 "(msg:\"Testing http_method\"; "
1891 "content:\"BAR\"; "
1892 "http_method; sid:2;)");
1893 if (s == NULL) {
1894 goto end;
1895 }
1896
1897 SigGroupBuild(de_ctx);
1898 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1899
1900 int r = AppLayerParserParse(
1901 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1902 if (r != 0) {
1903 SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1904 goto end;
1905 }
1906
1907 http_state = f.alstate;
1908 if (http_state == NULL) {
1909 SCLogDebug("no http state: ");
1910 goto end;
1911 }
1912
1913 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1914
1915 if (!(PacketAlertCheck(p, 1))) {
1916 goto end;
1917 }
1918 if (PacketAlertCheck(p, 2)) {
1919 goto end;
1920 }
1921
1922 result = 1;
1923
1924end:
1925 if (alp_tctx != NULL)
1926 AppLayerParserThreadCtxFree(alp_tctx);
1927 if (det_ctx != NULL)
1928 DetectEngineThreadCtxDeinit(&th_v, (void *) det_ctx);
1929 if (de_ctx != NULL)
1930 DetectEngineCtxFree(de_ctx);
1931
1932 StreamTcpFreeConfig(true);
1933 FLOW_DESTROY(&f);
1934 UTHFreePackets(&p, 1);
1935 return result;
1936}
1937
1938/** \test Check a signature against an unparsable request */
1939static int DetectHttpMethodSigTest03(void)
1940{
1941 int result = 0;
1942 Flow f;
1943 uint8_t httpbuf1[] = " ";
1944 uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1945 TcpSession ssn;
1946 Packet *p = NULL;
1947 Signature *s = NULL;
1948 ThreadVars th_v;
1949 DetectEngineThreadCtx *det_ctx;
1950 HtpState *http_state = NULL;
1951 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1952
1953 memset(&th_v, 0, sizeof(th_v));
1954 memset(&f, 0, sizeof(f));
1955 memset(&ssn, 0, sizeof(ssn));
1956
1957 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1958
1959 FLOW_INITIALIZE(&f);
1960 f.protoctx = (void *)&ssn;
1961 f.proto = IPPROTO_TCP;
1962 f.flags |= FLOW_IPV4;
1963
1964 p->flow = &f;
1965 p->flowflags |= FLOW_PKT_TOSERVER;
1966 p->flowflags |= FLOW_PKT_ESTABLISHED;
1967 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1968 f.alproto = ALPROTO_HTTP1;
1969
1970 StreamTcpInitConfig(true);
1971
1972 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1973 if (de_ctx == NULL) {
1974 goto end;
1975 }
1976
1977 de_ctx->flags |= DE_QUIET;
1978
1979 s = de_ctx->sig_list = SigInit(de_ctx,
1980 "alert tcp any any -> any any "
1981 "(msg:\"Testing http_method\"; "
1982 "content:\"GET\"; "
1983 "http_method; sid:1;)");
1984 if (s == NULL) {
1985 SCLogDebug("Bad signature");
1986 goto end;
1987 }
1988
1989 SigGroupBuild(de_ctx);
1990 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1991
1992 int r = AppLayerParserParse(
1993 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1994 if (r != 0) {
1995 SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1996 goto end;
1997 }
1998
1999 http_state = f.alstate;
2000 if (http_state == NULL) {
2001 SCLogDebug("no http state: ");
2002 goto end;
2003 }
2004
2005 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2006
2007 if (PacketAlertCheck(p, 1)) {
2008 goto end;
2009 }
2010
2011 result = 1;
2012
2013end:
2014 if (alp_tctx != NULL)
2015 AppLayerParserThreadCtxFree(alp_tctx);
2016 if (de_ctx != NULL)
2017 DetectEngineCtxFree(de_ctx);
2018
2019 StreamTcpFreeConfig(true);
2020 FLOW_DESTROY(&f);
2021 UTHFreePackets(&p, 1);
2022 return result;
2023}
2024
2025/** \test Check a signature with an request method and negation of the same */
2026static int DetectHttpMethodSigTest04(void)
2027{
2028 int result = 0;
2029 Flow f;
2030 uint8_t httpbuf1[] = "GET / HTTP/1.0\r\n"
2031 "Host: foo.bar.tld\r\n"
2032 "\r\n";
2033 uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2034 TcpSession ssn;
2035 Packet *p = NULL;
2036 Signature *s = NULL;
2037 ThreadVars th_v;
2038 DetectEngineThreadCtx *det_ctx = NULL;
2039 HtpState *http_state = NULL;
2040 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2041
2042 memset(&th_v, 0, sizeof(th_v));
2043 memset(&f, 0, sizeof(f));
2044 memset(&ssn, 0, sizeof(ssn));
2045
2046 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2047
2048 FLOW_INITIALIZE(&f);
2049 f.protoctx = (void *)&ssn;
2050 f.proto = IPPROTO_TCP;
2051 f.flags |= FLOW_IPV4;
2052
2053 p->flow = &f;
2054 p->flowflags |= FLOW_PKT_TOSERVER;
2055 p->flowflags |= FLOW_PKT_ESTABLISHED;
2056 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2057 f.alproto = ALPROTO_HTTP1;
2058
2059 StreamTcpInitConfig(true);
2060
2061 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2062 if (de_ctx == NULL) {
2063 goto end;
2064 }
2065
2066 de_ctx->flags |= DE_QUIET;
2067
2068 s = de_ctx->sig_list = SigInit(de_ctx,
2069 "alert tcp any any -> any any (msg:\"Testing http_method\"; "
2070 "content:\"GET\"; http_method; sid:1;)");
2071 if (s == NULL) {
2072 goto end;
2073 }
2074
2075 s = s->next = SigInit(de_ctx,
2076 "alert tcp any any -> any any (msg:\"Testing http_method\"; "
2077 "content:!\"GET\"; http_method; sid:2;)");
2078 if (s == NULL) {
2079 goto end;
2080 }
2081
2082 SigGroupBuild(de_ctx);
2083 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2084
2085 int r = AppLayerParserParse(
2086 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
2087 if (r != 0) {
2088 SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2089 goto end;
2090 }
2091
2092 http_state = f.alstate;
2093 if (http_state == NULL) {
2094 SCLogDebug("no http state: ");
2095 goto end;
2096 }
2097
2098 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2099
2100 if (!(PacketAlertCheck(p, 1))) {
2101 printf("sid 1 didn't match but should have: ");
2102 goto end;
2103 }
2104 if (PacketAlertCheck(p, 2)) {
2105 printf("sid 2 matched but shouldn't have: ");
2106 goto end;
2107 }
2108
2109 result = 1;
2110
2111end:
2112 if (alp_tctx != NULL)
2113 AppLayerParserThreadCtxFree(alp_tctx);
2114 if (det_ctx != NULL) {
2115 DetectEngineThreadCtxDeinit(&th_v, (void *) det_ctx);
2116 }
2117 if (de_ctx != NULL) {
2118 DetectEngineCtxFree(de_ctx);
2119 }
2120
2121 StreamTcpFreeConfig(true);
2122 FLOW_DESTROY(&f);
2123 UTHFreePackets(&p, 1);
2124 return result;
2125}
2126
2127static int DetectHttpMethodIsdataatParseTest(void)
2128{
2129 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2130 FAIL_IF_NULL(de_ctx);
2131 de_ctx->flags |= DE_QUIET;
2132
2133 Signature *s = DetectEngineAppendSig(de_ctx,
2134 "alert tcp any any -> any any ("
2135 "content:\"one\"; http_method; "
2136 "isdataat:!4,relative; sid:1;)");
2137 FAIL_IF_NULL(s);
2138
2139 SigMatch *sm = DetectBufferGetLastSigMatch(s, g_http_method_buffer_id);
2140 FAIL_IF_NULL(sm);
2141 FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
2142
2143 DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
2144 FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
2145 FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
2146 FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
2147
2148 DetectEngineCtxFree(de_ctx);
2149 PASS;
2150}
2151
2152/**
2153 * \brief this function registers unit tests for DetectHttpMethod
2154 */
2155void DetectHttpMethodRegisterTests(void)
2156{
2157 UtRegisterTest("DetectHttpMethodTest01", DetectHttpMethodTest01);
2158 UtRegisterTest("DetectHttpMethodTest02", DetectHttpMethodTest02);
2159 UtRegisterTest("DetectHttpMethodTest03", DetectHttpMethodTest03);
2160 UtRegisterTest("DetectHttpMethodTest04", DetectHttpMethodTest04);
2161 UtRegisterTest("DetectHttpMethodTest05", DetectHttpMethodTest05);
2162 UtRegisterTest("DetectHttpMethodSigTest01", DetectHttpMethodSigTest01);
2163 UtRegisterTest("DetectHttpMethodSigTest02", DetectHttpMethodSigTest02);
2164 UtRegisterTest("DetectHttpMethodSigTest03", DetectHttpMethodSigTest03);
2165 UtRegisterTest("DetectHttpMethodSigTest04", DetectHttpMethodSigTest04);
2166
2167 UtRegisterTest("DetectHttpMethodIsdataatParseTest",
2168 DetectHttpMethodIsdataatParseTest);
2169 UtRegisterTest("DetectEngineHttpMethodTest01",
2170 DetectEngineHttpMethodTest01);
2171 UtRegisterTest("DetectEngineHttpMethodTest02",
2172 DetectEngineHttpMethodTest02);
2173 UtRegisterTest("DetectEngineHttpMethodTest03",
2174 DetectEngineHttpMethodTest03);
2175 UtRegisterTest("DetectEngineHttpMethodTest04",
2176 DetectEngineHttpMethodTest04);
2177 UtRegisterTest("DetectEngineHttpMethodTest05",
2178 DetectEngineHttpMethodTest05);
2179 UtRegisterTest("DetectEngineHttpMethodTest06",
2180 DetectEngineHttpMethodTest06);
2181 UtRegisterTest("DetectEngineHttpMethodTest07",
2182 DetectEngineHttpMethodTest07);
2183 UtRegisterTest("DetectEngineHttpMethodTest08",
2184 DetectEngineHttpMethodTest08);
2185 UtRegisterTest("DetectEngineHttpMethodTest09",
2186 DetectEngineHttpMethodTest09);
2187 UtRegisterTest("DetectEngineHttpMethodTest10",
2188 DetectEngineHttpMethodTest10);
2189 UtRegisterTest("DetectEngineHttpMethodTest11",
2190 DetectEngineHttpMethodTest11);
2191 UtRegisterTest("DetectEngineHttpMethodTest12",
2192 DetectEngineHttpMethodTest12);
2193 UtRegisterTest("DetectEngineHttpMethodTest13",
2194 DetectEngineHttpMethodTest13);
2195 UtRegisterTest("DetectEngineHttpMethodTest14",
2196 DetectEngineHttpMethodTest14);
2197 UtRegisterTest("DetectEngineHttpMethodTest15",
2198 DetectEngineHttpMethodTest15);
2199 UtRegisterTest("DetectEngineHttpMethodTest16",
2200 DetectEngineHttpMethodTest16);
2201 UtRegisterTest("DetectEngineHttpMethodTest17",
2202 DetectEngineHttpMethodTest17);
2203}
2204
2205/**
2206 * @}
2207 */
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition app-layer-parser.c:297
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition app-layer-parser.c:324
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition app-layer-parser.c:1291
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition app-layer-protos.h:36
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition decode.h:1266
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition decode.h:1262
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition detect-engine-alert.c:142
DetectBufferGetLastSigMatch
SigMatch * DetectBufferGetLastSigMatch(const Signature *s, const uint32_t buf_id)
Definition detect-engine-buffer.c:167
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition detect-engine-build.c:2204
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition detect-engine-register.h:93
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition detect-engine.c:2602
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition detect-engine.c:2641
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition detect-parse.c:3437
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition detect-engine.c:3372
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition detect-engine.c:3608
DetectHttpMethodRegisterTests
void DetectHttpMethodRegisterTests(void)
this function registers unit tests for DetectHttpMethod
Definition detect-http-method.c:2155
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition detect-isdataat.h:27
ISDATAAT_NEGATED
#define ISDATAAT_NEGATED
Definition detect-isdataat.h:29
ISDATAAT_RAWBYTES
#define ISDATAAT_RAWBYTES
Definition detect-isdataat.h:28
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition detect-parse.c:3095
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition detect.c:2420
DE_QUIET
#define DE_QUIET
Definition detect.h:330
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition flow-util.h:38
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition flow-util.h:119
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition flow.h:233
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition flow.h:235
FLOW_IPV4
#define FLOW_IPV4
Definition flow.h:100
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition fuzz_applayerparserparse.c:23
de_ctx
DetectEngineCtx * de_ctx
Definition fuzz_siginit.c:18
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition util-unittest.h:89
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition util-unittest.c:103
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition util-unittest.h:82
PASS
#define PASS
Pass the test.
Definition util-unittest.h:105
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition stream-tcp.c:859
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition stream-tcp.c:488
AppLayerParserThreadCtx_
Definition app-layer-parser.c:60
DetectEngineCtx_
main detection engine ctx
Definition detect.h:932
DetectEngineCtx_::flags
uint8_t flags
Definition detect.h:934
DetectEngineCtx_::sig_list
Signature * sig_list
Definition detect.h:941
DetectEngineThreadCtx_
Definition detect.h:1244
DetectIsdataatData_
Definition detect-isdataat.h:32
Flow_
Flow data structure.
Definition flow.h:356
Flow_::proto
uint8_t proto
Definition flow.h:378
Flow_::flags
uint32_t flags
Definition flow.h:421
Flow_::alproto
AppProto alproto
application level protocol
Definition flow.h:450
Flow_::alstate
void * alstate
Definition flow.h:479
Flow_::protoctx
void * protoctx
Definition flow.h:441
HtpState_
Definition app-layer-htp.h:181
Packet_
Definition decode.h:501
Packet_::flowflags
uint8_t flowflags
Definition decode.h:532
Packet_::flow
struct Flow_ * flow
Definition decode.h:546
Packet_::flags
uint32_t flags
Definition decode.h:544
SigMatch_
a single match condition for a signature
Definition detect.h:356
SigMatch_::type
uint16_t type
Definition detect.h:357
SigMatch_::ctx
SigMatchCtx * ctx
Definition detect.h:359
Signature_
Signature container.
Definition detect.h:668
Signature_::next
struct Signature_ * next
Definition detect.h:750
TcpSession_
Definition stream-tcp-private.h:283
ThreadVars_
Per thread variable structure.
Definition threadvars.h:58
SCLogDebug
#define SCLogDebug(...)
Definition util-debug.h:275
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition util-unittest-helper.c:456
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition util-unittest-helper.c:365