suricata
detect-http-raw-header.c
Go to the documentation of this file.
1/* Copyright (C) 2007-2016 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \ingroup httplayer
20 *
21 * @{
22 */
23
24
25/** \file
26 *
27 * \author Anoop Saldanha <anoopsaldanha@gmail.com>
28 * \author Victor Julien <victor@inliniac.net>
29 *
30 * \brief Handle HTTP raw header match.
31 *
32 */
33
34#include "../suricata-common.h"
35#include "../suricata.h"
36#include "../decode.h"
37
38#include "../detect.h"
39#include "../detect-engine.h"
40#include "../detect-isdataat.h"
41#include "../detect-pcre.h"
42#include "../detect-engine-build.h"
43#include "../detect-engine-alert.h"
44
45#include "../stream-tcp.h"
46#include "../app-layer.h"
47#include "../app-layer-htp.h"
48#include "../app-layer-protos.h"
49#include "../app-layer-parser.h"
50
51#include "../util-unittest.h"
52#include "../util-unittest-helper.h"
53#include "../util-validate.h"
54
55/***********************************Unittests**********************************/
56
57#ifdef UNITTESTS
58
59/**
60 * \test Test parser accepting valid rules and rejecting invalid rules
61 */
62static int DetectHttpRawHeaderParserTest01(void)
63{
64 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; http_raw_header; sid:1;)", true));
65 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; nocase; http_raw_header; sid:1;)", true));
66 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; endswith; http_raw_header; sid:1;)", true));
67 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; startswith; http_raw_header; sid:1;)", true));
68 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; startswith; endswith; http_raw_header; sid:1;)", true));
69
70 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; rawbytes; http_raw_header; sid:1;)", false));
71 FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_server; http_raw_header; sid:1;)", false));
72 FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_server; content:\"abc\"; http_raw_header; sid:1;)", false));
73 PASS;
74}
75
76/**
77 * \test Test parser accepting valid rules and rejecting invalid rules
78 */
79static int DetectHttpRawHeaderParserTest02(void)
80{
81 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.header.raw; content:\"abc\"; sid:1;)", true));
82 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.header.raw; content:\"abc\"; nocase; sid:1;)", true));
83 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.header.raw; content:\"abc\"; endswith; sid:1;)", true));
84 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.header.raw; content:\"abc\"; startswith; sid:1;)", true));
85 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.header.raw; content:\"abc\"; startswith; endswith; sid:1;)", true));
86 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.header.raw; bsize:10; sid:1;)", true));
87
88 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.header.raw; content:\"abc\"; rawbytes; sid:1;)", false));
89 FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_server; http.header.raw; sid:1;)", false));
90 FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_server; http.header.raw; content:\"abc\"; sid:1;)", false));
91 PASS;
92}
93
94/**
95 *\test Test that the http_header content matches against a http request
96 * which holds the content.
97 */
98static int DetectEngineHttpRawHeaderTest01(void)
99{
100 TcpSession ssn;
101 Packet *p = NULL;
102 ThreadVars th_v;
103 DetectEngineCtx *de_ctx = NULL;
104 DetectEngineThreadCtx *det_ctx = NULL;
105 HtpState *http_state = NULL;
106 Flow f;
107 uint8_t http_buf[] =
108 "GET /index.html HTTP/1.0\r\n"
109 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
110 uint32_t http_len = sizeof(http_buf) - 1;
111 int result = 0;
112 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
113
114 memset(&th_v, 0, sizeof(th_v));
115 memset(&f, 0, sizeof(f));
116 memset(&ssn, 0, sizeof(ssn));
117
118 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
119
120 FLOW_INITIALIZE(&f);
121 f.protoctx = (void *)&ssn;
122 f.proto = IPPROTO_TCP;
123 f.flags |= FLOW_IPV4;
124 p->flow = &f;
125 p->flowflags |= FLOW_PKT_TOSERVER;
126 p->flowflags |= FLOW_PKT_ESTABLISHED;
127 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
128 f.alproto = ALPROTO_HTTP1;
129
130 StreamTcpInitConfig(true);
131
132 de_ctx = DetectEngineCtxInit();
133 if (de_ctx == NULL)
134 goto end;
135
136 de_ctx->flags |= DE_QUIET;
137
138 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
139 "(msg:\"http header test\"; flow:to_server; "
140 "content:\"one\"; http_raw_header; "
141 "sid:1;)");
142 if (de_ctx->sig_list == NULL)
143 goto end;
144
145 SigGroupBuild(de_ctx);
146 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
147
148 int r = AppLayerParserParse(
149 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
150 if (r != 0) {
151 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
152 result = 0;
153 goto end;
154 }
155
156 http_state = f.alstate;
157 if (http_state == NULL) {
158 printf("no http state: ");
159 result = 0;
160 goto end;
161 }
162
163 /* do detect */
164 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
165
166 if (!(PacketAlertCheck(p, 1))) {
167 printf("sid 1 didn't match but should have: ");
168 goto end;
169 }
170
171 result = 1;
172end:
173 if (alp_tctx != NULL)
174 AppLayerParserThreadCtxFree(alp_tctx);
175 if (de_ctx != NULL)
176 DetectEngineCtxFree(de_ctx);
177
178 StreamTcpFreeConfig(true);
179 FLOW_DESTROY(&f);
180 UTHFreePackets(&p, 1);
181 return result;
182}
183
184/**
185 *\test Test that the http_header content matches against a http request
186 * which holds the content.
187 */
188static int DetectEngineHttpRawHeaderTest02(void)
189{
190 TcpSession ssn;
191 Packet *p = NULL;
192 ThreadVars th_v;
193 DetectEngineCtx *de_ctx = NULL;
194 DetectEngineThreadCtx *det_ctx = NULL;
195 HtpState *http_state = NULL;
196 Flow f;
197 uint8_t http_buf[] =
198 "GET /index.html HTTP/1.0\r\n"
199 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
200 uint32_t http_len = sizeof(http_buf) - 1;
201 int result = 0;
202 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
203
204 memset(&th_v, 0, sizeof(th_v));
205 memset(&f, 0, sizeof(f));
206 memset(&ssn, 0, sizeof(ssn));
207
208 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
209
210 FLOW_INITIALIZE(&f);
211 f.protoctx = (void *)&ssn;
212 f.proto = IPPROTO_TCP;
213 f.flags |= FLOW_IPV4;
214 p->flow = &f;
215 p->flowflags |= FLOW_PKT_TOSERVER;
216 p->flowflags |= FLOW_PKT_ESTABLISHED;
217 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
218 f.alproto = ALPROTO_HTTP1;
219
220 StreamTcpInitConfig(true);
221
222 de_ctx = DetectEngineCtxInit();
223 if (de_ctx == NULL)
224 goto end;
225
226 de_ctx->flags |= DE_QUIET;
227
228 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
229 "(msg:\"http header test\"; flow:to_server; "
230 "content:\"one\"; depth:15; http_raw_header; "
231 "sid:1;)");
232 if (de_ctx->sig_list == NULL)
233 goto end;
234
235 SigGroupBuild(de_ctx);
236 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
237
238 int r = AppLayerParserParse(
239 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
240 if (r != 0) {
241 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
242 result = 0;
243 goto end;
244 }
245
246 http_state = f.alstate;
247 if (http_state == NULL) {
248 printf("no http state: ");
249 result = 0;
250 goto end;
251 }
252
253 /* do detect */
254 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
255
256 if (!(PacketAlertCheck(p, 1))) {
257 printf("sid 1 didn't match but should have: ");
258 goto end;
259 }
260
261 result = 1;
262end:
263 if (alp_tctx != NULL)
264 AppLayerParserThreadCtxFree(alp_tctx);
265 if (de_ctx != NULL)
266 DetectEngineCtxFree(de_ctx);
267
268 StreamTcpFreeConfig(true);
269 FLOW_DESTROY(&f);
270 UTHFreePackets(&p, 1);
271 return result;
272}
273
274/**
275 *\test Test that the http_header content matches against a http request
276 * which holds the content.
277 */
278static int DetectEngineHttpRawHeaderTest03(void)
279{
280 TcpSession ssn;
281 Packet *p = NULL;
282 ThreadVars th_v;
283 DetectEngineCtx *de_ctx = NULL;
284 DetectEngineThreadCtx *det_ctx = NULL;
285 HtpState *http_state = NULL;
286 Flow f;
287 uint8_t http_buf[] =
288 "GET /index.html HTTP/1.0\r\n"
289 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
290 uint32_t http_len = sizeof(http_buf) - 1;
291 int result = 0;
292 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
293
294 memset(&th_v, 0, sizeof(th_v));
295 memset(&f, 0, sizeof(f));
296 memset(&ssn, 0, sizeof(ssn));
297
298 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
299
300 FLOW_INITIALIZE(&f);
301 f.protoctx = (void *)&ssn;
302 f.proto = IPPROTO_TCP;
303 f.flags |= FLOW_IPV4;
304 p->flow = &f;
305 p->flowflags |= FLOW_PKT_TOSERVER;
306 p->flowflags |= FLOW_PKT_ESTABLISHED;
307 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
308 f.alproto = ALPROTO_HTTP1;
309
310 StreamTcpInitConfig(true);
311
312 de_ctx = DetectEngineCtxInit();
313 if (de_ctx == NULL)
314 goto end;
315
316 de_ctx->flags |= DE_QUIET;
317
318 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
319 "(msg:\"http header test\"; flow:to_server; "
320 "content:!\"one\"; depth:5; http_raw_header; "
321 "sid:1;)");
322 if (de_ctx->sig_list == NULL)
323 goto end;
324
325 SigGroupBuild(de_ctx);
326 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
327
328 int r = AppLayerParserParse(
329 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
330 if (r != 0) {
331 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
332 result = 0;
333 goto end;
334 }
335
336 http_state = f.alstate;
337 if (http_state == NULL) {
338 printf("no http state: ");
339 result = 0;
340 goto end;
341 }
342
343 /* do detect */
344 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
345
346 if (!(PacketAlertCheck(p, 1))) {
347 printf("sid 1 didn't match but should have: ");
348 goto end;
349 }
350
351 result = 1;
352end:
353 if (alp_tctx != NULL)
354 AppLayerParserThreadCtxFree(alp_tctx);
355 if (de_ctx != NULL)
356 DetectEngineCtxFree(de_ctx);
357
358 StreamTcpFreeConfig(true);
359 FLOW_DESTROY(&f);
360 UTHFreePackets(&p, 1);
361 return result;
362}
363
364/**
365 *\test Test that the http_header content matches against a http request
366 * which holds the content.
367 */
368static int DetectEngineHttpRawHeaderTest04(void)
369{
370 TcpSession ssn;
371 Packet *p = NULL;
372 ThreadVars th_v;
373 DetectEngineCtx *de_ctx = NULL;
374 DetectEngineThreadCtx *det_ctx = NULL;
375 HtpState *http_state = NULL;
376 Flow f;
377 uint8_t http_buf[] =
378 "GET /index.html HTTP/1.0\r\n"
379 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
380 uint32_t http_len = sizeof(http_buf) - 1;
381 int result = 0;
382 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
383
384 memset(&th_v, 0, sizeof(th_v));
385 memset(&f, 0, sizeof(f));
386 memset(&ssn, 0, sizeof(ssn));
387
388 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
389
390 FLOW_INITIALIZE(&f);
391 f.protoctx = (void *)&ssn;
392 f.proto = IPPROTO_TCP;
393 f.flags |= FLOW_IPV4;
394 p->flow = &f;
395 p->flowflags |= FLOW_PKT_TOSERVER;
396 p->flowflags |= FLOW_PKT_ESTABLISHED;
397 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
398 f.alproto = ALPROTO_HTTP1;
399
400 StreamTcpInitConfig(true);
401
402 de_ctx = DetectEngineCtxInit();
403 if (de_ctx == NULL)
404 goto end;
405
406 de_ctx->flags |= DE_QUIET;
407
408 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
409 "(msg:\"http header test\"; flow:to_server; "
410 "content:\"one\"; depth:5; http_raw_header; "
411 "sid:1;)");
412 if (de_ctx->sig_list == NULL)
413 goto end;
414
415 SigGroupBuild(de_ctx);
416 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
417
418 int r = AppLayerParserParse(
419 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
420 if (r != 0) {
421 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
422 result = 0;
423 goto end;
424 }
425
426 http_state = f.alstate;
427 if (http_state == NULL) {
428 printf("no http state: ");
429 result = 0;
430 goto end;
431 }
432
433 /* do detect */
434 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
435
436 if (PacketAlertCheck(p, 1)) {
437 printf("sid 1 matched but shouldn't have: ");
438 goto end;
439 }
440
441 result = 1;
442end:
443 if (alp_tctx != NULL)
444 AppLayerParserThreadCtxFree(alp_tctx);
445 if (de_ctx != NULL)
446 DetectEngineCtxFree(de_ctx);
447
448 StreamTcpFreeConfig(true);
449 FLOW_DESTROY(&f);
450 UTHFreePackets(&p, 1);
451 return result;
452}
453
454/**
455 *\test Test that the http_header content matches against a http request
456 * which holds the content.
457 */
458static int DetectEngineHttpRawHeaderTest05(void)
459{
460 TcpSession ssn;
461 Packet *p = NULL;
462 ThreadVars th_v;
463 DetectEngineCtx *de_ctx = NULL;
464 DetectEngineThreadCtx *det_ctx = NULL;
465 HtpState *http_state = NULL;
466 Flow f;
467 uint8_t http_buf[] =
468 "GET /index.html HTTP/1.0\r\n"
469 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
470 uint32_t http_len = sizeof(http_buf) - 1;
471 int result = 0;
472 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
473
474 memset(&th_v, 0, sizeof(th_v));
475 memset(&f, 0, sizeof(f));
476 memset(&ssn, 0, sizeof(ssn));
477
478 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
479
480 FLOW_INITIALIZE(&f);
481 f.protoctx = (void *)&ssn;
482 f.proto = IPPROTO_TCP;
483 f.flags |= FLOW_IPV4;
484 p->flow = &f;
485 p->flowflags |= FLOW_PKT_TOSERVER;
486 p->flowflags |= FLOW_PKT_ESTABLISHED;
487 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
488 f.alproto = ALPROTO_HTTP1;
489
490 StreamTcpInitConfig(true);
491
492 de_ctx = DetectEngineCtxInit();
493 if (de_ctx == NULL)
494 goto end;
495
496 de_ctx->flags |= DE_QUIET;
497
498 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
499 "(msg:\"http header test\"; flow:to_server; "
500 "content:!\"one\"; depth:15; http_raw_header; "
501 "sid:1;)");
502 if (de_ctx->sig_list == NULL)
503 goto end;
504
505 SigGroupBuild(de_ctx);
506 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
507
508 int r = AppLayerParserParse(
509 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
510 if (r != 0) {
511 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
512 result = 0;
513 goto end;
514 }
515
516 http_state = f.alstate;
517 if (http_state == NULL) {
518 printf("no http state: ");
519 result = 0;
520 goto end;
521 }
522
523 /* do detect */
524 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
525
526 if (PacketAlertCheck(p, 1)) {
527 printf("sid 1 matched but shouldn't have: ");
528 goto end;
529 }
530
531 result = 1;
532end:
533 if (alp_tctx != NULL)
534 AppLayerParserThreadCtxFree(alp_tctx);
535 if (de_ctx != NULL)
536 DetectEngineCtxFree(de_ctx);
537
538 StreamTcpFreeConfig(true);
539 FLOW_DESTROY(&f);
540 UTHFreePackets(&p, 1);
541 return result;
542}
543
544/**
545 *\test Test that the http_header content matches against a http request
546 * which holds the content.
547 */
548static int DetectEngineHttpRawHeaderTest06(void)
549{
550 TcpSession ssn;
551 Packet *p = NULL;
552 ThreadVars th_v;
553 DetectEngineCtx *de_ctx = NULL;
554 DetectEngineThreadCtx *det_ctx = NULL;
555 HtpState *http_state = NULL;
556 Flow f;
557 uint8_t http_buf[] =
558 "GET /index.html HTTP/1.0\r\n"
559 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
560 uint32_t http_len = sizeof(http_buf) - 1;
561 int result = 0;
562 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
563
564 memset(&th_v, 0, sizeof(th_v));
565 memset(&f, 0, sizeof(f));
566 memset(&ssn, 0, sizeof(ssn));
567
568 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
569
570 FLOW_INITIALIZE(&f);
571 f.protoctx = (void *)&ssn;
572 f.proto = IPPROTO_TCP;
573 f.flags |= FLOW_IPV4;
574 p->flow = &f;
575 p->flowflags |= FLOW_PKT_TOSERVER;
576 p->flowflags |= FLOW_PKT_ESTABLISHED;
577 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
578 f.alproto = ALPROTO_HTTP1;
579
580 StreamTcpInitConfig(true);
581
582 de_ctx = DetectEngineCtxInit();
583 if (de_ctx == NULL)
584 goto end;
585
586 de_ctx->flags |= DE_QUIET;
587
588 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
589 "(msg:\"http header test\"; flow:to_server; "
590 "content:\"one\"; offset:10; http_raw_header; "
591 "sid:1;)");
592 if (de_ctx->sig_list == NULL)
593 goto end;
594
595 SigGroupBuild(de_ctx);
596 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
597
598 int r = AppLayerParserParse(
599 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
600 if (r != 0) {
601 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
602 result = 0;
603 goto end;
604 }
605
606 http_state = f.alstate;
607 if (http_state == NULL) {
608 printf("no http state: ");
609 result = 0;
610 goto end;
611 }
612
613 /* do detect */
614 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
615
616 if (!(PacketAlertCheck(p, 1))) {
617 printf("sid 1 didn't match but should have: ");
618 goto end;
619 }
620
621 result = 1;
622end:
623 if (alp_tctx != NULL)
624 AppLayerParserThreadCtxFree(alp_tctx);
625 if (de_ctx != NULL)
626 DetectEngineCtxFree(de_ctx);
627
628 StreamTcpFreeConfig(true);
629 FLOW_DESTROY(&f);
630 UTHFreePackets(&p, 1);
631 return result;
632}
633
634/**
635 *\test Test that the http_header content matches against a http request
636 * which holds the content.
637 */
638static int DetectEngineHttpRawHeaderTest07(void)
639{
640 TcpSession ssn;
641 Packet *p = NULL;
642 ThreadVars th_v;
643 DetectEngineCtx *de_ctx = NULL;
644 DetectEngineThreadCtx *det_ctx = NULL;
645 HtpState *http_state = NULL;
646 Flow f;
647 uint8_t http_buf[] =
648 "GET /index.html HTTP/1.0\r\n"
649 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
650 uint32_t http_len = sizeof(http_buf) - 1;
651 int result = 0;
652 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
653
654 memset(&th_v, 0, sizeof(th_v));
655 memset(&f, 0, sizeof(f));
656 memset(&ssn, 0, sizeof(ssn));
657
658 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
659
660 FLOW_INITIALIZE(&f);
661 f.protoctx = (void *)&ssn;
662 f.proto = IPPROTO_TCP;
663 f.flags |= FLOW_IPV4;
664 p->flow = &f;
665 p->flowflags |= FLOW_PKT_TOSERVER;
666 p->flowflags |= FLOW_PKT_ESTABLISHED;
667 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
668 f.alproto = ALPROTO_HTTP1;
669
670 StreamTcpInitConfig(true);
671
672 de_ctx = DetectEngineCtxInit();
673 if (de_ctx == NULL)
674 goto end;
675
676 de_ctx->flags |= DE_QUIET;
677
678 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
679 "(msg:\"http header test\"; flow:to_server; "
680 "content:!\"one\"; offset:15; http_raw_header; "
681 "sid:1;)");
682 if (de_ctx->sig_list == NULL)
683 goto end;
684
685 SigGroupBuild(de_ctx);
686 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
687
688 int r = AppLayerParserParse(
689 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
690 if (r != 0) {
691 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
692 result = 0;
693 goto end;
694 }
695
696 http_state = f.alstate;
697 if (http_state == NULL) {
698 printf("no http state: ");
699 result = 0;
700 goto end;
701 }
702
703 /* do detect */
704 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
705
706 if (!(PacketAlertCheck(p, 1))) {
707 printf("sid 1 didn't match but should have: ");
708 goto end;
709 }
710
711 result = 1;
712end:
713 if (alp_tctx != NULL)
714 AppLayerParserThreadCtxFree(alp_tctx);
715 if (de_ctx != NULL)
716 DetectEngineCtxFree(de_ctx);
717
718 StreamTcpFreeConfig(true);
719 FLOW_DESTROY(&f);
720 UTHFreePackets(&p, 1);
721 return result;
722}
723
724/**
725 *\test Test that the http_header content matches against a http request
726 * which holds the content.
727 */
728static int DetectEngineHttpRawHeaderTest08(void)
729{
730 TcpSession ssn;
731 Packet *p = NULL;
732 ThreadVars th_v;
733 DetectEngineCtx *de_ctx = NULL;
734 DetectEngineThreadCtx *det_ctx = NULL;
735 HtpState *http_state = NULL;
736 Flow f;
737 uint8_t http_buf[] =
738 "GET /index.html HTTP/1.0\r\n"
739 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
740 uint32_t http_len = sizeof(http_buf) - 1;
741 int result = 0;
742 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
743
744 memset(&th_v, 0, sizeof(th_v));
745 memset(&f, 0, sizeof(f));
746 memset(&ssn, 0, sizeof(ssn));
747
748 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
749
750 FLOW_INITIALIZE(&f);
751 f.protoctx = (void *)&ssn;
752 f.proto = IPPROTO_TCP;
753 f.flags |= FLOW_IPV4;
754 p->flow = &f;
755 p->flowflags |= FLOW_PKT_TOSERVER;
756 p->flowflags |= FLOW_PKT_ESTABLISHED;
757 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
758 f.alproto = ALPROTO_HTTP1;
759
760 StreamTcpInitConfig(true);
761
762 de_ctx = DetectEngineCtxInit();
763 if (de_ctx == NULL)
764 goto end;
765
766 de_ctx->flags |= DE_QUIET;
767
768 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
769 "(msg:\"http header test\"; flow:to_server; "
770 "content:\"one\"; offset:15; http_raw_header; "
771 "sid:1;)");
772 if (de_ctx->sig_list == NULL)
773 goto end;
774
775 SigGroupBuild(de_ctx);
776 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
777
778 int r = AppLayerParserParse(
779 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
780 if (r != 0) {
781 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
782 result = 0;
783 goto end;
784 }
785
786 http_state = f.alstate;
787 if (http_state == NULL) {
788 printf("no http state: ");
789 result = 0;
790 goto end;
791 }
792
793 /* do detect */
794 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
795
796 if (PacketAlertCheck(p, 1)) {
797 printf("sid 1 matched but shouldn't have: ");
798 goto end;
799 }
800
801 result = 1;
802end:
803 if (alp_tctx != NULL)
804 AppLayerParserThreadCtxFree(alp_tctx);
805 if (de_ctx != NULL)
806 DetectEngineCtxFree(de_ctx);
807
808 StreamTcpFreeConfig(true);
809 FLOW_DESTROY(&f);
810 UTHFreePackets(&p, 1);
811 return result;
812}
813
814/**
815 *\test Test that the http_header content matches against a http request
816 * which holds the content.
817 */
818static int DetectEngineHttpRawHeaderTest09(void)
819{
820 TcpSession ssn;
821 Packet *p = NULL;
822 ThreadVars th_v;
823 DetectEngineCtx *de_ctx = NULL;
824 DetectEngineThreadCtx *det_ctx = NULL;
825 HtpState *http_state = NULL;
826 Flow f;
827 uint8_t http_buf[] =
828 "GET /index.html HTTP/1.0\r\n"
829 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
830 uint32_t http_len = sizeof(http_buf) - 1;
831 int result = 0;
832 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
833
834 memset(&th_v, 0, sizeof(th_v));
835 memset(&f, 0, sizeof(f));
836 memset(&ssn, 0, sizeof(ssn));
837
838 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
839
840 FLOW_INITIALIZE(&f);
841 f.protoctx = (void *)&ssn;
842 f.proto = IPPROTO_TCP;
843 f.flags |= FLOW_IPV4;
844 p->flow = &f;
845 p->flowflags |= FLOW_PKT_TOSERVER;
846 p->flowflags |= FLOW_PKT_ESTABLISHED;
847 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
848 f.alproto = ALPROTO_HTTP1;
849
850 StreamTcpInitConfig(true);
851
852 de_ctx = DetectEngineCtxInit();
853 if (de_ctx == NULL)
854 goto end;
855
856 de_ctx->flags |= DE_QUIET;
857
858 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
859 "(msg:\"http header test\"; flow:to_server; "
860 "content:!\"one\"; offset:10; http_raw_header; "
861 "sid:1;)");
862 if (de_ctx->sig_list == NULL)
863 goto end;
864
865 SigGroupBuild(de_ctx);
866 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
867
868 int r = AppLayerParserParse(
869 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
870 if (r != 0) {
871 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
872 result = 0;
873 goto end;
874 }
875
876 http_state = f.alstate;
877 if (http_state == NULL) {
878 printf("no http state: ");
879 result = 0;
880 goto end;
881 }
882
883 /* do detect */
884 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
885
886 if (PacketAlertCheck(p, 1)) {
887 printf("sid 1 matched but shouldn't have: ");
888 goto end;
889 }
890
891 result = 1;
892end:
893 if (alp_tctx != NULL)
894 AppLayerParserThreadCtxFree(alp_tctx);
895 if (de_ctx != NULL)
896 DetectEngineCtxFree(de_ctx);
897
898 StreamTcpFreeConfig(true);
899 FLOW_DESTROY(&f);
900 UTHFreePackets(&p, 1);
901 return result;
902}
903
904/**
905 *\test Test that the http_header content matches against a http request
906 * which holds the content.
907 */
908static int DetectEngineHttpRawHeaderTest10(void)
909{
910 TcpSession ssn;
911 Packet *p = NULL;
912 ThreadVars th_v;
913 DetectEngineCtx *de_ctx = NULL;
914 DetectEngineThreadCtx *det_ctx = NULL;
915 HtpState *http_state = NULL;
916 Flow f;
917 uint8_t http_buf[] =
918 "GET /index.html HTTP/1.0\r\n"
919 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
920 uint32_t http_len = sizeof(http_buf) - 1;
921 int result = 0;
922 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
923
924 memset(&th_v, 0, sizeof(th_v));
925 memset(&f, 0, sizeof(f));
926 memset(&ssn, 0, sizeof(ssn));
927
928 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
929
930 FLOW_INITIALIZE(&f);
931 f.protoctx = (void *)&ssn;
932 f.proto = IPPROTO_TCP;
933 f.flags |= FLOW_IPV4;
934 p->flow = &f;
935 p->flowflags |= FLOW_PKT_TOSERVER;
936 p->flowflags |= FLOW_PKT_ESTABLISHED;
937 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
938 f.alproto = ALPROTO_HTTP1;
939
940 StreamTcpInitConfig(true);
941
942 de_ctx = DetectEngineCtxInit();
943 if (de_ctx == NULL)
944 goto end;
945
946 de_ctx->flags |= DE_QUIET;
947
948 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
949 "(msg:\"http header test\"; flow:to_server; "
950 "content:\"one\"; http_raw_header; content:\"three\"; http_raw_header; within:10; "
951 "sid:1;)");
952 if (de_ctx->sig_list == NULL)
953 goto end;
954
955 SigGroupBuild(de_ctx);
956 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
957
958 int r = AppLayerParserParse(
959 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
960 if (r != 0) {
961 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
962 result = 0;
963 goto end;
964 }
965
966 http_state = f.alstate;
967 if (http_state == NULL) {
968 printf("no http state: ");
969 result = 0;
970 goto end;
971 }
972
973 /* do detect */
974 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
975
976 if (!(PacketAlertCheck(p, 1))) {
977 printf("sid 1 didn't match but should have: ");
978 goto end;
979 }
980
981 result = 1;
982end:
983 if (alp_tctx != NULL)
984 AppLayerParserThreadCtxFree(alp_tctx);
985 if (de_ctx != NULL)
986 DetectEngineCtxFree(de_ctx);
987
988 StreamTcpFreeConfig(true);
989 FLOW_DESTROY(&f);
990 UTHFreePackets(&p, 1);
991 return result;
992}
993
994/**
995 *\test Test that the http_header content matches against a http request
996 * which holds the content.
997 */
998static int DetectEngineHttpRawHeaderTest11(void)
999{
1000 TcpSession ssn;
1001 Packet *p = NULL;
1002 ThreadVars th_v;
1003 DetectEngineCtx *de_ctx = NULL;
1004 DetectEngineThreadCtx *det_ctx = NULL;
1005 HtpState *http_state = NULL;
1006 Flow f;
1007 uint8_t http_buf[] =
1008 "GET /index.html HTTP/1.0\r\n"
1009 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1010 uint32_t http_len = sizeof(http_buf) - 1;
1011 int result = 0;
1012 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1013
1014 memset(&th_v, 0, sizeof(th_v));
1015 memset(&f, 0, sizeof(f));
1016 memset(&ssn, 0, sizeof(ssn));
1017
1018 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1019
1020 FLOW_INITIALIZE(&f);
1021 f.protoctx = (void *)&ssn;
1022 f.proto = IPPROTO_TCP;
1023 f.flags |= FLOW_IPV4;
1024 p->flow = &f;
1025 p->flowflags |= FLOW_PKT_TOSERVER;
1026 p->flowflags |= FLOW_PKT_ESTABLISHED;
1027 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1028 f.alproto = ALPROTO_HTTP1;
1029
1030 StreamTcpInitConfig(true);
1031
1032 de_ctx = DetectEngineCtxInit();
1033 if (de_ctx == NULL)
1034 goto end;
1035
1036 de_ctx->flags |= DE_QUIET;
1037
1038 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1039 "(msg:\"http header test\"; flow:to_server; "
1040 "content:\"one\"; http_raw_header; content:!\"three\"; http_raw_header; within:5; "
1041 "sid:1;)");
1042 if (de_ctx->sig_list == NULL)
1043 goto end;
1044
1045 SigGroupBuild(de_ctx);
1046 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1047
1048 int r = AppLayerParserParse(
1049 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1050 if (r != 0) {
1051 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1052 result = 0;
1053 goto end;
1054 }
1055
1056 http_state = f.alstate;
1057 if (http_state == NULL) {
1058 printf("no http state: ");
1059 result = 0;
1060 goto end;
1061 }
1062
1063 /* do detect */
1064 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1065
1066 if (!(PacketAlertCheck(p, 1))) {
1067 printf("sid 1 didn't match but should have: ");
1068 goto end;
1069 }
1070
1071 result = 1;
1072end:
1073 if (alp_tctx != NULL)
1074 AppLayerParserThreadCtxFree(alp_tctx);
1075 if (de_ctx != NULL)
1076 DetectEngineCtxFree(de_ctx);
1077
1078 StreamTcpFreeConfig(true);
1079 FLOW_DESTROY(&f);
1080 UTHFreePackets(&p, 1);
1081 return result;
1082}
1083
1084/**
1085 *\test Test that the http_header content matches against a http request
1086 * which holds the content.
1087 */
1088static int DetectEngineHttpRawHeaderTest12(void)
1089{
1090 TcpSession ssn;
1091 Packet *p = NULL;
1092 ThreadVars th_v;
1093 DetectEngineCtx *de_ctx = NULL;
1094 DetectEngineThreadCtx *det_ctx = NULL;
1095 HtpState *http_state = NULL;
1096 Flow f;
1097 uint8_t http_buf[] =
1098 "GET /index.html HTTP/1.0\r\n"
1099 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1100 uint32_t http_len = sizeof(http_buf) - 1;
1101 int result = 0;
1102 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1103
1104 memset(&th_v, 0, sizeof(th_v));
1105 memset(&f, 0, sizeof(f));
1106 memset(&ssn, 0, sizeof(ssn));
1107
1108 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1109
1110 FLOW_INITIALIZE(&f);
1111 f.protoctx = (void *)&ssn;
1112 f.proto = IPPROTO_TCP;
1113 f.flags |= FLOW_IPV4;
1114 p->flow = &f;
1115 p->flowflags |= FLOW_PKT_TOSERVER;
1116 p->flowflags |= FLOW_PKT_ESTABLISHED;
1117 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1118 f.alproto = ALPROTO_HTTP1;
1119
1120 StreamTcpInitConfig(true);
1121
1122 de_ctx = DetectEngineCtxInit();
1123 if (de_ctx == NULL)
1124 goto end;
1125
1126 de_ctx->flags |= DE_QUIET;
1127
1128 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1129 "(msg:\"http header test\"; flow:to_server; "
1130 "content:\"one\"; http_raw_header; content:!\"three\"; http_raw_header; within:10; "
1131 "sid:1;)");
1132 if (de_ctx->sig_list == NULL)
1133 goto end;
1134
1135 SigGroupBuild(de_ctx);
1136 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1137
1138 int r = AppLayerParserParse(
1139 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1140 if (r != 0) {
1141 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1142 result = 0;
1143 goto end;
1144 }
1145
1146 http_state = f.alstate;
1147 if (http_state == NULL) {
1148 printf("no http state: ");
1149 result = 0;
1150 goto end;
1151 }
1152
1153 /* do detect */
1154 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1155
1156 if (PacketAlertCheck(p, 1)) {
1157 printf("sid 1 matched but shouldn't have: ");
1158 goto end;
1159 }
1160
1161 result = 1;
1162end:
1163 if (alp_tctx != NULL)
1164 AppLayerParserThreadCtxFree(alp_tctx);
1165 if (de_ctx != NULL)
1166 DetectEngineCtxFree(de_ctx);
1167
1168 StreamTcpFreeConfig(true);
1169 FLOW_DESTROY(&f);
1170 UTHFreePackets(&p, 1);
1171 return result;
1172}
1173
1174/**
1175 *\test Test that the http_header content matches against a http request
1176 * which holds the content.
1177 */
1178static int DetectEngineHttpRawHeaderTest13(void)
1179{
1180 TcpSession ssn;
1181 Packet *p = NULL;
1182 ThreadVars th_v;
1183 DetectEngineCtx *de_ctx = NULL;
1184 DetectEngineThreadCtx *det_ctx = NULL;
1185 HtpState *http_state = NULL;
1186 Flow f;
1187 uint8_t http_buf[] =
1188 "GET /index.html HTTP/1.0\r\n"
1189 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1190 uint32_t http_len = sizeof(http_buf) - 1;
1191 int result = 0;
1192 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1193
1194 memset(&th_v, 0, sizeof(th_v));
1195 memset(&f, 0, sizeof(f));
1196 memset(&ssn, 0, sizeof(ssn));
1197
1198 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1199
1200 FLOW_INITIALIZE(&f);
1201 f.protoctx = (void *)&ssn;
1202 f.proto = IPPROTO_TCP;
1203 f.flags |= FLOW_IPV4;
1204 p->flow = &f;
1205 p->flowflags |= FLOW_PKT_TOSERVER;
1206 p->flowflags |= FLOW_PKT_ESTABLISHED;
1207 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1208 f.alproto = ALPROTO_HTTP1;
1209
1210 StreamTcpInitConfig(true);
1211
1212 de_ctx = DetectEngineCtxInit();
1213 if (de_ctx == NULL)
1214 goto end;
1215
1216 de_ctx->flags |= DE_QUIET;
1217
1218 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1219 "(msg:\"http header test\"; flow:to_server; "
1220 "content:\"one\"; http_raw_header; content:\"three\"; http_raw_header; within:5; "
1221 "sid:1;)");
1222 if (de_ctx->sig_list == NULL)
1223 goto end;
1224
1225 SigGroupBuild(de_ctx);
1226 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1227
1228 int r = AppLayerParserParse(
1229 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1230 if (r != 0) {
1231 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1232 result = 0;
1233 goto end;
1234 }
1235
1236 http_state = f.alstate;
1237 if (http_state == NULL) {
1238 printf("no http state: ");
1239 result = 0;
1240 goto end;
1241 }
1242
1243 /* do detect */
1244 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1245
1246 if (PacketAlertCheck(p, 1)) {
1247 printf("sid 1 matched but shouldn't have: ");
1248 goto end;
1249 }
1250
1251 result = 1;
1252end:
1253 if (alp_tctx != NULL)
1254 AppLayerParserThreadCtxFree(alp_tctx);
1255 if (de_ctx != NULL)
1256 DetectEngineCtxFree(de_ctx);
1257
1258 StreamTcpFreeConfig(true);
1259 FLOW_DESTROY(&f);
1260 UTHFreePackets(&p, 1);
1261 return result;
1262}
1263
1264/**
1265 *\test Test that the http_header content matches against a http request
1266 * which holds the content.
1267 */
1268static int DetectEngineHttpRawHeaderTest14(void)
1269{
1270 TcpSession ssn;
1271 Packet *p = NULL;
1272 ThreadVars th_v;
1273 DetectEngineCtx *de_ctx = NULL;
1274 DetectEngineThreadCtx *det_ctx = NULL;
1275 HtpState *http_state = NULL;
1276 Flow f;
1277 uint8_t http_buf[] =
1278 "GET /index.html HTTP/1.0\r\n"
1279 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1280 uint32_t http_len = sizeof(http_buf) - 1;
1281 int result = 0;
1282 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1283
1284 memset(&th_v, 0, sizeof(th_v));
1285 memset(&f, 0, sizeof(f));
1286 memset(&ssn, 0, sizeof(ssn));
1287
1288 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1289
1290 FLOW_INITIALIZE(&f);
1291 f.protoctx = (void *)&ssn;
1292 f.proto = IPPROTO_TCP;
1293 f.flags |= FLOW_IPV4;
1294 p->flow = &f;
1295 p->flowflags |= FLOW_PKT_TOSERVER;
1296 p->flowflags |= FLOW_PKT_ESTABLISHED;
1297 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1298 f.alproto = ALPROTO_HTTP1;
1299
1300 StreamTcpInitConfig(true);
1301
1302 de_ctx = DetectEngineCtxInit();
1303 if (de_ctx == NULL)
1304 goto end;
1305
1306 de_ctx->flags |= DE_QUIET;
1307
1308 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1309 "(msg:\"http header test\"; flow:to_server; "
1310 "content:\"one\"; http_raw_header; content:\"five\"; http_raw_header; distance:7; "
1311 "sid:1;)");
1312 if (de_ctx->sig_list == NULL)
1313 goto end;
1314
1315 SigGroupBuild(de_ctx);
1316 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1317
1318 int r = AppLayerParserParse(
1319 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1320 if (r != 0) {
1321 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1322 result = 0;
1323 goto end;
1324 }
1325
1326 http_state = f.alstate;
1327 if (http_state == NULL) {
1328 printf("no http state: ");
1329 result = 0;
1330 goto end;
1331 }
1332
1333 /* do detect */
1334 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1335
1336 if (!(PacketAlertCheck(p, 1))) {
1337 printf("sid 1 didn't match but should have: ");
1338 goto end;
1339 }
1340
1341 result = 1;
1342end:
1343 if (alp_tctx != NULL)
1344 AppLayerParserThreadCtxFree(alp_tctx);
1345 if (de_ctx != NULL)
1346 DetectEngineCtxFree(de_ctx);
1347
1348 StreamTcpFreeConfig(true);
1349 FLOW_DESTROY(&f);
1350 UTHFreePackets(&p, 1);
1351 return result;
1352}
1353
1354/**
1355 *\test Test that the http_header content matches against a http request
1356 * which holds the content.
1357 */
1358static int DetectEngineHttpRawHeaderTest15(void)
1359{
1360 TcpSession ssn;
1361 Packet *p = NULL;
1362 ThreadVars th_v;
1363 DetectEngineCtx *de_ctx = NULL;
1364 DetectEngineThreadCtx *det_ctx = NULL;
1365 HtpState *http_state = NULL;
1366 Flow f;
1367 uint8_t http_buf[] =
1368 "GET /index.html HTTP/1.0\r\n"
1369 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1370 uint32_t http_len = sizeof(http_buf) - 1;
1371 int result = 0;
1372 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1373
1374 memset(&th_v, 0, sizeof(th_v));
1375 memset(&f, 0, sizeof(f));
1376 memset(&ssn, 0, sizeof(ssn));
1377
1378 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1379
1380 FLOW_INITIALIZE(&f);
1381 f.protoctx = (void *)&ssn;
1382 f.proto = IPPROTO_TCP;
1383 f.flags |= FLOW_IPV4;
1384 p->flow = &f;
1385 p->flowflags |= FLOW_PKT_TOSERVER;
1386 p->flowflags |= FLOW_PKT_ESTABLISHED;
1387 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1388 f.alproto = ALPROTO_HTTP1;
1389
1390 StreamTcpInitConfig(true);
1391
1392 de_ctx = DetectEngineCtxInit();
1393 if (de_ctx == NULL)
1394 goto end;
1395
1396 de_ctx->flags |= DE_QUIET;
1397
1398 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1399 "(msg:\"http header test\"; flow:to_server; "
1400 "content:\"one\"; http_raw_header; content:!\"five\"; http_raw_header; distance:15; "
1401 "sid:1;)");
1402 if (de_ctx->sig_list == NULL)
1403 goto end;
1404
1405 SigGroupBuild(de_ctx);
1406 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1407
1408 int r = AppLayerParserParse(
1409 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1410 if (r != 0) {
1411 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1412 result = 0;
1413 goto end;
1414 }
1415
1416 http_state = f.alstate;
1417 if (http_state == NULL) {
1418 printf("no http state: ");
1419 result = 0;
1420 goto end;
1421 }
1422
1423 /* do detect */
1424 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1425
1426 if (!(PacketAlertCheck(p, 1))) {
1427 printf("sid 1 didn't match but should have: ");
1428 goto end;
1429 }
1430
1431 result = 1;
1432end:
1433 if (alp_tctx != NULL)
1434 AppLayerParserThreadCtxFree(alp_tctx);
1435 if (de_ctx != NULL)
1436 DetectEngineCtxFree(de_ctx);
1437
1438 StreamTcpFreeConfig(true);
1439 FLOW_DESTROY(&f);
1440 UTHFreePackets(&p, 1);
1441 return result;
1442}
1443
1444/**
1445 *\test Test that the http_header content matches against a http request
1446 * which holds the content.
1447 */
1448static int DetectEngineHttpRawHeaderTest16(void)
1449{
1450 TcpSession ssn;
1451 Packet *p = NULL;
1452 ThreadVars th_v;
1453 DetectEngineCtx *de_ctx = NULL;
1454 DetectEngineThreadCtx *det_ctx = NULL;
1455 HtpState *http_state = NULL;
1456 Flow f;
1457 uint8_t http_buf[] =
1458 "GET /index.html HTTP/1.0\r\n"
1459 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1460 uint32_t http_len = sizeof(http_buf) - 1;
1461 int result = 0;
1462 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1463
1464 memset(&th_v, 0, sizeof(th_v));
1465 memset(&f, 0, sizeof(f));
1466 memset(&ssn, 0, sizeof(ssn));
1467
1468 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1469
1470 FLOW_INITIALIZE(&f);
1471 f.protoctx = (void *)&ssn;
1472 f.proto = IPPROTO_TCP;
1473 f.flags |= FLOW_IPV4;
1474 p->flow = &f;
1475 p->flowflags |= FLOW_PKT_TOSERVER;
1476 p->flowflags |= FLOW_PKT_ESTABLISHED;
1477 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1478 f.alproto = ALPROTO_HTTP1;
1479
1480 StreamTcpInitConfig(true);
1481
1482 de_ctx = DetectEngineCtxInit();
1483 if (de_ctx == NULL)
1484 goto end;
1485
1486 de_ctx->flags |= DE_QUIET;
1487
1488 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1489 "(msg:\"http header test\"; flow:to_server; "
1490 "content:\"one\"; http_raw_header; content:!\"five\"; http_raw_header; distance:7; "
1491 "sid:1;)");
1492 if (de_ctx->sig_list == NULL)
1493 goto end;
1494
1495 SigGroupBuild(de_ctx);
1496 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1497
1498 int r = AppLayerParserParse(
1499 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1500 if (r != 0) {
1501 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1502 result = 0;
1503 goto end;
1504 }
1505
1506 http_state = f.alstate;
1507 if (http_state == NULL) {
1508 printf("no http state: ");
1509 result = 0;
1510 goto end;
1511 }
1512
1513 /* do detect */
1514 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1515
1516 if (PacketAlertCheck(p, 1)) {
1517 printf("sid 1 matched but shouldn't have: ");
1518 goto end;
1519 }
1520
1521 result = 1;
1522end:
1523 if (alp_tctx != NULL)
1524 AppLayerParserThreadCtxFree(alp_tctx);
1525 if (de_ctx != NULL)
1526 DetectEngineCtxFree(de_ctx);
1527
1528 StreamTcpFreeConfig(true);
1529 FLOW_DESTROY(&f);
1530 UTHFreePackets(&p, 1);
1531 return result;
1532}
1533
1534/**
1535 *\test Test that the http_header content matches against a http request
1536 * which holds the content.
1537 */
1538static int DetectEngineHttpRawHeaderTest17(void)
1539{
1540 TcpSession ssn;
1541 Packet *p = NULL;
1542 ThreadVars th_v;
1543 DetectEngineCtx *de_ctx = NULL;
1544 DetectEngineThreadCtx *det_ctx = NULL;
1545 HtpState *http_state = NULL;
1546 Flow f;
1547 uint8_t http_buf[] =
1548 "GET /index.html HTTP/1.0\r\n"
1549 "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
1550 uint32_t http_len = sizeof(http_buf) - 1;
1551 int result = 0;
1552 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1553
1554 memset(&th_v, 0, sizeof(th_v));
1555 memset(&f, 0, sizeof(f));
1556 memset(&ssn, 0, sizeof(ssn));
1557
1558 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1559
1560 FLOW_INITIALIZE(&f);
1561 f.protoctx = (void *)&ssn;
1562 f.proto = IPPROTO_TCP;
1563 f.flags |= FLOW_IPV4;
1564 p->flow = &f;
1565 p->flowflags |= FLOW_PKT_TOSERVER;
1566 p->flowflags |= FLOW_PKT_ESTABLISHED;
1567 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1568 f.alproto = ALPROTO_HTTP1;
1569
1570 StreamTcpInitConfig(true);
1571
1572 de_ctx = DetectEngineCtxInit();
1573 if (de_ctx == NULL)
1574 goto end;
1575
1576 de_ctx->flags |= DE_QUIET;
1577
1578 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1579 "(msg:\"http header test\"; flow:to_server; "
1580 "content:\"one\"; http_raw_header; content:\"five\"; http_raw_header; distance:15; "
1581 "sid:1;)");
1582 if (de_ctx->sig_list == NULL)
1583 goto end;
1584
1585 SigGroupBuild(de_ctx);
1586 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1587
1588 int r = AppLayerParserParse(
1589 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1590 if (r != 0) {
1591 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1592 result = 0;
1593 goto end;
1594 }
1595
1596 http_state = f.alstate;
1597 if (http_state == NULL) {
1598 printf("no http state: ");
1599 result = 0;
1600 goto end;
1601 }
1602
1603 /* do detect */
1604 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1605
1606 if (PacketAlertCheck(p, 1)) {
1607 printf("sid 1 matched but shouldn't have: ");
1608 goto end;
1609 }
1610
1611 result = 1;
1612end:
1613 if (alp_tctx != NULL)
1614 AppLayerParserThreadCtxFree(alp_tctx);
1615 if (de_ctx != NULL)
1616 DetectEngineCtxFree(de_ctx);
1617
1618 StreamTcpFreeConfig(true);
1619 FLOW_DESTROY(&f);
1620 UTHFreePackets(&p, 1);
1621 return result;
1622}
1623
1624static int DetectEngineHttpRawHeaderTest20(void)
1625{
1626 TcpSession ssn;
1627 ThreadVars th_v;
1628 DetectEngineThreadCtx *det_ctx = NULL;
1629 Flow f;
1630 uint8_t http1_buf[] =
1631 "GET /index.html HTTP/1.0\r\n"
1632 "Host: This_is_dummy_body1";
1633 uint8_t http2_buf[] =
1634 "This_is_dummy_message_body2\r\n"
1635 "\r\n";
1636 uint32_t http1_len = sizeof(http1_buf) - 1;
1637 uint32_t http2_len = sizeof(http2_buf) - 1;
1638 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1639 FAIL_IF_NULL(alp_tctx);
1640
1641 memset(&th_v, 0, sizeof(th_v));
1642 memset(&f, 0, sizeof(f));
1643 memset(&ssn, 0, sizeof(ssn));
1644
1645 Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1646 FAIL_IF_NULL(p1);
1647 Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1648 FAIL_IF_NULL(p2);
1649
1650 FLOW_INITIALIZE(&f);
1651 f.protoctx = (void *)&ssn;
1652 f.proto = IPPROTO_TCP;
1653 f.flags |= FLOW_IPV4;
1654
1655 p1->flow = &f;
1656 p1->flowflags |= FLOW_PKT_TOSERVER;
1657 p1->flowflags |= FLOW_PKT_ESTABLISHED;
1658 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1659 p2->flow = &f;
1660 p2->flowflags |= FLOW_PKT_TOSERVER;
1661 p2->flowflags |= FLOW_PKT_ESTABLISHED;
1662 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1663 f.alproto = ALPROTO_HTTP1;
1664
1665 StreamTcpInitConfig(true);
1666
1667 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1668 FAIL_IF_NULL(de_ctx);
1669 de_ctx->flags |= DE_QUIET;
1670
1671 Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1672 "(flow:to_server; pcre:/body1/D; "
1673 "content:!\"dummy\"; http_raw_header; within:7; "
1674 "sid:1;)");
1675 FAIL_IF_NULL(s);
1676
1677 SigGroupBuild(de_ctx);
1678 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1679 FAIL_IF_NULL(det_ctx);
1680
1681 int r = AppLayerParserParse(
1682 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
1683 FAIL_IF_NOT(r == 0);
1684
1685 HtpState *http_state = f.alstate;
1686 FAIL_IF_NULL(http_state);
1687
1688 /* do detect */
1689 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1690 FAIL_IF(PacketAlertCheck(p1, 1));
1691
1692 r = AppLayerParserParse(
1693 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
1694 FAIL_IF_NOT(r == 0);
1695
1696 /* do detect */
1697 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1698
1699 FAIL_IF(!PacketAlertCheck(p2, 1));
1700
1701 AppLayerParserThreadCtxFree(alp_tctx);
1702 DetectEngineCtxFree(de_ctx);
1703
1704 StreamTcpFreeConfig(true);
1705 FLOW_DESTROY(&f);
1706 UTHFreePackets(&p1, 1);
1707 UTHFreePackets(&p2, 1);
1708
1709 PASS;
1710}
1711
1712static int DetectEngineHttpRawHeaderTest21(void)
1713{
1714 TcpSession ssn;
1715 Packet *p1 = NULL;
1716 Packet *p2 = NULL;
1717 ThreadVars th_v;
1718 DetectEngineCtx *de_ctx = NULL;
1719 DetectEngineThreadCtx *det_ctx = NULL;
1720 HtpState *http_state = NULL;
1721 Flow f;
1722 uint8_t http1_buf[] =
1723 "GET /index.html HTTP/1.0\r\n"
1724 "Host: This_is_dummy_body1";
1725 uint8_t http2_buf[] =
1726 "This_is_dummy_message_body2\r\n"
1727 "\r\n";
1728 uint32_t http1_len = sizeof(http1_buf) - 1;
1729 uint32_t http2_len = sizeof(http2_buf) - 1;
1730 int result = 0;
1731 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1732
1733 memset(&th_v, 0, sizeof(th_v));
1734 memset(&f, 0, sizeof(f));
1735 memset(&ssn, 0, sizeof(ssn));
1736
1737 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1738 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1739
1740 FLOW_INITIALIZE(&f);
1741 f.protoctx = (void *)&ssn;
1742 f.proto = IPPROTO_TCP;
1743 f.flags |= FLOW_IPV4;
1744
1745 p1->flow = &f;
1746 p1->flowflags |= FLOW_PKT_TOSERVER;
1747 p1->flowflags |= FLOW_PKT_ESTABLISHED;
1748 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1749 p2->flow = &f;
1750 p2->flowflags |= FLOW_PKT_TOSERVER;
1751 p2->flowflags |= FLOW_PKT_ESTABLISHED;
1752 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1753 f.alproto = ALPROTO_HTTP1;
1754
1755 StreamTcpInitConfig(true);
1756
1757 de_ctx = DetectEngineCtxInit();
1758 if (de_ctx == NULL)
1759 goto end;
1760
1761 de_ctx->flags |= DE_QUIET;
1762
1763 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1764 "(msg:\"http client body test\"; flow:to_server; "
1765 "pcre:/body1/D; "
1766 "content:!\"dummy\"; within:7; http_raw_header; "
1767 "sid:1;)");
1768 if (de_ctx->sig_list == NULL)
1769 goto end;
1770
1771 SigGroupBuild(de_ctx);
1772 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1773
1774 int r = AppLayerParserParse(
1775 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
1776 if (r != 0) {
1777 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1778 result = 0;
1779 goto end;
1780 }
1781
1782 http_state = f.alstate;
1783 if (http_state == NULL) {
1784 printf("no http state: \n");
1785 result = 0;
1786 goto end;
1787 }
1788
1789 /* do detect */
1790 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1791
1792 if (PacketAlertCheck(p1, 1)) {
1793 printf("sid 1 matched but shouldn't have\n");
1794 goto end;
1795 }
1796
1797 r = AppLayerParserParse(
1798 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
1799 if (r != 0) {
1800 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1801 result = 0;
1802 goto end;
1803 }
1804
1805 /* do detect */
1806 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1807
1808 if (!PacketAlertCheck(p2, 1)) {
1809 printf("sid 1 didn't match but shouldn't have");
1810 goto end;
1811 }
1812
1813 result = 1;
1814
1815end:
1816 if (alp_tctx != NULL)
1817 AppLayerParserThreadCtxFree(alp_tctx);
1818 if (de_ctx != NULL)
1819 DetectEngineCtxFree(de_ctx);
1820
1821 StreamTcpFreeConfig(true);
1822 FLOW_DESTROY(&f);
1823 UTHFreePackets(&p1, 1);
1824 UTHFreePackets(&p2, 1);
1825 return result;
1826}
1827
1828static int DetectEngineHttpRawHeaderTest22(void)
1829{
1830 TcpSession ssn;
1831 Packet *p1 = NULL;
1832 Packet *p2 = NULL;
1833 ThreadVars th_v;
1834 DetectEngineCtx *de_ctx = NULL;
1835 DetectEngineThreadCtx *det_ctx = NULL;
1836 HtpState *http_state = NULL;
1837 Flow f;
1838 uint8_t http1_buf[] =
1839 "GET /index.html HTTP/1.0\r\n"
1840 "Host: This_is_dummy_body1";
1841 uint8_t http2_buf[] =
1842 "This_is_dummy_message_body2\r\n"
1843 "\r\n";
1844 uint32_t http1_len = sizeof(http1_buf) - 1;
1845 uint32_t http2_len = sizeof(http2_buf) - 1;
1846 int result = 0;
1847 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1848
1849 memset(&th_v, 0, sizeof(th_v));
1850 memset(&f, 0, sizeof(f));
1851 memset(&ssn, 0, sizeof(ssn));
1852
1853 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1854 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1855
1856 FLOW_INITIALIZE(&f);
1857 f.protoctx = (void *)&ssn;
1858 f.proto = IPPROTO_TCP;
1859 f.flags |= FLOW_IPV4;
1860
1861 p1->flow = &f;
1862 p1->flowflags |= FLOW_PKT_TOSERVER;
1863 p1->flowflags |= FLOW_PKT_ESTABLISHED;
1864 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1865 p2->flow = &f;
1866 p2->flowflags |= FLOW_PKT_TOSERVER;
1867 p2->flowflags |= FLOW_PKT_ESTABLISHED;
1868 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1869 f.alproto = ALPROTO_HTTP1;
1870
1871 StreamTcpInitConfig(true);
1872
1873 de_ctx = DetectEngineCtxInit();
1874 if (de_ctx == NULL)
1875 goto end;
1876
1877 de_ctx->flags |= DE_QUIET;
1878
1879 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1880 "(msg:\"http client body test\"; flow:to_server; "
1881 "pcre:/body1/D; "
1882 "content:!\"dummy\"; distance:3; http_raw_header; "
1883 "sid:1;)");
1884 if (de_ctx->sig_list == NULL)
1885 goto end;
1886
1887 SigGroupBuild(de_ctx);
1888 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1889
1890 int r = AppLayerParserParse(
1891 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
1892 if (r != 0) {
1893 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1894 result = 0;
1895 goto end;
1896 }
1897
1898 http_state = f.alstate;
1899 if (http_state == NULL) {
1900 printf("no http state: \n");
1901 result = 0;
1902 goto end;
1903 }
1904
1905 /* do detect */
1906 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1907
1908 if (PacketAlertCheck(p1, 1)) {
1909 printf("sid 1 matched but shouldn't have\n");
1910 goto end;
1911 }
1912
1913 r = AppLayerParserParse(
1914 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
1915 if (r != 0) {
1916 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1917 result = 0;
1918 goto end;
1919 }
1920
1921 /* do detect */
1922 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1923
1924 if (PacketAlertCheck(p2, 1)) {
1925 printf("sid 1 matched but shouldn't have");
1926 goto end;
1927 }
1928
1929 result = 1;
1930
1931end:
1932 if (alp_tctx != NULL)
1933 AppLayerParserThreadCtxFree(alp_tctx);
1934 if (de_ctx != NULL)
1935 DetectEngineCtxFree(de_ctx);
1936
1937 StreamTcpFreeConfig(true);
1938 FLOW_DESTROY(&f);
1939 UTHFreePackets(&p1, 1);
1940 UTHFreePackets(&p2, 1);
1941 return result;
1942}
1943
1944static int DetectEngineHttpRawHeaderTest23(void)
1945{
1946 TcpSession ssn;
1947 Packet *p1 = NULL;
1948 Packet *p2 = NULL;
1949 ThreadVars th_v;
1950 DetectEngineCtx *de_ctx = NULL;
1951 DetectEngineThreadCtx *det_ctx = NULL;
1952 HtpState *http_state = NULL;
1953 Flow f;
1954 uint8_t http1_buf[] =
1955 "GET /index.html HTTP/1.0\r\n"
1956 "Host: This_is_dummy_body1";
1957 uint8_t http2_buf[] =
1958 "This_is_dummy_message_body2\r\n"
1959 "\r\n";
1960 uint32_t http1_len = sizeof(http1_buf) - 1;
1961 uint32_t http2_len = sizeof(http2_buf) - 1;
1962 int result = 0;
1963 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1964
1965 memset(&th_v, 0, sizeof(th_v));
1966 memset(&f, 0, sizeof(f));
1967 memset(&ssn, 0, sizeof(ssn));
1968
1969 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1970 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1971
1972 FLOW_INITIALIZE(&f);
1973 f.protoctx = (void *)&ssn;
1974 f.proto = IPPROTO_TCP;
1975 f.flags |= FLOW_IPV4;
1976
1977 p1->flow = &f;
1978 p1->flowflags |= FLOW_PKT_TOSERVER;
1979 p1->flowflags |= FLOW_PKT_ESTABLISHED;
1980 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1981 p2->flow = &f;
1982 p2->flowflags |= FLOW_PKT_TOSERVER;
1983 p2->flowflags |= FLOW_PKT_ESTABLISHED;
1984 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1985 f.alproto = ALPROTO_HTTP1;
1986
1987 StreamTcpInitConfig(true);
1988
1989 de_ctx = DetectEngineCtxInit();
1990 if (de_ctx == NULL)
1991 goto end;
1992
1993 de_ctx->flags |= DE_QUIET;
1994
1995 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1996 "(msg:\"http client body test\"; flow:to_server; "
1997 "pcre:/body1/D; "
1998 "content:!\"dummy\"; distance:13; http_raw_header; "
1999 "sid:1;)");
2000 if (de_ctx->sig_list == NULL)
2001 goto end;
2002
2003 SigGroupBuild(de_ctx);
2004 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2005
2006 int r = AppLayerParserParse(
2007 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2008 if (r != 0) {
2009 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2010 result = 0;
2011 goto end;
2012 }
2013
2014 http_state = f.alstate;
2015 if (http_state == NULL) {
2016 printf("no http state: \n");
2017 result = 0;
2018 goto end;
2019 }
2020
2021 /* do detect */
2022 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2023
2024 if (PacketAlertCheck(p1, 1)) {
2025 printf("sid 1 matched but shouldn't have\n");
2026 goto end;
2027 }
2028
2029 r = AppLayerParserParse(
2030 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
2031 if (r != 0) {
2032 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2033 result = 0;
2034 goto end;
2035 }
2036
2037 /* do detect */
2038 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2039
2040 if (!PacketAlertCheck(p2, 1)) {
2041 printf("sid 1 didn't match but should have");
2042 goto end;
2043 }
2044
2045 result = 1;
2046
2047end:
2048 if (alp_tctx != NULL)
2049 AppLayerParserThreadCtxFree(alp_tctx);
2050 if (de_ctx != NULL)
2051 DetectEngineCtxFree(de_ctx);
2052
2053 StreamTcpFreeConfig(true);
2054 FLOW_DESTROY(&f);
2055 UTHFreePackets(&p1, 1);
2056 UTHFreePackets(&p2, 1);
2057 return result;
2058}
2059
2060static int DetectEngineHttpRawHeaderTest24(void)
2061{
2062 TcpSession ssn;
2063 Packet *p1 = NULL;
2064 Packet *p2 = NULL;
2065 ThreadVars th_v;
2066 DetectEngineCtx *de_ctx = NULL;
2067 DetectEngineThreadCtx *det_ctx = NULL;
2068 HtpState *http_state = NULL;
2069 Flow f;
2070 uint8_t http1_buf[] =
2071 "GET /index.html HTTP/1.0\r\n"
2072 "Host: This_is_dummy_body1";
2073 uint8_t http2_buf[] =
2074 "This_is_dummy_message_body2\r\n"
2075 "\r\n";
2076 uint32_t http1_len = sizeof(http1_buf) - 1;
2077 uint32_t http2_len = sizeof(http2_buf) - 1;
2078 int result = 0;
2079 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2080
2081 memset(&th_v, 0, sizeof(th_v));
2082 memset(&f, 0, sizeof(f));
2083 memset(&ssn, 0, sizeof(ssn));
2084
2085 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2086 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2087
2088 FLOW_INITIALIZE(&f);
2089 f.protoctx = (void *)&ssn;
2090 f.proto = IPPROTO_TCP;
2091 f.flags |= FLOW_IPV4;
2092
2093 p1->flow = &f;
2094 p1->flowflags |= FLOW_PKT_TOSERVER;
2095 p1->flowflags |= FLOW_PKT_ESTABLISHED;
2096 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2097 p2->flow = &f;
2098 p2->flowflags |= FLOW_PKT_TOSERVER;
2099 p2->flowflags |= FLOW_PKT_ESTABLISHED;
2100 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2101 f.alproto = ALPROTO_HTTP1;
2102
2103 StreamTcpInitConfig(true);
2104
2105 de_ctx = DetectEngineCtxInit();
2106 if (de_ctx == NULL)
2107 goto end;
2108
2109 de_ctx->flags |= DE_QUIET;
2110
2111 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2112 "(msg:\"http client body test\"; flow:to_server; "
2113 "pcre:/body1/D; "
2114 "content:\"dummy\"; within:15; http_raw_header; "
2115 "sid:1;)");
2116 if (de_ctx->sig_list == NULL)
2117 goto end;
2118
2119 SigGroupBuild(de_ctx);
2120 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2121
2122 int r = AppLayerParserParse(
2123 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2124 if (r != 0) {
2125 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2126 result = 0;
2127 goto end;
2128 }
2129
2130 http_state = f.alstate;
2131 if (http_state == NULL) {
2132 printf("no http state: \n");
2133 result = 0;
2134 goto end;
2135 }
2136
2137 /* do detect */
2138 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2139
2140 if (PacketAlertCheck(p1, 1)) {
2141 printf("sid 1 matched but shouldn't have\n");
2142 goto end;
2143 }
2144
2145 r = AppLayerParserParse(
2146 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
2147 if (r != 0) {
2148 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2149 result = 0;
2150 goto end;
2151 }
2152
2153 /* do detect */
2154 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2155
2156 if (!PacketAlertCheck(p2, 1)) {
2157 printf("sid 1 didn't match but should have");
2158 goto end;
2159 }
2160
2161 result = 1;
2162
2163end:
2164 if (alp_tctx != NULL)
2165 AppLayerParserThreadCtxFree(alp_tctx);
2166 if (de_ctx != NULL)
2167 DetectEngineCtxFree(de_ctx);
2168
2169 StreamTcpFreeConfig(true);
2170 FLOW_DESTROY(&f);
2171 UTHFreePackets(&p1, 1);
2172 UTHFreePackets(&p2, 1);
2173 return result;
2174}
2175
2176static int DetectEngineHttpRawHeaderTest25(void)
2177{
2178 TcpSession ssn;
2179 Packet *p1 = NULL;
2180 Packet *p2 = NULL;
2181 ThreadVars th_v;
2182 DetectEngineCtx *de_ctx = NULL;
2183 DetectEngineThreadCtx *det_ctx = NULL;
2184 HtpState *http_state = NULL;
2185 Flow f;
2186 uint8_t http1_buf[] =
2187 "GET /index.html HTTP/1.0\r\n"
2188 "Host: This_is_dummy_body1";
2189 uint8_t http2_buf[] =
2190 "This_is_dummy_message_body2\r\n"
2191 "\r\n";
2192 uint32_t http1_len = sizeof(http1_buf) - 1;
2193 uint32_t http2_len = sizeof(http2_buf) - 1;
2194 int result = 0;
2195 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2196
2197 memset(&th_v, 0, sizeof(th_v));
2198 memset(&f, 0, sizeof(f));
2199 memset(&ssn, 0, sizeof(ssn));
2200
2201 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2202 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2203
2204 FLOW_INITIALIZE(&f);
2205 f.protoctx = (void *)&ssn;
2206 f.proto = IPPROTO_TCP;
2207 f.flags |= FLOW_IPV4;
2208
2209 p1->flow = &f;
2210 p1->flowflags |= FLOW_PKT_TOSERVER;
2211 p1->flowflags |= FLOW_PKT_ESTABLISHED;
2212 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2213 p2->flow = &f;
2214 p2->flowflags |= FLOW_PKT_TOSERVER;
2215 p2->flowflags |= FLOW_PKT_ESTABLISHED;
2216 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2217 f.alproto = ALPROTO_HTTP1;
2218
2219 StreamTcpInitConfig(true);
2220
2221 de_ctx = DetectEngineCtxInit();
2222 if (de_ctx == NULL)
2223 goto end;
2224
2225 de_ctx->flags |= DE_QUIET;
2226
2227 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2228 "(msg:\"http client body test\"; flow:to_server; "
2229 "pcre:/body1/D; "
2230 "content:\"dummy\"; within:10; http_raw_header; "
2231 "sid:1;)");
2232 if (de_ctx->sig_list == NULL)
2233 goto end;
2234
2235 SigGroupBuild(de_ctx);
2236 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2237
2238 int r = AppLayerParserParse(
2239 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2240 if (r != 0) {
2241 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2242 result = 0;
2243 goto end;
2244 }
2245
2246 http_state = f.alstate;
2247 if (http_state == NULL) {
2248 printf("no http state: \n");
2249 result = 0;
2250 goto end;
2251 }
2252
2253 /* do detect */
2254 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2255
2256 if (PacketAlertCheck(p1, 1)) {
2257 printf("sid 1 matched but shouldn't have\n");
2258 goto end;
2259 }
2260
2261 r = AppLayerParserParse(
2262 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
2263 if (r != 0) {
2264 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2265 result = 0;
2266 goto end;
2267 }
2268
2269 /* do detect */
2270 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2271
2272 if (PacketAlertCheck(p2, 1)) {
2273 printf("sid 1 matched but shouldn't have");
2274 goto end;
2275 }
2276
2277 result = 1;
2278
2279end:
2280 if (alp_tctx != NULL)
2281 AppLayerParserThreadCtxFree(alp_tctx);
2282 if (de_ctx != NULL)
2283 DetectEngineCtxFree(de_ctx);
2284
2285 StreamTcpFreeConfig(true);
2286 FLOW_DESTROY(&f);
2287 UTHFreePackets(&p1, 1);
2288 UTHFreePackets(&p2, 1);
2289 return result;
2290}
2291
2292static int DetectEngineHttpRawHeaderTest26(void)
2293{
2294 TcpSession ssn;
2295 Packet *p1 = NULL;
2296 Packet *p2 = NULL;
2297 ThreadVars th_v;
2298 DetectEngineCtx *de_ctx = NULL;
2299 DetectEngineThreadCtx *det_ctx = NULL;
2300 HtpState *http_state = NULL;
2301 Flow f;
2302 uint8_t http1_buf[] =
2303 "GET /index.html HTTP/1.0\r\n"
2304 "Host: This_is_dummy_body1";
2305 uint8_t http2_buf[] =
2306 "This_is_dummy_message_body2\r\n"
2307 "\r\n";
2308 uint32_t http1_len = sizeof(http1_buf) - 1;
2309 uint32_t http2_len = sizeof(http2_buf) - 1;
2310 int result = 0;
2311 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2312
2313 memset(&th_v, 0, sizeof(th_v));
2314 memset(&f, 0, sizeof(f));
2315 memset(&ssn, 0, sizeof(ssn));
2316
2317 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2318 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2319
2320 FLOW_INITIALIZE(&f);
2321 f.protoctx = (void *)&ssn;
2322 f.proto = IPPROTO_TCP;
2323 f.flags |= FLOW_IPV4;
2324
2325 p1->flow = &f;
2326 p1->flowflags |= FLOW_PKT_TOSERVER;
2327 p1->flowflags |= FLOW_PKT_ESTABLISHED;
2328 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2329 p2->flow = &f;
2330 p2->flowflags |= FLOW_PKT_TOSERVER;
2331 p2->flowflags |= FLOW_PKT_ESTABLISHED;
2332 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2333 f.alproto = ALPROTO_HTTP1;
2334
2335 StreamTcpInitConfig(true);
2336
2337 de_ctx = DetectEngineCtxInit();
2338 if (de_ctx == NULL)
2339 goto end;
2340
2341 de_ctx->flags |= DE_QUIET;
2342
2343 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2344 "(msg:\"http client body test\"; flow:to_server; "
2345 "pcre:/body1/D; "
2346 "content:\"dummy\"; distance:8; http_raw_header; "
2347 "sid:1;)");
2348 if (de_ctx->sig_list == NULL)
2349 goto end;
2350
2351 SigGroupBuild(de_ctx);
2352 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2353
2354 int r = AppLayerParserParse(
2355 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2356 if (r != 0) {
2357 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2358 result = 0;
2359 goto end;
2360 }
2361
2362 http_state = f.alstate;
2363 if (http_state == NULL) {
2364 printf("no http state: \n");
2365 result = 0;
2366 goto end;
2367 }
2368
2369 /* do detect */
2370 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2371
2372 if (PacketAlertCheck(p1, 1)) {
2373 printf("sid 1 matched but shouldn't have\n");
2374 goto end;
2375 }
2376
2377 r = AppLayerParserParse(
2378 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
2379 if (r != 0) {
2380 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2381 result = 0;
2382 goto end;
2383 }
2384
2385 /* do detect */
2386 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2387
2388 if (!PacketAlertCheck(p2, 1)) {
2389 printf("sid 1 didn't match but should have");
2390 goto end;
2391 }
2392
2393 result = 1;
2394
2395end:
2396 if (de_ctx != NULL)
2397 DetectEngineCtxFree(de_ctx);
2398
2399 StreamTcpFreeConfig(true);
2400 FLOW_DESTROY(&f);
2401 UTHFreePackets(&p1, 1);
2402 UTHFreePackets(&p2, 1);
2403 return result;
2404}
2405
2406static int DetectEngineHttpRawHeaderTest27(void)
2407{
2408 TcpSession ssn;
2409 Packet *p1 = NULL;
2410 Packet *p2 = NULL;
2411 ThreadVars th_v;
2412 DetectEngineCtx *de_ctx = NULL;
2413 DetectEngineThreadCtx *det_ctx = NULL;
2414 HtpState *http_state = NULL;
2415 Flow f;
2416 uint8_t http1_buf[] =
2417 "GET /index.html HTTP/1.0\r\n"
2418 "Host: This_is_dummy_body1";
2419 uint8_t http2_buf[] =
2420 "This_is_dummy_message_body2\r\n"
2421 "\r\n";
2422 uint32_t http1_len = sizeof(http1_buf) - 1;
2423 uint32_t http2_len = sizeof(http2_buf) - 1;
2424 int result = 0;
2425 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2426
2427 memset(&th_v, 0, sizeof(th_v));
2428 memset(&f, 0, sizeof(f));
2429 memset(&ssn, 0, sizeof(ssn));
2430
2431 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2432 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2433
2434 FLOW_INITIALIZE(&f);
2435 f.protoctx = (void *)&ssn;
2436 f.proto = IPPROTO_TCP;
2437 f.flags |= FLOW_IPV4;
2438
2439 p1->flow = &f;
2440 p1->flowflags |= FLOW_PKT_TOSERVER;
2441 p1->flowflags |= FLOW_PKT_ESTABLISHED;
2442 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2443 p2->flow = &f;
2444 p2->flowflags |= FLOW_PKT_TOSERVER;
2445 p2->flowflags |= FLOW_PKT_ESTABLISHED;
2446 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2447 f.alproto = ALPROTO_HTTP1;
2448
2449 StreamTcpInitConfig(true);
2450
2451 de_ctx = DetectEngineCtxInit();
2452 if (de_ctx == NULL)
2453 goto end;
2454
2455 de_ctx->flags |= DE_QUIET;
2456
2457 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2458 "(msg:\"http client body test\"; flow:to_server; "
2459 "pcre:/body1/D; "
2460 "content:\"dummy\"; distance:14; http_raw_header; "
2461 "sid:1;)");
2462 if (de_ctx->sig_list == NULL)
2463 goto end;
2464
2465 SigGroupBuild(de_ctx);
2466 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2467
2468 int r = AppLayerParserParse(
2469 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2470 if (r != 0) {
2471 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2472 result = 0;
2473 goto end;
2474 }
2475
2476 http_state = f.alstate;
2477 if (http_state == NULL) {
2478 printf("no http state: \n");
2479 result = 0;
2480 goto end;
2481 }
2482
2483 /* do detect */
2484 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2485
2486 if (PacketAlertCheck(p1, 1)) {
2487 printf("sid 1 matched but shouldn't have\n");
2488 goto end;
2489 }
2490
2491 r = AppLayerParserParse(
2492 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
2493 if (r != 0) {
2494 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2495 result = 0;
2496 goto end;
2497 }
2498
2499 /* do detect */
2500 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2501
2502 if (PacketAlertCheck(p2, 1)) {
2503 printf("sid 1 matched but shouldn't have");
2504 goto end;
2505 }
2506
2507 result = 1;
2508
2509end:
2510 if (alp_tctx != NULL)
2511 AppLayerParserThreadCtxFree(alp_tctx);
2512 if (de_ctx != NULL)
2513 DetectEngineCtxFree(de_ctx);
2514
2515 StreamTcpFreeConfig(true);
2516 FLOW_DESTROY(&f);
2517 UTHFreePackets(&p1, 1);
2518 UTHFreePackets(&p2, 1);
2519 return result;
2520}
2521
2522static int DetectEngineHttpRawHeaderTest28(void)
2523{
2524 TcpSession ssn;
2525 Packet *p1 = NULL;
2526 Packet *p2 = NULL;
2527 ThreadVars th_v;
2528 DetectEngineCtx *de_ctx = NULL;
2529 DetectEngineThreadCtx *det_ctx = NULL;
2530 HtpState *http_state = NULL;
2531 Flow f;
2532 uint8_t http_buf1[] =
2533 "GET /index.html HTTP/1.0\r\n"
2534 "Host: www.openinfosecfoundation.org\r\n"
2535 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2536 "\r\n";
2537 uint32_t http_buf1_len = sizeof(http_buf1) - 1;
2538 uint8_t http_buf2[] =
2539 "HTTP/1.0 200 ok\r\n"
2540 "Content-Type: text/html\r\n"
2541 "Content-Length: 6\r\n"
2542 "\r\n"
2543 "abcdef";
2544 uint32_t http_buf2_len = sizeof(http_buf2) - 1;
2545 int result = 0;
2546 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2547
2548 memset(&th_v, 0, sizeof(th_v));
2549 memset(&f, 0, sizeof(f));
2550 memset(&ssn, 0, sizeof(ssn));
2551
2552 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2553 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2554
2555 FLOW_INITIALIZE(&f);
2556 f.protoctx = (void *)&ssn;
2557 f.proto = IPPROTO_TCP;
2558 f.flags |= FLOW_IPV4;
2559
2560 p1->flow = &f;
2561 p1->flowflags |= FLOW_PKT_TOSERVER;
2562 p1->flowflags |= FLOW_PKT_ESTABLISHED;
2563 p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2564 p2->flow = &f;
2565 p2->flowflags |= FLOW_PKT_TOCLIENT;
2566 p2->flowflags |= FLOW_PKT_ESTABLISHED;
2567 p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2568 f.alproto = ALPROTO_HTTP1;
2569
2570 StreamTcpInitConfig(true);
2571
2572 de_ctx = DetectEngineCtxInit();
2573 if (de_ctx == NULL)
2574 goto end;
2575
2576 de_ctx->flags |= DE_QUIET;
2577
2578 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2579 "(msg:\"http header test\"; flow:to_client; "
2580 "content:\"Content-Length: 6\"; http_raw_header; "
2581 "sid:1;)");
2582 if (de_ctx->sig_list == NULL)
2583 goto end;
2584
2585 SigGroupBuild(de_ctx);
2586 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2587
2588 int r = AppLayerParserParse(
2589 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
2590 if (r != 0) {
2591 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2592 result = 0;
2593 goto end;
2594 }
2595
2596 http_state = f.alstate;
2597 if (http_state == NULL) {
2598 printf("no http state: \n");
2599 result = 0;
2600 goto end;
2601 }
2602
2603 /* do detect */
2604 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2605
2606 if (PacketAlertCheck(p1, 1)) {
2607 printf("sid 1 matched but shouldn't have\n");
2608 goto end;
2609 }
2610
2611 r = AppLayerParserParse(
2612 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_buf2_len);
2613 if (r != 0) {
2614 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2615 result = 0;
2616 goto end;
2617 }
2618
2619 /* do detect */
2620 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2621
2622 if (!PacketAlertCheck(p2, 1)) {
2623 printf("sid 1 didn't match but should have");
2624 goto end;
2625 }
2626
2627 result = 1;
2628
2629end:
2630 if (alp_tctx != NULL)
2631 AppLayerParserThreadCtxFree(alp_tctx);
2632 if (de_ctx != NULL)
2633 DetectEngineCtxFree(de_ctx);
2634
2635 StreamTcpFreeConfig(true);
2636 FLOW_DESTROY(&f);
2637 UTHFreePackets(&p1, 1);
2638 UTHFreePackets(&p2, 1);
2639 return result;
2640}
2641
2642static int DetectEngineHttpRawHeaderTest29(void)
2643{
2644 TcpSession ssn;
2645 Packet *p1 = NULL;
2646 Packet *p2 = NULL;
2647 ThreadVars th_v;
2648 DetectEngineCtx *de_ctx = NULL;
2649 DetectEngineThreadCtx *det_ctx = NULL;
2650 HtpState *http_state = NULL;
2651 Flow f;
2652 uint8_t http_buf1[] =
2653 "GET /index.html HTTP/1.0\r\n"
2654 "Host: www.openinfosecfoundation.org\r\n"
2655 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
2656 "\r\n";
2657 uint32_t http_buf1_len = sizeof(http_buf1) - 1;
2658 uint8_t http_buf2[] =
2659 "HTTP/1.0 200 ok\r\n"
2660 "Content-Type: text/html\r\n"
2661 "Content-Length: 6\r\n"
2662 "\r\n"
2663 "abcdef";
2664 uint32_t http_buf2_len = sizeof(http_buf2) - 1;
2665 int result = 0;
2666 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2667
2668 memset(&th_v, 0, sizeof(th_v));
2669 memset(&f, 0, sizeof(f));
2670 memset(&ssn, 0, sizeof(ssn));
2671
2672 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2673 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2674
2675 FLOW_INITIALIZE(&f);
2676 f.protoctx = (void *)&ssn;
2677 f.proto = IPPROTO_TCP;
2678 f.flags |= FLOW_IPV4;
2679
2680 p1->flow = &f;
2681 p1->flowflags |= FLOW_PKT_TOSERVER;
2682 p1->flowflags |= FLOW_PKT_ESTABLISHED;
2683 p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2684 p2->flow = &f;
2685 p2->flowflags |= FLOW_PKT_TOCLIENT;
2686 p2->flowflags |= FLOW_PKT_ESTABLISHED;
2687 p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2688 f.alproto = ALPROTO_HTTP1;
2689
2690 StreamTcpInitConfig(true);
2691
2692 de_ctx = DetectEngineCtxInit();
2693 if (de_ctx == NULL)
2694 goto end;
2695
2696 de_ctx->flags |= DE_QUIET;
2697
2698 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2699 "(msg:\"http header test\"; flow:to_client; "
2700 "content:\"Content-Length: 7\"; http_raw_header; "
2701 "sid:1;)");
2702 if (de_ctx->sig_list == NULL)
2703 goto end;
2704
2705 SigGroupBuild(de_ctx);
2706 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2707
2708 int r = AppLayerParserParse(
2709 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
2710 if (r != 0) {
2711 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2712 result = 0;
2713 goto end;
2714 }
2715
2716 http_state = f.alstate;
2717 if (http_state == NULL) {
2718 printf("no http state: \n");
2719 result = 0;
2720 goto end;
2721 }
2722
2723 /* do detect */
2724 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2725
2726 if (PacketAlertCheck(p1, 1)) {
2727 printf("sid 1 matched but shouldn't have\n");
2728 goto end;
2729 }
2730
2731 r = AppLayerParserParse(
2732 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_buf2_len);
2733 if (r != 0) {
2734 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2735 result = 0;
2736 goto end;
2737 }
2738
2739 /* do detect */
2740 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2741
2742 if (PacketAlertCheck(p2, 1)) {
2743 printf("sid 1 matched but shouldn't have");
2744 goto end;
2745 }
2746
2747 result = 1;
2748
2749end:
2750 if (alp_tctx != NULL)
2751 AppLayerParserThreadCtxFree(alp_tctx);
2752 if (de_ctx != NULL)
2753 DetectEngineCtxFree(de_ctx);
2754
2755 StreamTcpFreeConfig(true);
2756 FLOW_DESTROY(&f);
2757 UTHFreePackets(&p1, 1);
2758 UTHFreePackets(&p2, 1);
2759 return result;
2760}
2761
2762#if 0
2763
2764static int DetectEngineHttpRawHeaderTest30(void)
2765{
2766 int result = 0;
2767 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2768
2769 if (de_ctx == NULL) {
2770 goto end;
2771 }
2772
2773 de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
2774 "(msg:\"http header test\"; "
2775 "content:\"Content-Length: 6\"; http_raw_header; "
2776 "content:\"User-Agent: Mozilla\"; http_raw_header; "
2777 "sid:1;)");
2778 if (de_ctx->sig_list != NULL) {
2779 goto end;
2780 }
2781
2782 result = 1;
2783
2784 end:
2785 if (de_ctx != NULL)
2786 SigCleanSignatures(de_ctx);
2787 if (de_ctx != NULL)
2788 DetectEngineCtxFree(de_ctx);
2789 return result;
2790}
2791
2792#endif /* #if 0 */
2793
2794/**
2795 * \test Trailing headers.
2796 */
2797static int DetectEngineHttpRawHeaderTest31(void)
2798{
2799 TcpSession ssn;
2800 Packet *p1 = NULL;
2801 ThreadVars th_v;
2802 DetectEngineCtx *de_ctx = NULL;
2803 DetectEngineThreadCtx *det_ctx = NULL;
2804 HtpState *http_state = NULL;
2805 Flow f;
2806 uint8_t http1_buf[] =
2807 "GET /index.html HTTP/1.0\r\n"
2808 "host: boom\r\n"
2809 "Transfer-Encoding: chunked\r\n"
2810 "\r\n"
2811 "13\r\n"
2812 "This is dummy body1\r\n"
2813 "0\r\n"
2814 "Dummy-Header: kaboom\r\n"
2815 "\r\n";
2816 uint32_t http1_len = sizeof(http1_buf) - 1;
2817 int result = 0;
2818 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2819
2820 memset(&th_v, 0, sizeof(th_v));
2821 memset(&f, 0, sizeof(f));
2822 memset(&ssn, 0, sizeof(ssn));
2823
2824 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2825
2826 FLOW_INITIALIZE(&f);
2827 f.protoctx = (void *)&ssn;
2828 f.proto = IPPROTO_TCP;
2829 f.flags |= FLOW_IPV4;
2830
2831 p1->flow = &f;
2832 p1->flowflags |= FLOW_PKT_TOSERVER;
2833 p1->flowflags |= FLOW_PKT_ESTABLISHED;
2834 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2835 f.alproto = ALPROTO_HTTP1;
2836
2837 StreamTcpInitConfig(true);
2838
2839 de_ctx = DetectEngineCtxInit();
2840 if (de_ctx == NULL)
2841 goto end;
2842
2843 de_ctx->flags |= DE_QUIET;
2844
2845 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2846 "(flow:to_server; "
2847 "content:\"Dummy\"; http_raw_header; "
2848 "sid:1;)");
2849 if (de_ctx->sig_list == NULL)
2850 goto end;
2851
2852 SigGroupBuild(de_ctx);
2853 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2854
2855 int r = AppLayerParserParse(
2856 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2857 if (r != 0) {
2858 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2859 result = 0;
2860 goto end;
2861 }
2862
2863 http_state = f.alstate;
2864 if (http_state == NULL) {
2865 printf("no http state: \n");
2866 result = 0;
2867 goto end;
2868 }
2869
2870 /* do detect */
2871 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2872
2873 if (!(PacketAlertCheck(p1, 1))) {
2874 printf("sid 1 didn't match but should have: ");
2875 goto end;
2876 }
2877
2878 result = 1;
2879
2880end:
2881 if (alp_tctx != NULL)
2882 AppLayerParserThreadCtxFree(alp_tctx);
2883 if (de_ctx != NULL)
2884 DetectEngineCtxFree(de_ctx);
2885
2886 StreamTcpFreeConfig(true);
2887 FLOW_DESTROY(&f);
2888 UTHFreePackets(&p1, 1);
2889 return result;
2890}
2891
2892/**
2893 * \test Trailing headers.
2894 */
2895static int DetectEngineHttpRawHeaderTest32(void)
2896{
2897 TcpSession ssn;
2898 Packet *p1 = NULL;
2899 Packet *p2 = NULL;
2900 ThreadVars th_v;
2901 DetectEngineCtx *de_ctx = NULL;
2902 DetectEngineThreadCtx *det_ctx = NULL;
2903 HtpState *http_state = NULL;
2904 Flow f;
2905 uint8_t http1_buf[] =
2906 "GET /index.html HTTP/1.0\r\n"
2907 "host: boom\r\n"
2908 "Transfer-Encoding: chunked\r\n"
2909 "\r\n"
2910 "13\r\n"
2911 "This is dummy body1\r\n"
2912 "0\r\n";
2913 uint8_t http2_buf[] =
2914 "Dummy-Header: kaboom\r\n"
2915 "\r\n";
2916 uint32_t http1_len = sizeof(http1_buf) - 1;
2917 uint32_t http2_len = sizeof(http2_buf) - 1;
2918 int result = 0;
2919 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2920
2921 memset(&th_v, 0, sizeof(th_v));
2922 memset(&f, 0, sizeof(f));
2923 memset(&ssn, 0, sizeof(ssn));
2924
2925 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2926 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2927
2928 FLOW_INITIALIZE(&f);
2929 f.protoctx = (void *)&ssn;
2930 f.proto = IPPROTO_TCP;
2931 f.flags |= FLOW_IPV4;
2932
2933 p1->flow = &f;
2934 p1->flowflags |= FLOW_PKT_TOSERVER;
2935 p1->flowflags |= FLOW_PKT_ESTABLISHED;
2936 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2937 p2->flow = &f;
2938 p2->flowflags |= FLOW_PKT_TOSERVER;
2939 p2->flowflags |= FLOW_PKT_ESTABLISHED;
2940 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2941 f.alproto = ALPROTO_HTTP1;
2942
2943 StreamTcpInitConfig(true);
2944
2945 de_ctx = DetectEngineCtxInit();
2946 if (de_ctx == NULL)
2947 goto end;
2948
2949 de_ctx->flags |= DE_QUIET;
2950
2951 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
2952 "(flow:to_server; "
2953 "content:\"Dummy\"; http_raw_header; "
2954 "sid:1;)");
2955 if (de_ctx->sig_list == NULL)
2956 goto end;
2957
2958 SigGroupBuild(de_ctx);
2959 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2960
2961 int r = AppLayerParserParse(
2962 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
2963 if (r != 0) {
2964 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2965 result = 0;
2966 goto end;
2967 }
2968
2969 http_state = f.alstate;
2970 if (http_state == NULL) {
2971 printf("no http state: \n");
2972 result = 0;
2973 goto end;
2974 }
2975
2976 /* do detect */
2977 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2978
2979 if (PacketAlertCheck(p1, 1)) {
2980 printf("sid 1 matched but shouldn't have\n");
2981 goto end;
2982 }
2983
2984 r = AppLayerParserParse(
2985 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
2986 if (r != 0) {
2987 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
2988 result = 0;
2989 goto end;
2990 }
2991
2992 /* do detect */
2993 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2994
2995 if (!PacketAlertCheck(p2, 1)) {
2996 printf("sid 1 didn't match but should have\n");
2997 goto end;
2998 }
2999
3000 result = 1;
3001
3002end:
3003 if (alp_tctx != NULL)
3004 AppLayerParserThreadCtxFree(alp_tctx);
3005 if (de_ctx != NULL)
3006 DetectEngineCtxFree(de_ctx);
3007
3008 StreamTcpFreeConfig(true);
3009 FLOW_DESTROY(&f);
3010 UTHFreePackets(&p1, 1);
3011 UTHFreePackets(&p2, 1);
3012 return result;
3013}
3014
3015/**
3016 *\test Test that the http_header content matches against a http request
3017 * which holds the content.
3018 */
3019static int DetectHttpRawHeaderTest06(void)
3020{
3021 TcpSession ssn;
3022 Packet *p = NULL;
3023 ThreadVars th_v;
3024 DetectEngineCtx *de_ctx = NULL;
3025 DetectEngineThreadCtx *det_ctx = NULL;
3026 HtpState *http_state = NULL;
3027 Flow f;
3028 uint8_t http_buf[] =
3029 "GET /index.html HTTP/1.0\r\n"
3030 "Host: www.openinfosecfoundation.org\r\n"
3031 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3032 "Content-Type: text/html\r\n"
3033 "Content-Length: 26\r\n"
3034 "\r\n"
3035 "This is dummy message body\r\n";
3036 uint32_t http_len = sizeof(http_buf) - 1;
3037 int result = 0;
3038 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3039
3040 memset(&th_v, 0, sizeof(th_v));
3041 memset(&f, 0, sizeof(f));
3042 memset(&ssn, 0, sizeof(ssn));
3043
3044 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3045
3046 FLOW_INITIALIZE(&f);
3047 f.protoctx = (void *)&ssn;
3048 f.proto = IPPROTO_TCP;
3049 f.flags |= FLOW_IPV4;
3050 p->flow = &f;
3051 p->flowflags |= FLOW_PKT_TOSERVER;
3052 p->flowflags |= FLOW_PKT_ESTABLISHED;
3053 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3054 f.alproto = ALPROTO_HTTP1;
3055
3056 StreamTcpInitConfig(true);
3057
3058 de_ctx = DetectEngineCtxInit();
3059 if (de_ctx == NULL)
3060 goto end;
3061
3062 de_ctx->flags |= DE_QUIET;
3063
3064 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3065 "(msg:\"http header test\"; flow:to_server; "
3066 "content:\"Content-Type: text/html\"; http_raw_header; "
3067 "sid:1;)");
3068 if (de_ctx->sig_list == NULL)
3069 goto end;
3070
3071 SigGroupBuild(de_ctx);
3072 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3073
3074 int r = AppLayerParserParse(
3075 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
3076 if (r != 0) {
3077 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3078 result = 0;
3079 goto end;
3080 }
3081
3082 http_state = f.alstate;
3083 if (http_state == NULL) {
3084 printf("no http state: ");
3085 result = 0;
3086 goto end;
3087 }
3088
3089 /* do detect */
3090 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3091
3092 if (!(PacketAlertCheck(p, 1))) {
3093 printf("sid 1 didn't match but should have: ");
3094 goto end;
3095 }
3096
3097 result = 1;
3098end:
3099 if (alp_tctx != NULL)
3100 AppLayerParserThreadCtxFree(alp_tctx);
3101 if (de_ctx != NULL)
3102 DetectEngineCtxFree(de_ctx);
3103
3104 StreamTcpFreeConfig(true);
3105 FLOW_DESTROY(&f);
3106 UTHFreePackets(&p, 1);
3107 return result;
3108}
3109
3110/**
3111 *\test Test that the http_header content matches against a http request
3112 * which holds the content.
3113 */
3114static int DetectHttpRawHeaderTest07(void)
3115{
3116 TcpSession ssn;
3117 Packet *p1 = NULL;
3118 Packet *p2 = NULL;
3119 ThreadVars th_v;
3120 DetectEngineCtx *de_ctx = NULL;
3121 DetectEngineThreadCtx *det_ctx = NULL;
3122 HtpState *http_state = NULL;
3123 Flow f;
3124 uint8_t http1_buf[] =
3125 "GET /index.html HTTP/1.0\r\n"
3126 "Host: www.openinfosecfoundation.org\r\n"
3127 "User-Agent: Mozi";
3128 uint8_t http2_buf[] =
3129 "lla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\nContent-Type: text/html\r\n"
3130 "Content-Length: 67\r\n"
3131 "\r\n"
3132 "This is dummy message body1";
3133 uint32_t http1_len = sizeof(http1_buf) - 1;
3134 uint32_t http2_len = sizeof(http2_buf) - 1;
3135 int result = 0;
3136 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3137
3138 memset(&th_v, 0, sizeof(th_v));
3139 memset(&f, 0, sizeof(f));
3140 memset(&ssn, 0, sizeof(ssn));
3141
3142 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3143 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3144
3145 FLOW_INITIALIZE(&f);
3146 f.protoctx = (void *)&ssn;
3147 f.proto = IPPROTO_TCP;
3148 f.flags |= FLOW_IPV4;
3149 p1->flow = &f;
3150 p1->flowflags |= FLOW_PKT_TOSERVER;
3151 p1->flowflags |= FLOW_PKT_ESTABLISHED;
3152 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3153 p2->flow = &f;
3154 p2->flowflags |= FLOW_PKT_TOSERVER;
3155 p2->flowflags |= FLOW_PKT_ESTABLISHED;
3156 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3157 f.alproto = ALPROTO_HTTP1;
3158
3159 StreamTcpInitConfig(true);
3160
3161 de_ctx = DetectEngineCtxInit();
3162 if (de_ctx == NULL)
3163 goto end;
3164
3165 de_ctx->flags |= DE_QUIET;
3166
3167 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3168 "(msg:\"http header test\"; flow:to_server; "
3169 "content:\"Mozilla\"; http_raw_header; "
3170 "sid:1;)");
3171 if (de_ctx->sig_list == NULL)
3172 goto end;
3173
3174 SigGroupBuild(de_ctx);
3175 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3176
3177 int r = AppLayerParserParse(
3178 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3179 if (r != 0) {
3180 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3181 result = 0;
3182 goto end;
3183 }
3184
3185 http_state = f.alstate;
3186 if (http_state == NULL) {
3187 printf("no http state: ");
3188 result = 0;
3189 goto end;
3190 }
3191
3192 /* do detect */
3193 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3194
3195 if ( (PacketAlertCheck(p1, 1))) {
3196 printf("sid 1 matched but shouldn't have: ");
3197 goto end;
3198 }
3199
3200 r = AppLayerParserParse(
3201 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3202 if (r != 0) {
3203 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3204 result = 0;
3205 goto end;
3206 }
3207
3208 /* do detect */
3209 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3210
3211 if (!(PacketAlertCheck(p2, 1))) {
3212 printf("sid 1 didn't match but should have: ");
3213 goto end;
3214 }
3215
3216 result = 1;
3217end:
3218 if (alp_tctx != NULL)
3219 AppLayerParserThreadCtxFree(alp_tctx);
3220 if (de_ctx != NULL)
3221 DetectEngineCtxFree(de_ctx);
3222
3223 StreamTcpFreeConfig(true);
3224 FLOW_DESTROY(&f);
3225 UTHFreePackets(&p1, 1);
3226 UTHFreePackets(&p2, 1);
3227 return result;
3228}
3229
3230/**
3231 *\test Test that the http_header content matches against a http request
3232 * which holds the content.
3233 */
3234static int DetectHttpRawHeaderTest08(void)
3235{
3236 TcpSession ssn;
3237 Packet *p1 = NULL;
3238 Packet *p2 = NULL;
3239 ThreadVars th_v;
3240 DetectEngineCtx *de_ctx = NULL;
3241 DetectEngineThreadCtx *det_ctx = NULL;
3242 HtpState *http_state = NULL;
3243 Flow f;
3244 uint8_t http1_buf[] =
3245 "GET /index.html HTTP/1.0\r\n"
3246 "Host: www.openinfosecfoundation.org\r\n";
3247 uint8_t http2_buf[] =
3248 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3249 "Content-Type: text/html\r\n"
3250 "Content-Length: 67\r\n"
3251 "\r\n";
3252 uint32_t http1_len = sizeof(http1_buf) - 1;
3253 uint32_t http2_len = sizeof(http2_buf) - 1;
3254 int result = 0;
3255 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3256
3257 memset(&th_v, 0, sizeof(th_v));
3258 memset(&f, 0, sizeof(f));
3259 memset(&ssn, 0, sizeof(ssn));
3260
3261 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3262 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3263
3264 FLOW_INITIALIZE(&f);
3265 f.protoctx = (void *)&ssn;
3266 f.proto = IPPROTO_TCP;
3267 f.flags |= FLOW_IPV4;
3268 p1->flow = &f;
3269 p1->flowflags |= FLOW_PKT_TOSERVER;
3270 p1->flowflags |= FLOW_PKT_ESTABLISHED;
3271 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3272 p2->flow = &f;
3273 p2->flowflags |= FLOW_PKT_TOSERVER;
3274 p2->flowflags |= FLOW_PKT_ESTABLISHED;
3275 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3276 f.alproto = ALPROTO_HTTP1;
3277
3278 StreamTcpInitConfig(true);
3279
3280 de_ctx = DetectEngineCtxInit();
3281 if (de_ctx == NULL)
3282 goto end;
3283
3284 de_ctx->flags |= DE_QUIET;
3285
3286 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3287 "(msg:\"http header test\"; flow:to_server; "
3288 "content:\"Gecko/20091221 Firefox/3.5.7\"; http_raw_header; "
3289 "sid:1;)");
3290 if (de_ctx->sig_list == NULL)
3291 goto end;
3292
3293 SigGroupBuild(de_ctx);
3294 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3295
3296 int r = AppLayerParserParse(
3297 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3298 if (r != 0) {
3299 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3300 result = 0;
3301 goto end;
3302 }
3303
3304 http_state = f.alstate;
3305 if (http_state == NULL) {
3306 printf("no http state: ");
3307 result = 0;
3308 goto end;
3309 }
3310
3311 /* do detect */
3312 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3313
3314 if ((PacketAlertCheck(p1, 1))) {
3315 printf("sid 1 didn't match but should have: ");
3316 goto end;
3317 }
3318
3319 r = AppLayerParserParse(
3320 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3321 if (r != 0) {
3322 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3323 result = 0;
3324 goto end;
3325 }
3326
3327 /* do detect */
3328 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3329
3330 if (!(PacketAlertCheck(p2, 1))) {
3331 printf("sid 1 didn't match but should have: ");
3332 goto end;
3333 }
3334
3335 result = 1;
3336end:
3337 if (alp_tctx != NULL)
3338 AppLayerParserThreadCtxFree(alp_tctx);
3339 if (de_ctx != NULL)
3340 DetectEngineCtxFree(de_ctx);
3341
3342 StreamTcpFreeConfig(true);
3343 FLOW_DESTROY(&f);
3344 UTHFreePackets(&p1, 1);
3345 UTHFreePackets(&p2, 1);
3346 return result;
3347}
3348
3349/**
3350 *\test Test that the http_header content matches against a http request
3351 * which holds the content, against a cross boundary present pattern.
3352 */
3353static int DetectHttpRawHeaderTest09(void)
3354{
3355 TcpSession ssn;
3356 Packet *p1 = NULL;
3357 Packet *p2 = NULL;
3358 ThreadVars th_v;
3359 DetectEngineCtx *de_ctx = NULL;
3360 DetectEngineThreadCtx *det_ctx = NULL;
3361 HtpState *http_state = NULL;
3362 Flow f;
3363 uint8_t http1_buf[] =
3364 "GET /index.html HTTP/1.0\r\n"
3365 "Host: www.openinfosecfoundation.org\r\n"
3366 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n";
3367 uint8_t http2_buf[] =
3368 "Content-Type: text/html\r\n"
3369 "Content-Length: 67\r\n"
3370 "\r\n"
3371 "This is dummy body\r\n";
3372 uint32_t http1_len = sizeof(http1_buf) - 1;
3373 uint32_t http2_len = sizeof(http2_buf) - 1;
3374 int result = 0;
3375 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3376
3377 memset(&th_v, 0, sizeof(th_v));
3378 memset(&f, 0, sizeof(f));
3379 memset(&ssn, 0, sizeof(ssn));
3380
3381 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3382 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3383
3384 FLOW_INITIALIZE(&f);
3385 f.protoctx = (void *)&ssn;
3386 f.proto = IPPROTO_TCP;
3387 f.flags |= FLOW_IPV4;
3388 p1->flow = &f;
3389 p1->flowflags |= FLOW_PKT_TOSERVER;
3390 p1->flowflags |= FLOW_PKT_ESTABLISHED;
3391 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3392 p2->flow = &f;
3393 p2->flowflags |= FLOW_PKT_TOSERVER;
3394 p2->flowflags |= FLOW_PKT_ESTABLISHED;
3395 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3396 f.alproto = ALPROTO_HTTP1;
3397
3398 StreamTcpInitConfig(true);
3399
3400 de_ctx = DetectEngineCtxInit();
3401 if (de_ctx == NULL)
3402 goto end;
3403
3404 de_ctx->flags |= DE_QUIET;
3405
3406 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3407 "(msg:\"http header test\"; flow:to_server; "
3408 "content:\"Firefox/3.5.7|0D 0A|Content\"; http_raw_header; "
3409 "sid:1;)");
3410 if (de_ctx->sig_list == NULL)
3411 goto end;
3412
3413 SigGroupBuild(de_ctx);
3414 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3415
3416 int r = AppLayerParserParse(
3417 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3418 if (r != 0) {
3419 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3420 result = 0;
3421 goto end;
3422 }
3423
3424 http_state = f.alstate;
3425 if (http_state == NULL) {
3426 printf("no http state: ");
3427 result = 0;
3428 goto end;
3429 }
3430
3431 /* do detect */
3432 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3433
3434 if ((PacketAlertCheck(p1, 1))) {
3435 printf("sid 1 didn't match but should have: ");
3436 goto end;
3437 }
3438
3439 r = AppLayerParserParse(
3440 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3441 if (r != 0) {
3442 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3443 result = 0;
3444 goto end;
3445 }
3446
3447 /* do detect */
3448 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3449
3450 if (!(PacketAlertCheck(p2, 1))) {
3451 printf("sid 1 didn't match but should have: ");
3452 goto end;
3453 }
3454
3455 result = 1;
3456end:
3457 if (alp_tctx != NULL)
3458 AppLayerParserThreadCtxFree(alp_tctx);
3459 if (de_ctx != NULL)
3460 DetectEngineCtxFree(de_ctx);
3461
3462 StreamTcpFreeConfig(true);
3463 FLOW_DESTROY(&f);
3464 UTHFreePackets(&p1, 1);
3465 UTHFreePackets(&p2, 1);
3466 return result;
3467}
3468
3469/**
3470 *\test Test that the http_header content matches against a http request
3471 * against a case insensitive pattern.
3472 */
3473static int DetectHttpRawHeaderTest10(void)
3474{
3475 TcpSession ssn;
3476 Packet *p1 = NULL;
3477 Packet *p2 = NULL;
3478 ThreadVars th_v;
3479 DetectEngineCtx *de_ctx = NULL;
3480 DetectEngineThreadCtx *det_ctx = NULL;
3481 HtpState *http_state = NULL;
3482 Flow f;
3483 uint8_t http1_buf[] =
3484 "GET /index.html HTTP/1.0\r\n"
3485 "Host: www.openinfosecfoundation.org\r\n"
3486 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n";
3487 uint8_t http2_buf[] =
3488 "Content-Type: text/html\r\n"
3489 "Content-Length: 67\r\n"
3490 "\r\n"
3491 "This is dummy body";
3492 uint32_t http1_len = sizeof(http1_buf) - 1;
3493 uint32_t http2_len = sizeof(http2_buf) - 1;
3494 int result = 0;
3495 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3496
3497 memset(&th_v, 0, sizeof(th_v));
3498 memset(&f, 0, sizeof(f));
3499 memset(&ssn, 0, sizeof(ssn));
3500
3501 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3502 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3503
3504 FLOW_INITIALIZE(&f);
3505 f.protoctx = (void *)&ssn;
3506 f.proto = IPPROTO_TCP;
3507 f.flags |= FLOW_IPV4;
3508 p1->flow = &f;
3509 p1->flowflags |= FLOW_PKT_TOSERVER;
3510 p1->flowflags |= FLOW_PKT_ESTABLISHED;
3511 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3512 p2->flow = &f;
3513 p2->flowflags |= FLOW_PKT_TOSERVER;
3514 p2->flowflags |= FLOW_PKT_ESTABLISHED;
3515 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3516 f.alproto = ALPROTO_HTTP1;
3517
3518 StreamTcpInitConfig(true);
3519
3520 de_ctx = DetectEngineCtxInit();
3521 if (de_ctx == NULL)
3522 goto end;
3523
3524 de_ctx->flags |= DE_QUIET;
3525
3526 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3527 "(msg:\"http header test\"; flow:to_server; "
3528 "content:\"firefox/3.5.7|0D 0A|content\"; nocase; http_raw_header;"
3529 "sid:1;)");
3530 if (de_ctx->sig_list == NULL)
3531 goto end;
3532
3533 SigGroupBuild(de_ctx);
3534 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3535
3536 int r = AppLayerParserParse(
3537 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
3538 if (r != 0) {
3539 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3540 result = 0;
3541 goto end;
3542 }
3543
3544 http_state = f.alstate;
3545 if (http_state == NULL) {
3546 printf("no http state: ");
3547 result = 0;
3548 goto end;
3549 }
3550
3551 /* do detect */
3552 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3553
3554 if ((PacketAlertCheck(p1, 1))) {
3555 printf("sid 1 didn't match but should have: ");
3556 goto end;
3557 }
3558
3559 r = AppLayerParserParse(
3560 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
3561 if (r != 0) {
3562 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3563 result = 0;
3564 goto end;
3565 }
3566
3567 /* do detect */
3568 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3569
3570 if (!(PacketAlertCheck(p2, 1))) {
3571 printf("sid 1 didn't match but should have: ");
3572 goto end;
3573 }
3574
3575 result = 1;
3576end:
3577 if (alp_tctx != NULL)
3578 AppLayerParserThreadCtxFree(alp_tctx);
3579 if (de_ctx != NULL)
3580 DetectEngineCtxFree(de_ctx);
3581
3582 StreamTcpFreeConfig(true);
3583 FLOW_DESTROY(&f);
3584 UTHFreePackets(&p1, 1);
3585 UTHFreePackets(&p2, 1);
3586 return result;
3587}
3588
3589/**
3590 *\test Test that the negated http_header content matches against a
3591 * http request which doesn't hold the content.
3592 */
3593static int DetectHttpRawHeaderTest11(void)
3594{
3595 TcpSession ssn;
3596 Packet *p = NULL;
3597 ThreadVars th_v;
3598 DetectEngineCtx *de_ctx = NULL;
3599 DetectEngineThreadCtx *det_ctx = NULL;
3600 HtpState *http_state = NULL;
3601 Flow f;
3602 uint8_t http_buf[] =
3603 "GET /index.html HTTP/1.0\r\n"
3604 "Host: www.openinfosecfoundation.org\r\n"
3605 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3606 "Content-Type: text/html\r\n"
3607 "Content-Length: 26\r\n"
3608 "\r\n"
3609 "This is dummy message body\r\n";
3610 uint32_t http_len = sizeof(http_buf) - 1;
3611 int result = 0;
3612 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3613
3614 memset(&th_v, 0, sizeof(th_v));
3615 memset(&f, 0, sizeof(f));
3616 memset(&ssn, 0, sizeof(ssn));
3617
3618 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3619
3620 FLOW_INITIALIZE(&f);
3621 f.protoctx = (void *)&ssn;
3622 f.proto = IPPROTO_TCP;
3623 f.flags |= FLOW_IPV4;
3624 p->flow = &f;
3625 p->flowflags |= FLOW_PKT_TOSERVER;
3626 p->flowflags |= FLOW_PKT_ESTABLISHED;
3627 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3628 f.alproto = ALPROTO_HTTP1;
3629
3630 StreamTcpInitConfig(true);
3631
3632 de_ctx = DetectEngineCtxInit();
3633 if (de_ctx == NULL)
3634 goto end;
3635
3636 de_ctx->flags |= DE_QUIET;
3637
3638 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3639 "(msg:\"http header test\"; flow:to_server; "
3640 "content:!\"lalalalala\"; http_raw_header; "
3641 "sid:1;)");
3642 if (de_ctx->sig_list == NULL)
3643 goto end;
3644
3645 SigGroupBuild(de_ctx);
3646 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3647
3648 int r = AppLayerParserParse(
3649 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
3650 if (r != 0) {
3651 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3652 result = 0;
3653 goto end;
3654 }
3655
3656 http_state = f.alstate;
3657 if (http_state == NULL) {
3658 printf("no http state: ");
3659 result = 0;
3660 goto end;
3661 }
3662
3663 /* do detect */
3664 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3665
3666 if (!(PacketAlertCheck(p, 1))) {
3667 printf("sid 1 didn't match but should have: ");
3668 goto end;
3669 }
3670
3671 result = 1;
3672end:
3673 if (alp_tctx != NULL)
3674 AppLayerParserThreadCtxFree(alp_tctx);
3675 if (de_ctx != NULL)
3676 DetectEngineCtxFree(de_ctx);
3677
3678 StreamTcpFreeConfig(true);
3679 FLOW_DESTROY(&f);
3680 UTHFreePackets(&p, 1);
3681 return result;
3682}
3683
3684/**
3685 *\test Negative test that the negated http_header content matches against a
3686 * http request which holds hold the content.
3687 */
3688static int DetectHttpRawHeaderTest12(void)
3689{
3690 TcpSession ssn;
3691 Packet *p = NULL;
3692 ThreadVars th_v;
3693 DetectEngineCtx *de_ctx = NULL;
3694 DetectEngineThreadCtx *det_ctx = NULL;
3695 HtpState *http_state = NULL;
3696 Flow f;
3697 uint8_t http_buf[] =
3698 "GET /index.html HTTP/1.0\r\n"
3699 "Host: www.openinfosecfoundation.org\r\n"
3700 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3701 "Content-Type: text/html\r\n"
3702 "Content-Length: 26\r\n"
3703 "\r\n"
3704 "This is dummy message body\r\n";
3705 uint32_t http_len = sizeof(http_buf) - 1;
3706 int result = 0;
3707 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3708
3709 memset(&th_v, 0, sizeof(th_v));
3710 memset(&f, 0, sizeof(f));
3711 memset(&ssn, 0, sizeof(ssn));
3712
3713 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3714
3715 FLOW_INITIALIZE(&f);
3716 f.protoctx = (void *)&ssn;
3717 f.proto = IPPROTO_TCP;
3718 f.flags |= FLOW_IPV4;
3719 p->flow = &f;
3720 p->flowflags |= FLOW_PKT_TOSERVER;
3721 p->flowflags |= FLOW_PKT_ESTABLISHED;
3722 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3723 f.alproto = ALPROTO_HTTP1;
3724
3725 StreamTcpInitConfig(true);
3726
3727 de_ctx = DetectEngineCtxInit();
3728 if (de_ctx == NULL)
3729 goto end;
3730
3731 de_ctx->flags |= DE_QUIET;
3732
3733 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3734 "(msg:\"http header test\"; flow:to_server; "
3735 "content:!\"User-Agent: Mozilla/5.0 \"; http_raw_header; "
3736 "sid:1;)");
3737 if (de_ctx->sig_list == NULL)
3738 goto end;
3739
3740 SigGroupBuild(de_ctx);
3741 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3742
3743 int r = AppLayerParserParse(
3744 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
3745 if (r != 0) {
3746 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3747 result = 0;
3748 goto end;
3749 }
3750
3751 http_state = f.alstate;
3752 if (http_state == NULL) {
3753 printf("no http state: ");
3754 result = 0;
3755 goto end;
3756 }
3757
3758 /* do detect */
3759 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3760
3761 if ((PacketAlertCheck(p, 1))) {
3762 printf("sid 1 didn't match but should have: ");
3763 goto end;
3764 }
3765
3766 result = 1;
3767end:
3768 if (alp_tctx != NULL)
3769 AppLayerParserThreadCtxFree(alp_tctx);
3770 if (de_ctx != NULL)
3771 DetectEngineCtxFree(de_ctx);
3772
3773 StreamTcpFreeConfig(true);
3774 FLOW_DESTROY(&f);
3775 UTHFreePackets(&p, 1);
3776 return result;
3777}
3778
3779/**
3780 *\test Test that the http_header content matches against a http request
3781 * which holds the content.
3782 */
3783static int DetectHttpRawHeaderTest13(void)
3784{
3785 TcpSession ssn;
3786 Packet *p = NULL;
3787 ThreadVars th_v;
3788 DetectEngineCtx *de_ctx = NULL;
3789 DetectEngineThreadCtx *det_ctx = NULL;
3790 HtpState *http_state = NULL;
3791 Flow f;
3792 uint8_t http_buf[] =
3793 "GET /index.html HTTP/1.0\r\n"
3794 "Host: www.openinfosecfoundation.org\r\n"
3795 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
3796 "Content-Type: text/html\r\n"
3797 "Content-Length: 100\r\n"
3798 "\r\n"
3799 "longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\r\n";
3800 uint32_t http_len = sizeof(http_buf) - 1;
3801 int result = 0;
3802 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3803
3804 memset(&th_v, 0, sizeof(th_v));
3805 memset(&f, 0, sizeof(f));
3806 memset(&ssn, 0, sizeof(ssn));
3807
3808 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3809
3810 FLOW_INITIALIZE(&f);
3811 f.protoctx = (void *)&ssn;
3812 f.proto = IPPROTO_TCP;
3813 f.flags |= FLOW_IPV4;
3814
3815 p->flow = &f;
3816 p->flowflags |= FLOW_PKT_TOSERVER;
3817 p->flowflags |= FLOW_PKT_ESTABLISHED;
3818 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3819 f.alproto = ALPROTO_HTTP1;
3820
3821 StreamTcpInitConfig(true);
3822
3823 de_ctx = DetectEngineCtxInit();
3824 if (de_ctx == NULL)
3825 goto end;
3826
3827 de_ctx->flags |= DE_QUIET;
3828
3829 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
3830 "(msg:\"http header test\"; flow:to_server; "
3831 "content:\"Host: www.openinfosecfoundation.org\"; http_raw_header; "
3832 "sid:1;)");
3833 if (de_ctx->sig_list == NULL)
3834 goto end;
3835
3836 SigGroupBuild(de_ctx);
3837 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3838
3839 int r = AppLayerParserParse(
3840 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
3841 if (r != 0) {
3842 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3843 result = 0;
3844 goto end;
3845 }
3846
3847 http_state = f.alstate;
3848 if (http_state == NULL) {
3849 printf("no http state: ");
3850 result = 0;
3851 goto end;
3852 }
3853
3854 /* do detect */
3855 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3856
3857 if (!(PacketAlertCheck(p, 1))) {
3858 printf("sid 1 didn't match but should have: ");
3859 goto end;
3860 }
3861
3862 result = 1;
3863end:
3864
3865 if (alp_tctx != NULL)
3866 AppLayerParserThreadCtxFree(alp_tctx);
3867 if (de_ctx != NULL)
3868 DetectEngineCtxFree(de_ctx);
3869
3870 StreamTcpFreeConfig(true);
3871 FLOW_DESTROY(&f);
3872 UTHFreePackets(&p, 1);
3873 return result;
3874}
3875
3876void DetectHttpRawHeaderRegisterTests(void)
3877{
3878 UtRegisterTest("DetectHttpRawHeaderParserTest01",
3879 DetectHttpRawHeaderParserTest01);
3880 UtRegisterTest("DetectHttpRawHeaderParserTest02",
3881 DetectHttpRawHeaderParserTest02);
3882
3883 UtRegisterTest("DetectEngineHttpRawHeaderTest01",
3884 DetectEngineHttpRawHeaderTest01);
3885 UtRegisterTest("DetectEngineHttpRawHeaderTest02",
3886 DetectEngineHttpRawHeaderTest02);
3887 UtRegisterTest("DetectEngineHttpRawHeaderTest03",
3888 DetectEngineHttpRawHeaderTest03);
3889 UtRegisterTest("DetectEngineHttpRawHeaderTest04",
3890 DetectEngineHttpRawHeaderTest04);
3891 UtRegisterTest("DetectEngineHttpRawHeaderTest05",
3892 DetectEngineHttpRawHeaderTest05);
3893 UtRegisterTest("DetectEngineHttpRawHeaderTest06",
3894 DetectEngineHttpRawHeaderTest06);
3895 UtRegisterTest("DetectEngineHttpRawHeaderTest07",
3896 DetectEngineHttpRawHeaderTest07);
3897 UtRegisterTest("DetectEngineHttpRawHeaderTest08",
3898 DetectEngineHttpRawHeaderTest08);
3899 UtRegisterTest("DetectEngineHttpRawHeaderTest09",
3900 DetectEngineHttpRawHeaderTest09);
3901 UtRegisterTest("DetectEngineHttpRawHeaderTest10",
3902 DetectEngineHttpRawHeaderTest10);
3903 UtRegisterTest("DetectEngineHttpRawHeaderTest11",
3904 DetectEngineHttpRawHeaderTest11);
3905 UtRegisterTest("DetectEngineHttpRawHeaderTest12",
3906 DetectEngineHttpRawHeaderTest12);
3907 UtRegisterTest("DetectEngineHttpRawHeaderTest13",
3908 DetectEngineHttpRawHeaderTest13);
3909 UtRegisterTest("DetectEngineHttpRawHeaderTest14",
3910 DetectEngineHttpRawHeaderTest14);
3911 UtRegisterTest("DetectEngineHttpRawHeaderTest15",
3912 DetectEngineHttpRawHeaderTest15);
3913 UtRegisterTest("DetectEngineHttpRawHeaderTest16",
3914 DetectEngineHttpRawHeaderTest16);
3915 UtRegisterTest("DetectEngineHttpRawHeaderTest17",
3916 DetectEngineHttpRawHeaderTest17);
3917 UtRegisterTest("DetectEngineHttpRawHeaderTest20",
3918 DetectEngineHttpRawHeaderTest20);
3919 UtRegisterTest("DetectEngineHttpRawHeaderTest21",
3920 DetectEngineHttpRawHeaderTest21);
3921 UtRegisterTest("DetectEngineHttpRawHeaderTest22",
3922 DetectEngineHttpRawHeaderTest22);
3923 UtRegisterTest("DetectEngineHttpRawHeaderTest23",
3924 DetectEngineHttpRawHeaderTest23);
3925 UtRegisterTest("DetectEngineHttpRawHeaderTest24",
3926 DetectEngineHttpRawHeaderTest24);
3927 UtRegisterTest("DetectEngineHttpRawHeaderTest25",
3928 DetectEngineHttpRawHeaderTest25);
3929 UtRegisterTest("DetectEngineHttpRawHeaderTest26",
3930 DetectEngineHttpRawHeaderTest26);
3931 UtRegisterTest("DetectEngineHttpRawHeaderTest27",
3932 DetectEngineHttpRawHeaderTest27);
3933 UtRegisterTest("DetectEngineHttpRawHeaderTest28",
3934 DetectEngineHttpRawHeaderTest28);
3935 UtRegisterTest("DetectEngineHttpRawHeaderTest29",
3936 DetectEngineHttpRawHeaderTest29);
3937#if 0
3938 UtRegisterTest("DetectEngineHttpRawHeaderTest30",
3939 DetectEngineHttpRawHeaderTest30, 1);
3940#endif
3941 UtRegisterTest("DetectEngineHttpRawHeaderTest31",
3942 DetectEngineHttpRawHeaderTest31);
3943 UtRegisterTest("DetectEngineHttpRawHeaderTest32",
3944 DetectEngineHttpRawHeaderTest32);
3945
3946 UtRegisterTest("DetectHttpRawHeaderTest06", DetectHttpRawHeaderTest06);
3947 UtRegisterTest("DetectHttpRawHeaderTest07", DetectHttpRawHeaderTest07);
3948 UtRegisterTest("DetectHttpRawHeaderTest08", DetectHttpRawHeaderTest08);
3949 UtRegisterTest("DetectHttpRawHeaderTest09", DetectHttpRawHeaderTest09);
3950 UtRegisterTest("DetectHttpRawHeaderTest10", DetectHttpRawHeaderTest10);
3951 UtRegisterTest("DetectHttpRawHeaderTest11", DetectHttpRawHeaderTest11);
3952 UtRegisterTest("DetectHttpRawHeaderTest12", DetectHttpRawHeaderTest12);
3953 UtRegisterTest("DetectHttpRawHeaderTest13", DetectHttpRawHeaderTest13);
3954}
3955
3956#endif /* UNITTESTS */
3957
3958/**
3959 * @}
3960 */
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition app-layer-parser.c:297
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition app-layer-parser.c:324
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition app-layer-parser.c:1291
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition app-layer-protos.h:36
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition decode.h:1266
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition decode.h:1262
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition detect-engine-alert.c:142
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition detect-engine-build.c:2204
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition detect-engine-build.c:56
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition detect-engine.c:2602
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition detect-engine.c:2641
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition detect-parse.c:3437
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition detect-engine.c:3372
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition detect-parse.c:3095
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition detect.c:2420
DE_QUIET
#define DE_QUIET
Definition detect.h:330
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition flow-util.h:38
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition flow-util.h:119
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition flow.h:233
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition flow.h:235
FLOW_IPV4
#define FLOW_IPV4
Definition flow.h:100
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition flow.h:234
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition fuzz_applayerparserparse.c:23
de_ctx
DetectEngineCtx * de_ctx
Definition fuzz_siginit.c:18
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition util-unittest.h:89
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition util-unittest.c:103
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition util-unittest.h:82
PASS
#define PASS
Pass the test.
Definition util-unittest.h:105
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition stream-tcp.c:859
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition stream-tcp.c:488
AppLayerParserThreadCtx_
Definition app-layer-parser.c:60
DetectEngineCtx_
main detection engine ctx
Definition detect.h:932
DetectEngineCtx_::flags
uint8_t flags
Definition detect.h:934
DetectEngineCtx_::sig_list
Signature * sig_list
Definition detect.h:941
DetectEngineThreadCtx_
Definition detect.h:1244
Flow_
Flow data structure.
Definition flow.h:356
Flow_::proto
uint8_t proto
Definition flow.h:378
Flow_::flags
uint32_t flags
Definition flow.h:421
Flow_::alproto
AppProto alproto
application level protocol
Definition flow.h:450
Flow_::alstate
void * alstate
Definition flow.h:479
Flow_::protoctx
void * protoctx
Definition flow.h:441
HtpState_
Definition app-layer-htp.h:181
Packet_
Definition decode.h:501
Packet_::flowflags
uint8_t flowflags
Definition decode.h:532
Packet_::flow
struct Flow_ * flow
Definition decode.h:546
Packet_::flags
uint32_t flags
Definition decode.h:544
Signature_
Signature container.
Definition detect.h:668
TcpSession_
Definition stream-tcp-private.h:283
ThreadVars_
Per thread variable structure.
Definition threadvars.h:58
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition util-unittest-helper.c:456
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition util-unittest-helper.c:365
UTHParseSignature
int UTHParseSignature(const char *str, bool expect)
parser a sig and see if the expected result is correct
Definition util-unittest-helper.c:898