suricata
detect-http-server-body.c
Go to the documentation of this file.
1/* Copyright (C) 2017 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \file
20 *
21 * \author Giuseppe Longo <giuseppe@glongo.it>
22 *
23 * Tests for the hsbd with swf files
24 */
25
26#include "../suricata-common.h"
27#include "../conf-yaml-loader.h"
28#include "../decode.h"
29#include "../flow.h"
30#include "../detect.h"
31#include "../detect-engine-build.h"
32#include "../detect-engine-alert.h"
33
34/**
35 * \test Test parser accepting valid rules and rejecting invalid rules
36 */
37static int DetectHttpServerBodyParserTest01(void)
38{
39 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; http_server_body; sid:1;)", true));
40 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; nocase; http_server_body; sid:1;)", true));
41 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; endswith; http_server_body; sid:1;)", true));
42 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; startswith; http_server_body; sid:1;)", true));
43 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; startswith; endswith; http_server_body; sid:1;)", true));
44
45 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; content:\"abc\"; rawbytes; http_server_body; sid:1;)", false));
46 FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_client; http_server_body; sid:1;)", false));
47 FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_client; content:\"abc\"; http_server_body; sid:1;)", false));
48 PASS;
49}
50
51/**
52 * \test Test parser accepting valid rules and rejecting invalid rules
53 */
54static int DetectHttpServerBodyParserTest02(void)
55{
56 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; sid:1;)", true));
57 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; nocase; sid:1;)", true));
58 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; endswith; sid:1;)", true));
59 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; startswith; sid:1;)", true));
60 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; startswith; endswith; sid:1;)", true));
61 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; bsize:10; sid:1;)", true));
62
63 FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; http.response_body; content:\"abc\"; rawbytes; sid:1;)", false));
64 FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_client; http.response_body; sid:1;)", false));
65 FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_client; http.response_body; content:\"abc\"; sid:1;)", false));
66 PASS;
67}
68struct TestSteps {
69 const uint8_t *input;
70 size_t input_size; /**< if 0 strlen will be used */
71 int direction; /**< STREAM_TOSERVER, STREAM_TOCLIENT */
72 int expect;
73};
74
75static int RunTest(struct TestSteps *steps, const char *sig, const char *yaml)
76{
77 TcpSession ssn;
78 Flow f;
79 ThreadVars th_v;
80 DetectEngineThreadCtx *det_ctx = NULL;
81 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
82 FAIL_IF_NULL(alp_tctx);
83
84 memset(&th_v, 0, sizeof(th_v));
85 memset(&f, 0, sizeof(f));
86 memset(&ssn, 0, sizeof(ssn));
87
88 if (yaml) {
89 SCConfCreateContextBackup();
90 SCConfInit();
91 HtpConfigCreateBackup();
92
93 SCConfYamlLoadString(yaml, strlen(yaml));
94 HTPConfigure();
95 EngineModeSetIPS();
96 }
97
98 StreamTcpInitConfig(true);
99
100 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
101 FAIL_IF_NULL(de_ctx);
102 de_ctx->flags |= DE_QUIET;
103
104 FLOW_INITIALIZE(&f);
105 f.protoctx = (void *)&ssn;
106 f.proto = IPPROTO_TCP;
107 f.flags |= FLOW_IPV4;
108 f.alproto = ALPROTO_HTTP1;
109
110 SCLogDebug("sig %s", sig);
111 Signature *s = DetectEngineAppendSig(de_ctx, (char *)sig);
112 FAIL_IF_NULL(s);
113
114 SigGroupBuild(de_ctx);
115 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
116 FAIL_IF_NULL(det_ctx);
117
118 struct TestSteps *b = steps;
119 int i = 0;
120 while (b->input != NULL) {
121 SCLogDebug("chunk %p %d", b, i);
122 (void)i;
123 Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
124 FAIL_IF_NULL(p);
125 p->flow = &f;
126 p->flowflags = (b->direction == STREAM_TOSERVER) ? FLOW_PKT_TOSERVER : FLOW_PKT_TOCLIENT;
127 p->flowflags |= FLOW_PKT_ESTABLISHED;
128 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
129
130 int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, b->direction,
131 (uint8_t *)b->input,
132 b->input_size ? b->input_size : strlen((const char *)b->input));
133 FAIL_IF_NOT(r == 0);
134
135 /* do detect */
136 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
137
138 int match = PacketAlertCheck(p, 1);
139 FAIL_IF_NOT(b->expect == match);
140
141 UTHFreePackets(&p, 1);
142 b++;
143 i++;
144 }
145
146 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
147 AppLayerParserThreadCtxFree(alp_tctx);
148 DetectEngineCtxFree(de_ctx);
149
150 StreamTcpFreeConfig(true);
151 FLOW_DESTROY(&f);
152
153 if (yaml) {
154 HtpConfigRestoreBackup();
155 SCConfRestoreContextBackup();
156 EngineModeSetIDS();
157 }
158 PASS;
159}
160
161static int DetectEngineHttpServerBodyTest01(void)
162{
163 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
164 "Host: www.openinfosecfoundation.org\r\n"
165 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
166 "Gecko/20091221 Firefox/3.5.7\r\n"
167 "\r\n";
168 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
169 "Content-Type: text/html\r\n"
170 "Content-Length: 7\r\n"
171 "\r\n"
172 "message";
173 struct TestSteps steps[] = {
174 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
175 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
176 { NULL, 0, 0, 0 },
177 };
178
179 const char *sig = "alert http any any -> any any "
180 "(msg:\"http server body test\"; "
181 "content:\"message\"; http_server_body; "
182 "sid:1;)";
183 return RunTest(steps, sig, NULL);
184}
185
186static int DetectEngineHttpServerBodyTest02(void)
187{
188 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
189 "Host: www.openinfosecfoundation.org\r\n"
190 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
191 "Gecko/20091221 Firefox/3.5.7\r\n"
192 "\r\n";
193 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
194 "Content-Type: text/html\r\n"
195 "Content-Length: 7\r\n"
196 "\r\n"
197 "xxxxABC";
198 struct TestSteps steps[] = {
199 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
200 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
201 { NULL, 0, 0, 0 },
202 };
203
204 const char *sig = "alert http any any -> any any "
205 "(msg:\"http server body test\"; "
206 "content:\"ABC\"; http_server_body; offset:4; "
207 "sid:1;)";
208 return RunTest(steps, sig, NULL);
209}
210
211static int DetectEngineHttpServerBodyTest03(void)
212{
213 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
214 "Host: www.openinfosecfoundation.org\r\n"
215 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
216 "Gecko/20091221 Firefox/3.5.7\r\n"
217 "\r\n";
218 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
219 "Content-Type: text/html\r\n"
220 "Content-Length: 17\r\n"
221 "\r\n"
222 "1234567";
223 uint8_t http_buf3[] = "8901234ABC";
224 struct TestSteps steps[] = {
225 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
226 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
227 { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 1 },
228 { NULL, 0, 0, 0 },
229 };
230
231 const char *sig = "alert http any any -> any any "
232 "(msg:\"http server body test\"; "
233 "content:\"ABC\"; http_server_body; offset:14; "
234 "sid:1;)";
235 return RunTest(steps, sig, NULL);
236}
237
238static int DetectEngineHttpServerBodyTest04(void)
239{
240 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
241 "Host: www.openinfosecfoundation.org\r\n"
242 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
243 "Gecko/20091221 Firefox/3.5.7\r\n"
244 "\r\n";
245 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
246 "Content-Type: text/html\r\n"
247 "Content-Length: 6\r\n"
248 "\r\n"
249 "abcdef";
250 struct TestSteps steps[] = {
251 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
252 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
253 { NULL, 0, 0, 0 },
254 };
255 const char *sig = "alert http any any -> any any "
256 "(msg:\"http server body test\"; "
257 "content:!\"abc\"; http_server_body; offset:3; "
258 "sid:1;)";
259 return RunTest(steps, sig, NULL);
260}
261
262static int DetectEngineHttpServerBodyTest05(void)
263{
264 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
265 "Host: www.openinfosecfoundation.org\r\n"
266 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
267 "Gecko/20091221 Firefox/3.5.7\r\n"
268 "\r\n";
269 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
270 "Content-Type: text/html\r\n"
271 "Content-Length: 6\r\n"
272 "\r\n"
273 "abcdef";
274 struct TestSteps steps[] = {
275 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
276 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
277 { NULL, 0, 0, 0 },
278 };
279 const char *sig = "alert http any any -> any any "
280 "(msg:\"http server body test\"; "
281 "content:\"abc\"; http_server_body; depth:3; "
282 "sid:1;)";
283 return RunTest(steps, sig, NULL);
284}
285
286static int DetectEngineHttpServerBodyTest06(void)
287{
288 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
289 "Host: www.openinfosecfoundation.org\r\n"
290 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
291 "Gecko/20091221 Firefox/3.5.7\r\n"
292 "\r\n";
293 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
294 "Content-Type: text/html\r\n"
295 "Content-Length: 6\r\n"
296 "\r\n"
297 "abcdef";
298 struct TestSteps steps[] = {
299 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
300 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
301 { NULL, 0, 0, 0 },
302 };
303 const char *sig = "alert http any any -> any any "
304 "(msg:\"http server body test\"; "
305 "content:!\"def\"; http_server_body; depth:3; "
306 "sid:1;)";
307 return RunTest(steps, sig, NULL);
308}
309
310static int DetectEngineHttpServerBodyTest07(void)
311{
312 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
313 "Host: www.openinfosecfoundation.org\r\n"
314 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
315 "Gecko/20091221 Firefox/3.5.7\r\n"
316 "\r\n";
317 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
318 "Content-Type: text/html\r\n"
319 "Content-Length: 6\r\n"
320 "\r\n"
321 "abcdef";
322 struct TestSteps steps[] = {
323 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
324 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
325 { NULL, 0, 0, 0 },
326 };
327 const char *sig = "alert http any any -> any any "
328 "(msg:\"http server body test\"; "
329 "content:!\"def\"; http_server_body; offset:3; "
330 "sid:1;)";
331 return RunTest(steps, sig, NULL);
332}
333
334static int DetectEngineHttpServerBodyTest08(void)
335{
336 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
337 "Host: www.openinfosecfoundation.org\r\n"
338 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
339 "Gecko/20091221 Firefox/3.5.7\r\n"
340 "\r\n";
341 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
342 "Content-Type: text/html\r\n"
343 "Content-Length: 6\r\n"
344 "\r\n"
345 "abcdef";
346
347 struct TestSteps steps[] = {
348 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
349 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
350 { NULL, 0, 0, 0 },
351 };
352 const char *sig = "alert http any any -> any any "
353 "(msg:\"http server body test\"; "
354 "content:!\"abc\"; http_server_body; depth:3; "
355 "sid:1;)";
356 return RunTest(steps, sig, NULL);
357}
358
359static int DetectEngineHttpServerBodyTest09(void)
360{
361 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
362 "Host: www.openinfosecfoundation.org\r\n"
363 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
364 "Gecko/20091221 Firefox/3.5.7\r\n"
365 "\r\n";
366 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
367 "Content-Type: text/html\r\n"
368 "Content-Length: 6\r\n"
369 "\r\n"
370 "abcdef";
371 struct TestSteps steps[] = {
372 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
373 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
374 { NULL, 0, 0, 0 },
375 };
376 const char *sig = "alert http any any -> any any "
377 "(msg:\"http server body test\"; "
378 "content:\"abc\"; http_server_body; depth:3; "
379 "content:\"def\"; http_server_body; within:3; "
380 "sid:1;)";
381 return RunTest(steps, sig, NULL);
382}
383
384static int DetectEngineHttpServerBodyTest10(void)
385{
386 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
387 "Host: www.openinfosecfoundation.org\r\n"
388 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
389 "Gecko/20091221 Firefox/3.5.7\r\n"
390 "\r\n";
391 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
392 "Content-Type: text/html\r\n"
393 "Content-Length: 6\r\n"
394 "\r\n"
395 "abcdef";
396 struct TestSteps steps[] = {
397 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
398 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
399 { NULL, 0, 0, 0 },
400 };
401 const char *sig = "alert http any any -> any any "
402 "(msg:\"http server body test\"; "
403 "content:\"abc\"; http_server_body; depth:3; "
404 "content:!\"xyz\"; http_server_body; within:3; "
405 "sid:1;)";
406 return RunTest(steps, sig, NULL);
407}
408
409static int DetectEngineHttpServerBodyTest11(void)
410{
411 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
412 "Host: www.openinfosecfoundation.org\r\n"
413 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
414 "Gecko/20091221 Firefox/3.5.7\r\n"
415 "\r\n";
416 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
417 "Content-Type: text/html\r\n"
418 "Content-Length: 6\r\n"
419 "\r\n"
420 "abcdef";
421 struct TestSteps steps[] = {
422 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
423 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
424 { NULL, 0, 0, 0 },
425 };
426 const char *sig = "alert http any any -> any any "
427 "(msg:\"http server body test\"; "
428 "content:\"abc\"; http_server_body; depth:3; "
429 "content:\"xyz\"; http_server_body; within:3; "
430 "sid:1;)";
431 return RunTest(steps, sig, NULL);
432}
433
434static int DetectEngineHttpServerBodyTest12(void)
435{
436 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
437 "Host: www.openinfosecfoundation.org\r\n"
438 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
439 "Gecko/20091221 Firefox/3.5.7\r\n"
440 "\r\n";
441 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
442 "Content-Type: text/html\r\n"
443 "Content-Length: 6\r\n"
444 "\r\n"
445 "abcdef";
446 struct TestSteps steps[] = {
447 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
448 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
449 { NULL, 0, 0, 0 },
450 };
451 const char *sig = "alert http any any -> any any "
452 "(msg:\"http server body test\"; "
453 "content:\"ab\"; http_server_body; depth:2; "
454 "content:\"ef\"; http_server_body; distance:2; "
455 "sid:1;)";
456 return RunTest(steps, sig, NULL);
457}
458
459static int DetectEngineHttpServerBodyTest13(void)
460{
461 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
462 "Host: www.openinfosecfoundation.org\r\n"
463 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
464 "Gecko/20091221 Firefox/3.5.7\r\n"
465 "\r\n";
466 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
467 "Content-Type: text/html\r\n"
468 "Content-Length: 6\r\n"
469 "\r\n"
470 "abcdef";
471 struct TestSteps steps[] = {
472 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
473 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
474 { NULL, 0, 0, 0 },
475 };
476 const char *sig = "alert http any any -> any any "
477 "(msg:\"http server body test\"; "
478 "content:\"ab\"; http_server_body; depth:3; "
479 "content:!\"yz\"; http_server_body; distance:2; "
480 "sid:1;)";
481 return RunTest(steps, sig, NULL);
482}
483
484static int DetectEngineHttpServerBodyTest14(void)
485{
486 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
487 "Host: www.openinfosecfoundation.org\r\n"
488 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
489 "Gecko/20091221 Firefox/3.5.7\r\n"
490 "\r\n";
491 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
492 "Content-Type: text/html\r\n"
493 "Content-Length: 6\r\n"
494 "\r\n"
495 "abcdef";
496 struct TestSteps steps[] = {
497 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
498 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
499 { NULL, 0, 0, 0 },
500 };
501 const char *sig = "alert http any any -> any any "
502 "(msg:\"http server body test\"; "
503 "pcre:/ab/Q; "
504 "content:\"ef\"; http_server_body; distance:2; "
505 "sid:1;)";
506 return RunTest(steps, sig, NULL);
507}
508
509static int DetectEngineHttpServerBodyTest15(void)
510{
511 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
512 "Host: www.openinfosecfoundation.org\r\n"
513 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
514 "Gecko/20091221 Firefox/3.5.7\r\n"
515 "\r\n";
516 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
517 "Content-Type: text/html\r\n"
518 "Content-Length: 6\r\n"
519 "\r\n"
520 "abcdef";
521 struct TestSteps steps[] = {
522 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
523 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
524 { NULL, 0, 0, 0 },
525 };
526 const char *sig = "alert http any any -> any any "
527 "(msg:\"http server body test\"; "
528 "pcre:/abc/Q; "
529 "content:!\"xyz\"; http_server_body; distance:0; within:3; "
530 "sid:1;)";
531 return RunTest(steps, sig, NULL);
532}
533
534static int DetectEngineHttpServerBodyTest16(void)
535{
536 char input[] = "\
537%YAML 1.1\n\
538---\n\
539libhtp:\n\
540\n\
541 default-config:\n\
542 personality: IDS\n\
543 request-body-limit: 0\n\
544 response-body-limit: 0\n\
545\n\
546 request-body-inspect-window: 0\n\
547 response-body-inspect-window: 0\n\
548 request-body-minimal-inspect-size: 0\n\
549 response-body-minimal-inspect-size: 0\n\
550";
551 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
552 "Host: www.openinfosecfoundation.org\r\n"
553 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
554 "Gecko/20091221 Firefox/3.5.7\r\n"
555 "\r\n";
556 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
557 "Content-Type: text/html\r\n"
558 "Content-Length: 17\r\n"
559 "\r\n"
560 "1234567";
561 uint8_t http_buf3[] = "8901234ABC";
562 struct TestSteps steps[] = {
563 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
564 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
565 { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
566 { NULL, 0, 0, 0 },
567 };
568 const char *sig = "alert http any any -> any any ("
569 "content:\"890\"; within:3; http_server_body; "
570 "sid:1;)";
571 return RunTest(steps, sig, input);
572}
573
574static int DetectEngineHttpServerBodyTest17(void)
575{
576 char input[] = "\
577%YAML 1.1\n\
578---\n\
579libhtp:\n\
580\n\
581 default-config:\n\
582 personality: IDS\n\
583 request-body-limit: 0\n\
584 response-body-limit: 0\n\
585\n\
586 request-body-inspect-window: 0\n\
587 response-body-inspect-window: 0\n\
588 request-body-minimal-inspect-size: 0\n\
589 response-body-minimal-inspect-size: 0\n\
590";
591 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
592 "Host: www.openinfosecfoundation.org\r\n"
593 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
594 "Gecko/20091221 Firefox/3.5.7\r\n"
595 "\r\n";
596 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
597 "Content-Type: text/html\r\n"
598 "Content-Length: 17\r\n"
599 "\r\n"
600 "1234567";
601 uint8_t http_buf3[] = "8901234ABC";
602 struct TestSteps steps[] = {
603 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
604 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
605 { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
606 { NULL, 0, 0, 0 },
607 };
608 const char *sig = "alert http any any -> any any ("
609 "content:\"890\"; depth:3; http_server_body; "
610 "sid:1;)";
611 return RunTest(steps, sig, input);
612}
613
614/*
615 * gzip stream
616 */
617static int DetectEngineHttpServerBodyTest18(void)
618{
619 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
620 "Host: www.openinfosecfoundation.org\r\n"
621 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
622 "Gecko/20091221 Firefox/3.5.7\r\n"
623 "\r\n";
624 // clang-format off
625 uint8_t http_buf2[] = {
626 'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
627 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '5', '1', 0x0d, 0x0a,
628 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ',
629 'g', 'z', 'i', 'p', 0x0d, 0x0a,
630 0x0d, 0x0a,
631 0x1f, 0x8b, 0x08, 0x08, 0x27, 0x1e, 0xe5, 0x51, 0x00, 0x03, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x74,
632 0x78, 0x74, 0x00, 0x2b, 0xc9, 0xc8, 0x2c, 0x56, 0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
633 0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42, 0x8f, 0x0b, 0x00, 0xb2, 0x7d, 0xac, 0x9b, 0x19,
634 0x00, 0x00, 0x00,
635 };
636 // clang-format on
637 struct TestSteps steps[] = {
638 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
639 { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
640 { NULL, 0, 0, 0 },
641 };
642 const char *sig = "alert http any any -> any any "
643 "(msg:\"http server body test\"; "
644 "content:\"file\"; http_server_body; "
645 "sid:1;)";
646 return RunTest(steps, sig, NULL);
647}
648
649/*
650 * deflate stream
651 */
652static int DetectEngineHttpServerBodyTest19(void)
653{
654 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
655 "Host: www.openinfosecfoundation.org\r\n"
656 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
657 "Gecko/20091221 Firefox/3.5.7\r\n"
658 "\r\n";
659 // clang-format off
660 uint8_t http_buf2[] = {
661 'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
662 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '2', '4', 0x0d, 0x0a,
663 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ',
664 'd', 'e', 'f', 'l', 'a', 't', 'e', 0x0d, 0x0a,
665 0x0d, 0x0a,
666 0x2b, 0xc9, 0xc8, 0x2c, 0x56, 0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54, 0x85, 0xcc, 0x3c,
667 0x20, 0x2b, 0x29, 0xbf, 0x42, 0x8f, 0x0b, 0x00,
668 };
669 // clang-format on
670 // 0xb2, 0x7d, 0xac, 0x9b, 0x19, 0x00, 0x00, 0x00,
671 struct TestSteps steps[] = {
672 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
673 { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
674 { NULL, 0, 0, 0 },
675 };
676 const char *sig = "alert http any any -> any any "
677 "(msg:\"http server body test\"; "
678 "content:\"file\"; http_server_body; "
679 "sid:1;)";
680 return RunTest(steps, sig, NULL);
681}
682
683/*
684 * deflate stream with gzip set as content-encoding
685 */
686static int DetectEngineHttpServerBodyTest20(void)
687{
688 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
689 "Host: www.openinfosecfoundation.org\r\n"
690 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
691 "Gecko/20091221 Firefox/3.5.7\r\n"
692 "\r\n";
693 // clang-format off
694 uint8_t http_buf2[] = {
695 'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
696 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '2', '4', 0x0d, 0x0a,
697 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ',
698 'g', 'z', 'i', 'p', 0x0d, 0x0a,
699 0x0d, 0x0a,
700 0x2b, 0xc9, 0xc8, 0x2c, 0x56, 0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54, 0x85, 0xcc, 0x3c,
701 0x20, 0x2b, 0x29, 0xbf, 0x42, 0x8f, 0x0b, 0x00,
702 };
703 // clang-format on
704 // 0xb2, 0x7d, 0xac, 0x9b, 0x19, 0x00, 0x00, 0x00,
705 struct TestSteps steps[] = {
706 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
707 { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
708 { NULL, 0, 0, 0 },
709 };
710 const char *sig = "alert http any any -> any any "
711 "(msg:\"http server body test\"; "
712 "content:\"file\"; http_server_body; "
713 "sid:1;)";
714 return RunTest(steps, sig, NULL);
715}
716
717/*
718 * gzip stream with deflate set as content-encoding.
719 */
720static int DetectEngineHttpServerBodyTest21(void)
721{
722 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
723 "Host: www.openinfosecfoundation.org\r\n"
724 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
725 "Gecko/20091221 Firefox/3.5.7\r\n"
726 "\r\n";
727 // clang-format off
728 uint8_t http_buf2[] = {
729 'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
730 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '5', '1', 0x0d, 0x0a,
731 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ',
732 'd', 'e', 'f', 'l', 'a', 't', 'e', 0x0d, 0x0a,
733 0x0d, 0x0a,
734 0x1f, 0x8b, 0x08, 0x08, 0x27, 0x1e, 0xe5, 0x51, 0x00, 0x03, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x74,
735 0x78, 0x74, 0x00, 0x2b, 0xc9, 0xc8, 0x2c, 0x56, 0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
736 0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42, 0x8f, 0x0b, 0x00, 0xb2, 0x7d, 0xac, 0x9b, 0x19,
737 0x00, 0x00, 0x00,
738 };
739 // clang-format on
740 struct TestSteps steps[] = {
741 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
742 { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
743 { NULL, 0, 0, 0 },
744 };
745 const char *sig = "alert http any any -> any any "
746 "(msg:\"http server body test\"; "
747 "content:\"file\"; http_server_body; "
748 "sid:1;)";
749 return RunTest(steps, sig, NULL);
750}
751
752/*
753 * gzip stream.
754 * We have 2 content-encoding headers. First gzip and second deflate.
755 */
756static int DetectEngineHttpServerBodyTest22(void)
757{
758 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
759 "Host: www.openinfosecfoundation.org\r\n"
760 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
761 "Gecko/20091221 Firefox/3.5.7\r\n"
762 "\r\n";
763 // clang-format off
764 uint8_t http_buf2[] = {
765 'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
766 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '5', '1', 0x0d, 0x0a,
767 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ',
768 'g', 'z', 'i', 'p', 0x0d, 0x0a,
769 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'E', 'n', 'c', 'o', 'd', 'i', 'n', 'g', ':', ' ',
770 'd', 'e', 'f', 'l', 'a', 't', 'e', 0x0d, 0x0a,
771 0x0d, 0x0a,
772 0x1f, 0x8b, 0x08, 0x08, 0x27, 0x1e, 0xe5, 0x51, 0x00, 0x03, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x74,
773 0x78, 0x74, 0x00, 0x2b, 0xc9, 0xc8, 0x2c, 0x56, 0x00, 0xa2, 0x44, 0x85, 0xb4, 0xcc, 0x9c, 0x54,
774 0x85, 0xcc, 0x3c, 0x20, 0x2b, 0x29, 0xbf, 0x42, 0x8f, 0x0b, 0x00, 0xb2, 0x7d, 0xac, 0x9b, 0x19,
775 0x00, 0x00, 0x00,
776 };
777 // clang-format on
778 struct TestSteps steps[] = {
779 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
780 { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
781 { NULL, 0, 0, 0 },
782 };
783 const char *sig = "alert http any any -> any any "
784 "(msg:\"http server body test\"; "
785 "content:\"file\"; http_server_body; "
786 "sid:1;)";
787 return RunTest(steps, sig, NULL);
788}
789
790static int DetectEngineHttpServerBodyFileDataTest01(void)
791{
792 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
793 "Host: www.openinfosecfoundation.org\r\n"
794 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
795 "Gecko/20091221 Firefox/3.5.7\r\n"
796 "\r\n";
797 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
798 "Content-Type: text/html\r\n"
799 "Content-Length: 6\r\n"
800 "\r\n"
801 "abcdef";
802 struct TestSteps steps[] = {
803 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
804 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
805 { NULL, 0, 0, 0 },
806 };
807 const char *sig = "alert http any any -> any any "
808 "(msg:\"http server body test\"; "
809 "file_data; pcre:/ab/; "
810 "content:\"ef\"; distance:2; "
811 "sid:1;)";
812 return RunTest(steps, sig, NULL);
813}
814
815static int DetectEngineHttpServerBodyFileDataTest02(void)
816{
817 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
818 "Host: www.openinfosecfoundation.org\r\n"
819 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
820 "Gecko/20091221 Firefox/3.5.7\r\n"
821 "\r\n";
822 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
823 "Content-Type: text/html\r\n"
824 "Content-Length: 6\r\n"
825 "\r\n"
826 "abcdef";
827 struct TestSteps steps[] = {
828 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
829 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
830 { NULL, 0, 0, 0 },
831 };
832 const char *sig = "alert http any any -> any any "
833 "(msg:\"http server body test\"; "
834 "file_data; pcre:/abc/; "
835 "content:!\"xyz\"; distance:0; within:3; "
836 "sid:1;)";
837 return RunTest(steps, sig, NULL);
838}
839
840/* \test recursive relative byte test */
841static int DetectEngineHttpServerBodyFileDataTest03(void)
842{
843 TcpSession ssn;
844 Packet *p1 = NULL;
845 Packet *p2 = NULL;
846 ThreadVars th_v;
847 DetectEngineThreadCtx *det_ctx = NULL;
848 HtpState *http_state = NULL;
849 Flow f;
850 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
851 "Host: www.openinfosecfoundation.org\r\n"
852 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
853 "Gecko/20091221 Firefox/3.5.7\r\n"
854 "\r\n";
855 uint32_t http_len1 = sizeof(http_buf1) - 1;
856 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
857 "Content-Type: text/html\r\n"
858 "Content-Length: 33\r\n"
859 "\r\n"
860 "XYZ_klm_1234abcd_XYZ_klm_5678abcd";
861 uint32_t http_len2 = sizeof(http_buf2) - 1;
862 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
863
864 memset(&th_v, 0, sizeof(th_v));
865 memset(&f, 0, sizeof(f));
866 memset(&ssn, 0, sizeof(ssn));
867
868 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
869 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
870
871 FLOW_INITIALIZE(&f);
872 f.protoctx = (void *)&ssn;
873 f.proto = IPPROTO_TCP;
874 f.flags |= FLOW_IPV4;
875
876 p1->flow = &f;
877 p1->flowflags |= FLOW_PKT_TOSERVER;
878 p1->flowflags |= FLOW_PKT_ESTABLISHED;
879 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
880 p2->flow = &f;
881 p2->flowflags |= FLOW_PKT_TOCLIENT;
882 p2->flowflags |= FLOW_PKT_ESTABLISHED;
883 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
884 f.alproto = ALPROTO_HTTP1;
885
886 StreamTcpInitConfig(true);
887
888 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
889 FAIL_IF_NULL(de_ctx);
890 de_ctx->flags |= DE_QUIET;
891
892 Signature *s = DetectEngineAppendSig(de_ctx,
893 "alert http any any -> any any "
894 "(msg:\"match on 1st\"; "
895 "file_data; content:\"XYZ\"; content:\"_klm_\"; distance:0; content:\"abcd\"; "
896 "distance:4; byte_test:4,=,1234,-8,relative,string;"
897 "sid:1;)");
898 FAIL_IF_NULL(s);
899 s = DetectEngineAppendSig(de_ctx,
900 "alert http any any -> any any "
901 "(msg:\"match on 2nd\"; "
902 "file_data; content:\"XYZ\"; content:\"_klm_\"; distance:0; content:\"abcd\"; "
903 "distance:4; byte_test:4,=,5678,-8,relative,string;"
904 "sid:2;)");
905 FAIL_IF_NULL(s);
906
907 SigGroupBuild(de_ctx);
908 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
909
910 int r = AppLayerParserParse(
911 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
912 FAIL_IF(r != 0);
913 http_state = f.alstate;
914 FAIL_IF_NULL(http_state);
915
916 /* do detect */
917 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
918 FAIL_IF(PacketAlertCheck(p1, 1));
919
920 r = AppLayerParserParse(
921 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
922 FAIL_IF(r != 0);
923
924 /* do detect */
925 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
926
927 FAIL_IF_NOT(PacketAlertCheck(p2, 1));
928 FAIL_IF_NOT(PacketAlertCheck(p2, 2));
929
930 AppLayerParserThreadCtxFree(alp_tctx);
931 DetectEngineCtxFree(de_ctx);
932 StreamTcpFreeConfig(true);
933 FLOW_DESTROY(&f);
934 UTHFreePackets(&p1, 1);
935 UTHFreePackets(&p2, 1);
936 PASS;
937}
938
939static int DetectEngineHttpServerBodyFileDataTest04(void)
940{
941
942 const char yaml[] = "\
943%YAML 1.1\n\
944---\n\
945libhtp:\n\
946\n\
947 default-config:\n\
948\n\
949 http-body-inline: yes\n\
950 response-body-minimal-inspect-size: 6\n\
951 response-body-inspect-window: 3\n\
952";
953
954 struct TestSteps steps[] = {
955 { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
956 "Host: www.openinfosecfoundation.org\r\n"
957 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
958 "Gecko/20091221 Firefox/3.5.7\r\n"
959 "\r\n",
960 0, STREAM_TOSERVER, 0 },
961 { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
962 "Content-Type: text/html\r\n"
963 "Content-Length: 6\r\n"
964 "\r\n"
965 "ab",
966 0, STREAM_TOCLIENT, 0 },
967 { (const uint8_t *)"cd", 0, STREAM_TOCLIENT, 1 },
968 { (const uint8_t *)"ef", 0, STREAM_TOCLIENT, 0 },
969 { NULL, 0, 0, 0 },
970 };
971
972 const char *sig = "alert http any any -> any any (file_data; content:\"abcd\"; sid:1;)";
973 return RunTest(steps, sig, yaml);
974}
975
976static int DetectEngineHttpServerBodyFileDataTest05(void)
977{
978
979 const char yaml[] = "\
980%YAML 1.1\n\
981---\n\
982libhtp:\n\
983\n\
984 default-config:\n\
985\n\
986 http-body-inline: yes\n\
987 response-body-minimal-inspect-size: 6\n\
988 response-body-inspect-window: 3\n\
989";
990
991 struct TestSteps steps[] = {
992 { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
993 "Host: www.openinfosecfoundation.org\r\n"
994 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
995 "Gecko/20091221 Firefox/3.5.7\r\n"
996 "\r\n",
997 0, STREAM_TOSERVER, 0 },
998 { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
999 "Content-Type: text/html\r\n"
1000 "Content-Length: 6\r\n"
1001 "\r\n"
1002 "ab",
1003 0, STREAM_TOCLIENT, 0 },
1004 { (const uint8_t *)"cd", 0, STREAM_TOCLIENT, 0 },
1005 { (const uint8_t *)"ef", 0, STREAM_TOCLIENT, 1 },
1006 { NULL, 0, 0, 0 },
1007 };
1008
1009 const char *sig = "alert http any any -> any any (file_data; content:\"abcdef\"; sid:1;)";
1010 return RunTest(steps, sig, yaml);
1011}
1012
1013static int DetectEngineHttpServerBodyFileDataTest06(void)
1014{
1015
1016 const char yaml[] = "\
1017%YAML 1.1\n\
1018---\n\
1019libhtp:\n\
1020\n\
1021 default-config:\n\
1022\n\
1023 http-body-inline: yes\n\
1024 response-body-minimal-inspect-size: 6\n\
1025 response-body-inspect-window: 3\n\
1026";
1027
1028 struct TestSteps steps[] = {
1029 { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1030 "Host: www.openinfosecfoundation.org\r\n"
1031 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1032 "Gecko/20091221 Firefox/3.5.7\r\n"
1033 "\r\n",
1034 0, STREAM_TOSERVER, 0 },
1035 { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1036 "Content-Type: text/html\r\n"
1037 "Content-Length: 6\r\n"
1038 "\r\n"
1039 "ab",
1040 0, STREAM_TOCLIENT, 0 },
1041 { (const uint8_t *)"cd", 0, STREAM_TOCLIENT, 0 },
1042 { (const uint8_t *)"ef", 0, STREAM_TOCLIENT, 1 },
1043 { NULL, 0, 0, 0 },
1044 };
1045
1046 const char *sig =
1047 "alert http any any -> any any (file_data; content:\"bcdef\"; offset:1; sid:1;)";
1048 return RunTest(steps, sig, yaml);
1049}
1050
1051static int DetectEngineHttpServerBodyFileDataTest07(void)
1052{
1053
1054 const char yaml[] = "\
1055%YAML 1.1\n\
1056---\n\
1057libhtp:\n\
1058\n\
1059 default-config:\n\
1060\n\
1061 http-body-inline: yes\n\
1062 response-body-minimal-inspect-size: 6\n\
1063 response-body-inspect-window: 3\n\
1064";
1065
1066 struct TestSteps steps[] = {
1067 { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1068 "Host: www.openinfosecfoundation.org\r\n"
1069 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1070 "Gecko/20091221 Firefox/3.5.7\r\n"
1071 "\r\n",
1072 0, STREAM_TOSERVER, 0 },
1073 { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1074 "Content-Type: text/html\r\n"
1075 "Content-Length: 13\r\n"
1076 "\r\n"
1077 "ab",
1078 0, STREAM_TOCLIENT, 0 },
1079 { (const uint8_t *)"cd", 0, STREAM_TOCLIENT, 1 },
1080 { (const uint8_t *)"123456789", 0, STREAM_TOCLIENT, 0 },
1081 { NULL, 0, 0, 0 },
1082 };
1083
1084 const char *sig =
1085 "alert http any any -> any any (file_data; content:\"bc\"; offset:1; depth:2; sid:1;)";
1086 return RunTest(steps, sig, yaml);
1087}
1088
1089static int DetectEngineHttpServerBodyFileDataTest08(void)
1090{
1091
1092 const char yaml[] = "\
1093%YAML 1.1\n\
1094---\n\
1095libhtp:\n\
1096\n\
1097 default-config:\n\
1098\n\
1099 http-body-inline: yes\n\
1100 response-body-minimal-inspect-size: 6\n\
1101 response-body-inspect-window: 3\n\
1102";
1103
1104 struct TestSteps steps[] = {
1105 { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1106 "Host: www.openinfosecfoundation.org\r\n"
1107 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1108 "Gecko/20091221 Firefox/3.5.7\r\n"
1109 "\r\n",
1110 0, STREAM_TOSERVER, 0 },
1111 { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1112 "Content-Type: text/html\r\n"
1113 "Content-Length: 14\r\n"
1114 "\r\n"
1115 "ab",
1116 0, STREAM_TOCLIENT, 0 },
1117 { (const uint8_t *)"cd", 0, STREAM_TOCLIENT, 0 },
1118 { (const uint8_t *)"1234567890", 0, STREAM_TOCLIENT, 1 },
1119 { NULL, 0, 0, 0 },
1120 };
1121
1122 const char *sig =
1123 "alert http any any -> any any (file_data; content:\"d123456789\"; offset:3; sid:1;)";
1124 return RunTest(steps, sig, yaml);
1125}
1126
1127static int DetectEngineHttpServerBodyFileDataTest09(void)
1128{
1129
1130 const char yaml[] = "\
1131%YAML 1.1\n\
1132---\n\
1133libhtp:\n\
1134\n\
1135 default-config:\n\
1136\n\
1137 http-body-inline: yes\n\
1138 response-body-minimal-inspect-size: 6\n\
1139 response-body-inspect-window: 3\n\
1140";
1141
1142 struct TestSteps steps[] = {
1143 { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1144 "Host: www.openinfosecfoundation.org\r\n"
1145 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1146 "Gecko/20091221 Firefox/3.5.7\r\n"
1147 "\r\n",
1148 0, STREAM_TOSERVER, 0 },
1149 { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1150 "Content-Type: text/html\r\n"
1151 "Content-Length: 13\r\n"
1152 "\r\n"
1153 "ab",
1154 0, STREAM_TOCLIENT, 0 },
1155 { (const uint8_t *)"cd", 0, STREAM_TOCLIENT, 0 },
1156 { (const uint8_t *)"123456789", 0, STREAM_TOCLIENT, 1 },
1157 { NULL, 0, 0, 0 },
1158 };
1159
1160 const char *sig =
1161 "alert http any any -> any any (file_data; content:\"abcd12\"; depth:6; sid:1;)";
1162 return RunTest(steps, sig, yaml);
1163}
1164
1165static int DetectEngineHttpServerBodyFileDataTest10(void)
1166{
1167
1168 const char yaml[] = "\
1169%YAML 1.1\n\
1170---\n\
1171libhtp:\n\
1172\n\
1173 default-config:\n\
1174\n\
1175 http-body-inline: yes\n\
1176 response-body-minimal-inspect-size: 6\n\
1177 response-body-inspect-window: 3\n\
1178";
1179
1180 struct TestSteps steps[] = {
1181 { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1182 "Host: www.openinfosecfoundation.org\r\n"
1183 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1184 "Gecko/20091221 Firefox/3.5.7\r\n"
1185 "\r\n",
1186 0, STREAM_TOSERVER, 0 },
1187 { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1188 "Content-Type: text/html\r\n"
1189 "Content-Length: 5\r\n"
1190 "\r\n"
1191 "ab",
1192 0, STREAM_TOCLIENT, 0 },
1193 { (const uint8_t *)"c", 0, STREAM_TOCLIENT, 1 },
1194 { (const uint8_t *)"de", 0, STREAM_TOCLIENT, 0 },
1195 { NULL, 0, 0, 0 },
1196 };
1197
1198 const char *sig = "alert http any any -> any any (file_data; content:\"abc\"; depth:3; sid:1;)";
1199 return RunTest(steps, sig, yaml);
1200}
1201
1202static int DetectEngineHttpServerBodyFileDataTest11(void)
1203{
1204
1205 const char yaml[] = "\
1206%YAML 1.1\n\
1207---\n\
1208libhtp:\n\
1209\n\
1210 default-config:\n\
1211\n\
1212 http-body-inline: yes\n\
1213 response-body-minimal-inspect-size: 6\n\
1214 response-body-inspect-window: 3\n\
1215";
1216
1217 struct TestSteps steps[] = {
1218 { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1219 "Host: www.openinfosecfoundation.org\r\n"
1220 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1221 "Gecko/20091221 Firefox/3.5.7\r\n"
1222 "\r\n",
1223 0, STREAM_TOSERVER, 0 },
1224 { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1225 "Content-Type: text/html\r\n"
1226 "Content-Length: 5\r\n"
1227 "\r\n"
1228 "ab",
1229 0, STREAM_TOCLIENT, 0 },
1230 { (const uint8_t *)"c", 0, STREAM_TOCLIENT, 0 },
1231 { (const uint8_t *)"de", 0, STREAM_TOCLIENT, 1 },
1232 { NULL, 0, 0, 0 },
1233 };
1234
1235 const char *sig = "alert http any any -> any any (file_data; content:\"bcde\"; offset:1; "
1236 "depth:4; sid:1;)";
1237 return RunTest(steps, sig, yaml);
1238}
1239
1240static int DetectEngineHttpServerBodyFileDataTest12(void)
1241{
1242
1243 const char yaml[] = "\
1244%YAML 1.1\n\
1245---\n\
1246libhtp:\n\
1247\n\
1248 default-config:\n\
1249\n\
1250 http-body-inline: yes\n\
1251 response-body-minimal-inspect-size: 6\n\
1252 response-body-inspect-window: 3\n\
1253";
1254
1255 struct TestSteps steps[] = {
1256 { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1257 "Host: www.openinfosecfoundation.org\r\n"
1258 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1259 "Gecko/20091221 Firefox/3.5.7\r\n"
1260 "\r\n",
1261 0, STREAM_TOSERVER, 0 },
1262 { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1263 "Content-Type: text/html\r\n"
1264 "Content-Length: 13\r\n"
1265 "\r\n"
1266 "a",
1267 0, STREAM_TOCLIENT, 0 },
1268 { (const uint8_t *)"b", 0, STREAM_TOCLIENT, 0 },
1269 { (const uint8_t *)"c", 0, STREAM_TOCLIENT, 0 },
1270 { (const uint8_t *)"d", 0, STREAM_TOCLIENT, 1 },
1271 { (const uint8_t *)"efghijklm", 0, STREAM_TOCLIENT, 0 },
1272 { NULL, 0, 0, 0 },
1273 };
1274
1275 const char *sig = "alert http any any -> any any (file_data; content:\"abcd\"; sid:1;)";
1276 return RunTest(steps, sig, yaml);
1277}
1278
1279static int DetectEngineHttpServerBodyFileDataTest13(void)
1280{
1281
1282 const char yaml[] = "\
1283%YAML 1.1\n\
1284---\n\
1285libhtp:\n\
1286\n\
1287 default-config:\n\
1288\n\
1289 http-body-inline: yes\n\
1290 response-body-minimal-inspect-size: 9\n\
1291 response-body-inspect-window: 12\n\
1292";
1293
1294 struct TestSteps steps[] = {
1295 { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1296 "Host: www.openinfosecfoundation.org\r\n"
1297 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1298 "Gecko/20091221 Firefox/3.5.7\r\n"
1299 "\r\n",
1300 0, STREAM_TOSERVER, 0 },
1301 { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1302 "Content-Type: text/html\r\n"
1303 "Content-Length: 13\r\n"
1304 "\r\n"
1305 "a",
1306 0, STREAM_TOCLIENT, 0 },
1307 { (const uint8_t *)"b", 0, STREAM_TOCLIENT, 0 },
1308 { (const uint8_t *)"c", 0, STREAM_TOCLIENT, 0 },
1309 { (const uint8_t *)"d", 0, STREAM_TOCLIENT, 0 },
1310 { (const uint8_t *)"efghijklm", 0, STREAM_TOCLIENT, 1 },
1311 { NULL, 0, 0, 0 },
1312 };
1313
1314 const char *sig =
1315 "alert http any any -> any any (file_data; content:\"abcdefghijklm\"; sid:1;)";
1316 return RunTest(steps, sig, yaml);
1317}
1318
1319static int DetectEngineHttpServerBodyFileDataTest14(void)
1320{
1321
1322 const char yaml[] = "\
1323%YAML 1.1\n\
1324---\n\
1325libhtp:\n\
1326\n\
1327 default-config:\n\
1328\n\
1329 http-body-inline: yes\n\
1330 response-body-minimal-inspect-size: 9\n\
1331 response-body-inspect-window: 12\n\
1332";
1333
1334 struct TestSteps steps[] = {
1335 { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1336 "Host: www.openinfosecfoundation.org\r\n"
1337 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1338 "Gecko/20091221 Firefox/3.5.7\r\n"
1339 "\r\n",
1340 0, STREAM_TOSERVER, 0 },
1341 { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1342 "Content-Type: text/html\r\n"
1343 "Content-Length: 20\r\n"
1344 "\r\n"
1345 "1234567890",
1346 0, STREAM_TOCLIENT, 0 },
1347 { (const uint8_t *)"abcdefghi", 0, STREAM_TOCLIENT, 1 },
1348 { NULL, 0, 0, 0 },
1349 };
1350
1351 const char *sig = "alert http any any -> any any (file_data; content:\"890abcdefghi\"; sid:1;)";
1352 return RunTest(steps, sig, yaml);
1353}
1354
1355static int DetectEngineHttpServerBodyFileDataTest15(void)
1356{
1357
1358 const char yaml[] = "\
1359%YAML 1.1\n\
1360---\n\
1361libhtp:\n\
1362\n\
1363 default-config:\n\
1364\n\
1365 http-body-inline: yes\n\
1366 response-body-minimal-inspect-size: 9\n\
1367 response-body-inspect-window: 12\n\
1368";
1369
1370 struct TestSteps steps[] = {
1371 { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1372 "Host: www.openinfosecfoundation.org\r\n"
1373 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1374 "Gecko/20091221 Firefox/3.5.7\r\n"
1375 "\r\n",
1376 0, STREAM_TOSERVER, 0 },
1377 { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1378 "Content-Type: text/html\r\n"
1379 "Content-Length: 20\r\n"
1380 "\r\n"
1381 "1234567890",
1382 0, STREAM_TOCLIENT, 0 },
1383 { (const uint8_t *)"abcdefghi", 0, STREAM_TOCLIENT, 0 },
1384 { NULL, 0, 0, 0 },
1385 };
1386
1387 const char *sig =
1388 "alert http any any -> any any (file_data; content:\"7890ab\"; depth:6; sid:1;)";
1389 return RunTest(steps, sig, yaml);
1390}
1391
1392static int DetectEngineHttpServerBodyFileDataTest16(void)
1393{
1394
1395 const char yaml[] = "\
1396%YAML 1.1\n\
1397---\n\
1398libhtp:\n\
1399\n\
1400 default-config:\n\
1401\n\
1402 http-body-inline: yes\n\
1403 response-body-minimal-inspect-size: 9\n\
1404 response-body-inspect-window: 12\n\
1405";
1406
1407 struct TestSteps steps[] = {
1408 { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1409 "Host: www.openinfosecfoundation.org\r\n"
1410 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1411 "Gecko/20091221 Firefox/3.5.7\r\n"
1412 "\r\n",
1413 0, STREAM_TOSERVER, 0 },
1414 { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1415 "Content-Type: text/html\r\n"
1416 "Content-Length: 20\r\n"
1417 "\r\n"
1418 "aaaab",
1419 0, STREAM_TOCLIENT, 0 },
1420 { (const uint8_t *)"bbbbc", 0, STREAM_TOCLIENT, 0 },
1421 { (const uint8_t *)"ccccd", 0, STREAM_TOCLIENT, 0 },
1422 { (const uint8_t *)"dddde", 0, STREAM_TOCLIENT, 0 },
1423 { NULL, 0, 0, 0 },
1424 };
1425
1426 const char *sig =
1427 "alert http any any -> any any (file_data; content:\"aabb\"; depth:4; sid:1;)";
1428 return RunTest(steps, sig, yaml);
1429}
1430
1431static int DetectEngineHttpServerBodyFileDataTest17(void)
1432{
1433
1434 const char yaml[] = "\
1435%YAML 1.1\n\
1436---\n\
1437libhtp:\n\
1438\n\
1439 default-config:\n\
1440\n\
1441 http-body-inline: yes\n\
1442 response-body-minimal-inspect-size: 8\n\
1443 response-body-inspect-window: 4\n\
1444";
1445
1446 struct TestSteps steps[] = {
1447 { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1448 "Host: www.openinfosecfoundation.org\r\n"
1449 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1450 "Gecko/20091221 Firefox/3.5.7\r\n"
1451 "\r\n",
1452 0, STREAM_TOSERVER, 0 },
1453 { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1454 "Content-Type: text/html\r\n"
1455 "Content-Length: 20\r\n"
1456 "\r\n"
1457 "aaaab",
1458 0, STREAM_TOCLIENT, 0 },
1459 { (const uint8_t *)"bbbbc", 0, STREAM_TOCLIENT, 0 },
1460 { (const uint8_t *)"ccccd", 0, STREAM_TOCLIENT, 0 },
1461 { (const uint8_t *)"dddde", 0, STREAM_TOCLIENT, 0 },
1462 { NULL, 0, 0, 0 },
1463 };
1464
1465 const char *sig =
1466 "alert http any any -> any any (file_data; content:\"bbbc\"; depth:4; sid:1;)";
1467 return RunTest(steps, sig, yaml);
1468}
1469
1470static int DetectEngineHttpServerBodyFileDataTest18(void)
1471{
1472
1473 const char yaml[] = "\
1474%YAML 1.1\n\
1475---\n\
1476libhtp:\n\
1477\n\
1478 default-config:\n\
1479\n\
1480 http-body-inline: yes\n\
1481 response-body-minimal-inspect-size: 8\n\
1482 response-body-inspect-window: 4\n\
1483";
1484
1485 struct TestSteps steps[] = {
1486 { (const uint8_t *)"GET /index.html HTTP/1.0\r\n"
1487 "Host: www.openinfosecfoundation.org\r\n"
1488 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1489 "Gecko/20091221 Firefox/3.5.7\r\n"
1490 "\r\n",
1491 0, STREAM_TOSERVER, 0 },
1492 { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
1493 "Content-Type: text/html\r\n"
1494 "Content-Length: 20\r\n"
1495 "\r\n"
1496 "aaaab",
1497 0, STREAM_TOCLIENT, 0 },
1498 { (const uint8_t *)"bbbbc", 0, STREAM_TOCLIENT, 0 },
1499 { (const uint8_t *)"ccccd", 0, STREAM_TOCLIENT, 0 },
1500 { (const uint8_t *)"dddde", 0, STREAM_TOCLIENT, 0 },
1501 { NULL, 0, 0, 0 },
1502 };
1503
1504 const char *sig =
1505 "alert http any any -> any any (file_data; content:\"bccd\"; depth:4; sid:1;)";
1506 return RunTest(steps, sig, yaml);
1507}
1508static int DetectEngineHttpServerBodyFileDataTest19(void)
1509{
1510 char input[] = "\
1511%YAML 1.1\n\
1512---\n\
1513libhtp:\n\
1514\n\
1515 default-config:\n\
1516\n\
1517 swf-decompression:\n\
1518 enabled: yes\n\
1519 type: both\n\
1520 compress-depth: 0\n\
1521 decompress-depth: 0\n\
1522";
1523 uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1524 "Host: www.openinfosecfoundation.org\r\n"
1525 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1526 "Gecko/20091221 Firefox/3.5.7\r\n"
1527 "\r\n";
1528 // clang-format off
1529 uint8_t http_buf2[] = {
1530 'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1531 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '1', '0', '3', 0x0d, 0x0a,
1532 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1533 'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
1534 0x0d, 0x0a,
1535 0x5a, 0x57, 0x53, 0x17, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
1536 0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
1537 0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe,
1538 0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37,
1539 0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0,
1540 0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59, 0x56, 0x06, 0x08, 0xe9,
1541 0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86
1542 };
1543 // clang-format on
1544 struct TestSteps steps[] = {
1545 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1546 { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1547 { NULL, 0, 0, 0 },
1548 };
1549 const char *sig = "alert tcp any any -> any any "
1550 "(flow:established,from_server; "
1551 "file_data; content:\"FWS\"; "
1552 "sid:1;)";
1553 return RunTest(steps, sig, input);
1554}
1555
1556static int DetectEngineHttpServerBodyFileDataTest20(void)
1557{
1558 char input[] = "\
1559%YAML 1.1\n\
1560---\n\
1561libhtp:\n\
1562\n\
1563 default-config:\n\
1564\n\
1565 swf-decompression:\n\
1566 enabled: no\n\
1567 type: both\n\
1568 compress-depth: 0\n\
1569 decompress-depth: 0\n\
1570";
1571 uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1572 "Host: www.openinfosecfoundation.org\r\n"
1573 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1574 "Gecko/20091221 Firefox/3.5.7\r\n"
1575 "\r\n";
1576 // clang-format off
1577 uint8_t http_buf2[] = {
1578 'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1579 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
1580 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1581 'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
1582 0x0d, 0x0a,
1583 0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
1584 0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
1585 0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
1586 0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
1587 0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
1588 };
1589 // clang-format on
1590 struct TestSteps steps[] = {
1591 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1592 { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1593 { NULL, 0, 0, 0 },
1594 };
1595 const char *sig = "alert tcp any any -> any any "
1596 "(flow:established,from_server; "
1597 "file_data; content:\"CWS\"; "
1598 "sid:1;)";
1599 return RunTest(steps, sig, input);
1600}
1601
1602static int DetectEngineHttpServerBodyFileDataTest21(void)
1603{
1604 char input[] = "\
1605%YAML 1.1\n\
1606---\n\
1607libhtp:\n\
1608\n\
1609 default-config:\n\
1610\n\
1611 swf-decompression:\n\
1612 enabled: yes\n\
1613 type: deflate\n\
1614 compress-depth: 0\n\
1615 decompress-depth: 0\n\
1616";
1617 uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1618 "Host: www.openinfosecfoundation.org\r\n"
1619 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1620 "Gecko/20091221 Firefox/3.5.7\r\n"
1621 "\r\n";
1622 // clang-format off
1623 uint8_t http_buf2[] = {
1624 'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1625 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
1626 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1627 'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
1628 0x0d, 0x0a,
1629 0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
1630 0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
1631 0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
1632 0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
1633 0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
1634 };
1635 // clang-format on
1636 struct TestSteps steps[] = {
1637 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1638 { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1639 { NULL, 0, 0, 0 },
1640 };
1641 const char *sig = "alert tcp any any -> any any "
1642 "(flow:established,from_server; "
1643 "file_data; content:\"FWS\"; "
1644 "sid:1;)";
1645 return RunTest(steps, sig, input);
1646}
1647
1648static int DetectEngineHttpServerBodyFileDataTest22(void)
1649{
1650 char input[] = "\
1651%YAML 1.1\n\
1652---\n\
1653libhtp:\n\
1654\n\
1655 default-config:\n\
1656\n\
1657 swf-decompression:\n\
1658 enabled: yes\n\
1659 type: lzma\n\
1660 compress-depth: 0\n\
1661 decompress-depth: 0\n\
1662";
1663 uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1664 "Host: www.openinfosecfoundation.org\r\n"
1665 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1666 "Gecko/20091221 Firefox/3.5.7\r\n"
1667 "\r\n";
1668 // clang-format off
1669 uint8_t http_buf2[] = {
1670 'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1671 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
1672 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1673 'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
1674 0x0d, 0x0a,
1675 0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
1676 0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
1677 0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
1678 0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
1679 0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
1680 };
1681 // clang-format on
1682 struct TestSteps steps[] = {
1683 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1684 { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1685 { NULL, 0, 0, 0 },
1686 };
1687 const char *sig = "alert tcp any any -> any any "
1688 "(flow:established,from_server; "
1689 "file_data; content:\"CWS\"; "
1690 "sid:1;)";
1691 return RunTest(steps, sig, input);
1692}
1693
1694static int DetectEngineHttpServerBodyFileDataTest23(void)
1695{
1696 char input[] = "\
1697%YAML 1.1\n\
1698---\n\
1699libhtp:\n\
1700\n\
1701 default-config:\n\
1702\n\
1703 swf-decompression:\n\
1704 enabled: yes\n\
1705 type: both\n\
1706 compress-depth: 0\n\
1707 decompress-depth: 0\n\
1708";
1709 uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1710 "Host: www.openinfosecfoundation.org\r\n"
1711 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1712 "Gecko/20091221 Firefox/3.5.7\r\n"
1713 "\r\n";
1714 // clang-format off
1715 uint8_t http_buf2[] = {
1716 'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1717 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
1718 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1719 'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
1720 0x0d, 0x0a,
1721 0x43, 0x57, 0x53, 0x01, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
1722 0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
1723 0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
1724 0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
1725 0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
1726 };
1727 // clang-format on
1728 struct TestSteps steps[] = {
1729 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1730 { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1731 { NULL, 0, 0, 0 },
1732 };
1733 const char *sig = "alert tcp any any -> any any "
1734 "(flow:established,from_server; "
1735 "file_data; content:\"CWS\"; "
1736 "sid:1;)";
1737 return RunTest(steps, sig, input);
1738}
1739
1740static int DetectEngineHttpServerBodyFileDataTest24(void)
1741{
1742 char input[] = "\
1743%YAML 1.1\n\
1744---\n\
1745libhtp:\n\
1746\n\
1747 default-config:\n\
1748\n\
1749 swf-decompression:\n\
1750 enabled: yes\n\
1751 type: both\n\
1752 compress-depth: 0\n\
1753 decompress-depth: 0\n\
1754";
1755 uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1756 "Host: www.openinfosecfoundation.org\r\n"
1757 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1758 "Gecko/20091221 Firefox/3.5.7\r\n"
1759 "\r\n";
1760 uint8_t http_buf2[] = { 'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k',
1761 0x0d, 0x0a, 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ',
1762 '1', '0', '3', 0x0d, 0x0a, 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':',
1763 ' ', 'a', 'p', 'p', 'l', 'i', 'c', 'a', 't', 'i', 'o', 'n', '/', 'o', 'c', 't', 'e', 't',
1764 '-', 's', 't', 'r', 'e', 'a', 'm', 0x0d, 0x0a, 0x0d, 0x0a, 0x5a, 0x57, 0x53, 0x17, 0x5c,
1765 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20, 0x00, 0x00, 0x3b, 0xff,
1766 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f,
1767 0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c,
1768 0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01,
1769 0x37, 0x0e, 0xe9, 0xf2, 0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0,
1770 0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59, 0x56, 0x06, 0x08,
1771 0xe9, 0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86 };
1772 struct TestSteps steps[] = {
1773 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1774 { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1775 { NULL, 0, 0, 0 },
1776 };
1777 const char *sig = "alert tcp any any -> any any "
1778 "(flow:established,from_server; "
1779 "file_data; content:\"FWS\"; "
1780 "sid:1;)";
1781 return RunTest(steps, sig, input);
1782}
1783
1784static int DetectEngineHttpServerBodyFileDataTest25(void)
1785{
1786 char input[] = "\
1787%YAML 1.1\n\
1788---\n\
1789libhtp:\n\
1790\n\
1791 default-config:\n\
1792\n\
1793 swf-decompression:\n\
1794 enabled: no\n\
1795 type: both\n\
1796 compress-depth: 0\n\
1797 decompress-depth: 0\n\
1798";
1799 uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1800 "Host: www.openinfosecfoundation.org\r\n"
1801 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1802 "Gecko/20091221 Firefox/3.5.7\r\n"
1803 "\r\n";
1804 uint8_t http_buf2[] = { 'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k',
1805 0x0d, 0x0a, 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ',
1806 '1', '0', '3', 0x0d, 0x0a, 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':',
1807 ' ', 'a', 'p', 'p', 'l', 'i', 'c', 'a', 't', 'i', 'o', 'n', '/', 'o', 'c', 't', 'e', 't',
1808 '-', 's', 't', 'r', 'e', 'a', 'm', 0x0d, 0x0a, 0x0d, 0x0a, 0x5a, 0x57, 0x53, 0x17, 0x5c,
1809 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20, 0x00, 0x00, 0x3b, 0xff,
1810 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f,
1811 0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c,
1812 0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01,
1813 0x37, 0x0e, 0xe9, 0xf2, 0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0,
1814 0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59, 0x56, 0x06, 0x08,
1815 0xe9, 0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86 };
1816 struct TestSteps steps[] = {
1817 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1818 { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1819 { NULL, 0, 0, 0 },
1820 };
1821 const char *sig = "alert tcp any any -> any any "
1822 "(flow:established,from_server; "
1823 "file_data; content:\"ZWS\"; "
1824 "sid:1;)";
1825 return RunTest(steps, sig, input);
1826}
1827
1828static int DetectEngineHttpServerBodyFileDataTest26(void)
1829{
1830 char input[] = "\
1831%YAML 1.1\n\
1832---\n\
1833libhtp:\n\
1834\n\
1835 default-config:\n\
1836\n\
1837 swf-decompression:\n\
1838 enabled: yes\n\
1839 type: lzma\n\
1840 compress-depth: 0\n\
1841 decompress-depth: 0\n\
1842";
1843 uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1844 "Host: www.openinfosecfoundation.org\r\n"
1845 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1846 "Gecko/20091221 Firefox/3.5.7\r\n"
1847 "\r\n";
1848 uint8_t http_buf2[] = { 'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k',
1849 0x0d, 0x0a, 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ',
1850 '1', '0', '3', 0x0d, 0x0a, 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':',
1851 ' ', 'a', 'p', 'p', 'l', 'i', 'c', 'a', 't', 'i', 'o', 'n', '/', 'o', 'c', 't', 'e', 't',
1852 '-', 's', 't', 'r', 'e', 'a', 'm', 0x0d, 0x0a, 0x0d, 0x0a, 0x5a, 0x57, 0x53, 0x17, 0x5c,
1853 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20, 0x00, 0x00, 0x3b, 0xff,
1854 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f,
1855 0xd0, 0x7e, 0x61, 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c,
1856 0x46, 0x49, 0xb7, 0x7b, 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01,
1857 0x37, 0x0e, 0xe9, 0xf2, 0xe1, 0xfc, 0x9e, 0x64, 0xda, 0x6c, 0x11, 0x21, 0x33, 0xed, 0xa0,
1858 0x0e, 0x76, 0x70, 0xa0, 0xcd, 0x98, 0x2e, 0x76, 0x80, 0xf0, 0xe0, 0x59, 0x56, 0x06, 0x08,
1859 0xe9, 0xca, 0xeb, 0xa2, 0xc6, 0xdb, 0x5a, 0x86 };
1860 struct TestSteps steps[] = {
1861 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1862 { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1863 { NULL, 0, 0, 0 },
1864 };
1865 const char *sig = "alert tcp any any -> any any "
1866 "(flow:established,from_server; "
1867 "file_data; content:\"FWS\"; "
1868 "sid:1;)";
1869 return RunTest(steps, sig, input);
1870}
1871
1872static int DetectEngineHttpServerBodyFileDataTest27(void)
1873{
1874 char input[] = "\
1875%YAML 1.1\n\
1876---\n\
1877libhtp:\n\
1878\n\
1879 default-config:\n\
1880\n\
1881 swf-decompression:\n\
1882 enabled: yes\n\
1883 type: deflate\n\
1884 compress-depth: 0\n\
1885 decompress-depth: 0\n\
1886";
1887 uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1888 "Host: www.openinfosecfoundation.org\r\n"
1889 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1890 "Gecko/20091221 Firefox/3.5.7\r\n"
1891 "\r\n";
1892 // clang-format off
1893 uint8_t http_buf2[] = {
1894 'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1895 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
1896 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1897 'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
1898 0x0d, 0x0a,
1899 0x5a, 0x57, 0x53, 0x17, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
1900 0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
1901 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61,
1902 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b,
1903 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1,
1904 };
1905 // clang-format on
1906 struct TestSteps steps[] = {
1907 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1908 { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1909 { NULL, 0, 0, 0 },
1910 };
1911 const char *sig = "alert tcp any any -> any any "
1912 "(flow:established,from_server; "
1913 "file_data; content:\"ZWS\"; "
1914 "sid:1;)";
1915 return RunTest(steps, sig, input);
1916}
1917
1918static int DetectEngineHttpServerBodyFileDataTest28(void)
1919{
1920 char input[] = "\
1921%YAML 1.1\n\
1922---\n\
1923libhtp:\n\
1924\n\
1925 default-config:\n\
1926\n\
1927 swf-decompression:\n\
1928 enabled: yes\n\
1929 type: both\n\
1930 compress-depth: 0\n\
1931 decompress-depth: 0\n\
1932";
1933 uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1934 "Host: www.openinfosecfoundation.org\r\n"
1935 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1936 "Gecko/20091221 Firefox/3.5.7\r\n"
1937 "\r\n";
1938 // clang-format off
1939 uint8_t http_buf2[] = {
1940 'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1941 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
1942 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1943 'a','p','p','l','i','c','a','t','i','o','n','/','o','c','t','e','t','-','s','t','r','e','a','m', 0x0d, 0x0a,
1944 0x0d, 0x0a,
1945 0x5a, 0x57, 0x53, 0x01, 0x5c, 0x24, 0x00, 0x00, 0xb7, 0x21, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x20,
1946 0x00, 0x00, 0x3b, 0xff, 0xfc, 0x8e, 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85,
1947 0x19, 0xfa, 0xdf, 0xe7, 0x66, 0x08, 0xa0, 0x3d, 0x3e, 0x85, 0xf5, 0x75, 0x6f, 0xd0, 0x7e, 0x61,
1948 0x35, 0x1b, 0x1a, 0x8b, 0x16, 0x4d, 0xdf, 0x05, 0x32, 0xfe, 0xa4, 0x4c, 0x46, 0x49, 0xb7, 0x7b,
1949 0x6b, 0x75, 0xf9, 0x2b, 0x5c, 0x37, 0x29, 0x0b, 0x91, 0x37, 0x01, 0x37, 0x0e, 0xe9, 0xf2, 0xe1,
1950 };
1951 // clang-format on
1952 struct TestSteps steps[] = {
1953 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
1954 { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
1955 { NULL, 0, 0, 0 },
1956 };
1957 const char *sig = "alert tcp any any -> any any "
1958 "(flow:established,from_server; "
1959 "file_data; content:\"ZWS\"; "
1960 "sid:1;)";
1961 return RunTest(steps, sig, input);
1962}
1963
1964static int DetectEngineHttpServerBodyFileDataTest29(void)
1965{
1966 char input[] = "\
1967%YAML 1.1\n\
1968---\n\
1969libhtp:\n\
1970\n\
1971 default-config:\n\
1972\n\
1973 swf-decompression:\n\
1974 enabled: yes\n\
1975 type: both\n\
1976 compress-depth: 1000\n\
1977 decompress-depth: 0\n\
1978";
1979 uint8_t http_buf1[] = "GET /file.swf HTTP/1.0\r\n"
1980 "Host: www.openinfosecfoundation.org\r\n"
1981 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
1982 "Gecko/20091221 Firefox/3.5.7\r\n"
1983 "\r\n";
1984 // clang-format off
1985 uint8_t http_buf2[] = {
1986 'H', 'T', 'T', 'P', '/', '1', '.', '1', ' ', '2', '0', '0', 'o', 'k', 0x0d, 0x0a,
1987 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'L', 'e', 'n', 'g', 't', 'h', ':', ' ', '8', '0', 0x0d, 0x0a,
1988 'C', 'o', 'n', 't', 'e', 'n', 't', '-', 'T', 'y', 'p', 'e', ':', ' ',
1989 'a','p','p','l','i','c','a','t','i','o','n','/','x','-','s','h','o','c','k','w','a','v','e','-','f','l','a','s','h', 0x0d, 0x0a,
1990 0x0d, 0x0a,
1991 0x43, 0x57, 0x53, 0x0a, 0xcb, 0x6c, 0x00, 0x00, 0x78, 0xda, 0xad, 0xbd, 0x07, 0x98, 0x55, 0x55,
1992 0x9e, 0xee, 0xbd, 0x4f, 0xd8, 0xb5, 0x4e, 0x15, 0xc1, 0xc2, 0x80, 0x28, 0x86, 0xd2, 0x2e, 0x5a,
1993 0xdb, 0x46, 0xd9, 0x39, 0x38, 0xdd, 0x4e, 0x1b, 0xa8, 0x56, 0x5b, 0xc5, 0x6b, 0xe8, 0x76, 0xfa,
1994 0x0e, 0xc2, 0x8e, 0x50, 0x76, 0x51, 0xc5, 0x54, 0x15, 0x88, 0x73, 0xc3, 0xd0, 0x88, 0x39, 0x81,
1995 0x98, 0x63, 0x91, 0x93, 0x8a, 0x82, 0x89, 0x60, 0x00, 0xcc, 0xb1, 0x00, 0x01, 0x73, 0xce, 0x39,
1996 };
1997 // clang-format on
1998 struct TestSteps steps[] = {
1999 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2000 { (const uint8_t *)http_buf2, sizeof(http_buf2), STREAM_TOCLIENT, 1 },
2001 { NULL, 0, 0, 0 },
2002 };
2003 const char *sig = "alert tcp any any -> any any "
2004 "(flow:established,from_server; "
2005 "file_data; content:\"FWS\"; "
2006 "sid:1;)";
2007 return RunTest(steps, sig, input);
2008}
2009
2010/**
2011 *\test Test that the http_server_body content matches against a http request
2012 * which holds the content.
2013 */
2014static int DetectHttpServerBodyTest06(void)
2015{
2016 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2017 "Host: www.openinfosecfoundation.org\r\n"
2018 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2019 "Gecko/20091221 Firefox/3.5.7\r\n"
2020 "\r\n";
2021 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2022 "Content-Type: text/html\r\n"
2023 "Content-Length: 7\r\n"
2024 "\r\n"
2025 "message";
2026 struct TestSteps steps[] = {
2027 { (const uint8_t *)http_buf, sizeof(http_buf) - 1, STREAM_TOSERVER, 0 },
2028 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
2029 { NULL, 0, 0, 0 },
2030 };
2031 const char *sig = "alert http any any -> any any "
2032 "(msg:\"http server body test\"; "
2033 "content:\"message\"; http_server_body; "
2034 "sid:1;)";
2035 return RunTest(steps, sig, NULL);
2036}
2037
2038/**
2039 *\test Test that the http_server_body content matches against a http request
2040 * which holds the content.
2041 */
2042static int DetectHttpServerBodyTest07(void)
2043{
2044 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2045 "Host: www.openinfosecfoundation.org\r\n"
2046 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2047 "Gecko/20091221 Firefox/3.5.7\r\n"
2048 "\r\n";
2049 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2050 "Content-Type: text/html\r\n"
2051 "Content-Length: 14\r\n"
2052 "\r\n";
2053 uint8_t http_buf3[] = "message";
2054 struct TestSteps steps[] = {
2055 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2056 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2057 { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT | STREAM_EOF, 1 },
2058 { NULL, 0, 0, 0 },
2059 };
2060 const char *sig = "alert http any any -> any any "
2061 "(msg:\"http server body test\"; "
2062 "content:\"message\"; http_server_body; "
2063 "sid:1;)";
2064 return RunTest(steps, sig, NULL);
2065}
2066
2067/**
2068 *\test Test that the http_server_body content matches against a http request
2069 * which holds the content.
2070 */
2071static int DetectHttpServerBodyTest08(void)
2072{
2073 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2074 "Host: www.openinfosecfoundation.org\r\n"
2075 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2076 "Gecko/20091221 Firefox/3.5.7\r\n"
2077 "\r\n";
2078 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2079 "Content-Type: text/html\r\n"
2080 "Content-Length: 14\r\n"
2081 "\r\n"
2082 "bigmes";
2083 uint8_t http_buf3[] = "sage4u!!";
2084 struct TestSteps steps[] = {
2085 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2086 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2087 { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 1 },
2088 { NULL, 0, 0, 0 },
2089 };
2090 const char *sig = "alert http any any -> any any "
2091 "(msg:\"http client body test\"; "
2092 "content:\"message\"; http_server_body; "
2093 "sid:1;)";
2094 return RunTest(steps, sig, NULL);
2095}
2096
2097/**
2098 *\test Test that the http_server_body content matches against a http request
2099 * which holds the content.
2100 */
2101static int DetectHttpServerBodyTest09(void)
2102{
2103 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2104 "Host: www.openinfosecfoundation.org\r\n"
2105 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2106 "Gecko/20091221 Firefox/3.5.7\r\n"
2107 "\r\n";
2108 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2109 "Content-Type: text/html\r\n"
2110 "Content-Length: 14\r\n"
2111 "\r\n"
2112 "bigmes";
2113 uint8_t http_buf3[] = "sag";
2114 uint8_t http_buf4[] = "e4u!!";
2115 struct TestSteps steps[] = {
2116 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2117 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2118 { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
2119 { (const uint8_t *)http_buf4, sizeof(http_buf4) - 1, STREAM_TOCLIENT, 1 },
2120 { NULL, 0, 0, 0 },
2121 };
2122 const char *sig = "alert http any any -> any any "
2123 "(msg:\"http client body test\"; "
2124 "content:\"message\"; http_server_body; "
2125 "sid:1;)";
2126 return RunTest(steps, sig, NULL);
2127}
2128
2129/**
2130 *\test Test that the http_server_body content matches against a http request
2131 * which holds the content. Case insensitive.
2132 */
2133static int DetectHttpServerBodyTest10(void)
2134{
2135 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2136 "Host: www.openinfosecfoundation.org\r\n"
2137 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2138 "Gecko/20091221 Firefox/3.5.7\r\n"
2139 "\r\n";
2140 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2141 "Content-Type: text/html\r\n"
2142 "Content-Length: 14\r\n"
2143 "\r\n"
2144 "bigmes";
2145 uint8_t http_buf3[] = "sag";
2146 uint8_t http_buf4[] =
2147 "e4u!!";
2148 struct TestSteps steps[] = {
2149 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2150 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2151 { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
2152 { (const uint8_t *)http_buf4, sizeof(http_buf4) - 1, STREAM_TOCLIENT, 1 },
2153 { NULL, 0, 0, 0 },
2154 };
2155 const char *sig = "alert http any any -> any any "
2156 "(msg:\"http client body test\"; "
2157 "content:\"MeSSaGE\"; http_server_body; nocase; "
2158 "sid:1;)";
2159 return RunTest(steps, sig, NULL);
2160}
2161
2162/**
2163 *\test Test that the http_server_body content matches against a http request
2164 * which holds the content. Negated match.
2165 */
2166static int DetectHttpServerBodyTest11(void)
2167{
2168 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2169 "Host: www.openinfosecfoundation.org\r\n"
2170 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2171 "Gecko/20091221 Firefox/3.5.7\r\n"
2172 "\r\n";
2173 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2174 "Content-Type: text/html\r\n"
2175 "Content-Length: 14\r\n"
2176 "\r\n";
2177 uint8_t http_buf3[] = "bigmessage4u!!";
2178 struct TestSteps steps[] = {
2179 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2180 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2181 { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 1 },
2182 { NULL, 0, 0, 0 },
2183 };
2184 const char *sig = "alert http any any -> any any "
2185 "(msg:\"http client body test\"; "
2186 "content:!\"MaSSaGE\"; http_server_body; nocase; "
2187 "sid:1;)";
2188 return RunTest(steps, sig, NULL);
2189}
2190
2191/**
2192 *\test Test that the http_server_body content matches against a http request
2193 * which holds the content. Negated match.
2194 */
2195static int DetectHttpServerBodyTest12(void)
2196{
2197 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2198 "Host: www.openinfosecfoundation.org\r\n"
2199 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2200 "Gecko/20091221 Firefox/3.5.7\r\n"
2201 "\r\n";
2202 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2203 "Content-Type: text/html\r\n"
2204 "Content-Length: 14\r\n"
2205 "\r\n";
2206 uint8_t http_buf3[] = "bigmessage4u!!";
2207 struct TestSteps steps[] = {
2208 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2209 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2210 { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
2211 { NULL, 0, 0, 0 },
2212 };
2213 const char *sig = "alert http any any -> any any "
2214 "(msg:\"http client body test\"; "
2215 "content:!\"MeSSaGE\"; http_server_body; nocase; "
2216 "sid:1;)";
2217 return RunTest(steps, sig, NULL);
2218}
2219
2220static int DetectHttpServerBodyTest13(void)
2221{
2222 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2223 "Host: www.openinfosecfoundation.org\r\n"
2224 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2225 "Gecko/20091221 Firefox/3.5.7\r\n"
2226 "\r\n";
2227 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2228 "Content-Type: text/html\r\n"
2229 "Content-Length: 55\r\n"
2230 "\r\n"
2231 "longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend";
2232 struct TestSteps steps[] = {
2233 { (const uint8_t *)http_buf, sizeof(http_buf) - 1, STREAM_TOSERVER, 0 },
2234 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
2235 { NULL, 0, 0, 0 },
2236 };
2237 const char *sig = "alert http any any -> any any "
2238 "(msg:\"http server body test\"; "
2239 "content:\"longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\"; "
2240 "http_server_body; "
2241 "sid:1;)";
2242 return RunTest(steps, sig, NULL);
2243}
2244
2245/** \test multiple http transactions and body chunks of request handling */
2246static int DetectHttpServerBodyTest14(void)
2247{
2248 int result = 0;
2249 Signature *s = NULL;
2250 DetectEngineThreadCtx *det_ctx = NULL;
2251 ThreadVars th_v;
2252 Flow f;
2253 TcpSession ssn;
2254 Packet *p = NULL;
2255 uint8_t httpbuf1[] = "GET /index1.html HTTP/1.1\r\n"
2256 "User-Agent: Mozilla/1.0\r\n"
2257 "Host: www.openinfosecfoundation.org\r\n"
2258 "Connection: keep-alive\r\n"
2259 "Cookie: dummy1\r\n\r\n";
2260 uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2261 uint8_t httpbuf2[] = "HTTP/1.1 200 ok\r\n"
2262 "Content-Type: text/html\r\n"
2263 "Content-Length: 3\r\n"
2264 "\r\n"
2265 "one";
2266 uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
2267 uint8_t httpbuf3[] = "GET /index2.html HTTP/1.1\r\n"
2268 "User-Agent: Firefox/1.0\r\n"
2269 "Host: www.openinfosecfoundation.org\r\n"
2270 "Connection: keep-alive\r\n"
2271 "Cookie: dummy2\r\n\r\n";
2272 uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
2273 uint8_t httpbuf4[] = "HTTP/1.1 200 ok\r\n"
2274 "Content-Type: text/html\r\n"
2275 "Content-Length: 3\r\n"
2276 "\r\n"
2277 "two";
2278 uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
2279 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2280
2281 memset(&th_v, 0, sizeof(th_v));
2282 memset(&f, 0, sizeof(f));
2283 memset(&ssn, 0, sizeof(ssn));
2284
2285 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2286
2287 FLOW_INITIALIZE(&f);
2288 f.protoctx = (void *)&ssn;
2289 f.proto = IPPROTO_TCP;
2290 f.flags |= FLOW_IPV4;
2291
2292 p->flow = &f;
2293 p->flowflags |= FLOW_PKT_TOCLIENT;
2294 p->flowflags |= FLOW_PKT_ESTABLISHED;
2295 p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
2296 f.alproto = ALPROTO_HTTP1;
2297
2298 StreamTcpInitConfig(true);
2299
2300 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2301 if (de_ctx == NULL) {
2302 goto end;
2303 }
2304
2305 de_ctx->flags |= DE_QUIET;
2306
2307 s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; "
2308 "content:\"one\"; http_server_body; sid:1; rev:1;)");
2309 if (s == NULL) {
2310 printf("sig parse failed: ");
2311 goto end;
2312 }
2313 s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; "
2314 "content:\"two\"; http_server_body; sid:2; rev:1;)");
2315 if (s == NULL) {
2316 printf("sig2 parse failed: ");
2317 goto end;
2318 }
2319
2320 SigGroupBuild(de_ctx);
2321 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2322
2323 SCLogDebug("add chunk 1");
2324
2325 int r = AppLayerParserParse(
2326 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
2327 if (r != 0) {
2328 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2329 goto end;
2330 }
2331
2332 SCLogDebug("add chunk 2");
2333
2334 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
2335 if (r != 0) {
2336 printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
2337 goto end;
2338 }
2339
2340 SCLogDebug("inspect chunk 1");
2341
2342 /* do detect */
2343 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2344 if (!(PacketAlertCheck(p, 1))) {
2345 printf("sig 1 didn't alert (tx 1): ");
2346 goto end;
2347 }
2348 p->alerts.cnt = 0;
2349
2350 SCLogDebug("add chunk 3");
2351
2352 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
2353 if (r != 0) {
2354 printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
2355 goto end;
2356 }
2357
2358 SCLogDebug("add chunk 4");
2359
2360 r = AppLayerParserParse(
2361 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, httpbuf4, httplen4);
2362 if (r != 0) {
2363 printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
2364 goto end;
2365 }
2366
2367 SCLogDebug("inspect chunk 4");
2368
2369 /* do detect */
2370 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2371 if ((PacketAlertCheck(p, 1))) {
2372 printf("sig 1 alerted (tx 2): ");
2373 goto end;
2374 }
2375 if (!(PacketAlertCheck(p, 2))) {
2376 printf("sig 2 didn't alert (tx 2): ");
2377 goto end;
2378 }
2379 p->alerts.cnt = 0;
2380
2381 HtpState *htp_state = f.alstate;
2382 if (htp_state == NULL) {
2383 printf("no http state: ");
2384 goto end;
2385 }
2386
2387 if (AppLayerParserGetTxCnt(&f, htp_state) != 2) {
2388 printf("The http app layer doesn't have 2 transactions, but it should: ");
2389 goto end;
2390 }
2391
2392 result = 1;
2393end:
2394 if (alp_tctx != NULL)
2395 AppLayerParserThreadCtxFree(alp_tctx);
2396 if (det_ctx != NULL) {
2397 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2398 }
2399 if (de_ctx != NULL) {
2400 DetectEngineCtxFree(de_ctx);
2401 }
2402
2403 StreamTcpFreeConfig(true);
2404 FLOW_DESTROY(&f);
2405 UTHFreePacket(p);
2406 return result;
2407}
2408
2409static int DetectHttpServerBodyTest15(void)
2410{
2411 int result = 0;
2412 Signature *s = NULL;
2413 DetectEngineThreadCtx *det_ctx = NULL;
2414 ThreadVars th_v;
2415 Flow f;
2416 TcpSession ssn;
2417 Packet *p = NULL;
2418 uint8_t httpbuf1[] = "GET /index1.html HTTP/1.1\r\n"
2419 "User-Agent: Mozilla/1.0\r\n"
2420 "Host: www.openinfosecfoundation.org\r\n"
2421 "Connection: keep-alive\r\n"
2422 "Cookie: dummy1\r\n\r\n";
2423 uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2424 uint8_t httpbuf2[] = "HTTP/1.1 200 ok\r\n"
2425 "Content-Type: text/html\r\n"
2426 "Content-Length: 3\r\n"
2427 "\r\n"
2428 "one";
2429 uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
2430 uint8_t httpbuf3[] = "GET /index2.html HTTP/1.1\r\n"
2431 "User-Agent: Firefox/1.0\r\n"
2432 "Host: www.openinfosecfoundation.org\r\n"
2433 "Connection: keep-alive\r\n"
2434 "Cookie: dummy2\r\n\r\n";
2435 uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
2436 uint8_t httpbuf4[] = "HTTP/1.1 200 ok\r\n"
2437 "Content-Type: text/html\r\n"
2438 "Content-Length: 3\r\n"
2439 "\r\n"
2440 "two";
2441 uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
2442 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2443
2444 memset(&th_v, 0, sizeof(th_v));
2445 memset(&f, 0, sizeof(f));
2446 memset(&ssn, 0, sizeof(ssn));
2447
2448 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2449
2450 FLOW_INITIALIZE(&f);
2451 f.protoctx = (void *)&ssn;
2452 f.proto = IPPROTO_TCP;
2453 f.flags |= FLOW_IPV4;
2454
2455 p->flow = &f;
2456 p->flowflags |= FLOW_PKT_TOCLIENT;
2457 p->flowflags |= FLOW_PKT_ESTABLISHED;
2458 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2459 f.alproto = ALPROTO_HTTP1;
2460
2461 StreamTcpInitConfig(true);
2462
2463 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2464 if (de_ctx == NULL) {
2465 goto end;
2466 }
2467
2468 de_ctx->flags |= DE_QUIET;
2469
2470 s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; "
2471 "content:\"one\"; http_server_body; sid:1; rev:1;)");
2472 if (s == NULL) {
2473 printf("sig parse failed: ");
2474 goto end;
2475 }
2476 s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; "
2477 "content:\"two\"; http_server_body; sid:2; rev:1;)");
2478 if (s == NULL) {
2479 printf("sig2 parse failed: ");
2480 goto end;
2481 }
2482
2483 SigGroupBuild(de_ctx);
2484 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2485
2486 int r = AppLayerParserParse(
2487 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
2488 if (r != 0) {
2489 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2490 goto end;
2491 }
2492
2493 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
2494 if (r != 0) {
2495 printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
2496 goto end;
2497 }
2498
2499 /* do detect */
2500 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2501 if (!(PacketAlertCheck(p, 1))) {
2502 printf("sig 1 didn't alert (tx 1): ");
2503 goto end;
2504 }
2505 if (PacketAlertCheck(p, 2)) {
2506 printf("sig 2 alerted (tx 1): ");
2507 goto end;
2508 }
2509 p->alerts.cnt = 0;
2510
2511 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
2512 if (r != 0) {
2513 printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
2514 goto end;
2515 }
2516
2517 r = AppLayerParserParse(
2518 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, httpbuf4, httplen4);
2519 if (r != 0) {
2520 printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
2521 goto end;
2522 }
2523
2524 /* do detect */
2525 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2526 if ((PacketAlertCheck(p, 1))) {
2527 printf("sig 1 alerted (tx 2): ");
2528 goto end;
2529 }
2530 if (!(PacketAlertCheck(p, 2))) {
2531 printf("sig 2 didn't alert (tx 2): ");
2532 goto end;
2533 }
2534 p->alerts.cnt = 0;
2535
2536 HtpState *htp_state = f.alstate;
2537 if (htp_state == NULL) {
2538 printf("no http state: ");
2539 goto end;
2540 }
2541
2542 if (AppLayerParserGetTxCnt(&f, htp_state) != 2) {
2543 printf("The http app layer doesn't have 2 transactions, but it should: ");
2544 goto end;
2545 }
2546
2547 result = 1;
2548end:
2549 if (alp_tctx != NULL)
2550 AppLayerParserThreadCtxFree(alp_tctx);
2551 if (det_ctx != NULL) {
2552 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2553 }
2554 if (de_ctx != NULL) {
2555 DetectEngineCtxFree(de_ctx);
2556 }
2557
2558 StreamTcpFreeConfig(true);
2559 FLOW_DESTROY(&f);
2560 UTHFreePacket(p);
2561 return result;
2562}
2563
2564/**
2565 *\test Test that the http_server_body content matches against a http request
2566 * which holds the content.
2567 */
2568static int DetectHttpServerBodyFileDataTest01(void)
2569{
2570 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2571 "Host: www.openinfosecfoundation.org\r\n"
2572 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2573 "Gecko/20091221 Firefox/3.5.7\r\n"
2574 "\r\n";
2575 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2576 "Content-Type: text/html\r\n"
2577 "Content-Length: 7\r\n"
2578 "\r\n"
2579 "message";
2580 struct TestSteps steps[] = {
2581 { (const uint8_t *)http_buf, sizeof(http_buf) - 1, STREAM_TOSERVER, 0 },
2582 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
2583 { NULL, 0, 0, 0 },
2584 };
2585 const char *sig = "alert http any any -> any any "
2586 "(msg:\"http server body test\"; "
2587 "file_data; content:\"message\"; "
2588 "sid:1;)";
2589 return RunTest(steps, sig, NULL);
2590}
2591
2592/**
2593 *\test Test that the http_server_body content matches against a http request
2594 * which holds the content.
2595 */
2596static int DetectHttpServerBodyFileDataTest02(void)
2597{
2598 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2599 "Host: www.openinfosecfoundation.org\r\n"
2600 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2601 "Gecko/20091221 Firefox/3.5.7\r\n"
2602 "\r\n";
2603 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2604 "Content-Type: text/html\r\n"
2605 "Content-Length: 14\r\n"
2606 "\r\n";
2607 uint8_t http_buf3[] = "message";
2608 struct TestSteps steps[] = {
2609 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2610 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2611 { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT | STREAM_EOF, 1 },
2612 { NULL, 0, 0, 0 },
2613 };
2614 const char *sig = "alert http any any -> any any "
2615 "(msg:\"http server body test\"; "
2616 "file_data; content:\"message\"; "
2617 "sid:1;)";
2618 return RunTest(steps, sig, NULL);
2619}
2620
2621/**
2622 *\test Test that the http_server_body content matches against a http request
2623 * which holds the content.
2624 */
2625static int DetectHttpServerBodyFileDataTest03(void)
2626{
2627 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2628 "Host: www.openinfosecfoundation.org\r\n"
2629 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2630 "Gecko/20091221 Firefox/3.5.7\r\n"
2631 "\r\n";
2632 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2633 "Content-Type: text/html\r\n"
2634 "Content-Length: 14\r\n"
2635 "\r\n"
2636 "bigmes";
2637 uint8_t http_buf3[] = "sage4u!!";
2638 struct TestSteps steps[] = {
2639 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2640 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2641 { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 1 },
2642 { NULL, 0, 0, 0 },
2643 };
2644 const char *sig = "alert http any any -> any any "
2645 "(msg:\"http server body test\"; "
2646 "file_data; content:\"message\"; "
2647 "sid:1;)";
2648 return RunTest(steps, sig, NULL);
2649}
2650
2651/**
2652 *\test Test that the http_server_body content matches against a http request
2653 * which holds the content.
2654 */
2655static int DetectHttpServerBodyFileDataTest04(void)
2656{
2657 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2658 "Host: www.openinfosecfoundation.org\r\n"
2659 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2660 "Gecko/20091221 Firefox/3.5.7\r\n"
2661 "\r\n";
2662 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2663 "Content-Type: text/html\r\n"
2664 "Content-Length: 14\r\n"
2665 "\r\n"
2666 "bigmes";
2667 uint8_t http_buf3[] = "sag";
2668 uint8_t http_buf4[] = "e4u!!";
2669 struct TestSteps steps[] = {
2670 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2671 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2672 { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
2673 { (const uint8_t *)http_buf4, sizeof(http_buf4) - 1, STREAM_TOCLIENT, 1 },
2674 { NULL, 0, 0, 0 },
2675 };
2676 const char *sig = "alert http any any -> any any "
2677 "(msg:\"http server body test\"; "
2678 "file_data; content:\"message\"; "
2679 "sid:1;)";
2680 return RunTest(steps, sig, NULL);
2681}
2682
2683/**
2684 *\test Test that the http_server_body content matches against a http request
2685 * which holds the content. Case insensitive.
2686 */
2687static int DetectHttpServerBodyFileDataTest05(void)
2688{
2689 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2690 "Host: www.openinfosecfoundation.org\r\n"
2691 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2692 "Gecko/20091221 Firefox/3.5.7\r\n"
2693 "\r\n";
2694 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2695 "Content-Type: text/html\r\n"
2696 "Content-Length: 14\r\n"
2697 "\r\n"
2698 "bigmes";
2699 uint8_t http_buf3[] = "sag";
2700 uint8_t http_buf4[] = "e4u!!";
2701 struct TestSteps steps[] = {
2702 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2703 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2704 { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
2705 { (const uint8_t *)http_buf4, sizeof(http_buf4) - 1, STREAM_TOCLIENT, 1 },
2706 { NULL, 0, 0, 0 },
2707 };
2708 const char *sig = "alert http any any -> any any "
2709 "(msg:\"http client body test\"; "
2710 "file_data; content:\"MeSSaGE\"; nocase; "
2711 "sid:1;)";
2712 return RunTest(steps, sig, NULL);
2713}
2714
2715/**
2716 *\test Test that the http_server_body content matches against a http request
2717 * which holds the content. Negated match.
2718 */
2719static int DetectHttpServerBodyFileDataTest06(void)
2720{
2721 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2722 "Host: www.openinfosecfoundation.org\r\n"
2723 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2724 "Gecko/20091221 Firefox/3.5.7\r\n"
2725 "\r\n";
2726 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2727 "Content-Type: text/html\r\n"
2728 "Content-Length: 14\r\n"
2729 "\r\n";
2730 uint8_t http_buf3[] = "bigmessage4u!!";
2731 struct TestSteps steps[] = {
2732 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2733 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2734 { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 1 },
2735 { NULL, 0, 0, 0 },
2736 };
2737 const char *sig = "alert http any any -> any any "
2738 "(msg:\"http file_data test\"; "
2739 "file_data; content:!\"MaSSaGE\"; nocase; "
2740 "sid:1;)";
2741 return RunTest(steps, sig, NULL);
2742}
2743
2744/**
2745 *\test Test that the http_server_body content matches against a http request
2746 * which holds the content. Negated match.
2747 */
2748static int DetectHttpServerBodyFileDataTest07(void)
2749{
2750 uint8_t http_buf1[] = "GET /index.html HTTP/1.0\r\n"
2751 "Host: www.openinfosecfoundation.org\r\n"
2752 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2753 "Gecko/20091221 Firefox/3.5.7\r\n"
2754 "\r\n";
2755 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2756 "Content-Type: text/html\r\n"
2757 "Content-Length: 14\r\n"
2758 "\r\n";
2759 uint8_t http_buf3[] = "bigmessage4u!!";
2760 struct TestSteps steps[] = {
2761 { (const uint8_t *)http_buf1, sizeof(http_buf1) - 1, STREAM_TOSERVER, 0 },
2762 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 0 },
2763 { (const uint8_t *)http_buf3, sizeof(http_buf3) - 1, STREAM_TOCLIENT, 0 },
2764 { NULL, 0, 0, 0 },
2765 };
2766 const char *sig = "alert http any any -> any any "
2767 "(msg:\"http file_data test\"; "
2768 "file_data; content:!\"MeSSaGE\"; nocase; "
2769 "sid:1;)";
2770 return RunTest(steps, sig, NULL);
2771}
2772
2773static int DetectHttpServerBodyFileDataTest08(void)
2774{
2775 uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
2776 "Host: www.openinfosecfoundation.org\r\n"
2777 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) "
2778 "Gecko/20091221 Firefox/3.5.7\r\n"
2779 "\r\n";
2780 uint8_t http_buf2[] = "HTTP/1.0 200 ok\r\n"
2781 "Content-Type: text/html\r\n"
2782 "Content-Length: 55\r\n"
2783 "\r\n"
2784 "longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend";
2785 struct TestSteps steps[] = {
2786 { (const uint8_t *)http_buf, sizeof(http_buf) - 1, STREAM_TOSERVER, 0 },
2787 { (const uint8_t *)http_buf2, sizeof(http_buf2) - 1, STREAM_TOCLIENT, 1 },
2788 { NULL, 0, 0, 0 },
2789 };
2790 const char *sig =
2791 "alert http any any -> any any "
2792 "(msg:\"http server body test\"; "
2793 "file_data; content:\"longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\"; "
2794 "sid:1;)";
2795 return RunTest(steps, sig, NULL);
2796}
2797
2798/** \test multiple http transactions and body chunks of request handling */
2799static int DetectHttpServerBodyFileDataTest09(void)
2800{
2801 int result = 0;
2802 Signature *s = NULL;
2803 DetectEngineThreadCtx *det_ctx = NULL;
2804 ThreadVars th_v;
2805 Flow f;
2806 TcpSession ssn;
2807 Packet *p = NULL;
2808 uint8_t httpbuf1[] = "GET /index1.html HTTP/1.1\r\n"
2809 "User-Agent: Mozilla/1.0\r\n"
2810 "Host: www.openinfosecfoundation.org\r\n"
2811 "Connection: keep-alive\r\n"
2812 "Cookie: dummy1\r\n\r\n";
2813 uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2814 uint8_t httpbuf2[] = "HTTP/1.1 200 ok\r\n"
2815 "Content-Type: text/html\r\n"
2816 "Content-Length: 3\r\n"
2817 "\r\n"
2818 "one";
2819 uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
2820 uint8_t httpbuf3[] = "GET /index2.html HTTP/1.1\r\n"
2821 "User-Agent: Firefox/1.0\r\n"
2822 "Host: www.openinfosecfoundation.org\r\n"
2823 "Connection: keep-alive\r\n"
2824 "Cookie: dummy2\r\n\r\n";
2825 uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
2826 uint8_t httpbuf4[] = "HTTP/1.1 200 ok\r\n"
2827 "Content-Type: text/html\r\n"
2828 "Content-Length: 3\r\n"
2829 "\r\n"
2830 "two";
2831 uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
2832 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2833
2834 memset(&th_v, 0, sizeof(th_v));
2835 memset(&f, 0, sizeof(f));
2836 memset(&ssn, 0, sizeof(ssn));
2837
2838 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2839
2840 FLOW_INITIALIZE(&f);
2841 f.protoctx = (void *)&ssn;
2842 f.proto = IPPROTO_TCP;
2843 f.flags |= FLOW_IPV4;
2844
2845 p->flow = &f;
2846 p->flowflags |= FLOW_PKT_TOCLIENT;
2847 p->flowflags |= FLOW_PKT_ESTABLISHED;
2848 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2849 f.alproto = ALPROTO_HTTP1;
2850
2851 StreamTcpInitConfig(true);
2852
2853 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2854 if (de_ctx == NULL) {
2855 goto end;
2856 }
2857
2858 de_ctx->flags |= DE_QUIET;
2859
2860 s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; file_data; content:\"one\"; sid:1; rev:1;)");
2861 if (s == NULL) {
2862 printf("sig parse failed: ");
2863 goto end;
2864 }
2865 s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; file_data; content:\"two\"; sid:2; rev:1;)");
2866 if (s == NULL) {
2867 printf("sig2 parse failed: ");
2868 goto end;
2869 }
2870
2871 SigGroupBuild(de_ctx);
2872 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2873
2874 int r = AppLayerParserParse(
2875 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
2876 if (r != 0) {
2877 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2878 goto end;
2879 }
2880
2881 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
2882 if (r != 0) {
2883 printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
2884 goto end;
2885 }
2886
2887 /* do detect */
2888 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2889 if (!(PacketAlertCheck(p, 1))) {
2890 printf("sig 1 didn't alert (tx 1): ");
2891 goto end;
2892 }
2893 p->alerts.cnt = 0;
2894
2895 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
2896 if (r != 0) {
2897 printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
2898 goto end;
2899 }
2900
2901 r = AppLayerParserParse(
2902 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, httpbuf4, httplen4);
2903 if (r != 0) {
2904 printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
2905 goto end;
2906 }
2907
2908 /* do detect */
2909 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2910 if ((PacketAlertCheck(p, 1))) {
2911 printf("sig 1 alerted (tx 2): ");
2912 goto end;
2913 }
2914 if (!(PacketAlertCheck(p, 2))) {
2915 printf("sig 2 didn't alert (tx 2): ");
2916 goto end;
2917 }
2918 p->alerts.cnt = 0;
2919
2920 HtpState *htp_state = f.alstate;
2921 if (htp_state == NULL) {
2922 printf("no http state: ");
2923 goto end;
2924 }
2925
2926 if (AppLayerParserGetTxCnt(&f, htp_state) != 2) {
2927 printf("The http app layer doesn't have 2 transactions, but it should: ");
2928 goto end;
2929 }
2930
2931 result = 1;
2932end:
2933 if (alp_tctx != NULL)
2934 AppLayerParserThreadCtxFree(alp_tctx);
2935 if (det_ctx != NULL) {
2936 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2937 }
2938 if (de_ctx != NULL) {
2939 DetectEngineCtxFree(de_ctx);
2940 }
2941
2942 StreamTcpFreeConfig(true);
2943 FLOW_DESTROY(&f);
2944 UTHFreePacket(p);
2945 return result;
2946}
2947
2948static int DetectHttpServerBodyFileDataTest10(void)
2949{
2950 int result = 0;
2951 Signature *s = NULL;
2952 DetectEngineThreadCtx *det_ctx = NULL;
2953 ThreadVars th_v;
2954 Flow f;
2955 TcpSession ssn;
2956 Packet *p = NULL;
2957 uint8_t httpbuf1[] = "GET /index1.html HTTP/1.1\r\n"
2958 "User-Agent: Mozilla/1.0\r\n"
2959 "Host: www.openinfosecfoundation.org\r\n"
2960 "Connection: keep-alive\r\n"
2961 "Cookie: dummy1\r\n\r\n";
2962 uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2963 uint8_t httpbuf2[] = "HTTP/1.1 200 ok\r\n"
2964 "Content-Type: text/html\r\n"
2965 "Content-Length: 3\r\n"
2966 "\r\n"
2967 "one";
2968 uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
2969 uint8_t httpbuf3[] = "GET /index2.html HTTP/1.1\r\n"
2970 "User-Agent: Firefox/1.0\r\n"
2971 "Host: www.openinfosecfoundation.org\r\n"
2972 "Connection: keep-alive\r\n"
2973 "Cookie: dummy2\r\n\r\n";
2974 uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
2975 uint8_t httpbuf4[] = "HTTP/1.1 200 ok\r\n"
2976 "Content-Type: text/html\r\n"
2977 "Content-Length: 3\r\n"
2978 "\r\n"
2979 "two";
2980 uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
2981 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2982
2983 memset(&th_v, 0, sizeof(th_v));
2984 memset(&f, 0, sizeof(f));
2985 memset(&ssn, 0, sizeof(ssn));
2986
2987 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2988
2989 FLOW_INITIALIZE(&f);
2990 f.protoctx = (void *)&ssn;
2991 f.proto = IPPROTO_TCP;
2992 f.flags |= FLOW_IPV4;
2993
2994 p->flow = &f;
2995 p->flowflags |= FLOW_PKT_TOCLIENT;
2996 p->flowflags |= FLOW_PKT_ESTABLISHED;
2997 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2998 f.alproto = ALPROTO_HTTP1;
2999
3000 StreamTcpInitConfig(true);
3001
3002 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3003 if (de_ctx == NULL) {
3004 goto end;
3005 }
3006
3007 de_ctx->flags |= DE_QUIET;
3008
3009 s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; file_data; content:\"one\"; sid:1; rev:1;)");
3010 if (s == NULL) {
3011 printf("sig parse failed: ");
3012 goto end;
3013 }
3014 s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:established,to_client; file_data; content:\"two\"; sid:2; rev:1;)");
3015 if (s == NULL) {
3016 printf("sig2 parse failed: ");
3017 goto end;
3018 }
3019
3020 SigGroupBuild(de_ctx);
3021 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3022
3023 int r = AppLayerParserParse(
3024 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
3025 if (r != 0) {
3026 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3027 goto end;
3028 }
3029
3030 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
3031 if (r != 0) {
3032 printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
3033 goto end;
3034 }
3035
3036 /* do detect */
3037 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3038 if (!(PacketAlertCheck(p, 1))) {
3039 printf("sig 1 didn't alert (tx 1): ");
3040 goto end;
3041 }
3042 p->alerts.cnt = 0;
3043
3044 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
3045 if (r != 0) {
3046 printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
3047 goto end;
3048 }
3049
3050 r = AppLayerParserParse(
3051 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT | STREAM_EOF, httpbuf4, httplen4);
3052 if (r != 0) {
3053 printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
3054 goto end;
3055 }
3056
3057 /* do detect */
3058 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3059 if ((PacketAlertCheck(p, 1))) {
3060 printf("sig 1 alerted (tx 2): ");
3061 goto end;
3062 }
3063 if (!(PacketAlertCheck(p, 2))) {
3064 printf("sig 2 didn't alert (tx 2): ");
3065 goto end;
3066 }
3067 p->alerts.cnt = 0;
3068
3069 HtpState *htp_state = f.alstate;
3070 if (htp_state == NULL) {
3071 printf("no http state: ");
3072 goto end;
3073 }
3074
3075 if (AppLayerParserGetTxCnt(&f, htp_state) != 2) {
3076 printf("The http app layer doesn't have 2 transactions, but it should: ");
3077 goto end;
3078 }
3079
3080 result = 1;
3081end:
3082 if (alp_tctx != NULL)
3083 AppLayerParserThreadCtxFree(alp_tctx);
3084 if (det_ctx != NULL) {
3085 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3086 }
3087 if (de_ctx != NULL) {
3088 DetectEngineCtxFree(de_ctx);
3089 }
3090
3091 StreamTcpFreeConfig(true);
3092 FLOW_DESTROY(&f);
3093 UTHFreePacket(p);
3094 return result;
3095}
3096
3097void DetectHttpServerBodyRegisterTests(void)
3098{
3099 UtRegisterTest("DetectHttpServerBodyParserTest01", DetectHttpServerBodyParserTest01);
3100 UtRegisterTest("DetectHttpServerBodyParserTest02", DetectHttpServerBodyParserTest02);
3101
3102 UtRegisterTest("DetectHttpServerBodyTest06", DetectHttpServerBodyTest06);
3103 UtRegisterTest("DetectHttpServerBodyTest07", DetectHttpServerBodyTest07);
3104 UtRegisterTest("DetectHttpServerBodyTest08", DetectHttpServerBodyTest08);
3105 UtRegisterTest("DetectHttpServerBodyTest09", DetectHttpServerBodyTest09);
3106 UtRegisterTest("DetectHttpServerBodyTest10", DetectHttpServerBodyTest10);
3107 UtRegisterTest("DetectHttpServerBodyTest11", DetectHttpServerBodyTest11);
3108 UtRegisterTest("DetectHttpServerBodyTest12", DetectHttpServerBodyTest12);
3109 UtRegisterTest("DetectHttpServerBodyTest13", DetectHttpServerBodyTest13);
3110 UtRegisterTest("DetectHttpServerBodyTest14", DetectHttpServerBodyTest14);
3111 UtRegisterTest("DetectHttpServerBodyTest15", DetectHttpServerBodyTest15);
3112
3113 UtRegisterTest("DetectHttpServerBodyFileDataTest01",
3114 DetectHttpServerBodyFileDataTest01);
3115 UtRegisterTest("DetectHttpServerBodyFileDataTest02",
3116 DetectHttpServerBodyFileDataTest02);
3117 UtRegisterTest("DetectHttpServerBodyFileDataTest03",
3118 DetectHttpServerBodyFileDataTest03);
3119 UtRegisterTest("DetectHttpServerBodyFileDataTest04",
3120 DetectHttpServerBodyFileDataTest04);
3121 UtRegisterTest("DetectHttpServerBodyFileDataTest05",
3122 DetectHttpServerBodyFileDataTest05);
3123 UtRegisterTest("DetectHttpServerBodyFileDataTest06",
3124 DetectHttpServerBodyFileDataTest06);
3125 UtRegisterTest("DetectHttpServerBodyFileDataTest07",
3126 DetectHttpServerBodyFileDataTest07);
3127 UtRegisterTest("DetectHttpServerBodyFileDataTest08",
3128 DetectHttpServerBodyFileDataTest08);
3129 UtRegisterTest("DetectHttpServerBodyFileDataTest09",
3130 DetectHttpServerBodyFileDataTest09);
3131 UtRegisterTest("DetectHttpServerBodyFileDataTest10",
3132 DetectHttpServerBodyFileDataTest10);
3133
3134 UtRegisterTest("DetectEngineHttpServerBodyTest01",
3135 DetectEngineHttpServerBodyTest01);
3136 UtRegisterTest("DetectEngineHttpServerBodyTest02",
3137 DetectEngineHttpServerBodyTest02);
3138 UtRegisterTest("DetectEngineHttpServerBodyTest03",
3139 DetectEngineHttpServerBodyTest03);
3140 UtRegisterTest("DetectEngineHttpServerBodyTest04",
3141 DetectEngineHttpServerBodyTest04);
3142 UtRegisterTest("DetectEngineHttpServerBodyTest05",
3143 DetectEngineHttpServerBodyTest05);
3144 UtRegisterTest("DetectEngineHttpServerBodyTest06",
3145 DetectEngineHttpServerBodyTest06);
3146 UtRegisterTest("DetectEngineHttpServerBodyTest07",
3147 DetectEngineHttpServerBodyTest07);
3148 UtRegisterTest("DetectEngineHttpServerBodyTest08",
3149 DetectEngineHttpServerBodyTest08);
3150 UtRegisterTest("DetectEngineHttpServerBodyTest09",
3151 DetectEngineHttpServerBodyTest09);
3152 UtRegisterTest("DetectEngineHttpServerBodyTest10",
3153 DetectEngineHttpServerBodyTest10);
3154 UtRegisterTest("DetectEngineHttpServerBodyTest11",
3155 DetectEngineHttpServerBodyTest11);
3156 UtRegisterTest("DetectEngineHttpServerBodyTest12",
3157 DetectEngineHttpServerBodyTest12);
3158 UtRegisterTest("DetectEngineHttpServerBodyTest13",
3159 DetectEngineHttpServerBodyTest13);
3160 UtRegisterTest("DetectEngineHttpServerBodyTest14",
3161 DetectEngineHttpServerBodyTest14);
3162 UtRegisterTest("DetectEngineHttpServerBodyTest15",
3163 DetectEngineHttpServerBodyTest15);
3164 UtRegisterTest("DetectEngineHttpServerBodyTest16",
3165 DetectEngineHttpServerBodyTest16);
3166 UtRegisterTest("DetectEngineHttpServerBodyTest17",
3167 DetectEngineHttpServerBodyTest17);
3168 UtRegisterTest("DetectEngineHttpServerBodyTest18",
3169 DetectEngineHttpServerBodyTest18);
3170 UtRegisterTest("DetectEngineHttpServerBodyTest19",
3171 DetectEngineHttpServerBodyTest19);
3172 UtRegisterTest("DetectEngineHttpServerBodyTest20",
3173 DetectEngineHttpServerBodyTest20);
3174 UtRegisterTest("DetectEngineHttpServerBodyTest21",
3175 DetectEngineHttpServerBodyTest21);
3176 UtRegisterTest("DetectEngineHttpServerBodyTest22",
3177 DetectEngineHttpServerBodyTest22);
3178
3179 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest01",
3180 DetectEngineHttpServerBodyFileDataTest01);
3181 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest02",
3182 DetectEngineHttpServerBodyFileDataTest02);
3183 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest03",
3184 DetectEngineHttpServerBodyFileDataTest03);
3185 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest04",
3186 DetectEngineHttpServerBodyFileDataTest04);
3187 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest05",
3188 DetectEngineHttpServerBodyFileDataTest05);
3189 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest06",
3190 DetectEngineHttpServerBodyFileDataTest06);
3191 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest07",
3192 DetectEngineHttpServerBodyFileDataTest07);
3193 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest08",
3194 DetectEngineHttpServerBodyFileDataTest08);
3195 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest09",
3196 DetectEngineHttpServerBodyFileDataTest09);
3197 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest10",
3198 DetectEngineHttpServerBodyFileDataTest10);
3199 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest11",
3200 DetectEngineHttpServerBodyFileDataTest11);
3201 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest12",
3202 DetectEngineHttpServerBodyFileDataTest12);
3203 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest13",
3204 DetectEngineHttpServerBodyFileDataTest13);
3205 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest14",
3206 DetectEngineHttpServerBodyFileDataTest14);
3207 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest15",
3208 DetectEngineHttpServerBodyFileDataTest15);
3209 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest16",
3210 DetectEngineHttpServerBodyFileDataTest16);
3211 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest17",
3212 DetectEngineHttpServerBodyFileDataTest17);
3213 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest18",
3214 DetectEngineHttpServerBodyFileDataTest18);
3215
3216 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest19",
3217 DetectEngineHttpServerBodyFileDataTest19);
3218 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest20",
3219 DetectEngineHttpServerBodyFileDataTest20);
3220 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest21",
3221 DetectEngineHttpServerBodyFileDataTest21);
3222 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest22",
3223 DetectEngineHttpServerBodyFileDataTest22);
3224 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest23",
3225 DetectEngineHttpServerBodyFileDataTest23);
3226 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest24",
3227 DetectEngineHttpServerBodyFileDataTest24);
3228 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest25",
3229 DetectEngineHttpServerBodyFileDataTest25);
3230 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest26",
3231 DetectEngineHttpServerBodyFileDataTest26);
3232 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest27",
3233 DetectEngineHttpServerBodyFileDataTest27);
3234 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest28",
3235 DetectEngineHttpServerBodyFileDataTest28);
3236 UtRegisterTest("DetectEngineHttpServerBodyFileDataTest29",
3237 DetectEngineHttpServerBodyFileDataTest29);
3238}
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition app-layer-parser.c:297
AppLayerParserGetTxCnt
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
Definition app-layer-parser.c:1102
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition app-layer-parser.c:324
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition app-layer-parser.c:1291
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition app-layer-protos.h:36
SCConfYamlLoadString
int SCConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
Definition conf-yaml-loader.c:523
SCConfInit
void SCConfInit(void)
Initialize the configuration system.
Definition conf.c:120
SCConfCreateContextBackup
void SCConfCreateContextBackup(void)
Creates a backup of the conf_hash hash_table used by the conf API.
Definition conf.c:684
SCConfRestoreContextBackup
void SCConfRestoreContextBackup(void)
Restores the backup of the hash_table present in backup_conf_hash back to conf_hash.
Definition conf.c:694
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition decode.h:1266
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition decode.h:1262
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition detect-engine-alert.c:142
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition detect-engine-build.c:2204
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition detect-engine.c:2602
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition detect-engine.c:2641
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition detect-parse.c:3437
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition detect-engine.c:3372
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition detect-engine.c:3608
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition detect.c:2420
DE_QUIET
#define DE_QUIET
Definition detect.h:330
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition flow-util.h:38
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition flow-util.h:119
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition flow.h:233
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition flow.h:235
FLOW_IPV4
#define FLOW_IPV4
Definition flow.h:100
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition flow.h:234
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition fuzz_applayerparserparse.c:23
de_ctx
DetectEngineCtx * de_ctx
Definition fuzz_siginit.c:18
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition util-unittest.h:89
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition util-unittest.c:103
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition util-unittest.h:82
PASS
#define PASS
Pass the test.
Definition util-unittest.h:105
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition util-unittest.h:71
HtpConfigRestoreBackup
void HtpConfigRestoreBackup(void)
Definition app-layer-htp.c:2692
HtpConfigCreateBackup
void HtpConfigCreateBackup(void)
Definition app-layer-htp.c:2687
HTPConfigure
void HTPConfigure(void)
Definition app-layer-htp.c:2351
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition stream-tcp.c:859
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition stream-tcp.c:488
AppLayerParserThreadCtx_
Definition app-layer-parser.c:60
DetectEngineCtx_
main detection engine ctx
Definition detect.h:932
DetectEngineCtx_::flags
uint8_t flags
Definition detect.h:934
DetectEngineThreadCtx_
Definition detect.h:1244
Flow_
Flow data structure.
Definition flow.h:356
Flow_::proto
uint8_t proto
Definition flow.h:378
Flow_::flags
uint32_t flags
Definition flow.h:421
Flow_::alproto
AppProto alproto
application level protocol
Definition flow.h:450
Flow_::alstate
void * alstate
Definition flow.h:479
Flow_::protoctx
void * protoctx
Definition flow.h:441
HtpState_
Definition app-layer-htp.h:181
PacketAlerts_::cnt
uint16_t cnt
Definition decode.h:287
Packet_
Definition decode.h:501
Packet_::flowflags
uint8_t flowflags
Definition decode.h:532
Packet_::alerts
PacketAlerts alerts
Definition decode.h:620
Packet_::flow
struct Flow_ * flow
Definition decode.h:546
Packet_::flags
uint32_t flags
Definition decode.h:544
Signature_
Signature container.
Definition detect.h:668
TcpSession_
Definition stream-tcp-private.h:283
TestSteps::input
const uint8_t * input
Definition detect-http-client-body.c:108
ThreadVars_
Per thread variable structure.
Definition threadvars.h:58
EngineModeSetIDS
void EngineModeSetIDS(void)
Definition suricata.c:264
EngineModeSetIPS
void EngineModeSetIPS(void)
Definition suricata.c:259
DetectHttpServerBodyRegisterTests
void DetectHttpServerBodyRegisterTests(void)
Definition detect-http-server-body.c:3097
SCLogDebug
#define SCLogDebug(...)
Definition util-debug.h:275
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition util-unittest-helper.c:456
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition util-unittest-helper.c:365
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition util-unittest-helper.c:473
UTHParseSignature
int UTHParseSignature(const char *str, bool expect)
parser a sig and see if the expected result is correct
Definition util-unittest-helper.c:898