suricata
detect-http-stat-msg.c
Go to the documentation of this file.
1/* Copyright (C) 2007-2016 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \ingroup httplayer
20 *
21 * @{
22 */
23
24/**
25 * \file
26 *
27 * \author Anoop Saldanha <anoopsaldanha@gmail.com>
28 * \author Victor Julien <victor@inliniac.net>
29 */
30
31#include "../suricata-common.h"
32#include "../suricata.h"
33#include "../flow-util.h"
34#include "../flow.h"
35#include "../app-layer-parser.h"
36#include "../util-unittest.h"
37#include "../util-unittest-helper.h"
38#include "../app-layer.h"
39#include "../app-layer-htp.h"
40#include "../app-layer-protos.h"
41#include "../detect-engine-build.h"
42#include "../detect-engine-alert.h"
43
44static int DetectEngineHttpStatMsgTest01(void)
45 {
46 TcpSession ssn;
47 Packet *p1 = NULL;
48 Packet *p2 = NULL;
49 ThreadVars th_v;
50 DetectEngineCtx *de_ctx = NULL;
51 DetectEngineThreadCtx *det_ctx = NULL;
52 HtpState *http_state = NULL;
53 Flow f;
54 uint8_t http_buf1[] =
55 "GET /index.html HTTP/1.0\r\n"
56 "Host: www.openinfosecfoundation.org\r\n"
57 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
58 "\r\n";
59 uint32_t http_len1 = sizeof(http_buf1) - 1;
60 uint8_t http_buf2[] =
61 "HTTP/1.0 200 message\r\n"
62 "Content-Type: text/html\r\n"
63 "Content-Length: 7\r\n"
64 "\r\n"
65 "message";
66 uint32_t http_len2 = sizeof(http_buf2) - 1;
67 int result = 0;
68 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
69
70 memset(&th_v, 0, sizeof(th_v));
71 memset(&f, 0, sizeof(f));
72 memset(&ssn, 0, sizeof(ssn));
73
74 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
75 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
76
77 FLOW_INITIALIZE(&f);
78 f.protoctx = (void *)&ssn;
79 f.proto = IPPROTO_TCP;
80 f.flags |= FLOW_IPV4;
81
82 p1->flow = &f;
83 p1->flowflags |= FLOW_PKT_TOSERVER;
84 p1->flowflags |= FLOW_PKT_ESTABLISHED;
85 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
86 p2->flow = &f;
87 p2->flowflags |= FLOW_PKT_TOCLIENT;
88 p2->flowflags |= FLOW_PKT_ESTABLISHED;
89 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
90 f.alproto = ALPROTO_HTTP1;
91
92 StreamTcpInitConfig(true);
93
94 de_ctx = DetectEngineCtxInit();
95 if (de_ctx == NULL)
96 goto end;
97
98 de_ctx->flags |= DE_QUIET;
99
100 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
101 "(msg:\"http stat msg test\"; "
102 "content:\"message\"; http_stat_msg; "
103 "sid:1;)");
104 if (de_ctx->sig_list == NULL)
105 goto end;
106
107 SigGroupBuild(de_ctx);
108 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
109
110 int r = AppLayerParserParse(
111 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
112 if (r != 0) {
113 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
114 result = 0;
115 goto end;
116 }
117
118 http_state = f.alstate;
119 if (http_state == NULL) {
120 printf("no http state: \n");
121 result = 0;
122 goto end;
123 }
124
125 /* do detect */
126 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
127
128 if ((PacketAlertCheck(p1, 1))) {
129 printf("sid 1 matched but shouldn't have\n");
130 goto end;
131 }
132
133 r = AppLayerParserParse(
134 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
135 if (r != 0) {
136 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
137 result = 0;
138 goto end;
139 }
140
141 /* do detect */
142 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
143
144 if (!(PacketAlertCheck(p2, 1))) {
145 printf("sid 1 didn't match but should have");
146 goto end;
147 }
148
149 result = 1;
150
151end:
152 if (alp_tctx != NULL)
153 AppLayerParserThreadCtxFree(alp_tctx);
154 if (de_ctx != NULL)
155 DetectEngineCtxFree(de_ctx);
156
157 StreamTcpFreeConfig(true);
158 FLOW_DESTROY(&f);
159 UTHFreePackets(&p1, 1);
160 UTHFreePackets(&p2, 1);
161 return result;
162}
163
164static int DetectEngineHttpStatMsgTest02(void)
165{
166 TcpSession ssn;
167 Packet *p1 = NULL;
168 ThreadVars th_v;
169 DetectEngineCtx *de_ctx = NULL;
170 DetectEngineThreadCtx *det_ctx = NULL;
171 HtpState *http_state = NULL;
172 Flow f;
173 uint8_t http_buf1[] =
174 "GET /index.html HTTP/1.0\r\n"
175 "Host: www.openinfosecfoundation.org\r\n"
176 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
177 "\r\n";
178 uint32_t http_len1 = sizeof(http_buf1) - 1;
179 uint8_t http_buf2[] =
180 "HTTP/1.0 200 xxxxABC\r\n"
181 "Content-Type: text/html\r\n"
182 "Content-Length: 7\r\n"
183 "\r\n"
184 "xxxxABC";
185 uint32_t http_len2 = sizeof(http_buf2) - 1;
186 int result = 0;
187 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
188
189 memset(&th_v, 0, sizeof(th_v));
190 memset(&f, 0, sizeof(f));
191 memset(&ssn, 0, sizeof(ssn));
192
193 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
194
195 FLOW_INITIALIZE(&f);
196 f.protoctx = (void *)&ssn;
197 f.proto = IPPROTO_TCP;
198 f.flags |= FLOW_IPV4;
199
200 p1->flow = &f;
201 p1->flowflags |= FLOW_PKT_TOCLIENT;
202 p1->flowflags |= FLOW_PKT_ESTABLISHED;
203 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
204 f.alproto = ALPROTO_HTTP1;
205
206 StreamTcpInitConfig(true);
207
208 de_ctx = DetectEngineCtxInit();
209 if (de_ctx == NULL)
210 goto end;
211
212 de_ctx->flags |= DE_QUIET;
213
214 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
215 "(msg:\"http stat msg test\"; "
216 "content:\"ABC\"; http_stat_msg; offset:4; "
217 "sid:1;)");
218 if (de_ctx->sig_list == NULL)
219 goto end;
220
221 SigGroupBuild(de_ctx);
222 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
223
224 int r = AppLayerParserParse(
225 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
226 if (r != 0) {
227 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
228 result = 0;
229 goto end;
230 }
231
232 r = AppLayerParserParse(
233 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
234 if (r != 0) {
235 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
236 result = 0;
237 goto end;
238 }
239
240 http_state = f.alstate;
241 if (http_state == NULL) {
242 printf("no http state: \n");
243 result = 0;
244 goto end;
245 }
246
247 /* do detect */
248 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
249
250 if (!(PacketAlertCheck(p1, 1))) {
251 printf("sid 1 didn't match but should have\n");
252 goto end;
253 }
254
255 result = 1;
256
257end:
258 if (alp_tctx != NULL)
259 AppLayerParserThreadCtxFree(alp_tctx);
260 if (de_ctx != NULL)
261 DetectEngineCtxFree(de_ctx);
262
263 StreamTcpFreeConfig(true);
264 FLOW_DESTROY(&f);
265 UTHFreePackets(&p1, 1);
266 return result;
267}
268
269static int DetectEngineHttpStatMsgTest03(void)
270{
271 TcpSession ssn;
272 Packet *p1 = NULL;
273 Packet *p2 = NULL;
274 ThreadVars th_v;
275 DetectEngineCtx *de_ctx = NULL;
276 DetectEngineThreadCtx *det_ctx = NULL;
277 HtpState *http_state = NULL;
278 Flow f;
279 int result = 0;
280 uint8_t http_buf1[] =
281 "GET /index.html HTTP/1.0\r\n"
282 "Host: www.openinfosecfoundation.org\r\n"
283 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
284 "\r\n";
285 uint32_t http_len1 = sizeof(http_buf1) - 1;
286 uint8_t http_buf2[] =
287 "HTTP/1.0 200 1234567";
288 uint32_t http_len2 = sizeof(http_buf2) - 1;
289 uint8_t http_buf3[] =
290 "8901234ABC\r\n"
291 "Content-Type: text/html\r\n"
292 "Content-Length: 17\r\n"
293 "\r\n"
294 "12345678901234ABC";
295 uint32_t http_len3 = sizeof(http_buf3) - 1;
296 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
297
298 memset(&th_v, 0, sizeof(th_v));
299 memset(&f, 0, sizeof(f));
300 memset(&ssn, 0, sizeof(ssn));
301
302 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
303 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
304
305 FLOW_INITIALIZE(&f);
306 f.protoctx = (void *)&ssn;
307 f.proto = IPPROTO_TCP;
308 f.flags |= FLOW_IPV4;
309
310 p1->flow = &f;
311 p1->flowflags |= FLOW_PKT_TOSERVER;
312 p1->flowflags |= FLOW_PKT_ESTABLISHED;
313 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
314 p2->flow = &f;
315 p2->flowflags |= FLOW_PKT_TOCLIENT;
316 p2->flowflags |= FLOW_PKT_ESTABLISHED;
317 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
318 f.alproto = ALPROTO_HTTP1;
319
320 StreamTcpInitConfig(true);
321
322 de_ctx = DetectEngineCtxInit();
323 if (de_ctx == NULL)
324 goto end;
325
326 de_ctx->flags |= DE_QUIET;
327
328 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
329 "(msg:\"http stat msg test\"; "
330 "content:\"ABC\"; http_stat_msg; offset:14; "
331 "sid:1;)");
332 if (de_ctx->sig_list == NULL)
333 goto end;
334
335 SigGroupBuild(de_ctx);
336 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
337
338 int r = AppLayerParserParse(
339 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
340 if (r != 0) {
341 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
342 result = 0;
343 goto end;
344 }
345
346 http_state = f.alstate;
347 if (http_state == NULL) {
348 printf("no http state: \n");
349 result = 0;
350 goto end;
351 }
352
353 /* do detect */
354 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
355
356 if (PacketAlertCheck(p1, 1)) {
357 printf("sid 1 matched but shouldn't have\n");
358 goto end;
359 }
360
361 r = AppLayerParserParse(
362 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
363 if (r != 0) {
364 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
365 result = 0;
366 goto end;
367 }
368
369 r = AppLayerParserParse(
370 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf3, http_len3);
371 if (r != 0) {
372 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
373 result = 0;
374 goto end;
375 }
376
377 /* do detect */
378 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
379
380 if (!(PacketAlertCheck(p2, 1))) {
381 printf("sid 1 didn't match but should have");
382 goto end;
383 }
384
385 result = 1;
386
387end:
388 if (alp_tctx != NULL)
389 AppLayerParserThreadCtxFree(alp_tctx);
390 if (de_ctx != NULL)
391 DetectEngineCtxFree(de_ctx);
392
393 StreamTcpFreeConfig(true);
394 FLOW_DESTROY(&f);
395 UTHFreePackets(&p1, 1);
396 UTHFreePackets(&p2, 1);
397 return result;
398}
399
400static int DetectEngineHttpStatMsgTest04(void)
401{
402 TcpSession ssn;
403 Packet *p1 = NULL;
404 Packet *p2 = NULL;
405 ThreadVars th_v;
406 DetectEngineCtx *de_ctx = NULL;
407 DetectEngineThreadCtx *det_ctx = NULL;
408 HtpState *http_state = NULL;
409 Flow f;
410 uint8_t http_buf1[] =
411 "GET /index.html HTTP/1.0\r\n"
412 "Host: www.openinfosecfoundation.org\r\n"
413 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
414 "\r\n";
415 uint32_t http_len1 = sizeof(http_buf1) - 1;
416 uint8_t http_buf2[] =
417 "HTTP/1.0 200 abcdef\r\n"
418 "Content-Type: text/html\r\n"
419 "Content-Length: 6\r\n"
420 "\r\n"
421 "abcdef";
422 uint32_t http_len2 = sizeof(http_buf2) - 1;
423 int result = 0;
424 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
425
426 memset(&th_v, 0, sizeof(th_v));
427 memset(&f, 0, sizeof(f));
428 memset(&ssn, 0, sizeof(ssn));
429
430 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
431 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
432
433 FLOW_INITIALIZE(&f);
434 f.protoctx = (void *)&ssn;
435 f.proto = IPPROTO_TCP;
436 f.flags |= FLOW_IPV4;
437
438 p1->flow = &f;
439 p1->flowflags |= FLOW_PKT_TOSERVER;
440 p1->flowflags |= FLOW_PKT_ESTABLISHED;
441 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
442 p2->flow = &f;
443 p2->flowflags |= FLOW_PKT_TOCLIENT;
444 p2->flowflags |= FLOW_PKT_ESTABLISHED;
445 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
446 f.alproto = ALPROTO_HTTP1;
447
448 StreamTcpInitConfig(true);
449
450 de_ctx = DetectEngineCtxInit();
451 if (de_ctx == NULL)
452 goto end;
453
454 de_ctx->flags |= DE_QUIET;
455
456 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
457 "(msg:\"http stat msg test\"; "
458 "content:!\"abc\"; http_stat_msg; offset:3; "
459 "sid:1;)");
460 if (de_ctx->sig_list == NULL)
461 goto end;
462
463 SigGroupBuild(de_ctx);
464 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
465
466 int r = AppLayerParserParse(
467 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
468 if (r != 0) {
469 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
470 result = 0;
471 goto end;
472 }
473
474 http_state = f.alstate;
475 if (http_state == NULL) {
476 printf("no http state: \n");
477 result = 0;
478 goto end;
479 }
480
481 /* do detect */
482 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
483
484 if (PacketAlertCheck(p1, 1)) {
485 printf("sid 1 matched but shouldn't have: ");
486 goto end;
487 }
488
489 r = AppLayerParserParse(
490 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
491 if (r != 0) {
492 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
493 result = 0;
494 goto end;
495 }
496
497 /* do detect */
498 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
499
500 if (!PacketAlertCheck(p2, 1)) {
501 printf("sid 1 didn't match but should have: ");
502 goto end;
503 }
504
505 result = 1;
506
507end:
508 if (alp_tctx != NULL)
509 AppLayerParserThreadCtxFree(alp_tctx);
510 if (de_ctx != NULL)
511 DetectEngineCtxFree(de_ctx);
512
513 StreamTcpFreeConfig(true);
514 FLOW_DESTROY(&f);
515 UTHFreePackets(&p1, 1);
516 UTHFreePackets(&p2, 1);
517 return result;
518}
519
520static int DetectEngineHttpStatMsgTest05(void)
521{
522 TcpSession ssn;
523 Packet *p1 = NULL;
524 Packet *p2 = NULL;
525 ThreadVars th_v;
526 DetectEngineCtx *de_ctx = NULL;
527 DetectEngineThreadCtx *det_ctx = NULL;
528 HtpState *http_state = NULL;
529 Flow f;
530 uint8_t http_buf1[] =
531 "GET /index.html HTTP/1.0\r\n"
532 "Host: www.openinfosecfoundation.org\r\n"
533 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
534 "\r\n";
535 uint32_t http_len1 = sizeof(http_buf1) - 1;
536 uint8_t http_buf2[] =
537 "HTTP/1.0 200 abcdef\r\n"
538 "Content-Type: text/html\r\n"
539 "Content-Length: 6\r\n"
540 "\r\n"
541 "abcdef";
542 uint32_t http_len2 = sizeof(http_buf2) - 1;
543 int result = 0;
544 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
545
546 memset(&th_v, 0, sizeof(th_v));
547 memset(&f, 0, sizeof(f));
548 memset(&ssn, 0, sizeof(ssn));
549
550 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
551 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
552
553 FLOW_INITIALIZE(&f);
554 f.protoctx = (void *)&ssn;
555 f.proto = IPPROTO_TCP;
556 f.flags |= FLOW_IPV4;
557
558 p1->flow = &f;
559 p1->flowflags |= FLOW_PKT_TOSERVER;
560 p1->flowflags |= FLOW_PKT_ESTABLISHED;
561 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
562 p2->flow = &f;
563 p2->flowflags |= FLOW_PKT_TOCLIENT;
564 p2->flowflags |= FLOW_PKT_ESTABLISHED;
565 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
566 f.alproto = ALPROTO_HTTP1;
567
568 StreamTcpInitConfig(true);
569
570 de_ctx = DetectEngineCtxInit();
571 if (de_ctx == NULL)
572 goto end;
573
574 de_ctx->flags |= DE_QUIET;
575
576 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
577 "(msg:\"http stat msg test\"; "
578 "content:\"abc\"; http_stat_msg; depth:3; "
579 "sid:1;)");
580 if (de_ctx->sig_list == NULL)
581 goto end;
582
583 SigGroupBuild(de_ctx);
584 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
585
586 int r = AppLayerParserParse(
587 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
588 if (r != 0) {
589 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
590 result = 0;
591 goto end;
592 }
593
594 http_state = f.alstate;
595 if (http_state == NULL) {
596 printf("no http state: \n");
597 result = 0;
598 goto end;
599 }
600
601 /* do detect */
602 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
603
604 if (PacketAlertCheck(p1, 1)) {
605 printf("sid 1 matched but shouldn't have: ");
606 goto end;
607 }
608
609 r = AppLayerParserParse(
610 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
611 if (r != 0) {
612 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
613 result = 0;
614 goto end;
615 }
616
617 /* do detect */
618 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
619
620 if (!PacketAlertCheck(p2, 1)) {
621 printf("sid 1 didn't match but should have: ");
622 goto end;
623 }
624
625 result = 1;
626
627end:
628 if (alp_tctx != NULL)
629 AppLayerParserThreadCtxFree(alp_tctx);
630 if (de_ctx != NULL)
631 DetectEngineCtxFree(de_ctx);
632
633 StreamTcpFreeConfig(true);
634 FLOW_DESTROY(&f);
635 UTHFreePackets(&p1, 1);
636 UTHFreePackets(&p2, 1);
637 return result;
638}
639
640static int DetectEngineHttpStatMsgTest06(void)
641{
642 TcpSession ssn;
643 Packet *p1 = NULL;
644 Packet *p2 = NULL;
645 ThreadVars th_v;
646 DetectEngineCtx *de_ctx = NULL;
647 DetectEngineThreadCtx *det_ctx = NULL;
648 HtpState *http_state = NULL;
649 Flow f;
650 uint8_t http_buf1[] =
651 "GET /index.html HTTP/1.0\r\n"
652 "Host: www.openinfosecfoundation.org\r\n"
653 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
654 "\r\n";
655 uint32_t http_len1 = sizeof(http_buf1) - 1;
656 uint8_t http_buf2[] =
657 "HTTP/1.0 200 abcdef\r\n"
658 "Content-Type: text/html\r\n"
659 "Content-Length: 6\r\n"
660 "\r\n"
661 "abcdef";
662 uint32_t http_len2 = sizeof(http_buf2) - 1;
663 int result = 0;
664 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
665
666 memset(&th_v, 0, sizeof(th_v));
667 memset(&f, 0, sizeof(f));
668 memset(&ssn, 0, sizeof(ssn));
669
670 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
671 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
672
673 FLOW_INITIALIZE(&f);
674 f.protoctx = (void *)&ssn;
675 f.proto = IPPROTO_TCP;
676 f.flags |= FLOW_IPV4;
677
678 p1->flow = &f;
679 p1->flowflags |= FLOW_PKT_TOSERVER;
680 p1->flowflags |= FLOW_PKT_ESTABLISHED;
681 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
682 p2->flow = &f;
683 p2->flowflags |= FLOW_PKT_TOCLIENT;
684 p2->flowflags |= FLOW_PKT_ESTABLISHED;
685 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
686 f.alproto = ALPROTO_HTTP1;
687
688 StreamTcpInitConfig(true);
689
690 de_ctx = DetectEngineCtxInit();
691 if (de_ctx == NULL)
692 goto end;
693
694 de_ctx->flags |= DE_QUIET;
695
696 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
697 "(msg:\"http stat msg test\"; "
698 "content:!\"def\"; http_stat_msg; depth:3; "
699 "sid:1;)");
700 if (de_ctx->sig_list == NULL)
701 goto end;
702
703 SigGroupBuild(de_ctx);
704 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
705
706 int r = AppLayerParserParse(
707 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
708 if (r != 0) {
709 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
710 result = 0;
711 goto end;
712 }
713
714 http_state = f.alstate;
715 if (http_state == NULL) {
716 printf("no http state: \n");
717 result = 0;
718 goto end;
719 }
720
721 /* do detect */
722 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
723
724 if (PacketAlertCheck(p1, 1)) {
725 printf("sid 1 matched but shouldn't have: ");
726 goto end;
727 }
728
729 r = AppLayerParserParse(
730 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
731 if (r != 0) {
732 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
733 result = 0;
734 goto end;
735 }
736
737 /* do detect */
738 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
739
740 if (!PacketAlertCheck(p2, 1)) {
741 printf("sid 1 didn't match but should have: ");
742 goto end;
743 }
744
745 result = 1;
746
747end:
748 if (alp_tctx != NULL)
749 AppLayerParserThreadCtxFree(alp_tctx);
750 if (de_ctx != NULL)
751 DetectEngineCtxFree(de_ctx);
752
753 StreamTcpFreeConfig(true);
754 FLOW_DESTROY(&f);
755 UTHFreePackets(&p1, 1);
756 UTHFreePackets(&p2, 1);
757 return result;
758}
759
760static int DetectEngineHttpStatMsgTest07(void)
761{
762 TcpSession ssn;
763 Packet *p1 = NULL;
764 Packet *p2 = NULL;
765 ThreadVars th_v;
766 DetectEngineCtx *de_ctx = NULL;
767 DetectEngineThreadCtx *det_ctx = NULL;
768 HtpState *http_state = NULL;
769 Flow f;
770 uint8_t http_buf1[] =
771 "GET /index.html HTTP/1.0\r\n"
772 "Host: www.openinfosecfoundation.org\r\n"
773 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
774 "\r\n";
775 uint32_t http_len1 = sizeof(http_buf1) - 1;
776 uint8_t http_buf2[] =
777 "HTTP/1.0 200 abcdef\r\n"
778 "Content-Type: text/html\r\n"
779 "Content-Length: 6\r\n"
780 "\r\n"
781 "abcdef";
782 uint32_t http_len2 = sizeof(http_buf2) - 1;
783 int result = 0;
784 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
785
786 memset(&th_v, 0, sizeof(th_v));
787 memset(&f, 0, sizeof(f));
788 memset(&ssn, 0, sizeof(ssn));
789
790 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
791 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
792
793 FLOW_INITIALIZE(&f);
794 f.protoctx = (void *)&ssn;
795 f.proto = IPPROTO_TCP;
796 f.flags |= FLOW_IPV4;
797
798 p1->flow = &f;
799 p1->flowflags |= FLOW_PKT_TOSERVER;
800 p1->flowflags |= FLOW_PKT_ESTABLISHED;
801 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
802 p2->flow = &f;
803 p2->flowflags |= FLOW_PKT_TOCLIENT;
804 p2->flowflags |= FLOW_PKT_ESTABLISHED;
805 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
806 f.alproto = ALPROTO_HTTP1;
807
808 StreamTcpInitConfig(true);
809
810 de_ctx = DetectEngineCtxInit();
811 if (de_ctx == NULL)
812 goto end;
813
814 de_ctx->flags |= DE_QUIET;
815
816 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
817 "(msg:\"http stat msg test\"; "
818 "content:!\"def\"; http_stat_msg; offset:3; "
819 "sid:1;)");
820 if (de_ctx->sig_list == NULL)
821 goto end;
822
823 SigGroupBuild(de_ctx);
824 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
825
826 int r = AppLayerParserParse(
827 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
828 if (r != 0) {
829 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
830 result = 0;
831 goto end;
832 }
833
834 http_state = f.alstate;
835 if (http_state == NULL) {
836 printf("no http state: \n");
837 result = 0;
838 goto end;
839 }
840
841 /* do detect */
842 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
843
844 if (PacketAlertCheck(p1, 1)) {
845 printf("sid 1 matched but shouldn't have: ");
846 goto end;
847 }
848
849 r = AppLayerParserParse(
850 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
851 if (r != 0) {
852 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
853 result = 0;
854 goto end;
855 }
856
857 /* do detect */
858 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
859
860 if (PacketAlertCheck(p2, 1)) {
861 printf("sid 1 matched but shouldn't have: ");
862 goto end;
863 }
864
865 result = 1;
866
867end:
868 if (alp_tctx != NULL)
869 AppLayerParserThreadCtxFree(alp_tctx);
870 if (de_ctx != NULL)
871 DetectEngineCtxFree(de_ctx);
872
873 StreamTcpFreeConfig(true);
874 FLOW_DESTROY(&f);
875 UTHFreePackets(&p1, 1);
876 UTHFreePackets(&p2, 1);
877 return result;
878}
879
880static int DetectEngineHttpStatMsgTest08(void)
881{
882 TcpSession ssn;
883 Packet *p1 = NULL;
884 Packet *p2 = NULL;
885 ThreadVars th_v;
886 DetectEngineCtx *de_ctx = NULL;
887 DetectEngineThreadCtx *det_ctx = NULL;
888 HtpState *http_state = NULL;
889 Flow f;
890 uint8_t http_buf1[] =
891 "GET /index.html HTTP/1.0\r\n"
892 "Host: www.openinfosecfoundation.org\r\n"
893 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
894 "\r\n";
895 uint32_t http_len1 = sizeof(http_buf1) - 1;
896 uint8_t http_buf2[] =
897 "HTTP/1.0 200 abcdef\r\n"
898 "Content-Type: text/html\r\n"
899 "Content-Length: 6\r\n"
900 "\r\n"
901 "abcdef";
902 uint32_t http_len2 = sizeof(http_buf2) - 1;
903 int result = 0;
904 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
905
906 memset(&th_v, 0, sizeof(th_v));
907 memset(&f, 0, sizeof(f));
908 memset(&ssn, 0, sizeof(ssn));
909
910 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
911 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
912
913 FLOW_INITIALIZE(&f);
914 f.protoctx = (void *)&ssn;
915 f.proto = IPPROTO_TCP;
916 f.flags |= FLOW_IPV4;
917
918 p1->flow = &f;
919 p1->flowflags |= FLOW_PKT_TOSERVER;
920 p1->flowflags |= FLOW_PKT_ESTABLISHED;
921 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
922 p2->flow = &f;
923 p2->flowflags |= FLOW_PKT_TOCLIENT;
924 p2->flowflags |= FLOW_PKT_ESTABLISHED;
925 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
926 f.alproto = ALPROTO_HTTP1;
927
928 StreamTcpInitConfig(true);
929
930 de_ctx = DetectEngineCtxInit();
931 if (de_ctx == NULL)
932 goto end;
933
934 de_ctx->flags |= DE_QUIET;
935
936 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
937 "(msg:\"http stat msg test\"; "
938 "content:!\"abc\"; http_stat_msg; depth:3; "
939 "sid:1;)");
940 if (de_ctx->sig_list == NULL)
941 goto end;
942
943 SigGroupBuild(de_ctx);
944 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
945
946 int r = AppLayerParserParse(
947 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
948 if (r != 0) {
949 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
950 result = 0;
951 goto end;
952 }
953
954 http_state = f.alstate;
955 if (http_state == NULL) {
956 printf("no http state: \n");
957 result = 0;
958 goto end;
959 }
960
961 /* do detect */
962 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
963
964 if (PacketAlertCheck(p1, 1)) {
965 printf("sid 1 matched but shouldn't have: ");
966 goto end;
967 }
968
969 r = AppLayerParserParse(
970 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
971 if (r != 0) {
972 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
973 result = 0;
974 goto end;
975 }
976
977 /* do detect */
978 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
979
980 if (PacketAlertCheck(p2, 1)) {
981 printf("sid 1 matched but shouldn't have: ");
982 goto end;
983 }
984
985 result = 1;
986
987end:
988 if (alp_tctx != NULL)
989 AppLayerParserThreadCtxFree(alp_tctx);
990 if (de_ctx != NULL)
991 DetectEngineCtxFree(de_ctx);
992
993 StreamTcpFreeConfig(true);
994 FLOW_DESTROY(&f);
995 UTHFreePackets(&p1, 1);
996 UTHFreePackets(&p2, 1);
997 return result;
998}
999
1000static int DetectEngineHttpStatMsgTest09(void)
1001{
1002 TcpSession ssn;
1003 Packet *p1 = NULL;
1004 Packet *p2 = NULL;
1005 ThreadVars th_v;
1006 DetectEngineCtx *de_ctx = NULL;
1007 DetectEngineThreadCtx *det_ctx = NULL;
1008 HtpState *http_state = NULL;
1009 Flow f;
1010 uint8_t http_buf1[] =
1011 "GET /index.html HTTP/1.0\r\n"
1012 "Host: www.openinfosecfoundation.org\r\n"
1013 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1014 "\r\n";
1015 uint32_t http_len1 = sizeof(http_buf1) - 1;
1016 uint8_t http_buf2[] =
1017 "HTTP/1.0 200 abcdef\r\n"
1018 "Content-Type: text/html\r\n"
1019 "Content-Length: 6\r\n"
1020 "\r\n"
1021 "abcdef";
1022 uint32_t http_len2 = sizeof(http_buf2) - 1;
1023 int result = 0;
1024 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1025
1026 memset(&th_v, 0, sizeof(th_v));
1027 memset(&f, 0, sizeof(f));
1028 memset(&ssn, 0, sizeof(ssn));
1029
1030 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1031 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1032
1033 FLOW_INITIALIZE(&f);
1034 f.protoctx = (void *)&ssn;
1035 f.proto = IPPROTO_TCP;
1036 f.flags |= FLOW_IPV4;
1037
1038 p1->flow = &f;
1039 p1->flowflags |= FLOW_PKT_TOSERVER;
1040 p1->flowflags |= FLOW_PKT_ESTABLISHED;
1041 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1042 p2->flow = &f;
1043 p2->flowflags |= FLOW_PKT_TOCLIENT;
1044 p2->flowflags |= FLOW_PKT_ESTABLISHED;
1045 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1046 f.alproto = ALPROTO_HTTP1;
1047
1048 StreamTcpInitConfig(true);
1049
1050 de_ctx = DetectEngineCtxInit();
1051 if (de_ctx == NULL)
1052 goto end;
1053
1054 de_ctx->flags |= DE_QUIET;
1055
1056 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1057 "(msg:\"http stat msg test\"; "
1058 "content:\"abc\"; http_stat_msg; depth:3; "
1059 "content:\"def\"; http_stat_msg; within:3; "
1060 "sid:1;)");
1061 if (de_ctx->sig_list == NULL)
1062 goto end;
1063
1064 SigGroupBuild(de_ctx);
1065 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1066
1067 int r = AppLayerParserParse(
1068 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1069 if (r != 0) {
1070 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1071 result = 0;
1072 goto end;
1073 }
1074
1075 http_state = f.alstate;
1076 if (http_state == NULL) {
1077 printf("no http state: \n");
1078 result = 0;
1079 goto end;
1080 }
1081
1082 /* do detect */
1083 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1084
1085 if (PacketAlertCheck(p1, 1)) {
1086 printf("sid 1 matched but shouldn't have: ");
1087 goto end;
1088 }
1089
1090 r = AppLayerParserParse(
1091 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1092 if (r != 0) {
1093 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1094 result = 0;
1095 goto end;
1096 }
1097
1098 /* do detect */
1099 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1100
1101 if (!PacketAlertCheck(p2, 1)) {
1102 printf("sid 1 didn't match but should have: ");
1103 goto end;
1104 }
1105
1106 result = 1;
1107
1108end:
1109 if (alp_tctx != NULL)
1110 AppLayerParserThreadCtxFree(alp_tctx);
1111 if (de_ctx != NULL)
1112 DetectEngineCtxFree(de_ctx);
1113
1114 StreamTcpFreeConfig(true);
1115 FLOW_DESTROY(&f);
1116 UTHFreePackets(&p1, 1);
1117 UTHFreePackets(&p2, 1);
1118 return result;
1119}
1120
1121static int DetectEngineHttpStatMsgTest10(void)
1122{
1123 TcpSession ssn;
1124 Packet *p1 = NULL;
1125 Packet *p2 = NULL;
1126 ThreadVars th_v;
1127 DetectEngineCtx *de_ctx = NULL;
1128 DetectEngineThreadCtx *det_ctx = NULL;
1129 HtpState *http_state = NULL;
1130 Flow f;
1131 uint8_t http_buf1[] =
1132 "GET /index.html HTTP/1.0\r\n"
1133 "Host: www.openinfosecfoundation.org\r\n"
1134 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1135 "\r\n";
1136 uint32_t http_len1 = sizeof(http_buf1) - 1;
1137 uint8_t http_buf2[] =
1138 "HTTP/1.0 200 abcdef\r\n"
1139 "Content-Type: text/html\r\n"
1140 "Content-Length: 6\r\n"
1141 "\r\n"
1142 "abcdef";
1143 uint32_t http_len2 = sizeof(http_buf2) - 1;
1144 int result = 0;
1145 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1146
1147 memset(&th_v, 0, sizeof(th_v));
1148 memset(&f, 0, sizeof(f));
1149 memset(&ssn, 0, sizeof(ssn));
1150
1151 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1152 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1153
1154 FLOW_INITIALIZE(&f);
1155 f.protoctx = (void *)&ssn;
1156 f.proto = IPPROTO_TCP;
1157 f.flags |= FLOW_IPV4;
1158
1159 p1->flow = &f;
1160 p1->flowflags |= FLOW_PKT_TOSERVER;
1161 p1->flowflags |= FLOW_PKT_ESTABLISHED;
1162 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1163 p2->flow = &f;
1164 p2->flowflags |= FLOW_PKT_TOCLIENT;
1165 p2->flowflags |= FLOW_PKT_ESTABLISHED;
1166 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1167 f.alproto = ALPROTO_HTTP1;
1168
1169 StreamTcpInitConfig(true);
1170
1171 de_ctx = DetectEngineCtxInit();
1172 if (de_ctx == NULL)
1173 goto end;
1174
1175 de_ctx->flags |= DE_QUIET;
1176
1177 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1178 "(msg:\"http stat msg test\"; "
1179 "content:\"abc\"; http_stat_msg; depth:3; "
1180 "content:!\"xyz\"; http_stat_msg; within:3; "
1181 "sid:1;)");
1182 if (de_ctx->sig_list == NULL)
1183 goto end;
1184
1185 SigGroupBuild(de_ctx);
1186 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1187
1188 int r = AppLayerParserParse(
1189 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1190 if (r != 0) {
1191 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1192 result = 0;
1193 goto end;
1194 }
1195
1196 http_state = f.alstate;
1197 if (http_state == NULL) {
1198 printf("no http state: \n");
1199 result = 0;
1200 goto end;
1201 }
1202
1203 /* do detect */
1204 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1205
1206 if (PacketAlertCheck(p1, 1)) {
1207 printf("sid 1 matched but shouldn't have: ");
1208 goto end;
1209 }
1210
1211 r = AppLayerParserParse(
1212 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1213 if (r != 0) {
1214 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1215 result = 0;
1216 goto end;
1217 }
1218
1219 /* do detect */
1220 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1221
1222 if (!PacketAlertCheck(p2, 1)) {
1223 printf("sid 1 didn't match but should have: ");
1224 goto end;
1225 }
1226
1227 result = 1;
1228
1229end:
1230 if (alp_tctx != NULL)
1231 AppLayerParserThreadCtxFree(alp_tctx);
1232 if (de_ctx != NULL)
1233 DetectEngineCtxFree(de_ctx);
1234
1235 StreamTcpFreeConfig(true);
1236 FLOW_DESTROY(&f);
1237 UTHFreePackets(&p1, 1);
1238 UTHFreePackets(&p2, 1);
1239 return result;
1240}
1241
1242static int DetectEngineHttpStatMsgTest11(void)
1243{
1244 TcpSession ssn;
1245 Packet *p1 = NULL;
1246 Packet *p2 = NULL;
1247 ThreadVars th_v;
1248 DetectEngineCtx *de_ctx = NULL;
1249 DetectEngineThreadCtx *det_ctx = NULL;
1250 HtpState *http_state = NULL;
1251 Flow f;
1252 uint8_t http_buf1[] =
1253 "GET /index.html HTTP/1.0\r\n"
1254 "Host: www.openinfosecfoundation.org\r\n"
1255 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1256 "\r\n";
1257 uint32_t http_len1 = sizeof(http_buf1) - 1;
1258 uint8_t http_buf2[] =
1259 "HTTP/1.0 200 abcdef\r\n"
1260 "Content-Type: text/html\r\n"
1261 "Content-Length: 6\r\n"
1262 "\r\n"
1263 "abcdef";
1264 uint32_t http_len2 = sizeof(http_buf2) - 1;
1265 int result = 0;
1266 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1267
1268 memset(&th_v, 0, sizeof(th_v));
1269 memset(&f, 0, sizeof(f));
1270 memset(&ssn, 0, sizeof(ssn));
1271
1272 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1273 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1274
1275 FLOW_INITIALIZE(&f);
1276 f.protoctx = (void *)&ssn;
1277 f.proto = IPPROTO_TCP;
1278 f.flags |= FLOW_IPV4;
1279
1280 p1->flow = &f;
1281 p1->flowflags |= FLOW_PKT_TOSERVER;
1282 p1->flowflags |= FLOW_PKT_ESTABLISHED;
1283 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1284 p2->flow = &f;
1285 p2->flowflags |= FLOW_PKT_TOCLIENT;
1286 p2->flowflags |= FLOW_PKT_ESTABLISHED;
1287 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1288 f.alproto = ALPROTO_HTTP1;
1289
1290 StreamTcpInitConfig(true);
1291
1292 de_ctx = DetectEngineCtxInit();
1293 if (de_ctx == NULL)
1294 goto end;
1295
1296 de_ctx->flags |= DE_QUIET;
1297
1298 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1299 "(msg:\"http stat msg test\"; "
1300 "content:\"abc\"; http_stat_msg; depth:3; "
1301 "content:\"xyz\"; http_stat_msg; within:3; "
1302 "sid:1;)");
1303 if (de_ctx->sig_list == NULL)
1304 goto end;
1305
1306 SigGroupBuild(de_ctx);
1307 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1308
1309 int r = AppLayerParserParse(
1310 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1311 if (r != 0) {
1312 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1313 result = 0;
1314 goto end;
1315 }
1316
1317 http_state = f.alstate;
1318 if (http_state == NULL) {
1319 printf("no http state: \n");
1320 result = 0;
1321 goto end;
1322 }
1323
1324 /* do detect */
1325 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1326
1327 if (PacketAlertCheck(p1, 1)) {
1328 printf("sid 1 matched but shouldn't have: ");
1329 goto end;
1330 }
1331
1332 r = AppLayerParserParse(
1333 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1334 if (r != 0) {
1335 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1336 result = 0;
1337 goto end;
1338 }
1339
1340 /* do detect */
1341 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1342
1343 if (PacketAlertCheck(p2, 1)) {
1344 printf("sid 1 did match but should not have: ");
1345 goto end;
1346 }
1347
1348 result = 1;
1349
1350end:
1351 if (alp_tctx != NULL)
1352 AppLayerParserThreadCtxFree(alp_tctx);
1353 if (de_ctx != NULL)
1354 DetectEngineCtxFree(de_ctx);
1355
1356 StreamTcpFreeConfig(true);
1357 FLOW_DESTROY(&f);
1358 UTHFreePackets(&p1, 1);
1359 UTHFreePackets(&p2, 1);
1360 return result;
1361}
1362
1363static int DetectEngineHttpStatMsgTest12(void)
1364{
1365 TcpSession ssn;
1366 Packet *p1 = NULL;
1367 Packet *p2 = NULL;
1368 ThreadVars th_v;
1369 DetectEngineCtx *de_ctx = NULL;
1370 DetectEngineThreadCtx *det_ctx = NULL;
1371 HtpState *http_state = NULL;
1372 Flow f;
1373 uint8_t http_buf1[] =
1374 "GET /index.html HTTP/1.0\r\n"
1375 "Host: www.openinfosecfoundation.org\r\n"
1376 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1377 "\r\n";
1378 uint32_t http_len1 = sizeof(http_buf1) - 1;
1379 uint8_t http_buf2[] =
1380 "HTTP/1.0 200 abcdef\r\n"
1381 "Content-Type: text/html\r\n"
1382 "Content-Length: 6\r\n"
1383 "\r\n"
1384 "abcdef";
1385 uint32_t http_len2 = sizeof(http_buf2) - 1;
1386 int result = 0;
1387 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1388
1389 memset(&th_v, 0, sizeof(th_v));
1390 memset(&f, 0, sizeof(f));
1391 memset(&ssn, 0, sizeof(ssn));
1392
1393 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1394 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1395
1396 FLOW_INITIALIZE(&f);
1397 f.protoctx = (void *)&ssn;
1398 f.proto = IPPROTO_TCP;
1399 f.flags |= FLOW_IPV4;
1400
1401 p1->flow = &f;
1402 p1->flowflags |= FLOW_PKT_TOSERVER;
1403 p1->flowflags |= FLOW_PKT_ESTABLISHED;
1404 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1405 p2->flow = &f;
1406 p2->flowflags |= FLOW_PKT_TOCLIENT;
1407 p2->flowflags |= FLOW_PKT_ESTABLISHED;
1408 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1409 f.alproto = ALPROTO_HTTP1;
1410
1411 StreamTcpInitConfig(true);
1412
1413 de_ctx = DetectEngineCtxInit();
1414 if (de_ctx == NULL)
1415 goto end;
1416
1417 de_ctx->flags |= DE_QUIET;
1418
1419 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1420 "(msg:\"http stat msg test\"; "
1421 "content:\"ab\"; http_stat_msg; depth:2; "
1422 "content:\"ef\"; http_stat_msg; distance:2; "
1423 "sid:1;)");
1424 if (de_ctx->sig_list == NULL)
1425 goto end;
1426
1427 SigGroupBuild(de_ctx);
1428 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1429
1430 int r = AppLayerParserParse(
1431 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1432 if (r != 0) {
1433 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1434 result = 0;
1435 goto end;
1436 }
1437
1438 http_state = f.alstate;
1439 if (http_state == NULL) {
1440 printf("no http state: \n");
1441 result = 0;
1442 goto end;
1443 }
1444
1445 /* do detect */
1446 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1447
1448 if (PacketAlertCheck(p1, 1)) {
1449 printf("sid 1 matched but shouldn't have: ");
1450 goto end;
1451 }
1452
1453 r = AppLayerParserParse(
1454 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1455 if (r != 0) {
1456 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1457 result = 0;
1458 goto end;
1459 }
1460
1461 /* do detect */
1462 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1463
1464 if (!PacketAlertCheck(p2, 1)) {
1465 printf("sid 1 did not match but should have: ");
1466 goto end;
1467 }
1468
1469 result = 1;
1470
1471end:
1472 if (alp_tctx != NULL)
1473 AppLayerParserThreadCtxFree(alp_tctx);
1474 if (de_ctx != NULL)
1475 DetectEngineCtxFree(de_ctx);
1476
1477 StreamTcpFreeConfig(true);
1478 FLOW_DESTROY(&f);
1479 UTHFreePackets(&p1, 1);
1480 UTHFreePackets(&p2, 1);
1481 return result;
1482}
1483
1484static int DetectEngineHttpStatMsgTest13(void)
1485{
1486 TcpSession ssn;
1487 Packet *p1 = NULL;
1488 Packet *p2 = NULL;
1489 ThreadVars th_v;
1490 DetectEngineCtx *de_ctx = NULL;
1491 DetectEngineThreadCtx *det_ctx = NULL;
1492 HtpState *http_state = NULL;
1493 Flow f;
1494 uint8_t http_buf1[] =
1495 "GET /index.html HTTP/1.0\r\n"
1496 "Host: www.openinfosecfoundation.org\r\n"
1497 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1498 "\r\n";
1499 uint32_t http_len1 = sizeof(http_buf1) - 1;
1500 uint8_t http_buf2[] =
1501 "HTTP/1.0 200 abcdef\r\n"
1502 "Content-Type: text/html\r\n"
1503 "Content-Length: 6\r\n"
1504 "\r\n"
1505 "abcdef";
1506 uint32_t http_len2 = sizeof(http_buf2) - 1;
1507 int result = 0;
1508 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1509
1510 memset(&th_v, 0, sizeof(th_v));
1511 memset(&f, 0, sizeof(f));
1512 memset(&ssn, 0, sizeof(ssn));
1513
1514 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1515 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1516
1517 FLOW_INITIALIZE(&f);
1518 f.protoctx = (void *)&ssn;
1519 f.proto = IPPROTO_TCP;
1520 f.flags |= FLOW_IPV4;
1521
1522 p1->flow = &f;
1523 p1->flowflags |= FLOW_PKT_TOSERVER;
1524 p1->flowflags |= FLOW_PKT_ESTABLISHED;
1525 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1526 p2->flow = &f;
1527 p2->flowflags |= FLOW_PKT_TOCLIENT;
1528 p2->flowflags |= FLOW_PKT_ESTABLISHED;
1529 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1530 f.alproto = ALPROTO_HTTP1;
1531
1532 StreamTcpInitConfig(true);
1533
1534 de_ctx = DetectEngineCtxInit();
1535 if (de_ctx == NULL)
1536 goto end;
1537
1538 de_ctx->flags |= DE_QUIET;
1539
1540 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1541 "(msg:\"http stat msg test\"; "
1542 "content:\"ab\"; http_stat_msg; depth:3; "
1543 "content:!\"yz\"; http_stat_msg; distance:2; "
1544 "sid:1;)");
1545 if (de_ctx->sig_list == NULL)
1546 goto end;
1547
1548 SigGroupBuild(de_ctx);
1549 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1550
1551 int r = AppLayerParserParse(
1552 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1553 if (r != 0) {
1554 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1555 result = 0;
1556 goto end;
1557 }
1558
1559 http_state = f.alstate;
1560 if (http_state == NULL) {
1561 printf("no http state: \n");
1562 result = 0;
1563 goto end;
1564 }
1565
1566 /* do detect */
1567 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1568
1569 if (PacketAlertCheck(p1, 1)) {
1570 printf("sid 1 matched but shouldn't have: ");
1571 goto end;
1572 }
1573
1574 r = AppLayerParserParse(
1575 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1576 if (r != 0) {
1577 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1578 result = 0;
1579 goto end;
1580 }
1581
1582 /* do detect */
1583 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1584
1585 if (!PacketAlertCheck(p2, 1)) {
1586 printf("sid 1 did not match but should have: ");
1587 goto end;
1588 }
1589
1590 result = 1;
1591
1592end:
1593 if (alp_tctx != NULL)
1594 AppLayerParserThreadCtxFree(alp_tctx);
1595 if (de_ctx != NULL)
1596 DetectEngineCtxFree(de_ctx);
1597
1598 StreamTcpFreeConfig(true);
1599 FLOW_DESTROY(&f);
1600 UTHFreePackets(&p1, 1);
1601 UTHFreePackets(&p2, 1);
1602 return result;
1603}
1604
1605static int DetectEngineHttpStatMsgTest14(void)
1606{
1607 TcpSession ssn;
1608 Packet *p1 = NULL;
1609 Packet *p2 = NULL;
1610 ThreadVars th_v;
1611 DetectEngineCtx *de_ctx = NULL;
1612 DetectEngineThreadCtx *det_ctx = NULL;
1613 HtpState *http_state = NULL;
1614 Flow f;
1615 uint8_t http_buf1[] =
1616 "GET /index.html HTTP/1.0\r\n"
1617 "Host: www.openinfosecfoundation.org\r\n"
1618 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1619 "\r\n";
1620 uint32_t http_len1 = sizeof(http_buf1) - 1;
1621 uint8_t http_buf2[] =
1622 "HTTP/1.0 200 abcdef\r\n"
1623 "Content-Type: text/html\r\n"
1624 "Content-Length: 6\r\n"
1625 "\r\n"
1626 "abcdef";
1627 uint32_t http_len2 = sizeof(http_buf2) - 1;
1628 int result = 0;
1629 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1630
1631 memset(&th_v, 0, sizeof(th_v));
1632 memset(&f, 0, sizeof(f));
1633 memset(&ssn, 0, sizeof(ssn));
1634
1635 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1636 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1637
1638 FLOW_INITIALIZE(&f);
1639 f.protoctx = (void *)&ssn;
1640 f.proto = IPPROTO_TCP;
1641 f.flags |= FLOW_IPV4;
1642
1643 p1->flow = &f;
1644 p1->flowflags |= FLOW_PKT_TOSERVER;
1645 p1->flowflags |= FLOW_PKT_ESTABLISHED;
1646 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1647 p2->flow = &f;
1648 p2->flowflags |= FLOW_PKT_TOCLIENT;
1649 p2->flowflags |= FLOW_PKT_ESTABLISHED;
1650 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1651 f.alproto = ALPROTO_HTTP1;
1652
1653 StreamTcpInitConfig(true);
1654
1655 de_ctx = DetectEngineCtxInit();
1656 if (de_ctx == NULL)
1657 goto end;
1658
1659 de_ctx->flags |= DE_QUIET;
1660
1661 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1662 "(msg:\"http stat msg test\"; "
1663 "pcre:/ab/Y; "
1664 "content:\"ef\"; http_stat_msg; distance:2; "
1665 "sid:1;)");
1666 if (de_ctx->sig_list == NULL)
1667 goto end;
1668
1669 SigGroupBuild(de_ctx);
1670 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1671
1672 int r = AppLayerParserParse(
1673 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1674 if (r != 0) {
1675 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1676 result = 0;
1677 goto end;
1678 }
1679
1680 http_state = f.alstate;
1681 if (http_state == NULL) {
1682 printf("no http state: \n");
1683 result = 0;
1684 goto end;
1685 }
1686
1687 /* do detect */
1688 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1689
1690 if (PacketAlertCheck(p1, 1)) {
1691 printf("sid 1 matched but shouldn't have: ");
1692 goto end;
1693 }
1694
1695 r = AppLayerParserParse(
1696 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1697 if (r != 0) {
1698 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1699 result = 0;
1700 goto end;
1701 }
1702
1703 /* do detect */
1704 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1705
1706 if (!PacketAlertCheck(p2, 1)) {
1707 printf("sid 1 did not match but should have: ");
1708 goto end;
1709 }
1710
1711 result = 1;
1712
1713end:
1714 if (alp_tctx != NULL)
1715 AppLayerParserThreadCtxFree(alp_tctx);
1716 if (de_ctx != NULL)
1717 DetectEngineCtxFree(de_ctx);
1718
1719 StreamTcpFreeConfig(true);
1720 FLOW_DESTROY(&f);
1721 UTHFreePackets(&p1, 1);
1722 UTHFreePackets(&p2, 1);
1723 return result;
1724}
1725
1726static int DetectEngineHttpStatMsgTest15(void)
1727{
1728 TcpSession ssn;
1729 Packet *p1 = NULL;
1730 Packet *p2 = NULL;
1731 ThreadVars th_v;
1732 DetectEngineCtx *de_ctx = NULL;
1733 DetectEngineThreadCtx *det_ctx = NULL;
1734 HtpState *http_state = NULL;
1735 Flow f;
1736 uint8_t http_buf1[] =
1737 "GET /index.html HTTP/1.0\r\n"
1738 "Host: www.openinfosecfoundation.org\r\n"
1739 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1740 "\r\n";
1741 uint32_t http_len1 = sizeof(http_buf1) - 1;
1742 uint8_t http_buf2[] =
1743 "HTTP/1.0 200 abcdef\r\n"
1744 "Content-Type: text/html\r\n"
1745 "Content-Length: 6\r\n"
1746 "\r\n"
1747 "abcdef";
1748 uint32_t http_len2 = sizeof(http_buf2) - 1;
1749 int result = 0;
1750 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1751
1752 memset(&th_v, 0, sizeof(th_v));
1753 memset(&f, 0, sizeof(f));
1754 memset(&ssn, 0, sizeof(ssn));
1755
1756 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1757 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1758
1759 FLOW_INITIALIZE(&f);
1760 f.protoctx = (void *)&ssn;
1761 f.proto = IPPROTO_TCP;
1762 f.flags |= FLOW_IPV4;
1763
1764 p1->flow = &f;
1765 p1->flowflags |= FLOW_PKT_TOSERVER;
1766 p1->flowflags |= FLOW_PKT_ESTABLISHED;
1767 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1768 p2->flow = &f;
1769 p2->flowflags |= FLOW_PKT_TOCLIENT;
1770 p2->flowflags |= FLOW_PKT_ESTABLISHED;
1771 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1772 f.alproto = ALPROTO_HTTP1;
1773
1774 StreamTcpInitConfig(true);
1775
1776 de_ctx = DetectEngineCtxInit();
1777 if (de_ctx == NULL)
1778 goto end;
1779
1780 de_ctx->flags |= DE_QUIET;
1781
1782 de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
1783 "(msg:\"http stat msg test\"; "
1784 "pcre:/abc/Y; "
1785 "content:!\"xyz\"; http_stat_msg; distance:0; within:3; "
1786 "sid:1;)");
1787 if (de_ctx->sig_list == NULL)
1788 goto end;
1789
1790 SigGroupBuild(de_ctx);
1791 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1792
1793 int r = AppLayerParserParse(
1794 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_len1);
1795 if (r != 0) {
1796 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1797 result = 0;
1798 goto end;
1799 }
1800
1801 http_state = f.alstate;
1802 if (http_state == NULL) {
1803 printf("no http state: \n");
1804 result = 0;
1805 goto end;
1806 }
1807
1808 /* do detect */
1809 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1810
1811 if (PacketAlertCheck(p1, 1)) {
1812 printf("sid 1 matched but shouldn't have: ");
1813 goto end;
1814 }
1815
1816 r = AppLayerParserParse(
1817 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, http_buf2, http_len2);
1818 if (r != 0) {
1819 printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1820 result = 0;
1821 goto end;
1822 }
1823
1824 /* do detect */
1825 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1826
1827 if (!PacketAlertCheck(p2, 1)) {
1828 printf("sid 1 did not match but should have: ");
1829 goto end;
1830 }
1831
1832 result = 1;
1833
1834end:
1835 if (alp_tctx != NULL)
1836 AppLayerParserThreadCtxFree(alp_tctx);
1837 if (de_ctx != NULL)
1838 DetectEngineCtxFree(de_ctx);
1839
1840 StreamTcpFreeConfig(true);
1841 FLOW_DESTROY(&f);
1842 UTHFreePackets(&p1, 1);
1843 UTHFreePackets(&p2, 1);
1844 return result;
1845}
1846
1847/** \test Check the signature working to alert when http_stat_msg is matched . */
1848static int DetectHttpStatMsgSigTest01(void)
1849{
1850 int result = 0;
1851 Flow f;
1852 uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
1853 uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1854 uint8_t httpbuf2[] = "HTTP/1.0 200 OK\r\n\r\n";
1855 uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1856 TcpSession ssn;
1857 Packet *p = NULL;
1858 Signature *s = NULL;
1859 ThreadVars th_v;
1860 DetectEngineThreadCtx *det_ctx = NULL;
1861 HtpState *http_state = NULL;
1862 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1863
1864 memset(&th_v, 0, sizeof(th_v));
1865 memset(&f, 0, sizeof(f));
1866 memset(&ssn, 0, sizeof(ssn));
1867
1868 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1869
1870 FLOW_INITIALIZE(&f);
1871 f.protoctx = (void *)&ssn;
1872 f.proto = IPPROTO_TCP;
1873 f.flags |= FLOW_IPV4;
1874
1875 p->flow = &f;
1876 p->flowflags |= FLOW_PKT_TOCLIENT;
1877 p->flowflags |= FLOW_PKT_ESTABLISHED;
1878 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1879 f.alproto = ALPROTO_HTTP1;
1880
1881 StreamTcpInitConfig(true);
1882
1883 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1884 if (de_ctx == NULL) {
1885 goto end;
1886 }
1887
1888 de_ctx->flags |= DE_QUIET;
1889
1890 s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
1891 "\"HTTP status message\"; content:\"OK\"; "
1892 "http_stat_msg; sid:1;)");
1893 if (s == NULL) {
1894 goto end;
1895 }
1896
1897 s->next = SigInit(de_ctx,"alert http any any -> any any (msg:\"HTTP "
1898 "Status message nocase\"; content:\"ok\"; nocase; "
1899 "http_stat_msg; sid:2;)");
1900 if (s->next == NULL) {
1901 goto end;
1902 }
1903
1904 SigGroupBuild(de_ctx);
1905 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1906
1907 int r = AppLayerParserParse(
1908 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1909 if (r != 0) {
1910 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1911 result = 0;
1912 goto end;
1913 }
1914
1915 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
1916 if (r != 0) {
1917 printf("toclient chunk 1 returned %" PRId32 ", expected 0: ", r);
1918 result = 0;
1919 goto end;
1920 }
1921
1922 http_state = f.alstate;
1923 if (http_state == NULL) {
1924 printf("no http state: ");
1925 result = 0;
1926 goto end;
1927 }
1928
1929 /* do detect */
1930 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1931
1932 if (!(PacketAlertCheck(p, 1))) {
1933 printf("sid 1 didn't match but should have: ");
1934 goto end;
1935 }
1936 if (!(PacketAlertCheck(p, 2))) {
1937 printf("sid 2 didn't match but should have: ");
1938 goto end;
1939 }
1940
1941 result = 1;
1942end:
1943 if (alp_tctx != NULL)
1944 AppLayerParserThreadCtxFree(alp_tctx);
1945 if (det_ctx != NULL) {
1946 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1947 }
1948 if (de_ctx != NULL) {
1949 DetectEngineCtxFree(de_ctx);
1950 }
1951
1952 StreamTcpFreeConfig(true);
1953
1954 UTHFreePackets(&p, 1);
1955 return result;
1956}
1957
1958/** \test Check the signature working to alert when http_stat_msg is not matched . */
1959static int DetectHttpStatMsgSigTest02(void)
1960{
1961 int result = 0;
1962 Flow f;
1963 uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
1964 uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1965 uint8_t httpbuf2[] = "HTTP/1.0 200 OK\r\n\r\n";
1966 uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1967 TcpSession ssn;
1968 Packet *p = NULL;
1969 Signature *s = NULL;
1970 ThreadVars th_v;
1971 DetectEngineThreadCtx *det_ctx = NULL;
1972 HtpState *http_state = NULL;
1973 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1974
1975 memset(&th_v, 0, sizeof(th_v));
1976 memset(&f, 0, sizeof(f));
1977 memset(&ssn, 0, sizeof(ssn));
1978
1979 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1980
1981 FLOW_INITIALIZE(&f);
1982 f.protoctx = (void *)&ssn;
1983 f.proto = IPPROTO_TCP;
1984 f.flags |= FLOW_IPV4;
1985
1986 p->flow = &f;
1987 p->flowflags |= FLOW_PKT_TOCLIENT;
1988 p->flowflags |= FLOW_PKT_ESTABLISHED;
1989 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1990 f.alproto = ALPROTO_HTTP1;
1991
1992 StreamTcpInitConfig(true);
1993
1994 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1995 if (de_ctx == NULL) {
1996 goto end;
1997 }
1998
1999 de_ctx->flags |= DE_QUIET;
2000
2001 s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
2002 "\"HTTP status message\"; content:\"no\"; "
2003 "http_stat_msg; sid:1;)");
2004 if (s == NULL) {
2005 goto end;
2006 }
2007
2008 SigGroupBuild(de_ctx);
2009 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2010
2011 int r = AppLayerParserParse(
2012 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
2013 if (r != 0) {
2014 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2015 result = 0;
2016 goto end;
2017 }
2018
2019 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
2020 if (r != 0) {
2021 printf("toclient chunk 1 returned %" PRId32 ", expected 0: ", r);
2022 result = 0;
2023 goto end;
2024 }
2025
2026 http_state = f.alstate;
2027 if (http_state == NULL) {
2028 printf("no http state: ");
2029 result = 0;
2030 goto end;
2031 }
2032
2033 /* do detect */
2034 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2035
2036 if (PacketAlertCheck(p, 1)) {
2037 printf("sid 1 matched but shouldn't: ");
2038 goto end;
2039 }
2040
2041 result = 1;
2042end:
2043 if (alp_tctx != NULL)
2044 AppLayerParserThreadCtxFree(alp_tctx);
2045 if (det_ctx != NULL) {
2046 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2047 }
2048 if (de_ctx != NULL) {
2049 DetectEngineCtxFree(de_ctx);
2050 }
2051
2052 StreamTcpFreeConfig(true);
2053
2054 UTHFreePackets(&p, 1);
2055 return result;
2056}
2057
2058/** \test Check the signature working to alert when http_stat_msg is used with
2059 * negated content . */
2060static int DetectHttpStatMsgSigTest03(void)
2061{
2062 int result = 0;
2063 Flow f;
2064 uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
2065 uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2066 uint8_t httpbuf2[] = "HTTP/1.0 200 OK\r\n\r\n";
2067 uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
2068 TcpSession ssn;
2069 Packet *p = NULL;
2070 Signature *s = NULL;
2071 ThreadVars th_v;
2072 DetectEngineThreadCtx *det_ctx = NULL;
2073 HtpState *http_state = NULL;
2074 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2075
2076 memset(&th_v, 0, sizeof(th_v));
2077 memset(&f, 0, sizeof(f));
2078 memset(&ssn, 0, sizeof(ssn));
2079
2080 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2081
2082 FLOW_INITIALIZE(&f);
2083 f.protoctx = (void *)&ssn;
2084 f.proto = IPPROTO_TCP;
2085 f.flags |= FLOW_IPV4;
2086
2087 p->flow = &f;
2088 p->flowflags |= FLOW_PKT_TOCLIENT;
2089 p->flowflags |= FLOW_PKT_ESTABLISHED;
2090 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2091 f.alproto = ALPROTO_HTTP1;
2092
2093 StreamTcpInitConfig(true);
2094
2095 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2096 if (de_ctx == NULL) {
2097 goto end;
2098 }
2099
2100 de_ctx->flags |= DE_QUIET;
2101
2102 s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
2103 "\"HTTP status message\"; content:\"ok\"; "
2104 "nocase; http_stat_msg; sid:1;)");
2105 if (s == NULL) {
2106 goto end;
2107 }
2108
2109 s->next = SigInit(de_ctx,"alert http any any -> any any (msg:\"HTTP "
2110 "Status message nocase\"; content:!\"Not\"; "
2111 "http_stat_msg; sid:2;)");
2112 if (s->next == NULL) {
2113 goto end;
2114 }
2115
2116 SigGroupBuild(de_ctx);
2117 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2118
2119 int r = AppLayerParserParse(
2120 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
2121 if (r != 0) {
2122 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2123 result = 0;
2124 goto end;
2125 }
2126
2127 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOCLIENT, httpbuf2, httplen2);
2128 if (r != 0) {
2129 printf("toclient chunk 1 returned %" PRId32 ", expected 0: ", r);
2130 result = 0;
2131 goto end;
2132 }
2133
2134 http_state = f.alstate;
2135 if (http_state == NULL) {
2136 printf("no http state: ");
2137 result = 0;
2138 goto end;
2139 }
2140
2141 /* do detect */
2142 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2143
2144 if (! PacketAlertCheck(p, 1)) {
2145 printf("sid 1 didn't matched but should have: ");
2146 goto end;
2147 }
2148 if (! PacketAlertCheck(p, 2)) {
2149 printf("sid 2 didn't matched but should have: ");
2150 goto end;
2151 }
2152
2153 result = 1;
2154end:
2155 if (alp_tctx != NULL)
2156 AppLayerParserThreadCtxFree(alp_tctx);
2157 if (det_ctx != NULL) {
2158 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2159 }
2160 if (de_ctx != NULL) {
2161 DetectEngineCtxFree(de_ctx);
2162 }
2163
2164 StreamTcpFreeConfig(true);
2165
2166 UTHFreePackets(&p, 1);
2167 return result;
2168}
2169
2170/**
2171 * \brief Register the UNITTESTS for the http_stat_msg keyword
2172 */
2173void DetectHttpStatMsgRegisterTests (void)
2174{
2175 UtRegisterTest("DetectHttpStatMsgSigTest01", DetectHttpStatMsgSigTest01);
2176 UtRegisterTest("DetectHttpStatMsgSigTest02", DetectHttpStatMsgSigTest02);
2177 UtRegisterTest("DetectHttpStatMsgSigTest03", DetectHttpStatMsgSigTest03);
2178
2179 UtRegisterTest("DetectEngineHttpStatMsgTest01",
2180 DetectEngineHttpStatMsgTest01);
2181 UtRegisterTest("DetectEngineHttpStatMsgTest02",
2182 DetectEngineHttpStatMsgTest02);
2183 UtRegisterTest("DetectEngineHttpStatMsgTest03",
2184 DetectEngineHttpStatMsgTest03);
2185 UtRegisterTest("DetectEngineHttpStatMsgTest04",
2186 DetectEngineHttpStatMsgTest04);
2187 UtRegisterTest("DetectEngineHttpStatMsgTest05",
2188 DetectEngineHttpStatMsgTest05);
2189 UtRegisterTest("DetectEngineHttpStatMsgTest06",
2190 DetectEngineHttpStatMsgTest06);
2191 UtRegisterTest("DetectEngineHttpStatMsgTest07",
2192 DetectEngineHttpStatMsgTest07);
2193 UtRegisterTest("DetectEngineHttpStatMsgTest08",
2194 DetectEngineHttpStatMsgTest08);
2195 UtRegisterTest("DetectEngineHttpStatMsgTest09",
2196 DetectEngineHttpStatMsgTest09);
2197 UtRegisterTest("DetectEngineHttpStatMsgTest10",
2198 DetectEngineHttpStatMsgTest10);
2199 UtRegisterTest("DetectEngineHttpStatMsgTest11",
2200 DetectEngineHttpStatMsgTest11);
2201 UtRegisterTest("DetectEngineHttpStatMsgTest12",
2202 DetectEngineHttpStatMsgTest12);
2203 UtRegisterTest("DetectEngineHttpStatMsgTest13",
2204 DetectEngineHttpStatMsgTest13);
2205 UtRegisterTest("DetectEngineHttpStatMsgTest14",
2206 DetectEngineHttpStatMsgTest14);
2207 UtRegisterTest("DetectEngineHttpStatMsgTest15",
2208 DetectEngineHttpStatMsgTest15);
2209}
2210
2211/**
2212 * @}
2213 */
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition app-layer-parser.c:297
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition app-layer-parser.c:324
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition app-layer-parser.c:1291
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition app-layer-protos.h:36
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition decode.h:1266
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition decode.h:1262
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition detect-engine-alert.c:142
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition detect-engine-build.c:2204
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition detect-engine.c:2602
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition detect-engine.c:2641
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition detect-engine.c:3372
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition detect-engine.c:3608
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition detect-parse.c:3095
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition detect.c:2420
DE_QUIET
#define DE_QUIET
Definition detect.h:330
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition flow-util.h:38
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition flow-util.h:119
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition flow.h:233
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition flow.h:235
FLOW_IPV4
#define FLOW_IPV4
Definition flow.h:100
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition flow.h:234
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition fuzz_applayerparserparse.c:23
de_ctx
DetectEngineCtx * de_ctx
Definition fuzz_siginit.c:18
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition util-unittest.c:103
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition stream-tcp.c:859
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition stream-tcp.c:488
AppLayerParserThreadCtx_
Definition app-layer-parser.c:60
DetectEngineCtx_
main detection engine ctx
Definition detect.h:932
DetectEngineCtx_::flags
uint8_t flags
Definition detect.h:934
DetectEngineCtx_::sig_list
Signature * sig_list
Definition detect.h:941
DetectEngineThreadCtx_
Definition detect.h:1244
Flow_
Flow data structure.
Definition flow.h:356
Flow_::proto
uint8_t proto
Definition flow.h:378
Flow_::flags
uint32_t flags
Definition flow.h:421
Flow_::alproto
AppProto alproto
application level protocol
Definition flow.h:450
Flow_::alstate
void * alstate
Definition flow.h:479
Flow_::protoctx
void * protoctx
Definition flow.h:441
HtpState_
Definition app-layer-htp.h:181
Packet_
Definition decode.h:501
Packet_::flowflags
uint8_t flowflags
Definition decode.h:532
Packet_::flow
struct Flow_ * flow
Definition decode.h:546
Packet_::flags
uint32_t flags
Definition decode.h:544
Signature_
Signature container.
Definition detect.h:668
Signature_::next
struct Signature_ * next
Definition detect.h:750
TcpSession_
Definition stream-tcp-private.h:283
ThreadVars_
Per thread variable structure.
Definition threadvars.h:58
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition util-unittest-helper.c:456
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition util-unittest-helper.c:365