suricata
detect-engine-state.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \defgroup sigstate State support
20  *
21  * State is stored in the ::DetectEngineState structure. This is
22  * basically a container for storage item of type ::DeStateStore.
23  * They contains an array of ::DeStateStoreItem which store the
24  * state of match for an individual signature identified by
25  * DeStateStoreItem::sid.
26  *
27  * @{
28  */
29 
30 /**
31  * \file
32  *
33  * \author Victor Julien <victor@inliniac.net>
34  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
35  *
36  * \brief State based signature handling.
37  */
38 
39 #include "suricata-common.h"
40 
41 #include "decode.h"
42 
43 #include "detect.h"
44 #include "detect-engine.h"
45 #include "detect-parse.h"
46 #include "detect-engine-state.h"
47 #include "detect-engine-dcepayload.h"
48 #include "detect-engine-build.h"
49 
50 #include "detect-flowvar.h"
51 
52 #include "stream-tcp.h"
53 #include "stream-tcp-private.h"
54 #include "stream-tcp-reassemble.h"
55 
56 #include "app-layer.h"
57 #include "app-layer-parser.h"
58 #include "app-layer-protos.h"
59 #include "app-layer-htp.h"
60 
61 #include "util-unittest.h"
62 #include "util-unittest-helper.h"
63 #include "util-profiling.h"
64 
65 #include "flow-util.h"
66 
67 static inline int StateIsValid(uint16_t alproto, void *alstate)
68 {
69  if (alstate != NULL) {
70  if (alproto == ALPROTO_HTTP1) {
71  HtpState *htp_state = (HtpState *)alstate;
72  if (htp_state->conn != NULL) {
73  return 1;
74  }
75  } else {
76  return 1;
77  }
78  }
79  return 0;
80 }
81 
82 static DeStateStore *DeStateStoreAlloc(void)
83 {
84  DeStateStore *d = SCCalloc(1, sizeof(DeStateStore));
85  if (unlikely(d == NULL))
86  return NULL;
87 
88  return d;
89 }
90 
91 #ifdef DEBUG_VALIDATION
92 static int DeStateSearchState(DetectEngineState *state, uint8_t direction, SigIntId num)
93 {
94  DetectEngineStateDirection *dir_state = &state->dir_state[direction & STREAM_TOSERVER ? 0 : 1];
95  DeStateStore *tx_store = dir_state->head;
96  SigIntId store_cnt;
97  SigIntId state_cnt = 0;
98 
99  for (; tx_store != NULL; tx_store = tx_store->next) {
100  SCLogDebug("tx_store %p", tx_store);
101  for (store_cnt = 0;
102  store_cnt < DE_STATE_CHUNK_SIZE && state_cnt < dir_state->cnt;
103  store_cnt++, state_cnt++)
104  {
105  DeStateStoreItem *item = &tx_store->store[store_cnt];
106  if (item->sid == num) {
107  SCLogDebug("sid %u already in state: %p %p %p %u %u, direction %s",
108  num, state, dir_state, tx_store, state_cnt,
109  store_cnt, direction & STREAM_TOSERVER ? "toserver" : "toclient");
110  return 1;
111  }
112  }
113  }
114  return 0;
115 }
116 #endif
117 
118 static void DeStateSignatureAppend(DetectEngineState *state,
119  const Signature *s, uint32_t inspect_flags, uint8_t direction)
120 {
121  SCEnter();
122 
123  DetectEngineStateDirection *dir_state =
124  &state->dir_state[(direction & STREAM_TOSERVER) ? 0 : 1];
125 
126 #ifdef DEBUG_VALIDATION
127  BUG_ON(DeStateSearchState(state, direction, s->iid));
128 #endif
129  DeStateStore *store = dir_state->tail;
130  if (store == NULL) {
131  store = DeStateStoreAlloc();
132  dir_state->head = store;
133  dir_state->cur = store;
134  dir_state->tail = store;
135  } else if (dir_state->cur) {
136  store = dir_state->cur;
137  } else {
138  store = DeStateStoreAlloc();
139  if (store != NULL) {
140  dir_state->tail->next = store;
141  dir_state->tail = store;
142  dir_state->cur = store;
143  }
144  }
145  if (store == NULL)
146  SCReturn;
147 
148  SigIntId idx = dir_state->cnt % DE_STATE_CHUNK_SIZE;
149  store->store[idx].sid = s->iid;
150  store->store[idx].flags = inspect_flags;
151  dir_state->cnt++;
152  /* if current chunk is full, progress cur */
153  if (dir_state->cnt % DE_STATE_CHUNK_SIZE == 0) {
154  dir_state->cur = dir_state->cur->next;
155  }
156 
157  SCReturn;
158 }
159 
160 DetectEngineState *DetectEngineStateAlloc(void)
161 {
162  DetectEngineState *d = SCCalloc(1, sizeof(DetectEngineState));
163  if (unlikely(d == NULL))
164  return NULL;
165 
166  return d;
167 }
168 
169 void SCDetectEngineStateFree(DetectEngineState *state)
170 {
171  DeStateStore *store;
172  DeStateStore *store_next;
173  int i = 0;
174 
175  for (i = 0; i < 2; i++) {
176  store = state->dir_state[i].head;
177  while (store != NULL) {
178  store_next = store->next;
179  SCFree(store);
180  store = store_next;
181  }
182  }
183  SCFree(state);
184 }
185 
186 static void StoreFileNoMatchCnt(DetectEngineState *de_state, uint16_t file_no_match, uint8_t direction)
187 {
188  de_state->dir_state[(direction & STREAM_TOSERVER) ? 0 : 1].filestore_cnt += file_no_match;
189 }
190 
191 static bool StoreFilestoreSigsCantMatch(const SigGroupHead *sgh, const DetectEngineState *de_state, uint8_t direction)
192 {
193  if (de_state->dir_state[(direction & STREAM_TOSERVER) ? 0 : 1].filestore_cnt ==
194  sgh->filestore_cnt)
195  return true;
196  else
197  return false;
198 }
199 
200 static void StoreStateTxHandleFiles(const SigGroupHead *sgh, Flow *f, DetectEngineState *destate,
201  const uint8_t flow_flags, void *tx, const uint64_t tx_id, const uint16_t file_no_match)
202 {
203  SCLogDebug("tx %"PRIu64", file_no_match %u", tx_id, file_no_match);
204  StoreFileNoMatchCnt(destate, file_no_match, flow_flags);
205  if (StoreFilestoreSigsCantMatch(sgh, destate, flow_flags)) {
206  SCLogDebug("filestore sigs can't match");
207  FileDisableStoringForTransaction(
208  f, flow_flags & (STREAM_TOCLIENT | STREAM_TOSERVER), tx, tx_id);
209  } else {
210  SCLogDebug("filestore sigs can still match");
211  }
212 }
213 
214 void DetectRunStoreStateTx(
215  const SigGroupHead *sgh,
216  Flow *f, void *tx, uint64_t tx_id,
217  const Signature *s,
218  uint32_t inspect_flags, uint8_t flow_flags,
219  const uint16_t file_no_match)
220 {
221  AppLayerTxData *tx_data = AppLayerParserGetTxData(f->proto, f->alproto, tx);
222  if (tx_data->de_state == NULL) {
223  tx_data->de_state = DetectEngineStateAlloc();
224  if (tx_data->de_state == NULL)
225  return;
226  SCLogDebug("destate created for %"PRIu64, tx_id);
227  }
228  DeStateSignatureAppend(tx_data->de_state, s, inspect_flags, flow_flags);
229  if (s->flags & SIG_FLAG_TXBOTHDIR) {
230  // add also in the other DetectEngineStateDirection
231  DeStateSignatureAppend(tx_data->de_state, s, inspect_flags,
232  flow_flags ^ (STREAM_TOSERVER | STREAM_TOCLIENT));
233  }
234  StoreStateTxHandleFiles(sgh, f, tx_data->de_state, flow_flags, tx, tx_id, file_no_match);
235 
236  SCLogDebug("Stored for TX %"PRIu64, tx_id);
237 }
238 
239 static inline void ResetTxState(DetectEngineState *s)
240 {
241  if (s) {
242  s->dir_state[0].cnt = 0;
243  s->dir_state[0].filestore_cnt = 0;
244  s->dir_state[0].flags = 0;
245  /* reset 'cur' back to the list head */
246  s->dir_state[0].cur = s->dir_state[0].head;
247 
248  s->dir_state[1].cnt = 0;
249  s->dir_state[1].filestore_cnt = 0;
250  s->dir_state[1].flags = 0;
251  /* reset 'cur' back to the list head */
252  s->dir_state[1].cur = s->dir_state[1].head;
253  }
254 }
255 
256 /** \brief Reset de state for active tx'
257  * To be used on detect engine reload.
258  * \param f write LOCKED flow
259  */
260 void DetectEngineStateResetTxs(Flow *f)
261 {
262  void *alstate = FlowGetAppState(f);
263  if (!StateIsValid(f->alproto, alstate)) {
264  return;
265  }
266 
267  uint64_t inspect_ts = AppLayerParserGetTransactionInspectId(f->alparser, STREAM_TOCLIENT);
268  uint64_t inspect_tc = AppLayerParserGetTransactionInspectId(f->alparser, STREAM_TOSERVER);
269 
270  uint64_t inspect_tx_id = MIN(inspect_ts, inspect_tc);
271 
272  uint64_t total_txs = AppLayerParserGetTxCnt(f, alstate);
273 
274  for ( ; inspect_tx_id < total_txs; inspect_tx_id++) {
275  void *inspect_tx = AppLayerParserGetTx(f->proto, f->alproto, alstate, inspect_tx_id);
276  if (inspect_tx != NULL) {
277  AppLayerTxData *txd = AppLayerParserGetTxData(f->proto, f->alproto, inspect_tx);
278  ResetTxState(txd->de_state);
279  }
280  }
281 }
282 
283 /*********Unittests*********/
284 
285 #ifdef UNITTESTS
286 #include "detect-engine-alert.h"
287 
288 static int DeStateTest01(void)
289 {
290  SCLogDebug("sizeof(DetectEngineState)\t\t%"PRIuMAX,
291  (uintmax_t)sizeof(DetectEngineState));
292  SCLogDebug("sizeof(DeStateStore)\t\t\t%"PRIuMAX,
293  (uintmax_t)sizeof(DeStateStore));
294  SCLogDebug("sizeof(DeStateStoreItem)\t\t%"PRIuMAX"",
295  (uintmax_t)sizeof(DeStateStoreItem));
296 
297  return 1;
298 }
299 
300 static int DeStateTest02(void)
301 {
302  uint8_t direction = STREAM_TOSERVER;
303  DetectEngineState *state = DetectEngineStateAlloc();
304  FAIL_IF_NULL(state);
305  FAIL_IF_NOT_NULL(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head);
306 
307  Signature s;
308  memset(&s, 0x00, sizeof(s));
309 
310  s.iid = 0;
311  DeStateSignatureAppend(state, &s, 0, direction);
312  s.iid = 11;
313  DeStateSignatureAppend(state, &s, 0, direction);
314  s.iid = 22;
315  DeStateSignatureAppend(state, &s, 0, direction);
316  s.iid = 33;
317  DeStateSignatureAppend(state, &s, 0, direction);
318  s.iid = 44;
319  DeStateSignatureAppend(state, &s, 0, direction);
320  s.iid = 55;
321  DeStateSignatureAppend(state, &s, 0, direction);
322  s.iid = 66;
323  DeStateSignatureAppend(state, &s, 0, direction);
324  s.iid = 77;
325  DeStateSignatureAppend(state, &s, 0, direction);
326  s.iid = 88;
327  DeStateSignatureAppend(state, &s, 0, direction);
328  s.iid = 99;
329  DeStateSignatureAppend(state, &s, 0, direction);
330  s.iid = 100;
331  DeStateSignatureAppend(state, &s, 0, direction);
332  s.iid = 111;
333  DeStateSignatureAppend(state, &s, 0, direction);
334  s.iid = 122;
335  DeStateSignatureAppend(state, &s, 0, direction);
336  s.iid = 133;
337  DeStateSignatureAppend(state, &s, 0, direction);
338  FAIL_IF_NOT(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head ==
339  state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur);
340 
341  s.iid = 144;
342  DeStateSignatureAppend(state, &s, 0, direction);
343 
344  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[14].sid != 144);
345  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head ==
346  state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur);
347  FAIL_IF_NOT(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur == NULL);
348 
349  s.iid = 155;
350  DeStateSignatureAppend(state, &s, 0, direction);
351 
352  FAIL_IF_NOT(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].tail ==
353  state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur);
354 
355  s.iid = 166;
356  DeStateSignatureAppend(state, &s, 0, direction);
357 
358  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head == NULL);
359  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[1].sid != 11);
360  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->next == NULL);
361  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[14].sid != 144);
362  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->next->store[0].sid != 155);
363  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->next->store[1].sid != 166);
364 
365  ResetTxState(state);
366 
367  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head == NULL);
368  FAIL_IF_NOT(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head ==
369  state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur);
370 
371  s.iid = 0;
372  DeStateSignatureAppend(state, &s, 0, direction);
373  s.iid = 11;
374  DeStateSignatureAppend(state, &s, 0, direction);
375  s.iid = 22;
376  DeStateSignatureAppend(state, &s, 0, direction);
377  s.iid = 33;
378  DeStateSignatureAppend(state, &s, 0, direction);
379  s.iid = 44;
380  DeStateSignatureAppend(state, &s, 0, direction);
381  s.iid = 55;
382  DeStateSignatureAppend(state, &s, 0, direction);
383  s.iid = 66;
384  DeStateSignatureAppend(state, &s, 0, direction);
385  s.iid = 77;
386  DeStateSignatureAppend(state, &s, 0, direction);
387  s.iid = 88;
388  DeStateSignatureAppend(state, &s, 0, direction);
389  s.iid = 99;
390  DeStateSignatureAppend(state, &s, 0, direction);
391  s.iid = 100;
392  DeStateSignatureAppend(state, &s, 0, direction);
393  s.iid = 111;
394  DeStateSignatureAppend(state, &s, 0, direction);
395  s.iid = 122;
396  DeStateSignatureAppend(state, &s, 0, direction);
397  s.iid = 133;
398  DeStateSignatureAppend(state, &s, 0, direction);
399  FAIL_IF_NOT(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head ==
400  state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur);
401  s.iid = 144;
402  DeStateSignatureAppend(state, &s, 0, direction);
403  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[14].sid != 144);
404  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head ==
405  state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur);
406  FAIL_IF_NOT(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].tail ==
407  state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur);
408  s.iid = 155;
409  DeStateSignatureAppend(state, &s, 0, direction);
410  s.iid = 166;
411  DeStateSignatureAppend(state, &s, 0, direction);
412 
413  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head == NULL);
414  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[1].sid != 11);
415  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->next == NULL);
416  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[14].sid != 144);
417  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->next->store[0].sid != 155);
418  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->next->store[1].sid != 166);
419 
420  SCDetectEngineStateFree(state);
421 
422  PASS;
423 }
424 
425 static int DeStateTest03(void)
426 {
427  DetectEngineState *state = DetectEngineStateAlloc();
428  FAIL_IF_NULL(state);
429 
430  Signature s;
431  memset(&s, 0x00, sizeof(s));
432 
433  uint8_t direction = STREAM_TOSERVER;
434 
435  s.iid = 11;
436  DeStateSignatureAppend(state, &s, 0, direction);
437  s.iid = 22;
438  DeStateSignatureAppend(state, &s, BIT_U32(DE_STATE_FLAG_BASE), direction);
439 
440  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head == NULL);
441  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[0].sid != 11);
442  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[0].flags & BIT_U32(DE_STATE_FLAG_BASE));
443  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[1].sid != 22);
444  FAIL_IF(!(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[1].flags & BIT_U32(DE_STATE_FLAG_BASE)));
445 
446  SCDetectEngineStateFree(state);
447  PASS;
448 }
449 
450 static int DeStateSigTest01(void)
451 {
452  DetectEngineThreadCtx *det_ctx = NULL;
453  ThreadVars th_v;
454  Flow f;
455  TcpSession ssn;
456  Packet *p = NULL;
457  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\n";
458  uint8_t httpbuf2[] = "User-Agent: Mozilla/1.0\r\n";
459  uint8_t httpbuf3[] = "Cookie: dummy\r\nContent-Length: 10\r\n\r\n";
460  uint8_t httpbuf4[] = "Http Body!";
461  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
462  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
463  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
464  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
465 
466  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
467  FAIL_IF_NULL(alp_tctx);
468 
469  memset(&th_v, 0, sizeof(th_v));
470  memset(&f, 0, sizeof(f));
471  memset(&ssn, 0, sizeof(ssn));
472 
473  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
474  FAIL_IF_NULL(p);
475 
476  FLOW_INITIALIZE(&f);
477  f.protoctx = (void *)&ssn;
478  f.proto = IPPROTO_TCP;
479  f.flags |= FLOW_IPV4;
480  f.alproto = ALPROTO_HTTP1;
481 
482  p->flow = &f;
483  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
484  p->flowflags |= FLOW_PKT_TOSERVER;
485  p->flowflags |= FLOW_PKT_ESTABLISHED;
486 
487  StreamTcpInitConfig(true);
488 
489  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
490  FAIL_IF_NULL(de_ctx);
491  de_ctx->flags |= DE_QUIET;
492 
493  Signature *s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (content:\"POST\"; http_method; content:\"dummy\"; http_cookie; sid:1; rev:1;)");
494  FAIL_IF_NULL(s);
495 
496  SigGroupBuild(de_ctx);
497  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
498  FAIL_IF_NULL(det_ctx);
499 
500  int r = AppLayerParserParse(
501  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
502  FAIL_IF_NOT(r == 0);
503  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
504  FAIL_IF(PacketAlertCheck(p, 1));
505 
506  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
507  FAIL_IF_NOT(r == 0);
508  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
509  FAIL_IF(PacketAlertCheck(p, 1));
510 
511  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
512  FAIL_IF_NOT(r == 0);
513  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
514  FAIL_IF_NOT(PacketAlertCheck(p, 1));
515 
516  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
517  FAIL_IF_NOT(r == 0);
518  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
519  FAIL_IF(PacketAlertCheck(p, 1));
520 
521  UTHFreePacket(p);
522  FLOW_DESTROY(&f);
523  AppLayerParserThreadCtxFree(alp_tctx);
524  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
525  DetectEngineCtxFree(de_ctx);
526  StreamTcpFreeConfig(true);
527  StatsThreadCleanup(&th_v);
528  PASS;
529 }
530 
531 /** \test multiple pipelined http transactions */
532 static int DeStateSigTest02(void)
533 {
534  DetectEngineThreadCtx *det_ctx = NULL;
535  ThreadVars th_v;
536  Flow f;
537  TcpSession ssn;
538  Packet *p = NULL;
539  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n";
540  uint8_t httpbuf2[] = "User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
541  uint8_t httpbuf3[] = "Cookie: dummy\r\n\r\n";
542  uint8_t httpbuf4[] = "Http Body!";
543  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
544  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
545  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
546  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
547  uint8_t httpbuf5[] = "GET /?var=val HTTP/1.1\r\n";
548  uint8_t httpbuf6[] = "User-Agent: Firefox/1.0\r\n";
549  uint8_t httpbuf7[] = "Cookie: dummy2\r\nContent-Length: 10\r\n\r\nHttp Body!";
550  uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */
551  uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */
552  uint32_t httplen7 = sizeof(httpbuf7) - 1; /* minus the \0 */
553  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
554  FAIL_IF_NULL(alp_tctx);
555 
556  memset(&th_v, 0, sizeof(th_v));
557  memset(&f, 0, sizeof(f));
558  memset(&ssn, 0, sizeof(ssn));
559 
560  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
561 
562  FLOW_INITIALIZE(&f);
563  f.protoctx = (void *)&ssn;
564  f.proto = IPPROTO_TCP;
565  f.flags |= FLOW_IPV4;
566 
567  p->flow = &f;
568  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
569  p->flowflags |= FLOW_PKT_TOSERVER;
570  p->flowflags |= FLOW_PKT_ESTABLISHED;
571  f.alproto = ALPROTO_HTTP1;
572 
573  StreamTcpInitConfig(true);
574 
575  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
576  FAIL_IF_NULL(de_ctx);
577 
578  de_ctx->flags |= DE_QUIET;
579 
580  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:to_server; content:\"POST\"; http_method; content:\"/\"; http_uri; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; content:\"body\"; nocase; http_client_body; sid:1; rev:1;)");
581  FAIL_IF_NULL(s);
582  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:to_server; content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; sid:2; rev:1;)");
583  FAIL_IF_NULL(s);
584 
585  SigGroupBuild(de_ctx);
586  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
587  FAIL_IF_NULL(det_ctx);
588 
589  int r = AppLayerParserParse(
590  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
591  FAIL_IF(r != 0);
592  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
593  FAIL_IF(PacketAlertCheck(p, 1));
594 
595  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
596  FAIL_IF(r != 0);
597  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
598  FAIL_IF(PacketAlertCheck(p, 1));
599 
600  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
601  FAIL_IF(r != 0);
602  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
603  FAIL_IF(PacketAlertCheck(p, 1));
604 
605  void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f.alstate, 0);
606  FAIL_IF_NULL(tx);
607 
608  AppLayerTxData *tx_data = AppLayerParserGetTxData(IPPROTO_TCP, ALPROTO_HTTP1, tx);
609  FAIL_IF_NULL(tx_data);
610  DetectEngineState *tx_de_state = tx_data->de_state;
611  FAIL_IF_NULL(tx_de_state);
612  FAIL_IF(tx_de_state->dir_state[0].cnt != 1);
613  /* http_header(mpm): 5, uri: 3, method: 6, cookie: 7 */
614  uint32_t expected_flags = (BIT_U32(5) | BIT_U32(3) | BIT_U32(6) | BIT_U32(4));
615  FAIL_IF(tx_de_state->dir_state[0].head->store[0].flags != expected_flags);
616 
617  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
618  FAIL_IF(r != 0);
619  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
620  FAIL_IF(!(PacketAlertCheck(p, 1)));
621 
622  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf5, httplen5);
623  FAIL_IF(r != 0);
624  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
625  FAIL_IF(PacketAlertCheck(p, 1));
626 
627  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf6, httplen6);
628  FAIL_IF(r != 0);
629  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
630  FAIL_IF((PacketAlertCheck(p, 1)) || (PacketAlertCheck(p, 2)));
631 
632  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf7, httplen7);
633  FAIL_IF(r != 0);
634  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
635  FAIL_IF(!(PacketAlertCheck(p, 2)));
636 
637  UTHFreePacket(p);
638  FLOW_DESTROY(&f);
639  AppLayerParserThreadCtxFree(alp_tctx);
640  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
641  DetectEngineCtxFree(de_ctx);
642  StreamTcpFreeConfig(true);
643  StatsThreadCleanup(&th_v);
644  PASS;
645 }
646 
647 static int DeStateSigTest03(void)
648 {
649  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
650  "Host: www.server.lan\r\n"
651  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
652  "Content-Length: 215\r\n"
653  "\r\n"
654  "-----------------------------277531038314945\r\n"
655  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
656  "Content-Type: image/jpeg\r\n"
657  "\r\n"
658  "filecontent\r\n"
659  "-----------------------------277531038314945--";
660  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
661  ThreadVars th_v;
662  TcpSession ssn;
663  Flow *f = NULL;
664  Packet *p = NULL;
665  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
666  FAIL_IF_NULL(alp_tctx);
667 
668  memset(&th_v, 0, sizeof(th_v));
669  memset(&ssn, 0, sizeof(ssn));
670 
671  DetectEngineThreadCtx *det_ctx = NULL;
672  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
673  FAIL_IF_NULL(de_ctx);
674 
675  de_ctx->flags |= DE_QUIET;
676 
677  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (flow:to_server; content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filestore; sid:1; rev:1;)");
678  FAIL_IF_NULL(s);
679 
680  SigGroupBuild(de_ctx);
681  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
682 
683  f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
684  FAIL_IF_NULL(f);
685  f->protoctx = &ssn;
686  f->proto = IPPROTO_TCP;
687  f->alproto = ALPROTO_HTTP1;
688 
689  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
690  FAIL_IF_NULL(p);
691 
692  p->flow = f;
693  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
694  p->flowflags |= FLOW_PKT_TOSERVER;
695  p->flowflags |= FLOW_PKT_ESTABLISHED;
696 
697  StreamTcpInitConfig(true);
698 
699  int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1,
700  STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
701  FAIL_IF(r != 0);
702 
703  HtpState *http_state = f->alstate;
704  FAIL_IF_NULL(http_state);
705  void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
706  FAIL_IF_NULL(tx);
707  HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
708  FAIL_IF_NULL(tx_ud);
709 
710  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
711  FAIL_IF(!(PacketAlertCheck(p, 1)));
712 
713  AppLayerGetFileState files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
714  FileContainer *fc = files.fc;
715  FAIL_IF_NULL(fc);
716 
717  File *file = fc->head;
718  FAIL_IF_NULL(file);
719 
720  FAIL_IF(!(file->flags & FILE_STORE));
721 
722  UTHFreePacket(p);
723  UTHFreeFlow(f);
724 
725  AppLayerParserThreadCtxFree(alp_tctx);
726  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
727  DetectEngineCtxFree(de_ctx);
728  StreamTcpFreeConfig(true);
729  StatsThreadCleanup(&th_v);
730  PASS;
731 }
732 
733 static int DeStateSigTest04(void)
734 {
735  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
736  "Host: www.server.lan\r\n"
737  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
738  "Content-Length: 215\r\n"
739  "\r\n"
740  "-----------------------------277531038314945\r\n"
741  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
742  "Content-Type: image/jpeg\r\n"
743  "\r\n"
744  "filecontent\r\n"
745  "-----------------------------277531038314945--";
746  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
747  ThreadVars th_v;
748  TcpSession ssn;
749  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
750  FAIL_IF_NULL(alp_tctx);
751 
752  memset(&th_v, 0, sizeof(th_v));
753  memset(&ssn, 0, sizeof(ssn));
754 
755  DetectEngineThreadCtx *det_ctx = NULL;
756  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
757  FAIL_IF_NULL(de_ctx);
758  de_ctx->flags |= DE_QUIET;
759 
760  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"GET\"; http_method; content:\"upload.cgi\"; http_uri; filestore; sid:1; rev:1;)");
761  FAIL_IF_NULL(s);
762 
763  SigGroupBuild(de_ctx);
764  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
765  FAIL_IF_NULL(det_ctx);
766 
767  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
768  FAIL_IF_NULL(f);
769  f->protoctx = &ssn;
770  f->proto = IPPROTO_TCP;
771  f->alproto = ALPROTO_HTTP1;
772 
773  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
774  FAIL_IF_NULL(p);
775  p->flow = f;
776  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
777  p->flowflags |= FLOW_PKT_TOSERVER;
778  p->flowflags |= FLOW_PKT_ESTABLISHED;
779 
780  StreamTcpInitConfig(true);
781 
782  int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1,
783  STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
784  FAIL_IF(r != 0);
785  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
786  FAIL_IF(PacketAlertCheck(p, 1));
787 
788  HtpState *http_state = f->alstate;
789  FAIL_IF_NULL(http_state);
790  void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
791  FAIL_IF_NULL(tx);
792  HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
793  FAIL_IF_NULL(tx_ud);
794 
795  AppLayerGetFileState files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
796  FileContainer *fc = files.fc;
797  FAIL_IF_NULL(fc);
798  File *file = fc->head;
799  FAIL_IF_NULL(file);
800 
801  FAIL_IF(file->flags & FILE_STORE);
802 
803  UTHFreePacket(p);
804  UTHFreeFlow(f);
805  AppLayerParserThreadCtxFree(alp_tctx);
806  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
807  DetectEngineCtxFree(de_ctx);
808  StreamTcpFreeConfig(true);
809  StatsThreadCleanup(&th_v);
810  PASS;
811 }
812 
813 static int DeStateSigTest05(void)
814 {
815  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
816  "Host: www.server.lan\r\n"
817  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
818  "Content-Length: 215\r\n"
819  "\r\n"
820  "-----------------------------277531038314945\r\n"
821  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
822  "Content-Type: image/jpeg\r\n"
823  "\r\n"
824  "filecontent\r\n"
825  "-----------------------------277531038314945--";
826  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
827  ThreadVars th_v;
828  TcpSession ssn;
829 
830  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
831  FAIL_IF_NULL(alp_tctx);
832 
833  memset(&th_v, 0, sizeof(th_v));
834  memset(&ssn, 0, sizeof(ssn));
835 
836  DetectEngineThreadCtx *det_ctx = NULL;
837  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
838  FAIL_IF_NULL(de_ctx);
839  de_ctx->flags |= DE_QUIET;
840 
841  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"GET\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"nomatch\"; sid:1; rev:1;)");
842  FAIL_IF_NULL(s);
843 
844  SigGroupBuild(de_ctx);
845  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
846 
847  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
848  FAIL_IF_NULL(f);
849  f->protoctx = &ssn;
850  f->proto = IPPROTO_TCP;
851  f->alproto = ALPROTO_HTTP1;
852 
853  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
854  FAIL_IF_NULL(p);
855  p->flow = f;
856  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
857  p->flowflags |= FLOW_PKT_TOSERVER;
858  p->flowflags |= FLOW_PKT_ESTABLISHED;
859 
860  StreamTcpInitConfig(true);
861 
862  int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1,
863  STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
864  FAIL_IF_NOT(r == 0);
865  HtpState *http_state = f->alstate;
866  FAIL_IF_NULL(http_state);
867  void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
868  FAIL_IF_NULL(tx);
869  HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
870  FAIL_IF_NULL(tx_ud);
871 
872  AppLayerGetFileState files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
873  FileContainer *fc = files.fc;
874  FAIL_IF_NULL(fc);
875  File *file = fc->head;
876  FAIL_IF_NULL(file);
877  FAIL_IF(http_state->state_data.file_flags & FLOWFILE_NO_STORE_TS);
878 
879  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
880  FAIL_IF(PacketAlertCheck(p, 1));
881 
882  /* detect will have set FLOWFILE_NO_STORE_TS, but it won't have had
883  * an opportunity to be applied to the file itself yet */
884  FAIL_IF_NOT(http_state->state_data.file_flags & FLOWFILE_NO_STORE_TS);
885  FAIL_IF(file->flags & FILE_NOSTORE);
886 
887  UTHFreePacket(p);
888  UTHFreeFlow(f);
889  AppLayerParserThreadCtxFree(alp_tctx);
890  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
891  DetectEngineCtxFree(de_ctx);
892  StreamTcpFreeConfig(true);
893  StatsThreadCleanup(&th_v);
894  PASS;
895 }
896 
897 static int DeStateSigTest06(void)
898 {
899  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
900  "Host: www.server.lan\r\n"
901  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
902  "Content-Length: 215\r\n"
903  "\r\n"
904  "-----------------------------277531038314945\r\n"
905  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
906  "Content-Type: image/jpeg\r\n"
907  "\r\n"
908  "filecontent\r\n"
909  "-----------------------------277531038314945--";
910  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
911  ThreadVars th_v;
912  TcpSession ssn;
913 
914  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
915  FAIL_IF_NULL(alp_tctx);
916 
917  memset(&th_v, 0, sizeof(th_v));
918  memset(&ssn, 0, sizeof(ssn));
919 
920  DetectEngineThreadCtx *det_ctx = NULL;
921  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
922  FAIL_IF_NULL(de_ctx);
923  de_ctx->flags |= DE_QUIET;
924 
925  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"nomatch\"; filestore; sid:1; rev:1;)");
926  FAIL_IF_NULL(s);
927 
928  SigGroupBuild(de_ctx);
929  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
930  FAIL_IF_NULL(det_ctx);
931 
932  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
933  FAIL_IF_NULL(f);
934  f->protoctx = &ssn;
935  f->proto = IPPROTO_TCP;
936  f->alproto = ALPROTO_HTTP1;
937 
938  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
939  FAIL_IF_NULL(p);
940  p->flow = f;
941  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
942  p->flowflags |= FLOW_PKT_TOSERVER;
943  p->flowflags |= FLOW_PKT_ESTABLISHED;
944 
945  StreamTcpInitConfig(true);
946 
947  int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1,
948  STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
949  FAIL_IF(r != 0);
950  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
951  FAIL_IF(PacketAlertCheck(p, 1));
952 
953  HtpState *http_state = f->alstate;
954  FAIL_IF_NULL(http_state);
955  void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
956  FAIL_IF_NULL(tx);
957  HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
958  FAIL_IF_NULL(tx_ud);
959 
960  AppLayerGetFileState files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
961  FileContainer *fc = files.fc;
962  FAIL_IF_NULL(fc);
963  File *file = fc->head;
964  FAIL_IF_NULL(file);
965  /* detect will have set FLOWFILE_NO_STORE_TS, but it won't have had
966  * an opportunity to be applied to the file itself yet */
967  FAIL_IF_NOT(tx_ud->tx_data.file_flags & FLOWFILE_NO_STORE_TS);
968  FAIL_IF(file->flags & FILE_NOSTORE);
969 
970  UTHFreePacket(p);
971  UTHFreeFlow(f);
972  AppLayerParserThreadCtxFree(alp_tctx);
973  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
974  DetectEngineCtxFree(de_ctx);
975  StreamTcpFreeConfig(true);
976  StatsThreadCleanup(&th_v);
977  PASS;
978 }
979 
980 static int DeStateSigTest07(void)
981 {
982  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
983  "Host: www.server.lan\r\n"
984  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
985  "Content-Length: 215\r\n"
986  "\r\n"
987  "-----------------------------277531038314945\r\n"
988  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
989  "Content-Type: image/jpeg\r\n"
990  "\r\n";
991 
992  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
993  uint8_t httpbuf2[] = "filecontent\r\n"
994  "-----------------------------277531038314945--";
995  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
996  ThreadVars th_v;
997  TcpSession ssn;
998 
999  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1000  FAIL_IF_NULL(alp_tctx);
1001 
1002  memset(&th_v, 0, sizeof(th_v));
1003  memset(&ssn, 0, sizeof(ssn));
1004 
1005  DetectEngineThreadCtx *det_ctx = NULL;
1006  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1007  FAIL_IF_NULL(de_ctx);
1008  de_ctx->flags |= DE_QUIET;
1009 
1010  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"GET\"; http_method; content:\"upload.cgi\"; http_uri; filestore; sid:1; rev:1;)");
1011  FAIL_IF_NULL(s);
1012 
1013  SigGroupBuild(de_ctx);
1014  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1015 
1016  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
1017  FAIL_IF_NULL(f);
1018  f->protoctx = &ssn;
1019  f->proto = IPPROTO_TCP;
1020  f->alproto = ALPROTO_HTTP1;
1021 
1022  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1023  FAIL_IF_NULL(p);
1024  p->flow = f;
1025  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1026  p->flowflags |= FLOW_PKT_TOSERVER;
1027  p->flowflags |= FLOW_PKT_ESTABLISHED;
1028 
1029  StreamTcpInitConfig(true);
1030 
1031  int r = AppLayerParserParse(
1032  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
1033  FAIL_IF(r != 0);
1034  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1035  FAIL_IF(PacketAlertCheck(p, 1));
1036 
1037  r = AppLayerParserParse(
1038  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_EOF, httpbuf2, httplen2);
1039  FAIL_IF(r != 0);
1040  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1041  FAIL_IF(PacketAlertCheck(p, 1));
1042 
1043  HtpState *http_state = f->alstate;
1044  FAIL_IF_NULL(http_state);
1045  void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
1046  FAIL_IF_NULL(tx);
1047  HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
1048  FAIL_IF_NULL(tx_ud);
1049 
1050  AppLayerGetFileState files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
1051  FileContainer *fc = files.fc;
1052  FAIL_IF_NULL(fc);
1053  File *file = fc->head;
1054  FAIL_IF_NULL(file);
1055  FAIL_IF(file->flags & FILE_STORE);
1056 
1057  UTHFreePacket(p);
1058  UTHFreeFlow(f);
1059  AppLayerParserThreadCtxFree(alp_tctx);
1060  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1061  DetectEngineCtxFree(de_ctx);
1062  StreamTcpFreeConfig(true);
1063  StatsThreadCleanup(&th_v);
1064  PASS;
1065 }
1066 
1067 /**
1068  * \test multiple files in a tx
1069  */
1070 static int DeStateSigTest08(void)
1071 {
1072  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
1073  "Host: www.server.lan\r\n"
1074  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
1075  "Content-Length: 440\r\n"
1076  "\r\n"
1077  "-----------------------------277531038314945\r\n"
1078  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"AAAApicture1.jpg\"\r\n"
1079  "Content-Type: image/jpeg\r\n"
1080  "\r\n";
1081 
1082  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1083  uint8_t httpbuf2[] = "file";
1084  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1085  uint8_t httpbuf3[] = "content\r\n"
1086  "-----------------------------277531038314945\r\n";
1087  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1088 
1089  uint8_t httpbuf4[] = "Content-Disposition: form-data; name=\"uploadfile_1\"; filename=\"BBBBpicture2.jpg\"\r\n"
1090  "Content-Type: image/jpeg\r\n"
1091  "\r\n"
1092  "filecontent2\r\n"
1093  "-----------------------------277531038314945--";
1094  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1095 
1096  ThreadVars th_v;
1097  TcpSession ssn;
1098 
1099  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1100  FAIL_IF_NULL(alp_tctx);
1101 
1102  memset(&th_v, 0, sizeof(th_v));
1103  memset(&ssn, 0, sizeof(ssn));
1104 
1105  DetectEngineThreadCtx *det_ctx = NULL;
1106  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1107  FAIL_IF_NULL(de_ctx);
1108  de_ctx->flags |= DE_QUIET;
1109 
1110  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"BBBBpicture\"; filestore; sid:1; rev:1;)");
1111  FAIL_IF_NULL(s);
1112 
1113  SigGroupBuild(de_ctx);
1114  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1115 
1116  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
1117  FAIL_IF_NULL(f);
1118  f->protoctx = &ssn;
1119  f->proto = IPPROTO_TCP;
1120  f->alproto = ALPROTO_HTTP1;
1121 
1122  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1123  FAIL_IF_NULL(p);
1124  p->flow = f;
1125  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1126  p->flowflags |= FLOW_PKT_TOSERVER;
1127  p->flowflags |= FLOW_PKT_ESTABLISHED;
1128 
1129  StreamTcpInitConfig(true);
1130 
1131  /* HTTP request with 1st part of the multipart body */
1132 
1133  int r = AppLayerParserParse(
1134  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
1135  FAIL_IF(r != 0);
1136  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1137  FAIL_IF(PacketAlertCheck(p, 1));
1138 
1139  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1140  FAIL_IF(r != 0);
1141  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1142  FAIL_IF(PacketAlertCheck(p, 1));
1143 
1144  HtpState *http_state = f->alstate;
1145  FAIL_IF_NULL(http_state);
1146  void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
1147  FAIL_IF_NULL(tx);
1148  HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
1149  FAIL_IF_NULL(tx_ud);
1150 
1151  AppLayerGetFileState files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
1152  FileContainer *fc = files.fc;
1153  FAIL_IF_NULL(fc);
1154  File *file = fc->head;
1155  FAIL_IF_NULL(file);
1156  FAIL_IF(file->flags & FILE_STORE);
1157 
1158  /* 2nd multipart body file */
1159 
1160  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1161  FAIL_IF(r != 0);
1162  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1163  FAIL_IF(PacketAlertCheck(p, 1));
1164 
1165  r = AppLayerParserParse(
1166  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_EOF, httpbuf4, httplen4);
1167  FAIL_IF(r != 0);
1168  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1169  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1170 
1171  http_state = f->alstate;
1172  FAIL_IF_NULL(http_state);
1173  tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
1174  FAIL_IF_NULL(tx);
1175  tx_ud = htp_tx_get_user_data(tx);
1176  FAIL_IF_NULL(tx_ud);
1177 
1178  files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
1179  fc = files.fc;
1180  FAIL_IF_NULL(fc);
1181  file = fc->head;
1182  FAIL_IF_NULL(file);
1183  file = file->next;
1184  FAIL_IF_NULL(file);
1185  FAIL_IF_NOT(file->flags & FILE_STORE);
1186 
1187  UTHFreePacket(p);
1188  UTHFreeFlow(f);
1189  AppLayerParserThreadCtxFree(alp_tctx);
1190  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1191  DetectEngineCtxFree(de_ctx);
1192  StreamTcpFreeConfig(true);
1193  StatsThreadCleanup(&th_v);
1194  PASS;
1195 }
1196 
1197 /**
1198  * \test multiple files in a tx. Both files should match
1199  */
1200 static int DeStateSigTest09(void)
1201 {
1202  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
1203  "Host: www.server.lan\r\n"
1204  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
1205  "Content-Length: 440\r\n"
1206  "\r\n"
1207  "-----------------------------277531038314945\r\n"
1208  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
1209  "Content-Type: image/jpeg\r\n"
1210  "\r\n";
1211 
1212  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1213  uint8_t httpbuf2[] = "file";
1214  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1215  uint8_t httpbuf3[] = "content\r\n"
1216  "-----------------------------277531038314945\r\n";
1217  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1218 
1219  uint8_t httpbuf4[] = "Content-Disposition: form-data; name=\"uploadfile_1\"; filename=\"somepicture2.jpg\"\r\n"
1220  "Content-Type: image/jpeg\r\n"
1221  "\r\n"
1222  "filecontent2\r\n"
1223  "-----------------------------277531038314945--";
1224  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1225 
1226  ThreadVars th_v;
1227  TcpSession ssn;
1228 
1229  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1230  FAIL_IF_NULL(alp_tctx);
1231 
1232  memset(&th_v, 0, sizeof(th_v));
1233  memset(&ssn, 0, sizeof(ssn));
1234 
1235  DetectEngineThreadCtx *det_ctx = NULL;
1236  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1237  FAIL_IF_NULL(de_ctx);
1238  de_ctx->flags |= DE_QUIET;
1239 
1240  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"somepicture\"; filestore; sid:1; rev:1;)");
1241  FAIL_IF_NULL(s);
1242 
1243  SigGroupBuild(de_ctx);
1244  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1245 
1246  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
1247  FAIL_IF_NULL(f);
1248  f->protoctx = &ssn;
1249  f->proto = IPPROTO_TCP;
1250  f->alproto = ALPROTO_HTTP1;
1251 
1252  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1253  FAIL_IF_NULL(p);
1254  p->flow = f;
1255  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1256  p->flowflags |= FLOW_PKT_TOSERVER;
1257  p->flowflags |= FLOW_PKT_ESTABLISHED;
1258 
1259  StreamTcpInitConfig(true);
1260 
1261  /* HTTP request with 1st part of the multipart body */
1262 
1263  int r = AppLayerParserParse(
1264  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
1265  FAIL_IF(r != 0);
1266  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1267  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1268 
1269  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1270  FAIL_IF(r != 0);
1271  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1272  FAIL_IF(PacketAlertCheck(p, 1));
1273 
1274  HtpState *http_state = f->alstate;
1275  FAIL_IF_NULL(http_state);
1276  void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
1277  FAIL_IF_NULL(tx);
1278  HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
1279  FAIL_IF_NULL(tx_ud);
1280 
1281  AppLayerGetFileState files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
1282  FileContainer *fc = files.fc;
1283  FAIL_IF_NULL(fc);
1284  File *file = fc->head;
1285  FAIL_IF_NULL(file);
1286  FAIL_IF_NOT(file->flags & FILE_STORE);
1287 
1288  /* 2nd multipart body file */
1289 
1290  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1291  FAIL_IF(r != 0);
1292  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1293  FAIL_IF(PacketAlertCheck(p, 1));
1294 
1295  r = AppLayerParserParse(
1296  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_EOF, httpbuf4, httplen4);
1297  FAIL_IF(r != 0);
1298  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1299  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1300 
1301  http_state = f->alstate;
1302  FAIL_IF_NULL(http_state);
1303  tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
1304  FAIL_IF_NULL(tx);
1305  tx_ud = htp_tx_get_user_data(tx);
1306  FAIL_IF_NULL(tx_ud);
1307 
1308  files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
1309  fc = files.fc;
1310  FAIL_IF_NULL(fc);
1311  file = fc->head;
1312  FAIL_IF_NULL(file);
1313  FAIL_IF_NOT(file->flags & FILE_STORE);
1314 
1315  UTHFreePacket(p);
1316  UTHFreeFlow(f);
1317  AppLayerParserThreadCtxFree(alp_tctx);
1318  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1319  DetectEngineCtxFree(de_ctx);
1320  StreamTcpFreeConfig(true);
1321  StatsThreadCleanup(&th_v);
1322  PASS;
1323 }
1324 
1325 /**
1326  * \test multiple files in a tx. Both files should match. No other matches.
1327  */
1328 static int DeStateSigTest10(void)
1329 {
1330  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
1331  "Host: www.server.lan\r\n"
1332  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
1333  "Content-Length: 440\r\n"
1334  "\r\n"
1335  "-----------------------------277531038314945\r\n"
1336  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
1337  "Content-Type: image/jpeg\r\n"
1338  "\r\n";
1339 
1340  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1341  uint8_t httpbuf2[] = "file";
1342  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1343  uint8_t httpbuf3[] = "content\r\n"
1344  "-----------------------------277531038314945\r\n";
1345  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1346 
1347  uint8_t httpbuf4[] = "Content-Disposition: form-data; name=\"uploadfile_1\"; filename=\"somepicture2.jpg\"\r\n"
1348  "Content-Type: image/jpeg\r\n"
1349  "\r\n"
1350  "filecontent2\r\n"
1351  "-----------------------------277531038314945--";
1352  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1353 
1354  ThreadVars th_v;
1355  TcpSession ssn;
1356 
1357  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1358  FAIL_IF_NULL(alp_tctx);
1359 
1360  memset(&th_v, 0, sizeof(th_v));
1361  memset(&ssn, 0, sizeof(ssn));
1362 
1363  DetectEngineThreadCtx *det_ctx = NULL;
1364  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1365  FAIL_IF_NULL(de_ctx);
1366  de_ctx->flags |= DE_QUIET;
1367 
1368  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (filename:\"somepicture\"; filestore; sid:1; rev:1;)");
1369  FAIL_IF_NULL(s);
1370 
1371  SigGroupBuild(de_ctx);
1372  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1373 
1374  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
1375  FAIL_IF_NULL(f);
1376  f->protoctx = &ssn;
1377  f->proto = IPPROTO_TCP;
1378  f->alproto = ALPROTO_HTTP1;
1379 
1380  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1381  FAIL_IF_NULL(p);
1382  p->flow = f;
1383  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1384  p->flowflags |= FLOW_PKT_TOSERVER;
1385  p->flowflags |= FLOW_PKT_ESTABLISHED;
1386 
1387  StreamTcpInitConfig(true);
1388 
1389  /* HTTP request with 1st part of the multipart body */
1390 
1391  int r = AppLayerParserParse(
1392  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
1393  FAIL_IF(r != 0);
1394  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1395  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1396 
1397  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1398  FAIL_IF(r != 0);
1399  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1400  FAIL_IF(PacketAlertCheck(p, 1));
1401 
1402  HtpState *http_state = f->alstate;
1403  FAIL_IF_NULL(http_state);
1404  void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
1405  FAIL_IF_NULL(tx);
1406  HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
1407  FAIL_IF_NULL(tx_ud);
1408 
1409  AppLayerGetFileState files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
1410  FileContainer *fc = files.fc;
1411  FAIL_IF_NULL(fc);
1412  File *file = fc->head;
1413  FAIL_IF_NULL(file);
1414  FAIL_IF_NOT(file->flags & FILE_STORE);
1415 
1416  /* 2nd multipart body file */
1417 
1418  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1419  FAIL_IF(r != 0);
1420  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1421  FAIL_IF(PacketAlertCheck(p, 1));
1422 
1423  r = AppLayerParserParse(
1424  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_EOF, httpbuf4, httplen4);
1425  FAIL_IF(r != 0);
1426  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1427  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1428 
1429  http_state = f->alstate;
1430  FAIL_IF_NULL(http_state);
1431  tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
1432  FAIL_IF_NULL(tx);
1433  tx_ud = htp_tx_get_user_data(tx);
1434  FAIL_IF_NULL(tx_ud);
1435 
1436  files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
1437  fc = files.fc;
1438  FAIL_IF_NULL(fc);
1439  file = fc->head;
1440  FAIL_IF_NULL(file);
1441  FAIL_IF_NOT(file->flags & FILE_STORE);
1442 
1443  UTHFreePacket(p);
1444  UTHFreeFlow(f);
1445  AppLayerParserThreadCtxFree(alp_tctx);
1446  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1447  DetectEngineCtxFree(de_ctx);
1448  StreamTcpFreeConfig(true);
1449  StatsThreadCleanup(&th_v);
1450  PASS;
1451 }
1452 
1453 #endif
1454 
1455 void DeStateRegisterTests(void)
1456 {
1457 #ifdef UNITTESTS
1458  UtRegisterTest("DeStateTest01", DeStateTest01);
1459  UtRegisterTest("DeStateTest02", DeStateTest02);
1460  UtRegisterTest("DeStateTest03", DeStateTest03);
1461  UtRegisterTest("DeStateSigTest01", DeStateSigTest01);
1462  UtRegisterTest("DeStateSigTest02", DeStateSigTest02);
1463  UtRegisterTest("DeStateSigTest03", DeStateSigTest03);
1464  UtRegisterTest("DeStateSigTest04", DeStateSigTest04);
1465  UtRegisterTest("DeStateSigTest05", DeStateSigTest05);
1466  UtRegisterTest("DeStateSigTest06", DeStateSigTest06);
1467  UtRegisterTest("DeStateSigTest07", DeStateSigTest07);
1468  UtRegisterTest("DeStateSigTest08", DeStateSigTest08);
1469  UtRegisterTest("DeStateSigTest09", DeStateSigTest09);
1470  UtRegisterTest("DeStateSigTest10", DeStateSigTest10);
1471 #endif
1472 }
1473 
1474 /**
1475  * @}
1476  */
FileContainer_
Definition: util-file.h:37
DE_STATE_CHUNK_SIZE
#define DE_STATE_CHUNK_SIZE
Definition: detect-engine-state.h:55
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
DetectEngineStateDirection_::flags
uint8_t flags
Definition: detect-engine-state.h:91
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1268
flow-util.h
DetectEngineState_
Definition: detect-engine-state.h:95
stream-tcp.h
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1627
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:279
DetectEngineStateDirection_::cnt
SigIntId cnt
Definition: detect-engine-state.h:89
Flow_::proto
uint8_t proto
Definition: flow.h:370
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:142
Packet_::flags
uint32_t flags
Definition: decode.h:544
Flow_
Flow data structure.
Definition: flow.h:348
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
FILE_STORE
#define FILE_STORE
Definition: util-file.h:83
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2633
DetectEngineState_::dir_state
DetectEngineStateDirection dir_state[2]
Definition: detect-engine-state.h:96
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
SIG_FLAG_TXBOTHDIR
#define SIG_FLAG_TXBOTHDIR
Definition: detect.h:250
MIN
#define MIN(x, y)
Definition: suricata-common.h:408
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: app-layer-parser.h:42
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2416
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3439
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:532
Flow_::protoctx
void * protoctx
Definition: flow.h:433
DeStateStoreItem_::sid
SigIntId sid
Definition: detect-engine-state.h:77
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:100
AppLayerParserGetTransactionInspectId
uint64_t AppLayerParserGetTransactionInspectId(AppLayerParserState *pstate, uint8_t direction)
Definition: app-layer-parser.c:732
util-unittest.h
DetectEngineStateDirection_::cur
DeStateStore * cur
Definition: detect-engine-state.h:87
HtpState_
Definition: app-layer-htp.h:181
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
AppLayerParserGetTxFiles
AppLayerGetFileState AppLayerParserGetTxFiles(const Flow *f, void *tx, const uint8_t direction)
Definition: app-layer-parser.c:873
detect-flowvar.h
DetectRunStoreStateTx
void DetectRunStoreStateTx(const SigGroupHead *sgh, Flow *f, void *tx, uint64_t tx_id, const Signature *s, uint32_t inspect_flags, uint8_t flow_flags, const uint16_t file_no_match)
Definition: detect-engine-state.c:214
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:470
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:488
UTHBuildFlow
Flow * UTHBuildFlow(int family, const char *src, const char *dst, Port sp, Port dp)
Definition: util-unittest-helper.c:497
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
app-layer-htp.h
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1244
DeStateStoreItem_::flags
uint32_t flags
Definition: detect-engine-state.h:76
FLOWFILE_NO_STORE_TS
#define FLOWFILE_NO_STORE_TS
Definition: flow.h:134
BIT_U32
#define BIT_U32(n)
Definition: suricata-common.h:417
AppLayerGetFileState
struct AppLayerGetFileState AppLayerGetFileState
Definition: app-layer-parser.h:41
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:23
SCDetectEngineStateFree
void SCDetectEngineStateFree(DetectEngineState *state)
Frees a DetectEngineState object.
Definition: detect-engine-state.c:169
SCEnter
#define SCEnter(...)
Definition: util-debug.h:281
FileContainer_::head
File * head
Definition: util-file.h:38
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DeStateStore_::next
struct DeStateStore_ * next
Definition: detect-engine-state.h:82
HtpState_::conn
htp_conn_t * conn
Definition: app-layer-htp.h:185
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3360
HtpTxUserData_::tx_data
AppLayerTxData tx_data
Definition: app-layer-htp.h:176
HtpState_::state_data
AppLayerStateData state_data
Definition: app-layer-htp.h:198
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:3097
app-layer-parser.h
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:317
util-profiling.h
DetectEngineStateAlloc
DetectEngineState * DetectEngineStateAlloc(void)
Alloc a DetectEngineState object.
Definition: detect-engine-state.c:160
SigIntId
#define SigIntId
Definition: detect-engine-state.h:38
SCReturn
#define SCReturn
Definition: util-debug.h:283
Signature_::flags
uint32_t flags
Definition: detect.h:669
Packet_
Definition: decode.h:501
DE_STATE_FLAG_BASE
#define DE_STATE_FLAG_BASE
Definition: detect-engine-state.h:66
detect-engine-build.h
stream-tcp-private.h
detect-engine-alert.h
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
AppLayerParserGetTx
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:1109
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2185
UTHFreeFlow
void UTHFreeFlow(Flow *flow)
Definition: util-unittest-helper.c:502
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
FileDisableStoringForTransaction
void FileDisableStoringForTransaction(Flow *f, const uint8_t direction, void *tx, uint64_t tx_id)
disable file storing for files in a transaction
Definition: util-file.c:1138
File_::flags
uint16_t flags
Definition: util-file.h:108
DetectEngineStateDirection_::head
DeStateStore * head
Definition: detect-engine-state.h:86
File_
Definition: util-file.h:107
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
DetectEngineStateResetTxs
void DetectEngineStateResetTxs(Flow *f)
Reset de state for active tx' To be used on detect engine reload.
Definition: detect-engine-state.c:260
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:859
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1291
suricata-common.h
DeStateStore_
Definition: detect-engine-state.h:80
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
File_::next
struct File_ * next
Definition: util-file.h:120
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3592
DetectEngineStateDirection_
Definition: detect-engine-state.h:85
AppLayerParserGetTxData
AppLayerTxData * AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx)
Definition: app-layer-parser.c:1183
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:941
HtpTxUserData_
Definition: app-layer-htp.h:151
DetectEngineStateDirection_::filestore_cnt
uint16_t filestore_cnt
Definition: detect-engine-state.h:90
Signature_::iid
SigIntId iid
Definition: detect.h:680
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:473
Flow_::alstate
void * alstate
Definition: flow.h:471
DeStateStore_::store
DeStateStoreItem store[DE_STATE_CHUNK_SIZE]
Definition: detect-engine-state.h:81
Flow_::flags
uint32_t flags
Definition: flow.h:413
detect-parse.h
Signature_
Signature container.
Definition: detect.h:668
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:227
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2594
app-layer-protos.h
FILE_NOSTORE
#define FILE_NOSTORE
Definition: util-file.h:82
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:934
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
TcpSession_
Definition: stream-tcp-private.h:283
DeStateStoreItem_
Definition: detect-engine-state.h:75
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:442
DeStateRegisterTests
void DeStateRegisterTests(void)
Definition: detect-engine-state.c:1455
detect-engine-dcepayload.h
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SigGroupHead_::filestore_cnt
uint16_t filestore_cnt
Definition: detect.h:1633
StatsThreadCleanup
void StatsThreadCleanup(ThreadVars *tv)
Definition: counters.c:1324
AppLayerParserGetTxCnt
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
Definition: app-layer-parser.c:1102
DetectEngineStateDirection_::tail
DeStateStore * tail
Definition: detect-engine-state.h:88
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1264
app-layer.h