suricata
detect-engine-state.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \defgroup sigstate State support
20  *
21  * State is stored in the ::DetectEngineState structure. This is
22  * basically a container for storage item of type ::DeStateStore.
23  * They contains an array of ::DeStateStoreItem which store the
24  * state of match for an individual signature identified by
25  * DeStateStoreItem::sid.
26  *
27  * @{
28  */
29 
30 /**
31  * \file
32  *
33  * \author Victor Julien <victor@inliniac.net>
34  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
35  *
36  * \brief State based signature handling.
37  */
38 
39 #include "suricata-common.h"
40 
41 #include "decode.h"
42 
43 #include "detect.h"
44 #include "detect-engine.h"
45 #include "detect-parse.h"
46 #include "detect-engine-state.h"
47 #include "detect-engine-dcepayload.h"
48 #include "detect-engine-build.h"
49 
50 #include "detect-flowvar.h"
51 
52 #include "stream-tcp.h"
53 #include "stream-tcp-private.h"
54 #include "stream-tcp-reassemble.h"
55 
56 #include "app-layer.h"
57 #include "app-layer-parser.h"
58 #include "app-layer-protos.h"
59 #include "app-layer-htp.h"
60 
61 #include "util-unittest.h"
62 #include "util-unittest-helper.h"
63 #include "util-profiling.h"
64 
65 #include "flow-util.h"
66 
67 static inline int StateIsValid(uint16_t alproto, void *alstate)
68 {
69  if (alstate != NULL) {
70  if (alproto == ALPROTO_HTTP1) {
71  HtpState *htp_state = (HtpState *)alstate;
72  if (htp_state->conn != NULL) {
73  return 1;
74  }
75  } else {
76  return 1;
77  }
78  }
79  return 0;
80 }
81 
82 static DeStateStore *DeStateStoreAlloc(void)
83 {
84  DeStateStore *d = SCCalloc(1, sizeof(DeStateStore));
85  if (unlikely(d == NULL))
86  return NULL;
87 
88  return d;
89 }
90 
91 #ifdef DEBUG_VALIDATION
92 static int DeStateSearchState(DetectEngineState *state, uint8_t direction, SigIntId num)
93 {
94  DetectEngineStateDirection *dir_state = &state->dir_state[direction & STREAM_TOSERVER ? 0 : 1];
95  DeStateStore *tx_store = dir_state->head;
96  SigIntId store_cnt;
97  SigIntId state_cnt = 0;
98 
99  for (; tx_store != NULL; tx_store = tx_store->next) {
100  SCLogDebug("tx_store %p", tx_store);
101  for (store_cnt = 0;
102  store_cnt < DE_STATE_CHUNK_SIZE && state_cnt < dir_state->cnt;
103  store_cnt++, state_cnt++)
104  {
105  DeStateStoreItem *item = &tx_store->store[store_cnt];
106  if (item->sid == num) {
107  SCLogDebug("sid %u already in state: %p %p %p %u %u, direction %s",
108  num, state, dir_state, tx_store, state_cnt,
109  store_cnt, direction & STREAM_TOSERVER ? "toserver" : "toclient");
110  return 1;
111  }
112  }
113  }
114  return 0;
115 }
116 #endif
117 
118 static void DeStateSignatureAppend(DetectEngineState *state,
119  const Signature *s, uint32_t inspect_flags, uint8_t direction)
120 {
121  SCEnter();
122 
123  DetectEngineStateDirection *dir_state =
124  &state->dir_state[(direction & STREAM_TOSERVER) ? 0 : 1];
125 
126 #ifdef DEBUG_VALIDATION
127  BUG_ON(DeStateSearchState(state, direction, s->num));
128 #endif
129  DeStateStore *store = dir_state->tail;
130  if (store == NULL) {
131  store = DeStateStoreAlloc();
132  dir_state->head = store;
133  dir_state->cur = store;
134  dir_state->tail = store;
135  } else if (dir_state->cur) {
136  store = dir_state->cur;
137  } else {
138  store = DeStateStoreAlloc();
139  if (store != NULL) {
140  dir_state->tail->next = store;
141  dir_state->tail = store;
142  dir_state->cur = store;
143  }
144  }
145  if (store == NULL)
146  SCReturn;
147 
148  SigIntId idx = dir_state->cnt % DE_STATE_CHUNK_SIZE;
149  store->store[idx].sid = s->num;
150  store->store[idx].flags = inspect_flags;
151  dir_state->cnt++;
152  /* if current chunk is full, progress cur */
153  if (dir_state->cnt % DE_STATE_CHUNK_SIZE == 0) {
154  dir_state->cur = dir_state->cur->next;
155  }
156 
157  SCReturn;
158 }
159 
160 DetectEngineState *DetectEngineStateAlloc(void)
161 {
162  DetectEngineState *d = SCCalloc(1, sizeof(DetectEngineState));
163  if (unlikely(d == NULL))
164  return NULL;
165 
166  return d;
167 }
168 
169 void DetectEngineStateFree(DetectEngineState *state)
170 {
171  DeStateStore *store;
172  DeStateStore *store_next;
173  int i = 0;
174 
175  for (i = 0; i < 2; i++) {
176  store = state->dir_state[i].head;
177  while (store != NULL) {
178  store_next = store->next;
179  SCFree(store);
180  store = store_next;
181  }
182  }
183  SCFree(state);
184 }
185 
186 static void StoreFileNoMatchCnt(DetectEngineState *de_state, uint16_t file_no_match, uint8_t direction)
187 {
188  de_state->dir_state[(direction & STREAM_TOSERVER) ? 0 : 1].filestore_cnt += file_no_match;
189 }
190 
191 static bool StoreFilestoreSigsCantMatch(const SigGroupHead *sgh, const DetectEngineState *de_state, uint8_t direction)
192 {
193  if (de_state->dir_state[(direction & STREAM_TOSERVER) ? 0 : 1].filestore_cnt ==
194  sgh->filestore_cnt)
195  return true;
196  else
197  return false;
198 }
199 
200 static void StoreStateTxHandleFiles(const SigGroupHead *sgh, Flow *f, DetectEngineState *destate,
201  const uint8_t flow_flags, void *tx, const uint64_t tx_id, const uint16_t file_no_match)
202 {
203  SCLogDebug("tx %"PRIu64", file_no_match %u", tx_id, file_no_match);
204  StoreFileNoMatchCnt(destate, file_no_match, flow_flags);
205  if (StoreFilestoreSigsCantMatch(sgh, destate, flow_flags)) {
206  SCLogDebug("filestore sigs can't match");
207  FileDisableStoringForTransaction(
208  f, flow_flags & (STREAM_TOCLIENT | STREAM_TOSERVER), tx, tx_id);
209  } else {
210  SCLogDebug("filestore sigs can still match");
211  }
212 }
213 
214 void DetectRunStoreStateTx(
215  const SigGroupHead *sgh,
216  Flow *f, void *tx, uint64_t tx_id,
217  const Signature *s,
218  uint32_t inspect_flags, uint8_t flow_flags,
219  const uint16_t file_no_match)
220 {
221  AppLayerTxData *tx_data = AppLayerParserGetTxData(f->proto, f->alproto, tx);
222  BUG_ON(tx_data == NULL);
223  if (tx_data == NULL) {
224  SCLogDebug("No TX data for %" PRIu64, tx_id);
225  return;
226  }
227  if (tx_data->de_state == NULL) {
228  tx_data->de_state = DetectEngineStateAlloc();
229  if (tx_data->de_state == NULL)
230  return;
231  SCLogDebug("destate created for %"PRIu64, tx_id);
232  }
233  DeStateSignatureAppend(tx_data->de_state, s, inspect_flags, flow_flags);
234  StoreStateTxHandleFiles(sgh, f, tx_data->de_state, flow_flags, tx, tx_id, file_no_match);
235 
236  SCLogDebug("Stored for TX %"PRIu64, tx_id);
237 }
238 
239 static inline void ResetTxState(DetectEngineState *s)
240 {
241  if (s) {
242  s->dir_state[0].cnt = 0;
243  s->dir_state[0].filestore_cnt = 0;
244  s->dir_state[0].flags = 0;
245  /* reset 'cur' back to the list head */
246  s->dir_state[0].cur = s->dir_state[0].head;
247 
248  s->dir_state[1].cnt = 0;
249  s->dir_state[1].filestore_cnt = 0;
250  s->dir_state[1].flags = 0;
251  /* reset 'cur' back to the list head */
252  s->dir_state[1].cur = s->dir_state[1].head;
253  }
254 }
255 
256 /** \brief Reset de state for active tx'
257  * To be used on detect engine reload.
258  * \param f write LOCKED flow
259  */
260 void DetectEngineStateResetTxs(Flow *f)
261 {
262  void *alstate = FlowGetAppState(f);
263  if (!StateIsValid(f->alproto, alstate)) {
264  return;
265  }
266 
267  uint64_t inspect_ts = AppLayerParserGetTransactionInspectId(f->alparser, STREAM_TOCLIENT);
268  uint64_t inspect_tc = AppLayerParserGetTransactionInspectId(f->alparser, STREAM_TOSERVER);
269 
270  uint64_t inspect_tx_id = MIN(inspect_ts, inspect_tc);
271 
272  uint64_t total_txs = AppLayerParserGetTxCnt(f, alstate);
273 
274  for ( ; inspect_tx_id < total_txs; inspect_tx_id++) {
275  void *inspect_tx = AppLayerParserGetTx(f->proto, f->alproto, alstate, inspect_tx_id);
276  if (inspect_tx != NULL) {
277  AppLayerTxData *txd = AppLayerParserGetTxData(f->proto, f->alproto, inspect_tx);
278  BUG_ON(txd == NULL);
279  if (txd) {
280  ResetTxState(txd->de_state);
281  }
282  }
283  }
284 }
285 
286 /*********Unittests*********/
287 
288 #ifdef UNITTESTS
289 #include "detect-engine-alert.h"
290 
291 static int DeStateTest01(void)
292 {
293  SCLogDebug("sizeof(DetectEngineState)\t\t%"PRIuMAX,
294  (uintmax_t)sizeof(DetectEngineState));
295  SCLogDebug("sizeof(DeStateStore)\t\t\t%"PRIuMAX,
296  (uintmax_t)sizeof(DeStateStore));
297  SCLogDebug("sizeof(DeStateStoreItem)\t\t%"PRIuMAX"",
298  (uintmax_t)sizeof(DeStateStoreItem));
299 
300  return 1;
301 }
302 
303 static int DeStateTest02(void)
304 {
305  uint8_t direction = STREAM_TOSERVER;
306  DetectEngineState *state = DetectEngineStateAlloc();
307  FAIL_IF_NULL(state);
308  FAIL_IF_NOT_NULL(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head);
309 
310  Signature s;
311  memset(&s, 0x00, sizeof(s));
312 
313  s.num = 0;
314  DeStateSignatureAppend(state, &s, 0, direction);
315  s.num = 11;
316  DeStateSignatureAppend(state, &s, 0, direction);
317  s.num = 22;
318  DeStateSignatureAppend(state, &s, 0, direction);
319  s.num = 33;
320  DeStateSignatureAppend(state, &s, 0, direction);
321  s.num = 44;
322  DeStateSignatureAppend(state, &s, 0, direction);
323  s.num = 55;
324  DeStateSignatureAppend(state, &s, 0, direction);
325  s.num = 66;
326  DeStateSignatureAppend(state, &s, 0, direction);
327  s.num = 77;
328  DeStateSignatureAppend(state, &s, 0, direction);
329  s.num = 88;
330  DeStateSignatureAppend(state, &s, 0, direction);
331  s.num = 99;
332  DeStateSignatureAppend(state, &s, 0, direction);
333  s.num = 100;
334  DeStateSignatureAppend(state, &s, 0, direction);
335  s.num = 111;
336  DeStateSignatureAppend(state, &s, 0, direction);
337  s.num = 122;
338  DeStateSignatureAppend(state, &s, 0, direction);
339  s.num = 133;
340  DeStateSignatureAppend(state, &s, 0, direction);
341  FAIL_IF_NOT(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head ==
342  state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur);
343 
344  s.num = 144;
345  DeStateSignatureAppend(state, &s, 0, direction);
346 
347  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[14].sid != 144);
348  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head ==
349  state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur);
350  FAIL_IF_NOT(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur == NULL);
351 
352  s.num = 155;
353  DeStateSignatureAppend(state, &s, 0, direction);
354 
355  FAIL_IF_NOT(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].tail ==
356  state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur);
357 
358  s.num = 166;
359  DeStateSignatureAppend(state, &s, 0, direction);
360 
361  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head == NULL);
362  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[1].sid != 11);
363  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->next == NULL);
364  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[14].sid != 144);
365  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->next->store[0].sid != 155);
366  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->next->store[1].sid != 166);
367 
368  ResetTxState(state);
369 
370  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head == NULL);
371  FAIL_IF_NOT(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head ==
372  state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur);
373 
374  s.num = 0;
375  DeStateSignatureAppend(state, &s, 0, direction);
376  s.num = 11;
377  DeStateSignatureAppend(state, &s, 0, direction);
378  s.num = 22;
379  DeStateSignatureAppend(state, &s, 0, direction);
380  s.num = 33;
381  DeStateSignatureAppend(state, &s, 0, direction);
382  s.num = 44;
383  DeStateSignatureAppend(state, &s, 0, direction);
384  s.num = 55;
385  DeStateSignatureAppend(state, &s, 0, direction);
386  s.num = 66;
387  DeStateSignatureAppend(state, &s, 0, direction);
388  s.num = 77;
389  DeStateSignatureAppend(state, &s, 0, direction);
390  s.num = 88;
391  DeStateSignatureAppend(state, &s, 0, direction);
392  s.num = 99;
393  DeStateSignatureAppend(state, &s, 0, direction);
394  s.num = 100;
395  DeStateSignatureAppend(state, &s, 0, direction);
396  s.num = 111;
397  DeStateSignatureAppend(state, &s, 0, direction);
398  s.num = 122;
399  DeStateSignatureAppend(state, &s, 0, direction);
400  s.num = 133;
401  DeStateSignatureAppend(state, &s, 0, direction);
402  FAIL_IF_NOT(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head ==
403  state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur);
404  s.num = 144;
405  DeStateSignatureAppend(state, &s, 0, direction);
406  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[14].sid != 144);
407  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head ==
408  state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur);
409  FAIL_IF_NOT(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].tail ==
410  state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur);
411  s.num = 155;
412  DeStateSignatureAppend(state, &s, 0, direction);
413  s.num = 166;
414  DeStateSignatureAppend(state, &s, 0, direction);
415 
416  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head == NULL);
417  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[1].sid != 11);
418  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->next == NULL);
419  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[14].sid != 144);
420  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->next->store[0].sid != 155);
421  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->next->store[1].sid != 166);
422 
423  DetectEngineStateFree(state);
424 
425  PASS;
426 }
427 
428 static int DeStateTest03(void)
429 {
430  DetectEngineState *state = DetectEngineStateAlloc();
431  FAIL_IF_NULL(state);
432 
433  Signature s;
434  memset(&s, 0x00, sizeof(s));
435 
436  uint8_t direction = STREAM_TOSERVER;
437 
438  s.num = 11;
439  DeStateSignatureAppend(state, &s, 0, direction);
440  s.num = 22;
441  DeStateSignatureAppend(state, &s, BIT_U32(DE_STATE_FLAG_BASE), direction);
442 
443  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head == NULL);
444  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[0].sid != 11);
445  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[0].flags & BIT_U32(DE_STATE_FLAG_BASE));
446  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[1].sid != 22);
447  FAIL_IF(!(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[1].flags & BIT_U32(DE_STATE_FLAG_BASE)));
448 
449  DetectEngineStateFree(state);
450  PASS;
451 }
452 
453 static int DeStateSigTest01(void)
454 {
455  DetectEngineThreadCtx *det_ctx = NULL;
456  ThreadVars th_v;
457  Flow f;
458  TcpSession ssn;
459  Packet *p = NULL;
460  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\n";
461  uint8_t httpbuf2[] = "User-Agent: Mozilla/1.0\r\n";
462  uint8_t httpbuf3[] = "Cookie: dummy\r\nContent-Length: 10\r\n\r\n";
463  uint8_t httpbuf4[] = "Http Body!";
464  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
465  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
466  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
467  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
468 
469  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
470  FAIL_IF_NULL(alp_tctx);
471 
472  memset(&th_v, 0, sizeof(th_v));
473  memset(&f, 0, sizeof(f));
474  memset(&ssn, 0, sizeof(ssn));
475 
476  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
477  FAIL_IF_NULL(p);
478 
479  FLOW_INITIALIZE(&f);
480  f.protoctx = (void *)&ssn;
481  f.proto = IPPROTO_TCP;
482  f.flags |= FLOW_IPV4;
483  f.alproto = ALPROTO_HTTP1;
484 
485  p->flow = &f;
486  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
487  p->flowflags |= FLOW_PKT_TOSERVER;
488  p->flowflags |= FLOW_PKT_ESTABLISHED;
489 
490  StreamTcpInitConfig(true);
491 
492  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
493  FAIL_IF_NULL(de_ctx);
494  de_ctx->flags |= DE_QUIET;
495 
496  Signature *s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (content:\"POST\"; http_method; content:\"dummy\"; http_cookie; sid:1; rev:1;)");
497  FAIL_IF_NULL(s);
498 
499  SigGroupBuild(de_ctx);
500  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
501  FAIL_IF_NULL(det_ctx);
502 
503  int r = AppLayerParserParse(
504  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
505  FAIL_IF_NOT(r == 0);
506  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
507  FAIL_IF(PacketAlertCheck(p, 1));
508 
509  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
510  FAIL_IF_NOT(r == 0);
511  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
512  FAIL_IF(PacketAlertCheck(p, 1));
513 
514  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
515  FAIL_IF_NOT(r == 0);
516  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
517  FAIL_IF_NOT(PacketAlertCheck(p, 1));
518 
519  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
520  FAIL_IF_NOT(r == 0);
521  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
522  FAIL_IF(PacketAlertCheck(p, 1));
523 
524  AppLayerParserThreadCtxFree(alp_tctx);
525  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
526  DetectEngineCtxFree(de_ctx);
527  StreamTcpFreeConfig(true);
528  FLOW_DESTROY(&f);
529  UTHFreePacket(p);
530  PASS;
531 }
532 
533 /** \test multiple pipelined http transactions */
534 static int DeStateSigTest02(void)
535 {
536  DetectEngineThreadCtx *det_ctx = NULL;
537  ThreadVars th_v;
538  Flow f;
539  TcpSession ssn;
540  Packet *p = NULL;
541  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n";
542  uint8_t httpbuf2[] = "User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
543  uint8_t httpbuf3[] = "Cookie: dummy\r\n\r\n";
544  uint8_t httpbuf4[] = "Http Body!";
545  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
546  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
547  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
548  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
549  uint8_t httpbuf5[] = "GET /?var=val HTTP/1.1\r\n";
550  uint8_t httpbuf6[] = "User-Agent: Firefox/1.0\r\n";
551  uint8_t httpbuf7[] = "Cookie: dummy2\r\nContent-Length: 10\r\n\r\nHttp Body!";
552  uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */
553  uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */
554  uint32_t httplen7 = sizeof(httpbuf7) - 1; /* minus the \0 */
555  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
556  FAIL_IF_NULL(alp_tctx);
557 
558  memset(&th_v, 0, sizeof(th_v));
559  memset(&f, 0, sizeof(f));
560  memset(&ssn, 0, sizeof(ssn));
561 
562  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
563 
564  FLOW_INITIALIZE(&f);
565  f.protoctx = (void *)&ssn;
566  f.proto = IPPROTO_TCP;
567  f.flags |= FLOW_IPV4;
568 
569  p->flow = &f;
570  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
571  p->flowflags |= FLOW_PKT_TOSERVER;
572  p->flowflags |= FLOW_PKT_ESTABLISHED;
573  f.alproto = ALPROTO_HTTP1;
574 
575  StreamTcpInitConfig(true);
576 
577  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
578  FAIL_IF_NULL(de_ctx);
579 
580  de_ctx->flags |= DE_QUIET;
581 
582  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:to_server; content:\"POST\"; http_method; content:\"/\"; http_uri; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; content:\"body\"; nocase; http_client_body; sid:1; rev:1;)");
583  FAIL_IF_NULL(s);
584  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:to_server; content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; sid:2; rev:1;)");
585  FAIL_IF_NULL(s);
586 
587  SigGroupBuild(de_ctx);
588  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
589  FAIL_IF_NULL(det_ctx);
590 
591  int r = AppLayerParserParse(
592  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
593  FAIL_IF(r != 0);
594  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
595  FAIL_IF(PacketAlertCheck(p, 1));
596 
597  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
598  FAIL_IF(r != 0);
599  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
600  FAIL_IF(PacketAlertCheck(p, 1));
601 
602  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
603  FAIL_IF(r != 0);
604  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
605  FAIL_IF(PacketAlertCheck(p, 1));
606 
607  void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f.alstate, 0);
608  FAIL_IF_NULL(tx);
609 
610  AppLayerTxData *tx_data = AppLayerParserGetTxData(IPPROTO_TCP, ALPROTO_HTTP1, tx);
611  FAIL_IF_NULL(tx_data);
612  DetectEngineState *tx_de_state = tx_data->de_state;
613  FAIL_IF_NULL(tx_de_state);
614  FAIL_IF(tx_de_state->dir_state[0].cnt != 1);
615  /* http_header(mpm): 5, uri: 3, method: 6, cookie: 7 */
616  uint32_t expected_flags = (BIT_U32(5) | BIT_U32(3) | BIT_U32(6) | BIT_U32(4));
617  FAIL_IF(tx_de_state->dir_state[0].head->store[0].flags != expected_flags);
618 
619  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
620  FAIL_IF(r != 0);
621  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
622  FAIL_IF(!(PacketAlertCheck(p, 1)));
623 
624  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf5, httplen5);
625  FAIL_IF(r != 0);
626  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
627  FAIL_IF(PacketAlertCheck(p, 1));
628 
629  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf6, httplen6);
630  FAIL_IF(r != 0);
631  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
632  FAIL_IF((PacketAlertCheck(p, 1)) || (PacketAlertCheck(p, 2)));
633 
634  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf7, httplen7);
635  FAIL_IF(r != 0);
636  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
637  FAIL_IF(!(PacketAlertCheck(p, 2)));
638 
639  AppLayerParserThreadCtxFree(alp_tctx);
640  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
641  DetectEngineCtxFree(de_ctx);
642  StreamTcpFreeConfig(true);
643  FLOW_DESTROY(&f);
644  UTHFreePacket(p);
645  PASS;
646 }
647 
648 static int DeStateSigTest03(void)
649 {
650  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
651  "Host: www.server.lan\r\n"
652  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
653  "Content-Length: 215\r\n"
654  "\r\n"
655  "-----------------------------277531038314945\r\n"
656  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
657  "Content-Type: image/jpeg\r\n"
658  "\r\n"
659  "filecontent\r\n"
660  "-----------------------------277531038314945--";
661  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
662  ThreadVars th_v;
663  TcpSession ssn;
664  Flow *f = NULL;
665  Packet *p = NULL;
666  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
667  FAIL_IF_NULL(alp_tctx);
668 
669  memset(&th_v, 0, sizeof(th_v));
670  memset(&ssn, 0, sizeof(ssn));
671 
672  DetectEngineThreadCtx *det_ctx = NULL;
673  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
674  FAIL_IF_NULL(de_ctx);
675 
676  de_ctx->flags |= DE_QUIET;
677 
678  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (flow:to_server; content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filestore; sid:1; rev:1;)");
679  FAIL_IF_NULL(s);
680 
681  SigGroupBuild(de_ctx);
682  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
683 
684  f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
685  FAIL_IF_NULL(f);
686  f->protoctx = &ssn;
687  f->proto = IPPROTO_TCP;
688  f->alproto = ALPROTO_HTTP1;
689 
690  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
691  FAIL_IF_NULL(p);
692 
693  p->flow = f;
694  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
695  p->flowflags |= FLOW_PKT_TOSERVER;
696  p->flowflags |= FLOW_PKT_ESTABLISHED;
697 
698  StreamTcpInitConfig(true);
699 
700  int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1,
701  STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
702  FAIL_IF(r != 0);
703 
704  HtpState *http_state = f->alstate;
705  FAIL_IF_NULL(http_state);
706  void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
707  FAIL_IF_NULL(tx);
708  HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
709  FAIL_IF_NULL(tx_ud);
710 
711  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
712  FAIL_IF(!(PacketAlertCheck(p, 1)));
713 
714  AppLayerGetFileState files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
715  FileContainer *fc = files.fc;
716  FAIL_IF_NULL(fc);
717 
718  File *file = fc->head;
719  FAIL_IF_NULL(file);
720 
721  FAIL_IF(!(file->flags & FILE_STORE));
722 
723  AppLayerParserThreadCtxFree(alp_tctx);
724  UTHFreeFlow(f);
725 
726  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
727  DetectEngineCtxFree(de_ctx);
728  StreamTcpFreeConfig(true);
729  PASS;
730 }
731 
732 static int DeStateSigTest04(void)
733 {
734  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
735  "Host: www.server.lan\r\n"
736  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
737  "Content-Length: 215\r\n"
738  "\r\n"
739  "-----------------------------277531038314945\r\n"
740  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
741  "Content-Type: image/jpeg\r\n"
742  "\r\n"
743  "filecontent\r\n"
744  "-----------------------------277531038314945--";
745  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
746  ThreadVars th_v;
747  TcpSession ssn;
748  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
749  FAIL_IF_NULL(alp_tctx);
750 
751  memset(&th_v, 0, sizeof(th_v));
752  memset(&ssn, 0, sizeof(ssn));
753 
754  DetectEngineThreadCtx *det_ctx = NULL;
755  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
756  FAIL_IF_NULL(de_ctx);
757  de_ctx->flags |= DE_QUIET;
758 
759  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"GET\"; http_method; content:\"upload.cgi\"; http_uri; filestore; sid:1; rev:1;)");
760  FAIL_IF_NULL(s);
761 
762  SigGroupBuild(de_ctx);
763  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
764  FAIL_IF_NULL(det_ctx);
765 
766  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
767  FAIL_IF_NULL(f);
768  f->protoctx = &ssn;
769  f->proto = IPPROTO_TCP;
770  f->alproto = ALPROTO_HTTP1;
771 
772  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
773  FAIL_IF_NULL(p);
774  p->flow = f;
775  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
776  p->flowflags |= FLOW_PKT_TOSERVER;
777  p->flowflags |= FLOW_PKT_ESTABLISHED;
778 
779  StreamTcpInitConfig(true);
780 
781  int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1,
782  STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
783  FAIL_IF(r != 0);
784  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
785  FAIL_IF(PacketAlertCheck(p, 1));
786 
787  HtpState *http_state = f->alstate;
788  FAIL_IF_NULL(http_state);
789  void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
790  FAIL_IF_NULL(tx);
791  HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
792  FAIL_IF_NULL(tx_ud);
793 
794  AppLayerGetFileState files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
795  FileContainer *fc = files.fc;
796  FAIL_IF_NULL(fc);
797  File *file = fc->head;
798  FAIL_IF_NULL(file);
799 
800  FAIL_IF(file->flags & FILE_STORE);
801 
802  AppLayerParserThreadCtxFree(alp_tctx);
803  UTHFreeFlow(f);
804  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
805  DetectEngineCtxFree(de_ctx);
806  StreamTcpFreeConfig(true);
807  PASS;
808 }
809 
810 static int DeStateSigTest05(void)
811 {
812  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
813  "Host: www.server.lan\r\n"
814  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
815  "Content-Length: 215\r\n"
816  "\r\n"
817  "-----------------------------277531038314945\r\n"
818  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
819  "Content-Type: image/jpeg\r\n"
820  "\r\n"
821  "filecontent\r\n"
822  "-----------------------------277531038314945--";
823  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
824  ThreadVars th_v;
825  TcpSession ssn;
826 
827  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
828  FAIL_IF_NULL(alp_tctx);
829 
830  memset(&th_v, 0, sizeof(th_v));
831  memset(&ssn, 0, sizeof(ssn));
832 
833  DetectEngineThreadCtx *det_ctx = NULL;
834  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
835  FAIL_IF_NULL(de_ctx);
836  de_ctx->flags |= DE_QUIET;
837 
838  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"GET\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"nomatch\"; sid:1; rev:1;)");
839  FAIL_IF_NULL(s);
840 
841  SigGroupBuild(de_ctx);
842  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
843 
844  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
845  FAIL_IF_NULL(f);
846  f->protoctx = &ssn;
847  f->proto = IPPROTO_TCP;
848  f->alproto = ALPROTO_HTTP1;
849 
850  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
851  FAIL_IF_NULL(p);
852  p->flow = f;
853  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
854  p->flowflags |= FLOW_PKT_TOSERVER;
855  p->flowflags |= FLOW_PKT_ESTABLISHED;
856 
857  StreamTcpInitConfig(true);
858 
859  int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1,
860  STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
861  FAIL_IF_NOT(r == 0);
862  HtpState *http_state = f->alstate;
863  FAIL_IF_NULL(http_state);
864  void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
865  FAIL_IF_NULL(tx);
866  HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
867  FAIL_IF_NULL(tx_ud);
868 
869  AppLayerGetFileState files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
870  FileContainer *fc = files.fc;
871  FAIL_IF_NULL(fc);
872  File *file = fc->head;
873  FAIL_IF_NULL(file);
874  FAIL_IF(http_state->state_data.file_flags & FLOWFILE_NO_STORE_TS);
875 
876  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
877  FAIL_IF(PacketAlertCheck(p, 1));
878 
879  /* detect will have set FLOWFILE_NO_STORE_TS, but it won't have had
880  * an opportunity to be applied to the file itself yet */
881  FAIL_IF_NOT(http_state->state_data.file_flags & FLOWFILE_NO_STORE_TS);
882  FAIL_IF(file->flags & FILE_NOSTORE);
883 
884  AppLayerParserThreadCtxFree(alp_tctx);
885  UTHFreeFlow(f);
886  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
887  DetectEngineCtxFree(de_ctx);
888  StreamTcpFreeConfig(true);
889  PASS;
890 }
891 
892 static int DeStateSigTest06(void)
893 {
894  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
895  "Host: www.server.lan\r\n"
896  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
897  "Content-Length: 215\r\n"
898  "\r\n"
899  "-----------------------------277531038314945\r\n"
900  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
901  "Content-Type: image/jpeg\r\n"
902  "\r\n"
903  "filecontent\r\n"
904  "-----------------------------277531038314945--";
905  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
906  ThreadVars th_v;
907  TcpSession ssn;
908 
909  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
910  FAIL_IF_NULL(alp_tctx);
911 
912  memset(&th_v, 0, sizeof(th_v));
913  memset(&ssn, 0, sizeof(ssn));
914 
915  DetectEngineThreadCtx *det_ctx = NULL;
916  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
917  FAIL_IF_NULL(de_ctx);
918  de_ctx->flags |= DE_QUIET;
919 
920  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"nomatch\"; filestore; sid:1; rev:1;)");
921  FAIL_IF_NULL(s);
922 
923  SigGroupBuild(de_ctx);
924  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
925  FAIL_IF_NULL(det_ctx);
926 
927  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
928  FAIL_IF_NULL(f);
929  f->protoctx = &ssn;
930  f->proto = IPPROTO_TCP;
931  f->alproto = ALPROTO_HTTP1;
932 
933  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
934  FAIL_IF_NULL(p);
935  p->flow = f;
936  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
937  p->flowflags |= FLOW_PKT_TOSERVER;
938  p->flowflags |= FLOW_PKT_ESTABLISHED;
939 
940  StreamTcpInitConfig(true);
941 
942  int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1,
943  STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
944  FAIL_IF(r != 0);
945  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
946  FAIL_IF(PacketAlertCheck(p, 1));
947 
948  HtpState *http_state = f->alstate;
949  FAIL_IF_NULL(http_state);
950  void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
951  FAIL_IF_NULL(tx);
952  HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
953  FAIL_IF_NULL(tx_ud);
954 
955  AppLayerGetFileState files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
956  FileContainer *fc = files.fc;
957  FAIL_IF_NULL(fc);
958  File *file = fc->head;
959  FAIL_IF_NULL(file);
960  /* detect will have set FLOWFILE_NO_STORE_TS, but it won't have had
961  * an opportunity to be applied to the file itself yet */
962  FAIL_IF_NOT(tx_ud->tx_data.file_flags & FLOWFILE_NO_STORE_TS);
963  FAIL_IF(file->flags & FILE_NOSTORE);
964 
965  AppLayerParserThreadCtxFree(alp_tctx);
966  UTHFreeFlow(f);
967  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
968  DetectEngineCtxFree(de_ctx);
969  StreamTcpFreeConfig(true);
970  PASS;
971 }
972 
973 static int DeStateSigTest07(void)
974 {
975  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
976  "Host: www.server.lan\r\n"
977  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
978  "Content-Length: 215\r\n"
979  "\r\n"
980  "-----------------------------277531038314945\r\n"
981  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
982  "Content-Type: image/jpeg\r\n"
983  "\r\n";
984 
985  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
986  uint8_t httpbuf2[] = "filecontent\r\n"
987  "-----------------------------277531038314945--";
988  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
989  ThreadVars th_v;
990  TcpSession ssn;
991 
992  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
993  FAIL_IF_NULL(alp_tctx);
994 
995  memset(&th_v, 0, sizeof(th_v));
996  memset(&ssn, 0, sizeof(ssn));
997 
998  DetectEngineThreadCtx *det_ctx = NULL;
999  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1000  FAIL_IF_NULL(de_ctx);
1001  de_ctx->flags |= DE_QUIET;
1002 
1003  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"GET\"; http_method; content:\"upload.cgi\"; http_uri; filestore; sid:1; rev:1;)");
1004  FAIL_IF_NULL(s);
1005 
1006  SigGroupBuild(de_ctx);
1007  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1008 
1009  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
1010  FAIL_IF_NULL(f);
1011  f->protoctx = &ssn;
1012  f->proto = IPPROTO_TCP;
1013  f->alproto = ALPROTO_HTTP1;
1014 
1015  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1016  FAIL_IF_NULL(p);
1017  p->flow = f;
1018  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1019  p->flowflags |= FLOW_PKT_TOSERVER;
1020  p->flowflags |= FLOW_PKT_ESTABLISHED;
1021 
1022  StreamTcpInitConfig(true);
1023 
1024  int r = AppLayerParserParse(
1025  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
1026  FAIL_IF(r != 0);
1027  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1028  FAIL_IF(PacketAlertCheck(p, 1));
1029 
1030  r = AppLayerParserParse(
1031  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_EOF, httpbuf2, httplen2);
1032  FAIL_IF(r != 0);
1033  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1034  FAIL_IF(PacketAlertCheck(p, 1));
1035 
1036  HtpState *http_state = f->alstate;
1037  FAIL_IF_NULL(http_state);
1038  void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
1039  FAIL_IF_NULL(tx);
1040  HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
1041  FAIL_IF_NULL(tx_ud);
1042 
1043  AppLayerGetFileState files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
1044  FileContainer *fc = files.fc;
1045  FAIL_IF_NULL(fc);
1046  File *file = fc->head;
1047  FAIL_IF_NULL(file);
1048  FAIL_IF(file->flags & FILE_STORE);
1049 
1050  AppLayerParserThreadCtxFree(alp_tctx);
1051  UTHFreeFlow(f);
1052  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1053  DetectEngineCtxFree(de_ctx);
1054  StreamTcpFreeConfig(true);
1055  PASS;
1056 }
1057 
1058 /**
1059  * \test multiple files in a tx
1060  */
1061 static int DeStateSigTest08(void)
1062 {
1063  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
1064  "Host: www.server.lan\r\n"
1065  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
1066  "Content-Length: 440\r\n"
1067  "\r\n"
1068  "-----------------------------277531038314945\r\n"
1069  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"AAAApicture1.jpg\"\r\n"
1070  "Content-Type: image/jpeg\r\n"
1071  "\r\n";
1072 
1073  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1074  uint8_t httpbuf2[] = "file";
1075  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1076  uint8_t httpbuf3[] = "content\r\n"
1077  "-----------------------------277531038314945\r\n";
1078  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1079 
1080  uint8_t httpbuf4[] = "Content-Disposition: form-data; name=\"uploadfile_1\"; filename=\"BBBBpicture2.jpg\"\r\n"
1081  "Content-Type: image/jpeg\r\n"
1082  "\r\n"
1083  "filecontent2\r\n"
1084  "-----------------------------277531038314945--";
1085  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1086 
1087  ThreadVars th_v;
1088  TcpSession ssn;
1089 
1090  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1091  FAIL_IF_NULL(alp_tctx);
1092 
1093  memset(&th_v, 0, sizeof(th_v));
1094  memset(&ssn, 0, sizeof(ssn));
1095 
1096  DetectEngineThreadCtx *det_ctx = NULL;
1097  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1098  FAIL_IF_NULL(de_ctx);
1099  de_ctx->flags |= DE_QUIET;
1100 
1101  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"BBBBpicture\"; filestore; sid:1; rev:1;)");
1102  FAIL_IF_NULL(s);
1103 
1104  SigGroupBuild(de_ctx);
1105  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1106 
1107  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
1108  FAIL_IF_NULL(f);
1109  f->protoctx = &ssn;
1110  f->proto = IPPROTO_TCP;
1111  f->alproto = ALPROTO_HTTP1;
1112 
1113  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1114  FAIL_IF_NULL(p);
1115  p->flow = f;
1116  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1117  p->flowflags |= FLOW_PKT_TOSERVER;
1118  p->flowflags |= FLOW_PKT_ESTABLISHED;
1119 
1120  StreamTcpInitConfig(true);
1121 
1122  /* HTTP request with 1st part of the multipart body */
1123 
1124  int r = AppLayerParserParse(
1125  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
1126  FAIL_IF(r != 0);
1127  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1128  FAIL_IF(PacketAlertCheck(p, 1));
1129 
1130  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1131  FAIL_IF(r != 0);
1132  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1133  FAIL_IF(PacketAlertCheck(p, 1));
1134 
1135  HtpState *http_state = f->alstate;
1136  FAIL_IF_NULL(http_state);
1137  void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
1138  FAIL_IF_NULL(tx);
1139  HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
1140  FAIL_IF_NULL(tx_ud);
1141 
1142  AppLayerGetFileState files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
1143  FileContainer *fc = files.fc;
1144  FAIL_IF_NULL(fc);
1145  File *file = fc->head;
1146  FAIL_IF_NULL(file);
1147  FAIL_IF(file->flags & FILE_STORE);
1148 
1149  /* 2nd multipart body file */
1150 
1151  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1152  FAIL_IF(r != 0);
1153  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1154  FAIL_IF(PacketAlertCheck(p, 1));
1155 
1156  r = AppLayerParserParse(
1157  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_EOF, httpbuf4, httplen4);
1158  FAIL_IF(r != 0);
1159  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1160  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1161 
1162  http_state = f->alstate;
1163  FAIL_IF_NULL(http_state);
1164  tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
1165  FAIL_IF_NULL(tx);
1166  tx_ud = htp_tx_get_user_data(tx);
1167  FAIL_IF_NULL(tx_ud);
1168 
1169  files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
1170  fc = files.fc;
1171  FAIL_IF_NULL(fc);
1172  file = fc->head;
1173  FAIL_IF_NULL(file);
1174  file = file->next;
1175  FAIL_IF_NULL(file);
1176  FAIL_IF_NOT(file->flags & FILE_STORE);
1177 
1178  AppLayerParserThreadCtxFree(alp_tctx);
1179  UTHFreeFlow(f);
1180  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1181  DetectEngineCtxFree(de_ctx);
1182  StreamTcpFreeConfig(true);
1183  PASS;
1184 }
1185 
1186 /**
1187  * \test multiple files in a tx. Both files should match
1188  */
1189 static int DeStateSigTest09(void)
1190 {
1191  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
1192  "Host: www.server.lan\r\n"
1193  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
1194  "Content-Length: 440\r\n"
1195  "\r\n"
1196  "-----------------------------277531038314945\r\n"
1197  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
1198  "Content-Type: image/jpeg\r\n"
1199  "\r\n";
1200 
1201  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1202  uint8_t httpbuf2[] = "file";
1203  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1204  uint8_t httpbuf3[] = "content\r\n"
1205  "-----------------------------277531038314945\r\n";
1206  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1207 
1208  uint8_t httpbuf4[] = "Content-Disposition: form-data; name=\"uploadfile_1\"; filename=\"somepicture2.jpg\"\r\n"
1209  "Content-Type: image/jpeg\r\n"
1210  "\r\n"
1211  "filecontent2\r\n"
1212  "-----------------------------277531038314945--";
1213  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1214 
1215  ThreadVars th_v;
1216  TcpSession ssn;
1217 
1218  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1219  FAIL_IF_NULL(alp_tctx);
1220 
1221  memset(&th_v, 0, sizeof(th_v));
1222  memset(&ssn, 0, sizeof(ssn));
1223 
1224  DetectEngineThreadCtx *det_ctx = NULL;
1225  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1226  FAIL_IF_NULL(de_ctx);
1227  de_ctx->flags |= DE_QUIET;
1228 
1229  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"somepicture\"; filestore; sid:1; rev:1;)");
1230  FAIL_IF_NULL(s);
1231 
1232  SigGroupBuild(de_ctx);
1233  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1234 
1235  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
1236  FAIL_IF_NULL(f);
1237  f->protoctx = &ssn;
1238  f->proto = IPPROTO_TCP;
1239  f->alproto = ALPROTO_HTTP1;
1240 
1241  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1242  FAIL_IF_NULL(p);
1243  p->flow = f;
1244  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1245  p->flowflags |= FLOW_PKT_TOSERVER;
1246  p->flowflags |= FLOW_PKT_ESTABLISHED;
1247 
1248  StreamTcpInitConfig(true);
1249 
1250  /* HTTP request with 1st part of the multipart body */
1251 
1252  int r = AppLayerParserParse(
1253  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
1254  FAIL_IF(r != 0);
1255  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1256  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1257 
1258  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1259  FAIL_IF(r != 0);
1260  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1261  FAIL_IF(PacketAlertCheck(p, 1));
1262 
1263  HtpState *http_state = f->alstate;
1264  FAIL_IF_NULL(http_state);
1265  void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
1266  FAIL_IF_NULL(tx);
1267  HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
1268  FAIL_IF_NULL(tx_ud);
1269 
1270  AppLayerGetFileState files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
1271  FileContainer *fc = files.fc;
1272  FAIL_IF_NULL(fc);
1273  File *file = fc->head;
1274  FAIL_IF_NULL(file);
1275  FAIL_IF_NOT(file->flags & FILE_STORE);
1276 
1277  /* 2nd multipart body file */
1278 
1279  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1280  FAIL_IF(r != 0);
1281  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1282  FAIL_IF(PacketAlertCheck(p, 1));
1283 
1284  r = AppLayerParserParse(
1285  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_EOF, httpbuf4, httplen4);
1286  FAIL_IF(r != 0);
1287  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1288  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1289 
1290  http_state = f->alstate;
1291  FAIL_IF_NULL(http_state);
1292  tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
1293  FAIL_IF_NULL(tx);
1294  tx_ud = htp_tx_get_user_data(tx);
1295  FAIL_IF_NULL(tx_ud);
1296 
1297  files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
1298  fc = files.fc;
1299  FAIL_IF_NULL(fc);
1300  file = fc->head;
1301  FAIL_IF_NULL(file);
1302  FAIL_IF_NOT(file->flags & FILE_STORE);
1303 
1304  AppLayerParserThreadCtxFree(alp_tctx);
1305  UTHFreeFlow(f);
1306  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1307  DetectEngineCtxFree(de_ctx);
1308  StreamTcpFreeConfig(true);
1309  PASS;
1310 }
1311 
1312 /**
1313  * \test multiple files in a tx. Both files should match. No other matches.
1314  */
1315 static int DeStateSigTest10(void)
1316 {
1317  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
1318  "Host: www.server.lan\r\n"
1319  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
1320  "Content-Length: 440\r\n"
1321  "\r\n"
1322  "-----------------------------277531038314945\r\n"
1323  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
1324  "Content-Type: image/jpeg\r\n"
1325  "\r\n";
1326 
1327  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1328  uint8_t httpbuf2[] = "file";
1329  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1330  uint8_t httpbuf3[] = "content\r\n"
1331  "-----------------------------277531038314945\r\n";
1332  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1333 
1334  uint8_t httpbuf4[] = "Content-Disposition: form-data; name=\"uploadfile_1\"; filename=\"somepicture2.jpg\"\r\n"
1335  "Content-Type: image/jpeg\r\n"
1336  "\r\n"
1337  "filecontent2\r\n"
1338  "-----------------------------277531038314945--";
1339  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1340 
1341  ThreadVars th_v;
1342  TcpSession ssn;
1343 
1344  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1345  FAIL_IF_NULL(alp_tctx);
1346 
1347  memset(&th_v, 0, sizeof(th_v));
1348  memset(&ssn, 0, sizeof(ssn));
1349 
1350  DetectEngineThreadCtx *det_ctx = NULL;
1351  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1352  FAIL_IF_NULL(de_ctx);
1353  de_ctx->flags |= DE_QUIET;
1354 
1355  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (filename:\"somepicture\"; filestore; sid:1; rev:1;)");
1356  FAIL_IF_NULL(s);
1357 
1358  SigGroupBuild(de_ctx);
1359  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1360 
1361  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
1362  FAIL_IF_NULL(f);
1363  f->protoctx = &ssn;
1364  f->proto = IPPROTO_TCP;
1365  f->alproto = ALPROTO_HTTP1;
1366 
1367  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1368  FAIL_IF_NULL(p);
1369  p->flow = f;
1370  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1371  p->flowflags |= FLOW_PKT_TOSERVER;
1372  p->flowflags |= FLOW_PKT_ESTABLISHED;
1373 
1374  StreamTcpInitConfig(true);
1375 
1376  /* HTTP request with 1st part of the multipart body */
1377 
1378  int r = AppLayerParserParse(
1379  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
1380  FAIL_IF(r != 0);
1381  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1382  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1383 
1384  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1385  FAIL_IF(r != 0);
1386  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1387  FAIL_IF(PacketAlertCheck(p, 1));
1388 
1389  HtpState *http_state = f->alstate;
1390  FAIL_IF_NULL(http_state);
1391  void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
1392  FAIL_IF_NULL(tx);
1393  HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
1394  FAIL_IF_NULL(tx_ud);
1395 
1396  AppLayerGetFileState files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
1397  FileContainer *fc = files.fc;
1398  FAIL_IF_NULL(fc);
1399  File *file = fc->head;
1400  FAIL_IF_NULL(file);
1401  FAIL_IF_NOT(file->flags & FILE_STORE);
1402 
1403  /* 2nd multipart body file */
1404 
1405  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1406  FAIL_IF(r != 0);
1407  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1408  FAIL_IF(PacketAlertCheck(p, 1));
1409 
1410  r = AppLayerParserParse(
1411  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_EOF, httpbuf4, httplen4);
1412  FAIL_IF(r != 0);
1413  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1414  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1415 
1416  http_state = f->alstate;
1417  FAIL_IF_NULL(http_state);
1418  tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
1419  FAIL_IF_NULL(tx);
1420  tx_ud = htp_tx_get_user_data(tx);
1421  FAIL_IF_NULL(tx_ud);
1422 
1423  files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
1424  fc = files.fc;
1425  FAIL_IF_NULL(fc);
1426  file = fc->head;
1427  FAIL_IF_NULL(file);
1428  FAIL_IF_NOT(file->flags & FILE_STORE);
1429 
1430  AppLayerParserThreadCtxFree(alp_tctx);
1431  UTHFreeFlow(f);
1432  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1433  DetectEngineCtxFree(de_ctx);
1434  StreamTcpFreeConfig(true);
1435  PASS;
1436 }
1437 
1438 #endif
1439 
1440 void DeStateRegisterTests(void)
1441 {
1442 #ifdef UNITTESTS
1443  UtRegisterTest("DeStateTest01", DeStateTest01);
1444  UtRegisterTest("DeStateTest02", DeStateTest02);
1445  UtRegisterTest("DeStateTest03", DeStateTest03);
1446  UtRegisterTest("DeStateSigTest01", DeStateSigTest01);
1447  UtRegisterTest("DeStateSigTest02", DeStateSigTest02);
1448  UtRegisterTest("DeStateSigTest03", DeStateSigTest03);
1449  UtRegisterTest("DeStateSigTest04", DeStateSigTest04);
1450  UtRegisterTest("DeStateSigTest05", DeStateSigTest05);
1451  UtRegisterTest("DeStateSigTest06", DeStateSigTest06);
1452  UtRegisterTest("DeStateSigTest07", DeStateSigTest07);
1453  UtRegisterTest("DeStateSigTest08", DeStateSigTest08);
1454  UtRegisterTest("DeStateSigTest09", DeStateSigTest09);
1455  UtRegisterTest("DeStateSigTest10", DeStateSigTest10);
1456 #endif
1457 }
1458 
1459 /**
1460  * @}
1461  */
FileContainer_
Definition: util-file.h:113
DE_STATE_CHUNK_SIZE
#define DE_STATE_CHUNK_SIZE
Definition: detect-engine-state.h:52
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
DetectEngineStateDirection_::flags
uint8_t flags
Definition: detect-engine-state.h:88
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1273
flow-util.h
DetectEngineState_
Definition: detect-engine-state.h:92
Signature_::num
SigIntId num
Definition: detect.h:613
stream-tcp.h
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1457
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
DetectEngineStateDirection_::cnt
SigIntId cnt
Definition: detect-engine-state.h:86
Flow_::proto
uint8_t proto
Definition: flow.h:382
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:516
Flow_
Flow data structure.
Definition: flow.h:360
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:841
FILE_STORE
#define FILE_STORE
Definition: util-file.h:55
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2597
DetectEngineState_::dir_state
DetectEngineStateDirection dir_state[2]
Definition: detect-engine-state.h:93
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:301
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:232
MIN
#define MIN(x, y)
Definition: suricata-common.h:391
DE_QUIET
#define DE_QUIET
Definition: detect.h:323
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:359
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1926
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2587
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:510
Flow_::protoctx
void * protoctx
Definition: flow.h:450
DeStateStoreItem_::sid
SigIntId sid
Definition: detect-engine-state.h:74
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:99
AppLayerParserGetTransactionInspectId
uint64_t AppLayerParserGetTransactionInspectId(AppLayerParserState *pstate, uint8_t direction)
Definition: app-layer-parser.c:700
util-unittest.h
DetectEngineStateDirection_::cur
DeStateStore * cur
Definition: detect-engine-state.h:84
HtpState_
Definition: app-layer-htp.h:236
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
AppLayerParserGetTxFiles
AppLayerGetFileState AppLayerParserGetTxFiles(const Flow *f, void *tx, const uint8_t direction)
Definition: app-layer-parser.c:856
detect-flowvar.h
DetectRunStoreStateTx
void DetectRunStoreStateTx(const SigGroupHead *sgh, Flow *f, void *tx, uint64_t tx_id, const Signature *s, uint32_t inspect_flags, uint8_t flow_flags, const uint16_t file_no_match)
Definition: detect-engine-state.c:214
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:484
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:461
UTHBuildFlow
Flow * UTHBuildFlow(int family, const char *src, const char *dst, Port sp, Port dp)
Definition: util-unittest-helper.c:482
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
app-layer-htp.h
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1090
DeStateStoreItem_::flags
uint32_t flags
Definition: detect-engine-state.h:73
FLOWFILE_NO_STORE_TS
#define FLOWFILE_NO_STORE_TS
Definition: flow.h:133
BIT_U32
#define BIT_U32(n)
Definition: suricata-common.h:400
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
FileContainer_::head
File * head
Definition: util-file.h:114
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DeStateStore_::next
struct DeStateStore_ * next
Definition: detect-engine-state.h:79
HtpState_::conn
htp_conn_t * conn
Definition: app-layer-htp.h:240
HtpTxUserData_::tx_data
AppLayerTxData tx_data
Definition: app-layer-htp.h:231
HtpState_::state_data
AppLayerStateData state_data
Definition: app-layer-htp.h:260
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2285
app-layer-parser.h
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:300
util-profiling.h
DetectEngineStateAlloc
DetectEngineState * DetectEngineStateAlloc(void)
Alloc a DetectEngineState object.
Definition: detect-engine-state.c:160
SCReturn
#define SCReturn
Definition: util-debug.h:273
Packet_
Definition: decode.h:479
DE_STATE_FLAG_BASE
#define DE_STATE_FLAG_BASE
Definition: detect-engine-state.h:63
detect-engine-build.h
stream-tcp-private.h
detect-engine-alert.h
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
AppLayerParserGetTx
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:1089
DetectEngineStateFree
void DetectEngineStateFree(DetectEngineState *state)
Frees a DetectEngineState object.
Definition: detect-engine-state.c:169
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2161
UTHFreeFlow
void UTHFreeFlow(Flow *flow)
Definition: util-unittest-helper.c:487
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:280
FileDisableStoringForTransaction
void FileDisableStoringForTransaction(Flow *f, const uint8_t direction, void *tx, uint64_t tx_id)
disable file storing for files in a transaction
Definition: util-file.c:1157
File_::flags
uint16_t flags
Definition: util-file.h:80
DetectEngineStateDirection_::head
DeStateStore * head
Definition: detect-engine-state.h:83
File_
Definition: util-file.h:79
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: detect.h:1364
Packet_::flow
struct Flow_ * flow
Definition: decode.h:518
DetectEngineStateResetTxs
void DetectEngineStateResetTxs(Flow *f)
Reset de state for active tx' To be used on detect engine reload.
Definition: detect-engine-state.c:260
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3312
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:792
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1267
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3539
DeStateStore_
Definition: detect-engine-state.h:77
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
File_::next
struct File_ * next
Definition: util-file.h:92
DetectEngineStateDirection_
Definition: detect-engine-state.h:82
AppLayerParserGetTxData
AppLayerTxData * AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx)
Definition: app-layer-parser.c:1159
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:849
HtpTxUserData_
Definition: app-layer-htp.h:204
DetectEngineStateDirection_::filestore_cnt
uint16_t filestore_cnt
Definition: detect-engine-state.h:87
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:467
Flow_::alstate
void * alstate
Definition: flow.h:485
DeStateStore_::store
DeStateStoreItem store[DE_STATE_CHUNK_SIZE]
Definition: detect-engine-state.h:78
Flow_::flags
uint32_t flags
Definition: flow.h:430
detect-parse.h
Signature_
Signature container.
Definition: detect.h:601
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:234
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2558
app-layer-protos.h
FILE_NOSTORE
#define FILE_NOSTORE
Definition: util-file.h:54
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:843
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:59
TcpSession_
Definition: stream-tcp-private.h:283
SigIntId
#define SigIntId
Definition: suricata-common.h:315
DeStateStoreItem_
Definition: detect-engine-state.h:72
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:459
DeStateRegisterTests
void DeStateRegisterTests(void)
Definition: detect-engine-state.c:1440
detect-engine-dcepayload.h
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SigGroupHead_::filestore_cnt
uint16_t filestore_cnt
Definition: detect.h:1463
AppLayerParserGetTxCnt
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
Definition: app-layer-parser.c:1082
DetectEngineStateDirection_::tail
DeStateStore * tail
Definition: detect-engine-state.h:85
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1270
app-layer.h