suricata
detect-engine-state.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \defgroup sigstate State support
20  *
21  * State is stored in the ::DetectEngineState structure. This is
22  * basically a container for storage item of type ::DeStateStore.
23  * They contains an array of ::DeStateStoreItem which store the
24  * state of match for an individual signature identified by
25  * DeStateStoreItem::sid.
26  *
27  * @{
28  */
29 
30 /**
31  * \file
32  *
33  * \author Victor Julien <victor@inliniac.net>
34  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
35  *
36  * \brief State based signature handling.
37  */
38 
39 #include "suricata-common.h"
40 
41 #include "decode.h"
42 
43 #include "detect.h"
44 #include "detect-engine.h"
45 #include "detect-parse.h"
46 #include "detect-engine-state.h"
47 #include "detect-engine-dcepayload.h"
48 #include "detect-engine-build.h"
49 
50 #include "detect-flowvar.h"
51 
52 #include "stream-tcp.h"
53 #include "stream-tcp-private.h"
54 #include "stream-tcp-reassemble.h"
55 
56 #include "app-layer.h"
57 #include "app-layer-parser.h"
58 #include "app-layer-protos.h"
59 #include "app-layer-htp.h"
60 
61 #include "util-unittest.h"
62 #include "util-unittest-helper.h"
63 #include "util-profiling.h"
64 
65 #include "flow-util.h"
66 
67 static inline int StateIsValid(uint16_t alproto, void *alstate)
68 {
69  if (alstate != NULL) {
70  if (alproto == ALPROTO_HTTP1) {
71  HtpState *htp_state = (HtpState *)alstate;
72  if (htp_state->conn != NULL) {
73  return 1;
74  }
75  } else {
76  return 1;
77  }
78  }
79  return 0;
80 }
81 
82 static DeStateStore *DeStateStoreAlloc(void)
83 {
84  DeStateStore *d = SCCalloc(1, sizeof(DeStateStore));
85  if (unlikely(d == NULL))
86  return NULL;
87 
88  return d;
89 }
90 
91 #ifdef DEBUG_VALIDATION
92 static int DeStateSearchState(DetectEngineState *state, uint8_t direction, SigIntId num)
93 {
94  DetectEngineStateDirection *dir_state = &state->dir_state[direction & STREAM_TOSERVER ? 0 : 1];
95  DeStateStore *tx_store = dir_state->head;
96  SigIntId store_cnt;
97  SigIntId state_cnt = 0;
98 
99  for (; tx_store != NULL; tx_store = tx_store->next) {
100  SCLogDebug("tx_store %p", tx_store);
101  for (store_cnt = 0;
102  store_cnt < DE_STATE_CHUNK_SIZE && state_cnt < dir_state->cnt;
103  store_cnt++, state_cnt++)
104  {
105  DeStateStoreItem *item = &tx_store->store[store_cnt];
106  if (item->sid == num) {
107  SCLogDebug("sid %u already in state: %p %p %p %u %u, direction %s",
108  num, state, dir_state, tx_store, state_cnt,
109  store_cnt, direction & STREAM_TOSERVER ? "toserver" : "toclient");
110  return 1;
111  }
112  }
113  }
114  return 0;
115 }
116 #endif
117 
118 static void DeStateSignatureAppend(DetectEngineState *state,
119  const Signature *s, uint32_t inspect_flags, uint8_t direction)
120 {
121  SCEnter();
122 
123  DetectEngineStateDirection *dir_state =
124  &state->dir_state[(direction & STREAM_TOSERVER) ? 0 : 1];
125 
126 #ifdef DEBUG_VALIDATION
127  BUG_ON(DeStateSearchState(state, direction, s->num));
128 #endif
129  DeStateStore *store = dir_state->tail;
130  if (store == NULL) {
131  store = DeStateStoreAlloc();
132  dir_state->head = store;
133  dir_state->cur = store;
134  dir_state->tail = store;
135  } else if (dir_state->cur) {
136  store = dir_state->cur;
137  } else {
138  store = DeStateStoreAlloc();
139  if (store != NULL) {
140  dir_state->tail->next = store;
141  dir_state->tail = store;
142  dir_state->cur = store;
143  }
144  }
145  if (store == NULL)
146  SCReturn;
147 
148  SigIntId idx = dir_state->cnt % DE_STATE_CHUNK_SIZE;
149  store->store[idx].sid = s->num;
150  store->store[idx].flags = inspect_flags;
151  dir_state->cnt++;
152  /* if current chunk is full, progress cur */
153  if (dir_state->cnt % DE_STATE_CHUNK_SIZE == 0) {
154  dir_state->cur = dir_state->cur->next;
155  }
156 
157  SCReturn;
158 }
159 
160 DetectEngineState *DetectEngineStateAlloc(void)
161 {
162  DetectEngineState *d = SCCalloc(1, sizeof(DetectEngineState));
163  if (unlikely(d == NULL))
164  return NULL;
165 
166  return d;
167 }
168 
169 void DetectEngineStateFree(DetectEngineState *state)
170 {
171  DeStateStore *store;
172  DeStateStore *store_next;
173  int i = 0;
174 
175  for (i = 0; i < 2; i++) {
176  store = state->dir_state[i].head;
177  while (store != NULL) {
178  store_next = store->next;
179  SCFree(store);
180  store = store_next;
181  }
182  }
183  SCFree(state);
184 }
185 
186 static void StoreFileNoMatchCnt(DetectEngineState *de_state, uint16_t file_no_match, uint8_t direction)
187 {
188  de_state->dir_state[(direction & STREAM_TOSERVER) ? 0 : 1].filestore_cnt += file_no_match;
189 }
190 
191 static bool StoreFilestoreSigsCantMatch(const SigGroupHead *sgh, const DetectEngineState *de_state, uint8_t direction)
192 {
193  if (de_state->dir_state[(direction & STREAM_TOSERVER) ? 0 : 1].filestore_cnt ==
194  sgh->filestore_cnt)
195  return true;
196  else
197  return false;
198 }
199 
200 static void StoreStateTxHandleFiles(const SigGroupHead *sgh, Flow *f, DetectEngineState *destate,
201  const uint8_t flow_flags, void *tx, const uint64_t tx_id, const uint16_t file_no_match)
202 {
203  SCLogDebug("tx %"PRIu64", file_no_match %u", tx_id, file_no_match);
204  StoreFileNoMatchCnt(destate, file_no_match, flow_flags);
205  if (StoreFilestoreSigsCantMatch(sgh, destate, flow_flags)) {
206  SCLogDebug("filestore sigs can't match");
207  FileDisableStoringForTransaction(
208  f, flow_flags & (STREAM_TOCLIENT | STREAM_TOSERVER), tx, tx_id);
209  } else {
210  SCLogDebug("filestore sigs can still match");
211  }
212 }
213 
214 void DetectRunStoreStateTx(
215  const SigGroupHead *sgh,
216  Flow *f, void *tx, uint64_t tx_id,
217  const Signature *s,
218  uint32_t inspect_flags, uint8_t flow_flags,
219  const uint16_t file_no_match)
220 {
221  AppLayerTxData *tx_data = AppLayerParserGetTxData(f->proto, f->alproto, tx);
222  if (tx_data->de_state == NULL) {
223  tx_data->de_state = DetectEngineStateAlloc();
224  if (tx_data->de_state == NULL)
225  return;
226  SCLogDebug("destate created for %"PRIu64, tx_id);
227  }
228  DeStateSignatureAppend(tx_data->de_state, s, inspect_flags, flow_flags);
229  if (s->flags & SIG_FLAG_TXBOTHDIR) {
230  // add also in the other DetectEngineStateDirection
231  DeStateSignatureAppend(tx_data->de_state, s, inspect_flags,
232  flow_flags ^ (STREAM_TOSERVER | STREAM_TOCLIENT));
233  }
234  StoreStateTxHandleFiles(sgh, f, tx_data->de_state, flow_flags, tx, tx_id, file_no_match);
235 
236  SCLogDebug("Stored for TX %"PRIu64, tx_id);
237 }
238 
239 static inline void ResetTxState(DetectEngineState *s)
240 {
241  if (s) {
242  s->dir_state[0].cnt = 0;
243  s->dir_state[0].filestore_cnt = 0;
244  s->dir_state[0].flags = 0;
245  /* reset 'cur' back to the list head */
246  s->dir_state[0].cur = s->dir_state[0].head;
247 
248  s->dir_state[1].cnt = 0;
249  s->dir_state[1].filestore_cnt = 0;
250  s->dir_state[1].flags = 0;
251  /* reset 'cur' back to the list head */
252  s->dir_state[1].cur = s->dir_state[1].head;
253  }
254 }
255 
256 /** \brief Reset de state for active tx'
257  * To be used on detect engine reload.
258  * \param f write LOCKED flow
259  */
260 void DetectEngineStateResetTxs(Flow *f)
261 {
262  void *alstate = FlowGetAppState(f);
263  if (!StateIsValid(f->alproto, alstate)) {
264  return;
265  }
266 
267  uint64_t inspect_ts = AppLayerParserGetTransactionInspectId(f->alparser, STREAM_TOCLIENT);
268  uint64_t inspect_tc = AppLayerParserGetTransactionInspectId(f->alparser, STREAM_TOSERVER);
269 
270  uint64_t inspect_tx_id = MIN(inspect_ts, inspect_tc);
271 
272  uint64_t total_txs = AppLayerParserGetTxCnt(f, alstate);
273 
274  for ( ; inspect_tx_id < total_txs; inspect_tx_id++) {
275  void *inspect_tx = AppLayerParserGetTx(f->proto, f->alproto, alstate, inspect_tx_id);
276  if (inspect_tx != NULL) {
277  AppLayerTxData *txd = AppLayerParserGetTxData(f->proto, f->alproto, inspect_tx);
278  ResetTxState(txd->de_state);
279  }
280  }
281 }
282 
283 /*********Unittests*********/
284 
285 #ifdef UNITTESTS
286 #include "detect-engine-alert.h"
287 
288 static int DeStateTest01(void)
289 {
290  SCLogDebug("sizeof(DetectEngineState)\t\t%"PRIuMAX,
291  (uintmax_t)sizeof(DetectEngineState));
292  SCLogDebug("sizeof(DeStateStore)\t\t\t%"PRIuMAX,
293  (uintmax_t)sizeof(DeStateStore));
294  SCLogDebug("sizeof(DeStateStoreItem)\t\t%"PRIuMAX"",
295  (uintmax_t)sizeof(DeStateStoreItem));
296 
297  return 1;
298 }
299 
300 static int DeStateTest02(void)
301 {
302  uint8_t direction = STREAM_TOSERVER;
303  DetectEngineState *state = DetectEngineStateAlloc();
304  FAIL_IF_NULL(state);
305  FAIL_IF_NOT_NULL(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head);
306 
307  Signature s;
308  memset(&s, 0x00, sizeof(s));
309 
310  s.num = 0;
311  DeStateSignatureAppend(state, &s, 0, direction);
312  s.num = 11;
313  DeStateSignatureAppend(state, &s, 0, direction);
314  s.num = 22;
315  DeStateSignatureAppend(state, &s, 0, direction);
316  s.num = 33;
317  DeStateSignatureAppend(state, &s, 0, direction);
318  s.num = 44;
319  DeStateSignatureAppend(state, &s, 0, direction);
320  s.num = 55;
321  DeStateSignatureAppend(state, &s, 0, direction);
322  s.num = 66;
323  DeStateSignatureAppend(state, &s, 0, direction);
324  s.num = 77;
325  DeStateSignatureAppend(state, &s, 0, direction);
326  s.num = 88;
327  DeStateSignatureAppend(state, &s, 0, direction);
328  s.num = 99;
329  DeStateSignatureAppend(state, &s, 0, direction);
330  s.num = 100;
331  DeStateSignatureAppend(state, &s, 0, direction);
332  s.num = 111;
333  DeStateSignatureAppend(state, &s, 0, direction);
334  s.num = 122;
335  DeStateSignatureAppend(state, &s, 0, direction);
336  s.num = 133;
337  DeStateSignatureAppend(state, &s, 0, direction);
338  FAIL_IF_NOT(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head ==
339  state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur);
340 
341  s.num = 144;
342  DeStateSignatureAppend(state, &s, 0, direction);
343 
344  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[14].sid != 144);
345  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head ==
346  state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur);
347  FAIL_IF_NOT(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur == NULL);
348 
349  s.num = 155;
350  DeStateSignatureAppend(state, &s, 0, direction);
351 
352  FAIL_IF_NOT(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].tail ==
353  state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur);
354 
355  s.num = 166;
356  DeStateSignatureAppend(state, &s, 0, direction);
357 
358  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head == NULL);
359  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[1].sid != 11);
360  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->next == NULL);
361  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[14].sid != 144);
362  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->next->store[0].sid != 155);
363  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->next->store[1].sid != 166);
364 
365  ResetTxState(state);
366 
367  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head == NULL);
368  FAIL_IF_NOT(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head ==
369  state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur);
370 
371  s.num = 0;
372  DeStateSignatureAppend(state, &s, 0, direction);
373  s.num = 11;
374  DeStateSignatureAppend(state, &s, 0, direction);
375  s.num = 22;
376  DeStateSignatureAppend(state, &s, 0, direction);
377  s.num = 33;
378  DeStateSignatureAppend(state, &s, 0, direction);
379  s.num = 44;
380  DeStateSignatureAppend(state, &s, 0, direction);
381  s.num = 55;
382  DeStateSignatureAppend(state, &s, 0, direction);
383  s.num = 66;
384  DeStateSignatureAppend(state, &s, 0, direction);
385  s.num = 77;
386  DeStateSignatureAppend(state, &s, 0, direction);
387  s.num = 88;
388  DeStateSignatureAppend(state, &s, 0, direction);
389  s.num = 99;
390  DeStateSignatureAppend(state, &s, 0, direction);
391  s.num = 100;
392  DeStateSignatureAppend(state, &s, 0, direction);
393  s.num = 111;
394  DeStateSignatureAppend(state, &s, 0, direction);
395  s.num = 122;
396  DeStateSignatureAppend(state, &s, 0, direction);
397  s.num = 133;
398  DeStateSignatureAppend(state, &s, 0, direction);
399  FAIL_IF_NOT(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head ==
400  state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur);
401  s.num = 144;
402  DeStateSignatureAppend(state, &s, 0, direction);
403  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[14].sid != 144);
404  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head ==
405  state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur);
406  FAIL_IF_NOT(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].tail ==
407  state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur);
408  s.num = 155;
409  DeStateSignatureAppend(state, &s, 0, direction);
410  s.num = 166;
411  DeStateSignatureAppend(state, &s, 0, direction);
412 
413  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head == NULL);
414  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[1].sid != 11);
415  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->next == NULL);
416  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[14].sid != 144);
417  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->next->store[0].sid != 155);
418  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->next->store[1].sid != 166);
419 
420  DetectEngineStateFree(state);
421 
422  PASS;
423 }
424 
425 static int DeStateTest03(void)
426 {
427  DetectEngineState *state = DetectEngineStateAlloc();
428  FAIL_IF_NULL(state);
429 
430  Signature s;
431  memset(&s, 0x00, sizeof(s));
432 
433  uint8_t direction = STREAM_TOSERVER;
434 
435  s.num = 11;
436  DeStateSignatureAppend(state, &s, 0, direction);
437  s.num = 22;
438  DeStateSignatureAppend(state, &s, BIT_U32(DE_STATE_FLAG_BASE), direction);
439 
440  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head == NULL);
441  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[0].sid != 11);
442  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[0].flags & BIT_U32(DE_STATE_FLAG_BASE));
443  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[1].sid != 22);
444  FAIL_IF(!(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[1].flags & BIT_U32(DE_STATE_FLAG_BASE)));
445 
446  DetectEngineStateFree(state);
447  PASS;
448 }
449 
450 static int DeStateSigTest01(void)
451 {
452  DetectEngineThreadCtx *det_ctx = NULL;
453  ThreadVars th_v;
454  Flow f;
455  TcpSession ssn;
456  Packet *p = NULL;
457  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\n";
458  uint8_t httpbuf2[] = "User-Agent: Mozilla/1.0\r\n";
459  uint8_t httpbuf3[] = "Cookie: dummy\r\nContent-Length: 10\r\n\r\n";
460  uint8_t httpbuf4[] = "Http Body!";
461  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
462  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
463  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
464  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
465 
466  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
467  FAIL_IF_NULL(alp_tctx);
468 
469  memset(&th_v, 0, sizeof(th_v));
470  memset(&f, 0, sizeof(f));
471  memset(&ssn, 0, sizeof(ssn));
472 
473  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
474  FAIL_IF_NULL(p);
475 
476  FLOW_INITIALIZE(&f);
477  f.protoctx = (void *)&ssn;
478  f.proto = IPPROTO_TCP;
479  f.flags |= FLOW_IPV4;
480  f.alproto = ALPROTO_HTTP1;
481 
482  p->flow = &f;
483  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
484  p->flowflags |= FLOW_PKT_TOSERVER;
485  p->flowflags |= FLOW_PKT_ESTABLISHED;
486 
487  StreamTcpInitConfig(true);
488 
489  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
490  FAIL_IF_NULL(de_ctx);
491  de_ctx->flags |= DE_QUIET;
492 
493  Signature *s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (content:\"POST\"; http_method; content:\"dummy\"; http_cookie; sid:1; rev:1;)");
494  FAIL_IF_NULL(s);
495 
496  SigGroupBuild(de_ctx);
497  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
498  FAIL_IF_NULL(det_ctx);
499 
500  int r = AppLayerParserParse(
501  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
502  FAIL_IF_NOT(r == 0);
503  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
504  FAIL_IF(PacketAlertCheck(p, 1));
505 
506  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
507  FAIL_IF_NOT(r == 0);
508  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
509  FAIL_IF(PacketAlertCheck(p, 1));
510 
511  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
512  FAIL_IF_NOT(r == 0);
513  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
514  FAIL_IF_NOT(PacketAlertCheck(p, 1));
515 
516  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
517  FAIL_IF_NOT(r == 0);
518  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
519  FAIL_IF(PacketAlertCheck(p, 1));
520 
521  AppLayerParserThreadCtxFree(alp_tctx);
522  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
523  DetectEngineCtxFree(de_ctx);
524  StreamTcpFreeConfig(true);
525  FLOW_DESTROY(&f);
526  UTHFreePacket(p);
527  PASS;
528 }
529 
530 /** \test multiple pipelined http transactions */
531 static int DeStateSigTest02(void)
532 {
533  DetectEngineThreadCtx *det_ctx = NULL;
534  ThreadVars th_v;
535  Flow f;
536  TcpSession ssn;
537  Packet *p = NULL;
538  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n";
539  uint8_t httpbuf2[] = "User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
540  uint8_t httpbuf3[] = "Cookie: dummy\r\n\r\n";
541  uint8_t httpbuf4[] = "Http Body!";
542  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
543  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
544  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
545  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
546  uint8_t httpbuf5[] = "GET /?var=val HTTP/1.1\r\n";
547  uint8_t httpbuf6[] = "User-Agent: Firefox/1.0\r\n";
548  uint8_t httpbuf7[] = "Cookie: dummy2\r\nContent-Length: 10\r\n\r\nHttp Body!";
549  uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */
550  uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */
551  uint32_t httplen7 = sizeof(httpbuf7) - 1; /* minus the \0 */
552  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
553  FAIL_IF_NULL(alp_tctx);
554 
555  memset(&th_v, 0, sizeof(th_v));
556  memset(&f, 0, sizeof(f));
557  memset(&ssn, 0, sizeof(ssn));
558 
559  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
560 
561  FLOW_INITIALIZE(&f);
562  f.protoctx = (void *)&ssn;
563  f.proto = IPPROTO_TCP;
564  f.flags |= FLOW_IPV4;
565 
566  p->flow = &f;
567  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
568  p->flowflags |= FLOW_PKT_TOSERVER;
569  p->flowflags |= FLOW_PKT_ESTABLISHED;
570  f.alproto = ALPROTO_HTTP1;
571 
572  StreamTcpInitConfig(true);
573 
574  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
575  FAIL_IF_NULL(de_ctx);
576 
577  de_ctx->flags |= DE_QUIET;
578 
579  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:to_server; content:\"POST\"; http_method; content:\"/\"; http_uri; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; content:\"body\"; nocase; http_client_body; sid:1; rev:1;)");
580  FAIL_IF_NULL(s);
581  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:to_server; content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; sid:2; rev:1;)");
582  FAIL_IF_NULL(s);
583 
584  SigGroupBuild(de_ctx);
585  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
586  FAIL_IF_NULL(det_ctx);
587 
588  int r = AppLayerParserParse(
589  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
590  FAIL_IF(r != 0);
591  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
592  FAIL_IF(PacketAlertCheck(p, 1));
593 
594  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
595  FAIL_IF(r != 0);
596  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
597  FAIL_IF(PacketAlertCheck(p, 1));
598 
599  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
600  FAIL_IF(r != 0);
601  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
602  FAIL_IF(PacketAlertCheck(p, 1));
603 
604  void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f.alstate, 0);
605  FAIL_IF_NULL(tx);
606 
607  AppLayerTxData *tx_data = AppLayerParserGetTxData(IPPROTO_TCP, ALPROTO_HTTP1, tx);
608  FAIL_IF_NULL(tx_data);
609  DetectEngineState *tx_de_state = tx_data->de_state;
610  FAIL_IF_NULL(tx_de_state);
611  FAIL_IF(tx_de_state->dir_state[0].cnt != 1);
612  /* http_header(mpm): 5, uri: 3, method: 6, cookie: 7 */
613  uint32_t expected_flags = (BIT_U32(5) | BIT_U32(3) | BIT_U32(6) | BIT_U32(4));
614  FAIL_IF(tx_de_state->dir_state[0].head->store[0].flags != expected_flags);
615 
616  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
617  FAIL_IF(r != 0);
618  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
619  FAIL_IF(!(PacketAlertCheck(p, 1)));
620 
621  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf5, httplen5);
622  FAIL_IF(r != 0);
623  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
624  FAIL_IF(PacketAlertCheck(p, 1));
625 
626  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf6, httplen6);
627  FAIL_IF(r != 0);
628  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
629  FAIL_IF((PacketAlertCheck(p, 1)) || (PacketAlertCheck(p, 2)));
630 
631  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf7, httplen7);
632  FAIL_IF(r != 0);
633  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
634  FAIL_IF(!(PacketAlertCheck(p, 2)));
635 
636  AppLayerParserThreadCtxFree(alp_tctx);
637  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
638  DetectEngineCtxFree(de_ctx);
639  StreamTcpFreeConfig(true);
640  FLOW_DESTROY(&f);
641  UTHFreePacket(p);
642  PASS;
643 }
644 
645 static int DeStateSigTest03(void)
646 {
647  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
648  "Host: www.server.lan\r\n"
649  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
650  "Content-Length: 215\r\n"
651  "\r\n"
652  "-----------------------------277531038314945\r\n"
653  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
654  "Content-Type: image/jpeg\r\n"
655  "\r\n"
656  "filecontent\r\n"
657  "-----------------------------277531038314945--";
658  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
659  ThreadVars th_v;
660  TcpSession ssn;
661  Flow *f = NULL;
662  Packet *p = NULL;
663  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
664  FAIL_IF_NULL(alp_tctx);
665 
666  memset(&th_v, 0, sizeof(th_v));
667  memset(&ssn, 0, sizeof(ssn));
668 
669  DetectEngineThreadCtx *det_ctx = NULL;
670  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
671  FAIL_IF_NULL(de_ctx);
672 
673  de_ctx->flags |= DE_QUIET;
674 
675  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (flow:to_server; content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filestore; sid:1; rev:1;)");
676  FAIL_IF_NULL(s);
677 
678  SigGroupBuild(de_ctx);
679  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
680 
681  f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
682  FAIL_IF_NULL(f);
683  f->protoctx = &ssn;
684  f->proto = IPPROTO_TCP;
685  f->alproto = ALPROTO_HTTP1;
686 
687  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
688  FAIL_IF_NULL(p);
689 
690  p->flow = f;
691  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
692  p->flowflags |= FLOW_PKT_TOSERVER;
693  p->flowflags |= FLOW_PKT_ESTABLISHED;
694 
695  StreamTcpInitConfig(true);
696 
697  int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1,
698  STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
699  FAIL_IF(r != 0);
700 
701  HtpState *http_state = f->alstate;
702  FAIL_IF_NULL(http_state);
703  void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
704  FAIL_IF_NULL(tx);
705  HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
706  FAIL_IF_NULL(tx_ud);
707 
708  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
709  FAIL_IF(!(PacketAlertCheck(p, 1)));
710 
711  AppLayerGetFileState files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
712  FileContainer *fc = files.fc;
713  FAIL_IF_NULL(fc);
714 
715  File *file = fc->head;
716  FAIL_IF_NULL(file);
717 
718  FAIL_IF(!(file->flags & FILE_STORE));
719 
720  AppLayerParserThreadCtxFree(alp_tctx);
721  UTHFreeFlow(f);
722 
723  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
724  DetectEngineCtxFree(de_ctx);
725  StreamTcpFreeConfig(true);
726  PASS;
727 }
728 
729 static int DeStateSigTest04(void)
730 {
731  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
732  "Host: www.server.lan\r\n"
733  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
734  "Content-Length: 215\r\n"
735  "\r\n"
736  "-----------------------------277531038314945\r\n"
737  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
738  "Content-Type: image/jpeg\r\n"
739  "\r\n"
740  "filecontent\r\n"
741  "-----------------------------277531038314945--";
742  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
743  ThreadVars th_v;
744  TcpSession ssn;
745  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
746  FAIL_IF_NULL(alp_tctx);
747 
748  memset(&th_v, 0, sizeof(th_v));
749  memset(&ssn, 0, sizeof(ssn));
750 
751  DetectEngineThreadCtx *det_ctx = NULL;
752  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
753  FAIL_IF_NULL(de_ctx);
754  de_ctx->flags |= DE_QUIET;
755 
756  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"GET\"; http_method; content:\"upload.cgi\"; http_uri; filestore; sid:1; rev:1;)");
757  FAIL_IF_NULL(s);
758 
759  SigGroupBuild(de_ctx);
760  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
761  FAIL_IF_NULL(det_ctx);
762 
763  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
764  FAIL_IF_NULL(f);
765  f->protoctx = &ssn;
766  f->proto = IPPROTO_TCP;
767  f->alproto = ALPROTO_HTTP1;
768 
769  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
770  FAIL_IF_NULL(p);
771  p->flow = f;
772  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
773  p->flowflags |= FLOW_PKT_TOSERVER;
774  p->flowflags |= FLOW_PKT_ESTABLISHED;
775 
776  StreamTcpInitConfig(true);
777 
778  int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1,
779  STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
780  FAIL_IF(r != 0);
781  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
782  FAIL_IF(PacketAlertCheck(p, 1));
783 
784  HtpState *http_state = f->alstate;
785  FAIL_IF_NULL(http_state);
786  void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
787  FAIL_IF_NULL(tx);
788  HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
789  FAIL_IF_NULL(tx_ud);
790 
791  AppLayerGetFileState files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
792  FileContainer *fc = files.fc;
793  FAIL_IF_NULL(fc);
794  File *file = fc->head;
795  FAIL_IF_NULL(file);
796 
797  FAIL_IF(file->flags & FILE_STORE);
798 
799  AppLayerParserThreadCtxFree(alp_tctx);
800  UTHFreeFlow(f);
801  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
802  DetectEngineCtxFree(de_ctx);
803  StreamTcpFreeConfig(true);
804  PASS;
805 }
806 
807 static int DeStateSigTest05(void)
808 {
809  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
810  "Host: www.server.lan\r\n"
811  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
812  "Content-Length: 215\r\n"
813  "\r\n"
814  "-----------------------------277531038314945\r\n"
815  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
816  "Content-Type: image/jpeg\r\n"
817  "\r\n"
818  "filecontent\r\n"
819  "-----------------------------277531038314945--";
820  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
821  ThreadVars th_v;
822  TcpSession ssn;
823 
824  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
825  FAIL_IF_NULL(alp_tctx);
826 
827  memset(&th_v, 0, sizeof(th_v));
828  memset(&ssn, 0, sizeof(ssn));
829 
830  DetectEngineThreadCtx *det_ctx = NULL;
831  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
832  FAIL_IF_NULL(de_ctx);
833  de_ctx->flags |= DE_QUIET;
834 
835  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"GET\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"nomatch\"; sid:1; rev:1;)");
836  FAIL_IF_NULL(s);
837 
838  SigGroupBuild(de_ctx);
839  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
840 
841  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
842  FAIL_IF_NULL(f);
843  f->protoctx = &ssn;
844  f->proto = IPPROTO_TCP;
845  f->alproto = ALPROTO_HTTP1;
846 
847  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
848  FAIL_IF_NULL(p);
849  p->flow = f;
850  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
851  p->flowflags |= FLOW_PKT_TOSERVER;
852  p->flowflags |= FLOW_PKT_ESTABLISHED;
853 
854  StreamTcpInitConfig(true);
855 
856  int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1,
857  STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
858  FAIL_IF_NOT(r == 0);
859  HtpState *http_state = f->alstate;
860  FAIL_IF_NULL(http_state);
861  void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
862  FAIL_IF_NULL(tx);
863  HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
864  FAIL_IF_NULL(tx_ud);
865 
866  AppLayerGetFileState files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
867  FileContainer *fc = files.fc;
868  FAIL_IF_NULL(fc);
869  File *file = fc->head;
870  FAIL_IF_NULL(file);
871  FAIL_IF(http_state->state_data.file_flags & FLOWFILE_NO_STORE_TS);
872 
873  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
874  FAIL_IF(PacketAlertCheck(p, 1));
875 
876  /* detect will have set FLOWFILE_NO_STORE_TS, but it won't have had
877  * an opportunity to be applied to the file itself yet */
878  FAIL_IF_NOT(http_state->state_data.file_flags & FLOWFILE_NO_STORE_TS);
879  FAIL_IF(file->flags & FILE_NOSTORE);
880 
881  AppLayerParserThreadCtxFree(alp_tctx);
882  UTHFreeFlow(f);
883  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
884  DetectEngineCtxFree(de_ctx);
885  StreamTcpFreeConfig(true);
886  PASS;
887 }
888 
889 static int DeStateSigTest06(void)
890 {
891  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
892  "Host: www.server.lan\r\n"
893  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
894  "Content-Length: 215\r\n"
895  "\r\n"
896  "-----------------------------277531038314945\r\n"
897  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
898  "Content-Type: image/jpeg\r\n"
899  "\r\n"
900  "filecontent\r\n"
901  "-----------------------------277531038314945--";
902  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
903  ThreadVars th_v;
904  TcpSession ssn;
905 
906  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
907  FAIL_IF_NULL(alp_tctx);
908 
909  memset(&th_v, 0, sizeof(th_v));
910  memset(&ssn, 0, sizeof(ssn));
911 
912  DetectEngineThreadCtx *det_ctx = NULL;
913  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
914  FAIL_IF_NULL(de_ctx);
915  de_ctx->flags |= DE_QUIET;
916 
917  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"nomatch\"; filestore; sid:1; rev:1;)");
918  FAIL_IF_NULL(s);
919 
920  SigGroupBuild(de_ctx);
921  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
922  FAIL_IF_NULL(det_ctx);
923 
924  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
925  FAIL_IF_NULL(f);
926  f->protoctx = &ssn;
927  f->proto = IPPROTO_TCP;
928  f->alproto = ALPROTO_HTTP1;
929 
930  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
931  FAIL_IF_NULL(p);
932  p->flow = f;
933  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
934  p->flowflags |= FLOW_PKT_TOSERVER;
935  p->flowflags |= FLOW_PKT_ESTABLISHED;
936 
937  StreamTcpInitConfig(true);
938 
939  int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1,
940  STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
941  FAIL_IF(r != 0);
942  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
943  FAIL_IF(PacketAlertCheck(p, 1));
944 
945  HtpState *http_state = f->alstate;
946  FAIL_IF_NULL(http_state);
947  void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
948  FAIL_IF_NULL(tx);
949  HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
950  FAIL_IF_NULL(tx_ud);
951 
952  AppLayerGetFileState files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
953  FileContainer *fc = files.fc;
954  FAIL_IF_NULL(fc);
955  File *file = fc->head;
956  FAIL_IF_NULL(file);
957  /* detect will have set FLOWFILE_NO_STORE_TS, but it won't have had
958  * an opportunity to be applied to the file itself yet */
959  FAIL_IF_NOT(tx_ud->tx_data.file_flags & FLOWFILE_NO_STORE_TS);
960  FAIL_IF(file->flags & FILE_NOSTORE);
961 
962  AppLayerParserThreadCtxFree(alp_tctx);
963  UTHFreeFlow(f);
964  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
965  DetectEngineCtxFree(de_ctx);
966  StreamTcpFreeConfig(true);
967  PASS;
968 }
969 
970 static int DeStateSigTest07(void)
971 {
972  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
973  "Host: www.server.lan\r\n"
974  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
975  "Content-Length: 215\r\n"
976  "\r\n"
977  "-----------------------------277531038314945\r\n"
978  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
979  "Content-Type: image/jpeg\r\n"
980  "\r\n";
981 
982  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
983  uint8_t httpbuf2[] = "filecontent\r\n"
984  "-----------------------------277531038314945--";
985  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
986  ThreadVars th_v;
987  TcpSession ssn;
988 
989  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
990  FAIL_IF_NULL(alp_tctx);
991 
992  memset(&th_v, 0, sizeof(th_v));
993  memset(&ssn, 0, sizeof(ssn));
994 
995  DetectEngineThreadCtx *det_ctx = NULL;
996  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
997  FAIL_IF_NULL(de_ctx);
998  de_ctx->flags |= DE_QUIET;
999 
1000  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"GET\"; http_method; content:\"upload.cgi\"; http_uri; filestore; sid:1; rev:1;)");
1001  FAIL_IF_NULL(s);
1002 
1003  SigGroupBuild(de_ctx);
1004  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1005 
1006  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
1007  FAIL_IF_NULL(f);
1008  f->protoctx = &ssn;
1009  f->proto = IPPROTO_TCP;
1010  f->alproto = ALPROTO_HTTP1;
1011 
1012  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1013  FAIL_IF_NULL(p);
1014  p->flow = f;
1015  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1016  p->flowflags |= FLOW_PKT_TOSERVER;
1017  p->flowflags |= FLOW_PKT_ESTABLISHED;
1018 
1019  StreamTcpInitConfig(true);
1020 
1021  int r = AppLayerParserParse(
1022  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
1023  FAIL_IF(r != 0);
1024  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1025  FAIL_IF(PacketAlertCheck(p, 1));
1026 
1027  r = AppLayerParserParse(
1028  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_EOF, httpbuf2, httplen2);
1029  FAIL_IF(r != 0);
1030  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1031  FAIL_IF(PacketAlertCheck(p, 1));
1032 
1033  HtpState *http_state = f->alstate;
1034  FAIL_IF_NULL(http_state);
1035  void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
1036  FAIL_IF_NULL(tx);
1037  HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
1038  FAIL_IF_NULL(tx_ud);
1039 
1040  AppLayerGetFileState files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
1041  FileContainer *fc = files.fc;
1042  FAIL_IF_NULL(fc);
1043  File *file = fc->head;
1044  FAIL_IF_NULL(file);
1045  FAIL_IF(file->flags & FILE_STORE);
1046 
1047  AppLayerParserThreadCtxFree(alp_tctx);
1048  UTHFreeFlow(f);
1049  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1050  DetectEngineCtxFree(de_ctx);
1051  StreamTcpFreeConfig(true);
1052  PASS;
1053 }
1054 
1055 /**
1056  * \test multiple files in a tx
1057  */
1058 static int DeStateSigTest08(void)
1059 {
1060  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
1061  "Host: www.server.lan\r\n"
1062  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
1063  "Content-Length: 440\r\n"
1064  "\r\n"
1065  "-----------------------------277531038314945\r\n"
1066  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"AAAApicture1.jpg\"\r\n"
1067  "Content-Type: image/jpeg\r\n"
1068  "\r\n";
1069 
1070  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1071  uint8_t httpbuf2[] = "file";
1072  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1073  uint8_t httpbuf3[] = "content\r\n"
1074  "-----------------------------277531038314945\r\n";
1075  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1076 
1077  uint8_t httpbuf4[] = "Content-Disposition: form-data; name=\"uploadfile_1\"; filename=\"BBBBpicture2.jpg\"\r\n"
1078  "Content-Type: image/jpeg\r\n"
1079  "\r\n"
1080  "filecontent2\r\n"
1081  "-----------------------------277531038314945--";
1082  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1083 
1084  ThreadVars th_v;
1085  TcpSession ssn;
1086 
1087  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1088  FAIL_IF_NULL(alp_tctx);
1089 
1090  memset(&th_v, 0, sizeof(th_v));
1091  memset(&ssn, 0, sizeof(ssn));
1092 
1093  DetectEngineThreadCtx *det_ctx = NULL;
1094  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1095  FAIL_IF_NULL(de_ctx);
1096  de_ctx->flags |= DE_QUIET;
1097 
1098  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"BBBBpicture\"; filestore; sid:1; rev:1;)");
1099  FAIL_IF_NULL(s);
1100 
1101  SigGroupBuild(de_ctx);
1102  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1103 
1104  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
1105  FAIL_IF_NULL(f);
1106  f->protoctx = &ssn;
1107  f->proto = IPPROTO_TCP;
1108  f->alproto = ALPROTO_HTTP1;
1109 
1110  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1111  FAIL_IF_NULL(p);
1112  p->flow = f;
1113  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1114  p->flowflags |= FLOW_PKT_TOSERVER;
1115  p->flowflags |= FLOW_PKT_ESTABLISHED;
1116 
1117  StreamTcpInitConfig(true);
1118 
1119  /* HTTP request with 1st part of the multipart body */
1120 
1121  int r = AppLayerParserParse(
1122  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
1123  FAIL_IF(r != 0);
1124  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1125  FAIL_IF(PacketAlertCheck(p, 1));
1126 
1127  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1128  FAIL_IF(r != 0);
1129  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1130  FAIL_IF(PacketAlertCheck(p, 1));
1131 
1132  HtpState *http_state = f->alstate;
1133  FAIL_IF_NULL(http_state);
1134  void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
1135  FAIL_IF_NULL(tx);
1136  HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
1137  FAIL_IF_NULL(tx_ud);
1138 
1139  AppLayerGetFileState files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
1140  FileContainer *fc = files.fc;
1141  FAIL_IF_NULL(fc);
1142  File *file = fc->head;
1143  FAIL_IF_NULL(file);
1144  FAIL_IF(file->flags & FILE_STORE);
1145 
1146  /* 2nd multipart body file */
1147 
1148  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1149  FAIL_IF(r != 0);
1150  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1151  FAIL_IF(PacketAlertCheck(p, 1));
1152 
1153  r = AppLayerParserParse(
1154  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_EOF, httpbuf4, httplen4);
1155  FAIL_IF(r != 0);
1156  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1157  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1158 
1159  http_state = f->alstate;
1160  FAIL_IF_NULL(http_state);
1161  tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
1162  FAIL_IF_NULL(tx);
1163  tx_ud = htp_tx_get_user_data(tx);
1164  FAIL_IF_NULL(tx_ud);
1165 
1166  files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
1167  fc = files.fc;
1168  FAIL_IF_NULL(fc);
1169  file = fc->head;
1170  FAIL_IF_NULL(file);
1171  file = file->next;
1172  FAIL_IF_NULL(file);
1173  FAIL_IF_NOT(file->flags & FILE_STORE);
1174 
1175  AppLayerParserThreadCtxFree(alp_tctx);
1176  UTHFreeFlow(f);
1177  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1178  DetectEngineCtxFree(de_ctx);
1179  StreamTcpFreeConfig(true);
1180  PASS;
1181 }
1182 
1183 /**
1184  * \test multiple files in a tx. Both files should match
1185  */
1186 static int DeStateSigTest09(void)
1187 {
1188  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
1189  "Host: www.server.lan\r\n"
1190  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
1191  "Content-Length: 440\r\n"
1192  "\r\n"
1193  "-----------------------------277531038314945\r\n"
1194  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
1195  "Content-Type: image/jpeg\r\n"
1196  "\r\n";
1197 
1198  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1199  uint8_t httpbuf2[] = "file";
1200  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1201  uint8_t httpbuf3[] = "content\r\n"
1202  "-----------------------------277531038314945\r\n";
1203  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1204 
1205  uint8_t httpbuf4[] = "Content-Disposition: form-data; name=\"uploadfile_1\"; filename=\"somepicture2.jpg\"\r\n"
1206  "Content-Type: image/jpeg\r\n"
1207  "\r\n"
1208  "filecontent2\r\n"
1209  "-----------------------------277531038314945--";
1210  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1211 
1212  ThreadVars th_v;
1213  TcpSession ssn;
1214 
1215  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1216  FAIL_IF_NULL(alp_tctx);
1217 
1218  memset(&th_v, 0, sizeof(th_v));
1219  memset(&ssn, 0, sizeof(ssn));
1220 
1221  DetectEngineThreadCtx *det_ctx = NULL;
1222  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1223  FAIL_IF_NULL(de_ctx);
1224  de_ctx->flags |= DE_QUIET;
1225 
1226  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"somepicture\"; filestore; sid:1; rev:1;)");
1227  FAIL_IF_NULL(s);
1228 
1229  SigGroupBuild(de_ctx);
1230  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1231 
1232  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
1233  FAIL_IF_NULL(f);
1234  f->protoctx = &ssn;
1235  f->proto = IPPROTO_TCP;
1236  f->alproto = ALPROTO_HTTP1;
1237 
1238  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1239  FAIL_IF_NULL(p);
1240  p->flow = f;
1241  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1242  p->flowflags |= FLOW_PKT_TOSERVER;
1243  p->flowflags |= FLOW_PKT_ESTABLISHED;
1244 
1245  StreamTcpInitConfig(true);
1246 
1247  /* HTTP request with 1st part of the multipart body */
1248 
1249  int r = AppLayerParserParse(
1250  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
1251  FAIL_IF(r != 0);
1252  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1253  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1254 
1255  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1256  FAIL_IF(r != 0);
1257  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1258  FAIL_IF(PacketAlertCheck(p, 1));
1259 
1260  HtpState *http_state = f->alstate;
1261  FAIL_IF_NULL(http_state);
1262  void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
1263  FAIL_IF_NULL(tx);
1264  HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
1265  FAIL_IF_NULL(tx_ud);
1266 
1267  AppLayerGetFileState files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
1268  FileContainer *fc = files.fc;
1269  FAIL_IF_NULL(fc);
1270  File *file = fc->head;
1271  FAIL_IF_NULL(file);
1272  FAIL_IF_NOT(file->flags & FILE_STORE);
1273 
1274  /* 2nd multipart body file */
1275 
1276  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1277  FAIL_IF(r != 0);
1278  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1279  FAIL_IF(PacketAlertCheck(p, 1));
1280 
1281  r = AppLayerParserParse(
1282  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_EOF, httpbuf4, httplen4);
1283  FAIL_IF(r != 0);
1284  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1285  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1286 
1287  http_state = f->alstate;
1288  FAIL_IF_NULL(http_state);
1289  tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
1290  FAIL_IF_NULL(tx);
1291  tx_ud = htp_tx_get_user_data(tx);
1292  FAIL_IF_NULL(tx_ud);
1293 
1294  files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
1295  fc = files.fc;
1296  FAIL_IF_NULL(fc);
1297  file = fc->head;
1298  FAIL_IF_NULL(file);
1299  FAIL_IF_NOT(file->flags & FILE_STORE);
1300 
1301  AppLayerParserThreadCtxFree(alp_tctx);
1302  UTHFreeFlow(f);
1303  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1304  DetectEngineCtxFree(de_ctx);
1305  StreamTcpFreeConfig(true);
1306  PASS;
1307 }
1308 
1309 /**
1310  * \test multiple files in a tx. Both files should match. No other matches.
1311  */
1312 static int DeStateSigTest10(void)
1313 {
1314  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
1315  "Host: www.server.lan\r\n"
1316  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
1317  "Content-Length: 440\r\n"
1318  "\r\n"
1319  "-----------------------------277531038314945\r\n"
1320  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
1321  "Content-Type: image/jpeg\r\n"
1322  "\r\n";
1323 
1324  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1325  uint8_t httpbuf2[] = "file";
1326  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1327  uint8_t httpbuf3[] = "content\r\n"
1328  "-----------------------------277531038314945\r\n";
1329  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1330 
1331  uint8_t httpbuf4[] = "Content-Disposition: form-data; name=\"uploadfile_1\"; filename=\"somepicture2.jpg\"\r\n"
1332  "Content-Type: image/jpeg\r\n"
1333  "\r\n"
1334  "filecontent2\r\n"
1335  "-----------------------------277531038314945--";
1336  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1337 
1338  ThreadVars th_v;
1339  TcpSession ssn;
1340 
1341  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1342  FAIL_IF_NULL(alp_tctx);
1343 
1344  memset(&th_v, 0, sizeof(th_v));
1345  memset(&ssn, 0, sizeof(ssn));
1346 
1347  DetectEngineThreadCtx *det_ctx = NULL;
1348  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1349  FAIL_IF_NULL(de_ctx);
1350  de_ctx->flags |= DE_QUIET;
1351 
1352  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (filename:\"somepicture\"; filestore; sid:1; rev:1;)");
1353  FAIL_IF_NULL(s);
1354 
1355  SigGroupBuild(de_ctx);
1356  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1357 
1358  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
1359  FAIL_IF_NULL(f);
1360  f->protoctx = &ssn;
1361  f->proto = IPPROTO_TCP;
1362  f->alproto = ALPROTO_HTTP1;
1363 
1364  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1365  FAIL_IF_NULL(p);
1366  p->flow = f;
1367  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1368  p->flowflags |= FLOW_PKT_TOSERVER;
1369  p->flowflags |= FLOW_PKT_ESTABLISHED;
1370 
1371  StreamTcpInitConfig(true);
1372 
1373  /* HTTP request with 1st part of the multipart body */
1374 
1375  int r = AppLayerParserParse(
1376  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
1377  FAIL_IF(r != 0);
1378  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1379  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1380 
1381  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1382  FAIL_IF(r != 0);
1383  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1384  FAIL_IF(PacketAlertCheck(p, 1));
1385 
1386  HtpState *http_state = f->alstate;
1387  FAIL_IF_NULL(http_state);
1388  void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
1389  FAIL_IF_NULL(tx);
1390  HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
1391  FAIL_IF_NULL(tx_ud);
1392 
1393  AppLayerGetFileState files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
1394  FileContainer *fc = files.fc;
1395  FAIL_IF_NULL(fc);
1396  File *file = fc->head;
1397  FAIL_IF_NULL(file);
1398  FAIL_IF_NOT(file->flags & FILE_STORE);
1399 
1400  /* 2nd multipart body file */
1401 
1402  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1403  FAIL_IF(r != 0);
1404  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1405  FAIL_IF(PacketAlertCheck(p, 1));
1406 
1407  r = AppLayerParserParse(
1408  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_EOF, httpbuf4, httplen4);
1409  FAIL_IF(r != 0);
1410  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1411  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1412 
1413  http_state = f->alstate;
1414  FAIL_IF_NULL(http_state);
1415  tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f->alstate, 0);
1416  FAIL_IF_NULL(tx);
1417  tx_ud = htp_tx_get_user_data(tx);
1418  FAIL_IF_NULL(tx_ud);
1419 
1420  files = AppLayerParserGetTxFiles(p->flow, tx, STREAM_TOSERVER);
1421  fc = files.fc;
1422  FAIL_IF_NULL(fc);
1423  file = fc->head;
1424  FAIL_IF_NULL(file);
1425  FAIL_IF_NOT(file->flags & FILE_STORE);
1426 
1427  AppLayerParserThreadCtxFree(alp_tctx);
1428  UTHFreeFlow(f);
1429  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1430  DetectEngineCtxFree(de_ctx);
1431  StreamTcpFreeConfig(true);
1432  PASS;
1433 }
1434 
1435 #endif
1436 
1437 void DeStateRegisterTests(void)
1438 {
1439 #ifdef UNITTESTS
1440  UtRegisterTest("DeStateTest01", DeStateTest01);
1441  UtRegisterTest("DeStateTest02", DeStateTest02);
1442  UtRegisterTest("DeStateTest03", DeStateTest03);
1443  UtRegisterTest("DeStateSigTest01", DeStateSigTest01);
1444  UtRegisterTest("DeStateSigTest02", DeStateSigTest02);
1445  UtRegisterTest("DeStateSigTest03", DeStateSigTest03);
1446  UtRegisterTest("DeStateSigTest04", DeStateSigTest04);
1447  UtRegisterTest("DeStateSigTest05", DeStateSigTest05);
1448  UtRegisterTest("DeStateSigTest06", DeStateSigTest06);
1449  UtRegisterTest("DeStateSigTest07", DeStateSigTest07);
1450  UtRegisterTest("DeStateSigTest08", DeStateSigTest08);
1451  UtRegisterTest("DeStateSigTest09", DeStateSigTest09);
1452  UtRegisterTest("DeStateSigTest10", DeStateSigTest10);
1453 #endif
1454 }
1455 
1456 /**
1457  * @}
1458  */
FileContainer_
Definition: util-file.h:113
DE_STATE_CHUNK_SIZE
#define DE_STATE_CHUNK_SIZE
Definition: detect-engine-state.h:52
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
DetectEngineStateDirection_::flags
uint8_t flags
Definition: detect-engine-state.h:88
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1250
flow-util.h
DetectEngineState_
Definition: detect-engine-state.h:92
Signature_::num
SigIntId num
Definition: detect.h:682
stream-tcp.h
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1598
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
DetectEngineStateDirection_::cnt
SigIntId cnt
Definition: detect-engine-state.h:86
Flow_::proto
uint8_t proto
Definition: flow.h:378
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:535
Flow_
Flow data structure.
Definition: flow.h:356
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:931
FILE_STORE
#define FILE_STORE
Definition: util-file.h:55
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2674
DetectEngineState_::dir_state
DetectEngineStateDirection dir_state[2]
Definition: detect-engine-state.h:93
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:322
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:233
SIG_FLAG_TXBOTHDIR
#define SIG_FLAG_TXBOTHDIR
Definition: detect.h:249
MIN
#define MIN(x, y)
Definition: suricata-common.h:408
DE_QUIET
#define DE_QUIET
Definition: detect.h:329
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2347
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3439
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:523
Flow_::protoctx
void * protoctx
Definition: flow.h:441
DeStateStoreItem_::sid
SigIntId sid
Definition: detect-engine-state.h:74
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:100
AppLayerParserGetTransactionInspectId
uint64_t AppLayerParserGetTransactionInspectId(AppLayerParserState *pstate, uint8_t direction)
Definition: app-layer-parser.c:731
util-unittest.h
DetectEngineStateDirection_::cur
DeStateStore * cur
Definition: detect-engine-state.h:84
HtpState_
Definition: app-layer-htp.h:181
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
AppLayerParserGetTxFiles
AppLayerGetFileState AppLayerParserGetTxFiles(const Flow *f, void *tx, const uint8_t direction)
Definition: app-layer-parser.c:872
detect-flowvar.h
DetectRunStoreStateTx
void DetectRunStoreStateTx(const SigGroupHead *sgh, Flow *f, void *tx, uint64_t tx_id, const Signature *s, uint32_t inspect_flags, uint8_t flow_flags, const uint16_t file_no_match)
Definition: detect-engine-state.c:214
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:478
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:488
UTHBuildFlow
Flow * UTHBuildFlow(int family, const char *src, const char *dst, Port sp, Port dp)
Definition: util-unittest-helper.c:488
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
app-layer-htp.h
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1223
DeStateStoreItem_::flags
uint32_t flags
Definition: detect-engine-state.h:73
FLOWFILE_NO_STORE_TS
#define FLOWFILE_NO_STORE_TS
Definition: flow.h:134
BIT_U32
#define BIT_U32(n)
Definition: suricata-common.h:417
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
FileContainer_::head
File * head
Definition: util-file.h:114
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DeStateStore_::next
struct DeStateStore_ * next
Definition: detect-engine-state.h:79
HtpState_::conn
htp_conn_t * conn
Definition: app-layer-htp.h:185
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3400
HtpTxUserData_::tx_data
AppLayerTxData tx_data
Definition: app-layer-htp.h:176
HtpState_::state_data
AppLayerStateData state_data
Definition: app-layer-htp.h:198
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:3097
app-layer-parser.h
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:317
util-profiling.h
DetectEngineStateAlloc
DetectEngineState * DetectEngineStateAlloc(void)
Alloc a DetectEngineState object.
Definition: detect-engine-state.c:160
SCReturn
#define SCReturn
Definition: util-debug.h:273
Signature_::flags
uint32_t flags
Definition: detect.h:671
Packet_
Definition: decode.h:492
DE_STATE_FLAG_BASE
#define DE_STATE_FLAG_BASE
Definition: detect-engine-state.h:63
detect-engine-build.h
stream-tcp-private.h
detect-engine-alert.h
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
AppLayerParserGetTx
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:1108
DetectEngineStateFree
void DetectEngineStateFree(DetectEngineState *state)
Frees a DetectEngineState object.
Definition: detect-engine-state.c:169
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2129
UTHFreeFlow
void UTHFreeFlow(Flow *flow)
Definition: util-unittest-helper.c:493
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:295
FileDisableStoringForTransaction
void FileDisableStoringForTransaction(Flow *f, const uint8_t direction, void *tx, uint64_t tx_id)
disable file storing for files in a transaction
Definition: util-file.c:1156
File_::flags
uint16_t flags
Definition: util-file.h:80
DetectEngineStateDirection_::head
DeStateStore * head
Definition: detect-engine-state.h:83
File_
Definition: util-file.h:79
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: detect.h:1494
Packet_::flow
struct Flow_ * flow
Definition: decode.h:537
DetectEngineStateResetTxs
void DetectEngineStateResetTxs(Flow *f)
Reset de state for active tx' To be used on detect engine reload.
Definition: detect-engine-state.c:260
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:859
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1290
suricata-common.h
DeStateStore_
Definition: detect-engine-state.h:77
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
File_::next
struct File_ * next
Definition: util-file.h:92
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3626
DetectEngineStateDirection_
Definition: detect-engine-state.h:82
AppLayerParserGetTxData
AppLayerTxData * AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx)
Definition: app-layer-parser.c:1182
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:940
HtpTxUserData_
Definition: app-layer-htp.h:151
DetectEngineStateDirection_::filestore_cnt
uint16_t filestore_cnt
Definition: detect-engine-state.h:87
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:473
Flow_::alstate
void * alstate
Definition: flow.h:479
DeStateStore_::store
DeStateStoreItem store[DE_STATE_CHUNK_SIZE]
Definition: detect-engine-state.h:78
Flow_::flags
uint32_t flags
Definition: flow.h:421
detect-parse.h
Signature_
Signature container.
Definition: detect.h:670
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:235
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2635
app-layer-protos.h
FILE_NOSTORE
#define FILE_NOSTORE
Definition: util-file.h:54
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:933
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:58
TcpSession_
Definition: stream-tcp-private.h:283
SigIntId
#define SigIntId
Definition: suricata-common.h:332
DeStateStoreItem_
Definition: detect-engine-state.h:72
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
DeStateRegisterTests
void DeStateRegisterTests(void)
Definition: detect-engine-state.c:1437
detect-engine-dcepayload.h
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SigGroupHead_::filestore_cnt
uint16_t filestore_cnt
Definition: detect.h:1604
AppLayerParserGetTxCnt
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
Definition: app-layer-parser.c:1101
DetectEngineStateDirection_::tail
DeStateStore * tail
Definition: detect-engine-state.h:85
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1247
app-layer.h