suricata
detect-engine-state.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \defgroup sigstate State support
20  *
21  * State is stored in the ::DetectEngineState structure. This is
22  * basically a containter for storage item of type ::DeStateStore.
23  * They contains an array of ::DeStateStoreItem which store the
24  * state of match for an individual signature identified by
25  * DeStateStoreItem::sid.
26  *
27  * @{
28  */
29 
30 /**
31  * \file
32  *
33  * \author Victor Julien <victor@inliniac.net>
34  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
35  *
36  * \brief State based signature handling.
37  */
38 
39 #include "suricata-common.h"
40 
41 #include "decode.h"
42 
43 #include "detect.h"
44 #include "detect-engine.h"
45 #include "detect-parse.h"
46 #include "detect-engine-state.h"
47 #include "detect-engine-dcepayload.h"
48 
49 #include "detect-flowvar.h"
50 
51 #include "stream-tcp.h"
52 #include "stream-tcp-private.h"
53 #include "stream-tcp-reassemble.h"
54 
55 #include "app-layer.h"
56 #include "app-layer-parser.h"
57 #include "app-layer-protos.h"
58 #include "app-layer-htp.h"
59 #include "app-layer-dcerpc-common.h"
60 
61 #include "util-unittest.h"
62 #include "util-unittest-helper.h"
63 #include "util-profiling.h"
64 
65 #include "flow-util.h"
66 
67 /** convert enum to string */
68 #define CASE_CODE(E) case E: return #E
69 
70 static inline int StateIsValid(uint16_t alproto, void *alstate)
71 {
72  if (alstate != NULL) {
73  if (alproto == ALPROTO_HTTP1) {
74  HtpState *htp_state = (HtpState *)alstate;
75  if (htp_state->conn != NULL) {
76  return 1;
77  }
78  } else {
79  return 1;
80  }
81  }
82  return 0;
83 }
84 
85 static DeStateStore *DeStateStoreAlloc(void)
86 {
87  DeStateStore *d = SCMalloc(sizeof(DeStateStore));
88  if (unlikely(d == NULL))
89  return NULL;
90  memset(d, 0, sizeof(DeStateStore));
91 
92  return d;
93 }
94 
95 #ifdef DEBUG_VALIDATION
96 static int DeStateSearchState(DetectEngineState *state, uint8_t direction, SigIntId num)
97 {
98  DetectEngineStateDirection *dir_state = &state->dir_state[direction & STREAM_TOSERVER ? 0 : 1];
99  DeStateStore *tx_store = dir_state->head;
100  SigIntId store_cnt;
101  SigIntId state_cnt = 0;
102 
103  for (; tx_store != NULL; tx_store = tx_store->next) {
104  SCLogDebug("tx_store %p", tx_store);
105  for (store_cnt = 0;
106  store_cnt < DE_STATE_CHUNK_SIZE && state_cnt < dir_state->cnt;
107  store_cnt++, state_cnt++)
108  {
109  DeStateStoreItem *item = &tx_store->store[store_cnt];
110  if (item->sid == num) {
111  SCLogDebug("sid %u already in state: %p %p %p %u %u, direction %s",
112  num, state, dir_state, tx_store, state_cnt,
113  store_cnt, direction & STREAM_TOSERVER ? "toserver" : "toclient");
114  return 1;
115  }
116  }
117  }
118  return 0;
119 }
120 #endif
121 
122 static void DeStateSignatureAppend(DetectEngineState *state,
123  const Signature *s, uint32_t inspect_flags, uint8_t direction)
124 {
125  SCEnter();
126 
127  DetectEngineStateDirection *dir_state =
128  &state->dir_state[(direction & STREAM_TOSERVER) ? 0 : 1];
129 
130 #ifdef DEBUG_VALIDATION
131  BUG_ON(DeStateSearchState(state, direction, s->num));
132 #endif
133  DeStateStore *store = dir_state->tail;
134  if (store == NULL) {
135  store = DeStateStoreAlloc();
136  dir_state->head = store;
137  dir_state->cur = store;
138  dir_state->tail = store;
139  } else if (dir_state->cur) {
140  store = dir_state->cur;
141  } else {
142  store = DeStateStoreAlloc();
143  if (store != NULL) {
144  dir_state->tail->next = store;
145  dir_state->tail = store;
146  dir_state->cur = store;
147  }
148  }
149  if (store == NULL)
150  SCReturn;
151 
152  SigIntId idx = dir_state->cnt % DE_STATE_CHUNK_SIZE;
153  store->store[idx].sid = s->num;
154  store->store[idx].flags = inspect_flags;
155  dir_state->cnt++;
156  /* if current chunk is full, progress cur */
157  if (dir_state->cnt % DE_STATE_CHUNK_SIZE == 0) {
158  dir_state->cur = dir_state->cur->next;
159  }
160 
161  SCReturn;
162 }
163 
164 DetectEngineState *DetectEngineStateAlloc(void)
165 {
166  DetectEngineState *d = SCMalloc(sizeof(DetectEngineState));
167  if (unlikely(d == NULL))
168  return NULL;
169  memset(d, 0, sizeof(DetectEngineState));
170 
171  return d;
172 }
173 
174 void DetectEngineStateFree(DetectEngineState *state)
175 {
176  DeStateStore *store;
177  DeStateStore *store_next;
178  int i = 0;
179 
180  for (i = 0; i < 2; i++) {
181  store = state->dir_state[i].head;
182  while (store != NULL) {
183  store_next = store->next;
184  SCFree(store);
185  store = store_next;
186  }
187  }
188  SCFree(state);
189 
190  return;
191 }
192 
193 static void StoreFileNoMatchCnt(DetectEngineState *de_state, uint16_t file_no_match, uint8_t direction)
194 {
195  de_state->dir_state[(direction & STREAM_TOSERVER) ? 0 : 1].filestore_cnt += file_no_match;
196 
197  return;
198 }
199 
200 static bool StoreFilestoreSigsCantMatch(const SigGroupHead *sgh, const DetectEngineState *de_state, uint8_t direction)
201 {
202  if (de_state->dir_state[(direction & STREAM_TOSERVER) ? 0 : 1].filestore_cnt ==
203  sgh->filestore_cnt)
204  return true;
205  else
206  return false;
207 }
208 
209 static void StoreStateTxHandleFiles(const SigGroupHead *sgh, Flow *f,
210  DetectEngineState *destate, const uint8_t flow_flags,
211  const uint64_t tx_id, const uint16_t file_no_match)
212 {
213  SCLogDebug("tx %"PRIu64", file_no_match %u", tx_id, file_no_match);
214  StoreFileNoMatchCnt(destate, file_no_match, flow_flags);
215  if (StoreFilestoreSigsCantMatch(sgh, destate, flow_flags)) {
216  FileDisableStoringForTransaction(f, flow_flags & (STREAM_TOCLIENT | STREAM_TOSERVER), tx_id);
217  }
218 }
219 
220 void DetectRunStoreStateTx(
221  const SigGroupHead *sgh,
222  Flow *f, void *tx, uint64_t tx_id,
223  const Signature *s,
224  uint32_t inspect_flags, uint8_t flow_flags,
225  const uint16_t file_no_match)
226 {
227  AppLayerTxData *tx_data = AppLayerParserGetTxData(f->proto, f->alproto, tx);
228  BUG_ON(tx_data == NULL);
229  if (tx_data == NULL) {
230  SCLogDebug("No TX data for %" PRIu64, tx_id);
231  return;
232  }
233  if (tx_data->de_state == NULL) {
234  tx_data->de_state = DetectEngineStateAlloc();
235  if (tx_data->de_state == NULL)
236  return;
237  SCLogDebug("destate created for %"PRIu64, tx_id);
238  }
239  DeStateSignatureAppend(tx_data->de_state, s, inspect_flags, flow_flags);
240  StoreStateTxHandleFiles(sgh, f, tx_data->de_state, flow_flags, tx_id, file_no_match);
241 
242  SCLogDebug("Stored for TX %"PRIu64, tx_id);
243 }
244 
245 /** \brief update flow's inspection id's
246  *
247  * \param f unlocked flow
248  * \param flags direction and disruption flags
249  * \param tag_txs_as_inspected if true all 'complete' txs will be marked
250  * 'inspected'
251  *
252  * \note it is possible that f->alstate, f->alparser are NULL */
253 void DeStateUpdateInspectTransactionId(Flow *f, const uint8_t flags,
254  const bool tag_txs_as_inspected)
255 {
256  if (f->alparser && f->alstate) {
257  AppLayerParserSetTransactionInspectId(f, f->alparser,
258  f->alstate, flags,
259  tag_txs_as_inspected);
260  }
261  return;
262 }
263 
264 static inline void ResetTxState(DetectEngineState *s)
265 {
266  if (s) {
267  s->dir_state[0].cnt = 0;
268  s->dir_state[0].filestore_cnt = 0;
269  s->dir_state[0].flags = 0;
270  /* reset 'cur' back to the list head */
271  s->dir_state[0].cur = s->dir_state[0].head;
272 
273  s->dir_state[1].cnt = 0;
274  s->dir_state[1].filestore_cnt = 0;
275  s->dir_state[1].flags = 0;
276  /* reset 'cur' back to the list head */
277  s->dir_state[1].cur = s->dir_state[1].head;
278  }
279 }
280 
281 /** \brief Reset de state for active tx'
282  * To be used on detect engine reload.
283  * \param f write LOCKED flow
284  */
285 void DetectEngineStateResetTxs(Flow *f)
286 {
287  void *alstate = FlowGetAppState(f);
288  if (!StateIsValid(f->alproto, alstate)) {
289  return;
290  }
291 
292  uint64_t inspect_ts = AppLayerParserGetTransactionInspectId(f->alparser, STREAM_TOCLIENT);
293  uint64_t inspect_tc = AppLayerParserGetTransactionInspectId(f->alparser, STREAM_TOSERVER);
294 
295  uint64_t inspect_tx_id = MIN(inspect_ts, inspect_tc);
296 
297  uint64_t total_txs = AppLayerParserGetTxCnt(f, alstate);
298 
299  for ( ; inspect_tx_id < total_txs; inspect_tx_id++) {
300  void *inspect_tx = AppLayerParserGetTx(f->proto, f->alproto, alstate, inspect_tx_id);
301  if (inspect_tx != NULL) {
302  AppLayerTxData *txd = AppLayerParserGetTxData(f->proto, f->alproto, inspect_tx);
303  BUG_ON(txd == NULL);
304  if (txd) {
305  ResetTxState(txd->de_state);
306  }
307  }
308  }
309 }
310 
311 /*********Unittests*********/
312 
313 #ifdef UNITTESTS
314 
315 static int DeStateTest01(void)
316 {
317  SCLogDebug("sizeof(DetectEngineState)\t\t%"PRIuMAX,
318  (uintmax_t)sizeof(DetectEngineState));
319  SCLogDebug("sizeof(DeStateStore)\t\t\t%"PRIuMAX,
320  (uintmax_t)sizeof(DeStateStore));
321  SCLogDebug("sizeof(DeStateStoreItem)\t\t%"PRIuMAX"",
322  (uintmax_t)sizeof(DeStateStoreItem));
323 
324  return 1;
325 }
326 
327 static int DeStateTest02(void)
328 {
329  uint8_t direction = STREAM_TOSERVER;
330  DetectEngineState *state = DetectEngineStateAlloc();
331  FAIL_IF_NULL(state);
332  FAIL_IF_NOT_NULL(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head);
333 
334  Signature s;
335  memset(&s, 0x00, sizeof(s));
336 
337  s.num = 0;
338  DeStateSignatureAppend(state, &s, 0, direction);
339  s.num = 11;
340  DeStateSignatureAppend(state, &s, 0, direction);
341  s.num = 22;
342  DeStateSignatureAppend(state, &s, 0, direction);
343  s.num = 33;
344  DeStateSignatureAppend(state, &s, 0, direction);
345  s.num = 44;
346  DeStateSignatureAppend(state, &s, 0, direction);
347  s.num = 55;
348  DeStateSignatureAppend(state, &s, 0, direction);
349  s.num = 66;
350  DeStateSignatureAppend(state, &s, 0, direction);
351  s.num = 77;
352  DeStateSignatureAppend(state, &s, 0, direction);
353  s.num = 88;
354  DeStateSignatureAppend(state, &s, 0, direction);
355  s.num = 99;
356  DeStateSignatureAppend(state, &s, 0, direction);
357  s.num = 100;
358  DeStateSignatureAppend(state, &s, 0, direction);
359  s.num = 111;
360  DeStateSignatureAppend(state, &s, 0, direction);
361  s.num = 122;
362  DeStateSignatureAppend(state, &s, 0, direction);
363  s.num = 133;
364  DeStateSignatureAppend(state, &s, 0, direction);
365  FAIL_IF_NOT(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head ==
366  state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur);
367 
368  s.num = 144;
369  DeStateSignatureAppend(state, &s, 0, direction);
370 
371  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[14].sid != 144);
372  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head ==
373  state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur);
374  FAIL_IF_NOT(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur == NULL);
375 
376  s.num = 155;
377  DeStateSignatureAppend(state, &s, 0, direction);
378 
379  FAIL_IF_NOT(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].tail ==
380  state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur);
381 
382  s.num = 166;
383  DeStateSignatureAppend(state, &s, 0, direction);
384 
385  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head == NULL);
386  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[1].sid != 11);
387  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->next == NULL);
388  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[14].sid != 144);
389  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->next->store[0].sid != 155);
390  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->next->store[1].sid != 166);
391 
392  ResetTxState(state);
393 
394  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head == NULL);
395  FAIL_IF_NOT(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head ==
396  state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur);
397 
398  s.num = 0;
399  DeStateSignatureAppend(state, &s, 0, direction);
400  s.num = 11;
401  DeStateSignatureAppend(state, &s, 0, direction);
402  s.num = 22;
403  DeStateSignatureAppend(state, &s, 0, direction);
404  s.num = 33;
405  DeStateSignatureAppend(state, &s, 0, direction);
406  s.num = 44;
407  DeStateSignatureAppend(state, &s, 0, direction);
408  s.num = 55;
409  DeStateSignatureAppend(state, &s, 0, direction);
410  s.num = 66;
411  DeStateSignatureAppend(state, &s, 0, direction);
412  s.num = 77;
413  DeStateSignatureAppend(state, &s, 0, direction);
414  s.num = 88;
415  DeStateSignatureAppend(state, &s, 0, direction);
416  s.num = 99;
417  DeStateSignatureAppend(state, &s, 0, direction);
418  s.num = 100;
419  DeStateSignatureAppend(state, &s, 0, direction);
420  s.num = 111;
421  DeStateSignatureAppend(state, &s, 0, direction);
422  s.num = 122;
423  DeStateSignatureAppend(state, &s, 0, direction);
424  s.num = 133;
425  DeStateSignatureAppend(state, &s, 0, direction);
426  FAIL_IF_NOT(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head ==
427  state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur);
428  s.num = 144;
429  DeStateSignatureAppend(state, &s, 0, direction);
430  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[14].sid != 144);
431  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head ==
432  state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur);
433  FAIL_IF_NOT(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].tail ==
434  state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].cur);
435  s.num = 155;
436  DeStateSignatureAppend(state, &s, 0, direction);
437  s.num = 166;
438  DeStateSignatureAppend(state, &s, 0, direction);
439 
440  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head == NULL);
441  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[1].sid != 11);
442  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->next == NULL);
443  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[14].sid != 144);
444  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->next->store[0].sid != 155);
445  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->next->store[1].sid != 166);
446 
447  DetectEngineStateFree(state);
448 
449  PASS;
450 }
451 
452 static int DeStateTest03(void)
453 {
454  DetectEngineState *state = DetectEngineStateAlloc();
455  FAIL_IF_NULL(state);
456 
457  Signature s;
458  memset(&s, 0x00, sizeof(s));
459 
460  uint8_t direction = STREAM_TOSERVER;
461 
462  s.num = 11;
463  DeStateSignatureAppend(state, &s, 0, direction);
464  s.num = 22;
465  DeStateSignatureAppend(state, &s, BIT_U32(DE_STATE_FLAG_BASE), direction);
466 
467  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head == NULL);
468  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[0].sid != 11);
469  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[0].flags & BIT_U32(DE_STATE_FLAG_BASE));
470  FAIL_IF(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[1].sid != 22);
471  FAIL_IF(!(state->dir_state[direction & STREAM_TOSERVER ? 0 : 1].head->store[1].flags & BIT_U32(DE_STATE_FLAG_BASE)));
472 
473  DetectEngineStateFree(state);
474  PASS;
475 }
476 
477 static int DeStateSigTest01(void)
478 {
479  DetectEngineThreadCtx *det_ctx = NULL;
480  ThreadVars th_v;
481  Flow f;
482  TcpSession ssn;
483  Packet *p = NULL;
484  uint8_t httpbuf1[] = "POST / HTTP/1.0\r\n";
485  uint8_t httpbuf2[] = "User-Agent: Mozilla/1.0\r\n";
486  uint8_t httpbuf3[] = "Cookie: dummy\r\nContent-Length: 10\r\n\r\n";
487  uint8_t httpbuf4[] = "Http Body!";
488  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
489  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
490  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
491  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
492 
493  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
494  FAIL_IF_NULL(alp_tctx);
495 
496  memset(&th_v, 0, sizeof(th_v));
497  memset(&f, 0, sizeof(f));
498  memset(&ssn, 0, sizeof(ssn));
499 
500  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
501  FAIL_IF_NULL(p);
502 
503  FLOW_INITIALIZE(&f);
504  f.protoctx = (void *)&ssn;
505  f.proto = IPPROTO_TCP;
506  f.flags |= FLOW_IPV4;
507  f.alproto = ALPROTO_HTTP1;
508 
509  p->flow = &f;
510  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
511  p->flowflags |= FLOW_PKT_TOSERVER;
512  p->flowflags |= FLOW_PKT_ESTABLISHED;
513 
514  StreamTcpInitConfig(true);
515 
516  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
517  FAIL_IF_NULL(de_ctx);
518  de_ctx->flags |= DE_QUIET;
519 
520  Signature *s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (content:\"POST\"; http_method; content:\"dummy\"; http_cookie; sid:1; rev:1;)");
521  FAIL_IF_NULL(s);
522 
523  SigGroupBuild(de_ctx);
524  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
525  FAIL_IF_NULL(det_ctx);
526 
527  int r = AppLayerParserParse(
528  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
529  FAIL_IF_NOT(r == 0);
530  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
531  FAIL_IF(PacketAlertCheck(p, 1));
532 
533  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
534  FAIL_IF_NOT(r == 0);
535  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
536  FAIL_IF(PacketAlertCheck(p, 1));
537 
538  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
539  FAIL_IF_NOT(r == 0);
540  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
541  FAIL_IF_NOT(PacketAlertCheck(p, 1));
542 
543  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
544  FAIL_IF_NOT(r == 0);
545  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
546  FAIL_IF(PacketAlertCheck(p, 1));
547 
548  AppLayerParserThreadCtxFree(alp_tctx);
549  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
550  DetectEngineCtxFree(de_ctx);
551  StreamTcpFreeConfig(true);
552  FLOW_DESTROY(&f);
553  UTHFreePacket(p);
554  PASS;
555 }
556 
557 /** \test multiple pipelined http transactions */
558 static int DeStateSigTest02(void)
559 {
560  DetectEngineThreadCtx *det_ctx = NULL;
561  ThreadVars th_v;
562  Flow f;
563  TcpSession ssn;
564  Packet *p = NULL;
565  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n";
566  uint8_t httpbuf2[] = "User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
567  uint8_t httpbuf3[] = "Cookie: dummy\r\n\r\n";
568  uint8_t httpbuf4[] = "Http Body!";
569  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
570  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
571  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
572  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
573  uint8_t httpbuf5[] = "GET /?var=val HTTP/1.1\r\n";
574  uint8_t httpbuf6[] = "User-Agent: Firefox/1.0\r\n";
575  uint8_t httpbuf7[] = "Cookie: dummy2\r\nContent-Length: 10\r\n\r\nHttp Body!";
576  uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */
577  uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */
578  uint32_t httplen7 = sizeof(httpbuf7) - 1; /* minus the \0 */
579  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
580  FAIL_IF_NULL(alp_tctx);
581 
582  memset(&th_v, 0, sizeof(th_v));
583  memset(&f, 0, sizeof(f));
584  memset(&ssn, 0, sizeof(ssn));
585 
586  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
587 
588  FLOW_INITIALIZE(&f);
589  f.protoctx = (void *)&ssn;
590  f.proto = IPPROTO_TCP;
591  f.flags |= FLOW_IPV4;
592 
593  p->flow = &f;
594  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
595  p->flowflags |= FLOW_PKT_TOSERVER;
596  p->flowflags |= FLOW_PKT_ESTABLISHED;
597  f.alproto = ALPROTO_HTTP1;
598 
599  StreamTcpInitConfig(true);
600 
601  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
602  FAIL_IF_NULL(de_ctx);
603 
604  de_ctx->flags |= DE_QUIET;
605 
606  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:to_server; content:\"POST\"; http_method; content:\"/\"; http_uri; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; content:\"body\"; nocase; http_client_body; sid:1; rev:1;)");
607  FAIL_IF_NULL(s);
608  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:to_server; content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; sid:2; rev:1;)");
609  FAIL_IF_NULL(s);
610 
611  SigGroupBuild(de_ctx);
612  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
613  FAIL_IF_NULL(det_ctx);
614 
615  int r = AppLayerParserParse(
616  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
617  FAIL_IF(r != 0);
618  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
619  FAIL_IF(PacketAlertCheck(p, 1));
620 
621  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
622  FAIL_IF(r != 0);
623  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
624  FAIL_IF(PacketAlertCheck(p, 1));
625 
626  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
627  FAIL_IF(r != 0);
628  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
629  FAIL_IF(PacketAlertCheck(p, 1));
630 
631  void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, f.alstate, 0);
632  FAIL_IF_NULL(tx);
633 
634  AppLayerTxData *tx_data = AppLayerParserGetTxData(IPPROTO_TCP, ALPROTO_HTTP1, tx);
635  FAIL_IF_NULL(tx_data);
636  DetectEngineState *tx_de_state = tx_data->de_state;
637  FAIL_IF_NULL(tx_de_state);
638  FAIL_IF(tx_de_state->dir_state[0].cnt != 1);
639  /* http_header(mpm): 5, uri: 3, method: 6, cookie: 7 */
640  uint32_t expected_flags = (BIT_U32(5) | BIT_U32(3) | BIT_U32(6) |BIT_U32(7));
641  FAIL_IF(tx_de_state->dir_state[0].head->store[0].flags != expected_flags);
642 
643  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
644  FAIL_IF(r != 0);
645  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
646  FAIL_IF(!(PacketAlertCheck(p, 1)));
647 
648  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf5, httplen5);
649  FAIL_IF(r != 0);
650  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
651  FAIL_IF(PacketAlertCheck(p, 1));
652 
653  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf6, httplen6);
654  FAIL_IF(r != 0);
655  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
656  FAIL_IF((PacketAlertCheck(p, 1)) || (PacketAlertCheck(p, 2)));
657 
658  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf7, httplen7);
659  FAIL_IF(r != 0);
660  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
661  FAIL_IF(!(PacketAlertCheck(p, 2)));
662 
663  AppLayerParserThreadCtxFree(alp_tctx);
664  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
665  DetectEngineCtxFree(de_ctx);
666  StreamTcpFreeConfig(true);
667  FLOW_DESTROY(&f);
668  UTHFreePacket(p);
669  PASS;
670 }
671 
672 static int DeStateSigTest03(void)
673 {
674  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
675  "Host: www.server.lan\r\n"
676  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
677  "Content-Length: 215\r\n"
678  "\r\n"
679  "-----------------------------277531038314945\r\n"
680  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
681  "Content-Type: image/jpeg\r\n"
682  "\r\n"
683  "filecontent\r\n"
684  "-----------------------------277531038314945--";
685  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
686  ThreadVars th_v;
687  TcpSession ssn;
688  Flow *f = NULL;
689  Packet *p = NULL;
690  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
691  FAIL_IF_NULL(alp_tctx);
692 
693  memset(&th_v, 0, sizeof(th_v));
694  memset(&ssn, 0, sizeof(ssn));
695 
696  DetectEngineThreadCtx *det_ctx = NULL;
697  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
698  FAIL_IF_NULL(de_ctx);
699 
700  de_ctx->flags |= DE_QUIET;
701 
702  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (flow:to_server; content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filestore; sid:1; rev:1;)");
703  FAIL_IF_NULL(s);
704 
705  SigGroupBuild(de_ctx);
706  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
707 
708  f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
709  FAIL_IF_NULL(f);
710  f->protoctx = &ssn;
711  f->proto = IPPROTO_TCP;
712  f->alproto = ALPROTO_HTTP1;
713 
714  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
715  FAIL_IF_NULL(p);
716 
717  p->flow = f;
718  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
719  p->flowflags |= FLOW_PKT_TOSERVER;
720  p->flowflags |= FLOW_PKT_ESTABLISHED;
721 
722  StreamTcpInitConfig(true);
723 
724  int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1,
725  STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
726  FAIL_IF(r != 0);
727 
728  HtpState *http_state = f->alstate;
729  FAIL_IF_NULL(http_state);
730  FAIL_IF_NULL(http_state->files_ts);
731 
732  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
733  FAIL_IF(!(PacketAlertCheck(p, 1)));
734 
735  FileContainer *files = AppLayerParserGetFiles(p->flow, STREAM_TOSERVER);
736  FAIL_IF_NULL(files);
737 
738  File *file = files->head;
739  FAIL_IF_NULL(file);
740 
741  FAIL_IF(!(file->flags & FILE_STORE));
742 
743  AppLayerParserThreadCtxFree(alp_tctx);
744  UTHFreeFlow(f);
745 
746  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
747  DetectEngineCtxFree(de_ctx);
748  StreamTcpFreeConfig(true);
749  PASS;
750 }
751 
752 static int DeStateSigTest04(void)
753 {
754  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
755  "Host: www.server.lan\r\n"
756  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
757  "Content-Length: 215\r\n"
758  "\r\n"
759  "-----------------------------277531038314945\r\n"
760  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
761  "Content-Type: image/jpeg\r\n"
762  "\r\n"
763  "filecontent\r\n"
764  "-----------------------------277531038314945--";
765  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
766  ThreadVars th_v;
767  TcpSession ssn;
768  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
769  FAIL_IF_NULL(alp_tctx);
770 
771  memset(&th_v, 0, sizeof(th_v));
772  memset(&ssn, 0, sizeof(ssn));
773 
774  DetectEngineThreadCtx *det_ctx = NULL;
775  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
776  FAIL_IF_NULL(de_ctx);
777  de_ctx->flags |= DE_QUIET;
778 
779  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"GET\"; http_method; content:\"upload.cgi\"; http_uri; filestore; sid:1; rev:1;)");
780  FAIL_IF_NULL(s);
781 
782  SigGroupBuild(de_ctx);
783  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
784  FAIL_IF_NULL(det_ctx);
785 
786  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
787  FAIL_IF_NULL(f);
788  f->protoctx = &ssn;
789  f->proto = IPPROTO_TCP;
790  f->alproto = ALPROTO_HTTP1;
791 
792  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
793  FAIL_IF_NULL(p);
794  p->flow = f;
795  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
796  p->flowflags |= FLOW_PKT_TOSERVER;
797  p->flowflags |= FLOW_PKT_ESTABLISHED;
798 
799  StreamTcpInitConfig(true);
800 
801  int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1,
802  STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
803  FAIL_IF(r != 0);
804  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
805  FAIL_IF(PacketAlertCheck(p, 1));
806 
807  HtpState *http_state = f->alstate;
808  FAIL_IF_NULL(http_state);
809  FAIL_IF_NULL(http_state->files_ts);
810 
811  FileContainer *files = AppLayerParserGetFiles(p->flow, STREAM_TOSERVER);
812  FAIL_IF_NULL(files);
813  File *file = files->head;
814  FAIL_IF_NULL(file);
815 
816  FAIL_IF(file->flags & FILE_STORE);
817 
818  AppLayerParserThreadCtxFree(alp_tctx);
819  UTHFreeFlow(f);
820  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
821  DetectEngineCtxFree(de_ctx);
822  StreamTcpFreeConfig(true);
823  PASS;
824 }
825 
826 static int DeStateSigTest05(void)
827 {
828  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
829  "Host: www.server.lan\r\n"
830  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
831  "Content-Length: 215\r\n"
832  "\r\n"
833  "-----------------------------277531038314945\r\n"
834  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
835  "Content-Type: image/jpeg\r\n"
836  "\r\n"
837  "filecontent\r\n"
838  "-----------------------------277531038314945--";
839  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
840  ThreadVars th_v;
841  TcpSession ssn;
842 
843  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
844  FAIL_IF_NULL(alp_tctx);
845 
846  memset(&th_v, 0, sizeof(th_v));
847  memset(&ssn, 0, sizeof(ssn));
848 
849  DetectEngineThreadCtx *det_ctx = NULL;
850  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
851  FAIL_IF_NULL(de_ctx);
852  de_ctx->flags |= DE_QUIET;
853 
854  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"GET\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"nomatch\"; sid:1; rev:1;)");
855  FAIL_IF_NULL(s);
856 
857  SigGroupBuild(de_ctx);
858  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
859 
860  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
861  FAIL_IF_NULL(f);
862  f->protoctx = &ssn;
863  f->proto = IPPROTO_TCP;
864  f->alproto = ALPROTO_HTTP1;
865 
866  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
867  FAIL_IF_NULL(p);
868  p->flow = f;
869  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
870  p->flowflags |= FLOW_PKT_TOSERVER;
871  p->flowflags |= FLOW_PKT_ESTABLISHED;
872 
873  StreamTcpInitConfig(true);
874 
875  int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1,
876  STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
877  FAIL_IF_NOT(r == 0);
878  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
879  FAIL_IF(PacketAlertCheck(p, 1));
880 
881  HtpState *http_state = f->alstate;
882  FAIL_IF_NULL(http_state);
883  FAIL_IF_NULL(http_state->files_ts);
884 
885  FileContainer *files = AppLayerParserGetFiles(p->flow, STREAM_TOSERVER);
886  FAIL_IF_NULL(files);
887  File *file = files->head;
888  FAIL_IF_NULL(file);
889 
890  FAIL_IF(!(file->flags & FILE_NOSTORE));
891 
892  AppLayerParserThreadCtxFree(alp_tctx);
893  UTHFreeFlow(f);
894  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
895  DetectEngineCtxFree(de_ctx);
896  StreamTcpFreeConfig(true);
897  PASS;
898 }
899 
900 static int DeStateSigTest06(void)
901 {
902  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
903  "Host: www.server.lan\r\n"
904  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
905  "Content-Length: 215\r\n"
906  "\r\n"
907  "-----------------------------277531038314945\r\n"
908  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
909  "Content-Type: image/jpeg\r\n"
910  "\r\n"
911  "filecontent\r\n"
912  "-----------------------------277531038314945--";
913  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
914  ThreadVars th_v;
915  TcpSession ssn;
916 
917  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
918  FAIL_IF_NULL(alp_tctx);
919 
920  memset(&th_v, 0, sizeof(th_v));
921  memset(&ssn, 0, sizeof(ssn));
922 
923  DetectEngineThreadCtx *det_ctx = NULL;
924  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
925  FAIL_IF_NULL(de_ctx);
926  de_ctx->flags |= DE_QUIET;
927 
928  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"nomatch\"; filestore; sid:1; rev:1;)");
929  FAIL_IF_NULL(s);
930 
931  SigGroupBuild(de_ctx);
932  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
933  FAIL_IF_NULL(det_ctx);
934 
935  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
936  FAIL_IF_NULL(f);
937  f->protoctx = &ssn;
938  f->proto = IPPROTO_TCP;
939  f->alproto = ALPROTO_HTTP1;
940 
941  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
942  FAIL_IF_NULL(p);
943  p->flow = f;
944  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
945  p->flowflags |= FLOW_PKT_TOSERVER;
946  p->flowflags |= FLOW_PKT_ESTABLISHED;
947 
948  StreamTcpInitConfig(true);
949 
950  int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1,
951  STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
952  FAIL_IF(r != 0);
953  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
954  FAIL_IF(PacketAlertCheck(p, 1));
955 
956  HtpState *http_state = f->alstate;
957  FAIL_IF_NULL(http_state);
958  FAIL_IF_NULL(http_state->files_ts);
959 
960  FileContainer *files = AppLayerParserGetFiles(p->flow, STREAM_TOSERVER);
961  FAIL_IF_NULL(files);
962  File *file = files->head;
963  FAIL_IF_NULL(file);
964  FAIL_IF(!(file->flags & FILE_NOSTORE));
965 
966  AppLayerParserThreadCtxFree(alp_tctx);
967  UTHFreeFlow(f);
968  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
969  DetectEngineCtxFree(de_ctx);
970  StreamTcpFreeConfig(true);
971  PASS;
972 }
973 
974 static int DeStateSigTest07(void)
975 {
976  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
977  "Host: www.server.lan\r\n"
978  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
979  "Content-Length: 215\r\n"
980  "\r\n"
981  "-----------------------------277531038314945\r\n"
982  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
983  "Content-Type: image/jpeg\r\n"
984  "\r\n";
985 
986  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
987  uint8_t httpbuf2[] = "filecontent\r\n"
988  "-----------------------------277531038314945--";
989  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
990  ThreadVars th_v;
991  TcpSession ssn;
992 
993  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
994  FAIL_IF_NULL(alp_tctx);
995 
996  memset(&th_v, 0, sizeof(th_v));
997  memset(&ssn, 0, sizeof(ssn));
998 
999  DetectEngineThreadCtx *det_ctx = NULL;
1000  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1001  FAIL_IF_NULL(de_ctx);
1002  de_ctx->flags |= DE_QUIET;
1003 
1004  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"GET\"; http_method; content:\"upload.cgi\"; http_uri; filestore; sid:1; rev:1;)");
1005  FAIL_IF_NULL(s);
1006 
1007  SigGroupBuild(de_ctx);
1008  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1009 
1010  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
1011  FAIL_IF_NULL(f);
1012  f->protoctx = &ssn;
1013  f->proto = IPPROTO_TCP;
1014  f->alproto = ALPROTO_HTTP1;
1015 
1016  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1017  FAIL_IF_NULL(p);
1018  p->flow = f;
1019  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1020  p->flowflags |= FLOW_PKT_TOSERVER;
1021  p->flowflags |= FLOW_PKT_ESTABLISHED;
1022 
1023  StreamTcpInitConfig(true);
1024 
1025  int r = AppLayerParserParse(
1026  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
1027  FAIL_IF(r != 0);
1028  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1029  FAIL_IF(PacketAlertCheck(p, 1));
1030 
1031  r = AppLayerParserParse(
1032  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_EOF, httpbuf2, httplen2);
1033  FAIL_IF(r != 0);
1034  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1035  FAIL_IF(PacketAlertCheck(p, 1));
1036 
1037  HtpState *http_state = f->alstate;
1038  FAIL_IF_NULL(http_state);
1039  FAIL_IF_NULL(http_state->files_ts);
1040 
1041  FileContainer *files = AppLayerParserGetFiles(p->flow, STREAM_TOSERVER);
1042  FAIL_IF_NULL(files);
1043  File *file = files->head;
1044  FAIL_IF_NULL(file);
1045  FAIL_IF(file->flags & FILE_STORE);
1046 
1047  AppLayerParserThreadCtxFree(alp_tctx);
1048  UTHFreeFlow(f);
1049  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1050  DetectEngineCtxFree(de_ctx);
1051  StreamTcpFreeConfig(true);
1052  PASS;
1053 }
1054 
1055 /**
1056  * \test multiple files in a tx
1057  */
1058 static int DeStateSigTest08(void)
1059 {
1060  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
1061  "Host: www.server.lan\r\n"
1062  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
1063  "Content-Length: 440\r\n"
1064  "\r\n"
1065  "-----------------------------277531038314945\r\n"
1066  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"AAAApicture1.jpg\"\r\n"
1067  "Content-Type: image/jpeg\r\n"
1068  "\r\n";
1069 
1070  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1071  uint8_t httpbuf2[] = "file";
1072  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1073  uint8_t httpbuf3[] = "content\r\n"
1074  "-----------------------------277531038314945\r\n";
1075  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1076 
1077  uint8_t httpbuf4[] = "Content-Disposition: form-data; name=\"uploadfile_1\"; filename=\"BBBBpicture2.jpg\"\r\n"
1078  "Content-Type: image/jpeg\r\n"
1079  "\r\n"
1080  "filecontent2\r\n"
1081  "-----------------------------277531038314945--";
1082  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1083 
1084  ThreadVars th_v;
1085  TcpSession ssn;
1086 
1087  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1088  FAIL_IF_NULL(alp_tctx);
1089 
1090  memset(&th_v, 0, sizeof(th_v));
1091  memset(&ssn, 0, sizeof(ssn));
1092 
1093  DetectEngineThreadCtx *det_ctx = NULL;
1094  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1095  FAIL_IF_NULL(de_ctx);
1096  de_ctx->flags |= DE_QUIET;
1097 
1098  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"BBBBpicture\"; filestore; sid:1; rev:1;)");
1099  FAIL_IF_NULL(s);
1100 
1101  SigGroupBuild(de_ctx);
1102  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1103 
1104  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
1105  FAIL_IF_NULL(f);
1106  f->protoctx = &ssn;
1107  f->proto = IPPROTO_TCP;
1108  f->alproto = ALPROTO_HTTP1;
1109 
1110  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1111  FAIL_IF_NULL(p);
1112  p->flow = f;
1113  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1114  p->flowflags |= FLOW_PKT_TOSERVER;
1115  p->flowflags |= FLOW_PKT_ESTABLISHED;
1116 
1117  StreamTcpInitConfig(true);
1118 
1119  /* HTTP request with 1st part of the multipart body */
1120 
1121  int r = AppLayerParserParse(
1122  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
1123  FAIL_IF(r != 0);
1124  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1125  FAIL_IF(PacketAlertCheck(p, 1));
1126 
1127  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1128  FAIL_IF(r != 0);
1129  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1130  FAIL_IF(PacketAlertCheck(p, 1));
1131 
1132  HtpState *http_state = f->alstate;
1133  FAIL_IF_NULL(http_state);
1134  FAIL_IF_NULL(http_state->files_ts);
1135 
1136  FileContainer *files = AppLayerParserGetFiles(p->flow, STREAM_TOSERVER);
1137  FAIL_IF_NULL(files);
1138  File *file = files->head;
1139  FAIL_IF_NULL(file);
1140  FAIL_IF(file->flags & FILE_STORE);
1141 
1142  /* 2nd multipart body file */
1143 
1144  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1145  FAIL_IF(r != 0);
1146  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1147  FAIL_IF(PacketAlertCheck(p, 1));
1148 
1149  r = AppLayerParserParse(
1150  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_EOF, httpbuf4, httplen4);
1151  FAIL_IF(r != 0);
1152  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1153  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1154 
1155  http_state = f->alstate;
1156  FAIL_IF_NULL(http_state);
1157  FAIL_IF_NULL(http_state->files_ts);
1158 
1159  files = AppLayerParserGetFiles(p->flow, STREAM_TOSERVER);
1160  FAIL_IF_NULL(files);
1161  file = files->head;
1162  FAIL_IF_NULL(file);
1163  file = file->next;
1164  FAIL_IF_NULL(file);
1165  FAIL_IF_NOT(file->flags & FILE_STORE);
1166 
1167  AppLayerParserThreadCtxFree(alp_tctx);
1168  UTHFreeFlow(f);
1169  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1170  DetectEngineCtxFree(de_ctx);
1171  StreamTcpFreeConfig(true);
1172  PASS;
1173 }
1174 
1175 /**
1176  * \test multiple files in a tx. Both files should match
1177  */
1178 static int DeStateSigTest09(void)
1179 {
1180  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
1181  "Host: www.server.lan\r\n"
1182  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
1183  "Content-Length: 440\r\n"
1184  "\r\n"
1185  "-----------------------------277531038314945\r\n"
1186  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
1187  "Content-Type: image/jpeg\r\n"
1188  "\r\n";
1189 
1190  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1191  uint8_t httpbuf2[] = "file";
1192  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1193  uint8_t httpbuf3[] = "content\r\n"
1194  "-----------------------------277531038314945\r\n";
1195  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1196 
1197  uint8_t httpbuf4[] = "Content-Disposition: form-data; name=\"uploadfile_1\"; filename=\"somepicture2.jpg\"\r\n"
1198  "Content-Type: image/jpeg\r\n"
1199  "\r\n"
1200  "filecontent2\r\n"
1201  "-----------------------------277531038314945--";
1202  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1203 
1204  ThreadVars th_v;
1205  TcpSession ssn;
1206 
1207  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1208  FAIL_IF_NULL(alp_tctx);
1209 
1210  memset(&th_v, 0, sizeof(th_v));
1211  memset(&ssn, 0, sizeof(ssn));
1212 
1213  DetectEngineThreadCtx *det_ctx = NULL;
1214  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1215  FAIL_IF_NULL(de_ctx);
1216  de_ctx->flags |= DE_QUIET;
1217 
1218  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"somepicture\"; filestore; sid:1; rev:1;)");
1219  FAIL_IF_NULL(s);
1220 
1221  SigGroupBuild(de_ctx);
1222  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1223 
1224  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
1225  FAIL_IF_NULL(f);
1226  f->protoctx = &ssn;
1227  f->proto = IPPROTO_TCP;
1228  f->alproto = ALPROTO_HTTP1;
1229 
1230  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1231  FAIL_IF_NULL(p);
1232  p->flow = f;
1233  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1234  p->flowflags |= FLOW_PKT_TOSERVER;
1235  p->flowflags |= FLOW_PKT_ESTABLISHED;
1236 
1237  StreamTcpInitConfig(true);
1238 
1239  /* HTTP request with 1st part of the multipart body */
1240 
1241  int r = AppLayerParserParse(
1242  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
1243  FAIL_IF(r != 0);
1244  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1245  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1246 
1247  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1248  FAIL_IF(r != 0);
1249  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1250  FAIL_IF(PacketAlertCheck(p, 1));
1251 
1252  HtpState *http_state = f->alstate;
1253  FAIL_IF_NULL(http_state);
1254  FAIL_IF_NULL(http_state->files_ts);
1255 
1256  FileContainer *files = AppLayerParserGetFiles(p->flow, STREAM_TOSERVER);
1257  FAIL_IF_NULL(files);
1258  File *file = files->head;
1259  FAIL_IF_NULL(file);
1260  FAIL_IF_NOT(file->flags & FILE_STORE);
1261 
1262  /* 2nd multipart body file */
1263 
1264  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1265  FAIL_IF(r != 0);
1266  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1267  FAIL_IF(PacketAlertCheck(p, 1));
1268 
1269  r = AppLayerParserParse(
1270  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_EOF, httpbuf4, httplen4);
1271  FAIL_IF(r != 0);
1272  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1273  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1274 
1275  http_state = f->alstate;
1276  FAIL_IF_NULL(http_state);
1277  FAIL_IF_NULL(http_state->files_ts);
1278 
1279  files = AppLayerParserGetFiles(p->flow, STREAM_TOSERVER);
1280  FAIL_IF_NULL(files);
1281  file = files->head;
1282  FAIL_IF_NULL(file);
1283  FAIL_IF_NOT(file->flags & FILE_STORE);
1284 
1285  AppLayerParserThreadCtxFree(alp_tctx);
1286  UTHFreeFlow(f);
1287  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1288  DetectEngineCtxFree(de_ctx);
1289  StreamTcpFreeConfig(true);
1290  PASS;
1291 }
1292 
1293 /**
1294  * \test multiple files in a tx. Both files should match. No other matches.
1295  */
1296 static int DeStateSigTest10(void)
1297 {
1298  uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
1299  "Host: www.server.lan\r\n"
1300  "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
1301  "Content-Length: 440\r\n"
1302  "\r\n"
1303  "-----------------------------277531038314945\r\n"
1304  "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
1305  "Content-Type: image/jpeg\r\n"
1306  "\r\n";
1307 
1308  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1309  uint8_t httpbuf2[] = "file";
1310  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1311  uint8_t httpbuf3[] = "content\r\n"
1312  "-----------------------------277531038314945\r\n";
1313  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1314 
1315  uint8_t httpbuf4[] = "Content-Disposition: form-data; name=\"uploadfile_1\"; filename=\"somepicture2.jpg\"\r\n"
1316  "Content-Type: image/jpeg\r\n"
1317  "\r\n"
1318  "filecontent2\r\n"
1319  "-----------------------------277531038314945--";
1320  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1321 
1322  ThreadVars th_v;
1323  TcpSession ssn;
1324 
1325  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1326  FAIL_IF_NULL(alp_tctx);
1327 
1328  memset(&th_v, 0, sizeof(th_v));
1329  memset(&ssn, 0, sizeof(ssn));
1330 
1331  DetectEngineThreadCtx *det_ctx = NULL;
1332  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1333  FAIL_IF_NULL(de_ctx);
1334  de_ctx->flags |= DE_QUIET;
1335 
1336  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (filename:\"somepicture\"; filestore; sid:1; rev:1;)");
1337  FAIL_IF_NULL(s);
1338 
1339  SigGroupBuild(de_ctx);
1340  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1341 
1342  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
1343  FAIL_IF_NULL(f);
1344  f->protoctx = &ssn;
1345  f->proto = IPPROTO_TCP;
1346  f->alproto = ALPROTO_HTTP1;
1347 
1348  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1349  FAIL_IF_NULL(p);
1350  p->flow = f;
1351  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1352  p->flowflags |= FLOW_PKT_TOSERVER;
1353  p->flowflags |= FLOW_PKT_ESTABLISHED;
1354 
1355  StreamTcpInitConfig(true);
1356 
1357  /* HTTP request with 1st part of the multipart body */
1358 
1359  int r = AppLayerParserParse(
1360  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
1361  FAIL_IF(r != 0);
1362  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1363  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1364 
1365  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1366  FAIL_IF(r != 0);
1367  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1368  FAIL_IF(PacketAlertCheck(p, 1));
1369 
1370  HtpState *http_state = f->alstate;
1371  FAIL_IF_NULL(http_state);
1372  FAIL_IF_NULL(http_state->files_ts);
1373 
1374  FileContainer *files = AppLayerParserGetFiles(p->flow, STREAM_TOSERVER);
1375  FAIL_IF_NULL(files);
1376  File *file = files->head;
1377  FAIL_IF_NULL(file);
1378  FAIL_IF_NOT(file->flags & FILE_STORE);
1379 
1380  /* 2nd multipart body file */
1381 
1382  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1383  FAIL_IF(r != 0);
1384  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1385  FAIL_IF(PacketAlertCheck(p, 1));
1386 
1387  r = AppLayerParserParse(
1388  NULL, alp_tctx, f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_EOF, httpbuf4, httplen4);
1389  FAIL_IF(r != 0);
1390  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1391  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1392 
1393  http_state = f->alstate;
1394  FAIL_IF_NULL(http_state);
1395  FAIL_IF_NULL(http_state->files_ts);
1396 
1397  files = AppLayerParserGetFiles(p->flow, STREAM_TOSERVER);
1398  FAIL_IF_NULL(files);
1399  file = files->head;
1400  FAIL_IF_NULL(file);
1401  FAIL_IF_NOT(file->flags & FILE_STORE);
1402 
1403  AppLayerParserThreadCtxFree(alp_tctx);
1404  UTHFreeFlow(f);
1405  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1406  DetectEngineCtxFree(de_ctx);
1407  StreamTcpFreeConfig(true);
1408  PASS;
1409 }
1410 
1411 #endif
1412 
1413 void DeStateRegisterTests(void)
1414 {
1415 #ifdef UNITTESTS
1416  UtRegisterTest("DeStateTest01", DeStateTest01);
1417  UtRegisterTest("DeStateTest02", DeStateTest02);
1418  UtRegisterTest("DeStateTest03", DeStateTest03);
1419  UtRegisterTest("DeStateSigTest01", DeStateSigTest01);
1420  UtRegisterTest("DeStateSigTest02", DeStateSigTest02);
1421  UtRegisterTest("DeStateSigTest03", DeStateSigTest03);
1422  UtRegisterTest("DeStateSigTest04", DeStateSigTest04);
1423  UtRegisterTest("DeStateSigTest05", DeStateSigTest05);
1424  UtRegisterTest("DeStateSigTest06", DeStateSigTest06);
1425  UtRegisterTest("DeStateSigTest07", DeStateSigTest07);
1426  UtRegisterTest("DeStateSigTest08", DeStateSigTest08);
1427  UtRegisterTest("DeStateSigTest09", DeStateSigTest09);
1428  UtRegisterTest("DeStateSigTest10", DeStateSigTest10);
1429 #endif
1430 
1431  return;
1432 }
1433 
1434 /**
1435  * @}
1436  */
FileContainer_
Definition: util-file.h:110
DE_STATE_CHUNK_SIZE
#define DE_STATE_CHUNK_SIZE
Definition: detect-engine-state.h:53
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
DetectEngineStateDirection_::flags
uint8_t flags
Definition: detect-engine-state.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1175
flow-util.h
DetectEngineState_
Definition: detect-engine-state.h:93
Signature_::num
SigIntId num
Definition: detect.h:559
stream-tcp.h
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1425
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
AppLayerParserSetTransactionInspectId
void AppLayerParserSetTransactionInspectId(const Flow *f, AppLayerParserState *pstate, void *alstate, const uint8_t flags, bool tag_txs_as_inspected)
Definition: app-layer-parser.c:757
DetectEngineStateDirection_::cnt
SigIntId cnt
Definition: detect-engine-state.h:87
Flow_::proto
uint8_t proto
Definition: flow.h:375
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:137
Packet_::flags
uint32_t flags
Definition: decode.h:462
Flow_
Flow data structure.
Definition: flow.h:353
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2115
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:811
FILE_STORE
#define FILE_STORE
Definition: util-file.h:55
FileDisableStoringForTransaction
void FileDisableStoringForTransaction(Flow *f, uint8_t direction, uint64_t tx_id)
disable file storing for files in a transaction
Definition: util-file.c:1146
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2433
DetectEngineState_::dir_state
DetectEngineStateDirection dir_state[2]
Definition: detect-engine-state.h:94
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:320
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
MIN
#define MIN(x, y)
Definition: suricata-common.h:372
AppLayerParserGetFiles
FileContainer * AppLayerParserGetFiles(const Flow *f, const uint8_t direction)
Definition: app-layer-parser.c:887
DE_QUIET
#define DE_QUIET
Definition: detect.h:295
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1790
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:458
Flow_::protoctx
void * protoctx
Definition: flow.h:451
DeStateStoreItem_::sid
SigIntId sid
Definition: detect-engine-state.h:75
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:98
AppLayerParserGetTransactionInspectId
uint64_t AppLayerParserGetTransactionInspectId(AppLayerParserState *pstate, uint8_t direction)
Definition: app-layer-parser.c:726
util-unittest.h
DetectEngineStateDirection_::cur
DeStateStore * cur
Definition: detect-engine-state.h:85
HtpState_
Definition: app-layer-htp.h:247
FlowGetAppState
void * FlowGetAppState(const Flow *f)
Definition: flow.c:1125
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
detect-flowvar.h
DetectRunStoreStateTx
void DetectRunStoreStateTx(const SigGroupHead *sgh, Flow *f, void *tx, uint64_t tx_id, const Signature *s, uint32_t inspect_flags, uint8_t flow_flags, const uint16_t file_no_match)
Definition: detect-engine-state.c:220
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:485
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:357
UTHBuildFlow
Flow * UTHBuildFlow(int family, const char *src, const char *dst, Port sp, Port dp)
Definition: util-unittest-helper.c:521
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
app-layer-htp.h
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1060
DeStateStoreItem_::flags
uint32_t flags
Definition: detect-engine-state.h:74
DeStateUpdateInspectTransactionId
void DeStateUpdateInspectTransactionId(Flow *f, const uint8_t flags, const bool tag_txs_as_inspected)
update flow's inspection id's
Definition: detect-engine-state.c:253
BIT_U32
#define BIT_U32(n)
Definition: suricata-common.h:381
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:20
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
FileContainer_::head
File * head
Definition: util-file.h:111
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DeStateStore_::next
struct DeStateStore_ * next
Definition: detect-engine-state.h:80
HtpState_::conn
htp_conn_t * conn
Definition: app-layer-htp.h:251
app-layer-parser.h
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:281
util-profiling.h
DetectEngineStateAlloc
DetectEngineState * DetectEngineStateAlloc(void)
Alloc a DetectEngineState object.
Definition: detect-engine-state.c:164
SCReturn
#define SCReturn
Definition: util-debug.h:302
Packet_
Definition: decode.h:427
DE_STATE_FLAG_BASE
#define DE_STATE_FLAG_BASE
Definition: detect-engine-state.h:64
app-layer-dcerpc-common.h
stream-tcp-private.h
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
AppLayerParserGetTx
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:1116
DetectEngineStateFree
void DetectEngineStateFree(DetectEngineState *state)
Frees a DetectEngineState object.
Definition: detect-engine-state.c:174
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1948
UTHFreeFlow
void UTHFreeFlow(Flow *flow)
Definition: util-unittest-helper.c:526
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:299
File_::flags
uint16_t flags
Definition: util-file.h:76
DetectEngineStateDirection_::head
DeStateStore * head
Definition: detect-engine-state.h:84
File_
Definition: util-file.h:75
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2420
Packet_::flow
struct Flow_ * flow
Definition: decode.h:464
DetectEngineStateResetTxs
void DetectEngineStateResetTxs(Flow *f)
Reset de state for active tx' To be used on detect engine reload.
Definition: detect-engine-state.c:285
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3142
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:662
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1237
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3354
DeStateStore_
Definition: detect-engine-state.h:78
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
File_::next
struct File_ * next
Definition: util-file.h:89
DetectEngineStateDirection_
Definition: detect-engine-state.h:83
AppLayerParserGetTxData
AppLayerTxData * AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx)
Definition: app-layer-parser.c:1188
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:817
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DetectEngineStateDirection_::filestore_cnt
uint16_t filestore_cnt
Definition: detect-engine-state.h:88
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:485
Flow_::alstate
void * alstate
Definition: flow.h:486
DeStateStore_::store
DeStateStoreItem store[DE_STATE_CHUNK_SIZE]
Definition: detect-engine-state.h:79
Flow_::flags
uint32_t flags
Definition: flow.h:431
detect-parse.h
Signature_
Signature container.
Definition: detect.h:548
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:227
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2394
app-layer-protos.h
HtpState_::files_ts
FileContainer * files_ts
Definition: app-layer-htp.h:255
FILE_NOSTORE
#define FILE_NOSTORE
Definition: util-file.h:54
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:812
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:86
TcpSession_
Definition: stream-tcp-private.h:260
SigIntId
#define SigIntId
Definition: suricata-common.h:296
DeStateStoreItem_
Definition: detect-engine-state.h:73
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:460
DeStateRegisterTests
void DeStateRegisterTests(void)
Definition: detect-engine-state.c:1413
detect-engine-dcepayload.h
SigGroupHead_::filestore_cnt
uint16_t filestore_cnt
Definition: detect.h:1438
AppLayerParserGetTxCnt
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
Definition: app-layer-parser.c:1109
DetectEngineStateDirection_::tail
DeStateStore * tail
Definition: detect-engine-state.h:86
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:130
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1172
app-layer.h