/* Expands to a switch label for E followed by a return of E's own spelling as
 * a string literal (#E stringifies the macro argument). The expansion carries
 * no trailing semicolon, so the use site has to supply it. */
68 #define CASE_CODE(E) case E: return #E
70 static inline int StateIsValid(uint16_t alproto,
void *alstate)
72 if (alstate != NULL) {
75 if (htp_state->
conn != NULL) {
95 #ifdef DEBUG_VALIDATION
103 for (; tx_store != NULL; tx_store = tx_store->
next) {
107 store_cnt++, state_cnt++)
110 if (item->
sid == num) {
111 SCLogDebug(
"sid %u already in state: %p %p %p %u %u, direction %s",
112 num, state, dir_state, tx_store, state_cnt,
113 store_cnt, direction & STREAM_TOSERVER ?
"toserver" :
"toclient");
123 const Signature *s, uint32_t inspect_flags, uint8_t direction)
128 &state->
dir_state[(direction & STREAM_TOSERVER) ? 0 : 1];
130 #ifdef DEBUG_VALIDATION
131 BUG_ON(DeStateSearchState(state, direction, s->
num));
135 store = DeStateStoreAlloc();
136 dir_state->
head = store;
137 dir_state->
cur = store;
138 dir_state->
tail = store;
139 }
else if (dir_state->
cur) {
140 store = dir_state->
cur;
142 store = DeStateStoreAlloc();
145 dir_state->
tail = store;
146 dir_state->
cur = store;
180 for (i = 0; i < 2; i++) {
182 while (store != NULL) {
183 store_next = store->
next;
/* Adds file_no_match to the filestore_cnt counter of one per-direction state.
 *
 * de_state:      detection state whose dir_state[] entry is updated.
 * file_no_match: amount added to the counter.
 * direction:     flag byte; only the STREAM_TOSERVER bit is tested, selecting
 *                dir_state[0] when it is set and dir_state[1] otherwise, so
 *                the index is always 0 or 1.
 *
 * de_state is dereferenced without a NULL check; callers must pass a valid
 * pointer.
 * NOTE(review): the declared width of filestore_cnt is not visible here;
 * confirm that repeated additions of a uint16_t cannot wrap it. The counter
 * is presumably what StoreFilestoreSigsCantMatch() consults. TODO confirm. */
193 static void StoreFileNoMatchCnt(
DetectEngineState *de_state, uint16_t file_no_match, uint8_t direction)
195 de_state->
dir_state[(direction & STREAM_TOSERVER) ? 0 : 1].filestore_cnt += file_no_match;
211 const uint64_t tx_id,
const uint16_t file_no_match)
213 SCLogDebug(
"tx %"PRIu64
", file_no_match %u", tx_id, file_no_match);
214 StoreFileNoMatchCnt(destate, file_no_match, flow_flags);
215 if (StoreFilestoreSigsCantMatch(sgh, destate, flow_flags)) {
222 Flow *f,
void *tx, uint64_t tx_id,
224 uint32_t inspect_flags, uint8_t flow_flags,
225 const uint16_t file_no_match)
229 if (tx_data == NULL) {
233 if (tx_data->de_state == NULL) {
235 if (tx_data->de_state == NULL)
237 SCLogDebug(
"destate created for %"PRIu64, tx_id);
239 DeStateSignatureAppend(tx_data->de_state, s, inspect_flags, flow_flags);
240 StoreStateTxHandleFiles(sgh, f, tx_data->de_state, flow_flags, tx_id, file_no_match);
254 const bool tag_txs_as_inspected)
259 tag_txs_as_inspected);
288 if (!StateIsValid(f->
alproto, alstate)) {
295 uint64_t inspect_tx_id =
MIN(inspect_ts, inspect_tc);
299 for ( ; inspect_tx_id < total_txs; inspect_tx_id++) {
301 if (inspect_tx != NULL) {
305 ResetTxState(txd->de_state);
315 static int DeStateTest01(
void)
317 SCLogDebug(
"sizeof(DetectEngineState)\t\t%"PRIuMAX,
319 SCLogDebug(
"sizeof(DeStateStore)\t\t\t%"PRIuMAX,
321 SCLogDebug(
"sizeof(DeStateStoreItem)\t\t%"PRIuMAX
"",
327 static int DeStateTest02(
void)
329 uint8_t direction = STREAM_TOSERVER;
335 memset(&s, 0x00,
sizeof(s));
338 DeStateSignatureAppend(state, &s, 0, direction);
340 DeStateSignatureAppend(state, &s, 0, direction);
342 DeStateSignatureAppend(state, &s, 0, direction);
344 DeStateSignatureAppend(state, &s, 0, direction);
346 DeStateSignatureAppend(state, &s, 0, direction);
348 DeStateSignatureAppend(state, &s, 0, direction);
350 DeStateSignatureAppend(state, &s, 0, direction);
352 DeStateSignatureAppend(state, &s, 0, direction);
354 DeStateSignatureAppend(state, &s, 0, direction);
356 DeStateSignatureAppend(state, &s, 0, direction);
358 DeStateSignatureAppend(state, &s, 0, direction);
360 DeStateSignatureAppend(state, &s, 0, direction);
362 DeStateSignatureAppend(state, &s, 0, direction);
364 DeStateSignatureAppend(state, &s, 0, direction);
366 state->
dir_state[direction & STREAM_TOSERVER ? 0 : 1].
cur);
369 DeStateSignatureAppend(state, &s, 0, direction);
373 state->
dir_state[direction & STREAM_TOSERVER ? 0 : 1].
cur);
377 DeStateSignatureAppend(state, &s, 0, direction);
380 state->
dir_state[direction & STREAM_TOSERVER ? 0 : 1].
cur);
383 DeStateSignatureAppend(state, &s, 0, direction);
396 state->
dir_state[direction & STREAM_TOSERVER ? 0 : 1].
cur);
399 DeStateSignatureAppend(state, &s, 0, direction);
401 DeStateSignatureAppend(state, &s, 0, direction);
403 DeStateSignatureAppend(state, &s, 0, direction);
405 DeStateSignatureAppend(state, &s, 0, direction);
407 DeStateSignatureAppend(state, &s, 0, direction);
409 DeStateSignatureAppend(state, &s, 0, direction);
411 DeStateSignatureAppend(state, &s, 0, direction);
413 DeStateSignatureAppend(state, &s, 0, direction);
415 DeStateSignatureAppend(state, &s, 0, direction);
417 DeStateSignatureAppend(state, &s, 0, direction);
419 DeStateSignatureAppend(state, &s, 0, direction);
421 DeStateSignatureAppend(state, &s, 0, direction);
423 DeStateSignatureAppend(state, &s, 0, direction);
425 DeStateSignatureAppend(state, &s, 0, direction);
427 state->
dir_state[direction & STREAM_TOSERVER ? 0 : 1].
cur);
429 DeStateSignatureAppend(state, &s, 0, direction);
432 state->
dir_state[direction & STREAM_TOSERVER ? 0 : 1].
cur);
434 state->
dir_state[direction & STREAM_TOSERVER ? 0 : 1].
cur);
436 DeStateSignatureAppend(state, &s, 0, direction);
438 DeStateSignatureAppend(state, &s, 0, direction);
452 static int DeStateTest03(
void)
458 memset(&s, 0x00,
sizeof(s));
460 uint8_t direction = STREAM_TOSERVER;
463 DeStateSignatureAppend(state, &s, 0, direction);
477 static int DeStateSigTest01(
void)
484 uint8_t httpbuf1[] =
"POST / HTTP/1.0\r\n";
485 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\n";
486 uint8_t httpbuf3[] =
"Cookie: dummy\r\nContent-Length: 10\r\n\r\n";
487 uint8_t httpbuf4[] =
"Http Body!";
488 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
489 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
490 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
491 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
496 memset(&th_v, 0,
sizeof(th_v));
497 memset(&f, 0,
sizeof(f));
498 memset(&ssn, 0,
sizeof(ssn));
505 f.
proto = IPPROTO_TCP;
558 static int DeStateSigTest02(
void)
565 uint8_t httpbuf1[] =
"POST / HTTP/1.1\r\n";
566 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
567 uint8_t httpbuf3[] =
"Cookie: dummy\r\n\r\n";
568 uint8_t httpbuf4[] =
"Http Body!";
569 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
570 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
571 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
572 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
573 uint8_t httpbuf5[] =
"GET /?var=val HTTP/1.1\r\n";
574 uint8_t httpbuf6[] =
"User-Agent: Firefox/1.0\r\n";
575 uint8_t httpbuf7[] =
"Cookie: dummy2\r\nContent-Length: 10\r\n\r\nHttp Body!";
576 uint32_t httplen5 =
sizeof(httpbuf5) - 1;
577 uint32_t httplen6 =
sizeof(httpbuf6) - 1;
578 uint32_t httplen7 =
sizeof(httpbuf7) - 1;
582 memset(&th_v, 0,
sizeof(th_v));
583 memset(&f, 0,
sizeof(f));
584 memset(&ssn, 0,
sizeof(ssn));
590 f.
proto = IPPROTO_TCP;
606 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (flow:to_server; content:\"POST\"; http_method; content:\"/\"; http_uri; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; content:\"body\"; nocase; http_client_body; sid:1; rev:1;)");
608 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (flow:to_server; content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; sid:2; rev:1;)");
672 static int DeStateSigTest03(
void)
674 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
675 "Host: www.server.lan\r\n"
676 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
677 "Content-Length: 215\r\n"
679 "-----------------------------277531038314945\r\n"
680 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
681 "Content-Type: image/jpeg\r\n"
684 "-----------------------------277531038314945--";
685 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
693 memset(&th_v, 0,
sizeof(th_v));
694 memset(&ssn, 0,
sizeof(ssn));
702 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert http any any -> any any (flow:to_server; content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filestore; sid:1; rev:1;)");
708 f =
UTHBuildFlow(AF_INET,
"1.2.3.4",
"1.2.3.5", 1024, 80);
711 f->
proto = IPPROTO_TCP;
725 STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
752 static int DeStateSigTest04(
void)
754 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
755 "Host: www.server.lan\r\n"
756 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
757 "Content-Length: 215\r\n"
759 "-----------------------------277531038314945\r\n"
760 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
761 "Content-Type: image/jpeg\r\n"
764 "-----------------------------277531038314945--";
765 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
771 memset(&th_v, 0,
sizeof(th_v));
772 memset(&ssn, 0,
sizeof(ssn));
789 f->
proto = IPPROTO_TCP;
802 STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
826 static int DeStateSigTest05(
void)
828 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
829 "Host: www.server.lan\r\n"
830 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
831 "Content-Length: 215\r\n"
833 "-----------------------------277531038314945\r\n"
834 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
835 "Content-Type: image/jpeg\r\n"
838 "-----------------------------277531038314945--";
839 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
846 memset(&th_v, 0,
sizeof(th_v));
847 memset(&ssn, 0,
sizeof(ssn));
854 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert http any any -> any any (content:\"GET\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"nomatch\"; sid:1; rev:1;)");
863 f->
proto = IPPROTO_TCP;
876 STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
900 static int DeStateSigTest06(
void)
902 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
903 "Host: www.server.lan\r\n"
904 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
905 "Content-Length: 215\r\n"
907 "-----------------------------277531038314945\r\n"
908 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
909 "Content-Type: image/jpeg\r\n"
912 "-----------------------------277531038314945--";
913 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
920 memset(&th_v, 0,
sizeof(th_v));
921 memset(&ssn, 0,
sizeof(ssn));
928 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert http any any -> any any (content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"nomatch\"; filestore; sid:1; rev:1;)");
938 f->
proto = IPPROTO_TCP;
951 STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
974 static int DeStateSigTest07(
void)
976 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
977 "Host: www.server.lan\r\n"
978 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
979 "Content-Length: 215\r\n"
981 "-----------------------------277531038314945\r\n"
982 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
983 "Content-Type: image/jpeg\r\n"
986 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
987 uint8_t httpbuf2[] =
"filecontent\r\n"
988 "-----------------------------277531038314945--";
989 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
996 memset(&th_v, 0,
sizeof(th_v));
997 memset(&ssn, 0,
sizeof(ssn));
1013 f->
proto = IPPROTO_TCP;
1058 static int DeStateSigTest08(
void)
1060 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
1061 "Host: www.server.lan\r\n"
1062 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
1063 "Content-Length: 440\r\n"
1065 "-----------------------------277531038314945\r\n"
1066 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"AAAApicture1.jpg\"\r\n"
1067 "Content-Type: image/jpeg\r\n"
1070 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1071 uint8_t httpbuf2[] =
"file";
1072 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1073 uint8_t httpbuf3[] =
"content\r\n"
1074 "-----------------------------277531038314945\r\n";
1075 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
1077 uint8_t httpbuf4[] =
"Content-Disposition: form-data; name=\"uploadfile_1\"; filename=\"BBBBpicture2.jpg\"\r\n"
1078 "Content-Type: image/jpeg\r\n"
1081 "-----------------------------277531038314945--";
1082 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
1090 memset(&th_v, 0,
sizeof(th_v));
1091 memset(&ssn, 0,
sizeof(ssn));
1098 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert http any any -> any any (content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"BBBBpicture\"; filestore; sid:1; rev:1;)");
1107 f->
proto = IPPROTO_TCP;
1178 static int DeStateSigTest09(
void)
1180 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
1181 "Host: www.server.lan\r\n"
1182 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
1183 "Content-Length: 440\r\n"
1185 "-----------------------------277531038314945\r\n"
1186 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
1187 "Content-Type: image/jpeg\r\n"
1190 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1191 uint8_t httpbuf2[] =
"file";
1192 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1193 uint8_t httpbuf3[] =
"content\r\n"
1194 "-----------------------------277531038314945\r\n";
1195 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
1197 uint8_t httpbuf4[] =
"Content-Disposition: form-data; name=\"uploadfile_1\"; filename=\"somepicture2.jpg\"\r\n"
1198 "Content-Type: image/jpeg\r\n"
1201 "-----------------------------277531038314945--";
1202 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
1210 memset(&th_v, 0,
sizeof(th_v));
1211 memset(&ssn, 0,
sizeof(ssn));
1218 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert http any any -> any any (content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"somepicture\"; filestore; sid:1; rev:1;)");
1227 f->
proto = IPPROTO_TCP;
1296 static int DeStateSigTest10(
void)
1298 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
1299 "Host: www.server.lan\r\n"
1300 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
1301 "Content-Length: 440\r\n"
1303 "-----------------------------277531038314945\r\n"
1304 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
1305 "Content-Type: image/jpeg\r\n"
1308 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1309 uint8_t httpbuf2[] =
"file";
1310 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1311 uint8_t httpbuf3[] =
"content\r\n"
1312 "-----------------------------277531038314945\r\n";
1313 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
1315 uint8_t httpbuf4[] =
"Content-Disposition: form-data; name=\"uploadfile_1\"; filename=\"somepicture2.jpg\"\r\n"
1316 "Content-Type: image/jpeg\r\n"
1319 "-----------------------------277531038314945--";
1320 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
1328 memset(&th_v, 0,
sizeof(th_v));
1329 memset(&ssn, 0,
sizeof(ssn));
1345 f->
proto = IPPROTO_TCP;