67 static inline int StateIsValid(uint16_t alproto,
void *alstate)
69 if (alstate != NULL) {
72 if (htp_state->
conn != NULL) {
91 #ifdef DEBUG_VALIDATION
99 for (; tx_store != NULL; tx_store = tx_store->
next) {
103 store_cnt++, state_cnt++)
106 if (item->
sid == num) {
107 SCLogDebug(
"sid %u already in state: %p %p %p %u %u, direction %s",
108 num, state, dir_state, tx_store, state_cnt,
109 store_cnt, direction & STREAM_TOSERVER ?
"toserver" :
"toclient");
119 const Signature *s, uint32_t inspect_flags, uint8_t direction)
124 &state->
dir_state[(direction & STREAM_TOSERVER) ? 0 : 1];
126 #ifdef DEBUG_VALIDATION
127 BUG_ON(DeStateSearchState(state, direction, s->
num));
131 store = DeStateStoreAlloc();
132 dir_state->
head = store;
133 dir_state->
cur = store;
134 dir_state->
tail = store;
135 }
else if (dir_state->
cur) {
136 store = dir_state->
cur;
138 store = DeStateStoreAlloc();
141 dir_state->
tail = store;
142 dir_state->
cur = store;
175 for (i = 0; i < 2; i++) {
177 while (store != NULL) {
178 store_next = store->
next;
186 static void StoreFileNoMatchCnt(
DetectEngineState *de_state, uint16_t file_no_match, uint8_t direction)
188 de_state->
dir_state[(direction & STREAM_TOSERVER) ? 0 : 1].filestore_cnt += file_no_match;
201 const uint8_t flow_flags,
void *tx,
const uint64_t tx_id,
const uint16_t file_no_match)
203 SCLogDebug(
"tx %"PRIu64
", file_no_match %u", tx_id, file_no_match);
204 StoreFileNoMatchCnt(destate, file_no_match, flow_flags);
205 if (StoreFilestoreSigsCantMatch(sgh, destate, flow_flags)) {
208 f, flow_flags & (STREAM_TOCLIENT | STREAM_TOSERVER), tx, tx_id);
216 Flow *f,
void *tx, uint64_t tx_id,
218 uint32_t inspect_flags, uint8_t flow_flags,
219 const uint16_t file_no_match)
222 if (tx_data->de_state == NULL) {
224 if (tx_data->de_state == NULL)
226 SCLogDebug(
"destate created for %"PRIu64, tx_id);
228 DeStateSignatureAppend(tx_data->de_state, s, inspect_flags, flow_flags);
231 DeStateSignatureAppend(tx_data->de_state, s, inspect_flags,
232 flow_flags ^ (STREAM_TOSERVER | STREAM_TOCLIENT));
234 StoreStateTxHandleFiles(sgh, f, tx_data->de_state, flow_flags, tx, tx_id, file_no_match);
262 void *alstate = FlowGetAppState(f);
263 if (!StateIsValid(f->
alproto, alstate)) {
270 uint64_t inspect_tx_id =
MIN(inspect_ts, inspect_tc);
274 for ( ; inspect_tx_id < total_txs; inspect_tx_id++) {
276 if (inspect_tx != NULL) {
278 ResetTxState(txd->de_state);
288 static int DeStateTest01(
void)
290 SCLogDebug(
"sizeof(DetectEngineState)\t\t%"PRIuMAX,
292 SCLogDebug(
"sizeof(DeStateStore)\t\t\t%"PRIuMAX,
294 SCLogDebug(
"sizeof(DeStateStoreItem)\t\t%"PRIuMAX
"",
300 static int DeStateTest02(
void)
302 uint8_t direction = STREAM_TOSERVER;
308 memset(&s, 0x00,
sizeof(s));
311 DeStateSignatureAppend(state, &s, 0, direction);
313 DeStateSignatureAppend(state, &s, 0, direction);
315 DeStateSignatureAppend(state, &s, 0, direction);
317 DeStateSignatureAppend(state, &s, 0, direction);
319 DeStateSignatureAppend(state, &s, 0, direction);
321 DeStateSignatureAppend(state, &s, 0, direction);
323 DeStateSignatureAppend(state, &s, 0, direction);
325 DeStateSignatureAppend(state, &s, 0, direction);
327 DeStateSignatureAppend(state, &s, 0, direction);
329 DeStateSignatureAppend(state, &s, 0, direction);
331 DeStateSignatureAppend(state, &s, 0, direction);
333 DeStateSignatureAppend(state, &s, 0, direction);
335 DeStateSignatureAppend(state, &s, 0, direction);
337 DeStateSignatureAppend(state, &s, 0, direction);
339 state->
dir_state[direction & STREAM_TOSERVER ? 0 : 1].
cur);
342 DeStateSignatureAppend(state, &s, 0, direction);
346 state->
dir_state[direction & STREAM_TOSERVER ? 0 : 1].
cur);
350 DeStateSignatureAppend(state, &s, 0, direction);
353 state->
dir_state[direction & STREAM_TOSERVER ? 0 : 1].
cur);
356 DeStateSignatureAppend(state, &s, 0, direction);
369 state->
dir_state[direction & STREAM_TOSERVER ? 0 : 1].
cur);
372 DeStateSignatureAppend(state, &s, 0, direction);
374 DeStateSignatureAppend(state, &s, 0, direction);
376 DeStateSignatureAppend(state, &s, 0, direction);
378 DeStateSignatureAppend(state, &s, 0, direction);
380 DeStateSignatureAppend(state, &s, 0, direction);
382 DeStateSignatureAppend(state, &s, 0, direction);
384 DeStateSignatureAppend(state, &s, 0, direction);
386 DeStateSignatureAppend(state, &s, 0, direction);
388 DeStateSignatureAppend(state, &s, 0, direction);
390 DeStateSignatureAppend(state, &s, 0, direction);
392 DeStateSignatureAppend(state, &s, 0, direction);
394 DeStateSignatureAppend(state, &s, 0, direction);
396 DeStateSignatureAppend(state, &s, 0, direction);
398 DeStateSignatureAppend(state, &s, 0, direction);
400 state->
dir_state[direction & STREAM_TOSERVER ? 0 : 1].
cur);
402 DeStateSignatureAppend(state, &s, 0, direction);
405 state->
dir_state[direction & STREAM_TOSERVER ? 0 : 1].
cur);
407 state->
dir_state[direction & STREAM_TOSERVER ? 0 : 1].
cur);
409 DeStateSignatureAppend(state, &s, 0, direction);
411 DeStateSignatureAppend(state, &s, 0, direction);
425 static int DeStateTest03(
void)
431 memset(&s, 0x00,
sizeof(s));
433 uint8_t direction = STREAM_TOSERVER;
436 DeStateSignatureAppend(state, &s, 0, direction);
450 static int DeStateSigTest01(
void)
457 uint8_t httpbuf1[] =
"POST / HTTP/1.0\r\n";
458 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\n";
459 uint8_t httpbuf3[] =
"Cookie: dummy\r\nContent-Length: 10\r\n\r\n";
460 uint8_t httpbuf4[] =
"Http Body!";
461 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
462 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
463 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
464 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
469 memset(&th_v, 0,
sizeof(th_v));
470 memset(&f, 0,
sizeof(f));
471 memset(&ssn, 0,
sizeof(ssn));
478 f.
proto = IPPROTO_TCP;
531 static int DeStateSigTest02(
void)
538 uint8_t httpbuf1[] =
"POST / HTTP/1.1\r\n";
539 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
540 uint8_t httpbuf3[] =
"Cookie: dummy\r\n\r\n";
541 uint8_t httpbuf4[] =
"Http Body!";
542 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
543 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
544 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
545 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
546 uint8_t httpbuf5[] =
"GET /?var=val HTTP/1.1\r\n";
547 uint8_t httpbuf6[] =
"User-Agent: Firefox/1.0\r\n";
548 uint8_t httpbuf7[] =
"Cookie: dummy2\r\nContent-Length: 10\r\n\r\nHttp Body!";
549 uint32_t httplen5 =
sizeof(httpbuf5) - 1;
550 uint32_t httplen6 =
sizeof(httpbuf6) - 1;
551 uint32_t httplen7 =
sizeof(httpbuf7) - 1;
555 memset(&th_v, 0,
sizeof(th_v));
556 memset(&f, 0,
sizeof(f));
557 memset(&ssn, 0,
sizeof(ssn));
563 f.
proto = IPPROTO_TCP;
579 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (flow:to_server; content:\"POST\"; http_method; content:\"/\"; http_uri; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; content:\"body\"; nocase; http_client_body; sid:1; rev:1;)");
581 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (flow:to_server; content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; sid:2; rev:1;)");
645 static int DeStateSigTest03(
void)
647 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
648 "Host: www.server.lan\r\n"
649 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
650 "Content-Length: 215\r\n"
652 "-----------------------------277531038314945\r\n"
653 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
654 "Content-Type: image/jpeg\r\n"
657 "-----------------------------277531038314945--";
658 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
666 memset(&th_v, 0,
sizeof(th_v));
667 memset(&ssn, 0,
sizeof(ssn));
675 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert http any any -> any any (flow:to_server; content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filestore; sid:1; rev:1;)");
681 f =
UTHBuildFlow(AF_INET,
"1.2.3.4",
"1.2.3.5", 1024, 80);
684 f->
proto = IPPROTO_TCP;
698 STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
729 static int DeStateSigTest04(
void)
731 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
732 "Host: www.server.lan\r\n"
733 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
734 "Content-Length: 215\r\n"
736 "-----------------------------277531038314945\r\n"
737 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
738 "Content-Type: image/jpeg\r\n"
741 "-----------------------------277531038314945--";
742 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
748 memset(&th_v, 0,
sizeof(th_v));
749 memset(&ssn, 0,
sizeof(ssn));
766 f->
proto = IPPROTO_TCP;
779 STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
807 static int DeStateSigTest05(
void)
809 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
810 "Host: www.server.lan\r\n"
811 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
812 "Content-Length: 215\r\n"
814 "-----------------------------277531038314945\r\n"
815 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
816 "Content-Type: image/jpeg\r\n"
819 "-----------------------------277531038314945--";
820 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
827 memset(&th_v, 0,
sizeof(th_v));
828 memset(&ssn, 0,
sizeof(ssn));
835 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert http any any -> any any (content:\"GET\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"nomatch\"; sid:1; rev:1;)");
844 f->
proto = IPPROTO_TCP;
857 STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
889 static int DeStateSigTest06(
void)
891 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
892 "Host: www.server.lan\r\n"
893 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
894 "Content-Length: 215\r\n"
896 "-----------------------------277531038314945\r\n"
897 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
898 "Content-Type: image/jpeg\r\n"
901 "-----------------------------277531038314945--";
902 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
909 memset(&th_v, 0,
sizeof(th_v));
910 memset(&ssn, 0,
sizeof(ssn));
917 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert http any any -> any any (content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"nomatch\"; filestore; sid:1; rev:1;)");
927 f->
proto = IPPROTO_TCP;
940 STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
970 static int DeStateSigTest07(
void)
972 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
973 "Host: www.server.lan\r\n"
974 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
975 "Content-Length: 215\r\n"
977 "-----------------------------277531038314945\r\n"
978 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
979 "Content-Type: image/jpeg\r\n"
982 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
983 uint8_t httpbuf2[] =
"filecontent\r\n"
984 "-----------------------------277531038314945--";
985 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
992 memset(&th_v, 0,
sizeof(th_v));
993 memset(&ssn, 0,
sizeof(ssn));
1009 f->
proto = IPPROTO_TCP;
1058 static int DeStateSigTest08(
void)
1060 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
1061 "Host: www.server.lan\r\n"
1062 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
1063 "Content-Length: 440\r\n"
1065 "-----------------------------277531038314945\r\n"
1066 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"AAAApicture1.jpg\"\r\n"
1067 "Content-Type: image/jpeg\r\n"
1070 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1071 uint8_t httpbuf2[] =
"file";
1072 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1073 uint8_t httpbuf3[] =
"content\r\n"
1074 "-----------------------------277531038314945\r\n";
1075 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
1077 uint8_t httpbuf4[] =
"Content-Disposition: form-data; name=\"uploadfile_1\"; filename=\"BBBBpicture2.jpg\"\r\n"
1078 "Content-Type: image/jpeg\r\n"
1081 "-----------------------------277531038314945--";
1082 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
1090 memset(&th_v, 0,
sizeof(th_v));
1091 memset(&ssn, 0,
sizeof(ssn));
1098 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert http any any -> any any (content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"BBBBpicture\"; filestore; sid:1; rev:1;)");
1107 f->
proto = IPPROTO_TCP;
1163 tx_ud = htp_tx_get_user_data(tx);
1186 static int DeStateSigTest09(
void)
1188 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
1189 "Host: www.server.lan\r\n"
1190 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
1191 "Content-Length: 440\r\n"
1193 "-----------------------------277531038314945\r\n"
1194 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
1195 "Content-Type: image/jpeg\r\n"
1198 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1199 uint8_t httpbuf2[] =
"file";
1200 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1201 uint8_t httpbuf3[] =
"content\r\n"
1202 "-----------------------------277531038314945\r\n";
1203 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
1205 uint8_t httpbuf4[] =
"Content-Disposition: form-data; name=\"uploadfile_1\"; filename=\"somepicture2.jpg\"\r\n"
1206 "Content-Type: image/jpeg\r\n"
1209 "-----------------------------277531038314945--";
1210 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
1218 memset(&th_v, 0,
sizeof(th_v));
1219 memset(&ssn, 0,
sizeof(ssn));
1226 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert http any any -> any any (content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"somepicture\"; filestore; sid:1; rev:1;)");
1235 f->
proto = IPPROTO_TCP;
1291 tx_ud = htp_tx_get_user_data(tx);
1312 static int DeStateSigTest10(
void)
1314 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
1315 "Host: www.server.lan\r\n"
1316 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
1317 "Content-Length: 440\r\n"
1319 "-----------------------------277531038314945\r\n"
1320 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
1321 "Content-Type: image/jpeg\r\n"
1324 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1325 uint8_t httpbuf2[] =
"file";
1326 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1327 uint8_t httpbuf3[] =
"content\r\n"
1328 "-----------------------------277531038314945\r\n";
1329 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
1331 uint8_t httpbuf4[] =
"Content-Disposition: form-data; name=\"uploadfile_1\"; filename=\"somepicture2.jpg\"\r\n"
1332 "Content-Type: image/jpeg\r\n"
1335 "-----------------------------277531038314945--";
1336 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
1344 memset(&th_v, 0,
sizeof(th_v));
1345 memset(&ssn, 0,
sizeof(ssn));
1361 f->
proto = IPPROTO_TCP;
1417 tx_ud = htp_tx_get_user_data(tx);