67 static inline int StateIsValid(uint16_t alproto,
void *alstate)
69 if (alstate != NULL) {
72 if (htp_state->
conn != NULL) {
91 #ifdef DEBUG_VALIDATION
99 for (; tx_store != NULL; tx_store = tx_store->
next) {
103 store_cnt++, state_cnt++)
106 if (item->
sid == num) {
107 SCLogDebug(
"sid %u already in state: %p %p %p %u %u, direction %s",
108 num, state, dir_state, tx_store, state_cnt,
109 store_cnt, direction & STREAM_TOSERVER ?
"toserver" :
"toclient");
119 const Signature *s, uint32_t inspect_flags, uint8_t direction)
124 &state->
dir_state[(direction & STREAM_TOSERVER) ? 0 : 1];
126 #ifdef DEBUG_VALIDATION
127 BUG_ON(DeStateSearchState(state, direction, s->
num));
131 store = DeStateStoreAlloc();
132 dir_state->
head = store;
133 dir_state->
cur = store;
134 dir_state->
tail = store;
135 }
else if (dir_state->
cur) {
136 store = dir_state->
cur;
138 store = DeStateStoreAlloc();
141 dir_state->
tail = store;
142 dir_state->
cur = store;
175 for (i = 0; i < 2; i++) {
177 while (store != NULL) {
178 store_next = store->
next;
186 static void StoreFileNoMatchCnt(
DetectEngineState *de_state, uint16_t file_no_match, uint8_t direction)
188 de_state->
dir_state[(direction & STREAM_TOSERVER) ? 0 : 1].filestore_cnt += file_no_match;
201 const uint8_t flow_flags,
void *tx,
const uint64_t tx_id,
const uint16_t file_no_match)
203 SCLogDebug(
"tx %"PRIu64
", file_no_match %u", tx_id, file_no_match);
204 StoreFileNoMatchCnt(destate, file_no_match, flow_flags);
205 if (StoreFilestoreSigsCantMatch(sgh, destate, flow_flags)) {
208 f, flow_flags & (STREAM_TOCLIENT | STREAM_TOSERVER), tx, tx_id);
216 Flow *f,
void *tx, uint64_t tx_id,
218 uint32_t inspect_flags, uint8_t flow_flags,
219 const uint16_t file_no_match)
223 if (tx_data == NULL) {
227 if (tx_data->de_state == NULL) {
229 if (tx_data->de_state == NULL)
231 SCLogDebug(
"destate created for %"PRIu64, tx_id);
233 DeStateSignatureAppend(tx_data->de_state, s, inspect_flags, flow_flags);
236 DeStateSignatureAppend(tx_data->de_state, s, inspect_flags,
237 flow_flags ^ (STREAM_TOSERVER | STREAM_TOCLIENT));
239 StoreStateTxHandleFiles(sgh, f, tx_data->de_state, flow_flags, tx, tx_id, file_no_match);
267 void *alstate = FlowGetAppState(f);
268 if (!StateIsValid(f->
alproto, alstate)) {
275 uint64_t inspect_tx_id =
MIN(inspect_ts, inspect_tc);
279 for ( ; inspect_tx_id < total_txs; inspect_tx_id++) {
281 if (inspect_tx != NULL) {
285 ResetTxState(txd->de_state);
296 static int DeStateTest01(
void)
298 SCLogDebug(
"sizeof(DetectEngineState)\t\t%"PRIuMAX,
300 SCLogDebug(
"sizeof(DeStateStore)\t\t\t%"PRIuMAX,
302 SCLogDebug(
"sizeof(DeStateStoreItem)\t\t%"PRIuMAX
"",
308 static int DeStateTest02(
void)
310 uint8_t direction = STREAM_TOSERVER;
316 memset(&s, 0x00,
sizeof(s));
319 DeStateSignatureAppend(state, &s, 0, direction);
321 DeStateSignatureAppend(state, &s, 0, direction);
323 DeStateSignatureAppend(state, &s, 0, direction);
325 DeStateSignatureAppend(state, &s, 0, direction);
327 DeStateSignatureAppend(state, &s, 0, direction);
329 DeStateSignatureAppend(state, &s, 0, direction);
331 DeStateSignatureAppend(state, &s, 0, direction);
333 DeStateSignatureAppend(state, &s, 0, direction);
335 DeStateSignatureAppend(state, &s, 0, direction);
337 DeStateSignatureAppend(state, &s, 0, direction);
339 DeStateSignatureAppend(state, &s, 0, direction);
341 DeStateSignatureAppend(state, &s, 0, direction);
343 DeStateSignatureAppend(state, &s, 0, direction);
345 DeStateSignatureAppend(state, &s, 0, direction);
347 state->
dir_state[direction & STREAM_TOSERVER ? 0 : 1].
cur);
350 DeStateSignatureAppend(state, &s, 0, direction);
354 state->
dir_state[direction & STREAM_TOSERVER ? 0 : 1].
cur);
358 DeStateSignatureAppend(state, &s, 0, direction);
361 state->
dir_state[direction & STREAM_TOSERVER ? 0 : 1].
cur);
364 DeStateSignatureAppend(state, &s, 0, direction);
377 state->
dir_state[direction & STREAM_TOSERVER ? 0 : 1].
cur);
380 DeStateSignatureAppend(state, &s, 0, direction);
382 DeStateSignatureAppend(state, &s, 0, direction);
384 DeStateSignatureAppend(state, &s, 0, direction);
386 DeStateSignatureAppend(state, &s, 0, direction);
388 DeStateSignatureAppend(state, &s, 0, direction);
390 DeStateSignatureAppend(state, &s, 0, direction);
392 DeStateSignatureAppend(state, &s, 0, direction);
394 DeStateSignatureAppend(state, &s, 0, direction);
396 DeStateSignatureAppend(state, &s, 0, direction);
398 DeStateSignatureAppend(state, &s, 0, direction);
400 DeStateSignatureAppend(state, &s, 0, direction);
402 DeStateSignatureAppend(state, &s, 0, direction);
404 DeStateSignatureAppend(state, &s, 0, direction);
406 DeStateSignatureAppend(state, &s, 0, direction);
408 state->
dir_state[direction & STREAM_TOSERVER ? 0 : 1].
cur);
410 DeStateSignatureAppend(state, &s, 0, direction);
413 state->
dir_state[direction & STREAM_TOSERVER ? 0 : 1].
cur);
415 state->
dir_state[direction & STREAM_TOSERVER ? 0 : 1].
cur);
417 DeStateSignatureAppend(state, &s, 0, direction);
419 DeStateSignatureAppend(state, &s, 0, direction);
433 static int DeStateTest03(
void)
439 memset(&s, 0x00,
sizeof(s));
441 uint8_t direction = STREAM_TOSERVER;
444 DeStateSignatureAppend(state, &s, 0, direction);
458 static int DeStateSigTest01(
void)
465 uint8_t httpbuf1[] =
"POST / HTTP/1.0\r\n";
466 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\n";
467 uint8_t httpbuf3[] =
"Cookie: dummy\r\nContent-Length: 10\r\n\r\n";
468 uint8_t httpbuf4[] =
"Http Body!";
469 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
470 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
471 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
472 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
477 memset(&th_v, 0,
sizeof(th_v));
478 memset(&f, 0,
sizeof(f));
479 memset(&ssn, 0,
sizeof(ssn));
486 f.
proto = IPPROTO_TCP;
539 static int DeStateSigTest02(
void)
546 uint8_t httpbuf1[] =
"POST / HTTP/1.1\r\n";
547 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
548 uint8_t httpbuf3[] =
"Cookie: dummy\r\n\r\n";
549 uint8_t httpbuf4[] =
"Http Body!";
550 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
551 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
552 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
553 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
554 uint8_t httpbuf5[] =
"GET /?var=val HTTP/1.1\r\n";
555 uint8_t httpbuf6[] =
"User-Agent: Firefox/1.0\r\n";
556 uint8_t httpbuf7[] =
"Cookie: dummy2\r\nContent-Length: 10\r\n\r\nHttp Body!";
557 uint32_t httplen5 =
sizeof(httpbuf5) - 1;
558 uint32_t httplen6 =
sizeof(httpbuf6) - 1;
559 uint32_t httplen7 =
sizeof(httpbuf7) - 1;
563 memset(&th_v, 0,
sizeof(th_v));
564 memset(&f, 0,
sizeof(f));
565 memset(&ssn, 0,
sizeof(ssn));
571 f.
proto = IPPROTO_TCP;
587 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (flow:to_server; content:\"POST\"; http_method; content:\"/\"; http_uri; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; content:\"body\"; nocase; http_client_body; sid:1; rev:1;)");
589 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (flow:to_server; content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; sid:2; rev:1;)");
653 static int DeStateSigTest03(
void)
655 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
656 "Host: www.server.lan\r\n"
657 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
658 "Content-Length: 215\r\n"
660 "-----------------------------277531038314945\r\n"
661 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
662 "Content-Type: image/jpeg\r\n"
665 "-----------------------------277531038314945--";
666 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
674 memset(&th_v, 0,
sizeof(th_v));
675 memset(&ssn, 0,
sizeof(ssn));
683 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert http any any -> any any (flow:to_server; content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filestore; sid:1; rev:1;)");
689 f =
UTHBuildFlow(AF_INET,
"1.2.3.4",
"1.2.3.5", 1024, 80);
692 f->
proto = IPPROTO_TCP;
706 STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
737 static int DeStateSigTest04(
void)
739 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
740 "Host: www.server.lan\r\n"
741 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
742 "Content-Length: 215\r\n"
744 "-----------------------------277531038314945\r\n"
745 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
746 "Content-Type: image/jpeg\r\n"
749 "-----------------------------277531038314945--";
750 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
756 memset(&th_v, 0,
sizeof(th_v));
757 memset(&ssn, 0,
sizeof(ssn));
774 f->
proto = IPPROTO_TCP;
787 STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
815 static int DeStateSigTest05(
void)
817 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
818 "Host: www.server.lan\r\n"
819 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
820 "Content-Length: 215\r\n"
822 "-----------------------------277531038314945\r\n"
823 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
824 "Content-Type: image/jpeg\r\n"
827 "-----------------------------277531038314945--";
828 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
835 memset(&th_v, 0,
sizeof(th_v));
836 memset(&ssn, 0,
sizeof(ssn));
843 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert http any any -> any any (content:\"GET\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"nomatch\"; sid:1; rev:1;)");
852 f->
proto = IPPROTO_TCP;
865 STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
897 static int DeStateSigTest06(
void)
899 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
900 "Host: www.server.lan\r\n"
901 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
902 "Content-Length: 215\r\n"
904 "-----------------------------277531038314945\r\n"
905 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
906 "Content-Type: image/jpeg\r\n"
909 "-----------------------------277531038314945--";
910 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
917 memset(&th_v, 0,
sizeof(th_v));
918 memset(&ssn, 0,
sizeof(ssn));
925 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert http any any -> any any (content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"nomatch\"; filestore; sid:1; rev:1;)");
935 f->
proto = IPPROTO_TCP;
948 STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
978 static int DeStateSigTest07(
void)
980 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
981 "Host: www.server.lan\r\n"
982 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
983 "Content-Length: 215\r\n"
985 "-----------------------------277531038314945\r\n"
986 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
987 "Content-Type: image/jpeg\r\n"
990 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
991 uint8_t httpbuf2[] =
"filecontent\r\n"
992 "-----------------------------277531038314945--";
993 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1000 memset(&th_v, 0,
sizeof(th_v));
1001 memset(&ssn, 0,
sizeof(ssn));
1017 f->
proto = IPPROTO_TCP;
1066 static int DeStateSigTest08(
void)
1068 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
1069 "Host: www.server.lan\r\n"
1070 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
1071 "Content-Length: 440\r\n"
1073 "-----------------------------277531038314945\r\n"
1074 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"AAAApicture1.jpg\"\r\n"
1075 "Content-Type: image/jpeg\r\n"
1078 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1079 uint8_t httpbuf2[] =
"file";
1080 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1081 uint8_t httpbuf3[] =
"content\r\n"
1082 "-----------------------------277531038314945\r\n";
1083 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
1085 uint8_t httpbuf4[] =
"Content-Disposition: form-data; name=\"uploadfile_1\"; filename=\"BBBBpicture2.jpg\"\r\n"
1086 "Content-Type: image/jpeg\r\n"
1089 "-----------------------------277531038314945--";
1090 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
1098 memset(&th_v, 0,
sizeof(th_v));
1099 memset(&ssn, 0,
sizeof(ssn));
1106 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert http any any -> any any (content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"BBBBpicture\"; filestore; sid:1; rev:1;)");
1115 f->
proto = IPPROTO_TCP;
1171 tx_ud = htp_tx_get_user_data(tx);
1194 static int DeStateSigTest09(
void)
1196 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
1197 "Host: www.server.lan\r\n"
1198 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
1199 "Content-Length: 440\r\n"
1201 "-----------------------------277531038314945\r\n"
1202 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
1203 "Content-Type: image/jpeg\r\n"
1206 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1207 uint8_t httpbuf2[] =
"file";
1208 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1209 uint8_t httpbuf3[] =
"content\r\n"
1210 "-----------------------------277531038314945\r\n";
1211 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
1213 uint8_t httpbuf4[] =
"Content-Disposition: form-data; name=\"uploadfile_1\"; filename=\"somepicture2.jpg\"\r\n"
1214 "Content-Type: image/jpeg\r\n"
1217 "-----------------------------277531038314945--";
1218 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
1226 memset(&th_v, 0,
sizeof(th_v));
1227 memset(&ssn, 0,
sizeof(ssn));
1234 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert http any any -> any any (content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"somepicture\"; filestore; sid:1; rev:1;)");
1243 f->
proto = IPPROTO_TCP;
1299 tx_ud = htp_tx_get_user_data(tx);
1320 static int DeStateSigTest10(
void)
1322 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
1323 "Host: www.server.lan\r\n"
1324 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
1325 "Content-Length: 440\r\n"
1327 "-----------------------------277531038314945\r\n"
1328 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
1329 "Content-Type: image/jpeg\r\n"
1332 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1333 uint8_t httpbuf2[] =
"file";
1334 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1335 uint8_t httpbuf3[] =
"content\r\n"
1336 "-----------------------------277531038314945\r\n";
1337 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
1339 uint8_t httpbuf4[] =
"Content-Disposition: form-data; name=\"uploadfile_1\"; filename=\"somepicture2.jpg\"\r\n"
1340 "Content-Type: image/jpeg\r\n"
1343 "-----------------------------277531038314945--";
1344 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
1352 memset(&th_v, 0,
sizeof(th_v));
1353 memset(&ssn, 0,
sizeof(ssn));
1369 f->
proto = IPPROTO_TCP;
1425 tx_ud = htp_tx_get_user_data(tx);