68 #define CASE_CODE(E) case E: return #E
70 static inline int StateIsValid(uint16_t alproto,
void *alstate)
72 if (alstate != NULL) {
75 if (htp_state->
conn != NULL) {
94 #ifdef DEBUG_VALIDATION
102 for (; tx_store != NULL; tx_store = tx_store->
next) {
106 store_cnt++, state_cnt++)
109 if (item->
sid == num) {
110 SCLogDebug(
"sid %u already in state: %p %p %p %u %u, direction %s",
111 num, state, dir_state, tx_store, state_cnt,
112 store_cnt, direction & STREAM_TOSERVER ?
"toserver" :
"toclient");
122 const Signature *s, uint32_t inspect_flags, uint8_t direction)
127 &state->
dir_state[(direction & STREAM_TOSERVER) ? 0 : 1];
129 #ifdef DEBUG_VALIDATION
130 BUG_ON(DeStateSearchState(state, direction, s->
num));
134 store = DeStateStoreAlloc();
135 dir_state->
head = store;
136 dir_state->
cur = store;
137 dir_state->
tail = store;
138 }
else if (dir_state->
cur) {
139 store = dir_state->
cur;
141 store = DeStateStoreAlloc();
144 dir_state->
tail = store;
145 dir_state->
cur = store;
178 for (i = 0; i < 2; i++) {
180 while (store != NULL) {
181 store_next = store->
next;
191 static void StoreFileNoMatchCnt(
DetectEngineState *de_state, uint16_t file_no_match, uint8_t direction)
193 de_state->
dir_state[(direction & STREAM_TOSERVER) ? 0 : 1].filestore_cnt += file_no_match;
208 const uint8_t flow_flags,
void *tx,
const uint64_t tx_id,
const uint16_t file_no_match)
210 SCLogDebug(
"tx %"PRIu64
", file_no_match %u", tx_id, file_no_match);
211 StoreFileNoMatchCnt(destate, file_no_match, flow_flags);
212 if (StoreFilestoreSigsCantMatch(sgh, destate, flow_flags)) {
215 f, flow_flags & (STREAM_TOCLIENT | STREAM_TOSERVER), tx, tx_id);
223 Flow *f,
void *tx, uint64_t tx_id,
225 uint32_t inspect_flags, uint8_t flow_flags,
226 const uint16_t file_no_match)
230 if (tx_data == NULL) {
234 if (tx_data->de_state == NULL) {
236 if (tx_data->de_state == NULL)
238 SCLogDebug(
"destate created for %"PRIu64, tx_id);
240 DeStateSignatureAppend(tx_data->de_state, s, inspect_flags, flow_flags);
241 StoreStateTxHandleFiles(sgh, f, tx_data->de_state, flow_flags, tx, tx_id, file_no_match);
269 void *alstate = FlowGetAppState(f);
270 if (!StateIsValid(f->
alproto, alstate)) {
277 uint64_t inspect_tx_id =
MIN(inspect_ts, inspect_tc);
281 for ( ; inspect_tx_id < total_txs; inspect_tx_id++) {
283 if (inspect_tx != NULL) {
287 ResetTxState(txd->de_state);
298 static int DeStateTest01(
void)
300 SCLogDebug(
"sizeof(DetectEngineState)\t\t%"PRIuMAX,
302 SCLogDebug(
"sizeof(DeStateStore)\t\t\t%"PRIuMAX,
304 SCLogDebug(
"sizeof(DeStateStoreItem)\t\t%"PRIuMAX
"",
310 static int DeStateTest02(
void)
312 uint8_t direction = STREAM_TOSERVER;
318 memset(&s, 0x00,
sizeof(s));
321 DeStateSignatureAppend(state, &s, 0, direction);
323 DeStateSignatureAppend(state, &s, 0, direction);
325 DeStateSignatureAppend(state, &s, 0, direction);
327 DeStateSignatureAppend(state, &s, 0, direction);
329 DeStateSignatureAppend(state, &s, 0, direction);
331 DeStateSignatureAppend(state, &s, 0, direction);
333 DeStateSignatureAppend(state, &s, 0, direction);
335 DeStateSignatureAppend(state, &s, 0, direction);
337 DeStateSignatureAppend(state, &s, 0, direction);
339 DeStateSignatureAppend(state, &s, 0, direction);
341 DeStateSignatureAppend(state, &s, 0, direction);
343 DeStateSignatureAppend(state, &s, 0, direction);
345 DeStateSignatureAppend(state, &s, 0, direction);
347 DeStateSignatureAppend(state, &s, 0, direction);
349 state->
dir_state[direction & STREAM_TOSERVER ? 0 : 1].
cur);
352 DeStateSignatureAppend(state, &s, 0, direction);
356 state->
dir_state[direction & STREAM_TOSERVER ? 0 : 1].
cur);
360 DeStateSignatureAppend(state, &s, 0, direction);
363 state->
dir_state[direction & STREAM_TOSERVER ? 0 : 1].
cur);
366 DeStateSignatureAppend(state, &s, 0, direction);
379 state->
dir_state[direction & STREAM_TOSERVER ? 0 : 1].
cur);
382 DeStateSignatureAppend(state, &s, 0, direction);
384 DeStateSignatureAppend(state, &s, 0, direction);
386 DeStateSignatureAppend(state, &s, 0, direction);
388 DeStateSignatureAppend(state, &s, 0, direction);
390 DeStateSignatureAppend(state, &s, 0, direction);
392 DeStateSignatureAppend(state, &s, 0, direction);
394 DeStateSignatureAppend(state, &s, 0, direction);
396 DeStateSignatureAppend(state, &s, 0, direction);
398 DeStateSignatureAppend(state, &s, 0, direction);
400 DeStateSignatureAppend(state, &s, 0, direction);
402 DeStateSignatureAppend(state, &s, 0, direction);
404 DeStateSignatureAppend(state, &s, 0, direction);
406 DeStateSignatureAppend(state, &s, 0, direction);
408 DeStateSignatureAppend(state, &s, 0, direction);
410 state->
dir_state[direction & STREAM_TOSERVER ? 0 : 1].
cur);
412 DeStateSignatureAppend(state, &s, 0, direction);
415 state->
dir_state[direction & STREAM_TOSERVER ? 0 : 1].
cur);
417 state->
dir_state[direction & STREAM_TOSERVER ? 0 : 1].
cur);
419 DeStateSignatureAppend(state, &s, 0, direction);
421 DeStateSignatureAppend(state, &s, 0, direction);
435 static int DeStateTest03(
void)
441 memset(&s, 0x00,
sizeof(s));
443 uint8_t direction = STREAM_TOSERVER;
446 DeStateSignatureAppend(state, &s, 0, direction);
460 static int DeStateSigTest01(
void)
467 uint8_t httpbuf1[] =
"POST / HTTP/1.0\r\n";
468 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\n";
469 uint8_t httpbuf3[] =
"Cookie: dummy\r\nContent-Length: 10\r\n\r\n";
470 uint8_t httpbuf4[] =
"Http Body!";
471 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
472 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
473 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
474 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
479 memset(&th_v, 0,
sizeof(th_v));
480 memset(&f, 0,
sizeof(f));
481 memset(&ssn, 0,
sizeof(ssn));
488 f.
proto = IPPROTO_TCP;
541 static int DeStateSigTest02(
void)
548 uint8_t httpbuf1[] =
"POST / HTTP/1.1\r\n";
549 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
550 uint8_t httpbuf3[] =
"Cookie: dummy\r\n\r\n";
551 uint8_t httpbuf4[] =
"Http Body!";
552 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
553 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
554 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
555 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
556 uint8_t httpbuf5[] =
"GET /?var=val HTTP/1.1\r\n";
557 uint8_t httpbuf6[] =
"User-Agent: Firefox/1.0\r\n";
558 uint8_t httpbuf7[] =
"Cookie: dummy2\r\nContent-Length: 10\r\n\r\nHttp Body!";
559 uint32_t httplen5 =
sizeof(httpbuf5) - 1;
560 uint32_t httplen6 =
sizeof(httpbuf6) - 1;
561 uint32_t httplen7 =
sizeof(httpbuf7) - 1;
565 memset(&th_v, 0,
sizeof(th_v));
566 memset(&f, 0,
sizeof(f));
567 memset(&ssn, 0,
sizeof(ssn));
573 f.
proto = IPPROTO_TCP;
589 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (flow:to_server; content:\"POST\"; http_method; content:\"/\"; http_uri; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; content:\"body\"; nocase; http_client_body; sid:1; rev:1;)");
591 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (flow:to_server; content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; sid:2; rev:1;)");
655 static int DeStateSigTest03(
void)
657 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
658 "Host: www.server.lan\r\n"
659 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
660 "Content-Length: 215\r\n"
662 "-----------------------------277531038314945\r\n"
663 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
664 "Content-Type: image/jpeg\r\n"
667 "-----------------------------277531038314945--";
668 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
676 memset(&th_v, 0,
sizeof(th_v));
677 memset(&ssn, 0,
sizeof(ssn));
685 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert http any any -> any any (flow:to_server; content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filestore; sid:1; rev:1;)");
691 f =
UTHBuildFlow(AF_INET,
"1.2.3.4",
"1.2.3.5", 1024, 80);
694 f->
proto = IPPROTO_TCP;
708 STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
739 static int DeStateSigTest04(
void)
741 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
742 "Host: www.server.lan\r\n"
743 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
744 "Content-Length: 215\r\n"
746 "-----------------------------277531038314945\r\n"
747 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
748 "Content-Type: image/jpeg\r\n"
751 "-----------------------------277531038314945--";
752 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
758 memset(&th_v, 0,
sizeof(th_v));
759 memset(&ssn, 0,
sizeof(ssn));
776 f->
proto = IPPROTO_TCP;
789 STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
817 static int DeStateSigTest05(
void)
819 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
820 "Host: www.server.lan\r\n"
821 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
822 "Content-Length: 215\r\n"
824 "-----------------------------277531038314945\r\n"
825 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
826 "Content-Type: image/jpeg\r\n"
829 "-----------------------------277531038314945--";
830 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
837 memset(&th_v, 0,
sizeof(th_v));
838 memset(&ssn, 0,
sizeof(ssn));
845 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert http any any -> any any (content:\"GET\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"nomatch\"; sid:1; rev:1;)");
854 f->
proto = IPPROTO_TCP;
867 STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
899 static int DeStateSigTest06(
void)
901 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
902 "Host: www.server.lan\r\n"
903 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
904 "Content-Length: 215\r\n"
906 "-----------------------------277531038314945\r\n"
907 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
908 "Content-Type: image/jpeg\r\n"
911 "-----------------------------277531038314945--";
912 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
919 memset(&th_v, 0,
sizeof(th_v));
920 memset(&ssn, 0,
sizeof(ssn));
927 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert http any any -> any any (content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"nomatch\"; filestore; sid:1; rev:1;)");
937 f->
proto = IPPROTO_TCP;
950 STREAM_TOSERVER | STREAM_START | STREAM_EOF, httpbuf1, httplen1);
980 static int DeStateSigTest07(
void)
982 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
983 "Host: www.server.lan\r\n"
984 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
985 "Content-Length: 215\r\n"
987 "-----------------------------277531038314945\r\n"
988 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
989 "Content-Type: image/jpeg\r\n"
992 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
993 uint8_t httpbuf2[] =
"filecontent\r\n"
994 "-----------------------------277531038314945--";
995 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1002 memset(&th_v, 0,
sizeof(th_v));
1003 memset(&ssn, 0,
sizeof(ssn));
1019 f->
proto = IPPROTO_TCP;
1068 static int DeStateSigTest08(
void)
1070 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
1071 "Host: www.server.lan\r\n"
1072 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
1073 "Content-Length: 440\r\n"
1075 "-----------------------------277531038314945\r\n"
1076 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"AAAApicture1.jpg\"\r\n"
1077 "Content-Type: image/jpeg\r\n"
1080 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1081 uint8_t httpbuf2[] =
"file";
1082 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1083 uint8_t httpbuf3[] =
"content\r\n"
1084 "-----------------------------277531038314945\r\n";
1085 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
1087 uint8_t httpbuf4[] =
"Content-Disposition: form-data; name=\"uploadfile_1\"; filename=\"BBBBpicture2.jpg\"\r\n"
1088 "Content-Type: image/jpeg\r\n"
1091 "-----------------------------277531038314945--";
1092 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
1100 memset(&th_v, 0,
sizeof(th_v));
1101 memset(&ssn, 0,
sizeof(ssn));
1108 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert http any any -> any any (content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"BBBBpicture\"; filestore; sid:1; rev:1;)");
1117 f->
proto = IPPROTO_TCP;
1173 tx_ud = htp_tx_get_user_data(tx);
1196 static int DeStateSigTest09(
void)
1198 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
1199 "Host: www.server.lan\r\n"
1200 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
1201 "Content-Length: 440\r\n"
1203 "-----------------------------277531038314945\r\n"
1204 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
1205 "Content-Type: image/jpeg\r\n"
1208 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1209 uint8_t httpbuf2[] =
"file";
1210 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1211 uint8_t httpbuf3[] =
"content\r\n"
1212 "-----------------------------277531038314945\r\n";
1213 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
1215 uint8_t httpbuf4[] =
"Content-Disposition: form-data; name=\"uploadfile_1\"; filename=\"somepicture2.jpg\"\r\n"
1216 "Content-Type: image/jpeg\r\n"
1219 "-----------------------------277531038314945--";
1220 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
1228 memset(&th_v, 0,
sizeof(th_v));
1229 memset(&ssn, 0,
sizeof(ssn));
1236 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert http any any -> any any (content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filename:\"somepicture\"; filestore; sid:1; rev:1;)");
1245 f->
proto = IPPROTO_TCP;
1301 tx_ud = htp_tx_get_user_data(tx);
1322 static int DeStateSigTest10(
void)
1324 uint8_t httpbuf1[] =
"POST /upload.cgi HTTP/1.1\r\n"
1325 "Host: www.server.lan\r\n"
1326 "Content-Type: multipart/form-data; boundary=---------------------------277531038314945\r\n"
1327 "Content-Length: 440\r\n"
1329 "-----------------------------277531038314945\r\n"
1330 "Content-Disposition: form-data; name=\"uploadfile_0\"; filename=\"somepicture1.jpg\"\r\n"
1331 "Content-Type: image/jpeg\r\n"
1334 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1335 uint8_t httpbuf2[] =
"file";
1336 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1337 uint8_t httpbuf3[] =
"content\r\n"
1338 "-----------------------------277531038314945\r\n";
1339 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
1341 uint8_t httpbuf4[] =
"Content-Disposition: form-data; name=\"uploadfile_1\"; filename=\"somepicture2.jpg\"\r\n"
1342 "Content-Type: image/jpeg\r\n"
1345 "-----------------------------277531038314945--";
1346 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
1354 memset(&th_v, 0,
sizeof(th_v));
1355 memset(&ssn, 0,
sizeof(ssn));
1371 f->
proto = IPPROTO_TCP;
1427 tx_ud = htp_tx_get_user_data(tx);