suricata
detect-http-user-agent.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /** \file
26  *
27  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
28  * \author Victor Julien <victor@inliniac.net>
29  *
30  * \brief Handle HTTP user agent match
31  *
32  */
33 
34 #include "suricata-common.h"
35 #include "suricata.h"
36 #include "flow-util.h"
37 #include "flow.h"
38 #include "app-layer-parser.h"
39 #include "util-unittest.h"
40 #include "util-unittest-helper.h"
41 #include "app-layer.h"
42 #include "app-layer-htp.h"
43 #include "app-layer-protos.h"
44 #include "detect-engine-build.h"
45 #include "detect-engine-alert.h"
46 
47 static int DetectEngineHttpUATest(
48  const uint8_t *buf, const uint32_t buf_len, const char *sig, const bool expect)
49 {
50  TcpSession ssn;
51  ThreadVars th_v;
52  DetectEngineThreadCtx *det_ctx = NULL;
53  Flow f;
54 
55  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
56  FAIL_IF_NULL(alp_tctx);
57 
58  memset(&th_v, 0, sizeof(th_v));
59  memset(&f, 0, sizeof(f));
60  memset(&ssn, 0, sizeof(ssn));
61 
62  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
63  FAIL_IF_NULL(p);
64 
65  FLOW_INITIALIZE(&f);
66  f.protoctx = (void *)&ssn;
67  f.proto = IPPROTO_TCP;
68  f.flags |= FLOW_IPV4;
69  p->flow = &f;
70  p->flowflags |= FLOW_PKT_TOSERVER;
71  p->flowflags |= FLOW_PKT_ESTABLISHED;
72  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
73  f.alproto = ALPROTO_HTTP1;
74 
75  StreamTcpInitConfig(true);
76 
77  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
78  FAIL_IF_NULL(de_ctx);
79  de_ctx->flags |= DE_QUIET;
80 
81  Signature *s = DetectEngineAppendSig(de_ctx, sig);
82  FAIL_IF_NULL(s);
83 
84  SigGroupBuild(de_ctx);
85  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
86  FAIL_IF_NULL(det_ctx);
87 
88  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buf_len);
89  FAIL_IF_NOT(r == 0);
90  FAIL_IF_NULL(f.alstate);
91 
92  /* do detect */
93  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
94 
95  bool match = PacketAlertCheck(p, 1);
96  FAIL_IF_NOT(match == expect);
97 
98  UTHFreePackets(&p, 1);
99  FLOW_DESTROY(&f);
100  AppLayerParserThreadCtxFree(alp_tctx);
101  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
102  DetectEngineCtxFree(de_ctx);
103  StreamTcpFreeConfig(true);
104  StatsThreadCleanup(&th_v);
105  PASS;
106 }
107 
108 static int DetectEngineHttpUATest01(void)
109 {
110  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
111  "User-Agent: CONNECT\r\n"
112  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
113  uint32_t http_len = sizeof(http_buf) - 1;
114  return DetectEngineHttpUATest(http_buf, http_len,
115  "alert http any any -> any any "
116  "(msg:\"http user agent test\"; "
117  "content:\"CONNECT\"; http_user_agent; "
118  "sid:1;)",
119  true);
120 }
121 
122 static int DetectEngineHttpUATest02(void)
123 {
124  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
125  "User-Agent: CONNECT\r\n"
126  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
127  uint32_t http_len = sizeof(http_buf) - 1;
128  return DetectEngineHttpUATest(http_buf, http_len,
129  "alert http any any -> any any "
130  "(msg:\"http user agent test\"; "
131  "content:\"CO\"; depth:4; http_user_agent; "
132  "sid:1;)",
133  true);
134 }
135 
136 static int DetectEngineHttpUATest03(void)
137 {
138  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
139  "User-Agent: CONNECT\r\n"
140  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
141  uint32_t http_len = sizeof(http_buf) - 1;
142  return DetectEngineHttpUATest(http_buf, http_len,
143  "alert http any any -> any any "
144  "(msg:\"http_user_agent test\"; "
145  "content:!\"ECT\"; depth:4; http_user_agent; "
146  "sid:1;)",
147  true);
148 }
149 
150 static int DetectEngineHttpUATest04(void)
151 {
152  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
153  "User-Agent: CONNECT\r\n"
154  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
155  uint32_t http_len = sizeof(http_buf) - 1;
156  return DetectEngineHttpUATest(http_buf, http_len,
157  "alert http any any -> any any "
158  "(msg:\"http user agent test\"; "
159  "content:\"ECT\"; depth:4; http_user_agent; "
160  "sid:1;)",
161  false);
162 }
163 
164 static int DetectEngineHttpUATest05(void)
165 {
166  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
167  "User-Agent: CONNECT\r\n"
168  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
169  uint32_t http_len = sizeof(http_buf) - 1;
170  return DetectEngineHttpUATest(http_buf, http_len,
171  "alert http any any -> any any "
172  "(msg:\"http user agent test\"; "
173  "content:!\"CON\"; depth:4; http_user_agent; "
174  "sid:1;)",
175  false);
176 }
177 
178 static int DetectEngineHttpUATest06(void)
179 {
180  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
181  "User-Agent: CONNECT\r\n"
182  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
183  uint32_t http_len = sizeof(http_buf) - 1;
184  return DetectEngineHttpUATest(http_buf, http_len,
185  "alert http any any -> any any "
186  "(msg:\"http user agent test\"; "
187  "content:\"ECT\"; offset:3; http_user_agent; "
188  "sid:1;)",
189  true);
190 }
191 
192 static int DetectEngineHttpUATest07(void)
193 {
194  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
195  "User-Agent: CONNECT\r\n"
196  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
197  uint32_t http_len = sizeof(http_buf) - 1;
198  return DetectEngineHttpUATest(http_buf, http_len,
199  "alert http any any -> any any "
200  "(msg:\"http user agent test\"; "
201  "content:!\"CO\"; offset:3; http_user_agent; "
202  "sid:1;)",
203  true);
204 }
205 
206 static int DetectEngineHttpUATest08(void)
207 {
208  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
209  "User-Agent: CONNECT\r\n"
210  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
211  uint32_t http_len = sizeof(http_buf) - 1;
212  return DetectEngineHttpUATest(http_buf, http_len,
213  "alert http any any -> any any "
214  "(msg:\"http user agent test\"; "
215  "content:!\"ECT\"; offset:3; http_user_agent; "
216  "sid:1;)",
217  false);
218 }
219 
220 static int DetectEngineHttpUATest09(void)
221 {
222  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
223  "User-Agent: CONNECT\r\n"
224  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
225  uint32_t http_len = sizeof(http_buf) - 1;
226  return DetectEngineHttpUATest(http_buf, http_len,
227  "alert http any any -> any any "
228  "(msg:\"http user agent test\"; "
229  "content:\"CON\"; offset:3; http_user_agent; "
230  "sid:1;)",
231  false);
232 }
233 
234 static int DetectEngineHttpUATest10(void)
235 {
236  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
237  "User-Agent: CONNECT\r\n"
238  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
239  uint32_t http_len = sizeof(http_buf) - 1;
240  return DetectEngineHttpUATest(http_buf, http_len,
241  "alert http any any -> any any "
242  "(msg:\"http_user_agent test\"; "
243  "content:\"CO\"; http_user_agent; "
244  "content:\"EC\"; within:4; http_user_agent; "
245  "sid:1;)",
246  true);
247 }
248 
249 static int DetectEngineHttpUATest11(void)
250 {
251  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
252  "User-Agent: CONNECT\r\n"
253  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
254  uint32_t http_len = sizeof(http_buf) - 1;
255  return DetectEngineHttpUATest(http_buf, http_len,
256  "alert http any any -> any any "
257  "(msg:\"http user agent test\"; "
258  "content:\"CO\"; http_user_agent; "
259  "content:!\"EC\"; within:3; http_user_agent; "
260  "sid:1;)",
261  true);
262 }
263 
264 static int DetectEngineHttpUATest12(void)
265 {
266  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
267  "User-Agent: CONNECT\r\n"
268  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
269  uint32_t http_len = sizeof(http_buf) - 1;
270  return DetectEngineHttpUATest(http_buf, http_len,
271  "alert http any any -> any any "
272  "(msg:\"http_user_agent test\"; "
273  "content:\"CO\"; http_user_agent; "
274  "content:\"EC\"; within:3; http_user_agent; "
275  "sid:1;)",
276  false);
277 }
278 
279 static int DetectEngineHttpUATest13(void)
280 {
281  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
282  "User-Agent: CONNECT\r\n"
283  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
284  uint32_t http_len = sizeof(http_buf) - 1;
285  return DetectEngineHttpUATest(http_buf, http_len,
286  "alert http any any -> any any "
287  "(msg:\"http user agent test\"; "
288  "content:\"CO\"; http_user_agent; "
289  "content:!\"EC\"; within:4; http_user_agent; "
290  "sid:1;)",
291  false);
292 }
293 
294 static int DetectEngineHttpUATest14(void)
295 {
296  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
297  "User-Agent: CONNECT\r\n"
298  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
299  uint32_t http_len = sizeof(http_buf) - 1;
300  return DetectEngineHttpUATest(http_buf, http_len,
301  "alert http any any -> any any "
302  "(msg:\"http_user_agent test\"; "
303  "content:\"CO\"; http_user_agent; "
304  "content:\"EC\"; distance:2; http_user_agent; "
305  "sid:1;)",
306  true);
307 }
308 
309 static int DetectEngineHttpUATest15(void)
310 {
311  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
312  "User-Agent: CONNECT\r\n"
313  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
314  uint32_t http_len = sizeof(http_buf) - 1;
315  return DetectEngineHttpUATest(http_buf, http_len,
316  "alert http any any -> any any "
317  "(msg:\"http user agent test\"; "
318  "content:\"CO\"; http_user_agent; "
319  "content:!\"EC\"; distance:3; http_user_agent; "
320  "sid:1;)",
321  true);
322 }
323 
324 static int DetectEngineHttpUATest16(void)
325 {
326  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
327  "User-Agent: CONNECT\r\n"
328  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
329  uint32_t http_len = sizeof(http_buf) - 1;
330  return DetectEngineHttpUATest(http_buf, http_len,
331  "alert http any any -> any any "
332  "(msg:\"http user agent test\"; "
333  "content:\"CO\"; http_user_agent; "
334  "content:\"EC\"; distance:3; http_user_agent; "
335  "sid:1;)",
336  false);
337 }
338 
339 static int DetectEngineHttpUATest17(void)
340 {
341  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
342  "User-Agent: CONNECT\r\n"
343  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
344  uint32_t http_len = sizeof(http_buf) - 1;
345  return DetectEngineHttpUATest(http_buf, http_len,
346  "alert http any any -> any any "
347  "(msg:\"http_user_agent test\"; "
348  "content:\"CO\"; http_user_agent; "
349  "content:!\"EC\"; distance:2; http_user_agent; "
350  "sid:1;)",
351  false);
352 }
353 
354 static int DetectHttpUATestSigParse(const char *sig, const bool expect)
355 {
356  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
357  FAIL_IF_NULL(de_ctx);
358  de_ctx->flags |= DE_QUIET;
359 
360  Signature *s = DetectEngineAppendSig(de_ctx, sig);
361  bool parsed = (s != NULL);
362  FAIL_IF_NOT(parsed == expect);
363  DetectEngineCtxFree(de_ctx);
364  PASS;
365 }
366 
367 /**
368  * \test Test that a signature containing a http_user_agent is correctly parsed
369  * and the keyword is registered.
370  */
371 static int DetectHttpUATest01(void)
372 {
373  return DetectHttpUATestSigParse("alert tcp any any -> any any "
374  "(msg:\"Testing http_user_agent\"; "
375  "content:\"one\"; http_user_agent; sid:1;)",
376  true);
377 }
378 
379 /**
380  * \test Test that a signature containing an valid http_user_agent entry is
381  * parsed.
382  */
383 static int DetectHttpUATest02(void)
384 {
385  return DetectHttpUATestSigParse("alert tcp any any -> any any "
386  "(msg:\"Testing http_user_agent\"; "
387  "content:\"one\"; http_user_agent:; sid:1;)",
388  true);
389 }
390 
391 /**
392  * \test Test that an invalid signature containing no content but a
393  * http_user_agent is invalidated.
394  */
395 static int DetectHttpUATest03(void)
396 {
397  return DetectHttpUATestSigParse("alert tcp any any -> any any "
398  "(msg:\"Testing http_user_agent\"; "
399  "http_user_agent; sid:1;)",
400  false);
401 }
402 
403 /**
404  * \test Test that an invalid signature containing a rawbytes along with a
405  * http_user_agent is invalidated.
406  */
407 static int DetectHttpUATest04(void)
408 {
409  return DetectHttpUATestSigParse("alert tcp any any -> any any "
410  "(msg:\"Testing http_user_agent\"; "
411  "content:\"one\"; rawbytes; http_user_agent; sid:1;)",
412  false);
413 }
414 
415 /**
416  * \test Test that a http_user_agent with nocase is parsed.
417  */
418 static int DetectHttpUATest05(void)
419 {
420  return DetectHttpUATestSigParse("alert tcp any any -> any any "
421  "(msg:\"Testing http_user_agent\"; "
422  "content:\"one\"; http_user_agent; nocase; sid:1;)",
423  true);
424 }
425 
426 /**
427  *\test Test that the http_user_agent content matches against a http request
428  * which holds the content.
429  */
430 static int DetectHttpUATest06(void)
431 {
432  TcpSession ssn;
433  ThreadVars th_v;
434  DetectEngineThreadCtx *det_ctx = NULL;
435  Flow f;
436  uint8_t http_buf[] =
437  "GET /index.html HTTP/1.0\r\n"
438  "Host: www.openinfosecfoundation.org\r\n"
439  "User-Agent: This is dummy message body\r\n"
440  "Content-Type: text/html\r\n"
441  "\r\n";
442  uint32_t http_len = sizeof(http_buf) - 1;
443  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
444 
445  memset(&th_v, 0, sizeof(th_v));
446  memset(&f, 0, sizeof(f));
447  memset(&ssn, 0, sizeof(ssn));
448 
449  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
450  FAIL_IF_NULL(p);
451 
452  FLOW_INITIALIZE(&f);
453  f.protoctx = (void *)&ssn;
454  f.proto = IPPROTO_TCP;
455  f.flags |= FLOW_IPV4;
456 
457  p->flow = &f;
458  p->flowflags |= FLOW_PKT_TOSERVER;
459  p->flowflags |= FLOW_PKT_ESTABLISHED;
460  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
461  f.alproto = ALPROTO_HTTP1;
462 
463  StreamTcpInitConfig(true);
464 
465  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
466  FAIL_IF_NULL(de_ctx);
467  de_ctx->flags |= DE_QUIET;
468 
469  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
470  "(msg:\"http user agent test\"; "
471  "content:\"message\"; http_user_agent; "
472  "sid:1;)");
473  FAIL_IF_NULL(s);
474 
475  SigGroupBuild(de_ctx);
476  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
477 
478  int r = AppLayerParserParse(
479  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
480  FAIL_IF_NOT(r == 0);
481  FAIL_IF_NULL(f.alstate);
482 
483  /* do detect */
484  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
485 
486  FAIL_IF_NOT(PacketAlertCheck(p, 1));
487 
488  AppLayerParserThreadCtxFree(alp_tctx);
489  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
490  DetectEngineCtxFree(de_ctx);
491 
492  StreamTcpFreeConfig(true);
493  FLOW_DESTROY(&f);
494  UTHFreePackets(&p, 1);
495  StatsThreadCleanup(&th_v);
496  PASS;
497 }
498 
499 /**
500  *\test Test that the http_user_agent content matches against a http request
501  * which holds the content.
502  */
503 static int DetectHttpUATest07(void)
504 {
505  TcpSession ssn;
506  Packet *p1 = NULL;
507  Packet *p2 = NULL;
508  ThreadVars th_v;
509  DetectEngineThreadCtx *det_ctx = NULL;
510  Flow f;
511  uint8_t http1_buf[] =
512  "GET /index.html HTTP/1.0\r\n"
513  "Host: www.openinfosecfoundation.org\r\n"
514  "User-Agent: This is dummy message";
515  uint8_t http2_buf[] =
516  "body1\r\n\r\n";
517  uint32_t http1_len = sizeof(http1_buf) - 1;
518  uint32_t http2_len = sizeof(http2_buf) - 1;
519  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
520 
521  memset(&th_v, 0, sizeof(th_v));
522  memset(&f, 0, sizeof(f));
523  memset(&ssn, 0, sizeof(ssn));
524 
525  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
526  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
527 
528  FLOW_INITIALIZE(&f);
529  f.protoctx = (void *)&ssn;
530  f.proto = IPPROTO_TCP;
531  f.flags |= FLOW_IPV4;
532 
533  p1->flow = &f;
534  p1->flowflags |= FLOW_PKT_TOSERVER;
535  p1->flowflags |= FLOW_PKT_ESTABLISHED;
536  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
537  p2->flow = &f;
538  p2->flowflags |= FLOW_PKT_TOSERVER;
539  p2->flowflags |= FLOW_PKT_ESTABLISHED;
540  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
541  f.alproto = ALPROTO_HTTP1;
542 
543  StreamTcpInitConfig(true);
544 
545  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
546  FAIL_IF_NULL(de_ctx);
547  de_ctx->flags |= DE_QUIET;
548 
549  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
550  "(msg:\"http user agent test\"; "
551  "content:\"message\"; http_user_agent; "
552  "sid:1;)");
553  FAIL_IF_NULL(s);
554 
555  SigGroupBuild(de_ctx);
556  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
557 
558  int r = AppLayerParserParse(
559  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
560  FAIL_IF_NOT(r == 0);
561  FAIL_IF_NULL(f.alstate);
562 
563  /* do detect */
564  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
565 
566  FAIL_IF(PacketAlertCheck(p1, 1));
567 
568  r = AppLayerParserParse(
569  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
570  FAIL_IF_NOT(r == 0);
571  FAIL_IF_NULL(f.alstate);
572 
573  /* do detect */
574  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
575  FAIL_IF_NOT(PacketAlertCheck(p2, 1));
576 
577  AppLayerParserThreadCtxFree(alp_tctx);
578  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
579  DetectEngineCtxFree(de_ctx);
580 
581  StreamTcpFreeConfig(true);
582  FLOW_DESTROY(&f);
583  UTHFreePackets(&p1, 1);
584  UTHFreePackets(&p2, 1);
585  StatsThreadCleanup(&th_v);
586  PASS;
587 }
588 
589 /**
590  *\test Test that the http_user_agent content matches against a http request
591  * which holds the content.
592  */
593 static int DetectHttpUATest08(void)
594 {
595  TcpSession ssn;
596  Packet *p1 = NULL;
597  Packet *p2 = NULL;
598  ThreadVars th_v;
599  DetectEngineThreadCtx *det_ctx = NULL;
600  Flow f;
601  uint8_t http1_buf[] =
602  "GET /index.html HTTP/1.0\r\n"
603  "Host: www.openinfosecfoundation.org\r\n"
604  "User-Agent: This is dummy mess";
605  uint8_t http2_buf[] =
606  "age body\r\n\r\n";
607  uint32_t http1_len = sizeof(http1_buf) - 1;
608  uint32_t http2_len = sizeof(http2_buf) - 1;
609  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
610 
611  memset(&th_v, 0, sizeof(th_v));
612  memset(&f, 0, sizeof(f));
613  memset(&ssn, 0, sizeof(ssn));
614 
615  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
616  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
617 
618  FLOW_INITIALIZE(&f);
619  f.protoctx = (void *)&ssn;
620  f.proto = IPPROTO_TCP;
621  f.flags |= FLOW_IPV4;
622 
623  p1->flow = &f;
624  p1->flowflags |= FLOW_PKT_TOSERVER;
625  p1->flowflags |= FLOW_PKT_ESTABLISHED;
626  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
627  p2->flow = &f;
628  p2->flowflags |= FLOW_PKT_TOSERVER;
629  p2->flowflags |= FLOW_PKT_ESTABLISHED;
630  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
631  f.alproto = ALPROTO_HTTP1;
632 
633  StreamTcpInitConfig(true);
634 
635  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
636  FAIL_IF_NULL(de_ctx);
637  de_ctx->flags |= DE_QUIET;
638 
639  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
640  "(msg:\"http user agent test\"; "
641  "content:\"message\"; http_user_agent; "
642  "sid:1;)");
643  FAIL_IF_NULL(s);
644 
645  SigGroupBuild(de_ctx);
646  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
647 
648  int r = AppLayerParserParse(
649  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
650  FAIL_IF_NOT(r == 0);
651  FAIL_IF_NULL(f.alstate);
652 
653  /* do detect */
654  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
655  FAIL_IF(PacketAlertCheck(p1, 1));
656 
657  r = AppLayerParserParse(
658  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
659  FAIL_IF_NOT(r == 0);
660  FAIL_IF_NULL(f.alstate);
661 
662  /* do detect */
663  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
664 
665  FAIL_IF_NOT(PacketAlertCheck(p2, 1));
666 
667  AppLayerParserThreadCtxFree(alp_tctx);
668  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
669  DetectEngineCtxFree(de_ctx);
670 
671  StreamTcpFreeConfig(true);
672  FLOW_DESTROY(&f);
673  UTHFreePackets(&p1, 1);
674  UTHFreePackets(&p2, 1);
675  StatsThreadCleanup(&th_v);
676  PASS;
677 }
678 
679 /**
680  *\test Test that the http_user_agent content matches against a http request
681  * which holds the content, against a cross boundary present pattern.
682  */
683 static int DetectHttpUATest09(void)
684 {
685  TcpSession ssn;
686  Packet *p1 = NULL;
687  Packet *p2 = NULL;
688  ThreadVars th_v;
689  DetectEngineThreadCtx *det_ctx = NULL;
690  Flow f;
691  uint8_t http1_buf[] =
692  "GET /index.html HTTP/1.0\r\n"
693  "Host: www.openinfosecfoundation.org\r\n"
694  "User-Agent: This is dummy body1";
695  uint8_t http2_buf[] =
696  "This is dummy message body2\r\n"
697  "Content-Type: text/html\r\n"
698  "Content-Length: 46\r\n"
699  "\r\n"
700  "This is dummy body1";
701  uint32_t http1_len = sizeof(http1_buf) - 1;
702  uint32_t http2_len = sizeof(http2_buf) - 1;
703  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
704 
705  memset(&th_v, 0, sizeof(th_v));
706  memset(&f, 0, sizeof(f));
707  memset(&ssn, 0, sizeof(ssn));
708 
709  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
710  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
711 
712  FLOW_INITIALIZE(&f);
713  f.protoctx = (void *)&ssn;
714  f.proto = IPPROTO_TCP;
715  f.flags |= FLOW_IPV4;
716 
717  p1->flow = &f;
718  p1->flowflags |= FLOW_PKT_TOSERVER;
719  p1->flowflags |= FLOW_PKT_ESTABLISHED;
720  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
721  p2->flow = &f;
722  p2->flowflags |= FLOW_PKT_TOSERVER;
723  p2->flowflags |= FLOW_PKT_ESTABLISHED;
724  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
725  f.alproto = ALPROTO_HTTP1;
726 
727  StreamTcpInitConfig(true);
728 
729  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
730  FAIL_IF_NULL(de_ctx);
731  de_ctx->flags |= DE_QUIET;
732 
733  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
734  "(msg:\"http user agent test\"; "
735  "content:\"body1This\"; http_user_agent; "
736  "sid:1;)");
737  FAIL_IF_NULL(s);
738 
739  SigGroupBuild(de_ctx);
740  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
741 
742  int r = AppLayerParserParse(
743  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
744  FAIL_IF_NOT(r == 0);
745  FAIL_IF_NULL(f.alstate);
746 
747  /* do detect */
748  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
749  FAIL_IF(PacketAlertCheck(p1, 1));
750 
751  r = AppLayerParserParse(
752  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
753  FAIL_IF_NOT(r == 0);
754  FAIL_IF_NULL(f.alstate);
755 
756  /* do detect */
757  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
758 
759  FAIL_IF_NOT(PacketAlertCheck(p2, 1));
760 
761  AppLayerParserThreadCtxFree(alp_tctx);
762  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
763  DetectEngineCtxFree(de_ctx);
764  StreamTcpFreeConfig(true);
765  FLOW_DESTROY(&f);
766  UTHFreePackets(&p1, 1);
767  UTHFreePackets(&p2, 1);
768  StatsThreadCleanup(&th_v);
769  PASS;
770 }
771 
772 /**
773  *\test Test that the http_user_agent content matches against a http request
774  * against a case insensitive pattern.
775  */
776 static int DetectHttpUATest10(void)
777 {
778  TcpSession ssn;
779  Packet *p1 = NULL;
780  Packet *p2 = NULL;
781  ThreadVars th_v;
782  DetectEngineThreadCtx *det_ctx = NULL;
783  Flow f;
784  uint8_t http1_buf[] =
785  "GET /index.html HTTP/1.0\r\n"
786  "Host: www.openinfosecfoundation.org\r\n"
787  "User-Agent: This is dummy bodY1";
788  uint8_t http2_buf[] =
789  "This is dummy message body2\r\n"
790  "Content-Type: text/html\r\n"
791  "Content-Length: 46\r\n"
792  "\r\n"
793  "This is dummy bodY1";
794  uint32_t http1_len = sizeof(http1_buf) - 1;
795  uint32_t http2_len = sizeof(http2_buf) - 1;
796  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
797 
798  memset(&th_v, 0, sizeof(th_v));
799  memset(&f, 0, sizeof(f));
800  memset(&ssn, 0, sizeof(ssn));
801 
802  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
803  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
804 
805  FLOW_INITIALIZE(&f);
806  f.protoctx = (void *)&ssn;
807  f.proto = IPPROTO_TCP;
808  f.flags |= FLOW_IPV4;
809 
810  p1->flow = &f;
811  p1->flowflags |= FLOW_PKT_TOSERVER;
812  p1->flowflags |= FLOW_PKT_ESTABLISHED;
813  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
814  p2->flow = &f;
815  p2->flowflags |= FLOW_PKT_TOSERVER;
816  p2->flowflags |= FLOW_PKT_ESTABLISHED;
817  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
818  f.alproto = ALPROTO_HTTP1;
819 
820  StreamTcpInitConfig(true);
821 
822  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
823  FAIL_IF_NULL(de_ctx);
824  de_ctx->flags |= DE_QUIET;
825 
826  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
827  "(msg:\"http user agent test\"; "
828  "content:\"body1this\"; http_user_agent; nocase;"
829  "sid:1;)");
830  FAIL_IF_NULL(s);
831 
832  SigGroupBuild(de_ctx);
833  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
834 
835  int r = AppLayerParserParse(
836  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
837  FAIL_IF_NOT(r == 0);
838  FAIL_IF_NULL(f.alstate);
839 
840  /* do detect */
841  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
842  FAIL_IF(PacketAlertCheck(p1, 1));
843 
844  r = AppLayerParserParse(
845  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
846  FAIL_IF_NOT(r == 0);
847  FAIL_IF_NULL(f.alstate);
848 
849  /* do detect */
850  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
851  FAIL_IF_NOT(PacketAlertCheck(p2, 1));
852 
853  AppLayerParserThreadCtxFree(alp_tctx);
854  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
855  DetectEngineCtxFree(de_ctx);
856  StreamTcpFreeConfig(true);
857  FLOW_DESTROY(&f);
858  UTHFreePackets(&p1, 1);
859  UTHFreePackets(&p2, 1);
860  StatsThreadCleanup(&th_v);
861  PASS;
862 }
863 
864 /**
865  *\test Test that the negated http_user_agent content matches against a
866  * http request which doesn't hold the content.
867  */
868 static int DetectHttpUATest11(void)
869 {
870  TcpSession ssn;
871  Packet *p = NULL;
872  ThreadVars th_v;
873  DetectEngineThreadCtx *det_ctx = NULL;
874  Flow f;
875  uint8_t http_buf[] =
876  "GET /index.html HTTP/1.0\r\n"
877  "Host: www.openinfosecfoundation.org\r\n"
878  "User-Agent: This is dummy message body\r\n"
879  "Content-Type: text/html\r\n"
880  "\r\n";
881  uint32_t http_len = sizeof(http_buf) - 1;
882  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
883 
884  memset(&th_v, 0, sizeof(th_v));
885  memset(&f, 0, sizeof(f));
886  memset(&ssn, 0, sizeof(ssn));
887 
888  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
889 
890  FLOW_INITIALIZE(&f);
891  f.protoctx = (void *)&ssn;
892  f.proto = IPPROTO_TCP;
893  f.flags |= FLOW_IPV4;
894 
895  p->flow = &f;
896  p->flowflags |= FLOW_PKT_TOSERVER;
897  p->flowflags |= FLOW_PKT_ESTABLISHED;
898  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
899  f.alproto = ALPROTO_HTTP1;
900 
901  StreamTcpInitConfig(true);
902 
903  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
904  FAIL_IF_NULL(de_ctx);
905  de_ctx->flags |= DE_QUIET;
906 
907  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
908  "(msg:\"http user agent test\"; "
909  "content:!\"message\"; http_user_agent; "
910  "sid:1;)");
911  FAIL_IF_NULL(s);
912 
913  SigGroupBuild(de_ctx);
914  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
915 
916  int r = AppLayerParserParse(
917  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
918  FAIL_IF_NOT(r == 0);
919  FAIL_IF_NULL(f.alstate);
920 
921  /* do detect */
922  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
923 
924  FAIL_IF(PacketAlertCheck(p, 1));
925 
926  AppLayerParserThreadCtxFree(alp_tctx);
927  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
928  DetectEngineCtxFree(de_ctx);
929  StreamTcpFreeConfig(true);
930  FLOW_DESTROY(&f);
931  UTHFreePackets(&p, 1);
932  StatsThreadCleanup(&th_v);
933  PASS;
934 }
935 
936 /**
937  *\test Negative test that the negated http_user_agent content matches against a
938  * http request which holds hold the content.
939  */
940 static int DetectHttpUATest12(void)
941 {
942  TcpSession ssn;
943  Packet *p = NULL;
944  ThreadVars th_v;
945  DetectEngineThreadCtx *det_ctx = NULL;
946  Flow f;
947  uint8_t http_buf[] =
948  "GET /index.html HTTP/1.0\r\n"
949  "Host: www.openinfosecfoundation.org\r\n"
950  "User-Agent: This is dummy body\r\n"
951  "\r\n";
952  uint32_t http_len = sizeof(http_buf) - 1;
953  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
954 
955  memset(&th_v, 0, sizeof(th_v));
956  memset(&f, 0, sizeof(f));
957  memset(&ssn, 0, sizeof(ssn));
958 
959  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
960 
961  FLOW_INITIALIZE(&f);
962  f.protoctx = (void *)&ssn;
963  f.proto = IPPROTO_TCP;
964  f.flags |= FLOW_IPV4;
965 
966  p->flow = &f;
967  p->flowflags |= FLOW_PKT_TOSERVER;
968  p->flowflags |= FLOW_PKT_ESTABLISHED;
969  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
970  f.alproto = ALPROTO_HTTP1;
971 
972  StreamTcpInitConfig(true);
973 
974  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
975  FAIL_IF_NULL(de_ctx);
976  de_ctx->flags |= DE_QUIET;
977 
978  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
979  "(msg:\"http user agent test\"; "
980  "content:!\"message\"; http_user_agent; "
981  "sid:1;)");
982  FAIL_IF_NULL(s);
983 
984  SigGroupBuild(de_ctx);
985  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
986 
987  int r = AppLayerParserParse(
988  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
989  FAIL_IF_NOT(r == 0);
990  FAIL_IF_NULL(f.alstate);
991 
992  /* do detect */
993  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
994  FAIL_IF_NOT(PacketAlertCheck(p, 1));
995 
996  AppLayerParserThreadCtxFree(alp_tctx);
997  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
998  DetectEngineCtxFree(de_ctx);
999 
1000  StreamTcpFreeConfig(true);
1001  FLOW_DESTROY(&f);
1002  UTHFreePackets(&p, 1);
1003  StatsThreadCleanup(&th_v);
1004  PASS;
1005 }
1006 
1007 /**
1008  * \test Test that the http_user_agent content matches against a http request
1009  * which holds the content.
1010  */
1011 static int DetectHttpUATest13(void)
1012 {
1013  TcpSession ssn;
1014  Packet *p = NULL;
1015  ThreadVars th_v;
1016  DetectEngineThreadCtx *det_ctx = NULL;
1017  Flow f;
1018  uint8_t http_buf[] =
1019  "GET /index.html HTTP/1.0\r\n"
1020  "Host: www.openinfosecfoundation.org\r\n"
1021  "User-Agent: longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\r\n"
1022  "Content-Type: text/html\r\n"
1023  "\r\n";
1024  uint32_t http_len = sizeof(http_buf) - 1;
1025  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1026 
1027  memset(&th_v, 0, sizeof(th_v));
1028  memset(&f, 0, sizeof(f));
1029  memset(&ssn, 0, sizeof(ssn));
1030 
1031  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1032 
1033  FLOW_INITIALIZE(&f);
1034  f.protoctx = (void *)&ssn;
1035  f.proto = IPPROTO_TCP;
1036  f.flags |= FLOW_IPV4;
1037 
1038  p->flow = &f;
1039  p->flowflags |= FLOW_PKT_TOSERVER;
1040  p->flowflags |= FLOW_PKT_ESTABLISHED;
1041  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1042  f.alproto = ALPROTO_HTTP1;
1043 
1044  StreamTcpInitConfig(true);
1045 
1046  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1047  FAIL_IF_NULL(de_ctx);
1048  de_ctx->flags |= DE_QUIET;
1049 
1050  Signature *s = DetectEngineAppendSig(de_ctx,
1051  "alert http any any -> any any "
1052  "(msg:\"http user agent test\"; "
1053  "content:\"abcdefghijklmnopqrstuvwxyz0123456789\"; http_user_agent; "
1054  "sid:1;)");
1055  FAIL_IF_NULL(s);
1056 
1057  SigGroupBuild(de_ctx);
1058  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1059 
1060  int r = AppLayerParserParse(
1061  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1062  FAIL_IF_NOT(r == 0);
1063  FAIL_IF_NULL(f.alstate);
1064 
1065  /* do detect */
1066  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1067 
1068  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1069 
1070  AppLayerParserThreadCtxFree(alp_tctx);
1071  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1072  DetectEngineCtxFree(de_ctx);
1073  StreamTcpFreeConfig(true);
1074  FLOW_DESTROY(&f);
1075  UTHFreePackets(&p, 1);
1076  StatsThreadCleanup(&th_v);
1077  PASS;
1078 }
1079 
1080 /**
1081  * \test multiple http transactions and body chunks of request handling
1082  */
1083 static int DetectHttpUATest14(void)
1084 {
1085  Signature *s = NULL;
1086  DetectEngineThreadCtx *det_ctx = NULL;
1087  ThreadVars th_v;
1088  Flow f;
1089  TcpSession ssn;
1090  Packet *p = NULL;
1091  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n";
1092  uint8_t httpbuf2[] = "Cookie: dummy1\r\n";
1093  uint8_t httpbuf3[] = "User-Agent: Body one!!\r\n\r\n";
1094  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1095  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1096  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1097  uint8_t httpbuf4[] = "GET /?var=val HTTP/1.1\r\n";
1098  uint8_t httpbuf5[] = "Cookie: dummy2\r\n";
1099  uint8_t httpbuf6[] = "User-Agent: Body two\r\n\r\n";
1100  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1101  uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */
1102  uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */
1103  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1104 
1105  memset(&th_v, 0, sizeof(th_v));
1106  memset(&f, 0, sizeof(f));
1107  memset(&ssn, 0, sizeof(ssn));
1108 
1109  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1110 
1111  FLOW_INITIALIZE(&f);
1112  f.protoctx = (void *)&ssn;
1113  f.proto = IPPROTO_TCP;
1114  f.flags |= FLOW_IPV4;
1115 
1116  p->flow = &f;
1117  p->flowflags |= FLOW_PKT_TOSERVER;
1118  p->flowflags |= FLOW_PKT_ESTABLISHED;
1119  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1120  f.alproto = ALPROTO_HTTP1;
1121 
1122  StreamTcpInitConfig(true);
1123 
1124  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1125  FAIL_IF_NULL(de_ctx);
1126  de_ctx->flags |= DE_QUIET;
1127 
1128  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"POST\"; http_method; content:\"dummy1\"; http_cookie; content:\"Body one\"; http_user_agent; sid:1; rev:1;)");
1129  FAIL_IF_NULL(s);
1130  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"GET\"; http_method; content:\"dummy2\"; http_cookie; content:\"Body two\"; http_user_agent; sid:2; rev:1;)");
1131  FAIL_IF_NULL(s);
1132 
1133  SigGroupBuild(de_ctx);
1134  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1135 
1136  int r = AppLayerParserParse(
1137  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1138  FAIL_IF_NOT(r == 0);
1139 
1140  /* do detect */
1141  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1142  FAIL_IF(PacketAlertCheck(p, 1));
1143 
1144  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1145  FAIL_IF_NOT(r == 0);
1146 
1147  /* do detect */
1148  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1149  FAIL_IF(PacketAlertCheck(p, 1));
1150 
1151  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1152  FAIL_IF_NOT(r == 0);
1153 
1154  /* do detect */
1155  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1156  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1157  p->alerts.cnt = 0;
1158 
1159  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
1160  FAIL_IF_NOT(r == 0);
1161 
1162  /* do detect */
1163  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1164  FAIL_IF(PacketAlertCheck(p, 1));
1165  FAIL_IF(PacketAlertCheck(p, 2));
1166 
1167  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf5, httplen5);
1168  FAIL_IF_NOT(r == 0);
1169 
1170  /* do detect */
1171  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1172  FAIL_IF(PacketAlertCheck(p, 1));
1173  FAIL_IF(PacketAlertCheck(p, 2));
1174 
1175  SCLogDebug("sending data chunk 7");
1176 
1177  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf6, httplen6);
1178  FAIL_IF_NOT(r == 0);
1179 
1180  /* do detect */
1181  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1182  FAIL_IF(PacketAlertCheck(p, 1));
1183  FAIL_IF_NOT(PacketAlertCheck(p, 2));
1184  p->alerts.cnt = 0;
1185 
1186  HtpState *htp_state = f.alstate;
1187  FAIL_IF_NULL(htp_state);
1188  FAIL_IF_NOT(AppLayerParserGetTxCnt(&f, htp_state) == 2);
1189 
1190  AppLayerParserThreadCtxFree(alp_tctx);
1191  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1192  DetectEngineCtxFree(de_ctx);
1193 
1194  StreamTcpFreeConfig(true);
1195  FLOW_DESTROY(&f);
1196  UTHFreePacket(p);
1197  StatsThreadCleanup(&th_v);
1198  PASS;
1199 }
1200 
1201 static void DetectHttpUARegisterTests(void)
1202 {
1203  UtRegisterTest("DetectEngineHttpUATest01", DetectEngineHttpUATest01);
1204  UtRegisterTest("DetectEngineHttpUATest02", DetectEngineHttpUATest02);
1205  UtRegisterTest("DetectEngineHttpUATest03", DetectEngineHttpUATest03);
1206  UtRegisterTest("DetectEngineHttpUATest04", DetectEngineHttpUATest04);
1207  UtRegisterTest("DetectEngineHttpUATest05", DetectEngineHttpUATest05);
1208  UtRegisterTest("DetectEngineHttpUATest06", DetectEngineHttpUATest06);
1209  UtRegisterTest("DetectEngineHttpUATest07", DetectEngineHttpUATest07);
1210  UtRegisterTest("DetectEngineHttpUATest08", DetectEngineHttpUATest08);
1211  UtRegisterTest("DetectEngineHttpUATest09", DetectEngineHttpUATest09);
1212  UtRegisterTest("DetectEngineHttpUATest10", DetectEngineHttpUATest10);
1213  UtRegisterTest("DetectEngineHttpUATest11", DetectEngineHttpUATest11);
1214  UtRegisterTest("DetectEngineHttpUATest12", DetectEngineHttpUATest12);
1215  UtRegisterTest("DetectEngineHttpUATest13", DetectEngineHttpUATest13);
1216  UtRegisterTest("DetectEngineHttpUATest14", DetectEngineHttpUATest14);
1217  UtRegisterTest("DetectEngineHttpUATest15", DetectEngineHttpUATest15);
1218  UtRegisterTest("DetectEngineHttpUATest16", DetectEngineHttpUATest16);
1219  UtRegisterTest("DetectEngineHttpUATest17", DetectEngineHttpUATest17);
1220 
1221  UtRegisterTest("DetectHttpUATest01", DetectHttpUATest01);
1222  UtRegisterTest("DetectHttpUATest02", DetectHttpUATest02);
1223  UtRegisterTest("DetectHttpUATest03", DetectHttpUATest03);
1224  UtRegisterTest("DetectHttpUATest04", DetectHttpUATest04);
1225  UtRegisterTest("DetectHttpUATest05", DetectHttpUATest05);
1226  UtRegisterTest("DetectHttpUATest06", DetectHttpUATest06);
1227  UtRegisterTest("DetectHttpUATest07", DetectHttpUATest07);
1228  UtRegisterTest("DetectHttpUATest08", DetectHttpUATest08);
1229  UtRegisterTest("DetectHttpUATest09", DetectHttpUATest09);
1230  UtRegisterTest("DetectHttpUATest10", DetectHttpUATest10);
1231  UtRegisterTest("DetectHttpUATest11", DetectHttpUATest11);
1232  UtRegisterTest("DetectHttpUATest12", DetectHttpUATest12);
1233  UtRegisterTest("DetectHttpUATest13", DetectHttpUATest13);
1234  UtRegisterTest("DetectHttpUATest14", DetectHttpUATest14);
1235 }
1236 
1237 /**
1238  * @}
1239  */
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1268
flow-util.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:279
Flow_::proto
uint8_t proto
Definition: flow.h:370
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:287
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:142
Packet_::flags
uint32_t flags
Definition: decode.h:544
Flow_
Flow data structure.
Definition: flow.h:348
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2634
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2416
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3439
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:532
Flow_::protoctx
void * protoctx
Definition: flow.h:433
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:100
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:620
util-unittest.h
HtpState_
Definition: app-layer-htp.h:181
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:488
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
app-layer-htp.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1244
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:23
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3364
app-layer-parser.h
Packet_
Definition: decode.h:501
detect-engine-build.h
detect-engine-alert.h
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2194
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:859
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1291
suricata-common.h
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3596
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:473
Flow_::alstate
void * alstate
Definition: flow.h:471
Flow_::flags
uint32_t flags
Definition: flow.h:413
Signature_
Signature container.
Definition: detect.h:668
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:227
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2595
app-layer-protos.h
suricata.h
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:934
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
TcpSession_
Definition: stream-tcp-private.h:283
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:442
StatsThreadCleanup
void StatsThreadCleanup(ThreadVars *tv)
Definition: counters.c:1324
AppLayerParserGetTxCnt
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
Definition: app-layer-parser.c:1102
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1264
app-layer.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:456