suricata
detect-http-user-agent.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /** \file
26  *
27  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
28  * \author Victor Julien <victor@inliniac.net>
29  *
30  * \brief Handle HTTP user agent match
31  *
32  */
33 
34 #include "suricata-common.h"
35 #include "suricata.h"
36 #include "flow-util.h"
37 #include "flow.h"
38 #include "app-layer-parser.h"
39 #include "util-unittest.h"
40 #include "util-unittest-helper.h"
41 #include "app-layer.h"
42 #include "app-layer-htp.h"
43 #include "app-layer-protos.h"
44 #include "detect-engine-build.h"
45 #include "detect-engine-alert.h"
46 
47 static int DetectEngineHttpUATest(
48  const uint8_t *buf, const uint32_t buf_len, const char *sig, const bool expect)
49 {
50  TcpSession ssn;
51  ThreadVars th_v;
52  DetectEngineThreadCtx *det_ctx = NULL;
53  Flow f;
54 
55  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
56  FAIL_IF_NULL(alp_tctx);
57 
58  memset(&th_v, 0, sizeof(th_v));
59  StatsThreadInit(&th_v.stats);
60  memset(&f, 0, sizeof(f));
61  memset(&ssn, 0, sizeof(ssn));
62 
63  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
64  FAIL_IF_NULL(p);
65 
66  FLOW_INITIALIZE(&f);
67  f.protoctx = (void *)&ssn;
68  f.proto = IPPROTO_TCP;
69  f.flags |= FLOW_IPV4;
70  p->flow = &f;
71  p->flowflags |= FLOW_PKT_TOSERVER;
72  p->flowflags |= FLOW_PKT_ESTABLISHED;
73  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
74  f.alproto = ALPROTO_HTTP1;
75 
76  StreamTcpInitConfig(true);
77 
78  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
79  FAIL_IF_NULL(de_ctx);
80  de_ctx->flags |= DE_QUIET;
81 
82  Signature *s = DetectEngineAppendSig(de_ctx, sig);
83  FAIL_IF_NULL(s);
84 
85  SigGroupBuild(de_ctx);
86  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
87  FAIL_IF_NULL(det_ctx);
88 
89  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buf_len);
90  FAIL_IF_NOT(r == 0);
91  FAIL_IF_NULL(f.alstate);
92 
93  /* do detect */
94  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
95 
96  bool match = PacketAlertCheck(p, 1);
97  FAIL_IF_NOT(match == expect);
98 
99  UTHFreePackets(&p, 1);
100  FLOW_DESTROY(&f);
101  AppLayerParserThreadCtxFree(alp_tctx);
102  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
103  DetectEngineCtxFree(de_ctx);
104  StreamTcpFreeConfig(true);
105  StatsThreadCleanup(&th_v.stats);
106  PASS;
107 }
108 
109 static int DetectEngineHttpUATest01(void)
110 {
111  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
112  "User-Agent: CONNECT\r\n"
113  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
114  uint32_t http_len = sizeof(http_buf) - 1;
115  return DetectEngineHttpUATest(http_buf, http_len,
116  "alert http any any -> any any "
117  "(msg:\"http user agent test\"; "
118  "content:\"CONNECT\"; http_user_agent; "
119  "sid:1;)",
120  true);
121 }
122 
123 static int DetectEngineHttpUATest02(void)
124 {
125  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
126  "User-Agent: CONNECT\r\n"
127  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
128  uint32_t http_len = sizeof(http_buf) - 1;
129  return DetectEngineHttpUATest(http_buf, http_len,
130  "alert http any any -> any any "
131  "(msg:\"http user agent test\"; "
132  "content:\"CO\"; depth:4; http_user_agent; "
133  "sid:1;)",
134  true);
135 }
136 
137 static int DetectEngineHttpUATest03(void)
138 {
139  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
140  "User-Agent: CONNECT\r\n"
141  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
142  uint32_t http_len = sizeof(http_buf) - 1;
143  return DetectEngineHttpUATest(http_buf, http_len,
144  "alert http any any -> any any "
145  "(msg:\"http_user_agent test\"; "
146  "content:!\"ECT\"; depth:4; http_user_agent; "
147  "sid:1;)",
148  true);
149 }
150 
151 static int DetectEngineHttpUATest04(void)
152 {
153  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
154  "User-Agent: CONNECT\r\n"
155  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
156  uint32_t http_len = sizeof(http_buf) - 1;
157  return DetectEngineHttpUATest(http_buf, http_len,
158  "alert http any any -> any any "
159  "(msg:\"http user agent test\"; "
160  "content:\"ECT\"; depth:4; http_user_agent; "
161  "sid:1;)",
162  false);
163 }
164 
165 static int DetectEngineHttpUATest05(void)
166 {
167  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
168  "User-Agent: CONNECT\r\n"
169  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
170  uint32_t http_len = sizeof(http_buf) - 1;
171  return DetectEngineHttpUATest(http_buf, http_len,
172  "alert http any any -> any any "
173  "(msg:\"http user agent test\"; "
174  "content:!\"CON\"; depth:4; http_user_agent; "
175  "sid:1;)",
176  false);
177 }
178 
179 static int DetectEngineHttpUATest06(void)
180 {
181  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
182  "User-Agent: CONNECT\r\n"
183  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
184  uint32_t http_len = sizeof(http_buf) - 1;
185  return DetectEngineHttpUATest(http_buf, http_len,
186  "alert http any any -> any any "
187  "(msg:\"http user agent test\"; "
188  "content:\"ECT\"; offset:3; http_user_agent; "
189  "sid:1;)",
190  true);
191 }
192 
193 static int DetectEngineHttpUATest07(void)
194 {
195  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
196  "User-Agent: CONNECT\r\n"
197  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
198  uint32_t http_len = sizeof(http_buf) - 1;
199  return DetectEngineHttpUATest(http_buf, http_len,
200  "alert http any any -> any any "
201  "(msg:\"http user agent test\"; "
202  "content:!\"CO\"; offset:3; http_user_agent; "
203  "sid:1;)",
204  true);
205 }
206 
207 static int DetectEngineHttpUATest08(void)
208 {
209  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
210  "User-Agent: CONNECT\r\n"
211  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
212  uint32_t http_len = sizeof(http_buf) - 1;
213  return DetectEngineHttpUATest(http_buf, http_len,
214  "alert http any any -> any any "
215  "(msg:\"http user agent test\"; "
216  "content:!\"ECT\"; offset:3; http_user_agent; "
217  "sid:1;)",
218  false);
219 }
220 
221 static int DetectEngineHttpUATest09(void)
222 {
223  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
224  "User-Agent: CONNECT\r\n"
225  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
226  uint32_t http_len = sizeof(http_buf) - 1;
227  return DetectEngineHttpUATest(http_buf, http_len,
228  "alert http any any -> any any "
229  "(msg:\"http user agent test\"; "
230  "content:\"CON\"; offset:3; http_user_agent; "
231  "sid:1;)",
232  false);
233 }
234 
235 static int DetectEngineHttpUATest10(void)
236 {
237  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
238  "User-Agent: CONNECT\r\n"
239  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
240  uint32_t http_len = sizeof(http_buf) - 1;
241  return DetectEngineHttpUATest(http_buf, http_len,
242  "alert http any any -> any any "
243  "(msg:\"http_user_agent test\"; "
244  "content:\"CO\"; http_user_agent; "
245  "content:\"EC\"; within:4; http_user_agent; "
246  "sid:1;)",
247  true);
248 }
249 
250 static int DetectEngineHttpUATest11(void)
251 {
252  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
253  "User-Agent: CONNECT\r\n"
254  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
255  uint32_t http_len = sizeof(http_buf) - 1;
256  return DetectEngineHttpUATest(http_buf, http_len,
257  "alert http any any -> any any "
258  "(msg:\"http user agent test\"; "
259  "content:\"CO\"; http_user_agent; "
260  "content:!\"EC\"; within:3; http_user_agent; "
261  "sid:1;)",
262  true);
263 }
264 
265 static int DetectEngineHttpUATest12(void)
266 {
267  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
268  "User-Agent: CONNECT\r\n"
269  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
270  uint32_t http_len = sizeof(http_buf) - 1;
271  return DetectEngineHttpUATest(http_buf, http_len,
272  "alert http any any -> any any "
273  "(msg:\"http_user_agent test\"; "
274  "content:\"CO\"; http_user_agent; "
275  "content:\"EC\"; within:3; http_user_agent; "
276  "sid:1;)",
277  false);
278 }
279 
280 static int DetectEngineHttpUATest13(void)
281 {
282  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
283  "User-Agent: CONNECT\r\n"
284  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
285  uint32_t http_len = sizeof(http_buf) - 1;
286  return DetectEngineHttpUATest(http_buf, http_len,
287  "alert http any any -> any any "
288  "(msg:\"http user agent test\"; "
289  "content:\"CO\"; http_user_agent; "
290  "content:!\"EC\"; within:4; http_user_agent; "
291  "sid:1;)",
292  false);
293 }
294 
295 static int DetectEngineHttpUATest14(void)
296 {
297  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
298  "User-Agent: CONNECT\r\n"
299  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
300  uint32_t http_len = sizeof(http_buf) - 1;
301  return DetectEngineHttpUATest(http_buf, http_len,
302  "alert http any any -> any any "
303  "(msg:\"http_user_agent test\"; "
304  "content:\"CO\"; http_user_agent; "
305  "content:\"EC\"; distance:2; http_user_agent; "
306  "sid:1;)",
307  true);
308 }
309 
310 static int DetectEngineHttpUATest15(void)
311 {
312  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
313  "User-Agent: CONNECT\r\n"
314  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
315  uint32_t http_len = sizeof(http_buf) - 1;
316  return DetectEngineHttpUATest(http_buf, http_len,
317  "alert http any any -> any any "
318  "(msg:\"http user agent test\"; "
319  "content:\"CO\"; http_user_agent; "
320  "content:!\"EC\"; distance:3; http_user_agent; "
321  "sid:1;)",
322  true);
323 }
324 
325 static int DetectEngineHttpUATest16(void)
326 {
327  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
328  "User-Agent: CONNECT\r\n"
329  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
330  uint32_t http_len = sizeof(http_buf) - 1;
331  return DetectEngineHttpUATest(http_buf, http_len,
332  "alert http any any -> any any "
333  "(msg:\"http user agent test\"; "
334  "content:\"CO\"; http_user_agent; "
335  "content:\"EC\"; distance:3; http_user_agent; "
336  "sid:1;)",
337  false);
338 }
339 
340 static int DetectEngineHttpUATest17(void)
341 {
342  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
343  "User-Agent: CONNECT\r\n"
344  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
345  uint32_t http_len = sizeof(http_buf) - 1;
346  return DetectEngineHttpUATest(http_buf, http_len,
347  "alert http any any -> any any "
348  "(msg:\"http_user_agent test\"; "
349  "content:\"CO\"; http_user_agent; "
350  "content:!\"EC\"; distance:2; http_user_agent; "
351  "sid:1;)",
352  false);
353 }
354 
355 static int DetectHttpUATestSigParse(const char *sig, const bool expect)
356 {
357  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
358  FAIL_IF_NULL(de_ctx);
359  de_ctx->flags |= DE_QUIET;
360 
361  Signature *s = DetectEngineAppendSig(de_ctx, sig);
362  bool parsed = (s != NULL);
363  FAIL_IF_NOT(parsed == expect);
364  DetectEngineCtxFree(de_ctx);
365  PASS;
366 }
367 
368 /**
369  * \test Test that a signature containing a http_user_agent is correctly parsed
370  * and the keyword is registered.
371  */
372 static int DetectHttpUATest01(void)
373 {
374  return DetectHttpUATestSigParse("alert tcp any any -> any any "
375  "(msg:\"Testing http_user_agent\"; "
376  "content:\"one\"; http_user_agent; sid:1;)",
377  true);
378 }
379 
380 /**
381  * \test Test that a signature containing an valid http_user_agent entry is
382  * parsed.
383  */
384 static int DetectHttpUATest02(void)
385 {
386  return DetectHttpUATestSigParse("alert tcp any any -> any any "
387  "(msg:\"Testing http_user_agent\"; "
388  "content:\"one\"; http_user_agent:; sid:1;)",
389  true);
390 }
391 
392 /**
393  * \test Test that an invalid signature containing no content but a
394  * http_user_agent is invalidated.
395  */
396 static int DetectHttpUATest03(void)
397 {
398  return DetectHttpUATestSigParse("alert tcp any any -> any any "
399  "(msg:\"Testing http_user_agent\"; "
400  "http_user_agent; sid:1;)",
401  false);
402 }
403 
404 /**
405  * \test Test that an invalid signature containing a rawbytes along with a
406  * http_user_agent is invalidated.
407  */
408 static int DetectHttpUATest04(void)
409 {
410  return DetectHttpUATestSigParse("alert tcp any any -> any any "
411  "(msg:\"Testing http_user_agent\"; "
412  "content:\"one\"; rawbytes; http_user_agent; sid:1;)",
413  false);
414 }
415 
416 /**
417  * \test Test that a http_user_agent with nocase is parsed.
418  */
419 static int DetectHttpUATest05(void)
420 {
421  return DetectHttpUATestSigParse("alert tcp any any -> any any "
422  "(msg:\"Testing http_user_agent\"; "
423  "content:\"one\"; http_user_agent; nocase; sid:1;)",
424  true);
425 }
426 
427 /**
428  *\test Test that the http_user_agent content matches against a http request
429  * which holds the content.
430  */
431 static int DetectHttpUATest06(void)
432 {
433  TcpSession ssn;
434  ThreadVars th_v;
435  DetectEngineThreadCtx *det_ctx = NULL;
436  Flow f;
437  uint8_t http_buf[] =
438  "GET /index.html HTTP/1.0\r\n"
439  "Host: www.openinfosecfoundation.org\r\n"
440  "User-Agent: This is dummy message body\r\n"
441  "Content-Type: text/html\r\n"
442  "\r\n";
443  uint32_t http_len = sizeof(http_buf) - 1;
444  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
445 
446  memset(&th_v, 0, sizeof(th_v));
447  StatsThreadInit(&th_v.stats);
448  memset(&f, 0, sizeof(f));
449  memset(&ssn, 0, sizeof(ssn));
450 
451  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
452  FAIL_IF_NULL(p);
453 
454  FLOW_INITIALIZE(&f);
455  f.protoctx = (void *)&ssn;
456  f.proto = IPPROTO_TCP;
457  f.flags |= FLOW_IPV4;
458 
459  p->flow = &f;
460  p->flowflags |= FLOW_PKT_TOSERVER;
461  p->flowflags |= FLOW_PKT_ESTABLISHED;
462  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
463  f.alproto = ALPROTO_HTTP1;
464 
465  StreamTcpInitConfig(true);
466 
467  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
468  FAIL_IF_NULL(de_ctx);
469  de_ctx->flags |= DE_QUIET;
470 
471  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
472  "(msg:\"http user agent test\"; "
473  "content:\"message\"; http_user_agent; "
474  "sid:1;)");
475  FAIL_IF_NULL(s);
476 
477  SigGroupBuild(de_ctx);
478  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
479 
480  int r = AppLayerParserParse(
481  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
482  FAIL_IF_NOT(r == 0);
483  FAIL_IF_NULL(f.alstate);
484 
485  /* do detect */
486  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
487 
488  FAIL_IF_NOT(PacketAlertCheck(p, 1));
489 
490  AppLayerParserThreadCtxFree(alp_tctx);
491  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
492  DetectEngineCtxFree(de_ctx);
493 
494  StreamTcpFreeConfig(true);
495  FLOW_DESTROY(&f);
496  UTHFreePackets(&p, 1);
497  StatsThreadCleanup(&th_v.stats);
498  PASS;
499 }
500 
501 /**
502  *\test Test that the http_user_agent content matches against a http request
503  * which holds the content.
504  */
505 static int DetectHttpUATest07(void)
506 {
507  TcpSession ssn;
508  Packet *p1 = NULL;
509  Packet *p2 = NULL;
510  ThreadVars th_v;
511  DetectEngineThreadCtx *det_ctx = NULL;
512  Flow f;
513  uint8_t http1_buf[] =
514  "GET /index.html HTTP/1.0\r\n"
515  "Host: www.openinfosecfoundation.org\r\n"
516  "User-Agent: This is dummy message";
517  uint8_t http2_buf[] =
518  "body1\r\n\r\n";
519  uint32_t http1_len = sizeof(http1_buf) - 1;
520  uint32_t http2_len = sizeof(http2_buf) - 1;
521  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
522 
523  memset(&th_v, 0, sizeof(th_v));
524  StatsThreadInit(&th_v.stats);
525  memset(&f, 0, sizeof(f));
526  memset(&ssn, 0, sizeof(ssn));
527 
528  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
529  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
530 
531  FLOW_INITIALIZE(&f);
532  f.protoctx = (void *)&ssn;
533  f.proto = IPPROTO_TCP;
534  f.flags |= FLOW_IPV4;
535 
536  p1->flow = &f;
537  p1->flowflags |= FLOW_PKT_TOSERVER;
538  p1->flowflags |= FLOW_PKT_ESTABLISHED;
539  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
540  p2->flow = &f;
541  p2->flowflags |= FLOW_PKT_TOSERVER;
542  p2->flowflags |= FLOW_PKT_ESTABLISHED;
543  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
544  f.alproto = ALPROTO_HTTP1;
545 
546  StreamTcpInitConfig(true);
547 
548  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
549  FAIL_IF_NULL(de_ctx);
550  de_ctx->flags |= DE_QUIET;
551 
552  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
553  "(msg:\"http user agent test\"; "
554  "content:\"message\"; http_user_agent; "
555  "sid:1;)");
556  FAIL_IF_NULL(s);
557 
558  SigGroupBuild(de_ctx);
559  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
560 
561  int r = AppLayerParserParse(
562  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
563  FAIL_IF_NOT(r == 0);
564  FAIL_IF_NULL(f.alstate);
565 
566  /* do detect */
567  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
568 
569  FAIL_IF(PacketAlertCheck(p1, 1));
570 
571  r = AppLayerParserParse(
572  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
573  FAIL_IF_NOT(r == 0);
574  FAIL_IF_NULL(f.alstate);
575 
576  /* do detect */
577  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
578  FAIL_IF_NOT(PacketAlertCheck(p2, 1));
579 
580  AppLayerParserThreadCtxFree(alp_tctx);
581  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
582  DetectEngineCtxFree(de_ctx);
583 
584  StreamTcpFreeConfig(true);
585  FLOW_DESTROY(&f);
586  UTHFreePackets(&p1, 1);
587  UTHFreePackets(&p2, 1);
588  StatsThreadCleanup(&th_v.stats);
589  PASS;
590 }
591 
592 /**
593  *\test Test that the http_user_agent content matches against a http request
594  * which holds the content.
595  */
596 static int DetectHttpUATest08(void)
597 {
598  TcpSession ssn;
599  Packet *p1 = NULL;
600  Packet *p2 = NULL;
601  ThreadVars th_v;
602  DetectEngineThreadCtx *det_ctx = NULL;
603  Flow f;
604  uint8_t http1_buf[] =
605  "GET /index.html HTTP/1.0\r\n"
606  "Host: www.openinfosecfoundation.org\r\n"
607  "User-Agent: This is dummy mess";
608  uint8_t http2_buf[] =
609  "age body\r\n\r\n";
610  uint32_t http1_len = sizeof(http1_buf) - 1;
611  uint32_t http2_len = sizeof(http2_buf) - 1;
612  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
613 
614  memset(&th_v, 0, sizeof(th_v));
615  StatsThreadInit(&th_v.stats);
616  memset(&f, 0, sizeof(f));
617  memset(&ssn, 0, sizeof(ssn));
618 
619  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
620  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
621 
622  FLOW_INITIALIZE(&f);
623  f.protoctx = (void *)&ssn;
624  f.proto = IPPROTO_TCP;
625  f.flags |= FLOW_IPV4;
626 
627  p1->flow = &f;
628  p1->flowflags |= FLOW_PKT_TOSERVER;
629  p1->flowflags |= FLOW_PKT_ESTABLISHED;
630  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
631  p2->flow = &f;
632  p2->flowflags |= FLOW_PKT_TOSERVER;
633  p2->flowflags |= FLOW_PKT_ESTABLISHED;
634  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
635  f.alproto = ALPROTO_HTTP1;
636 
637  StreamTcpInitConfig(true);
638 
639  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
640  FAIL_IF_NULL(de_ctx);
641  de_ctx->flags |= DE_QUIET;
642 
643  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
644  "(msg:\"http user agent test\"; "
645  "content:\"message\"; http_user_agent; "
646  "sid:1;)");
647  FAIL_IF_NULL(s);
648 
649  SigGroupBuild(de_ctx);
650  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
651 
652  int r = AppLayerParserParse(
653  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
654  FAIL_IF_NOT(r == 0);
655  FAIL_IF_NULL(f.alstate);
656 
657  /* do detect */
658  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
659  FAIL_IF(PacketAlertCheck(p1, 1));
660 
661  r = AppLayerParserParse(
662  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
663  FAIL_IF_NOT(r == 0);
664  FAIL_IF_NULL(f.alstate);
665 
666  /* do detect */
667  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
668 
669  FAIL_IF_NOT(PacketAlertCheck(p2, 1));
670 
671  AppLayerParserThreadCtxFree(alp_tctx);
672  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
673  DetectEngineCtxFree(de_ctx);
674 
675  StreamTcpFreeConfig(true);
676  FLOW_DESTROY(&f);
677  UTHFreePackets(&p1, 1);
678  UTHFreePackets(&p2, 1);
679  StatsThreadCleanup(&th_v.stats);
680  PASS;
681 }
682 
683 /**
684  *\test Test that the http_user_agent content matches against a http request
685  * which holds the content, against a cross boundary present pattern.
686  */
687 static int DetectHttpUATest09(void)
688 {
689  TcpSession ssn;
690  Packet *p1 = NULL;
691  Packet *p2 = NULL;
692  ThreadVars th_v;
693  DetectEngineThreadCtx *det_ctx = NULL;
694  Flow f;
695  uint8_t http1_buf[] =
696  "GET /index.html HTTP/1.0\r\n"
697  "Host: www.openinfosecfoundation.org\r\n"
698  "User-Agent: This is dummy body1";
699  uint8_t http2_buf[] =
700  "This is dummy message body2\r\n"
701  "Content-Type: text/html\r\n"
702  "Content-Length: 46\r\n"
703  "\r\n"
704  "This is dummy body1";
705  uint32_t http1_len = sizeof(http1_buf) - 1;
706  uint32_t http2_len = sizeof(http2_buf) - 1;
707  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
708 
709  memset(&th_v, 0, sizeof(th_v));
710  StatsThreadInit(&th_v.stats);
711  memset(&f, 0, sizeof(f));
712  memset(&ssn, 0, sizeof(ssn));
713 
714  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
715  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
716 
717  FLOW_INITIALIZE(&f);
718  f.protoctx = (void *)&ssn;
719  f.proto = IPPROTO_TCP;
720  f.flags |= FLOW_IPV4;
721 
722  p1->flow = &f;
723  p1->flowflags |= FLOW_PKT_TOSERVER;
724  p1->flowflags |= FLOW_PKT_ESTABLISHED;
725  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
726  p2->flow = &f;
727  p2->flowflags |= FLOW_PKT_TOSERVER;
728  p2->flowflags |= FLOW_PKT_ESTABLISHED;
729  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
730  f.alproto = ALPROTO_HTTP1;
731 
732  StreamTcpInitConfig(true);
733 
734  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
735  FAIL_IF_NULL(de_ctx);
736  de_ctx->flags |= DE_QUIET;
737 
738  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
739  "(msg:\"http user agent test\"; "
740  "content:\"body1This\"; http_user_agent; "
741  "sid:1;)");
742  FAIL_IF_NULL(s);
743 
744  SigGroupBuild(de_ctx);
745  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
746 
747  int r = AppLayerParserParse(
748  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
749  FAIL_IF_NOT(r == 0);
750  FAIL_IF_NULL(f.alstate);
751 
752  /* do detect */
753  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
754  FAIL_IF(PacketAlertCheck(p1, 1));
755 
756  r = AppLayerParserParse(
757  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
758  FAIL_IF_NOT(r == 0);
759  FAIL_IF_NULL(f.alstate);
760 
761  /* do detect */
762  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
763 
764  FAIL_IF_NOT(PacketAlertCheck(p2, 1));
765 
766  AppLayerParserThreadCtxFree(alp_tctx);
767  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
768  DetectEngineCtxFree(de_ctx);
769  StreamTcpFreeConfig(true);
770  FLOW_DESTROY(&f);
771  UTHFreePackets(&p1, 1);
772  UTHFreePackets(&p2, 1);
773  StatsThreadCleanup(&th_v.stats);
774  PASS;
775 }
776 
777 /**
778  *\test Test that the http_user_agent content matches against a http request
779  * against a case insensitive pattern.
780  */
781 static int DetectHttpUATest10(void)
782 {
783  TcpSession ssn;
784  Packet *p1 = NULL;
785  Packet *p2 = NULL;
786  ThreadVars th_v;
787  DetectEngineThreadCtx *det_ctx = NULL;
788  Flow f;
789  uint8_t http1_buf[] =
790  "GET /index.html HTTP/1.0\r\n"
791  "Host: www.openinfosecfoundation.org\r\n"
792  "User-Agent: This is dummy bodY1";
793  uint8_t http2_buf[] =
794  "This is dummy message body2\r\n"
795  "Content-Type: text/html\r\n"
796  "Content-Length: 46\r\n"
797  "\r\n"
798  "This is dummy bodY1";
799  uint32_t http1_len = sizeof(http1_buf) - 1;
800  uint32_t http2_len = sizeof(http2_buf) - 1;
801  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
802 
803  memset(&th_v, 0, sizeof(th_v));
804  StatsThreadInit(&th_v.stats);
805  memset(&f, 0, sizeof(f));
806  memset(&ssn, 0, sizeof(ssn));
807 
808  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
809  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
810 
811  FLOW_INITIALIZE(&f);
812  f.protoctx = (void *)&ssn;
813  f.proto = IPPROTO_TCP;
814  f.flags |= FLOW_IPV4;
815 
816  p1->flow = &f;
817  p1->flowflags |= FLOW_PKT_TOSERVER;
818  p1->flowflags |= FLOW_PKT_ESTABLISHED;
819  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
820  p2->flow = &f;
821  p2->flowflags |= FLOW_PKT_TOSERVER;
822  p2->flowflags |= FLOW_PKT_ESTABLISHED;
823  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
824  f.alproto = ALPROTO_HTTP1;
825 
826  StreamTcpInitConfig(true);
827 
828  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
829  FAIL_IF_NULL(de_ctx);
830  de_ctx->flags |= DE_QUIET;
831 
832  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
833  "(msg:\"http user agent test\"; "
834  "content:\"body1this\"; http_user_agent; nocase;"
835  "sid:1;)");
836  FAIL_IF_NULL(s);
837 
838  SigGroupBuild(de_ctx);
839  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
840 
841  int r = AppLayerParserParse(
842  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
843  FAIL_IF_NOT(r == 0);
844  FAIL_IF_NULL(f.alstate);
845 
846  /* do detect */
847  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
848  FAIL_IF(PacketAlertCheck(p1, 1));
849 
850  r = AppLayerParserParse(
851  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
852  FAIL_IF_NOT(r == 0);
853  FAIL_IF_NULL(f.alstate);
854 
855  /* do detect */
856  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
857  FAIL_IF_NOT(PacketAlertCheck(p2, 1));
858 
859  AppLayerParserThreadCtxFree(alp_tctx);
860  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
861  DetectEngineCtxFree(de_ctx);
862  StreamTcpFreeConfig(true);
863  FLOW_DESTROY(&f);
864  UTHFreePackets(&p1, 1);
865  UTHFreePackets(&p2, 1);
866  StatsThreadCleanup(&th_v.stats);
867  PASS;
868 }
869 
870 /**
871  *\test Test that the negated http_user_agent content matches against a
872  * http request which doesn't hold the content.
873  */
874 static int DetectHttpUATest11(void)
875 {
876  TcpSession ssn;
877  Packet *p = NULL;
878  ThreadVars th_v;
879  DetectEngineThreadCtx *det_ctx = NULL;
880  Flow f;
881  uint8_t http_buf[] =
882  "GET /index.html HTTP/1.0\r\n"
883  "Host: www.openinfosecfoundation.org\r\n"
884  "User-Agent: This is dummy message body\r\n"
885  "Content-Type: text/html\r\n"
886  "\r\n";
887  uint32_t http_len = sizeof(http_buf) - 1;
888  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
889 
890  memset(&th_v, 0, sizeof(th_v));
891  StatsThreadInit(&th_v.stats);
892  memset(&f, 0, sizeof(f));
893  memset(&ssn, 0, sizeof(ssn));
894 
895  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
896 
897  FLOW_INITIALIZE(&f);
898  f.protoctx = (void *)&ssn;
899  f.proto = IPPROTO_TCP;
900  f.flags |= FLOW_IPV4;
901 
902  p->flow = &f;
903  p->flowflags |= FLOW_PKT_TOSERVER;
904  p->flowflags |= FLOW_PKT_ESTABLISHED;
905  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
906  f.alproto = ALPROTO_HTTP1;
907 
908  StreamTcpInitConfig(true);
909 
910  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
911  FAIL_IF_NULL(de_ctx);
912  de_ctx->flags |= DE_QUIET;
913 
914  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
915  "(msg:\"http user agent test\"; "
916  "content:!\"message\"; http_user_agent; "
917  "sid:1;)");
918  FAIL_IF_NULL(s);
919 
920  SigGroupBuild(de_ctx);
921  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
922 
923  int r = AppLayerParserParse(
924  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
925  FAIL_IF_NOT(r == 0);
926  FAIL_IF_NULL(f.alstate);
927 
928  /* do detect */
929  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
930 
931  FAIL_IF(PacketAlertCheck(p, 1));
932 
933  AppLayerParserThreadCtxFree(alp_tctx);
934  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
935  DetectEngineCtxFree(de_ctx);
936  StreamTcpFreeConfig(true);
937  FLOW_DESTROY(&f);
938  UTHFreePackets(&p, 1);
939  StatsThreadCleanup(&th_v.stats);
940  PASS;
941 }
942 
943 /**
944  *\test Negative test that the negated http_user_agent content matches against a
945  * http request which holds hold the content.
946  */
947 static int DetectHttpUATest12(void)
948 {
949  TcpSession ssn;
950  Packet *p = NULL;
951  ThreadVars th_v;
952  DetectEngineThreadCtx *det_ctx = NULL;
953  Flow f;
954  uint8_t http_buf[] =
955  "GET /index.html HTTP/1.0\r\n"
956  "Host: www.openinfosecfoundation.org\r\n"
957  "User-Agent: This is dummy body\r\n"
958  "\r\n";
959  uint32_t http_len = sizeof(http_buf) - 1;
960  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
961 
962  memset(&th_v, 0, sizeof(th_v));
963  StatsThreadInit(&th_v.stats);
964  memset(&f, 0, sizeof(f));
965  memset(&ssn, 0, sizeof(ssn));
966 
967  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
968 
969  FLOW_INITIALIZE(&f);
970  f.protoctx = (void *)&ssn;
971  f.proto = IPPROTO_TCP;
972  f.flags |= FLOW_IPV4;
973 
974  p->flow = &f;
975  p->flowflags |= FLOW_PKT_TOSERVER;
976  p->flowflags |= FLOW_PKT_ESTABLISHED;
977  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
978  f.alproto = ALPROTO_HTTP1;
979 
980  StreamTcpInitConfig(true);
981 
982  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
983  FAIL_IF_NULL(de_ctx);
984  de_ctx->flags |= DE_QUIET;
985 
986  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
987  "(msg:\"http user agent test\"; "
988  "content:!\"message\"; http_user_agent; "
989  "sid:1;)");
990  FAIL_IF_NULL(s);
991 
992  SigGroupBuild(de_ctx);
993  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
994 
995  int r = AppLayerParserParse(
996  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
997  FAIL_IF_NOT(r == 0);
998  FAIL_IF_NULL(f.alstate);
999 
1000  /* do detect */
1001  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1002  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1003 
1004  AppLayerParserThreadCtxFree(alp_tctx);
1005  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1006  DetectEngineCtxFree(de_ctx);
1007 
1008  StreamTcpFreeConfig(true);
1009  FLOW_DESTROY(&f);
1010  UTHFreePackets(&p, 1);
1011  StatsThreadCleanup(&th_v.stats);
1012  PASS;
1013 }
1014 
1015 /**
1016  * \test Test that the http_user_agent content matches against a http request
1017  * which holds the content.
1018  */
1019 static int DetectHttpUATest13(void)
1020 {
1021  TcpSession ssn;
1022  Packet *p = NULL;
1023  ThreadVars th_v;
1024  DetectEngineThreadCtx *det_ctx = NULL;
1025  Flow f;
1026  uint8_t http_buf[] =
1027  "GET /index.html HTTP/1.0\r\n"
1028  "Host: www.openinfosecfoundation.org\r\n"
1029  "User-Agent: longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\r\n"
1030  "Content-Type: text/html\r\n"
1031  "\r\n";
1032  uint32_t http_len = sizeof(http_buf) - 1;
1033  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1034 
1035  memset(&th_v, 0, sizeof(th_v));
1036  StatsThreadInit(&th_v.stats);
1037  memset(&f, 0, sizeof(f));
1038  memset(&ssn, 0, sizeof(ssn));
1039 
1040  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1041 
1042  FLOW_INITIALIZE(&f);
1043  f.protoctx = (void *)&ssn;
1044  f.proto = IPPROTO_TCP;
1045  f.flags |= FLOW_IPV4;
1046 
1047  p->flow = &f;
1048  p->flowflags |= FLOW_PKT_TOSERVER;
1049  p->flowflags |= FLOW_PKT_ESTABLISHED;
1050  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1051  f.alproto = ALPROTO_HTTP1;
1052 
1053  StreamTcpInitConfig(true);
1054 
1055  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1056  FAIL_IF_NULL(de_ctx);
1057  de_ctx->flags |= DE_QUIET;
1058 
1059  Signature *s = DetectEngineAppendSig(de_ctx,
1060  "alert http any any -> any any "
1061  "(msg:\"http user agent test\"; "
1062  "content:\"abcdefghijklmnopqrstuvwxyz0123456789\"; http_user_agent; "
1063  "sid:1;)");
1064  FAIL_IF_NULL(s);
1065 
1066  SigGroupBuild(de_ctx);
1067  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1068 
1069  int r = AppLayerParserParse(
1070  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1071  FAIL_IF_NOT(r == 0);
1072  FAIL_IF_NULL(f.alstate);
1073 
1074  /* do detect */
1075  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1076 
1077  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1078 
1079  AppLayerParserThreadCtxFree(alp_tctx);
1080  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1081  DetectEngineCtxFree(de_ctx);
1082  StreamTcpFreeConfig(true);
1083  FLOW_DESTROY(&f);
1084  UTHFreePackets(&p, 1);
1085  StatsThreadCleanup(&th_v.stats);
1086  PASS;
1087 }
1088 
1089 /**
1090  * \test multiple http transactions and body chunks of request handling
1091  */
1092 static int DetectHttpUATest14(void)
1093 {
1094  Signature *s = NULL;
1095  DetectEngineThreadCtx *det_ctx = NULL;
1096  ThreadVars th_v;
1097  Flow f;
1098  TcpSession ssn;
1099  Packet *p = NULL;
1100  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n";
1101  uint8_t httpbuf2[] = "Cookie: dummy1\r\n";
1102  uint8_t httpbuf3[] = "User-Agent: Body one!!\r\n\r\n";
1103  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1104  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1105  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1106  uint8_t httpbuf4[] = "GET /?var=val HTTP/1.1\r\n";
1107  uint8_t httpbuf5[] = "Cookie: dummy2\r\n";
1108  uint8_t httpbuf6[] = "User-Agent: Body two\r\n\r\n";
1109  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1110  uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */
1111  uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */
1112  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1113 
1114  memset(&th_v, 0, sizeof(th_v));
1115  StatsThreadInit(&th_v.stats);
1116  memset(&f, 0, sizeof(f));
1117  memset(&ssn, 0, sizeof(ssn));
1118 
1119  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1120 
1121  FLOW_INITIALIZE(&f);
1122  f.protoctx = (void *)&ssn;
1123  f.proto = IPPROTO_TCP;
1124  f.flags |= FLOW_IPV4;
1125 
1126  p->flow = &f;
1127  p->flowflags |= FLOW_PKT_TOSERVER;
1128  p->flowflags |= FLOW_PKT_ESTABLISHED;
1129  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1130  f.alproto = ALPROTO_HTTP1;
1131 
1132  StreamTcpInitConfig(true);
1133 
1134  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1135  FAIL_IF_NULL(de_ctx);
1136  de_ctx->flags |= DE_QUIET;
1137 
1138  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"POST\"; http_method; content:\"dummy1\"; http_cookie; content:\"Body one\"; http_user_agent; sid:1; rev:1;)");
1139  FAIL_IF_NULL(s);
1140  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"GET\"; http_method; content:\"dummy2\"; http_cookie; content:\"Body two\"; http_user_agent; sid:2; rev:1;)");
1141  FAIL_IF_NULL(s);
1142 
1143  SigGroupBuild(de_ctx);
1144  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1145 
1146  int r = AppLayerParserParse(
1147  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1148  FAIL_IF_NOT(r == 0);
1149 
1150  /* do detect */
1151  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1152  FAIL_IF(PacketAlertCheck(p, 1));
1153 
1154  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1155  FAIL_IF_NOT(r == 0);
1156 
1157  /* do detect */
1158  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1159  FAIL_IF(PacketAlertCheck(p, 1));
1160 
1161  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1162  FAIL_IF_NOT(r == 0);
1163 
1164  /* do detect */
1165  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1166  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1167  p->alerts.cnt = 0;
1168 
1169  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
1170  FAIL_IF_NOT(r == 0);
1171 
1172  /* do detect */
1173  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1174  FAIL_IF(PacketAlertCheck(p, 1));
1175  FAIL_IF(PacketAlertCheck(p, 2));
1176 
1177  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf5, httplen5);
1178  FAIL_IF_NOT(r == 0);
1179 
1180  /* do detect */
1181  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1182  FAIL_IF(PacketAlertCheck(p, 1));
1183  FAIL_IF(PacketAlertCheck(p, 2));
1184 
1185  SCLogDebug("sending data chunk 7");
1186 
1187  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf6, httplen6);
1188  FAIL_IF_NOT(r == 0);
1189 
1190  /* do detect */
1191  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1192  FAIL_IF(PacketAlertCheck(p, 1));
1193  FAIL_IF_NOT(PacketAlertCheck(p, 2));
1194  p->alerts.cnt = 0;
1195 
1196  HtpState *htp_state = f.alstate;
1197  FAIL_IF_NULL(htp_state);
1198  FAIL_IF_NOT(AppLayerParserGetTxCnt(&f, htp_state) == 2);
1199 
1200  AppLayerParserThreadCtxFree(alp_tctx);
1201  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1202  DetectEngineCtxFree(de_ctx);
1203 
1204  StreamTcpFreeConfig(true);
1205  FLOW_DESTROY(&f);
1206  UTHFreePacket(p);
1207  StatsThreadCleanup(&th_v.stats);
1208  PASS;
1209 }
1210 
1211 static void DetectHttpUARegisterTests(void)
1212 {
1213  UtRegisterTest("DetectEngineHttpUATest01", DetectEngineHttpUATest01);
1214  UtRegisterTest("DetectEngineHttpUATest02", DetectEngineHttpUATest02);
1215  UtRegisterTest("DetectEngineHttpUATest03", DetectEngineHttpUATest03);
1216  UtRegisterTest("DetectEngineHttpUATest04", DetectEngineHttpUATest04);
1217  UtRegisterTest("DetectEngineHttpUATest05", DetectEngineHttpUATest05);
1218  UtRegisterTest("DetectEngineHttpUATest06", DetectEngineHttpUATest06);
1219  UtRegisterTest("DetectEngineHttpUATest07", DetectEngineHttpUATest07);
1220  UtRegisterTest("DetectEngineHttpUATest08", DetectEngineHttpUATest08);
1221  UtRegisterTest("DetectEngineHttpUATest09", DetectEngineHttpUATest09);
1222  UtRegisterTest("DetectEngineHttpUATest10", DetectEngineHttpUATest10);
1223  UtRegisterTest("DetectEngineHttpUATest11", DetectEngineHttpUATest11);
1224  UtRegisterTest("DetectEngineHttpUATest12", DetectEngineHttpUATest12);
1225  UtRegisterTest("DetectEngineHttpUATest13", DetectEngineHttpUATest13);
1226  UtRegisterTest("DetectEngineHttpUATest14", DetectEngineHttpUATest14);
1227  UtRegisterTest("DetectEngineHttpUATest15", DetectEngineHttpUATest15);
1228  UtRegisterTest("DetectEngineHttpUATest16", DetectEngineHttpUATest16);
1229  UtRegisterTest("DetectEngineHttpUATest17", DetectEngineHttpUATest17);
1230 
1231  UtRegisterTest("DetectHttpUATest01", DetectHttpUATest01);
1232  UtRegisterTest("DetectHttpUATest02", DetectHttpUATest02);
1233  UtRegisterTest("DetectHttpUATest03", DetectHttpUATest03);
1234  UtRegisterTest("DetectHttpUATest04", DetectHttpUATest04);
1235  UtRegisterTest("DetectHttpUATest05", DetectHttpUATest05);
1236  UtRegisterTest("DetectHttpUATest06", DetectHttpUATest06);
1237  UtRegisterTest("DetectHttpUATest07", DetectHttpUATest07);
1238  UtRegisterTest("DetectHttpUATest08", DetectHttpUATest08);
1239  UtRegisterTest("DetectHttpUATest09", DetectHttpUATest09);
1240  UtRegisterTest("DetectHttpUATest10", DetectHttpUATest10);
1241  UtRegisterTest("DetectHttpUATest11", DetectHttpUATest11);
1242  UtRegisterTest("DetectHttpUATest12", DetectHttpUATest12);
1243  UtRegisterTest("DetectHttpUATest13", DetectHttpUATest13);
1244  UtRegisterTest("DetectHttpUATest14", DetectHttpUATest14);
1245 }
1246 
1247 /**
1248  * @}
1249  */
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1268
flow-util.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:279
Flow_::proto
uint8_t proto
Definition: flow.h:370
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:287
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:142
Packet_::flags
uint32_t flags
Definition: decode.h:544
Flow_
Flow data structure.
Definition: flow.h:348
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:933
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2634
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2418
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3447
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:532
Flow_::protoctx
void * protoctx
Definition: flow.h:433
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:100
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:620
util-unittest.h
HtpState_
Definition: app-layer-htp.h:181
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:496
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
app-layer-htp.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1245
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:23
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3364
app-layer-parser.h
Packet_
Definition: decode.h:501
detect-engine-build.h
detect-engine-alert.h
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2194
StatsThreadInit
void StatsThreadInit(StatsThreadContext *stats)
Definition: counters.c:1258
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:867
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1277
suricata-common.h
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3601
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:473
Flow_::alstate
void * alstate
Definition: flow.h:471
Flow_::flags
uint32_t flags
Definition: flow.h:413
Signature_
Signature container.
Definition: detect.h:668
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:227
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2595
app-layer-protos.h
suricata.h
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:935
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
TcpSession_
Definition: stream-tcp-private.h:283
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:442
ThreadVars_::stats
StatsThreadContext stats
Definition: threadvars.h:121
StatsThreadCleanup
void StatsThreadCleanup(StatsThreadContext *stats)
Definition: counters.c:1354
AppLayerParserGetTxCnt
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
Definition: app-layer-parser.c:1088
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1264
app-layer.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:456