suricata
detect-http-user-agent.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /** \file
26  *
27  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
28  * \author Victor Julien <victor@inliniac.net>
29  *
30  * \brief Handle HTTP user agent match
31  *
32  */
33 
34 #include "suricata-common.h"
35 #include "suricata.h"
36 #include "flow-util.h"
37 #include "flow.h"
38 #include "app-layer-parser.h"
39 #include "util-unittest.h"
40 #include "util-unittest-helper.h"
41 #include "app-layer.h"
42 #include "app-layer-htp.h"
43 #include "app-layer-protos.h"
44 #include "detect-engine-build.h"
45 #include "detect-engine-alert.h"
46 
47 static int DetectEngineHttpUATest(
48  const uint8_t *buf, const uint32_t buf_len, const char *sig, const bool expect)
49 {
50  TcpSession ssn;
51  ThreadVars th_v;
52  DetectEngineThreadCtx *det_ctx = NULL;
53  Flow f;
54 
55  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
56  FAIL_IF_NULL(alp_tctx);
57 
58  memset(&th_v, 0, sizeof(th_v));
59  memset(&f, 0, sizeof(f));
60  memset(&ssn, 0, sizeof(ssn));
61 
62  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
63  FAIL_IF_NULL(p);
64 
65  FLOW_INITIALIZE(&f);
66  f.protoctx = (void *)&ssn;
67  f.proto = IPPROTO_TCP;
68  f.flags |= FLOW_IPV4;
69  p->flow = &f;
70  p->flowflags |= FLOW_PKT_TOSERVER;
71  p->flowflags |= FLOW_PKT_ESTABLISHED;
72  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
73  f.alproto = ALPROTO_HTTP1;
74 
75  StreamTcpInitConfig(true);
76 
77  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
78  FAIL_IF_NULL(de_ctx);
79  de_ctx->flags |= DE_QUIET;
80 
81  Signature *s = DetectEngineAppendSig(de_ctx, sig);
82  FAIL_IF_NULL(s);
83 
84  SigGroupBuild(de_ctx);
85  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
86  FAIL_IF_NULL(det_ctx);
87 
88  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buf_len);
89  FAIL_IF_NOT(r == 0);
90  FAIL_IF_NULL(f.alstate);
91 
92  /* do detect */
93  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
94 
95  bool match = PacketAlertCheck(p, 1);
96  FAIL_IF_NOT(match == expect);
97 
98  AppLayerParserThreadCtxFree(alp_tctx);
99 
100  DetectEngineCtxFree(de_ctx);
101  StreamTcpFreeConfig(true);
102  FLOW_DESTROY(&f);
103  UTHFreePackets(&p, 1);
104  PASS;
105 }
106 
107 static int DetectEngineHttpUATest01(void)
108 {
109  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
110  "User-Agent: CONNECT\r\n"
111  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
112  uint32_t http_len = sizeof(http_buf) - 1;
113  return DetectEngineHttpUATest(http_buf, http_len,
114  "alert http any any -> any any "
115  "(msg:\"http user agent test\"; "
116  "content:\"CONNECT\"; http_user_agent; "
117  "sid:1;)",
118  true);
119 }
120 
121 static int DetectEngineHttpUATest02(void)
122 {
123  uint8_t http_buf[] = "GET /index.html HTTP/1.0\r\n"
124  "User-Agent: CONNECT\r\n"
125  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
126  uint32_t http_len = sizeof(http_buf) - 1;
127  return DetectEngineHttpUATest(http_buf, http_len,
128  "alert http any any -> any any "
129  "(msg:\"http user agent test\"; "
130  "content:\"CO\"; depth:4; http_user_agent; "
131  "sid:1;)",
132  true);
133 }
134 
135 static int DetectEngineHttpUATest03(void)
136 {
137  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
138  "User-Agent: CONNECT\r\n"
139  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
140  uint32_t http_len = sizeof(http_buf) - 1;
141  return DetectEngineHttpUATest(http_buf, http_len,
142  "alert http any any -> any any "
143  "(msg:\"http_user_agent test\"; "
144  "content:!\"ECT\"; depth:4; http_user_agent; "
145  "sid:1;)",
146  true);
147 }
148 
149 static int DetectEngineHttpUATest04(void)
150 {
151  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
152  "User-Agent: CONNECT\r\n"
153  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
154  uint32_t http_len = sizeof(http_buf) - 1;
155  return DetectEngineHttpUATest(http_buf, http_len,
156  "alert http any any -> any any "
157  "(msg:\"http user agent test\"; "
158  "content:\"ECT\"; depth:4; http_user_agent; "
159  "sid:1;)",
160  false);
161 }
162 
163 static int DetectEngineHttpUATest05(void)
164 {
165  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
166  "User-Agent: CONNECT\r\n"
167  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
168  uint32_t http_len = sizeof(http_buf) - 1;
169  return DetectEngineHttpUATest(http_buf, http_len,
170  "alert http any any -> any any "
171  "(msg:\"http user agent test\"; "
172  "content:!\"CON\"; depth:4; http_user_agent; "
173  "sid:1;)",
174  false);
175 }
176 
177 static int DetectEngineHttpUATest06(void)
178 {
179  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
180  "User-Agent: CONNECT\r\n"
181  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
182  uint32_t http_len = sizeof(http_buf) - 1;
183  return DetectEngineHttpUATest(http_buf, http_len,
184  "alert http any any -> any any "
185  "(msg:\"http user agent test\"; "
186  "content:\"ECT\"; offset:3; http_user_agent; "
187  "sid:1;)",
188  true);
189 }
190 
191 static int DetectEngineHttpUATest07(void)
192 {
193  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
194  "User-Agent: CONNECT\r\n"
195  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
196  uint32_t http_len = sizeof(http_buf) - 1;
197  return DetectEngineHttpUATest(http_buf, http_len,
198  "alert http any any -> any any "
199  "(msg:\"http user agent test\"; "
200  "content:!\"CO\"; offset:3; http_user_agent; "
201  "sid:1;)",
202  true);
203 }
204 
205 static int DetectEngineHttpUATest08(void)
206 {
207  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
208  "User-Agent: CONNECT\r\n"
209  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
210  uint32_t http_len = sizeof(http_buf) - 1;
211  return DetectEngineHttpUATest(http_buf, http_len,
212  "alert http any any -> any any "
213  "(msg:\"http user agent test\"; "
214  "content:!\"ECT\"; offset:3; http_user_agent; "
215  "sid:1;)",
216  false);
217 }
218 
219 static int DetectEngineHttpUATest09(void)
220 {
221  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
222  "User-Agent: CONNECT\r\n"
223  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
224  uint32_t http_len = sizeof(http_buf) - 1;
225  return DetectEngineHttpUATest(http_buf, http_len,
226  "alert http any any -> any any "
227  "(msg:\"http user agent test\"; "
228  "content:\"CON\"; offset:3; http_user_agent; "
229  "sid:1;)",
230  false);
231 }
232 
233 static int DetectEngineHttpUATest10(void)
234 {
235  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
236  "User-Agent: CONNECT\r\n"
237  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
238  uint32_t http_len = sizeof(http_buf) - 1;
239  return DetectEngineHttpUATest(http_buf, http_len,
240  "alert http any any -> any any "
241  "(msg:\"http_user_agent test\"; "
242  "content:\"CO\"; http_user_agent; "
243  "content:\"EC\"; within:4; http_user_agent; "
244  "sid:1;)",
245  true);
246 }
247 
248 static int DetectEngineHttpUATest11(void)
249 {
250  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
251  "User-Agent: CONNECT\r\n"
252  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
253  uint32_t http_len = sizeof(http_buf) - 1;
254  return DetectEngineHttpUATest(http_buf, http_len,
255  "alert http any any -> any any "
256  "(msg:\"http user agent test\"; "
257  "content:\"CO\"; http_user_agent; "
258  "content:!\"EC\"; within:3; http_user_agent; "
259  "sid:1;)",
260  true);
261 }
262 
263 static int DetectEngineHttpUATest12(void)
264 {
265  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
266  "User-Agent: CONNECT\r\n"
267  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
268  uint32_t http_len = sizeof(http_buf) - 1;
269  return DetectEngineHttpUATest(http_buf, http_len,
270  "alert http any any -> any any "
271  "(msg:\"http_user_agent test\"; "
272  "content:\"CO\"; http_user_agent; "
273  "content:\"EC\"; within:3; http_user_agent; "
274  "sid:1;)",
275  false);
276 }
277 
278 static int DetectEngineHttpUATest13(void)
279 {
280  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
281  "User-Agent: CONNECT\r\n"
282  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
283  uint32_t http_len = sizeof(http_buf) - 1;
284  return DetectEngineHttpUATest(http_buf, http_len,
285  "alert http any any -> any any "
286  "(msg:\"http user agent test\"; "
287  "content:\"CO\"; http_user_agent; "
288  "content:!\"EC\"; within:4; http_user_agent; "
289  "sid:1;)",
290  false);
291 }
292 
293 static int DetectEngineHttpUATest14(void)
294 {
295  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
296  "User-Agent: CONNECT\r\n"
297  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
298  uint32_t http_len = sizeof(http_buf) - 1;
299  return DetectEngineHttpUATest(http_buf, http_len,
300  "alert http any any -> any any "
301  "(msg:\"http_user_agent test\"; "
302  "content:\"CO\"; http_user_agent; "
303  "content:\"EC\"; distance:2; http_user_agent; "
304  "sid:1;)",
305  true);
306 }
307 
308 static int DetectEngineHttpUATest15(void)
309 {
310  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
311  "User-Agent: CONNECT\r\n"
312  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
313  uint32_t http_len = sizeof(http_buf) - 1;
314  return DetectEngineHttpUATest(http_buf, http_len,
315  "alert http any any -> any any "
316  "(msg:\"http user agent test\"; "
317  "content:\"CO\"; http_user_agent; "
318  "content:!\"EC\"; distance:3; http_user_agent; "
319  "sid:1;)",
320  true);
321 }
322 
323 static int DetectEngineHttpUATest16(void)
324 {
325  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
326  "User-Agent: CONNECT\r\n"
327  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
328  uint32_t http_len = sizeof(http_buf) - 1;
329  return DetectEngineHttpUATest(http_buf, http_len,
330  "alert http any any -> any any "
331  "(msg:\"http user agent test\"; "
332  "content:\"CO\"; http_user_agent; "
333  "content:\"EC\"; distance:3; http_user_agent; "
334  "sid:1;)",
335  false);
336 }
337 
338 static int DetectEngineHttpUATest17(void)
339 {
340  uint8_t http_buf[] = "CONNECT /index.html HTTP/1.0\r\n"
341  "User-Agent: CONNECT\r\n"
342  "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
343  uint32_t http_len = sizeof(http_buf) - 1;
344  return DetectEngineHttpUATest(http_buf, http_len,
345  "alert http any any -> any any "
346  "(msg:\"http_user_agent test\"; "
347  "content:\"CO\"; http_user_agent; "
348  "content:!\"EC\"; distance:2; http_user_agent; "
349  "sid:1;)",
350  false);
351 }
352 
353 static int DetectHttpUATestSigParse(const char *sig, const bool expect)
354 {
355  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
356  FAIL_IF_NULL(de_ctx);
357  de_ctx->flags |= DE_QUIET;
358 
359  Signature *s = DetectEngineAppendSig(de_ctx, sig);
360  bool parsed = (s != NULL);
361  FAIL_IF_NOT(parsed == expect);
362  DetectEngineCtxFree(de_ctx);
363  PASS;
364 }
365 
366 /**
367  * \test Test that a signature containing a http_user_agent is correctly parsed
368  * and the keyword is registered.
369  */
370 static int DetectHttpUATest01(void)
371 {
372  return DetectHttpUATestSigParse("alert tcp any any -> any any "
373  "(msg:\"Testing http_user_agent\"; "
374  "content:\"one\"; http_user_agent; sid:1;)",
375  true);
376 }
377 
378 /**
379  * \test Test that a signature containing an valid http_user_agent entry is
380  * parsed.
381  */
382 static int DetectHttpUATest02(void)
383 {
384  return DetectHttpUATestSigParse("alert tcp any any -> any any "
385  "(msg:\"Testing http_user_agent\"; "
386  "content:\"one\"; http_user_agent:; sid:1;)",
387  true);
388 }
389 
390 /**
391  * \test Test that an invalid signature containing no content but a
392  * http_user_agent is invalidated.
393  */
394 static int DetectHttpUATest03(void)
395 {
396  return DetectHttpUATestSigParse("alert tcp any any -> any any "
397  "(msg:\"Testing http_user_agent\"; "
398  "http_user_agent; sid:1;)",
399  false);
400 }
401 
402 /**
403  * \test Test that an invalid signature containing a rawbytes along with a
404  * http_user_agent is invalidated.
405  */
406 static int DetectHttpUATest04(void)
407 {
408  return DetectHttpUATestSigParse("alert tcp any any -> any any "
409  "(msg:\"Testing http_user_agent\"; "
410  "content:\"one\"; rawbytes; http_user_agent; sid:1;)",
411  false);
412 }
413 
414 /**
415  * \test Test that a http_user_agent with nocase is parsed.
416  */
417 static int DetectHttpUATest05(void)
418 {
419  return DetectHttpUATestSigParse("alert tcp any any -> any any "
420  "(msg:\"Testing http_user_agent\"; "
421  "content:\"one\"; http_user_agent; nocase; sid:1;)",
422  true);
423 }
424 
425 /**
426  *\test Test that the http_user_agent content matches against a http request
427  * which holds the content.
428  */
429 static int DetectHttpUATest06(void)
430 {
431  TcpSession ssn;
432  ThreadVars th_v;
433  DetectEngineThreadCtx *det_ctx = NULL;
434  Flow f;
435  uint8_t http_buf[] =
436  "GET /index.html HTTP/1.0\r\n"
437  "Host: www.openinfosecfoundation.org\r\n"
438  "User-Agent: This is dummy message body\r\n"
439  "Content-Type: text/html\r\n"
440  "\r\n";
441  uint32_t http_len = sizeof(http_buf) - 1;
442  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
443 
444  memset(&th_v, 0, sizeof(th_v));
445  memset(&f, 0, sizeof(f));
446  memset(&ssn, 0, sizeof(ssn));
447 
448  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
449  FAIL_IF_NULL(p);
450 
451  FLOW_INITIALIZE(&f);
452  f.protoctx = (void *)&ssn;
453  f.proto = IPPROTO_TCP;
454  f.flags |= FLOW_IPV4;
455 
456  p->flow = &f;
457  p->flowflags |= FLOW_PKT_TOSERVER;
458  p->flowflags |= FLOW_PKT_ESTABLISHED;
459  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
460  f.alproto = ALPROTO_HTTP1;
461 
462  StreamTcpInitConfig(true);
463 
464  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
465  FAIL_IF_NULL(de_ctx);
466  de_ctx->flags |= DE_QUIET;
467 
468  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
469  "(msg:\"http user agent test\"; "
470  "content:\"message\"; http_user_agent; "
471  "sid:1;)");
472  FAIL_IF_NULL(s);
473 
474  SigGroupBuild(de_ctx);
475  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
476 
477  int r = AppLayerParserParse(
478  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
479  FAIL_IF_NOT(r == 0);
480  FAIL_IF_NULL(f.alstate);
481 
482  /* do detect */
483  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
484 
485  FAIL_IF_NOT(PacketAlertCheck(p, 1));
486 
487  AppLayerParserThreadCtxFree(alp_tctx);
488  DetectEngineCtxFree(de_ctx);
489 
490  StreamTcpFreeConfig(true);
491  FLOW_DESTROY(&f);
492  UTHFreePackets(&p, 1);
493  PASS;
494 }
495 
496 /**
497  *\test Test that the http_user_agent content matches against a http request
498  * which holds the content.
499  */
500 static int DetectHttpUATest07(void)
501 {
502  TcpSession ssn;
503  Packet *p1 = NULL;
504  Packet *p2 = NULL;
505  ThreadVars th_v;
506  DetectEngineThreadCtx *det_ctx = NULL;
507  Flow f;
508  uint8_t http1_buf[] =
509  "GET /index.html HTTP/1.0\r\n"
510  "Host: www.openinfosecfoundation.org\r\n"
511  "User-Agent: This is dummy message";
512  uint8_t http2_buf[] =
513  "body1\r\n\r\n";
514  uint32_t http1_len = sizeof(http1_buf) - 1;
515  uint32_t http2_len = sizeof(http2_buf) - 1;
516  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
517 
518  memset(&th_v, 0, sizeof(th_v));
519  memset(&f, 0, sizeof(f));
520  memset(&ssn, 0, sizeof(ssn));
521 
522  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
523  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
524 
525  FLOW_INITIALIZE(&f);
526  f.protoctx = (void *)&ssn;
527  f.proto = IPPROTO_TCP;
528  f.flags |= FLOW_IPV4;
529 
530  p1->flow = &f;
531  p1->flowflags |= FLOW_PKT_TOSERVER;
532  p1->flowflags |= FLOW_PKT_ESTABLISHED;
533  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
534  p2->flow = &f;
535  p2->flowflags |= FLOW_PKT_TOSERVER;
536  p2->flowflags |= FLOW_PKT_ESTABLISHED;
537  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
538  f.alproto = ALPROTO_HTTP1;
539 
540  StreamTcpInitConfig(true);
541 
542  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
543  FAIL_IF_NULL(de_ctx);
544  de_ctx->flags |= DE_QUIET;
545 
546  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
547  "(msg:\"http user agent test\"; "
548  "content:\"message\"; http_user_agent; "
549  "sid:1;)");
550  FAIL_IF_NULL(s);
551 
552  SigGroupBuild(de_ctx);
553  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
554 
555  int r = AppLayerParserParse(
556  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
557  FAIL_IF_NOT(r == 0);
558  FAIL_IF_NULL(f.alstate);
559 
560  /* do detect */
561  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
562 
563  FAIL_IF(PacketAlertCheck(p1, 1));
564 
565  r = AppLayerParserParse(
566  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
567  FAIL_IF_NOT(r == 0);
568  FAIL_IF_NULL(f.alstate);
569 
570  /* do detect */
571  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
572  FAIL_IF_NOT(PacketAlertCheck(p2, 1));
573 
574  AppLayerParserThreadCtxFree(alp_tctx);
575  DetectEngineCtxFree(de_ctx);
576 
577  StreamTcpFreeConfig(true);
578  FLOW_DESTROY(&f);
579  UTHFreePackets(&p1, 1);
580  UTHFreePackets(&p2, 1);
581  PASS;
582 }
583 
584 /**
585  *\test Test that the http_user_agent content matches against a http request
586  * which holds the content.
587  */
588 static int DetectHttpUATest08(void)
589 {
590  TcpSession ssn;
591  Packet *p1 = NULL;
592  Packet *p2 = NULL;
593  ThreadVars th_v;
594  DetectEngineThreadCtx *det_ctx = NULL;
595  Flow f;
596  uint8_t http1_buf[] =
597  "GET /index.html HTTP/1.0\r\n"
598  "Host: www.openinfosecfoundation.org\r\n"
599  "User-Agent: This is dummy mess";
600  uint8_t http2_buf[] =
601  "age body\r\n\r\n";
602  uint32_t http1_len = sizeof(http1_buf) - 1;
603  uint32_t http2_len = sizeof(http2_buf) - 1;
604  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
605 
606  memset(&th_v, 0, sizeof(th_v));
607  memset(&f, 0, sizeof(f));
608  memset(&ssn, 0, sizeof(ssn));
609 
610  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
611  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
612 
613  FLOW_INITIALIZE(&f);
614  f.protoctx = (void *)&ssn;
615  f.proto = IPPROTO_TCP;
616  f.flags |= FLOW_IPV4;
617 
618  p1->flow = &f;
619  p1->flowflags |= FLOW_PKT_TOSERVER;
620  p1->flowflags |= FLOW_PKT_ESTABLISHED;
621  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
622  p2->flow = &f;
623  p2->flowflags |= FLOW_PKT_TOSERVER;
624  p2->flowflags |= FLOW_PKT_ESTABLISHED;
625  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
626  f.alproto = ALPROTO_HTTP1;
627 
628  StreamTcpInitConfig(true);
629 
630  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
631  FAIL_IF_NULL(de_ctx);
632  de_ctx->flags |= DE_QUIET;
633 
634  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
635  "(msg:\"http user agent test\"; "
636  "content:\"message\"; http_user_agent; "
637  "sid:1;)");
638  FAIL_IF_NULL(s);
639 
640  SigGroupBuild(de_ctx);
641  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
642 
643  int r = AppLayerParserParse(
644  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
645  FAIL_IF_NOT(r == 0);
646  FAIL_IF_NULL(f.alstate);
647 
648  /* do detect */
649  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
650  FAIL_IF(PacketAlertCheck(p1, 1));
651 
652  r = AppLayerParserParse(
653  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
654  FAIL_IF_NOT(r == 0);
655  FAIL_IF_NULL(f.alstate);
656 
657  /* do detect */
658  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
659 
660  FAIL_IF_NOT(PacketAlertCheck(p2, 1));
661 
662  AppLayerParserThreadCtxFree(alp_tctx);
663  DetectEngineCtxFree(de_ctx);
664 
665  StreamTcpFreeConfig(true);
666  FLOW_DESTROY(&f);
667  UTHFreePackets(&p1, 1);
668  UTHFreePackets(&p2, 1);
669  PASS;
670 }
671 
672 /**
673  *\test Test that the http_user_agent content matches against a http request
674  * which holds the content, against a cross boundary present pattern.
675  */
676 static int DetectHttpUATest09(void)
677 {
678  TcpSession ssn;
679  Packet *p1 = NULL;
680  Packet *p2 = NULL;
681  ThreadVars th_v;
682  DetectEngineThreadCtx *det_ctx = NULL;
683  Flow f;
684  uint8_t http1_buf[] =
685  "GET /index.html HTTP/1.0\r\n"
686  "Host: www.openinfosecfoundation.org\r\n"
687  "User-Agent: This is dummy body1";
688  uint8_t http2_buf[] =
689  "This is dummy message body2\r\n"
690  "Content-Type: text/html\r\n"
691  "Content-Length: 46\r\n"
692  "\r\n"
693  "This is dummy body1";
694  uint32_t http1_len = sizeof(http1_buf) - 1;
695  uint32_t http2_len = sizeof(http2_buf) - 1;
696  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
697 
698  memset(&th_v, 0, sizeof(th_v));
699  memset(&f, 0, sizeof(f));
700  memset(&ssn, 0, sizeof(ssn));
701 
702  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
703  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
704 
705  FLOW_INITIALIZE(&f);
706  f.protoctx = (void *)&ssn;
707  f.proto = IPPROTO_TCP;
708  f.flags |= FLOW_IPV4;
709 
710  p1->flow = &f;
711  p1->flowflags |= FLOW_PKT_TOSERVER;
712  p1->flowflags |= FLOW_PKT_ESTABLISHED;
713  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
714  p2->flow = &f;
715  p2->flowflags |= FLOW_PKT_TOSERVER;
716  p2->flowflags |= FLOW_PKT_ESTABLISHED;
717  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
718  f.alproto = ALPROTO_HTTP1;
719 
720  StreamTcpInitConfig(true);
721 
722  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
723  FAIL_IF_NULL(de_ctx);
724  de_ctx->flags |= DE_QUIET;
725 
726  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
727  "(msg:\"http user agent test\"; "
728  "content:\"body1This\"; http_user_agent; "
729  "sid:1;)");
730  FAIL_IF_NULL(s);
731 
732  SigGroupBuild(de_ctx);
733  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
734 
735  int r = AppLayerParserParse(
736  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
737  FAIL_IF_NOT(r == 0);
738  FAIL_IF_NULL(f.alstate);
739 
740  /* do detect */
741  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
742  FAIL_IF(PacketAlertCheck(p1, 1));
743 
744  r = AppLayerParserParse(
745  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
746  FAIL_IF_NOT(r == 0);
747  FAIL_IF_NULL(f.alstate);
748 
749  /* do detect */
750  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
751 
752  FAIL_IF_NOT(PacketAlertCheck(p2, 1));
753 
754  AppLayerParserThreadCtxFree(alp_tctx);
755  DetectEngineCtxFree(de_ctx);
756  StreamTcpFreeConfig(true);
757  FLOW_DESTROY(&f);
758  UTHFreePackets(&p1, 1);
759  UTHFreePackets(&p2, 1);
760  PASS;
761 }
762 
763 /**
764  *\test Test that the http_user_agent content matches against a http request
765  * against a case insensitive pattern.
766  */
767 static int DetectHttpUATest10(void)
768 {
769  TcpSession ssn;
770  Packet *p1 = NULL;
771  Packet *p2 = NULL;
772  ThreadVars th_v;
773  DetectEngineThreadCtx *det_ctx = NULL;
774  Flow f;
775  uint8_t http1_buf[] =
776  "GET /index.html HTTP/1.0\r\n"
777  "Host: www.openinfosecfoundation.org\r\n"
778  "User-Agent: This is dummy bodY1";
779  uint8_t http2_buf[] =
780  "This is dummy message body2\r\n"
781  "Content-Type: text/html\r\n"
782  "Content-Length: 46\r\n"
783  "\r\n"
784  "This is dummy bodY1";
785  uint32_t http1_len = sizeof(http1_buf) - 1;
786  uint32_t http2_len = sizeof(http2_buf) - 1;
787  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
788 
789  memset(&th_v, 0, sizeof(th_v));
790  memset(&f, 0, sizeof(f));
791  memset(&ssn, 0, sizeof(ssn));
792 
793  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
794  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
795 
796  FLOW_INITIALIZE(&f);
797  f.protoctx = (void *)&ssn;
798  f.proto = IPPROTO_TCP;
799  f.flags |= FLOW_IPV4;
800 
801  p1->flow = &f;
802  p1->flowflags |= FLOW_PKT_TOSERVER;
803  p1->flowflags |= FLOW_PKT_ESTABLISHED;
804  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
805  p2->flow = &f;
806  p2->flowflags |= FLOW_PKT_TOSERVER;
807  p2->flowflags |= FLOW_PKT_ESTABLISHED;
808  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
809  f.alproto = ALPROTO_HTTP1;
810 
811  StreamTcpInitConfig(true);
812 
813  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
814  FAIL_IF_NULL(de_ctx);
815  de_ctx->flags |= DE_QUIET;
816 
817  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
818  "(msg:\"http user agent test\"; "
819  "content:\"body1this\"; http_user_agent; nocase;"
820  "sid:1;)");
821  FAIL_IF_NULL(s);
822 
823  SigGroupBuild(de_ctx);
824  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
825 
826  int r = AppLayerParserParse(
827  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
828  FAIL_IF_NOT(r == 0);
829  FAIL_IF_NULL(f.alstate);
830 
831  /* do detect */
832  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
833  FAIL_IF(PacketAlertCheck(p1, 1));
834 
835  r = AppLayerParserParse(
836  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
837  FAIL_IF_NOT(r == 0);
838  FAIL_IF_NULL(f.alstate);
839 
840  /* do detect */
841  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
842  FAIL_IF_NOT(PacketAlertCheck(p2, 1));
843 
844  AppLayerParserThreadCtxFree(alp_tctx);
845  DetectEngineCtxFree(de_ctx);
846  StreamTcpFreeConfig(true);
847  FLOW_DESTROY(&f);
848  UTHFreePackets(&p1, 1);
849  UTHFreePackets(&p2, 1);
850  PASS;
851 }
852 
853 /**
854  *\test Test that the negated http_user_agent content matches against a
855  * http request which doesn't hold the content.
856  */
857 static int DetectHttpUATest11(void)
858 {
859  TcpSession ssn;
860  Packet *p = NULL;
861  ThreadVars th_v;
862  DetectEngineThreadCtx *det_ctx = NULL;
863  Flow f;
864  uint8_t http_buf[] =
865  "GET /index.html HTTP/1.0\r\n"
866  "Host: www.openinfosecfoundation.org\r\n"
867  "User-Agent: This is dummy message body\r\n"
868  "Content-Type: text/html\r\n"
869  "\r\n";
870  uint32_t http_len = sizeof(http_buf) - 1;
871  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
872 
873  memset(&th_v, 0, sizeof(th_v));
874  memset(&f, 0, sizeof(f));
875  memset(&ssn, 0, sizeof(ssn));
876 
877  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
878 
879  FLOW_INITIALIZE(&f);
880  f.protoctx = (void *)&ssn;
881  f.proto = IPPROTO_TCP;
882  f.flags |= FLOW_IPV4;
883 
884  p->flow = &f;
885  p->flowflags |= FLOW_PKT_TOSERVER;
886  p->flowflags |= FLOW_PKT_ESTABLISHED;
887  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
888  f.alproto = ALPROTO_HTTP1;
889 
890  StreamTcpInitConfig(true);
891 
892  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
893  FAIL_IF_NULL(de_ctx);
894  de_ctx->flags |= DE_QUIET;
895 
896  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
897  "(msg:\"http user agent test\"; "
898  "content:!\"message\"; http_user_agent; "
899  "sid:1;)");
900  FAIL_IF_NULL(s);
901 
902  SigGroupBuild(de_ctx);
903  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
904 
905  int r = AppLayerParserParse(
906  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
907  FAIL_IF_NOT(r == 0);
908  FAIL_IF_NULL(f.alstate);
909 
910  /* do detect */
911  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
912 
913  FAIL_IF(PacketAlertCheck(p, 1));
914 
915  AppLayerParserThreadCtxFree(alp_tctx);
916  DetectEngineCtxFree(de_ctx);
917  StreamTcpFreeConfig(true);
918  FLOW_DESTROY(&f);
919  UTHFreePackets(&p, 1);
920  PASS;
921 }
922 
923 /**
924  *\test Negative test that the negated http_user_agent content matches against a
925  * http request which holds hold the content.
926  */
927 static int DetectHttpUATest12(void)
928 {
929  TcpSession ssn;
930  Packet *p = NULL;
931  ThreadVars th_v;
932  DetectEngineThreadCtx *det_ctx = NULL;
933  Flow f;
934  uint8_t http_buf[] =
935  "GET /index.html HTTP/1.0\r\n"
936  "Host: www.openinfosecfoundation.org\r\n"
937  "User-Agent: This is dummy body\r\n"
938  "\r\n";
939  uint32_t http_len = sizeof(http_buf) - 1;
940  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
941 
942  memset(&th_v, 0, sizeof(th_v));
943  memset(&f, 0, sizeof(f));
944  memset(&ssn, 0, sizeof(ssn));
945 
946  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
947 
948  FLOW_INITIALIZE(&f);
949  f.protoctx = (void *)&ssn;
950  f.proto = IPPROTO_TCP;
951  f.flags |= FLOW_IPV4;
952 
953  p->flow = &f;
954  p->flowflags |= FLOW_PKT_TOSERVER;
955  p->flowflags |= FLOW_PKT_ESTABLISHED;
956  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
957  f.alproto = ALPROTO_HTTP1;
958 
959  StreamTcpInitConfig(true);
960 
961  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
962  FAIL_IF_NULL(de_ctx);
963  de_ctx->flags |= DE_QUIET;
964 
965  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
966  "(msg:\"http user agent test\"; "
967  "content:!\"message\"; http_user_agent; "
968  "sid:1;)");
969  FAIL_IF_NULL(s);
970 
971  SigGroupBuild(de_ctx);
972  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
973 
974  int r = AppLayerParserParse(
975  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
976  FAIL_IF_NOT(r == 0);
977  FAIL_IF_NULL(f.alstate);
978 
979  /* do detect */
980  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
981  FAIL_IF_NOT(PacketAlertCheck(p, 1));
982 
983  AppLayerParserThreadCtxFree(alp_tctx);
984  DetectEngineCtxFree(de_ctx);
985 
986  StreamTcpFreeConfig(true);
987  FLOW_DESTROY(&f);
988  UTHFreePackets(&p, 1);
989  PASS;
990 }
991 
992 /**
993  * \test Test that the http_user_agent content matches against a http request
994  * which holds the content.
995  */
996 static int DetectHttpUATest13(void)
997 {
998  TcpSession ssn;
999  Packet *p = NULL;
1000  ThreadVars th_v;
1001  DetectEngineThreadCtx *det_ctx = NULL;
1002  Flow f;
1003  uint8_t http_buf[] =
1004  "GET /index.html HTTP/1.0\r\n"
1005  "Host: www.openinfosecfoundation.org\r\n"
1006  "User-Agent: longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend\r\n"
1007  "Content-Type: text/html\r\n"
1008  "\r\n";
1009  uint32_t http_len = sizeof(http_buf) - 1;
1010  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1011 
1012  memset(&th_v, 0, sizeof(th_v));
1013  memset(&f, 0, sizeof(f));
1014  memset(&ssn, 0, sizeof(ssn));
1015 
1016  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1017 
1018  FLOW_INITIALIZE(&f);
1019  f.protoctx = (void *)&ssn;
1020  f.proto = IPPROTO_TCP;
1021  f.flags |= FLOW_IPV4;
1022 
1023  p->flow = &f;
1024  p->flowflags |= FLOW_PKT_TOSERVER;
1025  p->flowflags |= FLOW_PKT_ESTABLISHED;
1026  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1027  f.alproto = ALPROTO_HTTP1;
1028 
1029  StreamTcpInitConfig(true);
1030 
1031  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1032  FAIL_IF_NULL(de_ctx);
1033  de_ctx->flags |= DE_QUIET;
1034 
1035  Signature *s = DetectEngineAppendSig(de_ctx,
1036  "alert http any any -> any any "
1037  "(msg:\"http user agent test\"; "
1038  "content:\"abcdefghijklmnopqrstuvwxyz0123456789\"; http_user_agent; "
1039  "sid:1;)");
1040  FAIL_IF_NULL(s);
1041 
1042  SigGroupBuild(de_ctx);
1043  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1044 
1045  int r = AppLayerParserParse(
1046  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1047  FAIL_IF_NOT(r == 0);
1048  FAIL_IF_NULL(f.alstate);
1049 
1050  /* do detect */
1051  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1052 
1053  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1054 
1055  AppLayerParserThreadCtxFree(alp_tctx);
1056  DetectEngineCtxFree(de_ctx);
1057  StreamTcpFreeConfig(true);
1058  FLOW_DESTROY(&f);
1059  UTHFreePackets(&p, 1);
1060  PASS;
1061 }
1062 
1063 /**
1064  * \test multiple http transactions and body chunks of request handling
1065  */
1066 static int DetectHttpUATest14(void)
1067 {
1068  Signature *s = NULL;
1069  DetectEngineThreadCtx *det_ctx = NULL;
1070  ThreadVars th_v;
1071  Flow f;
1072  TcpSession ssn;
1073  Packet *p = NULL;
1074  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n";
1075  uint8_t httpbuf2[] = "Cookie: dummy1\r\n";
1076  uint8_t httpbuf3[] = "User-Agent: Body one!!\r\n\r\n";
1077  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1078  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1079  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1080  uint8_t httpbuf4[] = "GET /?var=val HTTP/1.1\r\n";
1081  uint8_t httpbuf5[] = "Cookie: dummy2\r\n";
1082  uint8_t httpbuf6[] = "User-Agent: Body two\r\n\r\n";
1083  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1084  uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */
1085  uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */
1086  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1087 
1088  memset(&th_v, 0, sizeof(th_v));
1089  memset(&f, 0, sizeof(f));
1090  memset(&ssn, 0, sizeof(ssn));
1091 
1092  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1093 
1094  FLOW_INITIALIZE(&f);
1095  f.protoctx = (void *)&ssn;
1096  f.proto = IPPROTO_TCP;
1097  f.flags |= FLOW_IPV4;
1098 
1099  p->flow = &f;
1100  p->flowflags |= FLOW_PKT_TOSERVER;
1101  p->flowflags |= FLOW_PKT_ESTABLISHED;
1102  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1103  f.alproto = ALPROTO_HTTP1;
1104 
1105  StreamTcpInitConfig(true);
1106 
1107  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1108  FAIL_IF_NULL(de_ctx);
1109  de_ctx->flags |= DE_QUIET;
1110 
1111  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"POST\"; http_method; content:\"dummy1\"; http_cookie; content:\"Body one\"; http_user_agent; sid:1; rev:1;)");
1112  FAIL_IF_NULL(s);
1113  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"GET\"; http_method; content:\"dummy2\"; http_cookie; content:\"Body two\"; http_user_agent; sid:2; rev:1;)");
1114  FAIL_IF_NULL(s);
1115 
1116  SigGroupBuild(de_ctx);
1117  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1118 
1119  int r = AppLayerParserParse(
1120  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1121  FAIL_IF_NOT(r == 0);
1122 
1123  /* do detect */
1124  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1125  FAIL_IF(PacketAlertCheck(p, 1));
1126 
1127  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1128  FAIL_IF_NOT(r == 0);
1129 
1130  /* do detect */
1131  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1132  FAIL_IF(PacketAlertCheck(p, 1));
1133 
1134  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1135  FAIL_IF_NOT(r == 0);
1136 
1137  /* do detect */
1138  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1139  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1140  p->alerts.cnt = 0;
1141 
1142  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
1143  FAIL_IF_NOT(r == 0);
1144 
1145  /* do detect */
1146  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1147  FAIL_IF(PacketAlertCheck(p, 1));
1148  FAIL_IF(PacketAlertCheck(p, 2));
1149 
1150  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf5, httplen5);
1151  FAIL_IF_NOT(r == 0);
1152 
1153  /* do detect */
1154  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1155  FAIL_IF(PacketAlertCheck(p, 1));
1156  FAIL_IF(PacketAlertCheck(p, 2));
1157 
1158  SCLogDebug("sending data chunk 7");
1159 
1160  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf6, httplen6);
1161  FAIL_IF_NOT(r == 0);
1162 
1163  /* do detect */
1164  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1165  FAIL_IF(PacketAlertCheck(p, 1));
1166  FAIL_IF_NOT(PacketAlertCheck(p, 2));
1167  p->alerts.cnt = 0;
1168 
1169  HtpState *htp_state = f.alstate;
1170  FAIL_IF_NULL(htp_state);
1171  FAIL_IF_NOT(AppLayerParserGetTxCnt(&f, htp_state) == 2);
1172 
1173  AppLayerParserThreadCtxFree(alp_tctx);
1174  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1175  DetectEngineCtxFree(de_ctx);
1176 
1177  StreamTcpFreeConfig(true);
1178  FLOW_DESTROY(&f);
1179  UTHFreePacket(p);
1180  PASS;
1181 }
1182 
1183 static void DetectHttpUARegisterTests(void)
1184 {
1185  UtRegisterTest("DetectEngineHttpUATest01", DetectEngineHttpUATest01);
1186  UtRegisterTest("DetectEngineHttpUATest02", DetectEngineHttpUATest02);
1187  UtRegisterTest("DetectEngineHttpUATest03", DetectEngineHttpUATest03);
1188  UtRegisterTest("DetectEngineHttpUATest04", DetectEngineHttpUATest04);
1189  UtRegisterTest("DetectEngineHttpUATest05", DetectEngineHttpUATest05);
1190  UtRegisterTest("DetectEngineHttpUATest06", DetectEngineHttpUATest06);
1191  UtRegisterTest("DetectEngineHttpUATest07", DetectEngineHttpUATest07);
1192  UtRegisterTest("DetectEngineHttpUATest08", DetectEngineHttpUATest08);
1193  UtRegisterTest("DetectEngineHttpUATest09", DetectEngineHttpUATest09);
1194  UtRegisterTest("DetectEngineHttpUATest10", DetectEngineHttpUATest10);
1195  UtRegisterTest("DetectEngineHttpUATest11", DetectEngineHttpUATest11);
1196  UtRegisterTest("DetectEngineHttpUATest12", DetectEngineHttpUATest12);
1197  UtRegisterTest("DetectEngineHttpUATest13", DetectEngineHttpUATest13);
1198  UtRegisterTest("DetectEngineHttpUATest14", DetectEngineHttpUATest14);
1199  UtRegisterTest("DetectEngineHttpUATest15", DetectEngineHttpUATest15);
1200  UtRegisterTest("DetectEngineHttpUATest16", DetectEngineHttpUATest16);
1201  UtRegisterTest("DetectEngineHttpUATest17", DetectEngineHttpUATest17);
1202 
1203  UtRegisterTest("DetectHttpUATest01", DetectHttpUATest01);
1204  UtRegisterTest("DetectHttpUATest02", DetectHttpUATest02);
1205  UtRegisterTest("DetectHttpUATest03", DetectHttpUATest03);
1206  UtRegisterTest("DetectHttpUATest04", DetectHttpUATest04);
1207  UtRegisterTest("DetectHttpUATest05", DetectHttpUATest05);
1208  UtRegisterTest("DetectHttpUATest06", DetectHttpUATest06);
1209  UtRegisterTest("DetectHttpUATest07", DetectHttpUATest07);
1210  UtRegisterTest("DetectHttpUATest08", DetectHttpUATest08);
1211  UtRegisterTest("DetectHttpUATest09", DetectHttpUATest09);
1212  UtRegisterTest("DetectHttpUATest10", DetectHttpUATest10);
1213  UtRegisterTest("DetectHttpUATest11", DetectHttpUATest11);
1214  UtRegisterTest("DetectHttpUATest12", DetectHttpUATest12);
1215  UtRegisterTest("DetectHttpUATest13", DetectHttpUATest13);
1216  UtRegisterTest("DetectHttpUATest14", DetectHttpUATest14);
1217 }
1218 
1219 /**
1220  * @}
1221  */
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1022
flow-util.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Flow_::proto
uint8_t proto
Definition: flow.h:373
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:290
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:474
Flow_
Flow data structure.
Definition: flow.h:351
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:836
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2533
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:312
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:223
DE_QUIET
#define DE_QUIET
Definition: detect.h:321
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:340
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1884
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2620
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:468
Flow_::protoctx
void * protoctx
Definition: flow.h:441
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:97
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:601
util-unittest.h
HtpState_
Definition: app-layer-htp.h:244
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:463
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
app-layer-htp.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1092
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
app-layer-parser.h
Packet_
Definition: decode.h:437
detect-engine-build.h
detect-engine-alert.h
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2149
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:291
Packet_::flow
struct Flow_ * flow
Definition: decode.h:476
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3244
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:794
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1292
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3454
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:448
Flow_::alstate
void * alstate
Definition: flow.h:476
Flow_::flags
uint32_t flags
Definition: flow.h:421
Signature_
Signature container.
Definition: detect.h:593
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:225
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2494
app-layer-protos.h
suricata.h
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:838
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:65
TcpSession_
Definition: stream-tcp-private.h:283
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
AppLayerParserGetTxCnt
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
Definition: app-layer-parser.c:1107
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1019
app-layer.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:431