suricata
detect-uricontent.c
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
23  *
24  * Simple uricontent match part of the detection engine.
25  */
26 
27 #include "suricata-common.h"
28 #include "decode.h"
29 #include "detect.h"
30 #include "detect-content.h"
31 #include "detect-http-uri.h"
32 #include "detect-uricontent.h"
33 #include "detect-engine-mpm.h"
34 #include "detect-parse.h"
35 #include "detect-engine.h"
36 #include "detect-engine-state.h"
37 #include "flow.h"
38 #include "detect-flow.h"
39 #include "flow-var.h"
40 #include "flow-util.h"
41 #include "threads.h"
42 
43 #include "stream-tcp.h"
44 #include "stream.h"
45 #include "app-layer.h"
46 #include "app-layer-parser.h"
47 #include "app-layer-protos.h"
48 #include "app-layer-htp.h"
49 
50 #include "util-mpm.h"
51 #include "util-print.h"
52 #include "util-debug.h"
53 #include "util-unittest.h"
54 #include "util-unittest-helper.h"
55 #include "util-spm.h"
56 #include "conf.h"
57 
58 /* prototypes */
59 static int DetectUricontentSetup (DetectEngineCtx *, Signature *, const char *);
60 static void DetectUricontentRegisterTests(void);
61 static void DetectUricontentFree(void *);
62 
 /* Buffer id returned by DetectBufferTypeRegister("http_uri") in the
  * registration function below; it stays 0 until that call has run. The unit
  * tests in this file use it as the index into Signature::sm_lists to find the
  * matches that uricontent added. */
63 static int g_http_uri_buffer_id = 0;
64 
65 /**
66  * \brief Registration function for uricontent: keyword
 *
 * Fills the DETECT_URICONTENT slot of sigmatch_table with the keyword name,
 * description, documentation URL and the Setup / Free / RegisterTests
 * callbacks, then registers the "http_uri" buffer type and stores the
 * returned id in g_http_uri_buffer_id.
 *
 * NOTE(review): source lines 68, 73, 77 and 78 are absent from this listing,
 * so the function signature and any further table fields set there are not
 * visible here.
67  */
69 {
70  sigmatch_table[DETECT_URICONTENT].name = "uricontent";
71  sigmatch_table[DETECT_URICONTENT].desc = "legacy keyword to match on the request URI buffer";
72  sigmatch_table[DETECT_URICONTENT].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#uricontent";
74  sigmatch_table[DETECT_URICONTENT].Setup = DetectUricontentSetup;
75  sigmatch_table[DETECT_URICONTENT].Free = DetectUricontentFree;
76  sigmatch_table[DETECT_URICONTENT].RegisterTests = DetectUricontentRegisterTests;
79 
 /* uricontent shares the "http_uri" buffer; keep the id for later lookups */
80  g_http_uri_buffer_id = DetectBufferTypeRegister("http_uri");
81 }
82 
83 /**
84  * \brief this function will Free memory associated with DetectContentData
85  *
86  * \param ptr pointer to the data to free; a NULL value is accepted and ignored
 *
 * NOTE(review): source lines 91 and 96 are absent from this listing, so the
 * declaration of cd (presumably ptr converted to DetectContentData *) and the
 * statement that precedes SCFree(cd) are not visible here -- confirm against
 * the file before relying on this description.
87  */
88 void DetectUricontentFree(void *ptr)
89 {
90  SCEnter();
92 
 /* nothing to release */
93  if (cd == NULL)
94  SCReturn;
95 
97  SCFree(cd);
98 
99  SCReturn;
100 }
101 
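/**
 * \brief Setup function for the legacy "uricontent" keyword.
 *
 * Reads the optional "legacy.uricontent" configuration value. When it is
 * present it must be "enabled" or "disabled" (compared case-insensitively):
 * "disabled" rejects the rule, any other value is reported as a configuration
 * error. Otherwise the keyword value is handed to DetectContentSetup() and
 * DetectHttpUriSetup() is then applied to the signature, which is the same
 * pair of steps the error message recommends to rule writers as
 * 'content:<pattern>; http_uri;'.
 *
 * \param de_ctx     Pointer to the detection engine context
 * \param s          Pointer to the Signature currently being parsed from the
 *                   rules
 * \param contentstr Pointer to the string holding the keyword value
 *
 * \retval 0 on success
 * \retval -1 when the keyword is disabled, the configuration value is invalid,
 *            or one of the two setup calls fails
 */
int DetectUricontentSetup(DetectEngineCtx *de_ctx, Signature *s, const char *contentstr)
{
    SCEnter();

    const char *legacy = NULL;
    if (ConfGet("legacy.uricontent", &legacy) == 1) {
        if (strcasecmp("disabled", legacy) == 0) {
            /* tell the rule writer how to keep the rule working */
            SCLogError(SC_ERR_INVALID_SIGNATURE, "uricontent deprecated. To "
                       "use a rule with \"uricontent\", either set the "
                       "option - \"legacy.uricontent\" in the conf to "
                       "\"enabled\" OR replace uricontent with "
                       "\'content:%s; http_uri;\'.", contentstr);
            goto error;
        }
        if (strcasecmp("enabled", legacy) != 0) {
            /* name the option exactly as it is read above, so the operator
             * can find it in the configuration */
            SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Invalid value found "
                       "for legacy.uricontent - \"%s\". Valid values are "
                       "\"enabled\" OR \"disabled\".", legacy);
            goto error;
        }
    }

    /* uricontent is a content match ... */
    if (DetectContentSetup(de_ctx, s, contentstr) < 0)
        goto error;

    /* ... followed by the http_uri setup for the same signature */
    if (DetectHttpUriSetup(de_ctx, s, NULL) < 0)
        goto error;

    SCReturnInt(0);
error:
    SCReturnInt(-1);
}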
146 
147 /*
148  * UNITTESTS
149  */
150 
151 #ifdef UNITTESTS
152 
153 #include "detect-isdataat.h"
154 #include "stream-tcp-reassemble.h"
155 
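/**
 * \brief Helper function to print a DetectContentData
 *
 * The pattern is copied into a temporary NUL-terminated buffer in which every
 * byte that is not printable is replaced by '.', so the log line never carries
 * raw pattern bytes. The remaining fields are logged one per line. If the
 * temporary buffer cannot be allocated nothing is printed.
 *
 * \param cd content data to print; NULL is reported in the debug log and
 *           otherwise ignored
 */
static void DetectUricontentPrint(DetectContentData *cd)
{
    int i = 0;

    if (cd == NULL) {
        SCLogDebug("Detect UricontentData \"cd\" is NULL");
        return;
    }

    /* content_len bytes plus one for the terminating NUL */
    char *tmpstr = SCMalloc(sizeof(char) * cd->content_len + 1);
    if (unlikely(tmpstr == NULL))
        return;

    /* tmpstr is known to be valid from here on, so the former
     * "tmpstr == NULL" fallback that printed byte by byte was unreachable
     * and has been removed */
    for (i = 0; i < cd->content_len; i++) {
        if (isprint(cd->content[i]))
            tmpstr[i] = cd->content[i];
        else
            tmpstr[i] = '.';
    }
    tmpstr[i] = '\0';
    SCLogDebug("Uricontent: \"%s\"", tmpstr);
    SCFree(tmpstr);

    SCLogDebug("Uricontent_id: %"PRIu32, cd->id);
    SCLogDebug("Uricontent_len: %"PRIu16, cd->content_len);
    SCLogDebug("Depth: %"PRIu16, cd->depth);
    SCLogDebug("Offset: %"PRIu16, cd->offset);
    SCLogDebug("Within: %"PRIi32, cd->within);
    SCLogDebug("Distance: %"PRIi32, cd->distance);
    SCLogDebug("flags: %u ", cd->flags);
    SCLogDebug("negated: %s ",
               cd->flags & DETECT_CONTENT_NEGATED ? "true" : "false");
    SCLogDebug("relative match next: %s ",
               cd->flags & DETECT_CONTENT_RELATIVE_NEXT ? "true" : "false");
    SCLogDebug("-----------");
}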
199 
200 /** \test Test case where path traversal has been sent as a path string in the
201  * HTTP URL and normalized path string is checked
 *
 * The request line carries "/../../images.gif" and the Host header is sent in
 * mixed case. The test passes only if the parsed transaction reports method
 * GET, protocol HTTP/1.1, hostname "www.example.com" and path "/images.gif",
 * i.e. the leading "../" segments are gone from the parsed path.
 *
 * NOTE(review): source lines 211, 221, 225 and 263 are absent from this
 * listing, so the declaration and allocation of alp_tctx and one argument of
 * AppLayerParserParse() are not visible here.
 *
 * \retval 1 on success, 0 on failure */
202 static int HTTPUriTest01(void)
203 {
204  int result = 0;
205  Flow f;
206  uint8_t httpbuf1[] = "GET /../../images.gif HTTP/1.1\r\nHost: www.ExA"
207  "mPlE.cOM\r\n\r\n";
208  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
209  TcpSession ssn;
210  int r = 0;
212  memset(&f, 0, sizeof(f));
213  memset(&ssn, 0, sizeof(ssn));
214 
 /* minimal IPv4/TCP flow marked as HTTP, backed by a zeroed TcpSession */
215  FLOW_INITIALIZE(&f);
216  f.protoctx = (void *)&ssn;
217  f.proto = IPPROTO_TCP;
218  f.alproto = ALPROTO_HTTP;
219  f.flags |= FLOW_IPV4;
220 
222 
 /* the flow stays write-locked until the end: label */
223  FLOWLOCK_WRLOCK(&f);
224  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
226  httpbuf1,
227  httplen1);
228  if (r != 0) {
229  printf("AppLayerParse failed: r(%d) != 0: ", r);
230  goto end;
231  }
232 
233  HtpState *htp_state = f.alstate;
234  if (htp_state == NULL) {
235  printf("no http state: ");
236  goto end;
237  }
238 
 /* NOTE(review): tx and tx->parsed_uri are dereferenced below without a
  * NULL check; if the parser ever produced no transaction the test would
  * crash instead of reporting a failure. */
239  htp_tx_t *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP, htp_state, 0);
240 
241  if (tx->request_method_number != HTP_M_GET ||
242  tx->request_protocol_number != HTP_PROTOCOL_1_1)
243  {
244  goto end;
245  }
246 
 /* the hostname is expected in lower case */
247  if ((tx->request_hostname == NULL) ||
248  (bstr_cmp_c(tx->request_hostname, "www.example.com") != 0))
249  {
250  goto end;
251  }
252 
 /* the traversal segments must not survive in the parsed path */
253  if ((tx->parsed_uri->path == NULL) ||
254  (bstr_cmp_c(tx->parsed_uri->path, "/images.gif") != 0))
255  {
256  goto end;
257  }
258 
259  result = 1;
260 end:
261  if (alp_tctx != NULL)
262  AppLayerParserThreadCtxFree(alp_tctx);
264  FLOWLOCK_UNLOCK(&f);
265  FLOW_DESTROY(&f);
266  return result;
267 }
268 
269 /** \test Test case where path traversal has been sent in special characters in
270  * HEX encoding in the HTTP URL and normalized path string is checked
 *
 * The request line carries "/%2e%2e/images.gif", i.e. the dot segment is
 * percent-encoded. The test passes only if the parsed transaction reports
 * method GET, protocol HTTP/1.1, hostname "www.example.com" and path
 * "/images.gif", so the encoded segment must be decoded and removed.
 *
 * NOTE(review): source lines 281, 292, 296 and 334 are absent from this
 * listing, so the declaration and allocation of alp_tctx and one argument of
 * AppLayerParserParse() are not visible here.
 *
 * \retval 1 on success, 0 on failure */
271 static int HTTPUriTest02(void)
272 {
273  int result = 0;
274  Flow f;
275  HtpState *htp_state = NULL;
276  uint8_t httpbuf1[] = "GET /%2e%2e/images.gif HTTP/1.1\r\nHost: www.ExA"
277  "mPlE.cOM\r\n\r\n";
278  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
279  TcpSession ssn;
280  int r = 0;
282 
283  memset(&f, 0, sizeof(f));
284  memset(&ssn, 0, sizeof(ssn));
285 
 /* minimal IPv4/TCP flow marked as HTTP, backed by a zeroed TcpSession */
286  FLOW_INITIALIZE(&f);
287  f.protoctx = (void *)&ssn;
288  f.proto = IPPROTO_TCP;
289  f.alproto = ALPROTO_HTTP;
290  f.flags |= FLOW_IPV4;
291 
293 
 /* the flow stays write-locked until the end: label */
294  FLOWLOCK_WRLOCK(&f);
295  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
297  httpbuf1,
298  httplen1);
299  if (r != 0) {
300  printf("AppLayerParse failed: r(%d) != 0: ", r);
301  goto end;
302  }
303 
304  htp_state = f.alstate;
305  if (htp_state == NULL) {
306  printf("no http state: ");
307  goto end;
308  }
309 
 /* NOTE(review): tx and tx->parsed_uri are dereferenced below without a
  * NULL check. */
310  htp_tx_t *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP, htp_state, 0);
311 
312  if (tx->request_method_number != HTP_M_GET ||
313  tx->request_protocol_number != HTP_PROTOCOL_1_1)
314  {
315  goto end;
316  }
317 
 /* the hostname is expected in lower case */
318  if ((tx->request_hostname == NULL) ||
319  (bstr_cmp_c(tx->request_hostname, "www.example.com") != 0))
320  {
321  goto end;
322  }
323 
 /* "%2e%2e" must be decoded and the resulting ".." segment removed */
324  if ((tx->parsed_uri->path == NULL) ||
325  (bstr_cmp_c(tx->parsed_uri->path, "/images.gif") != 0))
326  {
327  goto end;
328  }
329 
330  result = 1;
331 end:
332  if (alp_tctx != NULL)
333  AppLayerParserThreadCtxFree(alp_tctx);
335  FLOWLOCK_UNLOCK(&f);
336  FLOW_DESTROY(&f);
337  return result;
338 }
339 
340 /** \test Test case where NULL character has been sent in HEX encoding in the
341  * HTTP URL and normalized path string is checked
 *
 * In the buffer used here the "%00" is attached to the method token
 * ("GET%00 /images.gif"), not to the path. The test passes only if the
 * parsed transaction reports an unknown method (HTP_M_UNKNOWN), protocol
 * HTTP/1.1, hostname "www.example.com" and path "/images.gif".
 *
 * NOTE(review): source lines 352, 363, 367 and 405 are absent from this
 * listing, so the declaration and allocation of alp_tctx and one argument of
 * AppLayerParserParse() are not visible here.
 *
 * \retval 1 on success, 0 on failure */
342 static int HTTPUriTest03(void)
343 {
344  int result = 0;
345  Flow f;
346  HtpState *htp_state = NULL;
347  uint8_t httpbuf1[] = "GET%00 /images.gif HTTP/1.1\r\nHost: www.ExA"
348  "mPlE.cOM\r\n\r\n";
349  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
350  TcpSession ssn;
351  int r = 0;
353 
354  memset(&f, 0, sizeof(f));
355  memset(&ssn, 0, sizeof(ssn));
356 
 /* minimal IPv4/TCP flow marked as HTTP, backed by a zeroed TcpSession */
357  FLOW_INITIALIZE(&f);
358  f.protoctx = (void *)&ssn;
359  f.proto = IPPROTO_TCP;
360  f.alproto = ALPROTO_HTTP;
361  f.flags |= FLOW_IPV4;
362 
364 
 /* the flow stays write-locked until the end: label */
365  FLOWLOCK_WRLOCK(&f);
366  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
368  httpbuf1,
369  httplen1);
370  if (r != 0) {
371  printf("AppLayerParse failed: r(%d) != 0: ", r);
372  goto end;
373  }
374 
375  htp_state = f.alstate;
376  if (htp_state == NULL) {
377  printf("no http state: ");
378  goto end;
379  }
380 
 /* NOTE(review): tx and tx->parsed_uri are dereferenced below without a
  * NULL check. */
381  htp_tx_t *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP, htp_state, 0);
382 
 /* "GET%00" is not a known method, so HTP_M_UNKNOWN is the expected value */
383  if (tx->request_method_number != HTP_M_UNKNOWN ||
384  tx->request_protocol_number != HTP_PROTOCOL_1_1)
385  {
386  goto end;
387  }
388 
 /* the hostname is expected in lower case */
389  if ((tx->request_hostname == NULL) ||
390  (bstr_cmp_c(tx->request_hostname, "www.example.com") != 0))
391  {
392  goto end;
393  }
394 
 /* the path must still be parsed despite the malformed method token */
395  if ((tx->parsed_uri->path == NULL) ||
396  (bstr_cmp_c(tx->parsed_uri->path, "/images.gif") != 0))
397  {
398  goto end;
399  }
400 
401  result = 1;
402 end:
403  if (alp_tctx != NULL)
404  AppLayerParserThreadCtxFree(alp_tctx);
406  FLOWLOCK_UNLOCK(&f);
407  FLOW_DESTROY(&f);
408  return result;
409 }
410 
411 
412 /** \test Test case where self referencing directories request has been sent
413  * in the HTTP URL and normalized path string is checked
 *
 * The request line carries "/./././images.gif". The test passes only if the
 * parsed transaction reports method GET, protocol HTTP/1.1, hostname
 * "www.example.com" and path "/images.gif", i.e. every "./" segment has been
 * removed from the parsed path.
 *
 * NOTE(review): source lines 424, 435, 439 and 477 are absent from this
 * listing, so the declaration and allocation of alp_tctx and one argument of
 * AppLayerParserParse() are not visible here.
 *
 * \retval 1 on success, 0 on failure */
414 static int HTTPUriTest04(void)
415 {
416  int result = 0;
417  Flow f;
418  HtpState *htp_state = NULL;
419  uint8_t httpbuf1[] = "GET /./././images.gif HTTP/1.1\r\nHost: www.ExA"
420  "mPlE.cOM\r\n\r\n";
421  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
422  TcpSession ssn;
423  int r = 0;
425 
426  memset(&f, 0, sizeof(f));
427  memset(&ssn, 0, sizeof(ssn));
428 
 /* minimal IPv4/TCP flow marked as HTTP, backed by a zeroed TcpSession */
429  FLOW_INITIALIZE(&f);
430  f.protoctx = (void *)&ssn;
431  f.proto = IPPROTO_TCP;
432  f.alproto = ALPROTO_HTTP;
433  f.flags |= FLOW_IPV4;
434 
436 
 /* the flow stays write-locked until the end: label */
437  FLOWLOCK_WRLOCK(&f);
438  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
440  httpbuf1,
441  httplen1);
442  if (r != 0) {
443  printf("AppLayerParse failed: r(%d) != 0: ", r);
444  goto end;
445  }
446 
447  htp_state = f.alstate;
448  if (htp_state == NULL) {
449  printf("no http state: ");
450  goto end;
451  }
452 
 /* NOTE(review): tx and tx->parsed_uri are dereferenced below without a
  * NULL check. */
453  htp_tx_t *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP, htp_state, 0);
454 
455  if (tx->request_method_number != HTP_M_GET ||
456  tx->request_protocol_number != HTP_PROTOCOL_1_1)
457  {
458  goto end;
459  }
460 
 /* the hostname is expected in lower case */
461  if ((tx->request_hostname == NULL) ||
462  (bstr_cmp_c(tx->request_hostname, "www.example.com") != 0))
463  {
464  goto end;
465  }
466 
 /* the self-referencing segments must not survive in the parsed path */
467  if ((tx->parsed_uri->path == NULL) ||
468  (bstr_cmp_c(tx->parsed_uri->path, "/images.gif") != 0))
469  {
470  goto end;
471  }
472 
473  result = 1;
474 end:
475  if (alp_tctx != NULL)
476  AppLayerParserThreadCtxFree(alp_tctx);
478  FLOWLOCK_UNLOCK(&f);
479  FLOW_DESTROY(&f);
480  return result;
481 }
482 
483 /**
484  * \test Checks if a uricontent is registered in a Signature
 *
 * Parses one rule that has both content:"me" and uricontent:"me" and checks
 * that the signature's list for the http_uri buffer is populated and that its
 * first entry has type DETECT_CONTENT, i.e. uricontent is stored as a content
 * match in the http_uri list.
 *
 * NOTE(review): source line 493 is absent from this listing, so the
 * declaration and creation of de_ctx are not visible here.
485  */
486 static int DetectUriSigTest01(void)
487 {
488  ThreadVars th_v;
489  Signature *s = NULL;
490 
491  memset(&th_v, 0, sizeof(th_v));
492 
494  FAIL_IF_NULL(de_ctx);
495  de_ctx->flags |= DE_QUIET;
496 
497  s = DetectEngineAppendSig(de_ctx,"alert http any any -> any any (msg:"
498  "\" Test uricontent\"; content:\"me\"; uricontent:\"me\"; sid:1;)");
499  FAIL_IF_NULL(s);
500 
 /* NOTE(review): an empty http_uri list is handled with BUG_ON() here while
  * every other check in this test uses the FAIL_IF* macros. */
501  BUG_ON(s->sm_lists[g_http_uri_buffer_id] == NULL);
502  FAIL_IF_NOT(de_ctx->sig_list->sm_lists[g_http_uri_buffer_id]->type == DETECT_CONTENT);
503 
504  DetectEngineCtxFree(de_ctx);
505  PASS;
506 }
507 
508 /** \test Check that a signature alerts only when its uricontent pattern is
 * present in the request URI.
 *
 * The request is "POST /one HTTP/1.0" with a Cookie header. Three rules are
 * loaded: sid 1 uricontent:"foo", sid 2 uricontent:"one", sid 3
 * uricontent:"oisf". Only sid 2 is expected to alert.
 *
 * NOTE(review): source lines 522, 536-538, 541, 543 and 614 are absent from
 * this listing, so the declarations and creation of alp_tctx and de_ctx and
 * some packet/flow setup are not visible here.
 *
 * \retval 1 on success, 0 on failure */
509 static int DetectUriSigTest02(void)
510 {
511  int result = 0;
512  Flow f;
513  uint8_t httpbuf1[] = "POST /one HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie:"
514  " hellocatch\r\n\r\n";
515  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
516  TcpSession ssn;
517  Packet *p = NULL;
518  Signature *s = NULL;
519  ThreadVars th_v;
520  DetectEngineThreadCtx *det_ctx = NULL;
521  HtpState *http_state = NULL;
523 
524  memset(&th_v, 0, sizeof(th_v));
525  memset(&f, 0, sizeof(f));
526  memset(&ssn, 0, sizeof(ssn));
527 
 /* NOTE(review): p is dereferenced below without checking the result of
  * UTHBuildPacket(). */
528  p = UTHBuildPacket(httpbuf1, httplen1, IPPROTO_TCP);
529 
530  FLOW_INITIALIZE(&f);
531  f.protoctx = (void *)&ssn;
532  f.proto = IPPROTO_TCP;
533  f.flags |= FLOW_IPV4;
534 
535  p->flow = &f;
539  f.alproto = ALPROTO_HTTP;
540 
542 
544  if (de_ctx == NULL) {
545  goto end;
546  }
547  de_ctx->flags |= DE_QUIET;
548 
 /* the three rules are chained by hand through Signature::next */
549  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
550  "\" Test uricontent\"; "
551  "uricontent:\"foo\"; sid:1;)");
552  if (s == NULL) {
553  goto end;
554  }
555 
556  s = s->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
557  "\" Test uricontent\"; "
558  "uricontent:\"one\"; sid:2;)");
559  if (s == NULL) {
560  goto end;
561  }
562 
563  s = s->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
564  "\" Test uricontent\"; "
565  "uricontent:\"oisf\"; sid:3;)");
566  if (s == NULL) {
567  goto end;
568  }
569 
570 
571  SigGroupBuild(de_ctx);
572  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
573 
 /* feed the request to the HTTP parser; the flow lock is released on both
  * the error and the success path before continuing */
574  FLOWLOCK_WRLOCK(&f);
575  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
576  STREAM_TOSERVER, httpbuf1, httplen1);
577  if (r != 0) {
578  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
579  FLOWLOCK_UNLOCK(&f);
580  goto end;
581  }
582  FLOWLOCK_UNLOCK(&f);
583 
584  http_state = f.alstate;
585  if (http_state == NULL) {
586  printf("no http state: ");
587  goto end;
588  }
589 
590  /* do detect */
591  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
592 
 /* URI is "/one": only sid 2 may alert */
593  if ((PacketAlertCheck(p, 1))) {
594  printf("sig: 1 alerted, but it should not\n");
595  goto end;
596  } else if (!PacketAlertCheck(p, 2)) {
597  printf("sig: 2 did not alerted, but it should\n");
598  goto end;
599  } else if ((PacketAlertCheck(p, 3))) {
600  printf("sig: 3 alerted, but it should not\n");
601  goto end;
602  }
603 
604  result = 1;
605 end:
606  if (alp_tctx != NULL)
607  AppLayerParserThreadCtxFree(alp_tctx);
608  //if (http_state != NULL) HTPStateFree(http_state);
609  if (de_ctx != NULL) SigCleanSignatures(de_ctx);
610  if (de_ctx != NULL) SigGroupCleanup(de_ctx);
611  if (det_ctx != NULL) DetectEngineThreadCtxDeinit(&th_v, det_ctx);
612  if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
613 
615  FLOW_DESTROY(&f);
616  UTHFreePackets(&p, 1);
617  return result;
618 }
619 
620 /** \test Check the working of search once per packet only in applayer
621  * match
 *
 * Two requests are parsed on the same flow: "POST /one" and then
 * "POST /oneself". Three rules are loaded: sid 1 uricontent:"foo", sid 2
 * uricontent:"one", sid 3 uricontent:"self". After the first request only
 * sid 2 must alert; after the second request sid 2 and sid 3 must alert and
 * sid 1 must not. The same Packet p, built from the first buffer, is passed
 * to both SigMatchSignatures() calls.
 *
 * NOTE(review): source lines 638, 652-654, 657, 659 and 755 are absent from
 * this listing, so the declarations and creation of alp_tctx and de_ctx and
 * some packet/flow setup are not visible here.
 *
 * \retval 1 on success, 0 on failure */
622 static int DetectUriSigTest03(void)
623 {
624  int result = 0;
625  Flow f;
626  HtpState *http_state = NULL;
627  uint8_t httpbuf1[] = "POST /one HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie:"
628  " hellocatch\r\n\r\n";
629  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
630  uint8_t httpbuf2[] = "POST /oneself HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie:"
631  " hellocatch\r\n\r\n";
632  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
633  TcpSession ssn;
634  Packet *p = NULL;
635  Signature *s = NULL;
636  ThreadVars th_v;
637  DetectEngineThreadCtx *det_ctx = NULL;
639 
640  memset(&th_v, 0, sizeof(th_v));
641  memset(&f, 0, sizeof(f));
642  memset(&ssn, 0, sizeof(ssn));
643 
 /* NOTE(review): p is dereferenced below without checking the result of
  * UTHBuildPacket(). */
644  p = UTHBuildPacket(httpbuf1, httplen1, IPPROTO_TCP);
645 
646  FLOW_INITIALIZE(&f);
647  f.protoctx = (void *)&ssn;
648  f.proto = IPPROTO_TCP;
649  f.flags |= FLOW_IPV4;
650 
651  p->flow = &f;
655  f.alproto = ALPROTO_HTTP;
656 
658 
660  if (de_ctx == NULL) {
661  goto end;
662  }
663  de_ctx->flags |= DE_QUIET;
664 
 /* the three rules are chained by hand through Signature::next */
665  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
666  "\" Test uricontent\"; "
667  "uricontent:\"foo\"; sid:1;)");
668  if (s == NULL) {
669  goto end;
670  }
671 
672  s = s->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
673  "\" Test uricontent\"; "
674  "uricontent:\"one\"; sid:2;)");
675  if (s == NULL) {
676  goto end;
677  }
678 
679  s = s->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
680  "\" Test uricontent\"; "
681  "uricontent:\"self\"; sid:3;)");
682  if (s == NULL) {
683  goto end;
684  }
685 
686 
687  SigGroupBuild(de_ctx);
688  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
689 
 /* first request: URI "/one" */
690  FLOWLOCK_WRLOCK(&f);
691  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
692  STREAM_TOSERVER, httpbuf1, httplen1);
693  if (r != 0) {
694  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
695  FLOWLOCK_UNLOCK(&f);
696  goto end;
697  }
698  FLOWLOCK_UNLOCK(&f);
699 
700  /* do detect */
701  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
702 
 /* only sid 2 ("one") may alert at this point */
703  if ((PacketAlertCheck(p, 1))) {
704  printf("sig 1 alerted, but it should not: ");
705  goto end;
706  } else if (!PacketAlertCheck(p, 2)) {
707  printf("sig 2 did not alert, but it should: ");
708  goto end;
709  } else if ((PacketAlertCheck(p, 3))) {
710  printf("sig 3 alerted, but it should not: ");
711  goto end;
712  }
713 
714 
 /* second request: URI "/oneself".
  * NOTE(review): the failure message below still says "chunk 1". */
715  FLOWLOCK_WRLOCK(&f);
716  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
717  STREAM_TOSERVER, httpbuf2, httplen2);
718  if (r != 0) {
719  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
720  FLOWLOCK_UNLOCK(&f);
721  goto end;
722  }
723  FLOWLOCK_UNLOCK(&f);
724 
725  http_state = f.alstate;
726  if (http_state == NULL) {
727  printf("no http state: ");
728  goto end;
729  }
730 
731  /* do detect */
732  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
733 
 /* sid 2 and sid 3 must have alerted, sid 1 must not.
  * NOTE(review): the sid 2 branch fires when sid 2 did NOT alert, but its
  * message says "alerted, but it should not"; the text contradicts the
  * condition. */
734  if ((PacketAlertCheck(p, 1))) {
735  printf("sig 1 alerted, but it should not (chunk 2): ");
736  goto end;
737  } else if (!PacketAlertCheck(p, 2)) {
738  printf("sig 2 alerted, but it should not (chunk 2): ");
739  goto end;
740  } else if (!(PacketAlertCheck(p, 3))) {
741  printf("sig 3 did not alert, but it should (chunk 2): ");
742  goto end;
743  }
744 
745  result = 1;
746 
747 end:
748  if (alp_tctx != NULL)
749  AppLayerParserThreadCtxFree(alp_tctx);
750  if (de_ctx != NULL) SigGroupCleanup(de_ctx);
751  if (de_ctx != NULL) SigCleanSignatures(de_ctx);
752  if (det_ctx != NULL) DetectEngineThreadCtxDeinit(&th_v, det_ctx);
753  if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
754 
756  FLOW_DESTROY(&f);
757  UTHFreePackets(&p, 1);
758  return result;
759 }
760 
761 /**
762  * \test Check that modifiers of content apply only to content keywords
763  * and the same for uricontent modifiers
 *
 * Parse-only test: each rule is passed to SigInit() and the resulting
 * signature is inspected. The checks look at the http_uri list
 * (sm_lists[g_http_uri_buffer_id]), the payload list
 * (sm_lists[DETECT_SM_LIST_PMATCH]) and DETECT_SM_LIST_MATCH, which must stay
 * empty. With depth:10 and offset:5 the stored depth is expected to be 15.
 *
 * NOTE(review): source lines 770, 862, 901, 950 and 952 are absent from this
 * listing, so the declaration and creation of de_ctx and one statement in
 * three of the failure branches are not visible here.
 *
 * NOTE(review): every SigInit() result overwrites s; no release of the
 * previous signature is visible and the signatures are not linked into
 * de_ctx->sig_list, so they look leaked -- confirm against the file.
 *
 * \retval 1 on success, 0 on failure
764  */
765 static int DetectUriSigTest04(void)
766 {
767  int result = 0;
768  Signature *s = NULL;
769 
771  if (de_ctx == NULL) {
772  goto end;
773  }
774 
 /* sig 1: uricontent only -> http_uri list set, payload list empty */
775  s = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
776  "\" Test uricontent\"; "
777  "uricontent:\"foo\"; sid:1;)");
778  if (s == NULL ||
779  s->sm_lists[g_http_uri_buffer_id] == NULL ||
780  s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL ||
781  s->sm_lists[DETECT_SM_LIST_MATCH] != NULL)
782  {
783  printf("sig 1 failed to parse: ");
784  goto end;
785  }
786 
 /* sig 2: uricontent plus content -> both lists set */
787  s = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
788  "\" Test uricontent and content\"; "
789  "uricontent:\"foo\"; content:\"bar\";sid:1;)");
790  if (s == NULL ||
791  s->sm_lists[g_http_uri_buffer_id] == NULL ||
792  s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL ||
793  s->sm_lists[DETECT_SM_LIST_MATCH] != NULL)
794  {
795  printf("sig 2 failed to parse: ");
796  goto end;
797  }
798 
 /* sig 3: depth/offset follow content:"bar", so they are checked on the
  * payload list entry */
799  s = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
800  "\" Test uricontent and content\"; "
801  "uricontent:\"foo\"; content:\"bar\";"
802  " depth:10; offset: 5; sid:1;)");
803  if (s == NULL ||
804  s->sm_lists[g_http_uri_buffer_id] == NULL ||
805  s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL ||
806  ((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth != 15 ||
807  ((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset != 5 ||
808  s->sm_lists[DETECT_SM_LIST_MATCH] != NULL)
809  {
810  printf("sig 3 failed to parse: ");
811  goto end;
812  }
813 
 /* sig 4: depth/offset follow uricontent:"bar", so they are checked on the
  * http_uri list entry */
814  s = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
815  "\" Test uricontent and content\"; "
816  "content:\"foo\"; uricontent:\"bar\";"
817  " depth:10; offset: 5; sid:1;)");
818  if (s == NULL ||
819  s->sm_lists[g_http_uri_buffer_id] == NULL ||
820  s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL ||
821  ((DetectContentData *)s->sm_lists[g_http_uri_buffer_id]->ctx)->depth != 15 ||
822  ((DetectContentData *)s->sm_lists[g_http_uri_buffer_id]->ctx)->offset != 5 ||
823  s->sm_lists[DETECT_SM_LIST_MATCH] != NULL)
824  {
825  printf("sig 4 failed to parse: ");
826  goto end;
827  }
828 
 /* sig 5 and sig 6 are expected to be REJECTED: the test fails when
  * SigInit() returns a signature, so "failed to parse" in the two messages
  * is misleading on this path. */
829  s = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
830  "\" Test uricontent and content\"; "
831  "uricontent:\"foo\"; content:\"bar\";"
832  " depth:10; offset: 5; within:3; sid:1;)");
833  if (s != NULL) {
834  printf("sig 5 failed to parse: ");
835  goto end;
836  }
837 
838  s = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
839  "\" Test uricontent and content\"; "
840  "uricontent:\"foo\"; content:\"bar\";"
841  " depth:10; offset: 5; distance:3; sid:1;)");
842  if (s != NULL) {
843  printf("sig 6 failed to parse: ");
844  goto end;
845  }
846 
 /* sig 7: within:30 follows the second content, checked on the payload
  * list tail */
847  s = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
848  "\" Test uricontent and content\"; "
849  "uricontent:\"foo\"; content:\"bar\";"
850  " depth:10; offset: 5; content:"
851  "\"two_contents\"; within:30; sid:1;)");
852  if (s == NULL) {
853  goto end;
854  } else if (s->sm_lists[g_http_uri_buffer_id] == NULL ||
855  s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL ||
856  ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth != 15 ||
857  ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset != 5 ||
858  ((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx)->within != 30 ||
859  s->sm_lists[DETECT_SM_LIST_MATCH] != NULL)
860  {
861  printf("sig 7 failed to parse: ");
863  goto end;
864  }
865 
 /* sig 8: within:30 follows the second uricontent, checked on the http_uri
  * list tail.
  * NOTE(review): the failure branch dereferences
  * sm_lists_tail[g_http_uri_buffer_id] although an empty http_uri list is
  * one of the conditions that leads into it. */
866  s = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
867  "\" Test uricontent and content\"; "
868  "uricontent:\"foo\"; content:\"bar\";"
869  " depth:10; offset: 5; uricontent:"
870  "\"two_uricontents\"; within:30; sid:1;)");
871  if (s == NULL) {
872  goto end;
873  } else if (s->sm_lists[g_http_uri_buffer_id] == NULL ||
874  s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL ||
875  ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth != 15 ||
876  ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset != 5 ||
877  ((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->within != 30 ||
878  s->sm_lists[DETECT_SM_LIST_MATCH] != NULL)
879  {
880  printf("sig 8 failed to parse: ");
881  DetectUricontentPrint((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx);
882  goto end;
883  }
884 
 /* sig 9: distance:30 follows the second content, checked on the payload
  * list tail */
885  s = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
886  "\" Test uricontent and content\"; "
887  "uricontent:\"foo\"; content:\"bar\";"
888  " depth:10; offset: 5; content:"
889  "\"two_contents\"; distance:30; sid:1;)");
890  if (s == NULL) {
891  goto end;
892  } else if (
893  s->sm_lists[g_http_uri_buffer_id] == NULL ||
894  s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL ||
895  ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth != 15 ||
896  ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset != 5 ||
897  ((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx)->distance != 30 ||
898  s->sm_lists[DETECT_SM_LIST_MATCH] != NULL)
899  {
900  printf("sig 9 failed to parse: ");
902  goto end;
903  }
904 
 /* sig 10: distance:30 follows the second uricontent, checked on the
  * http_uri list tail (same dereference caveat as for sig 8) */
905  s = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
906  "\" Test uricontent and content\"; "
907  "uricontent:\"foo\"; content:\"bar\";"
908  " depth:10; offset: 5; uricontent:"
909  "\"two_uricontents\"; distance:30; sid:1;)");
910  if (s == NULL) {
911  goto end;
912  } else if (
913  s->sm_lists[g_http_uri_buffer_id] == NULL ||
914  s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL ||
915  ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth != 15 ||
916  ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset != 5 ||
917  ((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->distance != 30 ||
918  s->sm_lists[DETECT_SM_LIST_MATCH] != NULL)
919  {
920  printf("sig 10 failed to parse: ");
921  DetectUricontentPrint((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx);
922  goto end;
923  }
924 
 /* eleventh rule: distance and within on both a uricontent and a content.
  * NOTE(review): its failure messages are also labelled "sig 10", so a
  * failure here cannot be told apart from the previous rule in the output. */
925  s = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
926  "\" Test uricontent and content\"; "
927  "uricontent:\"foo\"; content:\"bar\";"
928  " depth:10; offset: 5; uricontent:"
929  "\"two_uricontents\"; distance:30; "
930  "within:60; content:\"two_contents\";"
931  " within:70; distance:45; sid:1;)");
932  if (s == NULL) {
933  printf("sig 10 failed to parse: ");
934  goto end;
935  }
936 
937  if (s->sm_lists[g_http_uri_buffer_id] == NULL || s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) {
938  printf("umatch %p or pmatch %p: ", s->sm_lists[g_http_uri_buffer_id], s->sm_lists[DETECT_SM_LIST_PMATCH]);
939  goto end;
940  }
941 
 /* each keyword must carry only the modifiers written directly after it */
942  if ( ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth != 15 ||
943  ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset != 5 ||
944  ((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->distance != 30 ||
945  ((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->within != 60 ||
946  ((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx)->distance != 45 ||
947  ((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx)->within != 70 ||
948  s->sm_lists[DETECT_SM_LIST_MATCH] != NULL) {
949  printf("sig 10 failed to parse, content not setup properly: ");
951  DetectUricontentPrint((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx);
953  goto end;
954  }
955 
956  result = 1;
957 end:
958  if (de_ctx != NULL)
959  DetectEngineCtxFree(de_ctx);
960  return result;
961 }
962 
963 /** \test Check the modifiers for uricontent and content
964  * match
 *
 * The request is "POST /one/two/three HTTP/1.0". Three rules are loaded:
 * sid 1 uricontent:"foo" must not alert; sid 2 (uricontent:"one" plus
 * content:"two") and sid 3 (three uricontent keywords chained with
 * offset/depth and distance/within) must alert.
 *
 * NOTE(review): source lines 976, 979, 992-994, 997, 1035 and 1038 are absent
 * from this listing, so the declarations and creation of alp_tctx and de_ctx
 * and some setup/teardown statements are not visible here.
965  */
966 static int DetectUriSigTest05(void)
967 {
968  HtpState *http_state = NULL;
969  uint8_t httpbuf1[] = "POST /one/two/three HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie:"
970  " hellocatch\r\n\r\n";
971  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
972  Packet *p = NULL;
973  Signature *s = NULL;
974  ThreadVars th_v;
975  DetectEngineThreadCtx *det_ctx = NULL;
977 
978  memset(&th_v, 0, sizeof(th_v));
980 
 /* packet and flow come from the unit-test helpers; the packet's TCP
  * sequence number and the session set up below both use 1000 */
981  p = UTHBuildPacket(httpbuf1, httplen1, IPPROTO_TCP);
982  FAIL_IF_NULL(p);
983  p->tcph->th_seq = htonl(1000);
984  Flow *f = UTHBuildFlow(AF_INET, "192.168.1.5", "192.168.1.1", 41424, 80);
985  FAIL_IF_NULL(f);
986  f->proto = IPPROTO_TCP;
987 
988  UTHAddSessionToFlow(f, 1000, 1000);
989  UTHAddStreamToFlow(f, 0, httpbuf1, httplen1);
990 
991  p->flow = f;
995  f->alproto = ALPROTO_HTTP;
996 
998  FAIL_IF_NULL(de_ctx);
999  de_ctx->flags |= DE_QUIET;
1000 
1001  s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any (msg:"
1002  "\" Test uricontent\"; uricontent:\"foo\"; sid:1;)");
1003  FAIL_IF_NULL(s);
1004 
1005  s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any (msg:"
1006  "\" Test uricontent\"; uricontent:\"one\"; content:\"two\"; sid:2;)");
1007  FAIL_IF_NULL(s);
1008 
1009  s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any (msg:"
1010  "\" Test uricontent\"; uricontent:\"one\"; offset:1; depth:10; "
1011  "uricontent:\"two\"; distance:1; within: 4; uricontent:\"three\"; "
1012  "distance:1; within: 6; sid:3;)");
1013  FAIL_IF_NULL(s);
1014 
1015  SigGroupBuild(de_ctx);
1016  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1017 
1018  int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP,
1019  STREAM_TOSERVER, httpbuf1, httplen1);
1020  FAIL_IF(r != 0);
1021  http_state = f->alstate;
1022  FAIL_IF_NULL(http_state);
1023 
1024  /* do detect */
1025  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1026 
 /* sid 1 must stay silent, sid 2 and sid 3 must alert */
1027  FAIL_IF((PacketAlertCheck(p, 1)));
1028  FAIL_IF(!PacketAlertCheck(p, 2));
1029  FAIL_IF(!(PacketAlertCheck(p, 3)));
1030 
1031  AppLayerParserThreadCtxFree(alp_tctx);
1032  DetectEngineThreadCtxDeinit(&th_v, det_ctx);
1033  DetectEngineCtxFree(de_ctx);
1034 
1036  UTHFreeFlow(f);
1037  UTHFreePackets(&p, 1);
1039  PASS;
1040 }
1041 
1042 /** \test Check the modifiers for uricontent and content
1043  * match
 *
 * The request is "POST /one/two/three HTTP/1.0". Three rules are loaded:
 * sid 1 (uricontent:"foo" plus content:"bar") must not alert; sid 2
 * interleaves uricontent and content keywords, each with its own
 * offset/depth or distance/within, and must alert; sid 3 uses the three
 * uricontent keywords of sid 2 alone and must alert as well.
 *
 * NOTE(review): source lines 1055, 1058, 1071-1073, 1076, 1124 and 1127 are
 * absent from this listing, so the declarations and creation of alp_tctx and
 * de_ctx and some setup/teardown statements are not visible here.
1044  */
1045 static int DetectUriSigTest06(void)
1046 {
1047  HtpState *http_state = NULL;
1048  uint8_t httpbuf1[] = "POST /one/two/three HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie:"
1049  " hellocatch\r\n\r\n";
1050  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1051  Packet *p = NULL;
1052  Signature *s = NULL;
1053  ThreadVars th_v;
1054  DetectEngineThreadCtx *det_ctx = NULL;
1056 
1057  memset(&th_v, 0, sizeof(th_v));
1059 
 /* packet and flow come from the unit-test helpers; the packet's TCP
  * sequence number and the session set up below both use 1000 */
1060  p = UTHBuildPacket(httpbuf1, httplen1, IPPROTO_TCP);
1061  FAIL_IF_NULL(p);
1062  p->tcph->th_seq = htonl(1000);
1063  Flow *f = UTHBuildFlow(AF_INET, "192.168.1.5", "192.168.1.1", 41424, 80);
1064  FAIL_IF_NULL(f);
1065  f->proto = IPPROTO_TCP;
1066 
1067  UTHAddSessionToFlow(f, 1000, 1000);
1068  UTHAddStreamToFlow(f, 0, httpbuf1, httplen1);
1069 
1070  p->flow = f;
1074  f->alproto = ALPROTO_HTTP;
1075 
1077  FAIL_IF_NULL(de_ctx);
1078  de_ctx->flags |= DE_QUIET;
1079 
1080  s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any (msg:"
1081  "\" Test uricontent\"; "
1082  "uricontent:\"foo\"; content:\"bar\"; sid:1;)");
1083  FAIL_IF_NULL(s);
1084 
 /* sid 2: every modifier is written directly after the keyword it is meant
  * for, alternating between uricontent and content */
1085  s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any (msg:"
1086  "\" Test uricontent\"; "
1087  "uricontent:\"one\"; offset:1; depth:10; "
1088  "content:\"one\"; offset:1; depth:10; "
1089  "uricontent:\"two\"; distance:1; within: 4; "
1090  "content:\"two\"; distance:1; within: 4; "
1091  "uricontent:\"three\"; distance:1; within: 6; "
1092  "content:\"/three\"; distance:0; within: 7; "
1093  "sid:2;)");
1094  FAIL_IF_NULL(s);
1095 
1096  s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any (msg:"
1097  "\" Test uricontent\"; "
1098  "uricontent:\"one\"; offset:1; depth:10; "
1099  "uricontent:\"two\"; distance:1; within: 4; "
1100  "uricontent:\"three\"; distance:1; within: 6; "
1101  "sid:3;)");
1102  FAIL_IF_NULL(s);
1103 
1104  SigGroupBuild(de_ctx);
1105  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1106 
1107  int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP,
1108  STREAM_TOSERVER, httpbuf1, httplen1);
1109  FAIL_IF(r != 0);
1110  http_state = f->alstate;
1111  FAIL_IF_NULL(http_state);
1112 
1113  /* do detect */
1114  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1115 
 /* sid 1 must stay silent, sid 2 and sid 3 must alert */
1116  FAIL_IF((PacketAlertCheck(p, 1)));
1117  FAIL_IF(!PacketAlertCheck(p, 2));
1118  FAIL_IF(!(PacketAlertCheck(p, 3)));
1119 
1120  AppLayerParserThreadCtxFree(alp_tctx);
1121  DetectEngineThreadCtxDeinit(&th_v, det_ctx);
1122  DetectEngineCtxFree(de_ctx);
1123 
1125  UTHFreeFlow(f);
1126  UTHFreePackets(&p, 1);
1128  PASS;
1129 }
1130 
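/**
 * \test Check that uricontent and content modifiers reject a request that
 *       does not satisfy them.
 *
 * The request is "POST /one/two/three", matched against three rules, none
 * of which may alert:
 *  - sid 1 looks for "foo"/"bar", which the request does not contain;
 *  - sid 2 is the combined URI/payload chain with distance:3 on the
 *    uricontent "two";
 *  - sid 3 ends its URI chain with "six", which the URI does not contain.
 *
 * \retval 1 on success (via PASS); the FAIL_IF macros return on failure.
 */
static int DetectUriSigTest07(void)
{
    uint8_t httpbuf1[] = "POST /one/two/three HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie:"
                         " hellocatch\r\n\r\n";
    uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    /* parser thread context handed to AppLayerParserParse() below */
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
    FAIL_IF_NULL(alp_tctx);

    memset(&th_v, 0, sizeof(th_v));
    StreamTcpInitConfig(TRUE);

    p = UTHBuildPacket(httpbuf1, httplen1, IPPROTO_TCP);
    FAIL_IF_NULL(p);
    p->tcph->th_seq = htonl(1000);
    Flow *f = UTHBuildFlow(AF_INET, "192.168.1.5", "192.168.1.1", 41424, 80);
    FAIL_IF_NULL(f);
    f->proto = IPPROTO_TCP;

    UTHAddSessionToFlow(f, 1000, 1000);
    UTHAddStreamToFlow(f, 0, httpbuf1, httplen1);

    /* tie the packet to the flow and mark it as established to-server
     * traffic */
    p->flow = f;
    p->flowflags |= FLOW_PKT_TOSERVER;
    p->flowflags |= FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
    f->alproto = ALPROTO_HTTP;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);
    de_ctx->flags |= DE_QUIET;

    /* sid 1: patterns that are absent from the request */
    s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any (msg:"
                                     "\" Test uricontent\"; "
                                     "uricontent:\"foo\"; content:\"bar\"; sid:1;)");
    FAIL_IF_NULL(s);

    /* sid 2: distance:3 on the uricontent "two" is the part expected to
     * break the chain */
    s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any (msg:"
                                     "\" Test uricontent\"; "
                                     "uricontent:\"one\"; offset:1; depth:10; "
                                     "content:\"one\"; offset:1; depth:10; "
                                     "uricontent:\"two\"; distance:3; within: 4; "
                                     "content:\"two\"; distance:1; within: 4; "
                                     "uricontent:\"three\"; distance:1; within: 6; "
                                     "content:\"/three\"; distance:0; within: 7; "
                                     "sid:2;)");
    FAIL_IF_NULL(s);

    /* sid 3: "six" never occurs in the URI */
    s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any (msg:"
                                     "\" Test uricontent\"; "
                                     "uricontent:\"one\"; offset:1; depth:10; "
                                     "uricontent:\"two\"; distance:1; within: 4; "
                                     "uricontent:\"six\"; distance:1; within: 6; "
                                     "sid:3;)");
    FAIL_IF_NULL(s);

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    /* the HTTP parser has to run first so that there is state to inspect */
    int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP,
                                STREAM_TOSERVER, httpbuf1, httplen1);
    FAIL_IF(r != 0);
    HtpState *http_state = f->alstate;
    FAIL_IF_NULL(http_state);

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    FAIL_IF((PacketAlertCheck(p, 1)));
    FAIL_IF((PacketAlertCheck(p, 2)));
    FAIL_IF((PacketAlertCheck(p, 3)));

    AppLayerParserThreadCtxFree(alp_tctx);
    DetectEngineThreadCtxDeinit(&th_v, det_ctx);
    DetectEngineCtxFree(de_ctx);

    /* detach the session before the flow itself is released */
    UTHRemoveSessionFromFlow(f);
    UTHFreeFlow(f);
    UTHFreePackets(&p, 1);
    StreamTcpFreeConfig(TRUE);
    PASS;
}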
1219 
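/**
 * \test A rule with an empty uricontent pattern (uricontent:"") must be
 *       rejected by the rule parser.
 *
 * \retval 1 if SigInit() refused the rule
 * \retval 0 if the rule was accepted, or if the detection engine context
 *           could not be created (nothing was tested in that case)
 */
static int DetectUriSigTest08(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        /* setup failed: report failure instead of a vacuous pass, and do
         * not hand a NULL context to the cleanup calls */
        return 0;
    }

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:\"\"; sid:238012;)");
    /* negative test: success means the parser returned no signature */
    int result = (de_ctx->sig_list == NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}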
1248 
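/**
 * \test A uricontent value that consists of an opening quote only
 *       (uricontent:";) must be rejected by the rule parser.
 *
 * \retval 1 if SigInit() refused the rule
 * \retval 0 if the rule was accepted, or if the detection engine context
 *           could not be created (nothing was tested in that case)
 */
static int DetectUriSigTest09(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        /* setup failed: report failure instead of a vacuous pass, and do
         * not hand a NULL context to the cleanup calls */
        return 0;
    }

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:\"; sid:238012;)");
    /* negative test: success means the parser returned no signature */
    int result = (de_ctx->sig_list == NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}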
1277 
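/**
 * \test A uricontent pattern with no closing quote (uricontent:"boo;)
 *       must be rejected by the rule parser.
 *
 * \retval 1 if SigInit() refused the rule
 * \retval 0 if the rule was accepted, or if the detection engine context
 *           could not be created (nothing was tested in that case)
 */
static int DetectUriSigTest10(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        /* setup failed: report failure instead of a vacuous pass, and do
         * not hand a NULL context to the cleanup calls */
        return 0;
    }

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:\"boo; sid:238012;)");
    /* negative test: success means the parser returned no signature */
    int result = (de_ctx->sig_list == NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}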
1306 
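/**
 * \test A uricontent pattern with no opening quote (uricontent:boo";)
 *       must be rejected by the rule parser.
 *
 * \retval 1 if SigInit() refused the rule
 * \retval 0 if the rule was accepted, or if the detection engine context
 *           could not be created (nothing was tested in that case)
 */
static int DetectUriSigTest11(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        /* setup failed: report failure instead of a vacuous pass, and do
         * not hand a NULL context to the cleanup calls */
        return 0;
    }

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:boo\"; sid:238012;)");
    /* negative test: success means the parser returned no signature */
    int result = (de_ctx->sig_list == NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}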
1335 
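/**
 * \test Parse a negated uricontent (uricontent: !"boo") and check that the
 *       pattern stored at the tail of the http uri list is exactly "boo".
 *
 * \retval 1 if the rule parsed and the stored pattern is "boo"
 * \retval 0 otherwise, including when the detection engine context could
 *           not be created
 */
static int DetectUriSigTest12(void)
{
    DetectContentData *ud = NULL;
    Signature *s = NULL;
    int result = 0;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        /* nothing to clean up; do not pass NULL to the cleanup calls */
        return 0;
    }

    de_ctx->flags |= DE_QUIET;
    s = de_ctx->sig_list = SigInit(de_ctx,
                                   "alert udp any any -> any any "
                                   "(msg:\"test\"; uricontent: !\"boo\"; sid:238012;)");
    if (de_ctx->sig_list == NULL) {
        printf("de_ctx->sig_list == NULL: ");
        goto end;
    }

    if (s->sm_lists_tail[g_http_uri_buffer_id] == NULL || s->sm_lists_tail[g_http_uri_buffer_id]->ctx == NULL) {
        printf("de_ctx->pmatch_tail == NULL && de_ctx->pmatch_tail->ctx == NULL: ");
        goto end;
    }

    ud = (DetectContentData *)s->sm_lists_tail[g_http_uri_buffer_id]->ctx;
    /* check the length as well: a strncmp() bounded by content_len alone
     * would also succeed for an empty pattern or any prefix of "boo" */
    result = (ud->content_len == 3 && memcmp(ud->content, "boo", 3) == 0);

end:
    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}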
1374 
1375 
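/**
 * \test Parsing test: a uricontent pattern that is a single '|'
 *       (uricontent:"|") must be rejected.
 *
 * \retval 1 if SigInit() refused the rule
 * \retval 0 if the rule was accepted, or if the detection engine context
 *           could not be created (nothing was tested in that case)
 */
static int DetectUriContentParseTest13(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        /* setup failed: report failure instead of a vacuous pass, and do
         * not hand a NULL context to the cleanup calls */
        return 0;
    }

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:\"|\"; sid:1;)");
    /* negative test: success means the parser returned no signature */
    int result = (de_ctx->sig_list == NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}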
1404 
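/**
 * \test Parsing test: a '|' that is opened but never closed
 *       (uricontent:"|af") must be rejected.
 *
 * \retval 1 if SigInit() refused the rule
 * \retval 0 if the rule was accepted, or if the detection engine context
 *           could not be created (nothing was tested in that case)
 */
static int DetectUriContentParseTest14(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        /* setup failed: report failure instead of a vacuous pass, and do
         * not hand a NULL context to the cleanup calls */
        return 0;
    }

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:\"|af\"; sid:1;)");
    /* negative test: success means the parser returned no signature */
    int result = (de_ctx->sig_list == NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}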
1433 
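/**
 * \test Parsing test: a trailing '|' with no opening one
 *       (uricontent:"af|") must be rejected.
 *
 * \retval 1 if SigInit() refused the rule
 * \retval 0 if the rule was accepted, or if the detection engine context
 *           could not be created (nothing was tested in that case)
 */
static int DetectUriContentParseTest15(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        /* setup failed: report failure instead of a vacuous pass, and do
         * not hand a NULL context to the cleanup calls */
        return 0;
    }

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:\"af|\"; sid:1;)");
    /* negative test: success means the parser returned no signature */
    int result = (de_ctx->sig_list == NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}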
1462 
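/**
 * \test Parsing test: a balanced '|'-delimited pattern
 *       (uricontent:"|af|") must be accepted.
 *
 * \retval 1 if SigInit() returned a signature
 * \retval 0 if the rule was refused, or if the detection engine context
 *           could not be created (nothing was tested in that case)
 */
static int DetectUriContentParseTest16(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        /* setup failed: report failure instead of a vacuous pass, and do
         * not hand a NULL context to the cleanup calls */
        return 0;
    }

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:\"|af|\"; sid:1;)");
    /* positive test: success means the parser produced a signature */
    int result = (de_ctx->sig_list != NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}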
1491 
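/**
 * \test Parsing test: text followed by an unmatched '|'
 *       (uricontent:"aast|") must be rejected.
 *
 * \retval 1 if SigInit() refused the rule
 * \retval 0 if the rule was accepted, or if the detection engine context
 *           could not be created (nothing was tested in that case)
 */
static int DetectUriContentParseTest17(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        /* setup failed: report failure instead of a vacuous pass, and do
         * not hand a NULL context to the cleanup calls */
        return 0;
    }

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:\"aast|\"; sid:1;)");
    /* negative test: success means the parser returned no signature */
    int result = (de_ctx->sig_list == NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}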
1520 
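/**
 * \test Parsing test: text followed by a '|' section that is never closed
 *       (uricontent:"aast|af") must be rejected.
 *
 * \retval 1 if SigInit() refused the rule
 * \retval 0 if the rule was accepted, or if the detection engine context
 *           could not be created (nothing was tested in that case)
 */
static int DetectUriContentParseTest18(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        /* setup failed: report failure instead of a vacuous pass, and do
         * not hand a NULL context to the cleanup calls */
        return 0;
    }

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:\"aast|af\"; sid:1;)");
    /* negative test: success means the parser returned no signature */
    int result = (de_ctx->sig_list == NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}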
1549 
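/**
 * \test Parsing test: text followed by a balanced '|' section
 *       (uricontent:"aast|af|") must be accepted.
 *
 * \retval 1 if SigInit() returned a signature
 * \retval 0 if the rule was refused, or if the detection engine context
 *           could not be created (nothing was tested in that case)
 */
static int DetectUriContentParseTest19(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        /* setup failed: report failure instead of a vacuous pass, and do
         * not hand a NULL context to the cleanup calls */
        return 0;
    }

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:\"aast|af|\"; sid:1;)");
    /* positive test: success means the parser produced a signature */
    int result = (de_ctx->sig_list != NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}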
1578 
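/**
 * \test Parsing test: a balanced '|' section followed by text
 *       (uricontent:"|af|asdf") must be accepted.
 *
 * \retval 1 if SigInit() returned a signature
 * \retval 0 if the rule was refused, or if the detection engine context
 *           could not be created (nothing was tested in that case)
 */
static int DetectUriContentParseTest20(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        /* setup failed: report failure instead of a vacuous pass, and do
         * not hand a NULL context to the cleanup calls */
        return 0;
    }

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:\"|af|asdf\"; sid:1;)");
    /* positive test: success means the parser produced a signature */
    int result = (de_ctx->sig_list != NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}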
1607 
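/**
 * \test Parsing test: an odd number of '|' delimiters
 *       (uricontent:"|af|af|") must be rejected.
 *
 * \retval 1 if SigInit() refused the rule
 * \retval 0 if the rule was accepted, or if the detection engine context
 *           could not be created (nothing was tested in that case)
 */
static int DetectUriContentParseTest21(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        /* setup failed: report failure instead of a vacuous pass, and do
         * not hand a NULL context to the cleanup calls */
        return 0;
    }

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:\"|af|af|\"; sid:1;)");
    /* negative test: success means the parser returned no signature */
    int result = (de_ctx->sig_list == NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}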
1636 
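/**
 * \test Parsing test: a pattern whose last '|' section is left open
 *       (uricontent:"|af|af|af") must be rejected.
 *
 * \retval 1 if SigInit() refused the rule
 * \retval 0 if the rule was accepted, or if the detection engine context
 *           could not be created (nothing was tested in that case)
 */
static int DetectUriContentParseTest22(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        /* setup failed: report failure instead of a vacuous pass, and do
         * not hand a NULL context to the cleanup calls */
        return 0;
    }

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:\"|af|af|af\"; sid:1;)");
    /* negative test: success means the parser returned no signature */
    int result = (de_ctx->sig_list == NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}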
1665 
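/**
 * \test Parsing test: an even number of '|' delimiters
 *       (uricontent:"|af|af|af|") must be accepted.
 *
 * \retval 1 if SigInit() returned a signature
 * \retval 0 if the rule was refused, or if the detection engine context
 *           could not be created (nothing was tested in that case)
 */
static int DetectUriContentParseTest23(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        /* setup failed: report failure instead of a vacuous pass, and do
         * not hand a NULL context to the cleanup calls */
        return 0;
    }

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:\"|af|af|af|\"; sid:1;)");
    /* positive test: success means the parser produced a signature */
    int result = (de_ctx->sig_list != NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}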
1694 
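/**
 * \test Parsing test: an empty uricontent pattern (uricontent:"") in a
 *       tcp rule must be rejected.
 *
 * \retval 1 if SigInit() refused the rule
 * \retval 0 if the rule was accepted, or if the detection engine context
 *           could not be created (nothing was tested in that case)
 */
static int DetectUriContentParseTest24(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        /* setup failed: report failure instead of a vacuous pass, and do
         * not hand a NULL context to the cleanup calls */
        return 0;
    }

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert tcp any any -> any any "
                               "(msg:\"test\"; uricontent:\"\"; sid:1;)");
    /* negative test: success means the parser returned no signature */
    int result = (de_ctx->sig_list == NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}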
1723 
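/**
 * \test Parse "isdataat:!4,relative" placed after a uricontent and check
 *       the keyword that ends up at the tail of the http uri list.
 *
 * The tail match must be an isdataat keyword carrying the relative and
 * negated flags and not the rawbytes flag.
 *
 * \retval 1 on success (via PASS); the FAIL_IF macros return on failure.
 */
static int DetectUricontentIsdataatParseTest(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);
    de_ctx->flags |= DE_QUIET;

    Signature *s = DetectEngineAppendSig(de_ctx,
                                         "alert tcp any any -> any any ("
                                         "uricontent:\"one\"; "
                                         "isdataat:!4,relative; sid:1;)");
    FAIL_IF_NULL(s);

    SigMatch *sm = s->init_data->smlists_tail[g_http_uri_buffer_id];
    FAIL_IF_NULL(sm);
    /* confirm the keyword type before sm->ctx is cast below */
    FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);

    DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
    FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
    FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
    FAIL_IF(data->flags & ISDATAAT_RAWBYTES);

    DetectEngineCtxFree(de_ctx);
    PASS;
}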
1748 
1749 #endif /* UNITTESTS */
1750 
/**
 * \brief Register the uricontent unit tests with the unit test framework.
 *
 * Does nothing when the file is built without UNITTESTS. The tests are
 * registered in the order in which they appear in the table.
 */
static void DetectUricontentRegisterTests(void)
{
#ifdef UNITTESTS
    static const struct {
        const char *label;
        int (*run)(void);
    } uricontent_tests[] = {
        { "HTTPUriTest01", HTTPUriTest01 },
        { "HTTPUriTest02", HTTPUriTest02 },
        { "HTTPUriTest03", HTTPUriTest03 },
        { "HTTPUriTest04", HTTPUriTest04 },

        { "DetectUriSigTest01", DetectUriSigTest01 },
        { "DetectUriSigTest02", DetectUriSigTest02 },
        { "DetectUriSigTest03", DetectUriSigTest03 },
        { "DetectUriSigTest04 - Modifiers", DetectUriSigTest04 },
        { "DetectUriSigTest05 - Inspection", DetectUriSigTest05 },
        { "DetectUriSigTest06 - Inspection", DetectUriSigTest06 },
        { "DetectUriSigTest07 - Inspection", DetectUriSigTest07 },
        { "DetectUriSigTest08", DetectUriSigTest08 },
        { "DetectUriSigTest09", DetectUriSigTest09 },
        { "DetectUriSigTest10", DetectUriSigTest10 },
        { "DetectUriSigTest11", DetectUriSigTest11 },
        { "DetectUriSigTest12", DetectUriSigTest12 },

        { "DetectUriContentParseTest13", DetectUriContentParseTest13 },
        { "DetectUriContentParseTest14", DetectUriContentParseTest14 },
        { "DetectUriContentParseTest15", DetectUriContentParseTest15 },
        { "DetectUriContentParseTest16", DetectUriContentParseTest16 },
        { "DetectUriContentParseTest17", DetectUriContentParseTest17 },
        { "DetectUriContentParseTest18", DetectUriContentParseTest18 },
        { "DetectUriContentParseTest19", DetectUriContentParseTest19 },
        { "DetectUriContentParseTest20", DetectUriContentParseTest20 },
        { "DetectUriContentParseTest21", DetectUriContentParseTest21 },
        { "DetectUriContentParseTest22", DetectUriContentParseTest22 },
        { "DetectUriContentParseTest23", DetectUriContentParseTest23 },
        { "DetectUriContentParseTest24", DetectUriContentParseTest24 },

        { "DetectUricontentIsdataatParseTest",
          DetectUricontentIsdataatParseTest },
    };

    for (size_t idx = 0; idx < sizeof(uricontent_tests) / sizeof(uricontent_tests[0]); idx++) {
        UtRegisterTest(uricontent_tests[idx].label, uricontent_tests[idx].run);
    }
#endif /* UNITTESTS */
}