suricata
detect-uricontent.c
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
23  *
24  * Simple uricontent match part of the detection engine.
25  */
26 
27 #include "suricata-common.h"
28 #include "decode.h"
29 #include "detect.h"
30 #include "detect-content.h"
31 #include "detect-http-uri.h"
32 #include "detect-uricontent.h"
33 #include "detect-engine-mpm.h"
34 #include "detect-parse.h"
35 #include "detect-engine.h"
36 #include "detect-engine-state.h"
37 #include "flow.h"
38 #include "detect-flow.h"
39 #include "flow-var.h"
40 #include "flow-util.h"
41 #include "threads.h"
42 
43 #include "stream-tcp.h"
44 #include "stream.h"
45 #include "app-layer.h"
46 #include "app-layer-parser.h"
47 #include "app-layer-protos.h"
48 #include "app-layer-htp.h"
49 
50 #include "util-mpm.h"
51 #include "util-print.h"
52 #include "util-debug.h"
53 #include "util-unittest.h"
54 #include "util-unittest-helper.h"
55 #include "util-spm.h"
56 #include "conf.h"
57 
58 /* prototypes */
/* Forward declarations of the three uricontent callbacks; the registration
 * function below stores them in sigmatch_table[DETECT_URICONTENT]. */
59 static int DetectUricontentSetup (DetectEngineCtx *, Signature *, const char *);
60 static void DetectUricontentRegisterTests(void);
61 static void DetectUricontentFree(void *);
62 
/* Id of the "http_uri" buffer type. It starts at 0 and is overwritten during
 * registration with the value DetectBufferTypeRegister("http_uri") returns;
 * the unit tests use it to index s->sm_lists[]. */
63 static int g_http_uri_buffer_id = 0;
64 
65 /**
66  * \brief Registration function for uricontent: keyword
67  */
69 {
 /* NOTE(review): this rendered listing omits source lines 68, 71, 75 and 76,
  * so the function signature and any other sigmatch_table fields assigned
  * here are not visible; read the repository copy before relying on this
  * excerpt. */
70  sigmatch_table[DETECT_URICONTENT].name = "uricontent";
 /* Install the callbacks declared at the top of the file for this keyword. */
72  sigmatch_table[DETECT_URICONTENT].Setup = DetectUricontentSetup;
73  sigmatch_table[DETECT_URICONTENT].Free = DetectUricontentFree;
74  sigmatch_table[DETECT_URICONTENT].RegisterTests = DetectUricontentRegisterTests;
77 
 /* Keep the id registered for the "http_uri" buffer type in the file-scope
  * variable so later code can find the URI match list. */
78  g_http_uri_buffer_id = DetectBufferTypeRegister("http_uri");
79 }
80 
81 /**
82  * \brief this function will Free memory associated with DetectContentData
83  *
84  * \param ptr pointer to the DetectContentData to be freed
85  */
86 void DetectUricontentFree(void *ptr)
87 {
88  SCEnter();
 /* NOTE(review): source line 89 is missing from this listing; `cd` is
  * presumably declared there from `ptr` - confirm against the repository. */
90 
 /* Nothing to release when no context was attached. */
91  if (cd == NULL)
92  SCReturn;
93 
 /* NOTE(review): source line 94 is also missing, so this excerpt may not show
  * every release performed before the structure itself is freed. */
95  SCFree(cd);
96 
97  SCReturn;
98 }
99 
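/**
 * \brief Setup callback for the deprecated "uricontent" keyword.
 *
 * Consults the "legacy.uricontent" configuration option and, unless that
 * option rejects the keyword, registers the pattern by calling
 * DetectContentSetup() followed by DetectHttpUriSetup(); the keyword is
 * therefore handled like 'content:<pattern>; http_uri;'.
 *
 * \param de_ctx     Pointer to the detection engine context
 * \param s          Pointer to the Signature currently being parsed from
 *                   the rules
 * \param contentstr Pointer to the string holding the keyword value
 *
 * \retval 0 on success
 * \retval -1 on failure: "legacy.uricontent" is "disabled", it holds a value
 *         other than "enabled"/"disabled", or one of the two setup calls
 *         failed
 *
 * \note NOTE(review): a -1 here is a rule-parse failure, so with the option
 *       set to "disabled" every rule that still uses uricontent is
 *       presumably left out of the loaded ruleset. Operators flipping the
 *       option should check the rule-load errors for lost coverage.
 */
int DetectUricontentSetup(DetectEngineCtx *de_ctx, Signature *s, const char *contentstr)
{
    SCEnter();

    const char *legacy = NULL;
    if (ConfGet("legacy.uricontent", &legacy) == 1) {
        /* ConfGet() only reports that the key exists. Guard against a key
         * that carries no scalar value before handing it to strcasecmp().
         * NOTE(review): confirm ConfGet() can leave the value NULL here. */
        const int known_value = legacy != NULL &&
                (strcasecmp("enabled", legacy) == 0 ||
                 strcasecmp("disabled", legacy) == 0);
        if (!known_value) {
            SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Invalid value found "
                    "for legacy.uricontent - \"%s\". Valid values are "
                    "\"enabled\" OR \"disabled\".",
                    legacy != NULL ? legacy : "(null)");
            SCReturnInt(-1);
        }

        if (strcasecmp("disabled", legacy) == 0) {
            /* The message names the keyword and the option exactly as they
             * must be typed, so it can be searched for in rules and config. */
            SCLogError(SC_ERR_INVALID_SIGNATURE, "uricontent deprecated. To "
                    "use a rule with \"uricontent\", either set the "
                    "option - \"legacy.uricontent\" in the conf to "
                    "\"enabled\" OR replace uricontent with "
                    "\'content:%s; http_uri;\'.", contentstr);
            SCReturnInt(-1);
        }
        /* "enabled": fall through and set the keyword up. */
    }

    /* Parse the pattern as an ordinary content match ... */
    if (DetectContentSetup(de_ctx, s, contentstr) < 0) {
        SCReturnInt(-1);
    }

    /* ... then apply the http_uri setup to it (no keyword argument). */
    if (DetectHttpUriSetup(de_ctx, s, NULL) < 0) {
        SCReturnInt(-1);
    }

    SCReturnInt(0);
}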
144 
145 /*
146  * UNITTESTS
147  */
148 
149 #ifdef UNITTESTS
150 
151 #include "detect-isdataat.h"
152 #include "stream-tcp-reassemble.h"
153 
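/**
 * \brief Helper function to print a DetectContentData
 *
 * Emits the pattern and its modifiers through SCLogDebug(). Bytes of the
 * pattern that are not printable are shown as '.', so raw pattern bytes
 * never reach the log output unmodified.
 *
 * \param cd Pointer to the content data to print; NULL is reported and
 *           ignored.
 *
 * If the temporary buffer cannot be allocated the function returns without
 * printing anything.
 */
static void DetectUricontentPrint(DetectContentData *cd)
{
    if (cd == NULL) {
        SCLogDebug("Detect UricontentData \"cd\" is NULL");
        return;
    }

    /* One byte per pattern byte plus the terminating NUL. */
    char *tmpstr = SCMalloc(sizeof(char) * cd->content_len + 1);
    if (unlikely(tmpstr == NULL))
        return;

    /* The original kept an else branch for tmpstr == NULL after the early
     * return above; it could never run and has been dropped. */
    int i = 0;
    for (i = 0; i < cd->content_len; i++) {
        /* Cast so isprint() never receives a negative value, whatever the
         * element type of cd->content is. */
        tmpstr[i] = isprint((unsigned char)cd->content[i]) ? cd->content[i] : '.';
    }
    tmpstr[i] = '\0';
    SCLogDebug("Uricontent: \"%s\"", tmpstr);
    SCFree(tmpstr);

    SCLogDebug("Uricontent_id: %"PRIu32, cd->id);
    SCLogDebug("Uricontent_len: %"PRIu16, cd->content_len);
    SCLogDebug("Depth: %"PRIu16, cd->depth);
    SCLogDebug("Offset: %"PRIu16, cd->offset);
    SCLogDebug("Within: %"PRIi32, cd->within);
    SCLogDebug("Distance: %"PRIi32, cd->distance);
    SCLogDebug("flags: %u ", cd->flags);
    SCLogDebug("negated: %s ",
            cd->flags & DETECT_CONTENT_NEGATED ? "true" : "false");
    SCLogDebug("relative match next: %s ",
            cd->flags & DETECT_CONTENT_RELATIVE_NEXT ? "true" : "false");
    SCLogDebug("-----------");
}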
197 
198 /** \test Test case where path traversal has been sent as a path string in the
199  * HTTP URL and normalized path string is checked */
200 static int HTTPUriTest01(void)
201 {
 /* Feeds one complete HTTP request to the application-layer parser and then
  * inspects transaction 0: method GET, protocol HTTP/1.1, hostname
  * "www.example.com" and parsed path "/images.gif". Returns 1 when every
  * check holds, 0 otherwise.
  *
  * The request line carries "/../../images.gif" and a mixed-case Host header,
  * so the test passes only when the parser has collapsed the ".." segments
  * and lower-cased the hostname before these fields are read.
  *
  * NOTE(review): this listing omits source lines 209, 219, 223 and 261.
  * `alp_tctx` is used below without a visible declaration and the
  * AppLayerParserParse() call is missing one argument line; consult the
  * repository copy. */
202  int result = 0;
203  Flow f;
204  uint8_t httpbuf1[] = "GET /../../images.gif HTTP/1.1\r\nHost: www.ExA"
205  "mPlE.cOM\r\n\r\n";
206  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
207  TcpSession ssn;
208  int r = 0;
210  memset(&f, 0, sizeof(f));
211  memset(&ssn, 0, sizeof(ssn));
212 
 /* Hand-built IPv4/TCP flow, already marked as HTTP, with a zeroed session. */
213  FLOW_INITIALIZE(&f);
214  f.protoctx = (void *)&ssn;
215  f.proto = IPPROTO_TCP;
216  f.alproto = ALPROTO_HTTP;
217  f.flags |= FLOW_IPV4;
218 
220 
 /* The flow stays write-locked until the `end` label; every exit path below
  * goes through that label. */
221  FLOWLOCK_WRLOCK(&f);
222  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
224  httpbuf1,
225  httplen1);
226  if (r != 0) {
227  printf("AppLayerParse failed: r(%d) != 0: ", r);
228  goto end;
229  }
230 
231  HtpState *htp_state = f.alstate;
232  if (htp_state == NULL) {
233  printf("no http state: ");
234  goto end;
235  }
236 
 /* NOTE(review): tx, and tx->parsed_uri further down, are dereferenced
  * without a NULL check; if AppLayerParserGetTx() can return NULL this
  * crashes the test run instead of reporting a failure. */
237  htp_tx_t *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP, htp_state, 0);
238 
239  if (tx->request_method_number != HTP_M_GET ||
240  tx->request_protocol_number != HTP_PROTOCOL_1_1)
241  {
242  goto end;
243  }
244 
 /* Host header was sent as "www.ExAmPlE.cOM". */
245  if ((tx->request_hostname == NULL) ||
246  (bstr_cmp_c(tx->request_hostname, "www.example.com") != 0))
247  {
248  goto end;
249  }
250 
 /* Path was sent as "/../../images.gif". */
251  if ((tx->parsed_uri->path == NULL) ||
252  (bstr_cmp_c(tx->parsed_uri->path, "/images.gif") != 0))
253  {
254  goto end;
255  }
256 
257  result = 1;
258 end:
259  if (alp_tctx != NULL)
260  AppLayerParserThreadCtxFree(alp_tctx);
262  FLOWLOCK_UNLOCK(&f);
263  FLOW_DESTROY(&f);
264  return result;
265 }
266 
267 /** \test Test case where path traversal has been sent in special characters in
268  * HEX encoding in the HTTP URL and normalized path string is checked */
269 static int HTTPUriTest02(void)
270 {
 /* Same flow as HTTPUriTest01, but the traversal segment arrives
  * percent-encoded ("/%2e%2e/images.gif"). The test passes only when the
  * parsed path is "/images.gif", i.e. the parser decoded %2e before removing
  * the ".." segment. Returns 1 on success, 0 otherwise.
  *
  * NOTE(review): this listing omits source lines 279, 290, 294 and 332.
  * `alp_tctx` has no visible declaration and the AppLayerParserParse() call
  * is missing one argument line. */
271  int result = 0;
272  Flow f;
273  HtpState *htp_state = NULL;
274  uint8_t httpbuf1[] = "GET /%2e%2e/images.gif HTTP/1.1\r\nHost: www.ExA"
275  "mPlE.cOM\r\n\r\n";
276  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
277  TcpSession ssn;
278  int r = 0;
280 
281  memset(&f, 0, sizeof(f));
282  memset(&ssn, 0, sizeof(ssn));
283 
284  FLOW_INITIALIZE(&f);
285  f.protoctx = (void *)&ssn;
286  f.proto = IPPROTO_TCP;
287  f.alproto = ALPROTO_HTTP;
288  f.flags |= FLOW_IPV4;
289 
291 
 /* Lock is released at the `end` label on every path. */
292  FLOWLOCK_WRLOCK(&f);
293  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
295  httpbuf1,
296  httplen1);
297  if (r != 0) {
298  printf("AppLayerParse failed: r(%d) != 0: ", r);
299  goto end;
300  }
301 
302  htp_state = f.alstate;
303  if (htp_state == NULL) {
304  printf("no http state: ");
305  goto end;
306  }
307 
 /* NOTE(review): no NULL check on tx or tx->parsed_uri before use. */
308  htp_tx_t *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP, htp_state, 0);
309 
310  if (tx->request_method_number != HTP_M_GET ||
311  tx->request_protocol_number != HTP_PROTOCOL_1_1)
312  {
313  goto end;
314  }
315 
316  if ((tx->request_hostname == NULL) ||
317  (bstr_cmp_c(tx->request_hostname, "www.example.com") != 0))
318  {
319  goto end;
320  }
321 
 /* Encoded traversal must have been decoded and collapsed. */
322  if ((tx->parsed_uri->path == NULL) ||
323  (bstr_cmp_c(tx->parsed_uri->path, "/images.gif") != 0))
324  {
325  goto end;
326  }
327 
328  result = 1;
329 end:
330  if (alp_tctx != NULL)
331  AppLayerParserThreadCtxFree(alp_tctx);
333  FLOWLOCK_UNLOCK(&f);
334  FLOW_DESTROY(&f);
335  return result;
336 }
337 
338 /** \test Test case where NULL character has been sent in HEX encoding in the
339  * HTTP URL and normalized path string is checked */
340 static int HTTPUriTest03(void)
341 {
 /* Sends a request line that starts with "GET%00 /images.gif". In this
  * buffer the "%00" text is attached to the method token, not to the path.
  * The test expects the method to be classified as HTP_M_UNKNOWN while the
  * protocol, hostname and path ("/images.gif") are still parsed as usual.
  * Returns 1 on success, 0 otherwise.
  *
  * NOTE(review): this listing omits source lines 350, 361, 365 and 403.
  * `alp_tctx` has no visible declaration and the AppLayerParserParse() call
  * is missing one argument line. */
342  int result = 0;
343  Flow f;
344  HtpState *htp_state = NULL;
345  uint8_t httpbuf1[] = "GET%00 /images.gif HTTP/1.1\r\nHost: www.ExA"
346  "mPlE.cOM\r\n\r\n";
347  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
348  TcpSession ssn;
349  int r = 0;
351 
352  memset(&f, 0, sizeof(f));
353  memset(&ssn, 0, sizeof(ssn));
354 
355  FLOW_INITIALIZE(&f);
356  f.protoctx = (void *)&ssn;
357  f.proto = IPPROTO_TCP;
358  f.alproto = ALPROTO_HTTP;
359  f.flags |= FLOW_IPV4;
360 
362 
 /* Lock is released at the `end` label on every path. */
363  FLOWLOCK_WRLOCK(&f);
364  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
366  httpbuf1,
367  httplen1);
368  if (r != 0) {
369  printf("AppLayerParse failed: r(%d) != 0: ", r);
370  goto end;
371  }
372 
373  htp_state = f.alstate;
374  if (htp_state == NULL) {
375  printf("no http state: ");
376  goto end;
377  }
378 
 /* NOTE(review): no NULL check on tx or tx->parsed_uri before use. */
379  htp_tx_t *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP, htp_state, 0);
380 
 /* "GET%00" is not accepted as GET. */
381  if (tx->request_method_number != HTP_M_UNKNOWN ||
382  tx->request_protocol_number != HTP_PROTOCOL_1_1)
383  {
384  goto end;
385  }
386 
387  if ((tx->request_hostname == NULL) ||
388  (bstr_cmp_c(tx->request_hostname, "www.example.com") != 0))
389  {
390  goto end;
391  }
392 
393  if ((tx->parsed_uri->path == NULL) ||
394  (bstr_cmp_c(tx->parsed_uri->path, "/images.gif") != 0))
395  {
396  goto end;
397  }
398 
399  result = 1;
400 end:
401  if (alp_tctx != NULL)
402  AppLayerParserThreadCtxFree(alp_tctx);
404  FLOWLOCK_UNLOCK(&f);
405  FLOW_DESTROY(&f);
406  return result;
407 }
408 
409 
410 /** \test Test case where self referencing directories request has been sent
411  * in the HTTP URL and normalized path string is checked */
412 static int HTTPUriTest04(void)
413 {
 /* Sends "/./././images.gif" and expects the parsed path to be
  * "/images.gif", i.e. the self-referencing "./" segments are removed by the
  * parser. Method, protocol and hostname are checked as in the other
  * HTTPUriTest cases. Returns 1 on success, 0 otherwise.
  *
  * NOTE(review): this listing omits source lines 422, 433, 437 and 475.
  * `alp_tctx` has no visible declaration and the AppLayerParserParse() call
  * is missing one argument line. */
414  int result = 0;
415  Flow f;
416  HtpState *htp_state = NULL;
417  uint8_t httpbuf1[] = "GET /./././images.gif HTTP/1.1\r\nHost: www.ExA"
418  "mPlE.cOM\r\n\r\n";
419  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
420  TcpSession ssn;
421  int r = 0;
423 
424  memset(&f, 0, sizeof(f));
425  memset(&ssn, 0, sizeof(ssn));
426 
427  FLOW_INITIALIZE(&f);
428  f.protoctx = (void *)&ssn;
429  f.proto = IPPROTO_TCP;
430  f.alproto = ALPROTO_HTTP;
431  f.flags |= FLOW_IPV4;
432 
434 
 /* Lock is released at the `end` label on every path. */
435  FLOWLOCK_WRLOCK(&f);
436  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
438  httpbuf1,
439  httplen1);
440  if (r != 0) {
441  printf("AppLayerParse failed: r(%d) != 0: ", r);
442  goto end;
443  }
444 
445  htp_state = f.alstate;
446  if (htp_state == NULL) {
447  printf("no http state: ");
448  goto end;
449  }
450 
 /* NOTE(review): no NULL check on tx or tx->parsed_uri before use. */
451  htp_tx_t *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP, htp_state, 0);
452 
453  if (tx->request_method_number != HTP_M_GET ||
454  tx->request_protocol_number != HTP_PROTOCOL_1_1)
455  {
456  goto end;
457  }
458 
459  if ((tx->request_hostname == NULL) ||
460  (bstr_cmp_c(tx->request_hostname, "www.example.com") != 0))
461  {
462  goto end;
463  }
464 
465  if ((tx->parsed_uri->path == NULL) ||
466  (bstr_cmp_c(tx->parsed_uri->path, "/images.gif") != 0))
467  {
468  goto end;
469  }
470 
471  result = 1;
472 end:
473  if (alp_tctx != NULL)
474  AppLayerParserThreadCtxFree(alp_tctx);
476  FLOWLOCK_UNLOCK(&f);
477  FLOW_DESTROY(&f);
478  return result;
479 }
480 
481 /**
482  * \test Checks if a uricontent is registered in a Signature
483  */
484 static int DetectUriSigTest01(void)
485 {
 /* Parses one rule that carries both content:"me" and uricontent:"me" and
  * checks that the head of the match list indexed by g_http_uri_buffer_id
  * has type DETECT_CONTENT, i.e. a uricontent pattern is stored as a content
  * match in the URI buffer list.
  *
  * NOTE(review): `de_ctx` is used without a visible declaration; source line
  * 491 is missing from this listing. */
486  ThreadVars th_v;
487  Signature *s = NULL;
488 
489  memset(&th_v, 0, sizeof(th_v));
490 
492  FAIL_IF_NULL(de_ctx);
493  de_ctx->flags |= DE_QUIET;
494 
495  s = DetectEngineAppendSig(de_ctx,"alert http any any -> any any (msg:"
496  "\" Test uricontent\"; content:\"me\"; uricontent:\"me\"; sid:1;)");
497  FAIL_IF_NULL(s);
498 
 /* NOTE(review): BUG_ON presumably aborts the whole test binary, unlike the
  * FAIL_IF_* checks used around it - confirm and consider FAIL_IF_NULL. */
499  BUG_ON(s->sm_lists[g_http_uri_buffer_id] == NULL);
500  FAIL_IF_NOT(de_ctx->sig_list->sm_lists[g_http_uri_buffer_id]->type == DETECT_CONTENT);
501 
502  DetectEngineCtxFree(de_ctx);
503  PASS;
504 }
505 
506 /** \test Check the signature working to alert when http_cookie is matched . */
507 static int DetectUriSigTest02(void)
508 {
 /* Loads three uricontent rules ("foo", "one", "oisf"), parses a single
  * "POST /one" request and runs detection on the packet. Only sid 2 may
  * alert. Returns 1 on success, 0 otherwise.
  *
  * The comment above this function mentions http_cookie, but all three
  * rules here use uricontent and the Cookie header plays no part in the
  * expected result.
  *
  * NOTE(review): this listing omits source lines 520, 534-536, 539, 541 and
  * 612, so `alp_tctx` and `de_ctx` have no visible declaration and part of
  * the packet/flow setup and teardown is not shown. */
509  int result = 0;
510  Flow f;
511  uint8_t httpbuf1[] = "POST /one HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie:"
512  " hellocatch\r\n\r\n";
513  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
514  TcpSession ssn;
515  Packet *p = NULL;
516  Signature *s = NULL;
517  ThreadVars th_v;
518  DetectEngineThreadCtx *det_ctx = NULL;
519  HtpState *http_state = NULL;
521 
522  memset(&th_v, 0, sizeof(th_v));
523  memset(&f, 0, sizeof(f));
524  memset(&ssn, 0, sizeof(ssn));
525 
 /* NOTE(review): p is dereferenced below without a NULL check; the later
  * tests in this file use FAIL_IF_NULL(p) after UTHBuildPacket(). */
526  p = UTHBuildPacket(httpbuf1, httplen1, IPPROTO_TCP);
527 
528  FLOW_INITIALIZE(&f);
529  f.protoctx = (void *)&ssn;
530  f.proto = IPPROTO_TCP;
531  f.flags |= FLOW_IPV4;
532 
533  p->flow = &f;
537  f.alproto = ALPROTO_HTTP;
538 
540 
542  if (de_ctx == NULL) {
543  goto end;
544  }
545  de_ctx->flags |= DE_QUIET;
546 
 /* The three signatures are chained by hand through s->next. */
547  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
548  "\" Test uricontent\"; "
549  "uricontent:\"foo\"; sid:1;)");
550  if (s == NULL) {
551  goto end;
552  }
553 
554  s = s->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
555  "\" Test uricontent\"; "
556  "uricontent:\"one\"; sid:2;)");
557  if (s == NULL) {
558  goto end;
559  }
560 
561  s = s->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
562  "\" Test uricontent\"; "
563  "uricontent:\"oisf\"; sid:3;)");
564  if (s == NULL) {
565  goto end;
566  }
567 
568 
569  SigGroupBuild(de_ctx);
570  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
571 
 /* The flow lock is held only around the parser call and is dropped on both
  * the error and the success path before detection runs. */
572  FLOWLOCK_WRLOCK(&f);
573  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
574  STREAM_TOSERVER, httpbuf1, httplen1);
575  if (r != 0) {
576  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
577  FLOWLOCK_UNLOCK(&f);
578  goto end;
579  }
580  FLOWLOCK_UNLOCK(&f);
581 
582  http_state = f.alstate;
583  if (http_state == NULL) {
584  printf("no http state: ");
585  goto end;
586  }
587 
588  /* do detect */
589  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
590 
 /* URI is "/one": "foo" and "oisf" must not match, "one" must. */
591  if ((PacketAlertCheck(p, 1))) {
592  printf("sig: 1 alerted, but it should not\n");
593  goto end;
594  } else if (!PacketAlertCheck(p, 2)) {
595  printf("sig: 2 did not alerted, but it should\n");
596  goto end;
597  } else if ((PacketAlertCheck(p, 3))) {
598  printf("sig: 3 alerted, but it should not\n");
599  goto end;
600  }
601 
602  result = 1;
603 end:
 /* NOTE(review): SigCleanSignatures() runs before SigGroupCleanup() here,
  * while DetectUriSigTest03 uses the opposite order - confirm which order
  * the engine expects. */
604  if (alp_tctx != NULL)
605  AppLayerParserThreadCtxFree(alp_tctx);
606  //if (http_state != NULL) HTPStateFree(http_state);
607  if (de_ctx != NULL) SigCleanSignatures(de_ctx);
608  if (de_ctx != NULL) SigGroupCleanup(de_ctx);
609  if (det_ctx != NULL) DetectEngineThreadCtxDeinit(&th_v, det_ctx);
610  if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
611 
613  FLOW_DESTROY(&f);
614  UTHFreePackets(&p, 1);
615  return result;
616 }
617 
618 /** \test Check the working of search once per packet only in applayer
619  * match */
620 static int DetectUriSigTest03(void)
621 {
 /* Loads three uricontent rules ("foo", "one", "self") and feeds two
  * requests over the same flow: "POST /one" and then "POST /oneself".
  * After the first request only sid 2 may be set on the packet; after the
  * second, sid 2 and sid 3 must both be set and sid 1 must not. Returns 1
  * on success, 0 otherwise.
  *
  * NOTE(review): this listing omits source lines 636, 650-652, 655, 657 and
  * 753, so `alp_tctx` and `de_ctx` have no visible declaration and part of
  * the packet/flow setup and teardown is not shown. */
622  int result = 0;
623  Flow f;
624  HtpState *http_state = NULL;
625  uint8_t httpbuf1[] = "POST /one HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie:"
626  " hellocatch\r\n\r\n";
627  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
628  uint8_t httpbuf2[] = "POST /oneself HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie:"
629  " hellocatch\r\n\r\n";
630  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
631  TcpSession ssn;
632  Packet *p = NULL;
633  Signature *s = NULL;
634  ThreadVars th_v;
635  DetectEngineThreadCtx *det_ctx = NULL;
637 
638  memset(&th_v, 0, sizeof(th_v));
639  memset(&f, 0, sizeof(f));
640  memset(&ssn, 0, sizeof(ssn));
641 
 /* NOTE(review): p is dereferenced below without a NULL check. The same
  * packet, built from httpbuf1, is used for both detection runs. */
642  p = UTHBuildPacket(httpbuf1, httplen1, IPPROTO_TCP);
643 
644  FLOW_INITIALIZE(&f);
645  f.protoctx = (void *)&ssn;
646  f.proto = IPPROTO_TCP;
647  f.flags |= FLOW_IPV4;
648 
649  p->flow = &f;
653  f.alproto = ALPROTO_HTTP;
654 
656 
658  if (de_ctx == NULL) {
659  goto end;
660  }
661  de_ctx->flags |= DE_QUIET;
662 
 /* The three signatures are chained by hand through s->next. */
663  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
664  "\" Test uricontent\"; "
665  "uricontent:\"foo\"; sid:1;)");
666  if (s == NULL) {
667  goto end;
668  }
669 
670  s = s->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
671  "\" Test uricontent\"; "
672  "uricontent:\"one\"; sid:2;)");
673  if (s == NULL) {
674  goto end;
675  }
676 
677  s = s->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
678  "\" Test uricontent\"; "
679  "uricontent:\"self\"; sid:3;)");
680  if (s == NULL) {
681  goto end;
682  }
683 
684 
685  SigGroupBuild(de_ctx);
686  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
687 
 /* First request: the flow lock covers only the parser call. */
688  FLOWLOCK_WRLOCK(&f);
689  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
690  STREAM_TOSERVER, httpbuf1, httplen1);
691  if (r != 0) {
692  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
693  FLOWLOCK_UNLOCK(&f);
694  goto end;
695  }
696  FLOWLOCK_UNLOCK(&f);
697 
698  /* do detect */
699  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
700 
 /* URI is "/one": only "one" matches. */
701  if ((PacketAlertCheck(p, 1))) {
702  printf("sig 1 alerted, but it should not: ");
703  goto end;
704  } else if (!PacketAlertCheck(p, 2)) {
705  printf("sig 2 did not alert, but it should: ");
706  goto end;
707  } else if ((PacketAlertCheck(p, 3))) {
708  printf("sig 3 alerted, but it should not: ");
709  goto end;
710  }
711 
712 
 /* Second request on the same flow.
  * NOTE(review): the failure message below still says "chunk 1" although
  * this is the second buffer. */
713  FLOWLOCK_WRLOCK(&f);
714  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
715  STREAM_TOSERVER, httpbuf2, httplen2);
716  if (r != 0) {
717  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
718  FLOWLOCK_UNLOCK(&f);
719  goto end;
720  }
721  FLOWLOCK_UNLOCK(&f);
722 
723  http_state = f.alstate;
724  if (http_state == NULL) {
725  printf("no http state: ");
726  goto end;
727  }
728 
729  /* do detect */
730  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
731 
 /* NOTE(review): the middle branch fires when sid 2 is NOT set, yet its
  * message reads "sig 2 alerted, but it should not"; the check is the
  * authoritative part - sid 2 and sid 3 are both required here. */
732  if ((PacketAlertCheck(p, 1))) {
733  printf("sig 1 alerted, but it should not (chunk 2): ");
734  goto end;
735  } else if (!PacketAlertCheck(p, 2)) {
736  printf("sig 2 alerted, but it should not (chunk 2): ");
737  goto end;
738  } else if (!(PacketAlertCheck(p, 3))) {
739  printf("sig 3 did not alert, but it should (chunk 2): ");
740  goto end;
741  }
742 
743  result = 1;
744 
745 end:
746  if (alp_tctx != NULL)
747  AppLayerParserThreadCtxFree(alp_tctx);
748  if (de_ctx != NULL) SigGroupCleanup(de_ctx);
749  if (de_ctx != NULL) SigCleanSignatures(de_ctx);
750  if (det_ctx != NULL) DetectEngineThreadCtxDeinit(&th_v, det_ctx);
751  if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
752 
754  FLOW_DESTROY(&f);
755  UTHFreePackets(&p, 1);
756  return result;
757 }
758 
759 /**
760  * \test Check that modifiers of content apply only to content keywords
761  * and the same for uricontent modifiers
762  */
763 static int DetectUriSigTest04(void)
764 {
 /* Parser-only test: builds a series of rules that mix uricontent and
  * content and checks, per rule, which match list each pattern landed in
  * (the list indexed by g_http_uri_buffer_id versus DETECT_SM_LIST_PMATCH)
  * and which pattern received the depth/offset/within/distance modifiers.
  * No traffic is inspected. Returns 1 when every rule behaves as expected,
  * 0 otherwise.
  *
  * What the checks pin down: a modifier is attached to the pattern keyword
  * it follows, in that keyword's own list, and with "depth:10; offset: 5"
  * the stored depth is expected to be 15 while the stored offset is 5.
  *
  * NOTE(review): this listing omits source lines 768, 860, 899, 948 and 950,
  * so `de_ctx` has no visible declaration and some statements inside the
  * failure branches are not shown.
  * NOTE(review): each SigInit() result overwrites `s` without being linked
  * into de_ctx->sig_list and no per-signature free is visible, so the
  * signatures appear to leak - confirm against the repository. */
765  int result = 0;
766  Signature *s = NULL;
767 
769  if (de_ctx == NULL) {
770  goto end;
771  }
772 
 /* Rule 1: uricontent only - URI list populated, payload list empty. */
773  s = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
774  "\" Test uricontent\"; "
775  "uricontent:\"foo\"; sid:1;)");
776  if (s == NULL ||
777  s->sm_lists[g_http_uri_buffer_id] == NULL ||
778  s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL ||
779  s->sm_lists[DETECT_SM_LIST_MATCH] != NULL)
780  {
781  printf("sig 1 failed to parse: ");
782  goto end;
783  }
784 
 /* Rule 2: uricontent plus content - both lists populated. */
785  s = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
786  "\" Test uricontent and content\"; "
787  "uricontent:\"foo\"; content:\"bar\";sid:1;)");
788  if (s == NULL ||
789  s->sm_lists[g_http_uri_buffer_id] == NULL ||
790  s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL ||
791  s->sm_lists[DETECT_SM_LIST_MATCH] != NULL)
792  {
793  printf("sig 2 failed to parse: ");
794  goto end;
795  }
796 
 /* Rule 3: depth/offset follow content:"bar", so they are checked on the
  * payload list entry. */
797  s = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
798  "\" Test uricontent and content\"; "
799  "uricontent:\"foo\"; content:\"bar\";"
800  " depth:10; offset: 5; sid:1;)");
801  if (s == NULL ||
802  s->sm_lists[g_http_uri_buffer_id] == NULL ||
803  s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL ||
804  ((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth != 15 ||
805  ((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset != 5 ||
806  s->sm_lists[DETECT_SM_LIST_MATCH] != NULL)
807  {
808  printf("sig 3 failed to parse: ");
809  goto end;
810  }
811 
 /* Rule 4: same modifiers, now following uricontent:"bar", so they are
  * checked on the URI list entry. */
812  s = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
813  "\" Test uricontent and content\"; "
814  "content:\"foo\"; uricontent:\"bar\";"
815  " depth:10; offset: 5; sid:1;)");
816  if (s == NULL ||
817  s->sm_lists[g_http_uri_buffer_id] == NULL ||
818  s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL ||
819  ((DetectContentData *)s->sm_lists[g_http_uri_buffer_id]->ctx)->depth != 15 ||
820  ((DetectContentData *)s->sm_lists[g_http_uri_buffer_id]->ctx)->offset != 5 ||
821  s->sm_lists[DETECT_SM_LIST_MATCH] != NULL)
822  {
823  printf("sig 4 failed to parse: ");
824  goto end;
825  }
826 
 /* Rules 5 and 6 are negative cases: the rule must be REJECTED. The only
  * earlier pattern is a uricontent, so the payload content:"bar" presumably
  * has nothing in its own list for within/distance to be relative to.
  * NOTE(review): the printed text says "failed to parse" although these
  * branches fire when the rule unexpectedly parsed. */
827  s = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
828  "\" Test uricontent and content\"; "
829  "uricontent:\"foo\"; content:\"bar\";"
830  " depth:10; offset: 5; within:3; sid:1;)");
831  if (s != NULL) {
832  printf("sig 5 failed to parse: ");
833  goto end;
834  }
835 
836  s = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
837  "\" Test uricontent and content\"; "
838  "uricontent:\"foo\"; content:\"bar\";"
839  " depth:10; offset: 5; distance:3; sid:1;)");
840  if (s != NULL) {
841  printf("sig 6 failed to parse: ");
842  goto end;
843  }
844 
 /* Rule 7: within:30 follows a second payload content, so it is checked on
  * the tail of the payload list; depth/offset stay on the head. */
845  s = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
846  "\" Test uricontent and content\"; "
847  "uricontent:\"foo\"; content:\"bar\";"
848  " depth:10; offset: 5; content:"
849  "\"two_contents\"; within:30; sid:1;)");
850  if (s == NULL) {
851  goto end;
852  } else if (s->sm_lists[g_http_uri_buffer_id] == NULL ||
853  s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL ||
854  ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth != 15 ||
855  ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset != 5 ||
856  ((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx)->within != 30 ||
857  s->sm_lists[DETECT_SM_LIST_MATCH] != NULL)
858  {
859  printf("sig 7 failed to parse: ");
861  goto end;
862  }
863 
 /* Rule 8: within:30 follows a second uricontent, so it is checked on the
  * tail of the URI list. */
864  s = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
865  "\" Test uricontent and content\"; "
866  "uricontent:\"foo\"; content:\"bar\";"
867  " depth:10; offset: 5; uricontent:"
868  "\"two_uricontents\"; within:30; sid:1;)");
869  if (s == NULL) {
870  goto end;
871  } else if (s->sm_lists[g_http_uri_buffer_id] == NULL ||
872  s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL ||
873  ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth != 15 ||
874  ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset != 5 ||
875  ((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->within != 30 ||
876  s->sm_lists[DETECT_SM_LIST_MATCH] != NULL)
877  {
878  printf("sig 8 failed to parse: ");
879  DetectUricontentPrint((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx);
880  goto end;
881  }
882 
 /* Rule 9: as rule 7 but with distance:30 on the payload tail. */
883  s = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
884  "\" Test uricontent and content\"; "
885  "uricontent:\"foo\"; content:\"bar\";"
886  " depth:10; offset: 5; content:"
887  "\"two_contents\"; distance:30; sid:1;)");
888  if (s == NULL) {
889  goto end;
890  } else if (
891  s->sm_lists[g_http_uri_buffer_id] == NULL ||
892  s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL ||
893  ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth != 15 ||
894  ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset != 5 ||
895  ((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx)->distance != 30 ||
896  s->sm_lists[DETECT_SM_LIST_MATCH] != NULL)
897  {
898  printf("sig 9 failed to parse: ");
900  goto end;
901  }
902 
 /* Rule 10: as rule 8 but with distance:30 on the URI tail. */
903  s = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
904  "\" Test uricontent and content\"; "
905  "uricontent:\"foo\"; content:\"bar\";"
906  " depth:10; offset: 5; uricontent:"
907  "\"two_uricontents\"; distance:30; sid:1;)");
908  if (s == NULL) {
909  goto end;
910  } else if (
911  s->sm_lists[g_http_uri_buffer_id] == NULL ||
912  s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL ||
913  ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth != 15 ||
914  ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset != 5 ||
915  ((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->distance != 30 ||
916  s->sm_lists[DETECT_SM_LIST_MATCH] != NULL)
917  {
918  printf("sig 10 failed to parse: ");
919  DetectUricontentPrint((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx);
920  goto end;
921  }
922 
 /* Rule 11: relative modifiers on both tails at once - distance:30/within:60
  * on the second uricontent and within:70/distance:45 on the second content.
  * NOTE(review): the messages below reuse the label "sig 10". */
923  s = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
924  "\" Test uricontent and content\"; "
925  "uricontent:\"foo\"; content:\"bar\";"
926  " depth:10; offset: 5; uricontent:"
927  "\"two_uricontents\"; distance:30; "
928  "within:60; content:\"two_contents\";"
929  " within:70; distance:45; sid:1;)");
930  if (s == NULL) {
931  printf("sig 10 failed to parse: ");
932  goto end;
933  }
934 
935  if (s->sm_lists[g_http_uri_buffer_id] == NULL || s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) {
936  printf("umatch %p or pmatch %p: ", s->sm_lists[g_http_uri_buffer_id], s->sm_lists[DETECT_SM_LIST_PMATCH]);
937  goto end;
938  }
939 
940  if ( ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth != 15 ||
941  ((DetectContentData*) s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset != 5 ||
942  ((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->distance != 30 ||
943  ((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->within != 60 ||
944  ((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx)->distance != 45 ||
945  ((DetectContentData*) s->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx)->within != 70 ||
946  s->sm_lists[DETECT_SM_LIST_MATCH] != NULL) {
947  printf("sig 10 failed to parse, content not setup properly: ");
949  DetectUricontentPrint((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx);
951  goto end;
952  }
953 
954  result = 1;
955 end:
956  if (de_ctx != NULL)
957  DetectEngineCtxFree(de_ctx);
958  return result;
959 }
960 
961 /** \test Check the modifiers for uricontent and content
962  * match
963  */
964 static int DetectUriSigTest05(void)
965 {
 /* End-to-end match test on "POST /one/two/three". Three rules are loaded:
  *   sid 1: uricontent:"foo"                          - must not alert
  *   sid 2: uricontent:"one" plus content:"two"       - must alert
  *   sid 3: three chained uricontent patterns with
  *          offset/depth and distance/within          - must alert
  *
  * NOTE(review): this listing omits source lines 974, 977, 990-992, 995,
  * 1033 and 1036, so `alp_tctx` and `de_ctx` have no visible declaration and
  * part of the setup and teardown is not shown.
  * NOTE(review): cleanup sits only at the end of the function; if the
  * FAIL_IF* macros return early, a failing check skips it - confirm. */
966  HtpState *http_state = NULL;
967  uint8_t httpbuf1[] = "POST /one/two/three HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie:"
968  " hellocatch\r\n\r\n";
969  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
970  Packet *p = NULL;
971  Signature *s = NULL;
972  ThreadVars th_v;
973  DetectEngineThreadCtx *det_ctx = NULL;
975 
976  memset(&th_v, 0, sizeof(th_v));
978 
 /* Packet and flow come from the unit-test helpers; the packet's TCP
  * sequence number is set to 1000, the same value passed to
  * UTHAddSessionToFlow() below. */
979  p = UTHBuildPacket(httpbuf1, httplen1, IPPROTO_TCP);
980  FAIL_IF_NULL(p);
981  p->tcph->th_seq = htonl(1000);
982  Flow *f = UTHBuildFlow(AF_INET, "192.168.1.5", "192.168.1.1", 41424, 80);
983  FAIL_IF_NULL(f);
984  f->proto = IPPROTO_TCP;
985 
986  UTHAddSessionToFlow(f, 1000, 1000);
987  UTHAddStreamToFlow(f, 0, httpbuf1, httplen1);
988 
989  p->flow = f;
993  f->alproto = ALPROTO_HTTP;
994 
996  FAIL_IF_NULL(de_ctx);
997  de_ctx->flags |= DE_QUIET;
998 
999  s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any (msg:"
1000  "\" Test uricontent\"; uricontent:\"foo\"; sid:1;)");
1001  FAIL_IF_NULL(s);
1002 
1003  s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any (msg:"
1004  "\" Test uricontent\"; uricontent:\"one\"; content:\"two\"; sid:2;)");
1005  FAIL_IF_NULL(s);
1006 
1007  s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any (msg:"
1008  "\" Test uricontent\"; uricontent:\"one\"; offset:1; depth:10; "
1009  "uricontent:\"two\"; distance:1; within: 4; uricontent:\"three\"; "
1010  "distance:1; within: 6; sid:3;)");
1011  FAIL_IF_NULL(s);
1012 
1013  SigGroupBuild(de_ctx);
1014  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1015 
 /* NOTE(review): unlike DetectUriSigTest02/03, no FLOWLOCK_WRLOCK/UNLOCK
  * pair is visible around this parser call - confirm whether it is needed. */
1016  int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP,
1017  STREAM_TOSERVER, httpbuf1, httplen1);
1018  FAIL_IF(r != 0);
1019  http_state = f->alstate;
1020  FAIL_IF_NULL(http_state);
1021 
1022  /* do detect */
1023  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1024 
1025  FAIL_IF((PacketAlertCheck(p, 1)));
1026  FAIL_IF(!PacketAlertCheck(p, 2));
1027  FAIL_IF(!(PacketAlertCheck(p, 3)));
1028 
1029  AppLayerParserThreadCtxFree(alp_tctx);
1030  DetectEngineThreadCtxDeinit(&th_v, det_ctx);
1031  DetectEngineCtxFree(de_ctx);
1032 
1034  UTHFreeFlow(f);
1035  UTHFreePackets(&p, 1);
1037  PASS;
1038 }
1039 
1040 /** \test Check the modifiers for uricontent and content
1041  * match
1042  */
1043 static int DetectUriSigTest06(void)
1044 {
 /* End-to-end match test on "POST /one/two/three" with uricontent and
  * content patterns interleaved inside one rule. Three rules are loaded:
  *   sid 1: uricontent:"foo" plus content:"bar"       - must not alert
  *   sid 2: uricontent and content chains interleaved,
  *          each with its own offset/depth and
  *          distance/within modifiers                  - must alert
  *   sid 3: the uricontent chain alone                 - must alert
  * sid 2 can only alert if the modifiers of each chain are evaluated against
  * that chain's own buffer.
  *
  * NOTE(review): this listing omits source lines 1053, 1056, 1069-1071,
  * 1074, 1122 and 1125, so `alp_tctx` and `de_ctx` have no visible
  * declaration and part of the setup and teardown is not shown.
  * NOTE(review): cleanup sits only at the end of the function; if the
  * FAIL_IF* macros return early, a failing check skips it - confirm. */
1045  HtpState *http_state = NULL;
1046  uint8_t httpbuf1[] = "POST /one/two/three HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie:"
1047  " hellocatch\r\n\r\n";
1048  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1049  Packet *p = NULL;
1050  Signature *s = NULL;
1051  ThreadVars th_v;
1052  DetectEngineThreadCtx *det_ctx = NULL;
1054 
1055  memset(&th_v, 0, sizeof(th_v));
1057 
 /* Packet and flow come from the unit-test helpers; the packet's TCP
  * sequence number is set to 1000, the same value passed to
  * UTHAddSessionToFlow() below. */
1058  p = UTHBuildPacket(httpbuf1, httplen1, IPPROTO_TCP);
1059  FAIL_IF_NULL(p);
1060  p->tcph->th_seq = htonl(1000);
1061  Flow *f = UTHBuildFlow(AF_INET, "192.168.1.5", "192.168.1.1", 41424, 80);
1062  FAIL_IF_NULL(f);
1063  f->proto = IPPROTO_TCP;
1064 
1065  UTHAddSessionToFlow(f, 1000, 1000);
1066  UTHAddStreamToFlow(f, 0, httpbuf1, httplen1);
1067 
1068  p->flow = f;
1072  f->alproto = ALPROTO_HTTP;
1073 
1075  FAIL_IF_NULL(de_ctx);
1076  de_ctx->flags |= DE_QUIET;
1077 
1078  s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any (msg:"
1079  "\" Test uricontent\"; "
1080  "uricontent:\"foo\"; content:\"bar\"; sid:1;)");
1081  FAIL_IF_NULL(s);
1082 
1083  s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any (msg:"
1084  "\" Test uricontent\"; "
1085  "uricontent:\"one\"; offset:1; depth:10; "
1086  "content:\"one\"; offset:1; depth:10; "
1087  "uricontent:\"two\"; distance:1; within: 4; "
1088  "content:\"two\"; distance:1; within: 4; "
1089  "uricontent:\"three\"; distance:1; within: 6; "
1090  "content:\"/three\"; distance:0; within: 7; "
1091  "sid:2;)");
1092  FAIL_IF_NULL(s);
1093 
1094  s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any (msg:"
1095  "\" Test uricontent\"; "
1096  "uricontent:\"one\"; offset:1; depth:10; "
1097  "uricontent:\"two\"; distance:1; within: 4; "
1098  "uricontent:\"three\"; distance:1; within: 6; "
1099  "sid:3;)");
1100  FAIL_IF_NULL(s);
1101 
1102  SigGroupBuild(de_ctx);
1103  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1104 
 /* NOTE(review): unlike DetectUriSigTest02/03, no FLOWLOCK_WRLOCK/UNLOCK
  * pair is visible around this parser call - confirm whether it is needed. */
1105  int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP,
1106  STREAM_TOSERVER, httpbuf1, httplen1);
1107  FAIL_IF(r != 0);
1108  http_state = f->alstate;
1109  FAIL_IF_NULL(http_state);
1110 
1111  /* do detect */
1112  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1113 
1114  FAIL_IF((PacketAlertCheck(p, 1)));
1115  FAIL_IF(!PacketAlertCheck(p, 2));
1116  FAIL_IF(!(PacketAlertCheck(p, 3)));
1117 
1118  AppLayerParserThreadCtxFree(alp_tctx);
1119  DetectEngineThreadCtxDeinit(&th_v, det_ctx);
1120  DetectEngineCtxFree(de_ctx);
1121 
1123  UTHFreeFlow(f);
1124  UTHFreePackets(&p, 1);
1126  PASS;
1127 }
1128 
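/**
 * \test Negative counterpart of the uricontent/content modifier check: the
 *       same HTTP request is inspected, but no signature may alert.
 *
 * sid 2 uses distance:3 for uricontent:"two" and sid 3 looks for "six",
 * which does not occur in the request URI; sid 1 looks for "foo".
 *
 * NOTE(review): the rendered listing this function was taken from skips
 * several source line numbers inside the body. Only the two declarations the
 * visible code cannot compile without (alp_tctx and de_ctx) are restored
 * here; compare setup and teardown with the repository file before relying
 * on this copy.
 */
static int DetectUriSigTest07(void)
{
    HtpState *http_state = NULL;
    uint8_t httpbuf1[] = "POST /one/two/three HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie:"
                         " hellocatch\r\n\r\n";
    uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    /* restored: alp_tctx is passed to AppLayerParserParse() and freed below */
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));

    p = UTHBuildPacket(httpbuf1, httplen1, IPPROTO_TCP);
    FAIL_IF_NULL(p);
    p->tcph->th_seq = htonl(1000);
    Flow *f = UTHBuildFlow(AF_INET, "192.168.1.5", "192.168.1.1", 41424, 80);
    FAIL_IF_NULL(f);
    f->proto = IPPROTO_TCP;

    UTHAddSessionToFlow(f, 1000, 1000);
    UTHAddStreamToFlow(f, 0, httpbuf1, httplen1);

    p->flow = f;
    f->alproto = ALPROTO_HTTP;

    /* restored: de_ctx is checked on the next line and used throughout */
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);
    de_ctx->flags |= DE_QUIET;

    /* sid 1: "foo" does not occur in the request URI */
    s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any (msg:"
                                     "\" Test uricontent\"; "
                                     "uricontent:\"foo\"; content:\"bar\"; sid:1;)");
    FAIL_IF_NULL(s);

    /* sid 2: distance:3 on uricontent:"two" is expected to break the chain */
    s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any (msg:"
                                     "\" Test uricontent\"; "
                                     "uricontent:\"one\"; offset:1; depth:10; "
                                     "content:\"one\"; offset:1; depth:10; "
                                     "uricontent:\"two\"; distance:3; within: 4; "
                                     "content:\"two\"; distance:1; within: 4; "
                                     "uricontent:\"three\"; distance:1; within: 6; "
                                     "content:\"/three\"; distance:0; within: 7; "
                                     "sid:2;)");
    FAIL_IF_NULL(s);

    /* sid 3: last element "six" is absent from the URI */
    s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any (msg:"
                                     "\" Test uricontent\"; "
                                     "uricontent:\"one\"; offset:1; depth:10; "
                                     "uricontent:\"two\"; distance:1; within: 4; "
                                     "uricontent:\"six\"; distance:1; within: 6; "
                                     "sid:3;)");
    FAIL_IF_NULL(s);

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    /* feed the request to the HTTP parser so the flow carries app-layer state */
    int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP,
                                STREAM_TOSERVER, httpbuf1, httplen1);
    FAIL_IF(r != 0);
    http_state = f->alstate;
    FAIL_IF_NULL(http_state);

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    /* a partial chain match must never be reported as an alert */
    FAIL_IF((PacketAlertCheck(p, 1)));
    FAIL_IF((PacketAlertCheck(p, 2)));
    FAIL_IF((PacketAlertCheck(p, 3)));

    AppLayerParserThreadCtxFree(alp_tctx);
    DetectEngineThreadCtxDeinit(&th_v, det_ctx);
    DetectEngineCtxFree(de_ctx);

    UTHFreeFlow(f);
    UTHFreePackets(&p, 1);
    PASS;
}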
1217 
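/**
 * \test A rule whose uricontent pattern is the empty string must be rejected
 *       by the rule parser.
 *
 * \retval 1 the rule was rejected (pass)
 * \retval 0 the rule was accepted, or no engine context could be created
 */
static int DetectUriSigTest08(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    /* no context means nothing was parsed: that is a failure, not a pass */
    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:\"\"; sid:238012;)");
    /* pass only when the parser refused the rule */
    int result = (de_ctx->sig_list == NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}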
1246 
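/**
 * \test A uricontent option that consists of a lone opening quote (no
 *       pattern, no closing quote) must be rejected by the rule parser.
 *
 * \retval 1 the rule was rejected (pass)
 * \retval 0 the rule was accepted, or no engine context could be created
 */
static int DetectUriSigTest09(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    /* no context means nothing was parsed: that is a failure, not a pass */
    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:\"; sid:238012;)");
    /* pass only when the parser refused the rule */
    int result = (de_ctx->sig_list == NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}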
1275 
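/**
 * \test A uricontent pattern with an opening quote but no closing quote must
 *       be rejected by the rule parser.
 *
 * \retval 1 the rule was rejected (pass)
 * \retval 0 the rule was accepted, or no engine context could be created
 */
static int DetectUriSigTest10(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    /* no context means nothing was parsed: that is a failure, not a pass */
    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:\"boo; sid:238012;)");
    /* pass only when the parser refused the rule */
    int result = (de_ctx->sig_list == NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}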
1304 
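/**
 * \test A uricontent pattern with a closing quote but no opening quote must
 *       be rejected by the rule parser.
 *
 * \retval 1 the rule was rejected (pass)
 * \retval 0 the rule was accepted, or no engine context could be created
 */
static int DetectUriSigTest11(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    /* no context means nothing was parsed: that is a failure, not a pass */
    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:boo\"; sid:238012;)");
    /* pass only when the parser refused the rule */
    int result = (de_ctx->sig_list == NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}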
1333 
/**
 * \test Parse a rule with a negated uricontent (uricontent: !"boo") and
 *       check the pattern stored on the tail of the http uri match list.
 *
 * \retval 1 the stored content compares equal to "boo" over content_len bytes
 * \retval 0 on any setup or parse failure, or when the content differs
 */
static int DetectUriSigTest12(void)
{
    int result = 0;
    Signature *s = NULL;
    DetectContentData *ud = NULL;
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    if (de_ctx != NULL) {
        de_ctx->flags |= DE_QUIET;
        s = de_ctx->sig_list = SigInit(de_ctx,
                                       "alert udp any any -> any any "
                                       "(msg:\"test\"; uricontent: !\"boo\"; sid:238012;)");
        if (de_ctx->sig_list == NULL) {
            printf("de_ctx->sig_list == NULL: ");
        } else if (s->sm_lists_tail[g_http_uri_buffer_id] == NULL ||
                   s->sm_lists_tail[g_http_uri_buffer_id]->ctx == NULL) {
            printf("de_ctx->pmatch_tail == NULL && de_ctx->pmatch_tail->ctx == NULL: ");
        } else {
            ud = (DetectContentData *)s->sm_lists_tail[g_http_uri_buffer_id]->ctx;
            /* NOTE(review): only content_len bytes are compared and the
             * negation flag is not inspected here */
            result = (strncmp("boo", (char *)ud->content, ud->content_len) == 0);
        }
    }

    /* teardown runs on every path, including a failed context init */
    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}
1372 
1373 
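/**
 * \test Parsing test: a uricontent pattern made of a single pipe character
 *       must be rejected by the rule parser.
 *
 * \retval 1 the rule was rejected (pass)
 * \retval 0 the rule was accepted, or no engine context could be created
 */
static int DetectUriContentParseTest13(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    /* no context means nothing was parsed: that is a failure, not a pass */
    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:\"|\"; sid:1;)");
    /* pass only when the parser refused the rule */
    int result = (de_ctx->sig_list == NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}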
1402 
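/**
 * \test Parsing test: a uricontent pattern that opens a pipe-delimited
 *       section and never closes it ("|af") must be rejected.
 *
 * \retval 1 the rule was rejected (pass)
 * \retval 0 the rule was accepted, or no engine context could be created
 */
static int DetectUriContentParseTest14(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    /* no context means nothing was parsed: that is a failure, not a pass */
    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:\"|af\"; sid:1;)");
    /* pass only when the parser refused the rule */
    int result = (de_ctx->sig_list == NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}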
1431 
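/**
 * \test Parsing test: a uricontent pattern that ends in an unmatched pipe
 *       ("af|") must be rejected.
 *
 * \retval 1 the rule was rejected (pass)
 * \retval 0 the rule was accepted, or no engine context could be created
 */
static int DetectUriContentParseTest15(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    /* no context means nothing was parsed: that is a failure, not a pass */
    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:\"af|\"; sid:1;)");
    /* pass only when the parser refused the rule */
    int result = (de_ctx->sig_list == NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}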
1460 
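/**
 * \test Parsing test: a uricontent pattern holding one complete
 *       pipe-delimited section ("|af|") must be accepted.
 *
 * \retval 1 the rule was accepted (pass)
 * \retval 0 the rule was rejected, or no engine context could be created
 */
static int DetectUriContentParseTest16(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    /* no context means nothing was parsed: that is a failure, not a pass */
    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:\"|af|\"; sid:1;)");
    /* pass only when the parser produced a signature */
    int result = (de_ctx->sig_list != NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}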
1489 
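/**
 * \test Parsing test: literal text followed by an unmatched pipe ("aast|")
 *       must be rejected.
 *
 * \retval 1 the rule was rejected (pass)
 * \retval 0 the rule was accepted, or no engine context could be created
 */
static int DetectUriContentParseTest17(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    /* no context means nothing was parsed: that is a failure, not a pass */
    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:\"aast|\"; sid:1;)");
    /* pass only when the parser refused the rule */
    int result = (de_ctx->sig_list == NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}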
1518 
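/**
 * \test Parsing test: literal text followed by a pipe-delimited section that
 *       is never closed ("aast|af") must be rejected.
 *
 * \retval 1 the rule was rejected (pass)
 * \retval 0 the rule was accepted, or no engine context could be created
 */
static int DetectUriContentParseTest18(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    /* no context means nothing was parsed: that is a failure, not a pass */
    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:\"aast|af\"; sid:1;)");
    /* pass only when the parser refused the rule */
    int result = (de_ctx->sig_list == NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}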
1547 
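/**
 * \test Parsing test: literal text followed by one complete pipe-delimited
 *       section ("aast|af|") must be accepted.
 *
 * \retval 1 the rule was accepted (pass)
 * \retval 0 the rule was rejected, or no engine context could be created
 */
static int DetectUriContentParseTest19(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    /* no context means nothing was parsed: that is a failure, not a pass */
    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:\"aast|af|\"; sid:1;)");
    /* pass only when the parser produced a signature */
    int result = (de_ctx->sig_list != NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}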
1576 
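/**
 * \test Parsing test: one complete pipe-delimited section followed by
 *       literal text ("|af|asdf") must be accepted.
 *
 * \retval 1 the rule was accepted (pass)
 * \retval 0 the rule was rejected, or no engine context could be created
 */
static int DetectUriContentParseTest20(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    /* no context means nothing was parsed: that is a failure, not a pass */
    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:\"|af|asdf\"; sid:1;)");
    /* pass only when the parser produced a signature */
    int result = (de_ctx->sig_list != NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}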
1605 
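/**
 * \test Parsing test: a pattern with an odd number of pipes ("|af|af|"),
 *       leaving the last one unmatched, must be rejected.
 *
 * \retval 1 the rule was rejected (pass)
 * \retval 0 the rule was accepted, or no engine context could be created
 */
static int DetectUriContentParseTest21(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    /* no context means nothing was parsed: that is a failure, not a pass */
    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:\"|af|af|\"; sid:1;)");
    /* pass only when the parser refused the rule */
    int result = (de_ctx->sig_list == NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}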
1634 
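/**
 * \test Parsing test: a pattern with an odd number of pipes followed by
 *       more text ("|af|af|af") must be rejected.
 *
 * \retval 1 the rule was rejected (pass)
 * \retval 0 the rule was accepted, or no engine context could be created
 */
static int DetectUriContentParseTest22(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    /* no context means nothing was parsed: that is a failure, not a pass */
    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:\"|af|af|af\"; sid:1;)");
    /* pass only when the parser refused the rule */
    int result = (de_ctx->sig_list == NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}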
1663 
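/**
 * \test Parsing test: a pattern with an even number of pipes
 *       ("|af|af|af|") must be accepted.
 *
 * \retval 1 the rule was accepted (pass)
 * \retval 0 the rule was rejected, or no engine context could be created
 */
static int DetectUriContentParseTest23(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    /* no context means nothing was parsed: that is a failure, not a pass */
    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert udp any any -> any any "
                               "(msg:\"test\"; uricontent:\"|af|af|af|\"; sid:1;)");
    /* pass only when the parser produced a signature */
    int result = (de_ctx->sig_list != NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}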
1692 
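/**
 * \test Parsing test: an empty uricontent pattern in a tcp rule must be
 *       rejected by the rule parser.
 *
 * \retval 1 the rule was rejected (pass)
 * \retval 0 the rule was accepted, or no engine context could be created
 */
static int DetectUriContentParseTest24(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    /* no context means nothing was parsed: that is a failure, not a pass */
    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert tcp any any -> any any "
                               "(msg:\"test\"; uricontent:\"\"; sid:1;)");
    /* pass only when the parser refused the rule */
    int result = (de_ctx->sig_list == NULL);

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);

    return result;
}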
1721 
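/**
 * \test A relative isdataat that follows uricontent must end up on the tail
 *       of the http uri match list and must not carry ISDATAAT_RAWBYTES.
 *
 * NOTE(review): the rendered listing this function was taken from skips
 * source line numbers inside the body. Only the de_ctx declaration, which the
 * visible code cannot compile without, is restored here; any further
 * assertions on those skipped lines are not reproduced.
 */
static int DetectUricontentIsdataatParseTest(void)
{
    /* restored: de_ctx is checked on the next line and used throughout */
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);
    de_ctx->flags |= DE_QUIET;

    Signature *s = DetectEngineAppendSig(de_ctx,
                                         "alert tcp any any -> any any ("
                                         "uricontent:\"one\"; "
                                         "isdataat:!4,relative; sid:1;)");
    FAIL_IF_NULL(s);

    /* the last keyword registered for the http uri buffer */
    SigMatch *sm = s->init_data->smlists_tail[g_http_uri_buffer_id];
    FAIL_IF_NULL(sm);

    /* NOTE(review): sm->ctx is cast with no visible check of sm->type;
     * confirm the upstream test verifies the keyword type before this cast */
    DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
    FAIL_IF(data->flags & ISDATAAT_RAWBYTES);

    DetectEngineCtxFree(de_ctx);
    PASS;
}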
1746 
1747 #endif /* UNITTESTS */
1748 
/**
 * \brief Register the uricontent unit tests with the unit test framework.
 *
 * Compiles to an empty function when UNITTESTS is not defined. Tests are
 * registered in table order.
 */
static void DetectUricontentRegisterTests(void)
{
#ifdef UNITTESTS
    static const struct {
        const char *name;
        int (*fn)(void);
    } tests[] = {
        { "HTTPUriTest01", HTTPUriTest01 },
        { "HTTPUriTest02", HTTPUriTest02 },
        { "HTTPUriTest03", HTTPUriTest03 },
        { "HTTPUriTest04", HTTPUriTest04 },

        { "DetectUriSigTest01", DetectUriSigTest01 },
        { "DetectUriSigTest02", DetectUriSigTest02 },
        { "DetectUriSigTest03", DetectUriSigTest03 },
        { "DetectUriSigTest04 - Modifiers", DetectUriSigTest04 },
        { "DetectUriSigTest05 - Inspection", DetectUriSigTest05 },
        { "DetectUriSigTest06 - Inspection", DetectUriSigTest06 },
        { "DetectUriSigTest07 - Inspection", DetectUriSigTest07 },
        { "DetectUriSigTest08", DetectUriSigTest08 },
        { "DetectUriSigTest09", DetectUriSigTest09 },
        { "DetectUriSigTest10", DetectUriSigTest10 },
        { "DetectUriSigTest11", DetectUriSigTest11 },
        { "DetectUriSigTest12", DetectUriSigTest12 },

        { "DetectUriContentParseTest13", DetectUriContentParseTest13 },
        { "DetectUriContentParseTest14", DetectUriContentParseTest14 },
        { "DetectUriContentParseTest15", DetectUriContentParseTest15 },
        { "DetectUriContentParseTest16", DetectUriContentParseTest16 },
        { "DetectUriContentParseTest17", DetectUriContentParseTest17 },
        { "DetectUriContentParseTest18", DetectUriContentParseTest18 },
        { "DetectUriContentParseTest19", DetectUriContentParseTest19 },
        { "DetectUriContentParseTest20", DetectUriContentParseTest20 },
        { "DetectUriContentParseTest21", DetectUriContentParseTest21 },
        { "DetectUriContentParseTest22", DetectUriContentParseTest22 },
        { "DetectUriContentParseTest23", DetectUriContentParseTest23 },
        { "DetectUriContentParseTest24", DetectUriContentParseTest24 },

        { "DetectUricontentIsdataatParseTest",
          DetectUricontentIsdataatParseTest },
    };

    for (size_t idx = 0; idx < sizeof(tests) / sizeof(tests[0]); idx++) {
        UtRegisterTest(tests[idx].name, tests[idx].fn);
    }
#endif /* UNITTESTS */
}