suricata
detect-http-client-body.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /** \file
26  *
27  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
28  * \author Victor Julien <victor@inliniac.net>
29  *
30  * \brief Handle HTTP request body match corresponding to http_client_body
31  * keyword.
32  *
33  */
34 
35 #include "../suricata-common.h"
36 #include "../suricata.h"
37 #include "../decode.h"
38 
39 #include "detect.h"
40 #include "detect-engine.h"
41 #include "detect-engine-mpm.h"
42 #include "detect-parse.h"
43 #include "detect-engine-state.h"
46 #include "detect-isdataat.h"
47 #include "stream-tcp-reassemble.h"
48 #include "detect-engine-build.h"
49 
50 #include "flow-util.h"
51 #include "util-debug.h"
52 #include "util-print.h"
53 #include "flow.h"
54 
55 #include "app-layer-parser.h"
56 
57 #include "stream-tcp.h"
58 
59 #include "util-unittest.h"
60 #include "util-unittest-helper.h"
61 #include "app-layer.h"
62 #include "app-layer-htp.h"
63 #include "app-layer-protos.h"
64 
65 #include "conf.h"
66 #include "conf-yaml-loader.h"
67 
68 #include "util-validate.h"
69 
70 #ifdef UNITTESTS
71 
72 /**
73  * \test Test parser accepting valid rules and rejecting invalid rules
74  */
75 static int DetectHttpClientBodyParserTest01(void)
76 {
77  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; http_client_body; sid:1;)", true));
78  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; nocase; http_client_body; sid:1;)", true));
79  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; endswith; http_client_body; sid:1;)", true));
80  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; startswith; http_client_body; sid:1;)", true));
81  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; startswith; endswith; http_client_body; sid:1;)", true));
82 
83  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; rawbytes; http_client_body; sid:1;)", false));
84  FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_server; http_client_body; sid:1;)", false));
85  FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_server; content:\"abc\"; http_client_body; sid:1;)", false));
86  PASS;
87 }
88 
89 /**
90  * \test Test parser accepting valid rules and rejecting invalid rules
91  */
92 static int DetectHttpClientBodyParserTest02(void)
93 {
94  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; sid:1;)", true));
95  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; nocase; sid:1;)", true));
96  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; endswith; sid:1;)", true));
97  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; startswith; sid:1;)", true));
98  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; startswith; endswith; sid:1;)", true));
99  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.request_body; bsize:10; sid:1;)", true));
100 
101  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.request_body; content:\"abc\"; rawbytes; sid:1;)", false));
102  FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_server; http.request_body; sid:1;)", false));
103  FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_server; http.request_body; content:\"abc\"; sid:1;)", false));
104  PASS;
105 }
106 
107 struct TestSteps {
108  const uint8_t *input;
109  size_t input_size; /**< if 0 strlen will be used */
110  int direction; /**< STREAM_TOSERVER, STREAM_TOCLIENT */
111  int expect;
112 };
113 
114 static int RunTest (struct TestSteps *steps, const char *sig, const char *yaml)
115 {
116  TcpSession ssn;
117  Flow f;
118  ThreadVars th_v;
119  DetectEngineThreadCtx *det_ctx = NULL;
122 
123  memset(&th_v, 0, sizeof(th_v));
124  memset(&f, 0, sizeof(f));
125  memset(&ssn, 0, sizeof(ssn));
126 
127  if (yaml) {
129  ConfInit();
131 
132  ConfYamlLoadString(yaml, strlen(yaml));
133  HTPConfigure();
134  }
135 
136  StreamTcpInitConfig(true);
137 
140  de_ctx->flags |= DE_QUIET;
141 
142  FLOW_INITIALIZE(&f);
143  f.protoctx = (void *)&ssn;
144  f.proto = IPPROTO_TCP;
145  f.flags |= FLOW_IPV4;
147 
148  SCLogDebug("sig %s", sig);
149  Signature *s = DetectEngineAppendSig(de_ctx, (char *)sig);
150  FAIL_IF_NULL(s);
151 
153  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
154  FAIL_IF_NULL(det_ctx);
155 
156  struct TestSteps *b = steps;
157  int i = 0;
158  while (b->input != NULL) {
159  SCLogDebug("chunk %p %d", b, i);
160  (void)i;
161  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
162  FAIL_IF_NULL(p);
163  p->flow = &f;
164  p->flowflags = (b->direction == STREAM_TOSERVER) ? FLOW_PKT_TOSERVER : FLOW_PKT_TOCLIENT;
167 
168  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, b->direction,
169  (uint8_t *)b->input,
170  b->input_size ? b->input_size : strlen((const char *)b->input));
171  FAIL_IF_NOT(r == 0);
172 
173  /* do detect */
174  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
175 
176  int match = PacketAlertCheck(p, 1);
177  FAIL_IF_NOT (b->expect == match);
178 
179  UTHFreePackets(&p, 1);
180  b++;
181  i++;
182  }
183 
184  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
187 
188  StreamTcpFreeConfig(true);
189  FLOW_DESTROY(&f);
190 
191  if (yaml) {
194  }
195  PASS;
196 }
197 
198 static int DetectEngineHttpClientBodyTest01(void)
199 {
200  struct TestSteps steps[] = {
201  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
202  "Host: www.openinfosecfoundation.org\r\n"
203  "Content-Type: text/html\r\n"
204  "Content-Length: 46\r\n"
205  "\r\n"
206  "This is dummy body1",
207  0, STREAM_TOSERVER, 0 },
208  { (const uint8_t *)"This is dummy message body2",
209  0, STREAM_TOSERVER, 1 },
210  { NULL, 0, 0, 0 },
211  };
212 
213  const char *sig = "alert http any any -> any any (content:\"body1This\"; http_client_body; sid:1;)";
214  return RunTest(steps, sig, NULL);
215 }
216 
217 static int DetectEngineHttpClientBodyTest02(void)
218 {
219  struct TestSteps steps[] = {
220  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
221  "Host: www.openinfosecfoundation.org\r\n"
222  "Content-Type: text/html\r\n"
223  "Content-Length: 19\r\n"
224  "\r\n"
225  "This is dummy body1",
226  0, STREAM_TOSERVER, 1 },
227  { NULL, 0, 0, 0 },
228  };
229 
230  const char *sig = "alert http any any -> any any (content:\"body1\"; http_client_body; offset:5; sid:1;)";
231  return RunTest(steps, sig, NULL);
232 }
233 
234 static int DetectEngineHttpClientBodyTest03(void)
235 {
236  struct TestSteps steps[] = {
237  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
238  "Host: www.openinfosecfoundation.org\r\n"
239  "Content-Type: text/html\r\n"
240  "Content-Length: 46\r\n"
241  "\r\n"
242  "This is dummy body1",
243  0, STREAM_TOSERVER, 0 },
244  { (const uint8_t *)"This is dummy message body2",
245  0, STREAM_TOSERVER, 0 },
246  { NULL, 0, 0, 0 },
247  };
248 
249  const char *sig = "alert http any any -> any any (content:\"body1\"; http_client_body; offset:16; sid:1;)";
250  return RunTest(steps, sig, NULL);
251 }
252 
253 static int DetectEngineHttpClientBodyTest04(void)
254 {
255  struct TestSteps steps[] = {
256  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
257  "Host: www.openinfosecfoundation.org\r\n"
258  "Content-Type: text/html\r\n"
259  "Content-Length: 46\r\n"
260  "\r\n"
261  "This is dummy body1",
262  0, STREAM_TOSERVER, 0 },
263  { (const uint8_t *)"This is dummy message body2",
264  0, STREAM_TOSERVER, 1 },
265  { NULL, 0, 0, 0 },
266  };
267 
268  const char *sig = "alert http any any -> any any (content:!\"body1\"; http_client_body; offset:16; sid:1;)";
269  return RunTest(steps, sig, NULL);
270 }
271 
272 static int DetectEngineHttpClientBodyTest05(void)
273 {
274  struct TestSteps steps[] = {
275  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
276  "Host: www.openinfosecfoundation.org\r\n"
277  "Content-Type: text/html\r\n"
278  "Content-Length: 46\r\n"
279  "\r\n"
280  "This is dummy body1",
281  0, STREAM_TOSERVER, 0 },
282  { (const uint8_t *)"This is dummy message body2",
283  0, STREAM_TOSERVER, 1 },
284  { NULL, 0, 0, 0 },
285  };
286 
287  const char *sig = "alert http any any -> any any (content:\"body1\"; http_client_body; depth:25; sid:1;)";
288  return RunTest(steps, sig, NULL);
289 }
290 
291 static int DetectEngineHttpClientBodyTest06(void)
292 {
293  struct TestSteps steps[] = {
294  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
295  "Host: www.openinfosecfoundation.org\r\n"
296  "Content-Type: text/html\r\n"
297  "Content-Length: 46\r\n"
298  "\r\n"
299  "This is dummy body1",
300  0, STREAM_TOSERVER, 0 },
301  { (const uint8_t *)"This is dummy message body2",
302  0, STREAM_TOSERVER, 0 },
303  { NULL, 0, 0, 0 },
304  };
305 
306  const char *sig = "alert http any any -> any any (content:!\"body1\"; http_client_body; depth:25; sid:1;)";
307  return RunTest(steps, sig, NULL);
308 }
309 
310 static int DetectEngineHttpClientBodyTest07(void)
311 {
312  struct TestSteps steps[] = {
313  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
314  "Host: www.openinfosecfoundation.org\r\n"
315  "Content-Type: text/html\r\n"
316  "Content-Length: 46\r\n"
317  "\r\n"
318  "This is dummy body1",
319  0, STREAM_TOSERVER, 0 },
320  { (const uint8_t *)"This is dummy message body2",
321  0, STREAM_TOSERVER, 1 },
322  { NULL, 0, 0, 0 },
323  };
324 
325  const char *sig = "alert http any any -> any any (content:!\"body1\"; http_client_body; depth:15; sid:1;)";
326  return RunTest(steps, sig, NULL);
327 }
328 
329 static int DetectEngineHttpClientBodyTest08(void)
330 {
331  struct TestSteps steps[] = {
332  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
333  "Host: www.openinfosecfoundation.org\r\n"
334  "Content-Type: text/html\r\n"
335  "Content-Length: 46\r\n"
336  "\r\n"
337  "This is dummy body1",
338  0, STREAM_TOSERVER, 0 },
339  { (const uint8_t *)"This is dummy message body2",
340  0, STREAM_TOSERVER, 1 },
341  { NULL, 0, 0, 0 },
342  };
343 
344  const char *sig = "alert http any any -> any any (content:\"This is dummy body1This is dummy message body2\"; http_client_body; sid:1;)";
345  return RunTest(steps, sig, NULL);
346 }
347 
348 static int DetectEngineHttpClientBodyTest09(void)
349 {
350  struct TestSteps steps[] = {
351  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
352  "Host: www.openinfosecfoundation.org\r\n"
353  "Content-Type: text/html\r\n"
354  "Content-Length: 46\r\n"
355  "\r\n"
356  "This is dummy body1",
357  0, STREAM_TOSERVER, 0 },
358  { (const uint8_t *)"This is dummy message body2",
359  0, STREAM_TOSERVER, 1 },
360  { NULL, 0, 0, 0 },
361  };
362 
363  const char *sig = "alert http any any -> any any (content:\"body1\"; http_client_body; content:\"This\"; http_client_body; within:5; sid:1;)";
364  return RunTest(steps, sig, NULL);
365 }
366 
367 static int DetectEngineHttpClientBodyTest10(void)
368 {
369  struct TestSteps steps[] = {
370  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
371  "Host: www.openinfosecfoundation.org\r\n"
372  "Content-Type: text/html\r\n"
373  "Content-Length: 46\r\n"
374  "\r\n"
375  "This is dummy body1",
376  0, STREAM_TOSERVER, 0 },
377  { (const uint8_t *)"This is dummy message body2",
378  0, STREAM_TOSERVER, 1 },
379  { NULL, 0, 0, 0 },
380  };
381 
382  const char *sig = "alert http any any -> any any (content:\"body1\"; http_client_body; content:!\"boom\"; http_client_body; within:5; sid:1;)";
383  return RunTest(steps, sig, NULL);
384 }
385 
386 static int DetectEngineHttpClientBodyTest11(void)
387 {
388  struct TestSteps steps[] = {
389  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
390  "Host: www.openinfosecfoundation.org\r\n"
391  "Content-Type: text/html\r\n"
392  "Content-Length: 46\r\n"
393  "\r\n"
394  "This is dummy body1",
395  0, STREAM_TOSERVER, 0 },
396  { (const uint8_t *)"This is dummy message body2",
397  0, STREAM_TOSERVER, 0 },
398  { NULL, 0, 0, 0 },
399  };
400 
401  const char *sig = "alert http any any -> any any (content:\"body1\"; http_client_body; content:\"boom\"; http_client_body; within:5; sid:1;)";
402  return RunTest(steps, sig, NULL);
403 }
404 
405 static int DetectEngineHttpClientBodyTest12(void)
406 {
407  struct TestSteps steps[] = {
408  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
409  "Host: www.openinfosecfoundation.org\r\n"
410  "Content-Type: text/html\r\n"
411  "Content-Length: 46\r\n"
412  "\r\n"
413  "This is dummy body1",
414  0, STREAM_TOSERVER, 0 },
415  { (const uint8_t *)"This is dummy message body2",
416  0, STREAM_TOSERVER, 0 },
417  { NULL, 0, 0, 0 },
418  };
419 
420  const char *sig = "alert http any any -> any any (content:\"body1\"; http_client_body; content:!\"This\"; http_client_body; within:5; sid:1;)";
421  return RunTest(steps, sig, NULL);
422 }
423 
424 static int DetectEngineHttpClientBodyTest13(void)
425 {
426  struct TestSteps steps[] = {
427  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
428  "Host: www.openinfosecfoundation.org\r\n"
429  "Content-Type: text/html\r\n"
430  "Content-Length: 46\r\n"
431  "\r\n"
432  "This is dummy body1",
433  0, STREAM_TOSERVER, 0 },
434  { (const uint8_t *)"This is dummy message body2",
435  0, STREAM_TOSERVER, 1 },
436  { NULL, 0, 0, 0 },
437  };
438 
439  const char *sig = "alert http any any -> any any (content:\"body1\"; http_client_body; content:\"dummy\"; http_client_body; distance:5; sid:1;)";
440  return RunTest(steps, sig, NULL);
441 }
442 
443 static int DetectEngineHttpClientBodyTest14(void)
444 {
445  struct TestSteps steps[] = {
446  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
447  "Host: www.openinfosecfoundation.org\r\n"
448  "Content-Type: text/html\r\n"
449  "Content-Length: 46\r\n"
450  "\r\n"
451  "This is dummy body1",
452  0, STREAM_TOSERVER, 0 },
453  { (const uint8_t *)"This is dummy message body2",
454  0, STREAM_TOSERVER, 1 },
455  { NULL, 0, 0, 0 },
456  };
457 
458  const char *sig = "alert http any any -> any any (content:\"body1\"; http_client_body; content:!\"dummy\"; http_client_body; distance:10; sid:1;)";
459  return RunTest(steps, sig, NULL);
460 }
461 
462 static int DetectEngineHttpClientBodyTest15(void)
463 {
464  struct TestSteps steps[] = {
465  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
466  "Host: www.openinfosecfoundation.org\r\n"
467  "Content-Type: text/html\r\n"
468  "Content-Length: 46\r\n"
469  "\r\n"
470  "This is dummy body1",
471  0, STREAM_TOSERVER, 0 },
472  { (const uint8_t *)"This is dummy message body2",
473  0, STREAM_TOSERVER, 0 },
474  { NULL, 0, 0, 0 },
475  };
476 
477  const char *sig = "alert http any any -> any any (content:\"body1\"; http_client_body; content:\"dummy\"; http_client_body; distance:10; sid:1;)";
478  return RunTest(steps, sig, NULL);
479 }
480 
481 static int DetectEngineHttpClientBodyTest16(void)
482 {
483  struct TestSteps steps[] = {
484  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
485  "Host: www.openinfosecfoundation.org\r\n"
486  "Content-Type: text/html\r\n"
487  "Content-Length: 46\r\n"
488  "\r\n"
489  "This is dummy body1",
490  0, STREAM_TOSERVER, 0 },
491  { (const uint8_t *)"This is dummy message body2",
492  0, STREAM_TOSERVER, 0 },
493  { NULL, 0, 0, 0 },
494  };
495 
496  const char *sig = "alert http any any -> any any (content:\"body1\"; http_client_body; content:!\"dummy\"; http_client_body; distance:5; sid:1;)";
497  return RunTest(steps, sig, NULL);
498 }
499 
500 static int DetectEngineHttpClientBodyTest17(void)
501 {
502  struct TestSteps steps[] = {
503  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
504  "Host: www.openinfosecfoundation.org\r\n"
505  "Content-Type: text/html\r\n"
506  "Content-Length: 19\r\n"
507  "\r\n"
508  "This is dummy body1",
509  0, STREAM_TOSERVER, 0 },
510  { NULL, 0, 0, 0 },
511  };
512 
513  const char *sig = "alert http any any -> any any (content:\"body1\"; http_client_body; content:\"bambu\"; http_client_body; sid:1;)";
514  return RunTest(steps, sig, NULL);
515 }
516 
517 static int DetectEngineHttpClientBodyTest18(void)
518 {
519  struct TestSteps steps[] = {
520  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
521  "Host: www.openinfosecfoundation.org\r\n"
522  "Content-Type: text/html\r\n"
523  "Content-Length: 19\r\n"
524  "\r\n"
525  "This is dummy body1",
526  0, STREAM_TOSERVER, 0 },
527  { NULL, 0, 0, 0 },
528  };
529 
530  const char *sig = "alert http any any -> any any (content:\"body1\"; http_client_body; content:\"bambu\"; http_client_body; fast_pattern; sid:1;)";
531  return RunTest(steps, sig, NULL);
532 }
533 
534 static int DetectEngineHttpClientBodyTest19(void)
535 {
536  struct TestSteps steps[] = {
537  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
538  "Host: www.openinfosecfoundation.org\r\n"
539  "Content-Type: text/html\r\n"
540  "Content-Length: 19\r\n"
541  "\r\n"
542  "This is dummy body1",
543  0, STREAM_TOSERVER, 0 },
544  { NULL, 0, 0, 0 },
545  };
546 
547  const char *sig = "alert http any any -> any any (content:\"bambu\"; http_client_body; content:\"is\"; http_client_body; sid:1;)";
548  return RunTest(steps, sig, NULL);
549 }
550 
551 static int DetectEngineHttpClientBodyTest20(void)
552 {
553  struct TestSteps steps[] = {
554  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
555  "Host: www.openinfosecfoundation.org\r\n"
556  "Content-Type: text/html\r\n"
557  "Content-Length: 19\r\n"
558  "\r\n"
559  "This is dummy body1",
560  0, STREAM_TOSERVER, 1 },
561  { NULL, 0, 0, 0 },
562  };
563 
564  const char *sig = "alert http any any -> any any (content:\"is\"; http_client_body; fast_pattern; sid:1;)";
565  return RunTest(steps, sig, NULL);
566 }
567 
568 static int DetectEngineHttpClientBodyTest21(void)
569 {
570  struct TestSteps steps[] = {
571  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
572  "Host: www.openinfosecfoundation.org\r\n"
573  "Content-Type: text/html\r\n"
574  "Content-Length: 46\r\n"
575  "\r\n"
576  "This is dummy body1",
577  0, STREAM_TOSERVER, 0 },
578  { (const uint8_t *)"This is dummy message body2",
579  0, STREAM_TOSERVER, 1 },
580  { NULL, 0, 0, 0 },
581  };
582 
583  const char *sig = "alert http any any -> any any (pcre:/body1/P; content:!\"dummy\"; http_client_body; within:7; sid:1;)";
584  return RunTest(steps, sig, NULL);
585 }
586 
587 static int DetectEngineHttpClientBodyTest22(void)
588 {
589  struct TestSteps steps[] = {
590  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
591  "Host: www.openinfosecfoundation.org\r\n"
592  "Content-Type: text/html\r\n"
593  "Content-Length: 46\r\n"
594  "\r\n"
595  "This is dummy body1",
596  0, STREAM_TOSERVER, 0 },
597  { (const uint8_t *)"This is dummy message body2",
598  0, STREAM_TOSERVER, 1 },
599  { NULL, 0, 0, 0 },
600  };
601 
602  const char *sig = "alert http any any -> any any (pcre:/body1/P; content:!\"dummy\"; within:7; http_client_body; sid:1;)";
603  return RunTest(steps, sig, NULL);
604 }
605 
606 static int DetectEngineHttpClientBodyTest23(void)
607 {
608  struct TestSteps steps[] = {
609  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
610  "Host: www.openinfosecfoundation.org\r\n"
611  "Content-Type: text/html\r\n"
612  "Content-Length: 46\r\n"
613  "\r\n"
614  "This is dummy body1",
615  0, STREAM_TOSERVER, 0 },
616  { (const uint8_t *)"This is dummy message body2",
617  0, STREAM_TOSERVER, 0 },
618  { NULL, 0, 0, 0 },
619  };
620 
621  const char *sig = "alert http any any -> any any (pcre:/body1/P; content:!\"dummy\"; distance:3; http_client_body; sid:1;)";
622  return RunTest(steps, sig, NULL);
623 }
624 
625 static int DetectEngineHttpClientBodyTest24(void)
626 {
627  struct TestSteps steps[] = {
628  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
629  "Host: www.openinfosecfoundation.org\r\n"
630  "Content-Type: text/html\r\n"
631  "Content-Length: 46\r\n"
632  "\r\n"
633  "This is dummy body1",
634  0, STREAM_TOSERVER, 0 },
635  { (const uint8_t *)"This is dummy message body2",
636  0, STREAM_TOSERVER, 1 },
637  { NULL, 0, 0, 0 },
638  };
639 
640  const char *sig = "alert http any any -> any any (pcre:/body1/P; content:!\"dummy\"; distance:13; http_client_body; sid:1;)";
641  return RunTest(steps, sig, NULL);
642 }
643 
644 static int DetectEngineHttpClientBodyTest25(void)
645 {
646  struct TestSteps steps[] = {
647  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
648  "Host: www.openinfosecfoundation.org\r\n"
649  "Content-Type: text/html\r\n"
650  "Content-Length: 46\r\n"
651  "\r\n"
652  "This is dummy body1",
653  0, STREAM_TOSERVER, 0 },
654  { (const uint8_t *)"This is dummy message body2",
655  0, STREAM_TOSERVER, 1 },
656  { NULL, 0, 0, 0 },
657  };
658 
659  const char *sig = "alert http any any -> any any (pcre:/body1/P; content:\"dummy\"; within:15; http_client_body; sid:1;)";
660  return RunTest(steps, sig, NULL);
661 }
662 
663 static int DetectEngineHttpClientBodyTest26(void)
664 {
665  struct TestSteps steps[] = {
666  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
667  "Host: www.openinfosecfoundation.org\r\n"
668  "Content-Type: text/html\r\n"
669  "Content-Length: 46\r\n"
670  "\r\n"
671  "This is dummy body1",
672  0, STREAM_TOSERVER, 0 },
673  { (const uint8_t *)"This is dummy message body2",
674  0, STREAM_TOSERVER, 0 },
675  { NULL, 0, 0, 0 },
676  };
677 
678  const char *sig = "alert http any any -> any any (pcre:/body1/P; content:\"dummy\"; within:10; http_client_body; sid:1;)";
679  return RunTest(steps, sig, NULL);
680 }
681 
682 static int DetectEngineHttpClientBodyTest27(void)
683 {
684  struct TestSteps steps[] = {
685  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
686  "Host: www.openinfosecfoundation.org\r\n"
687  "Content-Type: text/html\r\n"
688  "Content-Length: 46\r\n"
689  "\r\n"
690  "This is dummy body1",
691  0, STREAM_TOSERVER, 0 },
692  { (const uint8_t *)"This is dummy message body2",
693  0, STREAM_TOSERVER, 1 },
694  { NULL, 0, 0, 0 },
695  };
696 
697  const char *sig = "alert http any any -> any any (pcre:/body1/P; content:\"dummy\"; distance:8; http_client_body; sid:1;)";
698  return RunTest(steps, sig, NULL);
699 }
700 
701 static int DetectEngineHttpClientBodyTest28(void)
702 {
703  struct TestSteps steps[] = {
704  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
705  "Host: www.openinfosecfoundation.org\r\n"
706  "Content-Type: text/html\r\n"
707  "Content-Length: 46\r\n"
708  "\r\n"
709  "This is dummy body1",
710  0, STREAM_TOSERVER, 0 },
711  { (const uint8_t *)"This is dummy message body2",
712  0, STREAM_TOSERVER, 0 },
713  { NULL, 0, 0, 0 },
714  };
715 
716  const char *sig = "alert http any any -> any any (pcre:/body1/P; content:\"dummy\"; distance:14; http_client_body; sid:1;)";
717  return RunTest(steps, sig, NULL);
718 }
719 
720 static int DetectEngineHttpClientBodyTest29(void)
721 {
722  const char *request_buffer = "GET /one HTTP/1.0\r\n"
723  "Host: localhost\r\n\r\n";
724 #define TOTAL_REQUESTS 45
725  uint8_t *http_buf = SCMalloc(TOTAL_REQUESTS * strlen(request_buffer));
726  if (unlikely(http_buf == NULL))
727  return 0;
728  for (int i = 0; i < TOTAL_REQUESTS; i++) {
729  memcpy(http_buf + i * strlen(request_buffer), request_buffer,
730  strlen(request_buffer));
731  }
732  uint32_t http_buf_len = TOTAL_REQUESTS * strlen(request_buffer);
733 #undef TOTAL_REQUESTS
734 
735  struct TestSteps steps[] = {
736  { (const uint8_t *)http_buf,
737  (size_t)http_buf_len, STREAM_TOSERVER, 0 },
738 
739  { (const uint8_t *)"HTTP/1.0 200 ok\r\n"
740  "Content-Type: text/html\r\n"
741  "Content-Length: 5\r\n"
742  "\r\n"
743  "dummy",
744  0, STREAM_TOCLIENT, 0 },
745 
746  { NULL, 0, 0, 0 },
747  };
748 
749  const char *sig = "alert http any any -> any any (content:\"dummyone\"; fast_pattern:0,3; http_server_body; sid:1;)";
750  int result = RunTest(steps, sig, NULL);
751  SCFree(http_buf);
752  return result;
753 }
754 
755 static int DetectEngineHttpClientBodyTest30(void)
756 {
757  const char yaml[] = "\
758 %YAML 1.1\n\
759 ---\n\
760 libhtp:\n\
761 \n\
762  default-config:\n\
763  personality: IDS\n\
764  request-body-limit: 0\n\
765  response-body-limit: 0\n\
766 \n\
767  request-body-inspect-window: 0\n\
768  response-body-inspect-window: 0\n\
769  request-body-minimal-inspect-size: 0\n\
770  response-body-minimal-inspect-size: 0\n\
771 ";
772  struct TestSteps steps[] = {
773  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
774  "Host: www.openinfosecfoundation.org\r\n"
775  "Content-Type: text/html\r\n"
776  "Content-Length: 46\r\n"
777  "\r\n"
778  "This is dummy body1",
779  0, STREAM_TOSERVER, 0 },
780  { (const uint8_t *)"This is dummy message body2",
781  0, STREAM_TOSERVER, 0 },
782  { NULL, 0, 0, 0 },
783  };
784 
785  const char *sig = "alert http any any -> any any (content:\"bags\"; within:4; http_client_body; sid:1;)";
786  return RunTest(steps, sig, yaml);
787 }
788 
789 static int DetectEngineHttpClientBodyTest31(void)
790 {
791  const char yaml[] = "\
792 %YAML 1.1\n\
793 ---\n\
794 libhtp:\n\
795 \n\
796  default-config:\n\
797  personality: IDS\n\
798  request-body-limit: 0\n\
799  response-body-limit: 0\n\
800 \n\
801  request-body-inspect-window: 0\n\
802  response-body-inspect-window: 0\n\
803  request-body-minimal-inspect-size: 0\n\
804  response-body-minimal-inspect-size: 0\n\
805 ";
806 
807  struct TestSteps steps[] = {
808  { (const uint8_t *)"GET /index.html HTTP/1.1\r\n"
809  "Host: www.openinfosecfoundation.org\r\n"
810  "Content-Type: text/html\r\n"
811  "Content-Length: 46\r\n"
812  "\r\n"
813  "This is dummy body1",
814  0, STREAM_TOSERVER, 0 },
815  { (const uint8_t *)"This is dummy message body2",
816  0, STREAM_TOSERVER, 0 },
817  { NULL, 0, 0, 0 },
818  };
819 
820  const char *sig = "alert http any any -> any any (content:\"bags\"; depth:4; http_client_body; sid:1;)";
821  return RunTest(steps, sig, yaml);
822 }
823 
824 /**
825  * \test Test that a signature containing a http_client_body is correctly parsed
826  * and the keyword is registered.
827  */
828 static int DetectHttpClientBodyTest01(void)
829 {
832  de_ctx->flags |= DE_QUIET;
833 
834  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
835  "(msg:\"Testing http_client_body\"; "
836  "content:\"one\"; http_client_body; sid:1;)");
837  FAIL_IF_NULL(s);
838 
840  FAIL_IF_NOT_NULL(sm);
841 
843  PASS;
844 }
845 
846 /**
847  * \test Test that a signature containing an valid http_client_body entry is
848  * parsed.
849  * \todo error in sig 'http_client_body:;'
850  */
851 static int DetectHttpClientBodyTest02(void)
852 {
855  de_ctx->flags |= DE_QUIET;
856 
857  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
858  "(msg:\"Testing http_client_body\"; "
859  "content:\"one\"; http_client_body:; sid:1;)");
860  FAIL_IF_NULL(s);
861 
863  PASS;
864 }
865 
866 /**
867  * \test Test invalid signatures
868  */
869 static int DetectHttpClientBodyTest03(void)
870 {
873  de_ctx->flags |= DE_QUIET;
874 
875  const char *sigs[] = {
876  "alert tcp any any -> any any (http_client_body; sid:1;)",
877  "alert tcp any any -> any any "
878  "(msg:\"Testing http_client_body\"; "
879  "content:\"one\"; rawbytes; http_client_body; sid:2;)",
880  NULL,
881  };
882 
883  for (uint32_t i = 0; sigs[i] != NULL; i++) {
884  Signature *s = DetectEngineAppendSig(de_ctx, sigs[i]);
885  FAIL_IF_NOT_NULL(s);
886  }
888  PASS;
889 }
890 
891 /**
892  * \test Test that an invalid signature containing a rawbytes along with a
893  * http_client_body is invalidated.
894  */
895 static int DetectHttpClientBodyTest05(void)
896 {
899  de_ctx->flags |= DE_QUIET;
900 
901  const char *sigs[] = {
902  "alert tcp any any -> any any (content:\"one\"; http_client_body; nocase; sid:1;)",
903  NULL,
904  };
905 
906  for (uint32_t i = 0; sigs[i] != NULL; i++) {
907  Signature *s = DetectEngineAppendSig(de_ctx, sigs[i]);
908  FAIL_IF_NULL(s);
909  }
911  PASS;
912 }
913 
914 /**
915  *\test Test that the http_client_body content matches against a http request
916  * which holds the content.
917  */
918 static int DetectHttpClientBodyTest06(void)
919 {
920  TcpSession ssn;
921  Packet *p = NULL;
922  ThreadVars th_v;
923  DetectEngineCtx *de_ctx = NULL;
924  DetectEngineThreadCtx *det_ctx = NULL;
925  HtpState *http_state = NULL;
926  Flow f;
927  uint8_t http_buf[] =
928  "GET /index.html HTTP/1.0\r\n"
929  "Host: www.openinfosecfoundation.org\r\n"
930  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
931  "Content-Type: text/html\r\n"
932  "Content-Length: 26\r\n"
933  "\r\n"
934  "This is dummy message body";
935  uint32_t http_len = sizeof(http_buf) - 1;
936  int result = 0;
938 
939  memset(&th_v, 0, sizeof(th_v));
940  memset(&f, 0, sizeof(f));
941  memset(&ssn, 0, sizeof(ssn));
942 
943  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
944 
945  FLOW_INITIALIZE(&f);
946  f.protoctx = (void *)&ssn;
947  f.proto = IPPROTO_TCP;
948  f.flags |= FLOW_IPV4;
949 
950  p->flow = &f;
955 
956  StreamTcpInitConfig(true);
957 
959  if (de_ctx == NULL)
960  goto end;
961 
962  de_ctx->flags |= DE_QUIET;
963 
964  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
965  "(msg:\"http client body test\"; "
966  "content:\"message\"; http_client_body; "
967  "sid:1;)");
968  FAIL_IF_NULL(s);
969 
971  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
972 
973  int r = AppLayerParserParse(
974  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
975  if (r != 0) {
976  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
977  result = 0;
978  goto end;
979  }
980 
981  http_state = f.alstate;
982  if (http_state == NULL) {
983  printf("no http state: \n");
984  result = 0;
985  goto end;
986  }
987 
988  /* do detect */
989  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
990 
991  if (!(PacketAlertCheck(p, 1))) {
992  printf("sid 1 didn't match but should have\n");
993  goto end;
994  }
995 
996  result = 1;
997 end:
998  if (alp_tctx != NULL)
1000  if (de_ctx != NULL)
1002 
1003  StreamTcpFreeConfig(true);
1004  FLOW_DESTROY(&f);
1005  UTHFreePackets(&p, 1);
1006  return result;
1007 }
1008 
1009 /**
1010  *\test Test that the http_client_body content matches against a http request
1011  * which holds the content.
1012  */
1013 static int DetectHttpClientBodyTest07(void)
1014 {
1015  TcpSession ssn;
1016  Packet *p1 = NULL;
1017  Packet *p2 = NULL;
1018  ThreadVars th_v;
1019  DetectEngineCtx *de_ctx = NULL;
1020  DetectEngineThreadCtx *det_ctx = NULL;
1021  HtpState *http_state = NULL;
1022  Flow f;
1023  uint8_t http1_buf[] =
1024  "GET /index.html HTTP/1.0\r\n"
1025  "Host: www.openinfosecfoundation.org\r\n"
1026  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1027  "Content-Type: text/html\r\n"
1028  "Content-Length: 54\r\n"
1029  "\r\n"
1030  "This is dummy message body1";
1031  uint8_t http2_buf[] =
1032  "This is dummy message body2";
1033  uint32_t http1_len = sizeof(http1_buf) - 1;
1034  uint32_t http2_len = sizeof(http2_buf) - 1;
1035  int result = 0;
1037 
1038  memset(&th_v, 0, sizeof(th_v));
1039  memset(&f, 0, sizeof(f));
1040  memset(&ssn, 0, sizeof(ssn));
1041 
1042  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1043  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1044 
1045  FLOW_INITIALIZE(&f);
1046  f.protoctx = (void *)&ssn;
1047  f.proto = IPPROTO_TCP;
1048  f.flags |= FLOW_IPV4;
1049 
1050  p1->flow = &f;
1054  p2->flow = &f;
1058  f.alproto = ALPROTO_HTTP1;
1059 
1060  StreamTcpInitConfig(true);
1061 
1063  if (de_ctx == NULL)
1064  goto end;
1065 
1066  de_ctx->flags |= DE_QUIET;
1067 
1068  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1069  "(msg:\"http client body test\"; "
1070  "content:\"message\"; http_client_body; "
1071  "sid:1;)");
1072  FAIL_IF_NULL(s);
1073 
1075  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1076 
1077  int r = AppLayerParserParse(
1078  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
1079  if (r != 0) {
1080  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1081  result = 0;
1082  goto end;
1083  }
1084 
1085  http_state = f.alstate;
1086  if (http_state == NULL) {
1087  printf("no http state: ");
1088  goto end;
1089  }
1090 
1091  /* do detect */
1092  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1093 
1094  if (PacketAlertCheck(p1, 1)) {
1095  printf("sid 1 matched on p1 but shouldn't have: ");
1096  goto end;
1097  }
1098 
1099  r = AppLayerParserParse(
1100  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
1101  if (r != 0) {
1102  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1103  goto end;
1104  }
1105 
1106  /* do detect */
1107  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1108  if (!(PacketAlertCheck(p2, 1))) {
1109  printf("sid 1 didn't match on p2 but should have: ");
1110  goto end;
1111  }
1112 
1113  result = 1;
1114 end:
1115  if (alp_tctx != NULL)
1117  if (de_ctx != NULL)
1119 
1120  StreamTcpFreeConfig(true);
1121  FLOW_DESTROY(&f);
1122  UTHFreePackets(&p1, 1);
1123  UTHFreePackets(&p2, 1);
1124  return result;
1125 }
1126 
1127 /**
1128  *\test Test that the http_client_body content matches against a http request
1129  * which holds the content.
1130  */
1131 static int DetectHttpClientBodyTest08(void)
1132 {
1133  TcpSession ssn;
1134  Packet *p1 = NULL;
1135  Packet *p2 = NULL;
1136  ThreadVars th_v;
1137  DetectEngineCtx *de_ctx = NULL;
1138  DetectEngineThreadCtx *det_ctx = NULL;
1139  HtpState *http_state = NULL;
1140  Flow f;
1141  uint8_t http1_buf[] =
1142  "GET /index.html HTTP/1.0\r\n"
1143  "Host: www.openinfosecfoundation.org\r\n"
1144  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1145  "Content-Type: text/html\r\n"
1146  "Content-Length: 46\r\n"
1147  "\r\n"
1148  "This is dummy body1";
1149  uint8_t http2_buf[] =
1150  "This is dummy message body2";
1151  uint32_t http1_len = sizeof(http1_buf) - 1;
1152  uint32_t http2_len = sizeof(http2_buf) - 1;
1153  int result = 0;
1155 
1156  memset(&th_v, 0, sizeof(th_v));
1157  memset(&f, 0, sizeof(f));
1158  memset(&ssn, 0, sizeof(ssn));
1159 
1160  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1161  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1162 
1163  FLOW_INITIALIZE(&f);
1164  f.protoctx = (void *)&ssn;
1165  f.proto = IPPROTO_TCP;
1166  f.flags |= FLOW_IPV4;
1167 
1168  p1->flow = &f;
1172  p2->flow = &f;
1176  f.alproto = ALPROTO_HTTP1;
1177 
1178  StreamTcpInitConfig(true);
1179 
1181  if (de_ctx == NULL)
1182  goto end;
1183 
1184  de_ctx->flags |= DE_QUIET;
1185 
1186  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1187  "(msg:\"http client body test\"; "
1188  "content:\"message\"; http_client_body; "
1189  "sid:1;)");
1190  FAIL_IF_NULL(s);
1191 
1193  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1194 
1195  int r = AppLayerParserParse(
1196  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
1197  if (r != 0) {
1198  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1199  result = 0;
1200  goto end;
1201  }
1202 
1203  http_state = f.alstate;
1204  if (http_state == NULL) {
1205  printf("no http state: ");
1206  result = 0;
1207  goto end;
1208  }
1209 
1210  /* do detect */
1211  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1212 
1213  if ((PacketAlertCheck(p1, 1))) {
1214  printf("sid 1 didn't match but should have");
1215  goto end;
1216  }
1217 
1218  r = AppLayerParserParse(
1219  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
1220  if (r != 0) {
1221  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1222  result = 0;
1223  goto end;
1224  }
1225 
1226  /* do detect */
1227  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1228 
1229  if (!(PacketAlertCheck(p2, 1))) {
1230  printf("sid 1 didn't match but should have");
1231  goto end;
1232  }
1233 
1234  result = 1;
1235 end:
1236  if (alp_tctx != NULL)
1238  if (de_ctx != NULL)
1240 
1241  StreamTcpFreeConfig(true);
1242  FLOW_DESTROY(&f);
1243  UTHFreePackets(&p1, 1);
1244  UTHFreePackets(&p2, 1);
1245  return result;
1246 }
1247 
1248 /**
1249  *\test Test that the http_client_body content matches against a http request
1250  * which holds the content, against a cross boundary present pattern.
1251  */
1252 static int DetectHttpClientBodyTest09(void)
1253 {
1254  TcpSession ssn;
1255  Packet *p1 = NULL;
1256  Packet *p2 = NULL;
1257  ThreadVars th_v;
1258  DetectEngineCtx *de_ctx = NULL;
1259  DetectEngineThreadCtx *det_ctx = NULL;
1260  HtpState *http_state = NULL;
1261  Flow f;
1262  uint8_t http1_buf[] =
1263  "GET /index.html HTTP/1.0\r\n"
1264  "Host: www.openinfosecfoundation.org\r\n"
1265  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1266  "Content-Type: text/html\r\n"
1267  "Content-Length: 46\r\n"
1268  "\r\n"
1269  "This is dummy body1";
1270  uint8_t http2_buf[] =
1271  "This is dummy message body2";
1272  uint32_t http1_len = sizeof(http1_buf) - 1;
1273  uint32_t http2_len = sizeof(http2_buf) - 1;
1274  int result = 0;
1276 
1277  memset(&th_v, 0, sizeof(th_v));
1278  memset(&f, 0, sizeof(f));
1279  memset(&ssn, 0, sizeof(ssn));
1280 
1281  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1282  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1283 
1284  FLOW_INITIALIZE(&f);
1285  f.protoctx = (void *)&ssn;
1286  f.proto = IPPROTO_TCP;
1287  f.flags |= FLOW_IPV4;
1288 
1289  p1->flow = &f;
1293  p2->flow = &f;
1297  f.alproto = ALPROTO_HTTP1;
1298 
1299  StreamTcpInitConfig(true);
1300 
1302  if (de_ctx == NULL)
1303  goto end;
1304 
1305  de_ctx->flags |= DE_QUIET;
1306 
1307  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1308  "(msg:\"http client body test\"; "
1309  "content:\"body1This\"; http_client_body; "
1310  "sid:1;)");
1311  FAIL_IF_NULL(s);
1312 
1314  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1315 
1316  int r = AppLayerParserParse(
1317  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
1318  if (r != 0) {
1319  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1320  result = 0;
1321  goto end;
1322  }
1323 
1324  http_state = f.alstate;
1325  if (http_state == NULL) {
1326  printf("no http state: ");
1327  result = 0;
1328  goto end;
1329  }
1330 
1331  /* do detect */
1332  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1333 
1334  if ((PacketAlertCheck(p1, 1))) {
1335  printf("sid 1 didn't match but should have");
1336  goto end;
1337  }
1338 
1339  r = AppLayerParserParse(
1340  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
1341  if (r != 0) {
1342  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1343  result = 0;
1344  goto end;
1345  }
1346 
1347  /* do detect */
1348  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1349 
1350  if (!(PacketAlertCheck(p2, 1))) {
1351  printf("sid 1 didn't match but should have");
1352  goto end;
1353  }
1354 
1355  result = 1;
1356 end:
1357  if (alp_tctx != NULL)
1359  if (de_ctx != NULL)
1361 
1362  StreamTcpFreeConfig(true);
1363  FLOW_DESTROY(&f);
1364  UTHFreePackets(&p1, 1);
1365  UTHFreePackets(&p2, 1);
1366  return result;
1367 }
1368 
1369 /**
1370  *\test Test that the http_client_body content matches against a http request
1371  * against a case insensitive pattern.
1372  */
1373 static int DetectHttpClientBodyTest10(void)
1374 {
1375  TcpSession ssn;
1376  Packet *p1 = NULL;
1377  Packet *p2 = NULL;
1378  ThreadVars th_v;
1379  DetectEngineCtx *de_ctx = NULL;
1380  DetectEngineThreadCtx *det_ctx = NULL;
1381  HtpState *http_state = NULL;
1382  Flow f;
1383  uint8_t http1_buf[] =
1384  "GET /index.html HTTP/1.0\r\n"
1385  "Host: www.openinfosecfoundation.org\r\n"
1386  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1387  "Content-Type: text/html\r\n"
1388  "Content-Length: 46\r\n"
1389  "\r\n"
1390  "This is dummy bodY1";
1391  uint8_t http2_buf[] =
1392  "This is dummy message body2";
1393  uint32_t http1_len = sizeof(http1_buf) - 1;
1394  uint32_t http2_len = sizeof(http2_buf) - 1;
1395  int result = 0;
1397 
1398  memset(&th_v, 0, sizeof(th_v));
1399  memset(&f, 0, sizeof(f));
1400  memset(&ssn, 0, sizeof(ssn));
1401 
1402  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1403  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1404 
1405  FLOW_INITIALIZE(&f);
1406  f.protoctx = (void *)&ssn;
1407  f.proto = IPPROTO_TCP;
1408  f.flags |= FLOW_IPV4;
1409 
1410  p1->flow = &f;
1414  p2->flow = &f;
1418  f.alproto = ALPROTO_HTTP1;
1419 
1420  StreamTcpInitConfig(true);
1421 
1423  if (de_ctx == NULL)
1424  goto end;
1425 
1426  de_ctx->flags |= DE_QUIET;
1427 
1428  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1429  "(msg:\"http client body test\"; "
1430  "content:\"body1This\"; http_client_body; nocase;"
1431  "sid:1;)");
1432  FAIL_IF_NULL(s);
1433 
1435  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1436 
1437  int r = AppLayerParserParse(
1438  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http1_buf, http1_len);
1439  if (r != 0) {
1440  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1441  result = 0;
1442  goto end;
1443  }
1444 
1445  http_state = f.alstate;
1446  if (http_state == NULL) {
1447  printf("no http state: \n");
1448  result = 0;
1449  goto end;
1450  }
1451 
1452  /* do detect */
1453  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1454 
1455  if ((PacketAlertCheck(p1, 1))) {
1456  printf("sid 1 didn't match but should have\n");
1457  goto end;
1458  }
1459 
1460  r = AppLayerParserParse(
1461  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http2_buf, http2_len);
1462  if (r != 0) {
1463  printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
1464  result = 0;
1465  goto end;
1466  }
1467 
1468  /* do detect */
1469  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1470 
1471  if (!(PacketAlertCheck(p2, 1))) {
1472  printf("sid 1 didn't match but should have");
1473  goto end;
1474  }
1475 
1476  result = 1;
1477 end:
1478  if (alp_tctx != NULL)
1480  if (de_ctx != NULL)
1482 
1483  StreamTcpFreeConfig(true);
1484  FLOW_DESTROY(&f);
1485  UTHFreePackets(&p1, 1);
1486  UTHFreePackets(&p2, 1);
1487  return result;
1488 }
1489 
1490 /**
1491  *\test Test that the negated http_client_body content matches against a
1492  * http request which doesn't hold the content.
1493  */
1494 static int DetectHttpClientBodyTest11(void)
1495 {
1496  TcpSession ssn;
1497  Packet *p = NULL;
1498  ThreadVars th_v;
1499  DetectEngineCtx *de_ctx = NULL;
1500  DetectEngineThreadCtx *det_ctx = NULL;
1501  HtpState *http_state = NULL;
1502  Flow f;
1503  uint8_t http_buf[] =
1504  "GET /index.html HTTP/1.0\r\n"
1505  "Host: www.openinfosecfoundation.org\r\n"
1506  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1507  "Content-Type: text/html\r\n"
1508  "Content-Length: 26\r\n"
1509  "\r\n"
1510  "This is dummy message body";
1511  uint32_t http_len = sizeof(http_buf) - 1;
1512  int result = 0;
1514 
1515  memset(&th_v, 0, sizeof(th_v));
1516  memset(&f, 0, sizeof(f));
1517  memset(&ssn, 0, sizeof(ssn));
1518 
1519  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1520 
1521  FLOW_INITIALIZE(&f);
1522  f.protoctx = (void *)&ssn;
1523  f.proto = IPPROTO_TCP;
1524  f.flags |= FLOW_IPV4;
1525 
1526  p->flow = &f;
1530  f.alproto = ALPROTO_HTTP1;
1531 
1532  StreamTcpInitConfig(true);
1533 
1535  if (de_ctx == NULL)
1536  goto end;
1537 
1538  de_ctx->flags |= DE_QUIET;
1539 
1540  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1541  "(msg:\"http client body test\"; "
1542  "content:!\"message1\"; http_client_body; "
1543  "sid:1;)");
1544  FAIL_IF_NULL(s);
1545 
1547  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1548 
1549  int r = AppLayerParserParse(
1550  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1551  if (r != 0) {
1552  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1553  result = 0;
1554  goto end;
1555  }
1556 
1557  http_state = f.alstate;
1558  if (http_state == NULL) {
1559  printf("no http state: ");
1560  result = 0;
1561  goto end;
1562  }
1563 
1564  /* do detect */
1565  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1566 
1567  if (!(PacketAlertCheck(p, 1))) {
1568  printf("sid 1 didn't match but should have");
1569  goto end;
1570  }
1571 
1572  result = 1;
1573 end:
1574  if (alp_tctx != NULL)
1576  if (de_ctx != NULL)
1578 
1579  StreamTcpFreeConfig(true);
1580  FLOW_DESTROY(&f);
1581  UTHFreePackets(&p, 1);
1582  return result;
1583 }
1584 
1585 /**
1586  *\test Negative test that the negated http_client_body content matches against a
1587  * http request which holds hold the content.
1588  */
1589 static int DetectHttpClientBodyTest12(void)
1590 {
1591  TcpSession ssn;
1592  Packet *p = NULL;
1593  ThreadVars th_v;
1594  DetectEngineCtx *de_ctx = NULL;
1595  DetectEngineThreadCtx *det_ctx = NULL;
1596  HtpState *http_state = NULL;
1597  Flow f;
1598  uint8_t http_buf[] =
1599  "GET /index.html HTTP/1.0\r\n"
1600  "Host: www.openinfosecfoundation.org\r\n"
1601  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1602  "Content-Type: text/html\r\n"
1603  "Content-Length: 26\r\n"
1604  "\r\n"
1605  "This is dummy message body";
1606  uint32_t http_len = sizeof(http_buf) - 1;
1607  int result = 0;
1609 
1610  memset(&th_v, 0, sizeof(th_v));
1611  memset(&f, 0, sizeof(f));
1612  memset(&ssn, 0, sizeof(ssn));
1613 
1614  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1615 
1616  FLOW_INITIALIZE(&f);
1617  f.protoctx = (void *)&ssn;
1618  f.proto = IPPROTO_TCP;
1619  f.flags |= FLOW_IPV4;
1620 
1621  p->flow = &f;
1625  f.alproto = ALPROTO_HTTP1;
1626 
1627  StreamTcpInitConfig(true);
1628 
1630  if (de_ctx == NULL)
1631  goto end;
1632 
1633  de_ctx->flags |= DE_QUIET;
1634 
1635  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
1636  "(msg:\"http client body test\"; "
1637  "content:!\"message\"; http_client_body; "
1638  "sid:1;)");
1639  FAIL_IF_NULL(s);
1640 
1642  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1643 
1644  int r = AppLayerParserParse(
1645  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1646  if (r != 0) {
1647  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1648  result = 0;
1649  goto end;
1650  }
1651 
1652  http_state = f.alstate;
1653  if (http_state == NULL) {
1654  printf("no http state: ");
1655  result = 0;
1656  goto end;
1657  }
1658 
1659  /* do detect */
1660  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1661 
1662  if ((PacketAlertCheck(p, 1))) {
1663  printf("sid 1 didn't match but should have");
1664  goto end;
1665  }
1666 
1667  result = 1;
1668 end:
1669  if (alp_tctx != NULL)
1671  if (de_ctx != NULL)
1673 
1674  StreamTcpFreeConfig(true);
1675  FLOW_DESTROY(&f);
1676  UTHFreePackets(&p, 1);
1677  return result;
1678 }
1679 
1680 /**
1681  *\test Test that the http_client_body content matches against a http request
1682  * which holds the content.
1683  */
1684 static int DetectHttpClientBodyTest13(void)
1685 {
1686  TcpSession ssn;
1687  Packet *p = NULL;
1688  ThreadVars th_v;
1689  DetectEngineCtx *de_ctx = NULL;
1690  DetectEngineThreadCtx *det_ctx = NULL;
1691  HtpState *http_state = NULL;
1692  Flow f;
1693  uint8_t http_buf[] =
1694  "GET /index.html HTTP/1.0\r\n"
1695  "Host: www.openinfosecfoundation.org\r\n"
1696  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
1697  "Content-Type: text/html\r\n"
1698  "Content-Length: 55\r\n"
1699  "\r\n"
1700  "longbufferabcdefghijklmnopqrstuvwxyz0123456789bufferend";
1701  uint32_t http_len = sizeof(http_buf) - 1;
1702  int result = 0;
1704 
1705  memset(&th_v, 0, sizeof(th_v));
1706  memset(&f, 0, sizeof(f));
1707  memset(&ssn, 0, sizeof(ssn));
1708 
1709  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1710 
1711  FLOW_INITIALIZE(&f);
1712  f.protoctx = (void *)&ssn;
1713  f.proto = IPPROTO_TCP;
1714  f.flags |= FLOW_IPV4;
1715 
1716  p->flow = &f;
1720  f.alproto = ALPROTO_HTTP1;
1721 
1722  StreamTcpInitConfig(true);
1723 
1725  if (de_ctx == NULL)
1726  goto end;
1727 
1728  de_ctx->flags |= DE_QUIET;
1729 
1731  "alert http any any -> any any "
1732  "(msg:\"http client body test\"; "
1733  "content:\"abcdefghijklmnopqrstuvwxyz0123456789\"; http_client_body; "
1734  "sid:1;)");
1735  FAIL_IF_NULL(s);
1736 
1738  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1739 
1740  int r = AppLayerParserParse(
1741  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf, http_len);
1742  if (r != 0) {
1743  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1744  result = 0;
1745  goto end;
1746  }
1747 
1748  http_state = f.alstate;
1749  if (http_state == NULL) {
1750  printf("no http state: ");
1751  result = 0;
1752  goto end;
1753  }
1754 
1755  /* do detect */
1756  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1757 
1758  if (!(PacketAlertCheck(p, 1))) {
1759  printf("sid 1 didn't match but should have");
1760  goto end;
1761  }
1762 
1763  result = 1;
1764 end:
1765  if (alp_tctx != NULL)
1767  if (de_ctx != NULL)
1769 
1770  StreamTcpFreeConfig(true);
1771  FLOW_DESTROY(&f);
1772  UTHFreePackets(&p, 1);
1773  return result;
1774 }
1775 
1776 /** \test multiple http transactions and body chunks of request handling */
1777 static int DetectHttpClientBodyTest14(void)
1778 {
1779  int result = 0;
1780  Signature *s = NULL;
1781  DetectEngineThreadCtx *det_ctx = NULL;
1782  ThreadVars th_v;
1783  Flow f;
1784  TcpSession ssn;
1785  Packet *p = NULL;
1786  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n";
1787  uint8_t httpbuf2[] = "User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
1788  uint8_t httpbuf3[] = "Cookie: dummy\r\n\r\n";
1789  uint8_t httpbuf4[] = "Body one!!";
1790  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1791  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1792  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1793  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1794  uint8_t httpbuf5[] = "GET /?var=val HTTP/1.1\r\n";
1795  uint8_t httpbuf6[] = "User-Agent: Firefox/1.0\r\n";
1796  uint8_t httpbuf7[] = "Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
1797  uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */
1798  uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */
1799  uint32_t httplen7 = sizeof(httpbuf7) - 1; /* minus the \0 */
1801 
1802  memset(&th_v, 0, sizeof(th_v));
1803  memset(&f, 0, sizeof(f));
1804  memset(&ssn, 0, sizeof(ssn));
1805 
1806  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1807 
1808  FLOW_INITIALIZE(&f);
1809  f.protoctx = (void *)&ssn;
1810  f.proto = IPPROTO_TCP;
1811  f.flags |= FLOW_IPV4;
1812 
1813  p->flow = &f;
1817  f.alproto = ALPROTO_HTTP1;
1818 
1819  StreamTcpInitConfig(true);
1820 
1822  if (de_ctx == NULL) {
1823  goto end;
1824  }
1825 
1826  de_ctx->flags |= DE_QUIET;
1827 
1828  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"POST\"; http_method; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; content:\"one\"; http_client_body; sid:1; rev:1;)");
1829  if (s == NULL) {
1830  printf("sig parse failed: ");
1831  goto end;
1832  }
1833  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; content:\"two\"; http_client_body; sid:2; rev:1;)");
1834  if (s == NULL) {
1835  printf("sig2 parse failed: ");
1836  goto end;
1837  }
1838 
1840  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1841 
1842  int r = AppLayerParserParse(
1843  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1844  if (r != 0) {
1845  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1846  goto end;
1847  }
1848 
1849  /* do detect */
1850  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1851  if (PacketAlertCheck(p, 1)) {
1852  printf("sig 1 alerted: ");
1853  goto end;
1854  }
1855  p->alerts.cnt = 0;
1856 
1857  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1858  if (r != 0) {
1859  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
1860  goto end;
1861  }
1862 
1863  /* do detect */
1864  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1865  if (PacketAlertCheck(p, 1)) {
1866  printf("sig 1 alerted (2): ");
1867  goto end;
1868  }
1869  p->alerts.cnt = 0;
1870 
1871  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1872  if (r != 0) {
1873  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
1874  goto end;
1875  }
1876 
1877  /* do detect */
1878  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1879  if (PacketAlertCheck(p, 1)) {
1880  printf("signature matched, but shouldn't have: ");
1881  goto end;
1882  }
1883  p->alerts.cnt = 0;
1884 
1885  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
1886  if (r != 0) {
1887  printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
1888  result = 0;
1889  goto end;
1890  }
1891 
1892  /* do detect */
1893  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1894  if (!(PacketAlertCheck(p, 1))) {
1895  printf("sig 1 didn't alert: ");
1896  goto end;
1897  }
1898  p->alerts.cnt = 0;
1899 
1900  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf5, httplen5);
1901  if (r != 0) {
1902  printf("toserver chunk 5 returned %" PRId32 ", expected 0: ", r);
1903  goto end;
1904  }
1905 
1906  /* do detect */
1907  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1908  if (PacketAlertCheck(p, 1)) {
1909  printf("sig 1 alerted (5): ");
1910  goto end;
1911  }
1912  p->alerts.cnt = 0;
1913 
1914  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf6, httplen6);
1915  if (r != 0) {
1916  printf("toserver chunk 6 returned %" PRId32 ", expected 0: ", r);
1917  goto end;
1918  }
1919 
1920  /* do detect */
1921  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1922  if ((PacketAlertCheck(p, 1)) || (PacketAlertCheck(p, 2))) {
1923  printf("sig 1 alerted (request 2, chunk 6): ");
1924  goto end;
1925  }
1926  p->alerts.cnt = 0;
1927 
1928  SCLogDebug("sending data chunk 7");
1929 
1930  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf7, httplen7);
1931  if (r != 0) {
1932  printf("toserver chunk 7 returned %" PRId32 ", expected 0: ", r);
1933  goto end;
1934  }
1935 
1936  /* do detect */
1937  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1938  if (!(PacketAlertCheck(p, 2))) {
1939  printf("signature 2 didn't match, but should have: ");
1940  goto end;
1941  }
1942  p->alerts.cnt = 0;
1943 
1944  HtpState *htp_state = f.alstate;
1945  if (htp_state == NULL) {
1946  printf("no http state: ");
1947  result = 0;
1948  goto end;
1949  }
1950 
1951  if (AppLayerParserGetTxCnt(&f, htp_state) != 2) {
1952  printf("The http app layer doesn't have 2 transactions, but it should: ");
1953  goto end;
1954  }
1955 
1956  result = 1;
1957 end:
1958  if (alp_tctx != NULL)
1960  if (det_ctx != NULL) {
1961  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1962  }
1963  if (de_ctx != NULL) {
1965  }
1966 
1967  StreamTcpFreeConfig(true);
1968  FLOW_DESTROY(&f);
1969  UTHFreePacket(p);
1970  return result;
1971 }
1972 
1973 /** \test multiple http transactions and body chunks of request handling */
1974 static int DetectHttpClientBodyTest15(void)
1975 {
1976  int result = 0;
1977  Signature *s = NULL;
1978  DetectEngineThreadCtx *det_ctx = NULL;
1979  ThreadVars th_v;
1980  Flow f;
1981  TcpSession ssn;
1982  Packet *p = NULL;
1983  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n";
1984  uint8_t httpbuf2[] = "User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
1985  uint8_t httpbuf3[] = "Cookie: dummy\r\n\r\n";
1986  uint8_t httpbuf4[] = "Body one!!";
1987  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1988  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1989  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1990  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1991  uint8_t httpbuf5[] = "GET /?var=val HTTP/1.1\r\n";
1992  uint8_t httpbuf6[] = "User-Agent: Firefox/1.0\r\n";
1993  uint8_t httpbuf7[] = "Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
1994  uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */
1995  uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */
1996  uint32_t httplen7 = sizeof(httpbuf7) - 1; /* minus the \0 */
1998 
1999  memset(&th_v, 0, sizeof(th_v));
2000  memset(&f, 0, sizeof(f));
2001  memset(&ssn, 0, sizeof(ssn));
2002 
2003  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2004 
2005  FLOW_INITIALIZE(&f);
2006  f.protoctx = (void *)&ssn;
2007  f.proto = IPPROTO_TCP;
2008  f.flags |= FLOW_IPV4;
2009 
2010  p->flow = &f;
2014  f.alproto = ALPROTO_HTTP1;
2015 
2016  StreamTcpInitConfig(true);
2017 
2019  if (de_ctx == NULL) {
2020  goto end;
2021  }
2022 
2023  de_ctx->flags |= DE_QUIET;
2024 
2025  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"POST\"; http_method; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; content:\"one\"; http_client_body; sid:1; rev:1;)");
2026  if (s == NULL) {
2027  printf("sig parse failed: ");
2028  goto end;
2029  }
2030  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; content:\"two\"; http_client_body; sid:2; rev:1;)");
2031  if (s == NULL) {
2032  printf("sig2 parse failed: ");
2033  goto end;
2034  }
2035 
2037  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2038 
2039  int r = AppLayerParserParse(
2040  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
2041  if (r != 0) {
2042  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
2043  goto end;
2044  }
2045 
2046  /* do detect */
2047  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2048  if (PacketAlertCheck(p, 1)) {
2049  printf("sig 1 alerted: ");
2050  goto end;
2051  }
2052  p->alerts.cnt = 0;
2053 
2054  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
2055  if (r != 0) {
2056  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
2057  goto end;
2058  }
2059 
2060  /* do detect */
2061  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2062  if (PacketAlertCheck(p, 1)) {
2063  printf("sig 1 alerted (2): ");
2064  goto end;
2065  }
2066  p->alerts.cnt = 0;
2067 
2068  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
2069  if (r != 0) {
2070  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
2071  goto end;
2072  }
2073 
2074  /* do detect */
2075  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2076  if (PacketAlertCheck(p, 1)) {
2077  printf("signature matched, but shouldn't have: ");
2078  goto end;
2079  }
2080  p->alerts.cnt = 0;
2081 
2082  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
2083  if (r != 0) {
2084  printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
2085  result = 0;
2086  goto end;
2087  }
2088 
2089  /* do detect */
2090  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2091  if (!(PacketAlertCheck(p, 1))) {
2092  printf("sig 1 didn't alert: ");
2093  goto end;
2094  }
2095  p->alerts.cnt = 0;
2096 
2097  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf5, httplen5);
2098  if (r != 0) {
2099  printf("toserver chunk 5 returned %" PRId32 ", expected 0: ", r);
2100  goto end;
2101  }
2102 
2103  /* do detect */
2104  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2105  if (PacketAlertCheck(p, 1)) {
2106  printf("sig 1 alerted (5): ");
2107  goto end;
2108  }
2109  p->alerts.cnt = 0;
2110 
2111  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf6, httplen6);
2112  if (r != 0) {
2113  printf("toserver chunk 6 returned %" PRId32 ", expected 0: ", r);
2114  goto end;
2115  }
2116 
2117  /* do detect */
2118  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2119  if ((PacketAlertCheck(p, 1)) || (PacketAlertCheck(p, 2))) {
2120  printf("sig 1 alerted (request 2, chunk 6): ");
2121  goto end;
2122  }
2123  p->alerts.cnt = 0;
2124 
2125  SCLogDebug("sending data chunk 7");
2126 
2127  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf7, httplen7);
2128  if (r != 0) {
2129  printf("toserver chunk 7 returned %" PRId32 ", expected 0: ", r);
2130  goto end;
2131  }
2132 
2133  /* do detect */
2134  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2135  if (!(PacketAlertCheck(p, 2))) {
2136  printf("signature 2 didn't match, but should have: ");
2137  goto end;
2138  }
2139  p->alerts.cnt = 0;
2140 
2141  HtpState *htp_state = f.alstate;
2142  if (htp_state == NULL) {
2143  printf("no http state: ");
2144  result = 0;
2145  goto end;
2146  }
2147 
2148  /* hardcoded check of the transactions and it's client body chunks */
2149  if (AppLayerParserGetTxCnt(&f, htp_state) != 2) {
2150  printf("The http app layer doesn't have 2 transactions, but it should: ");
2151  goto end;
2152  }
2153 
2154  htp_tx_t *t1 = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, htp_state, 0);
2155  htp_tx_t *t2 = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, htp_state, 1);
2156 
2157  HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(t1);
2158 
2159  HtpBodyChunk *cur = htud->request_body.first;
2160  if (htud->request_body.first == NULL) {
2161  SCLogDebug("No body data in t1 (it should be removed only when the tx is destroyed): ");
2162  goto end;
2163  }
2164 
2166  (uint8_t *)"Body one!!", 10) != 1)
2167  {
2168  SCLogDebug("Body data in t1 is not correctly set: ");
2169  goto end;
2170  }
2171 
2172  htud = (HtpTxUserData *) htp_tx_get_user_data(t2);
2173 
2174  cur = htud->request_body.first;
2175  if (htud->request_body.first == NULL) {
2176  SCLogDebug("No body data in t1 (it should be removed only when the tx is destroyed): ");
2177  goto end;
2178  }
2179 
2181  (uint8_t *)"Body two!!", 10) != 1)
2182  {
2183  SCLogDebug("Body data in t1 is not correctly set: ");
2184  goto end;
2185  }
2186 
2187  result = 1;
2188 end:
2189  if (alp_tctx != NULL)
2191  if (det_ctx != NULL) {
2192  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2193  }
2194  if (de_ctx != NULL) {
2196  }
2197 
2198  StreamTcpFreeConfig(true);
2199  FLOW_DESTROY(&f);
2200  UTHFreePacket(p);
2201  return result;
2202 }
2203 
2204 static int DetectHttpClientBodyTest22(void)
2205 {
2208  de_ctx->flags |= DE_QUIET;
2210  "alert icmp any any -> any any "
2211  "(content:\"one\"; content:\"two\"; http_client_body; "
2212  "content:\"three\"; distance:10; http_client_body; content:\"four\"; sid:1;)");
2213  FAIL_IF_NULL(s);
2215  FAIL_IF(DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL);
2216  SigMatch *sm = DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id);
2217  FAIL_IF_NULL(sm);
2218 
2219  DetectContentData *cd1 =
2221  DetectContentData *cd2 =
2223  DetectContentData *hcbd1 =
2224  (DetectContentData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)
2225  ->prev->ctx;
2226  DetectContentData *hcbd2 =
2227  (DetectContentData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->ctx;
2228  FAIL_IF(cd1->flags != 0);
2229  FAIL_IF(memcmp(cd1->content, "one", cd1->content_len) != 0);
2230  FAIL_IF(cd2->flags != 0);
2231  FAIL_IF(memcmp(cd2->content, "four", cd2->content_len) != 0);
2233  FAIL_IF(memcmp(hcbd1->content, "two", hcbd1->content_len) != 0);
2235  FAIL_IF(memcmp(hcbd2->content, "three", hcbd1->content_len) != 0);
2236 
2241 
2243  PASS;
2244 }
2245 
2246 static int DetectHttpClientBodyTest23(void)
2247 {
2250  de_ctx->flags |= DE_QUIET;
2251 
2253  "alert icmp any any -> any any "
2254  "(content:\"one\"; http_client_body; pcre:/two/; "
2255  "content:\"three\"; distance:10; http_client_body; content:\"four\"; sid:1;)");
2256  FAIL_IF_NULL(s);
2258  FAIL_IF_NULL(DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id));
2259 
2260  DetectPcreData *pd1 =
2262  ->prev->ctx;
2263  DetectContentData *cd2 =
2265  ->ctx;
2266  DetectContentData *hcbd1 =
2267  (DetectContentData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)
2268  ->prev->ctx;
2269  DetectContentData *hcbd2 =
2270  (DetectContentData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->ctx;
2271  FAIL_IF(pd1->flags != 0);
2272  FAIL_IF(cd2->flags != 0);
2273  FAIL_IF(memcmp(cd2->content, "four", cd2->content_len) != 0);
2275  FAIL_IF(memcmp(hcbd1->content, "one", hcbd1->content_len) != 0);
2277  FAIL_IF(memcmp(hcbd2->content, "three", hcbd1->content_len) != 0);
2281 
2283  PASS;
2284 }
2285 
2286 static int DetectHttpClientBodyTest24(void)
2287 {
2288  DetectEngineCtx *de_ctx = NULL;
2289  int result = 0;
2290 
2291  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
2292  goto end;
2293 
2294  de_ctx->flags |= DE_QUIET;
2295  Signature *s = DetectEngineAppendSig(de_ctx, "alert icmp any any -> any any "
2296  "(content:\"one\"; http_client_body; pcre:/two/; "
2297  "content:\"three\"; distance:10; within:15; "
2298  "http_client_body; content:\"four\"; sid:1;)");
2299  if (de_ctx->sig_list == NULL) {
2300  printf("de_ctx->sig_list == NULL\n");
2301  goto end;
2302  }
2303 
2305  printf("de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_PMATCH] == NULL\n");
2306  goto end;
2307  }
2308 
2309  if (DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL) {
2310  printf("DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL\n");
2311  goto end;
2312  }
2313 
2314  DetectPcreData *pd1 =
2316  ->prev->ctx;
2317  DetectContentData *cd2 =
2319  ->ctx;
2320  DetectContentData *hcbd1 =
2321  (DetectContentData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)
2322  ->prev->ctx;
2323  DetectContentData *hcbd2 =
2324  (DetectContentData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->ctx;
2325  if (pd1->flags != 0 ||
2326  cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
2327  hcbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
2328  memcmp(hcbd1->content, "one", hcbd1->content_len) != 0 ||
2330  memcmp(hcbd2->content, "three", hcbd1->content_len) != 0) {
2331  goto end;
2332  }
2333 
2334  if (!DETECT_CONTENT_IS_SINGLE(cd2) ||
2335  DETECT_CONTENT_IS_SINGLE(hcbd1) ||
2336  DETECT_CONTENT_IS_SINGLE(hcbd2)) {
2337  goto end;
2338  }
2339 
2340  result = 1;
2341 
2342  end:
2344  return result;
2345 }
2346 
2347 static int DetectHttpClientBodyTest25(void)
2348 {
2349  DetectEngineCtx *de_ctx = NULL;
2350  int result = 0;
2351 
2352  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
2353  goto end;
2354 
2355  de_ctx->flags |= DE_QUIET;
2356  Signature *s =
2357  DetectEngineAppendSig(de_ctx, "alert icmp any any -> any any "
2358  "(content:\"one\"; http_client_body; pcre:/two/; "
2359  "content:\"three\"; distance:10; http_client_body; "
2360  "content:\"four\"; distance:10; sid:1;)");
2361  if (de_ctx->sig_list == NULL) {
2362  printf("de_ctx->sig_list == NULL\n");
2363  goto end;
2364  }
2365 
2367  printf("de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_PMATCH] == NULL\n");
2368  goto end;
2369  }
2370 
2371  if (DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL) {
2372  printf("DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL\n");
2373  goto end;
2374  }
2375 
2376  DetectPcreData *pd1 =
2378  ->prev->ctx;
2379  DetectContentData *cd2 =
2381  ->ctx;
2382  DetectContentData *hcbd1 =
2383  (DetectContentData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)
2384  ->prev->ctx;
2385  DetectContentData *hcbd2 =
2386  (DetectContentData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->ctx;
2387  if (pd1->flags != DETECT_PCRE_RELATIVE_NEXT ||
2388  cd2->flags != DETECT_CONTENT_DISTANCE ||
2389  memcmp(cd2->content, "four", cd2->content_len) != 0 ||
2390  hcbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
2391  memcmp(hcbd1->content, "one", hcbd1->content_len) != 0 ||
2392  hcbd2->flags != DETECT_CONTENT_DISTANCE ||
2393  memcmp(hcbd2->content, "three", hcbd1->content_len) != 0) {
2394  goto end;
2395  }
2396 
2397  if (DETECT_CONTENT_IS_SINGLE(cd2) ||
2398  DETECT_CONTENT_IS_SINGLE(hcbd1) ||
2399  DETECT_CONTENT_IS_SINGLE(hcbd2)) {
2400  goto end;
2401  }
2402 
2403  result = 1;
2404 
2405  end:
2407  return result;
2408 }
2409 
2410 static int DetectHttpClientBodyTest26(void)
2411 {
2412  DetectEngineCtx *de_ctx = NULL;
2413  int result = 0;
2414 
2415  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
2416  goto end;
2417 
2418  de_ctx->flags |= DE_QUIET;
2420  "alert icmp any any -> any any "
2421  "(content:\"one\"; offset:10; http_client_body; pcre:/two/; "
2422  "content:\"three\"; distance:10; http_client_body; within:10; "
2423  "content:\"four\"; distance:10; sid:1;)");
2424  if (de_ctx->sig_list == NULL) {
2425  printf("de_ctx->sig_list == NULL\n");
2426  goto end;
2427  }
2428 
2430  printf("de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_PMATCH] == NULL\n");
2431  goto end;
2432  }
2433 
2434  if (DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL) {
2435  printf("DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL\n");
2436  goto end;
2437  }
2438 
2439  DetectPcreData *pd1 =
2441  ->prev->ctx;
2442  DetectContentData *cd2 =
2444  ->ctx;
2445  DetectContentData *hcbd1 =
2446  (DetectContentData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)
2447  ->prev->ctx;
2448  DetectContentData *hcbd2 =
2449  (DetectContentData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->ctx;
2450  if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
2451  cd2->flags != DETECT_CONTENT_DISTANCE ||
2452  memcmp(cd2->content, "four", cd2->content_len) != 0 ||
2454  memcmp(hcbd1->content, "one", hcbd1->content_len) != 0 ||
2456  memcmp(hcbd2->content, "three", hcbd1->content_len) != 0) {
2457  printf ("failed: http_client_body incorrect flags");
2458  goto end;
2459  }
2460 
2461  if (DETECT_CONTENT_IS_SINGLE(cd2) ||
2462  DETECT_CONTENT_IS_SINGLE(hcbd1) ||
2463  DETECT_CONTENT_IS_SINGLE(hcbd2)) {
2464  goto end;
2465  }
2466 
2467  result = 1;
2468 
2469  end:
2471  return result;
2472 }
2473 
2474 static int DetectHttpClientBodyTest27(void)
2475 {
2476  DetectEngineCtx *de_ctx = NULL;
2477  int result = 0;
2478 
2479  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
2480  goto end;
2481 
2482  de_ctx->flags |= DE_QUIET;
2484  "alert icmp any any -> any any "
2485  "(content:\"one\"; offset:10; http_client_body; pcre:/two/; "
2486  "content:\"three\"; distance:10; http_client_body; within:10; "
2487  "content:\"four\"; distance:10; sid:1;)");
2488  FAIL_IF_NULL(s);
2489 
2490  result = 1;
2491 
2492  end:
2494  return result;
2495 }
2496 
2497 static int DetectHttpClientBodyTest28(void)
2498 {
2499  DetectEngineCtx *de_ctx = NULL;
2500  int result = 0;
2501 
2502  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
2503  goto end;
2504 
2505  de_ctx->flags |= DE_QUIET;
2506  Signature *s = DetectEngineAppendSig(de_ctx, "alert icmp any any -> any any "
2507  "(content:\"one\"; http_client_body; pcre:/two/; "
2508  "content:\"three\"; http_client_body; depth:10; "
2509  "content:\"four\"; distance:10; sid:1;)");
2510  if (de_ctx->sig_list == NULL) {
2511  printf("de_ctx->sig_list == NULL\n");
2512  goto end;
2513  }
2514 
2516  printf("de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_PMATCH] == NULL\n");
2517  goto end;
2518  }
2519 
2520  if (DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL) {
2521  printf("DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL\n");
2522  goto end;
2523  }
2524 
2525  DetectPcreData *pd1 =
2527  ->prev->ctx;
2528  DetectContentData *cd2 =
2530  ->ctx;
2531  DetectContentData *hcbd1 =
2532  (DetectContentData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)
2533  ->prev->ctx;
2534  DetectContentData *hcbd2 =
2535  (DetectContentData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->ctx;
2536  if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
2537  cd2->flags != DETECT_CONTENT_DISTANCE ||
2538  memcmp(cd2->content, "four", cd2->content_len) != 0 ||
2539  hcbd1->flags != 0 ||
2540  memcmp(hcbd1->content, "one", hcbd1->content_len) != 0 ||
2541  hcbd2->flags != DETECT_CONTENT_DEPTH ||
2542  memcmp(hcbd2->content, "three", hcbd1->content_len) != 0) {
2543  goto end;
2544  }
2545 
2546  if (DETECT_CONTENT_IS_SINGLE(cd2) ||
2547  !DETECT_CONTENT_IS_SINGLE(hcbd1) ||
2548  DETECT_CONTENT_IS_SINGLE(hcbd2)) {
2549  goto end;
2550  }
2551 
2552  result = 1;
2553 
2554  end:
2556  return result;
2557 }
2558 
2559 static int DetectHttpClientBodyTest29(void)
2560 {
2561  DetectEngineCtx *de_ctx = NULL;
2562  int result = 0;
2563 
2564  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
2565  goto end;
2566 
2567  de_ctx->flags |= DE_QUIET;
2568  Signature *s =
2569  DetectEngineAppendSig(de_ctx, "alert icmp any any -> any any "
2570  "(content:\"one\"; http_client_body; "
2571  "content:\"two\"; distance:0; http_client_body; sid:1;)");
2572  if (de_ctx->sig_list == NULL) {
2573  printf("de_ctx->sig_list == NULL\n");
2574  goto end;
2575  }
2576 
2578  printf("de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL\n");
2579  goto end;
2580  }
2581 
2582  if (DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL) {
2583  printf("DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL\n");
2584  goto end;
2585  }
2586 
2587  DetectContentData *hcbd1 =
2588  (DetectContentData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)
2589  ->prev->ctx;
2590  DetectContentData *hcbd2 =
2591  (DetectContentData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->ctx;
2592  if (hcbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
2593  memcmp(hcbd1->content, "one", hcbd1->content_len) != 0 ||
2594  hcbd2->flags != DETECT_CONTENT_DISTANCE ||
2595  memcmp(hcbd2->content, "two", hcbd1->content_len) != 0) {
2596  goto end;
2597  }
2598 
2599  result = 1;
2600 
2601  end:
2603  return result;
2604 }
2605 
2606 static int DetectHttpClientBodyTest30(void)
2607 {
2608  DetectEngineCtx *de_ctx = NULL;
2609  int result = 0;
2610 
2611  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
2612  goto end;
2613 
2614  de_ctx->flags |= DE_QUIET;
2615  Signature *s =
2616  DetectEngineAppendSig(de_ctx, "alert icmp any any -> any any "
2617  "(content:\"one\"; http_client_body; "
2618  "content:\"two\"; within:5; http_client_body; sid:1;)");
2619  if (de_ctx->sig_list == NULL) {
2620  printf("de_ctx->sig_list == NULL\n");
2621  goto end;
2622  }
2623 
2625  printf("de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL\n");
2626  goto end;
2627  }
2628 
2629  if (DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL) {
2630  printf("DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL\n");
2631  goto end;
2632  }
2633 
2634  DetectContentData *hcbd1 =
2635  (DetectContentData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)
2636  ->prev->ctx;
2637  DetectContentData *hcbd2 =
2638  (DetectContentData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->ctx;
2639  if (hcbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
2640  memcmp(hcbd1->content, "one", hcbd1->content_len) != 0 ||
2641  hcbd2->flags != DETECT_CONTENT_WITHIN ||
2642  memcmp(hcbd2->content, "two", hcbd1->content_len) != 0) {
2643  goto end;
2644  }
2645 
2646  result = 1;
2647 
2648  end:
2650  return result;
2651 }
2652 
2653 static int DetectHttpClientBodyTest31(void)
2654 {
2655  DetectEngineCtx *de_ctx = NULL;
2656  int result = 0;
2657 
2658  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
2659  goto end;
2660 
2661  de_ctx->flags |= DE_QUIET;
2662  Signature *s =
2663  DetectEngineAppendSig(de_ctx, "alert icmp any any -> any any "
2664  "(content:\"one\"; within:5; http_client_body; sid:1;)");
2665  FAIL_IF_NULL(s);
2666 
2667  result = 1;
2668 
2669  end:
2671  return result;
2672 }
2673 
2674 static int DetectHttpClientBodyTest32(void)
2675 {
2676  DetectEngineCtx *de_ctx = NULL;
2677  int result = 0;
2678 
2679  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
2680  goto end;
2681 
2682  de_ctx->flags |= DE_QUIET;
2683  Signature *s =
2684  DetectEngineAppendSig(de_ctx, "alert icmp any any -> any any "
2685  "(content:\"one\"; http_client_body; within:5; sid:1;)");
2686  FAIL_IF_NULL(s);
2687 
2688  result = 1;
2689 
2690  end:
2692  return result;
2693 }
2694 
2695 static int DetectHttpClientBodyTest33(void)
2696 {
2697  DetectEngineCtx *de_ctx = NULL;
2698  int result = 0;
2699 
2700  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
2701  goto end;
2702 
2703  de_ctx->flags |= DE_QUIET;
2704  Signature *s = DetectEngineAppendSig(de_ctx, "alert icmp any any -> any any "
2705  "(content:\"one\"; within:5; sid:1;)");
2706  FAIL_IF_NULL(s);
2707 
2708  result = 1;
2709 
2710  end:
2712  return result;
2713 }
2714 
2715 static int DetectHttpClientBodyTest34(void)
2716 {
2717  DetectEngineCtx *de_ctx = NULL;
2718  int result = 0;
2719 
2720  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
2721  goto end;
2722 
2723  de_ctx->flags |= DE_QUIET;
2724  Signature *s =
2725  DetectEngineAppendSig(de_ctx, "alert icmp any any -> any any "
2726  "(pcre:/one/P; "
2727  "content:\"two\"; within:5; http_client_body; sid:1;)");
2728  if (de_ctx->sig_list == NULL) {
2729  printf("de_ctx->sig_list == NULL\n");
2730  goto end;
2731  }
2732 
2734  printf("de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL\n");
2735  goto end;
2736  }
2737 
2738  if (DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL) {
2739  printf("DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL\n");
2740  goto end;
2741  }
2742 
2743  if (DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id) == NULL ||
2744  DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->type != DETECT_CONTENT ||
2745  DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->prev == NULL ||
2746  DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->prev->type !=
2747  DETECT_PCRE) {
2748 
2749  goto end;
2750  }
2751 
2752  DetectPcreData *pd1 =
2753  (DetectPcreData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)
2754  ->prev->ctx;
2755  DetectContentData *hcbd2 =
2756  (DetectContentData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->ctx;
2757  if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
2758  hcbd2->flags != DETECT_CONTENT_WITHIN ||
2759  memcmp(hcbd2->content, "two", hcbd2->content_len) != 0) {
2760  goto end;
2761  }
2762 
2763  result = 1;
2764 
2765  end:
2767  return result;
2768 }
2769 
2770 static int DetectHttpClientBodyTest35(void)
2771 {
2772  DetectEngineCtx *de_ctx = NULL;
2773  int result = 0;
2774 
2775  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
2776  goto end;
2777 
2778  de_ctx->flags |= DE_QUIET;
2779  Signature *s = DetectEngineAppendSig(de_ctx, "alert icmp any any -> any any "
2780  "(content:\"two\"; http_client_body; "
2781  "pcre:/one/PR; sid:1;)");
2782  if (de_ctx->sig_list == NULL) {
2783  printf("de_ctx->sig_list == NULL\n");
2784  goto end;
2785  }
2786 
2788  printf("de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL\n");
2789  goto end;
2790  }
2791 
2792  if (DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL) {
2793  printf("DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL\n");
2794  goto end;
2795  }
2796 
2797  if (DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id) == NULL ||
2798  DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->type != DETECT_PCRE ||
2799  DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->prev == NULL ||
2800  DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->prev->type !=
2801  DETECT_CONTENT) {
2802 
2803  goto end;
2804  }
2805 
2806  DetectContentData *hcbd1 =
2807  (DetectContentData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)
2808  ->prev->ctx;
2809  DetectPcreData *pd2 =
2810  (DetectPcreData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->ctx;
2811  if (pd2->flags != (DETECT_PCRE_RELATIVE) ||
2812  hcbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
2813  memcmp(hcbd1->content, "two", hcbd1->content_len) != 0) {
2814  goto end;
2815  }
2816 
2817  result = 1;
2818 
2819  end:
2821  return result;
2822 }
2823 
2824 static int DetectHttpClientBodyTest36(void)
2825 {
2826  DetectEngineCtx *de_ctx = NULL;
2827  int result = 0;
2828 
2829  if ( (de_ctx = DetectEngineCtxInit()) == NULL)
2830  goto end;
2831 
2832  de_ctx->flags |= DE_QUIET;
2833  Signature *s =
2834  DetectEngineAppendSig(de_ctx, "alert icmp any any -> any any "
2835  "(pcre:/one/P; "
2836  "content:\"two\"; distance:5; http_client_body; sid:1;)");
2837  if (de_ctx->sig_list == NULL) {
2838  printf("de_ctx->sig_list == NULL\n");
2839  goto end;
2840  }
2841 
2843  printf("de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL\n");
2844  goto end;
2845  }
2846 
2847  if (DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL) {
2848  printf("DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL\n");
2849  goto end;
2850  }
2851 
2852  if (DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id) == NULL ||
2853  DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->type != DETECT_CONTENT ||
2854  DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->prev == NULL ||
2855  DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->prev->type !=
2856  DETECT_PCRE) {
2857 
2858  goto end;
2859  }
2860 
2861  DetectPcreData *pd1 =
2862  (DetectPcreData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)
2863  ->prev->ctx;
2864  DetectContentData *hcbd2 =
2865  (DetectContentData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->ctx;
2866  if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
2867  hcbd2->flags != DETECT_CONTENT_DISTANCE ||
2868  memcmp(hcbd2->content, "two", hcbd2->content_len) != 0) {
2869  goto end;
2870  }
2871 
2872  result = 1;
2873 
2874  end:
2876  return result;
2877 }
2878 
2879 static int DetectHttpClientBodyIsdataatParseTest(void)
2880 {
2883  de_ctx->flags |= DE_QUIET;
2884 
2886  "alert tcp any any -> any any ("
2887  "content:\"one\"; http_client_body; "
2888  "isdataat:!4,relative; sid:1;)");
2889  FAIL_IF_NULL(s);
2890 
2891  SigMatch *sm = DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id);
2892  FAIL_IF_NULL(sm);
2894 
2895  DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
2898  FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
2899 
2901  PASS;
2902 }
2903 
2905 {
2906  UtRegisterTest("DetectHttpClientBodyParserTest01", DetectHttpClientBodyParserTest01);
2907  UtRegisterTest("DetectHttpClientBodyParserTest02", DetectHttpClientBodyParserTest02);
2908  UtRegisterTest("DetectHttpClientBodyTest01", DetectHttpClientBodyTest01);
2909  UtRegisterTest("DetectHttpClientBodyTest02", DetectHttpClientBodyTest02);
2910  UtRegisterTest("DetectHttpClientBodyTest03", DetectHttpClientBodyTest03);
2911  UtRegisterTest("DetectHttpClientBodyTest05", DetectHttpClientBodyTest05);
2912  UtRegisterTest("DetectHttpClientBodyTest06", DetectHttpClientBodyTest06);
2913  UtRegisterTest("DetectHttpClientBodyTest07", DetectHttpClientBodyTest07);
2914  UtRegisterTest("DetectHttpClientBodyTest08", DetectHttpClientBodyTest08);
2915  UtRegisterTest("DetectHttpClientBodyTest09", DetectHttpClientBodyTest09);
2916  UtRegisterTest("DetectHttpClientBodyTest10", DetectHttpClientBodyTest10);
2917  UtRegisterTest("DetectHttpClientBodyTest11", DetectHttpClientBodyTest11);
2918  UtRegisterTest("DetectHttpClientBodyTest12", DetectHttpClientBodyTest12);
2919  UtRegisterTest("DetectHttpClientBodyTest13", DetectHttpClientBodyTest13);
2920  UtRegisterTest("DetectHttpClientBodyTest14", DetectHttpClientBodyTest14);
2921  UtRegisterTest("DetectHttpClientBodyTest15", DetectHttpClientBodyTest15);
2922 
2923  UtRegisterTest("DetectHttpClientBodyTest22", DetectHttpClientBodyTest22);
2924  UtRegisterTest("DetectHttpClientBodyTest23", DetectHttpClientBodyTest23);
2925  UtRegisterTest("DetectHttpClientBodyTest24", DetectHttpClientBodyTest24);
2926  UtRegisterTest("DetectHttpClientBodyTest25", DetectHttpClientBodyTest25);
2927  UtRegisterTest("DetectHttpClientBodyTest26", DetectHttpClientBodyTest26);
2928  UtRegisterTest("DetectHttpClientBodyTest27", DetectHttpClientBodyTest27);
2929  UtRegisterTest("DetectHttpClientBodyTest28", DetectHttpClientBodyTest28);
2930  UtRegisterTest("DetectHttpClientBodyTest29", DetectHttpClientBodyTest29);
2931  UtRegisterTest("DetectHttpClientBodyTest30", DetectHttpClientBodyTest30);
2932  UtRegisterTest("DetectHttpClientBodyTest31", DetectHttpClientBodyTest31);
2933  UtRegisterTest("DetectHttpClientBodyTest32", DetectHttpClientBodyTest32);
2934  UtRegisterTest("DetectHttpClientBodyTest33", DetectHttpClientBodyTest33);
2935  UtRegisterTest("DetectHttpClientBodyTest34", DetectHttpClientBodyTest34);
2936  UtRegisterTest("DetectHttpClientBodyTest35", DetectHttpClientBodyTest35);
2937  UtRegisterTest("DetectHttpClientBodyTest36", DetectHttpClientBodyTest36);
2938 
2939  UtRegisterTest("DetectHttpClientBodyIsdataatParseTest",
2940  DetectHttpClientBodyIsdataatParseTest);
2941 
2942  UtRegisterTest("DetectEngineHttpClientBodyTest01",
2943  DetectEngineHttpClientBodyTest01);
2944  UtRegisterTest("DetectEngineHttpClientBodyTest02",
2945  DetectEngineHttpClientBodyTest02);
2946  UtRegisterTest("DetectEngineHttpClientBodyTest03",
2947  DetectEngineHttpClientBodyTest03);
2948  UtRegisterTest("DetectEngineHttpClientBodyTest04",
2949  DetectEngineHttpClientBodyTest04);
2950  UtRegisterTest("DetectEngineHttpClientBodyTest05",
2951  DetectEngineHttpClientBodyTest05);
2952  UtRegisterTest("DetectEngineHttpClientBodyTest06",
2953  DetectEngineHttpClientBodyTest06);
2954  UtRegisterTest("DetectEngineHttpClientBodyTest07",
2955  DetectEngineHttpClientBodyTest07);
2956  UtRegisterTest("DetectEngineHttpClientBodyTest08",
2957  DetectEngineHttpClientBodyTest08);
2958  UtRegisterTest("DetectEngineHttpClientBodyTest09",
2959  DetectEngineHttpClientBodyTest09);
2960  UtRegisterTest("DetectEngineHttpClientBodyTest10",
2961  DetectEngineHttpClientBodyTest10);
2962  UtRegisterTest("DetectEngineHttpClientBodyTest11",
2963  DetectEngineHttpClientBodyTest11);
2964  UtRegisterTest("DetectEngineHttpClientBodyTest12",
2965  DetectEngineHttpClientBodyTest12);
2966  UtRegisterTest("DetectEngineHttpClientBodyTest13",
2967  DetectEngineHttpClientBodyTest13);
2968  UtRegisterTest("DetectEngineHttpClientBodyTest14",
2969  DetectEngineHttpClientBodyTest14);
2970  UtRegisterTest("DetectEngineHttpClientBodyTest15",
2971  DetectEngineHttpClientBodyTest15);
2972  UtRegisterTest("DetectEngineHttpClientBodyTest16",
2973  DetectEngineHttpClientBodyTest16);
2974  UtRegisterTest("DetectEngineHttpClientBodyTest17",
2975  DetectEngineHttpClientBodyTest17);
2976  UtRegisterTest("DetectEngineHttpClientBodyTest18",
2977  DetectEngineHttpClientBodyTest18);
2978  UtRegisterTest("DetectEngineHttpClientBodyTest19",
2979  DetectEngineHttpClientBodyTest19);
2980  UtRegisterTest("DetectEngineHttpClientBodyTest20",
2981  DetectEngineHttpClientBodyTest20);
2982  UtRegisterTest("DetectEngineHttpClientBodyTest21",
2983  DetectEngineHttpClientBodyTest21);
2984  UtRegisterTest("DetectEngineHttpClientBodyTest22",
2985  DetectEngineHttpClientBodyTest22);
2986  UtRegisterTest("DetectEngineHttpClientBodyTest23",
2987  DetectEngineHttpClientBodyTest23);
2988  UtRegisterTest("DetectEngineHttpClientBodyTest24",
2989  DetectEngineHttpClientBodyTest24);
2990  UtRegisterTest("DetectEngineHttpClientBodyTest25",
2991  DetectEngineHttpClientBodyTest25);
2992  UtRegisterTest("DetectEngineHttpClientBodyTest26",
2993  DetectEngineHttpClientBodyTest26);
2994  UtRegisterTest("DetectEngineHttpClientBodyTest27",
2995  DetectEngineHttpClientBodyTest27);
2996  UtRegisterTest("DetectEngineHttpClientBodyTest28",
2997  DetectEngineHttpClientBodyTest28);
2998  UtRegisterTest("DetectEngineHttpClientBodyTest29",
2999  DetectEngineHttpClientBodyTest29);
3000 
3001  UtRegisterTest("DetectEngineHttpClientBodyTest30",
3002  DetectEngineHttpClientBodyTest30);
3003  UtRegisterTest("DetectEngineHttpClientBodyTest31",
3004  DetectEngineHttpClientBodyTest31);
3005 }
3006 
3007 #endif
3008 
3009 /**
3010  * @}
3011  */
TestSteps
Definition: detect-http-client-body.c:107
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:66
SigMatch_::prev
struct SigMatch_ * prev
Definition: detect.h:354
UTHParseSignature
int UTHParseSignature(const char *str, bool expect)
parser a sig and see if the expected result is correct
Definition: util-unittest-helper.c:890
detect-engine.h
DetectBufferGetFirstSigMatch
SigMatch * DetectBufferGetFirstSigMatch(const Signature *s, const uint32_t buf_id)
Definition: detect-engine.c:1326
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:116
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:588
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1268
flow-util.h
SignatureInitData_::smlists_tail
struct SigMatch_ * smlists_tail[DETECT_SM_LIST_MAX]
Definition: detect.h:590
stream-tcp.h
DetectHttpClientBodyRegisterTests
void DetectHttpClientBodyRegisterTests(void)
Definition: detect-http-client-body.c:2904
HtpBody_::sb
StreamingBuffer * sb
Definition: app-layer-htp.h:189
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:34
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:72
TestSteps::direction
int direction
Definition: detect-http-client-body.c:110
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
detect-isdataat.h
TestSteps::input
const uint8_t * input
Definition: detect-http-client-body.c:108
Flow_::proto
uint8_t proto
Definition: flow.h:378
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:267
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:513
Flow_
Flow data structure.
Definition: flow.h:356
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:843
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2623
HtpTxUserData_::request_body
HtpBody request_body
Definition: app-layer-htp.h:219
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:300
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:232
DE_QUIET
#define DE_QUIET
Definition: detect.h:323
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:359
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1950
DetectIsdataatData_
Definition: detect-isdataat.h:32
DetectContentData_
Definition: detect-content.h:93
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:46
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2591
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:507
StreamingBufferSegmentCompareRawData
int StreamingBufferSegmentCompareRawData(const StreamingBuffer *sb, const StreamingBufferSegment *seg, const uint8_t *rawdata, uint32_t rawdata_len)
Definition: util-streaming-buffer.c:1775
Flow_::protoctx
void * protoctx
Definition: flow.h:446
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:99
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:589
detect-engine-prefilter.h
util-unittest.h
HTPConfigure
void HTPConfigure(void)
Definition: app-layer-htp.c:2572
HtpBody_::first
HtpBodyChunk * first
Definition: app-layer-htp.h:186
HtpState_
Definition: app-layer-htp.h:238
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:488
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
app-layer-htp.h
TestSteps::expect
int expect
Definition: detect-http-client-body.c:111
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
TOTAL_REQUESTS
#define TOTAL_REQUESTS
DETECT_CONTENT_DISTANCE
#define DETECT_CONTENT_DISTANCE
Definition: detect-content.h:30
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
HtpConfigCreateBackup
void HtpConfigCreateBackup(void)
Definition: app-layer-htp.c:2882
DetectEngineThreadCtx_
Definition: detect.h:1098
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition: detect-content.h:33
util-print.h
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3365
DETECT_CONTENT_IS_SINGLE
#define DETECT_CONTENT_IS_SINGLE(c)
Definition: detect-content.h:68
DetectBufferGetLastSigMatch
SigMatch * DetectBufferGetLastSigMatch(const Signature *s, const uint32_t buf_id)
Definition: detect-engine.c:1336
ConfYamlLoadString
int ConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
Definition: conf-yaml-loader.c:523
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:114
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:352
Packet_
Definition: decode.h:476
detect-engine-build.h
type
uint16_t type
Definition: decode-vlan.c:107
conf-yaml-loader.h
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
conf.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:672
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
ISDATAAT_RAWBYTES
#define ISDATAAT_RAWBYTES
Definition: detect-isdataat.h:28
ConfCreateContextBackup
void ConfCreateContextBackup(void)
Creates a backup of the conf_hash hash_table used by the conf API.
Definition: conf.c:669
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:233
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:74
AppLayerParserGetTx
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:1094
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2145
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:279
detect-engine-content-inspection.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:515
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:859
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1272
SigMatch_::type
uint16_t type
Definition: detect.h:350
HtpBodyChunk_
Definition: app-layer-htp.h:177
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3592
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:94
ConfRestoreContextBackup
void ConfRestoreContextBackup(void)
Restores the backup of the hash_table present in backup_conf_hash back to conf_hash.
Definition: conf.c:679
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:851
HtpTxUserData_
Definition: app-layer-htp.h:206
util-validate.h
HtpConfigRestoreBackup
void HtpConfigRestoreBackup(void)
Definition: app-layer-htp.c:2887
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
ConfInit
void ConfInit(void)
Initialize the configuration system.
Definition: conf.c:120
ISDATAAT_NEGATED
#define ISDATAAT_NEGATED
Definition: detect-isdataat.h:29
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:467
Flow_::alstate
void * alstate
Definition: flow.h:481
DETECT_CONTENT_OFFSET
#define DETECT_CONTENT_OFFSET
Definition: detect-content.h:32
Flow_::flags
uint32_t flags
Definition: flow.h:426
detect-parse.h
Signature_
Signature container.
Definition: detect.h:603
SigMatch_
a single match condition for a signature
Definition: detect.h:349
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:96
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:234
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2584
DETECT_PCRE_RELATIVE_NEXT
#define DETECT_PCRE_RELATIVE_NEXT
Definition: detect-pcre.h:34
app-layer-protos.h
DetectPcreData_
Definition: detect-pcre.h:42
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:95
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:845
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:58
DETECT_PCRE_RELATIVE
#define DETECT_PCRE_RELATIVE
Definition: detect-pcre.h:29
TcpSession_
Definition: stream-tcp-private.h:283
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:455
AppLayerParserGetTxCnt
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
Definition: app-layer-parser.c:1087
HtpBodyChunk_::sbseg
StreamingBufferSegment sbseg
Definition: app-layer-htp.h:180
TestSteps::input_size
size_t input_size
Definition: detect-http-client-body.c:109
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
DETECT_CONTENT_WITHIN
#define DETECT_CONTENT_WITHIN
Definition: detect-content.h:31
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1265
app-layer.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:450